Windows Analysis Report ngen.exe

Overview

General Information

Sample Name:ngen.exe
Analysis ID:537992
MD5:1005a2cff70e24f1a962d9a915c3ef37
SHA1:8accb04fbd141329da5bf40d383f1c25f846c3e7
SHA256:29ed5c2adf67042e55937f8ae47d1bd01d13b79273823cbf8d622c58b1da9ad7

Detection

Score:6
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers

Classification

[Classification chart. Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious]
  • System is w10x64
  • ngen.exe (PID: 6280 cmdline: "C:\Users\user\Desktop\ngen.exe" MD5: 1005A2CFF70E24F1A962D9A915C3EF37)
    • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Source: ngen.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: ngen.exe Static PE information: certificate valid
Source: ngen.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ngen.pdb source: ngen.exe
Source: C:\Users\user\Desktop\ngen.exe Code function: 4x nop then jmp 00E0146Ch 0_2_00E014D8
Source: C:\Users\user\Desktop\ngen.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ngen.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DF3B07 0_2_00DF3B07
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DFECFF 0_2_00DFECFF
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DF6F92 0_2_00DF6F92
Source: C:\Users\user\Desktop\ngen.exe Code function: String function: 00DF1BCF appears 41 times
Source: C:\Users\user\Desktop\ngen.exe Code function: String function: 00DF528A appears 38 times
Source: ngen.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ngen.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ngen.exe "C:\Users\user\Desktop\ngen.exe"
Source: C:\Users\user\Desktop\ngen.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_01
Source: classification engine Classification label: clean6.winEXE@2/0@0/0
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: ngen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ngen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ngen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ngen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ngen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ngen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DF74FC push ecx; ret 0_2_00DF7512
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DF1687 push ecx; ret 0_2_00DF169D
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DF1679 push ecx; ret 0_2_00DF169D
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00E05320 rdtsc 0_2_00E05320
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00E07C53 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E07C53
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00E06210 GetProcessHeap,0_2_00E06210
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DF70DF SetUnhandledExceptionFilter,0_2_00DF70DF
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00E07992 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00E07992
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DF731A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00DF731A
Source: C:\Users\user\Desktop\ngen.exe Code function: 0_2_00DF2440 HeapSetInformation,exit,SetErrorMode,CLRCreateInstance,_wcsicmp,wcscpy_s,CLRCreateInstance,CorBindToRuntime,GetRealProcAddress,GetRealProcAddress,GetRealProcAddress,GetRealProcAddress,GetRealProcAddress,GetRealProcAddress,GetRealProcAddress,GetRealProcAddress,0_2_00DF2440

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading 1 | Process Injection 1 | Process Injection 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Security Software Discovery 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading 1 | Security Account Manager | System Information Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

Behavior Graph ID: 537992, Sample: ngen.exe, Startdate: 10/12/2021, Architecture: WINDOWS, Score: 6
[Behavior graph: ngen.exe started conhost.exe]

Source | Detection | Scanner | Label
ngen.exe | 0% | Virustotal |
ngen.exe | 3% | Metadefender |
ngen.exe | 0% | ReversingLabs |
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:537992
Start date:10.12.2021
Start time:19:02:24
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 52s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:ngen.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:21
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean6.winEXE@2/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 99.5% (good quality ratio 78.1%)
  • Quality average: 53.8%
  • Quality standard deviation: 31.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 37
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
  • Execution Graph export aborted for target ngen.exe, PID 6280 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found

Static File Info

General

File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.3428372057945115
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:ngen.exe
File size:144344
MD5:1005a2cff70e24f1a962d9a915c3ef37
SHA1:8accb04fbd141329da5bf40d383f1c25f846c3e7
SHA256:29ed5c2adf67042e55937f8ae47d1bd01d13b79273823cbf8d622c58b1da9ad7
SHA512:4e0c41a0d962e3e1c14c60048a70207e217c457a9b4cec3f53eba536077e7e7be2b20da8dcac2f1701cfe81bca47e6f9d981e55f2c29faa1d9bd626b999d008e
SSDEEP:3072:Dx1a7djLgHy+i8DC12HiN4gsdpEGaYCzxrcq8:DLa7dl+i8S3Szyz1cv
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q...q...q.....;.s.......p...o...s.......u.......s.......d...........q.........>.z.......n.....x.p.......p...Richq..........

File Icon

Icon Hash:00828e8e8686b000

General

Entrypoint:0x407310
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5FF3A9B6 [Mon Jan 4 23:50:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:3e0e9999397436894662f70fc3d346eb
Signature Valid:true
Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 3/4/2020 10:39:47 AM 3/3/2021 10:39:47 AM
Subject Chain
  • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:AAEE394B1087AC1044A13D09468CDF1E
Thumbprint SHA-1:2485A7AFA98E178CB8F30C9838346B514AEA4769
Thumbprint SHA-256:C0772D3C9E20C3F4EBB09F5816D6DADA0D8FA86563C2D68898539EC1CD355A1B
Serial:3300000187721772155940C709000000000187
Instruction
call 00007FC6AD04B9AAh
jmp 00007FC6AD046D81h
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0000000Ch], 00000000h
and dword ptr [ebp-00000008h], 00000000h
mov eax, dword ptr [0041F000h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp eax, edi
je 00007FC6AD050A0Eh
test esi, eax
je 00007FC6AD050A06h
not eax
mov dword ptr [0041F094h], eax
pop edi
pop esi
mov esp, ebp
pop ebp
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FC6AD04B9B1h
add esp, 0Ch
test eax, eax
jne 00007FC6AD050A69h
ret
jmp dword ptr [004201E0h]
push 00000028h
mov eax, 0041A07Bh
call 00007FC6AD0461E9h
xor esi, esi
mov ecx, 00403A50h
push 00000000h
inc esi
push esi
mov edx, esi
call 00007FC6AD04810Fh
xor edi, edi
mov dword ptr [ebp-0000002Ch], eax
mov dword ptr [ebp-00000028h], edi
test eax, eax
jne 00007FC6AD04EAD7h
mov dword ptr [ebp-00000004h], 00000002h
mov ecx, 00403974h
call 00007FC6AD049DBDh
xor ebx, ebx
mov dword ptr [ebp-00000024h], eax
mov dword ptr [ebp-00000020h], ebx
test eax, eax
Programming Language:
  • [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x20248 | 0xa0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x784 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x21000 | 0x23d8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x22000 | 0x19c0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1e358 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1010 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x20000 | 0x244 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1d428 | 0x1d600 | False | 0.451620678191 | data | 6.07922262736 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x1f000 | 0x9fc | 0x400 | False | 0.1416015625 | data | 1.43573916251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x20000 | 0xeee | 0x1000 | False | 0.43310546875 | data | 5.2596651162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x21000 | 0x784 | 0x800 | False | 0.4404296875 | data | 4.39998343694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x22000 | 0x19c0 | 0x1a00 | False | 0.739633413462 | data | 6.57713213007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x210a0 | 0x40c | data | English | United States
RT_MANIFEST | 0x214ac | 0x2d8 | ASCII text, with very long lines, with no line terminators | English | United States

DLL | Import
KERNEL32.dll | IsDebuggerPresent, VirtualQuery, TlsFree, TlsGetValue, SleepEx, CreateSemaphoreW, DeleteCriticalSection, HeapDestroy, ResetEvent, TlsAlloc, WaitForSingleObjectEx, SetEvent, CreateEventW, HeapValidate, ReleaseMutex, CreateMutexW, InitializeCriticalSection, LeaveCriticalSection, VirtualAlloc, UnhandledExceptionFilter, VirtualFree, EnterCriticalSection, VirtualProtect, TlsSetValue, HeapCreate, MoveFileExW, GetFileAttributesExW, GetFileSizeEx, ReadFile, CreateProcessW, GetSystemTimeAsFileTime, SetLastError, DebugBreak, OutputDebugStringW, GetCurrentThreadId, TerminateProcess, LoadLibraryExW, HeapSetInformation, CreateFileW, GetEnvironmentVariableW, GetCurrentProcess, RaiseException, LCMapStringW, LocalFree, IsDBCSLeadByte, FormatMessageW, MultiByteToWideChar, GetACP, GetCPInfo, FreeLibrary, GetProcessHeap, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, InitializeSListHead, CreateDirectoryW, GetLastError, WideCharToMultiByte, GetModuleHandleW, GetCurrentProcessId, GetCurrentDirectoryW, GetLocalTime, CloseHandle, GetFileAttributesW, WaitForSingleObject, SetErrorMode, GetModuleFileNameW, WriteFile, GetStdHandle, GetConsoleOutputCP, GetFullPathNameW, WerSetFlags, ReleaseSemaphore, HeapFree, HeapAlloc
VCRUNTIME140_CLR0400.dll | memset, _except_handler4_common, memcpy, _CxxThrowException, __CxxFrameHandler3, _purecall, memmove
ucrtbase_clr0400.dll | _configthreadlocale, _register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___wargv, __p___argc, _set_fmode, _exit, _initterm_e, _initterm, _get_initial_wide_environment, _initialize_wide_environment, _configure_wide_argv, __setusermatherr, _set_app_type, _crt_atexit, malloc, free, _set_new_mode, _putws, _flushall, iswspace, strcpy_s, __stdio_common_vsnwprintf_s, __stdio_common_vsnprintf_s, wcsncpy_s, _errno, wcstoul, _wcsnicmp, __stdio_common_vswprintf, wcscat_s, wcscpy_s, tolower, _wtoi, _wcsicmp, exit, _controlfp_s, terminate, __p__commode, _initialize_onexit_table, _register_onexit_function, _seh_filter_exe
mscoree.dll | GetRequestedRuntimeInfo, CLRCreateInstance, GetCORSystemDirectory, CorGetSvc, CorBindToRuntime, GetRealProcAddress
OLEAUT32.dll | SysAllocString, SetErrorInfo, SysFreeString
USER32.dll | LoadStringW
ADVAPI32.dll | EventWrite, RegOpenKeyExW, RegCloseKey, RegQueryValueExW

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | ngen.exe
FileVersion | 4.8.4330.0 built by: NET48REL1LAST_B
CompanyName | Microsoft Corporation
PrivateBuild | DDBLD343B
Comments | Flavor=Retail
ProductName | Microsoft .NET Framework
ProductVersion | 4.8.4330.0
FileDescription | Microsoft Common Language Runtime native compiler
OriginalFilename | ngen.exe
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

System Behavior

Start time:19:03:20
Start date:10/12/2021
Path:C:\Users\user\Desktop\ngen.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\ngen.exe"
Imagebase:0xdf0000
File size:144344 bytes
MD5 hash:1005A2CFF70E24F1A962D9A915C3EF37
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Start time:19:03:21
Start date:10/12/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7f20f0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis

Executed Functions

Non-executed Functions

C-Code - Quality: 79%
			E00DF6F92(void* __ebx, signed short* __ecx, void* __edi, void* __esi, signed short* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v536;
				void* _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				char _v1064;
				short* _v1068;
				signed int _v1072;
				signed int _v1076;
				unsigned int _v1080;
				char _v1592;
				short* _v1596;
				signed int _v1600;
				signed int _v1604;
				unsigned int _v1608;
				char _v2120;
				short* _v2124;
				signed int _v2128;
				signed int _v2132;
				signed int _v2136;
				char _v2648;
				short* _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				char _v3176;
				short* _v3180;
				signed int _v3184;
				signed int _v3188;
				signed int _v3192;
				char _v3704;
				short* _v3708;
				signed int _v3712;
				signed int _v3716;
				signed int _v3720;
				char _v4232;
				short* _v4236;
				signed int _v4240;
				signed int _v4244;
				signed int _v4248;
				char _v4760;
				short* _v4764;
				signed int _v4768;
				signed int _v4772;
				signed int _v4776;
				char _v5288;
				short* _v5292;
				signed int _v5296;
				signed int _v5300;
				signed int _v5304;
				char _v5816;
				char _v5832;
				void _v6344;
				char _v6360;
				char _v6872;
				signed int _v6876;
				signed int _v6880;
				signed int _v6884;
				signed int _v6888;
				signed int _v6896;
				char _v6900;
				intOrPtr _v6904;
				intOrPtr _v6908;
				intOrPtr _v6912;
				char _v6916;
				signed int _v6920;
				signed int _v6924;
				void* __ebp;
				signed int _t761;
				signed int _t762;
				signed int _t763;
				signed int _t764;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				char _t814;
				signed int _t837;
				signed int _t844;
				signed int _t851;
				signed int _t858;
				signed int _t865;
				signed int _t874;
				signed int _t881;
				void* _t898;
				signed int _t903;
				signed int _t907;
				signed int _t911;
				signed int _t915;
				signed int _t917;
				char* _t930;
				signed int _t938;
				signed int _t943;
				void* _t972;
				signed int _t975;
				void* _t990;
				signed int _t993;
				void* _t1008;
				signed int _t1011;
				signed int _t1024;
				signed int _t1027;
				signed int _t1041;
				signed int _t1044;
				signed int _t1058;
				signed int _t1061;
				signed char _t1084;
				signed int _t1086;
				signed int _t1103;
				signed int _t1104;
				signed int _t1105;
				signed int _t1106;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int* _t1111;
				unsigned int _t1132;
				signed int _t1152;
				signed int _t1158;
				signed int _t1160;
				signed int* _t1161;
				signed int _t1163;
				signed int _t1165;
				signed int* _t1166;
				signed int* _t1168;
				signed int* _t1169;
				char* _t1172;
				signed int* _t1173;
				char* _t1176;
				signed int* _t1177;
				char* _t1180;
				signed int* _t1181;
				char* _t1184;
				signed int* _t1185;
				char* _t1188;
				signed int* _t1189;
				char* _t1193;
				char* _t1211;
				char* _t1214;
				char* _t1217;
				char* _t1220;
				void* _t1224;
				signed int _t1242;
				intOrPtr _t1247;
				signed int _t1383;
				char* _t1390;
				signed short* _t1438;
				signed short* _t1440;
				void* _t1442;
				signed int _t1446;
				signed int _t1447;
				signed int _t1448;
				signed int _t1458;
				signed int _t1459;
				signed int _t1460;
				signed int _t1461;
				signed int _t1463;
				signed int _t1465;
				signed int _t1467;
				signed int _t1470;
				signed int _t1471;
				intOrPtr _t1472;

