
Windows Analysis Report WmiPrvSE.exe

Overview

General Information

Sample Name: WmiPrvSE.exe
Analysis ID: 483971
MD5: 1dd684e647bf9dd3e486276f5fa07a11
SHA1: 0b2e62993b89201f71be7afc32e0abfa97aee2a7
SHA256: d17557a926c07e11fd21cc737c36e5a0e8742f3f7deb6b0c95c397605a38ed86

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Uses 32bit PE files
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions

Classification

[Classification chart not reproduced. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious]
  • System is w10x64
  • WmiPrvSE.exe (PID: 7152 cmdline: 'C:\Users\user\Desktop\WmiPrvSE.exe' MD5: 1DD684E647BF9DD3E486276F5FA07A11)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Source: WmiPrvSE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: WmiPrvSE.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WmiPrvSE.pdb source: WmiPrvSE.exe
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F047AD HeapFree,HeapAlloc,HeapAlloc,NtQuerySystemInformation,GetCurrentProcessId,HeapFree,0_2_00F047AD
Source: WmiPrvSE.exe Binary or memory string: OriginalFilename vs WmiPrvSE.exe
Source: WmiPrvSE.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F0117D 0_2_00F0117D
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F07363 0_2_00F07363
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F0D75D 0_2_00F0D75D
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F12C44 0_2_00F12C44
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F08D8D 0_2_00F08D8D
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F4BD8B 0_2_00F4BD8B
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F11D26 0_2_00F11D26
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: String function: 00F061F5 appears 42 times
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: String function: 00F30C1E appears 44 times
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: String function: 00F03FD5 appears 89 times
Source: WmiPrvSE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WmiPrvSE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: clean5.winEXE@1/0@0/0
Source: WmiPrvSE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WmiPrvSE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WmiPrvSE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WmiPrvSE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WmiPrvSE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WmiPrvSE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F125E0 push ecx; ret 0_2_00F12601
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F125EE push ecx; ret 0_2_00F12601
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F03A00 push ecx; ret 0_2_00F03A13
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F1FB28 push cs; iretd 0_2_00F1FB29
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F04E48 push ebx; iretd 0_2_00F04E8A
Source: WmiPrvSE.exe Static PE information: section name: .didat
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F162A9 HeapFree,EventUnregister,GetProcessHeap,HeapFree,GetProcessHeap,HeapDestroy,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,0_2_00F162A9
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F2320B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00F2320B
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F12470 SetUnhandledExceptionFilter,0_2_00F12470
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F13422 InitializeSecurityDescriptor,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,RtlLengthSid,LocalAlloc,RtlCreateAcl,RtlAddAccessAllowedAce,LocalFree,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,GetLastError,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,GetLastError,GetLastError,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,GetLastError,GetLastError,GetLastError,GetLastError,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,GetLastError,GetLastError,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,RtlNtStatusToDosError,LocalFree,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,RtlNtStatusToDosError,LocalFree,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,GetLastError,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,GetLastError,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,GetLastError,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,?GetMemLogObject@@YGPAVCMemoryLog@@XZ,?Write@CMemoryLog@@QAEXJ@Z,0_2_00F13422
Source: C:\Users\user\Desktop\WmiPrvSE.exe Code function: 0_2_00F12483 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00F12483

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information 2 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | System Information Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

[Behavior graph not reproduced. Behavior Graph ID: 483971, Sample: WmiPrvSE.exe, Startdate: 15/09/2021, Architecture: WINDOWS, Score: 5; single process node: WmiPrvSE.exe, started]

Source | Detection | Scanner | Label
WmiPrvSE.exe | 0% | Virustotal |
WmiPrvSE.exe | 0% | Metadefender |
WmiPrvSE.exe | 0% | ReversingLabs |
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483971
Start date: 15.09.2021
Start time: 17:27:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: WmiPrvSE.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean5.winEXE@1/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 26.9% (good quality ratio 12.2%)
  • Quality average: 28.7%
  • Quality standard deviation: 36.6%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 122
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Execution Graph export aborted for target WmiPrvSE.exe, PID 7152 because there are no executed function
No simulations
No context
No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.627536219401717
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: WmiPrvSE.exe
File size: 419328
MD5: 1dd684e647bf9dd3e486276f5fa07a11
SHA1: 0b2e62993b89201f71be7afc32e0abfa97aee2a7
SHA256: d17557a926c07e11fd21cc737c36e5a0e8742f3f7deb6b0c95c397605a38ed86
SHA512: e43089b3a3cde7e6ca61bd9be43031c47f4a5b617cbb94dd96e011d0495f01ed460b2dd77de1907dc1bb8dbacbce5885b2f91fbac10dc26bde7b520d7fbfa64a
SSDEEP: 6144:Ca4NW484t7Iz6DPV6QHzcrR/oOEcHU8unDV1w+ERrjrQPQDePBw:Ca4NW4LIz6DPJgBNn08GDV1lERr4M8B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+Z..o;j.o;j.o;j.....n;j.fC..[;j.....i;j.o;k.I:j.....d;j.....j;j.....u;j.....D;j.....n;j.....n;j.Richo;j........................

File Icon

Icon Hash: a4e0a6beb8aea0a0

General

Entrypoint: 0x412700
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5A9A326E [Sat Mar 3 05:28:14 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 3
File Version Major: 6
File Version Minor: 3
Subsystem Version Major: 6
Subsystem Version Minor: 3
Import Hash: 0bc76ebc1f9429ca90e54ea7c41e8bab
Instruction
call 00007FEB48937213h
push 0000005Ch
push 00412830h
call 00007FEB48937250h
and dword ptr [ebp-24h], 00000000h
and dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-6Ch]
push eax
call dword ptr [00451210h]
mov dword ptr [ebp-04h], FFFFFFFEh
xor ebx, ebx
inc ebx
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov edi, dword ptr [eax+04h]
xor esi, esi
mov edx, 0044F0D8h
mov ecx, edi
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
jne 00007FEB4894395Ch
cmp dword ptr [0044F0C0h], ebx
je 00007FEB4894395Bh
cmp dword ptr [0044F0C0h], 00000000h
jne 00007FEB48937592h
mov dword ptr [0044F0C0h], ebx
push 0041282Ch
push 00412820h
call 00007FEB4893712Fh
pop ecx
pop ecx
test eax, eax
jne 00007FEB489439F0h
cmp dword ptr [0044F0C0h], ebx
jne 00007FEB489374ADh
push 0041281Ch
push 004127FCh
call 00007FEB489371BCh
pop ecx
pop ecx
mov dword ptr [0044F0C0h], 00000002h
test esi, esi
jne 00007FEB4893749Bh
xor eax, eax
mov ecx, 0044F0D8h
xchg dword ptr [ecx], eax
cmp dword ptr [00450600h], 00000000h
jne 00007FEB4894390Fh
mov eax, dword ptr [00001008h]
Programming Language:
  • [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x512c8 | 0x208 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0xfa58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0x5294 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4ea58 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1000 | 0x5c | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x51000 | 0x2c4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4e2f0 | 0x180 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4dabd | 0x4dc00 | False | 0.394647432677 | data | 6.35849353732 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x4f000 | 0x1ac8 | 0x1c00 | False | 0.167271205357 | data | 3.87457048937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x51000 | 0x17f4 | 0x1800 | False | 0.418131510417 | data | 5.51914238101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x53000 | 0xe4 | 0x200 | False | 0.275390625 | data | 1.84822308643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x54000 | 0xfa58 | 0xfc00 | False | 0.704070560516 | data | 6.83311921039 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x64000 | 0x5294 | 0x5400 | False | 0.738141741071 | data | 6.7211010381 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x549d0 | 0x668 | data | English | United States
RT_ICON | 0x55038 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2298443911, next used block 8849520 | English | United States
RT_ICON | 0x55320 | 0x1e8 | data | English | United States
RT_ICON | 0x55508 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x55630 | 0xea8 | data | English | United States
RT_ICON | 0x564d8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x56d80 | 0x6c8 | data | English | United States
RT_ICON | 0x57448 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x579b0 | 0x7ba8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x5f558 | 0x25a8 | data | English | United States
RT_ICON | 0x61b00 | 0x10a8 | data | English | United States
RT_ICON | 0x62ba8 | 0x988 | data | English | United States
RT_ICON | 0x63530 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x63998 | 0xbc | data | English | United States
RT_VERSION | 0x54628 | 0x3a8 | data | English | United States
RT_MANIFEST | 0x54390 | 0x294 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

DLL | Import
msvcrt.dll | _initterm, __setusermatherr, _acmdln, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, __CxxFrameHandler3, _CxxThrowException, ??0exception@@QAE@XZ, ??1type_info@@UAE@XZ, _lock, _unlock, __dllonexit, _onexit, ?terminate@@YAXXZ, _controlfp, _purecall, ??8type_info@@QBEHABV0@@Z, _except_handler4_common, memcmp, memcpy, ??0exception@@QAE@ABQBD@Z, ?what@exception@@UBEPBDXZ, _itow, wcstok, memmove_s, memcpy_s, _vsnwprintf, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, memset
api-ms-win-core-synch-l1-2-0.dll | EnterCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, CreateEventW, SetEvent, LeaveCriticalSection, WaitForSingleObject, Sleep, WaitForMultipleObjectsEx
api-ms-win-eventing-provider-l1-1-0.dll | EventWrite, EventUnregister, EventRegister
api-ms-win-security-base-l1-2-0.dll | MakeSelfRelativeSD, GetSecurityDescriptorLength, GetAclInformation, AddAce, AccessCheck, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, FreeSid, AllocateAndInitializeSid, InitializeSecurityDescriptor, MapGenericMask, MakeAbsoluteSD, InitializeAcl, CopySid, RevertToSelf, GetLengthSid, SetSecurityDescriptorOwner, GetTokenInformation, ImpersonateLoggedOnUser
api-ms-win-core-errorhandling-l1-1-1.dll | SetUnhandledExceptionFilter, GetLastError, UnhandledExceptionFilter
api-ms-win-core-libraryloader-l1-2-0.dll | GetModuleHandleExW, FreeLibrary, GetProcAddress, GetModuleFileNameW, GetModuleHandleA
api-ms-win-core-handle-l1-1-0.dll | CloseHandle, DuplicateHandle
api-ms-win-core-processthreads-l1-1-2.dll | GetCurrentThreadId, TlsFree, GetCurrentProcess, SwitchToThread, GetCurrentThread, OpenThreadToken, SetThreadToken, CreateThread, TerminateProcess, TlsAlloc, GetCurrentProcessId, OpenProcessToken
api-ms-win-core-processenvironment-l1-2-0.dll | GetCommandLineW
api-ms-win-core-string-l1-1-0.dll | CompareStringW, GetStringTypeExW
api-ms-win-core-heap-l1-2-0.dll | HeapCreate, GetProcessHeap, HeapDestroy, HeapAlloc, HeapFree, HeapSetInformation
api-ms-win-core-registry-l1-1-0.dll | RegCreateKeyExW, RegSetValueExW, RegDeleteKeyExW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey
api-ms-win-core-memory-l1-1-2.dll | OpenFileMappingW, MapViewOfFile, CreateFileMappingW, UnmapViewOfFile
api-ms-win-core-sysinfo-l1-2-1.dll | GetSystemTimeAsFileTime, GetTickCount
api-ms-win-core-localization-l1-2-1.dll | LCMapStringW
api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter
api-ms-win-core-threadpool-legacy-l1-1-0.dll | ChangeTimerQueueTimer
api-ms-win-core-kernel32-legacy-l1-1-1.dll | GetStartupInfoA
ntdll.dll | RtlLengthSid, RtlCreateAcl, RtlNtStatusToDosError, RtlAddAccessAllowedAce, NtQuerySystemInformation, EtwGetTraceLoggerHandle, EtwGetTraceEnableLevel, EtwGetTraceEnableFlags, EtwRegisterTraceGuidsW, EtwUnregisterTraceGuids, EtwTraceMessage
api-ms-win-core-heap-obsolete-l1-1-0.dll | LocalFree, LocalAlloc
FastProx.dll | ?Release@CWbemCallSecurity@@UAGKXZ, ?QueryInterface@CWbemCallSecurity@@UAGJABU_GUID@@PAPAX@Z, ?New@CWbemCallSecurity@@SGPAV1@XZ, ?AddRef@CWbemCallSecurity@@UAGKXZ, ?GetThreadSecurity@CWbemCallSecurity@@UAGJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PAPAU_IWmiThreadSecHandle@@@Z, ?SetThreadSecurity@CWbemCallSecurity@@UAGJPAU_IWmiThreadSecHandle@@@Z
NCObjAPI.DLL | WmiSetAndCommitObject, WmiEventSourceConnect, WmiCreateObjectWithFormat, WmiDestroyObject, WmiEventSourceDisconnect
wbemcomn.dll | ?BreakOnDbgAndRenterLoop@@YGKXZ, ?GetMemLogObject@@YGPAVCMemoryLog@@XZ, ?Write@CMemoryLog@@QAEXJ@Z, ?_ThrowMemoryException_@@YGXXZ, ?Init@CPublishWMIOperationEvent@@SGJXZ, ?PublishProviderStarted@CPublishWMIOperationEvent@@SGJPAGJ0K0@Z, ?SetPreferredLanguages@CMUILocale@@SGJKPBGPAK@Z, ?GetPreferredLanguages@CMUILocale@@SGJKPAPAGPAK@Z, ?_Free@CMUILocale@@SGHPAX@Z
api-ms-win-core-apiquery-l1-1-0.dll | ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1.dll | ResolveDelayLoadedAPI, DelayLoadFailureHook

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | Wmiprvse.exe
FileVersion | 6.3.9600.18946 (winblue_ltsb_escrow.180302-1800)
CompanyName | Microsoft Corporation
ProductName | Microsoft Windows Operating System
ProductVersion | 6.3.9600.18946
FileDescription | WMI Provider Host
OriginalFilename | Wmiprvse.exe
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

[Chart not reproduced: CPU usage over time (s)]

Memory Usage

[Chart not reproduced: memory usage (MB) over time (s)]

System Behavior

Start time: 17:28:41
Start date: 15/09/2021
Path: C:\Users\user\Desktop\WmiPrvSE.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\WmiPrvSE.exe'
Imagebase: 0xf00000
File size: 419328 bytes
MD5 hash: 1DD684E647BF9DD3E486276F5FA07A11
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis

Executed Functions

Non-executed Functions

C-Code - Quality: 20%
			E00F13422(void* __ebx) {
				int _v8;
				char _v16;
				signed int _v20;
				short _v24;
				struct _SID_IDENTIFIER_AUTHORITY _v28;
				void* _v32;
				void* _v36;
				int _v40;
				intOrPtr _v44;
				intOrPtr* _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr* _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr* _v72;
				char _v76;
				void* _v95;
				struct _SECURITY_DESCRIPTOR _v96;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t124;
				signed int _t125;
				signed int _t131;
				intOrPtr* _t133;
				int _t136;
				intOrPtr _t139;
				intOrPtr _t146;
				signed short _t152;
				intOrPtr _t153;
				signed int _t155;
				intOrPtr _t156;
				signed int _t159;
				signed short _t168;
				intOrPtr _t169;
				signed int _t173;
				intOrPtr _t174;
				signed int _t177;
				void* _t181;
				long _t182;
				intOrPtr _t184;
				intOrPtr _t191;
				intOrPtr _t196;
				intOrPtr _t203;
				void* _t224;
				void* _t253;
				void* _t262;
				void* _t263;
				struct _ACL* _t268;
				void* _t274;
				signed int _t275;
				void* _t276;
				long _t280;
				signed int _t286;

				_t224 = __ebx;
				_t124 =  *0xf4f1a4; // 0xbd26e8f
				_t125 = _t124 ^ _t286;
				_v20 = _t125;
				 *[fs:0x0] =  &_v16;
				_t275 =  *0xf53060(0, 0, _t125, _t262, _t274,  *[fs:0x0], E00F24F35, 0xffffffff);
				if(_t275 < 0) {
					L17:
					_v40 = 0;
					_push( &_v40);
					_push(E00F136C0);
					_push(1);
					_push(0);
					_push(E00F136D0);
					if( *0xf53048() < 0) {
						 *0xf53064();
						_t131 = 0xe;
						L22:
						 *[fs:0x0] = _v16;
						_pop(_t263);
						_pop(_t276);
						return E00F01CA0(_t131, _t224, _v20 ^ _t286, _t261, _t263, _t276);
					}
					_t133 = _v40;
					 *0xf512c4(_t133, 1, 1);
					 *((intOrPtr*)( *((intOrPtr*)( *_t133 + 0xc))))();
					_t136 = _v40;
					 *0xf512c4(_t136);
					 *((intOrPtr*)( *((intOrPtr*)( *_t136 + 8))))();
					if(_t275 < 0) {
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t275);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t139 =  *0xf4f014; // 0xf4f014
					if(_t139 == 0xf4f014 || ( *(_t139 + 0x1c) & 0x00000004) == 0) {
						L21:
						_t131 = _t275;
					} else {
						__eflags =  *((char*)(_t139 + 0x19)) - 2;
						if( *((char*)(_t139 + 0x19)) < 2) {
							goto L21;
						}
						_t121 = _t139 + 0x14; // 0x20000000
						_t261 = 0xf21274;
						_t122 = _t139 + 0x10; // 0x40000000
						E00F32A46(0x15, 0xf21274,  *_t122,  *_t121, _t275);
						_t131 = _t275;
					}
					goto L22;
				}
				_v96.Revision = 0;
				_v36 = 0;
				asm("stosd");
				_v32 = 0;
				_v28.Value = 0;
				asm("stosd");
				_v24 = 0x500;
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				if(InitializeSecurityDescriptor( &_v96, 1) == 0) {
					_t275 = GetLastError();
					__eflags = _t275;
					if(_t275 > 0) {
						_t275 = _t275 & 0x0000ffff | 0x80070000;
						__eflags = _t275;
					}
					 *0xf53064();
					__eflags = _t275;
					if(_t275 < 0) {
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t275);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t146 =  *0xf4f014; // 0xf4f014
					__eflags = _t146 - 0xf4f014;
					if(_t146 != 0xf4f014) {
						__eflags =  *(_t146 + 0x1c) & 0x00000004;
						if(( *(_t146 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t146 + 0x19)) - 2;
							if( *((char*)(_t146 + 0x19)) >= 2) {
								_t58 = _t146 + 0x14; // 0x20000000
								_t261 = 0xf21274;
								_t59 = _t146 + 0x10; // 0x40000000
								E00F32A46(0xa, 0xf21274,  *_t59,  *_t58, _t275);
							}
						}
					}
					goto L21;
				}
				if(AllocateAndInitializeSid( &_v28, 1, 0xb, 0, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
					 *0xf53064();
					_t152 = GetLastError();
					__eflags = _t152;
					if(__eflags > 0) {
						__eflags = _t152 & 0x0000ffff | 0x80070000;
					}
					if(__eflags < 0) {
						_t159 = GetLastError();
						__eflags = _t159;
						if(_t159 > 0) {
							_t159 = _t159 & 0x0000ffff | 0x80070000;
							__eflags = _t159;
						}
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t159);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t153 =  *0xf4f014; // 0xf4f014
					__eflags = _t153 - 0xf4f014;
					if(_t153 != 0xf4f014) {
						__eflags =  *(_t153 + 0x1c) & 0x00000004;
						if(( *(_t153 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t153 + 0x19)) - 2;
							if( *((char*)(_t153 + 0x19)) >= 2) {
								_t155 = GetLastError();
								__eflags = _t155;
								if(_t155 > 0) {
									__eflags = _t155;
								}
								_t156 =  *0xf4f014; // 0xf4f014
								_t261 = 0xf21274;
								_t64 = _t156 + 0x14; // 0x20000000
								_t65 = _t156 + 0x10; // 0x40000000
								E00F32A46(0xb, 0xf21274,  *_t65,  *_t64, _t155);
							}
						}
					}
					_t131 = GetLastError();
					__eflags = _t131;
					if(_t131 > 0) {
						_t131 = _t131 & 0x0000ffff | 0x80070000;
					}
					goto L22;
				}
				_t261 = FreeSid;
				E00F136E5( &_v64, FreeSid, _v32);
				_v8 = 0;
				if(AllocateAndInitializeSid( &_v28, 1, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v36) == 0) {
					 *0xf53064();
					_t168 = GetLastError();
					__eflags = _t168;
					if(__eflags > 0) {
						__eflags = _t168 & 0x0000ffff | 0x80070000;
					}
					if(__eflags < 0) {
						_t177 = GetLastError();
						__eflags = _t177;
						if(_t177 > 0) {
							_t177 = _t177 & 0x0000ffff | 0x80070000;
							__eflags = _t177;
						}
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t177);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t169 =  *0xf4f014; // 0xf4f014
					__eflags = _t169 - 0xf4f014;
					if(_t169 != 0xf4f014) {
						__eflags =  *(_t169 + 0x1c) & 0x00000004;
						if(( *(_t169 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t169 + 0x19)) - 2;
							if( *((char*)(_t169 + 0x19)) >= 2) {
								_t173 = GetLastError();
								__eflags = _t173;
								if(_t173 > 0) {
									__eflags = _t173;
								}
								_t174 =  *0xf4f014; // 0xf4f014
								_t261 = 0xf21274;
								_t70 = _t174 + 0x14; // 0x20000000
								_t71 = _t174 + 0x10; // 0x40000000
								E00F32A46(0xc, 0xf21274,  *_t71,  *_t70, _t173);
							}
						}
					}
					_t275 = GetLastError();
					__eflags = _t275;
					if(_t275 > 0) {
						_t275 = _t275 & 0x0000ffff | 0x80070000;
					}
					L113:
					_v8 = 0xffffffff;
					__eflags = _v64;
					if(_v64 != 0) {
						goto L21;
					}
					 *0xf512c4(_v56);
					 *_v60();
					_t131 = _t275;
					goto L22;
				}
				_t261 = FreeSid;
				_t181 = E00F136E5( &_v76, FreeSid, _v36);
				_v8 = 1;
				__imp__RtlLengthSid(_v32);
				_t21 = _t181 + 0x14; // 0x14
				_t280 = _t21;
				_t182 = LocalAlloc(0, _t280);
				_t268 = _t182;
				if(_t268 == 0) {
					 *0xf53064();
					__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(0x80070008);
					__imp__?Write@CMemoryLog@@QAEXJ@Z();
					_t184 =  *0xf4f014; // 0xf4f014
					__eflags = _t184 - 0xf4f014;
					if(_t184 != 0xf4f014) {
						__eflags =  *(_t184 + 0x1c) & 0x00000004;
						if(( *(_t184 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t184 + 0x19)) - 2;
							if( *((char*)(_t184 + 0x19)) >= 2) {
								_t76 = _t184 + 0x14; // 0x20000000
								_t261 = 0xf21274;
								_t77 = _t184 + 0x10; // 0x40000000
								E00F32A46(0xe, 0xf21274,  *_t77,  *_t76, 0x80070008);
							}
						}
					}
					_t275 = 0x80070008;
					L111:
					_v8 = 0;
					__eflags = _v76;
					if(_v76 == 0) {
						 *0xf512c4(_v68);
						 *_v72();
					}
					goto L113;
				}
				__imp__RtlCreateAcl(_t268, _t280, 2);
				if(_t182 < 0) {
					_t275 = RtlNtStatusToDosError(_t182);
					__eflags = _t275;
					if(_t275 > 0) {
						_t275 = _t275 & 0x0000ffff | 0x80070000;
						__eflags = _t275;
					}
					 *0xf53064();
					LocalFree(_t268);
					__eflags = _t275;
					if(_t275 < 0) {
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t275);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t191 =  *0xf4f014; // 0xf4f014
					__eflags = _t191 - 0xf4f014;
					if(_t191 != 0xf4f014) {
						__eflags =  *(_t191 + 0x1c) & 0x00000004;
						if(( *(_t191 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t191 + 0x19)) - 2;
							if( *((char*)(_t191 + 0x19)) >= 2) {
								_t82 = _t191 + 0x14; // 0x20000000
								_t261 = 0xf21274;
								_t83 = _t191 + 0x10; // 0x40000000
								E00F32A46(0xf, 0xf21274,  *_t83,  *_t82, _t275);
							}
						}
					}
					goto L111;
				}
				__imp__RtlAddAccessAllowedAce(_t268, 2, 1, _v32);
				if(_t182 < 0) {
					_t275 = RtlNtStatusToDosError(_t182);
					__eflags = _t275;
					if(_t275 > 0) {
						_t275 = _t275 & 0x0000ffff | 0x80070000;
						__eflags = _t275;
					}
					 *0xf53064();
					LocalFree(_t268);
					__eflags = _t275;
					if(_t275 < 0) {
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t275);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t196 =  *0xf4f014; // 0xf4f014
					__eflags = _t196 - 0xf4f014;
					if(_t196 != 0xf4f014) {
						__eflags =  *(_t196 + 0x1c) & 0x00000004;
						if(( *(_t196 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t196 + 0x19)) - 2;
							if( *((char*)(_t196 + 0x19)) >= 2) {
								_t88 = _t196 + 0x14; // 0x20000000
								_t261 = 0xf21274;
								_t89 = _t196 + 0x10; // 0x40000000
								E00F32A46(0x10, 0xf21274,  *_t89,  *_t88, _t275);
							}
						}
					}
					goto L111;
				}
				_t261 = LocalFree;
				E00F136E5( &_v52, LocalFree, _t268);
				_v8 = 2;
				if(SetSecurityDescriptorOwner( &_v96, _v36, 0) == 0) {
					_t275 = GetLastError();
					__eflags = _t275;
					if(_t275 > 0) {
						_t275 = _t275 & 0x0000ffff | 0x80070000;
						__eflags = _t275;
					}
					 *0xf53064();
					__eflags = _t275;
					if(_t275 < 0) {
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t275);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t203 =  *0xf4f014; // 0xf4f014
					__eflags = _t203 - 0xf4f014;
					if(_t203 == 0xf4f014) {
						L109:
						_v8 = 1;
						__eflags = _v52;
						if(_v52 == 0) {
							 *0xf512c4(_v44);
							 *_v48();
						}
						goto L111;
					} else {
						__eflags =  *(_t203 + 0x1c) & 0x00000004;
						if(( *(_t203 + 0x1c) & 0x00000004) == 0) {
							goto L109;
						}
						__eflags =  *((char*)(_t203 + 0x19)) - 2;
						if( *((char*)(_t203 + 0x19)) < 2) {
							goto L109;
						}
						_t253 = 0x11;
						L108:
						_t106 = _t203 + 0x14; // 0x20000000
						_t261 = 0xf21274;
						_t107 = _t203 + 0x10; // 0x40000000
						E00F32A46(_t253, 0xf21274,  *_t107,  *_t106, _t275);
						goto L109;
					}
				}
				if(SetSecurityDescriptorGroup( &_v96, _v36, 0) == 0) {
					_t275 = GetLastError();
					__eflags = _t275;
					if(_t275 > 0) {
						_t275 = _t275 & 0x0000ffff | 0x80070000;
						__eflags = _t275;
					}
					 *0xf53064();
					__eflags = _t275;
					if(_t275 < 0) {
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t275);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t203 =  *0xf4f014; // 0xf4f014
					__eflags = _t203 - 0xf4f014;
					if(_t203 == 0xf4f014) {
						goto L109;
					} else {
						__eflags =  *(_t203 + 0x1c) & 0x00000004;
						if(( *(_t203 + 0x1c) & 0x00000004) == 0) {
							goto L109;
						}
						__eflags =  *((char*)(_t203 + 0x19)) - 2;
						if( *((char*)(_t203 + 0x19)) < 2) {
							goto L109;
						}
						_t253 = 0x12;
						goto L108;
					}
				}
				if(SetSecurityDescriptorDacl( &_v96, 1, _t268, 0) == 0) {
					_t275 = GetLastError();
					__eflags = _t275;
					if(_t275 > 0) {
						_t275 = _t275 & 0x0000ffff | 0x80070000;
						__eflags = _t275;
					}
					 *0xf53064();
					__eflags = _t275;
					if(_t275 < 0) {
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t275);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t203 =  *0xf4f014; // 0xf4f014
					__eflags = _t203 - 0xf4f014;
					if(_t203 == 0xf4f014) {
						goto L109;
					} else {
						__eflags =  *(_t203 + 0x1c) & 0x00000004;
						if(( *(_t203 + 0x1c) & 0x00000004) == 0) {
							goto L109;
						}
						__eflags =  *((char*)(_t203 + 0x19)) - 2;
						if( *((char*)(_t203 + 0x19)) < 2) {
							goto L109;
						}
						_t253 = 0x13;
						goto L108;
					}
				}
				_t275 =  *0xf5304c( &_v96, 0xffffffff, 0, 0, 2, 3, 0, 0x40, 0);
				if(_t275 < 0) {
					 *0xf53064();
					__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t275);
					__imp__?Write@CMemoryLog@@QAEXJ@Z();
					_t203 =  *0xf4f014; // 0xf4f014
					__eflags = _t203 - 0xf4f014;
					if(_t203 == 0xf4f014) {
						goto L109;
					}
					__eflags =  *(_t203 + 0x1c) & 0x00000004;
					if(( *(_t203 + 0x1c) & 0x00000004) == 0) {
						goto L109;
					}
					__eflags =  *((char*)(_t203 + 0x19)) - 2;
					if( *((char*)(_t203 + 0x19)) < 2) {
						goto L109;
					}
					_t253 = 0x14;
					goto L108;
				} else {
					_v8 = 1;
					if(_v52 == 0) {
						 *0xf512c4(_v44);
						 *_v48();
					}
					_v8 = 0;
					if(_v76 == 0) {
						 *0xf512c4(_v68);
						 *_v72();
					}
					_v8 = 0xffffffff;
					if(_v64 == 0) {
						 *0xf512c4(_v56);
						 *_v60();
					}
					goto L17;
				}
			}

APIs
  • InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001), ref: 00F13493
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,0000000B,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F134BB
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F13500
  • RtlLengthSid.NTDLL(00000000), ref: 00F13522
  • LocalAlloc.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0(00000000,00000014), ref: 00F1352E
  • RtlCreateAcl.NTDLL(00000000,00000014,00000002), ref: 00F13542
  • RtlAddAccessAllowedAce.NTDLL ref: 00F13558
  • SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000000,00000000,00000000), ref: 00F13582
  • SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000000,00000000), ref: 00F13599
  • SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,00000000,00000000), ref: 00F135B0
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2AE42
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2AE62
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2AE6A
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2AEB5
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2AECB
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2AEDE
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2AEE6
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2AF04
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(40000000,20000000,00000000), ref: 00F2AF31
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2AF52
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2AF68
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2AF7B
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2AF83
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2AFA1
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(40000000,20000000,00000000), ref: 00F2AFCE
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80070008), ref: 00F2AFF7
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2AFFF
  • RtlNtStatusToDosError.NTDLL ref: 00F2B042
  • LocalFree.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0(00000000), ref: 00F2B05E
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2B069
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2B071
  • RtlNtStatusToDosError.NTDLL ref: 00F2B0B7
  • LocalFree.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0(00000000), ref: 00F2B0D3
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2B0DE
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2B0E6
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2B12B
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2B14B
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2B153
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2B187
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2B1A7
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2B1AF
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F2B1E0
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2B200
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2B208
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2B234
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2B23C
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2B2CD
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2B2D5
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Error$Last$Object@@Write@$DescriptorSecurity$InitializeLocal$AllocateFreeStatus$AccessAllocAllowedCreateDaclGroupLengthOwner
  • String ID:
  • API String ID: 4058294524-0
  • Opcode ID: c6de4a192769643cf673d35d75cb5708c815ec84ae890335d9dea01d6bcaeafe
  • Instruction ID: 85c063f2aacd565ac8d0e658f51d7f38dc2c5e5a49f7ae26b435755e9aef71b1
  • Opcode Fuzzy Hash: c6de4a192769643cf673d35d75cb5708c815ec84ae890335d9dea01d6bcaeafe
  • Instruction Fuzzy Hash: B912B334A00368EBDB269B64ED0CBAE7BA5BF45325F010054EE01E72F1CB39D944BB65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 98%
			E00F11D26() {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t76;
				void* _t81;
				void* _t82;
				void* _t83;
				signed short _t91;
				intOrPtr _t92;
				void* _t93;
				signed short _t96;
				intOrPtr _t97;
				void* _t98;
				short _t101;
				signed short _t106;
				intOrPtr _t107;
				void* _t108;
				signed short _t111;
				intOrPtr _t112;
				void* _t113;
				short _t116;
				signed short _t121;
				intOrPtr _t122;
				void* _t123;
				signed short _t126;
				intOrPtr _t127;
				void* _t128;
				short _t131;
				signed short _t136;
				intOrPtr _t137;
				void* _t138;
				signed short _t141;
				intOrPtr _t142;
				void* _t143;
				short _t145;
				long _t162;
				void* _t163;
				long _t168;
				void* _t169;
				long _t172;
				void* _t173;
				long _t176;
				void* _t177;
				long _t180;
				void* _t181;
				long _t184;
				void* _t185;
				long _t188;
				void* _t189;
				long _t192;
				void* _t193;
				long _t196;
				void* _t197;
				long _t198;
				long _t199;
				void* _t200;
				signed int _t201;

				_t76 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t76 ^ _t201;
				_t162 = 0;
				_v12 = 0x500;
				_v16.Value = 0;
				_v32 = 0;
				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				if(AllocateAndInitializeSid( &_v16, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
					L46:
					_t162 = 0x8007000e;
				} else {
					_t199 = GetLengthSid(_v32);
					_t11 = _t199 + 8; // 0x8
					_t91 = _t11;
					 *0xf4f00c = _t91;
					_t198 = _t91 & 0x0000ffff;
					_t92 =  *0xf4f0cc; // 0x0
					_t93 =  *(_t92 + 4);
					_t168 =  *(_t92 + 8) & 0x00000005 | 0x00000008;
					if(_t93 == 0) {
						L38:
						_t200 = 0;
					} else {
						_t200 = HeapAlloc(_t93, _t168, _t198);
						if(_t200 == 0) {
							if(E00F48131() != 0) {
								goto L38;
							} else {
								goto L3;
							}
							L63:
						}
					}
					L3:
					 *0xf4f0ac = _t200;
					if(_t200 == 0) {
						goto L46;
					} else {
						_t15 = _t200 + 8; // 0x8
						CopySid(_t199, _t15, _v32);
						_t169 =  *0xf4f0ac; // 0x0
						_t96 =  *0xf4f00c; // 0x0
						_t198 = _t96 & 0x0000ffff;
						 *(_t169 + 4) = 1;
						 *_t169 = 0x300;
						 *(_t169 + 2) = _t96;
						_t97 =  *0xf4f0cc; // 0x0
						_t98 =  *(_t97 + 4);
						_t172 =  *(_t97 + 8) & 0x00000005 | 0x00000008;
						if(_t98 == 0) {
							L39:
							_t200 = 0;
						} else {
							_t200 = HeapAlloc(_t98, _t172, _t198);
							if(_t200 == 0) {
								if(E00F48131() != 0) {
									goto L39;
								} else {
									goto L6;
								}
								goto L63;
							}
						}
						L6:
						 *0xf4f0b8 = _t200;
						if(_t200 == 0) {
							goto L46;
						} else {
							_t21 = _t200 + 8; // 0x8
							CopySid(_t199, _t21, _v32);
							_t173 =  *0xf4f0b8; // 0x0
							_t101 =  *0xf4f00c; // 0x0
							 *((short*)(_t173 + 2)) = _t101;
							 *((intOrPtr*)(_t173 + 4)) = 0xf01ff;
							 *_t173 = 0x300;
							if(AllocateAndInitializeSid( &_v16, 1, 0x13, 0, 0, 0, 0, 0, 0, 0,  &_v20) == 0) {
								goto L46;
							} else {
								_t199 = GetLengthSid(_v20);
								_t27 = _t199 + 8; // 0x8
								_t106 = _t27;
								 *0xf4f008 = _t106;
								_t198 = _t106 & 0x0000ffff;
								_t107 =  *0xf4f0cc; // 0x0
								_t108 =  *(_t107 + 4);
								_t176 =  *(_t107 + 8) & 0x00000005 | 0x00000008;
								if(_t108 == 0) {
									L40:
									_t200 = 0;
								} else {
									_t200 = HeapAlloc(_t108, _t176, _t198);
									if(_t200 == 0) {
										if(E00F48131() != 0) {
											goto L40;
										} else {
											goto L10;
										}
										goto L63;
									}
								}
								L10:
								 *0xf4f0a8 = _t200;
								if(_t200 == 0) {
									goto L46;
								} else {
									_t31 = _t200 + 8; // 0x8
									CopySid(_t199, _t31, _v20);
									_t177 =  *0xf4f0a8; // 0x0
									_t111 =  *0xf4f008; // 0x0
									_t198 = _t111 & 0x0000ffff;
									 *(_t177 + 4) = 1;
									 *_t177 = 0x300;
									 *(_t177 + 2) = _t111;
									_t112 =  *0xf4f0cc; // 0x0
									_t113 =  *(_t112 + 4);
									_t180 =  *(_t112 + 8) & 0x00000005 | 0x00000008;
									if(_t113 == 0) {
										L41:
										_t200 = 0;
									} else {
										_t200 = HeapAlloc(_t113, _t180, _t198);
										if(_t200 == 0) {
											if(E00F48131() != 0) {
												goto L41;
											} else {
												goto L13;
											}
											goto L63;
										}
									}
									L13:
									 *0xf4f0b4 = _t200;
									if(_t200 == 0) {
										goto L46;
									} else {
										_t37 = _t200 + 8; // 0x8
										CopySid(_t199, _t37, _v20);
										_t181 =  *0xf4f0b4; // 0x0
										_t116 =  *0xf4f008; // 0x0
										 *((short*)(_t181 + 2)) = _t116;
										 *((intOrPtr*)(_t181 + 4)) = 0xf01ff;
										 *_t181 = 0x300;
										if(AllocateAndInitializeSid( &_v16, 1, 0x14, 0, 0, 0, 0, 0, 0, 0,  &_v24) == 0) {
											goto L46;
										} else {
											_t199 = GetLengthSid(_v24);
											_t43 = _t199 + 8; // 0x8
											_t121 = _t43;
											 *0xf4f004 = _t121;
											_t198 = _t121 & 0x0000ffff;
											_t122 =  *0xf4f0cc; // 0x0
											_t123 =  *(_t122 + 4);
											_t184 =  *(_t122 + 8) & 0x00000005 | 0x00000008;
											if(_t123 == 0) {
												L42:
												_t200 = 0;
											} else {
												_t200 = HeapAlloc(_t123, _t184, _t198);
												if(_t200 == 0) {
													if(E00F48131() != 0) {
														goto L42;
													} else {
														goto L17;
													}
													goto L63;
												}
											}
											L17:
											 *0xf4f0a4 = _t200;
											if(_t200 == 0) {
												goto L46;
											} else {
												_t47 = _t200 + 8; // 0x8
												CopySid(_t199, _t47, _v24);
												_t185 =  *0xf4f0a4; // 0x0
												_t126 =  *0xf4f004; // 0x0
												_t198 = _t126 & 0x0000ffff;
												 *(_t185 + 4) = 1;
												 *_t185 = 0x300;
												 *(_t185 + 2) = _t126;
												_t127 =  *0xf4f0cc; // 0x0
												_t128 =  *(_t127 + 4);
												_t188 =  *(_t127 + 8) & 0x00000005 | 0x00000008;
												if(_t128 == 0) {
													L43:
													_t200 = 0;
												} else {
													_t200 = HeapAlloc(_t128, _t188, _t198);
													if(_t200 == 0) {
														if(E00F48131() != 0) {
															goto L43;
														} else {
															goto L20;
														}
														goto L63;
													}
												}
												L20:
												 *0xf4f0b0 = _t200;
												if(_t200 == 0) {
													goto L46;
												} else {
													_t53 = _t200 + 8; // 0x8
													CopySid(_t199, _t53, _v24);
													_t189 =  *0xf4f0b0; // 0x0
													_t131 =  *0xf4f004; // 0x0
													 *((short*)(_t189 + 2)) = _t131;
													 *((intOrPtr*)(_t189 + 4)) = 0xf01ff;
													 *_t189 = 0x300;
													if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v28) == 0) {
														goto L46;
													} else {
														_t199 = GetLengthSid(_v28);
														_t59 = _t199 + 8; // 0x8
														_t136 = _t59;
														 *0xf4f000 = _t136;
														_t198 = _t136 & 0x0000ffff;
														_t137 =  *0xf4f0cc; // 0x0
														_t138 =  *(_t137 + 4);
														_t192 =  *(_t137 + 8) & 0x00000005 | 0x00000008;
														if(_t138 == 0) {
															L44:
															_t200 = 0;
														} else {
															_t200 = HeapAlloc(_t138, _t192, _t198);
															if(_t200 == 0) {
																if(E00F48131() != 0) {
																	goto L44;
																} else {
																	goto L24;
																}
																goto L63;
															}
														}
														L24:
														 *0xf4f0a0 = _t200;
														if(_t200 == 0) {
															goto L46;
														} else {
															_t63 = _t200 + 8; // 0x8
															CopySid(_t199, _t63, _v28);
															_t193 =  *0xf4f0a0; // 0x0
															_t141 =  *0xf4f000; // 0x0
															_t198 = _t141 & 0x0000ffff;
															 *(_t193 + 4) = 1;
															 *_t193 = 0x300;
															 *(_t193 + 2) = _t141;
															_t142 =  *0xf4f0cc; // 0x0
															_t143 =  *(_t142 + 4);
															_t196 =  *(_t142 + 8) & 0x00000005 | 0x00000008;
															if(_t143 == 0) {
																L45:
																_t200 = 0;
															} else {
																_t200 = HeapAlloc(_t143, _t196, _t198);
																if(_t200 == 0) {
																	if(E00F48131() != 0) {
																		goto L45;
																	} else {
																		goto L27;
																	}
																	goto L63;
																}
															}
															L27:
															 *0xf4f09c = _t200;
															if(_t200 == 0) {
																goto L46;
															} else {
																CopySid(_t199, _t200, _v28);
																_t197 =  *0xf4f09c; // 0x0
																_t145 =  *0xf4f000; // 0x0
																 *((intOrPtr*)(_t197 + 4)) = 0xf01ff;
																 *_t197 = 0x300;
																 *((short*)(_t197 + 2)) = _t145;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				_t81 = _v28;
				if(_t81 != 0) {
					FreeSid(_t81);
				}
				_t82 = _v32;
				if(_t82 != 0) {
					FreeSid(_t82);
				}
				_t83 = _v20;
				if(_t83 != 0) {
					FreeSid(_t83);
				}
				_t163 = _v24;
				if(_t163 != 0) {
					FreeSid(_t163);
				}
				return E00F01CA0(_t162, _t162, _v8 ^ _t201, _t198, _t199, _t200);
				goto L63;
			}

APIs
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,FFFFFFFE), ref: 00F11D65
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11D76
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11DA6
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11DCC
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11E0D
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11E33
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0BD26E8F,?,?,?,?,00F0CC0D), ref: 00F11E6F
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(0BD26E8F,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11E80
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11EB0
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,0BD26E8F,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11ED6
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11F17
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,0BD26E8F,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11F3D
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,00000014,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00F0CC0D), ref: 00F11F79
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00F0CC0D,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11F8A
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11FBA
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,00F0CC0D,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11FE0
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F12021
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,00F0CC0D,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F12047
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F12086
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F12097
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F120C7
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,?,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F120ED
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F1212E
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,-00000008,?,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F12154
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F1217E
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F1218C
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(0BD26E8F,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F1219A
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00F0CC0D,?,?,?,?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F121A8
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AllocCopyHeap$AllocateFreeInitializeLength
  • String ID:
  • API String ID: 1385409774-0
  • Opcode ID: e870f5b2823aa8d390c1744d2f486cd64e45da72bee4ef78d53e27003bd10414
  • Instruction ID: 7d278ce90d74a7978a5912cb3f2b616c179b623f99adbfbfb68cb83ee61761f9
  • Opcode Fuzzy Hash: e870f5b2823aa8d390c1744d2f486cd64e45da72bee4ef78d53e27003bd10414
  • Instruction Fuzzy Hash: 76D17F39D0121A9FD711CF64DC45BBABBB8FF55752B04801AEE06E7261DB30E845EBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 48%
			E00F12C44() {
				long _v8;
				char _v16;
				signed int _v20;
				long _v24;
				long _v28;
				long _v32;
				long _v36;
				long _v40;
				long _v44;
				long _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t159;
				signed int _t160;
				intOrPtr _t164;
				long _t170;
				void* _t171;
				void* _t177;
				long _t181;
				void* _t182;
				void* _t188;
				long _t192;
				void* _t193;
				void* _t199;
				long _t203;
				void* _t204;
				void* _t210;
				long _t214;
				void* _t215;
				void* _t221;
				long _t226;
				char _t228;
				long _t229;
				long _t232;
				char _t234;
				long _t235;
				long _t238;
				char _t240;
				long _t244;
				char _t246;
				long _t250;
				char _t252;
				void* _t262;
				long _t267;
				void* _t268;
				long _t269;
				void* _t276;
				long _t277;
				long _t285;
				long _t293;
				long _t301;
				long _t309;
				void* _t324;
				long _t325;
				long _t326;
				long _t327;
				long _t328;
				long _t329;
				struct _CRITICAL_SECTION* _t330;
				struct _CRITICAL_SECTION* _t331;
				struct _CRITICAL_SECTION* _t332;
				struct _CRITICAL_SECTION* _t333;
				struct _CRITICAL_SECTION* _t334;
				void* _t335;
				void* _t337;
				long _t338;
				long _t339;
				intOrPtr* _t341;
				long _t343;
				intOrPtr* _t345;
				long _t347;
				intOrPtr* _t349;
				long _t351;
				intOrPtr* _t353;
				long _t355;
				intOrPtr* _t357;
				long* _t359;
				long _t360;
				signed int _t361;

				_push(0xffffffff);
				_push(E00F25071);
				_push( *[fs:0x0]);
				_t159 =  *0xf4f1a4; // 0xbd26e8f
				_t160 = _t159 ^ _t361;
				_v20 = _t160;
				_push(_t160);
				 *[fs:0x0] =  &_v16;
				_t269 =  *0xf4f0cc; // 0x0
				if(_t269 != 0) {
					L10:
					if( *0xf4f164 == 0 ||  *0xf4f180 == 0) {
						L101:
						_t267 = 0x80041006;
						goto L74;
					} else {
						_t276 =  *(_t269 + 4);
						_t170 =  *(_t269 + 8) & 0x00000005 | 0x00000008;
						if(_t276 == 0) {
							L78:
							_t338 = 0;
							L14:
							_v24 = _t338;
							_v8 = 2;
							if(_t338 == 0) {
								_t338 = 0;
							} else {
								_t170 =  *0xf4f0cc; // 0x0
								 *_t338 = 0;
								 *(_t338 + 4) = 0;
								 *(_t338 + 8) = _t170;
							}
							_v8 = 0xffffffff;
							 *0xf4f07c = _t338;
							if(_t338 == 0) {
								goto L101;
							}
							__imp__EventRegister(E00F133EC, 0, 0, 0xf4f128);
							_t267 = _t170;
							if(_t267 < 0) {
								L74:
								E00F13925();
								E00F121FE();
								if(_t267 < 0) {
									__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t267);
									__imp__?Write@CMemoryLog@@QAEXJ@Z();
								}
								_t164 =  *0xf4f014; // 0xf4f014
								if(_t164 != 0xf4f014 && ( *(_t164 + 0x1c) & 0x00000004) != 0) {
									__eflags =  *((char*)(_t164 + 0x19)) - 2;
									if( *((char*)(_t164 + 0x19)) >= 2) {
										_t156 = _t164 + 0x14; // 0x20000000
										_t320 = 0xf21d84;
										_t157 = _t164 + 0x10; // 0x40000000
										E00F32A46(0x12, 0xf21d84,  *_t157,  *_t156, _t267);
									}
								}
								 *[fs:0x0] = _v16;
								_pop(_t324);
								_pop(_t337);
								_pop(_t268);
								return E00F01CA0(_t267, _t268, _v20 ^ _t361, _t320, _t324, _t337);
							}
							_t277 =  *0xf4f0cc; // 0x0
							_t171 =  *(_t277 + 4);
							_t320 =  *(_t277 + 8) & 0x00000005 | 0x00000008;
							if(_t171 == 0) {
								L80:
								_t339 = 0;
								L20:
								_v28 = _t339;
								_v8 = 3;
								if(_t339 == 0) {
									_t339 = 0;
								} else {
									_t250 =  *0xf4f0cc; // 0x0
									_t31 = _t339 + 8; // 0x8
									_t334 = _t31;
									 *_t339 = 0xf03a18;
									 *(_t339 + 4) = 0;
									_v24 = _t250;
									 *((short*)(_t334 + 0x18)) = 0;
									if(InitializeCriticalSectionAndSpinCount(_t334, 0) == 0) {
										_t252 = 0;
									} else {
										_t252 = 1;
									}
									 *((char*)(_t334 + 0x18)) = _t252;
									if(_t252 != 1) {
										__eflags =  *((char*)(_t334 + 0x19));
										if(__eflags != 0) {
											__imp__?_ThrowMemoryException_@@YGXXZ();
										}
									}
									_v8 = 4;
									 *(_t339 + 0x24) = 0;
									 *(_t339 + 0x28) = 0;
									 *((intOrPtr*)(_t339 + 0x2c)) = _v24;
									_v8 = 3;
								}
								_v8 = 0xffffffff;
								 *0xf4f084 = _t339;
								if(_t339 == 0) {
									goto L101;
								} else {
									 *0xf512c4(_t339);
									 *((intOrPtr*)( *((intOrPtr*)( *_t339 + 4))))();
									_t325 =  *0xf4f084; // 0x0
									_t341 =  *((intOrPtr*)( *_t325 + 0x10));
									if(_t341 != E00F13410) {
										 *0xf512c4();
										_t177 =  *_t341();
										_t325 =  *0xf4f084; // 0x0
									} else {
										_t177 = E00F13410(_t325);
									}
									if(_t177 != 0) {
										__eflags = _t325;
										if(_t325 != 0) {
											 *0xf512c4(1);
											 *((intOrPtr*)( *((intOrPtr*)( *_t325 + 0xc))))();
										}
										 *0xf4f084 = 0;
										goto L101;
									} else {
										_t181 =  *0xf4f0cc; // 0x0
										_t182 =  *(_t181 + 4);
										_t285 =  *(_t181 + 8) & 0x00000005 | 0x00000008;
										if(_t182 == 0) {
											L83:
											_t343 = 0;
											L31:
											_v28 = _t343;
											_v8 = 6;
											if(_t343 == 0) {
												_t343 = 0;
											} else {
												_t244 =  *0xf4f0cc; // 0x0
												_t49 = _t343 + 8; // 0x8
												_t333 = _t49;
												 *_t343 = 0xf03a74;
												 *(_t343 + 4) = 0;
												_v24 = _t244;
												 *((short*)(_t333 + 0x18)) = 0;
												if(InitializeCriticalSectionAndSpinCount(_t333, 0) == 0) {
													_t246 = 0;
												} else {
													_t246 = 1;
												}
												 *((char*)(_t333 + 0x18)) = _t246;
												if(_t246 != 1) {
													__eflags =  *((char*)(_t333 + 0x19));
													if(__eflags != 0) {
														__imp__?_ThrowMemoryException_@@YGXXZ();
													}
												}
												_v8 = 7;
												 *(_t343 + 0x24) = 0;
												 *(_t343 + 0x28) = 0;
												 *((intOrPtr*)(_t343 + 0x2c)) = _v24;
												_v8 = 6;
											}
											_v8 = 0xffffffff;
											 *0xf4f080 = _t343;
											if(_t343 == 0) {
												goto L101;
											} else {
												 *0xf512c4(_t343);
												 *((intOrPtr*)( *((intOrPtr*)( *_t343 + 4))))();
												_t326 =  *0xf4f080; // 0x0
												_t345 =  *((intOrPtr*)( *_t326 + 0x10));
												if(_t345 != E00F13410) {
													 *0xf512c4();
													_t188 =  *_t345();
													_t326 =  *0xf4f080; // 0x0
												} else {
													_t188 = E00F13410(_t326);
												}
												if(_t188 != 0) {
													__eflags = _t326;
													if(_t326 != 0) {
														 *0xf512c4(1);
														 *((intOrPtr*)( *((intOrPtr*)( *_t326 + 0xc))))();
													}
													 *0xf4f080 = 0;
													goto L101;
												} else {
													_t192 =  *0xf4f0cc; // 0x0
													_t193 =  *(_t192 + 4);
													_t293 =  *(_t192 + 8) & 0x00000005 | 0x00000008;
													if(_t193 == 0) {
														L86:
														_t347 = 0;
														L42:
														_v28 = _t347;
														_v8 = 9;
														if(_t347 == 0) {
															_t347 = 0;
														} else {
															_t238 =  *0xf4f0cc; // 0x0
															_t67 = _t347 + 8; // 0x8
															_t332 = _t67;
															 *_t347 = 0xf06400;
															 *(_t347 + 4) = 0;
															_v24 = _t238;
															 *((short*)(_t332 + 0x18)) = 0;
															if(InitializeCriticalSectionAndSpinCount(_t332, 0) == 0) {
																_t240 = 0;
															} else {
																_t240 = 1;
															}
															 *((char*)(_t332 + 0x18)) = _t240;
															if(_t240 != 1) {
																__eflags =  *((char*)(_t332 + 0x19));
																if(__eflags != 0) {
																	__imp__?_ThrowMemoryException_@@YGXXZ();
																}
															}
															_v8 = 0xa;
															 *(_t347 + 0x24) = 0;
															 *(_t347 + 0x28) = 0;
															 *((intOrPtr*)(_t347 + 0x2c)) = _v24;
															_v8 = 9;
														}
														_v8 = 0xffffffff;
														 *0xf4f088 = _t347;
														if(_t347 == 0) {
															goto L101;
														} else {
															 *0xf512c4(_t347);
															 *((intOrPtr*)( *((intOrPtr*)( *_t347 + 4))))();
															_t327 =  *0xf4f088; // 0x0
															_t349 =  *((intOrPtr*)( *_t327 + 0x10));
															if(_t349 != E00F13410) {
																 *0xf512c4();
																_t199 =  *_t349();
																_t327 =  *0xf4f088; // 0x0
															} else {
																_t199 = E00F13410(_t327);
															}
															if(_t199 != 0) {
																__eflags = _t327;
																if(_t327 != 0) {
																	 *0xf512c4(1);
																	 *((intOrPtr*)( *((intOrPtr*)( *_t327 + 0xc))))();
																}
																 *0xf4f088 = 0;
																goto L101;
															} else {
																_t203 =  *0xf4f0cc; // 0x0
																_t204 =  *(_t203 + 4);
																_t301 =  *(_t203 + 8) & 0x00000005 | 0x00000008;
																if(_t204 == 0) {
																	L89:
																	_t351 = 0;
																	L53:
																	_v28 = _t351;
																	_v8 = 0xc;
																	if(_t351 == 0) {
																		_t351 = 0;
																	} else {
																		_t232 =  *0xf4f0cc; // 0x0
																		_t85 = _t351 + 8; // 0x8
																		_t331 = _t85;
																		 *_t351 = 0xf0d598;
																		 *(_t351 + 4) = _t232;
																		_v24 = _t232;
																		 *((short*)(_t331 + 0x18)) = 0;
																		if(InitializeCriticalSectionAndSpinCount(_t331, 0) == 0) {
																			_t234 = 0;
																		} else {
																			_t234 = 1;
																		}
																		 *((char*)(_t331 + 0x18)) = _t234;
																		if(_t234 != 1) {
																			__eflags =  *((char*)(_t331 + 0x19));
																			if(__eflags != 0) {
																				__imp__?_ThrowMemoryException_@@YGXXZ();
																			}
																		}
																		_v8 = 0xd;
																		_t235 = _v24;
																		 *(_t351 + 0x24) = 0;
																		 *(_t351 + 0x28) = 0;
																		 *(_t351 + 0x2c) = 0;
																		 *((intOrPtr*)(_t351 + 0x30)) = _t235;
																		_v8 = 0xe;
																		 *(_t351 + 0x34) = 0;
																		 *(_t351 + 0x38) = 0;
																		 *((intOrPtr*)(_t351 + 0x3c)) = _t235;
																		 *((intOrPtr*)(_t351 + 0x40)) = _t235;
																		_v8 = 0xf;
																		 *(_t351 + 0x44) = 0;
																		_v8 = 0x10;
																		 *_t351 = 0xf133ac;
																		_v8 = 0xc;
																	}
																	_v8 = 0xffffffff;
																	 *0xf4f090 = _t351;
																	if(_t351 == 0) {
																		goto L101;
																	} else {
																		 *0xf512c4(_t351);
																		 *((intOrPtr*)( *((intOrPtr*)( *_t351 + 4))))();
																		_t328 =  *0xf4f090; // 0x0
																		_t353 =  *((intOrPtr*)( *_t328 + 0x10));
																		if(_t353 != E00F13410) {
																			 *0xf512c4();
																			_t210 =  *_t353();
																			_t328 =  *0xf4f090; // 0x0
																		} else {
																			_t210 = E00F13410(_t328);
																		}
																		if(_t210 != 0) {
																			__eflags = _t328;
																			if(_t328 != 0) {
																				 *0xf512c4(1);
																				 *((intOrPtr*)( *((intOrPtr*)( *_t328 + 0xc))))();
																			}
																			 *0xf4f090 = 0;
																			goto L101;
																		} else {
																			_t214 =  *0xf4f0cc; // 0x0
																			_t215 =  *(_t214 + 4);
																			_t309 =  *(_t214 + 8) & 0x00000005 | 0x00000008;
																			if(_t215 == 0) {
																				L92:
																				_t355 = 0;
																				L64:
																				_v28 = _t355;
																				_v8 = 0x11;
																				if(_t355 == 0) {
																					_t355 = 0;
																				} else {
																					_t226 =  *0xf4f0cc; // 0x0
																					_t112 = _t355 + 8; // 0x8
																					_t330 = _t112;
																					 *_t355 = 0xf0d508;
																					 *(_t355 + 4) = _t226;
																					_v24 = _t226;
																					 *((short*)(_t330 + 0x18)) = 0;
																					if(InitializeCriticalSectionAndSpinCount(_t330, 0) == 0) {
																						_t228 = 0;
																					} else {
																						_t228 = 1;
																					}
																					 *((char*)(_t330 + 0x18)) = _t228;
																					if(_t228 != 1) {
																						__eflags =  *((char*)(_t330 + 0x19));
																						if(__eflags != 0) {
																							__imp__?_ThrowMemoryException_@@YGXXZ();
																						}
																					}
																					_v8 = 0x12;
																					_t229 = _v24;
																					 *(_t355 + 0x24) = 0;
																					 *(_t355 + 0x28) = 0;
																					 *(_t355 + 0x2c) = 0;
																					 *((intOrPtr*)(_t355 + 0x30)) = _t229;
																					_v8 = 0x13;
																					 *(_t355 + 0x34) = 0;
																					 *(_t355 + 0x38) = 0;
																					 *((intOrPtr*)(_t355 + 0x3c)) = _t229;
																					 *((intOrPtr*)(_t355 + 0x40)) = _t229;
																					_v8 = 0x14;
																					 *(_t355 + 0x44) = 0;
																					_v8 = 0x15;
																					 *_t355 = 0xf13368;
																					_v8 = 0x11;
																				}
																				_v8 = 0xffffffff;
																				 *0xf4f08c = _t355;
																				if(_t355 == 0) {
																					goto L101;
																				} else {
																					 *0xf512c4(_t355);
																					 *((intOrPtr*)( *((intOrPtr*)( *_t355 + 4))))();
																					_t329 =  *0xf4f08c; // 0x0
																					_t357 =  *((intOrPtr*)( *_t329 + 0x10));
																					if(_t357 != E00F13410) {
																						 *0xf512c4();
																						_t221 =  *_t357();
																						_t329 =  *0xf4f08c; // 0x0
																					} else {
																						_t221 = E00F13410(_t329);
																					}
																					_t418 = _t221;
																					if(_t221 != 0) {
																						__eflags = _t329;
																						if(_t329 != 0) {
																							 *0xf512c4(1);
																							 *((intOrPtr*)( *((intOrPtr*)( *_t329 + 0xc))))();
																						}
																						 *0xf4f08c = 0;
																						goto L101;
																					} else {
																						if(E00F122DD(_t267, _t329, _t357, _t418) != 0) {
																							goto L101;
																						}
																						goto L74;
																					}
																				}
																			}
																			_t355 = HeapAlloc(_t215, _t309, 0x48);
																			if(_t355 == 0) {
																				__eflags = E00F48131();
																				if(__eflags != 0) {
																					goto L92;
																				}
																			}
																			goto L64;
																		}
																	}
																}
																_t351 = HeapAlloc(_t204, _t301, 0x48);
																if(_t351 == 0) {
																	__eflags = E00F48131();
																	if(__eflags != 0) {
																		goto L89;
																	}
																}
																goto L53;
															}
														}
													}
													_t347 = HeapAlloc(_t193, _t293, 0x30);
													if(_t347 == 0) {
														__eflags = E00F48131();
														if(__eflags != 0) {
															goto L86;
														}
													}
													goto L42;
												}
											}
										}
										_t343 = HeapAlloc(_t182, _t285, 0x30);
										if(_t343 == 0) {
											__eflags = E00F48131();
											if(__eflags != 0) {
												goto L83;
											}
										}
										goto L31;
									}
								}
							}
							_t339 = HeapAlloc(_t171, _t320, 0x30);
							if(_t339 == 0) {
								__eflags = E00F48131();
								if(__eflags != 0) {
									goto L80;
								}
							}
							goto L20;
						}
						_t170 = HeapAlloc(_t276, _t170, 0xc);
						_t338 = _t170;
						if(_t338 == 0) {
							_t170 = E00F48131();
							__eflags = _t170;
							if(__eflags != 0) {
								goto L78;
							}
						}
						goto L14;
					}
				}
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_t335 = GetProcessHeap();
				_v44 = _t335;
				_v8 = 0;
				if(_t335 == 0) {
					L100:
					_t267 = 0x80041006;
					L6:
					_v8 = 0xffffffff;
					if(_t335 != 0 && _t335 != GetProcessHeap()) {
						__eflags = HeapDestroy(_t335);
						if(__eflags == 0) {
							E00F48131();
						} else {
							_v44 = 0;
						}
					}
					if(_t267 < 0) {
						goto L74;
					} else {
						_t269 =  *0xf4f0cc; // 0x0
						goto L10;
					}
				}
				_t359 = HeapAlloc(_t335, 8, 0x14);
				 *0xf4f0cc = _t359;
				if(_t359 == 0) {
					__eflags = E00F48131();
					if(__eflags != 0) {
						goto L100;
					}
					_t359 =  *0xf4f0cc; // 0x0
				}
				_v24 = _t359;
				_v8 = 1;
				if(_t359 != 0) {
					 *_t359 = 0;
					_t359[1] = 0;
					_t359[2] = 0;
					_t359[3] = 0;
					_t359[4] = 0;
					_t359[1] = GetProcessHeap();
				}
				_v8 = 0;
				_t360 =  *0xf4f0cc; // 0x0
				if( *(_t360 + 4) == 0) {
					_t262 = HeapCreate( *(_t360 + 8),  *(_t360 + 0xc),  *(_t360 + 0x10));
					 *(_t360 + 4) = _t262;
					__eflags = _t262;
					if(__eflags != 0) {
						goto L6;
					}
					__eflags = E00F48131();
					if(__eflags != 0) {
						goto L100;
					}
				}
				goto L6;
			}

APIs
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0(0BD26E8F,00000000,00000001,00000001), ref: 00F12C90
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(00000000,00000008,00000014), ref: 00F12CAB
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00F12CEE
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00F12D16
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,0000000C,0BD26E8F,00000000,00000001,00000001), ref: 00F12D64
  • EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(00F133EC,00000000,00000000,00F4F128), ref: 00F12DBE
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000030), ref: 00F12DEC
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(00000008,00000000), ref: 00F12E2F
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000030,?,?,?,?,?,?,?,?,00F12830,0000005C), ref: 00F12ECE
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(00000008,00000000,?,?,?,?,?,?,?,?,00F12830,0000005C), ref: 00F12F11
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000030,?,?,?,?,?,?,?,?,00F12830,0000005C), ref: 00F12FB0
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(00000008,00000000,?,?,?,?,?,?,?,?,00F12830,0000005C), ref: 00F12FF3
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000048,?,?,?,?,?,?,?,?,00F12830,0000005C), ref: 00F13092
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(00000008,00000000,?,?,?,?,?,?,?,?,00F12830,0000005C), ref: 00F130D1
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000048), ref: 00F131A4
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(00000008,00000000), ref: 00F131E3
  • ?_ThrowMemoryException_@@YGXXZ.WBEMCOMN(?,?,?,?,?,?,?,?,00F12830,0000005C), ref: 00F2B491
    • Part of subcall function 00F122DD: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,0000000C,00000004,00F1329E), ref: 00F12338
    • Part of subcall function 00F122DD: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,0000000C,00000004,00F1329E), ref: 00F12387
    • Part of subcall function 00F13925: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\WBEM\CIMOM,00000000,00020119,00F132AB,?,?,00F132AB), ref: 00F1394C
    • Part of subcall function 00F13925: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F132AB,Sink Transmit Buffer Size,00000000,?,00F4F040,?,?,?,00F132AB), ref: 00F13976
    • Part of subcall function 00F13925: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F132AB,?,?,00F132AB), ref: 00F1397F
    • Part of subcall function 00F121FE: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Wbem\Cimom,00000000,00020119,?,?,?,?,00F132B0), ref: 00F12225
    • Part of subcall function 00F121FE: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultRpcStackSize,00000000,00F132B0,?,?,00000000,?,?,?,00F132B0), ref: 00F12252
    • Part of subcall function 00F121FE: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00F132B0), ref: 00F12263
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2B510
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2B518
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Heap$Alloc$CountCriticalInitializeSectionSpin$MemoryProcess$CloseLog@@OpenQueryValue$EventException_@@Object@@RegisterThrowWrite@
  • String ID:
  • API String ID: 1121862496-0
  • Opcode ID: 6b24c57e4c296e756ff72374ec1733ba260e6800e2c89cc47de459acd8be9d5b
  • Instruction ID: f66ddd384fe2321dad90abd29b181aed0cf1d049c8dd099c8356719b227acf2a
  • Opcode Fuzzy Hash: 6b24c57e4c296e756ff72374ec1733ba260e6800e2c89cc47de459acd8be9d5b
  • Instruction Fuzzy Hash: FA42CA31A00759DBD721CF68C9487AEBBF4BF48714F14415AEC46AB391CB74AE84BB90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID:
  • String ID: CLSID$ClientLoadableCLSID$ConcurrentIndependantRequests$DefaultMachineName$DefaultNetworkServiceHost$Enabled$HostingModel$ImpersonationLevel$InitializationReentrancy$InitializationTimeoutInterval$InitializeAsAdminFirst$Name$OperationTimeoutInterval$PerLocaleInitialization$PerUserInitialization$Pure$SecurityDescriptor$SupportsQuotas$SupportsSendStatus$SupportsShutdown$SupportsThrottling$UnloadTimeout$Version$__NAMESPACE$__RELPATH
  • API String ID: 0-829198682
  • Opcode ID: aea6ed8444b5e810de046082bedaa060e16854f0698c800ff7c10d0e3bea307c
  • Instruction ID: 850f35ae62e2400266c03f358c8c64df9a5826454b666e47c706ebfc18342766
  • Opcode Fuzzy Hash: aea6ed8444b5e810de046082bedaa060e16854f0698c800ff7c10d0e3bea307c
  • Instruction Fuzzy Hash: 81D27071E0430A9FDB14CFA4C884BEEBBB4FB08315F140129E516E7291E7B4A985FB65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 23%
			E00F07363(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a20, signed int _a24, signed int _a28, signed int _a32, intOrPtr _a48) {
				long _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v180;
				void* _v184;
				long _v188;
				void* _v192;
				signed int _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				signed int _v208;
				signed int _v212;
				void* _v216;
				signed int _v220;
				signed int _v224;
				long _v228;
				signed int _v232;
				signed int _v236;
				void* _v240;
				intOrPtr _v244;
				void* _v248;
				void* _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				void* _v264;
				void* _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t367;
				signed int _t368;
				signed int _t373;
				intOrPtr _t381;
				intOrPtr* _t385;
				intOrPtr _t387;
				void* _t388;
				long _t393;
				intOrPtr _t394;
				intOrPtr _t399;
				void* _t400;
				void* _t401;
				intOrPtr* _t412;
				intOrPtr _t415;
				void* _t416;
				intOrPtr _t419;
				signed int _t436;
				intOrPtr* _t437;
				signed int _t440;
				intOrPtr _t451;
				intOrPtr _t457;
				intOrPtr* _t460;
				intOrPtr* _t463;
				void* _t466;
				intOrPtr* _t469;
				void* _t474;
				void* _t486;
				signed int _t490;
				signed int _t493;
				signed int _t494;
				signed int _t502;
				signed int _t512;
				signed int _t516;
				intOrPtr _t531;
				intOrPtr* _t533;
				intOrPtr _t536;
				signed int _t541;
				signed int _t547;
				intOrPtr* _t551;
				signed int _t555;
				signed int _t558;
				intOrPtr* _t563;
				signed int _t569;
				signed int _t570;
				intOrPtr* _t577;
				signed int _t578;
				void* _t579;
				long _t581;
				signed int _t582;
				void* _t583;
				signed int _t584;
				signed int _t585;
				void* _t586;
				signed int _t587;
				long _t588;
				signed int _t590;
				intOrPtr _t593;
				long _t605;
				signed int _t620;
				signed int _t627;
				void* _t645;
				intOrPtr* _t652;
				signed int _t654;
				intOrPtr* _t657;
				intOrPtr* _t677;
				intOrPtr* _t690;
				void* _t714;
				void* _t717;
				intOrPtr _t720;
				void* _t721;
				long _t722;
				long _t723;
				intOrPtr* _t724;
				long _t726;
				intOrPtr _t731;
				void* _t732;
				intOrPtr* _t739;
				long _t749;
				signed int _t753;
				intOrPtr* _t755;
				void* _t756;
				long _t758;
				signed int _t763;
				signed int _t764;
				intOrPtr* _t765;
				signed int _t771;
				intOrPtr* _t773;
				signed int _t777;
				void* _t778;
				intOrPtr _t779;

				_push(0xffffffff);
				_push(E00F24461);
				_push( *[fs:0x0]);
				_t779 = _t778 - 0xfc;
				_t367 =  *0xf4f1a4; // 0xbd26e8f
				_t368 = _t367 ^ _t777;
				_v24 = _t368;
				_push(_t368);
				 *[fs:0x0] =  &_v16;
				_v20 = _t779;
				_v244 = _a4;
				_t577 = _a8;
				_v228 = _t577;
				_v200 = _a12;
				_v256 = _a20;
				_t373 = _a24;
				_v220 = _t373;
				_v212 = _a28;
				_t590 = _a32;
				_v196 = _t590;
				_v260 = _t590;
				_t720 = _a48;
				_v204 = _t720;
				if(_t373 != 0) {
					 *0xf53040(_t373,  &_v180, 0x4e);
				}
				if( *(_t720 + 0x7d4) != 0) {
					_v192 = 0;
					 *0xf512c4(_t577, 0xf22640,  &_v192);
					_t753 =  *((intOrPtr*)( *((intOrPtr*)( *_t577))))();
					_t593 =  *0xf4f014; // 0xf4f014
					__eflags = _t593 - 0xf4f014;
					if(_t593 != 0xf4f014) {
						__eflags =  *(_t593 + 0x1c) & 0x00000004;
						if(( *(_t593 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t593 + 0x19)) - 5;
							if( *((char*)(_t593 + 0x19)) >= 5) {
								_t144 = _t593 + 0x14; // 0x20000000
								_t145 = _t593 + 0x10; // 0x40000000
								_t693 = 0xf212f8;
								E00F32A46(0x15, 0xf212f8,  *_t145,  *_t144, _t753);
							}
						}
					}
					__eflags = _t753;
					if(_t753 >= 0) {
						_v252 = 0;
						_v216 = 0;
						_v232 = 0;
						_t693 =  &_v232;
						_t771 = E00F066C5( &_v216,  &_v232,  &_v252, 0);
						__eflags = _t771;
						if(_t771 >= 0) {
							_v188 = 0;
							_v184 = 0;
							_v240 = 3;
							_v208 = 0;
							_t555 =  *0xf53038(0xf03a60,  &_v208);
							__eflags = _t555;
							if(_t555 >= 0) {
								_t570 =  *0xf53030();
								_v236 = _t570;
								__eflags = _t570;
								if(_t570 >= 0) {
									_v240 = E00F07D03();
									 *0xf5302c();
								}
								_t690 = _v208;
								 *0xf512c4(_t690);
								 *((intOrPtr*)( *((intOrPtr*)( *_t690 + 8))))();
								_t771 = _v236;
							}
							__eflags = _t771;
							if(_t771 >= 0) {
								_t717 = _v192;
								_push( &_v188);
								_push( &_v184);
								__eflags = _v240 - 2;
								if(__eflags != 0) {
									_t569 = E00F47DE6(0xf22640, _t717, __eflags);
								} else {
									_t569 = E00F47ECE(0xf22640, _t717, __eflags);
								}
								_t771 = _t569;
							}
							__eflags = _t771 - 0x80041002;
							if(_t771 != 0x80041002) {
								__eflags = _t771;
								if(_t771 >= 0) {
									_t773 = _v184;
									_t558 = E00F47D61(_t773, E00F07D03());
									__eflags = _t558;
									if(_t558 >= 0) {
										_v8 = 2;
										 *0xf512c4(_t773, 0,  *((intOrPtr*)(_t720 + 0x6d8)));
										 *((intOrPtr*)( *((intOrPtr*)( *_t773 + 0xc))))();
										_v8 = 0xffffffff;
									}
									E00F47D18(_v184, _v188);
								}
							} else {
								_v8 = 0;
								_t563 = _v192;
								 *0xf512c4(_t563, 0,  *((intOrPtr*)(_t720 + 0x6d8)));
								 *((intOrPtr*)( *((intOrPtr*)( *_t563 + 0xc))))();
								_v8 = 0xffffffff;
								 *0xf5302c();
							}
							_t693 = _v232;
							E00F1A856(_v216, _v232, _v252);
						}
						_t551 = _v192;
						 *0xf512c4(_t551);
						 *((intOrPtr*)( *((intOrPtr*)( *_t551 + 8))))();
					}
				}
				_v248 = 0;
				_t755 =  *((intOrPtr*)( *_t577));
				_t594 = _t755;
				 *0xf512c4(_t577, 0xf07c5c,  &_v248);
				_t578 =  *_t755();
				_t381 =  *0xf4f014; // 0xf4f014
				if(_t381 != 0xf4f014 && ( *(_t381 + 0x1c) & 0x00000004) != 0) {
					__eflags =  *((char*)(_t381 + 0x19)) - 5;
					if( *((char*)(_t381 + 0x19)) >= 5) {
						_t184 = _t381 + 0x14; // 0x20000000
						_t185 = _t381 + 0x10; // 0x40000000
						_t693 = 0xf212f8;
						_t594 = 0x16;
						E00F32A46(0x16, 0xf212f8,  *_t185,  *_t184, _t578);
						_t381 =  *0xf4f014; // 0xf4f014
					}
				}
				if(_t578 < 0) {
					__eflags =  *(_t720 + 0x7b4);
					if( *(_t720 + 0x7b4) != 0) {
						L186:
						__eflags =  *(_t720 + 0x6f4);
						if( *(_t720 + 0x6f4) != 0) {
							L191:
							_t578 = 0x80041013;
							goto L192;
						}
						__eflags =  *(_t720 + 0x760);
						if( *(_t720 + 0x760) != 0) {
							goto L191;
						}
						__eflags =  *(_t720 + 0x798);
						if( *(_t720 + 0x798) != 0) {
							goto L191;
						}
						__eflags =  *(_t720 + 0x7d4);
						if( *(_t720 + 0x7d4) != 0) {
							goto L191;
						}
						_t578 = 0;
						goto L61;
					}
					__eflags =  *(_t720 + 0x7ec);
					if( *(_t720 + 0x7ec) == 0) {
						goto L191;
					}
					goto L186;
				} else {
					if( *(_t720 + 0x668) != 0) {
						__eflags =  *(_t720 + 0x664);
						if(__eflags == 0) {
							goto L6;
						}
						_t494 = E00F19D72(_t594, __eflags, 0x18);
						_t779 = _t779 + 4;
						_t587 = _t494;
						_v188 = _t494;
						_v236 = _t587;
						_v8 = 4;
						__eflags = _t587;
						if(_t587 == 0) {
							_t587 = 0;
							__eflags = 0;
							_v188 = 0;
							_v228 = 0;
						} else {
							 *_t587 = 0xf06520;
							 *(_t587 + 4) = 0;
							 *(_t587 + 8) = 0;
							 *(_t587 + 0xc) = 0;
							 *(_t587 + 0x10) = 0;
							 *(_t587 + 0x14) = 0;
							_v228 = _t494;
						}
						_v8 = 0xffffffff;
						__eflags = _t587;
						if(_t587 == 0) {
							L77:
							_t578 = 0x80041006;
							L59:
							_t385 = _v248;
							 *0xf512c4(_t385);
							_t381 =  *((intOrPtr*)( *((intOrPtr*)( *_t385 + 8))))();
							if(_t578 < 0) {
								L192:
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t578);
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
							}
							_t381 =  *0xf4f014; // 0xf4f014
							L61:
							if(_t381 != 0xf4f014 && ( *(_t381 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t381 + 0x19)) - 2;
								if( *((char*)(_t381 + 0x19)) >= 2) {
									_t364 = _t381 + 0x14; // 0x20000000
									_t365 = _t381 + 0x10; // 0x40000000
									_t693 = 0xf212f8;
									E00F32A46(0x1b, 0xf212f8,  *_t365,  *_t364, _t578);
								}
							}
							 *[fs:0x0] = _v16;
							_pop(_t721);
							_pop(_t756);
							_pop(_t579);
							return E00F01CA0(_t578, _t579, _v24 ^ _t777, _t693, _t721, _t756);
						} else {
							 *0xf512c4(_t587);
							 *((intOrPtr*)( *((intOrPtr*)( *_t587 + 4))))();
							_t651 = _t587;
							_t578 = E00F405E1(_t587,  *((intOrPtr*)(_t720 + 0x6e8)));
							__eflags = _t578;
							if(__eflags < 0) {
								L147:
								_t652 = _v188;
								 *0xf512c4(_t652);
								 *((intOrPtr*)( *((intOrPtr*)( *_t652 + 8))))();
								goto L6;
							}
							_t502 = E00F19D72(_t651, __eflags, 0x18);
							_t779 = _t779 + 4;
							_v236 = _t502;
							_v8 = 5;
							__eflags = _t502;
							if(_t502 == 0) {
								_t654 = 0;
								__eflags = 0;
								_v192 = 0;
							} else {
								_t547 = E00F404DF(_t502, _v188);
								_t654 = _t547;
								_v192 = _t547;
							}
							_v8 = 0xffffffff;
							__eflags = _t654;
							if(_t654 == 0) {
								_t578 = 0x80041006;
								goto L147;
							} else {
								 *0xf512c4(_t654);
								 *((intOrPtr*)( *((intOrPtr*)( *_t654 + 4))))();
								_v252 = 0;
								_v264 = 0;
								_v208 = 0;
								_t693 =  &_v208;
								_t578 = E00F066C5( &_v264,  &_v208,  &_v252, 0);
								__eflags = _t578;
								if(_t578 < 0) {
									L145:
									_t657 = _v192;
									 *0xf512c4(_t657);
									 *((intOrPtr*)( *((intOrPtr*)( *_t657 + 8))))();
									goto L147;
								}
								_v240 = 0;
								_v184 = 0;
								_t763 = 3;
								_v232 = 3;
								_v216 = 0;
								_t512 =  *0xf53038(0xf03a60,  &_v216);
								__eflags = _t512;
								if(_t512 >= 0) {
									_t578 =  *0xf53030();
									__eflags = _t578;
									if(_t578 >= 0) {
										_v232 = E00F07D03();
										 *0xf5302c();
									}
									_t677 = _v216;
									 *0xf512c4(_t677);
									 *((intOrPtr*)( *((intOrPtr*)( *_t677 + 8))))();
									_t763 = _v232;
								}
								__eflags = _t578;
								if(_t578 >= 0) {
									_t714 = _v248;
									_push( &_v240);
									_push( &_v184);
									__eflags = _t763 - 2;
									if(__eflags != 0) {
										_t541 = E00F47DE6(0xf07c5c, _t714, __eflags);
									} else {
										_t541 = E00F47ECE(0xf07c5c, _t714, __eflags);
									}
									_t578 = _t541;
								}
								__eflags = _t578 - 0x80041002;
								if(_t578 != 0x80041002) {
									__eflags = _t578;
									if(_t578 < 0) {
										_t764 = _v220;
										goto L143;
									}
									_t765 = _v184;
									_v236 = _t765;
									_t578 = E00F47D61(_t765, E00F07D03());
									__eflags = _t578;
									if(_t578 < 0) {
										_t764 = _v220;
									} else {
										_v8 = 8;
										asm("sbb eax, eax");
										 *0xf512c4(_v236, 0, 0, _v200,  ~( *(_t720 + 0x66c)) & _v196, _v244, _v256, _v192);
										_t578 =  *((intOrPtr*)( *((intOrPtr*)( *_t765 + 0xc))))();
										_v224 = _t578;
										_v8 = 0xffffffff;
										_t764 = _v220;
										_t531 =  *0xf4f014; // 0xf4f014
										__eflags = _t531 - 0xf4f014;
										if(_t531 != 0xf4f014) {
											__eflags =  *(_t531 + 0x1c) & 0x00000004;
											if(( *(_t531 + 0x1c) & 0x00000004) != 0) {
												__eflags =  *((char*)(_t531 + 0x19)) - 5;
												if( *((char*)(_t531 + 0x19)) >= 5) {
													_t261 = _t531 + 0x14; // 0x20000000
													_t262 = _t531 + 0x10; // 0x40000000
													E00F32A46(0x18, 0xf212f8,  *_t262,  *_t261, _t578);
												}
											}
										}
									}
									E00F47D18(_v184, _v240);
									goto L139;
								} else {
									_v8 = 6;
									asm("sbb ecx, ecx");
									_t533 = _v248;
									 *0xf512c4(_t533, 0, 0, _v200,  ~( *(_t720 + 0x66c)) & _v196, _v244, _v256, _v192);
									_t578 =  *((intOrPtr*)( *((intOrPtr*)( *_t533 + 0xc))))();
									_v224 = _t578;
									_t536 =  *0xf4f014; // 0xf4f014
									__eflags = _t536 - 0xf4f014;
									if(_t536 != 0xf4f014) {
										__eflags =  *(_t536 + 0x1c) & 0x00000004;
										if(( *(_t536 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t536 + 0x19)) - 5;
											if( *((char*)(_t536 + 0x19)) >= 5) {
												_t239 = _t536 + 0x14; // 0x20000000
												_t240 = _t536 + 0x10; // 0x40000000
												E00F32A46(0x17, 0xf212f8,  *_t240,  *_t239, _t578);
											}
										}
									}
									_v8 = 0xffffffff;
									_t764 = _v220;
									 *0xf5302c();
									L139:
									__eflags = _t578;
									if(_t578 < 0) {
										L143:
										asm("sbb edx, edx");
										asm("sbb ecx, ecx");
										asm("sbb eax, eax");
										_t516 =  ~( *(_t720 + 0x668)) & _v212;
										__eflags = _t516;
										__imp__WmiSetAndCommitObject( *0xf4f760, 1, _v200,  *((intOrPtr*)(_t720 + 0x38)), _t516,  ~( *(_t720 + 0x66c)) & _v196,  ~_t764 &  &_v180, _t578);
										_t779 = _t779 + 0x20;
										_t578 = 0x80041013;
										L144:
										_t693 = _v208;
										E00F1A856(_v264, _v208, _v252);
										goto L145;
									}
									_t588 = _v188;
									E00F32161(_t588,  *((intOrPtr*)(_t720 + 0x694)));
									_t578 =  *(_t588 + 0x10);
									__eflags = _t578;
									if(_t578 < 0) {
										goto L143;
									}
									asm("sbb edx, edx");
									asm("sbb ecx, ecx");
									asm("sbb eax, eax");
									__imp__WmiSetAndCommitObject( *0xf4f764, 1, _v200,  *((intOrPtr*)(_t720 + 0x38)),  ~( *(_t720 + 0x668)) & _v212,  ~( *(_t720 + 0x66c)) & _v196,  ~_t764 &  &_v180);
									_t779 = _t779 + 0x1c;
									goto L144;
								}
							}
						}
						L66:
						_t758 = 0;
						L9:
						_v236 = _t758;
						_v8 = 0xa;
						if(_t758 == 0) {
							_t758 = 0;
						} else {
							 *_t758 = 0xf06520;
							 *(_t758 + 4) = 0;
							 *(_t758 + 8) = 0;
							 *(_t758 + 0xc) = 0;
							 *(_t758 + 0x10) = 0;
							 *(_t758 + 0x14) = 0;
						}
						_v228 = _t758;
						_v8 = 0xffffffff;
						if(_t758 == 0) {
							goto L77;
						}
						_t722 =  *( *_t758 + 4);
						_t606 = _t722;
						 *0xf512c4(_t758);
						 *_t722();
						_t723 =  *(_v204 + 0x6e8);
						_t393 = CreateEventW(0, 0, 0, 0);
						 *(_t758 + 0xc) = _t393;
						if(_t393 == 0) {
							_t578 = 0x80041006;
							L151:
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t578);
							_t606 = _t393;
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
							L14:
							_t394 =  *0xf4f014; // 0xf4f014
							if(_t394 != 0xf4f014 && ( *(_t394 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t394 + 0x19)) - 2;
								if( *((char*)(_t394 + 0x19)) >= 2) {
									_t293 = _t394 + 0x14; // 0x20000000
									_t294 = _t394 + 0x10; // 0x40000000
									_t693 = 0xf212e8;
									_t606 = 0xa;
									E00F32A46(0xa, 0xf212e8,  *_t294,  *_t293, _t578);
								}
							}
							if(_t578 < 0) {
								L57:
								_t124 =  *_t758 + 8; // 0x0
								_t724 =  *_t124;
								_push(_t758);
								if(_t724 != E00F0C4C0) {
									 *0xf512c4();
									 *_t724();
								} else {
									E00F0C4C0(_t606, _t693);
								}
								goto L59;
							} else {
								_t399 =  *0xf4f0cc; // 0x0
								_t606 =  *(_t399 + 8) & 0x00000005 | 0x00000008;
								_t400 =  *(_t399 + 4);
								if(_t400 == 0) {
									L71:
									_t581 = 0;
									_v188 = 0;
									L19:
									_v236 = _t581;
									_v8 = 0xb;
									if(_t581 == 0) {
										_t581 = 0;
										_v188 = 0;
									} else {
										 *_t581 = 0xf06484;
										 *(_t581 + 4) = 0;
										 *(_t581 + 8) = 0;
										 *(_t581 + 0xc) = 0;
										 *(_t581 + 0x10) = 0;
										 *(_t581 + 0x14) = _t758;
										_t693 = 0xf4f0f8;
										asm("lock xadd [edx], eax");
										asm("lock xadd [eax], ecx");
										_t606 =  *(_t581 + 0x14);
										if(_t606 != 0) {
											_t486 =  *_t606;
											_t57 = _t486 + 4; // 0x0
											_t749 =  *_t57;
											_t606 = _t749;
											 *0xf512c4(_t606);
											 *_t749();
										}
									}
									_v208 = _t581;
									_v8 = 0xffffffff;
									if(_t581 == 0) {
										_t578 = 0x80041006;
										goto L57;
									}
									_t401 =  *_t581;
									_t60 = _t401 + 4; // 0x0
									 *0xf512c4(_t581);
									 *((intOrPtr*)( *_t60))();
									_v236 = 0;
									_v268 = 0;
									_v252 = 0;
									_t693 =  &_v252;
									_t578 = E00F066C5( &_v268,  &_v252,  &_v236, 0);
									if(_t578 < 0) {
										L55:
										_t606 = _v188;
										_t726 =  *( *_t606 + 8);
										_push(_t606);
										if(_t726 != E00F0C400) {
											_t606 = _t726;
											 *0xf512c4();
											 *_t726();
										} else {
											E00F0C400();
										}
										goto L57;
									}
									_v184 = 0;
									_v192 = 0;
									_t582 = 3;
									_v264 = 0;
									_push( &_v264);
									_push(0xf03a60);
									if( *0xf53038() < 0) {
										L28:
										_t412 = _v248;
										_v216 = _t412;
										_v184 = 0;
										_v232 = 0;
										 *0xf512c4(_t412, 0xf07c5c,  &_v232);
										_t583 =  *((intOrPtr*)( *((intOrPtr*)( *_t412))))();
										if(_t583 < 0) {
											L33:
											if(_t583 != 0x80041002) {
												_t584 = 0x8004100a;
												goto L166;
											}
											goto L34;
										} else {
											_v240 = 0;
											_t460 = _v216;
											 *0xf512c4(_t460, E00F06690,  &_v240);
											_t586 =  *((intOrPtr*)( *((intOrPtr*)( *_t460))))();
											if(_t586 >= 0) {
												_t463 = _v240;
												 *0xf512c4(_t463, _v216,  &_v192);
												_t583 =  *((intOrPtr*)( *((intOrPtr*)( *_t463 + 0x14))))();
												_t466 = _v240;
												 *0xf512c4(_t466);
												 *((intOrPtr*)( *((intOrPtr*)( *_t466 + 8))))();
											} else {
												if(_t586 == 0x80004002) {
													_t583 = 0x80041002;
												}
											}
											_t469 = _v232;
											 *0xf512c4(_t469);
											 *((intOrPtr*)( *((intOrPtr*)( *_t469 + 8))))();
											if(_t583 >= 0) {
												_t584 =  *0xf53030();
												__eflags = _t584;
												if(_t584 < 0) {
													_t584 = 0x80041003;
													L165:
													E00F47D18(_v192, _v184);
													goto L166;
												}
												_v184 = 1;
												_t474 = E00F07D03();
												__eflags = _t474 - 3;
												if(_t474 != 3) {
													__eflags = _t474 - 4;
													if(_t474 != 4) {
														_t779 = _t779 - 0x14;
														_t584 = E00F4D336(_v192);
													}
												}
												__eflags = _t584;
												if(_t584 >= 0) {
													goto L166;
												} else {
													goto L165;
												}
											}
											goto L33;
										}
									} else {
										if( *0xf53030() >= 0) {
											_t582 = E00F07D03();
											 *0xf5302c();
										}
										_t645 = _v264;
										 *0xf512c4(_t645);
										 *((intOrPtr*)( *((intOrPtr*)( *_t645 + 8))))();
										if(_t582 == 2) {
											_t584 = E00F47ECE(0xf07c5c, _v248, __eflags,  &_v192,  &_v184);
											L166:
											__eflags = _t584 - 0x80041002;
											if(_t584 == 0x80041002) {
												L34:
												_v8 = 0xc;
												_t415 = _v204;
												if( *((intOrPtr*)(_t415 + 0x66c)) != 0) {
													_t585 = _v196;
												} else {
													_t585 = 0;
												}
												asm("sbb edx, edx");
												_t693 =  ~( *(_t415 + 0x668)) & _v212;
												_t416 = _v248;
												 *0xf512c4(_t416,  ~( *(_t415 + 0x668)) & _v212, 0, _v200, _t585, _v244, _v256, _v188);
												_t584 =  *((intOrPtr*)( *((intOrPtr*)( *_t416 + 0xc))))();
												_v224 = _t584;
												_t419 =  *0xf4f014; // 0xf4f014
												if(_t419 != 0xf4f014 && ( *(_t419 + 0x1c) & 0x00000004) != 0) {
													__eflags =  *((char*)(_t419 + 0x19)) - 5;
													if( *((char*)(_t419 + 0x19)) >= 5) {
														_t325 = _t419 + 0x14; // 0x20000000
														_t326 = _t419 + 0x10; // 0x40000000
														_t693 = 0xf212f8;
														E00F32A46(0x19, 0xf212f8,  *_t326,  *_t325, _t584);
													}
												}
												_v8 = 0xffffffff;
												_t731 = _v204;
												 *0xf5302c();
												L40:
												if(_t584 < 0) {
													L180:
													asm("sbb edx, edx");
													_t693 =  ~_v220 &  &_v180;
													asm("sbb ecx, ecx");
													asm("sbb eax, eax");
													__imp__WmiSetAndCommitObject( *0xf4f760, 1, _v200,  *((intOrPtr*)(_t731 + 0x38)),  ~( *(_t731 + 0x668)) & _v212,  ~( *(_t731 + 0x66c)) & _v196,  ~_v220 &  &_v180, _t584);
													_t578 = 0x80041013;
													L48:
													_v232 = _v252;
													_t732 = _v268;
													_v184 = _t732;
													_v216 = 0;
													_push( &_v216);
													_push(_t732);
													if( *0xf53034() >= 0) {
														if(_t732 != 0 && _v236 != 0) {
															_v208 = 0;
															 *0xf512c4(_v184, 0xf068b0,  &_v208);
															_t436 =  *((intOrPtr*)( *( *_t732)))();
															__eflags = _t436;
															if(_t436 >= 0) {
																_t437 = _v208;
																 *0xf512c4(_t437);
																 *((intOrPtr*)( *((intOrPtr*)( *_t437 + 0x10))))();
																_t440 = _v208;
																 *0xf512c4(_t440);
																 *((intOrPtr*)( *((intOrPtr*)( *_t440 + 8))))();
															}
															_t732 = _v184;
														}
														_t620 = _v232;
														if(_t620 != 0) {
															 *0xf512c4(_t620);
															 *((intOrPtr*)( *((intOrPtr*)( *_t620 + 8))))();
															_t732 = _v184;
														}
													}
													if(_t732 != 0) {
														 *0xf512c4(_t732);
														 *((intOrPtr*)( *((intOrPtr*)( *_t732 + 8))))();
													}
													goto L55;
												}
												if(WaitForSingleObject( *(_t758 + 0xc),  *(_t731 + 0x694)) == 0x102) {
													 *(_t758 + 0x10) = 0x80041013;
												}
												_t584 =  *(_t758 + 0x10);
												if(_t584 < 0) {
													goto L180;
												} else {
													if(_v220 != 0) {
														_t627 =  &_v180;
													} else {
														_t627 = 0;
													}
													if( *(_t731 + 0x66c) == 0) {
														_v196 = 0;
													}
													asm("sbb eax, eax");
													__imp__WmiSetAndCommitObject( *0xf4f764, 1, _v200,  *((intOrPtr*)(_t731 + 0x38)),  ~( *(_t731 + 0x668)) & _v212, _v196, _t627);
													goto L48;
												}
											}
											__eflags = _t584;
											if(_t584 < 0) {
												_t731 = _v204;
												goto L180;
											}
											_t739 = _v192;
											_v216 = _t739;
											_t584 = E00F47D61(_t739, E00F07D03());
											__eflags = _t584;
											if(_t584 < 0) {
												_t731 = _v204;
												L177:
												_t693 = _v184;
												E00F47D18(_v192, _v184);
												goto L40;
											}
											_v8 = 0xe;
											_t451 = _v204;
											asm("sbb edx, edx");
											asm("sbb eax, eax");
											 *0xf512c4(_v216,  ~( *(_t451 + 0x668)) & _v212, 0, _v200,  ~( *(_t451 + 0x66c)) & _v196, _v244, _v256, _v188);
											_t584 =  *((intOrPtr*)( *((intOrPtr*)( *_t739 + 0xc))))();
											_v224 = _t584;
											_v8 = 0xffffffff;
											_t731 = _v204;
											_t457 =  *0xf4f014; // 0xf4f014
											__eflags = _t457 - 0xf4f014;
											if(_t457 == 0xf4f014) {
												goto L177;
											} else {
												__eflags =  *(_t457 + 0x1c) & 0x00000004;
												if(( *(_t457 + 0x1c) & 0x00000004) == 0) {
													goto L177;
												}
												__eflags =  *((char*)(_t457 + 0x19)) - 5;
												if( *((char*)(_t457 + 0x19)) < 5) {
													goto L177;
												}
												_t332 = _t457 + 0x14; // 0x20000000
												_t333 = _t457 + 0x10; // 0x40000000
												E00F32A46(0x1a, 0xf212f8,  *_t333,  *_t332, _t584);
												_t693 = _v184;
												E00F47D18(_v192, _v184);
												goto L40;
											}
										}
										goto L28;
									}
								}
								_t581 = HeapAlloc(_t400, _t606, 0x18);
								_v188 = _t581;
								if(_t581 == 0) {
									_t490 = E00F48131();
									__eflags = _t490;
									if(_t490 != 0) {
										goto L71;
									}
								}
								goto L19;
							}
						}
						if(_t723 != 0) {
							_t291 = _t758 + 0x14; // 0x14
							_t693 = _t291;
							_t606 = _t723;
							_t393 = E00F47FFF(_t723, _t291);
							_t578 = _t393;
							__eflags = _t578;
							if(_t578 >= 0) {
								goto L14;
							}
							goto L151;
						}
						goto L14;
					}
					L6:
					if(_t578 < 0) {
						goto L59;
					}
					_t387 =  *0xf4f0cc; // 0x0
					_t605 =  *(_t387 + 8) & 0x00000005 | 0x00000008;
					_t388 =  *(_t387 + 4);
					if(_t388 == 0) {
						goto L66;
					}
					_t758 = HeapAlloc(_t388, _t605, 0x18);
					if(_t758 == 0) {
						_t493 = E00F48131();
						__eflags = _t493;
						if(_t493 != 0) {
							goto L66;
						}
					}
					goto L9;
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07470
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000), ref: 00F074F5
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07549
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?), ref: 00F077EE
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,00F07BF8,?,?,00000000), ref: 00F07855
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AllocHeapObject$CommitCreateEventSingleWait
  • String ID:
  • API String ID: 3803894061-0
  • Opcode ID: 123a11c790c6ce468e7547655d90fcea190eca1c864c896380c879746c1e2960
  • Instruction ID: c9533f594e0e1139e548b6f837f75209b110ce3f0a6ce09e6c547fb8fac754b8
  • Opcode Fuzzy Hash: 123a11c790c6ce468e7547655d90fcea190eca1c864c896380c879746c1e2960
  • Instruction Fuzzy Hash: 82A2B070A04329DFDB24DF54CD84BA9BBB6BF48314F1041E9EA09A7291CB75AD84EF50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 90%
			E00F047AD(intOrPtr __edx) {
				char _v16;
				signed int _v24;
				long _v28;
				intOrPtr _v32;
				signed int _v40;
				intOrPtr _v44;
				long _v56;
				char _v64;
				char _v68;
				unsigned int _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t36;
				signed int _t38;
				intOrPtr _t41;
				void* _t44;
				intOrPtr _t45;
				void* _t46;
				intOrPtr _t49;
				void* _t50;
				void* _t51;
				long _t58;
				void* _t63;
				intOrPtr _t64;
				int _t65;
				char* _t67;
				char* _t69;
				char* _t71;
				void* _t76;
				void* _t77;
				intOrPtr _t84;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t101;
				void* _t102;
				long _t104;
				void* _t106;
				void* _t107;
				signed int _t108;
				signed int _t110;

				_t98 = __edx;
				_push(0xffffffff);
				_push(0xf24d14);
				_push( *[fs:0x0]);
				_t110 = (_t108 & 0xfffffff8) - 0x28;
				_t36 =  *0xf4f1a4; // 0xbd26e8f
				_v24 = _t36 ^ _t110;
				_push(_t101);
				_t38 =  *0xf4f1a4; // 0xbd26e8f
				_push(_t38 ^ _t110);
				 *[fs:0x0] =  &_v16;
				_t41 =  *0xf4f0cc; // 0x0
				_t104 = 0xb8;
				_t80 =  *(_t41 + 8) & 0x00000005 | 0x00000008;
				if( *((intOrPtr*)(_t41 + 4)) == 0) {
					L24:
					_t101 = 0;
					goto L27;
				} else {
					L6:
					__eax = HeapAlloc(__eax, __ecx, 0xb8);
					__edi = __eax;
					__eflags = __edi;
					if(__edi == 0) {
						__eax = E00F48131();
						__eflags = __eax;
						if(__eax != 0) {
							goto L24;
						}
						L27:
						__eflags = _t101;
						if(_t101 != 0) {
							while(1) {
								L8:
								_t44 = NtQuerySystemInformation(5, _t101, _t104,  &_v56);
								__eflags = _t44 - 0xc0000004;
								if(_t44 != 0xc0000004) {
									break;
								}
								goto L1;
							}
							__eflags = _t44;
							if(_t44 < 0) {
								_t84 =  *0xf4f0cc; // 0x0
								E00F04A17(_t84, _t101);
								L47:
								_t51 = 0;
								L17:
								 *[fs:0x0] = _v32;
								_pop(_t102);
								_pop(_t106);
								_pop(_t76);
								return E00F01CA0(_t51, _t76, _v40 ^ _t110, _t98, _t102, _t106);
							}
							_t77 = 1;
							_t107 = _t101;
							do {
								_t58 = GetCurrentProcessId();
								__eflags =  *((intOrPtr*)(_t107 + 0x44)) - _t58;
								if( *((intOrPtr*)(_t107 + 0x44)) == _t58) {
									__eflags =  *((intOrPtr*)(_t107 + 0x4c)) -  *0xf4f020; // 0x1000
									if(__eflags > 0) {
										L33:
										E00F2DC90( &_v68, _t80);
										_v28 = 0;
										E00F2E812(_t77,  &_v72, _t98, _t101, _t107, __eflags);
										_t99 =  *((intOrPtr*)(_t107 + 0x4c));
										_t91 =  *0xf4f020; // 0x1000
										__eflags =  *((intOrPtr*)(_t107 + 0x4c)) - _t91;
										if( *((intOrPtr*)(_t107 + 0x4c)) > _t91) {
											__eflags = _v44 - 8;
											_t71 = _v64;
											if(_v44 < 8) {
												_t71 =  &_v64;
											}
											E00F2EF89(L"HandleCount", _t99, _t91, _t71);
											_t77 = 0;
											__eflags = 0;
										}
										_t100 =  *((intOrPtr*)(_t107 + 4));
										_t92 =  *0xf4f01c; // 0x1000
										__eflags =  *((intOrPtr*)(_t107 + 4)) - _t92;
										if( *((intOrPtr*)(_t107 + 4)) <= _t92) {
											L41:
											_t98 =  *((intOrPtr*)(_t107 + 0x84));
											_t93 =  *0xf4f018; // 0x10000000
											__eflags =  *((intOrPtr*)(_t107 + 0x84)) - _t93;
											if( *((intOrPtr*)(_t107 + 0x84)) <= _t93) {
												L45:
												_t80 =  &_v68;
												_v24 = 0xffffffff;
												E00F2F9E8( &_v68, 1, 0);
												goto L12;
											}
											__eflags = _v44 - 8;
											_t67 = _v64;
											if(_v44 < 8) {
												_t67 =  &_v64;
											}
											E00F2EF89(L"PrivatePageCount", _t98, _t93, _t67);
											_t77 = 0;
											__eflags = 0;
											goto L45;
										} else {
											__eflags = _v44 - 8;
											_t69 = _v64;
											if(_v44 < 8) {
												_t69 =  &_v64;
											}
											E00F2EF89(L"ThreadCount", _t100, _t92, _t69);
											_t77 = 0;
											__eflags = 0;
											goto L41;
										}
									}
									__eflags =  *((intOrPtr*)(_t107 + 4)) -  *0xf4f01c; // 0x1000
									if(__eflags > 0) {
										goto L33;
									}
									__eflags =  *((intOrPtr*)(_t107 + 0x84)) -  *0xf4f018; // 0x10000000
									if(__eflags <= 0) {
										goto L12;
									}
									__eflags =  *0xf504d4;
									if( *0xf504d4 != 0) {
										goto L12;
									} else {
										goto L33;
									}
								}
								L12:
								_t63 =  *_t107;
								__eflags = _t63;
								if(_t63 == 0) {
									break;
								}
								_t107 = _t107 + _t63;
								__eflags = _t107;
							} while (_t107 != 0);
							_t64 =  *0xf4f0cc; // 0x0
							_t94 =  *(_t64 + 4);
							__eflags = _t94;
							if(_t94 != 0) {
								_t65 = HeapFree(_t94, 0, _t101);
								__eflags = _t65;
								if(_t65 == 0) {
									E00F48131();
								}
							}
							_t51 = _t77;
							goto L17;
						}
						goto L47;
					}
					goto L8;
				}
				L1:
				_t45 =  *0xf4f0cc; // 0x0
				_t46 =  *(_t45 + 4);
				if(_t46 != 0 && HeapFree(_t46, 0, _t101) == 0) {
					E00F48131();
				}
				_t104 = _v72 + 0x8000 + (_v72 >> 4);
				_t49 =  *0xf4f0cc; // 0x0
				_t50 =  *(_t49 + 4);
				_t80 =  *(_t49 + 8) & 0x00000005 | 0x00000008;
				if(_t50 == 0) {
					L25:
					_t101 = 0;
					goto L30;
				} else {
					_t101 = HeapAlloc(_t50, _t80, _t104);
					if(_t101 != 0) {
						goto L8;
					}
					if(E00F48131() != 0) {
						goto L25;
					} else {
						L30:
						if(_t101 != 0) {
							goto L8;
						}
						_t51 = 0;
						goto L17;
					}
					goto L6;
				}
			}

APIs
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000), ref: 00F0475C
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?), ref: 00F04797
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,000000B8,0BD26E8F), ref: 00F04807
  • NtQuerySystemInformation.NTDLL(00000005,00000000,000000B8,0BD26E8F), ref: 00F04822
  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00F04842
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000), ref: 00F04867
    • Part of subcall function 00F48131: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(00F2B381), ref: 00F48131
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Heap$AllocFree$CurrentErrorInformationLastProcessQuerySystem
  • String ID: HandleCount$PrivatePageCount$ThreadCount
  • API String ID: 2501119509-1022455807
  • Opcode ID: 9b4c6c6ead6fa24efcac815bd5ca8de3845f8c07c484911a7935442b7369d7a0
  • Instruction ID: 41bcac72cc12ea2dfaf8a5e6b89266d61394dff6259ae7863287c64928b98ff1
  • Opcode Fuzzy Hash: 9b4c6c6ead6fa24efcac815bd5ca8de3845f8c07c484911a7935442b7369d7a0
  • Instruction Fuzzy Hash: DF61B075A042418FD724DB24EC94B2A77E9EBC5351F14892DFA5AC3291DB30EC04FB62
Uniqueness

Uniqueness Score: -1.00%

APIs
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,0BD26E8F,00000000,00000001,00000001), ref: 00F1630A
  • EventUnregister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(00000000,00000000,0BD26E8F,00000000,00000001,00000001), ref: 00F16508
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0(0BD26E8F,00000000,00000001,00000001), ref: 00F16525
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(00000000,00000000), ref: 00F16544
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00F1655D
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Heap$FreeProcess$EventUnregister
  • String ID:
  • API String ID: 2225842419-0
  • Opcode ID: f199685b5bf4a45cd1cc00253f195f8beaea62c3e925c4a447d0ec0821b854e6
  • Instruction ID: eeaa0ad10ddff12cc25a7c72004514984ea3323f62500bde580ea5ad1189edba
  • Opcode Fuzzy Hash: f199685b5bf4a45cd1cc00253f195f8beaea62c3e925c4a447d0ec0821b854e6
  • Instruction Fuzzy Hash: 53B19535F00528CFCB159F28EC546AD77A6BBD8721B150068ED06DB392CB34AC85FB95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 98%
			E00F0D75D(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				short _v10;
				char _v12;
				char _v16;
				short _v24;
				short _v28;
				short _v36;
				char _v40;
				short _v44;
				short _v48;
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				char _v76;
				void* _v80;
				char _v84;
				void* _v88;
				char _v92;
				int _v96;
				intOrPtr _v100;
				intOrPtr* _v104;
				int _v108;
				short _v112;
				char _v116;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t237;
				void* _t241;
				signed short _t284;
				signed int _t286;
				signed short _t287;
				int _t291;
				signed int _t292;
				signed short _t293;
				intOrPtr _t297;
				signed int _t298;
				signed short _t299;
				intOrPtr _t303;
				signed int _t304;
				signed short _t305;
				signed int _t311;
				signed short _t312;
				intOrPtr* _t317;
				signed int _t318;
				signed int _t323;
				signed int _t327;
				signed int _t330;
				signed int _t331;
				signed int _t334;
				signed int _t335;
				signed int _t338;
				signed int _t339;
				signed int _t342;
				signed int _t343;
				signed int _t346;
				void* _t351;
				intOrPtr _t352;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				void* _t363;
				intOrPtr _t364;
				signed int _t371;
				signed int* _t372;
				signed int _t374;
				signed int* _t375;
				signed int _t377;
				signed int* _t378;
				signed int _t380;
				signed int* _t381;
				signed int _t383;
				signed int* _t384;
				signed int _t387;
				signed int* _t388;
				signed int _t391;
				intOrPtr _t396;
				void* _t400;
				signed int _t402;
				void* _t403;
				intOrPtr* _t404;
				intOrPtr _t406;
				intOrPtr _t410;
				signed int _t411;
				signed int _t412;
				void* _t414;
				signed int _t415;
				void* _t416;
				signed int _t417;
				void* _t418;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t423;
				void* _t425;
				signed int _t426;

				_t237 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t237 ^ _t426;
				_t402 = _a4;
				_t351 = 0x80041021;
				_v100 = __ecx;
				if(_t402 != 0) {
					_t391 = _t402;
					_t4 = _t391 + 2; // 0xf0f21a
					_t363 = _t4;
					do {
						_t241 =  *_t391;
						_t391 = _t391 + 2;
					} while (_t241 != 0);
					_t390 = _t391 - _t363 >> 1;
					if(_t391 - _t363 >> 1 == 0x19) {
						_v116 = 0;
						_v76 = 0;
						_v52 = 0;
						_push(_t403);
						_v12 = 0xffffffff;
						_t9 = _t402 + 0x2a; // 0xf0f242
						_t404 = _t9;
						_v64 = 0xffffffff;
						_v68 = 0xffffffff;
						_v60 = 0xffffffff;
						_v56 = 0xffffffff;
						_v72 = 0xffffffff;
						_v44 = 0xffffffff;
						_v48 = 0xffffffff;
						_v112 = 0xffffffff;
						_v108 = 1;
						_v96 = 1;
						_v92 = 0;
						_v84 = 0;
						_v88 = 0;
						_v80 = 0;
						_v104 = _t404;
						if(0x3a !=  *_t404) {
							_v112 = 0;
							if(E00F493FC(_t402, _t402, 4,  &_v12,  &_v116) == 0) {
								goto L101;
							} else {
								_t194 = _t402 + 8; // 0xf0f220
								if(E00F493FC(_t402, _t194, 2,  &_v64,  &_v108) == 0) {
									goto L101;
								} else {
									_t197 = _t402 + 0xc; // 0xf0f224
									if(E00F493FC(_t402, _t197, 2,  &_v68,  &_v96) == 0) {
										goto L101;
									} else {
										_t200 = _t402 + 0x10; // 0xf0f228
										if(E00F493FC(_t402, _t200, 2,  &_v60,  &_v92) == 0) {
											goto L101;
										} else {
											_t203 = _t402 + 0x14; // 0xf0f22c
											if(E00F493FC(_t402, _t203, 2,  &_v56,  &_v84) == 0) {
												goto L101;
											} else {
												_t206 = _t402 + 0x18; // 0xf0f230
												if(E00F493FC(_t402, _t206, 2,  &_v72,  &_v88) == 0) {
													goto L101;
												} else {
													_t207 = _t402 + 0x1c; // 0x458bff33
													if(0x2e !=  *_t207) {
														goto L101;
													} else {
														_t210 = _t402 + 0x1e; // 0xf0f236
														if(E00F493FC(_t402, _t210, 6,  &_v44,  &_v80) == 0 || E00F494C2(_t404,  &_v48,  &_v52, 1) == 0) {
															goto L101;
														} else {
															_t352 = _v80;
															_t364 = _v88;
															_t402 = _v48;
															_v76 = _v52;
															_v80 = _v12;
															_v88 = _v64;
															_t284 = _v44;
															_v64 = _v72 & 0x0000ffff;
															goto L100;
														}
													}
												}
											}
										}
									}
								}
							}
							goto L130;
						} else {
							_v80 = 0;
							_t411 = 0;
							_v88 = 0;
							do {
								if(_t411 == 0x15 || _t411 == 0xe) {
									goto L10;
								} else {
									_v48 =  *((intOrPtr*)(_t402 + _t411 * 2));
									if(GetStringTypeExW(0x7f, 1,  &_v48, 1,  &_v44) != 0 && (_v44 & 0x00000004) != 0) {
										goto L10;
									}
								}
								goto L101;
								L10:
								_t411 = _t411 + 1;
							} while (_t411 < 0x19);
							_t371 = 0;
							_t390 = 0x2a;
							_v68 = 0;
							_t412 = 0;
							do {
								_t286 =  *(_t402 + _t412 * 2) & 0x0000ffff;
								if(_t390 == _t286) {
									_t287 = _t286 | 0xffffffff;
									if(_t287 != _t371) {
										goto L16;
									} else {
										goto L101;
									}
									L130:
								} else {
									_v48 = _t286;
									_t346 = GetStringTypeExW(0x7f, 1,  &_v48, 1,  &_v44);
									if(_t346 != 0 && (_v44 & 0x00000004) != 0) {
										_t287 = _t346 | 0xffffffff;
										_t371 = _t287 & 0x0000ffff;
										_v68 = _t371;
										_t45 = _t287 + 0x2b; // 0x2b
										_t390 = _t45;
										goto L16;
									}
								}
								goto L101;
								L16:
								_t412 = _t412 + 1;
							} while (_t412 < 8);
							if(_t287 == _t371) {
								_t372 =  &_v40;
								_v52 = 0;
								_t353 = 0;
								_t390 = 0xc;
								_t414 = _t402 - _t372;
								while(1) {
									_t48 = _t390 - 4; // 0x8
									if(_t48 == 0) {
										break;
									}
									_t343 =  *(_t414 + _t372) & 0x0000ffff;
									if(_t343 == 0) {
										break;
									} else {
										 *_t372 = _t343;
										_t372 =  &(_t372[0]);
										_t390 = _t390 - 1;
										if(_t390 != 0) {
											continue;
										} else {
											L105:
											_t372 = _t372 - 2;
											_t353 = 0x8007007a;
										}
									}
									L24:
									 *_t372 = 0;
									if(_t353 < 0) {
										L55:
										_t351 = 0x80041021;
									} else {
										_v24 = 0;
										_t291 = E00F0DD7D( &_v40,  &_v52, _t372);
										_t374 = 0;
										_v96 = _t291;
										_t54 = _t402 + 0x10; // 0xf0f228
										_t354 = _t54;
										_v60 = 0;
										_t415 = 0;
										_t390 = 0x2a;
										do {
											_t292 =  *(_t354 + _t415 * 2) & 0x0000ffff;
											if(_t390 == _t292) {
												_t293 = _t292 | 0xffffffff;
												if(_t293 != _t374) {
													goto L30;
												} else {
													goto L55;
												}
												goto L130;
											} else {
												_v48 = _t292;
												_t342 = GetStringTypeExW(0x7f, 1,  &_v48, 1,  &_v44);
												if(_t342 == 0 || (_v44 & 0x00000004) == 0) {
													goto L55;
												} else {
													_t293 = _t342 | 0xffffffff;
													_t374 = _t293 & 0x0000ffff;
													_v60 = _t374;
													_t65 = _t293 + 0x2b; // 0x2b
													_t390 = _t65;
													goto L30;
												}
											}
											goto L101;
											L30:
											_t415 = _t415 + 1;
										} while (_t415 < 2);
										if(_t293 != _t374) {
											goto L55;
										} else {
											_t375 =  &_v40;
											_v52 = 0;
											_t416 = 0;
											_t390 = 0xc;
											_t355 = _t354 - _t375;
											while(1) {
												_t68 = _t390 - 0xa; // 0x2
												if(_t68 == 0) {
													break;
												}
												_t339 =  *(_t355 + _t375) & 0x0000ffff;
												if(_t339 == 0) {
													break;
												} else {
													 *_t375 = _t339;
													_t375 =  &(_t375[0]);
													_t390 = _t390 - 1;
													if(_t390 != 0) {
														continue;
													} else {
														L108:
														_t375 = _t375 - 2;
														_t416 = 0x8007007a;
													}
												}
												L38:
												 *_t375 = 0;
												if(_t416 < 0) {
													goto L55;
												} else {
													_v36 = 0;
													_t297 = E00F0DD7D( &_v40,  &_v52, _t375);
													_t377 = 0;
													_v92 = _t297;
													_t74 = _t402 + 0x14; // 0xf0f22c
													_t356 = _t74;
													_v56 = 0;
													_t417 = 0;
													_t390 = 0x2a;
													do {
														_t298 =  *(_t356 + _t417 * 2) & 0x0000ffff;
														if(_t390 == _t298) {
															_t299 = _t298 | 0xffffffff;
															if(_t299 != _t377) {
																goto L44;
															} else {
																goto L55;
															}
															goto L130;
														} else {
															_v48 = _t298;
															_t338 = GetStringTypeExW(0x7f, 1,  &_v48, 1,  &_v44);
															if(_t338 == 0 || (_v44 & 0x00000004) == 0) {
																goto L55;
															} else {
																_t299 = _t338 | 0xffffffff;
																_t377 = _t299 & 0x0000ffff;
																_v56 = _t377;
																_t85 = _t299 + 0x2b; // 0x2b
																_t390 = _t85;
																goto L44;
															}
														}
														goto L101;
														L44:
														_t417 = _t417 + 1;
													} while (_t417 < 2);
													if(_t299 != _t377) {
														goto L55;
													} else {
														_t378 =  &_v40;
														_v52 = 0;
														_t418 = 0;
														_t390 = 0xc;
														_t357 = _t356 - _t378;
														while(1) {
															_t88 = _t390 - 0xa; // 0x2
															if(_t88 == 0) {
																break;
															}
															_t335 =  *(_t357 + _t378) & 0x0000ffff;
															if(_t335 == 0) {
																break;
															} else {
																 *_t378 = _t335;
																_t378 =  &(_t378[0]);
																_t390 = _t390 - 1;
																if(_t390 != 0) {
																	continue;
																} else {
																	L111:
																	_t378 = _t378 - 2;
																	_t418 = 0x8007007a;
																}
															}
															L52:
															 *_t378 = 0;
															if(_t418 < 0) {
																goto L55;
															} else {
																_v36 = 0;
																_t303 = E00F0DD7D( &_v40,  &_v52, _t378);
																_t380 = 0;
																_v84 = _t303;
																_t94 = _t402 + 0x18; // 0xf0f230
																_t358 = _t94;
																_v64 = 0;
																_t419 = 0;
																_t390 = 0x2a;
																do {
																	_t304 =  *(_t358 + _t419 * 2) & 0x0000ffff;
																	if(_t390 == _t304) {
																		_t305 = _t304 | 0xffffffff;
																		if(_t305 != _t380) {
																			goto L60;
																		} else {
																			goto L55;
																		}
																		goto L130;
																	} else {
																		_v48 = _t304;
																		_t334 = GetStringTypeExW(0x7f, 1,  &_v48, 1,  &_v44);
																		if(_t334 == 0 || (_v44 & 0x00000004) == 0) {
																			goto L55;
																		} else {
																			_t305 = _t334 | 0xffffffff;
																			_t380 = _t305 & 0x0000ffff;
																			_v64 = _t380;
																			_t105 = _t305 + 0x2b; // 0x2b
																			_t390 = _t105;
																			goto L60;
																		}
																	}
																	goto L101;
																	L60:
																	_t419 = _t419 + 1;
																} while (_t419 < 2);
																if(_t305 != _t380) {
																	goto L55;
																} else {
																	_t381 =  &_v40;
																	_v52 = 0;
																	_t420 = 0;
																	_t390 = 0xc;
																	_t359 = _t358 - _t381;
																	while(1) {
																		_t108 = _t390 - 0xa; // 0x2
																		if(_t108 == 0) {
																			break;
																		}
																		_t331 =  *(_t359 + _t381) & 0x0000ffff;
																		if(_t331 == 0) {
																			break;
																		} else {
																			 *_t381 = _t331;
																			_t381 =  &(_t381[0]);
																			_t390 = _t390 - 1;
																			if(_t390 != 0) {
																				continue;
																			} else {
																				L114:
																				_t381 = _t381 - 2;
																				_t420 = 0x8007007a;
																			}
																		}
																		L68:
																		 *_t381 = 0;
																		if(_t420 < 0) {
																			goto L55;
																		} else {
																			_t390 =  &_v52;
																			_v36 = 0;
																			_v52 = E00F0DD7D( &_v40,  &_v52, _t381);
																			_t114 = _t402 + 0x1c; // 0x458bff33
																			if(0x2e !=  *_t114) {
																				goto L55;
																			} else {
																				_t383 = 0;
																				_t402 = _t402 + 0x1e;
																				_v72 = 0;
																				_t421 = 0;
																				_t390 = 0x2a;
																				do {
																					_t311 =  *(_t402 + _t421 * 2) & 0x0000ffff;
																					if(_t390 == _t311) {
																						_t312 = _t311 | 0xffffffff;
																						if(_t312 != _t383) {
																							goto L75;
																						} else {
																							goto L55;
																						}
																						goto L130;
																					} else {
																						_v48 = _t311;
																						_t330 = GetStringTypeExW(0x7f, 1,  &_v48, 1,  &_v44);
																						if(_t330 == 0 || (_v44 & 0x00000004) == 0) {
																							goto L55;
																						} else {
																							_t312 = _t330 | 0xffffffff;
																							_t383 = _t312 & 0x0000ffff;
																							_v72 = _t383;
																							_t125 = _t312 + 0x2b; // 0x2b
																							_t390 = _t125;
																							goto L75;
																						}
																					}
																					goto L101;
																					L75:
																					_t421 = _t421 + 1;
																				} while (_t421 < 6);
																				if(_t312 != _t383) {
																					goto L55;
																				} else {
																					_t384 =  &_v40;
																					_v12 = 0;
																					_t422 = 0;
																					_t390 = 0xc;
																					_t402 = _t402 - _t384;
																					while(1) {
																						_t128 = _t390 - 6; // 0x6
																						if(_t128 == 0) {
																							break;
																						}
																						_t327 =  *(_t384 + _t402) & 0x0000ffff;
																						if(_t327 == 0) {
																							break;
																						} else {
																							 *_t384 = _t327;
																							_t384 =  &(_t384[0]);
																							_t390 = _t390 - 1;
																							if(_t390 != 0) {
																								continue;
																							} else {
																								L117:
																								_t384 = _t384 - 2;
																								_t422 = 0x8007007a;
																							}
																						}
																						L83:
																						 *_t384 = 0;
																						if(_t422 < 0) {
																							goto L55;
																						} else {
																							_t390 =  &_v12;
																							_v28 = 0;
																							_t352 = E00F0DD7D( &_v40, _t390, _t384);
																							_t317 = _v104;
																							_t402 = 0;
																							if(0x3a !=  *_t317) {
																								goto L55;
																							} else {
																								_t423 = 1;
																								_t387 = 0x2a;
																								do {
																									_t318 =  *(_t317 + _t423 * 2) & 0x0000ffff;
																									if(_t387 == _t318) {
																										_t390 = _t390 | 0xffffffff;
																										if(_t390 != _t402) {
																											goto L90;
																										} else {
																											goto L55;
																										}
																										goto L130;
																									} else {
																										_v48 = _t318;
																										if(GetStringTypeExW(0x7f, 1,  &_v48, 1,  &_v44) == 0 || (_v44 & 0x00000004) == 0) {
																											goto L55;
																										} else {
																											_t390 = _t390 | 0xffffffff;
																											_t402 = _t390;
																											_t387 = _t390 + 0x2b;
																											goto L90;
																										}
																									}
																									goto L101;
																									L90:
																									_t317 = _v104;
																									_t423 = _t423 + 1;
																								} while (_t423 < 4);
																								if(_t390 == _t402) {
																									_t388 =  &_v16;
																									_v76 = 0;
																									_t400 = 4;
																									_t425 = _v104 - _t388;
																									while(1) {
																										_t147 = _t400 - 1; // 0x3
																										if(_t147 == 0) {
																											break;
																										}
																										_t323 =  *(_t425 +  &(_t388[0])) & 0x0000ffff;
																										if(_t323 == 0) {
																											break;
																										} else {
																											 *_t388 = _t323;
																											_t388 =  &(_t388[0]);
																											_t400 = _t400 - 1;
																											if(_t400 != 0) {
																												continue;
																											} else {
																												L54:
																												_t388 = _t388 - 2;
																											}
																										}
																										L98:
																										 *_t388 = 0;
																										_v10 = 0;
																										_v76 = E00F0DD7D( &_v16,  &_v76, _t388);
																										goto L99;
																									}
																									if(_t400 == 0) {
																										goto L54;
																									}
																									goto L98;
																								}
																								L99:
																								_t364 = _v52;
																								_t284 = _v72;
																								L100:
																								_t406 = _v100;
																								 *((intOrPtr*)(_t406 + 0x18)) = _v116;
																								 *(_t406 + 0x1c) = _v108;
																								_t396 = _v100;
																								 *(_t396 + 0x20) = _v96;
																								 *((intOrPtr*)(_t396 + 0x24)) = _v92;
																								 *((intOrPtr*)(_t396 + 0x28)) = _v84;
																								_t410 = _t396;
																								_t390 = _v64;
																								 *((intOrPtr*)(_t410 + 0x2c)) = _t364;
																								 *((intOrPtr*)(_t410 + 0x34)) = _v76;
																								 *((short*)(_t410 + 4)) = _v80;
																								 *((short*)(_t410 + 6)) = _v88;
																								 *((short*)(_t410 + 8)) = _v68;
																								 *((short*)(_t410 + 0xa)) = _v60;
																								 *(_t410 + 0x10) = _t284;
																								 *((intOrPtr*)(_t410 + 0x30)) = _t352;
																								_t351 = 0;
																								 *((short*)(_t410 + 0xc)) = _v56;
																								 *((short*)(_t410 + 0xe)) = _v64;
																								 *(_t410 + 0x12) = _t402;
																								 *((short*)(_t410 + 0x14)) = _v112;
																							}
																						}
																						goto L101;
																					}
																					if(_t390 == 0) {
																						goto L117;
																					}
																					goto L83;
																				}
																			}
																		}
																		goto L101;
																	}
																	if(_t390 == 0) {
																		goto L114;
																	}
																	goto L68;
																}
															}
															goto L101;
														}
														if(_t390 == 0) {
															goto L111;
														}
														goto L52;
													}
												}
												goto L101;
											}
											if(_t390 == 0) {
												goto L108;
											}
											goto L38;
										}
									}
									goto L101;
								}
								if(_t390 == 0) {
									goto L105;
								}
								goto L24;
							}
						}
						L101:
						_pop(_t403);
					}
				}
				return E00F01CA0(_t351, _t351, _v8 ^ _t426, _t390, _t402, _t403);
				goto L130;
			}

APIs
  • GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,00000001,?,?,00000000,?), ref: 00F0D84B
  • GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,00000001,?,?,00000000,?), ref: 00F0D896
  • GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,00000001,?,?,?,?,?,00000000,?), ref: 00F0DAE1
    • Part of subcall function 00F0DD7D: GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,00000001,00000001,00000004,00000002,?,00000001,?,?,00000003,00000000,00000004,00000001), ref: 00F0DDAF
    • Part of subcall function 00F0DD7D: GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,00000004,00000001,00000001,?,?,00000003,00000000,00000004,00000001), ref: 00F0DDE5
    • Part of subcall function 00F0DD7D: GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,00000004,00000001,00000000,?,?,00000003,00000000,00000004,00000001), ref: 00F0DE34
  • GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,00000001,?,?,?,00000000,?), ref: 00F0D957
  • GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,00000001,?,?,?,?,00000000,?), ref: 00F0DA16
  • GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,00000001,?,?,?,?,?,?,00000000,?), ref: 00F0DBA0
  • GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,00000001,?,?,?,?,?,?,?,00000000,?), ref: 00F0DC6C
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: StringType
  • String ID:
  • API String ID: 4177115715-0
  • Opcode ID: 15e58f8a6bd2d73cb263f96a63724f0d750f0427caacd10bf8f421372ba1fba9
  • Instruction ID: c27fc220a30daa29a9cd70ffbdd3c2bab35a24a10d753e84e27dee119e3e4bb8
  • Opcode Fuzzy Hash: 15e58f8a6bd2d73cb263f96a63724f0d750f0427caacd10bf8f421372ba1fba9
  • Instruction Fuzzy Hash: D732C175E002188ADF20DFE8C8807EDB7B4FF08720F54821AE951EB2D5E7749946EB95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00F12483() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t35;
				signed int _t36;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xf4f1a4; // 0xbd26e8f
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t35 = _v20 ^ _v24.LowPart;
					_t39 = _v8 ^ _t35;
					if(_t39 == 0xbb40e64e || ( *0xf4f1a4 & 0xffff0000) == 0) {
						_t39 = 0xbb40e64f;
					}
					 *0xf4f1a4 = _t39;
					 *0xf4f010 =  !_t39;
					return _t35;
				} else {
					_t36 =  !_t23;
					 *0xf4f010 = _t36;
					return _t36;
				}
			}

APIs
  • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-2-1(00000000), ref: 00F1ED7E
  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00F1ED8D
  • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00F1ED96
  • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-2-1 ref: 00F1ED9F
  • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00F1EDB4
Similarity
  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
  • String ID:
  • API String ID: 1445889803-0
  • Opcode ID: 349ccfecf7ad5af2b4d63e8ec9a165ffb6c968359e29facfdcc6ca71015b977b
  • Instruction ID: 17b48c9cca1f0fdda9569cc3054d8a6c2ca40c740dd84d2566623ebe8fccc893
  • Opcode Fuzzy Hash: 349ccfecf7ad5af2b4d63e8ec9a165ffb6c968359e29facfdcc6ca71015b977b
  • Instruction Fuzzy Hash: DE112B75D0120CEFCB10DBB8EA4869EBBF4FF58315F5505AAE906D7260DB309A44AB50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00F2320B(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs
  • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(00000000,?,00F23346,00F21248), ref: 00F23212
  • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(00F23346,?,00F23346,00F21248), ref: 00F2321B
  • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(C0000409,?,00F23346,00F21248), ref: 00F23226
  • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,00F23346,00F21248), ref: 00F2322D
Similarity
  • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
  • String ID:
  • API String ID: 3231755760-0
  • Opcode ID: ee386460cc7ec01824ea61b2da82dd1dd8d3555dfbc52038fe0727c8dc24dd75
  • Instruction ID: a4ab1c9d91f926c73c8f02ec89e1d57995ef3814f6be30e3a5ff52553b1e650b
  • Opcode Fuzzy Hash: ee386460cc7ec01824ea61b2da82dd1dd8d3555dfbc52038fe0727c8dc24dd75
  • Instruction Fuzzy Hash: 5AD0C932004B0CABD7002BF2EC0CB493E2CFB48263F044480F31982821CA32B801AB51
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 70%
			E00F4BD8B(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16, signed int* _a20) {
				signed int _v8;
				char _v16;
				long long _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v68;
				void* __ebx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				signed int _t112;
				signed int _t115;
				void* _t118;
				signed char _t121;
				signed int _t124;
				signed int _t131;
				long long _t133;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				void* _t144;
				signed int _t145;
				signed int _t148;
				signed int _t151;
				signed int _t152;
				void* _t153;
				signed int _t154;
				signed int _t156;
				intOrPtr _t163;
				signed int _t165;
				signed int _t172;
				signed int _t174;
				signed int _t189;
				intOrPtr _t192;
				signed int _t194;
				signed int* _t200;
				signed int _t201;
				signed int _t206;
				signed int _t208;
				signed int _t211;
				signed int _t213;

				_push(0xffffffff);
				_push(E00F26FEF);
				_push( *[fs:0x0]);
				_t112 =  *0xf4f1a4; // 0xbd26e8f
				_push(_t112 ^ (_t213 & 0xfffffff8) - 0x00000020);
				 *[fs:0x0] =  &_v16;
				_v48 = __ecx;
				_t200 = _a20;
				_t162 = _a8;
				_t168 = 1;
				_t204 = 1;
				_t115 =  *_t200;
				_t192 =  *((intOrPtr*)(_a8 + _t115 * 4));
				 *_t200 = _t115 - 1;
				_t118 =  *((intOrPtr*)(_t192 + 4)) - 1;
				if(_t118 == 0) {
					_t163 = _t192;
					_t201 = 0;
					__eflags =  *(_t163 + 8) & 0x00000010;
					if(( *(_t163 + 8) & 0x00000010) == 0) {
						L45:
						_t204 = 0;
						__eflags = 0;
						L46:
						__eflags = _t204;
						if(_t204 == 0) {
							L82:
							 *[fs:0x0] = _v16;
							return _t204;
						}
						_t204 = _t168;
						_v40 = _v40 & 0x00000000;
						 *_a16 = _t201;
						__eflags =  *(_t163 + 8) & 0x00000020;
						if(( *(_t163 + 8) & 0x00000020) != 0) {
							_t138 = E00F3249A( *((intOrPtr*)(_t163 + 0x3c)), L"Upper");
							__eflags = _t138;
							if(_t138 != 0) {
								_t139 = E00F3249A( *((intOrPtr*)(_t163 + 0x3c)), L"Lower");
								__eflags = _t139;
								if(_t139 != 0) {
									_t204 = 0;
									__eflags = 0;
								} else {
									_v40 = 2;
								}
							} else {
								_v40 = 1;
							}
						}
						_v44 = _v44 & 0x00000000;
						__eflags =  *(_t163 + 8) & 0x00000040;
						if(( *(_t163 + 8) & 0x00000040) != 0) {
							_t136 = E00F3249A( *((intOrPtr*)(_t163 + 0x38)), L"Upper");
							__eflags = _t136;
							if(_t136 != 0) {
								_t137 = E00F3249A( *((intOrPtr*)(_t163 + 0x38)), L"Lower");
								__eflags = _t137;
								if(_t137 != 0) {
									_t204 = 0;
									__eflags = 0;
								} else {
									_v44 = 2;
								}
							} else {
								_v44 = 1;
							}
						}
						__eflags = _t204;
						if(_t204 == 0) {
							goto L82;
						} else {
							_t121 =  *(_t163 + 8);
							_t206 = 8;
							_t172 = _t121 & 0x00000002;
							_t194 = _t121 & _t206;
							_t208 = _t121 & 0x00000004;
							__eflags = _t121 & 0x00000001;
							if((_t121 & 0x00000001) == 0) {
								L81:
								_t204 = 0;
								__eflags = 0;
								goto L82;
							}
							__eflags = _t172;
							if(_t172 != 0) {
								goto L81;
							}
							__eflags = _t194;
							if(_t194 == 0) {
								goto L81;
							}
							__eflags = _t208;
							if(_t208 != 0) {
								goto L81;
							}
							 *0xf53014( &_v36);
							_t124 =  *(_t163 + 0x18);
							__eflags = _t124;
							if(_t124 == 0) {
								_t204 = 1;
								_v40 = 1;
								L71:
								_t165 =  *0xf53000( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x14)) + 0xc)))));
								__eflags = _t165;
								if(__eflags == 0) {
									_t204 = 0;
									__eflags = 0;
								} else {
									_t131 = E00F4A840(_t165, _t201, _t204, __eflags, _a4, _t165,  &_v44, _v48, _v52, _t201);
									__eflags = _t131;
									if(_t131 == 0) {
										_t204 = 0;
										__eflags = 0;
									} else {
										 *(_t201 + 0x10) = _t131;
									}
									 *0xf53004(_t165);
								}
								 *0xf53018( &_v44);
								goto L82;
							}
							_t174 = 3;
							__eflags = _t124 - _t174;
							if(_t124 == _t174) {
								_t133 =  *((intOrPtr*)(_t163 + 0x20));
								_v40 = _t174;
								L69:
								_v32 = _t133;
								L70:
								_t204 = 1;
								__eflags = 1;
								goto L71;
							}
							__eflags = _t124 - 0x14;
							if(_t124 == 0x14) {
								_t134 = 5;
								_v32 =  *((long long*)(_t163 + 0x20));
								_v40 = _t134;
								goto L70;
							}
							__eflags = _t124 - 0x1f;
							if(_t124 != 0x1f) {
								goto L70;
							}
							_t135 = 8;
							_v40 = _t135;
							_t133 =  *0xf53000( *((intOrPtr*)(_t163 + 0x20)));
							goto L69;
						}
					}
					_t141 =  *((intOrPtr*)(_t163 + 0xc)) - 1;
					__eflags = _t141 - 7;
					if(__eflags > 0) {
						_t204 = 0;
						__eflags = 0;
						L44:
						__eflags = _t201;
						if(_t201 != 0) {
							goto L46;
						}
						goto L45;
					}
					switch( *((intOrPtr*)(_t141 * 4 +  &M00F4C223))) {
						case 0:
							_t142 = E00F19D72(1, __eflags, 0x1c);
							_v40 = _t142;
							_v8 = _v8 & 0x00000000;
							__eflags = _t142;
							if(__eflags == 0) {
								goto L25;
							}
							_push(_a12);
							_push(0);
							_t143 = E00F49836(_t142, 1, __eflags);
							goto L24;
						case 1:
							__eax = E00F19D72(__ecx, __eflags, 0x1c);
							_v40 = __eax;
							__ecx = 0;
							__ecx = 1;
							_v8 = 1;
							__eflags = __eax;
							if(__eflags == 0) {
								__edi = 0;
								__eflags = 0;
							} else {
								_push(_a12);
								__ecx = __eax;
								_push(0);
								__eax = E00F49A13(__eax, __esi, __eflags);
								__ecx = 0;
								__edi = __eax;
								__ecx = 1;
							}
							_v8 = _v8 | 0xffffffff;
							goto L44;
						case 2:
							__eax = E00F19D72(__ecx, __eflags, 0x1c);
							_v40 = __eax;
							_v8 = 2;
							__eflags = __eax;
							if(__eflags == 0) {
								goto L25;
							}
							_push(_a12);
							__ecx = __eax;
							_push(0);
							__eax = E00F49871(__ecx, __esi, __eflags);
							goto L24;
						case 3:
							__eax = E00F19D72(__ecx, __eflags, 0x1c);
							_v40 = __eax;
							_v8 = 3;
							__eflags = __eax;
							if(__eflags == 0) {
								goto L25;
							}
							_push(_a12);
							__ecx = __eax;
							_push(0);
							__eax = E00F498AC(__ecx, __esi, __eflags);
							goto L24;
						case 4:
							__eax = E00F19D72(__ecx, __eflags, 0x1c);
							_v40 = __eax;
							_v8 = 4;
							__eflags = __eax;
							if(__eflags == 0) {
								goto L25;
							}
							_push(_a12);
							__ecx = __eax;
							_push(0);
							__eax = E00F4995D(__ecx, __esi, __eflags);
							goto L24;
						case 5:
							__eax = E00F19D72(__ecx, __eflags, 0x1c);
							_v40 = __eax;
							_v8 = 5;
							__eflags = __eax;
							if(__eflags == 0) {
								goto L25;
							}
							_push(_a12);
							__ecx = __eax;
							_push(0);
							__eax = E00F498E7(__ecx, __esi, __eflags);
							goto L24;
						case 6:
							__eax = E00F19D72(__ecx, __eflags, 0x1c);
							_v40 = __eax;
							_v8 = 6;
							__eflags = __eax;
							if(__eflags == 0) {
								goto L25;
							}
							_push(_a12);
							__ecx = __eax;
							_push(0);
							__eax = E00F49998(__ecx, __esi, __eflags);
							goto L24;
						case 7:
							__eax = E00F19D72(__ecx, __eflags, 0x1c);
							_v40 = __eax;
							_v8 = 7;
							__eflags = __eax;
							if(__eflags == 0) {
								L25:
								_t201 = 0;
								__eflags = 0;
								L26:
								_v8 = _v8 | 0xffffffff;
								_t168 = 1;
								goto L44;
							}
							_push(_a12);
							__ecx = __eax;
							_push(0);
							__eax = E00F49922(__ecx, __esi, __eflags);
							L24:
							_t201 = _t143;
							goto L26;
					}
				}
				_t144 = _t118 - 1;
				if(_t144 == 0) {
					_t145 = E00F19D72(1, __eflags, 0x1c);
					_v40 = _t145;
					_v8 = 8;
					__eflags = _t145;
					if(__eflags == 0) {
						L12:
						_t211 = 0;
						__eflags = 0;
						L13:
						_v8 = _v8 | 0xffffffff;
						 *_a16 = _t211;
						__eflags = _t211;
						if(_t211 == 0) {
							goto L81;
						}
						_t24 = _t211 + 0x10; // 0x10
						_t148 = E00F4BD8B(_v48, _a4, _t162, _t211, _t24, _t200);
						__eflags = _t148;
						if(_t148 == 0) {
							goto L81;
						}
						_t27 = _t211 + 0x14; // 0x14
						_t151 = E00F4BD8B(_v48, _a4, _t162,  *_a16, _t27, _t200);
						__eflags = _t151;
						if(_t151 == 0) {
							goto L81;
						}
						_t204 = 1;
						goto L82;
					}
					_push(_a12);
					_push(0);
					_push(0);
					_t152 = E00F49772(_t162, _t145, _t200, 1, __eflags);
					L11:
					_t211 = _t152;
					goto L13;
				}
				_t153 = _t144 - 1;
				if(_t153 == 0) {
					_t154 = E00F19D72(1, __eflags, 0x1c);
					_v40 = _t154;
					_v8 = 9;
					__eflags = _t154;
					if(__eflags == 0) {
						goto L12;
					}
					_push(_a12);
					_push(0);
					_push(0);
					_t152 = E00F49AC4(_t162, _t154, _t200, 1, __eflags);
					goto L11;
				}
				_t219 = _t153 != 1;
				if(_t153 != 1) {
					goto L81;
				} else {
					_t156 = E00F19D72(1, _t219, 0x1c);
					_v40 = _t156;
					_v8 = 0xa;
					_t220 = _t156;
					if(_t156 == 0) {
						_t189 = 0;
						__eflags = 0;
					} else {
						_push(_a12);
						_push(0);
						_t189 = E00F497B2(_t162, _t156, _t200, 1, _t220);
					}
					_v8 = _v8 | 0xffffffff;
					 *_a16 = _t189;
					if(_t189 == 0) {
						goto L81;
					}
					_t14 = _t189 + 0x10; // 0x10
					_t204 = E00F4BD8B(_v48, _a4, _t162, _t189, _t14, _t200);
					goto L82;
				}
			}

Strings
Similarity
  • API ID:
  • String ID: Lower$Upper
  • API String ID: 0-361161821
  • Opcode ID: 1805372a2544b91a16357d526ca1dac089975b653740fef70a9fdb8d91bb6d2a
  • Instruction ID: 4689679a8870c5bda02f350b24e8a90f86c039c3f1a59d40111efafe6362abfb
  • Opcode Fuzzy Hash: 1805372a2544b91a16357d526ca1dac089975b653740fef70a9fdb8d91bb6d2a
  • Instruction Fuzzy Hash: D3D1D3716093059BEB549F68CC81B6B7EE4EF88760F101429FD56C7292DBB4C940EBD1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00F12470() {

				SetUnhandledExceptionFilter(E00F23490);
				return 0;
			}

APIs
  • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(Function_00023490), ref: 00F12475
Similarity
  • API ID: ExceptionFilterUnhandled
  • String ID:
  • API String ID: 3192549508-0
  • Opcode ID: 499dd774e04fd08b4c2d65d72f32dc62c69c132aa1dd6c0be657b3a159a5a9ea
  • Instruction ID: 96f3c4a1d82ad45c8fa790101921f5bbaae51c8eb33663025a7f65f1252e4539
  • Opcode Fuzzy Hash: 499dd774e04fd08b4c2d65d72f32dc62c69c132aa1dd6c0be657b3a159a5a9ea
  • Instruction Fuzzy Hash: 099002A425161446461167716D0D64935D46B5C60774204D0A251C4458DA54A5407512
Uniqueness

Uniqueness Score: -1.00%

Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 39e29ae6943d937f6df819c1583fe33bc9f43cf92f8b56b9c57c55108de62d31
  • Instruction ID: deb44de1f16be3eb2b347a666d8dc0a3a3fcf6c54ec0d7ca2ab06baf6034c511
  • Opcode Fuzzy Hash: 39e29ae6943d937f6df819c1583fe33bc9f43cf92f8b56b9c57c55108de62d31
  • Instruction Fuzzy Hash: A162FBA644D3C15FD7138BB488EA6907FB0EF2B32574E45DAC0C18F5A3E298A457E712
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
			E00F2FDE8(void* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				long _v20;
				struct _ACL* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				long _v40;
				void* _v44;
				void* _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				long _v68;
				long _v72;
				long _v76;
				long _v80;
				long _v84;
				long _v88;
				void* _v92;
				long _v96;
				long _v100;
				struct _SECURITY_DESCRIPTOR _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t144;
				int _t148;
				int _t151;
				int _t154;
				int _t157;
				int _t160;
				signed short _t161;
				struct _ACL* _t171;
				int _t192;
				long _t206;
				long _t213;
				long _t221;
				long _t229;
				void* _t245;
				signed int _t253;
				void* _t254;
				intOrPtr _t255;
				void* _t258;
				intOrPtr _t260;
				intOrPtr _t261;
				intOrPtr _t262;
				intOrPtr _t263;
				intOrPtr _t264;
				intOrPtr _t265;
				intOrPtr _t267;
				signed int _t274;
				char* _t277;
				long _t278;
				void* _t279;
				void* _t280;
				void* _t281;
				void* _t282;
				long _t283;
				void* _t289;
				signed int _t290;

				_t144 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t144 ^ _t290;
				_v92 = __ecx;
				_v12 = 0x500;
				_v16.Value = 0;
				_v28 = 0;
				_t245 = 0;
				_v60 = 0;
				_t148 = AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v28);
				_t291 = _t148;
				if(_t148 == 0) {
					L3:
					L4:
					_v48 = 0;
					_v68 = 0;
					_v64 = 0;
					_t151 = AllocateAndInitializeSid( &_v16, 1, 4, 0, 0, 0, 0, 0, 0, 0,  &_v48);
					_t293 = _t151;
					if(_t151 == 0) {
						L7:
						L8:
						_v32 = 0;
						_v80 = 0;
						_v56 = 0;
						_t154 = AllocateAndInitializeSid( &_v16, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v32);
						_t295 = _t154;
						if(_t154 == 0) {
							L11:
							L12:
							_v44 = 0;
							_v72 = 0;
							_v52 = 0;
							_t157 = AllocateAndInitializeSid( &_v16, 1, 0x13, 0, 0, 0, 0, 0, 0, 0,  &_v44);
							_t297 = _t157;
							if(_t157 == 0) {
								L15:
								L16:
								_v36 = 0;
								_v76 = 0;
								_v40 = 0;
								_t160 = AllocateAndInitializeSid( &_v16, 1, 0x14, 0, 0, 0, 0, 0, 0, 0,  &_v36);
								_t299 = _t160;
								if(_t160 == 0) {
									L19:
									_t161 = _v40;
									_t289 = 0x8007000e;
									L20:
									_t274 = _v52 & 0x0000ffff;
									_t273 = _v56 & 0x0000ffff;
									_v84 = _t161 & 0x0000ffff;
									_t253 = _v64 & 0x0000ffff;
									_v20 = _v60 & 0x0000ffff;
									_v100 = _t274;
									_v88 = _t273;
									_v96 = _t253;
									_t277 = _v20 + 8 + _v84 + _t274 + _t273 + _t253;
									_t171 = E00F19D72(_t253, _t300, _t277);
									_v24 = _t171;
									_pop(_t254);
									if(_t171 == 0) {
										_t289 = 0x8007000e;
										L50:
										if(_t245 != 0) {
											_t264 =  *0xf4f0cc; // 0x0
											E00F04A17(_t264, _t245);
										}
										_t172 = _v68;
										if(_v68 != 0) {
											_t263 =  *0xf4f0cc; // 0x0
											E00F04A17(_t263, _t172);
										}
										_t173 = _v80;
										if(_v80 != 0) {
											_t262 =  *0xf4f0cc; // 0x0
											E00F04A17(_t262, _t173);
										}
										_t174 = _v72;
										if(_v72 != 0) {
											_t261 =  *0xf4f0cc; // 0x0
											E00F04A17(_t261, _t174);
										}
										_t175 = _v76;
										if(_v76 != 0) {
											_t260 =  *0xf4f0cc; // 0x0
											_t175 = E00F04A17(_t260, _t175);
										}
										if(_v48 != 0) {
											_t175 = FreeSid(_v48);
										}
										if(_v32 != 0) {
											_t175 = FreeSid(_v32);
										}
										if(_v44 != 0) {
											_t175 = FreeSid(_v44);
										}
										if(_v36 != 0) {
											_t175 = FreeSid(_v36);
										}
										if(_v28 != 0) {
											_t175 = FreeSid(_v28);
										}
										if(_t289 < 0) {
											__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t289);
											__imp__?Write@CMemoryLog@@QAEXJ@Z();
										}
										_t255 =  *0xf4f014; // 0xf4f014
										if(_t255 != 0xf4f014 && ( *(_t255 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t255 + 0x19)) >= 2) {
											_push(_t289);
											_t141 = _t255 + 0x14; // 0x20000000
											_push( *_t141);
											_t273 = 0xf21d74;
											_t142 = _t255 + 0x10; // 0x40000000
											_push( *_t142);
											_t258 = 0xd;
											E00F32A46(_t258, 0xf21d74);
										}
										return E00F01CA0(_t289, _t245, _v8 ^ _t290, _t273, _t277, _t289);
									}
									if(InitializeAcl(_t171, _t277, 2) == 0) {
										L48:
										_t265 =  *0xf4f0cc; // 0x0
										E00F04A17(_t265, _v24);
										goto L50;
									}
									_t278 = 0;
									if(_v64 != 0 && AddAce(_v24, 2, 0, _v68, _v96) != 0) {
										_t278 = 1;
									}
									if(_v56 != 0 && AddAce(_v24, 2, _t278, _v80, _v88) != 0) {
										_t278 = _t278 + 1;
									}
									if(_v52 != 0 && AddAce(_v24, 2, _t278, _v72, _v100) != 0) {
										_t278 = _t278 + 1;
									}
									if(_v40 != 0 && AddAce(_v24, 2, _t278, _v76, _v84) != 0) {
										_t278 = _t278 + 1;
									}
									if(_v60 == 0) {
										_t277 = _v24;
									} else {
										_t277 = _v24;
										AddAce(_t277, 2, _t278, _t245, _v20);
									}
									if(InitializeSecurityDescriptor( &_v120, 1) == 0 || SetSecurityDescriptorDacl( &_v120, 1, _t277, 0) == 0 || SetSecurityDescriptorOwner( &_v120, _v32, 0) == 0) {
										L47:
										_t289 = 0x80004005;
									} else {
										_t192 = SetSecurityDescriptorGroup( &_v120, _v28, 0);
										_t319 = _t192;
										if(_t192 == 0) {
											goto L47;
										}
										_v20 = GetSecurityDescriptorLength( &_v120);
										_t277 = E00F19D72(_t254, _t319, _t194);
										if(_t277 == 0) {
											_t289 = 0x8007000e;
										} else {
											if(MakeSelfRelativeSD( &_v120, _t277,  &_v20) != 0 && RegSetValueExW(_v92, L"LaunchPermission", 0, 3, _t277, _v20) != 0) {
												_t289 = 0x80004005;
											}
											_t267 =  *0xf4f0cc; // 0x0
											E00F04A17(_t267, _t277);
										}
									}
									goto L48;
								}
								_t206 = GetLengthSid(_v36);
								_v20 = _t206;
								_v40 = _t206 + 0x00000008 & 0x0000ffff;
								_t279 = E00F19D72(0, _t299, _t206 + 0x00000008 & 0xffff);
								_v76 = _t279;
								_t300 = _t279;
								if(_t279 == 0) {
									goto L19;
								}
								_t72 = _t279 + 8; // 0x8
								CopySid(_v20, _t72, _v36);
								_t161 = _v40;
								 *(_t279 + 4) = 1;
								 *_t279 = 0x300;
								 *(_t279 + 2) = _t161;
								goto L20;
							}
							_t213 = GetLengthSid(_v44);
							_v20 = _t213;
							_v52 = _t213 + 0x00000008 & 0x0000ffff;
							_t280 = E00F19D72(0, _t297, _t213 + 0x00000008 & 0xffff);
							_v72 = _t280;
							if(_t280 == 0) {
								goto L15;
							}
							_t57 = _t280 + 8; // 0x8
							CopySid(_v20, _t57, _v44);
							 *(_t280 + 4) = 1;
							 *_t280 = 0x300;
							 *((short*)(_t280 + 2)) = _v52;
							goto L16;
						}
						_t221 = GetLengthSid(_v32);
						_v20 = _t221;
						_v56 = _t221 + 0x00000008 & 0x0000ffff;
						_t281 = E00F19D72(0, _t295, _t221 + 0x00000008 & 0xffff);
						_v80 = _t281;
						if(_t281 == 0) {
							goto L11;
						}
						_t42 = _t281 + 8; // 0x8
						CopySid(_v20, _t42, _v32);
						 *(_t281 + 4) = 1;
						 *_t281 = 0x300;
						 *((short*)(_t281 + 2)) = _v56;
						goto L12;
					}
					_t229 = GetLengthSid(_v48);
					_v20 = _t229;
					_v64 = _t229 + 0x00000008 & 0x0000ffff;
					_t282 = E00F19D72(0, _t293, _t229 + 0x00000008 & 0xffff);
					_v68 = _t282;
					if(_t282 == 0) {
						goto L7;
					}
					_t27 = _t282 + 8; // 0x8
					CopySid(_v20, _t27, _v48);
					 *(_t282 + 4) = 1;
					 *_t282 = 0x300;
					 *((short*)(_t282 + 2)) = _v64;
					goto L8;
				}
				_t283 = GetLengthSid(_v28);
				_t10 = _t283 + 8; // 0x8
				_v60 = _t10 & 0x0000ffff;
				_t245 = E00F19D72(0, _t291, _t10 & 0xffff);
				if(_t245 == 0) {
					goto L3;
				}
				_t13 = _t245 + 8; // 0x8
				CopySid(_t283, _t13, _v28);
				 *(_t245 + 4) = 1;
				 *_t245 = 0x300;
				 *((short*)(_t245 + 2)) = _v60;
				goto L4;
			}

APIs
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00F2FE2C
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F2FE39
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,?), ref: 00F2FE62
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F2FEA0
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F2FEAD
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000008,?), ref: 00F2FEDC
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F2FF1A
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F2FF27
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000008,?), ref: 00F2FF56
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F2FF94
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F2FFA1
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000008,?), ref: 00F2FFD0
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000014,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F3000E
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F3001B
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000008,?), ref: 00F3004A
  • InitializeAcl.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,?,00000002), ref: 00F300BE
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,00000000,?,?), ref: 00F300E0
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,00000000,?,?), ref: 00F300FE
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,00000000,?,?), ref: 00F3011C
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,00000000,?,?), ref: 00F3013A
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,00000000,00000000,?), ref: 00F30157
  • InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001), ref: 00F30168
  • SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,?,00000000), ref: 00F3017F
  • SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,00000000), ref: 00F30196
  • SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,00000000), ref: 00F301A9
  • GetSecurityDescriptorLength.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F301B7
  • MakeSelfRelativeSD.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000000,?), ref: 00F301D6
  • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,LaunchPermission,00000000,00000003,00000000,?), ref: 00F301F0
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F30293
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F302A2
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F302B1
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F302C0
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F302CF
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(8007000E), ref: 00F302DA
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F302E2
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Initialize$Length$AllocateCopyDescriptorFreeSecurity$Log@@Memory$DaclGroupMakeObject@@OwnerRelativeSelfValueWrite@
  • String ID: LaunchPermission
  • API String ID: 88284555-4257139491
  • Opcode ID: 877b2a987f6f63eb9e1878859d68a89fe4e7f21c53c677932a345f9668429e7e
  • Instruction ID: 2b3d55e12a8ee68c35c82c46a92ace24ec31b9a5c6d559ff170a607b9a1fe561
  • Opcode Fuzzy Hash: 877b2a987f6f63eb9e1878859d68a89fe4e7f21c53c677932a345f9668429e7e
  • Instruction Fuzzy Hash: 40F18D75D00249AFDB148FE5DC49BAEBBB9FF44321F14402AF601E72A0DB759944EB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 60%
			E00F08723(signed int __ecx, short* __edx, intOrPtr _a4, int _a8) {
				signed int _v8;
				char _v528;
				char _v1048;
				short* _v1052;
				short _v1056;
				short _v1060;
				short _v1064;
				short _v1068;
				short _v1072;
				int _v1076;
				void* _v1080;
				int* _v1084;
				short* _v1088;
				short* _v1092;
				int _v1096;
				int _v1100;
				void* _v1104;
				short _v1108;
				int _v1112;
				short _v1116;
				short _v1120;
				void* _v1124;
				int _v1128;
				int _v1132;
				int _v1136;
				int _v1140;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t144;
				int* _t146;
				int* _t148;
				int _t152;
				signed int _t156;
				intOrPtr _t168;
				intOrPtr _t170;
				signed int _t176;
				signed int _t182;
				int _t204;
				signed int _t208;
				signed int _t212;
				int _t215;
				signed short _t216;
				short _t217;
				int _t220;
				signed short _t221;
				signed short _t222;
				signed int _t224;
				int _t227;
				signed short _t228;
				signed int _t229;
				int _t232;
				signed short _t233;
				signed short _t234;
				signed int _t237;
				int* _t245;
				intOrPtr _t246;
				signed int _t247;
				signed int _t259;
				signed int _t260;
				signed int _t264;
				int _t271;
				intOrPtr _t272;
				signed int _t273;
				void* _t274;
				void* _t275;
				void* _t276;