				_t1113 = __ecx;
				_push(0xffffffff);
				_push(E00E08C4A);
				_push( *[fs:0x0]);
				_push(__ecx);
				E00DF6F65();
				_t761 =  *0xe0f000; // 0x365ea2a8
				_t762 = _t761 ^ _t1471;
				_v24 = _t762;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t762);
				_t763 =  &_v16;
				 *[fs:0x0] = _t763;
				_v20 = _t1472;
				_t1438 = _a4;
				_t1111 = _a8;
				if( *_t1111 == 4) {
					_t763 =  *_t1438 & 0x0000ffff;
					__eflags = _t763 - 0x30;
					if(_t763 != 0x30) {
						__eflags = _t763 - 0x31;
						if(_t763 != 0x31) {
							__eflags = _t763 - 0x32;
							if(_t763 != 0x32) {
								__eflags = _t763 - 0x33;
								if(_t763 != 0x33) {
									goto L1;
								}
								L15:
								_t1111[0x1a] = 3;
								goto L9;
							}
							L13:
							_t1111[0x1a] = 2;
							goto L9;
						}
						L11:
						_t1111[0x1a] = 1;
						goto L9;
					} else {
						_t8 =  &(_t1111[0x1a]);
						 *_t8 = _t1111[0x1a] & 0x00000000;
						__eflags =  *_t8;
						L9:
						L6:
						 *[fs:0x0] = _v16;
						return E00DF13F0(_v24 ^ _t1471);
					}
				}
				L1:
				if( *_t1111 == 6) {
					__eflags = _t1111[0x1c];
					if(_t1111[0x1c] != 0) {
						__eflags = _t1111[0x1e];
						if(_t1111[0x1e] != 0) {
							__eflags = _t1111[0x20];
							if(_t1111[0x20] == 0) {
								goto L2;
							}
							__eflags = _t1111[0x21];
							if(_t1111[0x21] != 0) {
								goto L2;
							}
							__imp__#2(_t1438);
							_t1446 = _t763;
							__eflags = _t1111[0x22];
							if(_t1111[0x22] != 0) {
								__imp__#6(_t1111[0x21]);
								_t1111[0x22] = 0;
							}
							_t1111[0x21] = _t1446;
							__eflags = _t1446;
							if(_t1446 != 0) {
								_t1111[0x22] = 1;
							}
							goto L9;
						}
						__imp__#2(_t1438);
						_t1447 = _t763;
						__eflags = _t1111[0x1f];
						if(_t1111[0x1f] != 0) {
							__imp__#6(_t1111[0x1e]);
							_t1111[0x1f] = 0;
						}
						_t1111[0x1e] = _t1447;
						__eflags = _t1447;
						if(_t1447 != 0) {
							_t1111[0x1f] = 1;
						}
						goto L9;
					}
					__imp__#2(_t1438);
					_t1448 = _t763;
					__eflags = _t1111[0x1d];
					if(_t1111[0x1d] != 0) {
						__imp__#6(_t1111[0x1c]);
						_t1111[0x1d] = 0;
					}
					_t1111[0x1c] = _t1448;
					__eflags = _t1448;
					if(_t1448 != 0) {
						_t1111[0x1d] = 1;
					}
					goto L9;
				}
				L2:
				if( *_t1111 == 5) {
					_t1114 = _t1438;
					_t764 = E00DF5FCC(_t1438, L"scmstart", 0, _t1113, 1, 0);
					__eflags = _t764;
					if(_t764 != 0) {
						_t1115 = _t1438;
						_t765 = E00DF5FCC(_t1438, L"scmpause", 0, _t1114, 1, 0);
						__eflags = _t765;
						if(_t765 != 0) {
							_t1116 = _t1438;
							_t766 = E00DF5FCC(_t1438, L"scmstop", 0, _t1115, 1, 0);
							__eflags = _t766;
							if(_t766 != 0) {
								_t1117 = _t1438;
								_t767 = E00DF5FCC(_t1438, L"scmcontinue", 0, _t1116, 1, 0);
								__eflags = _t767;
								if(_t767 != 0) {
									_t1118 = _t1438;
									_t768 = E00DF5FCC(_t1438, L"scmstatus", 0, _t1117, 1, 0);
									__eflags = _t768;
									if(_t768 != 0) {
										_t1119 = _t1438;
										_t769 = E00DF5FCC(_t1438, L"pause", 0, _t1118, 1, 0);
										__eflags = _t769;
										if(_t769 != 0) {
											_t1120 = _t1438;
											_t770 = E00DF5FCC(_t1438, L"continue", 0, _t1119, 1, 0);
											__eflags = _t770;
											if(_t770 == 0) {
												goto L39;
											}
											_t1113 = _t1438;
											_t773 = E00DF5FCC(_t1438, L"status", 0, _t1120, 1, 0);
											__eflags = _t773;
											if(_t773 != 0) {
												goto L3;
											}
											goto L41;
										}
										_t1111[0x1b] = 5;
										goto L9;
									}
									L41:
									_t1111[0x1b] = 4;
									goto L9;
								}
								L39:
								_t1111[0x1b] = 3;
								goto L9;
							}
							_t1111[0x1b] = 1;
							goto L9;
						}
						_t1111[0x1b] = 2;
						goto L9;
					}
					_t1111[0x1b] = 0;
					goto L9;
				}
				L3:
				_t774 =  *_t1438 & 0x0000ffff;
				if(_t774 == 0x2d || _t774 == 0x2f) {
					_t1440 =  &(_t1438[1]);
					_t1125 = _t1440;
					_t775 = E00DF5FCC(_t1440, L"Silent", 0, _t1113, 1, 0);
					__eflags = _t775;
					if(_t775 != 0) {
						_t1126 = _t1440;
						_t776 = E00DF5FCC(_t1440, L"Verbose", 0, _t1125, 1, 0);
						__eflags = _t776;
						if(_t776 != 0) {
							__eflags =  *_t1111 - 2;
							if( *_t1111 != 2) {
								L57:
								__eflags =  *_t1111;
								if( *_t1111 == 0) {
									L59:
									_t1126 = _t1440;
									_t777 = E00DF5FCC(_t1440, L"Queue", 0, _t1440, 1, 0);
									__eflags = _t777;
									if(_t777 == 0) {
										L68:
										_t1111[0x14] = 1;
										goto L15;
									}
									L60:
									__eflags =  *_t1111;
									if( *_t1111 != 0) {
										L69:
										__eflags =  *_t1111 - 2;
										if( *_t1111 != 2) {
											L72:
											__eflags =  *_t1111;
											if( *_t1111 != 0) {
												L75:
												__eflags =  *_t1111 - 6;
												if( *_t1111 != 6) {
													L78:
													_t1127 = _t1440;
													_t778 = E00DF5FCC(_t1440, L"NoLogo", 0, _t1126, 1, 0);
													__eflags = _t778;
													if(_t778 != 0) {
														_t1128 = _t1440;
														_t779 = E00DF5FCC(_t1440, L"NoRoot", 0, _t1127, 1, 0);
														__eflags = _t779;
														if(_t779 != 0) {
															_t1424 = L"LegacyServiceBehavior";
															_t780 = E00DF5FCC(_t1440, L"LegacyServiceBehavior", 0, _t1128, 1, 0);
															__eflags = _t780;
															if(_t780 != 0) {
																_v552 = 0;
																_v548 = 0;
																_v544 = 0;
																_v540 = 0;
																_v540 =  &_v536;
																_v548 = 0x200;
																_v8 = 0;
																_v552 = 2;
																 *_v540 = 0;
																_v8 = 1;
																E00DF1C56( &_v552, _t1440);
																_t1132 = 2;
																_v8 = _t1132;
																_v1608 = 0;
																_v1604 = 0;
																_v1600 = 0;
																_v1596 = 0;
																_v1596 =  &_v1592;
																_v1604 = 0x200;
																_v8 = 3;
																_v1608 = _t1132;
																 *_v1596 = 0;
																_v8 = 4;
																E00DF1C56( &_v1608, L"ExeConfig:");
																_v8 = 5;
																_v1080 = 0;
																_v1076 = 0;
																_v1072 = 0;
																_v1068 = 0;
																_v1068 =  &_v1064;
																_v1076 = 0x200;
																_v8 = 6;
																_t1442 = 2;
																_v1080 = 0x200;
																 *_v1068 = 0;
																_v8 = 7;
																E00DF1C56( &_v1080, L"AppBase:");
																_v8 = 8;
																_v5304 = 0;
																_v5300 = 0;
																_v5296 = 0;
																_v5292 = 0;
																_v5292 =  &_v5288;
																_v5300 = 0x200;
																_v8 = 9;
																_v5304 = 0x200;
																 *_v5292 = 0;
																_v8 = 0xa;
																E00DF1C56( &_v5304, L"MoveFromRepository:");
																_v8 = 0xb;
																_v4776 = 0;
																_v4772 = 0;
																_v4768 = 0;
																_v4764 = 0;
																_v4764 =  &_v4760;
																_v4772 = 0x200;
																_v8 = 0xc;
																_v4776 = 0x200;
																 *_v4764 = 0;
																_v8 = 0xd;
																E00DF1C56( &_v4776, L"CopyFromRepository:");
																_v8 = 0xe;
																_v4248 = 0;
																_v4244 = 0;
																_v4240 = 0;
																_v4236 = 0;
																_v4236 =  &_v4232;
																_v4244 = 0x200;
																_v8 = 0xf;
																_v4248 = 0x200;
																 *_v4236 = 0;
																_v8 = 0x10;
																E00DF1C56( &_v4248, L"CopyToRepository:");
																_v8 = 0x11;
																_v3720 = 0;
																_v3716 = 0;
																_v3712 = 0;
																_v3708 = 0;
																_v3708 =  &_v3704;
																_v3716 = 0x200;
																_v8 = 0x12;
																_v3720 = 0x200;
																 *_v3708 = 0;
																_v8 = 0x13;
																E00DF1C56( &_v3720, L"Version:");
																_v8 = 0x14;
																_v3192 = 0;
																_v3188 = 0;
																_v3184 = 0;
																_v3180 = 0;
																_v3180 =  &_v3176;
																_v3188 = 0x200;
																_v8 = 0x15;
																_v3192 = 0x200;
																 *_v3180 = 0;
																_v8 = 0x16;
																E00DF1C56( &_v3192, L"Package:");
																_v8 = 0x17;
																_v2664 = 0;
																_v2660 = 0;
																_v2656 = 0;
																_v2652 = 0;
																_v2652 =  &_v2648;
																_v2660 = 0x200;
																_v8 = 0x18;
																_v2664 = 0x200;
																 *_v2652 = 0;
																_v8 = 0x19;
																E00DF1C56( &_v2664, L"LocalAppData:");
																_v8 = 0x1a;
																_v2136 = 0;
																_v2132 = 0;
																_v2128 = 0;
																_v2124 = 0;
																_v2124 =  &_v2120;
																_v2132 = 0x200;
																_v8 = 0x1b;
																_v2136 = 0x200;
																 *_v2124 = 0;
																_v8 = 0x1c;
																E00DF1C56( &_v2136, L"Stats");
																_v8 = 0x1d;
																_push( &_v2136);
																E00DFC98B(_t1111,  &_v6360, _t1442, 0, __eflags);
																_v8 = 0x1e;
																_t189 = _t1442 + 0x7e; // 0x80
																_t1152 = _t189;
																_t1452 =  &_v2120;
																memcpy( &_v6344, _t1452, _t1152 << 2);
																_t1445 = _t1452 + _t1152 + _t1152;
																_v8 = 0x1f;
																_t814 = 2;
																_v6916 = _t814;
																_v6912 = _t814;
																_v6908 = 0x10;
																_v6904 = 0xdf2eb0;
																_v8 = 0x20;
																E00E00502( &_v6916, 0);
																_v8 = 0x21;
																E00DF1B32(_t1111,  &_v6360, _t1452 + _t1152 + _t1152,  &_v6916);
																_v8 = 0x1f;
																E00DF1A07();
																E00DF282C(_t1111,  &_v552, _t1452 + _t1152 + _t1152);
																_t1158 = _v544;
																__eflags = _t1158 & 0x00000010;
																if(__eflags != 0) {
																	E00DF1857( &_v552, L"LegacyServiceBehavior", _v548, 1);
																	_t1158 = _v544;
																}
																_v6900 = _v540;
																_t1160 =  !_t1158 & 0x00000001;
																_v6896 = _t1160;
																_push(_t1160);
																_push( &_v1608);
																_push( &_v6900);
																_t1161 =  &_v552;
																__eflags = E00E007A0(_t1111, _t1161, _t1445, _t1452, __eflags);
																if(__eflags == 0) {
																	E00DF282C(_t1111,  &_v552, _t1445);
																	_t1163 = _v544;
																	__eflags = _t1163 & 0x00000010;
																	if(__eflags != 0) {
																		E00DF1857( &_v552, _t1424, _v548, 1);
																		_t1163 = _v544;
																	}
																	_v6900 = _v540;
																	_t1165 =  !_t1163 & 0x00000001;
																	_v6896 = _t1165;
																	_push(_t1165);
																	_push( &_v1080);
																	_push( &_v6900);
																	_t1166 =  &_v552;
																	__eflags = E00E007A0(_t1111, _t1166, _t1445, _t1452, __eflags);
																	if(__eflags == 0) {
																		E00DF282C(_t1111,  &_v552, _t1445);
																		_t1168 =  &_v552;
																		E00DFC905(_t1168);
																		_v6900 = _v540;
																		_v6896 =  !_v544 & 0x00000001;
																		_push(_t1168);
																		_push( &_v5304);
																		_push( &_v6900);
																		_t1169 =  &_v552;
																		_t837 = E00E007A0(_t1111, _t1169, _t1445, _t1452, __eflags);
																		__eflags = _t837;
																		if(_t837 == 0) {
																			E00DF282C(_t1111,  &_v552, _t1445);
																			E00DFC905( &_v552);
																			_t1445 = 0;
																			_t1172 =  &_v6900;
																			E00DFC916(_t1172,  &_v552, 0);
																			_push(_t1172);
																			_push( &_v4776);
																			_push( &_v6900);
																			_t1173 =  &_v552;
																			_t844 = E00E007A0(_t1111, _t1173, 0, _t1452, __eflags);
																			__eflags = _t844;
																			if(_t844 == 0) {
																				E00DF282C(_t1111,  &_v552, 0);
																				E00DFC905( &_v552);
																				_t1176 =  &_v6900;
																				E00DFC916(_t1176,  &_v552, 0);
																				_push(_t1176);
																				_push( &_v4248);
																				_push( &_v6900);
																				_t1177 =  &_v552;
																				_t851 = E00E007A0(_t1111, _t1177, 0, _t1452, __eflags);
																				__eflags = _t851;
																				if(_t851 == 0) {
																					E00DF282C(_t1111,  &_v552, 0);
																					E00DFC905( &_v552);
																					_t1180 =  &_v6900;
																					E00DFC916(_t1180,  &_v552, 0);
																					_push(_t1180);
																					_push( &_v3720);
																					_push( &_v6900);
																					_t1181 =  &_v552;
																					_t858 = E00E007A0(_t1111, _t1181, 0, _t1452, __eflags);
																					__eflags = _t858;
																					if(_t858 == 0) {
																						E00DF282C(_t1111,  &_v552, 0);
																						E00DFC905( &_v552);
																						_t1184 =  &_v6900;
																						E00DFC916(_t1184,  &_v552, 0);
																						_push(_t1184);
																						_push( &_v3192);
																						_push( &_v6900);
																						_t1185 =  &_v552;
																						_t865 = E00E007A0(_t1111, _t1185, 0, _t1452, __eflags);
																						__eflags = _t865;
																						if(_t865 == 0) {
																							E00DF282C(_t1111,  &_v552, 0);
																							E00DFC905( &_v552);
																							_t1188 =  &_v6900;
																							E00DFC916(_t1188,  &_v552, 0);
																							_push(_t1188);
																							_push( &_v2664);
																							_push( &_v6900);
																							_t1189 =  &_v552;
																							__eflags = E00E007A0(_t1111, _t1189, 0, _t1452, __eflags);
																							if(__eflags == 0) {
																								_push(_t1189);
																								_push( &_v2136);
																								_t874 = E00E00682(_t1111,  &_v552, 0, _t1452, __eflags);
																								__eflags = _t874;
																								if(_t874 == 0) {
																									E00DF282C(_t1111,  &_v552, 0);
																									E00DFC905( &_v552);
																									_t1193 =  &_v6900;
																									E00DFC916(_t1193,  &_v552, 0);
																									_push(_t1193);
																									_push( &_v6360);
																									_push( &_v6900);
																									_t881 = E00E007A0(_t1111,  &_v552, 0, _t1452, __eflags);
																									__eflags = _t881;
																									if(_t881 == 0) {
																										_v8 = 0x1d;
																										E00DF1A07();
																										_v8 = 0x1a;
																										E00DF1A07();
																										_v8 = 0x17;
																										E00DF1A07();
																										_v8 = 0x14;
																										E00DF1A07();
																										_v8 = 0x11;
																										E00DF1A07();
																										_v8 = 0xe;
																										E00DF1A07();
																										_v8 = 0xb;
																										E00DF1A07();
																										_v8 = 8;
																										E00DF1A07();
																										_v8 = 5;
																										E00DF1A07();
																										_v8 = 2;
																										E00DF1A07();
																										_v8 = _v8 | 0xffffffff;
																										E00DF1A07();
																										goto L5;
																									}
																									E00DF282C(_t1111,  &_v552, 0);
																									E00DFC905( &_v552);
																									E00DFC916( &_v6900,  &_v552, 0);
																									_t898 = E00DFCA34( &_v6360);
																									_push( *0xe0f0f0);
																									_push(_t898);
																									_push( &_v6900);
																									E00DF1A52(_t1111,  &_v552, 0, _t1452, __eflags);
																									_push(L"fixups");
																									_t1211 =  &_v6916;
																									E00DF1C0C(_t1111, _t1211, 0, _t1452, __eflags);
																									_v8 = 0xb9;
																									_push(_t1211);
																									_push( &_v6916);
																									_t903 = E00E00682(_t1111,  &_v552, 0, _t1452, __eflags);
																									_t1453 = _t903;
																									_v8 = 0x1f;
																									E00DF1A07();
																									__eflags = _t903;
																									if(__eflags == 0) {
																										_push(L"calls");
																										_t1214 =  &_v6916;
																										E00DF1C0C(_t1111, _t1214, 0, _t1453, __eflags);
																										_v8 = 0xba;
																										_push(_t1214);
																										_push( &_v6916);
																										_t907 = E00E00682(_t1111,  &_v552, 0, _t1453, __eflags);
																										_t1454 = _t907;
																										_v8 = 0x1f;
																										E00DF1A07();
																										__eflags = _t907;
																										if(__eflags == 0) {
																											_push(L"attributed");
																											_t1217 =  &_v6916;
																											E00DF1C0C(_t1111, _t1217, 0, _t1454, __eflags);
																											_v8 = 0xbb;
																											_push(_t1217);
																											_push( &_v6916);
																											_t911 = E00E00682(_t1111,  &_v552, 0, _t1454, __eflags);
																											_t1455 = _t911;
																											_v8 = 0x1f;
																											E00DF1A07();
																											__eflags = _t911;
																											if(__eflags == 0) {
																												_push("all");
																												_t1220 =  &_v6916;
																												E00DF1C0C(_t1111, _t1220, 0, _t1455, __eflags);
																												_v8 = 0xbc;
																												_push(_t1220);
																												_push( &_v6916);
																												_t915 = E00E00682(_t1111,  &_v552, 0, _t1455, __eflags);
																												_t1452 = _t915;
																												_v8 = 0x1f;
																												E00DF1A07();
																												__eflags = _t915;
																												if(_t915 == 0) {
																													_t917 = E00DFC9D5( &_v552);
																													__imp___wtoi();
																													_t1224 = _t917;
																													__eflags = _t917;
																													if(_t917 != 0) {
																														_t1111[0x12] = _t917;
																														L183:
																														_v8 = 0x1d;
																														E00DF1A07();
																														_v8 = 0x1a;
																														E00DF1A07();
																														_v8 = 0x17;
																														E00DF1A07();
																														_v8 = 0x14;
																														E00DF1A07();
																														_v8 = 0x11;
																														E00DF1A07();
																														_v8 = 0xe;
																														E00DF1A07();
																														_v8 = 0xb;
																														E00DF1A07();
																														_v8 = 8;
																														E00DF1A07();
																														_v8 = 5;
																														E00DF1A07();
																														_v8 = 2;
																														E00DF1A07();
																														goto L101;
																													}
																													E00DF6A41();
																													_push(L"Error: Unrecognized option used for /Stats:<option>");
																													_push(_t1224);
																													_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																													_v8 = 0xbd;
																													goto L89;
																												}
																												_t1111[0x12] = _t1111[0x12] | 0xffffffff;
																												goto L183;
																											}
																											_t1111[0x12] = 8;
																											goto L183;
																										}
																										_t1111[0x12] = 4;
																										goto L183;
																									}
																									_t1111[0x12] = 2;
																									goto L183;
																								}
																								_t1111[0x12] = 1;
																								_v8 = 0x1d;
																								E00DF1A07();
																								_v8 = 0x1a;
																								E00DF1A07();
																								_v8 = 0x17;
																								E00DF1A07();
																								_v8 = 0x14;
																								E00DF1A07();
																								_v8 = 0x11;
																								E00DF1A07();
																								_v8 = 0xe;
																								E00DF1A07();
																								_v8 = 0xb;
																								E00DF1A07();
																								_v8 = 8;
																								E00DF1A07();
																								_v8 = 5;
																								E00DF1A07();
																								_v8 = 2;
																								E00DF1A07();
																								goto L101;
																							}
																							__eflags = _t1111[0xf];
																							if(__eflags == 0) {
																								E00DF282C(_t1111,  &_v552, 0);
																								E00DFC905( &_v552);
																								E00DFC916( &_v6900,  &_v552, 0);
																								_t972 = E00DFCA34( &_v2664);
																								E00DF1A52(_t1111,  &_v552, 0, _t1452, __eflags);
																								_t975 = E00DFC9D5( &_v552);
																								__imp__#2(_t975,  &_v6900, _t972,  *0xe0f0f0);
																								_t1459 = _t975;
																								__eflags = _t1111[0x10];
																								if(_t1111[0x10] != 0) {
																									__imp__#6(_t1111[0xf]);
																									_t1111[0x10] = 0;
																								}
																								_t1111[0xf] = _t1459;
																								__eflags = _t1459;
																								if(_t1459 != 0) {
																									_t1111[0x10] = 1;
																								}
																								_v8 = 0x1d;
																								E00DF1A07();
																								_v8 = 0x1a;
																								E00DF1A07();
																								_v8 = 0x17;
																								E00DF1A07();
																								_v8 = 0x14;
																								E00DF1A07();
																								_v8 = 0x11;
																								E00DF1A07();
																								_v8 = 0xe;
																								E00DF1A07();
																								_v8 = 0xb;
																								E00DF1A07();
																								_v8 = 8;
																								E00DF1A07();
																								_v8 = 5;
																								E00DF1A07();
																								_v8 = 2;
																								E00DF1A07();
																								goto L101;
																							}
																							_push(L"Error: Cannot specify multiple localappdata directories");
																							_push(_t1189);
																							_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																							_v8 = 0xa2;
																							goto L89;
																						}
																						__eflags = _t1111[0xd];
																						if(__eflags == 0) {
																							E00DF282C(_t1111,  &_v552, 0);
																							E00DFC905( &_v552);
																							E00DFC916( &_v6900,  &_v552, 0);
																							_t990 = E00DFCA34( &_v3192);
																							E00DF1A52(_t1111,  &_v552, 0, _t1452, __eflags);
																							_t993 = E00DFC9D5( &_v552);
																							__imp__#2(_t993,  &_v6900, _t990,  *0xe0f0f0);
																							_t1460 = _t993;
																							__eflags = _t1111[0xe];
																							if(_t1111[0xe] != 0) {
																								__imp__#6(_t1111[0xd]);
																								_t1111[0xe] = 0;
																							}
																							_t1111[0xd] = _t1460;
																							__eflags = _t1460;
																							if(_t1460 != 0) {
																								_t1111[0xe] = 1;
																							}
																							_v8 = 0x1d;
																							E00DF1A07();
																							_v8 = 0x1a;
																							E00DF1A07();
																							_v8 = 0x17;
																							E00DF1A07();
																							_v8 = 0x14;
																							E00DF1A07();
																							_v8 = 0x11;
																							E00DF1A07();
																							_v8 = 0xe;
																							E00DF1A07();
																							_v8 = 0xb;
																							E00DF1A07();
																							_v8 = 8;
																							E00DF1A07();
																							_v8 = 5;
																							E00DF1A07();
																							_v8 = 2;
																							E00DF1A07();
																							goto L101;
																						}
																						_push(L"Error: Cannot specify multiple package monikers");
																						_push(_t1185);
																						_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																						_v8 = 0x96;
																						goto L89;
																					}
																					__eflags = _t1111[0xb];
																					if(__eflags == 0) {
																						E00DF282C(_t1111,  &_v552, 0);
																						E00DFC905( &_v552);
																						E00DFC916( &_v6900,  &_v552, 0);
																						_t1008 = E00DFCA34( &_v3720);
																						E00DF1A52(_t1111,  &_v552, 0, _t1452, __eflags);
																						_t1011 = E00DFC9D5( &_v552);
																						__imp__#2(_t1011,  &_v6900, _t1008,  *0xe0f0f0);
																						_t1461 = _t1011;
																						__eflags = _t1111[0xc];
																						if(_t1111[0xc] != 0) {
																							__imp__#6(_t1111[0xb]);
																							_t1111[0xc] = 0;
																						}
																						_t1111[0xb] = _t1461;
																						__eflags = _t1461;
																						if(_t1461 != 0) {
																							_t1111[0xc] = 1;
																						}
																						_v8 = 0x1d;
																						E00DF1A07();
																						_v8 = 0x1a;
																						E00DF1A07();
																						_v8 = 0x17;
																						E00DF1A07();
																						_v8 = 0x14;
																						E00DF1A07();
																						_v8 = 0x11;
																						E00DF1A07();
																						_v8 = 0xe;
																						E00DF1A07();
																						_v8 = 0xb;
																						E00DF1A07();
																						_v8 = 8;
																						E00DF1A07();
																						_v8 = 5;
																						E00DF1A07();
																						_v8 = 2;
																						E00DF1A07();
																						goto L101;
																					}
																					_push(L"Error: Cannot specify multiple runtime versions");
																					_push(_t1181);
																					_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																					_v8 = 0x8a;
																					goto L89;
																				}
																				__eflags = _t1111[8];
																				if(__eflags == 0) {
																					E00DFC943( &_v5832, __eflags);
																					_v8 = 0x7d;
																					_t1024 = E00DFCA34( &_v4248);
																					E00DF7108(_t1111, E00DFC9D5( &_v552) + _t1024 * 2,  &_v5832, 0, _t1024, __eflags);
																					_t1027 = E00DFC9D5( &_v5832);
																					__imp__#2(_t1027, 1,  &_v5816, 0x200);
																					_t1463 = _t1027;
																					__eflags = _t1111[9];
																					if(_t1111[9] != 0) {
																						__imp__#6(_t1111[8]);
																						_t1111[9] = 0;
																					}
																					_t1111[8] = _t1463;
																					__eflags = _t1463;
																					if(_t1463 != 0) {
																						_t1111[9] = 1;
																					}
																					_t1111[0xa] = _t1111[0xa] | 0x00000002;
																					__eflags =  *_t1111 - 2;
																					if( *_t1111 == 2) {
																						_t493 =  &(_t1111[4]);
																						 *_t493 = _t1111[4] | 0x00000001;
																						__eflags =  *_t493;
																					}
																					_v8 = 0x1f;
																					E00DF1A07();
																					_v8 = 0x1d;
																					E00DF1A07();
																					_v8 = 0x1a;
																					E00DF1A07();
																					_v8 = 0x17;
																					E00DF1A07();
																					_v8 = 0x14;
																					E00DF1A07();
																					_v8 = 0x11;
																					E00DF1A07();
																					_v8 = 0xe;
																					E00DF1A07();
																					_v8 = 0xb;
																					E00DF1A07();
																					_v8 = 8;
																					E00DF1A07();
																					_v8 = 5;
																					E00DF1A07();
																					_v8 = 2;
																					E00DF1A07();
																					goto L101;
																				}
																				_push(L"Error: Cannot specify multiple repository options");
																				_push(_t1177);
																				_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																				_v8 = 0x7b;
																				goto L89;
																			}
																			__eflags = _t1111[8];
																			if(__eflags == 0) {
																				E00DFC943( &_v5832, __eflags);
																				_v8 = 0x6e;
																				_t1041 = E00DFCA34( &_v4776);
																				E00DF7108(_t1111, E00DFC9D5( &_v552) + _t1041 * 2,  &_v5832, 0, _t1041, __eflags);
																				_t1044 = E00DFC9D5( &_v5832);
																				__imp__#2(_t1044, 0,  &_v5816, 0x200);
																				_t1465 = _t1044;
																				__eflags = _t1111[9];
																				if(_t1111[9] != 0) {
																					__imp__#6(_t1111[8]);
																					_t1111[9] = 0;
																				}
																				_t1111[8] = _t1465;
																				__eflags = _t1465;
																				if(_t1465 != 0) {
																					_t1111[9] = 1;
																				}
																				_v8 = 0x1f;
																				E00DF1A07();
																				_v8 = 0x1d;
																				E00DF1A07();
																				_v8 = 0x1a;
																				E00DF1A07();
																				_v8 = 0x17;
																				E00DF1A07();
																				_v8 = 0x14;
																				E00DF1A07();
																				_v8 = 0x11;
																				E00DF1A07();
																				_v8 = 0xe;
																				E00DF1A07();
																				_v8 = 0xb;
																				E00DF1A07();
																				_v8 = 8;
																				E00DF1A07();
																				_v8 = 5;
																				E00DF1A07();
																				_v8 = 2;
																				E00DF1A07();
																				goto L101;
																			}
																			_push(L"Error: Cannot specify multiple repository options");
																			_push(_t1173);
																			_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																			_v8 = 0x6c;
																			goto L89;
																		}
																		_t1445 = 0;
																		__eflags = _t1111[8];
																		if(__eflags == 0) {
																			E00DFC943( &_v5832, __eflags);
																			_v8 = 0x5f;
																			_t1058 = E00DFCA34( &_v5304);
																			E00DF7108(_t1111, E00DFC9D5( &_v552) + _t1058 * 2,  &_v5832, 0, _t1058, __eflags);
																			_t1061 = E00DFC9D5( &_v5832);
																			__imp__#2(_t1061, 0,  &_v5816, 0x200);
																			_t1467 = _t1061;
																			__eflags = _t1111[9];
																			if(_t1111[9] != 0) {
																				__imp__#6(_t1111[8]);
																				_t1111[9] = 0;
																			}
																			_t1111[8] = _t1467;
																			__eflags = _t1467;
																			if(_t1467 != 0) {
																				_t1111[9] = 1;
																			}
																			_t1111[0xa] = _t1111[0xa] | 0x00000001;
																			_v8 = 0x1f;
																			E00DF1A07();
																			_v8 = 0x1d;
																			E00DF1A07();
																			_v8 = 0x1a;
																			E00DF1A07();
																			_v8 = 0x17;
																			E00DF1A07();
																			_v8 = 0x14;
																			E00DF1A07();
																			_v8 = 0x11;
																			E00DF1A07();
																			_v8 = 0xe;
																			E00DF1A07();
																			_v8 = 0xb;
																			E00DF1A07();
																			_v8 = 8;
																			E00DF1A07();
																			_v8 = 5;
																			E00DF1A07();
																			_v8 = 2;
																			E00DF1A07();
																			goto L101;
																		}
																		_push(L"Error: Cannot specify multiple repository options");
																		_push(_t1169);
																		_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																		_v8 = 0x5d;
																	} else {
																		__eflags = E00DF57FF(_t1111, _t1166, _t1445, _t1452, __eflags);
																		if(__eflags == 0) {
																			_t1445 = 0;
																			__eflags = _t1111[6];
																			if(_t1111[6] == 0) {
																				E00DF1B89(_t1111,  &_v1080, 0);
																				_t1452 = (_v1080 >> ( !_v1072 & 0x00000001)) - 1;
																				E00DF282C(_t1111,  &_v552, 0);
																				_t1383 = _v544;
																				__eflags = _t1383 & 0x00000010;
																				if(__eflags != 0) {
																					E00DF1857( &_v552, _t1424, _v548, 1);
																					_t1383 = _v544;
																				}
																				_v6900 = _v540;
																				_v6896 =  !_t1383 & 0x00000001;
																				_push( *0xe0f0f0);
																				_push(_t1452);
																				_push( &_v6900);
																				E00DF1A52(_t1111,  &_v552, _t1445, _t1452, __eflags);
																				_push(0x200);
																				_push( &_v5816);
																				E00DFC943( &_v5832, __eflags);
																				_v8 = 0x43;
																				_v6924 = _t1445;
																				_v6920 = _t1445;
																				_v8 = 0x44;
																				_v8 = 0x45;
																				_push(1);
																				E00DF7108(_t1111, E00DFC9D5( &_v552),  &_v5832, _t1445, _t1452, __eflags);
																				_v8 = 0x44;
																				_v8 = 0x43;
																				_t1390 =  &_v5832;
																				_t1084 = GetFileAttributesW(E00DFC9D5(_t1390));
																				__eflags = _t1084 - 0xffffffff;
																				if(_t1084 == 0xffffffff) {
																					L118:
																					E00DF6A41();
																					_push(L"Error: /AppBase specified without a valid directory");
																					_push(_t1390);
																					_t930 = E00DF528A(_t1111,  &_v6916, _t1445, _t1452, __eflags);
																					_v8 = 0x50;
																					goto L89;
																				} else {
																					__eflags = _t1084 & 0x00000010;
																					if((_t1084 & 0x00000010) == 0) {
																						goto L118;
																					}
																					_t1086 = E00DFC9D5( &_v5832);
																					__imp__#2(_t1086);
																					_t1470 = _t1086;
																					__eflags = _t1111[7] - _t1445;
																					if(_t1111[7] != _t1445) {
																						__imp__#6(_t1111[6]);
																						_t1111[7] = _t1445;
																					}
																					_t1111[6] = _t1470;
																					__eflags = _t1470;
																					if(_t1470 != 0) {
																						_t1111[7] = 1;
																					}
																					_v8 = 0x1f;
																					E00DF1A07();
																					_v8 = 0x1d;
																					E00DF1A07();
																					_v8 = 0x1a;
																					E00DF1A07();
																					_v8 = 0x17;
																					E00DF1A07();
																					_v8 = 0x14;
																					E00DF1A07();
																					_v8 = 0x11;
																					E00DF1A07();
																					_v8 = 0xe;
																					E00DF1A07();
																					_v8 = 0xb;
																					E00DF1A07();
																					_v8 = 8;
																					E00DF1A07();
																					_v8 = 5;
																					E00DF1A07();
																					_v8 = 2;
																					E00DF1A07();
																					goto L101;
																				}
																			}
																			E00DF6A41();
																			_push(L"Error: Cannot specify both /ExeConfig and /AppBase");
																			_push(_t1166);
																			_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																			_v8 = 0x41;
																			goto L89;
																		}
																		_push(L"Error: Cannot use /AppBase with the Ngen Offline feature.");
																		_push(_t1166);
																		_t930 = E00DF528A(_t1111,  &_v6916, _t1445, _t1452, __eflags);
																		_v8 = 0x40;
																	}
																} else {
																	__eflags = E00DF57FF(_t1111, _t1161, _t1445, _t1452, __eflags);
																	if(__eflags == 0) {
																		L90:
																		_t1445 = 0;
																		__eflags = _t1111[6];
																		if(_t1111[6] == 0) {
																			E00DF1B89(_t1111,  &_v1608, 0);
																			_t1452 = (_v1608 >> ( !_v1600 & 0x00000001)) - 1;
																			E00DF282C(_t1111,  &_v552, 0);
																			_t1242 = _v544;
																			__eflags = _t1242 & 0x00000010;
																			if(__eflags != 0) {
																				E00DF1857( &_v552, _t1424, _v548, 1);
																				_t1242 = _v544;
																			}
																			_v6900 = _v540;
																			_v6896 =  !_t1242 & 0x00000001;
																			_push( *0xe0f0f0);
																			_push(_t1452);
																			_push( &_v6900);
																			E00DF1A52(_t1111,  &_v552, _t1445, _t1452, __eflags);
																			E00DF169F( &_v552);
																			_t1247 = _v540;
																			_t938 = E00DFCBCF(_t1111, _t1247, _t1445, _t1452, __eflags);
																			__eflags = _t938;
																			if(_t938 != 0) {
																				_v6888 = _t1445;
																				_v6884 = _t1445;
																				_v6880 = _t1445;
																				_v6876 = _t1445;
																				_v6876 =  &_v6872;
																				_v6884 = 0x200;
																				_v8 = 0x25;
																				_v6888 = 2;
																				 *_v6876 = 0;
																				_v8 = 0x27;
																				_v6924 = _t1445;
																				_v6920 = _t1445;
																				_v8 = 0x28;
																				_v8 = 0x29;
																				E00DF169F( &_v552);
																				E00DF717E(_t1111, _v540,  &_v6888, 1);
																				_v8 = 0x28;
																				_v8 = 0x27;
																				_t943 = E00DF169F( &_v6888);
																				__imp__#2(_v6876);
																				_t1458 = _t943;
																				__eflags = _t1111[7] - _t1445;
																				if(_t1111[7] != _t1445) {
																					__imp__#6(_t1111[6]);
																					_t1111[7] = _t1445;
																				}
																				_t1111[6] = _t1458;
																				__eflags = _t1458;
																				if(_t1458 != 0) {
																					_t1111[7] = 1;
																				}
																				_v8 = 0x1f;
																				E00DF1A07();
																				_v8 = 0x1d;
																				E00DF1A07();
																				_v8 = 0x1a;
																				E00DF1A07();
																				_v8 = 0x17;
																				E00DF1A07();
																				_v8 = 0x14;
																				E00DF1A07();
																				_v8 = 0x11;
																				E00DF1A07();
																				_v8 = 0xe;
																				E00DF1A07();
																				_v8 = 0xb;
																				E00DF1A07();
																				_v8 = 8;
																				E00DF1A07();
																				_v8 = 5;
																				E00DF1A07();
																				_v8 = 2;
																				E00DF1A07();
																				L101:
																				_v8 = _v8 | 0xffffffff;
																				E00DF1A07();
																				goto L9;
																			} else {
																				E00DF6A41();
																				_push(L"Error: /ExeConfig specified without an executable");
																				_push(_t1247);
																				_t930 = E00DF528A(_t1111,  &_v6916, _t1445, _t1452, __eflags);
																				_v8 = 0x24;
																				L89:
																				_t1424 = _t930;
																				_t1161 = 0x80070057;
																				E00E043CC(_t1111, 0x80070057, _t930, _t1445, _t1452, __eflags);
																				goto L90;
																			}
																		}
																		E00DF6A41();
																		_push(L"Error: Cannot specify both /ExeConfig and /AppBase");
																		_push(_t1161);
																		_t930 = E00DF528A(_t1111,  &_v6916, 0, _t1452, __eflags);
																		_v8 = 0x23;
																		goto L89;
																	}
																	_push(L"Error: Cannot use /ExeConfig with the Ngen Offline feature.");
																	_push(_t1161);
																	_t930 = E00DF528A(_t1111,  &_v6916, _t1445, _t1452, __eflags);
																	_v8 = 0x22;
																}
																goto L89;
															}
															_t1111[0x18] = 1;
															goto L9;
														}
														_t1111[5] = _t1111[5] | 0x00000004;
														goto L9;
													}
													_t1111[0x17] = 1;
													goto L9;
												}
												_t1126 = _t1440;
												_t1103 = E00DF5FCC(_t1440, L"lines", 0, _t1440, 1, 0);
												__eflags = _t1103;
												if(_t1103 != 0) {
													goto L78;
												}
												_t1111[0x20] = 1;
												goto L9;
											}
											_t1126 = _t1440;
											_t1104 = E00DF5FCC(_t1440, L"NetfxPri1", 0, _t1440, 1, 0);
											__eflags = _t1104;
											if(_t1104 != 0) {
												goto L75;
											}
											_t1111[5] = _t1111[5] | 0x00000002;
											goto L9;
										}
										_t1126 = _t1440;
										_t1105 = E00DF5FCC(_t1440, L"Delay", 0, _t1440, 1, 0);
										__eflags = _t1105;
										if(_t1105 != 0) {
											goto L72;
										}
										_t1111[0x15] = 1;
										goto L9;
									}
									_t1126 = _t1440;
									_t1106 = E00DF5FCC(_t1440, L"Queue:1", 0, _t1440, 1, 0);
									__eflags = _t1106;
									if(_t1106 != 0) {
										__eflags =  *_t1111;
										if( *_t1111 != 0) {
											goto L69;
										}
										_t1126 = _t1440;
										_t1107 = E00DF5FCC(_t1440, L"Queue:2", 0, _t1440, 1, 0);
										__eflags = _t1107;
										if(_t1107 != 0) {
											__eflags =  *_t1111;
											if( *_t1111 != 0) {
												goto L69;
											}
											_t1126 = _t1440;
											_t1108 = E00DF5FCC(_t1440, L"Queue:3", 0, _t1440, 1, 0);
											__eflags = _t1108;
											if(_t1108 != 0) {
												goto L69;
											}
											goto L68;
										}
										_t1111[0x14] = 1;
										goto L13;
									}
									_t1111[0x14] = 1;
									goto L11;
								}
								__eflags =  *_t1111 - 2;
								if( *_t1111 != 2) {
									goto L60;
								}
								goto L59;
							}
							_t1126 = _t1440;
							_t1109 = E00DF5FCC(_t1440, L"Force", 0, _t1440, 1, 0);
							__eflags = _t1109;
							if(_t1109 != 0) {
								__eflags =  *_t1111 - 2;
								if( *_t1111 != 2) {
									goto L57;
								}
								__imp___wcsicmp(L"Postreboot");
								_t1126 = _t1440;
								__eflags = _t1109;
								if(_t1109 != 0) {
									goto L57;
								}
								_t1111[0x1a] = 3;
								_t1111[4] = _t1111[4] | 0x00000002;
								goto L9;
							}
							_t1111[4] = _t1111[4] | 0x00000001;
							goto L9;
						}
						_t1111[0x19] = 3;
						goto L9;
					}
					_t1111[0x19] = 1;
					goto L9;
				} else {
					L5:
					goto L6;
				}
			}