				_t270 = __edx;
				_t248 = __ecx;
				_t144 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t144 ^ _t273;
				_t247 = __ecx;
				_t272 = _a4;
				_t146 =  *(__ecx + 0x20);
				_t271 = _a8;
				if(_t146 != 0) {
					 *0xf53004(_t146);
					 *(__ecx + 0x20) = 0;
				}
				if(_t272 == 0) {
					L7:
					_t148 =  *(_t247 + 0x28);
					if(_t148 != 0) {
						 *0xf53004(_t148);
						 *(_t247 + 0x28) = 0;
					}
					if(_t271 == 0) {
						L10:
						_push(_t272);
						_push(L"CLSID\\");
						_v1088 = 0;
						_t271 = E00F07F7F(2,  &_v1088);
						_t275 = _t274 + 0x10;
						if(_t271 < 0) {
							L59:
							_t152 = _t271;
							goto L60;
						}
						_push(0xf079b4);
						_push(_v1088);
						 *((intOrPtr*)(_t247 + 0x644)) = 0x20;
						_v1084 = 0;
						_t271 = E00F07F7F(2,  &_v1084);
						_t276 = _t275 + 0x10;
						if(_t271 < 0) {
							L50:
							if( *((intOrPtr*)(_t247 + 0x644)) != 0x20) {
								_t156 = 0x100;
							} else {
								_t156 = 0x200;
							}
							if(RegOpenKeyExW(0x80000000, _v1088, 0, _t156 | 0x00020019,  &_v1104) == 0) {
								_v1112 = 1;
								_t72 = _t247 + 0x43c; // 0x44c
								_v1076 = 0x208;
								RegQueryValueExW(_v1104,  *0xf504d8, 0,  &_v1112, _t72,  &_v1076);
								_v1096 = 1;
								_v1100 = 0x208;
								_t271 = 0;
								if(RegQueryValueExW(_v1104, L"AppId", 0,  &_v1096,  &_v528,  &_v1100) == 0) {
									_t168 =  *((intOrPtr*)(_t247 + 0x24));
									if(_t168 != 0) {
										 *0xf53004(_t168);
									}
									_t170 =  *0xf53000( &_v528);
									 *((intOrPtr*)(_t247 + 0x24)) = _t170;
									if(_t170 == 0) {
										_t271 = 0x80041006;
									}
								}
								if(_t271 >= 0 &&  *(_t247 + 0x10) != 1 &&  *(_t247 + 0x14) != 1) {
									 *(_t247 + 0x18) = 1;
									 *(_t247 + 8) = 2;
									 *(_t247 + 0xc) = 0;
								}
								RegCloseKey(_v1104);
							}
							 *0xf53004(_v1088);
							if(_t271 >= 0) {
								 *(_t247 + 0x1c) = 1;
							}
							goto L59;
						}
						_push(L"InProcServer32");
						_push(_v1084);
						_v1092 = 0;
						_t271 = E00F07F7F(2,  &_v1092);
						_t274 = _t276 + 0x10;
						if(_t271 < 0) {
							L49:
							 *0xf53004(_v1084);
							goto L50;
						}
						if( *((intOrPtr*)(_t247 + 0x644)) != 0x20) {
							_t176 = 0x100;
						} else {
							_t176 = 0x200;
						}
						if(RegOpenKeyExW(0x80000000, _v1092, 0, _t176 | 0x00020019,  &_v1080) != 0) {
							L43:
							 *0xf53004(_v1092);
							if(_t271 >= 0) {
								_push(L"LocalServer32");
								_push(_v1084);
								_v1052 = 0;
								_t271 = E00F07F7F(2,  &_v1052);
								if(_t271 >= 0) {
									if( *((intOrPtr*)(_t247 + 0x644)) != 0x20) {
										_t182 = 0x100;
									} else {
										_t182 = 0x200;
									}
									if(RegOpenKeyExW(0x80000000, _v1052, 0, _t182 | 0x00020019,  &_v1124) == 0) {
										 *(_t247 + 0x14) = 1;
										_t129 = _t247 + 0x234; // 0x244
										 *(_t247 + 8) = 2;
										 *(_t247 + 0xc) = 0;
										_v1076 = 1;
										_v1112 = 0x208;
										RegQueryValueExW(_v1124,  *0xf504d8, 0,  &_v1076, _t129,  &_v1112);
										RegCloseKey(_v1124);
									}
									 *0xf53004(_v1052);
								}
							}
							goto L49;
						} else {
							 *(_t247 + 0x10) = 1;
							_v1136 = 1;
							_v1140 = 0x208;
							_t271 = 0;
							if(RegQueryValueExW(_v1080, L"ThreadingModel", 0,  &_v1136,  &_v528,  &_v1140) != 0) {
								_t271 = 0x80041012;
							} else {
								_t272 = 0;
								goto L18;
								L19:
								_t259 = _t212;
								if(_t259 > 0x7f) {
									_v1068 = _t259;
									_t215 = LCMapStringW(0x7f, 0x100,  &_v1068, 1,  &_v1120, 1);
									_t216 = _v1068;
									if(_t215 != 0) {
										_t216 = _v1120;
									}
									L22:
									_t217 = _t216 & 0x0000ffff;
									L23:
									_t32 = _t272 + L"apartment"; // 0x610000
									_t260 =  *_t32 & 0x0000ffff;
									_v1056 = _t217;
									if(_t260 > 0x7f) {
										_v1064 = _t260;
										_t220 = LCMapStringW(0x7f, 0x100,  &_v1064, 1,  &_v1108, 1);
										_t221 = _v1064;
										if(_t220 != 0) {
											_t221 = _v1108;
										}
										L76:
										_t222 = _t221 & 0x0000ffff;
										L26:
										if((_v1056 & 0x0000ffff) == (_t222 & 0x0000ffff)) {
											_t272 = _t272 + 2;
											L18:
											_t212 =  *(_t273 + _t272 - 0x20c) & 0x0000ffff;
											if(_t212 == 0) {
												goto L70;
											}
											goto L19;
										} else {
											_t272 = 0;
											goto L28;
											L29:
											_t248 = _t224;
											if(_t248 > 0x7f) {
												_v1072 = _t248;
												_t227 = LCMapStringW(0x7f, 0x100,  &_v1072, 1,  &_v1116, 1);
												_t228 = _v1072;
												if(_t227 != 0) {
													_t228 = _v1116;
												}
												L2:
												_t229 = _t228 & 0x0000ffff;
												L32:
												_t39 = _t272 + L"both"; // 0x620000
												_t264 =  *_t39 & 0x0000ffff;
												_v1052 = _t229;
												if(_t264 > 0x7f) {
													_v1060 = _t264;
													_t232 = LCMapStringW(0x7f, 0x100,  &_v1060, 1,  &_v1056, 1);
													_t233 = _v1060;
													if(_t232 != 0) {
														_t233 = _v1056;
													}
													L81:
													_t234 = _t233 & 0x0000ffff;
													L35:
													if((_v1052 & 0x0000ffff) != (_t234 & 0x0000ffff)) {
														_t270 = L"free";
														if(E00F3249A( &_v528, L"free") != 0) {
															_t270 = L"neutral";
															_t237 = E00F3249A( &_v528, L"neutral");
															asm("sbb eax, eax");
															 *(_t247 + 8) =  ~( ~_t237) + 3;
														} else {
															 *(_t247 + 8) = 2;
														}
														L39:
														if(_t271 >= 0) {
															_v1128 = 1;
															_v1132 = 0x208;
															if(RegQueryValueExW(_v1080, L"Synchronization", 0,  &_v1128,  &_v1048,  &_v1132) == 0) {
																_t270 = L"ignored";
																_t204 = E00F3249A( &_v1048, L"ignored");
																if(_t204 != 0) {
																	_t270 = L"none";
																	if(E00F3249A( &_v1048, L"none") != 0) {
																		_t270 = L"supported";
																		if(E00F3249A( &_v1048, L"supported") != 0) {
																			_t270 = L"required";
																			if(E00F3249A( &_v1048, L"required") != 0) {
																				_t270 = L"requiresnew";
																				_t208 = E00F3249A( &_v1048, L"requiresnew");
																				asm("sbb eax, eax");
																				 *(_t247 + 0xc) =  ~( ~_t208) + 4;
																			} else {
																				 *(_t247 + 0xc) = 3;
																			}
																		} else {
																			 *(_t247 + 0xc) = 2;
																		}
																	} else {
																		 *(_t247 + 0xc) = 1;
																	}
																} else {
																	 *(_t247 + 0xc) = _t204;
																}
															}
															_t271 = 0;
														}
														_v1100 = 1;
														_t53 = _t247 + 0x2c; // 0x3c
														_v1096 = 0x208;
														RegQueryValueExW(_v1080,  *0xf504d8, 0,  &_v1100, _t53,  &_v1096);
														RegCloseKey(_v1080);
														goto L43;
													} else {
														_t272 = _t272 + 2;
														L28:
														_t224 =  *(_t273 + _t272 - 0x20c) & 0x0000ffff;
														if(_t224 == 0) {
															goto L37;
														}
														goto L29;
													}
												}
												_t41 = _t264 - 0x41; // 0x61ffbf
												if(_t41 <= 0x19) {
													_t88 = _t264 + 0x20; // 0x6f0082
													_t233 = _t88;
													goto L81;
												} else {
													_t234 = _t264;
													goto L35;
												}
											}
											if(_t248 - 0x41 <= 0x19) {
												_t228 = _t248 + 0x20;
												goto L2;
											} else {
												_t229 = _t248;
												goto L32;
											}
											L37:
											if( *(_t272 + L"both") != _t271) {
												goto L29;
											} else {
												 *(_t247 + 8) = 1;
												goto L39;
											}
										}
									}
									_t34 = _t260 - 0x41; // 0x60ffbf
									if(_t34 <= 0x19) {
										_t87 = _t260 + 0x20; // 0x700081
										_t221 = _t87;
										goto L76;
									} else {
										_t222 = _t260;
										goto L26;
									}
								}
								if(_t259 - 0x41 > 0x19) {
									_t217 = _t259;
									goto L23;
								} else {
									_t216 = _t259 + 0x20;
									goto L22;
								}
								L70:
								if( *(_t272 + L"apartment") != _t271) {
									goto L19;
								}
								 *(_t247 + 8) = _t271;
							}
							goto L39;
						}
					} else {
						_t245 =  *0xf53000(_t271);
						 *(_t247 + 0x28) = _t245;
						if(_t245 == 0) {
							goto L68;
						}
						goto L10;
					}
				} else {
					_t246 =  *0xf53000(_t272);
					 *((intOrPtr*)(_t247 + 0x20)) = _t246;
					if(_t246 == 0) {
						L68:
						_t152 = 0x80041006;
						L60:
						return E00F01CA0(_t152, _t247, _v8 ^ _t273, _t270, _t271, _t272);
					}
					goto L7;
				}
			}

APIs
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000000,00000000,00000000,00000200,?), ref: 00F08846
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,ThreadingModel,00000000,00000001,?,?), ref: 00F08892
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Synchronization,00000000,00000001,?,?), ref: 00F089DC
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000001,0000003C,?), ref: 00F08A20
  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00F08A2C
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000000,00000000,00000000,00000200,?), ref: 00F08A9A
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000000,00000000,00000000,00000200,?), ref: 00F08AEC
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000001,0000044C,?), ref: 00F08B31
  • LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-1(0000007F,00000100,?,00000001,?,00000001), ref: 00F1FEEA
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: QueryValue$Open$CloseString
  • String ID: AppId$CLSID\$InProcServer32$LocalServer32$Synchronization$ThreadingModel$free$ignored$neutral$none$required$requiresnew$supported
  • API String ID: 2397329482-3949642071
  • Opcode ID: e956dc0d4812bd1b0684984de60501b51234ab4330145ac90d9a0881ce99511e
  • Instruction ID: 1f8c60ab02bb21247211967c4fe964cc409144717b9c9e04cb3f02c6cf930b3a
  • Opcode Fuzzy Hash: e956dc0d4812bd1b0684984de60501b51234ab4330145ac90d9a0881ce99511e
  • Instruction Fuzzy Hash: 7902A3B1900218DBDB209F10CC84BE9B7B8FB44355F5040E9EA49A7192EB74AEC5FF65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 97%
			E00F46FCB(void* __ecx, void* __edx, struct _SECURITY_DESCRIPTOR* _a8, struct _SECURITY_DESCRIPTOR** _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void _v20;
				long _v24;
				int _v28;
				void* _v32;
				int _v36;
				int _v40;
				long _v44;
				long _v48;
				int _v52;
				int _v56;
				long _v60;
				long _v64;
				long _v68;
				void* _v72;
				struct _SECURITY_DESCRIPTOR** _v76;
				void* _v80;
				signed int _v84;
				long _v88;
				struct _SECURITY_DESCRIPTOR _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t104;
				long _t109;
				signed int _t123;
				struct _ACL* _t126;
				long _t127;
				signed short _t136;
				signed short _t137;
				signed short _t138;
				signed short _t139;
				long _t144;
				struct _SECURITY_DESCRIPTOR* _t145;
				int _t158;
				long _t180;
				struct _SECURITY_DESCRIPTOR* _t189;
				struct _SECURITY_DESCRIPTOR* _t198;
				void* _t201;
				void* _t202;
				intOrPtr _t206;
				intOrPtr _t207;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr _t210;
				intOrPtr _t216;
				intOrPtr _t217;
				struct _SECURITY_DESCRIPTOR* _t229;
				long _t232;
				short _t235;
				int _t236;
				signed int _t237;
				void* _t238;

				_t203 = __ecx;
				_t104 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t104 ^ _t237;
				_t229 = _a8;
				_t201 = __ecx;
				_v32 = __edx;
				_t226 = 0;
				_v80 = __ecx;
				_t236 = 0;
				_v76 = _a12;
				_v24 = 0;
				_v28 = 0;
				_v40 = 0;
				_v56 = 0;
				_v52 = 0;
				_v36 = 0;
				if(_t229->Revision == 0) {
					__eflags = InitializeSecurityDescriptor( &_v108, 1);
					if(__eflags == 0) {
						L20:
						_t236 = 0x8004100a;
						L21:
						_t203 =  &_v108;
						_v24 =  &_v108;
						L22:
						_t109 = GetLengthSid(_t201);
						_t202 = 0;
						_v88 = _t109;
						_t254 = _t236;
						if(_t236 < 0) {
							L70:
							_t110 = _v28;
							if(_v28 != 0) {
								_t210 =  *0xf4f0cc; // 0x0
								E00F04A17(_t210, _t110);
							}
							_t111 = _v40;
							if(_v40 != 0) {
								_t209 =  *0xf4f0cc; // 0x0
								E00F04A17(_t209, _t111);
							}
							_t112 = _v56;
							if(_v56 != 0) {
								_t208 =  *0xf4f0cc; // 0x0
								E00F04A17(_t208, _t112);
							}
							_t113 = _v52;
							if(_v52 != 0) {
								_t207 =  *0xf4f0cc; // 0x0
								E00F04A17(_t207, _t113);
							}
							_t114 = _v36;
							if(_v36 != 0) {
								_t206 =  *0xf4f0cc; // 0x0
								E00F04A17(_t206, _t114);
							}
							return E00F01CA0(_t236, _t202, _v8 ^ _t237, _t226, _t229, _t236);
						}
						_t123 = _t109 + 0xfffffffc & 0x0000ffff;
						_v84 = _t123;
						_v32 = _t123 + 0xc;
						_t229 = E00F19D72(_t203, _t254, _t123 + 0xc);
						_v72 = _t229;
						if(_t229 == 0) {
							_t236 = 0x80041006;
						} else {
							_t64 =  &(_t229->Group); // 0x8
							CopySid(_v88, _t64, _v80);
							_t229->Owner = 1;
							_t229->Revision = 0x300;
							_t229->Control = _v32;
						}
						if(_t236 < 0) {
							goto L70;
						} else {
							_v20 = _v20 & _t202;
							_v16 = _v16 & _t202;
							_v12 = _v12 & _t202;
							_t126 = _v28;
							if(_t126 == 0) {
								_t127 = GetLengthSid(_v80);
								_t226 = (_t127 - 0x00000004 & 0x0000ffff) + 0x14;
								_t232 = ( *0xf4f008 & 0x0000ffff) + (_t127 - 0x00000004 & 0x0000ffff) + 0x14 + ( *0xf4f000 & 0x0000ffff) + ( *0xf4f00c & 0x0000ffff) + ( *0xf4f004 & 0x0000ffff);
								_t202 = E00F19D72(( *0xf4f000 & 0x0000ffff) + ( *0xf4f00c & 0x0000ffff) + ( *0xf4f004 & 0x0000ffff), __eflags, _t232);
								_pop(_t215);
								__eflags = _t202;
								if(__eflags == 0) {
									L35:
									_t236 = 0x80041006;
									L36:
									_t229 = 0;
									if(_t236 < 0) {
										L66:
										_t132 = _v72;
										if(_v72 != 0) {
											_t217 =  *0xf4f0cc; // 0x0
											E00F04A17(_t217, _t132);
										}
										if(_t202 != 0) {
											_t216 =  *0xf4f0cc; // 0x0
											E00F04A17(_t216, _t202);
										}
										goto L70;
									}
									if(AddAce(_t202, 2, _v20, _v72, _v32) == 0) {
										_t236 = 0x8004100a;
									} else {
										_t229 = 1;
									}
									if(_t236 < 0) {
										goto L66;
									} else {
										_t136 =  *0xf4f00c; // 0x0
										if(_t136 == 0 || AddAce(_t202, 2, _t229,  *0xf4f0ac, _t136 & 0x0000ffff) == 0) {
											_t236 = 0x8004100a;
										} else {
											_t229 =  &(_t229->Sbz1);
										}
										if(_t236 < 0) {
											goto L66;
										} else {
											_t137 =  *0xf4f008; // 0x0
											if(_t137 == 0 || AddAce(_t202, 2, _t229,  *0xf4f0a8, _t137 & 0x0000ffff) == 0) {
												_t236 = 0x8004100a;
											} else {
												_t229 =  &(_t229->Sbz1);
											}
											if(_t236 < 0) {
												goto L66;
											} else {
												_t138 =  *0xf4f004; // 0x0
												if(_t138 == 0 || AddAce(_t202, 2, _t229,  *0xf4f0a4, _t138 & 0x0000ffff) == 0) {
													_t236 = 0x8004100a;
												} else {
													_t229 =  &(_t229->Sbz1);
												}
												if(_t236 < 0) {
													goto L66;
												} else {
													_t139 =  *0xf4f000; // 0x0
													if(_t139 == 0 || AddAce(_t202, 2, _t229,  *0xf4f0a0, _t139 & 0x0000ffff) == 0) {
														_t236 = 0x8004100a;
													}
													if(_t236 < 0) {
														goto L66;
													} else {
														_t229 = _v24;
														if(SetSecurityDescriptorDacl(_t229, 1, _t202, 0) == 0) {
															L65:
															_t236 = 0x8004100a;
															goto L66;
														}
														_v24 = _v24 & 0x00000000;
														if(MakeSelfRelativeSD(_t229,  *_v76,  &_v24) != 0) {
															goto L66;
														}
														_t144 = GetLastError();
														_t277 = _t144 - 0x7a;
														if(_t144 != 0x7a) {
															goto L66;
														}
														_t145 = E00F19D72(_t215, _t277, _v24);
														 *_v76 = _t145;
														if(_t145 == 0) {
															_t236 = 0x80041006;
															goto L66;
														}
														if(MakeSelfRelativeSD(_t229, _t145,  &_v24) != 0) {
															goto L66;
														}
														goto L65;
													}
												}
											}
										}
									}
								}
								__eflags = InitializeAcl(_t202, _t232, 2);
								if(__eflags == 0) {
									L34:
									_t236 = 0x8004100a;
									goto L36;
								}
								__eflags = GetAclInformation(_t202,  &_v20, 0xc, 2);
								if(__eflags != 0) {
									goto L36;
								}
								goto L34;
							}
							_t215 =  &_v20;
							_t158 = GetAclInformation(_t126,  &_v20, 0xc, 2);
							_t258 = _t158;
							if(_t158 == 0) {
								goto L34;
							}
							_t226 = ( *0xf4f000 & 0x0000ffff) + ( *0xf4f00c & 0x0000ffff);
							_t235 = _v16 + 0xc + ( *0xf4f008 & 0x0000ffff) + ( *0xf4f004 & 0x0000ffff) + _v84 + ( *0xf4f000 & 0x0000ffff) + ( *0xf4f00c & 0x0000ffff) + _v12;
							_t202 = E00F19D72(( *0xf4f008 & 0x0000ffff) + ( *0xf4f004 & 0x0000ffff) + _v84 + ( *0xf4f000 & 0x0000ffff) + ( *0xf4f00c & 0x0000ffff) + _v12, _t258, _t235);
							_pop(_t215);
							if(_t202 == 0) {
								goto L35;
							}
							memcpy(_t202, _v28, _v12 + _v16);
							 *((short*)(_t202 + 2)) = _t235;
							goto L36;
						}
					}
					__eflags = SetSecurityDescriptorOwner( &_v108, _t201, 0);
					if(__eflags == 0) {
						goto L20;
					}
					__eflags = SetSecurityDescriptorGroup( &_v108, _v32, 0);
					if(__eflags != 0) {
						goto L21;
					}
					goto L20;
				}
				_v60 = 0x14;
				_v64 = 0;
				_v68 = 0;
				_v48 = 0;
				_v44 = 0;
				if(MakeAbsoluteSD(_t229->Revision, 0,  &_v60, 0,  &_v64, 0,  &_v68, 0,  &_v48, 0,  &_v44) != 0) {
					L15:
					_t236 = 0x8004100a;
					goto L22;
				}
				_t180 = GetLastError();
				_t242 = _t180 - 0x7a;
				if(_t180 != 0x7a) {
					goto L15;
				}
				_t203 = (GetLengthSid(_t201) - 0x00000004 & 0x0000ffff) + 0xc;
				_v28 = E00F19D72((GetLengthSid(_t201) - 0x00000004 & 0x0000ffff) + 0xc, _t242, (GetLengthSid(_t201) - 0x00000004 & 0x0000ffff) + 0xc + _v64);
				_v40 = E00F19D72((GetLengthSid(_t201) - 0x00000004 & 0x0000ffff) + 0xc, _t242, _v68);
				_v56 = E00F19D72((GetLengthSid(_t201) - 0x00000004 & 0x0000ffff) + 0xc, _t242, _v48);
				_v52 = E00F19D72(_t203, _t242, _v44);
				_t189 = E00F19D72(_t203, _t242, _v60);
				_t238 = _t238 + 0x14;
				_v36 = _t189;
				if(_t189 == 0 || _v28 == 0 || _v40 == 0 || _v56 == 0 || _v52 == 0) {
					_t236 = 0x80041006;
					goto L22;
				} else {
					if(InitializeSecurityDescriptor(_t189, 1) == 0 || MakeAbsoluteSD( *_t229, _v36,  &_v60, _v28,  &_v64, _v40,  &_v68, _v56,  &_v48, _v52,  &_v44) == 0) {
						goto L15;
					} else {
						_t198 = _v36;
						_v24 = _t198;
						if(_v48 != 0) {
							L13:
							if(_v44 != _t236 || SetSecurityDescriptorGroup(_t198, _v32, 0) != 0) {
								goto L22;
							} else {
								goto L15;
							}
						}
						if(SetSecurityDescriptorOwner(_t198, _t201, 0) == 0) {
							goto L15;
						}
						_t198 = _v36;
						goto L13;
					}
				}
			}

APIs
  • MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-2-0(00000014,00000000,00000014,00000000,?,00000000,?,00000000,?,00000000,?,00000000,00000000,?), ref: 00F4703D
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F4704B
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F4705B
  • InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001), ref: 00F470CA
  • MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-2-0(00000014,?,00000014,00F480B4,?,?,?,?,?,?,?), ref: 00F470FA
  • SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000000,00000000), ref: 00F47112
  • SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,00000000), ref: 00F4712A
  • InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000000,00000000,?), ref: 00F47148
  • SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000000,00000000), ref: 00F47159
  • SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,00000000), ref: 00F4716C
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F47182
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000008,?), ref: 00F471BE
  • GetAclInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00F480B4,?,0000000C,00000002), ref: 00F471FF
  • memcpy.MSVCRT ref: 00F47259
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F4726A
  • InitializeAcl.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000000,00000002), ref: 00F472AE
  • GetAclInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,?,0000000C,00000002), ref: 00F472C1
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000002,?,?,?), ref: 00F472ED
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000002,00000000,?), ref: 00F47320
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000002,00000000,?), ref: 00F47353
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000002,00000000,?), ref: 00F47386
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000002,00000000,?), ref: 00F473B9
  • SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000000,00000000), ref: 00F473D5
  • MakeSelfRelativeSD.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,00000000), ref: 00F473ED
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F473F7
  • MakeSelfRelativeSD.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000000,00000000), ref: 00F4741E
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: DescriptorSecurity$Make$InitializeLength$AbsoluteErrorGroupInformationLastOwnerRelativeSelf$CopyDaclmemcpy
  • String ID:
  • API String ID: 3990581120-0
  • Opcode ID: 98c33f1d71527bef54f0d90490b1958346da32c4db63819a8336c67867f665a2
  • Instruction ID: 58492311911bc2418795dce3c1379afca54c608b9046f92bfd5cfcc97ae8223f
  • Opcode Fuzzy Hash: 98c33f1d71527bef54f0d90490b1958346da32c4db63819a8336c67867f665a2
  • Instruction Fuzzy Hash: 0EE16D75E04359ABDB10AFA5EC44BBEBBB8BB44711F044029FE05E7291E7789D40EB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
			E00F3160B(struct _SECURITY_DESCRIPTOR* __ecx, void* __edi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				short _v20;
				struct _SID_IDENTIFIER_AUTHORITY _v24;
				long _v28;
				struct _ACL* _v32;
				long _v36;
				void* _v40;
				void* _v44;
				long _v48;
				void* _v52;
				void* _v56;
				signed int _v60;
				signed int _v64;
				void* _v68;
				signed int _v72;
				void* _v76;
				long _v80;
				long _v84;
				long _v88;
				struct _SECURITY_DESCRIPTOR* _v92;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t116;
				int _t125;
				int _t131;
				signed short _t132;
				struct _ACL* _t140;
				long _t142;
				long _t143;
				long _t144;
				int _t148;
				int _t149;
				long _t152;
				int _t161;
				void* _t166;
				void* _t169;
				int _t172;
				long _t173;
				long _t187;
				long _t188;
				void* _t189;
				long _t190;
				intOrPtr _t192;
				void* _t195;
				intOrPtr _t198;
				intOrPtr _t199;
				intOrPtr _t200;
				intOrPtr _t201;
				signed int _t204;
				intOrPtr _t211;
				void* _t217;
				void* _t219;
				signed int _t220;

				_t216 = __edi;
				_t191 = __ecx;
				_t116 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t116 ^ _t220;
				_t187 = 0;
				_v92 = __ecx;
				if(InitializeSecurityDescriptor(__ecx, 1) == 0) {
					_t219 = 0x8004100a;
					L60:
					if(_t219 < 0) {
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t219);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t192 =  *0xf4f014; // 0xf4f014
					if(_t192 != 0xf4f014 && ( *(_t192 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t192 + 0x19)) >= 2) {
						_push(_t219);
						_t113 = _t192 + 0x14; // 0x20000000
						_push( *_t113);
						_t215 = 0xf21d84;
						_t114 = _t192 + 0x10; // 0x40000000
						_push( *_t114);
						_t195 = 0xc;
						E00F32A46(_t195, 0xf21d84);
					}
					return E00F01CA0(_t219, _t187, _v8 ^ _t220, _t215, _t216, _t219);
				}
				_push(__edi);
				_v16.Value = 0;
				_v12 = 0x500;
				_v44 = 0;
				_t217 = 0;
				_v72 = 0;
				_t125 = AllocateAndInitializeSid( &_v16, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v44);
				_t222 = _t125;
				if(_t125 == 0) {
					L5:
					_t219 = 0x80041006;
					L6:
					_v56 = _t187;
					_v76 = _t187;
					_v60 = _t187;
					if(_t219 < 0) {
						L12:
						_v40 = _t187;
						_v68 = _t187;
						_v64 = _t187;
						if(_t219 < 0) {
							L18:
							_t215 = 0;
							_v52 = _t187;
							_v48 = 0;
							if(_t219 < 0) {
								L43:
								if(_t217 != 0) {
									_t201 =  *0xf4f0cc; // 0x0
									E00F04A17(_t201, _t217);
								}
								_t126 = _v68;
								_pop(_t216);
								if(_v68 != 0) {
									_t200 =  *0xf4f0cc; // 0x0
									E00F04A17(_t200, _t126);
								}
								_t119 = _v76;
								if(_v76 != 0) {
									_t199 =  *0xf4f0cc; // 0x0
									_t119 = E00F04A17(_t199, _t119);
								}
								if(_t187 != 0) {
									_t198 =  *0xf4f0cc; // 0x0
									_t119 = E00F04A17(_t198, _t187);
								}
								if(_v44 != 0) {
									_t119 = FreeSid(_v44);
								}
								if(_v40 != 0) {
									_t119 = FreeSid(_v40);
								}
								if(_v56 != 0) {
									_t119 = FreeSid(_v56);
								}
								if(_v52 != 0) {
									_t119 = FreeSid(_v52);
								}
								goto L60;
							}
							_v24.Value = 0;
							_v20 = 0x100;
							_t131 = AllocateAndInitializeSid( &_v24, 1, 0, 0, 0, 0, 0, 0, 0, 0,  &_v52);
							_t231 = _t131;
							if(_t131 == 0) {
								L22:
								_t132 = _v48;
								_t219 = 0x80041006;
								L23:
								_t233 = _t219;
								if(_t219 >= 0) {
									_t215 = _v64 & 0x0000ffff;
									_v36 = _t132 & 0x0000ffff;
									_v80 = _v60 & 0x0000ffff;
									_t204 = _v72 & 0x0000ffff;
									_v84 = _t204;
									_v88 = _t215;
									_v28 = _v36 + _t215 + _v80 + _t204 + 8;
									_t140 = E00F19D72(_t204 + 8, _t233, _v36 + _t215 + _v80 + _t204 + 8);
									_v32 = _t140;
									if(_t140 == 0) {
										_t219 = 0x80041006;
									} else {
										if(InitializeAcl(_t140, _v28, 2) != 0) {
											_t142 = 0;
											_v28 = 0;
											if(_v72 != 0) {
												if(AddAce(_v32, 2, 0, _t217, _v84) == 0) {
													_t142 = _v28;
												} else {
													_t142 = 1;
													_v28 = 1;
												}
											}
											if(_v64 == 0) {
												_t143 = _v28;
											} else {
												_t149 = AddAce(_v32, 2, _t142, _v68, _v88);
												_t143 = _v28;
												if(_t149 != 0) {
													_t143 = _t143 + 1;
													_v28 = _t143;
												}
											}
											if(_v60 == 0) {
												_t144 = _v28;
											} else {
												_t148 = AddAce(_v32, 2, _t143, _v76, _v80);
												_t144 = _v28;
												if(_t148 != 0) {
													_t144 = _t144 + 1;
												}
											}
											if(_v48 != 0) {
												AddAce(_v32, 2, _t144, _t187, _v36);
											}
											if(SetSecurityDescriptorDacl(_v92, 1, _v32, 0) == 0) {
												_t211 =  *0xf4f0cc; // 0x0
												E00F04A17(_t211, _v32);
												_t219 = 0x8004100a;
											}
										}
									}
								}
								goto L43;
							}
							_t152 = GetLengthSid(_v52);
							_v36 = _t152;
							_v48 = _t152 + 0x00000008 & 0x0000ffff;
							_t187 = E00F19D72(0, _t231, _t152 + 0x00000008 & 0xffff);
							if(_t187 == 0) {
								goto L22;
							} else {
								_t56 = _t187 + 8; // 0x8
								CopySid(_v36, _t56, _v52);
								_t132 = _v48;
								 *((intOrPtr*)(_t187 + 4)) = 0x20015;
								 *_t187 = 0x300;
								 *(_t187 + 2) = _t132;
								goto L23;
							}
						}
						_t161 = AllocateAndInitializeSid( &_v16, 1, 0x14, _t187, _t187, _t187, _t187, _t187, _t187, _t187,  &_v40);
						_t228 = _t161;
						if(_t161 == 0) {
							L17:
							_t219 = 0x80041006;
							goto L18;
						}
						_t188 = GetLengthSid(_v40);
						_t38 = _t188 + 8; // 0x8
						_v64 = _t38 & 0x0000ffff;
						_t166 = E00F19D72(_t191, _t228, _t38 & 0xffff);
						_v68 = _t166;
						if(_t166 == 0) {
							_t187 = 0;
							__eflags = 0;
							goto L17;
						} else {
							CopySid(_t188, _t166 + 8, _v40);
							_t169 = _v68;
							_t187 = 0;
							 *((intOrPtr*)(_t169 + 4)) = 0x13001f;
							 *_t169 = 0x300;
							 *((short*)(_t169 + 2)) = _v64;
							goto L18;
						}
					}
					_t172 = AllocateAndInitializeSid( &_v16, 1, 0x13, _t187, _t187, _t187, _t187, _t187, _t187, _t187,  &_v56);
					_t225 = _t172;
					if(_t172 == 0) {
						L11:
						_t219 = 0x80041006;
						goto L12;
					}
					_t173 = GetLengthSid(_v56);
					_v36 = _t173;
					_v60 = _t173 + 0x00000008 & 0x0000ffff;
					_t189 = E00F19D72(_t191, _t225, _t173 + 0x00000008 & 0xffff);
					_v76 = _t189;
					_pop(_t191);
					if(_t189 == 0) {
						_t187 = 0;
						__eflags = 0;
						goto L11;
					} else {
						_t27 = _t189 + 8; // 0x8
						CopySid(_v36, _t27, _v56);
						_t191 = _v60;
						 *((intOrPtr*)(_t189 + 4)) = 0x13001f;
						 *_t189 = 0x300;
						 *((short*)(_t189 + 2)) = _v60;
						_t187 = 0;
						goto L12;
					}
				}
				_t190 = GetLengthSid(_v44);
				_t10 = _t190 + 8; // 0x8
				_v72 = _t10 & 0x0000ffff;
				_t217 = E00F19D72(_t191, _t222, _t10 & 0xffff);
				_pop(_t191);
				if(_t217 == 0) {
					_t187 = 0;
					__eflags = 0;
					goto L5;
				} else {
					_t13 = _t217 + 8; // 0x8
					CopySid(_t190, _t13, _v44);
					_t191 = _v72;
					_t187 = 0;
					 *((intOrPtr*)(_t217 + 4)) = 0xf001f;
					 *_t217 = 0x300;
					 *((short*)(_t217 + 2)) = _v72;
					goto L6;
				}
			}

APIs
  • InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000000,00000000), ref: 00F3162B
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00F3165E
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F3166B
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,?), ref: 00F31694
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F316D8
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F316E5
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000008,?), ref: 00F31714
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000014,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F31758
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F31765
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,-00000008,?), ref: 00F3178F
  • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F317E3
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F317F0
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000008,?), ref: 00F3181C
  • InitializeAcl.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,?,00000002), ref: 00F31890
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,00000000,00000000,?), ref: 00F318B5
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,00000000,?,?), ref: 00F318DE
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,?,?,?), ref: 00F31908
  • AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000002,?,00000000,?), ref: 00F3192D
  • SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000001,?,00000000), ref: 00F3193D
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F319B1
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F319C0
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F319CF
  • FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F319DE
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(8004100A), ref: 00F319F0
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F319F8
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Initialize$AllocateCopyFreeLength$DescriptorLog@@MemorySecurity$DaclObject@@Write@
  • String ID:
  • API String ID: 3117960345-0
  • Opcode ID: cf600569a8bf334868eda16723617d50d005c0911027fb5398892b91953bf9b4
  • Instruction ID: 2f53d4458c3e032eb1ec2a50fbc23ceb37e7da1d84545a4395b1286388db98de
  • Opcode Fuzzy Hash: cf600569a8bf334868eda16723617d50d005c0911027fb5398892b91953bf9b4
  • Instruction Fuzzy Hash: 80D13675E01249AFDF148FA5DC95BAEBBB9FF08321F144029EA05E72A1D7349D40EB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00F0C8E9(char __ecx, int** __edx) {
				void* _v8;
				int _v12;
				int _v16;
				char _v20;
				char _t33;
				int* _t35;
				int** _t55;
				short* _t58;
				int* _t59;
				char _t60;
				long _t61;
				int* _t62;
				signed int _t63;

				_t62 = 0;
				_t58 = __ecx;
				_v12 = 0;
				_t55 = __edx;
				_v20 = __ecx;
				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\WBEM\\CIMOM\\SecuredHostProviders", 0, 0x20019,  &_v8) != 0) {
					L9:
					_t33 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\WBEM\\CIMOM\\CompatibleHostProviders", _t62, 0x20019,  &_v8);
					__eflags = _t33;
					if(_t33 != 0) {
						L14:
						_t35 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\WBEM\\CIMOM", _t62, 0x20019,  &_v8);
						__eflags = _t35;
						if(__eflags != 0) {
							if(__eflags > 0) {
								_t63 = _t35 & 0x0000ffff;
								L26:
								_t62 = _t63 | 0x80070000;
								__eflags = _t62;
								L27:
								return _t62;
							}
							_t62 = _t35;
							goto L27;
						}
						_v20 = _t62;
						_v12 = 4;
						_t59 = RegQueryValueExW(_v8, L"DefaultSecuredHost", _t62,  &_v16,  &_v20,  &_v12);
						RegCloseKey(_v8);
						__eflags = _t59;
						if(_t59 != 0) {
							__eflags = _t59 - 2;
							if(_t59 == 2) {
								L21:
								 *_t55 = 1;
								goto L27;
							}
							__eflags = _t59;
							if(_t59 > 0) {
								_t63 = _t59 & 0x0000ffff;
								goto L26;
							}
							_t62 = _t59;
							goto L27;
						}
						__eflags = _v16 - 4;
						if(_v16 != 4) {
							goto L21;
						}
						__eflags = _v20;
						 *_t55 = 0 | _v20 == 0x00000000;
						goto L27;
					}
					_v12 = _t62;
					_t60 = RegQueryValueExW(_v8, _t58, _t62,  &_v16, _t62,  &_v12);
					RegCloseKey(_v8);
					__eflags = _t60;
					if(_t60 == 0) {
						L12:
						__eflags = _v16 - 1;
						if(_v16 != 1) {
							goto L14;
						}
						 *_t55 = 1;
						L4:
						return 0;
					}
					__eflags = _t60 - 0xea;
					if(_t60 != 0xea) {
						goto L14;
					}
					goto L12;
				}
				_v12 = 0;
				_t61 = RegQueryValueExW(_v8, _t58, 0,  &_v16, 0,  &_v12);
				RegCloseKey(_v8);
				if(_t61 != 0) {
					__eflags = _t61 - 0xea;
					if(_t61 == 0xea) {
						goto L2;
					}
					L8:
					_t58 = _v20;
					goto L9;
				}
				L2:
				if(_v16 != 1) {
					goto L8;
				}
				 *_t55 = _t62;
				goto L4;
			}

APIs
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders,00000000,00020019,00F1F571,00000008,?,00000000,?,?,?,00F1F571), ref: 00F0C914
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F1F571,00000000,00000000,?,00000000,?,?,?,?,00F1F571), ref: 00F0C933
  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F1F571,?,?,?,00F1F571), ref: 00F0C93E
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders,00000000,00020019,00F1F571,?,?,?,00F1F571), ref: 00F1EDFD
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F1F571,00000000,00000000,?,00000000,?,?,?,?,00F1F571), ref: 00F1EE18
  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F1F571,?,?,?,00F1F571), ref: 00F1EE23
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\WBEM\CIMOM,00000000,00020019,00F1F571,?,?,?,00F1F571), ref: 00F1EE58
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F1F571,DefaultSecuredHost,00000000,?,?,?), ref: 00F1EE81
  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F1F571), ref: 00F1EE8C
Strings
  • DefaultSecuredHost, xrefs: 00F1EE79
  • SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders, xrefs: 00F1EDF3
  • Software\Microsoft\WBEM\CIMOM, xrefs: 00F1EE4E
  • SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders, xrefs: 00F0C900
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CloseOpenQueryValue
  • String ID: DefaultSecuredHost$SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders$SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders$Software\Microsoft\WBEM\CIMOM
  • API String ID: 3677997916-590304595
  • Opcode ID: 3bb189ac85c610f6a921f268ec343edd65b866d56c1f18a39541e4b5bb43765c
  • Instruction ID: 05abf4a25170fead55adf595cb5e7d3ee3c9feeaca5123742cd7d25b301a5a07
  • Opcode Fuzzy Hash: 3bb189ac85c610f6a921f268ec343edd65b866d56c1f18a39541e4b5bb43765c
  • Instruction Fuzzy Hash: 67414176E00229FADB218B919C48BEFBAB9FB45761F2144A5E905A3140D7309A44FB91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00F47632(struct _SECURITY_DESCRIPTOR* __ecx, struct _SECURITY_DESCRIPTOR* _a8) {
				void* _v8;
				int _v12;
				long _v16;
				long _v20;
				long _v24;
				long _t36;
				long _t42;
				struct _SECURITY_DESCRIPTOR* _t60;
				intOrPtr _t65;
				int _t67;
				struct _PRIVILEGE_SET* _t70;
				signed int _t72;

				_t60 = __ecx;
				_t72 = 0;
				_v20 = 1;
				if(__ecx == 0) {
					_t60 = _a8;
				}
				_v8 = _v8 & _t72;
				_t67 = OpenThreadToken(GetCurrentThread(), 8, 1,  &_v8);
				_t36 = GetLastError();
				if(_t36 == 0x51d || _t36 == 0x3f0) {
					__eflags = _t67;
					if(__eflags != 0) {
						goto L7;
					}
					_v12 = _v12 & _t72;
					__eflags = OpenProcessToken(GetCurrentProcess(), 0xa,  &_v12);
					if(__eflags == 0) {
						goto L5;
					}
					__eflags = ImpersonateLoggedOnUser(_v12);
					if(__eflags == 0) {
						_t72 = 0x80041003;
					} else {
						__eflags = OpenThreadToken(GetCurrentThread(), 8, 1,  &_v8);
						if(__eflags == 0) {
							_t72 = 0x80041003;
						}
						RevertToSelf();
					}
					CloseHandle(_v12);
					goto L6;
				} else {
					if(_t67 != 0) {
						L7:
						_v24 = _v24 & 0x00000000;
						_v12 = _v12 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						MapGenericMask( &_v20, 0xf50a90);
						if(AccessCheck(_t60, _v8, _v20, 0xf50a90, 0,  &_v16,  &_v24,  &_v12) == 0 || _v12 == 0) {
							_t42 = GetLastError();
							_t81 = _t42 - 0x7a;
							if(_t42 != 0x7a) {
								_t72 = 0x80041003;
							} else {
								_t70 = E00F19D72(1, _t81, _v16);
								if(_t70 == 0) {
									_t72 = 0x80041006;
								} else {
									if(AccessCheck(_t60, _v8, _v20, 0xf50a90, _t70,  &_v16,  &_v24,  &_v12) == 0 || _v12 == 0) {
										_t72 = 0x80041003;
									}
									_t65 =  *0xf4f0cc; // 0x0
									E00F04A17(_t65, _t70);
								}
							}
						}
						CloseHandle(_v8);
						L26:
						return _t72;
					}
					L5:
					_t72 = 0x80041003;
					L6:
					if(_t72 < 0) {
						goto L26;
					}
					goto L7;
				}
			}

APIs
  • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000008,00000001,00000000,00000000,00000000,?,?,00F0C6A3,?,00000000,00000000), ref: 00F47658
  • OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,00F0C6A3,?,00000000,00000000), ref: 00F4765F
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,00F0C6A3,?,00000000,00000000), ref: 00F47667
  • MapGenericMask.API-MS-WIN-SECURITY-BASE-L1-2-0(00F0C6A3,00F50A90), ref: 00F476AA
  • AccessCheck.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000000,00F0C6A3,00F50A90,00000000,00000000,00000000,00000000), ref: 00F476C6
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F476DA
  • AccessCheck.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00000000,00F0C6A3,00F50A90,00000000,00000000,00000000,00000000), ref: 00F47715
  • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(0000000A,00000000,?,00F0C6A3,?,00000000,00000000), ref: 00F47749
  • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,00F0C6A3,?,00000000,00000000), ref: 00F47750
  • ImpersonateLoggedOnUser.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,?,00F0C6A3,?,00000000,00000000), ref: 00F47761
  • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000008,00000001,00000000,?,00F0C6A3,?,00000000,00000000), ref: 00F47773
  • OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,00F0C6A3,?,00000000,00000000), ref: 00F4777A
  • RevertToSelf.API-MS-WIN-SECURITY-BASE-L1-2-0(?,00F0C6A3,?,00000000,00000000), ref: 00F47789
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,00F0C6A3,?,00000000,00000000), ref: 00F47799
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00F477B3
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Thread$CurrentOpenToken$AccessCheckCloseErrorHandleLastProcess$GenericImpersonateLoggedMaskRevertSelfUser
  • String ID:
  • API String ID: 282326827-0
  • Opcode ID: 3e3e62d90e3d9e497fa7a4764738872899161f20c78b1d4f5e7e919e1e7407dc
  • Instruction ID: 4dccbf78f3536f257c8752892f9360e338c574f092075bc380d5e2b9a440bcbc
  • Opcode Fuzzy Hash: 3e3e62d90e3d9e497fa7a4764738872899161f20c78b1d4f5e7e919e1e7407dc
  • Instruction Fuzzy Hash: 74416076D04709AFDB11ABE4DC48BAEBF7DFB44722F1144A5EA01E2150DB74AE40EB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
			E00F0DF8C(char __ecx, char* __edx) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				signed int _v24;
				void* _v32;
				char _v44;
				char _v48;
				char _v60;
				char _v64;
				intOrPtr* _v68;
				intOrPtr* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				void* _v88;
				char _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed int _t133;
				intOrPtr* _t136;
				char _t157;
				char _t159;
				char _t177;
				char _t179;
				char _t186;
				char _t187;
				intOrPtr _t195;
				intOrPtr _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				char _t205;
				char _t210;
				intOrPtr* _t211;
				char _t229;
				char _t236;
				char _t243;
				struct _CRITICAL_SECTION* _t245;
				void* _t246;
				char _t261;
				intOrPtr* _t275;
				char* _t281;
				intOrPtr* _t287;
				char _t291;
				intOrPtr* _t300;
				char* _t305;
				char _t311;
				void* _t312;
				intOrPtr _t313;
				intOrPtr* _t314;
				char _t321;
				void* _t322;
				intOrPtr* _t324;
				intOrPtr _t325;
				signed int _t327;
				signed int _t329;

				_t309 = __edx;
				_push(0xffffffff);
				_push(E00F248DD);
				_push( *[fs:0x0]);
				_t329 = (_t327 & 0xfffffff8) - 0x58;
				_t131 =  *0xf4f1a4; // 0xbd26e8f
				_v24 = _t131 ^ _t329;
				_t133 =  *0xf4f1a4; // 0xbd26e8f
				_push(_t133 ^ _t329);
				 *[fs:0x0] =  &_v16;
				_t311 = __ecx;
				_v92 = __ecx;
				_t136 =  *((intOrPtr*)(__ecx + 0x44));
				_v84 = 0;
				_v80 = 0;
				_v76 = _t136;
				_v72 = _t136;
				_v8 = 0;
				_v64 = __ecx + 0x6c;
				_t245 = __ecx + 0x18;
				goto L1;
				do {
					do {
						do {
							L1:
							if( *((intOrPtr*)(_t245 + 0x18)) == 0 || E00F02E90(_t245) != 0) {
								L3:
								if(E00F04025(_t311 + 0x6c,  &_v60,  &_v104) == 0) {
									_t321 = E00F2E1FC(_t311 + 0x6c, _t309);
									E00F321AA(_t245);
									__eflags = _t321;
									if(_t321 != 0) {
										break;
									}
									_t211 = _v104;
									__eflags =  *((intOrPtr*)(_t211 + 0x24)) - 2;
									if( *((intOrPtr*)(_t211 + 0x24)) != 2) {
										_t309 = 1;
										E00F47847(0xf4f0fc, 1);
										_t321 = E00F2E266(0xf4f0fc,  &_v104);
										E00F321AA(0xf4f0fc);
										__eflags = _t321 - 0x80000008;
										if(_t321 == 0x80000008) {
											_t321 = 0;
											__eflags = 0;
										}
										 *0xf512c4();
										 *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0x1c))))();
										L85:
										_t300 = _v104;
										 *0xf512c4(_t300);
										 *((intOrPtr*)( *((intOrPtr*)( *_t300 + 8))))();
										_t311 = _v96;
										goto L6;
									}
									 *0xf512c4(_t311);
									_t321 =  *((intOrPtr*)( *((intOrPtr*)( *_t211 + 0x14))))();
									_t309 = 1;
									__eflags = _t321 - 2;
									if(_t321 == 2) {
										E00F47847(_t245, 1);
										_t229 =  *((intOrPtr*)(_v108 + 0x20));
										__eflags = _t229;
										if(_t229 == 0) {
											_t305 =  &_v88;
											L80:
											_t321 = E00F04123(_t305,  &_v64,  &_v108,  &_v104);
											L81:
											E00F321AA(_t245);
											SetEvent( *(_t311 + 0x3c));
											goto L6;
										}
										_t236 = _t229 - 1;
										__eflags = _t236;
										if(_t236 == 0) {
											_t305 = _t311 + 0x7c;
											goto L80;
										}
										__eflags = _t236 != 1;
										if(_t236 != 1) {
											goto L81;
										}
										_t305 = _t311 + 0x6c;
										goto L80;
									}
									E00F47847(0xf4f0fc, 1);
									_t321 = E00F2E266(0xf4f0fc,  &_v108);
									E00F321AA(0xf4f0fc);
									__eflags = _t321 - 0x80000008;
									if(_t321 != 0x80000008) {
										goto L85;
									}
									_t321 = 0;
								} else {
									if( *((char*)(_t245 + 0x18)) != 0) {
										LeaveCriticalSection(_t245);
									}
								}
							} else {
								while(1) {
									_t243 = E00F02E90(_t245);
									__eflags = _t243;
									if(_t243 != 0) {
										goto L3;
									}
									Sleep(0x3e8);
								}
								goto L3;
							}
							L6:
						} while (_t321 == 0);
						if(_t321 != 0x80000002) {
							goto L33;
						}
						if( *((intOrPtr*)(_t245 + 0x18)) == 0 || E00F02E90(_t245) != 0) {
							L10:
							_t313 = _v64;
							_t321 = 0;
							while(1) {
								_t261 = _v84;
								if(_t261 == 0) {
									break;
								}
								__eflags = _t321;
								if(_t321 != 0) {
									break;
								}
								_t309 =  &_v100;
								_t93 = _t261 + 8; // 0x8
								_v88 = _t93;
								_t321 = E00F04123(_t313, _t93, _t261,  &_v100);
								__eflags = _t321;
								if(_t321 == 0) {
									_t321 = E00F2E2B1( &_v84, _v88);
								}
							}
							_t311 = _v92;
							if( *((char*)(_t245 + 0x18)) != 0) {
								LeaveCriticalSection(_t245);
								_t261 = _v84;
							}
							if(_t321 != 0) {
								L23:
								if(_t321 != 0x80000002) {
									goto L33;
								}
								if( *((intOrPtr*)(_t245 + 0x18)) == 0) {
									L27:
									_t321 = 0;
									while(_t261 != 0) {
										__eflags = _t321;
										if(_t321 != 0) {
											break;
										}
										_t309 =  &_v88;
										_t115 = _t261 + 8; // 0x8
										_v100 = _t115;
										_t321 = E00F04123(_t311 + 0x5c, _t115, _t261,  &_v88);
										__eflags = _t321;
										if(_t321 == 0) {
											_t157 = E00F2E2B1( &_v84, _v100);
											_t261 = _v88;
											_t321 = _t157;
										} else {
											_t261 = _v84;
										}
									}
									if( *((char*)(_t245 + 0x18)) != 0) {
										LeaveCriticalSection(_t245);
									}
									if(_t321 != 0) {
										goto L34;
									} else {
										_t321 = E00F04042(_t311);
										goto L33;
									}
								}
								if(E00F02E90(_t245) == 0) {
									while(1) {
										_t159 = E00F02E90(_t245);
										__eflags = _t159;
										if(_t159 != 0) {
											goto L26;
										}
										Sleep(0x3e8);
									}
								}
								L26:
								_t261 = _v84;
								goto L27;
							}
							_t314 = _t311 + 0x5c;
							_v68 = _t314;
							do {
								if( *((intOrPtr*)(_t245 + 0x18)) == 0 || E00F02E90(_t245) != 0) {
									L18:
									if(E00F04025(_t314,  &_v44,  &_v96) == 0) {
										__eflags =  *((intOrPtr*)(_t314 + 4));
										if( *((intOrPtr*)(_t314 + 4)) == 0) {
											_t321 = 0x80000002;
											L47:
											__eflags = _t321;
											if(_t321 != 0) {
												E00F321AA(_t245);
												goto L21;
											}
											__eflags =  *((char*)(_t245 + 0x18));
											if( *((char*)(_t245 + 0x18)) != 0) {
												LeaveCriticalSection(_t245);
											}
											_t324 = _v96;
											__eflags =  *((intOrPtr*)(_t324 + 0x24)) - 2;
											if( *((intOrPtr*)(_t324 + 0x24)) != 2) {
												_t309 = 1;
												E00F47847(0xf4f0fc, 1);
												_t321 = E00F2E266(0xf4f0fc,  &_v96);
												E00F321AA(0xf4f0fc);
												__eflags = _t321 - 0x80000008;
												if(_t321 == 0x80000008) {
													_t321 = 0;
													__eflags = 0;
												}
												 *0xf512c4();
												 *((intOrPtr*)( *((intOrPtr*)( *_v96 + 0x1c))))();
												goto L113;
											} else {
												_push(_v92);
												_t177 =  *((intOrPtr*)( *_t324 + 0x14));
												_v100 = _t177;
												__eflags = _t177 - E00F15A90;
												if(_t177 != E00F15A90) {
													__eflags = _t177 - E00F054F0;
													if(_t177 != E00F054F0) {
														 *0xf512c4();
														_t179 = _v100();
													} else {
														_t179 = E00F054F0();
													}
												} else {
													_t179 = E00F15A90();
												}
												_t321 = _t179;
												__eflags = _t321 - 2;
												if(_t321 != 2) {
													_t309 = 1;
													E00F47847(0xf4f0fc, 1);
													_t321 = E00F2E266(0xf4f0fc,  &_v100);
													E00F321AA(0xf4f0fc);
													__eflags = _t321 - 0x80000008;
													if(_t321 != 0x80000008) {
														L113:
														_t275 = _v96;
														 *0xf512c4(_t275);
														 *((intOrPtr*)( *((intOrPtr*)( *_t275 + 8))))();
														_t314 = _v72;
														goto L21;
													}
													_t321 = 0;
													goto L21;
												} else {
													__eflags =  *((intOrPtr*)(_t245 + 0x18));
													if( *((intOrPtr*)(_t245 + 0x18)) == 0) {
														L56:
														_t186 =  *((intOrPtr*)(_v100 + 0x20));
														__eflags = _t186 - 1;
														if(_t186 != 1) {
															_t187 = _t186;
															__eflags = _t187;
															if(_t187 == 0) {
																_t281 =  &_v88;
																L58:
																_t321 = E00F04123(_t281,  &_v48,  &_v100,  &_v104);
																L59:
																__eflags =  *((char*)(_t245 + 0x18));
																if( *((char*)(_t245 + 0x18)) != 0) {
																	LeaveCriticalSection(_t245);
																}
																SetEvent( *(_v96 + 0x3c));
																goto L21;
															}
															__eflags = _t187 != 2;
															if(_t187 != 2) {
																goto L59;
															}
															_t281 = _v68;
															goto L58;
														}
														_t281 = _v96 + 0x7c;
														goto L58;
													}
													_t195 = E00F02E90(_t245);
													__eflags = _t195;
													if(_t195 == 0) {
														while(1) {
															_t196 = E00F02E90(_t245);
															__eflags = _t196;
															if(_t196 != 0) {
																goto L56;
															}
															Sleep(0x3e8);
														}
													}
													goto L56;
												}
											}
										}
										_t325 =  *_t314;
										_t197 = _t325;
										__eflags = _t197;
										if(_t197 == 0) {
											L41:
											_t42 = _t197 + 8; // 0x8
											_t287 = _t42;
											_v88 = _t287;
											__eflags = _t325;
											if(_t325 == 0) {
												L65:
												_t321 = 0x80000008;
												goto L47;
											}
											_t198 =  *_t287;
											_v100 = _t198;
											while(1) {
												__eflags = _t198 -  *((intOrPtr*)(_t325 + 8));
												_t46 = _t325 + 8; // 0x8
												_t309 = _t46;
												if(_t198 !=  *((intOrPtr*)(_t325 + 8))) {
													goto L95;
												}
												L44:
												_t314 = _v68;
												__eflags =  *((intOrPtr*)(_t287 + 8)) -  *((intOrPtr*)(_t309 + 8));
												if( *((intOrPtr*)(_t287 + 8)) !=  *((intOrPtr*)(_t309 + 8))) {
													goto L95;
												}
												__eflags =  *((intOrPtr*)(_t287 + 0xc)) -  *((intOrPtr*)(_t309 + 0xc));
												if( *((intOrPtr*)(_t287 + 0xc)) !=  *((intOrPtr*)(_t309 + 0xc))) {
													goto L95;
												}
												_t321 = E00F0461F(_t314, _t325);
												goto L47;
												L95:
												__eflags = E00F30B91(_t287, _t309);
												if(__eflags == 0) {
													_t99 = _t325 + 0x10; // 0x10
													_t309 = _t99;
													__eflags = E00F2DBA6(_v88 + 8, _t99);
												}
												if(__eflags >= 0) {
													_t325 =  *((intOrPtr*)(_t325 + 0x1c));
												} else {
													_t325 =  *((intOrPtr*)(_t325 + 0x18));
												}
												__eflags = _t325;
												if(_t325 == 0) {
													goto L65;
												} else {
													_t287 = _v88;
													_t198 = _v100;
													__eflags = _t198 -  *((intOrPtr*)(_t325 + 8));
													_t46 = _t325 + 8; // 0x8
													_t309 = _t46;
													if(_t198 !=  *((intOrPtr*)(_t325 + 8))) {
														goto L95;
													}
													goto L44;
												}
											}
										}
										_t291 =  *((intOrPtr*)(_t197 + 0x18));
										__eflags = _t291;
										if(_t291 != 0) {
											while(1) {
												_t197 = _t291;
												_t291 =  *((intOrPtr*)(_t197 + 0x18));
												__eflags = _t291;
												if(_t291 == 0) {
													goto L41;
												}
											}
										}
										goto L41;
									}
									if( *((char*)(_t245 + 0x18)) != 0) {
										LeaveCriticalSection(_t245);
									}
								} else {
									while(1) {
										_t205 = E00F02E90(_t245);
										__eflags = _t205;
										if(_t205 != 0) {
											goto L18;
										}
										Sleep(0x3e8);
									}
									goto L18;
								}
								L21:
							} while (_t321 == 0);
							_t261 = _v84;
							_t311 = _v92;
							goto L23;
						} else {
							while(1) {
								_t210 = E00F02E90(_t245);
								__eflags = _t210;
								if(_t210 != 0) {
									goto L10;
								}
								Sleep(0x3e8);
							}
							goto L10;
						}
						L33:
					} while (_t321 == 0);
					L34:
				} while (_t321 == 0x8000000d);
				_v8 = 1;
				_t144 = _v84;
				if(_v84 != 0) {
					E00F16C0D( &_v84, _t144);
					E00F04A17(_v80, _v88);
					_v92 = 0;
				}
				_v8 = 0xffffffff;
				_t147 = _v84;
				if(_v84 != 0) {
					E00F16C0D( &_v84, _t147);
					E00F04A17(_v80, _v88);
					_v92 = 0;
				}
				 *[fs:0x0] = _v16;
				_pop(_t312);
				_pop(_t322);
				_pop(_t246);
				return E00F01CA0(_t321, _t246, _v24 ^ _t329, _t309, _t312, _t322);
			}

APIs
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,0BD26E8F), ref: 00F1D70E
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,0BD26E8F), ref: 00F1D757
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,0BD26E8F), ref: 00F1D7A7
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,0BD26E8F), ref: 00F1D7EE
    • Part of subcall function 00F02E90: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00F4F0FC,0BD26E8F,00000000,00000050,00000000,00F23660), ref: 00F02ED7
  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 00F296A2
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CriticalSection$Leave$EnterSleep
  • String ID:
  • API String ID: 4275215032-0
  • Opcode ID: 8149f19c57d56732df064ffb4ab34dee7cb2d544bfd7f8eb14c1831e5c39a6f8
  • Instruction ID: 26e244cacbd0cb57d4b64fd3340adbacb95b3f916087d0eaf7d6774af4e52b3f
  • Opcode Fuzzy Hash: 8149f19c57d56732df064ffb4ab34dee7cb2d544bfd7f8eb14c1831e5c39a6f8
  • Instruction Fuzzy Hash: EB02D6319083518BCB14EF24D884BAEB7F5BF94724F14095DE98297292DB74EC84FB91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 18%
			E00F06BB0(intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a24, intOrPtr* _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56) {
				char _v16;
				signed int _v24;
				char _v28;
				char _v32;
				HANDLE* _v36;
				HANDLE* _v40;
				intOrPtr _v44;
				signed int _v52;
				intOrPtr* _v56;
				intOrPtr _v72;
				void* _v76;
				HANDLE* _v80;
				intOrPtr _v84;
				HANDLE* _v108;
				intOrPtr _v124;
				void* _v132;
				void* _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t150;
				signed int _t152;
				signed int _t157;
				intOrPtr* _t170;
				signed int _t172;
				intOrPtr _t173;
				void* _t174;
				HANDLE* _t176;
				signed int _t179;
				intOrPtr _t180;
				signed int _t182;
				intOrPtr* _t190;
				signed int _t194;
				intOrPtr _t195;
				intOrPtr _t196;
				intOrPtr _t199;
				signed int _t231;
				signed int _t238;
				void* _t239;
				intOrPtr _t242;
				intOrPtr _t246;
				long _t259;
				intOrPtr _t260;
				intOrPtr* _t261;
				intOrPtr* _t262;
				intOrPtr* _t263;
				intOrPtr* _t264;
				intOrPtr* _t265;
				intOrPtr* _t266;
				intOrPtr _t269;
				HANDLE* _t270;
				HANDLE** _t272;
				void* _t274;
				intOrPtr _t275;
				HANDLE* _t278;
				HANDLE* _t281;
				intOrPtr _t285;
				intOrPtr _t295;
				HANDLE* _t299;
				void* _t300;
				signed int _t301;
				void _t305;
				void* _t313;
				intOrPtr _t314;
				void* _t316;
				void* _t318;
				void* _t319;
				signed int _t320;
				signed int _t322;

				_push(0xffffffff);
				_push(0xf243d8);
				_push( *[fs:0x0]);
				_t322 = (_t320 & 0xfffffff8) - 0x20;
				_t150 =  *0xf4f1a4; // 0xbd26e8f
				_v24 = _t150 ^ _t322;
				_t152 =  *0xf4f1a4; // 0xbd26e8f
				_push(_t152 ^ _t322);
				 *[fs:0x0] =  &_v16;
				_t242 =  *0xf4f014; // 0xf4f014
				if(_t242 != 0xf4f014 && ( *(_t242 + 0x1c) & 0x00000004) != 0) {
					__eflags =  *((char*)(_t242 + 0x19)) - 5;
					if( *((char*)(_t242 + 0x19)) >= 5) {
						_t101 = _t242 + 0x14; // 0x20000000
						_t102 = _t242 + 0x10; // 0x40000000
						E00F40F83( &_v16,  *_t102,  *_t101, _a48);
						_t246 =  *0xf4f014; // 0xf4f014
					}
				}
				_t313 = _a8;
				_t299 = 0;
				_v28 = 0;
				_v40 = 0;
				_v32 = 0;
				if((_t313 | _a12) != 0) {
					_t157 = SetThreadToken(0, _t313);
					__eflags = _t157;
					if(_t157 == 0) {
						_t238 = 0x80041003;
					} else {
						_t294 =  &_v32;
						_t238 = E00F30C3E( &_v28,  &_v32,  &_v40);
						RevertToSelf();
						_t299 = _v44;
					}
					CloseHandle(_t313);
					__eflags = _t238;
					if(_t238 >= 0) {
						goto L3;
					} else {
						goto L55;
					}
				} else {
					L3:
					_t314 = _a44;
					_v36 = 0;
					if(_t314 != 0) {
						_t238 =  *0xf53048(0xf0ac48, 0, 5, 0xf07c4c,  &_v36);
						__eflags = _t238;
						if(_t238 < 0) {
							L52:
							L53:
							_t294 = _v56;
							if(_t294 != 0) {
								 *0xf512c4(_t294);
								 *((intOrPtr*)( *((intOrPtr*)( *_t294 + 8))))();
								_t246 =  *0xf4f014; // 0xf4f014
							}
							if((_a8 | _a12) != 0) {
								_t294 = _v56;
								E00F1A856(_v52, _v56, _t299);
								RevertToSelf();
								_t246 =  *0xf4f014; // 0xf4f014
							}
							L55:
							if(_t246 != 0xf4f014 && ( *(_t246 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t246 + 0x19)) - 5;
								if( *((char*)(_t246 + 0x19)) >= 5) {
									_t144 = _t246 + 0x14; // 0x20000000
									_t294 = 0xf212f8;
									_t145 = _t246 + 0x10; // 0x40000000
									E00F32A46(0x25, 0xf212f8,  *_t145,  *_t144, _t238);
									_t246 =  *0xf4f014; // 0xf4f014
								}
							}
							if(_t238 < 0) {
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t238);
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
								_t246 =  *0xf4f014; // 0xf4f014
							}
							if(_t246 != 0xf4f014 && ( *(_t246 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t246 + 0x19)) - 2;
								if( *((char*)(_t246 + 0x19)) >= 2) {
									_t147 = _t246 + 0x14; // 0x20000000
									_t294 = 0xf212f8;
									_t148 = _t246 + 0x10; // 0x40000000
									E00F32A46(0x26, 0xf212f8,  *_t148,  *_t147, _t238);
								}
							}
							 *[fs:0x0] = _v44;
							_pop(_t300);
							_pop(_t316);
							_pop(_t239);
							return E00F01CA0(_t238, _t239, _v52 ^ _t322, _t294, _t300, _t316);
						}
						_t170 = _v56;
						 *0xf512c4(_t170, 0xc, _t314);
						_t172 =  *((intOrPtr*)( *((intOrPtr*)( *_t170 + 0xc))))();
						_t246 =  *0xf4f014; // 0xf4f014
						_t238 = _t172;
					}
					if(_t238 < 0) {
						goto L53;
					}
					_t173 =  *0xf4f0cc; // 0x0
					_t174 =  *(_t173 + 4);
					_t259 =  *(_t173 + 8) & 0x00000005 | 0x00000008;
					if(_t174 == 0) {
						L61:
						_t318 = 0;
						L7:
						_v76 = _t318;
						_v40 = 0;
						if(_t318 == 0) {
							_t319 = 0;
						} else {
							_t319 = E00F0A695();
						}
						_v40 = 0xffffffff;
						if(_t319 == 0) {
							_t238 = 0x80041006;
							goto L52;
						} else {
							asm("lock xadd [esi], eax");
							_t260 = _a4;
							_t176 =  *((intOrPtr*)(_t260 + 0x24));
							_t295 =  *((intOrPtr*)(_t260 + 0x20));
							_t261 = _a28;
							_v80 = _t176;
							_v76 = _t295;
							 *((intOrPtr*)(_t319 + 0x7fc)) = _t261;
							 *((intOrPtr*)(_t319 + 0x800)) = _t295;
							 *((intOrPtr*)(_t319 + 0x804)) = _t176;
							if(_t261 != 0) {
								 *0xf512c4(_t261);
								 *((intOrPtr*)( *((intOrPtr*)( *_t261 + 4))))();
							}
							_t262 =  *((intOrPtr*)(_t319 + 0x800));
							if(_t262 != 0) {
								 *0xf512c4(_t262);
								 *((intOrPtr*)( *((intOrPtr*)( *_t262 + 4))))();
							}
							_t263 =  *((intOrPtr*)(_t319 + 0x804));
							if(_t263 != 0) {
								 *0xf512c4(_t263);
								 *((intOrPtr*)( *((intOrPtr*)( *_t263 + 4))))();
							}
							_t264 = _a28;
							 *((intOrPtr*)(_t319 + 0x6e0)) = _v76;
							 *((intOrPtr*)(_t319 + 0x6dc)) = _t264;
							 *((intOrPtr*)(_t319 + 0x6e4)) = _v80;
							if(_t264 != 0) {
								 *0xf512c4(_t264);
								 *((intOrPtr*)( *((intOrPtr*)( *_t264 + 4))))();
							}
							_t265 =  *((intOrPtr*)(_t319 + 0x6e0));
							if(_t265 != 0) {
								 *0xf512c4(_t265);
								 *((intOrPtr*)( *((intOrPtr*)( *_t265 + 4))))();
							}
							_t266 =  *((intOrPtr*)(_t319 + 0x6e4));
							if(_t266 != 0) {
								 *0xf512c4(_t266);
								 *((intOrPtr*)( *((intOrPtr*)( *_t266 + 4))))();
							}
							if( *((intOrPtr*)(_t319 + 0x6f4)) != 0 ||  *((intOrPtr*)(_t319 + 0x760)) != 0 ||  *((intOrPtr*)(_t319 + 0x798)) != 0 ||  *((intOrPtr*)(_t319 + 0x7b4)) != 0) {
								_t179 = E00F48439(_t319);
								__eflags = _t179;
								if(_t179 == 0) {
									_t180 =  *0xf4f034; // 0x1d4c0
									goto L82;
								}
								_t285 =  *0xf4f034; // 0x1d4c0
								_t180 =  *0xf4f030; // 0x1d4c0
								__eflags = _t285 - _t180;
								if(_t285 < _t180) {
									goto L82;
								}
								 *((intOrPtr*)(_t319 + 0x69c)) = _t285;
								goto L28;
							} else {
								if( *((intOrPtr*)(_t319 + 0x7ec)) != 0 ||  *((intOrPtr*)(_t319 + 0x7d4)) != 0) {
									_t180 =  *0xf4f030; // 0x1d4c0
									L82:
									 *((intOrPtr*)(_t319 + 0x69c)) = _t180;
									goto L28;
								} else {
									L28:
									_push(0xf07a04);
									_push(_a48);
									_v80 = 0;
									_push(L"__Win32Provider.Name=\"");
									_t182 = E00F07F7F(3,  &_v80);
									_t301 = _t182;
									_t322 = _t322 + 0x14;
									if(_t301 < 0) {
										L97:
										__eflags = _t301 - 0x80041002;
										_t238 = (0 | __eflags != 0x00000000) * 2 - 0x7ffbefef;
										L50:
										asm("lock xadd [esi], eax");
										if((_t182 | 0xffffffff) == 1) {
											E00F05F75(_t238, _t319, _t301, _t319, __eflags);
											_t269 =  *0xf4f0cc; // 0x0
											E00F04A17(_t269, _t319);
										}
										_t299 = _v72;
										goto L52;
									}
									_t270 =  *(_t319 + 0x6d8);
									if(_t270 != 0) {
										 *0xf512c4(_t270);
										 *((intOrPtr*)( *((intOrPtr*)( *_t270 + 8))))();
										_t113 = _t319 + 0x6d8; // 0x6d8
										_t272 = _t113;
										 *_t272 = 0;
									} else {
										_t53 = _t319 + 0x6d8; // 0x6d8
										_t272 = _t53;
									}
									_t190 =  *((intOrPtr*)(_t319 + 0x6e4));
									 *0xf512c4(_t190, _v84, 0,  *((intOrPtr*)(_t319 + 0x6dc)), _t272, 0);
									_t301 =  *((intOrPtr*)( *((intOrPtr*)( *_t190 + 0x18))))();
									if(_t301 >= 0) {
										_push(_a48);
										_t59 = _t319 + 8; // 0x8
										_push( *(_t319 + 0x6d8));
										_t322 = _t322 - 8;
										_t301 = E00F08D8D(_t59);
									}
									_t182 =  *0xf53004(_v108);
									if(_t301 < 0) {
										goto L97;
									} else {
										_push(0xf07bf8);
										_push(_a48);
										_v108 = 0;
										_push(L"references of {__Win32Provider.Name=\"");
										_t182 = E00F07F7F(3,  &_v108);
										_t301 = _t182;
										_t322 = _t322 + 0x14;
										if(_t301 < 0) {
											goto L97;
										}
										_t274 = _t319;
										_t322 = _t322 - 0xc;
										_t194 = L00F081EE(_t274);
										_t301 = _t194;
										_t182 =  *0xf53004(_v124, _v108);
										if(_t301 < 0) {
											goto L97;
										}
										_t195 =  *((intOrPtr*)(_t319 + 0x680));
										if(_t195 == 0xb || _t195 == 8) {
											__eflags =  *((intOrPtr*)(_t319 + 0x24)) - 1;
											if(__eflags == 0) {
												 *((intOrPtr*)(_t319 + 0x680)) = 3;
											}
										}
										_t196 =  *0xf4f014; // 0xf4f014
										if(_t196 != 0xf4f014 && ( *(_t196 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t196 + 0x19)) - 5;
											if(__eflags >= 0) {
												_t274 = 0x23;
												_t119 = _t196 + 0x14; // 0x20000000
												_t120 = _t196 + 0x10; // 0x40000000
												E00F404B0(0x23, 0xf212f8,  *_t120,  *_t119,  *((intOrPtr*)(_t319 + 0x680)),  *((intOrPtr*)(_t319 + 0x20)));
											}
										}
										 *(_t322 + 0x10) = 0;
										if( *((intOrPtr*)(_t319 + 0x680)) == 3 ||  *((intOrPtr*)(_t319 + 0x20)) != 1) {
											L43:
											_t275 = _a28;
											_push(_t319);
											_push(_t322 + 0x10);
											_t322 = _t322 - 8;
											_push(_a40);
											_push(_a36);
											_push(_a32);
											_push(_t275);
											_push(_t275);
											_t276 = _a4;
											_t182 = E00F06FFE(_a4, _t356);
											goto L44;
										} else {
											_t182 =  *(_t319 + 0x18);
											_t356 = _t182 - 1;
											if(_t182 != 1) {
												__eflags = _t182;
												if(__eflags == 0) {
													_push(_t319);
													_push(_t322 + 0x14);
													_push(_t274);
													_push(_a44);
													_push(_a40);
													_push(_a36);
													_push(_a32);
													_push(_a28);
													_push(_a24);
													_t276 = _a4;
													_t182 = E00F40661(_t238, _a4, _t301, _t319, __eflags);
													L44:
													_t238 = _t182;
													if(_t238 >= 0) {
														_t238 = E00F0AFA7(_t276, _t319,  *(_t322 + 0x10));
														if(_t238 < 0) {
															__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(0xffffffff);
															__imp__?Write@CMemoryLog@@QAEXJ@Z();
															_t199 =  *0xf4f014; // 0xf4f014
															__eflags = _t199 - 0xf4f014;
															if(__eflags != 0) {
																__eflags =  *(_t199 + 0x1c) & 0x00000004;
																if(__eflags != 0) {
																	__eflags =  *((char*)(_t199 + 0x19)) - 2;
																	if(__eflags >= 0) {
																		_t134 = _t199 + 0x14; // 0x20000000
																		_t135 = _t199 + 0x10; // 0x40000000
																		E00F32562(0x24, 0xf212f8,  *_t135,  *_t134, _a48, _t238);
																	}
																}
															}
														} else {
															_t281 =  *(_t322 + 0x10);
															_push(_a56);
															_push(_a52);
															_push(_t281);
															_t305 =  *( *_t281);
															if(_t305 != E00F04F30) {
																 *0xf512c4();
																_t238 =  *_t305();
															} else {
																_t238 = E00F04F30(_t281);
															}
														}
														_t278 =  *(_t322 + 0x10);
														_push(_t278);
														_t86 =  *_t278 + 8; // 0x1000
														_t301 =  *_t86;
														if(_t301 != E00F03910) {
															 *0xf512c4();
															_t182 =  *_t301();
														} else {
															_t182 = E00F03910(_t278);
														}
													}
													goto L50;
												}
												__eflags = _t182 - 1;
												if(__eflags <= 0) {
													L91:
													_t238 = 0x80041012;
													goto L50;
												}
												__eflags = _t182 - 3;
												if(__eflags <= 0) {
													goto L43;
												}
												goto L91;
											}
											goto L43;
										}
									}
								}
							}
						}
					}
					_t318 = HeapAlloc(_t174, _t259, 0x808);
					if(_t318 == 0) {
						_t231 = E00F48131();
						__eflags = _t231;
						if(_t231 != 0) {
							goto L61;
						}
					}
					goto L7;
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000808), ref: 00F06C5A
Strings
  • __Win32Provider.Name=", xrefs: 00F06DD5
  • references of {__Win32Provider.Name=", xrefs: 00F06E6A
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AllocHeap
  • String ID: __Win32Provider.Name="$references of {__Win32Provider.Name="
  • API String ID: 4292702814-4209906609
  • Opcode ID: 028e2e3d77f6cc0720496dd895928ec2f2a3d1bcaa3641500424ffdf3b307dfc
  • Instruction ID: 9793f6770fcc77b01485b725dcef847eb61f175a6e5ed275bb9dbcf8741ab723
  • Opcode Fuzzy Hash: 028e2e3d77f6cc0720496dd895928ec2f2a3d1bcaa3641500424ffdf3b307dfc
  • Instruction Fuzzy Hash: 5212AA74A043069FCB24DF24E944B6ABBE6BF88325F10052CF94A872A1DB31EC55FB51
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 29%
			E00F0CB9F(long __ecx, void* __edx, void* __eflags) {
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				char _v44;
				long _v68;
				long _v72;
				long _v96;
				long _v100;
				long _v104;
				long _v108;
				long _v112;
				long _v116;
				long _v120;
				long _v124;
				long _v128;
				long _v132;
				long _v136;
				long _v140;
				long _v144;
				long _v148;
				long _v152;
				long _v156;
				long _v160;
				long _v164;
				long _v168;
				long _v172;
				long _v176;
				void* _v180;
				void* _v184;
				long _v188;
				char _v192;
				intOrPtr _v196;
				long _v204;
				intOrPtr _v228;
				intOrPtr _v236;
				intOrPtr* _v240;
				intOrPtr _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t126;
				signed int _t128;
				intOrPtr _t132;
				long _t143;
				void* _t144;
				void* _t154;
				void* _t155;
				long _t156;
				void* _t158;
				intOrPtr* _t166;
				intOrPtr _t169;
				intOrPtr* _t175;
				intOrPtr _t176;
				intOrPtr* _t187;
				intOrPtr* _t195;
				intOrPtr _t204;
				long _t205;
				long _t214;
				intOrPtr _t225;
				long _t228;
				intOrPtr* _t230;
				long _t240;
				void* _t241;
				void* _t242;
				long _t256;
				intOrPtr* _t270;
				intOrPtr* _t272;
				intOrPtr* _t276;
				intOrPtr* _t278;
				intOrPtr* _t280;
				unsigned int _t282;
				intOrPtr* _t283;
				long _t285;
				void* _t300;
				intOrPtr* _t301;
				void* _t303;
				void* _t304;
				void* _t307;
				intOrPtr* _t308;
				signed int _t324;
				signed int _t326;