APIs
  • #2.OLEAUT32(?,365EA2A8,?,?,?,?,?,00E08C4A,000000FF), ref: 00DF7734
  • #6.OLEAUT32(?,?,?,?,?,?,00E08C4A,000000FF), ref: 00DF7744
  • #2.OLEAUT32(?,365EA2A8,?,?,?,?,?,00E08C4A,000000FF), ref: 00DF7763
  • #6.OLEAUT32(?,?,?,?,?,?,00E08C4A,000000FF), ref: 00DF7773
  • #2.OLEAUT32(?,365EA2A8,?,?,?,?,?,00E08C4A,000000FF), ref: 00DF77AC
  • #6.OLEAUT32(?,?,?,?,?,?,00E08C4A,000000FF), ref: 00DF77C2
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID:
  • String ID: AppBase:$CopyFromRepository:$CopyToRepository:$Delay$Error: /AppBase specified without a valid directory$Error: /ExeConfig specified without an executable$Error: Cannot specify both /ExeConfig and /AppBase$Error: Cannot specify multiple localappdata directories$Error: Cannot specify multiple package monikers$Error: Cannot specify multiple repository options$Error: Cannot specify multiple runtime versions$Error: Cannot use /AppBase with the Ngen Offline feature.$Error: Cannot use /ExeConfig with the Ngen Offline feature.$Error: Unrecognized option used for /Stats:<option>$ExeConfig:$Force$LegacyServiceBehavior$LocalAppData:$MoveFromRepository:$NetfxPri1$NoLogo$NoRoot$Package:$Postreboot$Queue$Queue:1$Queue:2$Queue:3$Silent$Stats$Verbose$Version:$all$attributed$calls$continue$fixups$lines$pause$scmcontinue$scmpause$scmstart$scmstatus$scmstop$status$}
  • API String ID: 0-3420828249
  • Opcode ID: 32a0e1d886ae72bb9fef679306151fdd8e8833f27ead5f7788e7de97e45af79a
  • Instruction ID: 9a057221bde806ec1862b0bcaf766737c871bb3fd5038129fa8442c264f06d3d
  • Opcode Fuzzy Hash: 32a0e1d886ae72bb9fef679306151fdd8e8833f27ead5f7788e7de97e45af79a
  • Instruction Fuzzy Hash: 46F29E708052ADCACB25EB20CD55BF9BBB4EF15304F0980D9E649A7192DBB45E88CF71
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 53%
			E00DF2440(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t205;
				void* _t207;
				char* _t220;
				signed int* _t221;
				void* _t225;
				char _t227;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				intOrPtr* _t234;
				signed int _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t250;
				signed int _t259;
				signed int _t260;
				intOrPtr* _t262;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t276;
				void* _t285;
				signed int _t286;
				char _t290;
				signed int _t292;
				intOrPtr _t304;
				signed int _t306;
				intOrPtr _t307;
				intOrPtr _t318;
				char* _t322;
				signed int _t323;
				signed int* _t325;
				char* _t332;
				signed int* _t334;
				signed int* _t337;
				char* _t342;
				char* _t343;
				signed int _t349;
				intOrPtr _t361;
				signed int _t364;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int _t372;
				intOrPtr _t374;
				signed int _t376;
				char* _t377;
				signed int _t379;
				signed int _t382;
				char* _t384;
				signed int _t385;
				void* _t389;
				void* _t390;
				void* _t391;
				void* _t392;
				void* _t394;