				_t298 = __edx;
				_push(0xffffffff);
				_push(E00F24D8E);
				_push( *[fs:0x0]);
				_t326 = (_t324 & 0xfffffff8) - 0x88;
				_t126 =  *0xf4f1a4; // 0xbd26e8f
				_v24 = _t126 ^ _t326;
				_push(_t299);
				_t128 =  *0xf4f1a4; // 0xbd26e8f
				_push(_t128 ^ _t326);
				 *[fs:0x0] =  &_v16;
				_t240 = __ecx;
				_v136 = __ecx;
				_t303 = E00F13422(__ecx);
				if(_t303 < 0) {
					L77:
					__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t303);
					__imp__?Write@CMemoryLog@@QAEXJ@Z();
					L56:
					_t132 =  *0xf4f014; // 0xf4f014
					if(_t132 != 0xf4f014 && ( *(_t132 + 0x1c) & 0x00000004) != 0) {
						__eflags =  *((char*)(_t132 + 0x19)) - 2;
						if( *((char*)(_t132 + 0x19)) >= 2) {
							_t123 = _t132 + 0x14; // 0x20000000
							_t298 = 0xf21274;
							_t124 = _t132 + 0x10; // 0x40000000
							E00F32A46(0x19, 0xf21274,  *_t124,  *_t123, _t303);
						}
					}
					 *[fs:0x0] = _v20;
					_pop(_t300);
					_pop(_t304);
					_pop(_t241);
					return E00F01CA0(_t303, _t241, _v28 ^ _t326, _t298, _t300, _t304);
				}
				if(E00F128DE(E00F1384C()) < 0 || E00F11D26() < 0) {
					L55:
					_t303 = E00F15B2F();
					E00F16A2A();
					 *0xf53064();
					if(_t303 < 0) {
						goto L77;
					}
					goto L56;
				} else {
					_v152 = 0;
					_push( &_v152);
					_push(0xf03a60);
					_push(5);
					_push(0);
					_push(E00F0D208);
					if( *0xf53048() < 0) {
						L30:
						_t143 =  *0xf4f0cc; // 0x0
						_t144 =  *(_t143 + 4);
						_t252 =  *(_t143 + 8) & 0x00000005 | 0x00000008;
						if(_t144 == 0) {
							L59:
							_t305 = 0;
							L32:
							_v156 = _t305;
							_v28 = 2;
							if(_t305 == 0) {
								_t305 = 0;
							} else {
								_t299 =  *0xf4f0cc; // 0x0
								_push(_t252);
								_t252 = _t305;
								E00F0E467(_t299, _t305, 0x1d4c0);
								_v44 = 3;
								 *_t305 = 0xf01cec;
								 *(_t305 + 0x90) = _t299;
								_v44 = 2;
							}
							_v28 = 0xffffffff;
							 *0xf4f05c = _t305;
							if(_t305 != 0) {
								_push(_t305);
								_t301 =  *((intOrPtr*)( *_t305 + 4));
								if(_t301 != E00F0E0B0) {
									 *0xf512c4();
									 *_t301();
								} else {
									E00F0E0B0(_t240, _t252, _t298);
								}
								_t305 =  *0xf4f05c; // 0x0
								_v172 = 0xffffffff;
								_t299 =  *( *_t305 + 0x20);
								_push( &_v172);
								if(_t299 != E00F0EE90) {
									 *0xf512c4();
									_t154 =  *_t299();
								} else {
									_t154 = E00F0EE90(_t305, _t298);
								}
								if(_t154 == 0) {
									_t155 = E00F0EAF4(_t298);
									_t299 = 0xf4f060;
									_t355 = _t155;
									if(_t155 >= 0) {
										_t307 = E00F0F401(_t240, _t240, 0xf4f060, _t305, _t355);
										if(E00F0D21D(_t240) == 0) {
											WaitForSingleObject( *0xf4f074, 0xffffffff);
										} else {
											if(_t307 >= 0) {
												E00F06668();
											}
										}
										_t175 =  *0xf4f060; // 0x0
										asm("lock cmpxchg [edi], ecx");
										if(_t175 != 0) {
											_t265 =  *_t175;
											_push(_t175);
											_t308 =  *((intOrPtr*)( *_t175 + 8));
											if(_t308 != E00F15AF0) {
												 *0xf512c4();
												 *_t308();
											} else {
												E00F15AF0(_t265, _t298, _t308);
											}
										}
										_t176 =  *0xf4f014; // 0xf4f014
										if(_t176 != 0xf4f014 && ( *(_t176 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t176 + 0x19)) - 2;
											if(__eflags >= 0) {
												_t116 = _t176 + 0x14; // 0x20000000
												_t298 = 0xf21274;
												_t117 = _t176 + 0x10; // 0x40000000
												E00F32A46(0x18, 0xf21274,  *_t117,  *_t116, 0);
											}
										}
									}
									_t156 =  *0xf4f05c; // 0x0
									_v180 = 0;
									_t158 = GetCurrentProcess();
									DuplicateHandle(GetCurrentProcess(),  *(_t156 + 0x4c), _t158,  &_v180, 0, 0, 2);
									_t256 =  *0xf4f05c; // 0x0
									_push(_t256);
									_t305 =  *( *_t256 + 8);
									if(_t305 != E00F16100) {
										 *0xf512c4();
										 *_t305();
									} else {
										E00F16100(_t240, _t256, _t298);
									}
									WaitForSingleObject(_v184, 0xffffffff);
									CloseHandle(_v184);
									_t166 =  *0xf4f060; // 0x0
									 *0xf4f05c = 0;
									asm("lock cmpxchg [edi], ecx");
									if(_t166 != 0) {
										_t305 =  *( *_t166 + 8);
										 *0xf512c4(_t166);
										 *( *( *_t166 + 8))();
									}
									_t169 =  *0xf4f014; // 0xf4f014
									if(_t169 != 0xf4f014) {
										_t365 =  *(_t169 + 0x1c) & 0x00000004;
										if(( *(_t169 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t169 + 0x19)) - 2;
											if(__eflags >= 0) {
												_t120 = _t169 + 0x14; // 0x20000000
												_t298 = 0xf21274;
												_t121 = _t169 + 0x10; // 0x40000000
												E00F32A46(0x18, 0xf21274,  *_t121,  *_t120, 0);
											}
										}
									}
								}
							}
							E00F15DBB(_t240, _t299, _t305, _t365);
							E00F15BE1();
							E00F15B7B(_t305);
							goto L55;
						}
						_t305 = HeapAlloc(_t144, _t252, 0x98);
						if(_t305 == 0) {
							__eflags = E00F48131();
							if(__eflags != 0) {
								goto L59;
							}
						}
						goto L32;
					}
					_v164 = 0;
					_t242 =  *0xf53000(L"Root");
					if(_t242 == 0) {
						L29:
						_t187 = _v176;
						 *0xf512c4(_t187);
						 *((intOrPtr*)( *((intOrPtr*)( *_t187 + 8))))();
						_t240 = _v164;
						goto L30;
					}
					_t270 = _v176;
					 *0xf512c4(_t270, _t242, 0, 0, 0, 0, 0, 0,  &_v168);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t270 + 0xc))))() < 0) {
						L28:
						 *0xf53004(_t242);
						goto L29;
					} else {
						_v188 = 0;
						_v184 = 0;
						_v180 = 0x1d4c0;
						_v176 = 0;
						_v172 = 0x1d4c0;
						_v168 = 0;
						_v164 = 0;
						_v160 = 0;
						_v68 = 0;
						_t272 = _v204;
						_v168 = 0;
						_v164 = 0;
						_v160 = _t272;
						if(_t272 != 0) {
							 *0xf512c4(_t272);
							 *((intOrPtr*)( *((intOrPtr*)( *_t272 + 4))))();
						}
						_t326 = _t326 - 8;
						if(E00F0EF8E( &_v192) < 0) {
							L20:
							_t195 = _v204;
							 *0xf512c4(_t195);
							 *((intOrPtr*)( *((intOrPtr*)( *_t195 + 8))))();
							_v72 = 0xffffffff;
							_t276 = _v172;
							if(_t276 != 0) {
								 *0xf512c4(_t276);
								 *((intOrPtr*)( *((intOrPtr*)( *_t276 + 8))))();
							}
							_t278 = _v172;
							if(_t278 != 0) {
								 *0xf512c4(_t278);
								 *((intOrPtr*)( *((intOrPtr*)( *_t278 + 8))))();
							}
							_t280 = _v172;
							if(_t280 != 0) {
								 *0xf512c4(_t280);
								 *((intOrPtr*)( *((intOrPtr*)( *_t280 + 8))))();
							}
							_t204 = _v196;
							if(_t204 != 0) {
								 *0xf53004(_t204);
							}
							_t205 = _v188;
							if(_t205 != 0) {
								 *0xf53004(_t205);
							}
							goto L28;
						} else {
							_t282 = _v180;
							 *0xf4f03c = _t282 >> 1;
							_v144 = 0;
							_v136 = 0;
							_v128 = 0;
							_v120 = 0;
							_v112 = 0;
							 *0xf4f038 = _t282;
							 *0xf4f034 = _t282;
							 *0xf4f030 = _v172;
							_v148 = 0;
							_v140 = 0;
							_v132 = 0;
							_v124 = 0;
							_v116 = 0;
							_v108 = 0;
							_v104 = 0;
							_v100 = 0;
							_v96 = 0;
							_v68 = 1;
							_v104 = 0;
							_v100 = 0;
							_t299 = _v204;
							_v96 = _t299;
							if(_t299 != 0) {
								 *0xf512c4(_t299);
								 *((intOrPtr*)( *((intOrPtr*)( *_t299 + 4))))();
							}
							_t214 =  *0xf53000(L"__ProviderHostQuotaConfiguration=@");
							_v160 = _t214;
							if(_t214 != 0) {
								_v204 = 0;
								 *0xf512c4(_t299, _t214, 0, 0,  &_v204, 0);
								_t225 =  *((intOrPtr*)( *((intOrPtr*)( *_t299 + 0x18))))();
								_v236 = _t225;
								if(_t225 >= 0) {
									_t326 = _t326 - 8;
									_v248 = E00F0E105( &_v180, _t298);
									_t230 = _v240;
									 *0xf512c4(_t230, _v228);
									 *((intOrPtr*)( *((intOrPtr*)( *_t230 + 8))))();
									_t299 = _v140;
								}
								 *0xf53004(_v184);
								if(_v240 >= 0) {
									 *0xf4f024 = _v168;
									 *0xf4f02c = _v144;
									_t228 = _v176;
									 *0xf4f020 = _v152;
									 *0xf4f028 = _t228;
									 *0xf4f01c = _v160;
									 *0xf4f018 = _t228;
								}
							}
							_v72 = 0;
							_t283 = _v108;
							if(_t283 != 0) {
								 *0xf512c4(_t283);
								 *((intOrPtr*)( *((intOrPtr*)( *_t283 + 8))))();
							}
							_t285 = _v108;
							if(_t285 != 0) {
								 *0xf512c4(_t285);
								 *((intOrPtr*)( *((intOrPtr*)( *_t285 + 8))))();
							}
							if(_t299 != 0) {
								 *0xf512c4(_t299);
								 *((intOrPtr*)( *((intOrPtr*)( *_t299 + 8))))();
							}
							goto L20;
						}
					}
				}
			}

APIs
    • Part of subcall function 00F13422: InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001), ref: 00F13493
    • Part of subcall function 00F13422: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,0000000B,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F134BB
    • Part of subcall function 00F13422: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F13500
    • Part of subcall function 00F13422: RtlLengthSid.NTDLL(00000000), ref: 00F13522
    • Part of subcall function 00F13422: LocalAlloc.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0(00000000,00000014), ref: 00F1352E
    • Part of subcall function 00F13422: RtlCreateAcl.NTDLL(00000000,00000014,00000002), ref: 00F13542
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000098), ref: 00F0CF81
  • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,00000000,00000000,00000002,FFFFFFFF,00000000,00000000,?,0001D4C0), ref: 00F0D0C0
  • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(?,00000000,?,0001D4C0), ref: 00F0D0C8
  • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,0001D4C0), ref: 00F0D0CF
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(FFFFFFFF,000000FF,00000000,?,0001D4C0), ref: 00F0D0F8
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,0001D4C0), ref: 00F0D102
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,0BD26E8F,00000000,00000001,00000001), ref: 00F2A861
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2A869
    • Part of subcall function 00F1384C: OpenFileMappingW.API-MS-WIN-CORE-MEMORY-L1-1-2(00000006,00000000,Global\Wmi Provider Sub System Counters,00000000,00000000,FFFFFFFE,?,?,?,00F0CBFB,0BD26E8F,00000000,00000001,00000001), ref: 00F13863
    • Part of subcall function 00F1384C: MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-2(00000000,00000006,00000000,00000000,00000148,?,?,?,00F0CBFB,0BD26E8F,00000000,00000001,00000001), ref: 00F1387D
    • Part of subcall function 00F128DE: WmiEventSourceConnect.NCOBJAPI(root\cimv2,ProviderSubSystem,00000001,00007D00,00000064,00000000,00000000,00000000,00000000,FFFFFFFE,00F0CC00,0BD26E8F,00000000,00000001,00000001), ref: 00F128FA
    • Part of subcall function 00F128DE: WmiCreateObjectWithFormat.NCOBJAPI(00000000,00F0F4E8,00000001,00F0F548), ref: 00F12923
    • Part of subcall function 00F11D26: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,FFFFFFFE), ref: 00F11D65
    • Part of subcall function 00F11D26: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11D76
    • Part of subcall function 00F11D26: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11DA6
    • Part of subcall function 00F11D26: CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11DCC
    • Part of subcall function 00F11D26: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11E0D
    • Part of subcall function 00F11D26: CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000008,?,?,?,?,?,00F0CC0D,0BD26E8F,00000000), ref: 00F11E33
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AllocInitialize$AllocateHeap$CopyCreateCurrentFileHandleLengthLog@@MemoryObjectProcess$CloseConnectDescriptorDuplicateEventFormatLocalMappingObject@@OpenSecuritySingleSourceViewWaitWithWrite@
  • String ID: Root$__ProviderHostQuotaConfiguration=@
  • API String ID: 1995170614-3680425872
  • Opcode ID: 9d3f8912d3910477750415829f21edc6138cc2cffcd88618375aaf8a95a3941f
  • Instruction ID: 22a061a3e7b498bcb31414e48fe3af52a8cb291c763ea04135087700c85e6175
  • Opcode Fuzzy Hash: 9d3f8912d3910477750415829f21edc6138cc2cffcd88618375aaf8a95a3941f
  • Instruction Fuzzy Hash: 1E129A34A083559FD7149F68D808B1ABBE5BF89715F00056CFA859B2E1CB75AC04FF92
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00F08BF5: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000000), ref: 00F08CA3
  • WmiSetAndCommitObject.NCOBJAPI(00000001,00000000,?,?,?,00000000,?,0000044C,FFFFFFFF,00000000,?,00000000,?,?), ref: 00F072AE
  • ?Init@CPublishWMIOperationEvent@@SGJXZ.WBEMCOMN(?,?,?,?,?,?,?,?,00F06F16,00000000,80041003,0BD26E8F,00000000,00000000), ref: 00F072BD
  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(0000003C,?,?,?,?,?,?,?,?,00F06F16,00000000,80041003,0BD26E8F,00000000,00000000), ref: 00F072D4
  • ?PublishProviderStarted@CPublishWMIOperationEvent@@SGJPAGJ0K0@Z.WBEMCOMN(?,00000000,wmiprvse.exe,00000000,?,?,?,?,?,?,?,?,00F06F16,00000000,80041003,0BD26E8F), ref: 00F072E2
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,?,?,?,?,?,?,?,?,00F06F16,00000000,80041003,0BD26E8F,00000000), ref: 00F07300
    • Part of subcall function 00F07363: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07470
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041006,0BD26E8F,00000000,00000000,80041003), ref: 00F28393
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2839B
Strings
Similarity
  • API ID: HeapPublish$AllocEvent@@Log@@MemoryOperation$CommitCurrentFreeInit@ObjectObject@@ProcessProviderStarted@Write@
  • String ID: wmiprvse.exe
  • API String ID: 1180389829-74504709
  • Opcode ID: 42bcf3cbeb4b7f6cfe9e54b7c7322d0a3725ce7a1584dde12c011a74bd7aaec1
  • Instruction ID: b858689af35d31edf367e0838517beed8be048d25fa974c73ce126e3df3bbc19
  • Opcode Fuzzy Hash: 42bcf3cbeb4b7f6cfe9e54b7c7322d0a3725ce7a1584dde12c011a74bd7aaec1
  • Instruction Fuzzy Hash: D6F15870A05318DFEB249F54DD44BAABBBAFB45310F1041D9E90AA72A1CB31AD85FF11
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
			E00F3070E(int __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t75;
				intOrPtr* _t76;
				long _t91;
				long _t95;
				long _t102;
				long _t104;
				long _t110;
				intOrPtr _t115;
				intOrPtr* _t117;
				intOrPtr _t129;
				intOrPtr _t139;
				intOrPtr* _t144;
				void* _t147;
				void* _t163;
				intOrPtr _t169;
				signed int _t170;
				void* _t171;
				signed int _t178;

				_t116 = __ebx;
				_push(0x540);
				E00F03FD5(E00F25D5B, __ebx, __edi, __esi);
				_t169 = _t171 + 0x14;
				_t165 = _t171 - 0x52c;
				 *(_t171 - 0x548) =  *(_t171 + 8);
				asm("movsd");
				 *((intOrPtr*)(_t171 - 0x53c)) =  *((intOrPtr*)(_t171 + 0xc));
				 *(_t171 - 0x51c) = 0;
				 *((short*)(_t171 - 0x314)) = 0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(GetModuleFileNameW( *0xf50aa8, _t171 - 0x51c, 0x104) == 0) {
					L28:
					L29:
					return E00F03FC1(_t116, _t165, _t169);
				}
				_t117 = _t171 - 0x51c;
				_t116 = 0;
				_t147 = _t117 + 2;
				_t170 = 2;
				do {
					_t75 =  *_t117;
					_t117 = _t117 + _t170;
				} while (_t75 != 0);
				_t76 =  *((intOrPtr*)(_t171 - 0x53c));
				_t165 = (_t117 - _t147 >> 1) + 1;
				if(_t76 == 0) {
					L7:
					_t169 = E00F19D72( ~(0 | _t178 > 0x00000000) | _t165 * _t170, _t178,  ~(0 | _t178 > 0x00000000) | _t165 * _t170);
					if(_t169 == 0) {
						goto L28;
					}
					 *((intOrPtr*)(_t171 - 0x54c)) = _t169;
					 *(_t171 - 4) = _t116;
					E00F3047F(_t169, _t165, _t171 - 0x51c);
					_t180 =  *((intOrPtr*)(_t171 - 0x53c));
					if( *((intOrPtr*)(_t171 - 0x53c)) != 0) {
						E00F30437(_t169, _t165, 0xf30a24);
						E00F30437(_t169, _t165,  *((intOrPtr*)(_t171 - 0x53c)));
					}
					 *0xf53040(_t171 - 0x52c, _t171 - 0x210, 0x80);
					E00F3047F(_t171 - 0x310, 0x80, L"APPID\\");
					E00F30437(_t171 - 0x310, 0x80, _t171 - 0x210);
					_t165 =  *(_t171 - 0x548);
					if(E00F30353(_t171 - 0x310, 0, _t180, _t116,  *(_t171 - 0x548)) != 0) {
						_t91 = RegOpenKeyExW(0x80000000, _t171 - 0x310, _t116, 0x2001f, _t171 - 0x540);
						__eflags = _t91;
						if(_t91 != 0) {
							goto L11;
						}
						E00F136E5(_t171 - 0x538, RegCloseKey,  *(_t171 - 0x540));
						 *(_t171 - 4) = 1;
						_t95 = E00F2FDE8( *(_t171 - 0x540), _t171 - 0x538);
						__eflags = _t95;
						if(_t95 >= 0) {
							__eflags =  *(_t171 + 0x10);
							if( *(_t171 + 0x10) == 0) {
								L19:
								 *(_t171 - 4) = _t116;
								__eflags =  *((char*)(_t171 - 0x538));
								if( *((char*)(_t171 - 0x538)) == 0) {
									 *0xf512c4( *((intOrPtr*)(_t171 - 0x530)));
									 *((intOrPtr*)(_t171 - 0x534))();
								}
								E00F3047F(_t171 - 0x110, 0x80, L"CLSID\\");
								E00F30437(_t171 - 0x110, 0x80, _t171 - 0x210);
								__eflags = E00F30353(_t171 - 0x110, 0, __eflags, L"AppId", _t171 - 0x210);
								if(__eflags == 0) {
									goto L11;
								} else {
									__eflags = E00F30353(_t171 - 0x110, 0, __eflags, _t116, _t165);
									if(__eflags == 0) {
										goto L11;
									}
									_t102 = E00F30353(_t171 - 0x110, L"NotInsertable", __eflags, _t116, _t116);
									_push(_t169);
									__eflags = _t102;
									if(__eflags == 0) {
										goto L12;
									}
									_t165 = L"LocalServer32";
									_push(_t116);
									__eflags = E00F30353(_t171 - 0x110, L"LocalServer32", __eflags);
									if(__eflags == 0) {
										goto L11;
									}
									_t104 = E00F30353(_t171 - 0x110, L"LocalServer32", __eflags, L"ThreadingModel", L"Both");
									__eflags = _t104;
									if(_t104 == 0) {
										_t116 = 0x80040201;
									}
									 *(_t171 - 4) =  *(_t171 - 4) | 0xffffffff;
									_t139 =  *0xf4f0cc; // 0x0
									E00F04A17(_t139, _t169);
									goto L29;
								}
							}
							 *(_t171 - 0x544) = 2;
							_t110 = RegSetValueExW( *(_t171 - 0x540), L"AppIDFlags", _t116, 4, _t171 - 0x544, 4);
							__eflags = _t110;
							if(_t110 != 0) {
								goto L15;
							}
							goto L19;
						}
						L15:
						 *(_t171 - 4) = _t116;
						__eflags =  *((char*)(_t171 - 0x538));
						if( *((char*)(_t171 - 0x538)) == 0) {
							 *0xf512c4( *((intOrPtr*)(_t171 - 0x530)));
							 *((intOrPtr*)(_t171 - 0x534))();
						}
						goto L11;
					} else {
						L11:
						_push(_t169);
						L12:
						 *(_t171 - 4) =  *(_t171 - 4) | 0xffffffff;
						_t129 =  *0xf4f0cc; // 0x0
						E00F04A17(_t129);
						goto L29;
					}
				}
				_t144 = _t76;
				_t163 = _t144 + 2;
				do {
					_t115 =  *_t144;
					_t144 = _t144 + _t170;
				} while (_t115 != 0);
				_t178 = _t165;
				goto L7;
			}

APIs
  • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000104,00000540,00F30581,Microsoft WMI Provider Subsystem Host,00000000,00000000), ref: 00F3075E
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000000,?,00000000,0002001F,?,00000000,?,?,APPID\), ref: 00F30896
  • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,AppIDFlags,00000000,00000004,?,00000004,?,?), ref: 00F3091B
Strings
Similarity
  • API ID: FileModuleNameOpenValue
  • String ID: APPID\$AppIDFlags$AppId$Both$CLSID\$LocalServer32$NotInsertable$ThreadingModel
  • API String ID: 3821765626-1511659387
  • Opcode ID: 0f78e65eefa46586f3d93ab45dc2aa6bb3bd622aa3ec6c5d285fc163cd519067
  • Instruction ID: 370f4ca323ced210e5fb5deb14a84d0636f1057f39f77e0f9c463b3627ef2b5d
  • Opcode Fuzzy Hash: 0f78e65eefa46586f3d93ab45dc2aa6bb3bd622aa3ec6c5d285fc163cd519067
  • Instruction Fuzzy Hash: D081B230A0061D9BDB24DB24DC61BEFB679BF44325F0480EAA609A7190DF749F85EF50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
			E00F12607(intOrPtr* __ecx) {
				void* __ebx;
				wchar_t* _t1;
				wchar_t* _t4;
				intOrPtr* _t10;
				void* _t14;
				wchar_t** _t15;
				short* _t17;
				wchar_t* _t21;

				_t10 = __ecx;
				_t21 = 0;
				 *__ecx = 0;
				_t1 = GetCommandLineW();
				if(_t1 != 0) {
					wcstok(_t1, 0xf126ac, _t15);
					_t4 = wcstok(0, 0xf126ac, ??);
					while(1) {
						_t17 = _t4;
						if(_t17 == 0) {
							break;
						}
						if(CompareStringW(0x7f, 1, _t17, 0xffffffff, L"/RegServer", 0xffffffff) == 2) {
							_t21 = 1;
							E00F3055C(_t10, _t14, __eflags);
						} else {
							if(CompareStringW(0x7f, 1, _t17, 0xffffffff, L"/UnRegServer", 0xffffffff) == 2) {
								_t21 = 1;
								E00F30699(_t14, __eflags);
							} else {
								if(CompareStringW(0x7f, 1, _t17, 0xffffffff, L"-secured", 0xffffffff) == 2) {
									 *_t10 = 1;
								}
								_t4 = wcstok(_t21, 0xf126ac, ??);
								continue;
							}
						}
						break;
					}
				}
				return _t21;
			}

APIs
  • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0(00000001,00000001,00F0D6B3,?,00F0D63C,00F00000,00000000,00000000,0000000A), ref: 00F12611
  • wcstok.MSVCRT ref: 00F12627
  • wcstok.MSVCRT ref: 00F1262F
  • CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,00000000,000000FF,/RegServer,000000FF), ref: 00F12650
  • CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,00000000,000000FF,/UnRegServer,000000FF), ref: 00F1266D
  • CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,00000000,000000FF,-secured,000000FF), ref: 00F1268C
  • wcstok.MSVCRT ref: 00F126A1
Strings
Similarity
  • API ID: CompareStringwcstok$CommandLine
  • String ID: -secured$/RegServer$/UnRegServer
  • API String ID: 1457712244-2803500518
  • Opcode ID: a5585436f4a57c07af6496166e99db5cefdaf54f9f1c0c741ce4a046cf46d5bb
  • Instruction ID: d78e7252cb67a3bc5fb1faba34181c709e9c3b81408f1297bf0ffe77c3aa8f2f
  • Opcode Fuzzy Hash: a5585436f4a57c07af6496166e99db5cefdaf54f9f1c0c741ce4a046cf46d5bb
  • Instruction Fuzzy Hash: 0B11293164C6617BD76117A95C0EFAB3A59EBC3B31B300304F335E21E5CA504891B1A5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,000000A4), ref: 00F155EF
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00F156B3
Strings
Similarity
  • API ID: AllocCommitHeapObject
  • String ID: CreateInstanceEnumAsync$__GET_EXTENSIONS$__GET_EXT_CLIENT_REQUEST$__GET_EXT_KEYS_ONLY$__GET_EXT_PROPERTIES
  • API String ID: 2164795135-1040527617
  • Opcode ID: 17b023eb3276b2790aead46a5488978b798319a5d52eb22ecdeb7dbf411ba918
  • Instruction ID: f2bfba70b4d32932d97090099efc067f0621580b26d9352aa2c9d3723d116ca9
  • Opcode Fuzzy Hash: 17b023eb3276b2790aead46a5488978b798319a5d52eb22ecdeb7dbf411ba918
  • Instruction Fuzzy Hash: 2BF1C371A00219DFCB14DF64DD48BAEBBB6FF84725F140069E9069B2A1D734AD41EF90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000068), ref: 00F191B3
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F19262
Strings
Similarity
  • API ID: AllocCommitHeapObject
  • String ID: GetObjectAsync$__GET_EXTENSIONS$__GET_EXT_CLIENT_REQUEST$__GET_EXT_KEYS_ONLY$__GET_EXT_PROPERTIES
  • API String ID: 2164795135-2040179058
  • Opcode ID: a9f5028ba954f51bb74663fe56b0c2ea9d2a2bb705a48dd50cf795be04aa334a
  • Instruction ID: b670832a211b59333b34cef2b381c5cacae97ca1e4b52340742f33635b3c77a8
  • Opcode Fuzzy Hash: a9f5028ba954f51bb74663fe56b0c2ea9d2a2bb705a48dd50cf795be04aa334a
  • Instruction Fuzzy Hash: C2F1BF71A002199FCB14DF64DD58BAEBBB5FF88315F144069E906AB2A0CB74AD41EF90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 21%
			E00F30A4F(void* __eflags, void* _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1032;
				char _v1048;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				signed int _t60;

				_t21 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t21 ^ _t60;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *0xf53040( &_v1048,  &_v776, 0x80);
				E00F3047F( &_v264, 0x80, L"CLSID\\");
				E00F30437( &_v264, 0x80,  &_v776);
				_t59 = L"%s\\%s";
				E00F2F62F( &_v520, 0x80, L"%s\\%s",  &_v264);
				__imp__RegDeleteKeyExW(0x80000000,  &_v520, 0, 0, L"NotInsertable");
				E00F3047F( &_v1032, 0x80, L"APPID\\");
				E00F30437( &_v1032, 0x80,  &_v776);
				__imp__RegDeleteKeyExW(0x80000000,  &_v1032, 0, 0);
				E00F2F62F( &_v520, 0x80, L"%s\\%s",  &_v264);
				__imp__RegDeleteKeyExW(0x80000000,  &_v520, 0, 0, L"LocalServer32");
				__imp__RegDeleteKeyExW( &_v264, 0, 0);
				return E00F01CA0(0, 0, _v8 ^ _t60, 0x80, 0x80000000, _t59, 0x80000000);
			}

APIs
  • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000000,?,00000000,00000000,?,CLSID\,?,00F14C58,FFFFFFFE), ref: 00F30AE7
  • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000000,?,00000000,00000000,?,APPID\,?,00F14C58,FFFFFFFE), ref: 00F30B23
  • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000000,?,00000000,00000000,?,?,?,?,?,?,?,?,00F14C58,FFFFFFFE), ref: 00F30B54
  • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000000,?,00000000,00000000,?,?,?,?,?,?,?,?,00F14C58,FFFFFFFE), ref: 00F30B64
Strings
Similarity
  • API ID: Delete
  • String ID: %s\%s$APPID\$CLSID\$LocalServer32$NotInsertable
  • API String ID: 1035893169-4016042841
  • Opcode ID: 73cbd3c5d73153e75875c5e1c684477254447e961562ff3e4c99eed4695e9393
  • Instruction ID: 1289ef70678fd01e311918351c96c698783ff0e5d1d77e6ddb4ee307a52c75e3
  • Opcode Fuzzy Hash: 73cbd3c5d73153e75875c5e1c684477254447e961562ff3e4c99eed4695e9393
  • Instruction Fuzzy Hash: BD3129F290021CABD710EB50DD95EEBB3BCEB94340F4040E6BB45A6141EA34AF49AA60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000230,?,?,?,00000000,00F246BA,000000FF,?,00F07187,?,00000000,00000000,?,?), ref: 00F0BF93
    • Part of subcall function 00F0B089: InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(0000008C,00000000,0BD26E8F,?,00000000,?,?,?), ref: 00F0B145
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018,00000058,00000000,?,00F07187,?,?,?,?,?,?,?,00000000), ref: 00F0C0D0
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0C140
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018,?,?,?,00000000), ref: 00F0C18C
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,00000000,00000000,?,?,000000FF,00000000,?,00000000,00000000,?), ref: 00F0C28C
  • SetEvent.API-MS-WIN-CORE-SYNCH-L1-2-0(?,00000058,00000000,?,00F07187,?,?,?,?,?,?,?,00000000), ref: 00F0C377
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(8004100A,?,?,?,00000000,00F246BA,000000FF,?,00F07187,?,00000000,00000000,?,?,?,?), ref: 00F288CA
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,?,00000000,00F246BA,000000FF,?,00F07187,?,00000000,00000000,?,?,?,?,?), ref: 00F288D2
Similarity
  • API ID: AllocHeap$EventLog@@Memory$CountCreateCriticalInitializeObjectObject@@SectionSingleSpinWaitWrite@
  • String ID:
  • API String ID: 2704700961-0
  • Opcode ID: bb6c637ded3f0c5f489b2a21b893b0c81e920d307c14758e00767565b6390b0c
  • Instruction ID: 2c7e23774e032dfbb37d7b0f900eafc3be438dbaee0680eea39cdd800b2b1865
  • Opcode Fuzzy Hash: bb6c637ded3f0c5f489b2a21b893b0c81e920d307c14758e00767565b6390b0c
  • Instruction Fuzzy Hash: 8812AE75A00218DFCB149F68D944BAEBBA1BF48721F154169E906AB3E1CB34AC41FBD0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 51%
			E00F1384C() {
				struct _SECURITY_ATTRIBUTES _v16;
				intOrPtr _v20;
				char _v36;
				void* __edi;
				intOrPtr _t17;
				void* _t24;
				intOrPtr _t26;
				void* _t28;
				void* _t30;

				_t28 = OpenFileMappingW(6, 0, L"Global\\Wmi Provider Sub System Counters");
				if(_t28 == 0) {
					if(GetLastError() != 2) {
						_t30 = 0x80041003;
						L19:
						if(_t30 >= 0) {
							goto L1;
						}
						L9:
						if(_t28 != 0) {
							_t16 = CloseHandle(_t28);
						}
						L4:
						if(_t30 < 0) {
							L21:
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t30);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
						}
						_t17 =  *0xf4f014; // 0xf4f014
						if(_t17 != 0xf4f014 && ( *(_t17 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t17 + 0x19)) >= 2) {
							_push(_t30);
							_t13 = _t17 + 0x14; // 0x20000000
							_push( *_t13);
							_t14 = _t17 + 0x10; // 0x40000000
							_push( *_t14);
							_t24 = 0xd;
							E00F32A46(_t24, 0xf21d84);
						}
						return _t30;
					}
					_t30 = E00F3160B( &_v36, _t28);
					if(_t30 < 0) {
						goto L21;
					}
					_v16.nLength = 0xc;
					_v16.lpSecurityDescriptor =  &_v36;
					_v16.bInheritHandle = 0;
					_t28 = CreateFileMappingW(0xffffffff,  &_v16, 0x8000004, 0, 0x148, L"Global\\Wmi Provider Sub System Counters");
					if(_t28 == 0) {
						_t30 = 0x80041003;
					}
					if(_v20 != 0) {
						_t26 =  *0xf4f0cc; // 0x0
						_t16 = E00F04A17(_t26, _v20);
					}
					goto L19;
				}
				L1:
				_t16 = MapViewOfFile(_t28, 6, 0, 0, 0x148);
				if(_t16 == 0) {
					_t30 = 0x80041003;
				}
				if(_t30 < 0) {
					goto L9;
				} else {
					 *0xf4f094 = _t28;
					 *0xf4f098 = _t16;
					goto L4;
				}
			}

APIs
  • OpenFileMappingW.API-MS-WIN-CORE-MEMORY-L1-1-2(00000006,00000000,Global\Wmi Provider Sub System Counters,00000000,00000000,FFFFFFFE,?,?,?,00F0CBFB,0BD26E8F,00000000,00000001,00000001), ref: 00F13863
  • MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-2(00000000,00000006,00000000,00000000,00000148,?,?,?,00F0CBFB,0BD26E8F,00000000,00000001,00000001), ref: 00F1387D
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,?,?,00F0CBFB,0BD26E8F,00000000,00000001,00000001), ref: 00F1E325
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,?,?,00F0CBFB,0BD26E8F,00000000,00000001,00000001), ref: 00F2AD94
  • CreateFileMappingW.API-MS-WIN-CORE-MEMORY-L1-1-2(000000FF,0000000C,08000004,00000000,00000148,Global\Wmi Provider Sub System Counters,?,?,?,00F0CBFB,0BD26E8F), ref: 00F2ADD3
Strings
Similarity
  • API ID: File$Mapping$CloseCreateErrorHandleLastOpenView
  • String ID: Global\Wmi Provider Sub System Counters
  • API String ID: 1524699163-3057216162
  • Opcode ID: 7059791b9741e3ac7551df3a9de24ef737cb75f49e72bfd3e8baf5b1b69b4826
  • Instruction ID: 84c8c418db143bbba6d3f1ad815845bc20ab3a39c80252981239ebf21975acfa
  • Opcode Fuzzy Hash: 7059791b9741e3ac7551df3a9de24ef737cb75f49e72bfd3e8baf5b1b69b4826
  • Instruction Fuzzy Hash: 04312B37D00729ABD7214B649C45BAE7A65FB40736F110069FE05A72A0DB34DD84BB92
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 26%
			E00F0EAF4(void* __edx) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				signed int _t63;
				int _t65;
				void* _t66;
				void* _t67;
				struct _SECURITY_ATTRIBUTES* _t76;
				void* _t80;
				int _t81;
				void* _t82;
				struct _SECURITY_ATTRIBUTES* _t88;
				void* _t92;
				int _t93;
				void* _t94;
				void* _t95;
				int _t98;
				void* _t99;
				void* _t100;
				void* _t104;
				void* _t105;
				intOrPtr* _t106;
				intOrPtr* _t107;
				intOrPtr* _t108;
				struct _SECURITY_ATTRIBUTES* _t109;
				struct _SECURITY_ATTRIBUTES* _t110;
				long _t113;
				intOrPtr _t115;
				long _t128;
				long* _t132;
				intOrPtr* _t141;
				void* _t142;
				struct _SECURITY_ATTRIBUTES* _t144;
				void* _t145;
				struct _SECURITY_ATTRIBUTES* _t147;
				long* _t148;
				long* _t150;
				intOrPtr* _t151;
				signed int _t152;

				_t139 = __edx;
				_push(0xffffffff);
				_push(E00F245E3);
				_push( *[fs:0x0]);
				_t62 =  *0xf4f1a4; // 0xbd26e8f
				_t63 = _t62 ^ _t152;
				_v20 = _t63;
				_push(_t63);
				 *[fs:0x0] =  &_v16;
				_t65 =  *0xf4f0cc; // 0x0
				_t141 =  *0xf4f05c; // 0x0
				_t66 =  *(_t65 + 4);
				_t113 =  *(_t65 + 8) & 0x00000005 | 0x00000008;
				if(_t66 == 0) {
					L36:
					_t144 = 0;
				} else {
					_t144 = HeapAlloc(_t66, _t113, 0x28);
					if(_t144 == 0) {
						if(E00F48131() != 0) {
							goto L36;
						} else {
							goto L2;
						}
						L33:
						_t115 =  *0xf4f014; // 0xf4f014
						if(_t115 != 0xf4f014 && ( *(_t115 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t115 + 0x19)) >= 2) {
							_t59 = _t115 + 0x14; // 0x20000000
							_t139 = 0xf21274;
							_t60 = _t115 + 0x10; // 0x40000000
							E00F32A46(0x17, 0xf21274,  *_t60,  *_t59, _t104);
						}
						 *[fs:0x0] = _v16;
						_pop(_t142);
						_pop(_t145);
						_pop(_t105);
						return E00F01CA0(_t104, _t105, _v20 ^ _t152, _t139, _t142, _t145);
					}
				}
				L2:
				_v24 = _t144;
				_v8 = 0;
				if(_t144 == 0) {
					_t144 = 0;
				} else {
					_t98 =  *0xf4f0cc; // 0x0
					_t110 = 0;
					_t144->nLength = 0xf06240;
					_t144->lpSecurityDescriptor = 0;
					_t144->bInheritHandle = _t98;
					 *(_t144 + 0xc) = 0;
					 *(_t144 + 0x10) = 0;
					 *(_t144 + 0x14) = 0;
					 *(_t144 + 0x18) = 0;
					 *(_t144 + 0x1c) = 0;
					 *(_t144 + 0x24) = 0;
					_t99 = CreateEventW(0, 0, 0, 0);
					 *(_t144 + 0x14) = _t99;
					if(_t99 == 0) {
						_t110 = 0x80000001;
					}
					 *(_t144 + 0x1c) = _t110;
					if(_t110 == 0) {
						_t100 = CreateEventW(_t110, _t110, _t110,  *(_t144 + 0x10));
						 *(_t144 + 0x18) = _t100;
						if(_t100 == 0) {
							_t110 = 0x80000001;
						}
						 *(_t144 + 0x1c) = _t110;
					}
					_v8 = 1;
					_t144->nLength = 0xf0ee48;
					_v8 = 0;
				}
				_v8 = 0xffffffff;
				 *0xf4f064 = _t144;
				if(_t144 == 0) {
					L54:
					_t104 = 0x80041006;
					 *0xf4f064 = 0;
				} else {
					 *0xf512c4(_t144);
					 *((intOrPtr*)( *((intOrPtr*)( *_t144 + 4))))();
					_t147 =  *0xf4f064; // 0x0
					_t106 =  *((intOrPtr*)(_t147->nLength + 0xc));
					if(_t106 != E00F0EE80) {
						 *0xf512c4();
						_t76 =  *_t106();
						_t147 =  *0xf4f064; // 0x0
					} else {
						_t76 = E00F0EE80(_t147);
					}
					if(_t76 != 0) {
						goto L54;
					} else {
						_v24 = _t76;
						_push(_t147);
						_t107 =  *((intOrPtr*)( *_t141 + 0x34));
						_push( &_v24);
						if(_t107 != E00F0E7E0) {
							 *0xf512c4();
							_t80 =  *_t107();
						} else {
							_t80 = E00F0E7E0(_t141);
						}
						if(_t80 != 0) {
							goto L54;
						} else {
							_t81 =  *0xf4f0cc; // 0x0
							_t82 =  *(_t81 + 4);
							_t128 =  *(_t81 + 8) & 0x00000005 | 0x00000008;
							if(_t82 == 0) {
								L38:
								_t148 = 0;
							} else {
								_t148 = HeapAlloc(_t82, _t128, 0x28);
								if(_t148 == 0) {
									if(E00F48131() != 0) {
										goto L38;
									} else {
										goto L17;
									}
									goto L33;
								}
							}
							L17:
							_v24 = _t148;
							_v8 = 2;
							if(_t148 == 0) {
								_t148 = 0;
							} else {
								_t93 =  *0xf4f0cc; // 0x0
								_t109 = 0;
								 *_t148 = 0xf06240;
								_t148[1] = 0;
								_t148[2] = _t93;
								_t148[3] = 0;
								_t148[4] = 0;
								_t148[5] = 0;
								_t148[6] = 0;
								_t148[7] = 0;
								_t148[9] = 0;
								_t94 = CreateEventW(0, 0, 0, 0);
								_t148[5] = _t94;
								if(_t94 == 0) {
									_t109 = 0x80000001;
								}
								_t148[7] = _t109;
								if(_t109 == 0) {
									_t95 = CreateEventW(_t109, _t109, _t109, _t148[4]);
									_t148[6] = _t95;
									if(_t95 == 0) {
										_t109 = 0x80000001;
									}
									_t148[7] = _t109;
								}
								_v8 = 3;
								 *_t148 = 0xf0ee18;
								_v8 = 2;
							}
							_v8 = 0xffffffff;
							 *0xf4f060 = _t148;
							if(_t148 == 0) {
								L48:
								_t104 = 0x80041006;
							} else {
								 *0xf512c4(_t148);
								 *((intOrPtr*)( *((intOrPtr*)( *_t148 + 4))))();
								_t150 =  *0xf4f060; // 0x0
								_t108 =  *((intOrPtr*)( *_t150 + 0xc));
								if(_t108 != E00F0EE80) {
									 *0xf512c4();
									_t88 =  *_t108();
								} else {
									_t88 = E00F0EE80(_t150);
								}
								if(_t88 != 0) {
									goto L48;
								} else {
									_t132 =  *0xf4f060; // 0x0
									_v24 = _t88;
									_push(_t132);
									_t151 =  *((intOrPtr*)( *_t141 + 0x34));
									_push( &_v24);
									if(_t151 != E00F0E7E0) {
										 *0xf512c4();
										_t92 =  *_t151();
									} else {
										_t92 = E00F0E7E0(_t141);
									}
									if(_t92 != 0) {
										goto L48;
									} else {
										_t104 = 0;
									}
								}
							}
						}
					}
				}
				_t67 = CreateEventW(0, 0, 0, 0);
				 *0xf4f074 = _t67;
				if(_t67 == 0) {
					_t104 = 0x80041006;
					goto L55;
				} else {
					if(_t104 < 0) {
						L55:
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t104);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
				}
				goto L33;
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000028,0BD26E8F,?,00000000,FFFFFFFE,00000001,00000001), ref: 00F0EB44
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00F24D8E,000000FF), ref: 00F0EBAB
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00F24D8E,000000FF), ref: 00F0EBC9
    • Part of subcall function 00F0E7E0: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00F4F0FC), ref: 00F0E857
    • Part of subcall function 00F0E7E0: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00000018,?,?,?,00000000), ref: 00F0E8C8
    • Part of subcall function 00F0E7E0: SetEvent.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,00000000), ref: 00F0E8D1
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000028,?,00000000,?,?,?,?,?,?,?,?,00000000,00F24D8E,000000FF), ref: 00F0EC7B
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00F24D8E,000000FF), ref: 00F0ECE2
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00F24D8E,000000FF), ref: 00F0ED00
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,00F24D8E), ref: 00F0EDA5
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041006,?,?,?,?,?,?,?,?,00000000,00F24D8E,000000FF,?,00F0D6DC,?,00F0D63C), ref: 00F286CE
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,?,?,?,?,?,?,00000000,00F24D8E,000000FF,?,00F0D6DC,?,00F0D63C,00F00000), ref: 00F286D6
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Event$Create$AllocCriticalHeapLeaveLog@@MemorySection$Object@@Write@
  • String ID:
  • API String ID: 729907563-0
  • Opcode ID: e4bdcf018c04caaf7f5d2d0d8ca916c8c5c7e99276a3f1cb37bf8d504c37822f
  • Instruction ID: 1a578717f1c584a8336c117ac436801c034f37df5fa2ae2cbd48c61912fa1697
  • Opcode Fuzzy Hash: e4bdcf018c04caaf7f5d2d0d8ca916c8c5c7e99276a3f1cb37bf8d504c37822f
  • Instruction Fuzzy Hash: 64A1CC74A01719DFEB208F24D984B2ABBE4EB48714F10492DE9469B3D1DB74EC48FB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 51%
			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags, long _a4) {
				signed int _v4;
				void* _v8;
				signed int _v32;
				signed int _v36;
				struct _STARTUPINFOA _v108;
				int _t33;
				void* _t53;
				void* _t55;
				intOrPtr _t57;
				intOrPtr _t63;
				void* _t65;

				E00F12483();
				_push(0x5c);
				_push(0xf12830);
				E00F124CC(__ebx, __edi, __esi);
				_v36 = _v36 & 0x00000000;
				_v4 = _v4 & 0x00000000;
				GetStartupInfoA( &_v108);
				_v4 = 0xfffffffe;
				_v4 = 1;
				_t57 =  *((intOrPtr*)( *[fs:0x18] + 4));
				while(1) {
					__edx = 0xf4f0d8;
					__ecx = __edi;
					__eax = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 == 0) {
						break;
					}
					__eflags = 0 - __edi;
					if(0 != __edi) {
						Sleep(0x3e8);
						continue;
					} else {
						__esi = __ebx;
					}
					break;
				}
				__eflags =  *0xf4f0c0 - __ebx; // 0x0
				if(__eflags == 0) {
					L00F234E3();
					__ecx = 0x1f;
					goto L19;
				} else {
					__eflags =  *0xf4f0c0;
					if( *0xf4f0c0 != 0) {
						 *0xf50aa0 = __ebx;
						goto L19;
					} else {
						 *0xf4f0c0 = __ebx;
						__eax = E00F12418(__ecx, 0xf12820, 0xf1282c);
						_pop(__ecx);
						_pop(__ecx);
						__eflags = __eax;
						if(__eax != 0) {
							_v4 = 0xfffffffe;
							__eax = 0xff;
							goto L49;
						} else {
							L19:
							__eflags =  *0xf4f0c0 - __ebx; // 0x0
							if(__eflags == 0) {
								L00F124C6();
								__ecx = 0xf127fc;
								__ecx = 0xf1281c;
								 *0xf4f0c0 = 2;
							}
							__eflags = __esi;
							if(__esi == 0) {
								__eax = 0;
								__eflags = 0;
								__ecx = 0xf4f0d8;
								__eax =  *0xf4f0d8;
								 *0xf4f0d8 = 0;
							}
							__eflags =  *0xf50600;
							if(__eflags != 0) {
								__eax = E00F23538(__eflags, 0xf50600);
								__eflags = __eax;
								if(__eax != 0) {
									_push(0);
									_push(2);
									_push(0);
									__esi =  *0xf50600; // 0x0
									__ecx = __esi;
									 *0xf512c4() =  *__esi();
								}
							}
							__eax = _acmdln;
							__esi =  *_acmdln;
							_v32 = __esi;
							__edi = _v36;
							while(1) {
								__cl =  *__esi;
								__eflags = __cl - 0x20;
								if(__cl <= 0x20) {
									goto L29;
								}
								L26:
								__eflags = __cl - 0x22;
								if(__cl == 0x22) {
									__eax = 0;
									__eflags = __edi;
									__eax = 0 | __eflags == 0x00000000;
									__edi = __eflags == 0;
									_v36 = __edi;
								}
								__eax = __cl & 0x000000ff;
								__imp___ismbblead();
								__ecx = __eax;
								__eflags = __eax;
								if(__eax != 0) {
									__esi = __esi + 1;
									_v32 = __esi;
								}
								__esi = __esi + 1;
								_v32 = __esi;
								continue;
								L29:
								__eflags = __cl;
								if(__cl != 0) {
									__eflags = __edi;
									if(__edi == 0) {
										goto L33;
									} else {
										goto L26;
									}
									while(1) {
										L33:
										__al =  *__esi;
										__eflags = __al;
										if(__al == 0) {
											break;
										}
										__eflags = __al - 0x20;
										if(__al <= 0x20) {
											__esi = __esi + 1;
											_v32 = __esi;
											continue;
										}
										break;
									}
									if((_v108.dwFlags & 0x00000001) != 0) {
										_t33 = _v108.wShowWindow & 0x0000ffff;
									} else {
										_t33 = 0xa;
									}
									_push(_t33);
									_push(0);
									_push(0);
									_push(0xf00000);
									L5();
									 *0xf4f044 = _t33;
									if( *0xf4f04c != 0) {
										__eflags =  *0xf50aa0;
										if( *0xf50aa0 == 0) {
											__imp___cexit();
										}
										_v4 = 0xfffffffe;
										L49:
										return E00F125E4(1, _t57, 0);
									} else {
										exit(_t33);
										_t63 = 1;
										__imp__HeapSetInformation(0, 1, 0, 0, _t57, 0, _t53, _t65);
										E00F11CE2(_t33);
										 *0xf4f4f8 = 0xf0d724;
										 *0xf4f4fc = 0xf0d714;
										 *0xf4f014 = 0xf4f700;
										E00F1288D(_t53);
										 *0xf53070();
										if(E00F12C44() >= 0) {
											_t54 =  &_v8;
											_v8 = 0;
											if(E00F12607( &_v8) == 0) {
												if(E00F0D21D( &_v8) != 0) {
													_t54 = _a4;
													_t63 = E00F11C2F(_a4);
												}
												 *0xf4f070 = _t63;
												_t77 = _t63;
												if(_t63 != 0) {
													_t54 = _v8;
													E00F0CB9F(_v8, _t55, _t77);
												}
												if(E00F0D21D(_t54) != 0) {
													 *0xf530c4( *0xf4f070);
													 *0xf530d4(L"Wmi Provider Host", _a4);
												}
											}
											E00F162A9(_t55);
										}
										E00F160AC();
										return 0;
									}
									goto L50;
								}
								goto L33;
							}
						}
					}
				}
				L50:
			}

APIs
  • GetStartupInfoA.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-1(?,?,?,?,?,?,?,?,?,00F12830,0000005C), ref: 00F1271D
  • _initterm.MSVCRT ref: 00F1279A
  • _ismbblead.MSVCRT ref: 00F127E6
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: InfoStartup_initterm_ismbblead
  • String ID:
  • API String ID: 3170235899-0
  • Opcode ID: 2c32176ec4f3de7b0410cdb24aec89f9a00287d6831dcd2e68b8d63be8561ff3
  • Instruction ID: d6770f8b8df201a974d63bf85f49e216530937e7af90b6e8f82e3c2371fcdbda
  • Opcode Fuzzy Hash: 2c32176ec4f3de7b0410cdb24aec89f9a00287d6831dcd2e68b8d63be8561ff3
  • Instruction Fuzzy Hash: 9D41BD35D40319CFDB609FA8DC057EA7AA0BB59731F20012AE905A72D2DB7888D1FB91
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F3A911
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3A919
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041006), ref: 00F3A979
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3A981
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041010), ref: 00F3A9FD
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3AA05
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F3AC7D
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3AC85
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: 83e75b3db8634ac68ce81ea986fe78b527d1d1d3b1435900c87ca0cc68694209
  • Instruction ID: 9109e2c46783f9217d42601223045f084bab549debc075bbfc7e7593bd7dc14b
  • Opcode Fuzzy Hash: 83e75b3db8634ac68ce81ea986fe78b527d1d1d3b1435900c87ca0cc68694209
  • Instruction Fuzzy Hash: 1B025E70A00349EFDB14CFA9D988BAEBBB5BF48315F104059EA05E72A1C775AD40EF61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 40%
			E00F17F20(signed char __edx, long _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20, intOrPtr* _a24) {
				signed char _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed char _v28;
				signed char _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				signed char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t141;
				signed int _t142;
				signed char _t145;
				signed char _t151;
				signed int _t153;
				signed char _t154;
				signed char _t156;
				signed int _t158;
				signed char _t159;
				signed int _t163;
				intOrPtr* _t164;
				signed int _t168;
				intOrPtr _t171;
				void* _t172;
				signed char _t177;
				signed char _t179;
				signed int _t181;
				intOrPtr _t187;
				void* _t188;
				intOrPtr* _t200;
				void* _t201;
				signed int _t202;
				intOrPtr _t222;
				long _t245;
				void* _t246;
				signed int _t250;
				void* _t251;
				void* _t259;
				signed int _t261;

				_t243 = __edx;
				_push(0xffffffff);
				_push(0xf2471c);
				_push( *[fs:0x0]);
				_t141 =  *0xf4f1a4; // 0xbd26e8f
				_t142 = _t141 ^ _t261;
				_v20 = _t142;
				_push(_t142);
				 *[fs:0x0] =  &_v16;
				_t144 =  *0xf4f014; // 0xf4f014
				_t200 = _a20;
				if(_t144 != 0xf4f014 && ( *(_t144 + 0x1c) & 0x00000004) != 0) {
					__eflags =  *((char*)(_t144 + 0x19)) - 5;
					if( *((char*)(_t144 + 0x19)) >= 5) {
						_t243 = 0xf21284;
						_t58 = _t144 + 0x14; // 0x20000000
						_t59 = _t144 + 0x10; // 0x40000000
						_t144 = E00F327E7(0x74, 0xf21284,  *_t59,  *_t58, _a8, _a12, _a16, _t200, _a24);
					}
				}
				_t245 = _a4;
				_t250 = 0x80041024;
				if( *((intOrPtr*)(_t245 + 0xb8)) == 0) {
					__eflags =  *(_t245 + 0xc0);
					if( *(_t245 + 0xc0) == 0) {
						_t250 = 0x8004100a;
						L68:
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t250);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
						L17:
						_t145 =  *0xf4f014; // 0xf4f014
						if(_t145 != 0xf4f014 && ( *(_t145 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t145 + 0x19)) - 2;
							if( *((char*)(_t145 + 0x19)) >= 2) {
								_t138 = _t145 + 0x14; // 0x20000000
								_t243 = 0xf21284;
								_t139 = _t145 + 0x10; // 0x40000000
								E00F32A46(0x76, 0xf21284,  *_t139,  *_t138, _t250);
							}
						}
						 *[fs:0x0] = _v16;
						_pop(_t246);
						_pop(_t251);
						_pop(_t201);
						return E00F01CA0(_t250, _t201, _v20 ^ _t261, _t243, _t246, _t251);
					}
					_v28 = 0;
					_v24 = 5;
					_t250 = E00F19CB7(E00F13E64,  &_v24, 0xf13e74,  &_v28);
					__eflags = _t250;
					if(_t250 < 0) {
						goto L68;
					}
					_t151 = _v28;
					 *0xf512c4(_t151, _a8, _a12, 0);
					_t153 =  *((intOrPtr*)( *((intOrPtr*)( *_t151 + 0x18))))();
					__eflags = _t153;
					if(_t153 < 0) {
						_t250 = 0x8004100c;
					} else {
						_t156 = _v28;
						_v32 = 0;
						 *0xf512c4(_t156, 1, 0,  &_v32);
						_t158 =  *((intOrPtr*)( *((intOrPtr*)( *_t156 + 0x1c))))();
						__eflags = _t158;
						if(_t158 < 0) {
							_t250 = 0x8004101d;
						} else {
							_t243 = _v32;
							__eflags =  *((intOrPtr*)(_t243 + 0x20)) - 1;
							if( *((intOrPtr*)(_t243 + 0x20)) != 1) {
								_t250 = 0x8004100c;
							} else {
								_t163 =  *0xf53000( *((intOrPtr*)( *((intOrPtr*)(_t243 + 0x2c)))));
								_v24 = _t163;
								__eflags = _t163;
								if(__eflags == 0) {
									_t243 = _v32;
									_t250 = 0x80041006;
								} else {
									_t164 = _a24;
									 *0xf512c4(_t164, 1, 0, 0, 0);
									 *((intOrPtr*)( *((intOrPtr*)( *_t164 + 0x10))))();
									_t202 = _v24;
									_t168 = E00F3B353(_t202, _t245, _t245,  *((intOrPtr*)( *_t164 + 0x10)), __eflags);
									_t250 = _t168;
									 *0xf53004(_t202,  *(_t245 + 0xc0), _t202, _a16, _t200, _a24);
									_t243 = _v32;
								}
							}
							_t159 = _v28;
							 *0xf512c4(_t159, _t243);
							 *((intOrPtr*)( *((intOrPtr*)( *_t159 + 0x20))))();
						}
					}
					_t154 = _v28;
					 *0xf512c4(_t154);
					_t144 =  *((intOrPtr*)( *((intOrPtr*)( *_t154 + 8))))();
					L16:
					if(_t250 < 0) {
						goto L68;
					}
					goto L17;
				}
				_t222 =  *((intOrPtr*)(_t245 + 0x134));
				_t144 =  *(_t222 + 0x780);
				if((_t144 & 0x00000001) == 0) {
					__eflags = _t144 & 0x00000008;
					if((_t144 & 0x00000008) != 0) {
						goto L4;
					}
					__eflags =  *(_t222 + 0x770);
					if( *(_t222 + 0x770) != 0) {
						goto L4;
					} else {
						goto L68;
					}
				}
				L4:
				_v32 = 0;
				_v8 = 0;
				_v40 = 0;
				_v44 = 0;
				_v52 = 0;
				_t171 =  *((intOrPtr*)( *((intOrPtr*)(_t245 + 0x134)) + 0x680));
				_v48 = 0;
				_v24 = 0;
				if(_t171 != 0xc) {
					_t172 = _t171 - 1;
					__eflags = _t172 - 0xc;
					if(_t172 > 0xc) {
						L27:
						_t243 =  &_v52;
						_t250 = E00F066C5( &_v44,  &_v52,  &_v24, 0);
						__eflags = _t250;
						if(__eflags < 0) {
							_v36 = _v24;
							_v28 = _v24;
							L40:
							__eflags = _t250 - 0x80041002;
							if(_t250 == 0x80041002) {
								L43:
								_t250 = 0x80041002;
								L13:
								_v8 = 0xffffffff;
								_t144 = _v32;
								if(_t144 != 0) {
									_v24 = 0;
									__imp__?SetPreferredLanguages@CMUILocale@@SGJKPBGPAK@Z(8, _t144,  &_v24);
									if(_t144 >= 0) {
										__imp__?_Free@CMUILocale@@SGHPAX@Z(_v32);
										_v32 = 0;
									}
								}
								goto L16;
							}
							__eflags = _t250;
							if(_t250 < 0) {
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t250);
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
							}
							L7:
							_t177 =  *0xf4f014; // 0xf4f014
							if(_t177 != 0xf4f014 && ( *(_t177 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t177 + 0x19)) - 2;
								if( *((char*)(_t177 + 0x19)) >= 2) {
									_t92 = _t177 + 0x14; // 0x20000000
									_t243 = 0xf21284;
									_t93 = _t177 + 0x10; // 0x40000000
									E00F32A46(0x44, 0xf21284,  *_t93,  *_t92, _t250);
								}
							}
							if(_t250 < 0) {
								goto L13;
							} else {
								_t259 = E00F177C2( &_v32, _t200);
								if(_t259 < 0) {
									__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t259);
									__imp__?Write@CMemoryLog@@QAEXJ@Z();
									_t179 =  *0xf4f014; // 0xf4f014
									__eflags = _t179 - 0xf4f014;
									if(_t179 != 0xf4f014) {
										__eflags =  *(_t179 + 0x1c) & 0x00000004;
										if(( *(_t179 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t179 + 0x19)) - 2;
											if( *((char*)(_t179 + 0x19)) >= 2) {
												_t98 = _t179 + 0x14; // 0x20000000
												_t243 = 0xf21284;
												_t99 = _t179 + 0x10; // 0x40000000
												E00F32A46(0x75, 0xf21284,  *_t99,  *_t98, _t259);
											}
										}
									}
								}
								_t181 = E00F180C6(_t245, _v28, _a8, _a12, _a16, _t200, _a24, _v36);
								_t203 = _v40;
								_t250 = _t181;
								_v28 = _v52;
								_v36 = _v44;
								 *0xf5302c();
								if(_v40 != 0) {
									_t243 = 0;
									E00F47C8C(_t245 + 0xf0, 0, __eflags, _t203, _v48);
								}
								_t187 =  *((intOrPtr*)( *((intOrPtr*)(_t245 + 0x134)) + 0x680));
								if(_t187 != 0xc) {
									_t188 = _t187 - 1;
									__eflags = _t188 - 0xc;
									if(_t188 > 0xc) {
										L53:
										_t243 = _v28;
										E00F1A856(_v36, _v28, _v24);
										goto L13;
									}
									switch( *((intOrPtr*)(( *(_t188 + 0xf2905f) & 0x000000ff) * 4 +  &M00F29057))) {
										case 0:
											goto L13;
										case 1:
											goto L53;
									}
								} else {
									goto L13;
								}
							}
						}
						_t243 = 0;
						_t250 = E00F1A8DF(_t245 + 0xf0, 0, __eflags, 0xf04ea8,  *((intOrPtr*)(_t245 + 0xb8)),  &_v40,  &_v48);
						__eflags = _t250 - 0x80041002;
						if(_t250 != 0x80041002) {
							__eflags = _t250;
							if(_t250 < 0) {
								_v36 = _v24;
								_v28 = _v24;
								L37:
								__eflags = _t250 - 0x80041002;
								if(_t250 == 0x80041002) {
									goto L43;
								}
								_t243 = _v52;
								_t176 = E00F1A856(_v44, _v52, _v24);
								goto L40;
							}
							_v28 = 1;
							_v36 = _v40;
							_t250 = E00F47D61(_v40, E00F07D03());
							__eflags = _t250;
							if(__eflags < 0) {
								L34:
								_t243 = 0;
								_t176 = E00F47C8C(_t245 + 0xf0, 0, __eflags, _v40, _v48);
								__eflags = _t250;
								if(_t250 >= 0) {
									goto L40;
								}
								goto L37;
							}
							_t250 =  *0xf53030();
							__eflags = _t250;
							if(__eflags >= 0) {
								goto L40;
							} else {
								_t250 = 0x80041003;
								goto L34;
							}
						} else {
							_v28 = 0;
							_t250 = 0;
							L6:
							_v36 =  *((intOrPtr*)(_t245 + 0xb8));
							goto L7;
						}
					}
					switch( *((intOrPtr*)(( *(_t172 + 0xf29047) & 0x000000ff) * 4 +  &M00F2903F))) {
						case 0:
							goto L5;
						case 1:
							goto L27;
					}
				}
				L5:
				_v28 = 0;
				goto L6;
			}

APIs
  • ?SetPreferredLanguages@CMUILocale@@SGJKPBGPAK@Z.WBEMCOMN(00000008,00000000,?,?,00000000), ref: 00F18069
  • ?_Free@CMUILocale@@SGHPAX@Z.WBEMCOMN(00000000), ref: 00F18076
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Locale@@$Free@Languages@Preferred
  • String ID:
  • API String ID: 314991416-0
  • Opcode ID: 4cb7324fe5604773484900c3908aaaeb41ec4f5208f03929ac13c3cf7b0667bf
  • Instruction ID: d2c50f6e752c9e2b6a3338927335a3d6bba4fbe064ea05d31e9d9453ea77aa44
  • Opcode Fuzzy Hash: 4cb7324fe5604773484900c3908aaaeb41ec4f5208f03929ac13c3cf7b0667bf
  • Instruction Fuzzy Hash: 0BE1C071E042299FCB14DFA4D944BEEBBB6FB48350F114158E905A73A1CB34AD46EBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 44%
			E00F18EF0(signed int __edx, void* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				char _v44;
				char _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t111;
				signed int _t112;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr* _t121;
				intOrPtr _t124;
				void* _t125;
				intOrPtr _t130;
				intOrPtr _t132;
				signed int _t133;
				intOrPtr _t139;
				void* _t140;
				intOrPtr* _t153;
				void* _t154;
				intOrPtr _t156;
				void* _t186;
				void* _t188;
				void* _t191;
				void* _t192;
				signed int _t195;

				_t183 = __edx;
				_push(0xffffffff);
				_push(0xf25614);
				_push( *[fs:0x0]);
				_t111 =  *0xf4f1a4; // 0xbd26e8f
				_t112 = _t111 ^ _t195;
				_v20 = _t112;
				_push(_t112);
				 *[fs:0x0] =  &_v16;
				_t114 =  *0xf4f014; // 0xf4f014
				_t153 = _a16;
				_t156 = _a8;
				if(_t114 != 0xf4f014 && ( *(_t114 + 0x1c) & 0x00000004) != 0) {
					__eflags =  *((char*)(_t114 + 0x19)) - 5;
					if( *((char*)(_t114 + 0x19)) >= 5) {
						_t183 = 0xf21284;
						_t54 = _t114 + 0x14; // 0x20000000
						_t55 = _t114 + 0x10; // 0x40000000
						E00F329B6(0x51, 0xf21284,  *_t55,  *_t54, _t156, _a12, _t153, _a20);
						_t156 = _a8;
					}
				}
				_t191 = _a4;
				_t185 = 0x80041024;
				if( *((intOrPtr*)(_t191 + 0xb8)) == 0) {
					_t115 =  *(_t191 + 0xc0);
					__eflags =  *(_t191 + 0xc0);
					if(__eflags == 0) {
						L23:
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t185);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
						L17:
						_t116 =  *0xf4f014; // 0xf4f014
						if(_t116 != 0xf4f014 && ( *(_t116 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t116 + 0x19)) - 2;
							if( *((char*)(_t116 + 0x19)) >= 2) {
								_t108 = _t116 + 0x14; // 0x20000000
								_t183 = 0xf21284;
								_t109 = _t116 + 0x10; // 0x40000000
								E00F32A46(0x53, 0xf21284,  *_t109,  *_t108, _t185);
							}
						}
						 *[fs:0x0] = _v16;
						_pop(_t186);
						_pop(_t192);
						_pop(_t154);
						return E00F01CA0(_t185, _t154, _v20 ^ _t195, _t183, _t186, _t192);
					}
					_t185 = E00F3A825(_t153, _t191, 0x80041024, _t191, __eflags, _t115, _t156, _t156, _t153, _a20);
					_t121 = _a20;
					 *0xf512c4(_t121, 0, _t185, 0, 0);
					_t115 =  *((intOrPtr*)( *((intOrPtr*)( *_t121 + 0x10))))();
					L16:
					if(_t185 < 0) {
						goto L23;
					}
					goto L17;
				}
				_t115 =  *(_t191 + 0x134);
				if( *((intOrPtr*)(_t115 + 0x768)) == 0) {
					__eflags =  *(_t115 + 0x6fc);
					if( *(_t115 + 0x6fc) != 0) {
						goto L4;
					}
					goto L23;
				}
				L4:
				_v36 = 0;
				_v8 = 0;
				_v40 = 0;
				_v44 = 0;
				_v52 = 0;
				_t124 =  *((intOrPtr*)( *(_t191 + 0x134) + 0x680));
				_v48 = 0;
				_v24 = 0;
				if(_t124 != 0xc) {
					_t125 = _t124 - 1;
					__eflags = _t125 - 0xc;
					if(_t125 > 0xc) {
						L26:
						_t183 =  &_v52;
						_t185 = E00F066C5( &_v44,  &_v52,  &_v24, 0);
						__eflags = _t185;
						if(__eflags < 0) {
							_v32 = _v24;
							_v28 = _v24;
							L39:
							__eflags = _t185 - 0x80041002;
							if(_t185 == 0x80041002) {
								L42:
								_t185 = 0x80041002;
								L13:
								_v8 = 0xffffffff;
								_t115 = _v36;
								if(_t115 != 0) {
									_v24 = 0;
									__imp__?SetPreferredLanguages@CMUILocale@@SGJKPBGPAK@Z(8, _t115,  &_v24);
									if(_t115 >= 0) {
										__imp__?_Free@CMUILocale@@SGHPAX@Z(_v36);
										_v36 = 0;
									}
								}
								goto L16;
							}
							__eflags = _t185;
							if(_t185 < 0) {
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t185);
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
							}
							L7:
							_t130 =  *0xf4f014; // 0xf4f014
							if(_t130 != 0xf4f014 && ( *(_t130 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t130 + 0x19)) - 2;
								if( *((char*)(_t130 + 0x19)) >= 2) {
									_t87 = _t130 + 0x14; // 0x20000000
									_t183 = 0xf21284;
									_t88 = _t130 + 0x10; // 0x40000000
									E00F32A46(0x44, 0xf21284,  *_t88,  *_t87, _t185);
								}
							}
							if(_t185 < 0) {
								goto L13;
							} else {
								_t188 = E00F177C2( &_v36, _t153);
								if(_t188 < 0) {
									__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t188);
									__imp__?Write@CMemoryLog@@QAEXJ@Z();
									_t132 =  *0xf4f014; // 0xf4f014
									__eflags = _t132 - 0xf4f014;
									if(_t132 != 0xf4f014) {
										__eflags =  *(_t132 + 0x1c) & 0x00000004;
										if(( *(_t132 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t132 + 0x19)) - 2;
											if( *((char*)(_t132 + 0x19)) >= 2) {
												_t93 = _t132 + 0x14; // 0x20000000
												_t183 = 0xf21284;
												_t94 = _t132 + 0x10; // 0x40000000
												E00F32A46(0x52, 0xf21284,  *_t94,  *_t93, _t188);
											}
										}
									}
								}
								_t133 = E00F19092(_t191, _v28, _a8, _a12, _t153, _a20, _v32);
								_t155 = _v40;
								_t185 = _t133;
								_v28 = _v52;
								_v32 = _v44;
								 *0xf5302c();
								if(_v40 != 0) {
									_t183 = 0;
									E00F47C8C(_t191 + 0xf0, 0, __eflags, _t155, _v48);
								}
								_t139 =  *((intOrPtr*)( *(_t191 + 0x134) + 0x680));
								if(_t139 != 0xc) {
									_t140 = _t139 - 1;
									__eflags = _t140 - 0xc;
									if(_t140 > 0xc) {
										L52:
										_t183 = _v28;
										E00F1A856(_v32, _v28, _v24);
										goto L13;
									}
									switch( *((intOrPtr*)(( *(_t140 + 0xf2c7de) & 0x000000ff) * 4 +  &M00F2C7D6))) {
										case 0:
											goto L13;
										case 1:
											goto L52;
									}
								} else {
									goto L13;
								}
							}
						}
						_t183 = 0;
						_t185 = E00F1A8DF(_t191 + 0xf0, 0, __eflags, 0xf04ea8,  *((intOrPtr*)(_t191 + 0xb8)),  &_v40,  &_v48);
						__eflags = _t185 - 0x80041002;
						if(_t185 != 0x80041002) {
							__eflags = _t185;
							if(_t185 < 0) {
								_v32 = _v24;
								_v28 = _v24;
								L36:
								__eflags = _t185 - 0x80041002;
								if(_t185 == 0x80041002) {
									goto L42;
								}
								_t183 = _v52;
								_t129 = E00F1A856(_v44, _v52, _v24);
								goto L39;
							}
							_v28 = 1;
							_v32 = _v40;
							_t185 = E00F47D61(_v40, E00F07D03());
							__eflags = _t185;
							if(__eflags < 0) {
								L33:
								_t183 = 0;
								_t129 = E00F47C8C(_t191 + 0xf0, 0, __eflags, _v40, _v48);
								__eflags = _t185;
								if(_t185 >= 0) {
									goto L39;
								}
								goto L36;
							}
							_t185 =  *0xf53030();
							__eflags = _t185;
							if(__eflags >= 0) {
								goto L39;
							}
							_t185 = 0x80041003;
							goto L33;
						} else {
							_v28 = 0;
							_t185 = 0;
							L6:
							_v32 =  *((intOrPtr*)(_t191 + 0xb8));
							goto L7;
						}
					}
					switch( *((intOrPtr*)(( *(_t125 + 0xf2c7c6) & 0x000000ff) * 4 +  &M00F2C7BE))) {
						case 0:
							goto L5;
						case 1:
							goto L26;
					}
				}
				L5:
				_v28 = 0;
				goto L6;
			}

APIs
  • ?SetPreferredLanguages@CMUILocale@@SGJKPBGPAK@Z.WBEMCOMN(00000008,00000000,?,?,00000000), ref: 00F19035
  • ?_Free@CMUILocale@@SGHPAX@Z.WBEMCOMN(00000000), ref: 00F19042
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Locale@@$Free@Languages@Preferred
  • String ID:
  • API String ID: 314991416-0
  • Opcode ID: e03ffa3dc80e43e6581315cb7f60722d9ea26c0483d0316ef689d198fee32ef0
  • Instruction ID: 76407629f6f544ac5ff4ef23ad850324f5eae5bdb262f9f3c46a17554de8f49d
  • Opcode Fuzzy Hash: e03ffa3dc80e43e6581315cb7f60722d9ea26c0483d0316ef689d198fee32ef0
  • Instruction Fuzzy Hash: 8AB1C0759002099FCB15CF64DD44BEEBBB6FF88320F154029E905A72A1CB35E985FBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 43%
			E00F15380(void* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t108;
				intOrPtr _t112;
				intOrPtr _t117;
				void* _t118;
				intOrPtr _t123;
				intOrPtr _t125;
				signed int _t127;
				intOrPtr _t133;
				void* _t134;
				intOrPtr* _t146;
				intOrPtr _t149;
				signed int _t173;
				void* _t188;
				void* _t191;
				signed int _t193;

				_push(0xffffffff);
				_push(E00F259F0);
				_push( *[fs:0x0]);
				_t108 =  *0xf4f1a4; // 0xbd26e8f
				_push(_t108 ^ _t193);
				 *[fs:0x0] =  &_v16;
				_t111 =  *0xf4f014; // 0xf4f014
				_t149 = _a20;
				_t146 = _a16;
				_t173 = _a12;
				if(_t111 != 0xf4f014 && ( *(_t111 + 0x1c) & 0x00000004) != 0) {
					__eflags =  *((char*)(_t111 + 0x19)) - 5;
					if( *((char*)(_t111 + 0x19)) >= 5) {
						_t52 = _t111 + 0x14; // 0x20000000
						_t53 = _t111 + 0x10; // 0x40000000
						_t111 = E00F329B6(0x6f, 0xf21284,  *_t53,  *_t52, _a8, _t173, _t146, _t149);
						_t149 = _a20;
						_t173 = _a12;
					}
				}
				_t191 = _a4;
				_t185 = 0x80041024;
				if( *((intOrPtr*)(_t191 + 0xb8)) == 0) {
					__eflags =  *(_t191 + 0xc0);
					if(__eflags == 0) {
						L53:
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t185);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
						L17:
						_t112 =  *0xf4f014; // 0xf4f014
						if(_t112 != 0xf4f014 && ( *(_t112 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t112 + 0x19)) - 2;
							if( *((char*)(_t112 + 0x19)) >= 2) {
								_t105 = _t112 + 0x14; // 0x20000000
								_t106 = _t112 + 0x10; // 0x40000000
								E00F32A46(0x71, 0xf21284,  *_t106,  *_t105, _t185);
							}
						}
						 *[fs:0x0] = _v16;
						return _t185;
					}
					_push(_t149);
					_push(_t146);
					_push(_t173);
					_push(_a8);
					_push( *(_t191 + 0xc0));
					_t185 = E00F3B353(_t146, _t191, 0x80041024, _t191, __eflags);
					L16:
					if(_t185 < 0) {
						goto L53;
					}
					goto L17;
				}
				_t111 =  *((intOrPtr*)(_t191 + 0x134));
				if( *((intOrPtr*)( *((intOrPtr*)(_t191 + 0x134)) + 0x770)) == 0) {
					goto L53;
				}
				_v32 = 0;
				_v8 = 0;
				_v28 = 0;
				_v40 = 0;
				_v36 = 0;
				_t117 =  *((intOrPtr*)( *((intOrPtr*)(_t191 + 0x134)) + 0x680));
				_v44 = 0;
				_v48 = 0;
				if(_t117 != 0xc) {
					_t118 = _t117 - 1;
					__eflags = _t118 - 0xc;
					if(_t118 > 0xc) {
						L24:
						_t185 = E00F066C5( &_v40,  &_v36,  &_v48, 0);
						__eflags = _t185;
						if(__eflags < 0) {
							_v20 = _v48;
							_v24 = _v48;
							L37:
							__eflags = _t185 - 0x80041002;
							if(_t185 == 0x80041002) {
								L40:
								_t185 = 0x80041002;
								L13:
								_v8 = 0xffffffff;
								_t111 = _v32;
								if(_t111 != 0) {
									_v48 = 0;
									__imp__?SetPreferredLanguages@CMUILocale@@SGJKPBGPAK@Z(8, _t111,  &_v48);
									if(_t111 >= 0) {
										__imp__?_Free@CMUILocale@@SGHPAX@Z(_v32);
										_v32 = 0;
									}
								}
								goto L16;
							}
							__eflags = _t185;
							if(_t185 < 0) {
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t185);
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
							}
							L7:
							_t123 =  *0xf4f014; // 0xf4f014
							if(_t123 != 0xf4f014 && ( *(_t123 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t123 + 0x19)) - 2;
								if( *((char*)(_t123 + 0x19)) >= 2) {
									_t85 = _t123 + 0x14; // 0x20000000
									_t86 = _t123 + 0x10; // 0x40000000
									E00F32A46(0x44, 0xf21284,  *_t86,  *_t85, _t185);
								}
							}
							if(_t185 < 0) {
								goto L13;
							} else {
								_t188 = E00F177C2( &_v32, _t146);
								if(_t188 < 0) {
									__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t188);
									__imp__?Write@CMemoryLog@@QAEXJ@Z();
									_t125 =  *0xf4f014; // 0xf4f014
									__eflags = _t125 - 0xf4f014;
									if(_t125 != 0xf4f014) {
										__eflags =  *(_t125 + 0x1c) & 0x00000004;
										if(( *(_t125 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t125 + 0x19)) - 2;
											if( *((char*)(_t125 + 0x19)) >= 2) {
												_t91 = _t125 + 0x14; // 0x20000000
												_t92 = _t125 + 0x10; // 0x40000000
												E00F32A46(0x70, 0xf21284,  *_t92,  *_t91, _t188);
											}
										}
									}
								}
								_t127 = E00F15519(_t191, _v24, _a8, _a12, _t146, _a20, _v20);
								_t148 = _v28;
								_t185 = _t127;
								_v24 = _v36;
								_v20 = _v40;
								 *0xf5302c();
								if(_v28 != 0) {
									E00F47C8C(_t191 + 0xf0, 0, __eflags, _t148, _v44);
								}
								_t133 =  *((intOrPtr*)( *((intOrPtr*)(_t191 + 0x134)) + 0x680));
								if(_t133 != 0xc) {
									_t134 = _t133 - 1;
									__eflags = _t134 - 0xc;
									if(_t134 > 0xc) {
										L50:
										E00F1A856(_v20, _v24, _v48);
										goto L13;
									}
									switch( *((intOrPtr*)(( *(_t134 + 0xf2d8d1) & 0x000000ff) * 4 +  &M00F2D8C9))) {
										case 0:
											goto L13;
										case 1:
											goto L50;
									}
								} else {
									goto L13;
								}
							}
						}
						_t185 = E00F1A8DF(_t191 + 0xf0, 0, __eflags, 0xf04ea8,  *((intOrPtr*)(_t191 + 0xb8)),  &_v28,  &_v44);
						__eflags = _t185 - 0x80041002;
						if(_t185 != 0x80041002) {
							__eflags = _t185;
							if(_t185 < 0) {
								_v20 = _v48;
								_v24 = _v48;
								L34:
								__eflags = _t185 - 0x80041002;
								if(_t185 == 0x80041002) {
									goto L40;
								}
								_t122 = E00F1A856(_v40, _v36, _v48);
								goto L37;
							}
							_v24 = 1;
							_v20 = _v28;
							_t185 = E00F47D61(_v28, E00F07D03());
							__eflags = _t185;
							if(__eflags < 0) {
								L31:
								_t122 = E00F47C8C(_t191 + 0xf0, 0, __eflags, _v28, _v44);
								__eflags = _t185;
								if(_t185 >= 0) {
									goto L37;
								}
								goto L34;
							}
							_t185 =  *0xf53030();
							__eflags = _t185;
							if(__eflags >= 0) {
								goto L37;
							}
							_t185 = 0x80041003;
							goto L31;
						} else {
							_v24 = 0;
							_t185 = 0;
							L6:
							_v20 =  *((intOrPtr*)(_t191 + 0xb8));
							goto L7;
						}
					}
					switch( *((intOrPtr*)(( *(_t118 + 0xf2d8b9) & 0x000000ff) * 4 +  &M00F2D8B1))) {
						case 0:
							goto L5;
						case 1:
							goto L24;
					}
				}
				L5:
				_v24 = 0;
				goto L6;
			}