				_t394 = __eflags;
				_t361 = __edx;
				_t307 = __ecx;
				E00DF1718(E00E0A296, __ebx, __ecx, __edi, __esi);
				_t374 = _t361;
				 *((intOrPtr*)(_t391 - 0x348)) = _t374;
				_t304 = _t307;
				 *((intOrPtr*)(_t391 - 0x34c)) = _t304;
				 *(_t391 - 0x2e4) = 0;
				__imp__HeapSetInformation(0, 1, 0, 0, 0x340);
				E00DF354F(_t307, __esi, _t394);
				_push(_t374);
				_push(_t304);
				E00DF6AE0(_t304, _t307, _t374, __esi, _t394);
				 *((intOrPtr*)(_t391 - 0x328)) = 0x100;
				 *(_t391 - 0x334) = 0;
				 *(_t391 - 0x330) = 0;
				 *((intOrPtr*)(_t391 - 0x32c)) = 0;
				 *((intOrPtr*)(_t391 - 0x324)) = 0;
				 *((short*)(_t391 - 0x320)) = 0;
				 *((intOrPtr*)(_t391 - 0x31c)) = 0;
				 *((char*)(_t391 - 0x318)) = 0;
				 *(_t391 - 4) = 0;
				 *((intOrPtr*)(_t391 - 0x2e0)) = 0;
				 *((intOrPtr*)(_t391 - 0x2dc)) = 0;
				 *((intOrPtr*)(_t391 - 0x2d8)) = 0;
				 *((intOrPtr*)(_t391 - 0x2d4)) = 0;
				 *((intOrPtr*)(_t391 - 0x2dc)) = 0x200;
				 *((intOrPtr*)(_t391 - 0x2d4)) = _t391 - 0x2d0;
				 *(_t391 - 4) = 1;
				 *((intOrPtr*)(_t391 - 0x2e0)) = 2;
				 *((short*)( *((intOrPtr*)(_t391 - 0x2d4)))) = 0;
				 *(_t391 - 4) = 2;
				E00DF1C56(_t391 - 0x2e0, L"Command line: ");
				 *(_t391 - 4) = 3;
				_t379 = 0;
				_t395 = _t304;
				if(_t304 <= 0) {
					L2:
					_t205 = E00DF5EDA(_t304, 0xdf260c, _t374, _t379, _t391 - 0x309);
					_push(0xdf3934);
					_t311 = _t391 - 0x2e0;
					 *0xe0f014 = _t205;
					E00DF52F0(_t304, _t391 - 0x2e0, _t374, _t379, _t396);
					_t397 =  *0xe0f08c;
					if( *0xe0f08c != 0) {
						_t311 = _t391 - 0x2e0;
						E00DF169F(_t391 - 0x2e0);
						E00DF2B99(0xe0f040, E00DF13E4,  *((intOrPtr*)(_t391 - 0x2d4)));
						_t392 = _t392 + 0xc;
					}
					_t207 = E00DF737F(_t304, _t311, _t374, _t379, _t397);
					_t398 = _t207;
					if(_t207 != 0) {
						E00DFD32D(_t304, L"To use the Offline Ngen feature, you must set all the environment variables outlined in the documentation.\n", _t374, L"To use the Offline Ngen feature, you must set all the environment variables outlined in the documentation.\n", __eflags);
						E00DF2B99(0xe0f040, E00DF13E4, L"To use the Offline Ngen feature, you must set all the environment variables outlined in the documentation.\n");
						 *(_t391 - 4) = 0;
						E00DF1A07();
						 *(_t391 - 4) =  *(_t391 - 4) | 0xffffffff;
					} else {
						_t381 = _t374 + 4;
						_t375 = _t304 - 1;
						_t362 = _t374 + 4;
						if(E00DF2314(_t304, _t304 - 1, _t374 + 4, _t304 - 1, _t374 + 4, _t398) == 0) {
							_t382 = E00DFDF6E(_t391 - 0x334, _t375, _t381);
							E00DFE525(_t391 - 0x334);
							__eflags = _t382 - 1;
							if(__eflags != 0) {
								E00DF6A02(_t304, "WARNING: This syntax is deprecated or you mis-typed your command.  Run \"ngen /?\" to display a list of the currently supported parameters.\n", _t375, _t382, __eflags);
							}
							__eflags = _t382;
							if(__eflags == 0) {
								L15:
								SetErrorMode(1);
								 *((intOrPtr*)(_t391 - 0x338)) = 0;
								 *(_t391 - 0x33c) = 0;
								 *(_t391 - 0x2fc) = 0;
								 *(_t391 - 0x2e8) = 0;
								 *(_t391 - 0x314) = 0;
								 *((intOrPtr*)(_t391 - 0x310)) = 0;
								 *(_t391 - 4) = 9;
								_t317 = _t391 - 0x314;
								_t220 = E00DF6812(0, _t391 - 0x314, _t375, _t382, __eflags);
								 *(_t391 - 4) = 0xa;
								__imp__CLRCreateInstance(0xdfb0d0, 0xdfb0e0,  *_t220, _t391 - 0x340);
								__eflags = _t220;
								if(_t220 < 0) {
									_t317 = _t220;
									L00E042D0(0, _t220, _t362, _t375, _t382);
								}
								 *(_t391 - 4) = 9;
								_t221 =  *(_t391 - 0x340);
								__eflags =  *_t221;
								if( *_t221 != 0) {
									_t221[1] = 1;
								}
								_t376 = 0;
								_t306 =  *(_t391 - 0x334);
								__eflags =  *(_t391 - 0x330);
								if( *(_t391 - 0x330) <= 0) {
									L32:
									_push(0x766f);
									_push(0);
									_t375 = 4;
									E00DFCA4B(_t391 - 0xd0, 0x40, L"v%d.%d.%d", _t375);
									_t392 = _t392 + 0x18;
									goto L34;
								} else {
									while(1) {
										_t362 =  *(_t306 + _t376 * 4);
										_t349 = _t362;
										_t389 = _t349 + 2;
										do {
											_t285 =  *_t349;
											_t349 = _t349 + 2;
											__eflags = _t285 -  *(_t391 - 0x2e4);
										} while (_t285 !=  *(_t391 - 0x2e4));
										_t317 = _t349 - _t389 >> 1;
										__eflags = _t317 - 4;
										if(_t317 <= 4) {
											L27:
											_t382 =  *(_t391 - 0x2e8);
											L28:
											_t376 = _t376 + 1;
											__eflags = _t376 -  *(_t391 - 0x330);
											if(_t376 >=  *(_t391 - 0x330)) {
												L31:
												__eflags = _t382;
												if(_t382 != 0) {
													_t375 = 4;
													L34:
													__eflags =  *((char*)(_t391 - 0x321));
													_t225 = _t391 - 0xd0;
													if(__eflags == 0) {
														_t318 = 0x20;
														 *((intOrPtr*)(_t391 - 0x344)) = _t318;
														__imp__wcscpy_s(_t391 - 0x50, _t318, _t225);
														_t227 =  *(_t391 - 0x314);
														_t392 = _t392 + 0xc;
														 *0xe10244(_t227, 8, 0, 0, _t391 - 0x50, _t391 - 0x344, 0, 0, 0, 0xdfacc4, 0);
														_t229 =  *((intOrPtr*)( *_t227 + 0xc))();
														_t384 = L"v1.1.4322";
														__eflags = _t229;
														if(_t229 < 0) {
															L59:
															_t322 = _t384;
															_t230 = _t391 - 0xd0;
															while(1) {
																_t364 =  *_t230;
																__eflags = _t364 -  *_t322;
																if(_t364 !=  *_t322) {
																	break;
																}
																__eflags = _t364;
																if(_t364 == 0) {
																	L64:
																	_t323 = 0;
																	_t231 = 0;
																	L66:
																	__eflags = _t231;
																	if(__eflags != 0) {
																		L77:
																		 *(_t391 - 0x2ec) = 0;
																		 *(_t391 - 0x2f8) = 0;
																		 *(_t391 - 0x2f4) = 0;
																		 *(_t391 - 0x2f0) = 0;
																		 *((intOrPtr*)(_t391 - 0x308)) = 0;
																		 *((intOrPtr*)(_t391 - 0x304)) = 0;
																		 *(_t391 - 4) = 0x22;
																		_t234 = E00DF6812(_t306, _t391 - 0x308, _t375, _t384, __eflags);
																		 *(_t391 - 4) = 0x23;
																		_t236 = _t391 - 0x50;
																		__imp__CorBindToRuntime(_t236, 0, 0xdfb0c0, 0xdfb120,  *_t234, _t391 - 0x2e4);
																		_t382 = _t236;
																		__eflags = _t382;
																		_t237 = _t236 & 0xffffff00 | _t382 < 0x00000000;
																		 *(_t391 - 4) = 0x22;
																		_t325 =  *(_t391 - 0x2e4);
																		_t362 = 0;
																		__eflags =  *_t325;
																		if( *_t325 != 0) {
																			_t325[1] = 1;
																		}
																		__eflags = _t237;
																		if(__eflags == 0) {
																			 *(_t391 - 4) = 9;
																			_t326 = _t391 - 0x308;
																			E00DF1CC2();
																			_t239 = _t391 - 0x2ec;
																			__imp__GetRealProcAddress("LegacyNGenCreateZapper", _t239);
																			_t385 = _t239;
																			_t377 = "LegacyNGenTryEnumerateFusionCache";
																			__eflags = _t385;
																			if(_t385 >= 0) {
																				__imp__GetRealProcAddress(_t377, _t391 - 0x2f8);
																				__imp__GetRealProcAddress("LegacyNGenCompile", _t391 - 0x2f4);
																				__imp__GetRealProcAddress("LegacyNGenFreeZapper", _t391 - 0x2f0);
																			}
																			_t240 =  *(_t391 - 0x2ec);
																			__eflags = _t240;
																			if(_t240 != 0) {
																				L87:
																				__eflags =  *(_t391 - 0x2f8);
																				if( *(_t391 - 0x2f8) == 0) {
																					goto L91;
																				}
																				__eflags =  *(_t391 - 0x2f4);
																				if( *(_t391 - 0x2f4) == 0) {
																					goto L91;
																				}
																				__eflags =  *(_t391 - 0x2f0);
																				if( *(_t391 - 0x2f0) == 0) {
																					goto L91;
																				}
																				_push( *(_t391 - 0x2f0));
																				_push( *(_t391 - 0x2f4));
																				_push( *(_t391 - 0x2f8));
																				_push(_t240);
																				L00DFE736(_t306, _t391 - 0x334,  *(_t391 - 0x2e8), _t377, _t385);
																				_t306 =  *(_t391 - 0x334);
																				goto L96;
																			} else {
																				_t250 = _t391 - 0x2ec;
																				__imp__GetRealProcAddress("LegacyNGenCreateZapper", _t250);
																				_t385 = _t250;
																				__eflags = _t385;
																				if(_t385 >= 0) {
																					__imp__GetRealProcAddress(_t377, _t391 - 0x2f8);
																					__imp__GetRealProcAddress("LegacyNGenCompile", _t391 - 0x2f4);
																					__imp__GetRealProcAddress("LegacyNGenFreeZapper", _t391 - 0x2f0);
																				}
																				_t240 =  *(_t391 - 0x2ec);
																				__eflags = _t240;
																				if(_t240 == 0) {
																					L91:
																					__eflags = _t385 - 0x80131701;
																					if(_t385 == 0x80131701) {
																						_t326 =  *((intOrPtr*)(_t391 - 0x34c));
																						_t385 = E00DFE53F(_t306,  *((intOrPtr*)(_t391 - 0x34c)),  *((intOrPtr*)(_t391 - 0x348)), _t377, _t385,  *((intOrPtr*)(_t391 - 0x34c)));
																					}
																					__eflags = _t385;
																					if(__eflags < 0) {
																						_push(_t391 - 0xd0);
																						_push(L"Unable to launch CLR Version %s to compile this assembly.\n");
																						E00DFD36B(_t306, _t326, _t377, _t385, __eflags);
																					}
																					L96:
																					 *(_t391 - 4) = 3;
																					E00DF1CC2();
																					 *(_t391 - 4) = 0;
																					E00DF1A07();
																					 *(_t391 - 4) =  *(_t391 - 4) | 0xffffffff;
																					__eflags = _t306;
																					if(_t306 != 0) {
																						E00DF1480(_t306);
																					}
																					L7:
																					return E00DF1679();
																				} else {
																					goto L87;
																				}
																			}
																		} else {
																			_t332 = L"Unable to bind to runtime for legacy NGEN scenario.\n";
																			L71:
																			E00DFD32D(_t306, _t332, _t375, _t382, __eflags);
																			_push(_t382);
																			goto L14;
																		}
																	}
																	 *((intOrPtr*)(_t391 - 0x308)) = _t323;
																	 *((intOrPtr*)(_t391 - 0x304)) = _t323;
																	 *(_t391 - 4) = 0x12;
																	_t259 = E00DF6812(_t306, _t391 - 0x308, _t375, _t384, __eflags);
																	 *(_t391 - 4) = 0x13;
																	__imp__CLRCreateInstance(0xdfb100, 0xdfb0f0,  *_t259, _t391 - 0x2e4);
																	_t382 = _t259;
																	__eflags = _t382;
																	_t260 = _t259 & 0xffffff00 | _t382 < 0x00000000;
																	 *(_t391 - 4) = 0x12;
																	_t334 =  *(_t391 - 0x2e4);
																	_t362 = 0;
																	__eflags =  *_t334;
																	if( *_t334 != 0) {
																		_t334[1] = 1;
																	}
																	__eflags = _t260;
																	if(__eflags == 0) {
																		 *(_t391 - 0x300) = _t362;
																		 *(_t391 - 0x2fc) = _t362;
																		 *(_t391 - 4) = 0x18;
																		_t375 =  *((intOrPtr*)(_t391 - 0x308));
																		_t262 = E00DF6812(_t306, _t391 - 0x300, _t375, _t382, __eflags);
																		 *(_t391 - 4) = 0x19;
																		 *0xe10244(_t375, L"v1.1.4322", 0xdfb110,  *_t262, _t391 - 0x2e4);
																		_t264 =  *((intOrPtr*)( *_t375 + 0xc))();
																		_t382 = _t264;
																		__eflags = _t382;
																		_t265 = _t264 & 0xffffff00 | _t382 < 0x00000000;
																		 *(_t391 - 4) = 0x18;
																		_t337 =  *(_t391 - 0x2e4);
																		_t362 = 0;
																		__eflags =  *_t337;
																		if( *_t337 != 0) {
																			_t337[1] = 1;
																		}
																		__eflags = _t265;
																		if(__eflags != 0) {
																			goto L70;
																		} else {
																			_t266 =  *(_t391 - 0x300);
																			 *0xe10244(_t266, L"mscorjit.dll", _t391 - 0x340);
																			_t382 =  *((intOrPtr*)( *_t266 + 0x1c))();
																			__eflags = _t382;
																			if(__eflags < 0) {
																				goto L70;
																			}
																			 *(_t391 - 4) = 0x12;
																			E00DF1CC2();
																			 *(_t391 - 4) = 9;
																			E00DF1CC2();
																			goto L77;
																		}
																	} else {
																		L70:
																		_t332 = L"Unable to load v1.1.4322 mscorjit.dll.\n";
																		goto L71;
																	}
																}
																_t368 =  *((intOrPtr*)(_t230 + 2));
																__eflags = _t368 - _t322[2];
																if(_t368 != _t322[2]) {
																	break;
																}
																_t230 = _t230 + _t375;
																_t322 =  &(_t322[_t375]);
																__eflags = _t368;
																if(_t368 != 0) {
																	continue;
																}
																goto L64;
															}
															asm("sbb eax, eax");
															_t231 = _t230 | 0x00000001;
															_t323 = 0;
															__eflags = 0;
															goto L66;
														}
														_t342 = L"v1.0.3705";
														_t271 = _t391 - 0x50;
														while(1) {
															_t369 =  *_t271;
															__eflags = _t369 -  *_t342;
															if(_t369 !=  *_t342) {
																break;
															}
															__eflags = _t369;
															if(_t369 == 0) {
																L43:
																_t272 = 0;
																L45:
																__eflags = _t272;
																if(_t272 == 0) {
																	goto L59;
																}
																_t343 = _t384;
																_t273 = _t391 - 0x50;
																while(1) {
																	_t370 =  *_t273;
																	__eflags = _t370 -  *_t343;
																	if(_t370 !=  *_t343) {
																		break;
																	}
																	__eflags = _t370;
																	if(_t370 == 0) {
																		L51:
																		_t274 = 0;
																		L53:
																		__eflags = _t274;
																		if(__eflags == 0) {
																			goto L59;
																		}
																		_push(_t391 - 0x2fc);
																		_t276 = E00DFECFF(_t306, _t391 - 0x334, _t370, _t375, _t384, __eflags);
																		__eflags = _t276;
																		if(_t276 == 0) {
																			_t306 =  *(_t391 - 0x334);
																			 *(_t391 - 0x33c) =  *(_t391 - 0x2fc);
																			goto L59;
																		}
																		 *(_t391 - 4) = 3;
																		E00DF1CC2();
																		 *(_t391 - 4) = 0;
																		E00DF1A07();
																		 *(_t391 - 4) =  *(_t391 - 4) | 0xffffffff;
																		_t371 =  *(_t391 - 0x334);
																		__eflags =  *(_t391 - 0x334);
																		if( *(_t391 - 0x334) != 0) {
																			E00DF1480(_t371);
																		}
																		goto L7;
																	}
																	_t370 =  *((intOrPtr*)(_t273 + 2));
																	__eflags = _t370 - _t343[2];
																	if(_t370 != _t343[2]) {
																		break;
																	}
																	_t273 = _t273 + _t375;
																	_t343 =  &(_t343[_t375]);
																	__eflags = _t370;
																	if(_t370 != 0) {
																		continue;
																	}
																	goto L51;
																}
																asm("sbb eax, eax");
																_t274 = _t273 | 0x00000001;
																__eflags = _t274;
																goto L53;
															}
															_t372 =  *((intOrPtr*)(_t271 + 2));
															__eflags = _t372 - _t342[2];
															if(_t372 != _t342[2]) {
																break;
															}
															_t271 = _t271 + _t375;
															_t342 =  &(_t342[_t375]);
															__eflags = _t372;
															if(_t372 != 0) {
																continue;
															}
															goto L43;
														}
														asm("sbb eax, eax");
														_t272 = _t271 | 0x00000001;
														__eflags = _t272;
														goto L45;
													}
													_push(_t225);
													_push(L"Version %s of the runtime would be used to generate this image.\n");
													E00DFD36B(_t306, _t317, _t375, _t382, __eflags);
													goto L36;
												}
												goto L32;
											}
											continue;
										}
										_t286 = _t362 +  &(_t317[0xfffffffffffffffc]) * 2;
										__imp___wcsicmp(L".exe");
										_t382 =  *(_t391 - 0x2e8);
										_t317 = _t286;
										__eflags = _t286;
										if(_t286 != 0) {
											goto L28;
										}
										__eflags = _t382;
										if(__eflags != 0) {
											E00DF6A02(_t306, "\nWARNING: Do not specify multiple EXEs as input. NGen uses the\n", _t376, _t382, __eflags);
											E00DF6A02(_t306, "configuration context of the first EXE for all other inputs.\n", _t376, _t382, __eflags);
											_t317 = "Instead, run NGen separately for individual EXEs.\n\n";
											E00DF6A02(_t306, "Instead, run NGen separately for individual EXEs.\n\n", _t376, _t382, __eflags);
											goto L31;
										}
										_t362 = 0;
										 *(_t391 - 0xd0) = _t286;
										_t290 =  *(_t391 - 0x314);
										 *((intOrPtr*)(_t391 - 0x338)) = 0x40;
										_t390 =  *_t290;
										_t317 =  *(_t390 + 0xc);
										 *0xe10244(_t290, 8,  *(_t306 + _t376 * 4), 0, _t391 - 0xd0, _t391 - 0x338, 0, 0, 0, 0xdfacc4, 0);
										_t292 =  *(_t390 + 0xc)();
										__eflags = _t292;
										if(_t292 < 0) {
											goto L27;
										}
										_t382 =  *(_t306 + _t376 * 4);
										 *(_t391 - 0x2e8) = _t382;
										goto L28;
									}
								}
							} else {
								E00DFD3F0();
								__eflags = _t382;
								if(__eflags >= 0) {
									L36:
									_push(0);
									L14:
									exit();
									goto L15;
								}
								_push(0xffffffff);
								goto L14;
							}
						}
						 *(_t391 - 4) = 0;
						E00DF1A07();
						 *(_t391 - 4) =  *(_t391 - 4) | 0xffffffff;
					}
					goto L7;
				} else {
					goto L1;
				}
				do {
					L1:
					_push( *((intOrPtr*)(_t374 + _t379 * 4)));
					E00DF52F0(_t304, _t391 - 0x2e0, _t374, _t379, _t395);
					_push(0xdf394c);
					E00DF52F0(_t304, _t391 - 0x2e0, _t374, _t379, _t395);
					_t379 = _t379 + 1;
					_t396 = _t379 - _t304;
				} while (_t379 < _t304);
				goto L2;
			}


APIs
  • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,00000340), ref: 00DF246C
    • Part of subcall function 00DF354F: GetACP.KERNEL32(0000001C,00E07276,00000278,00E07767,00000004,?,?,?,80004005,00000000), ref: 00DF3564
    • Part of subcall function 00DF354F: GetCPInfo.KERNEL32(00000000,00DF2EB0,?,?,80004005,00000000), ref: 00DF3574
    • Part of subcall function 00DF6AE0: _wcsnicmp.UCRTBASE_CLR0400(?,?,0000000E), ref: 00DF6B44
    • Part of subcall function 00DF6AE0: _wcsnicmp.UCRTBASE_CLR0400(?,?,00000008), ref: 00DF6B67
    • Part of subcall function 00DF1C56: wcscpy_s.UCRTBASE_CLR0400(00DF2EB0,00000000,00000004,00000004,00000000,?,?,00000000,?,00DF1C45,00000004,00000004,00E0453C,00DFC770,00000024,00000000), ref: 00DF1CAB
Strings
  • LegacyNGenTryEnumerateFusionCache, xrefs: 00DFAB64, 00DFAB74, 00DFABC8
  • configuration context of the first EXE for all other inputs., xrefs: 00DFA79C
  • ", xrefs: 00DFAB16
  • v1.0.3705, xrefs: 00DFA859
  • LegacyNGenFreeZapper, xrefs: 00DFAB94, 00DFABE8
  • .exe, xrefs: 00DFA70B
  • WARNING: Do not specify multiple EXEs as input. NGen uses the, xrefs: 00DFA792
  • Instead, run NGen separately for individual EXEs., xrefs: 00DFA7A6
  • Version %s of the runtime would be used to generate this image., xrefs: 00DFA7EB
  • WARNING: This syntax is deprecated or you mis-typed your command. Run "ngen /?" to display a list of the currently supported parameters., xrefs: 00DFA62C
  • @, xrefs: 00DFA74F
  • v1.1.4322, xrefs: 00DFA84C, 00DFAA23
  • mscorjit.dll, xrefs: 00DFAA6B
  • Unable to load v1.1.4322 mscorjit.dll., xrefs: 00DFA9D8
  • LegacyNGenCompile, xrefs: 00DFAB82, 00DFABD6
  • Command line: , xrefs: 00DF250C
  • v%d.%d.%d, xrefs: 00DFA7C0
  • Unable to launch CLR Version %s to compile this assembly., xrefs: 00DFAC6D
  • To use the Offline Ngen feature, you must set all the environment variables outlined in the documentation., xrefs: 00DFA5CC, 00DFA5D8
  • Unable to bind to runtime for legacy NGEN scenario., xrefs: 00DFAB34
  • LegacyNGenCreateZapper, xrefs: 00DFAB57, 00DFABB0
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: _wcsnicmp$HeapInfoInformationwcscpy_s
  • String ID: WARNING: Do not specify multiple EXEs as input. NGen uses the$"$.exe$@$Command line: $Instead, run NGen separately for individual EXEs.$LegacyNGenCompile$LegacyNGenCreateZapper$LegacyNGenFreeZapper$LegacyNGenTryEnumerateFusionCache$To use the Offline Ngen feature, you must set all the environment variables outlined in the documentation.$Unable to bind to runtime for legacy NGEN scenario.$Unable to launch CLR Version %s to compile this assembly.$Unable to load v1.1.4322 mscorjit.dll.$Version %s of the runtime would be used to generate this image.$WARNING: This syntax is deprecated or you mis-typed your command. Run "ngen /?" to display a list of the currently supported parameters.$configuration context of the first EXE for all other inputs.$mscorjit.dll$v%d.%d.%d$v1.0.3705$v1.1.4322
  • API String ID: 1974869348-1505401050
  • Opcode ID: 379eb5ed1e4f8917db312618ff750043e549e5476ce2775f75fe0e22a31aed8b
  • Instruction ID: ab1d08d35999a89a07578a5849e9891f4237b7aba68dfa1b0ab3f95c03bd86d6
  • Opcode Fuzzy Hash: 379eb5ed1e4f8917db312618ff750043e549e5476ce2775f75fe0e22a31aed8b
  • Instruction Fuzzy Hash: E1326CB090126D9FCB259B28CD45BB9B7B4AF14700F06C1E9E60DA7291DB705E85CF71
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
			E00DFECFF(void* __ebx, signed int* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t250;
				intOrPtr* _t253;
				signed int _t255;
				signed int _t256;
				signed int* _t257;
				intOrPtr* _t261;
				signed int* _t263;
				signed int _t278;
				signed int _t280;
				signed int _t282;
				intOrPtr* _t283;
				signed int _t285;
				signed int _t291;
				signed int _t297;
				signed int _t303;
				intOrPtr* _t306;
				signed int* _t308;
				signed int _t309;
				signed int _t314;
				signed int _t315;
				intOrPtr* _t323;
				signed int* _t325;
				signed int _t326;
				signed int _t331;
				signed int _t332;
				signed int _t336;
				signed int _t339;
				signed int* _t340;
				intOrPtr* _t348;
				signed char _t358;
				signed int _t366;
				intOrPtr _t367;
				intOrPtr _t392;
				signed int _t419;
				signed int _t420;
				signed int* _t422;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed int _t431;
				signed int _t432;
				signed int _t435;
				void* _t437;
				signed int _t438;

				_t412 = __edx;
				_t340 = __ecx;
				_push(0xa9c);
				E00DF1718(E00E09F11, __ebx, __ecx, __edi, __esi);
				_t422 = _t340;
				 *(_t437 - 0xa78) = _t422;
				_t339 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t437 + 8)))) = 0;
				if(_t422[7] == 0) {
					_t419 = 1;
					__eflags = _t422[4];
					if(__eflags == 0) {
						__eflags = _t422[5];
						if(__eflags != 0) {
							 *0xe0f014 = 3;
						}
					} else {
						 *0xe0f014 = 1;
					}
					_t250 = E00DFEBE3(_t339, _t340, _t412, _t419, _t422, __eflags);
					 *(_t437 - 0xa6c) = _t250;
					 *(_t437 - 0xa68) = _t339;
					__eflags = _t250;
					if(__eflags != 0) {
						 *(_t437 - 0xa68) = _t419;
					}
					 *(_t437 - 4) = 3;
					 *(_t437 - 0xa98) = _t339;
					 *(_t437 - 0xa94) = _t339;
					 *(_t437 - 0xa90) = _t339;
					 *(_t437 - 4) = 4;
					 *(_t437 - 0xa94) = _t422[6];
					 *(_t437 - 0xa8c) = _t339;
					 *(_t437 - 0xa88) = _t339;
					 *(_t437 - 4) = 8;
					_t423 =  *(_t437 - 0xa6c);
					_t253 = E00DF6812(_t339, _t437 - 0xa8c, _t419, _t423, __eflags);
					 *(_t437 - 4) = 9;
					_t424 =  *((intOrPtr*)( *_t423));
					 *0xe10244(_t423, 0xdf38f4,  *_t253, _t437 - 0xa64);
					_t255 =  *( *((intOrPtr*)( *_t423)))();
					__eflags = _t255;
					if(_t255 >= 0) {
						L10:
						 *(_t437 - 4) = 8;
						_t256 =  *(_t437 - 0xa64);
						__eflags =  *_t256 - _t339;
						if( *_t256 != _t339) {
							 *(_t256 + 4) = _t419;
						}
						_t257 =  *(_t437 - 0xa8c);
						_t424 = _t437 - 0xa98;
						_t438 = _t438 - 0xc;
						_t419 = _t438;
						_t339 =  *_t257;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *0xe10244(_t257);
						_t255 =  *((intOrPtr*)(_t339 + 0xc))();
						__eflags = _t255;
						if(_t255 < 0) {
							goto L9;
						} else {
							_t339 =  *(_t437 - 0xa78);
							__eflags =  *((char*)(_t339 + 0xc));
							if(__eflags == 0) {
								__eflags =  *((char*)(_t339 + 0x14));
								if(__eflags == 0) {
									L43:
									_t419 = 0;
									 *((intOrPtr*)(_t437 - 0xaa0)) = 0;
									 *((intOrPtr*)(_t437 - 0xa9c)) = 0;
									 *(_t437 - 4) = 0x31;
									_t425 =  *(_t437 - 0xa6c);
									_t261 = E00DF6812(_t339, _t437 - 0xaa0, 0, _t425, __eflags);
									 *(_t437 - 4) = 0x32;
									_t424 =  *((intOrPtr*)( *_t425));
									_t348 = _t424;
									 *0xe10244(_t425, "q",  *_t261, _t437 - 0xa78);
									_t255 =  *_t424();
									__eflags = _t255;
									if(_t255 < 0) {
										goto L9;
									}
									 *(_t437 - 4) = 0x31;
									_t263 =  *(_t437 - 0xa78);
									__eflags =  *_t263;
									if( *_t263 != 0) {
										_t263[1] = 1;
									}
									 *0xe0f018 = 1;
									 *(_t437 - 0xa60) = _t419;
									 *(_t437 - 0xa5c) = _t419;
									 *(_t437 - 4) = 0x36;
									_t426 = _t419;
									__eflags =  *(_t339 + 4) - _t419;
									if( *(_t339 + 4) <= _t419) {
										L57:
										__eflags =  *(_t437 - 0xa60);
										if( *(_t437 - 0xa60) == 0) {
											__eflags = GetCurrentDirectoryW(0x104, _t437 - 0x218);
											if(__eflags == 0) {
												E00E044D1(_t339, _t348, _t412, _t419, _t426, __eflags);
											}
											_t291 = _t437 - 0x218;
											__imp__#2(_t291);
											_t431 = _t291;
											__eflags =  *(_t437 - 0xa5c);
											if( *(_t437 - 0xa5c) != 0) {
												__imp__#6( *(_t437 - 0xa60));
												 *(_t437 - 0xa5c) = _t419;
											}
											 *(_t437 - 0xa60) = _t431;
											__eflags = _t431;
											if(_t431 != 0) {
												 *(_t437 - 0xa5c) = 1;
											}
										}
										_t427 = _t419;
										 *(_t437 - 0xa64) = _t419;
										__eflags =  *(_t339 + 4) - _t419;
										if( *(_t339 + 4) <= _t419) {
											L77:
											 *(_t437 - 4) = 0x31;
											E00DF317E();
											 *(_t437 - 4) = 8;
											L78:
											E00DF1CC2();
											L79:
											 *(_t437 - 4) = 4;
											E00DF1CC2();
											 *(_t437 - 4) =  *(_t437 - 4) | 0xffffffff;
											E00DF1CC2();
											__eflags = 1;
											L80:
											return E00DF1679();
										} else {
											_t419 = 0x80070002;
											while(1) {
												 *(_t437 - 0x428) = 0;
												 *(_t437 - 0x424) = 0;
												 *(_t437 - 0x420) = 0;
												 *((intOrPtr*)(_t437 - 0x41c)) = 0;
												 *(_t437 - 0x424) = 0x200;
												 *((intOrPtr*)(_t437 - 0x41c)) = _t437 - 0x418;
												 *(_t437 - 4) = 0x3c;
												 *(_t437 - 0x428) = 2;
												 *((short*)( *((intOrPtr*)(_t437 - 0x41c)))) = 0;
												 *(_t437 - 4) = 0x3e;
												E00DF717E(_t339,  *((intOrPtr*)( *_t339 + _t427 * 4)), _t437 - 0x428, 1);
												_t429 = 1;
												_t358 =  !( *(_t437 - 0x420)) & 1;
												__eflags = ( *(_t437 - 0x428) >> _t358) - 1;
												if(__eflags == 0) {
													break;
												}
												_t280 = E00DF169F(_t437 - 0x428);
												__imp__#2( *((intOrPtr*)(_t437 - 0x41c)));
												 *(_t437 - 0xa70) =  *(_t437 - 0xa70) & 0x00000000;
												 *(_t437 - 0xa74) = _t280;
												__eflags = _t280;
												if(_t280 != 0) {
													 *(_t437 - 0xa70) = 1;
												}
												 *(_t437 - 4) = 0x42;
												E00DF169F(_t437 - 0x428);
												_t282 = E00DFCBCF(_t339,  *((intOrPtr*)(_t437 - 0x41c)), _t419, _t429, __eflags);
												asm("sbb edx, edx");
												_t412 =  !( ~_t282) &  *(_t437 - 0xa60);
												 *((intOrPtr*)(_t339 + 0xe)) =  *((char*)(_t339 + 0x10));
												_t366 = 0x20 + (0 |  *((intOrPtr*)(_t339 + 0xe)) != 0x00000000) * 2;
												if( *((char*)(_t339 + 0x10)) != 0) {
													_t366 = _t366 | 0x00000008;
													__eflags = _t366;
												}
												__eflags =  *((char*)(_t339 + 0x11));
												if( *((char*)(_t339 + 0x11)) != 0) {
													_t366 = _t366 | 0x00000010;
													__eflags = _t366;
												}
												_t283 =  *((intOrPtr*)(_t437 - 0xaa0));
												_t429 =  *_t283;
												_t367 =  *((intOrPtr*)(_t429 + 0xc));
												 *0xe10244(_t283,  *(_t437 - 0xa74), _t366, _t412, 1, 3);
												_t255 =  *((intOrPtr*)(_t429 + 0xc))();
												__eflags = _t255 - _t419;
												if(__eflags == 0) {
													_push(L"Error: The specified assembly is not installed.");
													_push(_t367);
													_t278 = E00DF528A(_t339, _t437 - 0xa84, _t419, _t429, __eflags);
													 *(_t437 - 4) = 0x43;
													L42:
													_t412 = _t278;
													E00E043CC(_t339, _t419, _t278, _t419, _t429, __eflags);
													goto L43;
												} else {
													__eflags = _t255;
													if(_t255 < 0) {
														goto L9;
													}
													_t285 =  *(_t437 - 0xa6c);
													_t424 =  *((intOrPtr*)( *_t285 + 0x14));
													 *0xe10244(_t285, 0xe0f008, 0);
													_t255 =  *((intOrPtr*)( *((intOrPtr*)( *_t285 + 0x14))))();
													__eflags = _t255;
													if(_t255 < 0) {
														goto L9;
													}
													 *(_t437 - 4) = 0x3e;
													E00DF317E();
													 *(_t437 - 4) = 0x36;
													E00DF1A07();
													_t427 =  *(_t437 - 0xa64) + 1;
													 *(_t437 - 0xa64) = _t427;
													__eflags = _t427 -  *(_t339 + 4);
													if(_t427 <  *(_t339 + 4)) {
														continue;
													}
													goto L77;
												}
											}
											_push(L"Error: You must specify an assembly to install.");
											_push(_t358);
											_t278 = E00DF528A(_t339, _t437 - 0xa84, _t419, 1, __eflags);
											 *(_t437 - 4) = 0x3f;
											goto L42;
										}
									} else {
										while(1) {
											 *(_t437 - 0x638) = _t419;
											 *(_t437 - 0x634) = _t419;
											 *(_t437 - 0x630) = _t419;
											 *(_t437 - 0x62c) = _t419;
											 *(_t437 - 0x634) = 0x200;
											 *(_t437 - 0x62c) = _t437 - 0x628;
											 *(_t437 - 4) = 0x37;
											 *(_t437 - 0x638) = 2;
											 *( *(_t437 - 0x62c)) = 0;
											 *(_t437 - 4) = 0x39;
											_t412 = _t437 - 0x638;
											E00DF717E(_t339,  *((intOrPtr*)( *_t339 + _t426 * 4)), _t437 - 0x638, 1);
											E00DF169F(_t437 - 0x638);
											_t297 = E00DFCBCF(_t339,  *(_t437 - 0x62c), _t419, _t426, __eflags);
											__eflags = _t297;
											if(_t297 == 0) {
												goto L54;
											}
											__eflags =  *(_t437 - 0xa60);
											if(__eflags != 0) {
												E00DF6A02(_t339, "\nWARNING: Do not specify multiple EXEs as input. NGen uses the\n", _t419, _t426, __eflags);
												E00DF6A02(_t339, "configuration context of the first EXE for all other inputs.\n", _t419, _t426, __eflags);
												E00DF6A02(_t339, "Instead, run NGen separately for individual EXEs.\n\n", _t419, _t426, __eflags);
												 *(_t437 - 4) = 0x36;
												_t348 = _t437 - 0x638;
												E00DF1A07();
												goto L57;
											}
											_t303 = E00DF169F(_t437 - 0x638);
											__imp__#2( *(_t437 - 0x62c));
											_t420 = _t303;
											__eflags =  *(_t437 - 0xa5c);
											if( *(_t437 - 0xa5c) != 0) {
												__imp__#6( *(_t437 - 0xa60));
												_t169 = _t437 - 0xa5c;
												 *_t169 =  *(_t437 - 0xa5c) & 0x00000000;
												__eflags =  *_t169;
											}
											 *(_t437 - 0xa60) = _t420;
											__eflags = _t420;
											if(_t420 != 0) {
												 *(_t437 - 0xa5c) = 1;
											}
											_t419 = 0;
											__eflags = 0;
											L54:
											 *(_t437 - 4) = 0x36;
											_t348 = _t437 - 0x638;
											E00DF1A07();
											_t426 = _t426 + 1;
											__eflags = _t426 -  *(_t339 + 4);
											if(_t426 >=  *(_t339 + 4)) {
												goto L57;
											}
										}
									}
								}
								__eflags =  *(_t339 + 4);
								if(__eflags != 0) {
									 *(_t437 - 0xa74) = 0;
									 *(_t437 - 0xa70) = 0;
									 *(_t437 - 4) = 0x21;
									_t432 =  *(_t437 - 0xa6c);
									_t306 = E00DF6812(_t339, _t437 - 0xa74, _t419, _t432, __eflags);
									 *(_t437 - 4) = 0x22;
									_t424 =  *((intOrPtr*)( *_t432));
									 *0xe10244(_t432, "q",  *_t306, _t437 - 0xa78);
									_t255 =  *((intOrPtr*)( *((intOrPtr*)( *_t432))))();
									__eflags = _t255;
									if(_t255 < 0) {
										goto L9;
									}
									 *(_t437 - 4) = 0x21;
									_t308 =  *(_t437 - 0xa78);
									_t412 = 0;
									__eflags =  *_t308;
									if( *_t308 != 0) {
										_t308[1] = 1;
									}
									_t433 = _t412;
									 *(_t437 - 0xa64) = _t412;
									__eflags =  *(_t339 + 4) - _t412;
									if( *(_t339 + 4) <= _t412) {
										L39:
										_t309 =  *(_t437 - 0xa6c);
										_t424 =  *((intOrPtr*)( *_t309 + 0x14));
										 *0xe10244(_t309, 0xe0f008, _t412);
										_t255 =  *((intOrPtr*)( *((intOrPtr*)( *_t309 + 0x14))))();
										__eflags = _t255;
										if(_t255 < 0) {
											goto L9;
										}
										 *(_t437 - 4) = 8;
										goto L78;
									} else {
										_t419 = 0x80070002;
										while(1) {
											 *(_t437 - 0xa58) = _t412;
											 *(_t437 - 0xa54) = _t412;
											 *(_t437 - 0xa50) = _t412;
											 *(_t437 - 0xa4c) = _t412;
											 *(_t437 - 0xa54) = 0x200;
											 *(_t437 - 0xa4c) = _t437 - 0xa48;
											 *(_t437 - 4) = 0x24;
											 *(_t437 - 0xa58) = 2;
											 *( *(_t437 - 0xa4c)) = 0;
											 *(_t437 - 4) = 0x26;
											_t412 = _t437 - 0xa58;
											E00DF717E(_t339,  *((intOrPtr*)( *_t339 + _t433 * 4)), _t437 - 0xa58, _t437 - 0xa58);
											_t314 = E00DF169F(_t437 - 0xa58);
											__imp__#2( *(_t437 - 0xa4c));
											 *(_t437 - 0xa5c) =  *(_t437 - 0xa5c) & 0x00000000;
											 *(_t437 - 0xa60) = _t314;
											__eflags = _t314;
											if(_t314 != 0) {
												 *(_t437 - 0xa5c) = 1;
											}
											 *(_t437 - 4) = 0x29;
											_t315 =  *(_t437 - 0xa74);
											_t429 =  *_t315;
											_t392 =  *((intOrPtr*)(_t429 + 0x10));
											 *0xe10244(_t315,  *(_t437 - 0xa60), 1, 0, 1);
											_t255 =  *((intOrPtr*)(_t429 + 0x10))();
											__eflags = _t255 - _t419;
											if(__eflags == 0) {
												break;
											}
											__eflags = _t255;
											if(_t255 < 0) {
												goto L9;
											}
											 *(_t437 - 4) = 0x26;
											E00DF317E();
											 *(_t437 - 4) = 0x21;
											E00DF1A07();
											_t433 =  *(_t437 - 0xa64) + 1;
											 *(_t437 - 0xa64) = _t433;
											_t412 = 0;
											__eflags = _t433 -  *(_t339 + 4);
											if(_t433 <  *(_t339 + 4)) {
												continue;
											}
											goto L39;
										}
										_push(L"Error: The specified assembly is not installed.");
										_push(_t392);
										_t278 = E00DF528A(_t339, _t437 - 0xaa8, _t419, _t429, __eflags);
										 *(_t437 - 4) = 0x2a;
										goto L42;
									}
								}
								 *(_t437 - 4) = 4;
								E00DF1CC2();
								 *(_t437 - 4) =  *(_t437 - 4) | 0xffffffff;
								E00DF1CC2();
								goto L1;
							}
							 *(_t437 - 0xa60) =  *(_t437 - 0xa60) & 0x00000000;
							 *(_t437 - 0xa5c) =  *(_t437 - 0xa5c) & 0x00000000;
							 *(_t437 - 4) = 0xe;
							_t435 =  *(_t437 - 0xa6c);
							_t323 = E00DF6812(_t339, _t437 - 0xa60, _t419, _t435, __eflags);
							 *(_t437 - 4) = 0xf;
							_t424 =  *((intOrPtr*)( *_t435));
							 *0xe10244(_t435, 0xdfc4a8,  *_t323, _t437 - 0xa78);
							_t255 =  *((intOrPtr*)( *((intOrPtr*)( *_t435))))();
							__eflags = _t255;
							if(_t255 < 0) {
								goto L9;
							}
							 *(_t437 - 4) = 0xe;
							_t325 =  *(_t437 - 0xa78);
							__eflags =  *_t325;
							if( *_t325 != 0) {
								_t325[1] = 1;
							}
							_t326 =  *(_t339 + 4);
							__eflags = _t326;
							if(_t326 != 0) {
								_t419 = 0;
								__eflags = _t326;
								if(_t326 == 0) {
									goto L25;
								} else {
									goto L21;
								}
								while(1) {
									L21:
									 *(_t437 - 0x848) = 0;
									 *(_t437 - 0x844) = 0;
									 *((intOrPtr*)(_t437 - 0x840)) = 0;
									 *((intOrPtr*)(_t437 - 0x83c)) = 0;
									 *(_t437 - 0x844) = 0x200;
									 *((intOrPtr*)(_t437 - 0x83c)) = _t437 - 0x838;
									 *(_t437 - 4) = 0x11;
									 *(_t437 - 0x848) = 2;
									 *((short*)( *((intOrPtr*)(_t437 - 0x83c)))) = 0;
									 *(_t437 - 4) = 0x13;
									_t412 = _t437 - 0x848;
									E00DF717E(_t339,  *((intOrPtr*)( *_t339 + _t419 * 4)), _t437 - 0x848, 1);
									_t331 = E00DF169F(_t437 - 0x848);
									__imp__#2( *((intOrPtr*)(_t437 - 0x83c)));
									 *(_t437 - 0xa7c) = _t331;
									 *(_t437 - 0xa78) = 0;
									__eflags = _t331;
									if(_t331 != 0) {
										 *(_t437 - 0xa78) = 1;
									}
									 *(_t437 - 4) = 0x16;
									_t332 =  *(_t437 - 0xa60);
									_t424 =  *((intOrPtr*)( *_t332 + 0x10));
									 *0xe10244(_t332,  *(_t437 - 0xa7c), 1);
									_t255 =  *((intOrPtr*)( *((intOrPtr*)( *_t332 + 0x10))))();
									__eflags = _t255;
									if(_t255 < 0) {
										goto L9;
									}
									 *(_t437 - 4) = 0x13;
									E00DF317E();
									 *(_t437 - 4) = 0xe;
									E00DF1A07();
									_t419 = _t419 + 1;
									_push(0);
									_pop(0);
									__eflags = _t419 -  *(_t339 + 4);
									if(_t419 <  *(_t339 + 4)) {
										continue;
									}
									goto L25;
								}
								goto L9;
							} else {
								_t336 =  *(_t437 - 0xa60);
								_t424 =  *((intOrPtr*)( *_t336 + 0x10));
								 *0xe10244(_t336, 0, 1);
								_t255 =  *((intOrPtr*)( *((intOrPtr*)( *_t336 + 0x10))))();
								__eflags = _t255;
								if(_t255 < 0) {
									goto L9;
								}
								L25:
								 *(_t437 - 4) = 8;
								E00DF1CC2();
								goto L79;
							}
						}
					} else {
						L9:
						L00E042D0(_t339, _t255, _t412, _t419, _t424);
						goto L10;
					}
				}
				L1:
				goto L80;
			}

Strings
  • configuration context of the first EXE for all other inputs., xrefs: 00DFF379
  • Error: The specified assembly is not installed., xrefs: 00DFF1CE, 00DFF5F6
  • Instead, run NGen separately for individual EXEs., xrefs: 00DFF383
  • WARNING: Do not specify multiple EXEs as input. NGen uses the, xrefs: 00DFF36F
  • ?, xrefs: 00DFF624
  • Error: You must specify an assembly to install., xrefs: 00DFF613
  • q, xrefs: 00DFF049, 00DFF227
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID:
  • String ID: WARNING: Do not specify multiple EXEs as input. NGen uses the$?$Error: The specified assembly is not installed.$Error: You must specify an assembly to install.$Instead, run NGen separately for individual EXEs.$configuration context of the first EXE for all other inputs.$q
  • API String ID: 0-3128719627
  • Opcode ID: 8fd79aef2fee701cf752a72dab0c80a03bc42b77e0786c60183c2e008706ebcd
  • Instruction ID: ee4a6afa9db408a696eea4dea151ac54c2e3ddfb11e44d1b25b44e263d41b842
  • Opcode Fuzzy Hash: 8fd79aef2fee701cf752a72dab0c80a03bc42b77e0786c60183c2e008706ebcd
  • Instruction Fuzzy Hash: 90425870A0136CCFDB21DF24CC44BA9BBB0AF45314F0980E9D649AB6A1DB755E85CF62
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
			E00DF3B07(void* __ebx, short* __ecx, void* __edx, char* __edi, void* __esi, void* __eflags) {
				void*** _t160;
				char* _t161;
				char* _t170;
				intOrPtr* _t179;
				void*** _t182;
				char* _t186;
				intOrPtr* _t192;
				void*** _t195;
				signed int _t202;
				signed int _t203;
				signed int _t216;
				signed int _t219;
				signed int _t224;
				signed int _t226;
				short* _t232;
				char* _t233;
				char* _t235;
				char* _t238;
				char* _t239;
				void* _t244;