APIs
  • ?SetPreferredLanguages@CMUILocale@@SGJKPBGPAK@Z.WBEMCOMN(00000008,00000000,?,?,00000000), ref: 00F154C6
  • ?_Free@CMUILocale@@SGHPAX@Z.WBEMCOMN(00000000), ref: 00F154D3
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Locale@@$Free@Languages@Preferred
  • String ID:
  • API String ID: 314991416-0
  • Opcode ID: 0b7385b7941cff2273ff262758333ae745cadf14cc98f09026798bfae3ace9fa
  • Instruction ID: 12e65752d4b771f25132f4c17eed73c8873204634d1307750e3fedc1fd997892
  • Opcode Fuzzy Hash: 0b7385b7941cff2273ff262758333ae745cadf14cc98f09026798bfae3ace9fa
  • Instruction Fuzzy Hash: CFB1D175D00619DFDB15CF68D844BEEBBB6FF88721F108029E915A72A1C735A980FB60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?New@CWbemCallSecurity@@SGPAV1@XZ.FASTPROX ref: 00F30CA7
  • ?AddRef@CWbemCallSecurity@@UAGKXZ.FASTPROX(00000000), ref: 00F30CB4
  • ?GetThreadSecurity@CWbemCallSecurity@@UAGJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PAPAU_IWmiThreadSecHandle@@@Z.FASTPROX(00000004,00000002,00000000), ref: 00F30CC8
  • ?SetThreadSecurity@CWbemCallSecurity@@UAGJPAU_IWmiThreadSecHandle@@@Z.FASTPROX(00000004,00000000), ref: 00F30CD8
  • ?QueryInterface@CWbemCallSecurity@@UAGJABU_GUID@@PAPAX@Z.FASTPROX(00000000,00F068B0,?), ref: 00F30CED
  • ?Release@CWbemCallSecurity@@UAGKXZ.FASTPROX(00000000), ref: 00F30D28
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F30D4A
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F30D52
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CallSecurity@@Wbem$Thread$Handle@@@Log@@MemorySecurity@$Interface@New@Object@@QueryRef@Release@W4tag_Write@
  • String ID:
  • API String ID: 515228686-0
  • Opcode ID: d55cee740de46d1ca35df0f01e13f598a88ea17f8744b68f2668679fb4c8761f
  • Instruction ID: 3e85923aecf460e0aacec4ad4ee797945147daf6dec6263c3e5a0bee4828e5c2
  • Opcode Fuzzy Hash: d55cee740de46d1ca35df0f01e13f598a88ea17f8744b68f2668679fb4c8761f
  • Instruction Fuzzy Hash: 6C415D39A00319AFCB059FA4DC58A5E7BB5BF88322F150099EA05D72A1CF34ED01EB50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 48%
			E00F18650(intOrPtr _a4, signed int _a8, struct _CRITICAL_SECTION* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				struct _CRITICAL_SECTION* _v12;
				void* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t90;
				intOrPtr _t92;
				void* _t93;
				struct _CRITICAL_SECTION* _t100;
				intOrPtr _t104;
				void* _t105;
				struct _CRITICAL_SECTION* _t109;
				struct _CRITICAL_SECTION* _t110;
				intOrPtr _t111;
				void* _t112;
				struct _CRITICAL_SECTION* _t125;
				signed int _t126;
				intOrPtr _t127;
				long _t138;
				intOrPtr* _t140;
				long _t152;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t157;
				struct _CRITICAL_SECTION* _t158;
				void* _t159;
				intOrPtr _t161;
				signed int _t162;
				signed int _t171;

				_t90 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t90 ^ _t162;
				_t92 =  *0xf4f014; // 0xf4f014
				_t125 = _a12;
				_t156 = _a8;
				if(_t92 != 0xf4f014 && ( *(_t92 + 0x1c) & 0x00000004) != 0) {
					_t153 = _a4;
					if( *((char*)(_t92 + 0x19)) >= 5) {
						_t81 = _t92 + 0x14; // 0x20000000
						_t82 = _t92 + 0x10; // 0x40000000
						E00F40422(0x39,  *_t82,  *_t81, _t156, _t125, _t153, _a16, _a20);
						_t92 =  *0xf4f014; // 0xf4f014
					}
				} else {
					_t153 = _a4;
				}
				_t147 = _t156 & 0xffffe0ff;
				_v24 = _t147;
				if(_t147 != 0) {
					_push(_a20);
					_push(_a16);
					_push(_t125);
					_push(_t156);
					L31:
					_push(_t153);
					_t93 = E00F17140();
					_t147 = _v24;
					_t157 = _t93;
					_t92 =  *0xf4f014; // 0xf4f014
					L32:
					_t127 =  *((intOrPtr*)(_t153 + 0xa4));
					if(_t127 != 0 && _t147 == 0) {
						__imp__WmiSetAndCommitObject( *0xf4f7c0, 1,  *((intOrPtr*)(_t127 + 0x140)),  *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x134)) + 0x38)),  *((intOrPtr*)(_t127 + 0x13c)),  *((intOrPtr*)(_t127 + 0x138)),  *((intOrPtr*)(_t127 + 0x144)),  *((intOrPtr*)(_t153 + 0x98)),  *((intOrPtr*)(_t153 + 0x9c)),  *((intOrPtr*)(_t153 + 0xa0)), _t125, _a16, _a20);
						_t92 =  *0xf4f014; // 0xf4f014
					}
					if(_t157 != 0x80041008) {
						if(_t157 < 0) {
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t157);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
							_t92 =  *0xf4f014; // 0xf4f014
						}
						if(_t92 != 0xf4f014 && ( *(_t92 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t92 + 0x19)) >= 2) {
							_t88 = _t92 + 0x14; // 0x20000000
							_t147 = 0xf22544;
							_t89 = _t92 + 0x10; // 0x40000000
							E00F32A46(0x3a, 0xf22544,  *_t89,  *_t88, _t157);
						}
						return E00F01CA0(_t157, _t125, _v8 ^ _t162, _t147, _t153, _t157);
					} else {
						return E00F01CA0(_t157, _t125, _v8 ^ _t162, _t147, _t153, _t157);
					}
				}
				if( *((intOrPtr*)(_t153 + 0x58)) != 0) {
					_t157 = 0x80041033;
					goto L32;
				}
				_t158 = _t153 + 0x7c;
				_v12 = _t158;
				if( *((char*)(_t153 + 0x94)) == 0 || E00F02E90(_t158) == 0) {
					L46:
					_t100 = 0x80041006;
					goto L30;
				} else {
					_t126 =  *(_t153 + 0x70);
					_t171 = _t126;
					if(_t171 == 0) {
						if( *((char*)(_t158 + 0x18)) != 0) {
							LeaveCriticalSection(_t158);
						}
						_t125 = _a12;
						L29:
						_t100 = _t125;
						L30:
						_push(_a20);
						_push(_a16);
						_push(_t100);
						_push(_a8);
						goto L31;
					}
					_t138 =  ~(0 | _t171 > 0x00000000) | _t126 * 0x00000004;
					_t104 =  *0xf4f0cc; // 0x0
					_t105 =  *(_t104 + 4);
					_t152 =  *(_t104 + 8) & 0x00000005 | 0x00000008;
					if(_t105 == 0) {
						L51:
						E00F321AA(_t158);
						_t125 = _a12;
						goto L46;
					}
					_t159 = HeapAlloc(_t105, _t152, _t138);
					_v20 = _t159;
					if(_t159 == 0) {
						E00F48131();
						_t158 = _t153 + 0x7c;
						goto L51;
					}
					_t154 = 0;
					if(_t126 <= 0) {
						L19:
						_t109 = _v12;
						if( *((char*)(_t109 + 0x18)) != 0) {
							LeaveCriticalSection(_t109);
						}
						_t110 = E00F17E80(_a4, _t126, _t159);
						_t155 = 0;
						_v12 = _t110;
						if(_t126 <= 0) {
							L26:
							_t111 =  *0xf4f0cc; // 0x0
							_t112 =  *(_t111 + 4);
							if(_t112 != 0 && HeapFree(_t112, 0, _t159) == 0) {
								E00F48131();
							}
							_t100 = _v12;
							_t153 = _a4;
							_t125 = _a12;
							if(_t100 < 0) {
								goto L30;
							} else {
								goto L29;
							}
						} else {
							do {
								_t140 =  *((intOrPtr*)(_t159 + _t155 * 4));
								if(_t140 != 0) {
									 *0xf512c4(_t140);
									 *((intOrPtr*)( *((intOrPtr*)( *_t140 + 8))))();
									_t159 = _v20;
								}
								_t155 = _t155 + 1;
							} while (_t155 < _t126);
							goto L26;
						}
					} else {
						_t161 = _a4;
						do {
							if(E00F17480(_t161 + 0x60,  &_v28) == 0) {
								 *((intOrPtr*)(_v20 + _t154 * 4)) = _v28;
								if( *((intOrPtr*)(_t161 + 0x60)) !=  *((intOrPtr*)(_t161 + 0x64)) ||  *(_t161 + 0x68) !=  *((intOrPtr*)(_t161 + 0x6c))) {
									 *(_t161 + 0x68) =  *(_t161 + 0x68) + 1;
									if( *(_t161 + 0x68) == 0x100) {
										E00F18AC2(_t161 + 0x60);
										 *(_t161 + 0x68) = 0;
									}
									 *((intOrPtr*)(_t161 + 0x70)) =  *((intOrPtr*)(_t161 + 0x70)) - 1;
								}
							}
							_t154 = _t154 + 1;
						} while (_t154 < _t126);
						_t159 = _v20;
						goto L19;
					}
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000000), ref: 00F1DF1B
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 00F1DF85
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,?,?,00000000), ref: 00F1DFCF
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F1E056
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Heap$AllocCommitCriticalFreeLeaveObjectSection
  • String ID:
  • API String ID: 581755459-0
  • Opcode ID: 09022a13e56f05b15ed50978931d80e5740da15a754cfacf792ed72184fe1b48
  • Instruction ID: 887518f340edf3e557749e2075312773cc5075644538af11aaf408f6ab38abd1
  • Opcode Fuzzy Hash: 09022a13e56f05b15ed50978931d80e5740da15a754cfacf792ed72184fe1b48
  • Instruction Fuzzy Hash: 00919D35A00209AFDB259F64CC44BEABBB5FF48354F044069FA0697261C731ED92FBA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 56%
			E00F01DB0(void* __eax, void* __ebx, intOrPtr* __edi, signed int __esi) {
				signed int _t108;
				void* _t118;
				long _t119;
				signed int _t122;
				long _t127;
				signed int _t132;
				void* _t135;
				void* _t137;
				intOrPtr _t142;
				signed int _t144;
				signed int _t147;
				intOrPtr _t151;
				intOrPtr _t175;
				signed int _t179;
				signed int _t180;
				signed int _t181;
				long _t182;
				long _t183;
				void* _t187;
				void* _t188;
				signed int _t195;
				signed int _t198;
				intOrPtr _t199;
				signed int _t201;
				intOrPtr* _t208;
				struct _CRITICAL_SECTION* _t215;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t219;
				void* _t220;
				signed int _t221;
				intOrPtr _t222;
				intOrPtr _t225;
				signed int _t226;
				signed int _t228;
				void* _t229;
				intOrPtr* _t230;
				signed int* _t232;
				intOrPtr _t233;
				signed int _t235;

				_t228 = __esi;
				_t219 = __edi;
				_t187 = __ebx;
				 *((intOrPtr*)(_t235 + 0x54850ff6)) =  *((intOrPtr*)(_t235 + 0x54850ff6)) + __eax;
				L1:
				while(_t228 == 0) {
					_t221 =  *0xf530b0(_t187 + 2, _t235 - 0x158,  *(_t219 + 0x54), 0x1cff, 2);
					 *(_t235 - 0x14) = _t221;
					if(_t221 != 1) {
						__eflags = _t221 - 0x102;
						if(__eflags == 0) {
							_t219 =  *((intOrPtr*)(_t235 - 8));
							_t230 =  *((intOrPtr*)( *_t219 + 0x2c));
							__eflags = _t230 - E00F04900;
							if(__eflags != 0) {
								L79:
								 *0xf512c4();
								_t228 =  *_t230();
								continue;
							}
							_t228 = E00F04900(_t187, _t215, _t219, _t230, __eflags);
							continue;
						}
						if(__eflags > 0) {
							__eflags = _t221 - 0xffffffff;
							if(_t221 != 0xffffffff) {
								L11:
								__eflags = _t221 - _t187 + 2;
								if(__eflags == 0) {
									_t118 =  *0xf530a0(_t235 - 0x54, 0, 0, 0, 0);
									__eflags = _t118 - 1;
									if(_t118 != 1) {
										L71:
										_t119 =  *(_t235 - 0x20);
										_t219 =  *((intOrPtr*)(_t235 - 8));
										L72:
										_t122 = WaitForMultipleObjectsEx(_t187 + 2, _t235 - 0x158, 0, _t119, 0);
										_t195 = _t122;
										__eflags = _t195 - 0x102;
										if(__eflags > 0) {
											__eflags = _t195 - 0xffffffff;
											if(_t195 != 0xffffffff) {
												L83:
												__eflags = _t195 - _t187 + 2;
												if(_t195 >= _t187 + 2) {
													_t228 = 0x80000004;
												} else {
													_t228 = E00F2F17D(_t219,  &((_t235 - 0x158)[_t195]));
												}
												continue;
											}
											_t127 = GetLastError();
											__eflags = _t127 - 8;
											if(_t127 != 8) {
												_t228 = 0x80000007;
											} else {
												asm("sbb eax, eax");
												Sleep( ~( *(_t235 - 0x10)) & 0x0000000a);
												 *(_t235 - 0x10) =  *(_t235 - 0x10) ^ 0x00000001;
											}
											continue;
										}
										if(__eflags == 0) {
											_t230 =  *((intOrPtr*)( *_t219 + 0x2c));
											goto L79;
										}
										_t132 = _t122;
										__eflags = _t132;
										if(_t132 == 0) {
											_t228 = 0x8000000c;
											continue;
										}
										__eflags = _t132 != 1;
										if(_t132 != 1) {
											goto L83;
										}
										_t228 = 0x8000000d;
										continue;
									} else {
										goto L68;
									}
									do {
										L68:
										_t135 =  *0xf53098(_t235 - 0x54, 0, 0, 0);
										__eflags = _t135 - 1;
										if(_t135 == 1) {
											 *0xf530a4(_t235 - 0x54);
											 *0xf5309c(_t235 - 0x54);
										}
										_t137 =  *0xf530a0(_t235 - 0x54, 0, 0, 0, 0);
										__eflags = _t137 - 1;
									} while (_t137 == 1);
									goto L71;
								}
								if(__eflags >= 0) {
									_t219 =  *((intOrPtr*)(_t235 - 8));
									_t228 = 0x80000004;
									continue;
								}
								_t142 =  *((intOrPtr*)(_t235 - 0x18));
								_t228 = 0;
								__eflags =  *((char*)(_t142 + 0x18));
								if( *((char*)(_t142 + 0x18)) == 0) {
									L15:
									_t144 =  *( *((intOrPtr*)(_t235 - 8)) + 0x80);
									 *(_t235 - 0x24) = _t144;
									while(1) {
										__eflags = _t144;
										if(_t144 == 0) {
											break;
										}
										_t147 = E00F04025( *(_t235 - 0x1c), _t235 - 0x38, _t235 - 0xc);
										__eflags = _t147;
										if(_t147 == 0) {
											_t232 =  *(_t235 - 0x1c);
											__eflags = _t232[1] - _t147;
											if(_t232[1] != _t147) {
												_t198 =  *_t232;
												_t216 = _t198;
												__eflags = _t216;
												if(_t216 == 0) {
													L29:
													__eflags = _t198;
													if(_t198 != 0) {
														do {
															__eflags =  *((intOrPtr*)(_t216 + 8)) -  *((intOrPtr*)(_t198 + 8));
															if(__eflags != 0) {
																L90:
																if(__eflags >= 0) {
																	L50:
																	_t198 =  *(_t198 + 0x1c);
																	goto L40;
																}
																L39:
																_t198 =  *(_t198 + 0x18);
																goto L40;
															}
															_t221 =  *(_t235 - 0x14);
															__eflags =  *((intOrPtr*)(_t216 + 0x10)) -  *((intOrPtr*)(_t198 + 0x10));
															if( *((intOrPtr*)(_t216 + 0x10)) !=  *((intOrPtr*)(_t198 + 0x10))) {
																L34:
																__eflags =  *((intOrPtr*)(_t216 + 8)) -  *((intOrPtr*)(_t198 + 8));
																if(__eflags != 0) {
																	goto L90;
																}
																__eflags =  *((intOrPtr*)(_t216 + 0x10)) -  *((intOrPtr*)(_t198 + 0x10));
																_t175 =  *((intOrPtr*)(_t198 + 0x14));
																_t232 =  *(_t235 - 0x1c);
																if( *((intOrPtr*)(_t216 + 0x10)) ==  *((intOrPtr*)(_t198 + 0x10))) {
																	__eflags =  *((intOrPtr*)(_t216 + 0x14)) - _t175;
																	if( *((intOrPtr*)(_t216 + 0x14)) != _t175) {
																		goto L36;
																	}
																	goto L50;
																}
																L36:
																__eflags =  *((intOrPtr*)(_t216 + 0x14)) - _t175;
																if(__eflags > 0) {
																	goto L50;
																}
																if(__eflags < 0) {
																	goto L39;
																}
																__eflags =  *((intOrPtr*)(_t216 + 0x10)) -  *((intOrPtr*)(_t198 + 0x10));
																if( *((intOrPtr*)(_t216 + 0x10)) >=  *((intOrPtr*)(_t198 + 0x10))) {
																	goto L50;
																}
																goto L39;
															}
															__eflags =  *((intOrPtr*)(_t216 + 0x14)) -  *((intOrPtr*)(_t198 + 0x14));
															if( *((intOrPtr*)(_t216 + 0x14)) ==  *((intOrPtr*)(_t198 + 0x14))) {
																_t228 = E00F0461F(_t232, _t198);
																L20:
																__eflags = _t228;
																if(_t228 != 0) {
																	goto L18;
																}
																_t199 =  *((intOrPtr*)(_t235 - 0xc));
																__eflags =  *((intOrPtr*)(_t199 + 0x14)) -  *((intOrPtr*)(_t235 + _t221 * 4 - 0x158));
																if( *((intOrPtr*)(_t199 + 0x14)) !=  *((intOrPtr*)(_t235 + _t221 * 4 - 0x158))) {
																	_t151 =  *((intOrPtr*)(_t235 - 8));
																	_t222 =  *((intOrPtr*)(_t235 - 8));
																	_t217 =  *((intOrPtr*)(_t151 + 8));
																	_t233 =  *((intOrPtr*)(_t151 + 0xc));
																	_t201 = _t217 + 1;
																	__eflags = _t201;
																	 *(_t222 + 8) = _t201;
																	asm("adc eax, 0x0");
																	 *((intOrPtr*)(_t235 - 0x30)) = _t217;
																	 *((intOrPtr*)(_t235 - 0x2c)) = _t233;
																	 *((intOrPtr*)(_t222 + 0xc)) = _t233;
																	_t228 = E00F04123(_t222 + 0x7c, _t235 - 0x38, _t235 - 0xc, _t235 - 0x28);
																	L45:
																	_t221 =  *(_t235 - 0x14);
																	goto L18;
																}
																__eflags =  *((intOrPtr*)(_t199 + 0x24)) - 2;
																if( *((intOrPtr*)(_t199 + 0x24)) != 2) {
																	E00F47847(0xf4f0fc, 1);
																	_t228 = E00F2E266(0xf4f0fc, _t235 - 0xc);
																	E00F321AA(0xf4f0fc);
																	__eflags = _t228 - 0x80000008;
																	if(_t228 == 0x80000008) {
																		_t228 = 0;
																		__eflags = 0;
																	}
																	 *0xf512c4();
																	 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t235 - 0xc)))) + 0x1c))))();
																	_t208 =  *((intOrPtr*)(_t235 - 0xc));
																	 *0xf512c4(_t208);
																	 *((intOrPtr*)( *((intOrPtr*)( *_t208 + 8))))();
																	goto L45;
																}
																_t228 = E00F04123( *((intOrPtr*)(_t235 - 8)) + 0x5c, _t235 - 0x38, _t235 - 0xc, _t235 - 0x28);
																__eflags = _t228;
																if(_t228 != 0) {
																	goto L18;
																}
																_t219 =  *((intOrPtr*)(_t235 - 8));
																SetEvent( *(_t219 + 0x3c));
																L25:
																__eflags =  *((char*)(_t219 + 0x30));
																_t215 = _t219 + 0x18;
																if( *((char*)(_t219 + 0x30)) != 0) {
																	LeaveCriticalSection(_t215);
																}
																goto L1;
															}
															goto L34;
															L40:
															__eflags = _t198;
														} while (_t198 != 0);
														L57:
														_t228 = 0x80000008;
														goto L20;
													}
													goto L57;
												}
												_t179 =  *(_t216 + 0x18);
												__eflags = _t179;
												if(_t179 != 0) {
													while(1) {
														_t216 = _t179;
														_t179 =  *(_t216 + 0x18);
														__eflags = _t179;
														if(_t179 == 0) {
															goto L29;
														}
													}
												}
												goto L29;
											}
											_t228 = 0x80000002;
											goto L20;
										}
										L18:
										_t144 =  *(_t235 - 0x24) - 1;
										 *(_t235 - 0x24) = _t144;
										__eflags = _t228;
										if(_t228 == 0) {
											continue;
										}
										break;
									}
									_t219 =  *((intOrPtr*)(_t235 - 8));
									goto L25;
								}
								_t180 = E00F02E90(_t142);
								__eflags = _t180;
								if(_t180 == 0) {
									_t225 =  *((intOrPtr*)(_t235 - 0x18));
									while(1) {
										_t181 = E00F02E90(_t225);
										__eflags = _t181;
										if(_t181 != 0) {
											break;
										}
										Sleep(0x3e8);
									}
									_t221 =  *(_t235 - 0x14);
								}
								goto L15;
							}
							_t182 = GetLastError();
							__eflags = _t182 - 8;
							if(_t182 != 8) {
								_t183 = GetLastError();
								__eflags = _t183 - 0x7f;
								if(_t183 != 0x7f) {
									goto L11;
								}
								_t219 =  *((intOrPtr*)(_t235 - 8));
								_t119 =  *(_t219 + 0x54);
								 *(_t235 - 0x20) = _t119;
								goto L72;
							}
							_t226 =  *(_t235 - 0x10);
							asm("sbb eax, eax");
							Sleep( ~_t226 & 0x0000000a);
							 *(_t235 - 0x10) = _t226 ^ 0x00000001;
							L4:
							_t219 =  *((intOrPtr*)(_t235 - 8));
							continue;
						}
						__eflags = _t221;
						if(_t221 == 0) {
							_t219 =  *((intOrPtr*)(_t235 - 8));
							_t228 = 0x8000000c;
							continue;
						}
						__eflags = _t221 - 0xc0;
						if(_t221 == 0xc0) {
							_t219 =  *((intOrPtr*)(_t235 - 8));
							_t228 = 0;
							continue;
						}
						goto L11;
					}
					_t228 = 0x8000000d;
					goto L4;
				}
				_t108 = _t228;
				_pop(_t220);
				_pop(_t229);
				__eflags =  *(_t235 - 4) ^ _t235;
				_pop(_t188);
				return E00F01CA0(_t108, _t188,  *(_t235 - 4) ^ _t235, _t215, _t220, _t229);
			}

Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: c848c44793b2045d950e1e1acc353f668439483c9019a9546a49a3280fb7f0ef
  • Instruction ID: 7a69938311275e1c0c017c9ca44939a6f44e5a10a77254f7766db2626feebb0a
  • Opcode Fuzzy Hash: c848c44793b2045d950e1e1acc353f668439483c9019a9546a49a3280fb7f0ef
  • Instruction Fuzzy Hash: 9C81A272E41219DBDF20CBA4D895BED73B5BB44360F250155EA02EB2C0DB34ED85BB91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
			E00F16A94(intOrPtr __ecx) {
				char _v8;
				char _v16;
				void* _v20;
				intOrPtr _v24;
				void** _v28;
				signed int _t43;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;
				long _t64;
				void* _t66;
				void* _t70;
				void* _t75;
				void* _t83;
				void** _t104;
				long* _t105;
				long* _t106;
				intOrPtr _t109;
				struct _CRITICAL_SECTION* _t110;
				signed int _t112;

				_push(0xffffffff);
				_push(E00F24CBD);
				_push( *[fs:0x0]);
				_t43 =  *0xf4f1a4; // 0xbd26e8f
				_push(_t43 ^ _t112);
				 *[fs:0x0] =  &_v16;
				_t109 = __ecx;
				_v24 = __ecx;
				 *((intOrPtr*)(__ecx)) = 0xf02f18;
				_v8 = 3;
				_t46 =  *((intOrPtr*)(__ecx + 0x48));
				if( *((intOrPtr*)(__ecx + 0x48)) != 0) {
					E00F04A17( *((intOrPtr*)(__ecx + 0x44)), _t46);
				}
				_t48 =  *(_t109 + 0x38);
				if(_t48 != 0) {
					CloseHandle(_t48);
				}
				_t49 =  *(_t109 + 0x40);
				if(_t49 != 0) {
					CloseHandle(_t49);
				}
				_t50 =  *(_t109 + 0x3c);
				if(_t50 != 0) {
					CloseHandle(_t50);
				}
				_t51 =  *(_t109 + 0x4c);
				if(_t51 != 0) {
					CloseHandle(_t51);
				}
				_t104 = _t109 + 0x7c;
				_v8 = 2;
				_v28 = _t104;
				_v8 = 4;
				_t83 =  *_t104;
				if(_t83 != 0) {
					_t66 =  *((intOrPtr*)(_t83 + 0x18));
					_v20 = _t66;
					if(_t66 != 0) {
						E00F16C0D(_t104, _t66);
						_t75 =  *(_t104[2] + 4);
						if(_t75 != 0 && HeapFree(_t75, 0, _v20) == 0) {
							E00F48131();
						}
					}
					_t85 =  *((intOrPtr*)(_t83 + 0x1c));
					if( *((intOrPtr*)(_t83 + 0x1c)) != 0) {
						E00F16C0D(_t104, _t85);
						E00F04A17(_t104[2], _t85);
					}
					_t70 =  *(_t104[2] + 4);
					if(_t70 != 0 && HeapFree(_t70, 0,  *_t104) == 0) {
						E00F48131();
					}
					 *_t104 = 0;
				}
				_v8 = 2;
				_t52 =  *_t104;
				if( *_t104 != 0) {
					E00F16C0D(_t104, _t52);
					E00F04A17(_t104[2],  *_t104);
					 *_t104 = 0;
				}
				_t105 = _t109 + 0x6c;
				_v8 = 1;
				_v28 = _t105;
				_v8 = 5;
				_t55 =  *_t105;
				if( *_t105 != 0) {
					E00F16C0D(_t105, _t55);
					E00F04A17(_t105[2],  *_t105);
					 *_t105 = 0;
				}
				_v8 = 1;
				_t58 =  *_t105;
				if( *_t105 != 0) {
					E00F16C0D(_t105, _t58);
					E00F04A17(_t105[2],  *_t105);
					 *_t105 = 0;
				}
				_t106 = _t109 + 0x5c;
				_v8 = 0;
				_v28 = _t106;
				_v8 = 6;
				_t61 =  *_t106;
				if( *_t106 != 0) {
					E00F16C0D(_t106, _t61);
					E00F04A17(_t106[2],  *_t106);
					 *_t106 = 0;
				}
				_v8 = 0;
				_t64 =  *_t106;
				if(_t64 != 0) {
					E00F16C0D(_t106, _t64);
					_t64 = E00F04A17(_t106[2],  *_t106);
					 *_t106 = 0;
				}
				_t110 = _t109 + 0x18;
				_v8 = 0xffffffff;
				if( *((char*)(_t110 + 0x18)) != 0) {
					DeleteCriticalSection(_t110);
				}
				 *[fs:0x0] = _v16;
				return _t64;
			}

APIs
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,0BD26E8F,00F4F0FC,?,FFFFFFFE,00000000,00000001), ref: 00F16AE3
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000001,0BD26E8F,00F4F0FC,?,FFFFFFFE,00000000,00000001), ref: 00F16AF1
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,0BD26E8F,00F4F0FC,?,FFFFFFFE,00000000,00000001), ref: 00F16AFF
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,0BD26E8F,00F4F0FC,?,FFFFFFFE,00000000,00000001), ref: 00F16B0D
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(FFFFFFFE,00000000,FFFFFFFE,?,0BD26E8F,00F4F0FC,?,FFFFFFFE,00000000,00000001), ref: 00F16B49
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(FFFFFFFE,00000000,?,0BD26E8F,00F4F0FC,?,FFFFFFFE,00000000,00000001), ref: 00F16B71
  • DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?,0BD26E8F,00F4F0FC,?,FFFFFFFE,00000000,00000001), ref: 00F16BF0
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CloseHandle$FreeHeap$CriticalDeleteSection
  • String ID:
  • API String ID: 700345508-0
  • Opcode ID: 78564ee8f83756685dc4844c578120033418973961c6a0884c68173fa2069a30
  • Instruction ID: 6c482eb02178af1b6d988dda83fb58179d3fb55de3c4810238d69e31ef0bca4e
  • Opcode Fuzzy Hash: 78564ee8f83756685dc4844c578120033418973961c6a0884c68173fa2069a30
  • Instruction Fuzzy Hash: D061CC75A04702EFDB10EF29C844BAEBBB9BF44300F104459E941E7291DB78E990FB91
Uniqueness

Uniqueness Score: -1.00%

APIs
  • WmiEventSourceConnect.NCOBJAPI(root\cimv2,ProviderSubSystem,00000001,00007D00,00000064,00000000,00000000,00000000,00000000,FFFFFFFE,00F0CC00,0BD26E8F,00000000,00000001,00000001), ref: 00F128FA
  • WmiCreateObjectWithFormat.NCOBJAPI(00000000,00F0F4E8,00000001,00F0F548), ref: 00F12923
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(8004100A), ref: 00F2AD5C
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2AD64
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$ConnectCreateEventFormatObjectObject@@SourceWithWrite@
  • String ID: ProviderSubSystem$root\cimv2
  • API String ID: 250187745-474028568
  • Opcode ID: 54e1f7b88dc9be8084b9fe3d567480e66766cb6622cfe40a7c04488587890f4a
  • Instruction ID: 1361827f68d92751efc8106f4b64109a13bbd6925af72d9b2e1fe1aa48b4e0d7
  • Opcode Fuzzy Hash: 54e1f7b88dc9be8084b9fe3d567480e66766cb6622cfe40a7c04488587890f4a
  • Instruction Fuzzy Hash: E6112F75B00305AFEF740BB8AC44BE23A96FF81725F240034FA0E961A1C675DCA5B721
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
			E00F15DBB(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				void* _t17;
				intOrPtr* _t39;
				void* _t40;

				_t38 = __esi;
				_t30 = __ebx;
				E00F03FD5(0xf25138, __ebx, __edi, __esi);
				_t17 = _t40 - 0x14;
				 *(_t40 - 0x14) = 0;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t17, 0x14);
				if(_t17 != 0) {
					if( *(_t40 - 0x14) != 0) {
						E00F136E5(_t40 - 0x20, FreeLibrary,  *(_t40 - 0x14));
						 *(_t40 - 4) = 0;
						_t39 = GetProcAddress( *(_t40 - 0x14), "CoEEShutDownCOM");
						if(_t39 != 0) {
							 *0xf512c4();
							 *_t39();
						}
						_t38 = GetProcAddress( *(_t40 - 0x14), "CorExitProcess");
						if(_t38 != 0 &&  *0xf4f0e8 != 0) {
							E00F16A2A();
							 *0xf53064();
							 *0xf512c4(0);
							 *_t38();
						}
						 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
						if( *((char*)(_t40 - 0x20)) == 0) {
							 *0xf512c4( *((intOrPtr*)(_t40 - 0x18)));
							 *((intOrPtr*)(_t40 - 0x1c))();
						}
					}
				}
				return E00F03FC1(_t30, 0, _t38);
			}

APIs
  • GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,mscoree.dll,?,00000014,00F0D140,00000000,?,0001D4C0), ref: 00F15DD6
  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,CoEEShutDownCOM,?,?,0001D4C0), ref: 00F2B62F
  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,CorExitProcess,?,0001D4C0), ref: 00F2B64D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AddressProc$HandleModule
  • String ID: CoEEShutDownCOM$CorExitProcess$mscoree.dll
  • API String ID: 667068680-694248032
  • Opcode ID: 2b5d3b2067ecfa08286386e28f1ace8ef78546e91750dec11053cbc6895c8038
  • Instruction ID: 9f480f0babe50129b6fc42dbb0624efec8ba8ca6fba0e2670a24d0b9960190b8
  • Opcode Fuzzy Hash: 2b5d3b2067ecfa08286386e28f1ace8ef78546e91750dec11053cbc6895c8038
  • Instruction Fuzzy Hash: 1A112130D0162AEBCB219B65ED19AAEBF75FF80716F100155EA01B21B4DB345E40FB62
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00F15BE1() {
				void* _t9;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t18;
				void* _t19;
				intOrPtr _t22;
				void* _t23;
				intOrPtr _t26;
				void* _t27;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t34;
				void* _t35;
				intOrPtr _t38;
				void* _t39;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;
				void* _t48;
				intOrPtr _t49;
				void* _t50;

				_t42 =  *0xf4f0ac; // 0x0
				if(_t42 != 0) {
					_t38 =  *0xf4f0cc; // 0x0
					_t39 =  *(_t38 + 4);
					if(_t39 != 0 && HeapFree(_t39, 0, _t42) == 0) {
						E00F48131();
					}
					 *0xf4f0ac = 0;
				}
				_t43 =  *0xf4f0a8; // 0x0
				if(_t43 != 0) {
					_t34 =  *0xf4f0cc; // 0x0
					_t35 =  *(_t34 + 4);
					if(_t35 != 0 && HeapFree(_t35, 0, _t43) == 0) {
						E00F48131();
					}
					 *0xf4f0a8 = 0;
				}
				_t44 =  *0xf4f0a4; // 0x0
				if(_t44 != 0) {
					_t30 =  *0xf4f0cc; // 0x0
					_t31 =  *(_t30 + 4);
					if(_t31 != 0 && HeapFree(_t31, 0, _t44) == 0) {
						E00F48131();
					}
					 *0xf4f0a4 = 0;
				}
				_t45 =  *0xf4f0a0; // 0x0
				if(_t45 != 0) {
					_t26 =  *0xf4f0cc; // 0x0
					_t27 =  *(_t26 + 4);
					if(_t27 != 0 && HeapFree(_t27, 0, _t45) == 0) {
						E00F48131();
					}
					 *0xf4f0a0 = 0;
				}
				_t46 =  *0xf4f0b8; // 0x0
				if(_t46 != 0) {
					_t22 =  *0xf4f0cc; // 0x0
					_t23 =  *(_t22 + 4);
					if(_t23 != 0 && HeapFree(_t23, 0, _t46) == 0) {
						E00F48131();
					}
					 *0xf4f0b8 = 0;
				}
				_t47 =  *0xf4f0b4; // 0x0
				if(_t47 != 0) {
					_t18 =  *0xf4f0cc; // 0x0
					_t19 =  *(_t18 + 4);
					if(_t19 != 0 && HeapFree(_t19, 0, _t47) == 0) {
						E00F48131();
					}
					 *0xf4f0b4 = 0;
				}
				_t48 =  *0xf4f0b0; // 0x0
				if(_t48 != 0) {
					_t14 =  *0xf4f0cc; // 0x0
					_t15 =  *(_t14 + 4);
					if(_t15 != 0 && HeapFree(_t15, 0, _t48) == 0) {
						E00F48131();
					}
					 *0xf4f0b0 = 0;
				}
				_t9 =  *0xf4f09c; // 0x0
				if(_t9 == 0) {
					L32:
					return 0;
				} else {
					_t49 =  *0xf4f0cc; // 0x0
					_t50 =  *(_t49 + 4);
					if(_t50 == 0 || HeapFree(_t50, 0, _t9) != 0) {
						 *0xf4f09c = 0;
						goto L32;
					} else {
						E00F48131();
						 *0xf4f09c = 0;
						return 0;
					}
				}
			}

APIs
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00F0D145,00000000,?,0001D4C0), ref: 00F15BFB
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00F0D145,00000000,?,0001D4C0), ref: 00F15C2D
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00F0D145,00000000,?,0001D4C0), ref: 00F15C5F
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00F0D145,00000000,?,0001D4C0), ref: 00F15C91
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00F0D145,00000000,?,0001D4C0), ref: 00F15CC3
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00F0D145,00000000,?,0001D4C0), ref: 00F15CF5
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00F0D145,00000000,?,0001D4C0), ref: 00F15D27
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00F0D145,00000000,?,0001D4C0), ref: 00F15D55
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: FreeHeap
  • String ID:
  • API String ID: 3298025750-0
  • Opcode ID: a4d296028bd954cafe3c495984d321289abe4207e6e07bfc5c3fe04dd0be4ceb
  • Instruction ID: 93d94ca942f98420298e30fcff478cc213bbde1d8cee81d422a2542fe20010bc
  • Opcode Fuzzy Hash: a4d296028bd954cafe3c495984d321289abe4207e6e07bfc5c3fe04dd0be4ceb
  • Instruction Fuzzy Hash: D9418378B04745DFE7249F75EC59B6A37A8ABD1B40F04802DAD09C72A2DB30E845FB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 20%
			E00F27B35() {
				void* _t220;
				signed int _t223;
				intOrPtr _t227;
				void* _t228;
				long _t233;
				signed int _t234;
				intOrPtr _t239;
				void* _t240;
				void* _t241;
				void* _t252;
				intOrPtr _t255;
				void* _t256;
				signed int _t259;
				signed int _t276;
				void* _t277;
				void* _t280;
				intOrPtr _t291;
				signed int _t297;
				void* _t300;
				void* _t303;
				void* _t306;
				void* _t309;
				void* _t314;
				void* _t326;
				signed int _t330;
				signed int _t333;
				signed int _t334;
				void* _t335;
				long _t337;
				void* _t338;
				void* _t339;
				signed int _t340;
				signed int _t341;
				void* _t342;
				long _t353;
				void* _t368;
				void* _t375;
				void* _t393;
				void* _t411;
				long _t412;
				long _t413;
				intOrPtr* _t414;
				long _t416;
				intOrPtr _t421;
				signed int _t422;
				void* _t429;
				long _t439;
				void* _t441;
				long _t442;
				signed int _t443;
				void* _t445;

				 *(_t443 - 4) = 0xffffffff;
				_t334 =  *(_t443 - 0xdc);
				 *(_t443 - 0xb8) =  *(_t443 - 0xe0);
				 *(_t443 - 0xc0) =  *(_t443 - 0x100);
				__esi =  *(__ebp - 0xd8);
				__eax =  *0xf4f014; // 0xf4f014
				__eflags = __eax - 0xf4f014;
				if(__eax != 0xf4f014) {
					__eflags =  *(__eax + 0x1c) & 0x00000004;
					if(( *(__eax + 0x1c) & 0x00000004) != 0) {
						__eflags =  *((char*)(__eax + 0x19)) - 5;
						if( *((char*)(__eax + 0x19)) >= 5) {
							_t121 = __eax + 0x14; // 0x20000000
							_t122 = __eax + 0x10; // 0x40000000
							__edx = 0xf212f8;
							__ecx = 0x18;
							__eax = E00F32A46(0x18, 0xf212f8,  *_t122,  *_t121, __ebx);
						}
					}
				}
				__edx =  *(__ebp - 0xec);
				__ecx =  *(__ebp - 0xb4);
				__eax = E00F47D18( *(__ebp - 0xb4),  *(__ebp - 0xec));
				__eflags = __ebx;
				if(__ebx < 0) {
					L79:
					__esi =  ~__esi;
					asm("sbb edx, edx");
					__eax = __ebp - 0xb0;
					__edx =  ~__esi & __ebp - 0x000000b0;
					 *(__edi + 0x66c) =  ~( *(__edi + 0x66c));
					asm("sbb ecx, ecx");
					__ecx =  ~( *(__edi + 0x66c)) &  *(__ebp - 0xc0);
					 *(__edi + 0x668) =  ~( *(__edi + 0x668));
					asm("sbb eax, eax");
					__eax =  ~( *(__edi + 0x668)) &  *(__ebp - 0xd0);
					__eflags = __eax;
					__imp__WmiSetAndCommitObject( *0xf4f760, 1,  *((intOrPtr*)(__ebp - 0xc4)),  *((intOrPtr*)(__edi + 0x38)), __eax,  ~( *(__edi + 0x66c)) &  *(__ebp - 0xc0),  ~__esi & __ebp - 0x000000b0, __ebx);
					__esp = __esp + 0x20;
					__ebx = 0x80041013;
					goto L80;
				} else {
					__ebx =  *(__ebp - 0xb8);
					__ecx = __ebx;
					__eax = E00F32161(__ebx,  *((intOrPtr*)(__edi + 0x694)));
					__ebx =  *(__ebx + 0x10);
					__eflags = __ebx;
					if(__ebx < 0) {
						goto L79;
					}
					__esi =  ~__esi;
					asm("sbb edx, edx");
					__eax = __ebp - 0xb0;
					__edx =  ~__esi & __ebp - 0x000000b0;
					 *(__edi + 0x66c) =  ~( *(__edi + 0x66c));
					asm("sbb ecx, ecx");
					__ecx =  ~( *(__edi + 0x66c)) &  *(__ebp - 0xc0);
					 *(__edi + 0x668) =  ~( *(__edi + 0x668));
					asm("sbb eax, eax");
					__eax =  ~( *(__edi + 0x668)) &  *(__ebp - 0xd0);
					__imp__WmiSetAndCommitObject( *0xf4f764, 1,  *((intOrPtr*)(__ebp - 0xc4)),  *((intOrPtr*)(__edi + 0x38)),  ~( *(__edi + 0x668)) &  *(__ebp - 0xd0),  ~( *(__edi + 0x66c)) &  *(__ebp - 0xc0),  ~__esi & __ebp - 0x000000b0);
					__esp = __esp + 0x1c;
					L80:
					__edx =  *(__ebp - 0xcc);
					__ecx =  *(__ebp - 0x104);
					__eax = E00F1A856( *(__ebp - 0x104), __edx,  *((intOrPtr*)(__ebp - 0xf8)));
					__ecx =  *(__ebp - 0xbc);
					__eax =  *__ecx;
					__esi =  *( *__ecx + 8);
					__ecx = __esi;
					 *0xf512c4() =  *__esi();
					__ecx =  *(__ebp - 0xb8);
					__eax =  *__ecx;
					__esi =  *( *__ecx + 8);
					__ecx = __esi;
					__eax =  *0xf512c4(__ecx, __ecx);
					__eax =  *__esi();
					if(_t334 < 0) {
						L54:
						_t220 =  *(_t443 - 0xf4);
						 *0xf512c4(_t220);
						 *((intOrPtr*)( *((intOrPtr*)( *_t220 + 8))))();
						if(_t334 < 0) {
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t334);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
						}
						_t223 =  *0xf4f014; // 0xf4f014
						if(_t223 != 0xf4f014 && ( *(_t223 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t223 + 0x19)) - 2;
							if( *((char*)(_t223 + 0x19)) >= 2) {
								_t216 = _t223 + 0x14; // 0x20000000
								_t217 = _t223 + 0x10; // 0x40000000
								_t398 = 0xf212f8;
								E00F32A46(0x1b, 0xf212f8,  *_t217,  *_t216, _t334);
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t443 - 0xc));
						_pop(_t411);
						_pop(_t441);
						_pop(_t335);
						return E00F01CA0(_t334, _t335,  *(_t443 - 0x14) ^ _t443, _t398, _t411, _t441);
					} else {
						_t227 =  *0xf4f0cc; // 0x0
						_t353 =  *(_t227 + 8) & 0x00000005 | 0x00000008;
						_t228 =  *(_t227 + 4);
						if(_t228 == 0) {
							L59:
							_t442 = 0;
							L4:
							 *(_t443 - 0xe8) = _t442;
							 *(_t443 - 4) = 0xa;
							if(_t442 == 0) {
								_t442 = 0;
							} else {
								 *_t442 = 0xf06520;
								 *(_t442 + 4) = 0;
								 *(_t442 + 8) = 0;
								 *(_t442 + 0xc) = 0;
								 *(_t442 + 0x10) = 0;
								 *(_t442 + 0x14) = 0;
							}
							 *(_t443 - 0xe0) = _t442;
							 *(_t443 - 4) = 0xffffffff;
							if(_t442 == 0) {
								_t334 = 0x80041006;
								goto L54;
							} else {
								_t412 =  *( *_t442 + 4);
								_t354 = _t412;
								 *0xf512c4(_t442);
								 *_t412();
								_t413 =  *( *((intOrPtr*)(_t443 - 0xc8)) + 0x6e8);
								_t233 = CreateEventW(0, 0, 0, 0);
								 *(_t442 + 0xc) = _t233;
								if(_t233 == 0) {
									_t334 = 0x80041006;
									L86:
									__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t334);
									_t354 = _t233;
									__imp__?Write@CMemoryLog@@QAEXJ@Z();
									L9:
									_t234 =  *0xf4f014; // 0xf4f014
									if(_t234 != 0xf4f014 && ( *(_t234 + 0x1c) & 0x00000004) != 0) {
										__eflags =  *((char*)(_t234 + 0x19)) - 2;
										if( *((char*)(_t234 + 0x19)) >= 2) {
											_t151 = _t234 + 0x14; // 0x20000000
											_t152 = _t234 + 0x10; // 0x40000000
											_t398 = 0xf212e8;
											_t354 = 0xa;
											E00F32A46(0xa, 0xf212e8,  *_t152,  *_t151, _t334);
										}
									}
									if(_t334 < 0) {
										L52:
										_t104 =  *_t442 + 8; // 0x0
										_t414 =  *_t104;
										_push(_t442);
										if(_t414 != E00F0C4C0) {
											 *0xf512c4();
											 *_t414();
										} else {
											E00F0C4C0(_t354, _t398);
										}
										goto L54;
									} else {
										_t239 =  *0xf4f0cc; // 0x0
										_t354 =  *(_t239 + 8) & 0x00000005 | 0x00000008;
										_t240 =  *(_t239 + 4);
										if(_t240 == 0) {
											L64:
											_t337 = 0;
											 *(_t443 - 0xb8) = 0;
											L14:
											 *(_t443 - 0xe8) = _t337;
											 *(_t443 - 4) = 0xb;
											if(_t337 == 0) {
												_t337 = 0;
												 *(_t443 - 0xb8) = 0;
											} else {
												 *_t337 = 0xf06484;
												 *(_t337 + 4) = 0;
												 *(_t337 + 8) = 0;
												 *(_t337 + 0xc) = 0;
												 *(_t337 + 0x10) = 0;
												 *(_t337 + 0x14) = _t442;
												_t398 = 0xf4f0f8;
												asm("lock xadd [edx], eax");
												asm("lock xadd [eax], ecx");
												_t354 =  *(_t337 + 0x14);
												if(_t354 != 0) {
													_t326 =  *_t354;
													_t37 = _t326 + 4; // 0x0
													_t439 =  *_t37;
													_t354 = _t439;
													 *0xf512c4(_t354);
													 *_t439();
												}
											}
											 *(_t443 - 0xcc) = _t337;
											 *(_t443 - 4) = 0xffffffff;
											if(_t337 == 0) {
												_t334 = 0x80041006;
												goto L52;
											}
											_t241 =  *_t337;
											_t40 = _t241 + 4; // 0x0
											 *0xf512c4(_t337);
											 *((intOrPtr*)( *_t40))();
											 *(_t443 - 0xe8) = 0;
											 *(_t443 - 0x108) = 0;
											 *(_t443 - 0xf8) = 0;
											_t398 = _t443 - 0xf8;
											_t334 = E00F066C5(_t443 - 0x108, _t443 - 0xf8, _t443 - 0xe8, 0);
											if(_t334 < 0) {
												L50:
												_t354 =  *(_t443 - 0xb8);
												_t416 =  *( *_t354 + 8);
												_push(_t354);
												if(_t416 != E00F0C400) {
													_t354 = _t416;
													 *0xf512c4();
													 *_t416();
												} else {
													E00F0C400();
												}
												goto L52;
											}
											 *(_t443 - 0xb4) = 0;
											 *(_t443 - 0xbc) = 0;
											_t338 = 3;
											 *(_t443 - 0x104) = 0;
											_push(_t443 - 0x104);
											_push(0xf03a60);
											if( *0xf53038() < 0) {
												L23:
												_t252 =  *(_t443 - 0xf4);
												 *(_t443 - 0xd4) = _t252;
												 *(_t443 - 0xb4) = 0;
												 *(_t443 - 0xe4) = 0;
												 *0xf512c4(_t252, 0xf07c5c, _t443 - 0xe4);
												_t339 =  *((intOrPtr*)( *( *_t252)))();
												if(_t339 < 0) {
													L28:
													if(_t339 != 0x80041002) {
														_t340 = 0x8004100a;
														goto L101;
													}
													goto L29;
												}
												 *(_t443 - 0xec) = 0;
												_t300 =  *(_t443 - 0xd4);
												 *0xf512c4(_t300, E00F06690, _t443 - 0xec);
												_t342 =  *((intOrPtr*)( *( *_t300)))();
												if(_t342 >= 0) {
													_t303 =  *(_t443 - 0xec);
													 *0xf512c4(_t303,  *(_t443 - 0xd4), _t443 - 0xbc);
													_t339 =  *((intOrPtr*)( *((intOrPtr*)( *_t303 + 0x14))))();
													_t306 =  *(_t443 - 0xec);
													 *0xf512c4(_t306);
													 *((intOrPtr*)( *((intOrPtr*)( *_t306 + 8))))();
												} else {
													if(_t342 == 0x80004002) {
														_t339 = 0x80041002;
													}
												}
												_t309 =  *(_t443 - 0xe4);
												 *0xf512c4(_t309);
												 *((intOrPtr*)( *((intOrPtr*)( *_t309 + 8))))();
												if(_t339 >= 0) {
													_t340 =  *0xf53030();
													__eflags = _t340;
													if(_t340 < 0) {
														_t340 = 0x80041003;
														L100:
														E00F47D18( *(_t443 - 0xbc),  *(_t443 - 0xb4));
														goto L101;
													}
													 *(_t443 - 0xb4) = 1;
													_t314 = E00F07D03();
													__eflags = _t314 - 3;
													if(_t314 != 3) {
														__eflags = _t314 - 4;
														if(_t314 != 4) {
															_t445 = _t445 - 0x14;
															_t340 = E00F4D336( *(_t443 - 0xbc));
														}
													}
													__eflags = _t340;
													if(_t340 >= 0) {
														goto L101;
													} else {
														goto L100;
													}
												} else {
													goto L28;
												}
											} else {
												if( *0xf53030() >= 0) {
													_t338 = E00F07D03();
													 *0xf5302c();
												}
												_t393 =  *(_t443 - 0x104);
												 *0xf512c4(_t393);
												 *((intOrPtr*)( *((intOrPtr*)( *_t393 + 8))))();
												if(_t338 == 2) {
													_t340 = E00F47ECE(0xf07c5c,  *(_t443 - 0xf4), __eflags, _t443 - 0xbc, _t443 - 0xb4);
													L101:
													__eflags = _t340 - 0x80041002;
													if(_t340 == 0x80041002) {
														L29:
														 *(_t443 - 4) = 0xc;
														_t255 =  *((intOrPtr*)(_t443 - 0xc8));
														if( *((intOrPtr*)(_t255 + 0x66c)) != 0) {
															_t341 =  *(_t443 - 0xc0);
														} else {
															_t341 = 0;
														}
														asm("sbb edx, edx");
														_t398 =  ~( *(_t255 + 0x668)) &  *(_t443 - 0xd0);
														_t256 =  *(_t443 - 0xf4);
														 *0xf512c4(_t256,  ~( *(_t255 + 0x668)) &  *(_t443 - 0xd0), 0,  *((intOrPtr*)(_t443 - 0xc4)), _t341,  *((intOrPtr*)(_t443 - 0xf0)),  *((intOrPtr*)(_t443 - 0xfc)),  *(_t443 - 0xb8));
														_t340 =  *((intOrPtr*)( *((intOrPtr*)( *_t256 + 0xc))))();
														 *(_t443 - 0xdc) = _t340;
														_t259 =  *0xf4f014; // 0xf4f014
														if(_t259 != 0xf4f014 && ( *(_t259 + 0x1c) & 0x00000004) != 0) {
															__eflags =  *((char*)(_t259 + 0x19)) - 5;
															if( *((char*)(_t259 + 0x19)) >= 5) {
																_t183 = _t259 + 0x14; // 0x20000000
																_t184 = _t259 + 0x10; // 0x40000000
																_t398 = 0xf212f8;
																E00F32A46(0x19, 0xf212f8,  *_t184,  *_t183, _t340);
															}
														}
														 *(_t443 - 4) = 0xffffffff;
														_t421 =  *((intOrPtr*)(_t443 - 0xc8));
														 *0xf5302c();
														L35:
														if(_t340 < 0) {
															L115:
															asm("sbb edx, edx");
															_t398 =  ~( *(_t443 - 0xd8)) & _t443 - 0x000000b0;
															asm("sbb ecx, ecx");
															asm("sbb eax, eax");
															__imp__WmiSetAndCommitObject( *0xf4f760, 1,  *((intOrPtr*)(_t443 - 0xc4)),  *((intOrPtr*)(_t421 + 0x38)),  ~( *(_t421 + 0x668)) &  *(_t443 - 0xd0),  ~( *(_t421 + 0x66c)) &  *(_t443 - 0xc0),  ~( *(_t443 - 0xd8)) & _t443 - 0x000000b0, _t340);
															_t334 = 0x80041013;
															L43:
															 *(_t443 - 0xe4) =  *(_t443 - 0xf8);
															_t422 =  *(_t443 - 0x108);
															 *(_t443 - 0xb4) = _t422;
															 *(_t443 - 0xd4) = 0;
															_push(_t443 - 0xd4);
															_push(_t422);
															if( *0xf53034() >= 0) {
																if(_t422 != 0 &&  *(_t443 - 0xe8) != 0) {
																	 *(_t443 - 0xcc) = 0;
																	 *0xf512c4( *(_t443 - 0xb4), 0xf068b0, _t443 - 0xcc);
																	_t276 =  *((intOrPtr*)( *((intOrPtr*)( *_t422))))();
																	__eflags = _t276;
																	if(_t276 >= 0) {
																		_t277 =  *(_t443 - 0xcc);
																		 *0xf512c4(_t277);
																		 *((intOrPtr*)( *((intOrPtr*)( *_t277 + 0x10))))();
																		_t280 =  *(_t443 - 0xcc);
																		 *0xf512c4(_t280);
																		 *((intOrPtr*)( *((intOrPtr*)( *_t280 + 8))))();
																	}
																	_t422 =  *(_t443 - 0xb4);
																}
																_t368 =  *(_t443 - 0xe4);
																if(_t368 != 0) {
																	 *0xf512c4(_t368);
																	 *((intOrPtr*)( *((intOrPtr*)( *_t368 + 8))))();
																	_t422 =  *(_t443 - 0xb4);
																}
															}
															if(_t422 != 0) {
																 *0xf512c4(_t422);
																 *((intOrPtr*)( *((intOrPtr*)( *_t422 + 8))))();
															}
															goto L50;
														}
														if(WaitForSingleObject( *(_t442 + 0xc),  *(_t421 + 0x694)) == 0x102) {
															 *(_t442 + 0x10) = 0x80041013;
														}
														_t340 =  *(_t442 + 0x10);
														if(_t340 < 0) {
															goto L115;
														} else {
															if( *(_t443 - 0xd8) != 0) {
																_t375 = _t443 - 0xb0;
															} else {
																_t375 = 0;
															}
															if( *(_t421 + 0x66c) == 0) {
																 *(_t443 - 0xc0) = 0;
															}
															asm("sbb eax, eax");
															__imp__WmiSetAndCommitObject( *0xf4f764, 1,  *((intOrPtr*)(_t443 - 0xc4)),  *((intOrPtr*)(_t421 + 0x38)),  ~( *(_t421 + 0x668)) &  *(_t443 - 0xd0),  *(_t443 - 0xc0), _t375);
															goto L43;
														}
													}
													__eflags = _t340;
													if(_t340 < 0) {
														_t421 =  *((intOrPtr*)(_t443 - 0xc8));
														goto L115;
													}
													_t429 =  *(_t443 - 0xbc);
													 *(_t443 - 0xd4) = _t429;
													_t340 = E00F47D61(_t429, E00F07D03());
													__eflags = _t340;
													if(_t340 < 0) {
														_t421 =  *((intOrPtr*)(_t443 - 0xc8));
														L112:
														_t398 =  *(_t443 - 0xb4);
														E00F47D18( *(_t443 - 0xbc),  *(_t443 - 0xb4));
														goto L35;
													}
													 *(_t443 - 4) = 0xe;
													_t291 =  *((intOrPtr*)(_t443 - 0xc8));
													asm("sbb edx, edx");
													asm("sbb eax, eax");
													 *0xf512c4( *(_t443 - 0xd4),  ~( *(_t291 + 0x668)) &  *(_t443 - 0xd0), 0,  *((intOrPtr*)(_t443 - 0xc4)),  ~( *(_t291 + 0x66c)) &  *(_t443 - 0xc0),  *((intOrPtr*)(_t443 - 0xf0)),  *((intOrPtr*)(_t443 - 0xfc)),  *(_t443 - 0xb8));
													_t340 =  *((intOrPtr*)( *((intOrPtr*)( *_t429 + 0xc))))();
													 *(_t443 - 0xdc) = _t340;
													 *(_t443 - 4) = 0xffffffff;
													_t421 =  *((intOrPtr*)(_t443 - 0xc8));
													_t297 =  *0xf4f014; // 0xf4f014
													__eflags = _t297 - 0xf4f014;
													if(_t297 == 0xf4f014) {
														goto L112;
													} else {
														__eflags =  *(_t297 + 0x1c) & 0x00000004;
														if(( *(_t297 + 0x1c) & 0x00000004) == 0) {
															goto L112;
														}
														__eflags =  *((char*)(_t297 + 0x19)) - 5;
														if( *((char*)(_t297 + 0x19)) < 5) {
															goto L112;
														}
														_t190 = _t297 + 0x14; // 0x20000000
														_t191 = _t297 + 0x10; // 0x40000000
														E00F32A46(0x1a, 0xf212f8,  *_t191,  *_t190, _t340);
														_t398 =  *(_t443 - 0xb4);
														E00F47D18( *(_t443 - 0xbc),  *(_t443 - 0xb4));
														goto L35;
													}
												}
												goto L23;
											}
										}
										_t337 = HeapAlloc(_t240, _t354, 0x18);
										 *(_t443 - 0xb8) = _t337;
										if(_t337 == 0) {
											_t330 = E00F48131();
											__eflags = _t330;
											if(_t330 != 0) {
												goto L64;
											}
										}
										goto L14;
									}
								}
								if(_t413 != 0) {
									_t149 = _t442 + 0x14; // 0x14
									_t398 = _t149;
									_t354 = _t413;
									_t233 = E00F47FFF(_t413, _t149);
									_t334 = _t233;
									__eflags = _t334;
									if(_t334 >= 0) {
										goto L9;
									}
									goto L86;
								}
								goto L9;
							}
						}
						_t442 = HeapAlloc(_t228, _t353, 0x18);
						if(_t442 == 0) {
							_t333 = E00F48131();
							__eflags = _t333;
							if(_t333 != 0) {
								goto L59;
							}
						}
						goto L4;
					}
				}
			}























































APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07470
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000), ref: 00F074F5
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,00000000), ref: 00F27C0D
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,00000000), ref: 00F27C61
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041006), ref: 00F27CE5
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F27CED
    • Part of subcall function 00F32A46: EtwTraceMessage.NTDLL ref: 00F32A5D
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CommitLog@@MemoryObject$AllocCreateEventHeapMessageObject@@TraceWrite@
  • String ID:
  • API String ID: 1422187237-0
  • Opcode ID: f724c29bdae8fc081c4e5d2a307af9f3d867311339b0a474c224aeb1a97805d1
  • Instruction ID: e7217f97c6178708a65122abc20142ff7f58c1663431624ebc18e75faa6b408d
  • Opcode Fuzzy Hash: f724c29bdae8fc081c4e5d2a307af9f3d867311339b0a474c224aeb1a97805d1
  • Instruction Fuzzy Hash: 5BF1A070A003199FDB24DF14CD94BAAB7B6BF44314F1481E8DA09A72A1CB75AD85EF50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 20%
			E00F27A64() {
				signed int _t216;
				void* _t224;
				intOrPtr _t227;
				intOrPtr _t231;
				void* _t232;
				long _t237;
				intOrPtr _t238;
				intOrPtr _t243;
				void* _t244;
				void* _t245;
				void* _t256;
				intOrPtr _t259;
				void* _t260;
				intOrPtr _t263;
				signed int _t280;
				signed int _t281;
				signed int _t284;
				intOrPtr _t295;
				intOrPtr _t301;
				void* _t304;
				void* _t307;
				void* _t310;
				void* _t313;
				void* _t318;
				void* _t330;
				signed int _t334;
				signed int _t337;
				signed int _t343;
				signed int _t344;
				void* _t345;
				long _t347;
				void* _t348;
				void* _t349;
				signed int _t350;
				signed int _t351;
				void* _t352;
				long _t353;
				void* _t358;
				long _t360;
				long _t372;
				void* _t387;
				void* _t394;
				void* _t412;
				intOrPtr _t439;
				void* _t440;
				long _t441;
				long _t442;
				intOrPtr* _t443;
				long _t445;
				intOrPtr _t450;
				signed int _t451;
				void* _t458;
				long _t468;
				signed int _t469;
				void* _t473;
				long _t474;
				signed int _t475;
				void* _t477;
				void* _t478;

				 *(_t475 - 4) = 0xffffffff;
				_t343 =  *(_t475 - 0xdc);
				 *(_t475 - 0xb8) =  *(_t475 - 0xe0);
				 *(_t475 - 0xc0) =  *(_t475 - 0x100);
				_t439 =  *((intOrPtr*)(_t475 - 0xc8));
				_t469 =  *(_t475 - 0xd8);
				 *0xf5302c();
				if(_t343 < 0) {
					L74:
					asm("sbb edx, edx");
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t216 =  ~( *(_t439 + 0x668)) &  *(_t475 - 0xd0);
					__eflags = _t216;
					__imp__WmiSetAndCommitObject( *0xf4f760, 1,  *((intOrPtr*)(_t475 - 0xc4)),  *((intOrPtr*)(_t439 + 0x38)), _t216,  ~( *(_t439 + 0x66c)) &  *(_t475 - 0xc0),  ~_t469 & _t475 - 0x000000b0, _t343);
					_t478 = _t477 + 0x20;
					_t344 = 0x80041013;
					goto L75;
				} else {
					_t353 =  *(_t475 - 0xb8);
					E00F32161(_t353,  *((intOrPtr*)(_t439 + 0x694)));
					_t343 =  *(_t353 + 0x10);
					if(_t343 < 0) {
						goto L74;
					}
					asm("sbb edx, edx");
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					__imp__WmiSetAndCommitObject( *0xf4f764, 1,  *((intOrPtr*)(_t475 - 0xc4)),  *((intOrPtr*)(_t439 + 0x38)),  ~( *(_t439 + 0x668)) &  *(_t475 - 0xd0),  ~( *(_t439 + 0x66c)) &  *(_t475 - 0xc0),  ~_t469 & _t475 - 0x000000b0);
					_t478 = _t477 + 0x1c;
					L75:
					_t424 =  *(_t475 - 0xcc);
					E00F1A856( *(_t475 - 0x104),  *(_t475 - 0xcc),  *(_t475 - 0xf8));
					_t358 =  *(_t475 - 0xbc);
					 *0xf512c4(_t358);
					 *((intOrPtr*)( *((intOrPtr*)( *_t358 + 8))))();
					_t360 =  *(_t475 - 0xb8);
					 *0xf512c4(_t360);
					 *((intOrPtr*)( *((intOrPtr*)( *_t360 + 8))))();
					if(_t344 < 0) {
						L54:
						_t224 =  *(_t475 - 0xf4);
						 *0xf512c4(_t224);
						 *((intOrPtr*)( *((intOrPtr*)( *_t224 + 8))))();
						if(_t344 < 0) {
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t344);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
						}
						_t227 =  *0xf4f014; // 0xf4f014
						if(_t227 != 0xf4f014 && ( *(_t227 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t227 + 0x19)) - 2;
							if( *((char*)(_t227 + 0x19)) >= 2) {
								_t208 = _t227 + 0x14; // 0x20000000
								_t209 = _t227 + 0x10; // 0x40000000
								_t424 = 0xf212f8;
								E00F32A46(0x1b, 0xf212f8,  *_t209,  *_t208, _t344);
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t475 - 0xc));
						_pop(_t440);
						_pop(_t473);
						_pop(_t345);
						return E00F01CA0(_t344, _t345,  *(_t475 - 0x14) ^ _t475, _t424, _t440, _t473);
					} else {
						_t231 =  *0xf4f0cc; // 0x0
						_t372 =  *(_t231 + 8) & 0x00000005 | 0x00000008;
						_t232 =  *(_t231 + 4);
						if(_t232 == 0) {
							L59:
							_t474 = 0;
							L4:
							 *(_t475 - 0xe8) = _t474;
							 *(_t475 - 4) = 0xa;
							if(_t474 == 0) {
								_t474 = 0;
							} else {
								 *_t474 = 0xf06520;
								 *(_t474 + 4) = 0;
								 *(_t474 + 8) = 0;
								 *(_t474 + 0xc) = 0;
								 *(_t474 + 0x10) = 0;
								 *(_t474 + 0x14) = 0;
							}
							 *(_t475 - 0xe0) = _t474;
							 *(_t475 - 4) = 0xffffffff;
							if(_t474 == 0) {
								_t344 = 0x80041006;
								goto L54;
							} else {
								_t441 =  *( *_t474 + 4);
								_t373 = _t441;
								 *0xf512c4(_t474);
								 *_t441();
								_t442 =  *( *((intOrPtr*)(_t475 - 0xc8)) + 0x6e8);
								_t237 = CreateEventW(0, 0, 0, 0);
								 *(_t474 + 0xc) = _t237;
								if(_t237 == 0) {
									_t344 = 0x80041006;
									L81:
									__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t344);
									_t373 = _t237;
									__imp__?Write@CMemoryLog@@QAEXJ@Z();
									L9:
									_t238 =  *0xf4f014; // 0xf4f014
									if(_t238 != 0xf4f014 && ( *(_t238 + 0x1c) & 0x00000004) != 0) {
										__eflags =  *((char*)(_t238 + 0x19)) - 2;
										if( *((char*)(_t238 + 0x19)) >= 2) {
											_t143 = _t238 + 0x14; // 0x20000000
											_t144 = _t238 + 0x10; // 0x40000000
											_t424 = 0xf212e8;
											_t373 = 0xa;
											E00F32A46(0xa, 0xf212e8,  *_t144,  *_t143, _t344);
										}
									}
									if(_t344 < 0) {
										L52:
										_t105 =  *_t474 + 8; // 0x0
										_t443 =  *_t105;
										_push(_t474);
										if(_t443 != E00F0C4C0) {
											 *0xf512c4();
											 *_t443();
										} else {
											E00F0C4C0(_t373, _t424);
										}
										goto L54;
									} else {
										_t243 =  *0xf4f0cc; // 0x0
										_t373 =  *(_t243 + 8) & 0x00000005 | 0x00000008;
										_t244 =  *(_t243 + 4);
										if(_t244 == 0) {
											L64:
											_t347 = 0;
											 *(_t475 - 0xb8) = 0;
											L14:
											 *(_t475 - 0xe8) = _t347;
											 *(_t475 - 4) = 0xb;
											if(_t347 == 0) {
												_t347 = 0;
												 *(_t475 - 0xb8) = 0;
											} else {
												 *_t347 = 0xf06484;
												 *(_t347 + 4) = 0;
												 *(_t347 + 8) = 0;
												 *(_t347 + 0xc) = 0;
												 *(_t347 + 0x10) = 0;
												 *(_t347 + 0x14) = _t474;
												_t424 = 0xf4f0f8;
												asm("lock xadd [edx], eax");
												asm("lock xadd [eax], ecx");
												_t373 =  *(_t347 + 0x14);
												if(_t373 != 0) {
													_t330 =  *_t373;
													_t38 = _t330 + 4; // 0x0
													_t468 =  *_t38;
													_t373 = _t468;
													 *0xf512c4(_t373);
													 *_t468();
												}
											}
											 *(_t475 - 0xcc) = _t347;
											 *(_t475 - 4) = 0xffffffff;
											if(_t347 == 0) {
												_t344 = 0x80041006;
												goto L52;
											}
											_t245 =  *_t347;
											_t41 = _t245 + 4; // 0x0
											 *0xf512c4(_t347);
											 *((intOrPtr*)( *_t41))();
											 *(_t475 - 0xe8) = 0;
											 *(_t475 - 0x108) = 0;
											 *(_t475 - 0xf8) = 0;
											_t424 = _t475 - 0xf8;
											_t344 = E00F066C5(_t475 - 0x108, _t475 - 0xf8, _t475 - 0xe8, 0);
											if(_t344 < 0) {
												L50:
												_t373 =  *(_t475 - 0xb8);
												_t445 =  *( *_t373 + 8);
												_push(_t373);
												if(_t445 != E00F0C400) {
													_t373 = _t445;
													 *0xf512c4();
													 *_t445();
												} else {
													E00F0C400();
												}
												goto L52;
											}
											 *(_t475 - 0xb4) = 0;
											 *(_t475 - 0xbc) = 0;
											_t348 = 3;
											 *(_t475 - 0x104) = 0;
											_push(_t475 - 0x104);
											_push(0xf03a60);
											if( *0xf53038() < 0) {
												L23:
												_t256 =  *(_t475 - 0xf4);
												 *(_t475 - 0xd4) = _t256;
												 *(_t475 - 0xb4) = 0;
												 *(_t475 - 0xe4) = 0;
												 *0xf512c4(_t256, 0xf07c5c, _t475 - 0xe4);
												_t349 =  *((intOrPtr*)( *( *_t256)))();
												if(_t349 < 0) {
													L28:
													if(_t349 != 0x80041002) {
														_t350 = 0x8004100a;
														L96:
														__eflags = _t350 - 0x80041002;
														if(_t350 == 0x80041002) {
															goto L29;
														}
														__eflags = _t350;
														if(_t350 < 0) {
															_t450 =  *((intOrPtr*)(_t475 - 0xc8));
															L110:
															asm("sbb edx, edx");
															_t424 =  ~( *(_t475 - 0xd8)) & _t475 - 0x000000b0;
															asm("sbb ecx, ecx");
															asm("sbb eax, eax");
															__imp__WmiSetAndCommitObject( *0xf4f760, 1,  *((intOrPtr*)(_t475 - 0xc4)),  *((intOrPtr*)(_t450 + 0x38)),  ~( *(_t450 + 0x668)) &  *(_t475 - 0xd0),  ~( *(_t450 + 0x66c)) &  *(_t475 - 0xc0),  ~( *(_t475 - 0xd8)) & _t475 - 0x000000b0, _t350);
															_t344 = 0x80041013;
															L43:
															 *(_t475 - 0xe4) =  *(_t475 - 0xf8);
															_t451 =  *(_t475 - 0x108);
															 *(_t475 - 0xb4) = _t451;
															 *(_t475 - 0xd4) = 0;
															_push(_t475 - 0xd4);
															_push(_t451);
															if( *0xf53034() >= 0) {
																if(_t451 != 0 &&  *(_t475 - 0xe8) != 0) {
																	 *(_t475 - 0xcc) = 0;
																	 *0xf512c4( *(_t475 - 0xb4), 0xf068b0, _t475 - 0xcc);
																	_t280 =  *((intOrPtr*)( *((intOrPtr*)( *_t451))))();
																	__eflags = _t280;
																	if(_t280 >= 0) {
																		_t281 =  *(_t475 - 0xcc);
																		 *0xf512c4(_t281);
																		 *((intOrPtr*)( *((intOrPtr*)( *_t281 + 0x10))))();
																		_t284 =  *(_t475 - 0xcc);
																		 *0xf512c4(_t284);
																		 *((intOrPtr*)( *((intOrPtr*)( *_t284 + 8))))();
																	}
																	_t451 =  *(_t475 - 0xb4);
																}
																_t387 =  *(_t475 - 0xe4);
																if(_t387 != 0) {
																	 *0xf512c4(_t387);
																	 *((intOrPtr*)( *((intOrPtr*)( *_t387 + 8))))();
																	_t451 =  *(_t475 - 0xb4);
																}
															}
															if(_t451 != 0) {
																 *0xf512c4(_t451);
																 *((intOrPtr*)( *((intOrPtr*)( *_t451 + 8))))();
															}
															goto L50;
														}
														_t458 =  *(_t475 - 0xbc);
														 *(_t475 - 0xd4) = _t458;
														_t350 = E00F47D61(_t458, E00F07D03());
														__eflags = _t350;
														if(_t350 < 0) {
															_t450 =  *((intOrPtr*)(_t475 - 0xc8));
															L107:
															_t424 =  *(_t475 - 0xb4);
															E00F47D18( *(_t475 - 0xbc),  *(_t475 - 0xb4));
															L35:
															if(_t350 < 0) {
																goto L110;
															}
															if(WaitForSingleObject( *(_t474 + 0xc),  *(_t450 + 0x694)) == 0x102) {
																 *(_t474 + 0x10) = 0x80041013;
															}
															_t350 =  *(_t474 + 0x10);
															if(_t350 < 0) {
																goto L110;
															} else {
																if( *(_t475 - 0xd8) != 0) {
																	_t394 = _t475 - 0xb0;
																} else {
																	_t394 = 0;
																}
																if( *(_t450 + 0x66c) == 0) {
																	 *(_t475 - 0xc0) = 0;
																}
																asm("sbb eax, eax");
																__imp__WmiSetAndCommitObject( *0xf4f764, 1,  *((intOrPtr*)(_t475 - 0xc4)),  *((intOrPtr*)(_t450 + 0x38)),  ~( *(_t450 + 0x668)) &  *(_t475 - 0xd0),  *(_t475 - 0xc0), _t394);
																goto L43;
															}
														}
														 *(_t475 - 4) = 0xe;
														_t295 =  *((intOrPtr*)(_t475 - 0xc8));
														asm("sbb edx, edx");
														asm("sbb eax, eax");
														 *0xf512c4( *(_t475 - 0xd4),  ~( *(_t295 + 0x668)) &  *(_t475 - 0xd0), 0,  *((intOrPtr*)(_t475 - 0xc4)),  ~( *(_t295 + 0x66c)) &  *(_t475 - 0xc0),  *((intOrPtr*)(_t475 - 0xf0)),  *((intOrPtr*)(_t475 - 0xfc)),  *(_t475 - 0xb8));
														_t350 =  *((intOrPtr*)( *((intOrPtr*)( *_t458 + 0xc))))();
														 *(_t475 - 0xdc) = _t350;
														 *(_t475 - 4) = 0xffffffff;
														_t450 =  *((intOrPtr*)(_t475 - 0xc8));
														_t301 =  *0xf4f014; // 0xf4f014
														__eflags = _t301 - 0xf4f014;
														if(_t301 == 0xf4f014) {
															goto L107;
														} else {
															__eflags =  *(_t301 + 0x1c) & 0x00000004;
															if(( *(_t301 + 0x1c) & 0x00000004) == 0) {
																goto L107;
															}
															__eflags =  *((char*)(_t301 + 0x19)) - 5;
															if( *((char*)(_t301 + 0x19)) < 5) {
																goto L107;
															}
															_t182 = _t301 + 0x14; // 0x20000000
															_t183 = _t301 + 0x10; // 0x40000000
															E00F32A46(0x1a, 0xf212f8,  *_t183,  *_t182, _t350);
															_t424 =  *(_t475 - 0xb4);
															E00F47D18( *(_t475 - 0xbc),  *(_t475 - 0xb4));
															goto L35;
														}
													}
													L29:
													 *(_t475 - 4) = 0xc;
													_t259 =  *((intOrPtr*)(_t475 - 0xc8));
													if( *((intOrPtr*)(_t259 + 0x66c)) != 0) {
														_t351 =  *(_t475 - 0xc0);
													} else {
														_t351 = 0;
													}
													asm("sbb edx, edx");
													_t424 =  ~( *(_t259 + 0x668)) &  *(_t475 - 0xd0);
													_t260 =  *(_t475 - 0xf4);
													 *0xf512c4(_t260,  ~( *(_t259 + 0x668)) &  *(_t475 - 0xd0), 0,  *((intOrPtr*)(_t475 - 0xc4)), _t351,  *((intOrPtr*)(_t475 - 0xf0)),  *((intOrPtr*)(_t475 - 0xfc)),  *(_t475 - 0xb8));
													_t350 =  *((intOrPtr*)( *((intOrPtr*)( *_t260 + 0xc))))();
													 *(_t475 - 0xdc) = _t350;
													_t263 =  *0xf4f014; // 0xf4f014
													if(_t263 != 0xf4f014 && ( *(_t263 + 0x1c) & 0x00000004) != 0) {
														__eflags =  *((char*)(_t263 + 0x19)) - 5;
														if( *((char*)(_t263 + 0x19)) >= 5) {
															_t175 = _t263 + 0x14; // 0x20000000
															_t176 = _t263 + 0x10; // 0x40000000
															_t424 = 0xf212f8;
															E00F32A46(0x19, 0xf212f8,  *_t176,  *_t175, _t350);
														}
													}
													 *(_t475 - 4) = 0xffffffff;
													_t450 =  *((intOrPtr*)(_t475 - 0xc8));
													 *0xf5302c();
													goto L35;
												}
												 *(_t475 - 0xec) = 0;
												_t304 =  *(_t475 - 0xd4);
												 *0xf512c4(_t304, E00F06690, _t475 - 0xec);
												_t352 =  *((intOrPtr*)( *( *_t304)))();
												if(_t352 >= 0) {
													_t307 =  *(_t475 - 0xec);
													 *0xf512c4(_t307,  *(_t475 - 0xd4), _t475 - 0xbc);
													_t349 =  *((intOrPtr*)( *((intOrPtr*)( *_t307 + 0x14))))();
													_t310 =  *(_t475 - 0xec);
													 *0xf512c4(_t310);
													 *((intOrPtr*)( *((intOrPtr*)( *_t310 + 8))))();
												} else {
													if(_t352 == 0x80004002) {
														_t349 = 0x80041002;
													}
												}
												_t313 =  *(_t475 - 0xe4);
												 *0xf512c4(_t313);
												 *((intOrPtr*)( *((intOrPtr*)( *_t313 + 8))))();
												if(_t349 >= 0) {
													_t350 =  *0xf53030();
													__eflags = _t350;
													if(_t350 < 0) {
														_t350 = 0x80041003;
														L95:
														E00F47D18( *(_t475 - 0xbc),  *(_t475 - 0xb4));
														goto L96;
													}
													 *(_t475 - 0xb4) = 1;
													_t318 = E00F07D03();
													__eflags = _t318 - 3;
													if(_t318 != 3) {
														__eflags = _t318 - 4;
														if(_t318 != 4) {
															_t478 = _t478 - 0x14;
															_t350 = E00F4D336( *(_t475 - 0xbc));
														}
													}
													__eflags = _t350;
													if(_t350 >= 0) {
														goto L96;
													} else {
														goto L95;
													}
												} else {
													goto L28;
												}
											}
											if( *0xf53030() >= 0) {
												_t348 = E00F07D03();
												 *0xf5302c();
											}
											_t412 =  *(_t475 - 0x104);
											 *0xf512c4(_t412);
											 *((intOrPtr*)( *((intOrPtr*)( *_t412 + 8))))();
											if(_t348 == 2) {
												_t350 = E00F47ECE(0xf07c5c,  *(_t475 - 0xf4), __eflags, _t475 - 0xbc, _t475 - 0xb4);
												goto L96;
											} else {
												goto L23;
											}
										}
										_t347 = HeapAlloc(_t244, _t373, 0x18);
										 *(_t475 - 0xb8) = _t347;
										if(_t347 == 0) {
											_t334 = E00F48131();
											__eflags = _t334;
											if(_t334 != 0) {
												goto L64;
											}
										}
										goto L14;
									}
								}
								if(_t442 != 0) {
									_t141 = _t474 + 0x14; // 0x14
									_t424 = _t141;
									_t373 = _t442;
									_t237 = E00F47FFF(_t442, _t141);
									_t344 = _t237;
									__eflags = _t344;
									if(_t344 >= 0) {
										goto L9;
									}
									goto L81;
								}
								goto L9;
							}
						}
						_t474 = HeapAlloc(_t232, _t372, 0x18);
						if(_t474 == 0) {
							_t337 = E00F48131();
							__eflags = _t337;
							if(_t337 != 0) {
								goto L59;
							}
						}
						goto L4;
					}
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07470
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000), ref: 00F074F5
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,00000000), ref: 00F27C61
    • Part of subcall function 00F32161: WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,00F27BC4,?,00000000), ref: 00F3216F
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,00000000), ref: 00F27C0D
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Object$Commit$AllocCreateEventHeapSingleWait
  • String ID:
  • API String ID: 4204774-0
  • Opcode ID: 21023c56a5e1f1debde0f5977b5cebd860a77f54f5250fca5a7b727b08a883d5
  • Instruction ID: 8d3f7272d7e177794993d95a7097ef25a77cb5770ab32cfd15c0d2566aca8684
  • Opcode Fuzzy Hash: 21023c56a5e1f1debde0f5977b5cebd860a77f54f5250fca5a7b727b08a883d5
  • Instruction Fuzzy Hash: 25F1A070A003199FDB24DF14CD94BAEB7B6BF44314F1481E8EA09A72A0CB71AD85EF50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 47%
			E00F14E90(intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				char _v16;
				void* _v20;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t88;
				intOrPtr _t90;
				void* _t92;
				char _t97;
				intOrPtr _t103;
				void* _t104;
				void* _t106;
				signed int _t109;
				intOrPtr _t110;
				void* _t111;
				signed int _t120;
				intOrPtr _t126;
				signed int _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr _t134;
				long _t140;
				intOrPtr* _t142;
				long _t154;
				intOrPtr _t156;
				signed int _t157;
				void* _t158;
				struct _CRITICAL_SECTION* _t159;
				void* _t160;
				signed int _t162;
				signed int _t171;