				_t231 = __edi;
				_push(0x34);
				E00DF1BCF(E00E0B6F1, __ebx, __ecx, __edi, __esi);
				_t152 = __ecx;
				 *(_t244 - 0x10) = __ecx;
				_t202 = 0;
				 *(_t244 - 0x18) = 0;
				 *(_t244 - 0x38) = 0;
				 *(_t244 - 0x34) = 0;
				 *(_t244 - 4) = 2;
				 *(_t244 - 0x30) = 0;
				 *(_t244 - 0x2c) = 0;
				 *(_t244 - 4) = 5;
				 *(_t244 - 0x40) = 0;
				 *((intOrPtr*)(_t244 - 0x3c)) = 0;
				 *(_t244 - 4) = 8;
				 *(_t244 - 0x28) = 0;
				 *(_t244 - 0x24) = 0;
				 *(_t244 - 4) = 0xc;
				if(( *(_t244 + 8) & 0x00000001) == 0) {
					_t238 =  *(_t244 - 0x28);
					L5:
					if(( *(_t244 + 8) & 0x0000000e) == 0 ||  *((intOrPtr*)(_t244 + 0xc)) != 0 && E00DF5D34(_t152, _t231) == 0) {
						L27:
						 *(_t244 - 4) = 8;
						E00DF36D9();
						 *(_t244 - 4) = 5;
						E00DF3AB8();
						 *(_t244 - 4) = 2;
						E00DF3AB8();
						 *(_t244 - 4) =  *(_t244 - 4) | 0xffffffff;
						E00DF3AB8();
						return E00DF1687();
					} else {
						if(( *(_t244 + 8) & 0x00000002) == 0) {
							L15:
							if(( *(_t244 + 8) & 0x00000004) == 0) {
								L25:
								if(( *(_t244 + 8) & 0x00000008) != 0) {
									_push(_t244 - 0x20);
									_t160 = E00DF372C(_t202, _t244 - 0x40, _t231, _t238, __eflags);
									 *(_t244 - 4) = 0x37;
									_t203 = _t202 | 0x00000004;
									 *(_t244 - 0x18) = _t203;
									_t161 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Fusion", 0, 0x20019,  *_t160);
									_t232 =  *(_t244 - 0x10);
									__eflags = _t161;
									if(_t161 != 0) {
										L70:
										_t226 = 0;
										__eflags = 0;
										L71:
										 *(_t244 - 4) = 0xc;
										 *(_t244 - 0x18) = _t203 & 0xfffffffb;
										E00DFD2DA();
										__eflags = _t226;
										if(_t226 == 0) {
											goto L26;
										}
										_t239 = E00DF6E8C();
										__eflags =  *(_t244 - 0x24);
										if( *(_t244 - 0x24) != 0) {
											E00DFFDAA( *(_t244 - 0x28));
											_t141 = _t244 - 0x24;
											 *_t141 =  *(_t244 - 0x24) & 0x00000000;
											__eflags =  *_t141;
										}
										 *(_t244 - 0x28) = _t239;
										__eflags = _t239;
										if(_t239 == 0) {
											goto L26;
										} else {
											 *(_t244 - 0x24) = 1;
											 *_t239 = 0;
											RegQueryValueExW( *(_t244 - 0x40), _t232, 0, 0,  *(_t244 - 0x28), _t244 - 0x14);
											 *(_t244 - 0x24) =  *(_t244 - 0x24) & 0x00000000;
											L32:
											_t238 =  *(_t244 - 0x28);
											goto L27;
										}
									}
									_t170 = RegQueryValueExW( *(_t244 - 0x40), _t232, 0, _t244 - 0x1c, 0, _t244 - 0x14);
									__eflags = _t170;
									if(_t170 != 0) {
										goto L70;
									}
									__eflags =  *(_t244 - 0x1c) - 1;
									if( *(_t244 - 0x1c) != 1) {
										goto L70;
									}
									_t226 = 1;
									goto L71;
								}
								L26:
								_t238 = 0;
								goto L27;
							}
							_t231 =  *0xe0f0a8; // 0xffffffff
							_t238 = 0;
							_t261 = _t231 - 0xffffffff;
							if(_t231 != 0xffffffff) {
								_t238 = 1;
								__eflags =  *(_t244 - 0x2c);
								if( *(_t244 - 0x2c) != 0) {
									RegCloseKey( *(_t244 - 0x30));
									_t108 = _t244 - 0x2c;
									 *_t108 =  *(_t244 - 0x2c) & 0x00000000;
									__eflags =  *_t108;
								}
								 *(_t244 - 0x30) = _t231;
								__eflags = _t231;
								if(__eflags != 0) {
									 *(_t244 - 0x2c) = 1;
								}
								L18:
								_t216 = 1;
								L19:
								 *(_t244 - 4) = 0xc;
								if((_t202 & 0x00000002) != 0) {
									_t202 = _t202 & 0xfffffffd;
									 *(_t244 - 0x18) = _t202;
									 *(_t244 - 4) = 0xc;
									_t179 =  *((intOrPtr*)(_t244 - 0x20));
									if( *_t179 != 0) {
										 *(_t179 + 4) = 1;
									}
								}
								if(_t216 == 0) {
									goto L25;
								}
								_t231 = 0;
								if(RegQueryValueExW( *(_t244 - 0x30),  *(_t244 - 0x10), 0, _t244 - 0x1c, 0, _t244 - 0x14) == 0) {
									__eflags =  *(_t244 - 0x1c) - 1;
									if(__eflags == 0) {
										_t233 = E00DF6E8C();
										__eflags =  *(_t244 - 0x24);
										if( *(_t244 - 0x24) != 0) {
											_t227 =  *(_t244 - 0x28);
											__eflags =  *(_t244 - 0x28);
											if( *(_t244 - 0x28) != 0) {
												E00DF1480(_t227);
											}
											_t116 = _t244 - 0x24;
											 *_t116 =  *(_t244 - 0x24) & 0x00000000;
											__eflags =  *_t116;
										}
										 *(_t244 - 0x28) = _t233;
										__eflags = _t233;
										if(__eflags != 0) {
											 *(_t244 - 0x24) = 1;
											 *_t233 = 0;
											RegQueryValueExW( *(_t244 - 0x30),  *(_t244 - 0x10), 0, 0,  *(_t244 - 0x28), _t244 - 0x14);
											_t124 = _t244 - 0x24;
											 *_t124 =  *(_t244 - 0x24) & 0x00000000;
											__eflags =  *_t124;
										}
										_t231 = 1;
									}
								}
								asm("sbb esi, esi");
								 *(_t244 - 0x2c) = _t238;
								if(_t231 != 0) {
									goto L32;
								} else {
									goto L25;
								}
							}
							_push(_t244 - 0x20);
							_t182 = E00DF372C(_t202, _t244 - 0x30, _t231, 0, _t261);
							 *(_t244 - 4) = 0x33;
							_t202 = _t202 | 0x00000002;
							 *(_t244 - 0x18) = _t202;
							if(RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\.NETFramework", 0, 0x20019,  *_t182) != 0) {
								_t216 = 0;
								goto L19;
							}
							goto L18;
						}
						_t231 =  *0xe0f0a4; // 0xffffffff
						_t238 = 0;
						_t254 = _t231 - 0xffffffff;
						if(_t231 != 0xffffffff) {
							_t238 = 1;
							__eflags =  *(_t244 - 0x34);
							if( *(_t244 - 0x34) != 0) {
								RegCloseKey( *(_t244 - 0x38));
								_t81 = _t244 - 0x34;
								 *_t81 =  *(_t244 - 0x34) & 0x00000000;
								__eflags =  *_t81;
							}
							 *(_t244 - 0x38) = _t231;
							__eflags = _t231;
							if(__eflags != 0) {
								 *(_t244 - 0x34) = 1;
							}
							L30:
							_t219 = 1;
							L12:
							 *(_t244 - 4) = 0xc;
							if((_t202 & 0x00000001) != 0) {
								_t202 = _t202 & 0xfffffffe;
								 *(_t244 - 0x18) = _t202;
								 *(_t244 - 4) = 0xc;
								_t192 =  *((intOrPtr*)(_t244 - 0x20));
								if( *_t192 != 0) {
									 *(_t192 + 4) = 1;
								}
							}
							if(_t219 != 0) {
								_t231 = 0;
								_t186 = RegQueryValueExW( *(_t244 - 0x38),  *(_t244 - 0x10), 0, _t244 - 0x1c, 0, _t244 - 0x14);
								__eflags = _t186;
								if(_t186 == 0) {
									__eflags =  *(_t244 - 0x1c) - 1;
									if( *(_t244 - 0x1c) == 1) {
										_t235 = E00DF6E8C();
										__eflags =  *(_t244 - 0x24);
										if( *(_t244 - 0x24) != 0) {
											_t228 =  *(_t244 - 0x28);
											__eflags =  *(_t244 - 0x28);
											if( *(_t244 - 0x28) != 0) {
												E00DF1480(_t228);
											}
											_t94 = _t244 - 0x24;
											 *_t94 =  *(_t244 - 0x24) & 0x00000000;
											__eflags =  *_t94;
										}
										 *(_t244 - 0x28) = _t235;
										__eflags = _t235;
										if(_t235 != 0) {
											 *(_t244 - 0x24) = 1;
											 *_t235 = 0;
											RegQueryValueExW( *(_t244 - 0x38),  *(_t244 - 0x10), 0, 0,  *(_t244 - 0x28), _t244 - 0x14);
											_t102 = _t244 - 0x24;
											 *_t102 =  *(_t244 - 0x24) & 0x00000000;
											__eflags =  *_t102;
										}
										_t231 = 1;
										__eflags = 1;
									}
								}
								asm("sbb esi, esi");
								 *(_t244 - 0x34) = _t238;
								__eflags = _t231;
								if(__eflags == 0) {
									goto L15;
								} else {
									goto L32;
								}
							}
							goto L15;
						}
						_push(_t244 - 0x20);
						_t195 = E00DF372C(_t202, _t244 - 0x38, _t231, 0, _t254);
						 *(_t244 - 4) = 0x28;
						_t202 = 1;
						 *(_t244 - 0x18) = 1;
						if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\.NETFramework", 0, 0x20019,  *_t195) == 0) {
							goto L30;
						} else {
							_t219 = 0;
							goto L12;
						}
					}
				}
				_t238 = E00DF6D92(0, __ecx, __edx, __edi, __esi);
				if( *(_t244 - 0x24) != 0) {
					_t229 =  *(_t244 - 0x28);
					__eflags =  *(_t244 - 0x28);
					if(__eflags != 0) {
						E00DF1480(_t229);
					}
					_t224 = 0;
					 *(_t244 - 0x24) = 0;
				} else {
					_t224 = 0;
				}
				 *(_t244 - 0x28) = _t238;
				if(_t238 != 0) {
					 *(_t244 - 0x24) = 1;
					__eflags =  *_t238 - _t224;
					if( *_t238 == _t224) {
						E00DF1480(_t238);
						 *(_t244 - 0x24) =  *(_t244 - 0x24) & 0x00000000;
						_t238 = 0;
						 *(_t244 - 0x28) = 0;
						goto L4;
					} else {
						 *(_t244 - 0x24) = _t224;
						goto L27;
					}
				} else {
					L4:
					_t152 =  *(_t244 - 0x10);
					goto L5;
				}
			}

APIs
    • Part of subcall function 00DF6D92: wcscpy_s.UCRTBASE_CLR0400(?,00000040,COMPlus_,00000010,00000012,?,?,00000010,00000004,?), ref: 00DF6DF7
    • Part of subcall function 00DF6D92: wcscat_s.UCRTBASE_CLR0400(?,00000040,00000010,00000010,00000004,?), ref: 00DF6E0A
    • Part of subcall function 00DF6D92: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00DF6E1C
  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\.NETFramework,00000000,00020019,00000000,?,00000034,00DFB671,?,00000001), ref: 00DF3C18
  • RegOpenKeyExW.ADVAPI32(?,Software\Microsoft\.NETFramework,00000000,00020019,00000000,?,00000034,00DFB671,?,00000001), ref: 00DF3CAE
  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000034,00DFB671,?,00000001), ref: 00DF3D11
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: Open$EnvironmentQueryValueVariablewcscat_swcscpy_s
  • String ID: 7$Software\Microsoft\.NETFramework$Software\Microsoft\Fusion
  • API String ID: 2237448454-3001485244
  • Opcode ID: b51899468f2dafb35ce59ccb51f3ad856a9aac2f80201757d41ba5b1eca3ccdd
  • Instruction ID: 2f2ce970f4b2ba80c38ead7ba254351788e6a578fadf82510b762ba2978f58cc
  • Opcode Fuzzy Hash: b51899468f2dafb35ce59ccb51f3ad856a9aac2f80201757d41ba5b1eca3ccdd
  • Instruction Fuzzy Hash: 5AE12771C0122C8ADB318B25CD48BE9BBB5AF48754F16C1D9E6496B291CB718FC8CF64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
			E00E07C53(intOrPtr __edx, intOrPtr __edi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				void _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				void* _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				_Unknown_base(*)()* _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				void _v808;
				char* _t38;
				long _t48;
				signed int _t50;
				intOrPtr _t51;
				signed char _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;

				_t57 = __edi;
				_t56 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				 *0xe0f588 = 0;
				_v632 = memset( &_v808, 0, 0x2cc);
				_v636 = _t55;
				_v640 = _t56;
				_v644 = _t51;
				_v648 = 0;
				_v652 = _t57;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t38 =  &_v0;
				_v612 = _t38;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t38 - 4));
				memset( &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t48 = UnhandledExceptionFilter( &_v12);
				if(_t48 == 0) {
					_t50 =  ~(_t54 & 0x000000ff);
					asm("sbb eax, eax");
					 *0xe0f588 =  *0xe0f588 & _t50;
					return _t50;
				}
				return _t48;
			}

APIs
  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00E07C60
  • memset.VCRUNTIME140_CLR0400(?,00000000,000002CC,00000017,?), ref: 00E07C83
  • memset.VCRUNTIME140_CLR0400(?,00000000,00000050,00000017,?), ref: 00E07D0C
  • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00E07D31
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 00E07D5C
  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 00E07D69
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
  • String ID:
  • API String ID: 1045392073-0
  • Opcode ID: 981c8a0fad9c683ef24f001a7acc38e619ff44efd2e1ca71b2f7196b66ba511b
  • Instruction ID: 18bd76a97b2b8374d4f2d2862078eb0c71c069660c60bc451ac69841faf38469
  • Opcode Fuzzy Hash: 981c8a0fad9c683ef24f001a7acc38e619ff44efd2e1ca71b2f7196b66ba511b
  • Instruction Fuzzy Hash: D43118B5C0522C9ACB60DF25DD89BD9BBB8FF08305F1041EAE40CA7250EB715AC88F54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00DF731A() {
				signed int _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t21;
				signed int _t29;
				signed int _t32;
				signed int _t36;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t21 =  *0xe0f000; // 0x365ea2a8
				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = _v8 ^ GetCurrentProcessId();
					QueryPerformanceCounter( &_v24);
					_t29 =  &_v8;
					_t36 = _v20 ^ _v24.LowPart ^ _v8 ^ _t29;
					if(_t36 != 0xbb40e64e) {
						if((0xffff0000 & _t36) == 0) {
							_t29 = (_t36 | 0x00004711) << 0x10;
							_t36 = _t36 | _t29;
						}
					} else {
						_t36 = 0xbb40e64f;
					}
					 *0xe0f000 = _t36;
					 *0xe0f094 =  !_t36;
					return _t29;
				} else {
					_t32 =  !_t21;
					 *0xe0f094 = _t32;
					return _t32;
				}
			}

APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00DFC3B6
  • GetCurrentThreadId.KERNEL32 ref: 00DFC3CE
  • GetCurrentProcessId.KERNEL32 ref: 00DFC3DA
  • QueryPerformanceCounter.KERNEL32(?), ref: 00DFC3ED
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
  • String ID:
  • API String ID: 2933794660-0
  • Opcode ID: 9c4a659ef0db8590aa26caf10245d4c3d6bd376d9348499a1dcad9ef727d3303
  • Instruction ID: c28886106a867ad1a70e0c2938a9e94bd88759a3d4d82a7d7b1a6e9818a130f0
  • Opcode Fuzzy Hash: 9c4a659ef0db8590aa26caf10245d4c3d6bd376d9348499a1dcad9ef727d3303
  • Instruction Fuzzy Hash: 4B1190B5D0112C8FDB34CB75DD04BE9B7B4EB08301F4585AAD60AE7250EA709A988F64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00DF70DF() {

				return SetUnhandledExceptionFilter(E00E07D90);
			}

APIs
  • SetUnhandledExceptionFilter.KERNEL32(Function_00017D90), ref: 00DF70E4
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ExceptionFilterUnhandled
  • String ID:
  • API String ID: 3192549508-0
  • Opcode ID: a527c74cad62756da80fb48ff9959006c7b0eb6ddd9b4e7b8dd479d23edb5528
  • Instruction ID: f8b50c03f4391976a8d0e21c1f16d85add6747548f7a7bad5b6b46bb11a9d110
  • Opcode Fuzzy Hash: a527c74cad62756da80fb48ff9959006c7b0eb6ddd9b4e7b8dd479d23edb5528
  • Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00E06210() {

				return GetProcessHeap();
			}

APIs
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: HeapProcess
  • String ID:
  • API String ID: 54951025-0
  • Opcode ID: 66a0086f74a401c6065d96f8335cda47e4a12f9a4d13f23f1bede0cf54b7a58c
  • Instruction ID: 6be2e6763b39ab63ffd5999b69213cfc7f33ed88c324e178bd7c076d31a27a4d
  • Opcode Fuzzy Hash: 66a0086f74a401c6065d96f8335cda47e4a12f9a4d13f23f1bede0cf54b7a58c
  • Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 40%
			E00E014D8(signed int __ecx, void* __edx, signed int* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t17;
				signed int _t20;
				signed int _t22;
				void* _t24;
				void* _t32;

				_t17 =  *0xd000e012;
				_push(cs);
				asm("loopne 0x2");
				_push(_t17);
				asm("adc ah, al");
				 *((intOrPtr*)(_t17 + 0x12)) =  *((intOrPtr*)(_t17 + 0x12)) + _t17;
				asm("loopne 0x2");
				asm("arpl di, bx");
				 *((intOrPtr*)(_t17 - 0xfff209d)) =  *((intOrPtr*)(_t17 - 0xfff209d)) + __edx;
				asm("adc eax, esp");
				 *_t17 =  *_t17 + _t17;
				asm("adc ah, al");
				 *_t17 =  *_t17 + _t17;
				asm("adc ah, al");
				 *_t17 =  *_t17 + __edx;
				asm("adc eax, 0x129000e0");
				asm("loopne 0x2");
				_push(_t17);
				_push(ss);
				asm("loopne 0x2");
				 *__edi =  *__edi & __ecx;
				asm("loopne 0x2");
				_push(0xc);
				E00DF1BCF(E00E0AFA5, _t24, __ecx, __edi, __esi);
				_t20 =  *0xe0f5a8; // 0x0
				if(_t20 == 0) {
					 *((intOrPtr*)(_t32 - 0x18)) = 0xdf398c;
					 *(_t32 - 0x14) =  *(_t32 - 0x14) & _t20;
					 *(_t32 - 4) =  *(_t32 - 4) & _t20;
					_t22 = _t20 + 1;
					 *((intOrPtr*)(_t32 - 0x18)) = E00E014D8;
					 *(_t32 - 0x10) = _t22;
					 *(_t32 - 4) = _t22;
					 *0xe0f5a8 = 0xe0f978;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t32 - 4) =  *(_t32 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t32 - 0x18)) = 0xdf398c;
				}
				return E00DF1687();
			}








Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 9118321f0ed38a5a91214729056684aba47a20d169ce7f8718b4c641d53c16b3
  • Instruction ID: 48f6d27570987ec602f434b4af19969df1f858655e2f87913472e043f7be6b9a
  • Opcode Fuzzy Hash: 9118321f0ed38a5a91214729056684aba47a20d169ce7f8718b4c641d53c16b3
  • Instruction Fuzzy Hash: B4E04F1945D2C55ECB2306E10C24AE17F38895B38A76E70CB9095BF1F3C08C898DE7AA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
			E00E05320(void* __eax) {

				asm("rdtsc");
				return __eax;
			}



0x00e05320
0x00e05322

Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
  • Instruction ID: 515e982fcc113093bc8b9341a6cdcd2dd9e3cb9215dfa8f3b5e9b2f25e208636
  • Opcode Fuzzy Hash: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
  • Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

APIs
  • memcpy.VCRUNTIME140_CLR0400(00000000,?,?), ref: 00DFDFF5
  • tolower.UCRTBASE_CLR0400(?), ref: 00DFE025
  • _wcsicmp.UCRTBASE_CLR0400(?,instrument), ref: 00DFE061
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: _wcsicmpmemcpytolower
  • String ID: Error: Cannot specify both /debug and /debugopt.$Error: Unrecognized option %s$Error: You must specify an assembly to install.$Error: You must specify an assembly to uninstall.$Warning: /debug will be ignored if /prof is specified.$WARNING: Use "ngen install /Tuning" instead of "ngen /instrument"$attributed$calls$debug$debugopt$delete$fixups$help$instrument$nologo$prof$show$showversion$silent$stats$verbose
  • API String ID: 320641587-1668034060
  • Opcode ID: 1210ca0d977ff2f11d3cf462b43bc6ced7be93368a563548a3efe4caaf8e307f
  • Instruction ID: 2977a1532ab14e297e7903636aeaa316043034fdb97f1c3e9fc8a492f9034cae
  • Opcode Fuzzy Hash: 1210ca0d977ff2f11d3cf462b43bc6ced7be93368a563548a3efe4caaf8e307f
  • Instruction Fuzzy Hash: CE917831608349AED7344F29D84973637E89F42710B2FC41DEB86D62B1FBA5D984873A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
			E00DF6155(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t66;
				signed int _t70;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t74;
				signed int _t75;
				void* _t79;
				signed int _t88;
				signed int _t92;
				signed int _t94;
				void* _t99;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				intOrPtr _t112;
				void* _t121;
				intOrPtr _t126;
				signed int* _t129;
				void* _t140;
				intOrPtr _t149;
				void* _t150;
				signed int* _t152;
				void* _t153;
				void* _t154;

				_t112 = __ecx;
				_push(0x43c);
				E00DF1718(E00E08CF8, __ebx, __ecx, __edi, __esi);
				 *((intOrPtr*)(_t153 - 0x438)) = _t112;
				_t149 =  *((intOrPtr*)(_t153 + 8));
				_t66 =  *((intOrPtr*)(_t153 + 0xc));
				_t152 =  *(_t153 + 0x10);
				if(_t149 < 1) {
					L28:
					L25:
					return E00DF1679();
				}
				_t110 =  *_t66;
				_t150 = _t149 - 1;
				 *(_t153 - 0x434) = _t66 + 4;
				_t113 = _t110;
				_t70 = E00DF5FCC(_t110, L"install", 0, _t112, 1, 0);
				if(_t70 != 0) {
					_t114 = _t110;
					_t71 = E00DF5FCC(_t110, L"uninstall", 0, _t113, 1, 0);
					__eflags = _t71;
					if(_t71 != 0) {
						_t115 = _t110;
						_t72 = E00DF5FCC(_t110, L"update", 0, _t114, 1, 0);
						__eflags = _t72;
						if(_t72 != 0) {
							_t116 = _t110;
							_t73 = E00DF5FCC(_t110, L"display", 0, _t115, 1, 0);
							__eflags = _t73;
							if(_t73 != 0) {
								_t117 = _t110;
								_t74 = E00DF5FCC(_t110, L"executeQueuedItems", 0, _t116, 1, 0);
								__eflags = _t74;
								if(_t74 == 0) {
									L45:
									 *_t152 = 4;
									_t152[0x1a] = 3;
									L3:
									_t111 =  *(_t153 - 0x434);
									if(_t150 <= 0) {
										L8:
										if( *_t152 != 0) {
											__eflags =  *_t152 - 1;
											if( *_t152 != 1) {
												__eflags =  *_t152 - 3;
												if( *_t152 != 3) {
													L20:
													if(_t150 <= 0) {
														L23:
														if( *_t152 == 1) {
															_t75 = _t152[3];
															__eflags = _t75 - 1;
															if(_t75 != 1) {
																_t152[3] = _t75 & 0xfffffffe;
															}
														}
														L24:
														goto L25;
													} else {
														goto L21;
													}
													while(1) {
														L21:
														_t111 =  *_t111;
														_t118 =  &(_t152[3]);
														 *(_t153 - 0x434) =  *(_t153 - 0x434) + 4;
														_t150 = _t150 - 1;
														if(E00DF612E( &(_t152[3]), _t111,  &(_t152[3])) == 0) {
															goto L56;
														}
														L22:
														if(_t150 > 0) {
															_t111 =  *(_t153 - 0x434);
															continue;
														}
														goto L23;
														L56:
														_t79 = E00DF6F92(_t111, _t118, _t150, _t152, _t111, _t152);
														__eflags = _t79;
														if(_t79 != 0) {
															goto L22;
														}
														E00DF6A41();
														 *(_t153 - 0x430) = 0;
														 *((intOrPtr*)(_t153 - 0x42c)) = 0;
														 *((intOrPtr*)(_t153 - 0x428)) = 0;
														 *((intOrPtr*)(_t153 - 0x424)) = 0;
														 *((intOrPtr*)(_t153 - 0x42c)) = 0x200;
														 *((intOrPtr*)(_t153 - 0x424)) = _t153 - 0x420;
														 *(_t153 - 4) = 5;
														 *(_t153 - 0x430) = 2;
														 *((short*)( *((intOrPtr*)(_t153 - 0x424)))) = 0;
														 *(_t153 - 4) = 7;
														E00DF2EB4(_t153 - 0x430, L"Error: Unrecognized option %s\n", _t111);
														_t154 = _t154 + 0xc;
														E00DFD095( *((intOrPtr*)(_t153 - 0x438)));
														_t140 = _t153 - 0x430;
														_t121 = 0x80070057;
														L54:
														E00E043CC(_t111, _t121, _t140, _t150, _t152, __eflags);
														L55:
														__imp__#6(_t152[1]);
														_t152[2] = _t152[2] & 0x00000000;
														_t88 =  *(_t153 - 0x434);
														L16:
														_t152[1] = _t88;
														if(_t88 != 0) {
															_t152[2] = 1;
														}
														_t150 = _t150 - 1;
														_t111 = _t111 + 4;
														 *(_t153 - 0x434) = _t111;
														L19:
														 *(_t153 - 4) =  *(_t153 - 4) | 0xffffffff;
														E00DF1A07();
														goto L20;
													}
												}
												goto L9;
											}
										}
										L9:
										if(_t150 < 1) {
											goto L24;
										}
										 *(_t153 - 0x220) = 0;
										 *((intOrPtr*)(_t153 - 0x21c)) = 0;
										 *((intOrPtr*)(_t153 - 0x218)) = 0;
										 *((intOrPtr*)(_t153 - 0x214)) = 0;
										 *((intOrPtr*)(_t153 - 0x21c)) = 0x200;
										 *((intOrPtr*)(_t153 - 0x214)) = _t153 - 0x210;
										 *(_t153 - 4) = 0;
										 *(_t153 - 0x220) = 2;
										 *((short*)( *((intOrPtr*)(_t153 - 0x214)))) = 0;
										 *(_t153 - 4) = 2;
										_t124 =  *_t111;
										_t92 =  *( *_t111) & 0x0000ffff;
										if(_t92 == 0x2d || _t92 == 0x2f) {
											goto L19;
										} else {
											if( *_t152 != 0) {
												__eflags =  *_t152 - 3;
												if( *_t152 == 3) {
													goto L13;
												}
												_t94 = 0;
												L14:
												E00DF717E(_t111, _t124, _t153 - 0x220, _t94);
												if(E00DF57FF(_t111, _t124, _t150, _t152, 1) != 0) {
													E00DF169F(_t153 - 0x220);
													_t126 =  *((intOrPtr*)(_t153 - 0x214));
													__eflags = E00DFD056(_t126, __eflags);
													if(__eflags == 0) {
														goto L15;
													}
													_push(L"Error: Only strong-named assemblies are allowed with offline ngen");
													_push(_t126);
													_t99 = E00DF528A(_t111, _t153 - 0x448, _t150, _t152, __eflags);
													 *(_t153 - 4) = 3;
													_t140 = _t99;
													_t121 = 0x800700a0;
													goto L54;
												}
												L15:
												_t88 = E00DF169F(_t153 - 0x220);
												__imp__#2( *((intOrPtr*)(_t153 - 0x214)));
												 *(_t153 - 0x434) = _t88;
												if(_t152[2] != 0) {
													goto L55;
												}
												goto L16;
											}
											L13:
											_t94 = 1;
											goto L14;
										}
									}
									_t129 =  &(_t152[3]);
									while(1) {
										 *(_t153 - 0x434) =  *_t111;
										if(E00DF612E(_t129,  *_t111, _t129) == 0 && E00DF6F92(_t111, _t129, _t150, _t152,  *(_t153 - 0x434), _t152) == 0) {
											break;
										}
										_t150 = _t150 - 1;
										_t129 =  &(_t152[3]);
										_t111 = _t111 + 4;
										__eflags = _t150;
										if(_t150 <= 0) {
											break;
										}
									}
									 *(_t153 - 0x434) = _t111;
									goto L8;
								}
								_t130 = _t110;
								_t103 = E00DF5FCC(_t110, 0xdf9e88, 0, _t117, 1, 0);
								__eflags = _t103;
								if(_t103 == 0) {
									goto L45;
								}
								_t131 = _t110;
								_t104 = E00DF5FCC(_t110, L"queue", 0, _t130, 1, 0);
								__eflags = _t104;
								if(_t104 != 0) {
									_t132 = _t110;
									_t105 = E00DF5FCC(_t110, L"createpdb", 0, _t131, 1, 0);
									__eflags = _t105;
									if(_t105 != 0) {
										_t133 = _t110;
										_t106 = E00DF5FCC(_t110, L"removetaskboottrigger", 0, _t132, 1, 0);
										__eflags = _t106;
										if(_t106 != 0) {
											_t107 = E00DF5FCC(_t110, L"removetaskdelaystarttrigger", 0, _t133, 1, 0);
											__eflags = _t107;
											if(_t107 != 0) {
												goto L28;
											}
											 *_t152 = 8;
											goto L3;
										}
										 *_t152 = 7;
										goto L3;
									}
									 *_t152 = 6;
									goto L3;
								}
								 *_t152 = 5;
								goto L3;
							}
							 *_t152 = 3;
							goto L3;
						}
						 *_t152 = 2;
						goto L3;
					}
					_t108 = _t71 + 1;
					 *_t152 = _t108;
					_t152[3] = _t108;
					goto L3;
				}
				 *_t152 =  *_t152 & _t70;
				goto L3;
			}

































APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID:
  • String ID: Error: Only strong-named assemblies are allowed with offline ngen$Error: Unrecognized option %s$createpdb$display$eqi$executeQueuedItems$install$queue$removetaskboottrigger$removetaskdelaystarttrigger$uninstall$update
  • API String ID: 0-2673233420
  • Opcode ID: 8c6feab4db18f7768812eaea5684e925a2d93421d694061e153d97e251a8dfd8
  • Instruction ID: bd13579e272faf2d06479fd80cdab464766705db3e1774d0bbfc55ee870e9722
  • Opcode Fuzzy Hash: 8c6feab4db18f7768812eaea5684e925a2d93421d694061e153d97e251a8dfd8
  • Instruction Fuzzy Hash: FCB1A870A4030C9AEB249F20CD957BAB6E5EF54304F12C4A8E749AB686D770DD84CF74
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
			E00DF6AE0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t161;
				struct HINSTANCE__* _t162;
				signed int _t174;
				signed int _t183;
				signed int _t187;
				long _t191;
				signed int _t212;
				signed int _t217;
				signed int _t233;
				signed int _t244;
				signed int _t245;
				signed int _t248;
				signed char _t255;
				signed char _t266;
				signed int _t269;
				signed int _t271;
				void* _t276;
				signed int _t285;
				signed int _t298;
				signed int _t300;
				void* _t308;
				void* _t321;
				signed int _t329;
				void* _t330;
				intOrPtr _t332;
				void* _t334;
				void* _t335;
				void* _t336;

				_push(0x68c);
				E00DF1718(0xe09481, __ebx, __ecx, __edi, __esi);
				_t248 = 7;
				 *(_t334 - 0x694) =  *(_t334 - 0x694) & 0x00000000;
				_t161 = memcpy(_t334 - 0x44, L"/LocalAppData:", _t248 << 2);
				_t336 = _t335 + 0xc;
				_t249 = 0;
				 *(_t334 - 0x684) = _t161;
				_t244 = 0;
				 *(_t334 - 0x66d) = 1;
				asm("movsw");
				_t321 = _t334 - 0x24;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				_t329 = 1;
				if( *((intOrPtr*)(_t334 + 8)) <= 1) {
					L7:
					_t162 = GetModuleHandleW(L"ngen.exe");
					__eflags = _t162;
					if(__eflags == 0) {
						L17:
						E00E044D1(_t244, _t249, _t308, _t321, _t329, __eflags);
						L18:
						L00E042D0(_t244, 0x8000ffff, _t308, _t321, _t329);
						L19:
						E00DF1857(_t334 - 0x66c, _t308,  *((intOrPtr*)(_t334 - 0x668)), _t244);
						L11:
						E00DF1B89(_t244, _t334 - 0x66c, _t321);
						_t255 =  !( *(_t334 - 0x664)) & _t244;
						_t312 = ( *(_t334 - 0x66c) >> _t255) - 1 << _t255;
						 *((intOrPtr*)(_t334 - 0x67c)) =  *(_t334 - 0x660) + (( *(_t334 - 0x66c) >> _t255) - 1 << _t255);
						 *(_t334 - 0x678) = _t255;
						_push(_t255);
						E00DF6ED8(_t334 - 0x66c, _t334 - 0x67c);
						E00DF35E4(_t334 - 0x66c, _t334 - 0x67c);
						_t174 = E00DF5EDA(_t244, 0xdf6d68, _t321, _t329, _t334 - 0x67d);
						__eflags =  *(_t334 - 0x66d);
						_t245 = _t174;
						if(__eflags == 0) {
							_push(_t334 - 0x66c);
							E00DFC98B(_t245, _t334 - 0x45c, _t321, _t329, __eflags);
							 *(_t334 - 4) = 3;
							_t330 = _t334 - 0x65c;
							memcpy(_t334 - 0x44c, _t330, 0x80 << 2);
							_t324 = _t330 + 0x100;
							 *(_t334 - 4) = 4;
							E00DF282C(_t245, _t334 - 0x45c, _t330 + 0x100);
							__eflags =  *(_t334 - 0x454) & 0x00000010;
							if(( *(_t334 - 0x454) & 0x00000010) != 0) {
								E00DF1857(_t334 - 0x45c, _t312,  *((intOrPtr*)(_t334 - 0x458)), 1);
							}
							E00DF1B89(_t245, _t334 - 0x45c, _t324);
							_t266 =  !( *(_t334 - 0x454)) & 0x00000001;
							_t316 = ( *(_t334 - 0x45c) >> _t266) - 1 << _t266;
							 *(_t334 - 0x690) =  *((intOrPtr*)(_t334 - 0x450)) + (( *(_t334 - 0x45c) >> _t266) - 1 << _t266);
							 *(_t334 - 0x68c) = _t266;
							_t329 = _t334 - 0x690;
							_t321 = _t334 - 0x67c;
							asm("movsd");
							_push(_t266);
							asm("movsd");
							asm("movsd");
							_t183 = E00DF6ED8(_t334 - 0x45c, _t334 - 0x67c);
							__eflags = _t183;
							if(_t183 != 0) {
								_t332 =  *((intOrPtr*)(_t334 - 0x67c)) + (1 <<  *(_t334 - 0x678));
								 *((intOrPtr*)(_t334 - 0x67c)) = _t332;
								E00DF282C(_t245, _t334 - 0x45c, _t321);
								__eflags =  *(_t334 - 0x454) & 0x00000010;
								if(( *(_t334 - 0x454) & 0x00000010) != 0) {
									E00DF1857(_t334 - 0x45c, _t316,  *((intOrPtr*)(_t334 - 0x458)), 1);
								}
								_t329 = _t332 -  *((intOrPtr*)(_t334 - 0x450)) >>  *(_t334 - 0x678);
								E00DF282C(_t245, _t334 - 0x45c, _t321);
								_t298 =  *(_t334 - 0x454);
								__eflags = _t298 & 0x00000010;
								if((_t298 & 0x00000010) != 0) {
									E00DF1857(_t334 - 0x45c, _t316,  *((intOrPtr*)(_t334 - 0x458)), 1);
									_t298 =  *(_t334 - 0x454);
								}
								 *(_t334 - 0x690) =  *((intOrPtr*)(_t334 - 0x450));
								_t300 =  !_t298 & 0x00000001;
								__eflags = _t300;
								 *(_t334 - 0x68c) = _t300;
								_push( *0xe0f0f0);
								_push(_t329);
								_push(_t334 - 0x690);
								E00DF1A52(_t245, _t334 - 0x45c, _t321, _t329, _t300);
							}
							E00DF282C(_t245, _t334 - 0x45c, _t321);
							_t269 =  *(_t334 - 0x454);
							__eflags = _t269 & 0x00000010;
							if((_t269 & 0x00000010) != 0) {
								E00DF1857(_t334 - 0x45c, _t316,  *((intOrPtr*)(_t334 - 0x458)), 1);
								_t269 =  *(_t334 - 0x454);
							}
							 *(_t334 - 0x690) =  *((intOrPtr*)(_t334 - 0x450));
							_t271 =  !_t269 & 0x00000001;
							 *(_t334 - 0x68c) = _t271;
							_push(_t271);
							_push(_t271);
							_t187 = E00E008DE(_t245, _t334 - 0x45c, _t334 - 0x690);
							__eflags = _t187;
							if(_t187 != 0) {
								E00DF282C(_t245, _t334 - 0x45c, _t321);
								_t285 =  *(_t334 - 0x454);
								__eflags = _t285 & 0x00000010;
								if((_t285 & 0x00000010) != 0) {
									E00DF1857(_t334 - 0x45c, _t316,  *((intOrPtr*)(_t334 - 0x458)), 1);
									_t285 =  *(_t334 - 0x454);
								}
								 *(_t334 - 0x690) =  *((intOrPtr*)(_t334 - 0x450));
								 *(_t334 - 0x68c) =  !_t285 & 0x00000001;
								_t329 = _t334 - 0x690;
								_t321 = _t334 - 0x67c;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t212 = E00DF5355(_t334 - 0x45c, _t334 - 0x67c, 0x2e);
								__eflags = _t212;
								if(_t212 != 0) {
									 *((intOrPtr*)(_t334 - 0x67c)) =  *((intOrPtr*)(_t334 - 0x67c)) + (1 <<  *(_t334 - 0x678));
									_t217 = E00DF5355(_t334 - 0x45c, _t334 - 0x67c, 0x2e);
									__eflags = _t217;
									if(_t217 != 0) {
										E00DF35E4(_t334 - 0x45c, _t334 - 0x67c);
									}
								}
							}
							__eflags =  *(_t334 - 0x698) - 1 - 0x102;
							if( *(_t334 - 0x698) - 1 <= 0x102) {
								__eflags =  *((intOrPtr*)( *(_t334 - 0x684) +  *(_t334 - 0x694) * 4)) + 0x1c;
								E00DF1C56(_t334 - 0x66c,  *((intOrPtr*)( *(_t334 - 0x684) +  *(_t334 - 0x694) * 4)) + 0x1c);
								_push(L"\\Microsoft\\CLR_");
								E00DF52F0(_t245, _t334 - 0x66c, _t321, _t329, __eflags);
								E00DF1B32(_t245, _t334 - 0x66c, _t321, _t334 - 0x45c);
								_push(L"_32");
								E00DF52F0(_t245, _t334 - 0x66c, _t321, _t329, __eflags);
							}
							E00DF169F(_t334 - 0x66c);
							_t191 = GetFileAttributesW( *(_t334 - 0x660));
							__eflags = _t191 - 0xffffffff;
							if(_t191 == 0xffffffff) {
								E00DF169F(_t334 - 0x66c);
								CreateDirectoryW( *(_t334 - 0x660), 0);
							}
							__eflags = _t245;
							if(_t245 == 0) {
								_t245 = 0x19000;
							}
							 *(_t334 - 4) = 2;
							E00DF1A07();
						} else {
							__eflags = _t245;
							if(__eflags == 0) {
								_t245 = 0x100000;
							}
						}
						_push(L"\\ngen");
						E00DF52F0(_t245, _t334 - 0x66c, _t321, _t329, __eflags);
						_t276 = _t334 - 0x66c;
						E00DF169F(_t276);
						_push(_t245);
						_push(_t276);
						_push( *(_t334 - 0x660));
						E00DF5A0D(_t245, _t276, _t321, _t329, __eflags);
						_t57 = _t334 - 4;
						 *_t57 =  *(_t334 - 4) | 0xffffffff;
						__eflags =  *_t57;
						E00DF1A07();
						return E00DF1679();
					}
					_t329 = 0x104;
					_t249 = _t334 - 0x24c;
					_t233 = GetModuleFileNameW(_t162, _t334 - 0x24c, 0x104);
					 *(_t334 - 0x698) = _t233;
					__eflags = _t233;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags = _t233 - 0x104;
					if(_t233 == 0x104) {
						goto L18;
					}
					 *(_t334 - 0x66c) = 0;
					 *((intOrPtr*)(_t334 - 0x668)) = 0;
					 *(_t334 - 0x664) = 0;
					 *(_t334 - 0x660) = 0;
					 *((intOrPtr*)(_t334 - 0x668)) = 0x200;
					 *(_t334 - 0x660) = _t334 - 0x65c;
					 *(_t334 - 4) = 0;
					 *(_t334 - 0x66c) = 2;
					 *( *(_t334 - 0x660)) = 0;
					_t244 = 1;
					 *(_t334 - 4) = 1;
					E00DF1C56(_t334 - 0x66c, _t334 - 0x24c);
					 *(_t334 - 4) = 2;
					E00DF282C(1, _t334 - 0x66c, _t321);
					__eflags =  *(_t334 - 0x664) & 0x00000010;
					if(( *(_t334 - 0x664) & 0x00000010) != 0) {
						goto L19;
					}
					goto L11;
				} else {
					goto L1;
				}
				goto L7;
				L1:
				_t10 = _t334 - 0x44; // 0xffffff98
				_t249 = _t10;
				__imp___wcsnicmp( *((intOrPtr*)(_t161 + _t329 * 4)), _t10, 0xe);
				_t336 = _t336 + 0xc;
				if(_t161 == 0) {
					 *(_t334 - 0x694) = _t329;
					_t244 = 0;
					__ebx = __ebx | 0x01b3ffff;
					__eflags = __ebx;
				} else {
					_t13 = _t334 - 0x24; // 0xffffffb8
					_t161 =  *(_t334 - 0x684);
					__imp___wcsnicmp( *((intOrPtr*)(_t161 + _t329 * 4)), _t13, 8);
					_t336 = _t336 + 0xc;
					if(_t161 == 0) {
						_t244 = 1;
					}
				}
				_t329 = _t329 + 1;
				if(_t329 >=  *((intOrPtr*)(_t334 + 8))) {
					 *(_t334 - 0x66d) = _t244;
					__eflags = _t244;
					if(_t244 == 0) {
						__eflags = _t244;
						 *0xe0f08c =  *0xe0f08c & (_t161 & 0xffffff00 | _t244 == 0x00000000) - 0x00000001;
						__eflags =  *0xe0f08c;
					}
					goto L7;
				} else {
					_t161 =  *(_t334 - 0x684);
					goto L1;
				}
			}