				_t88 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t88 ^ _t162;
				_t90 =  *0xf4f014; // 0xf4f014
				_t156 = _a4;
				_t128 = _a20;
				_t126 = _a12;
				_t157 = _a8;
				if(_t90 != 0xf4f014 && ( *(_t90 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t90 + 0x19)) >= 5) {
					_t77 = _t90 + 0x14; // 0x20000000
					_t78 = _t90 + 0x10; // 0x40000000
					E00F40422(0x35,  *_t78,  *_t77, _t157, _t126, _t156, _a16, _t128);
					_t90 =  *0xf4f014; // 0xf4f014
					_t128 = _a20;
				}
				_t149 = _t157 & 0xffffe0ff;
				_v28 = _t149;
				if(_t149 != 0) {
					_push(_t128);
					_push(_a16);
					_push(_t126);
					_push(_t157);
					goto L28;
				} else {
					if( *((intOrPtr*)(_t156 + 0x58)) != 0) {
						_t158 = 0x80041033;
						L29:
						_t129 =  *((intOrPtr*)(_t156 + 0xa0));
						if(_t129 != 0 && _t149 == 0) {
							__imp__WmiSetAndCommitObject( *0xf4f7bc, 1,  *((intOrPtr*)(_t129 + 0x140)),  *((intOrPtr*)( *((intOrPtr*)(_t129 + 0x134)) + 0x38)),  *((intOrPtr*)(_t129 + 0x13c)),  *((intOrPtr*)(_t129 + 0x138)),  *((intOrPtr*)(_t129 + 0x144)),  *((intOrPtr*)(_t156 + 0x98)),  *((intOrPtr*)(_t156 + 0x9c)), _t126, _a16, _a20);
							_t90 =  *0xf4f014; // 0xf4f014
						}
						if(_t158 < 0) {
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t158);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
							_t90 =  *0xf4f014; // 0xf4f014
						}
						if(_t90 != 0xf4f014 && ( *(_t90 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t90 + 0x19)) >= 2) {
							_t86 = _t90 + 0x14; // 0x20000000
							_t149 = 0xf22544;
							_t87 = _t90 + 0x10; // 0x40000000
							E00F32A46(0x36, 0xf22544,  *_t87,  *_t86, _t158);
						}
						return E00F01CA0(_t158, _t126, _v8 ^ _t162, _t149, _t156, _t158);
					}
					_t159 = _t156 + 0x7c;
					if( *((char*)(_t156 + 0x94)) == 0 || E00F02E90(_t159) == 0) {
						L37:
						_t97 = 0x80041006;
						goto L38;
					} else {
						_t127 =  *(_t156 + 0x70);
						_t171 = _t127;
						if(_t171 == 0) {
							E00F321AA(_t159);
							_t126 = _a12;
							L26:
							_t134 = _t126;
							L27:
							_push(_a20);
							_push(_a16);
							_push(_t134);
							_push(_a8);
							L28:
							_push(_t156);
							_t92 = E00F17140();
							_t149 = _v28;
							_t158 = _t92;
							_t90 =  *0xf4f014; // 0xf4f014
							goto L29;
						}
						_t140 =  ~(0 | _t171 > 0x00000000) | _t127 * 0x00000004;
						_t103 =  *0xf4f0cc; // 0x0
						_t104 =  *(_t103 + 4);
						_t154 =  *(_t103 + 8) & 0x00000005 | 0x00000008;
						if(_t104 == 0) {
							L45:
							E00F321AA(_t159);
							_t126 = _a12;
							goto L37;
						}
						_t106 = HeapAlloc(_t104, _t154, _t140);
						_v20 = _t106;
						if(_t106 == 0) {
							E00F48131();
							goto L45;
						}
						_v12 = 0;
						if(_t127 <= 0) {
							L17:
							if( *((char*)(_t159 + 0x18)) != 0) {
								LeaveCriticalSection(_t159);
							}
							_t160 = _v20;
							_v16 = E00F17E80(_t156, _t127, _t160);
							_t109 = 0;
							_v12 = 0;
							if(_t127 <= 0) {
								L23:
								_t110 =  *0xf4f0cc; // 0x0
								_t111 =  *(_t110 + 4);
								if(_t111 != 0 && HeapFree(_t111, 0, _t160) == 0) {
									E00F48131();
								}
								_t97 = _v16;
								_t126 = _a12;
								if(_t97 < 0) {
									L38:
									_t134 = _t97;
									goto L27;
								} else {
									goto L26;
								}
							} else {
								do {
									_t142 =  *((intOrPtr*)(_t160 + _t109 * 4));
									if(_t142 != 0) {
										 *0xf512c4(_t142);
										 *((intOrPtr*)( *((intOrPtr*)( *_t142 + 8))))();
										_t109 = _v12;
										_t160 = _v20;
									}
									_t109 = _t109 + 1;
									_v12 = _t109;
								} while (_t109 < _t127);
								goto L23;
							}
						} else {
							goto L10;
						}
						do {
							L10:
							if(E00F17480(_t156 + 0x60,  &_v16) == 0) {
								 *((intOrPtr*)(_v20 + _v12 * 4)) = _v16;
								if( *((intOrPtr*)(_t156 + 0x60)) !=  *((intOrPtr*)(_t156 + 0x64)) ||  *(_t156 + 0x68) !=  *((intOrPtr*)(_t156 + 0x6c))) {
									 *(_t156 + 0x68) =  *(_t156 + 0x68) + 1;
									if( *(_t156 + 0x68) == 0x100) {
										E00F18AC2(_t156 + 0x60);
										 *(_t156 + 0x68) = 0;
									}
									 *(_t156 + 0x70) =  *(_t156 + 0x70) - 1;
								}
							}
							_t120 = _v12 + 1;
							_v12 = _t120;
						} while (_t120 < _t127);
						_t159 = _t156 + 0x7c;
						goto L17;
					}
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000000), ref: 00F14F3A
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 00F14FAA
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,?,?,?,?), ref: 00F14FFC
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,?,?,?,?,80041006,?,?), ref: 00F1507F
    • Part of subcall function 00F48131: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(00F2B381), ref: 00F48131
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Heap$AllocCommitCriticalErrorFreeLastLeaveObjectSection
  • String ID:
  • API String ID: 2622589674-0
  • Opcode ID: 7d8c34eb18efbd751333255de587e9e3b1faed6d20347e790e455053283c9a54
  • Instruction ID: 163ab6b6d148fb9c4dabeeb23502ed6320db004c35aa6fc3d0af929dbf0209c5
  • Opcode Fuzzy Hash: 7d8c34eb18efbd751333255de587e9e3b1faed6d20347e790e455053283c9a54
  • Instruction Fuzzy Hash: 9A81AD35A0060AEFDB14CF64DC84BAABBB5FF89310F144068F90597262C735EC91EBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 17%
			E00F07D90(void* __ebx, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				signed int _t47;
				char* _t48;
				signed int _t50;
				intOrPtr _t55;
				intOrPtr _t60;
				void* _t61;
				signed int _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				signed int _t72;
				void* _t73;
				intOrPtr _t81;
				intOrPtr _t83;
				long _t88;
				intOrPtr _t90;
				void* _t96;
				signed int _t97;
				intOrPtr* _t98;
				signed int _t99;
				intOrPtr _t101;
				void* _t102;
				signed int _t105;
				signed int _t106;
				signed int _t107;

				_t73 = __ebx;
				_push(0xffffffff);
				_push(E00F255B3);
				_push( *[fs:0x0]);
				_t46 =  *0xf4f1a4; // 0xbd26e8f
				_t47 = _t46 ^ _t107;
				_v20 = _t47;
				_push(_t47);
				_t48 =  &_v16;
				 *[fs:0x0] = _t48;
				_t101 = _a8;
				_push(0x10);
				_push(0xf07ef4);
				_push(_t101);
				L00F03B58();
				if(_t48 != 0) {
					_t94 = 0xf2d040;
					_t74 = _t101;
					__eflags = E00F2DE11(_t48, _t101, 0xf2d040);
					if(__eflags == 0) {
						_t50 = 0x80040111;
						L12:
						 *[fs:0x0] = _v16;
						_pop(_t96);
						_pop(_t102);
						return E00F01CA0(_t50, _t73, _v20 ^ _t107, _t94, _t96, _t102);
					}
					_t97 = E00F19D72(_t74, __eflags, 0x18);
					_v24 = _t97;
					_v8 = 1;
					__eflags = _t97;
					if(_t97 == 0) {
						_t97 = 0;
						__eflags = 0;
					} else {
						_t83 =  *0xf4f0cc; // 0x0
						_t94 = 0xf50aa4;
						 *((intOrPtr*)(_t97 + 0xc)) = _t83;
						 *_t97 = E00F0DF44;
						 *((intOrPtr*)(_t97 + 4)) = 0xf0f2c4;
						 *((intOrPtr*)(_t97 + 8)) = 0;
						 *((intOrPtr*)(_t97 + 0x10)) = 0;
						 *((intOrPtr*)(_t97 + 0x14)) = 0;
						asm("lock xadd [edx], eax");
						asm("lock xadd [eax], ecx");
					}
					_v8 = 0xffffffff;
					__eflags = _t97;
					if(_t97 == 0) {
						L21:
						_t50 = 0x8007000e;
					} else {
						 *0xf512c4(_t97, _a20, _a24);
						_t105 =  *((intOrPtr*)( *((intOrPtr*)( *_t97))))();
						__eflags = _t105;
						if(_t105 < 0) {
							_t81 =  *0xf4f0cc; // 0x0
							E00F04A17(_t81, _t97);
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t105);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
						}
						_t55 =  *0xf4f014; // 0xf4f014
						__eflags = _t55 - 0xf4f014;
						if(_t55 != 0xf4f014) {
							__eflags =  *(_t55 + 0x1c) & 0x00000004;
							if(( *(_t55 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t55 + 0x19)) - 2;
								if( *((char*)(_t55 + 0x19)) >= 2) {
									_t43 = _t55 + 0x14; // 0x20000000
									_t94 = 0xf2cfec;
									_t44 = _t55 + 0x10; // 0x40000000
									E00F32A46(0x39, 0xf2cfec,  *_t44,  *_t43, _t105);
								}
							}
						}
						_t50 = _t105;
					}
					goto L12;
				}
				_t60 =  *0xf4f0cc; // 0x0
				_t61 =  *(_t60 + 4);
				_t88 =  *(_t60 + 8) & 0x00000005 | 0x00000008;
				if(_t61 == 0) {
					L13:
					_t106 = 0;
					L3:
					_v24 = _t106;
					_v8 = 0;
					if(_t106 == 0) {
						_t106 = 0;
					} else {
						_t68 =  *0xf4f0cc; // 0x0
						 *((intOrPtr*)(_t106 + 0xc)) = _t68;
						_t94 = 0xf4f0f0;
						 *_t106 = 0xf06a5c;
						 *((intOrPtr*)(_t106 + 4)) = 0xf068c4;
						 *((intOrPtr*)(_t106 + 8)) = 0xf069b0;
						 *((intOrPtr*)(_t106 + 0x10)) = 0;
						 *((intOrPtr*)(_t106 + 0x14)) = 0;
						 *((intOrPtr*)(_t106 + 0x18)) = 0;
						 *((intOrPtr*)(_t106 + 0x1c)) = 0;
						 *((intOrPtr*)(_t106 + 0x20)) = 0;
						 *((intOrPtr*)(_t106 + 0x24)) = 0;
						 *((intOrPtr*)(_t106 + 0x28)) = 0;
						asm("lock xadd [edx], eax");
						asm("lock xadd [eax], ecx");
						_t88 = 2;
					}
					_v8 = 0xffffffff;
					if(_t106 == 0) {
						goto L21;
					}
					_push(_a24);
					_push(_a20);
					_t98 =  *((intOrPtr*)( *_t106));
					_push(_t106);
					if(_t98 != E00F06AA0) {
						 *0xf512c4();
						_t64 =  *_t98();
					} else {
						_t64 = E00F06AA0(_t88);
					}
					_t99 = _t64;
					if(_t99 < 0) {
						_t90 =  *0xf4f0cc; // 0x0
						E00F04A17(_t90, _t106);
						__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t99);
						__imp__?Write@CMemoryLog@@QAEXJ@Z();
					}
					_t66 =  *0xf4f014; // 0xf4f014
					if(_t66 != 0xf4f014 && ( *(_t66 + 0x1c) & 0x00000004) != 0) {
						__eflags =  *((char*)(_t66 + 0x19)) - 2;
						if( *((char*)(_t66 + 0x19)) >= 2) {
							_t27 = _t66 + 0x14; // 0x20000000
							_t94 = 0xf2cfec;
							_t28 = _t66 + 0x10; // 0x40000000
							E00F32A46(0x38, 0xf2cfec,  *_t28,  *_t27, _t99);
						}
					}
					_t50 = _t99;
					goto L12;
				}
				_t106 = HeapAlloc(_t61, _t88, 0x2c);
				if(_t106 == 0) {
					_t72 = E00F48131();
					__eflags = _t72;
					if(_t72 != 0) {
						goto L13;
					}
				}
				goto L3;
			}

APIs
  • memcmp.MSVCRT ref: 00F07DC7
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,0000002C,0BD26E8F), ref: 00F07DF4
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,00000000,?,0BD26E8F), ref: 00F2C089
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,0BD26E8F), ref: 00F2C091
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$AllocHeapObject@@Write@memcmp
  • String ID:
  • API String ID: 2990538600-0
  • Opcode ID: 4b82800b95d3cc8c6809577fdf2d6caaa44f429c9dfee91ed17a3467c3bdbf1a
  • Instruction ID: 35392e16bff00358f61d69b109659b9564b9ce45e4959336c446972599bf4fcc
  • Opcode Fuzzy Hash: 4b82800b95d3cc8c6809577fdf2d6caaa44f429c9dfee91ed17a3467c3bdbf1a
  • Instruction Fuzzy Hash: 7F71F035A01755DBC7259F18DD04B2ABBA1EF85324F1081A9E9069B3E2C779EC05FBD0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,?), ref: 00F3B719
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00F3B80C
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F3B824
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3B82C
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3B85E
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3B866
Similarity
  • API ID: Log@@Memory$CommitObjectObject@@Write@
  • String ID:
  • API String ID: 570967217-0
  • Opcode ID: ea6bde7d997d739d6b24608c1497188fec85e4194c04b9b39c881625cca2b2f4
  • Instruction ID: ff5309d235340bc5cd35c797525f6f1ca06dcd601edb2a9dd51dfd66d716bd91
  • Opcode Fuzzy Hash: ea6bde7d997d739d6b24608c1497188fec85e4194c04b9b39c881625cca2b2f4
  • Instruction Fuzzy Hash: 2D51A236A00209FFDF1A9F94DC58FEABB66FF49320F004158FA1956161D732A925FB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?), ref: 00F3BF75
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,00000000,?,?,00F04ED8,00000004,?,?), ref: 00F3C046
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F3C054
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3C05C
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3C08E
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3C096
Similarity
  • API ID: Log@@Memory$CommitObjectObject@@Write@
  • String ID:
  • API String ID: 570967217-0
  • Opcode ID: a566e9884d73f7deb53df0fb33ad3d0c179066e07352f5b024d8720bba3c8d74
  • Instruction ID: 3f1804f72e1f34fea29e28857e9656c357b96d119f4cd51ff0caca33b12e08df
  • Opcode Fuzzy Hash: a566e9884d73f7deb53df0fb33ad3d0c179066e07352f5b024d8720bba3c8d74
  • Instruction Fuzzy Hash: 18516176600209FFCB1A9F94CC44FEABB76FF49310F048154FA1997161C732A965EB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?), ref: 00F3C136
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,00000000,?,?,00F04EE8,00000003,?,?,?,?), ref: 00F3C1FF
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,?,?,?,?,?,?,?,?), ref: 00F3C20D
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,?,?,?,?,?,?,?), ref: 00F3C215
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3C247
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3C24F
Similarity
  • API ID: Log@@Memory$CommitObjectObject@@Write@
  • String ID:
  • API String ID: 570967217-0
  • Opcode ID: 100f17c39727e81a64dddfc18955d4437cf3852cdb69976c59d3e55b16cb8dbb
  • Instruction ID: 879ec1ab6942151ff3553f23c29c84c9efac63b6015193e65ab33f67e0f340f7
  • Opcode Fuzzy Hash: 100f17c39727e81a64dddfc18955d4437cf3852cdb69976c59d3e55b16cb8dbb
  • Instruction Fuzzy Hash: 5E519571A00209BFDB1A9FA4CC44FEBBB76FF49314F044165FA19A6161C732A925EBD0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?), ref: 00F3B906
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,00000000,00000000,?,00F04ED8,00000004,?,?,?,?), ref: 00F3B9CC
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F3B9DA
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3B9E2
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3BA14
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3BA1C
Similarity
  • API ID: Log@@Memory$CommitObjectObject@@Write@
  • String ID:
  • API String ID: 570967217-0
  • Opcode ID: 8c6ba4ae13c9efbb0c0ecc6115bdb2c65e99c4f97fc4c85ecfbd892d3605edb3
  • Instruction ID: e2407b7751ba4c514d9b5a37ddbb5c294f02b6a21fe2a0ab5b8243f516c061de
  • Opcode Fuzzy Hash: 8c6ba4ae13c9efbb0c0ecc6115bdb2c65e99c4f97fc4c85ecfbd892d3605edb3
  • Instruction Fuzzy Hash: F751B071A00609BFCF1A8F94CC48FEABBB6FF49310F044165FB0996161D736A965EB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 62%
			E00F22D6F(unsigned char* __ebx, void* __edx, void* __esi, void* __eflags) {
				signed int _v16;
				intOrPtr _v24;
				char _v56;
				signed int _v76;
				char _v116;
				signed int _v136;
				char _v176;
				signed int _t19;
				signed int _t23;
				intOrPtr* _t26;
				signed int _t27;
				intOrPtr _t31;
				char* _t34;
				char* _t36;
				intOrPtr _t37;
				void* _t39;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t49;
				void* _t52;

				_t52 = __eflags;
				_t33 = _v24;
				E00F22EFD(__ebx, _v24, 1, 0);
				_push(0);
				_push(0);
				L00F23426();
				asm("int3");
				0;
				0;
				_t43 = _t48;
				_t49 = _t48 - 0x2c;
				_t19 =  *0xf4f1a4; // 0xbd26e8f
				_v16 = _t19 ^ _t43;
				_t34 =  &_v56;
				E00F22A50(_t34, _t33);
				_push(0xf4de44);
				_push( &_v56);
				L00F23426();
				asm("int3");
				_push(_t43);
				_t44 = _t49;
				_t23 =  *0xf4f1a4; // 0xbd26e8f
				_v76 = _t23 ^ _t44;
				_push(_t34);
				E00F22AC0(__ebx,  &_v116, _t39, __esi, _t52);
				_push(0xf22dec);
				_t26 =  &_v116;
				_push(_t26);
				L00F23426();
				asm("int3");
				 *_t26 =  *_t26 + _t26;
				 *_t26 =  *_t26 + _t26;
				 *__ebx =  *__ebx >> 1;
				asm("repne add [eax], al");
				 *_t26 =  *_t26 + _t26;
				 *_t26 =  *_t26 + _t26;
				asm("fdivrp st4, st0");
				 *((intOrPtr*)(_t26 - 0x6f6f6f70)) =  *((intOrPtr*)(_t26 - 0x6f6f6f70)) + __edx;
				0;
				0;
				0;
				_push(_t44);
				_t45 = _t49 - 0x2c;
				_t27 =  *0xf4f1a4; // 0xbd26e8f
				_v136 = _t27 ^ _t45;
				_t36 =  &_v176;
				E00F22B40(_t36,  &_v116);
				_push(0xf4de64);
				_push( &_v176);
				L00F23426();
				asm("int3");
				_push(_t45);
				_t31 = _v176;
				 *((intOrPtr*)(_t36 + 0x14)) = _t31;
				if( *((intOrPtr*)(_t36 + 0x18)) < 0x10) {
					_t37 = _t36 + 4;
					__eflags = _t37;
				} else {
					_t37 =  *((intOrPtr*)(_t36 + 4));
				}
				 *((char*)(_t37 + _t31)) = 0;
				return _t31;
			}

APIs
    • Part of subcall function 00F22EFD: memcpy_s.MSVCRT ref: 00F22F24
  • _CxxThrowException.MSVCRT(00000000,00000000), ref: 00F22D7F
  • std::bad_exception::bad_exception.LIBCMT ref: 00F22DA6
  • _CxxThrowException.MSVCRT(?,00F4DE44), ref: 00F22DB4
    • Part of subcall function 00F22AC0: ??0exception@@QAE@ABV0@@Z.MSVCRT(?), ref: 00F22AD5
  • _CxxThrowException.MSVCRT(?,00F22DEC), ref: 00F22DE4
  • std::bad_exception::bad_exception.LIBCMT ref: 00F22E26
  • _CxxThrowException.MSVCRT(?,00F4DE64), ref: 00F22E34
Similarity
  • API ID: ExceptionThrow$std::bad_exception::bad_exception$??0exception@@V0@@memcpy_s
  • String ID:
  • API String ID: 1756578156-0
  • Opcode ID: 90aa31f9c54f6b2491a6005c9636ed5b6a24e4c1bdc35cffaffc68ebb1222360
  • Instruction ID: 2b91e98b9a56233ddc1d5c230d34fbea1767066f8bff3d74309ea23454d040de
  • Opcode Fuzzy Hash: 90aa31f9c54f6b2491a6005c9636ed5b6a24e4c1bdc35cffaffc68ebb1222360
  • Instruction Fuzzy Hash: 2D11D371D0834C6FC705EBB4DC46E8ABB789F46300F5044A6E520BB192D968AD08D765
Uniqueness

Uniqueness Score: -1.00%

APIs
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?), ref: 00F3F46B
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041013), ref: 00F3F47E
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3F486
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(?,00000000,?), ref: 00F3F4BC
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F3F4DC
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3F4E4
    • Part of subcall function 00F404B0: EtwTraceMessage.NTDLL ref: 00F404CD
Similarity
  • API ID: Log@@Memory$ObjectObject@@SingleWaitWrite@$MessageTrace
  • String ID:
  • API String ID: 581779049-0
  • Opcode ID: 2d568ff7b899c65123643dac40bb573b08aeaaea4687aa0badd779fb0386a61c
  • Instruction ID: 4559d7e590f9de6580a1fd806b9e775c421d92e6eaacc1aa1463cd4e15efd3b5
  • Opcode Fuzzy Hash: 2d568ff7b899c65123643dac40bb573b08aeaaea4687aa0badd779fb0386a61c
  • Instruction Fuzzy Hash: 2D31B434E00248ABCB258F14EA08B5A7B63BB45336F154074EE05972B3C73ADD59BBA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 46%
			E00F2DFE3(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				char _v48;
				char _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				void* _v308;
				intOrPtr _t47;
				void* _t50;
				void* _t53;
				long _t64;
				intOrPtr _t69;
				long _t71;
				signed int _t72;
				void* _t81;
				signed int _t82;
				intOrPtr _t83;
				int _t84;
				void* _t89;

				_v12 = _v12 & 0x00000000;
				_t83 = _a4;
				_t69 = __ecx;
				_v20 = __ecx;
				_t81 = E00F2EAF6(_t83);
				if(_t81 == 0) {
					_t84 = 0;
					__eflags = 0;
					L38:
					return _t84;
				}
				_v296 =  *((intOrPtr*)(_t81 + 0x40));
				_v308 =  *((intOrPtr*)(_t83 + 0x18));
				_v292 =  *((intOrPtr*)(_t81 + 0x3c));
				_v304 =  *((intOrPtr*)(_t69 + 0x40));
				_v300 =  *((intOrPtr*)(_t81 + 0x4c));
				_v16 = 0x3a;
				_t84 = E00F2E706(_t69,  &_v288,  &_v16);
				_v5 = 1;
				while(_t84 == 0) {
					_t71 = _v16 + 5;
					_t82 =  *0xf530b4(_t71,  &_v308, _t84,  *_a8, 0x1cff);
					if(_t82 == 0) {
						L34:
						_t84 = 0;
						_t47 = 0;
						__eflags = 0;
						_v5 = 0;
						L35:
						if(_t47 == 0) {
							goto L38;
						}
						continue;
					}
					_t89 = _t82 - 1;
					if(_t89 == 0) {
						L33:
						_t47 = _v5;
						_t84 = 0x8000000c;
						goto L35;
					}
					if(_t89 <= 0) {
						L16:
						__eflags = _t82 - _t71;
						if(__eflags == 0) {
							while(1) {
								_t50 =  *0xf530a0( &_v48, 0, 0, 0, 0);
								__eflags = _t50 - 1;
								if(_t50 != 1) {
									break;
								}
								_t53 =  *0xf53098( &_v48, 0, 0, 0);
								__eflags = _t53 - 1;
								if(_t53 == 1) {
									 *0xf530a4( &_v48);
									 *0xf5309c( &_v48);
								}
							}
							_t82 = WaitForMultipleObjectsEx(_t71,  &_v308, 0, 0, 0);
							__eflags = _t82;
							if(_t82 == 0) {
								goto L34;
							}
							__eflags = _t82 - 1;
							if(__eflags == 0) {
								goto L33;
							}
							if(__eflags <= 0) {
								L29:
								__eflags = _t82 - _t71;
								L30:
								if(__eflags >= 0) {
									_t47 = _v5;
									_t84 = 0x80000004;
									goto L35;
								}
								_t84 = E00F2F17D(_v20,  &(( &_v308)[_t82]));
								L13:
								_t47 = _v5;
								goto L35;
							}
							__eflags = _t82 - 3;
							if(_t82 <= 3) {
								L15:
								_t84 = 0x8000000b;
								goto L13;
							}
							__eflags = _t82 - 4;
							if(_t82 == 4) {
								L14:
								_t84 = 0x8000000d;
								goto L13;
							}
							__eflags = _t82 - 0x102;
							if(_t82 == 0x102) {
								L12:
								_t84 = 1;
								__eflags = 1;
								goto L13;
							}
							__eflags = _t82 - 0xffffffff;
							if(_t82 != 0xffffffff) {
								goto L29;
							}
							_t64 = GetLastError();
							__eflags = _t64 - 8;
							if(_t64 == 8) {
								L11:
								_t72 = _v12;
								asm("sbb eax, eax");
								Sleep( ~_t72 & 0x0000000a);
								_v12 = _t72 ^ 0x00000001;
								goto L13;
							}
							goto L29;
						}
						goto L30;
					}
					if(_t82 <= 3) {
						goto L15;
					}
					if(_t82 == 4) {
						goto L14;
					}
					if(_t82 == 0x102) {
						goto L12;
					}
					if(_t82 != 0xffffffff || GetLastError() != 8) {
						goto L16;
					} else {
						goto L11;
					}
				}
				goto L38;
			}

APIs
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,00000000,?), ref: 00F2E0AD
  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,?,00000000,?), ref: 00F2E0C5
  • WaitForMultipleObjectsEx.API-MS-WIN-CORE-SYNCH-L1-2-0(00000035,?,00000000,00000000,00000000,?,00000000,?), ref: 00F2E13F
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,00000000,?), ref: 00F2E16D
Strings
Similarity
  • API ID: ErrorLast$MultipleObjectsSleepWait
  • String ID: :
  • API String ID: 2323490255-336475711
  • Opcode ID: e1da766298cf72e6caeda82657eee5ce2bb22bb90c2c28fa723614679f794bf1
  • Instruction ID: a0f02833640b8eb32f7dc98dab2245dc929f1bd540cb549dce295f24b2bf2242
  • Opcode Fuzzy Hash: e1da766298cf72e6caeda82657eee5ce2bb22bb90c2c28fa723614679f794bf1
  • Instruction Fuzzy Hash: 1D511B72E002289BDB21CBA8EC846FEB7BDFB49320F24417AE915D3340D6749D51EB61
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,?,?,00F2DA51,CreateInstanceEnumAsync,00000000,00000000), ref: 00F3F15A
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,?,00F2DA51,CreateInstanceEnumAsync,00000000,00000000), ref: 00F3F162
    • Part of subcall function 00F3F527: EtwTraceMessage.NTDLL ref: 00F3F5F6
Strings
Similarity
  • API ID: Log@@Memory$MessageObject@@TraceWrite@
  • String ID: Operation$Provider$Provider Subsystem Error Report
  • API String ID: 1702877992-1271437390
  • Opcode ID: c7da73c1bfac03b0dc9f14250cef60c9b1a3cf619b1b0a29769c2d710b32c812
  • Instruction ID: bea1ad5be9becf443799d1170d3356bf602096aa297c087a03e31b70d1bd4497
  • Opcode Fuzzy Hash: c7da73c1bfac03b0dc9f14250cef60c9b1a3cf619b1b0a29769c2d710b32c812
  • Instruction Fuzzy Hash: 6D516D71604345AFD714EF28ED49E6B7BA9FF88724F044468FA45972A1CB70EC08EB61
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetPreferredLanguages@CMUILocale@@SGJKPAPAGPAK@Z.WBEMCOMN(00000040,00000000,00000000), ref: 00F17851
  • ?SetPreferredLanguages@CMUILocale@@SGJKPBGPAK@Z.WBEMCOMN(00000008,?,00000000), ref: 00F17881
  • ?_Free@CMUILocale@@SGHPAX@Z.WBEMCOMN(00000000), ref: 00F29F22
Strings
  • __ClientPreferredLanguages, xrefs: 00F1781C
Similarity
  • API ID: Locale@@$Languages@Preferred$Free@
  • String ID: __ClientPreferredLanguages
  • API String ID: 2631867714-2977330997
  • Opcode ID: cbd502f558041f638bd96a0e36877d02e1517a719a5e8bc9c4a77e878bc1679a
  • Instruction ID: 7a4d32eac9c0c940ab762a2105b79ae2688283d495601a757520a95433d8b80d
  • Opcode Fuzzy Hash: cbd502f558041f638bd96a0e36877d02e1517a719a5e8bc9c4a77e878bc1679a
  • Instruction Fuzzy Hash: F741B272E04319AFDB10DF95D848BDEBBB8FB44721F20422AE905E7280D774AD44EB90
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00F30699: ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F306CA
    • Part of subcall function 00F30699: ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F306D2
    • Part of subcall function 00F3070E: GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000104,00000540,00F30581,Microsoft WMI Provider Subsystem Host,00000000,00000000), ref: 00F3075E
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,Microsoft WMI Provider Subsystem Secured Host,-secured,00000001), ref: 00F305A7
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F305AF
Strings
  • Microsoft WMI Provider Subsystem Secured Host, xrefs: 00F30593
  • -secured, xrefs: 00F3058E
  • Microsoft WMI Provider Subsystem Host, xrefs: 00F30574
Similarity
  • API ID: Log@@Memory$Object@@Write@$FileModuleName
  • String ID: -secured$Microsoft WMI Provider Subsystem Host$Microsoft WMI Provider Subsystem Secured Host
  • API String ID: 3174849260-268285720
  • Opcode ID: 912632695865922259d129a8be81e9fb6ffee46c49bbb3af2d3104527ae4ca6a
  • Instruction ID: 7d7618d27961e766c10665294888ecb8e40ce2fdc85f6dc924c12f13c710c259
  • Opcode Fuzzy Hash: 912632695865922259d129a8be81e9fb6ffee46c49bbb3af2d3104527ae4ca6a
  • Instruction Fuzzy Hash: A701D635A0071067D766AA2C9D1AB9F3D029B83B34F0A0452FD049F3E3CEA6D845BAD5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00F121FE() {
				int _v8;
				char _v12;
				void* _v16;
				int _v20;
				signed int _t14;
				signed int _t15;
				int _t24;

				 *0xf4f0bc = 0x8000;
				_t14 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Wbem\\Cimom", 0, 0x20119,  &_v16);
				if(_t14 == 0) {
					_v12 = _v12 & _t14;
					_t24 = 4;
					_v8 = _t24;
					_v20 = _t24;
					if(RegQueryValueExW(_v16, L"DefaultRpcStackSize", 0,  &_v8,  &_v12,  &_v20) == 0) {
						if(_v8 == _t24) {
							 *0xf4f0bc = _v12 << 0xa;
						}
					}
					RegCloseKey(_v16);
				}
				_t15 =  *0xf4f0bc; // 0x0
				return _t15;
			}

APIs
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Wbem\Cimom,00000000,00020119,?,?,?,?,00F132B0), ref: 00F12225
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultRpcStackSize,00000000,00F132B0,?,?,00000000,?,?,?,00F132B0), ref: 00F12252
  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00F132B0), ref: 00F12263
Strings
  • Software\Microsoft\Wbem\Cimom, xrefs: 00F1221B
  • DefaultRpcStackSize, xrefs: 00F1224A
Similarity
  • API ID: CloseOpenQueryValue
  • String ID: DefaultRpcStackSize$Software\Microsoft\Wbem\Cimom
  • API String ID: 3677997916-1710159536
  • Opcode ID: c77de11e2a858c41ce092a6440ab4d4a091a289939675c38d6bd25956ed36fa7
  • Instruction ID: f535f086a5aca5bc0460d1f66982d9805568c48ac4892d542a0143669e755d6c
  • Opcode Fuzzy Hash: c77de11e2a858c41ce092a6440ab4d4a091a289939675c38d6bd25956ed36fa7
  • Instruction Fuzzy Hash: A6014C7690024CFBEB108B95EC05FAEBBB8FB80711F1081AAEA11A2150D7709A54EB51
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00F13925() {
				void* _v8;
				int _v12;
				int _v16;
				char _t10;
				int _t11;

				 *0xf4f040 = 0x40000;
				if(RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\WBEM\\CIMOM", 0, 0x20119,  &_v8) == 0) {
					_t11 = 4;
					_v16 = _t11;
					_v12 = _t11;
					RegQueryValueExW(_v8, L"Sink Transmit Buffer Size", 0,  &_v16, 0xf4f040,  &_v12);
					RegCloseKey(_v8);
				}
				_t10 =  *0xf4f040; // 0x40000
				return _t10;
			}

APIs
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\WBEM\CIMOM,00000000,00020119,00F132AB,?,?,00F132AB), ref: 00F1394C
  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F132AB,Sink Transmit Buffer Size,00000000,?,00F4F040,?,?,?,00F132AB), ref: 00F13976
  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00F132AB,?,?,00F132AB), ref: 00F1397F
Strings
  • Sink Transmit Buffer Size, xrefs: 00F1396E
  • Software\Microsoft\WBEM\CIMOM, xrefs: 00F13942
Similarity
  • API ID: CloseOpenQueryValue
  • String ID: Sink Transmit Buffer Size$Software\Microsoft\WBEM\CIMOM
  • API String ID: 3677997916-3607532515
  • Opcode ID: b1b0a002005552623014163c4813bf888cf2143e4e39c3aeafbb5bf93223f1c1
  • Instruction ID: 5f0333c5ee01d50c3cd57322e634bc01f803e8395c02dce57b89dea72c897016
  • Opcode Fuzzy Hash: b1b0a002005552623014163c4813bf888cf2143e4e39c3aeafbb5bf93223f1c1
  • Instruction Fuzzy Hash: F0F01D75A4030CBBD710CB95EC0AF99BBBCF744705F5000A5FB08F5191D7B06A54AB55
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 26%
			E00F27749(void* __eflags) {
				intOrPtr _t315;
				void* _t319;
				intOrPtr _t321;
				void* _t322;
				long _t327;
				intOrPtr _t328;
				intOrPtr _t333;
				void* _t334;
				void* _t335;
				void* _t346;
				intOrPtr _t349;
				void* _t350;
				intOrPtr _t353;
				signed int _t370;
				intOrPtr* _t371;
				signed int _t374;
				intOrPtr _t385;
				intOrPtr _t391;
				void* _t394;
				void* _t397;
				void* _t400;
				void* _t403;
				void* _t408;
				void* _t420;
				signed int _t424;
				signed int _t427;
				signed int _t428;
				signed int _t436;
				signed int _t446;
				signed int _t450;
				intOrPtr _t465;
				void* _t467;
				intOrPtr _t470;
				signed int _t475;
				signed int _t481;
				long _t483;
				signed int _t484;
				void* _t485;
				long _t487;
				void* _t488;
				void* _t489;
				signed int _t490;
				signed int _t491;
				void* _t492;
				signed int _t493;
				long _t494;
				long _t506;
				void* _t521;
				void* _t528;
				void* _t546;
				long _t553;
				signed int _t555;
				void* _t558;
				void* _t578;
				void* _t602;
				intOrPtr _t604;
				void* _t605;
				long _t606;
				long _t607;
				intOrPtr* _t608;
				long _t610;
				intOrPtr _t615;
				void* _t616;
				void* _t623;
				long _t633;
				intOrPtr* _t635;
				void* _t636;
				long _t638;
				void* _t643;
				signed int _t644;
				signed int _t645;
				signed int _t651;
				void* _t653;

				_t483 =  *(_t651 - 0xe0);
				 *(_t651 - 0xc0) =  *(_t651 - 0x100);
				_t604 =  *((intOrPtr*)(_t651 - 0xc8));
				 *(__ebp - 4) = 0xffffffff;
				__edx =  *((intOrPtr*)(__ebp - 0xb8));
				__ecx =  *((intOrPtr*)(__ebp - 0xb4));
				__eax = E00F47D18( *((intOrPtr*)(__ebp - 0xb4)),  *((intOrPtr*)(__ebp - 0xb8)));
				__edx =  *((intOrPtr*)(__ebp - 0xe4));
				__ecx =  *((intOrPtr*)(__ebp - 0xd4));
				__eax = E00F1A856( *((intOrPtr*)(__ebp - 0xd4)), __edx,  *((intOrPtr*)(__ebp - 0xf8)));
				__eax =  *((intOrPtr*)(__ebp - 0xbc));
				__ecx =  *__eax;
				__esi =  *((intOrPtr*)( *__eax + 8));
				__ecx = __esi;
				__eax =  *0xf512c4(__eax);
				__eax =  *__esi();
				 *(_t651 - 0xf4) = 0;
				_t635 =  *((intOrPtr*)( *_t483));
				_t495 = _t635;
				 *0xf512c4(_t483, 0xf07c5c, _t651 - 0xf4);
				_t484 =  *_t635();
				_t315 =  *0xf4f014; // 0xf4f014
				if(_t315 != 0xf4f014 && ( *(_t315 + 0x1c) & 0x00000004) != 0) {
					__eflags =  *((char*)(_t315 + 0x19)) - 5;
					if( *((char*)(_t315 + 0x19)) >= 5) {
						_t129 = _t315 + 0x14; // 0x20000000
						_t130 = _t315 + 0x10; // 0x40000000
						_t581 = 0xf212f8;
						_t495 = 0x16;
						E00F32A46(0x16, 0xf212f8,  *_t130,  *_t129, _t484);
						_t315 =  *0xf4f014; // 0xf4f014
					}
				}
				if(_t484 < 0) {
					__eflags =  *(_t604 + 0x7b4);
					if( *(_t604 + 0x7b4) != 0) {
						L164:
						__eflags =  *(_t604 + 0x6f4);
						if( *(_t604 + 0x6f4) != 0) {
							L169:
							_t484 = 0x80041013;
							goto L170;
						}
						__eflags =  *(_t604 + 0x760);
						if( *(_t604 + 0x760) != 0) {
							goto L169;
						}
						__eflags =  *(_t604 + 0x798);
						if( *(_t604 + 0x798) != 0) {
							goto L169;
						}
						__eflags =  *(_t604 + 0x7d4);
						if( *(_t604 + 0x7d4) != 0) {
							goto L169;
						}
						_t484 = 0;
						goto L60;
					}
					__eflags =  *(_t604 + 0x7ec);
					if( *(_t604 + 0x7ec) == 0) {
						goto L169;
					}
					goto L164;
				} else {
					if( *(_t604 + 0x668) != 0) {
						__eflags =  *(_t604 + 0x664);
						if(__eflags == 0) {
							goto L5;
						}
						_t428 = E00F19D72(_t495, __eflags, 0x18);
						_t653 = _t653 + 4;
						_t493 = _t428;
						 *(_t651 - 0xb8) = _t428;
						 *(_t651 - 0xe8) = _t493;
						 *(_t651 - 4) = 4;
						__eflags = _t493;
						if(_t493 == 0) {
							_t493 = 0;
							__eflags = 0;
							 *(_t651 - 0xb8) = 0;
							 *(_t651 - 0xe0) = 0;
						} else {
							 *_t493 = 0xf06520;
							 *(_t493 + 4) = 0;
							 *(_t493 + 8) = 0;
							 *(_t493 + 0xc) = 0;
							 *(_t493 + 0x10) = 0;
							 *(_t493 + 0x14) = 0;
							 *(_t651 - 0xe0) = _t428;
						}
						 *(_t651 - 4) = 0xffffffff;
						__eflags = _t493;
						if(_t493 == 0) {
							L76:
							_t484 = 0x80041006;
							L58:
							_t319 =  *(_t651 - 0xf4);
							 *0xf512c4(_t319);
							_t315 =  *((intOrPtr*)( *((intOrPtr*)( *_t319 + 8))))();
							if(_t484 < 0) {
								L170:
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t484);
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
							}
							_t315 =  *0xf4f014; // 0xf4f014
							L60:
							if(_t315 != 0xf4f014 && ( *(_t315 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t315 + 0x19)) - 2;
								if( *((char*)(_t315 + 0x19)) >= 2) {
									_t309 = _t315 + 0x14; // 0x20000000
									_t310 = _t315 + 0x10; // 0x40000000
									_t581 = 0xf212f8;
									E00F32A46(0x1b, 0xf212f8,  *_t310,  *_t309, _t484);
								}
							}
							 *[fs:0x0] =  *((intOrPtr*)(_t651 - 0xc));
							_pop(_t605);
							_pop(_t636);
							_pop(_t485);
							return E00F01CA0(_t484, _t485,  *(_t651 - 0x14) ^ _t651, _t581, _t605, _t636);
						} else {
							 *0xf512c4(_t493);
							 *((intOrPtr*)( *((intOrPtr*)( *_t493 + 4))))();
							_t552 = _t493;
							_t484 = E00F405E1(_t493,  *((intOrPtr*)(_t604 + 0x6e8)));
							__eflags = _t484;
							if(__eflags < 0) {
								L125:
								_t553 =  *(_t651 - 0xb8);
								 *0xf512c4(_t553);
								 *((intOrPtr*)( *((intOrPtr*)( *_t553 + 8))))();
								goto L5;
							}
							_t436 = E00F19D72(_t552, __eflags, 0x18);
							_t653 = _t653 + 4;
							 *(_t651 - 0xe8) = _t436;
							 *(_t651 - 4) = 5;
							__eflags = _t436;
							if(_t436 == 0) {
								_t555 = 0;
								__eflags = 0;
								 *(_t651 - 0xbc) = 0;
							} else {
								_t481 = E00F404DF(_t436,  *(_t651 - 0xb8));
								_t555 = _t481;
								 *(_t651 - 0xbc) = _t481;
							}
							 *(_t651 - 4) = 0xffffffff;
							__eflags = _t555;
							if(_t555 == 0) {
								_t484 = 0x80041006;
								goto L125;
							} else {
								 *0xf512c4(_t555);
								 *((intOrPtr*)( *((intOrPtr*)( *_t555 + 4))))();
								 *(_t651 - 0xf8) = 0;
								 *(_t651 - 0x104) = 0;
								 *(_t651 - 0xcc) = 0;
								_t581 = _t651 - 0xcc;
								_t484 = E00F066C5(_t651 - 0x104, _t651 - 0xcc, _t651 - 0xf8, 0);
								__eflags = _t484;
								if(_t484 < 0) {
									L123:
									_t558 =  *(_t651 - 0xbc);
									 *0xf512c4(_t558);
									 *((intOrPtr*)( *((intOrPtr*)( *_t558 + 8))))();
									goto L125;
								}
								 *(_t651 - 0xec) = 0;
								 *(_t651 - 0xb4) = 0;
								_t643 = 3;
								 *(_t651 - 0xe4) = 3;
								 *(_t651 - 0xd4) = 0;
								_t446 =  *0xf53038(0xf03a60, _t651 - 0xd4);
								__eflags = _t446;
								if(_t446 >= 0) {
									_t484 =  *0xf53030();
									__eflags = _t484;
									if(_t484 >= 0) {
										 *(_t651 - 0xe4) = E00F07D03();
										 *0xf5302c();
									}
									_t578 =  *(_t651 - 0xd4);
									 *0xf512c4(_t578);
									 *((intOrPtr*)( *((intOrPtr*)( *_t578 + 8))))();
									_t643 =  *(_t651 - 0xe4);
								}
								__eflags = _t484;
								if(_t484 >= 0) {
									_t602 =  *(_t651 - 0xf4);
									_push(_t651 - 0xec);
									_push(_t651 - 0xb4);
									__eflags = _t643 - 2;
									if(__eflags != 0) {
										_t475 = E00F47DE6(0xf07c5c, _t602, __eflags);
									} else {
										_t475 = E00F47ECE(0xf07c5c, _t602, __eflags);
									}
									_t484 = _t475;
								}
								__eflags = _t484 - 0x80041002;
								if(_t484 != 0x80041002) {
									__eflags = _t484;
									if(_t484 < 0) {
										_t644 =  *(_t651 - 0xd8);
										goto L121;
									}
									_t645 =  *(_t651 - 0xb4);
									 *(_t651 - 0xe8) = _t645;
									_t484 = E00F47D61(_t645, E00F07D03());
									__eflags = _t484;
									if(_t484 < 0) {
										_t644 =  *(_t651 - 0xd8);
									} else {
										 *(_t651 - 4) = 8;
										asm("sbb eax, eax");
										 *0xf512c4( *(_t651 - 0xe8), 0, 0,  *((intOrPtr*)(_t651 - 0xc4)),  ~( *(_t604 + 0x66c)) &  *(_t651 - 0xc0),  *((intOrPtr*)(_t651 - 0xf0)),  *((intOrPtr*)(_t651 - 0xfc)),  *(_t651 - 0xbc));
										_t484 =  *((intOrPtr*)( *((intOrPtr*)( *_t645 + 0xc))))();
										 *(_t651 - 0xdc) = _t484;
										 *(_t651 - 4) = 0xffffffff;
										_t644 =  *(_t651 - 0xd8);
										_t465 =  *0xf4f014; // 0xf4f014
										__eflags = _t465 - 0xf4f014;
										if(_t465 != 0xf4f014) {
											__eflags =  *(_t465 + 0x1c) & 0x00000004;
											if(( *(_t465 + 0x1c) & 0x00000004) != 0) {
												__eflags =  *((char*)(_t465 + 0x19)) - 5;
												if( *((char*)(_t465 + 0x19)) >= 5) {
													_t206 = _t465 + 0x14; // 0x20000000
													_t207 = _t465 + 0x10; // 0x40000000
													E00F32A46(0x18, 0xf212f8,  *_t207,  *_t206, _t484);
												}
											}
										}
									}
									E00F47D18( *(_t651 - 0xb4),  *(_t651 - 0xec));
									goto L117;
								} else {
									 *(_t651 - 4) = 6;
									asm("sbb ecx, ecx");
									_t467 =  *(_t651 - 0xf4);
									 *0xf512c4(_t467, 0, 0,  *((intOrPtr*)(_t651 - 0xc4)),  ~( *(_t604 + 0x66c)) &  *(_t651 - 0xc0),  *((intOrPtr*)(_t651 - 0xf0)),  *((intOrPtr*)(_t651 - 0xfc)),  *(_t651 - 0xbc));
									_t484 =  *((intOrPtr*)( *((intOrPtr*)( *_t467 + 0xc))))();
									 *(_t651 - 0xdc) = _t484;
									_t470 =  *0xf4f014; // 0xf4f014
									__eflags = _t470 - 0xf4f014;
									if(_t470 != 0xf4f014) {
										__eflags =  *(_t470 + 0x1c) & 0x00000004;
										if(( *(_t470 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t470 + 0x19)) - 5;
											if( *((char*)(_t470 + 0x19)) >= 5) {
												_t184 = _t470 + 0x14; // 0x20000000
												_t185 = _t470 + 0x10; // 0x40000000
												E00F32A46(0x17, 0xf212f8,  *_t185,  *_t184, _t484);
											}
										}
									}
									 *(_t651 - 4) = 0xffffffff;
									_t644 =  *(_t651 - 0xd8);
									 *0xf5302c();
									L117:
									__eflags = _t484;
									if(_t484 < 0) {
										L121:
										asm("sbb edx, edx");
										asm("sbb ecx, ecx");
										asm("sbb eax, eax");
										_t450 =  ~( *(_t604 + 0x668)) &  *(_t651 - 0xd0);
										__eflags = _t450;
										__imp__WmiSetAndCommitObject( *0xf4f760, 1,  *((intOrPtr*)(_t651 - 0xc4)),  *((intOrPtr*)(_t604 + 0x38)), _t450,  ~( *(_t604 + 0x66c)) &  *(_t651 - 0xc0),  ~_t644 & _t651 - 0x000000b0, _t484);
										_t653 = _t653 + 0x20;
										_t484 = 0x80041013;
										L122:
										_t581 =  *(_t651 - 0xcc);
										E00F1A856( *(_t651 - 0x104),  *(_t651 - 0xcc),  *(_t651 - 0xf8));
										goto L123;
									}
									_t494 =  *(_t651 - 0xb8);
									E00F32161(_t494,  *((intOrPtr*)(_t604 + 0x694)));
									_t484 =  *(_t494 + 0x10);
									__eflags = _t484;
									if(_t484 < 0) {
										goto L121;
									}
									asm("sbb edx, edx");
									asm("sbb ecx, ecx");
									asm("sbb eax, eax");
									__imp__WmiSetAndCommitObject( *0xf4f764, 1,  *((intOrPtr*)(_t651 - 0xc4)),  *((intOrPtr*)(_t604 + 0x38)),  ~( *(_t604 + 0x668)) &  *(_t651 - 0xd0),  ~( *(_t604 + 0x66c)) &  *(_t651 - 0xc0),  ~_t644 & _t651 - 0x000000b0);
									_t653 = _t653 + 0x1c;
									goto L122;
								}
							}
						}
						L65:
						_t638 = 0;
						L8:
						 *(_t651 - 0xe8) = _t638;
						 *(_t651 - 4) = 0xa;
						if(_t638 == 0) {
							_t638 = 0;
						} else {
							 *_t638 = 0xf06520;
							 *(_t638 + 4) = 0;
							 *(_t638 + 8) = 0;
							 *(_t638 + 0xc) = 0;
							 *(_t638 + 0x10) = 0;
							 *(_t638 + 0x14) = 0;
						}
						 *(_t651 - 0xe0) = _t638;
						 *(_t651 - 4) = 0xffffffff;
						if(_t638 == 0) {
							goto L76;
						} else {
							_t606 =  *( *_t638 + 4);
							_t507 = _t606;
							 *0xf512c4(_t638);
							 *_t606();
							_t607 =  *( *((intOrPtr*)(_t651 - 0xc8)) + 0x6e8);
							_t327 = CreateEventW(0, 0, 0, 0);
							 *(_t638 + 0xc) = _t327;
							if(_t327 == 0) {
								_t484 = 0x80041006;
								L129:
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t484);
								_t507 = _t327;
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
								L13:
								_t328 =  *0xf4f014; // 0xf4f014
								if(_t328 != 0xf4f014 && ( *(_t328 + 0x1c) & 0x00000004) != 0) {
									__eflags =  *((char*)(_t328 + 0x19)) - 2;
									if( *((char*)(_t328 + 0x19)) >= 2) {
										_t238 = _t328 + 0x14; // 0x20000000
										_t239 = _t328 + 0x10; // 0x40000000
										_t581 = 0xf212e8;
										_t507 = 0xa;
										E00F32A46(0xa, 0xf212e8,  *_t239,  *_t238, _t484);
									}
								}
								if(_t484 < 0) {
									L56:
									_t107 =  *_t638 + 8; // 0x0
									_t608 =  *_t107;
									_push(_t638);
									if(_t608 != E00F0C4C0) {
										 *0xf512c4();
										 *_t608();
									} else {
										E00F0C4C0(_t507, _t581);
									}
									goto L58;
								} else {
									_t333 =  *0xf4f0cc; // 0x0
									_t507 =  *(_t333 + 8) & 0x00000005 | 0x00000008;
									_t334 =  *(_t333 + 4);
									if(_t334 == 0) {
										L70:
										_t487 = 0;
										 *(_t651 - 0xb8) = 0;
										L18:
										 *(_t651 - 0xe8) = _t487;
										 *(_t651 - 4) = 0xb;
										if(_t487 == 0) {
											_t487 = 0;
											 *(_t651 - 0xb8) = 0;
										} else {
											 *_t487 = 0xf06484;
											 *(_t487 + 4) = 0;
											 *(_t487 + 8) = 0;
											 *(_t487 + 0xc) = 0;
											 *(_t487 + 0x10) = 0;
											 *(_t487 + 0x14) = _t638;
											_t581 = 0xf4f0f8;
											asm("lock xadd [edx], eax");
											asm("lock xadd [eax], ecx");
											_t507 =  *(_t487 + 0x14);
											if(_t507 != 0) {
												_t420 =  *_t507;
												_t40 = _t420 + 4; // 0x0
												_t633 =  *_t40;
												_t507 = _t633;
												 *0xf512c4(_t507);
												 *_t633();
											}
										}
										 *(_t651 - 0xcc) = _t487;
										 *(_t651 - 4) = 0xffffffff;
										if(_t487 == 0) {
											_t484 = 0x80041006;
											goto L56;
										}
										_t335 =  *_t487;
										_t43 = _t335 + 4; // 0x0
										 *0xf512c4(_t487);
										 *((intOrPtr*)( *_t43))();
										 *(_t651 - 0xe8) = 0;
										 *(_t651 - 0x108) = 0;
										 *(_t651 - 0xf8) = 0;
										_t581 = _t651 - 0xf8;
										_t484 = E00F066C5(_t651 - 0x108, _t651 - 0xf8, _t651 - 0xe8, 0);
										if(_t484 < 0) {
											L54:
											_t507 =  *(_t651 - 0xb8);
											_t610 =  *( *_t507 + 8);
											_push(_t507);
											if(_t610 != E00F0C400) {
												_t507 = _t610;
												 *0xf512c4();
												 *_t610();
											} else {
												E00F0C400();
											}
											goto L56;
										}
										 *(_t651 - 0xb4) = 0;
										 *(_t651 - 0xbc) = 0;
										_t488 = 3;
										 *(_t651 - 0x104) = 0;
										_push(_t651 - 0x104);
										_push(0xf03a60);
										if( *0xf53038() < 0) {
											L27:
											_t346 =  *(_t651 - 0xf4);
											 *(_t651 - 0xd4) = _t346;
											 *(_t651 - 0xb4) = 0;
											 *(_t651 - 0xe4) = 0;
											 *0xf512c4(_t346, 0xf07c5c, _t651 - 0xe4);
											_t489 =  *((intOrPtr*)( *( *_t346)))();
											if(_t489 < 0) {
												L32:
												if(_t489 != 0x80041002) {
													_t490 = 0x8004100a;
													goto L144;
												}
												goto L33;
											} else {
												 *(_t651 - 0xec) = 0;
												_t394 =  *(_t651 - 0xd4);
												 *0xf512c4(_t394, E00F06690, _t651 - 0xec);
												_t492 =  *((intOrPtr*)( *( *_t394)))();
												if(_t492 >= 0) {
													_t397 =  *(_t651 - 0xec);
													 *0xf512c4(_t397,  *(_t651 - 0xd4), _t651 - 0xbc);
													_t489 =  *((intOrPtr*)( *((intOrPtr*)( *_t397 + 0x14))))();
													_t400 =  *(_t651 - 0xec);
													 *0xf512c4(_t400);
													 *((intOrPtr*)( *((intOrPtr*)( *_t400 + 8))))();
												} else {
													if(_t492 == 0x80004002) {
														_t489 = 0x80041002;
													}
												}
												_t403 =  *(_t651 - 0xe4);
												 *0xf512c4(_t403);
												 *((intOrPtr*)( *((intOrPtr*)( *_t403 + 8))))();
												if(_t489 >= 0) {
													_t490 =  *0xf53030();
													__eflags = _t490;
													if(_t490 < 0) {
														_t490 = 0x80041003;
														L143:
														E00F47D18( *(_t651 - 0xbc),  *(_t651 - 0xb4));
														goto L144;
													}
													 *(_t651 - 0xb4) = 1;
													_t408 = E00F07D03();
													__eflags = _t408 - 3;
													if(_t408 != 3) {
														__eflags = _t408 - 4;
														if(_t408 != 4) {
															_t653 = _t653 - 0x14;
															_t490 = E00F4D336( *(_t651 - 0xbc));
														}
													}
													__eflags = _t490;
													if(_t490 >= 0) {
														goto L144;
													} else {
														goto L143;
													}
												}
												goto L32;
											}
										} else {
											if( *0xf53030() >= 0) {
												_t488 = E00F07D03();
												 *0xf5302c();
											}
											_t546 =  *(_t651 - 0x104);
											 *0xf512c4(_t546);
											 *((intOrPtr*)( *((intOrPtr*)( *_t546 + 8))))();
											if(_t488 == 2) {
												_t490 = E00F47ECE(0xf07c5c,  *(_t651 - 0xf4), __eflags, _t651 - 0xbc, _t651 - 0xb4);
												L144:
												__eflags = _t490 - 0x80041002;
												if(_t490 == 0x80041002) {
													L33:
													 *(_t651 - 4) = 0xc;
													_t349 =  *((intOrPtr*)(_t651 - 0xc8));
													if( *((intOrPtr*)(_t349 + 0x66c)) != 0) {
														_t491 =  *(_t651 - 0xc0);
													} else {
														_t491 = 0;
													}
													asm("sbb edx, edx");
													_t581 =  ~( *(_t349 + 0x668)) &  *(_t651 - 0xd0);
													_t350 =  *(_t651 - 0xf4);
													 *0xf512c4(_t350,  ~( *(_t349 + 0x668)) &  *(_t651 - 0xd0), 0,  *((intOrPtr*)(_t651 - 0xc4)), _t491,  *((intOrPtr*)(_t651 - 0xf0)),  *((intOrPtr*)(_t651 - 0xfc)),  *(_t651 - 0xb8));
													_t490 =  *((intOrPtr*)( *((intOrPtr*)( *_t350 + 0xc))))();
													 *(_t651 - 0xdc) = _t490;
													_t353 =  *0xf4f014; // 0xf4f014
													if(_t353 != 0xf4f014 && ( *(_t353 + 0x1c) & 0x00000004) != 0) {
														__eflags =  *((char*)(_t353 + 0x19)) - 5;
														if( *((char*)(_t353 + 0x19)) >= 5) {
															_t270 = _t353 + 0x14; // 0x20000000
															_t271 = _t353 + 0x10; // 0x40000000
															_t581 = 0xf212f8;
															E00F32A46(0x19, 0xf212f8,  *_t271,  *_t270, _t490);
														}
													}
													 *(_t651 - 4) = 0xffffffff;
													_t615 =  *((intOrPtr*)(_t651 - 0xc8));
													 *0xf5302c();
													L39:
													if(_t490 < 0) {
														L158:
														asm("sbb edx, edx");
														_t581 =  ~( *(_t651 - 0xd8)) & _t651 - 0x000000b0;
														asm("sbb ecx, ecx");
														asm("sbb eax, eax");
														__imp__WmiSetAndCommitObject( *0xf4f760, 1,  *((intOrPtr*)(_t651 - 0xc4)),  *((intOrPtr*)(_t615 + 0x38)),  ~( *(_t615 + 0x668)) &  *(_t651 - 0xd0),  ~( *(_t615 + 0x66c)) &  *(_t651 - 0xc0),  ~( *(_t651 - 0xd8)) & _t651 - 0x000000b0, _t490);
														_t484 = 0x80041013;
														L47:
														 *(_t651 - 0xe4) =  *(_t651 - 0xf8);
														_t616 =  *(_t651 - 0x108);
														 *(_t651 - 0xb4) = _t616;
														 *(_t651 - 0xd4) = 0;
														_push(_t651 - 0xd4);
														_push(_t616);
														if( *0xf53034() >= 0) {
															if(_t616 != 0 &&  *(_t651 - 0xe8) != 0) {
																 *(_t651 - 0xcc) = 0;
																 *0xf512c4( *(_t651 - 0xb4), 0xf068b0, _t651 - 0xcc);
																_t370 =  *((intOrPtr*)( *( *_t616)))();
																__eflags = _t370;
																if(_t370 >= 0) {
																	_t371 =  *(_t651 - 0xcc);
																	 *0xf512c4(_t371);
																	 *((intOrPtr*)( *((intOrPtr*)( *_t371 + 0x10))))();
																	_t374 =  *(_t651 - 0xcc);
																	 *0xf512c4(_t374);
																	 *((intOrPtr*)( *((intOrPtr*)( *_t374 + 8))))();
																}
																_t616 =  *(_t651 - 0xb4);
															}
															_t521 =  *(_t651 - 0xe4);
															if(_t521 != 0) {
																 *0xf512c4(_t521);
																 *((intOrPtr*)( *((intOrPtr*)( *_t521 + 8))))();
																_t616 =  *(_t651 - 0xb4);
															}
														}
														if(_t616 != 0) {
															 *0xf512c4(_t616);
															 *((intOrPtr*)( *((intOrPtr*)( *_t616 + 8))))();
														}
														goto L54;
													}
													if(WaitForSingleObject( *(_t638 + 0xc),  *(_t615 + 0x694)) == 0x102) {
														 *(_t638 + 0x10) = 0x80041013;
													}
													_t490 =  *(_t638 + 0x10);
													if(_t490 < 0) {
														goto L158;
													} else {
														if( *(_t651 - 0xd8) != 0) {
															_t528 = _t651 - 0xb0;
														} else {
															_t528 = 0;
														}
														if( *(_t615 + 0x66c) == 0) {
															 *(_t651 - 0xc0) = 0;
														}
														asm("sbb eax, eax");
														__imp__WmiSetAndCommitObject( *0xf4f764, 1,  *((intOrPtr*)(_t651 - 0xc4)),  *((intOrPtr*)(_t615 + 0x38)),  ~( *(_t615 + 0x668)) &  *(_t651 - 0xd0),  *(_t651 - 0xc0), _t528);
														goto L47;
													}
												}
												__eflags = _t490;
												if(_t490 < 0) {
													_t615 =  *((intOrPtr*)(_t651 - 0xc8));
													goto L158;
												}
												_t623 =  *(_t651 - 0xbc);
												 *(_t651 - 0xd4) = _t623;
												_t490 = E00F47D61(_t623, E00F07D03());
												__eflags = _t490;
												if(_t490 < 0) {
													_t615 =  *((intOrPtr*)(_t651 - 0xc8));
													L155:
													_t581 =  *(_t651 - 0xb4);
													E00F47D18( *(_t651 - 0xbc),  *(_t651 - 0xb4));
													goto L39;
												}
												 *(_t651 - 4) = 0xe;
												_t385 =  *((intOrPtr*)(_t651 - 0xc8));
												asm("sbb edx, edx");
												asm("sbb eax, eax");
												 *0xf512c4( *(_t651 - 0xd4),  ~( *(_t385 + 0x668)) &  *(_t651 - 0xd0), 0,  *((intOrPtr*)(_t651 - 0xc4)),  ~( *(_t385 + 0x66c)) &  *(_t651 - 0xc0),  *((intOrPtr*)(_t651 - 0xf0)),  *((intOrPtr*)(_t651 - 0xfc)),  *(_t651 - 0xb8));
												_t490 =  *((intOrPtr*)( *((intOrPtr*)( *_t623 + 0xc))))();
												 *(_t651 - 0xdc) = _t490;
												 *(_t651 - 4) = 0xffffffff;
												_t615 =  *((intOrPtr*)(_t651 - 0xc8));
												_t391 =  *0xf4f014; // 0xf4f014
												__eflags = _t391 - 0xf4f014;
												if(_t391 == 0xf4f014) {
													goto L155;
												} else {
													__eflags =  *(_t391 + 0x1c) & 0x00000004;
													if(( *(_t391 + 0x1c) & 0x00000004) == 0) {
														goto L155;
													}
													__eflags =  *((char*)(_t391 + 0x19)) - 5;
													if( *((char*)(_t391 + 0x19)) < 5) {
														goto L155;
													}
													_t277 = _t391 + 0x14; // 0x20000000
													_t278 = _t391 + 0x10; // 0x40000000
													E00F32A46(0x1a, 0xf212f8,  *_t278,  *_t277, _t490);
													_t581 =  *(_t651 - 0xb4);
													E00F47D18( *(_t651 - 0xbc),  *(_t651 - 0xb4));
													goto L39;
												}
											}
											goto L27;
										}
									}
									_t487 = HeapAlloc(_t334, _t507, 0x18);
									 *(_t651 - 0xb8) = _t487;
									if(_t487 == 0) {
										_t424 = E00F48131();
										__eflags = _t424;
										if(_t424 != 0) {
											goto L70;
										}
									}
									goto L18;
								}
							}
							if(_t607 != 0) {
								_t236 = _t638 + 0x14; // 0x14
								_t581 = _t236;
								_t507 = _t607;
								_t327 = E00F47FFF(_t607, _t236);
								_t484 = _t327;
								__eflags = _t484;
								if(_t484 >= 0) {
									goto L13;
								}
								goto L129;
							}
							goto L13;
						}
					}
					L5:
					if(_t484 < 0) {
						goto L58;
					}
					_t321 =  *0xf4f0cc; // 0x0
					_t506 =  *(_t321 + 8) & 0x00000005 | 0x00000008;
					_t322 =  *(_t321 + 4);
					if(_t322 == 0) {
						goto L65;
					}
					_t638 = HeapAlloc(_t322, _t506, 0x18);
					if(_t638 == 0) {
						_t427 = E00F48131();
						__eflags = _t427;
						if(_t427 != 0) {
							goto L65;
						}
					}
					goto L8;
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07470
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000), ref: 00F074F5
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07549
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?), ref: 00F077EE
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,00F07BF8,?,?,00000000), ref: 00F07855
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AllocHeapObject$CommitCreateEventSingleWait
  • String ID:
  • API String ID: 3803894061-0
  • Opcode ID: c1e70eca2092f92876c57272254c9ff82aa8ef7803fab0378c70d4581eefa695
  • Instruction ID: 4b721b8606ebef3cc408f8442b0682033ec15158fe52cdb74ac0a93b8365e185
  • Opcode Fuzzy Hash: c1e70eca2092f92876c57272254c9ff82aa8ef7803fab0378c70d4581eefa695
  • Instruction Fuzzy Hash: D5F19E70A003198FDB20DF54CD94BAAB7F5BF44324F1481E8DA09A72A1CB75AD85EF90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 25%
			E00F276E0() {
				void* _t311;
				intOrPtr _t317;
				void* _t321;
				intOrPtr _t323;
				void* _t324;
				long _t329;
				intOrPtr _t330;
				intOrPtr _t335;
				void* _t336;
				void* _t337;
				void* _t348;
				intOrPtr _t351;
				void* _t352;
				intOrPtr _t355;
				signed int _t372;
				intOrPtr* _t373;
				signed int _t376;
				intOrPtr _t387;
				intOrPtr _t393;
				void* _t396;
				void* _t399;
				void* _t402;
				signed int _t405;
				void* _t410;
				void* _t422;
				signed int _t426;
				signed int _t429;
				signed int _t430;
				signed int _t438;
				signed int _t448;
				signed int _t452;
				intOrPtr _t467;
				void* _t469;
				intOrPtr _t472;
				signed int _t477;
				signed int _t483;
				long _t485;
				signed int _t486;
				void* _t487;
				long _t489;
				signed int _t490;
				void* _t491;
				signed int _t492;
				signed int _t493;
				void* _t494;
				signed int _t495;
				long _t496;
				long _t511;
				signed int _t526;
				void* _t533;
				void* _t551;
				long _t558;
				signed int _t560;
				void* _t563;
				void* _t583;
				void* _t607;
				intOrPtr _t609;
				void* _t610;
				long _t611;
				long _t612;
				intOrPtr* _t613;
				long _t615;
				intOrPtr _t620;
				void* _t621;
				void* _t628;
				long _t638;
				intOrPtr* _t642;
				void* _t643;
				long _t645;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t658;
				void* _t660;

				_t485 =  *(_t658 - 0xe0);
				 *(_t658 - 0xc0) =  *(_t658 - 0x100);
				_t609 =  *((intOrPtr*)(_t658 - 0xc8));
				 *(_t658 - 4) = 0xffffffff;
				 *0xf5302c();
				_t586 =  *(_t658 - 0xe4);
				E00F1A856( *(_t658 - 0xd4),  *(_t658 - 0xe4),  *(_t658 - 0xf8));
				_t311 =  *(_t658 - 0xbc);
				 *0xf512c4(_t311);
				 *((intOrPtr*)( *((intOrPtr*)( *_t311 + 8))))();
				 *(_t658 - 0xf4) = 0;
				_t642 =  *((intOrPtr*)( *_t485));
				_t500 = _t642;
				 *0xf512c4(_t485, 0xf07c5c, _t658 - 0xf4);
				_t486 =  *_t642();
				_t317 =  *0xf4f014; // 0xf4f014
				if(_t317 != 0xf4f014 && ( *(_t317 + 0x1c) & 0x00000004) != 0) {
					__eflags =  *((char*)(_t317 + 0x19)) - 5;
					if( *((char*)(_t317 + 0x19)) >= 5) {
						_t127 = _t317 + 0x14; // 0x20000000
						_t128 = _t317 + 0x10; // 0x40000000
						_t586 = 0xf212f8;
						_t500 = 0x16;
						E00F32A46(0x16, 0xf212f8,  *_t128,  *_t127, _t486);
						_t317 =  *0xf4f014; // 0xf4f014
					}
				}
				if(_t486 < 0) {
					__eflags =  *(_t609 + 0x7b4);
					if( *(_t609 + 0x7b4) != 0) {
						L162:
						__eflags =  *(_t609 + 0x6f4);
						if( *(_t609 + 0x6f4) != 0) {
							L167:
							_t486 = 0x80041013;
							goto L168;
						}
						__eflags =  *(_t609 + 0x760);
						if( *(_t609 + 0x760) != 0) {
							goto L167;
						}
						__eflags =  *(_t609 + 0x798);
						if( *(_t609 + 0x798) != 0) {
							goto L167;
						}
						__eflags =  *(_t609 + 0x7d4);
						if( *(_t609 + 0x7d4) != 0) {
							goto L167;
						}
						_t486 = 0;
						goto L60;
					}
					__eflags =  *(_t609 + 0x7ec);
					if( *(_t609 + 0x7ec) == 0) {
						goto L167;
					}
					goto L162;
				} else {
					if( *(_t609 + 0x668) != 0) {
						__eflags =  *(_t609 + 0x664);
						if(__eflags == 0) {
							goto L5;
						}
						_t430 = E00F19D72(_t500, __eflags, 0x18);
						_t660 = _t660 + 4;
						_t495 = _t430;
						 *(_t658 - 0xb8) = _t430;
						 *(_t658 - 0xe8) = _t495;
						 *(_t658 - 4) = 4;
						__eflags = _t495;
						if(_t495 == 0) {
							_t495 = 0;
							__eflags = 0;
							 *(_t658 - 0xb8) = 0;
							 *(_t658 - 0xe0) = 0;
						} else {
							 *_t495 = 0xf06520;
							 *(_t495 + 4) = 0;
							 *(_t495 + 8) = 0;
							 *(_t495 + 0xc) = 0;
							 *(_t495 + 0x10) = 0;
							 *(_t495 + 0x14) = 0;
							 *(_t658 - 0xe0) = _t430;
						}
						 *(_t658 - 4) = 0xffffffff;
						__eflags = _t495;
						if(_t495 == 0) {
							L76:
							_t486 = 0x80041006;
							L58:
							_t321 =  *(_t658 - 0xf4);
							 *0xf512c4(_t321);
							_t317 =  *((intOrPtr*)( *((intOrPtr*)( *_t321 + 8))))();
							if(_t486 < 0) {
								L168:
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t486);
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
							}
							_t317 =  *0xf4f014; // 0xf4f014
							L60:
							if(_t317 != 0xf4f014 && ( *(_t317 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t317 + 0x19)) - 2;
								if( *((char*)(_t317 + 0x19)) >= 2) {
									_t307 = _t317 + 0x14; // 0x20000000
									_t308 = _t317 + 0x10; // 0x40000000
									_t586 = 0xf212f8;
									E00F32A46(0x1b, 0xf212f8,  *_t308,  *_t307, _t486);
								}
							}
							 *[fs:0x0] =  *((intOrPtr*)(_t658 - 0xc));
							_pop(_t610);
							_pop(_t643);
							_pop(_t487);
							return E00F01CA0(_t486, _t487,  *(_t658 - 0x14) ^ _t658, _t586, _t610, _t643);
						} else {
							 *0xf512c4(_t495);
							 *((intOrPtr*)( *((intOrPtr*)( *_t495 + 4))))();
							_t557 = _t495;
							_t486 = E00F405E1(_t495,  *((intOrPtr*)(_t609 + 0x6e8)));
							__eflags = _t486;
							if(__eflags < 0) {
								L123:
								_t558 =  *(_t658 - 0xb8);
								 *0xf512c4(_t558);
								 *((intOrPtr*)( *((intOrPtr*)( *_t558 + 8))))();
								goto L5;
							}
							_t438 = E00F19D72(_t557, __eflags, 0x18);
							_t660 = _t660 + 4;
							 *(_t658 - 0xe8) = _t438;
							 *(_t658 - 4) = 5;
							__eflags = _t438;
							if(_t438 == 0) {
								_t560 = 0;
								__eflags = 0;
								 *(_t658 - 0xbc) = 0;
							} else {
								_t483 = E00F404DF(_t438,  *(_t658 - 0xb8));
								_t560 = _t483;
								 *(_t658 - 0xbc) = _t483;
							}
							 *(_t658 - 4) = 0xffffffff;
							__eflags = _t560;
							if(_t560 == 0) {
								_t486 = 0x80041006;
								goto L123;
							} else {
								 *0xf512c4(_t560);
								 *((intOrPtr*)( *((intOrPtr*)( *_t560 + 4))))();
								 *(_t658 - 0xf8) = 0;
								 *(_t658 - 0x104) = 0;
								 *(_t658 - 0xcc) = 0;
								_t586 = _t658 - 0xcc;
								_t486 = E00F066C5(_t658 - 0x104, _t658 - 0xcc, _t658 - 0xf8, 0);
								__eflags = _t486;
								if(_t486 < 0) {
									L121:
									_t563 =  *(_t658 - 0xbc);
									 *0xf512c4(_t563);
									 *((intOrPtr*)( *((intOrPtr*)( *_t563 + 8))))();
									goto L123;
								}
								 *(_t658 - 0xec) = 0;
								 *(_t658 - 0xb4) = 0;
								_t650 = 3;
								 *(_t658 - 0xe4) = 3;
								 *(_t658 - 0xd4) = 0;
								_t448 =  *0xf53038(0xf03a60, _t658 - 0xd4);
								__eflags = _t448;
								if(_t448 >= 0) {
									_t486 =  *0xf53030();
									__eflags = _t486;
									if(_t486 >= 0) {
										 *(_t658 - 0xe4) = E00F07D03();
										 *0xf5302c();
									}
									_t583 =  *(_t658 - 0xd4);
									 *0xf512c4(_t583);
									 *((intOrPtr*)( *((intOrPtr*)( *_t583 + 8))))();
									_t650 =  *(_t658 - 0xe4);
								}
								__eflags = _t486;
								if(_t486 >= 0) {
									_t607 =  *(_t658 - 0xf4);
									_push(_t658 - 0xec);
									_push(_t658 - 0xb4);
									__eflags = _t650 - 2;
									if(__eflags != 0) {
										_t477 = E00F47DE6(0xf07c5c, _t607, __eflags);
									} else {
										_t477 = E00F47ECE(0xf07c5c, _t607, __eflags);
									}
									_t486 = _t477;
								}
								__eflags = _t486 - 0x80041002;
								if(_t486 != 0x80041002) {
									__eflags = _t486;
									if(_t486 < 0) {
										_t651 =  *(_t658 - 0xd8);
										goto L119;
									}
									_t652 =  *(_t658 - 0xb4);
									 *(_t658 - 0xe8) = _t652;
									_t486 = E00F47D61(_t652, E00F07D03());
									__eflags = _t486;
									if(_t486 < 0) {
										_t651 =  *(_t658 - 0xd8);
									} else {
										 *(_t658 - 4) = 8;
										asm("sbb eax, eax");
										 *0xf512c4( *(_t658 - 0xe8), 0, 0,  *((intOrPtr*)(_t658 - 0xc4)),  ~( *(_t609 + 0x66c)) &  *(_t658 - 0xc0),  *((intOrPtr*)(_t658 - 0xf0)),  *((intOrPtr*)(_t658 - 0xfc)),  *(_t658 - 0xbc));
										_t486 =  *((intOrPtr*)( *((intOrPtr*)( *_t652 + 0xc))))();
										 *(_t658 - 0xdc) = _t486;
										 *(_t658 - 4) = 0xffffffff;
										_t651 =  *(_t658 - 0xd8);
										_t467 =  *0xf4f014; // 0xf4f014
										__eflags = _t467 - 0xf4f014;
										if(_t467 != 0xf4f014) {
											__eflags =  *(_t467 + 0x1c) & 0x00000004;
											if(( *(_t467 + 0x1c) & 0x00000004) != 0) {
												__eflags =  *((char*)(_t467 + 0x19)) - 5;
												if( *((char*)(_t467 + 0x19)) >= 5) {
													_t204 = _t467 + 0x14; // 0x20000000
													_t205 = _t467 + 0x10; // 0x40000000
													E00F32A46(0x18, 0xf212f8,  *_t205,  *_t204, _t486);
												}
											}
										}
									}
									E00F47D18( *(_t658 - 0xb4),  *(_t658 - 0xec));
									goto L115;
								} else {
									 *(_t658 - 4) = 6;
									asm("sbb ecx, ecx");
									_t469 =  *(_t658 - 0xf4);
									 *0xf512c4(_t469, 0, 0,  *((intOrPtr*)(_t658 - 0xc4)),  ~( *(_t609 + 0x66c)) &  *(_t658 - 0xc0),  *((intOrPtr*)(_t658 - 0xf0)),  *((intOrPtr*)(_t658 - 0xfc)),  *(_t658 - 0xbc));
									_t486 =  *((intOrPtr*)( *((intOrPtr*)( *_t469 + 0xc))))();
									 *(_t658 - 0xdc) = _t486;
									_t472 =  *0xf4f014; // 0xf4f014
									__eflags = _t472 - 0xf4f014;
									if(_t472 != 0xf4f014) {
										__eflags =  *(_t472 + 0x1c) & 0x00000004;
										if(( *(_t472 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *((char*)(_t472 + 0x19)) - 5;
											if( *((char*)(_t472 + 0x19)) >= 5) {
												_t182 = _t472 + 0x14; // 0x20000000
												_t183 = _t472 + 0x10; // 0x40000000
												E00F32A46(0x17, 0xf212f8,  *_t183,  *_t182, _t486);
											}
										}
									}
									 *(_t658 - 4) = 0xffffffff;
									_t651 =  *(_t658 - 0xd8);
									 *0xf5302c();
									L115:
									__eflags = _t486;
									if(_t486 < 0) {
										L119:
										asm("sbb edx, edx");
										asm("sbb ecx, ecx");
										asm("sbb eax, eax");
										_t452 =  ~( *(_t609 + 0x668)) &  *(_t658 - 0xd0);
										__eflags = _t452;
										__imp__WmiSetAndCommitObject( *0xf4f760, 1,  *((intOrPtr*)(_t658 - 0xc4)),  *((intOrPtr*)(_t609 + 0x38)), _t452,  ~( *(_t609 + 0x66c)) &  *(_t658 - 0xc0),  ~_t651 & _t658 - 0x000000b0, _t486);
										_t660 = _t660 + 0x20;
										_t486 = 0x80041013;
										L120:
										_t586 =  *(_t658 - 0xcc);
										E00F1A856( *(_t658 - 0x104),  *(_t658 - 0xcc),  *(_t658 - 0xf8));
										goto L121;
									}
									_t496 =  *(_t658 - 0xb8);
									E00F32161(_t496,  *((intOrPtr*)(_t609 + 0x694)));
									_t486 =  *(_t496 + 0x10);
									__eflags = _t486;
									if(_t486 < 0) {
										goto L119;
									}
									asm("sbb edx, edx");
									asm("sbb ecx, ecx");
									asm("sbb eax, eax");
									__imp__WmiSetAndCommitObject( *0xf4f764, 1,  *((intOrPtr*)(_t658 - 0xc4)),  *((intOrPtr*)(_t609 + 0x38)),  ~( *(_t609 + 0x668)) &  *(_t658 - 0xd0),  ~( *(_t609 + 0x66c)) &  *(_t658 - 0xc0),  ~_t651 & _t658 - 0x000000b0);
									_t660 = _t660 + 0x1c;
									goto L120;
								}
							}
						}
						L65:
						_t645 = 0;
						L8:
						 *(_t658 - 0xe8) = _t645;
						 *(_t658 - 4) = 0xa;
						if(_t645 == 0) {
							_t645 = 0;
						} else {
							 *_t645 = 0xf06520;
							 *(_t645 + 4) = 0;
							 *(_t645 + 8) = 0;
							 *(_t645 + 0xc) = 0;
							 *(_t645 + 0x10) = 0;
							 *(_t645 + 0x14) = 0;
						}
						 *(_t658 - 0xe0) = _t645;
						 *(_t658 - 4) = 0xffffffff;
						if(_t645 == 0) {
							goto L76;
						} else {
							_t611 =  *( *_t645 + 4);
							_t512 = _t611;
							 *0xf512c4(_t645);
							 *_t611();
							_t612 =  *( *((intOrPtr*)(_t658 - 0xc8)) + 0x6e8);
							_t329 = CreateEventW(0, 0, 0, 0);
							 *(_t645 + 0xc) = _t329;
							if(_t329 == 0) {
								_t486 = 0x80041006;
								L127:
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t486);
								_t512 = _t329;
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
								L13:
								_t330 =  *0xf4f014; // 0xf4f014
								if(_t330 != 0xf4f014 && ( *(_t330 + 0x1c) & 0x00000004) != 0) {
									__eflags =  *((char*)(_t330 + 0x19)) - 2;
									if( *((char*)(_t330 + 0x19)) >= 2) {
										_t236 = _t330 + 0x14; // 0x20000000
										_t237 = _t330 + 0x10; // 0x40000000
										_t586 = 0xf212e8;
										_t512 = 0xa;
										E00F32A46(0xa, 0xf212e8,  *_t237,  *_t236, _t486);
									}
								}
								if(_t486 < 0) {
									L56:
									_t108 =  *_t645 + 8; // 0x0
									_t613 =  *_t108;
									_push(_t645);
									if(_t613 != E00F0C4C0) {
										 *0xf512c4();
										 *_t613();
									} else {
										E00F0C4C0(_t512, _t586);
									}
									goto L58;
								} else {
									_t335 =  *0xf4f0cc; // 0x0
									_t512 =  *(_t335 + 8) & 0x00000005 | 0x00000008;
									_t336 =  *(_t335 + 4);
									if(_t336 == 0) {
										L70:
										_t489 = 0;
										 *(_t658 - 0xb8) = 0;
										L18:
										 *(_t658 - 0xe8) = _t489;
										 *(_t658 - 4) = 0xb;
										if(_t489 == 0) {
											_t489 = 0;
											 *(_t658 - 0xb8) = 0;
										} else {
											 *_t489 = 0xf06484;
											 *(_t489 + 4) = 0;
											 *(_t489 + 8) = 0;
											 *(_t489 + 0xc) = 0;
											 *(_t489 + 0x10) = 0;
											 *(_t489 + 0x14) = _t645;
											_t586 = 0xf4f0f8;
											asm("lock xadd [edx], eax");
											asm("lock xadd [eax], ecx");
											_t512 =  *(_t489 + 0x14);
											if(_t512 != 0) {
												_t422 =  *_t512;
												_t41 = _t422 + 4; // 0x0
												_t638 =  *_t41;
												_t512 = _t638;
												 *0xf512c4(_t512);
												 *_t638();
											}
										}
										 *(_t658 - 0xcc) = _t489;
										 *(_t658 - 4) = 0xffffffff;
										if(_t489 == 0) {
											_t486 = 0x80041006;
											goto L56;
										} else {
											_t337 =  *_t489;
											_t44 = _t337 + 4; // 0x0
											 *0xf512c4(_t489);
											 *((intOrPtr*)( *_t44))();
											 *(_t658 - 0xe8) = 0;
											 *(_t658 - 0x108) = 0;
											 *(_t658 - 0xf8) = 0;
											_t586 = _t658 - 0xf8;
											_t486 = E00F066C5(_t658 - 0x108, _t658 - 0xf8, _t658 - 0xe8, 0);
											if(_t486 < 0) {
												L54:
												_t512 =  *(_t658 - 0xb8);
												_t615 =  *( *_t512 + 8);
												_push(_t512);
												if(_t615 != E00F0C400) {
													_t512 = _t615;
													 *0xf512c4();
													 *_t615();
												} else {
													E00F0C400();
												}
												goto L56;
											}
											 *(_t658 - 0xb4) = 0;
											 *(_t658 - 0xbc) = 0;
											_t490 = 3;
											 *(_t658 - 0x104) = 0;
											_push(_t658 - 0x104);
											_push(0xf03a60);
											if( *0xf53038() < 0) {
												L27:
												_t348 =  *(_t658 - 0xf4);
												 *(_t658 - 0xd4) = _t348;
												 *(_t658 - 0xb4) = 0;
												 *(_t658 - 0xe4) = 0;
												 *0xf512c4(_t348, 0xf07c5c, _t658 - 0xe4);
												_t491 =  *((intOrPtr*)( *( *_t348)))();
												if(_t491 < 0) {
													L32:
													if(_t491 != 0x80041002) {
														_t492 = 0x8004100a;
														goto L142;
													}
													goto L33;
												} else {
													 *(_t658 - 0xec) = 0;
													_t396 =  *(_t658 - 0xd4);
													 *0xf512c4(_t396, E00F06690, _t658 - 0xec);
													_t494 =  *((intOrPtr*)( *( *_t396)))();
													if(_t494 >= 0) {
														_t399 =  *(_t658 - 0xec);
														 *0xf512c4(_t399,  *(_t658 - 0xd4), _t658 - 0xbc);
														_t491 =  *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0x14))))();
														_t402 =  *(_t658 - 0xec);
														 *0xf512c4(_t402);
														 *((intOrPtr*)( *((intOrPtr*)( *_t402 + 8))))();
													} else {
														if(_t494 == 0x80004002) {
															_t491 = 0x80041002;
														}
													}
													_t405 =  *(_t658 - 0xe4);
													 *0xf512c4(_t405);
													 *((intOrPtr*)( *((intOrPtr*)( *_t405 + 8))))();
													if(_t491 >= 0) {
														_t492 =  *0xf53030();
														__eflags = _t492;
														if(_t492 < 0) {
															_t492 = 0x80041003;
															L141:
															E00F47D18( *(_t658 - 0xbc),  *(_t658 - 0xb4));
															goto L142;
														}
														 *(_t658 - 0xb4) = 1;
														_t410 = E00F07D03();
														__eflags = _t410 - 3;
														if(_t410 != 3) {
															__eflags = _t410 - 4;
															if(_t410 != 4) {
																_t660 = _t660 - 0x14;
																_t492 = E00F4D336( *(_t658 - 0xbc));
															}
														}
														__eflags = _t492;
														if(_t492 >= 0) {
															goto L142;
														} else {
															goto L141;
														}
													}
													goto L32;
												}
											} else {
												if( *0xf53030() >= 0) {
													_t490 = E00F07D03();
													 *0xf5302c();
												}
												_t551 =  *(_t658 - 0x104);
												 *0xf512c4(_t551);
												 *((intOrPtr*)( *((intOrPtr*)( *_t551 + 8))))();
												if(_t490 == 2) {
													_t492 = E00F47ECE(0xf07c5c,  *(_t658 - 0xf4), __eflags, _t658 - 0xbc, _t658 - 0xb4);
													L142:
													__eflags = _t492 - 0x80041002;
													if(_t492 == 0x80041002) {
														L33:
														 *(_t658 - 4) = 0xc;
														_t351 =  *((intOrPtr*)(_t658 - 0xc8));
														if( *((intOrPtr*)(_t351 + 0x66c)) != 0) {
															_t493 =  *(_t658 - 0xc0);
														} else {
															_t493 = 0;
														}
														asm("sbb edx, edx");
														_t586 =  ~( *(_t351 + 0x668)) &  *(_t658 - 0xd0);
														_t352 =  *(_t658 - 0xf4);
														 *0xf512c4(_t352,  ~( *(_t351 + 0x668)) &  *(_t658 - 0xd0), 0,  *((intOrPtr*)(_t658 - 0xc4)), _t493,  *((intOrPtr*)(_t658 - 0xf0)),  *((intOrPtr*)(_t658 - 0xfc)),  *(_t658 - 0xb8));
														_t492 =  *((intOrPtr*)( *((intOrPtr*)( *_t352 + 0xc))))();
														 *(_t658 - 0xdc) = _t492;
														_t355 =  *0xf4f014; // 0xf4f014
														if(_t355 != 0xf4f014 && ( *(_t355 + 0x1c) & 0x00000004) != 0) {
															__eflags =  *((char*)(_t355 + 0x19)) - 5;
															if( *((char*)(_t355 + 0x19)) >= 5) {
																_t268 = _t355 + 0x14; // 0x20000000
																_t269 = _t355 + 0x10; // 0x40000000
																_t586 = 0xf212f8;
																E00F32A46(0x19, 0xf212f8,  *_t269,  *_t268, _t492);
															}
														}
														 *(_t658 - 4) = 0xffffffff;
														_t620 =  *((intOrPtr*)(_t658 - 0xc8));
														 *0xf5302c();
														L39:
														if(_t492 < 0) {
															L156:
															asm("sbb edx, edx");
															_t586 =  ~( *(_t658 - 0xd8)) & _t658 - 0x000000b0;
															asm("sbb ecx, ecx");
															asm("sbb eax, eax");
															__imp__WmiSetAndCommitObject( *0xf4f760, 1,  *((intOrPtr*)(_t658 - 0xc4)),  *((intOrPtr*)(_t620 + 0x38)),  ~( *(_t620 + 0x668)) &  *(_t658 - 0xd0),  ~( *(_t620 + 0x66c)) &  *(_t658 - 0xc0),  ~( *(_t658 - 0xd8)) & _t658 - 0x000000b0, _t492);
															_t486 = 0x80041013;
															L47:
															 *(_t658 - 0xe4) =  *(_t658 - 0xf8);
															_t621 =  *(_t658 - 0x108);
															 *(_t658 - 0xb4) = _t621;
															 *(_t658 - 0xd4) = 0;
															_push(_t658 - 0xd4);
															_push(_t621);
															if( *0xf53034() >= 0) {
																if(_t621 != 0 &&  *(_t658 - 0xe8) != 0) {
																	 *(_t658 - 0xcc) = 0;
																	 *0xf512c4( *(_t658 - 0xb4), 0xf068b0, _t658 - 0xcc);
																	_t372 =  *((intOrPtr*)( *( *_t621)))();
																	__eflags = _t372;
																	if(_t372 >= 0) {
																		_t373 =  *(_t658 - 0xcc);
																		 *0xf512c4(_t373);
																		 *((intOrPtr*)( *((intOrPtr*)( *_t373 + 0x10))))();
																		_t376 =  *(_t658 - 0xcc);
																		 *0xf512c4(_t376);
																		 *((intOrPtr*)( *((intOrPtr*)( *_t376 + 8))))();
																	}
																	_t621 =  *(_t658 - 0xb4);
																}
																_t526 =  *(_t658 - 0xe4);
																if(_t526 != 0) {
																	 *0xf512c4(_t526);
																	 *((intOrPtr*)( *((intOrPtr*)( *_t526 + 8))))();
																	_t621 =  *(_t658 - 0xb4);
																}
															}
															if(_t621 != 0) {
																 *0xf512c4(_t621);
																 *((intOrPtr*)( *((intOrPtr*)( *_t621 + 8))))();
															}
															goto L54;
														}
														if(WaitForSingleObject( *(_t645 + 0xc),  *(_t620 + 0x694)) == 0x102) {
															 *(_t645 + 0x10) = 0x80041013;
														}
														_t492 =  *(_t645 + 0x10);
														if(_t492 < 0) {
															goto L156;
														} else {
															if( *(_t658 - 0xd8) != 0) {
																_t533 = _t658 - 0xb0;
															} else {
																_t533 = 0;
															}
															if( *(_t620 + 0x66c) == 0) {
																 *(_t658 - 0xc0) = 0;
															}
															asm("sbb eax, eax");
															__imp__WmiSetAndCommitObject( *0xf4f764, 1,  *((intOrPtr*)(_t658 - 0xc4)),  *((intOrPtr*)(_t620 + 0x38)),  ~( *(_t620 + 0x668)) &  *(_t658 - 0xd0),  *(_t658 - 0xc0), _t533);
															goto L47;
														}
													}
													__eflags = _t492;
													if(_t492 < 0) {
														_t620 =  *((intOrPtr*)(_t658 - 0xc8));
														goto L156;
													}
													_t628 =  *(_t658 - 0xbc);
													 *(_t658 - 0xd4) = _t628;
													_t492 = E00F47D61(_t628, E00F07D03());
													__eflags = _t492;
													if(_t492 < 0) {
														_t620 =  *((intOrPtr*)(_t658 - 0xc8));
														L153:
														_t586 =  *(_t658 - 0xb4);
														E00F47D18( *(_t658 - 0xbc),  *(_t658 - 0xb4));
														goto L39;
													}
													 *(_t658 - 4) = 0xe;
													_t387 =  *((intOrPtr*)(_t658 - 0xc8));
													asm("sbb edx, edx");
													asm("sbb eax, eax");
													 *0xf512c4( *(_t658 - 0xd4),  ~( *(_t387 + 0x668)) &  *(_t658 - 0xd0), 0,  *((intOrPtr*)(_t658 - 0xc4)),  ~( *(_t387 + 0x66c)) &  *(_t658 - 0xc0),  *((intOrPtr*)(_t658 - 0xf0)),  *((intOrPtr*)(_t658 - 0xfc)),  *(_t658 - 0xb8));
													_t492 =  *((intOrPtr*)( *((intOrPtr*)( *_t628 + 0xc))))();
													 *(_t658 - 0xdc) = _t492;
													 *(_t658 - 4) = 0xffffffff;
													_t620 =  *((intOrPtr*)(_t658 - 0xc8));
													_t393 =  *0xf4f014; // 0xf4f014
													__eflags = _t393 - 0xf4f014;
													if(_t393 == 0xf4f014) {
														goto L153;
													} else {
														__eflags =  *(_t393 + 0x1c) & 0x00000004;
														if(( *(_t393 + 0x1c) & 0x00000004) == 0) {
															goto L153;
														}
														__eflags =  *((char*)(_t393 + 0x19)) - 5;
														if( *((char*)(_t393 + 0x19)) < 5) {
															goto L153;
														}
														_t275 = _t393 + 0x14; // 0x20000000
														_t276 = _t393 + 0x10; // 0x40000000
														E00F32A46(0x1a, 0xf212f8,  *_t276,  *_t275, _t492);
														_t586 =  *(_t658 - 0xb4);
														E00F47D18( *(_t658 - 0xbc),  *(_t658 - 0xb4));
														goto L39;
													}
												}
												goto L27;
											}
										}
									}
									_t489 = HeapAlloc(_t336, _t512, 0x18);
									 *(_t658 - 0xb8) = _t489;
									if(_t489 == 0) {
										_t426 = E00F48131();
										__eflags = _t426;
										if(_t426 != 0) {
											goto L70;
										}
									}
									goto L18;
								}
							}
							if(_t612 != 0) {
								_t234 = _t645 + 0x14; // 0x14
								_t586 = _t234;
								_t512 = _t612;
								_t329 = E00F47FFF(_t612, _t234);
								_t486 = _t329;
								__eflags = _t486;
								if(_t486 >= 0) {
									goto L13;
								}
								goto L127;
							}
							goto L13;
						}
					}
					L5:
					if(_t486 < 0) {
						goto L58;
					}
					_t323 =  *0xf4f0cc; // 0x0
					_t511 =  *(_t323 + 8) & 0x00000005 | 0x00000008;
					_t324 =  *(_t323 + 4);
					if(_t324 == 0) {
						goto L65;
					}
					_t645 = HeapAlloc(_t324, _t511, 0x18);
					if(_t645 == 0) {
						_t429 = E00F48131();
						__eflags = _t429;
						if(_t429 != 0) {
							goto L65;
						}
					}
					goto L8;
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07470
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000), ref: 00F074F5
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000018), ref: 00F07549
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?), ref: 00F077EE
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,00F07BF8,?,?,00000000), ref: 00F07855
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AllocHeapObject$CommitCreateEventSingleWait
  • String ID:
  • API String ID: 3803894061-0
  • Opcode ID: b7ea73877f7545ab1fdbcd75fb19c91a7717a927e52eb8c071ac2bb0fbaec58a
  • Instruction ID: e1686f4d0e48046e5eb4842b424522a38f4fd41b6f89c4908d439470f4b89fab
  • Opcode Fuzzy Hash: b7ea73877f7545ab1fdbcd75fb19c91a7717a927e52eb8c071ac2bb0fbaec58a
  • Instruction Fuzzy Hash: EBE1AE70A003198FDB20DF54CD94BAAB7F5BF44324F1481E8DA09A72A1CB71AD85EF90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
			E00F0E7E0(char __ecx, intOrPtr* _a4, void* _a8) {
				signed int _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t32;
				struct _CRITICAL_SECTION* _t39;
				struct _CRITICAL_SECTION* _t50;
				char _t66;
				intOrPtr* _t71;
				intOrPtr* _t79;
				void* _t89;
				intOrPtr _t90;
				struct _CRITICAL_SECTION* _t91;
				void* _t92;
				signed int _t95;

				_t32 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t32 ^ _t95;
				_t66 = __ecx;
				if( *0xf4f114 != 0 && E00F02E90(0xf4f0fc) == 0) {
					while(E00F02E90(0xf4f0fc) == 0) {
						Sleep(0x3e8);
					}
				}
				_v16 = _t66;
				_t93 = E00F0E8F9( &_a8,  &_v16,  &_v12);
				if(_t93 != 0) {
					E00F321AA(0xf4f0fc);
					_t39 = _t93;
					goto L12;
				} else {
					_t71 = _a8;
					 *((intOrPtr*)(_t71 + 0x24)) = 2;
					 *0xf512c4(_t71);
					 *((intOrPtr*)( *((intOrPtr*)( *_t71 + 4))))();
					if( *0xf4f114 != 0) {
						LeaveCriticalSection(0xf4f0fc);
					}
					_t10 = _t66 + 0x18; // 0x18
					_t93 = _t10;
					if( *((char*)(_t66 + 0x30)) != 0 && E00F02E90(_t93) == 0) {
						while(E00F02E90(_t93) == 0) {
							Sleep(0x3e8);
						}
					}
					_t88 =  *((intOrPtr*)(_t66 + 8));
					_push(_t89);
					_t90 =  *((intOrPtr*)(_t66 + 0xc));
					 *((intOrPtr*)(_t66 + 8)) = _t88 + 1;
					asm("adc eax, 0x0");
					_v24 = _t88;
					 *((intOrPtr*)(_t66 + 0xc)) = _t90;
					_t16 = _t66 + 0x7c; // 0x7c
					_v20 = _t90;
					_v32 =  *_a4;
					_t50 = E00F04123(_t16,  &_v32,  &_a8,  &_v12);
					_t91 = _t50;
					if(_t91 != 0) {
						E00F321AA(_t93);
						_t88 = 1;
						E00F47847(0xf4f0fc, 1);
						E00F2E266(0xf4f0fc,  &_a8);
						E00F321AA(0xf4f0fc);
						_t79 = _a8;
						_t93 =  *( *_t79 + 8);
						 *0xf512c4(_t79);
						 *( *( *_t79 + 8))();
						goto L11;
					} else {
						 *((intOrPtr*)(_a8 + 0x20)) = 1;
						if( *((intOrPtr*)(_t93 + 0x18)) != _t50) {
							LeaveCriticalSection(_t93);
						}
						if(SetEvent( *(_t66 + 0x3c)) == 0) {
							_pop(_t92);
							return E00F01CA0(0x8000000a, _t66, _v8 ^ _t95, _t88, _t92, _t93);
						} else {
							L11:
							_t39 = _t91;
							_pop(_t89);
							L12:
							return E00F01CA0(_t39, _t66, _v8 ^ _t95, _t88, _t89, _t93);
						}
					}
				}
			}

APIs
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00F4F0FC), ref: 00F0E857
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00000018,?,?,?,00000000), ref: 00F0E8C8
  • SetEvent.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,00000000), ref: 00F0E8D1
    • Part of subcall function 00F02E90: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00F4F0FC,0BD26E8F,00000000,00000050,00000000,00F23660), ref: 00F02ED7
  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00000000,?), ref: 00F28919
  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 00F28935
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CriticalSection$LeaveSleep$EnterEvent
  • String ID:
  • API String ID: 196716776-0
  • Opcode ID: 611b913ba27db6ac72a362a0dc9fe88370e5be609cc5996c26eb2fbbbd778a73
  • Instruction ID: 90e22781bf7129ec6f8b61f97f61648905f893ea8f23076458a441bba0dd34ab
  • Opcode Fuzzy Hash: 611b913ba27db6ac72a362a0dc9fe88370e5be609cc5996c26eb2fbbbd778a73
  • Instruction Fuzzy Hash: 1E41E735A002089BCB01EF64DC457AD77A9EF84360F10816AEE069B292DF34DD45FBA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
			E00F0E467(intOrPtr _a4, intOrPtr _a12) {
				long _v8;
				char _v16;
				intOrPtr* _v20;
				signed int _t54;
				char _t58;
				struct _SECURITY_ATTRIBUTES* _t61;
				void* _t63;
				void* _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr* _t71;
				struct _CRITICAL_SECTION* _t74;
				struct _SECURITY_ATTRIBUTES* _t76;
				signed int _t77;

				_push(0xffffffff);
				_push(E00F24E75);
				_push( *[fs:0x0]);
				_push(_t66);
				_t54 =  *0xf4f1a4; // 0xbd26e8f
				_push(_t54 ^ _t77);
				 *[fs:0x0] =  &_v16;
				_t71 = _t66;
				_v20 = _t71;
				_t3 = _t71 + 0x18; // 0x18
				_t74 = _t3;
				 *_t71 = 0xf02f18;
				 *(_t71 + 0x10) = 0;
				 *(_t71 + 0x14) = 0;
				 *((short*)(_t74 + 0x18)) = 0;
				if(InitializeCriticalSectionAndSpinCount(_t74, 0) == 0) {
					_t58 = 0;
				} else {
					_t58 = 1;
				}
				 *((char*)(_t74 + 0x18)) = _t58;
				if(_t58 != 1) {
					if( *((char*)(_t74 + 0x19)) != 0) {
						__imp__?_ThrowMemoryException_@@YGXXZ();
					}
				}
				_t67 = _a4;
				_v8 = 0;
				 *(_t71 + 0x34) = 0;
				 *(_t71 + 0x38) = 0;
				 *(_t71 + 0x3c) = 0;
				 *(_t71 + 0x40) = 0;
				 *((intOrPtr*)(_t71 + 0x44)) = _t67;
				 *(_t71 + 0x48) = 0;
				 *(_t71 + 0x4c) = 0;
				 *(_t71 + 0x50) = 0;
				 *((intOrPtr*)(_t71 + 0x54)) = _a12;
				 *(_t71 + 0x58) = 0;
				 *(_t71 + 0x5c) = 0;
				 *(_t71 + 0x60) = 0;
				 *((intOrPtr*)(_t71 + 0x64)) = _t67;
				 *((intOrPtr*)(_t71 + 0x68)) = _t67;
				_v8 = 1;
				 *(_t71 + 0x6c) = 0;
				 *(_t71 + 0x70) = 0;
				 *((intOrPtr*)(_t71 + 0x74)) = _t67;
				 *((intOrPtr*)(_t71 + 0x78)) = _t67;
				_v8 = 2;
				 *(_t71 + 0x7c) = 0;
				 *(_t71 + 0x80) = 0;
				 *((intOrPtr*)(_t71 + 0x84)) = _t67;
				 *((intOrPtr*)(_t71 + 0x88)) = _t67;
				_v8 = 3;
				if( *((intOrPtr*)(_t71 + 0x30)) == 0) {
					_t61 = 0x80000000;
				} else {
					_t61 = 0;
				}
				 *(_t71 + 0x34) = _t61;
				if(_t61 == 0) {
					 *(_t71 + 0x34) = _t61;
				}
				if( *(_t71 + 0x34) != 0) {
					L16:
					_v8 = 0xffffffff;
					 *[fs:0x0] = _v16;
					return _t71;
				}
				 *(_t71 + 0x34) = 0;
				if( *(_t71 + 0x34) != 0) {
					goto L16;
				}
				 *(_t71 + 0x34) = 0;
				if( *(_t71 + 0x34) != 0) {
					goto L16;
				}
				_t76 = 0;
				_t63 = CreateEventW(0, 0, 0, 0);
				 *(_t71 + 0x40) = _t63;
				if(_t63 == 0) {
					_t76 = 0x80000001;
				}
				 *(_t71 + 0x34) = _t76;
				if(_t76 == 0) {
					_t64 = CreateEventW(_t76, _t76, _t76, _t76);
					 *(_t71 + 0x38) = _t64;
					if(_t64 == 0) {
						_t76 = 0x80000001;
					}
					 *(_t71 + 0x34) = _t76;
					if(_t76 == 0) {
						_t65 = CreateEventW(_t76, _t76, _t76, _t76);
						 *(_t71 + 0x3c) = _t65;
						if(_t65 == 0) {
							_t76 = 0x80000001;
						}
						 *(_t71 + 0x34) = _t76;
					}
				}
				goto L16;
			}

APIs
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(00000018,00000000,0BD26E8F,00000000,00000000,00000000,00000000,00F24E75,000000FF,?,00F0CFBD,00000000,?,0001D4C0), ref: 00F0E4B3
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000000,00000000,00000000,?,00F0CFBD,00000000,?,0001D4C0), ref: 00F0E5A7
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(80000001,80000001,80000001,80000001,?,00F0CFBD,00000000,?,0001D4C0), ref: 00F0E5BF
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(80000001,80000001,80000001,80000001,?,00F0CFBD,00000000,?,0001D4C0), ref: 00F0E5D7
  • ?_ThrowMemoryException_@@YGXXZ.WBEMCOMN(?,00F0CFBD,00000000,?,0001D4C0), ref: 00F2AC25
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CreateEvent$CountCriticalException_@@InitializeMemorySectionSpinThrow
  • String ID:
  • API String ID: 1451983025-0
  • Opcode ID: b65e4d3349517417304ecf430e12b9108197b9e350d8348f591e2e3682b4320f
  • Instruction ID: 458553b4562ab344f91344d623aac96ac4de6af941317a47e687c2af46eccc3d
  • Opcode Fuzzy Hash: b65e4d3349517417304ecf430e12b9108197b9e350d8348f591e2e3682b4320f
  • Instruction Fuzzy Hash: 0C5178B1906B56EFE7258F25CA48796BFA4FF05328F10191AE40587B80D3B5E464EFD0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,00000000,00000001), ref: 00F2EFB8
  • _itow.MSVCRT ref: 00F2EFCA
  • _itow.MSVCRT ref: 00F2EFDC
  • _itow.MSVCRT ref: 00F2EFE9
  • EventWrite.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(?,00000005,?), ref: 00F2F12E
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: _itow$CurrentEventProcessWrite
  • String ID:
  • API String ID: 1710260688-0
  • Opcode ID: 13636c551c411d692cdababd29a656a089c3b881f74bacfc15b6f29f32737976
  • Instruction ID: 2d59e675fa667d69ce3ea9df4af7bf1739eabd56ff2f5c8b75eadf0f6b78a96d
  • Opcode Fuzzy Hash: 13636c551c411d692cdababd29a656a089c3b881f74bacfc15b6f29f32737976
  • Instruction Fuzzy Hash: F8515E79D002299BDB24CF28DC55BEEB7B4FF89310F4141EAD90AA7251D7316A89CF80
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
			E00F47FFF(char __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t28;
				int _t35;
				void* _t37;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t50;
				void* _t51;
				int _t54;

				_t37 = __edx;
				_v24 = __ecx;
				_t51 =  *0xf53030();
				_v8 = 0;
				if(_t51 < 0) {
					if(_t51 != 0x80010117) {
						goto L14;
					} else {
						OpenProcessToken(GetCurrentProcess(), 8,  &_v8);
						goto L4;
					}
				} else {
					_t35 = OpenThreadToken(GetCurrentThread(), 8, 1,  &_v8);
					 *0xf5302c();
					_t54 = _t35;
					L4:
					if(_t54 != 0) {
						_v16 = 0;
						_v12 = 0;
						if(E00F47A1E(_v8,  &_v16,  &_v12) < 0) {
							_t51 = 0x8004100a;
						} else {
							_t41 = _v8;
							_v20 = 0;
							_v16 = 0;
							_t28 = E00F4788B(_v8,  &_v20,  &_v16);
							_t50 = _v12;
							_t51 = _t28;
							if(_t51 >= 0) {
								_t38 = _v16;
								_t51 = E00F46FCB(_t50, _t38, _t41,  &_v24, _t37);
								if(_t38 != 0) {
									_t44 =  *0xf4f0cc; // 0x0
									E00F04A17(_t44, _t38);
								}
							}
							if(_t50 != 0) {
								_t42 =  *0xf4f0cc; // 0x0
								E00F04A17(_t42, _t50);
							}
						}
						CloseHandle(_v8);
					} else {
						_t51 = 0x80041003;
					}
					L14:
					return _t51;
				}
			}

APIs
  • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000008,00000001,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F48028
  • OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F4802F
    • Part of subcall function 00F47A1E: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,00000014,00000000,00000000,?,00F48080,00000000,?,0BD26E8F,?), ref: 00F47A52
    • Part of subcall function 00F47A1E: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,00F48080,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F47A60
    • Part of subcall function 00F47A1E: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00F48080,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F47A85
    • Part of subcall function 00F47A1E: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,?,00F48080,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F47A91
    • Part of subcall function 00F47A1E: memcpy.MSVCRT ref: 00F47AB4
  • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000008,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F48053
  • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F4805A
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F480E0
    • Part of subcall function 00F4788B: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000005(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,00000014,00000000,00000000,?,00F48099,?,00000000,?,0BD26E8F), ref: 00F478BF
    • Part of subcall function 00F4788B: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,00F48099,?,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F478CD
    • Part of subcall function 00F4788B: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000005(TokenIntegrityLevel),00000000,00000000,00000000,?,00F48099,?,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F478F2
    • Part of subcall function 00F4788B: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,?,00F48099,?,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F478FE
    • Part of subcall function 00F4788B: memcpy.MSVCRT ref: 00F47921
    • Part of subcall function 00F46FCB: MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-2-0(00000014,00000000,00000014,00000000,?,00000000,?,00000000,?,00000000,?,00000000,00000000,?), ref: 00F4703D
    • Part of subcall function 00F46FCB: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00F4704B
    • Part of subcall function 00F46FCB: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000), ref: 00F4705B
    • Part of subcall function 00F46FCB: InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001), ref: 00F470CA
    • Part of subcall function 00F04A17: HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,80000002,?,00F2B58B,00000000,00000004,00F1329E), ref: 00F04A2B
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Token$Information$ErrorLastLength$CurrentOpenProcessThreadmemcpy$AbsoluteCloseDescriptorFreeHandleHeapInitializeMakeSecurity
  • String ID:
  • API String ID: 2769509552-0
  • Opcode ID: 4b41052b31d0ff84b9a1026fcfaab72d726d127b69ad0e2cd986b7b2ac010d3a
  • Instruction ID: c291d33128a0ec085894095ade8e3fb387c04289f05b430fbd3bf13893920392
  • Opcode Fuzzy Hash: 4b41052b31d0ff84b9a1026fcfaab72d726d127b69ad0e2cd986b7b2ac010d3a
  • Instruction Fuzzy Hash: 2A21B676E0031DABCB10DFA8DC84AAEFBBCBF84751B114055EE05B3210DB749E05AB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
			E00F4788B(void* __ecx, int* __edx, void** _a4) {
				long _v8;
				int* _v12;
				long _t13;
				int _t16;
				void* _t24;
				void* _t28;
				intOrPtr _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				int _t39;

				_push(__ecx);
				_push(__ecx);
				_t24 = __ecx;
				_v12 = __edx;
				_t37 = 0x80041001;
				if(__ecx == 0) {
					_t37 = 0x80070006;
				} else {
					if(__edx == 0) {
						_t37 = 0x80041008;
					} else {
						_v8 = 0;
						if(GetTokenInformation(__ecx, 5, 0, 0,  &_v8) == 0) {
							_t13 = GetLastError();
							_t45 = _t13 - 0x7a;
							if(_t13 == 0x7a) {
								_t35 = E00F19D72(0, _t45, _v8);
								_pop(_t28);
								if(_t35 == 0) {
									_t37 = 0x80041006;
								} else {
									_t16 = GetTokenInformation(_t24, 5, _t35, _v8,  &_v8);
									_t47 = _t16;
									if(_t16 != 0) {
										_t39 = GetLengthSid( *_t35);
										 *_v12 = _t39;
										_t31 = E00F19D72(_t28, _t47, _t39);
										 *_a4 = _t31;
										if(_t31 == 0) {
											_t37 = 0x80041006;
										} else {
											memcpy(_t31,  *_t35, _t39);
											_t37 = 0;
										}
									}
									_t29 =  *0xf4f0cc; // 0x0
									E00F04A17(_t29, _t35);
								}
							}
						}
					}
				}
				return _t37;
			}

APIs
  • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000005(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,00000014,00000000,00000000,?,00F48099,?,00000000,?,0BD26E8F), ref: 00F478BF
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,00F48099,?,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F478CD
  • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000005(TokenIntegrityLevel),00000000,00000000,00000000,?,00F48099,?,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F478F2
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,?,00F48099,?,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F478FE
  • memcpy.MSVCRT ref: 00F47921
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: InformationToken$ErrorLastLengthmemcpy
  • String ID:
  • API String ID: 341110202-0
  • Opcode ID: e3f45ad5b20eeca322a0ca3588a3a28b3be8bcf986a148b810a80976ea484f88
  • Instruction ID: 020ea743cc9ca5f8d813bf5a6a9ad6e99647522babeae34c180853f7bb7a37da
  • Opcode Fuzzy Hash: e3f45ad5b20eeca322a0ca3588a3a28b3be8bcf986a148b810a80976ea484f88
  • Instruction Fuzzy Hash: 30212977A08316AFE714AB99DC45F6EBF6DAB083217144079FE05D3210E7749D40B7A0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
			E00F47A1E(void* __ecx, int* __edx, void** _a4) {
				long _v8;
				int* _v12;
				long _t13;
				int _t16;
				void* _t24;
				void* _t28;
				intOrPtr _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				int _t39;

				_push(__ecx);
				_push(__ecx);
				_t24 = __ecx;
				_v12 = __edx;
				_t37 = 0x80041001;
				if(__ecx == 0) {
					_t37 = 0x80070006;
				} else {
					if(__edx == 0) {
						_t37 = 0x80041008;
					} else {
						_v8 = 0;
						if(GetTokenInformation(__ecx, 1, 0, 0,  &_v8) == 0) {
							_t13 = GetLastError();
							_t45 = _t13 - 0x7a;
							if(_t13 == 0x7a) {
								_t35 = E00F19D72(0, _t45, _v8);
								_pop(_t28);
								if(_t35 == 0) {
									_t37 = 0x80041006;
								} else {
									_t16 = GetTokenInformation(_t24, 1, _t35, _v8,  &_v8);
									_t47 = _t16;
									if(_t16 != 0) {
										_t39 = GetLengthSid( *_t35);
										 *_v12 = _t39;
										_t31 = E00F19D72(_t28, _t47, _t39);
										 *_a4 = _t31;
										if(_t31 == 0) {
											_t37 = 0x80041006;
										} else {
											memcpy(_t31,  *_t35, _t39);
											_t37 = 0;
										}
									}
									_t29 =  *0xf4f0cc; // 0x0
									E00F04A17(_t29, _t35);
								}
							}
						}
					}
				}
				return _t37;
			}

APIs
  • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,00000014,00000000,00000000,?,00F48080,00000000,?,0BD26E8F,?), ref: 00F47A52
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,00F48080,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F47A60
  • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00F48080,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F47A85
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0(00000000,?,00F48080,00000000,?,0BD26E8F,?,00000000,00000000), ref: 00F47A91
  • memcpy.MSVCRT ref: 00F47AB4
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: InformationToken$ErrorLastLengthmemcpy
  • String ID:
  • API String ID: 341110202-0
  • Opcode ID: e174ef842c743adb00d5c46db55ac1c404953c25b4813bb379ba6f42df29df83
  • Instruction ID: 1cfd19924502455cc6cbb06b7e7375b3c72cbc17309935db0ad406329219817b
  • Opcode Fuzzy Hash: e174ef842c743adb00d5c46db55ac1c404953c25b4813bb379ba6f42df29df83
  • Instruction Fuzzy Hash: 7B21C876A48305BFD714AB95DC45E6F7EADEB443217140069FD01D3220E7799E40B6A0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 61%
			E00F22D90(unsigned char* __ebx, void* __ecx, void* __edx) {
				signed int _v8;
				char _v48;
				signed int _v68;
				char _v108;
				signed int _v128;
				char _v168;
				void* _v176;
				void* __ebp;
				signed int _t17;
				signed int _t21;
				intOrPtr* _t24;
				signed int _t25;
				intOrPtr _t29;
				char* _t32;
				char* _t34;
				intOrPtr _t35;
				void* _t37;
				void* _t39;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t44;
				void* _t47;

				_t17 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t17 ^ _t40;
				_t32 =  &_v48;
				E00F22A50(_t32, __ecx);
				_push(0xf4de44);
				_push( &_v48);
				L00F23426();
				asm("int3");
				_push(_t40);
				_t41 = _t44;
				_t21 =  *0xf4f1a4; // 0xbd26e8f
				_v68 = _t21 ^ _t41;
				_push(_t32);
				E00F22AC0(__ebx,  &_v108, _t37, _t39, _t47);
				_push(0xf22dec);
				_t24 =  &_v108;
				_push(_t24);
				L00F23426();
				asm("int3");
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *__ebx =  *__ebx >> 1;
				asm("repne add [eax], al");
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				asm("fdivrp st4, st0");
				 *((intOrPtr*)(_t24 - 0x6f6f6f70)) =  *((intOrPtr*)(_t24 - 0x6f6f6f70)) + __edx;
				0;
				0;
				0;
				_push(_t41);
				_t42 = _t44 - 0x2c;
				_t25 =  *0xf4f1a4; // 0xbd26e8f
				_v128 = _t25 ^ _t42;
				_t34 =  &_v168;
				E00F22B40(_t34,  &_v108);
				_push(0xf4de64);
				_push( &_v168);
				L00F23426();
				asm("int3");
				_push(_t42);
				_t29 = _v168;
				 *((intOrPtr*)(_t34 + 0x14)) = _t29;
				if( *((intOrPtr*)(_t34 + 0x18)) < 0x10) {
					_t35 = _t34 + 4;
					__eflags = _t35;
				} else {
					_t35 =  *((intOrPtr*)(_t34 + 4));
				}
				 *((char*)(_t35 + _t29)) = 0;
				return _t29;
			}
APIs
  • std::bad_exception::bad_exception.LIBCMT ref: 00F22DA6
  • _CxxThrowException.MSVCRT(?,00F4DE44), ref: 00F22DB4
    • Part of subcall function 00F22AC0: ??0exception@@QAE@ABV0@@Z.MSVCRT(?), ref: 00F22AD5
  • _CxxThrowException.MSVCRT(?,00F22DEC), ref: 00F22DE4
  • std::bad_exception::bad_exception.LIBCMT ref: 00F22E26
  • _CxxThrowException.MSVCRT(?,00F4DE64), ref: 00F22E34
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: ExceptionThrow$std::bad_exception::bad_exception$??0exception@@V0@@
  • String ID:
  • API String ID: 2905314055-0
  • Opcode ID: 02a0150d3a2f8c4c945a6837c9547c187211c28617328f5b1a490ec8b5d81c57
  • Instruction ID: ef0633e5eccf9f42d5e2170ce979bab49c40033e4b3c11d598e5a6c313aa3e38
  • Opcode Fuzzy Hash: 02a0150d3a2f8c4c945a6837c9547c187211c28617328f5b1a490ec8b5d81c57
  • Instruction Fuzzy Hash: 8911E971C0934C6FC706EBB9DC46CCABBB89F5A20075184A6E420B7152D978ED0CD765
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 82%
			E00F07D03() {
				void* _v8;
				void _v12;
				long _v16;
				long _t13;
				int _t17;
				void _t20;
				void* _t21;

				_v8 = 0;
				if(OpenThreadToken(GetCurrentThread(), 8, 1,  &_v8) == 0) {
					_t13 = GetLastError();
					__eflags = _t13 - 0x51d;
					if(_t13 == 0x51d) {
						goto L13;
					} else {
						__eflags = _t13 - 0x3f0;
						goto L12;
					}
				} else {
					_v12 = 0;
					_v16 = 0;
					_t17 = GetTokenInformation(_v8, 9,  &_v12, 4,  &_v16);
					CloseHandle(_v8);
					if(_t17 != 0) {
						_t20 = _v12;
						if(_t20 != 0) {
							_t21 = _t20 - 1;
							if(_t21 == 0) {
								_push(2);
								goto L6;
							} else {
								if(_t21 != 1) {
									L12:
									if(__eflags == 0) {
										L13:
										_push(4);
										goto L6;
									}
								} else {
									_push(3);
									L6:
									_pop(1);
								}
							}
						}
					}
				}
				return 1;
			}

APIs
  • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000008,00000001,6E006900,?,?,?,?,6E006900), ref: 00F07D1C
  • OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,?,?,?,6E006900), ref: 00F07D23
  • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-2-0(6E006900,00000009(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,6E006900), ref: 00F07D47
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(6E006900,?,?,?,?,?,6E006900), ref: 00F07D52
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(?,?,?,?,6E006900), ref: 00F280E1
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: ThreadToken$CloseCurrentErrorHandleInformationLastOpen
  • String ID:
  • API String ID: 1364139418-0
  • Opcode ID: f42e7d88f20050edde7157de6934e807d7e75d1afee00bfc9f891ce6d1971ff5
  • Instruction ID: 1247f5328f2b549c02d03100b20d5c98592c8ddb5ba232de089f4bd718a5bd02
  • Opcode Fuzzy Hash: f42e7d88f20050edde7157de6934e807d7e75d1afee00bfc9f891ce6d1971ff5
  • Instruction Fuzzy Hash: DB11C236E4570CBBDB209BA59C48BBEBB7CFB80762F0040A5AB01D2190DA309E45F690
Uniqueness

Uniqueness Score: -1.00%

APIs
  • SetThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?), ref: 00F30DBE
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00F30DE5
    • Part of subcall function 00F30C3E: ?New@CWbemCallSecurity@@SGPAV1@XZ.FASTPROX ref: 00F30CA7
    • Part of subcall function 00F30C3E: ?AddRef@CWbemCallSecurity@@UAGKXZ.FASTPROX(00000000), ref: 00F30CB4
    • Part of subcall function 00F30C3E: ?GetThreadSecurity@CWbemCallSecurity@@UAGJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PAPAU_IWmiThreadSecHandle@@@Z.FASTPROX(00000004,00000002,00000000), ref: 00F30CC8
    • Part of subcall function 00F30C3E: ?SetThreadSecurity@CWbemCallSecurity@@UAGJPAU_IWmiThreadSecHandle@@@Z.FASTPROX(00000004,00000000), ref: 00F30CD8
    • Part of subcall function 00F30C3E: ?QueryInterface@CWbemCallSecurity@@UAGJABU_GUID@@PAPAX@Z.FASTPROX(00000000,00F068B0,?), ref: 00F30CED
    • Part of subcall function 00F30C3E: ?Release@CWbemCallSecurity@@UAGKXZ.FASTPROX(00000000), ref: 00F30D28
  • RevertToSelf.API-MS-WIN-SECURITY-BASE-L1-2-0(?), ref: 00F30DD7
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041008), ref: 00F30DF0
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F30DF8
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CallSecurity@@Wbem$Thread$Handle@@@Log@@MemorySecurity@$CloseHandleInterface@New@Object@@QueryRef@Release@RevertSelfTokenW4tag_Write@
  • String ID:
  • API String ID: 2539269054-0
  • Opcode ID: 3c95c4348b376a52884124946a577c895c5ade9dc20d300a7c64e20383e31cf5
  • Instruction ID: ecbdc8dbb13a482ffcad4cbc1ddc9954849835d899745d76a2ae9882284e74fc
  • Opcode Fuzzy Hash: 3c95c4348b376a52884124946a577c895c5ade9dc20d300a7c64e20383e31cf5
  • Instruction Fuzzy Hash: ED11C635A00348ABC7245F65DC08B5A7FA9FB45772F05445AFA0497361CA74EC40F650
Uniqueness

Uniqueness Score: -1.00%

APIs
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0(00000000,00000001,00000000,00000000), ref: 00F0C675
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CreateEvent
  • String ID: __ExtendedStatus
  • API String ID: 2692171526-3070662379
  • Opcode ID: c2518611bf85c16d2af87c540ab1c978753884ce3450adc2f0138ef4e8385cd4
  • Instruction ID: 1f5686cf58af9d7471b9447e8a772cb77a204dc86733b0b91eb2251883a93baa
  • Opcode Fuzzy Hash: c2518611bf85c16d2af87c540ab1c978753884ce3450adc2f0138ef4e8385cd4
  • Instruction Fuzzy Hash: AC61E375A00719AFDF248F24DC44BAA7BA5BF48315F0501A9FA09E72A0D731ED80BF91
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: $<NULL>$NULL
  • API String ID: 471583391-485957995
  • Opcode ID: b091e61747caf237588b825503b0b5d8b484aeff602ea5e29a24c54c6e056796
  • Instruction ID: c0b6dcb5324e2fa31d5621b551cdb2e372b58d3a7ab400f2dc684f4c86576cf1
  • Opcode Fuzzy Hash: b091e61747caf237588b825503b0b5d8b484aeff602ea5e29a24c54c6e056796
  • Instruction Fuzzy Hash: 0551AB36D0021ADBCF759F98C850BBEB775FB98730F64851AD902AB250E3705E91EB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 16%
			E00F40F30(intOrPtr _a4, intOrPtr _a8) {
				void* _t9;
				long _t10;
				void* _t11;
				intOrPtr _t12;

				_t12 = _a8;
				_t11 = 0;
				if( *((intOrPtr*)(_t12 + 0x38)) == 0) {
					return _t9;
				}
				__imp__?Init@CPublishWMIOperationEvent@@SGJXZ();
				if( *((intOrPtr*)(_t12 + 0x20)) != 1) {
					if( *((intOrPtr*)(_t12 + 0x24)) == 1) {
						_t6 = _t12 + 0x244; // 0xf410a9
						_t11 = _t6;
					}
				} else {
					_t4 = _t12 + 0x3c; // 0xf40ea1
					_t11 = _t4;
				}
				_t7 = _t12 + 0x38; // 0xf0143d00
				_t10 = GetCurrentProcessId();
				__imp__?PublishProviderStarted@CPublishWMIOperationEvent@@SGJPAGJ0K0@Z( *_t7, _a4, L"wmiprvse.exe", _t10, _t11);
				return _t10;
			}

APIs
  • ?Init@CPublishWMIOperationEvent@@SGJXZ.WBEMCOMN(80041006,?,?,00F40E65,80041006,?), ref: 00F40F41
  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,00F40E65,80041006,?), ref: 00F40F62
  • ?PublishProviderStarted@CPublishWMIOperationEvent@@SGJPAGJ0K0@Z.WBEMCOMN(F0143D00,80041006,wmiprvse.exe,00000000,?,00F40E65,80041006,?), ref: 00F40F72
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Publish$Event@@Operation$CurrentInit@ProcessProviderStarted@
  • String ID: wmiprvse.exe
  • API String ID: 1806684630-74504709
  • Opcode ID: 18c97ffbc62ba54d79114e21d080cf958f9884da971e4644154a98bf604250a9
  • Instruction ID: a522d50fbd1d7dc53027287ce21bf50c2b159487d6b2030c9cc5a298ffba2deb
  • Opcode Fuzzy Hash: 18c97ffbc62ba54d79114e21d080cf958f9884da971e4644154a98bf604250a9
  • Instruction Fuzzy Hash: CBF0A733400714EB8B305F5599048A7BBB9FB853737414529FB4E93810CB31B88AFB91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 30%
			E00F17C80(intOrPtr _a4) {
				signed int _v8;
				void* _v9;
				void* _v10;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v812971966;
				intOrPtr* __ebx;
				intOrPtr* __edi;
				void* __esi;
				void* __ebp;
				signed int _t101;
				struct _CRITICAL_SECTION* _t168;
				intOrPtr _t210;
				signed int _t213;

				_t101 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t101 ^ _t213;
				_t212 = _a4 + 8;
				_t209 =  *(_t212 + 0x14);
				if( *(_t212 + 0x14) == 0) {
					L8:
					asm("lock xadd [eax], ebx");
					_t168 = (_t168 | 0xffffffff) - 1;
					if(_t168 == 0) {
						goto L1;
					} else {
						_t212 =  *(_t212 + 0x14);
						if(_t212 != 0) {
							_t13 =  *_t212 + 0x1c; // 0xf50018
							_t209 =  *_t13;
							if(_t209 != E00F04350) {
								 *0xf512c4();
								 *_t209();
							} else {
								_t212 = _t212 + 8;
								if( *((char*)(_t212 + 0x18)) != 0) {
									LeaveCriticalSection(_t212);
								}
							}
						}
						return E00F01CA0(_t168, _t168, _v8 ^ _t213, _t208, _t209, _t212);
					}
				} else {
					__eax =  *__edi;
					__ebx =  *((intOrPtr*)(__eax + 0x18));
					if(__ebx != E00F04320) {
						__ecx = __ebx;
						__eax =  *0xf512c4();
						__ecx = __edi;
						__eax =  *__ebx();
						goto L8;
					}
					if( *((char*)(__edi + 0x20)) == 0) {
						goto L8;
					}
					__ecx = __edi + 8;
					__eax = E00F02E90(__ecx);
					if(__al == 0) {
						while(1) {
							__ecx = __edi + 8;
							__eax = E00F02E90(__ecx);
							if(__al != 0) {
								goto L8;
							}
							Sleep(0x3e8);
						}
					}
					goto L8;
				}
				L1:
				_t4 =  *_t212 + 0x10; // 0x0
				_t210 =  *_t4;
			}

APIs
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00F17CFC
    • Part of subcall function 00F02E90: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00F4F0FC,0BD26E8F,00000000,00000050,00000000,00F23660), ref: 00F02ED7
  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00F29D14
  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,?,?,?,?,?,?,00000000), ref: 00F29D31
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CriticalSectionSleep$EnterLeave
  • String ID:
  • API String ID: 890587828-0
  • Opcode ID: 4001802c7c5496658d33a0bd124cf53d2afccc5c09c1fba52b76623653cb33e9
  • Instruction ID: 5a991dbe4c2ebf7aa7cb7d5017a282d3d2c39c42c46cf85cada24a0c01fce256
  • Opcode Fuzzy Hash: 4001802c7c5496658d33a0bd124cf53d2afccc5c09c1fba52b76623653cb33e9
  • Instruction Fuzzy Hash: 24B18C75E042099FCB18DF64D888AEEB7B1BF84325F154599E906973A1CB30ED81EB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
			E00F05790(void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				void* _v12;
				void* _v16;
				long _v20;
				long _v24;
				void* _v28;
				signed int _v32;
				long _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr* _t113;
				intOrPtr* _t114;
				long _t116;
				void* _t122;
				intOrPtr _t127;
				signed int _t131;
				signed int _t135;
				signed int _t139;
				intOrPtr* _t142;
				intOrPtr _t145;
				void* _t146;
				signed int _t147;
				intOrPtr* _t150;
				intOrPtr* _t157;
				long _t160;
				intOrPtr* _t167;
				intOrPtr* _t176;
				intOrPtr* _t180;
				void* _t185;
				long _t186;
				intOrPtr* _t187;
				intOrPtr _t190;
				void* _t202;
				void* _t205;
				intOrPtr _t237;
				void* _t239;
				intOrPtr* _t240;
				signed int _t244;
				signed int _t260;
				void* _t267;

				_t110 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t110 ^ _t260;
				_t112 =  *0xf4f014; // 0xf4f014
				_t237 = _a16;
				if(_t112 != 0xf4f014) {
					__eflags =  *(_t112 + 0x1c) & 0x00000004;
					if(( *(_t112 + 0x1c) & 0x00000004) != 0) {
						__eflags =  *((char*)(_t112 + 0x19)) - 5;
						if( *((char*)(_t112 + 0x19)) >= 5) {
							_t233 = 0xf21284;
							_t55 = _t112 + 0x14; // 0x20000000
							_t56 = _t112 + 0x10; // 0x40000000
							E00F321C2(0xb3, 0xf21284,  *_t56,  *_t55, _a8, _a12, _t237);
						}
					}
				}
				_t185 = _a4;
				_t244 = 0;
				_v16 = 0;
				_t113 =  *((intOrPtr*)(_t185 + 0x70));
				if(_t113 != 0) {
					 *0xf512c4(_t113, 0xf03af4,  &_v16);
					_t244 =  *((intOrPtr*)( *((intOrPtr*)( *_t113))))();
					if(_t244 >= 0) {
						_v28 = 0;
						_t233 =  &_v32;
						_v12 = 0;
						_v32 = 0;
						_t244 = E00F066C5( &_v12,  &_v32,  &_v28, 0);
						__eflags = _t244;
						if(__eflags >= 0) {
							_v36 = 0;
							_v20 = 0;
							_t244 = E00F1A8DF(_t185 + 0xac, 0x15, __eflags, 0xf03af4, _v16,  &_v20,  &_v36);
							__eflags = _t244 - 0x80041002;
							if(_t244 != 0x80041002) {
								__eflags = _t244;
								if(_t244 >= 0) {
									_v24 = _v20;
									_t244 = E00F47D61(_v20, E00F07D03());
									__eflags = _t244;
									if(__eflags >= 0) {
										_t244 =  *0xf53030();
										__eflags = _t244;
										if(__eflags >= 0) {
											_t176 = _v24;
											 *0xf512c4(_t176, _a8, _a12, _t237);
											_t244 =  *((intOrPtr*)( *((intOrPtr*)( *_t176 + 0xc))))();
											 *0xf5302c();
										}
									}
									E00F47C8C(_t185 + 0xac, 0x15, __eflags, _v20, _v36);
								}
							} else {
								_t180 = _v16;
								 *0xf512c4(_t180, _a8, _a12, _t237);
								_t244 =  *((intOrPtr*)( *((intOrPtr*)( *_t180 + 0xc))))();
								 *0xf5302c();
							}
							_t233 = _v32;
							E00F1A856(_v12, _v32, _v28);
						}
						_t167 = _v16;
						 *0xf512c4(_t167);
						 *((intOrPtr*)( *((intOrPtr*)( *_t167 + 8))))();
						_t237 = _a16;
					}
				}
				_t114 =  *((intOrPtr*)(_t185 + 0xa0));
				if(_t114 != 0) {
					_v16 = 0;
					 *0xf512c4(_t114, 0xf03af4,  &_v16);
					_t244 =  *((intOrPtr*)( *((intOrPtr*)( *_t114))))();
					if(_t244 >= 0) {
						_t157 = _v16;
						 *0xf512c4(_t157, _a8, _a12, _t237);
						_t244 =  *((intOrPtr*)( *((intOrPtr*)( *_t157 + 0xc))))();
						_t160 = _v16;
						 *0xf512c4(_t160);
						 *((intOrPtr*)( *((intOrPtr*)( *_t160 + 8))))();
					}
				}
				_t238 = _t185 + 0x40;
				_v32 = _t238;
				_t116 =  *((intOrPtr*)( *(_t185 + 0x40) + 0x18));
				_v24 = _t116;
				if(_t116 != E00F04320) {
					 *0xf512c4();
					_v24();
				} else {
					E00F04320(_t238);
				}
				_t190 =  *0xf4f0cc; // 0x0
				_v24 =  *(_t190 + 8) & 0x00000005 | 0x00000008;
				_t122 =  *((intOrPtr*)(_t190 + 4));
				_v12 = _t122;
				_t267 = _t122;
				if(_t267 == 0) {
					L51:
					 *0xf512c4();
					 *((intOrPtr*)( *((intOrPtr*)( *_t238 + 0x1c))))();
					_t244 = 0x80041006;
					goto L19;
				} else {
					_t131 =  *(_t185 + 0x68);
					_t233 = _t131 * 4 >> 0x20;
					_t202 = HeapAlloc(_v12, _v24,  ~(0 | _t267 > 0x00000000) | _t131 * 0x00000004);
					_v28 = _t202;
					if(_t202 == 0) {
						E00F48131();
						goto L51;
					}
					_t135 =  *(_t185 + 0x64);
					if(_t135 != 0) {
						_t233 =  *(_t135 + 4);
						__eflags = _t233;
						if(_t233 == 0) {
							goto L12;
						} else {
							goto L44;
						}
						while(1) {
							L44:
							_t135 = _t233;
							_t233 =  *(_t135 + 4);
							__eflags = _t233;
							if(_t233 == 0) {
								goto L12;
							}
						}
					}
					L12:
					_v12 = _t135;
					_t186 = 0;
					_t239 = _t202;
					while(_t135 != 0) {
						_t150 =  *((intOrPtr*)(_t135 + 0x14));
						 *0xf512c4(_t150, 0xf03af4, _t239);
						_t244 =  *((intOrPtr*)( *((intOrPtr*)( *_t150))))();
						E00F456AB( &_v12);
						_t135 = _v12;
						_t186 = _t186 + 1;
						_t239 = _t239 + 4;
					}
					_t238 = _v32;
					_v20 = _t186;
					_t187 =  *((intOrPtr*)( *_v32 + 0x1c));
					__eflags = _t187 - E00F04350;
					if(_t187 != E00F04350) {
						 *0xf512c4();
						 *_t187();
					} else {
						E00F04350(_t238);
					}
					_t139 = _v20;
					_t205 = 0;
					_t185 = _v28;
					_v12 = 0;
					__eflags = _t139;
					if(_t139 != 0) {
						do {
							_t233 =  *(_t185 + _t205 * 4);
							_t240 = _t185 + _t205 * 4;
							__eflags = _t233;
							if(_t233 != 0) {
								 *0xf512c4(_t233, _a8, _a12, _a16);
								_t244 =  *((intOrPtr*)( *((intOrPtr*)( *_t233 + 0xc))))();
								_t142 =  *_t240;
								 *0xf512c4(_t142);
								 *((intOrPtr*)( *((intOrPtr*)( *_t142 + 8))))();
								_t139 = _v20;
								_t205 = _v12;
							}
							_t205 = _t205 + 1;
							_v12 = _t205;
							__eflags = _t205 - _t139;
						} while (_t205 < _t139);
						_t238 = _v32;
						goto L16;
					} else {
						L16:
						_t145 =  *0xf4f0cc; // 0x0
						_t146 =  *(_t145 + 4);
						__eflags = _t146;
						if(_t146 != 0) {
							_t147 = HeapFree(_t146, 0, _t185);
							__eflags = _t147;
							if(_t147 == 0) {
								E00F48131();
							}
						}
						L19:
						E00F22860(_t238);
						__eflags = _t244;
						if(_t244 < 0) {
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t244);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
						}
						_t127 =  *0xf4f014; // 0xf4f014
						__eflags = _t127 - 0xf4f014;
						if(_t127 != 0xf4f014) {
							__eflags =  *(_t127 + 0x1c) & 0x00000004;
							if(( *(_t127 + 0x1c) & 0x00000004) != 0) {
								__eflags =  *((char*)(_t127 + 0x19)) - 2;
								if( *((char*)(_t127 + 0x19)) >= 2) {
									_t108 = _t127 + 0x14; // 0x20000000
									_t233 = 0xf21284;
									_t109 = _t127 + 0x10; // 0x40000000
									E00F32A46(0xb4, 0xf21284,  *_t109,  *_t108, _t244);
								}
							}
						}
						__eflags = _v8 ^ _t260;
						return E00F01CA0(_t244, _t185, _v8 ^ _t260, _t233, _t238, _t244);
					}
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000000), ref: 00F0570E
    • Part of subcall function 00F04350: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(0000000C,00F05758), ref: 00F0435A
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,?), ref: 00F0577B
    • Part of subcall function 00F48131: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1(00F2B381), ref: 00F48131
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Heap$AllocCriticalErrorFreeLastLeaveSection
  • String ID:
  • API String ID: 2749472163-0
  • Opcode ID: 2c806e99c5c7a1cd04693b9b14bc46cf5348180603bdd13cfa371e4834ade160
  • Instruction ID: 3085f1fa17f0abe0cb1c45921a44b79eaf2416503dcb74aa0a7ad5114668b26e
  • Opcode Fuzzy Hash: 2c806e99c5c7a1cd04693b9b14bc46cf5348180603bdd13cfa371e4834ade160
  • Instruction Fuzzy Hash: 08D18C75A00619DFCF04DFA4D844AAEBBB5BF88710F154099E906AB391CB74AD01FFA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 26%
			E00F084F8(signed int __edx, intOrPtr* _a8, signed short _a16) {
				signed int _v8;
				char _v136;
				short _v140;
				short _v144;
				signed short _v148;
				intOrPtr* _v152;
				short _v156;
				void* _v160;
				short _v164;
				signed int _v168;
				intOrPtr _v172;
				void* _v176;
				void* _v180;
				intOrPtr _v184;
				void* _v188;
				void* _v192;
				intOrPtr _v196;
				void _v200;
				intOrPtr _v204;
				void* _v208;
				intOrPtr _v212;
				char _v216;
				signed short __ebx;
				void* __edi;
				intOrPtr* __esi;
				void* __ebp;
				signed int _t78;
				void* _t82;
				intOrPtr _t89;
				signed short _t94;
				signed short _t95;
				intOrPtr _t97;
				signed int _t98;
				int _t101;
				signed short _t102;
				int _t105;
				intOrPtr* _t108;
				signed short _t109;
				signed int _t111;
				void* _t119;
				signed int _t120;
				signed short* _t126;
				signed int _t127;
				signed int _t128;

				_t122 = __edx;
				_t78 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t78 ^ _t128;
				_v148 = _a16;
				_t108 = _a8;
				_t82 = memset( &_v200, 0, 7 << 2);
				_t111 = 0;
				_v192 = _t82;
				_t126 =  &_v216;
				_v188 = _t82;
				_t127 = _t122;
				_v176 = _t82;
				_v180 = _t82;
				asm("stosd");
				_v152 = _t108;
				_v200 = 0xffffffff;
				asm("stosd");
				_v196 = 0xffffffff;
				_v184 = 3;
				_v160 = 0;
				asm("stosd");
				asm("stosd");
				_v208 =  &_v200;
				_v212 = 0;
				_v204 = 0;
				 *0xf53040(_t127,  &_v136, 0x40);
				_t109 =  *0xf53050(_t127,  *_t108,  &_v216, 0xf0622c,  &_v160);
				if(_t109 < 0) {
					_t89 =  *0xf4f014; // 0xf4f014
					if(_t89 == 0xf4f014 || ( *(_t89 + 0x1c) & 0x00000004) == 0 ||  *((char*)(_t89 + 0x19)) < 5) {
						goto L21;
					} else {
						_t73 = _t89 + 0x14; // 0x20000000
						_t74 = _t89 + 0x10; // 0x40000000
						E00F40FF7( *_t74,  *_t73,  &_v136,  *_v152, _t109);
						goto L20;
					}
				} else {
					__eax = _v160;
					__esi =  *__eax;
					__esi =  *((intOrPtr*)( *__eax + 0xc));
					__ecx = __esi;
					__eax =  *0xf512c4(__eax, 0, 0xf03a60, _v148);
					__ebx =  *__esi();
					_v148 = __ebx;
					if(__ebx < 0) {
						__eax =  *0xf4f014; // 0xf4f014
						if(__eax != 0xf4f014 && ( *(__eax + 0x1c) & 0x00000004) != 0 &&  *((char*)(__eax + 0x19)) >= 5) {
							_t55 = __eax + 0x14; // 0x20000000
							__edx = 0xf212f8;
							__ecx = 0xb;
							_t56 = __eax + 0x10; // 0x40000000
							__eax = E00F32A46(0xb, 0xf212f8,  *_t56,  *_t55, __ebx);
						}
					}
					__eax = _v160;
					__ecx =  *__eax;
					__esi =  *((intOrPtr*)( *__eax + 8));
					__ecx = __esi;
					__eax =  *0xf512c4(__eax);
					__eax =  *__esi();
					if( *0xf504d4 != 0) {
						L20:
						_t89 =  *0xf4f014; // 0xf4f014
						L21:
						if(_t109 < 0) {
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t109);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
							_t89 =  *0xf4f014; // 0xf4f014
						}
						if(_t89 != 0xf4f014 && ( *(_t89 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t89 + 0x19)) >= 2) {
							_t76 = _t89 + 0x14; // 0x20000000
							_t122 = 0xf212f8;
							_t77 = _t89 + 0x10; // 0x40000000
							E00F32A46(0xd, 0xf212f8,  *_t77,  *_t76, _t109);
						}
						return E00F01CA0(_t109, _t109, _v8 ^ _t128, _t122, _t126, _t127);
					} else {
						__eax = 0;
						__ecx = 2;
						_v172 = 0;
						_v152 = 2;
						do {
							_t122 = _t120 + _t97 >> 1;
							_t127 =  &_v136;
							_v168 = _t122;
							_t126 =  *(0xf504cc + _t122 * 4);
							while(1) {
								_t98 =  *_t127 & 0x0000ffff;
								if(_t98 == 0) {
									goto L32;
								}
								L8:
								if(_t98 > 0x7f) {
									_v140 = _t98;
									_t101 = LCMapStringW(0x7f, 0x100,  &_v140, 1,  &_v164, 1);
									_t102 = _v140;
									if(_t101 != 0) {
										_t102 = _v164;
									}
									L26:
									_t109 = _t102 & 0x0000ffff;
									L11:
									_t111 =  *_t126 & 0x0000ffff;
									if(_t111 > 0x7f) {
										_v144 = _t111;
										_t105 = LCMapStringW(0x7f, 0x100,  &_v144, 1,  &_v156, 1);
										_t94 = _v144;
										if(_t105 != 0) {
											_t94 = _v156;
										}
										L2:
										_t95 = _t94 & 0x0000ffff;
										L14:
										_t119 = (_t109 & 0x0000ffff) - (_t95 & 0x0000ffff);
										if(_t119 != 0) {
											break;
										}
										_t127 = _t127 + 2;
										_t126 =  &(_t126[1]);
										_t98 =  *_t127 & 0x0000ffff;
										if(_t98 == 0) {
											goto L32;
										}
										goto L8;
									}
									_t39 = _t111 - 0x41; // -130
									if(_t39 <= 0x19) {
										_t94 = _t111 + 0x20;
										goto L2;
									}
									_t95 = _t111;
									goto L14;
								}
								_t38 = _t98 - 0x41; // -65
								if(_t38 <= 0x19) {
									_t102 = _t98 + 0x20;
									goto L26;
								}
								_t109 = _t98;
								goto L11;
								L32:
								if( *_t126 != 0) {
									goto L8;
								}
								 *0xf504d4 = 1;
								goto L19;
							}
							if(_t119 < 0) {
								_t120 = _v168;
								_t97 = _v172;
								_v152 = _t120;
							} else {
								_t120 = _v152;
								_t97 = _v168 + 1;
								_v172 = _t97;
							}
						} while (_t97 < _t120);
						L19:
						_t109 = _v148;
						goto L20;
					}
				}
			}

Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 873f5b26327f73803999235bffb56a782a373d0552cb6f6318eedb3898ad1af2
  • Instruction ID: f140570eeaca3a773d78f67edb0d14ea4110067d09083da3c503139a055343e2
  • Opcode Fuzzy Hash: 873f5b26327f73803999235bffb56a782a373d0552cb6f6318eedb3898ad1af2
  • Instruction Fuzzy Hash: B9916B75A003289FDB24CF14DD44BAAB7B5FB04314F0140E9EA89A72A1DB719E85FF61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 36%
			E00F3BA6B(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				intOrPtr _t81;
				intOrPtr* _t82;
				intOrPtr* _t92;
				intOrPtr* _t112;
				intOrPtr _t115;
				intOrPtr* _t125;
				void* _t162;

				_t152 = __edi;
				_push(0x2c);
				E00F03FD5(0xf262e0, __ebx, __edi, __esi);
				_t112 = __ecx;
				 *((intOrPtr*)(_t162 - 0x28)) = __ecx;
				_t71 =  *((intOrPtr*)(__ecx + 0xd4));
				if( *((intOrPtr*)(__ecx + 0xd4)) == 0) {
					_t155 = 0x80041024;
					__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(0x80041024);
					__imp__?Write@CMemoryLog@@QAEXJ@Z();
					_t115 =  *0xf4f014; // 0xf4f014
					__eflags = _t115 - 0xf4f014;
					if(_t115 != 0xf4f014) {
						__eflags =  *(_t115 + 0x1c) & 0x00000004;
						if(( *(_t115 + 0x1c) & 0x00000004) != 0) {
							__eflags =  *((char*)(_t115 + 0x19)) - 2;
							if( *((char*)(_t115 + 0x19)) >= 2) {
								_t67 = _t115 + 0x14; // 0x20000000
								_t68 = _t115 + 0x10; // 0x40000000
								E00F32A46(0x91, 0xf21284,  *_t68,  *_t67, 0x80041024);
							}
						}
					}
					L30:
					return E00F03FC1(_t112, _t152, _t155);
				}
				_t155 = 0;
				 *((intOrPtr*)(_t162 - 0x18)) = 0;
				_t152 = E00F37D7A(__ecx, __edx, _t71, 0xf04eb8, 7, _t162 - 0x20, _t162 - 0x2c, _t162 - 0x1c, _t162 - 0x38, _t162 - 0x14, _t162 - 0x24, _t162 - 0x34);
				if(_t152 >= 0) {
					_t81 =  *0xf4f098; // 0x0
					if(_t81 != 0) {
						 *((intOrPtr*)(_t81 + 0x138)) =  *((intOrPtr*)(_t81 + 0x138)) + 1;
						asm("adc [eax+0x13c], esi");
					}
					_t82 =  *((intOrPtr*)(_t162 - 0x14));
					 *((intOrPtr*)(_t112 + 0x220)) =  *((intOrPtr*)(_t112 + 0x220)) + 1;
					asm("adc [ebx+0x224], esi");
					_t155 =  *_t82;
					_t130 =  *((intOrPtr*)(_t155 + 0xc));
					 *0xf512c4(_t82,  *((intOrPtr*)(_t162 + 8)), _t162 - 0x18);
					_t152 =  *((intOrPtr*)(_t155 + 0xc))();
					_t131 = _t112;
					_t75 = E00F38DDA(_t112,  *((intOrPtr*)(_t155 + 0xc)),  *((intOrPtr*)(_t155 + 0xc)), 7,  *((intOrPtr*)(_t162 - 0x20)),  *((intOrPtr*)(_t162 - 0x2c)),  *((intOrPtr*)(_t162 - 0x1c)), _t130, _t130,  *((intOrPtr*)(_t162 - 0x24)),  *((intOrPtr*)(_t162 - 0x34)));
					if(_t152 >= 0) {
						_t168 =  *((intOrPtr*)(_t162 + 0xc));
						if( *((intOrPtr*)(_t162 + 0xc)) != 0) {
							_t75 = E00F19D72(_t131, _t168, 0x74);
							 *((intOrPtr*)(_t162 - 0x38)) = _t75;
							 *(_t162 - 4) =  *(_t162 - 4) & 0x00000000;
							if(_t75 == 0) {
								_t112 = 0;
								__eflags = 0;
							} else {
								_push( *((intOrPtr*)(_t112 + 0x134)));
								_push(_t112 + 0x84);
								_push( *((intOrPtr*)(_t162 - 0x18)));
								_push( *((intOrPtr*)(_t112 + 0xec)));
								_t112 = _t75;
							}
							 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
							_t170 = _t112;
							if(_t112 == 0) {
								_t152 = 0x80041006;
							} else {
								 *0xf512c4(_t112);
								 *((intOrPtr*)( *((intOrPtr*)( *_t112 + 4))))();
								_t152 = E00F3B661(_t112, _t170);
								if(_t152 >= 0) {
									 *(_t162 - 0x30) =  *(_t162 - 0x30) & 0x00000000;
									_t92 =  *((intOrPtr*)(_t162 - 0x28)) + 0x84;
									 *((intOrPtr*)(_t162 - 0x14)) = _t92;
									 *0xf512c4();
									 *((intOrPtr*)( *((intOrPtr*)( *_t92 + 0x18))))();
									_t44 = _t112 + 0x10; // 0x10
									 *0xf512c4(_t44, _t162 - 0x30);
									if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t162 - 0x14)))) + 0x20))))() != 0) {
										 *0xf512c4();
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t162 - 0x14)))) + 0x1c))))();
										_t152 = 0x80041006;
									} else {
										 *0xf512c4();
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t162 - 0x14)))) + 0x1c))))();
										 *((intOrPtr*)( *((intOrPtr*)(_t162 + 0xc)))) = _t112;
										 *0xf512c4(_t112);
										 *((intOrPtr*)( *((intOrPtr*)( *_t112 + 4))))();
									}
								}
								_t155 =  *((intOrPtr*)( *_t112 + 8));
								 *0xf512c4(_t112);
								_t75 =  *((intOrPtr*)( *((intOrPtr*)( *_t112 + 8))))();
							}
						}
					}
				}
				_t125 =  *((intOrPtr*)(_t162 - 0x18));
				if(_t125 != 0) {
					_t155 =  *((intOrPtr*)( *_t125 + 8));
					 *0xf512c4(_t125);
					_t75 =  *((intOrPtr*)( *((intOrPtr*)( *_t125 + 8))))();
				}
				if(_t152 < 0) {
					__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t152);
					__imp__?Write@CMemoryLog@@QAEXJ@Z();
				}
				_t76 =  *0xf4f014; // 0xf4f014
				if(_t76 != 0xf4f014 && ( *(_t76 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t76 + 0x19)) >= 2) {
					_t61 = _t76 + 0x14; // 0x20000000
					_t62 = _t76 + 0x10; // 0x40000000
					E00F32A46(0x90, 0xf21284,  *_t62,  *_t61, _t152);
				}
				goto L30;
			}

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,?,00F04EB8,00000007,?,?,?,?,?,?,?,0000002C,00F39568,?,?), ref: 00F3BC4E
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,00F04EB8,00000007,?,?,?,?,?,?,?,0000002C,00F39568,?,?), ref: 00F3BC56
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024,0000002C,00F39568,?,?), ref: 00F3BC94
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3BC9C
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: a5a7c3816d713e8e665660a0440245b35a4ba3ae06a21649b78758feda355504
  • Instruction ID: 4f8fd4be5d2ab64626e2154dae01e13993de2b8d447c948147e59bf1290653f8
  • Opcode Fuzzy Hash: a5a7c3816d713e8e665660a0440245b35a4ba3ae06a21649b78758feda355504
  • Instruction Fuzzy Hash: 9F71A475A002159FCF19DF54D994EAE7BB5FF48321F144068FA06AB2A1DB34AD01EF60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 38%
			E00F1861D(signed int __eax, void* __ecx, void* __edx, signed int __esi, signed int _a4, struct _CRITICAL_SECTION* _a8, struct _CRITICAL_SECTION* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				struct _CRITICAL_SECTION* _v12;
				void* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t96;
				intOrPtr _t98;
				void* _t99;
				struct _CRITICAL_SECTION* _t106;
				intOrPtr _t110;
				void* _t111;
				struct _CRITICAL_SECTION* _t115;
				struct _CRITICAL_SECTION* _t116;
				intOrPtr _t117;
				void* _t118;
				struct _CRITICAL_SECTION* _t132;
				void* _t133;
				void* _t134;
				signed int _t135;
				intOrPtr _t138;
				long _t149;
				intOrPtr* _t151;
				long _t165;
				signed int _t167;
				void* _t168;
				void* _t169;
				signed int _t170;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				void* _t175;
				void* _t176;
				void* _t177;
				struct _CRITICAL_SECTION* _t178;
				void* _t179;
				signed int _t181;
				signed int _t186;
				signed int _t198;

				 *__eax =  *__eax + __eax;
				asm("aas");
				asm("repne add [eax], al");
				asm("aas");
				asm("repne add [eax+0x3f], al");
				asm("repne add [eax+0xf490], ah");
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				asm("pushad");
				_push(_t186);
				 *__eax =  *__eax + __ecx;
				_t173 = __esi ^ __eax;
				 *((intOrPtr*)(__eax - 0x6f6f6f70)) =  *((intOrPtr*)(__eax - 0x6f6f6f70)) + __ecx;
				0;
				_t183 = _t186;
				_t96 =  *0xf4f1a4; // 0xbd26e8f
				_v12 = _t96 ^ _t186;
				_push(_t173);
				_t98 =  *0xf4f014; // 0xf4f014
				_t132 = _a8;
				_t174 = _a4;
				if(_t98 == 0xf4f014 || ( *(_t98 + 0x1c) & 0x00000004) == 0) {
					_t167 = _a4;
				} else {
					_t167 = _a4;
					if( *((char*)(_t98 + 0x19)) >= 5) {
						_t86 = _t98 + 0x14; // 0x20000000
						_t87 = _t98 + 0x10; // 0x40000000
						E00F40422(0x39,  *_t87,  *_t86, _t174, _t132, _t167, _a16, _a20);
						_t98 =  *0xf4f014; // 0xf4f014
					}
				}
				_t160 = _t174 & 0xffffe0ff;
				_v24 = _t160;
				if(_t160 != 0) {
					_push(_a20);
					_push(_a16);
					_push(_t132);
					_push(_t174);
					goto L32;
				} else {
					if( *((intOrPtr*)(_t167 + 0x58)) != 0) {
						_t175 = 0x80041033;
						L33:
						_t138 =  *((intOrPtr*)(_t167 + 0xa4));
						if(_t138 != 0 && _t160 == 0) {
							__imp__WmiSetAndCommitObject( *0xf4f7c0, 1,  *((intOrPtr*)(_t138 + 0x140)),  *((intOrPtr*)( *((intOrPtr*)(_t138 + 0x134)) + 0x38)),  *((intOrPtr*)(_t138 + 0x13c)),  *((intOrPtr*)(_t138 + 0x138)),  *((intOrPtr*)(_t138 + 0x144)),  *((intOrPtr*)(_t167 + 0x98)),  *((intOrPtr*)(_t167 + 0x9c)),  *((intOrPtr*)(_t167 + 0xa0)), _t132, _a16, _a20);
							_t98 =  *0xf4f014; // 0xf4f014
						}
						if(_t175 != 0x80041008) {
							if(_t175 < 0) {
								__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t175);
								__imp__?Write@CMemoryLog@@QAEXJ@Z();
								_t98 =  *0xf4f014; // 0xf4f014
							}
							if(_t98 != 0xf4f014 && ( *(_t98 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t98 + 0x19)) >= 2) {
								_t93 = _t98 + 0x14; // 0x20000000
								_t160 = 0xf22544;
								_t94 = _t98 + 0x10; // 0x40000000
								E00F32A46(0x3a, 0xf22544,  *_t94,  *_t93, _t175);
							}
							_pop(_t168);
							_pop(_t176);
							_pop(_t133);
							return E00F01CA0(_t175, _t133, _v8 ^ _t183, _t160, _t168, _t176);
						} else {
							_pop(_t169);
							_pop(_t177);
							_pop(_t134);
							return E00F01CA0(_t175, _t134, _v8 ^ _t183, _t160, _t169, _t177);
						}
					}
					_t178 = _t167 + 0x7c;
					_v12 = _t178;
					if( *((char*)(_t167 + 0x94)) == 0 || E00F02E90(_t178) == 0) {
						L47:
						_t106 = 0x80041006;
						goto L31;
					} else {
						_t135 =  *(_t167 + 0x70);
						_t198 = _t135;
						if(_t198 == 0) {
							if( *((char*)(_t178 + 0x18)) != 0) {
								LeaveCriticalSection(_t178);
							}
							_t132 = _a12;
							L30:
							_t106 = _t132;
							L31:
							_push(_a20);
							_push(_a16);
							_push(_t106);
							_push(_a8);
							L32:
							_push(_t167);
							_t99 = E00F17140();
							_t160 = _v24;
							_t175 = _t99;
							_t98 =  *0xf4f014; // 0xf4f014
							goto L33;
						}
						_t149 =  ~(0 | _t198 > 0x00000000) | _t135 * 0x00000004;
						_t110 =  *0xf4f0cc; // 0x0
						_t111 =  *(_t110 + 4);
						_t165 =  *(_t110 + 8) & 0x00000005 | 0x00000008;
						if(_t111 == 0) {
							L52:
							E00F321AA(_t178);
							_t132 = _a12;
							goto L47;
						}
						_t179 = HeapAlloc(_t111, _t165, _t149);
						_v20 = _t179;
						if(_t179 == 0) {
							E00F48131();
							_t178 = _t167 + 0x7c;
							goto L52;
						}
						_t170 = 0;
						if(_t135 <= 0) {
							L20:
							_t115 = _v12;
							if( *((char*)(_t115 + 0x18)) != 0) {
								LeaveCriticalSection(_t115);
							}
							_t116 = E00F17E80(_a4, _t135, _t179);
							_t171 = 0;
							_v12 = _t116;
							if(_t135 <= 0) {
								L27:
								_t117 =  *0xf4f0cc; // 0x0
								_t118 =  *(_t117 + 4);
								if(_t118 != 0 && HeapFree(_t118, 0, _t179) == 0) {
									E00F48131();
								}
								_t106 = _v12;
								_t167 = _a4;
								_t132 = _a12;
								if(_t106 < 0) {
									goto L31;
								} else {
									goto L30;
								}
							} else {
								do {
									_t151 =  *((intOrPtr*)(_t179 + _t171 * 4));
									if(_t151 != 0) {
										 *0xf512c4(_t151);
										 *((intOrPtr*)( *((intOrPtr*)( *_t151 + 8))))();
										_t179 = _v20;
									}
									_t171 = _t171 + 1;
								} while (_t171 < _t135);
								goto L27;
							}
						} else {
							_t181 = _a4;
							do {
								if(E00F17480(_t181 + 0x60,  &_v28) == 0) {
									 *((intOrPtr*)(_v20 + _t170 * 4)) = _v28;
									if( *((intOrPtr*)(_t181 + 0x60)) !=  *((intOrPtr*)(_t181 + 0x64)) ||  *(_t181 + 0x68) !=  *((intOrPtr*)(_t181 + 0x6c))) {
										 *(_t181 + 0x68) =  *(_t181 + 0x68) + 1;
										if( *(_t181 + 0x68) == 0x100) {
											E00F18AC2(_t181 + 0x60);
											 *(_t181 + 0x68) = 0;
										}
										 *((intOrPtr*)(_t181 + 0x70)) =  *((intOrPtr*)(_t181 + 0x70)) - 1;
									}
								}
								_t170 = _t170 + 1;
							} while (_t170 < _t135);
							_t179 = _v20;
							goto L20;
						}
					}
				}
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000000), ref: 00F1DF1B
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 00F1DF85
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,?,?,00000000), ref: 00F1DFCF
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F1E056
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Heap$AllocCommitCriticalFreeLeaveObjectSection
  • String ID:
  • API String ID: 581755459-0
  • Opcode ID: 09d26a5f20efcfab3217a537b1a9c094edb387776b12bfe4d4dc1ff8bc9b637e
  • Instruction ID: 6aa61d79549df92b5668fc4275bdbd763936ebcf20fc3397da8a19c3fa43a8f3
  • Opcode Fuzzy Hash: 09d26a5f20efcfab3217a537b1a9c094edb387776b12bfe4d4dc1ff8bc9b637e
  • Instruction Fuzzy Hash: F861B131A04249AFDB11CF65CC84AEABBB5FF49310F054069FD469B262C771ED82EB91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 25%
			E00F421AB(void* __ebx, void* __ecx, signed int __edi, signed int __esi, void* __eflags) {
				intOrPtr _t65;
				signed int _t75;
				signed int _t81;
				signed int _t84;
				intOrPtr _t87;
				void* _t91;
				void* _t95;
				signed int _t102;
				intOrPtr _t115;
				void* _t116;
				void* _t117;
				signed int _t121;
				signed int _t122;
				void* _t128;

				_t123 = __esi;
				_t120 = __edi;
				_push(0x10);
				E00F03FD5(E00F2668C, __ebx, __edi, __esi);
				_t91 = __ecx;
				 *((intOrPtr*)(__ecx + 0xec)) =  *((intOrPtr*)(_t128 + 8));
				if( *((intOrPtr*)(_t128 + 0xc)) == 0) {
					L7:
					__eflags =  *(_t128 + 0x10);
					if( *(_t128 + 0x10) == 0) {
						L10:
						_t120 = E00F43B23(_t91,  *((intOrPtr*)(_t128 + 0x28)));
						__eflags = _t120;
						if(_t120 < 0) {
							L28:
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t120);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
							L29:
							_t65 =  *0xf4f014; // 0xf4f014
							__eflags = _t65 - 0xf4f014;
							if(_t65 != 0xf4f014) {
								__eflags =  *(_t65 + 0x1c) & 0x00000004;
								if(( *(_t65 + 0x1c) & 0x00000004) != 0) {
									__eflags =  *((char*)(_t65 + 0x19)) - 2;
									if( *((char*)(_t65 + 0x19)) >= 2) {
										_push(_t120);
										_t59 = _t65 + 0x14; // 0x20000000
										_push( *_t59);
										_t60 = _t65 + 0x10; // 0x40000000
										_push( *_t60);
										_t95 = 0x13;
										E00F32A46(_t95, 0xf22554);
									}
								}
							}
							L34:
							return E00F03FC1(_t91, _t120, _t123);
						}
						_t120 = E00F4378D(_t91,  *((intOrPtr*)(_t128 + 0x14)));
						__eflags = _t120;
						if(_t120 < 0) {
							goto L28;
						}
						_t97 = _t91;
						_t120 = E00F437FD(_t91, _t91, _t120, _t123,  *((intOrPtr*)(_t128 + 0x18)));
						__eflags = _t120;
						if(__eflags < 0) {
							goto L28;
						}
						 *((intOrPtr*)(_t91 + 0xe4)) =  *((intOrPtr*)(_t128 + 0x20));
						_t64 = E00F19D72(_t97, __eflags, 0x44);
						_pop(_t98);
						 *(_t128 - 0x18) = _t64;
						 *(_t128 - 4) =  *(_t128 - 4) & 0x00000000;
						__eflags = _t64;
						if(_t64 == 0) {
							_t121 = 0;
							__eflags = 0;
							 *(_t128 - 0x14) = 0;
						} else {
							_push(_t98);
							_t64 = E00F43F35(_t64, _t117,  *((intOrPtr*)(_t91 + 0xe0)), _t91);
							_t121 = _t64;
							 *(_t128 - 0x14) = _t64;
						}
						 *(_t128 - 4) =  *(_t128 - 4) | 0xffffffff;
						__eflags = _t121;
						if(_t121 == 0) {
							_t120 = 0x80041006;
							goto L27;
						} else {
							 *0xf512c4(_t121);
							 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 4))))();
							 *0xf512c4();
							_t75 =  *((intOrPtr*)( *((intOrPtr*)( *_t121 + 0xc))))();
							__eflags = _t75;
							if(_t75 != 0) {
								L24:
								_t120 = 0x80041006;
								L25:
								_t102 =  *(_t128 - 0x14);
								_t123 =  *( *_t102 + 8);
								 *0xf512c4(_t102);
								_t64 =  *( *( *_t102 + 8))();
								L27:
								__eflags = _t120;
								if(_t120 >= 0) {
									goto L29;
								}
								goto L28;
							}
							_t120 = E00F4406F(_t121,  *((intOrPtr*)(_t128 + 0x24)),  *((intOrPtr*)(_t128 + 0x1c)));
							__eflags = _t120;
							if(_t120 < 0) {
								goto L25;
							}
							 *(_t128 - 0x1c) =  *(_t128 - 0x1c) & 0x00000000;
							 *0xf512c4(_t128 - 0x1c,  *(_t128 - 0x14));
							_t81 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t91 + 0x20)) + 0x30))))();
							__eflags = _t81;
							if(_t81 != 0) {
								goto L24;
							}
							_t122 =  *(_t128 - 0x14);
							 *(_t128 - 0x18) =  *(_t128 - 0x18) | 0xffffffff;
							_t127 =  *((intOrPtr*)( *_t122 + 0x24));
							 *0xf512c4(_t128 - 0x18);
							_t84 =  *((intOrPtr*)( *((intOrPtr*)( *_t122 + 0x24))))();
							__eflags = _t84;
							if(_t84 != 0) {
								goto L24;
							}
							_t120 =  *(_t122 + 0x2c);
							__eflags = _t120;
							if(_t120 >= 0) {
								_t111 =  *(_t128 - 0x14);
								_t120 = E00F4445D(_t91,  *(_t128 - 0x14), _t117);
								__eflags = _t120;
								if(__eflags >= 0) {
									_t120 = E00F42792(_t91, _t91, _t120, _t127, __eflags,  *((intOrPtr*)(_t128 + 8)),  *((intOrPtr*)(_t128 + 0xc)),  *(_t128 + 0x10),  *((intOrPtr*)(_t128 + 0x14)), _t111,  *((intOrPtr*)(_t128 + 0x1c)), _t111,  *((intOrPtr*)(_t128 + 0x24)), _t111,  *((intOrPtr*)(_t128 + 0x2c)));
								}
							}
							goto L25;
						}
					}
					_t64 =  *0xf53000( *(_t128 + 0x10));
					 *(_t91 + 0xf4) = _t64;
					__eflags = _t64;
					if(_t64 != 0) {
						goto L10;
					}
					_t120 = 0x80041006;
					goto L28;
				}
				_t87 =  *0xf53000( *((intOrPtr*)(_t128 + 0xc)));
				 *((intOrPtr*)(__ecx + 0xf0)) = _t87;
				if(_t87 != 0) {
					goto L7;
				} else {
					_t123 = 0x80041006;
					__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(0x80041006);
					__imp__?Write@CMemoryLog@@QAEXJ@Z();
					_t115 =  *0xf4f014; // 0xf4f014
					if(_t115 != 0xf4f014 && ( *(_t115 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t115 + 0x19)) >= 2) {
						_push(0x80041006);
						_t10 = _t115 + 0x14; // 0x20000000
						_push( *_t10);
						_t11 = _t115 + 0x10; // 0x40000000
						_push( *_t11);
						_t116 = 0x12;
						E00F32A46(_t116, 0xf22554);
					}
					goto L34;
				}
			}

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041006,?,?,00000000), ref: 00F421E1
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,00000000), ref: 00F421E9
    • Part of subcall function 00F32A46: EtwTraceMessage.NTDLL ref: 00F32A5D
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,00000010,00F40935,?,?,?,?,00000001,?,?,?,?,?,?,?), ref: 00F423A1
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,00000000), ref: 00F423A9
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@$MessageTrace
  • String ID:
  • API String ID: 1001461608-0
  • Opcode ID: c3e94d8dd6f7ea39c15ce810a8566d00b9e5d8c2a585b707b8f97da25df54ffd
  • Instruction ID: 63b7572e8dd94f6afdddec9fb2cbb5a807e744be99f2e32a66fdc0dd011631ec
  • Opcode Fuzzy Hash: c3e94d8dd6f7ea39c15ce810a8566d00b9e5d8c2a585b707b8f97da25df54ffd
  • Instruction Fuzzy Hash: A361AF35A0020A9BDF458F24D804BAE3FB2BF88324F554078FD15AB2A1DB79ED11BB50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 36%
			E00F0AAE0(intOrPtr _a4, intOrPtr _a16, intOrPtr* _a20, void* _a24, intOrPtr _a28, signed char _a32) {
				signed int _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				intOrPtr* _t46;
				signed char _t49;
				intOrPtr _t51;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr* _t68;
				signed int _t70;
				void* _t73;
				long _t76;
				void* _t77;
				intOrPtr* _t78;
				intOrPtr* _t79;
				signed char _t80;
				void* _t87;
				intOrPtr _t97;
				intOrPtr* _t99;
				signed int _t101;
				signed int _t103;
				void* _t109;

				_t44 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t44 ^ _t103;
				_t46 = _a24;
				_t73 = 0;
				_t97 = _a4;
				if(_t46 == 0) {
					L9:
					_t78 = _a20;
					 *((intOrPtr*)(_t97 + 0x10)) = _a16;
					 *((intOrPtr*)(_t97 + 0x20)) = _a28;
					_t49 = _a32;
					 *((intOrPtr*)(_t97 + 0x14)) = _t78;
					 *(_t97 + 0x24) = _t49;
					_t97 = _t97 + 1;
					_pop(_t103);
					if((_t49 & 0x00000085) != 0) {
						_t98 =  *( *_t78 + 4);
						 *0xf512c4(_t78);
						 *( *( *_t78 + 4))();
					}
					_t79 =  *((intOrPtr*)(_t97 + 0x20));
					if(_t79 != 0) {
						_t98 =  *( *_t79 + 4);
						 *0xf512c4(_t79);
						 *( *( *_t79 + 4))();
					}
					_t80 =  *(_t97 + 0x24);
					if(_t80 != 0) {
						_t98 =  *( *_t80 + 4);
						 *0xf512c4(_t80);
						 *( *( *_t80 + 4))();
					}
				} else {
					_t99 = _t46;
					_t87 = _t99 + 2;
					do {
						_t64 =  *_t99;
						_t99 = _t99 + 2;
					} while (_t64 != 0);
					_t65 =  *0xf4f0cc; // 0x0
					_t101 = _t99 - _t87 >> 1;
					_t66 =  *(_t65 + 4);
					_t76 =  *(_t65 + 8) & 0x00000005 | 0x00000008;
					_v12 = _t66;
					_t109 = _t66;
					if(_t109 == 0) {
						L19:
						_t77 = 0;
						goto L22;
					} else {
						_t70 = _t101 + 1;
						_t95 = _t70 * 2 >> 0x20;
						_t77 = HeapAlloc(_v12, _t76,  ~(0 | _t109 > 0x00000000) | _t70 * 0x00000002);
						if(_t77 == 0) {
							if(E00F48131() != 0) {
								goto L19;
							}
							L22:
							_t98 = _a24;
						} else {
							_t98 = _a24;
							_t66 = memcpy(_t77, _t98, 2 + _t101 * 2);
						}
					}
					 *(_t97 + 0x18) = _t77;
					if(_t77 == 0) {
						_t73 = 0x80041006;
						goto L23;
					} else {
						_t73 =  *0xf53048(0xf0ac48, 0, 1, 0xf07c4c, _t97 + 0x1c);
						if(_t73 < 0) {
							L23:
							__imp__?GetMemLogObject@@YGPAVCMemoryLog@@XZ(_t73);
							__imp__?Write@CMemoryLog@@QAEXJ@Z();
						} else {
							_t68 =  *((intOrPtr*)(_t97 + 0x1c));
							_t98 =  *( *_t68 + 0xc);
							 *0xf512c4(_t68, 0xc, _t98);
							_t73 =  *( *( *_t68 + 0xc))();
							if(_t73 < 0) {
								goto L23;
							} else {
								goto L9;
							}
						}
					}
				}
				_t51 =  *0xf4f014; // 0xf4f014
				if(_t51 != 0xf4f014 && ( *(_t51 + 0x1c) & 0x00000004) != 0 &&  *((char*)(_t51 + 0x19)) >= 2) {
					_t42 = _t51 + 0x14; // 0x20000000
					_t95 = 0xf212f8;
					_t43 = _t51 + 0x10; // 0x40000000
					E00F32A46(0x27, 0xf212f8,  *_t43,  *_t42, _t73);
				}
				return E00F01CA0(_t73, _t73, _v8 ^ _t103, _t95, _t97, _t98);
			}

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000000), ref: 00F0AB4F
  • memcpy.MSVCRT ref: 00F0AB6C
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AllocHeapmemcpy
  • String ID:
  • API String ID: 242294866-0
  • Opcode ID: ae0fd1539a9357c507ed85b4e258a3d211ab7b3d54689044d241d3ad23a3d362
  • Instruction ID: 73c0734c629e510b075433b91aa6ca0ba3de3a7d0a470aa1178a254d1fb63807
  • Opcode Fuzzy Hash: ae0fd1539a9357c507ed85b4e258a3d211ab7b3d54689044d241d3ad23a3d362
  • Instruction Fuzzy Hash: BE51CC35B0031AAFDB18CF68DC95A6A7BE5BF48304B054169ED06D72A1DB70EC10EB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024,00000020), ref: 00F199D7
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F20E29
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: 20c966cf424219c6ab749f09ff3409cefc45827191ad1b4bfa9ff025c32fadb2
  • Instruction ID: a42220f01ccd6fc41be7a3948d3b0bbc00b948ece604259a220dc1d95591730b
  • Opcode Fuzzy Hash: 20c966cf424219c6ab749f09ff3409cefc45827191ad1b4bfa9ff025c32fadb2
  • Instruction Fuzzy Hash: D251D236908249AFCF168FA0CC14EEE7F72BF05310F05009AF905A61A2C775D995FBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(0000003C,00000000,0BD26E8F,0BD26E8F,00000000,?,?), ref: 00F175D7
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,0000007C,00000000), ref: 00F1769D
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CountCriticalInitializeSectionSpin
  • String ID:
  • API String ID: 2593887523-0
  • Opcode ID: be4c5fac616c1891278d0c5181193f17d64aed4d663e05c5b3a65192e0994f65
  • Instruction ID: 47a678b39801b66b2f32ae6529f59b2e1564ef069f44276e111defe6684d6a9b
  • Opcode Fuzzy Hash: be4c5fac616c1891278d0c5181193f17d64aed4d663e05c5b3a65192e0994f65
  • Instruction Fuzzy Hash: 7C5175B0A04B4AAFD704DF19C94879ABBF4FF09318F10825DD4098BA90C7B5A994EFD0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,00000000), ref: 00F43EA8
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F43EB0
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F43EDF
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F43EE7
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: f11017ad98c62f0fc5e82d2ab852cb5c0a6f771646d2490b4ab832e4538a7e85
  • Instruction ID: 880ec0ed24dc5f776e5e6ed6b07ab0930fcb9e1cb6d49f15698354c9e8e33c6f
  • Opcode Fuzzy Hash: f11017ad98c62f0fc5e82d2ab852cb5c0a6f771646d2490b4ab832e4538a7e85
  • Instruction Fuzzy Hash: 7941C835E01318AFCB159F64DC44AAEBF75BF44325F144069EE01A72A1CB35DE49BB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,-00000001,-00000001,00000000,00000001), ref: 00F0A612
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,-00000001,-00000001,00000000,00000001,00000000), ref: 00F27395
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CommitObject
  • String ID:
  • API String ID: 3211880563-0
  • Opcode ID: b1aa9d1292365c46f7637c74285e5a10038832f4e58565bd6a01e0146e8ee61e
  • Instruction ID: 77cb7f0da54d5f063bf46551f8a67df509e255bc8f00674e8a3c0b72b8ed20c7
  • Opcode Fuzzy Hash: b1aa9d1292365c46f7637c74285e5a10038832f4e58565bd6a01e0146e8ee61e
  • Instruction Fuzzy Hash: D141D471900728DFCF209F20CD44BAAB7F6FB49300F0444A9E58A96550C372AD98FF11
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,00000000), ref: 00F42655
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F4265D
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F4268C
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F42694
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: 2636ecb4dfacdeb719d98bfc6151dcda6569f4d2c51ce28e4bee722172c8b580
  • Instruction ID: ea00710a8e17c513741d9b89c18fd165d6f8898331d0761cf45e9700d95e8cda
  • Opcode Fuzzy Hash: 2636ecb4dfacdeb719d98bfc6151dcda6569f4d2c51ce28e4bee722172c8b580
  • Instruction Fuzzy Hash: B041C035900219AFCB269F64DC44AAEBF66FF44320F114069FE05A72A1CB31AD55EBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,00000020), ref: 00F3843E
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,?,?,?,?,?,00000020), ref: 00F38446
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024,00000020), ref: 00F384C3
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F384CB
    • Part of subcall function 00F329B6: EtwTraceMessage.NTDLL ref: 00F32A2F
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@$MessageTrace
  • String ID:
  • API String ID: 1001461608-0
  • Opcode ID: 9c61be4bc3912d694cbdddbcb7ae6558a339811277b9851939c3fd51b0e25b44
  • Instruction ID: 3c983c84e11064c36307c2e44cc6d2f4bb50b00dabe61843c0379567f040701f
  • Opcode Fuzzy Hash: 9c61be4bc3912d694cbdddbcb7ae6558a339811277b9851939c3fd51b0e25b44
  • Instruction Fuzzy Hash: 8041933590035AABCF16CF90DC05ADE7F76BF08360F144069FA11A62A2CB79D955FBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?), ref: 00F38643
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3864B
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3867A
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F38682
    • Part of subcall function 00F3F60D: EtwTraceMessage.NTDLL ref: 00F3F687
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@$MessageTrace
  • String ID:
  • API String ID: 1001461608-0
  • Opcode ID: ba94f5aaa5c24c82874654103fa73b064dc2c695879d0dfffc9bbb3cc0a57ebf
  • Instruction ID: d17cce8158ec11b14c0a60075e44f7dea93d25f70b987cf4c0e3536322312e5b
  • Opcode Fuzzy Hash: ba94f5aaa5c24c82874654103fa73b064dc2c695879d0dfffc9bbb3cc0a57ebf
  • Instruction Fuzzy Hash: DB419F75900308AFCF168F64DC48AAA7BB2FF45364F0444A9FD1597262CB39DD15EB50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?), ref: 00F387B3
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F387BB
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F387EA
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F387F2
    • Part of subcall function 00F3F6D8: EtwTraceMessage.NTDLL ref: 00F3F70D
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@$MessageTrace
  • String ID:
  • API String ID: 1001461608-0
  • Opcode ID: ca40257f624261b607a7d09d642d8d078025b2653b51213086f945905ec0006c
  • Instruction ID: c66b752eabdebfdb9198bdf0980c4b6d3fb3f9ad771cedd140c866ad70d019d5
  • Opcode Fuzzy Hash: ca40257f624261b607a7d09d642d8d078025b2653b51213086f945905ec0006c
  • Instruction Fuzzy Hash: AE41BF35A00308AFCF158F64DC48AAA7FB2FF45364F1044A9FD0597262CB39D916EBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,00000000,?,00F22640,00000006,?,?,?,?,?,?,?), ref: 00F3EF5C
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3EF64
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3EF97
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3EF9F
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: 750871db27453600202e366e81ec9389fee188dcd55a8b1578fd3d70ffc71efc
  • Instruction ID: 6dfcb4a436cbe2e47acaff61b822af12f17d716f8d970bb36dcd6dd16faa2ed4
  • Opcode Fuzzy Hash: 750871db27453600202e366e81ec9389fee188dcd55a8b1578fd3d70ffc71efc
  • Instruction Fuzzy Hash: 6841AF35A00208AFCF198F64DC48FFF7BAABF44320F044169F905972A1DB759915EBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,?,00F04E88,00000008,?,?,?,?,?,?,?), ref: 00F3C352
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,00F04E88,00000008,?,?,?,?,?,?,?), ref: 00F3C35A
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3C38C
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3C394
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: d324077e6342f977b71335831b4fd5e367f1ea6feb2df457c2a3484a9fca8d56
  • Instruction ID: a669addf1890989d317c1b29e690a46141edfedff4d9c4120700c0385b9a7946
  • Opcode Fuzzy Hash: d324077e6342f977b71335831b4fd5e367f1ea6feb2df457c2a3484a9fca8d56
  • Instruction Fuzzy Hash: 5941B472A00204ABCB198B54DC48FFE7B65FF54324F04815CFA06A71A1DB359D05EBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?), ref: 00F38918
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F38920
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3894F
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F38957
    • Part of subcall function 00F404B0: EtwTraceMessage.NTDLL ref: 00F404CD
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@$MessageTrace
  • String ID:
  • API String ID: 1001461608-0
  • Opcode ID: bc893f8acd7042c5633d41b45febfe2653b9432694fc863a5f7cbf2883b9e8d0
  • Instruction ID: 3f5710606aeebfe4be5320bbfe3cfc43ff14e47c0d4dfd0dae9e7da9e2598d0f
  • Opcode Fuzzy Hash: bc893f8acd7042c5633d41b45febfe2653b9432694fc863a5f7cbf2883b9e8d0
  • Instruction Fuzzy Hash: 0541D434A00308AFCB158F64DC48BAA7BB6FF45364F0444A9FD05972A2CB35D815EB51
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?), ref: 00F3F2F1
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3F2F9
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3F328
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3F330
    • Part of subcall function 00F3F69B: EtwTraceMessage.NTDLL ref: 00F3F6C6
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@$MessageTrace
  • String ID:
  • API String ID: 1001461608-0
  • Opcode ID: b5b6486667afe2f0325bc830918da318e4b59143b9a9475d1c6193070f903f61
  • Instruction ID: 067d2ff0d8e7e81588d4c9424fc504af67a5ac196e83869dc80e201d45b604fb
  • Opcode Fuzzy Hash: b5b6486667afe2f0325bc830918da318e4b59143b9a9475d1c6193070f903f61
  • Instruction Fuzzy Hash: 2B419D35E00348AFDF158F64DC48AAA7BB2FF85324F0544A9ED0697262C735DD18EB50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F39DCB
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F39DD3
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F39E00
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F39E08
    • Part of subcall function 00F32A6F: EtwTraceMessage.NTDLL ref: 00F32BED
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@$MessageTrace
  • String ID:
  • API String ID: 1001461608-0
  • Opcode ID: 156a8ee567055b3b436328b938e3c445422dc037bec4497464994caa134b0cfa
  • Instruction ID: 43aaa7e870184f23f144b22f2a1d990dcf15f128c60a4b2ba7242c39c5e40228
  • Opcode Fuzzy Hash: 156a8ee567055b3b436328b938e3c445422dc037bec4497464994caa134b0cfa
  • Instruction Fuzzy Hash: F4418135A04248AFCB158F18DC48AAA3BA2FF45325F1440ADFD098B272C7B6DC55FB50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F3EAED
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3EAF5
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3EB24
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3EB2C
    • Part of subcall function 00F32A6F: EtwTraceMessage.NTDLL ref: 00F32BED
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@$MessageTrace
  • String ID:
  • API String ID: 1001461608-0
  • Opcode ID: ed2ad3c440b8b92e21aa76cee51c91b03cff8aae59542fcec937504a7829a0df
  • Instruction ID: 1bb92f1998a52253f56f0d4d191aab85e5076454d1a07df4a4ae8760acafc14b
  • Opcode Fuzzy Hash: ed2ad3c440b8b92e21aa76cee51c91b03cff8aae59542fcec937504a7829a0df
  • Instruction Fuzzy Hash: 50416135A00248AFCF168F14DC48AAA7BA6FF85324F1540A8F9068B2B2C736DD55EB50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,00000000,?,00F04F08,00000009,?,?,?,?,?,?,?), ref: 00F3BD75
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,00000009,?,?,?,?,?,?,?), ref: 00F3BD7D
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3BDAF
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3BDB7
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: bb8f0e63bb14148144b26f2ec0adc9bf7283729421c8c8306d8dabfaf31858df
  • Instruction ID: 78e48791d625349e2c6154160e0636f17c387225c57878f5845e04eb6b5a2aa6
  • Opcode Fuzzy Hash: bb8f0e63bb14148144b26f2ec0adc9bf7283729421c8c8306d8dabfaf31858df
  • Instruction Fuzzy Hash: 6731A275900204AFCB1A8F94DC18EFF7B66EF45320F00415DFA06972A1DB359905EB60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?,?,?,?,?,?,?,?,?,?,00F3B658,00000000,?,?,?), ref: 00F3BE92
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,?,?,?,?,?,?,?,?,00F3B658,00000000,?,?,?), ref: 00F3BE9A
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024,?,?,?,?,?,?,?,?,?,?,00F3B658,00000000,?,?,?), ref: 00F3BEC9
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN(?,?,?,?,?,?,?,?,?,?,00F3B658,00000000,?,?,?), ref: 00F3BED1
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: fe17a69f5046a0c0c56adb2cc91d9fe476fccb2c673eaa9bd9b7790ed7e5ecfa
  • Instruction ID: 061c28b4f6f9f8781d975eb441e92dc732160a9aa67cace7967cd383161fa249
  • Opcode Fuzzy Hash: fe17a69f5046a0c0c56adb2cc91d9fe476fccb2c673eaa9bd9b7790ed7e5ecfa
  • Instruction Fuzzy Hash: B2319C76900208BFCB168FA4DC48EEF7B7AFB48320F004069FA0196161D775A955EBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 46%
			E00F0EE90(void* __ecx, void* __edx, long* _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				void* _t28;
				long _t33;
				void* _t37;
				void* _t53;
				void* _t54;
				void* _t55;
				intOrPtr* _t56;
				DWORD* _t57;
				intOrPtr _t59;
				signed int _t60;
				intOrPtr _t64;
				intOrPtr _t66;

				_t53 = __edx;
				_t21 =  *0xf4f1a4; // 0xbd26e8f
				_v8 = _t21 ^ _t60;
				_t54 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x34)) != 0) {
					L11:
					return E00F01CA0( *((intOrPtr*)(_t54 + 0x34)), 0, _v8 ^ _t60, _t53, _t54, _t55);
				}
				_push(_t55);
				_push(__ecx);
				_t56 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0xc));
				if(_t56 != E00F0EF70) {
					 *0xf512c4();
					 *_t56();
				} else {
					E00F0EF70();
				}
				_t4 = _t54 + 0x50; // 0x50
				_t57 = _t4;
				_t28 = CreateThread(0,  *(_t54 + 0x58), E00F0D270, _t54, 0, _t57);
				 *(_t54 + 0x4c) = _t28;
				if(_t28 == 0) {
					 *0xf512c4(_t54);
					 *((intOrPtr*)( *((intOrPtr*)( *_t54 + 0x10))))();
					_t59 = 0x80000001;
					L8:
					 *((intOrPtr*)(_t54 + 0x34)) = _t59;
					_pop(_t55);
					if( *((intOrPtr*)(_t54 + 0x34)) == 0) {
						_t33 = WaitForSingleObject( *(_t54 + 0x38),  *_a4);
						if(_t33 != 0) {
							__eflags = _t33 - 0x102;
							 *((intOrPtr*)(_t54 + 0x34)) = ((0 | _t33 == 0x00000102) - 0x00000001 & 0x80000006) + 1;
						} else {
							 *((intOrPtr*)(_t54 + 0x34)) = 0;
						}
					}
					goto L11;
				}
				_t64 =  *0xf4f114; // 0x0
				if(_t64 == 0) {
					L6:
					_v12 = _t54;
					_push( &_v16);
					_push( &_v12);
					_push(_t57);
					_t59 = E00F0E005(0, _t54, _t57, _t65);
					_t66 =  *0xf4f114; // 0x0
					if(_t66 != 0) {
						LeaveCriticalSection(0xf4f0fc);
					}
					goto L8;
				}
				_t37 = E00F02E90(0xf4f0fc);
				_t65 = _t37;
				if(_t37 == 0) {
					while(1) {
						__eflags = E00F02E90(0xf4f0fc);
						if(__eflags != 0) {
							goto L6;
						}
						Sleep(0x3e8);
					}
				}
				goto L6;
			}

APIs
  • CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(00000000,?,00F0D270,00000000,00000000,00000050,00000000,00000000,?,FFFFFFFE,00000000,00000001,00000001), ref: 00F0EED8
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00F4F0FC,00000050,?,?), ref: 00F0EF23
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?), ref: 00F0EF3A
    • Part of subcall function 00F02E90: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00F4F0FC,0BD26E8F,00000000,00000050,00000000,00F23660), ref: 00F02ED7
  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 00F2A112
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CriticalSection$CreateEnterLeaveObjectSingleSleepThreadWait
  • String ID:
  • API String ID: 3299295393-0
  • Opcode ID: 6b1c836f606df45e2717da1a908063aa41a85c59f32d8a871676690ce4316c9c
  • Instruction ID: 83642671ce81607880526f003430509be1c23d3eff38dad4d363ce7832989f99
  • Opcode Fuzzy Hash: 6b1c836f606df45e2717da1a908063aa41a85c59f32d8a871676690ce4316c9c
  • Instruction Fuzzy Hash: 87313571901616EFCB109F64DD859AEBB68FF85311B00046AF902D3692DB30ED64FFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?), ref: 00F39C68
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F39C70
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F39CA2
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F39CAA
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: 4157b1e1aa6479b32487220fa0ee7672665e90bb271654e902ffda8fe7966407
  • Instruction ID: f63f81f064d5c763274dc32b8c9c94185aa5adf4faa04196f2672515d0416287
  • Opcode Fuzzy Hash: 4157b1e1aa6479b32487220fa0ee7672665e90bb271654e902ffda8fe7966407
  • Instruction Fuzzy Hash: D331D034E04309AFCB159F64DD08AAA7BF2FF85365F0040A9ED0697262D771E914FB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000,?), ref: 00F3EC28
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3EC30
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041024), ref: 00F3EC62
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3EC6A
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: 496fa0d02961cb6438fb8e44a4eeb0c1af7f383bcf0dbe89800c38bc5c5d89a5
  • Instruction ID: a0bf1f18ad29bed3e251c0b76e1f68dd73df75e26f08a3013157f2d4f39a2dca
  • Opcode Fuzzy Hash: 496fa0d02961cb6438fb8e44a4eeb0c1af7f383bcf0dbe89800c38bc5c5d89a5
  • Instruction Fuzzy Hash: BD319235A00308AFCB158F64DD08BAE7BB2FF85364F0044A9ED15972A2C735A915FB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(00000000), ref: 00F2C46A
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2C472
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041008), ref: 00F2C49B
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F2C4A3
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID:
  • API String ID: 4155558331-0
  • Opcode ID: 3f6007e11e6124dedafb57b648d8870f052dc135b0c6b30b93e55645300ac92f
  • Instruction ID: ed30f83a79960ba2a70108e023aedefbbbd477795c5365364b55f85d22086d27
  • Opcode Fuzzy Hash: 3f6007e11e6124dedafb57b648d8870f052dc135b0c6b30b93e55645300ac92f
  • Instruction Fuzzy Hash: 2621D834B05214ABCB199F15E818B7A7F62FF46316F110098FD45972E2CB36DC05B795
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CommitObject
  • String ID: ExecMethodAsync
  • API String ID: 3211880563-3116180483
  • Opcode ID: e40acd35990fbfd2319573a1412962a4fc9c9188c75afbd09eab15e0ef732cdd
  • Instruction ID: bd8900fb944e6879481937f5ff8500cb87b9fbeeb8b1f9ed8185d07fce39747e
  • Opcode Fuzzy Hash: e40acd35990fbfd2319573a1412962a4fc9c9188c75afbd09eab15e0ef732cdd
  • Instruction Fuzzy Hash: 90A1D336900219DFCF04CF64D958AEE7BB2BF48325F150068F905AB2A1DB75AD41EFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041006,00000014,00F3848F,?,?,?,?,?,?,?,00000020), ref: 00F3A181
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3A189
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID: CreateClassEnumAsync
  • API String ID: 4155558331-1192769357
  • Opcode ID: ed66aeedf665e81d41eb7f01250ef293960c0a817d2bde9762ca0f4c67affb69
  • Instruction ID: 6d6cdffcca1bdfbd609b254303e740995925ccb8835f084b7a59ae9efdb7825e
  • Opcode Fuzzy Hash: ed66aeedf665e81d41eb7f01250ef293960c0a817d2bde9762ca0f4c67affb69
  • Instruction Fuzzy Hash: 5B91B335A00216DFCF089F24CD48AAE7BB1BF48325F150069ED45DB2A1DB74AC01EFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,000000A4), ref: 00F155EF
  • WmiSetAndCommitObject.NCOBJAPI(00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00F156B3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: AllocCommitHeapObject
  • String ID: __GET_EXT_CLIENT_REQUEST
  • API String ID: 2164795135-2781797842
  • Opcode ID: c4ff5808fe1da3e8b1e8abdba77700de8c5fdde0d99ded13cfc564d8ec905129
  • Instruction ID: 7fc7c9958bea3fbed18885faad69421313b3efccf0f13b09eef5c956121cde27
  • Opcode Fuzzy Hash: c4ff5808fe1da3e8b1e8abdba77700de8c5fdde0d99ded13cfc564d8ec905129
  • Instruction Fuzzy Hash: 0C91B071A04315DFCB11CF64D884BEEBBB1BF85324F194069E9099B2A2C735AD85EF90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • ?GetMemLogObject@@YGPAVCMemoryLog@@XZ.WBEMCOMN(80041006,00000010,00F3E9B6,?,?,?,?,?,?), ref: 00F3B2E6
  • ?Write@CMemoryLog@@QAEXJ@Z.WBEMCOMN ref: 00F3B2EE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: Log@@Memory$Object@@Write@
  • String ID: PutInstanceAsync
  • API String ID: 4155558331-2231458413
  • Opcode ID: 129c1d9ff729862514aec6398f0e6a163d894fb356f9d15ed7344f09458f3fd1
  • Instruction ID: 6c44a3b9ff35da6ef07ee3df2402c1d948d3d99bf7b95f9e76ceba64f3d6ae2b
  • Opcode Fuzzy Hash: 129c1d9ff729862514aec6398f0e6a163d894fb356f9d15ed7344f09458f3fd1
  • Instruction Fuzzy Hash: 03918235A00216DFCF098F54C968AAF7BB1BF48325F154169EE159B2A1DB70ED01EFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: 058a8cdddca006109f7ba14ce214cb0d88f54374b6c159d231a1c37511624a61
  • Instruction ID: 75e7cf0237af98bb5675a539d545bcb939bffa3f62429bece436d2849103221f
  • Opcode Fuzzy Hash: 058a8cdddca006109f7ba14ce214cb0d88f54374b6c159d231a1c37511624a61
  • Instruction Fuzzy Hash: BD41E436D0020AABDF69DF58D851AFE7775FB84770F14851EEA0267240E7709E81E790
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 48%
			E00F2E812(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t46;
				intOrPtr* _t51;
				signed int _t58;
				void* _t63;
				signed int _t66;
				signed int _t68;
				char _t75;
				intOrPtr _t89;
				void* _t91;
				intOrPtr* _t93;
				signed int _t104;
				void* _t105;
				void* _t106;

				_t91 = __edx;
				E00F23445(0xf25cad, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t105 - 0x150)) = __ecx;
				_t93 =  *0xf4f080; // 0x0
				 *((intOrPtr*)(_t105 - 0x160)) = __ecx;
				 *((intOrPtr*)(_t105 - 0x158)) = _t93;
				 *0xf512c4(0x154);
				 *((intOrPtr*)( *((intOrPtr*)( *_t93 + 0x18))))();
				_t46 = E00F2EEAC( *((intOrPtr*)(_t93 + 0x24)));
				_t75 = 1;
				 *((intOrPtr*)(_t105 - 0x154)) = _t46;
				 *((char*)(_t105 - 0x141)) = 1;
				while(_t46 != 0) {
					_t51 =  *((intOrPtr*)(_t46 + 0x20));
					 *(_t105 - 0x148) =  *(_t105 - 0x148) & 0x00000000;
					 *0xf512c4(_t51, 0xf03a60, _t105 - 0x148);
					if( *((intOrPtr*)( *_t51))() < 0 ||  *(_t105 - 0x148) == 0) {
						L15:
						E00F2EB90(_t105 - 0x154);
						_t46 =  *((intOrPtr*)(_t105 - 0x154));
						continue;
					} else {
						_push(0x28);
						_push(_t105 - 0x68);
						asm("movsd");
						_push(_t105 - 0x140);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if( *0xf53040() != 0) {
							_t63 = E00F2F62F(_t105 - 0x130, 0x64, L"SOFTWARE\\Classes\\CLSID\\%s\\InprocServer32", _t105 - 0x68);
							_t106 = _t106 + 0x10;
							if(_t63 >= 0) {
								_t66 = RegOpenKeyExW(0x80000002, _t105 - 0x130, 0, 0x20019, _t105 - 0x15c);
								if(_t66 == 0) {
									 *(_t105 - 0x14c) =  *(_t105 - 0x14c) & _t66;
									_t68 = E00F2EA67( *(_t105 - 0x15c), _t105 - 0x14c);
									if(_t68 == 0) {
										 *(_t105 - 4) =  *(_t105 - 4) & _t68;
										_t115 = _t75;
										if(_t75 == 0) {
											E00F2FB0B( *((intOrPtr*)(_t105 - 0x150)), _t91, _t115, 0xf2ea5c, 2);
										}
										_t104 =  *(_t105 - 0x14c);
										_t75 = 0;
										 *((char*)(_t105 - 0x141)) = 0;
										E00F2FB0B( *((intOrPtr*)(_t105 - 0x150)), _t91, _t115, _t104, E00F2FDB6(_t104));
										 *(_t105 - 4) =  *(_t105 - 4) | 0xffffffff;
										if(_t104 != 0) {
											_t89 =  *0xf4f0cc; // 0x0
											E00F04A17(_t89, _t104);
										}
									}
									RegCloseKey( *(_t105 - 0x15c));
								}
							}
						}
						_t58 =  *(_t105 - 0x148);
						 *0xf512c4(_t58);
						 *((intOrPtr*)( *((intOrPtr*)( *_t58 + 8))))();
						goto L15;
					}
				}
				 *0xf512c4();
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t105 - 0x158)))) + 0x1c))))();
				return E00F23431(_t75,  *((intOrPtr*)(_t105 - 0x158)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t105 - 0x158)))) + 0x1c)));
			}

APIs
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,00020019,?), ref: 00F2E910
  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?), ref: 00F2E9B3
Strings
  • SOFTWARE\Classes\CLSID\%s\InprocServer32, xrefs: 00F2E8D8
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CloseOpen
  • String ID: SOFTWARE\Classes\CLSID\%s\InprocServer32
  • API String ID: 47109696-450560693
  • Opcode ID: 8ce276ccaa504e27aa25f2022a6b6884cc67c3ad4239c8045375d71cbf43716a
  • Instruction ID: 561949f27c30f7f18005a077f0ca4ca3eeb17190ea11b0b78a79a5b19d828c8d
  • Opcode Fuzzy Hash: 8ce276ccaa504e27aa25f2022a6b6884cc67c3ad4239c8045375d71cbf43716a
  • Instruction Fuzzy Hash: C7414931A006389FCB61DB64DC55BEDB7B9BF49301F1400D9E909AB291DB34AE84EF90
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: e970d115a8ff72fca0521f78335e01d2321323ddcf8e4610f461a70d1b98ba25
  • Instruction ID: fd2c5246f9b65192415b3a210d64e001bce8b580adcb1a31b0626af115c23eb9
  • Opcode Fuzzy Hash: e970d115a8ff72fca0521f78335e01d2321323ddcf8e4610f461a70d1b98ba25
  • Instruction Fuzzy Hash: CD31C236A02209ABDB24CF55DC40BFB7778FB84730F15812AED469B240E670AE51B790
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 47%
			E00F2E981() {
				intOrPtr* _t44;
				signed int _t51;
				void* _t56;
				signed int _t59;
				signed int _t61;
				char _t67;
				intOrPtr _t78;
				void* _t80;
				signed int _t90;
				void* _t91;
				void* _t92;

				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				_t39 =  *((intOrPtr*)(_t91 - 0x160));
				_t67 =  *((intOrPtr*)(_t91 - 0x141));
				 *((intOrPtr*)(_t91 - 0x150)) =  *((intOrPtr*)(_t91 - 0x160));
				L11:
				while(1) {
					if(_t90 != 0) {
						_t78 =  *0xf4f0cc; // 0x0
						E00F04A17(_t78, _t90);
					}
					do {
						RegCloseKey( *(_t91 - 0x15c));
						goto L14;
						do {
							do {
								do {
									L14:
									_t51 =  *(_t91 - 0x148);
									 *0xf512c4(_t51);
									 *((intOrPtr*)( *((intOrPtr*)( *_t51 + 8))))();
									while(1) {
										E00F2EB90(_t91 - 0x154);
										_t39 =  *((intOrPtr*)(_t91 - 0x154));
										if(_t39 == 0) {
											break;
										}
										_t44 =  *((intOrPtr*)(_t39 + 0x20));
										 *(_t91 - 0x148) =  *(_t91 - 0x148) & 0x00000000;
										 *0xf512c4(_t44, 0xf03a60, _t91 - 0x148);
										if( *((intOrPtr*)( *_t44))() >= 0 &&  *(_t91 - 0x148) != 0) {
											goto L4;
										}
									}
									 *0xf512c4();
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t91 - 0x158)))) + 0x1c))))();
									return E00F23431(_t67,  *((intOrPtr*)(_t91 - 0x158)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t91 - 0x158)))) + 0x1c)));
									L4:
									_push(0x28);
									_push(_t91 - 0x68);
									asm("movsd");
									_push(_t91 - 0x140);
									asm("movsd");
									asm("movsd");
									asm("movsd");
								} while ( *0xf53040() == 0);
								_t56 = E00F2F62F(_t91 - 0x130, 0x64, L"SOFTWARE\\Classes\\CLSID\\%s\\InprocServer32", _t91 - 0x68);
								_t92 = _t92 + 0x10;
							} while (_t56 < 0);
							_t59 = RegOpenKeyExW(0x80000002, _t91 - 0x130, 0, 0x20019, _t91 - 0x15c);
						} while (_t59 != 0);
						 *(_t91 - 0x14c) =  *(_t91 - 0x14c) & _t59;
						_t61 = E00F2EA67( *(_t91 - 0x15c), _t91 - 0x14c);
					} while (_t61 != 0);
					 *(_t91 - 4) =  *(_t91 - 4) & _t61;
					_t101 = _t67;
					if(_t67 == 0) {
						E00F2FB0B( *((intOrPtr*)(_t91 - 0x150)), _t80, _t101, 0xf2ea5c, 2);
					}
					_t90 =  *(_t91 - 0x14c);
					_t67 = 0;
					 *((char*)(_t91 - 0x141)) = 0;
					E00F2FB0B( *((intOrPtr*)(_t91 - 0x150)), _t80, _t101, _t90, E00F2FDB6(_t90));
					 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				}
			}

APIs
  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,00020019,?), ref: 00F2E910
  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?), ref: 00F2E9B3
Strings
  • SOFTWARE\Classes\CLSID\%s\InprocServer32, xrefs: 00F2E8D8
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CloseOpen
  • String ID: SOFTWARE\Classes\CLSID\%s\InprocServer32
  • API String ID: 47109696-450560693
  • Opcode ID: 300bee527ed792117bb2b685af54f278a2515a18330b66795b3afc8c8910d0d2
  • Instruction ID: 6d365d096b91e4e6036c60acaf0b9dc17ade81cd41010ac099dbbe0fdb6a7adf
  • Opcode Fuzzy Hash: 300bee527ed792117bb2b685af54f278a2515a18330b66795b3afc8c8910d0d2
  • Instruction Fuzzy Hash: FA418C31A006399FDB20DB60DC55BEEB7B8AF49311F1000D9E949AB291DB34AE84EF40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: f6a6422e399077cb048b86a468f37218b9c25e02a8a537f652fe969b429f7f47
  • Instruction ID: 043da1995733d10d6350f877f657a931a191731258aaf65d7f344ddec5d875d6
  • Opcode Fuzzy Hash: f6a6422e399077cb048b86a468f37218b9c25e02a8a537f652fe969b429f7f47
  • Instruction Fuzzy Hash: F431C136E01209ABDB24DF58C840BBF7775FB84730F58852BEA169B290E3709D52E790
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: 1cc231c13c3de994f3af332ae6685e3b7e68d1f19b1aa053703cdb6f25212eff
  • Instruction ID: ea7f5aba965e4b1dd4eb941e0ca10934c1b5ca61128e5b4cdf2e23cf8e014d58
  • Opcode Fuzzy Hash: 1cc231c13c3de994f3af332ae6685e3b7e68d1f19b1aa053703cdb6f25212eff
  • Instruction Fuzzy Hash: FD31F236E01209ABDB209F54C840BBF7774FB84730F58813AEA169B290E3709E59E7D4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 60%
			E00F22F9D(intOrPtr __ebx, signed int __edx, intOrPtr __edi, char* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v4;
				intOrPtr* _v16;
				void* _v24;
				char _v44;
				char _v84;
				char* _t37;
				intOrPtr _t39;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t53;
				char* _t55;
				intOrPtr* _t59;
				intOrPtr _t63;
				void* _t66;
				signed int _t68;
				void* _t70;
				void* _t73;
				signed int _t77;

				_t64 = __esi;
				_t61 = __edi;
				_t51 = __ebx;
				_push(0x48);
				E00F03FD5(0xf25bac, __ebx, __edi, __esi);
				E00F22A15( &_v44, "invalid string position");
				_v4 = _v4 & 0x00000000;
				_push(0);
				_t55 =  &_v84;
				E00F22B81(_t55,  &_v44);
				_push(0xf4de64);
				_t37 =  &_v84;
				_push(_t37);
				L00F23426();
				asm("int3");
				_t68 =  *(__esi + 0x76) * 0x64696c61;
				_t8 = __ebx + 0x74;
				 *_t8 =  *(__ebx + 0x74) & __edx;
				if( *_t8 < 0) {
					L14:
					__eflags =  *((intOrPtr*)(_t64 + 0x18)) - 0x10;
					if( *((intOrPtr*)(_t64 + 0x18)) < 0x10) {
						_t55 = _t64 + 4;
					} else {
						_t55 =  *((intOrPtr*)(_t64 + 4));
						goto L16;
					}
					goto L19;
				} else {
					asm("outsb");
					_t10 = __ebx + __esi + 0x6f;
					 *_t10 =  *(__ebx + __esi + 0x6f) & __edx;
					_t77 =  *_t10;
					if(_t77 >= 0) {
						L16:
						_t64 = _t64 - 1;
						__eflags = _t37 + 0xeb;
						goto L17;
					} else {
						if(_t77 == 0) {
							L17:
							L19:
							_push(_t61);
							_t39 = _a12 + _t51;
							__eflags = _t39;
							_push(_t39);
							_push( *((intOrPtr*)(_t64 + 0x18)));
							_push(_t55);
							L00F231DB();
							E00F22E3F(_t64, _t61);
							goto L20;
						} else {
							asm("outsd");
							asm("outsb");
							 *((intOrPtr*)(_t37 - 0x6f6f6f70)) =  *((intOrPtr*)(_t37 - 0x6f6f6f70)) + __edx;
							_push(_t68);
							_t70 = _t73;
							_t43 =  *((intOrPtr*)(_t70 + 0xc));
							_push(__ebx);
							_t53 = _a4;
							_push(__esi);
							_push(__edi);
							_t64 = _t55;
							_t18 = _t53 + 0x14; // 0xf2dcf0
							_t63 =  *_t18;
							if(_t63 < _t43) {
								E00F22F9D(_t53, __edx, _t63, _t64, __eflags);
								asm("int3");
								_push(_t70);
								_t59 = _v16;
								_push(_t64);
								_t30 = _t59 + 1; // 0xf4de85
								_t66 = _t30;
								do {
									_t45 =  *_t59;
									_t59 = _t59 + 1;
									__eflags = _t45;
								} while (_t45 != 0);
								_t60 = _t59 - _t66;
								__eflags = _t59 - _t66;
								return E00F230B2(_t53, _t55, _t59 - _t66, _t59 - _t66, _v0, _t60);
							} else {
								_t61 = _t63 - _t43;
								if(_a12 < _t61) {
									_t61 = _a12;
								}
								if(_t64 != _t53) {
									_push(0);
									_t37 = E00F22E65(_t53, _t55, _t61, _t64, _t61);
									__eflags = _t37;
									if(_t37 != 0) {
										__eflags =  *((intOrPtr*)(_t53 + 0x18)) - 0x10;
										if( *((intOrPtr*)(_t53 + 0x18)) < 0x10) {
											_t51 = _t53 + 4;
											__eflags = _t51;
										} else {
											_t23 = _t53 + 4; // 0xf2de00
											_t51 =  *_t23;
										}
										goto L14;
									}
								} else {
									E00F2312B(_t55, _t61, _t64, _t43 + _t61, 0xffffffff);
									E00F2312B(_t64, _t61, _t64, 0, _a8);
								}
								L20:
								return _t64;
							}
						}
					}
				}
			}

APIs
    • Part of subcall function 00F22B81: std::runtime_error::runtime_error.LIBCPMT ref: 00F22B8C
  • _CxxThrowException.MSVCRT(?,00F4DE64), ref: 00F22FD1
  • memcpy_s.MSVCRT ref: 00F23066
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: ExceptionThrowmemcpy_sstd::runtime_error::runtime_error
  • String ID: invalid string position
  • API String ID: 3460673271-1799206989
  • Opcode ID: c22cd8935184ac15ec6f6ddc0a24b823031f12f2e27fee00ad44062a865cdee8
  • Instruction ID: 91fdbe1d6a596856b5f332fd9eb84ffa6ba4dcbc8842181236bb9670533d071c
  • Opcode Fuzzy Hash: c22cd8935184ac15ec6f6ddc0a24b823031f12f2e27fee00ad44062a865cdee8
  • Instruction Fuzzy Hash: 12212BB2604238A7CB14EE94ED85AAE7769EF51724F104009FA1657182CB7CEF05F761
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: 0331486ffe365ab795d453ed8c486bbabb1672633e968f1ab6e16c81f30671a8
  • Instruction ID: abb660b2f2f28b08256160a6434b1046bc0fc3acf4e01fa258a1b1fc093a94e4
  • Opcode Fuzzy Hash: 0331486ffe365ab795d453ed8c486bbabb1672633e968f1ab6e16c81f30671a8
  • Instruction Fuzzy Hash: F721E1B6E04305EADF30FF54D800BAB7B75EB80730F54802AEE169B140E671AE52E791
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: 57ddfd00ee9d83af8043e4f585cda3d8fe52a5df6dcc697e689a3f4f0846ee6f
  • Instruction ID: 8f78580e690a5afdb778723327026c3bebd729d09ff3339e06a3db082531165c
  • Opcode Fuzzy Hash: 57ddfd00ee9d83af8043e4f585cda3d8fe52a5df6dcc697e689a3f4f0846ee6f
  • Instruction Fuzzy Hash: B211E176600209AAEB14DE44EC51FF73B2DEBD1724F14802AFF02864A0DA709E91E2A1
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: ad998dc143e789e0bda6bd5b4bd0d610bbeb4898112ada918a5ab9cb5cc33cc8
  • Instruction ID: 3ac7ba0fe8e1327560eab2869f77f44c86ffea8386836c769b360bdebe82f05c
  • Opcode Fuzzy Hash: ad998dc143e789e0bda6bd5b4bd0d610bbeb4898112ada918a5ab9cb5cc33cc8
  • Instruction Fuzzy Hash: 6511A072901219BBDB649F44DC11FBB736CEB44B30F54452ABE069B190E6A06E91F3E1
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp Download File
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: 1597f60ab86dcea805093750287a74b5e4497ec61be4ca73c9552515f862ac2c
  • Instruction ID: 78e32bbafaecbcc2f2536e10154e63c9cc79a6151b0baf14342dde91035d5003
  • Opcode Fuzzy Hash: 1597f60ab86dcea805093750287a74b5e4497ec61be4ca73c9552515f862ac2c
  • Instruction Fuzzy Hash: F201C472A41215BAEB249E05DC02EF7372DFBC5774F004029FA069A194C6709D5AE6A5
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: 56e10a03aad0056d00120a7ebea0067e65de4acd21f936ce624721746ac3a4d9
  • Instruction ID: 73045f59754e43162741505980f6bf6c8fbc7a1ce2ba10f6caa5cfce9e9ab663
  • Opcode Fuzzy Hash: 56e10a03aad0056d00120a7ebea0067e65de4acd21f936ce624721746ac3a4d9
  • Instruction Fuzzy Hash: 7F01C4B6644305AAEB28FE44DC51FB7732DEB90720F588019FB024A590D7719E52E791
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: bba3cb3a2beebd474613c8870ee3859f47c2f4048912213a9da4d1fc3eb71602
  • Instruction ID: d60a95900c10d6d080a5e59ea0fffbccb3d2b558d27fc96d93e7d436d065602f
  • Opcode Fuzzy Hash: bba3cb3a2beebd474613c8870ee3859f47c2f4048912213a9da4d1fc3eb71602
  • Instruction Fuzzy Hash: 0201F976A00115ABDBA48B04DC25FBF7368EF44730F59451AFD059B280E2B15F50A3E5
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: acd80d1ac38cc9bdf2e2889ffbc68b4e2e27aaf5c4340272a9d17b070502d60a
  • Instruction ID: caa45b45b7d3763917db21148ce94c21347a3fb6622c5b79e28a5f5ea86be134
  • Opcode Fuzzy Hash: acd80d1ac38cc9bdf2e2889ffbc68b4e2e27aaf5c4340272a9d17b070502d60a
  • Instruction Fuzzy Hash: 6401F5B6204305EBEB34FE48DC11FB77729EBD0734F54801AFB024A590D670AD92E2A5
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: 447fd29bab7da6f33b0fcc3a417004b0bf0ecdd102fc5f35c61bae97bc94dbed
  • Instruction ID: eaf8e39eaf8a9dd026771b8be244e3309533f52691c9f78b232b2a609b43703e
  • Opcode Fuzzy Hash: 447fd29bab7da6f33b0fcc3a417004b0bf0ecdd102fc5f35c61bae97bc94dbed
  • Instruction Fuzzy Hash: 67012436680245ABEB248A08EC01FB73B29FBC0750F408015FF028B0D4D2B1ADD2E695
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 41%
			E00F17250(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				long _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				void* _v28;
				long _v32;
				void* _v36;
				signed int _v40;
				long _v44;
				intOrPtr* _v48;
				signed int _v52;
				char _v56;
				void* _v60;
				intOrPtr* _v64;
				long _v68;
				long _v72;
				intOrPtr _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t129;
				signed int _t130;
				intOrPtr _t132;
				signed int _t133;
				intOrPtr _t137;
				intOrPtr* _t147;
				long _t156;
				signed int _t162;
				intOrPtr _t164;
				void* _t165;
				void* _t166;
				void* _t169;
				struct _CRITICAL_SECTION* _t170;
				intOrPtr _t173;
				void* _t174;
				void* _t176;
				int _t177;
				intOrPtr* _t180;
				intOrPtr* _t183;
				void* _t190;
				void* _t193;
				signed int _t194;
				intOrPtr* _t196;
				intOrPtr* _t205;
				intOrPtr* _t207;
				intOrPtr _t217;
				long _t221;
				intOrPtr _t223;
				void* _t225;
				signed int _t239;
				void* _t240;
				intOrPtr* _t241;
				signed int _t242;
				signed int _t243;
				void* _t245;
				struct _CRITICAL_SECTION* _t248;
				intOrPtr* _t253;
				void* _t255;
				void* _t256;
				signed int _t257;
				void* _t270;

				_push(0xffffffff);
				_push(E00F249B1);
				_push( *[fs:0x0]);
				_t129 =  *0xf4f1a4; // 0xbd26e8f
				_t130 = _t129 ^ _t257;
				_v20 = _t130;
				_push(_t130);
				 *[fs:0x0] =  &_v16;
				_t132 = _a4;
				_t239 = 0;
				if( *((intOrPtr*)(_t132 + 0x58)) != 0) {
					_t133 = 0x80041033;
					L22:
					 *[fs:0x0] = _v16;
					_pop(_t240);
					_pop(_t245);
					_pop(_t193);
					return E00F01CA0(_t133, _t193, _v20 ^ _t257, _t233, _t240, _t245);
				}
				_t246 = _t132 + 0x7c;
				if( *((intOrPtr*)(_t132 + 0x94)) == 0 || E00F02E90(_t246) == 0) {
					_t133 = 0x80041006;
				} else {
					_t137 = _a8;
					_t194 = 0;
					_v40 = 0;
					while(_t194 < _t137) {
						_t205 =  *((intOrPtr*)(_a12 + _t194 * 4));
						if(_t205 == 0) {
							L18:
							_t194 = _t194 + 1;
							_v40 = _t194;
							if(_t239 >= 0) {
								continue;
							}
							break;
						}
						_v32 = 0;
						_t233 =  &_v32;
						 *0xf512c4(_t205,  &_v32);
						_t239 =  *((intOrPtr*)( *((intOrPtr*)( *_t205 + 0x30))))();
						_v24 = _t239;
						if(_t239 < 0) {
							L17:
							_t137 = _a8;
							goto L18;
						}
						_t241 = _v32;
						_v48 = _t241;
						_v72 = _t241;
						_v8 = 0;
						_t207 = _v32;
						_v44 = 0;
						 *0xf512c4(_t207, 0xf16dd4,  &_v60);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t207))))() < 0) {
							_v24 = 0x8004100a;
							L14:
							_v8 = 0xffffffff;
							if(_t241 != 0) {
								 *0xf512c4(_t241);
								 *((intOrPtr*)( *((intOrPtr*)( *_t241 + 8))))();
							}
							_t239 = _v24;
							_v72 = 0;
							goto L17;
						}
						_t253 = _v60;
						_v64 = _t253;
						_v68 = _t253;
						_v8 = 1;
						_t233 =  &_v44;
						_t147 = _v60;
						_v28 =  *_t147;
						 *0xf512c4(_t147, 0, 0,  &_v44);
						if( *((intOrPtr*)(_v28 + 0x114))() != 0x8004103c) {
							_v24 = 0x8004100a;
							L11:
							_v8 = 0;
							if(_t253 != 0) {
								 *0xf512c4(_t253);
								 *((intOrPtr*)( *((intOrPtr*)( *_t253 + 8))))();
							}
							_v68 = 0;
							goto L14;
						}
						if(E00F17437(_a4 + 0x60,  &_v32) != 0) {
							L52:
							_v24 = 0x80041006;
							goto L11;
						}
						_t156 = _v32;
						_v28 =  *((intOrPtr*)( *_t156 + 4));
						 *0xf512c4(_t156);
						_v28();
						_t217 = _a4;
						 *((intOrPtr*)(_t217 + 0x5c)) =  *((intOrPtr*)(_t217 + 0x5c)) + _v44;
						_t270 =  *((intOrPtr*)(_t217 + 0x5c)) -  *0xf4f040; // 0x40000
						if(_t270 >= 0) {
							_t162 =  *(_t217 + 0x70);
							_v36 = _t162;
							_t221 =  ~(0 | __eflags > 0x00000000) | _t162 * 0x00000004;
							_t164 =  *0xf4f0cc; // 0x0
							_t165 =  *(_t164 + 4);
							_t233 =  *(_t164 + 8) & 0x00000005 | 0x00000008;
							__eflags = _t165;
							if(_t165 == 0) {
								goto L52;
							}
							_t166 = HeapAlloc(_t165, _t233, _t221);
							_v28 = _t166;
							__eflags = _t166;
							if(_t166 == 0) {
								E00F48131();
								goto L52;
							}
							_t196 = _a4 + 0x60;
							_v24 = 0;
							_t169 = E00F17480(_t196,  &_v56);
							__eflags = _t169;
							if(_t169 != 0) {
								L34:
								_t223 = _a4;
								_t170 = _t223 + 0x7c;
								 *(_t223 + 0x5c) = 0;
								__eflags =  *((char*)(_t170 + 0x18));
								if( *((char*)(_t170 + 0x18)) != 0) {
									LeaveCriticalSection(_t170);
									_t223 = _a4;
								}
								_v76 = _t223 + 0x28;
								asm("lock xadd [ebx], eax");
								_v8 = 2;
								__eflags =  *(_t223 + 0x58);
								if( *(_t223 + 0x58) != 0) {
									_v24 = 0x80041033;
								} else {
									_t183 =  *((intOrPtr*)(_t223 + 0x34));
									_v24 =  *((intOrPtr*)( *_t183 + 0xc));
									 *0xf512c4(_t183, _v36, _v28);
									_v24();
									_v24 = 1;
								}
								_v8 = 1;
								asm("lock xadd [ebx], eax");
								__eflags = _v36;
								_v52 = 0;
								if(_v36 <= 0) {
									L42:
									_t173 =  *0xf4f0cc; // 0x0
									_t174 =  *(_t173 + 4);
									__eflags = _t174;
									if(_t174 != 0) {
										_t177 = HeapFree(_t174, 0, _v28);
										__eflags = _t177;
										if(_t177 == 0) {
											E00F48131();
										}
									}
									_t225 = _a4 + 0x7c;
									__eflags =  *(_t225 + 0x18);
									if( *(_t225 + 0x18) == 0) {
										L50:
										_t194 = _v40;
										_v24 = 0x80041006;
									} else {
										_t176 = E00F02E90(_t225);
										__eflags = _t176;
										if(_t176 == 0) {
											goto L50;
										}
										_t194 = _v40;
									}
									goto L11;
								} else {
									_t242 = _v52;
									_t255 = _v36;
									do {
										_t180 =  *((intOrPtr*)(_v28 + _t242 * 4));
										 *0xf512c4(_t180);
										 *((intOrPtr*)( *((intOrPtr*)( *_t180 + 8))))();
										_t242 = _t242 + 1;
										__eflags = _t242 - _t255;
									} while (_t242 < _t255);
									_t253 = _v64;
									_t241 = _v48;
									goto L42;
								}
							}
							_t243 = _v24;
							_t256 = _v36;
							while(1) {
								__eflags = _t243 - _t256;
								if(_t243 >= _t256) {
									break;
								}
								 *((intOrPtr*)(_v28 + _t243 * 4)) = _v56;
								_t243 = _t243 + 1;
								__eflags =  *_t196 -  *((intOrPtr*)(_t196 + 4));
								if( *_t196 !=  *((intOrPtr*)(_t196 + 4))) {
									L30:
									 *(_t196 + 8) =  *(_t196 + 8) + 1;
									__eflags =  *(_t196 + 8) - 0x100;
									if( *(_t196 + 8) == 0x100) {
										E00F18AC2(_t196);
										 *(_t196 + 8) = 0;
									}
									_t84 = _t196 + 0x10;
									 *_t84 =  *(_t196 + 0x10) - 1;
									__eflags =  *_t84;
									L32:
									_t190 = E00F17480(_t196,  &_v56);
									__eflags = _t190;
									if(_t190 == 0) {
										continue;
									}
									break;
								}
								__eflags =  *(_t196 + 8) -  *((intOrPtr*)(_t196 + 0xc));
								if( *(_t196 + 8) ==  *((intOrPtr*)(_t196 + 0xc))) {
									goto L32;
								}
								goto L30;
							}
							_t253 = _v64;
							_t241 = _v48;
							goto L34;
						}
						goto L11;
					}
					_t248 = _a4 + 0x7c;
					if( *((char*)(_t248 + 0x18)) != 0) {
						LeaveCriticalSection(_t248);
					}
					_t133 = _t239;
				}
			}

APIs
    • Part of subcall function 00F02E90: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(00F4F0FC,0BD26E8F,00000000,00000050,00000000,00F23660), ref: 00F02ED7
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?,0BD26E8F), ref: 00F1740C
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-2-0(?,?,00000000), ref: 00F187A4
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 00F18830
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: CriticalSection$Leave$AllocEnterHeap
  • String ID:
  • API String ID: 2749580694-0
  • Opcode ID: ca1948d8f7dfe6e3ccbc2011122486206b031a9de5aa8838e11511fd8a99cbdc
  • Instruction ID: dbce9407d956a4330ff5846e1baacecfea3c238b34361bc3212af2c08944f34c
  • Opcode Fuzzy Hash: ca1948d8f7dfe6e3ccbc2011122486206b031a9de5aa8838e11511fd8a99cbdc
  • Instruction Fuzzy Hash: 7FC17C70A04249DFCB00DF58C984BEEBBB5FF48354F144059E915AB391CB74AD82EBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: MessageTrace
  • String ID: <NULL>$NULL
  • API String ID: 471583391-888386124
  • Opcode ID: 262f83c99fd49a4258e375dd59286801352e2c566a94f40ab75824dd47a215a1
  • Instruction ID: 1fde61cdd505ac00882d2b9ab78f04724be7adbd2bfc2ce7a287ad354f435fc8
  • Opcode Fuzzy Hash: 262f83c99fd49a4258e375dd59286801352e2c566a94f40ab75824dd47a215a1
  • Instruction Fuzzy Hash: AB01F436641302A6EB344B05EC05FB77B26FBD4B30F508139FF125A1C4DAB05D96B695
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E00F16C40(signed int __eax, void* __ecx) {
				intOrPtr _v8;
				intOrPtr __ebx;
				void __edi;
				void* __esi;
				void* _t22;
				void* _t28;
				intOrPtr _t32;
				intOrPtr _t34;
				void _t41;
				void* _t43;
				void** _t44;
				void* _t45;

				_push(__ecx);
				_t32 =  *0xf4f0cc; // 0x0
				_v8 = _t32;
				_t41 = 0;
				asm("lock xadd [ecx], eax");
				if((__eax | 0xffffffff) != 0) {
					L23:
					return _t41;
				} else {
					_push(__esi);
					__esi =  *0xf4f058; // 0x0
					if(__esi != 0) {
						if( *__esi != 0) {
							__ecx = __esi;
							__eax = E00F31D15(__esi,  *__esi);
							__ecx =  *(__esi + 8);
							__eax = E00F04A17(__ecx,  *__esi);
							 *__esi =  *__esi & 0;
							__esi =  *0xf4f058; // 0x0
						}
						__edi = 0;
						if( *(__ebx + 4) == 0) {
							__edi = 0x80000002;
						} else {
							if(HeapFree( *(__ebx + 4), 0, __esi) == 0) {
								__edi = E00F48131();
							}
						}
						 *0xf4f058 =  *0xf4f058 & 0x00000000;
					}
					__esi =  *0xf4f054; // 0x0
					if(__esi == 0) {
						L22:
						goto L23;
					} else {
						__edi =  *__esi;
						if(__edi == 0) {
							L19:
							_t41 = 0;
							if( *(_t34 + 4) == 0) {
								_t41 = 0x80000002;
							} else {
								if(HeapFree( *(_t34 + 4), 0, _t45) == 0) {
									_t41 = E00F48131();
								}
							}
							 *0xf4f054 =  *0xf4f054 & 0x00000000;
							goto L22;
						}
						__ebx =  *((intOrPtr*)(__edi + 8));
						if( *((intOrPtr*)(__edi + 8)) != 0) {
							E00F16D45(_t44, _t32);
							E00F04A17(_t44[2], _t32);
						}
						_t43 =  *(_t41 + 0xc);
						if(_t43 != 0) {
							E00F16D45(_t44, _t43);
							_t28 = _t44[2];
							if( *(_t28 + 4) != 0 && HeapFree( *(_t28 + 4), 0, _t43) == 0) {
								E00F48131();
							}
						}
						_t22 = _t44[2];
						if( *(_t22 + 4) != 0 && HeapFree( *(_t22 + 4), 0,  *_t44) == 0) {
							E00F48131();
						}
						 *_t44 =  *_t44 & 0x00000000;
						_t45 =  *0xf4f054; // 0x0
						_t34 = _v8;
						goto L19;
					}
				}
			}

APIs
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00000000,00000000,00000000,?,?,00F164F4,0BD26E8F,00000000,00000001,00000001), ref: 00F16C88
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,?,00F164F4,0BD26E8F,00000000,00000001,00000001), ref: 00F16CDA
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00F164F4,0BD26E8F,00000000,00000001,00000001), ref: 00F16CF8
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0(?,00000000,00000000,00000000,00000000,00000000,?,?,00F164F4,0BD26E8F,00000000,00000001,00000001), ref: 00F16D22
Memory Dump Source
  • Source File: 00000000.00000002.673010421.0000000000F01000.00000020.00020000.sdmp, Offset: 00F00000, based on PE: true
  • Associated: 00000000.00000002.673005558.0000000000F00000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.673052390.0000000000F4F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673057074.0000000000F50000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.673062524.0000000000F51000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.673066629.0000000000F52000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_f00000_WmiPrvSE.jbxd
Similarity
  • API ID: FreeHeap
  • String ID:
  • API String ID: 3298025750-0
  • Opcode ID: 77c99e0b4397e3da8e0d41497f724fa9fcb182ef7eb4ad3ec63f3ac484dbcf7e
  • Instruction ID: 6f943ee0859af57ab7cf590271a4543a5e22ae642ec8a34be7076c57cfddbbaa
  • Opcode Fuzzy Hash: 77c99e0b4397e3da8e0d41497f724fa9fcb182ef7eb4ad3ec63f3ac484dbcf7e
  • Instruction Fuzzy Hash: 4631E236700210DBD7309F15DC04B6ABBA5FFD0762F258029E94997262CB34EC81FBA0
Uniqueness

Uniqueness Score: -1.00%