APIs
  • _wcsnicmp.UCRTBASE_CLR0400(?,?,0000000E), ref: 00DF6B44
  • _wcsnicmp.UCRTBASE_CLR0400(?,?,00000008), ref: 00DF6B67
  • GetModuleHandleW.KERNEL32(ngen.exe), ref: 00DF6BD6
  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00DF6BF2
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: Module_wcsnicmp$FileHandleName
  • String ID: /LocalAppData:$/verbose$\Microsoft\CLR_$\ngen$_32$ngen.exe
  • API String ID: 59019458-2882282160
  • Opcode ID: bedca3defe0a4d61a6e2e8acf8e7d7eaaa7a5bee54d33806444b4a77ebcf55eb
  • Instruction ID: ea32820098b4b30332210dd3e822c747a60200326529296ccb284c048bb68318
  • Opcode Fuzzy Hash: bedca3defe0a4d61a6e2e8acf8e7d7eaaa7a5bee54d33806444b4a77ebcf55eb
  • Instruction Fuzzy Hash: D3E15CB190062C8FDB24DF24DC91BE9B7B6EF44305F0581D8E64DA7192DA726E98CF24
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 76%
			E00DF5D51(short* __ecx, wchar_t* __edx, char _a4, char _a8, signed char _a16, wchar_t* _a20) {
				short* _v8;
				int _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				int _v28;
				wchar_t* _v32;
				signed int _v36;
				char _v40;
				char _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t63;
				signed int _t64;
				signed int _t65;
				long _t71;
				void* _t72;
				signed int _t73;
				signed int _t74;
				long _t77;
				wchar_t* _t78;
				long _t80;
				signed char _t83;
				int _t84;
				wchar_t* _t93;
				signed int _t95;
				signed int _t97;
				wchar_t* _t99;
				char* _t100;

				_t93 = __edx;
				_t94 = __ecx;
				_t100 = __edx;
				_v8 = __ecx;
				_t83 = _a16;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v28 = 4;
				if((_t83 & 0x00000001) == 0) {
					L3:
					if((_t83 & 0x0000000e) == 0 || E00DF5D34(_t94, _t94) == 0) {
						L15:
						 *_t100 = _a4;
						_t100[4] = _a8;
						return 0x80004005;
					} else {
						if((_t83 & 0x00000002) == 0) {
							L8:
							if((_t83 & 0x00000004) == 0) {
								goto L15;
							}
							_t63 =  *0xe0f0a8; // 0xffffffff
							_t84 = 0;
							_v20 = _t63;
							if(_t63 != 0xffffffff) {
								L12:
								_t64 = RegQueryValueExW(_t63, _t94, 0,  &_v12,  &_v44,  &_v28);
								asm("cdq");
								_t95 = _t64;
								_t65 = _t93;
								_v36 = _t65;
								if(_t84 != 0) {
									RegCloseKey(_v20);
									_t65 = _v36;
								}
								if((_t95 | _t65) == 0) {
									if(_v12 == 4) {
										L19:
										 *_t100 = _v44;
										_t100[4] = _v40;
										L20:
										return 0;
									}
								}
								goto L15;
							}
							_t71 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\.NETFramework", 0, 0x20019,  &_v20);
							_t84 = 1;
							if(_t71 != 0) {
								goto L15;
							}
							_t63 = _v20;
							goto L12;
						}
						_t72 =  *0xe0f0a4; // 0xffffffff
						_v24 = _v24 & 0x00000000;
						_v16 = _t72;
						if(_t72 != 0xffffffff) {
							L28:
							_t73 = RegQueryValueExW(_t72, _t94, 0,  &_v12,  &_v44,  &_v28);
							asm("cdq");
							_t97 = _t73;
							_t74 = _t93;
							_v36 = _t74;
							if(_v24 != 0) {
								RegCloseKey(_v16);
								_t74 = _v36;
							}
							if((_t97 | _t74) != 0 || _v12 != 4) {
								_t94 = _v8;
								goto L8;
							} else {
								goto L19;
							}
						}
						_t77 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\.NETFramework", 0, 0x20019,  &_v16);
						_v24 = 1;
						if(_t77 == 0) {
							_t72 = _v16;
							goto L28;
						}
						goto L8;
					}
				}
				_t93 = _a20;
				_t78 = E00DF6D92(_t83, __ecx, _t93, __ecx, __edx);
				_t99 = _t78;
				if(_t99 != 0) {
					__imp___errno();
					 *_t78 =  *_t78 & 0x00000000;
					_t80 = wcstoul(_t99,  &_v32, 0x10);
					_v36 = _t80;
					__imp___errno();
					if( *_t80 == 0x22 || _v32 == _t99) {
						_v24 = _v24 & 0x00000000;
					} else {
						_v24 = 1;
					}
					_t93 = _t99;
					E00DF1480(_t93);
					if(_v24 == 0) {
						goto L2;
					} else {
						_t100[4] = _t100[4] & 0x00000000;
						 *_t100 = _v36;
						goto L20;
					}
				}
				L2:
				_t94 = _v8;
				goto L3;
			}

APIs
  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\.NETFramework,00000000,00020019,00000010,00000004), ref: 00DF5DF2
  • RegOpenKeyExW.ADVAPI32(?,Software\Microsoft\.NETFramework,00000000,00020019,00000000,00000004), ref: 00DF5E3C
  • RegQueryValueExW.ADVAPI32(FFFFFFFF,00000010,00000000,?,?,00000004,00000004), ref: 00DF5E66
  • RegCloseKey.ADVAPI32(00000000), ref: 00DF5E81
    • Part of subcall function 00DF6D92: wcscpy_s.UCRTBASE_CLR0400(?,00000040,COMPlus_,00000010,00000012,?,?,00000010,00000004,?), ref: 00DF6DF7
    • Part of subcall function 00DF6D92: wcscat_s.UCRTBASE_CLR0400(?,00000040,00000010,00000010,00000004,?), ref: 00DF6E0A
    • Part of subcall function 00DF6D92: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00DF6E1C
  • _errno.UCRTBASE_CLR0400(00000004), ref: 00DFBA73
  • wcstoul.UCRTBASE_CLR0400(00000000,?,00000010), ref: 00DFBA86
  • _errno.UCRTBASE_CLR0400 ref: 00DFBA95
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: Open_errno$CloseEnvironmentQueryValueVariablewcscat_swcscpy_swcstoul
  • String ID: Software\Microsoft\.NETFramework
  • API String ID: 651904236-3720018691
  • Opcode ID: 28431a2aff53bd5ab8fe67f5e518519691a36561cfd174af37a21b102711b0da
  • Instruction ID: bbbb6ca871e023ab2b4631d289089fb152e7b968c19dca891e08da0927767e5d
  • Opcode Fuzzy Hash: 28431a2aff53bd5ab8fe67f5e518519691a36561cfd174af37a21b102711b0da
  • Instruction Fuzzy Hash: 19513871A0121C9FDB30CF19DC49BE9B7B4AF48310F158599E649A72A1DBB09EC8CF60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 23%
			E00DFE53F(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v532;
				signed int _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				void* _v552;
				int _v556;
				intOrPtr _v560;
				void* _v572;
				void* _v576;
				void _v644;
				void* __ebp;
				signed int _t47;
				char* _t50;
				intOrPtr _t53;
				signed int _t55;
				signed int _t56;
				void* _t66;
				intOrPtr _t73;
				intOrPtr _t76;
				signed int _t77;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t89;
				void* _t93;
				signed int _t94;
				signed int _t95;
				signed int _t102;
				int _t103;
				intOrPtr _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t109;
				void* _t116;

				_t47 =  *0xe0f000; // 0x365ea2a8
				_v8 = _t47 ^ _t107;
				_v540 = __edx;
				_t50 =  &_v532;
				_t105 = __ecx;
				_v544 = __ecx;
				_v556 = 0;
				_v552 = 0;
				__imp__GetCORSystemDirectory(_t50, 0x104,  &_v552);
				_t76 = _t50;
				_v548 = _t76;
				if(_t76 >= 0) {
					_t82 =  &_v532;
					_t93 = _t82 + 2;
					do {
						_t53 =  *_t82;
						_t82 = _t82 + 2;
					} while (_t53 != 0);
					_t102 = 1;
					_t55 = __ecx + 7 + (_t82 - _t93 >> 1);
					_v536 = _t55;
					_t94 = 1;
					if(__ecx > 1) {
						_t78 = _v540;
						do {
							_t89 =  *((intOrPtr*)(_t78 + _t94 * 4));
							_v560 = _t89 + 2;
							do {
								_t73 =  *_t89;
								_t89 = _t89 + 2;
							} while (_t73 != _v556);
							_t55 = _v536 + (_t89 - _v560 >> 1);
							_t94 = _t94 + 1;
							_v536 = _t55;
							_t116 = _t94 - _t105;
						} while (_t116 < 0);
						_t76 = _v548;
					}
					_t56 = _t55 + 9;
					_t95 = 2;
					_v536 = _t56;
					_t88 =  ~(_t116 > 0) | _t56 * _t95;
					_t106 = E00DF1833(_t76,  ~(_t116 > 0) | _t56 * _t95, _t56 * _t95 >> 0x20, _t102, _t105);
					if(_t106 != 0) {
						_push(L"ngen.exe");
						E00DFCA4B(_t106, _v536, L"%s%s /nologo",  &_v532);
						_t109 = _t108 + 0x14;
						__eflags = _v544 - _t102;
						if(__eflags > 0) {
							_t77 = _v536;
							do {
								__imp__wcscat_s(_t106, _t77, 0xdf394c);
								__imp__wcscat_s(_t106, _t77,  *((intOrPtr*)(_v540 + _t102 * 4)));
								_t109 = _t109 + 0x18;
								_t102 = _t102 + 1;
								__eflags = _t102 - _v544;
							} while (__eflags < 0);
							_t76 = _v548;
						}
						_t103 = 0x44;
						memset( &_v644, 0, _t103);
						_v644 = _t103;
						_push( &_v576);
						_push( &_v644);
						_t66 = E00E05A68(_t76, _t88, _t106, _t103, _t106, __eflags);
						__eflags = _t66;
						if(_t66 != 0) {
							WaitForSingleObject(_v576, 0xffffffff);
							CloseHandle(_v576);
							CloseHandle(_v572);
						} else {
							_t76 = 0x80004005;
						}
						E00DF1480(_t106);
					} else {
						_t76 = 0x8007000e;
					}
				}
				return E00DF13F0(_v8 ^ _t107);
			}

APIs
  • GetCORSystemDirectory.MSCOREE(?,00000104,?), ref: 00DFE587
    • Part of subcall function 00DFCA4B: __stdio_common_vswprintf.UCRTBASE_CLR0400(?,?,?,?,?,00000000,?), ref: 00DFCA8D
  • wcscat_s.UCRTBASE_CLR0400(00000000,?,00DF394C), ref: 00DFE66C
  • wcscat_s.UCRTBASE_CLR0400(00000000,?,?), ref: 00DFE67D
  • memset.VCRUNTIME140_CLR0400(?,00000000,00000044), ref: 00DFE6A3
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DFE6DC
  • CloseHandle.KERNEL32(?), ref: 00DFE6E8
  • CloseHandle.KERNEL32(?), ref: 00DFE6F4
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: CloseHandlewcscat_s$DirectoryObjectSingleSystemWait__stdio_common_vswprintfmemset
  • String ID: %s%s /nologo$ngen.exe
  • API String ID: 1150108501-2869113865
  • Opcode ID: e096f416ed977dc98753b1629e2206a9525bfea605d3d6df3ad4815a2d67110c
  • Instruction ID: 3eab92907abd47ba8912d0300f9cab2f7741e94909d2ae1d8ed532aa3a3547e6
  • Opcode Fuzzy Hash: e096f416ed977dc98753b1629e2206a9525bfea605d3d6df3ad4815a2d67110c
  • Instruction Fuzzy Hash: F451B575A4112D9FCB20EF58CC89AEAB7B4EF58300F1581E9EA09A6251DA305EC5CF60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 74%
			E00DF26F6() {
				intOrPtr _t14;
				intOrPtr* _t18;
				int _t19;
				char _t24;
				intOrPtr* _t27;
				void* _t36;
				void* _t37;
				intOrPtr* _t40;
				intOrPtr* _t41;
				int _t43;
				intOrPtr* _t44;
				void* _t45;
				void* _t46;

				_push(0x14);
				_push(0xdf2810);
				E00DF337C();
				if(E00DF6493(1) == 0) {
					L10:
					E00E07C53(_t36, _t37, 7);
					L11:
					 *(_t45 - 4) = 0xfffffffe;
					L19:
					return E00DF74FC();
				}
				_t24 = 0;
				 *((char*)(_t45 - 0x19)) = 0;
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				 *((char*)(_t45 - 0x24)) = E00DF702F();
				_t14 =  *0xe0f0ac; // 0x0
				_t27 = 1;
				if(_t14 == 1) {
					goto L10;
				}
				if(_t14 != 0) {
					L9:
					_t24 = _t27;
					 *((char*)(_t45 - 0x19)) = _t24;
					L5:
					E00DF7070( *((intOrPtr*)(_t45 - 0x24)));
					_t40 = E00DF34EE();
					if( *_t40 != 0) {
						_push(_t40);
						__eflags = E00E07B04();
						if(__eflags != 0) {
							_t44 =  *_t40;
							_t27 = _t44;
							L00E07DD1();
							 *_t44(0, 2, 0);
						}
					}
					_t18 = E00DF34F4();
					_t41 = _t18;
					_t52 =  *_t41;
					if( *_t41 != 0) {
						_t18 = E00E07B04();
						_t27 = _t41;
						__eflags = _t18;
						if(__eflags != 0) {
							_push( *_t41);
							L00E07E10();
							_pop(_t27);
						}
					}
					L00DF34FA();
					L00DF3500();
					L00DF3506();
					_push(_t18);
					_push( *_t18);
					_push( *_t18);
					_t19 = E00DF2618(_t24, _t27,  *_t18, _t18, _t52);
					_t46 = _t46 + 0xc;
					_t43 = _t19;
					if(E00DF30F8() != 0) {
						__eflags = _t24;
						if(_t24 == 0) {
							L00E07E04();
						}
						E00E07BBC(1, 0);
						 *(_t45 - 4) = 0xfffffffe;
						goto L19;
					} else {
						exit(_t43);
						goto L9;
					}
				}
				 *0xe0f0ac = 1;
				_push(0xdf2808);
				_push(0xdf27f8);
				L00DF33D7();
				if(_t14 != 0) {
					goto L11;
				} else {
					_push(0xdf27f4);
					_push(0xdf27e8);
					L00DF34E8();
					 *0xe0f0ac = 2;
					goto L5;
				}
			}

APIs
  • _initterm_e.UCRTBASE_CLR0400(00DF27F8,00DF2808,00DF2810,00000014), ref: 00DF2754
  • _initterm.UCRTBASE_CLR0400(00DF27E8,00DF27F4,00DF2810,00000014), ref: 00DF276D
  • ___scrt_release_startup_lock.LIBCMT ref: 00DF2784
  • __p___wargv.UCRTBASE_CLR0400(00DF2810,00000014), ref: 00DF27AA
  • __p___argc.UCRTBASE_CLR0400(00DF2810,00000014), ref: 00DF27B1
  • _get_initial_wide_environment.UCRTBASE_CLR0400(00DF2810,00000014), ref: 00DF27B8
  • exit.UCRTBASE_CLR0400(00000000), ref: 00DF27D9
  • _register_thread_local_exe_atexit_callback.UCRTBASE_CLR0400(00000000,00DF2810,00000014), ref: 00DFC2C1
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ___scrt_release_startup_lock__p___argc__p___wargv_get_initial_wide_environment_initterm_initterm_e_register_thread_local_exe_atexit_callbackexit
  • String ID:
  • API String ID: 1548446142-0
  • Opcode ID: 8861a535b6763b769c69fe5ca9f8f960c65d90a1f00dedffe5aa1a5f9a5d9459
  • Instruction ID: 39739f3c329416525128a3486edff674b07de39c1db2a482b66d26056dfce269
  • Opcode Fuzzy Hash: 8861a535b6763b769c69fe5ca9f8f960c65d90a1f00dedffe5aa1a5f9a5d9459
  • Instruction Fuzzy Hash: 4731D33164824D9ADA317B749C03B793790CF12360F1BD0A8F7807B1D2DE719D858AB5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 00DFE7FF
Strings
  • No matched entries in the cache., xrefs: 00DFE981
  • Error reading fusion cache for %s, xrefs: 00DFE923
  • Deleting native images:, xrefs: 00DFE88C
  • Filename and path are too long., xrefs: 00DFE810
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: FullNamePath
  • String ID: Deleting native images:$Error reading fusion cache for %s$Filename and path are too long.$No matched entries in the cache.
  • API String ID: 608056474-2265093190
  • Opcode ID: 0f8ff4acdb304e07ce2b0c3161f3b986e9694d878990811f8ec5afc54c3c13e7
  • Instruction ID: ac8ac459cae0ec1c1c708488d2b8f2fcc8d47afbedbe5a45b785054fda46c888
  • Opcode Fuzzy Hash: 0f8ff4acdb304e07ce2b0c3161f3b986e9694d878990811f8ec5afc54c3c13e7
  • Instruction Fuzzy Hash: 5E6181306043499FD734DF24C844A7AB7E5AF84764F1ACA1DE6E6821B1D770E988CB71
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
			E00DF16C5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				WCHAR* _t35;
				WCHAR* _t43;
				void* _t44;
				struct _OVERLAPPED* _t59;
				long _t60;
				intOrPtr _t71;
				void* _t74;
				void* _t75;

				_t61 = __ecx;
				_push(0x12c);
				E00DF1718(E00E0BCDE, __ebx, __ecx, __edi, __esi);
				_t34 = _t61;
				 *((intOrPtr*)(_t75 - 0x12c)) = _t34;
				_t59 = 0;
				_t71 = _t34 + 4;
				L1:
				L1:
				if(_t71 == 0) {
					_t35 = 0;
				} else {
					_t61 = _t71;
					E00DF169F(_t71);
					_t35 =  *(_t71 + 0xc);
				}
				if(CreateFileW(_t35, 4, 3, 0, 3, 0x80, 0) == 0xffffffff) {
					goto L6;
				}
				L4:
				return E00DF1679();
				L6:
				if(GetLastError() != 2) {
					L11:
					if(GetLastError() != 0x20) {
						L13:
						goto L4;
					}
					E00DFFFB5(_t61);
					_t59 =  &(_t59->Internal);
					if(_t59 < 0xa) {
						goto L1;
					}
					goto L13;
				}
				if(_t71 != 0) {
					_t61 = _t71;
					E00DF169F(_t71);
					_t43 =  *(_t71 + 0xc);
				} else {
					_t43 = 0;
				}
				_t44 = CreateFileW(_t43, 4, 1, 0, 4, 0x80, 0);
				_t74 = _t44;
				if(_t74 != 0xffffffff) {
					__imp__GetFileSizeEx(_t74, _t75 - 0x138);
					if(_t44 != 0) {
						if(( *(_t75 - 0x138) |  *(_t75 - 0x134)) == 0) {
							 *(_t75 - 0x124) = 0xbbef;
							_push(0);
							 *((char*)(_t75 - 0x122)) = 0xbf;
							_push(_t75 - 0x130);
							_t60 = 3;
							WriteFile(_t74, _t75 - 0x124, _t60, ??, ??);
							 *((intOrPtr*)(_t75 - 0x120)) = 0;
							 *((intOrPtr*)(_t75 - 0x11c)) = 0;
							 *((intOrPtr*)(_t75 - 0x118)) = 0;
							 *((intOrPtr*)(_t75 - 0x114)) = 0;
							 *((intOrPtr*)(_t75 - 0x11c)) = 0x100;
							 *((intOrPtr*)(_t75 - 0x114)) = _t75 - 0x110;
							 *(_t75 - 4) = 0;
							 *((intOrPtr*)(_t75 - 0x120)) = 2;
							 *((short*)( *((intOrPtr*)(_t75 - 0x114)))) = 0;
							 *(_t75 - 4) = _t60;
							 *((intOrPtr*)(_t75 - 0x128)) = 0;
							WriteFile(_t74, E00DF2DDB( *((intOrPtr*)(_t75 - 0x12c)) + 0x14, _t75 - 0x120, _t75 - 0x128),  *((intOrPtr*)(_t75 - 0x128)) - 1, _t75 - 0x130, 0);
							 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
							E00DF1A07();
						}
						goto L4;
					}
					_t38 = CloseHandle(_t74);
					goto L13;
				} else {
					goto L11;
				}
			}

APIs
  • CreateFileW.KERNEL32(?,00000004,00000003,00000000,00000003,00000080,00000000,0000012C,00DF28C0,00000140,00DF2B4E,?,?,?), ref: 00DF1703
  • GetLastError.KERNEL32 ref: 00DFC05E
  • CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00DFC08B
  • GetLastError.KERNEL32 ref: 00DFC098
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: CreateErrorFileLast
  • String ID:
  • API String ID: 1214770103-0
  • Opcode ID: 0842b0a7fdcfccce2bfef9e696fbbb1eac8fe2d8ffe8f579be9eb346dd8e69b3
  • Instruction ID: f49feda1cf839ef8b002a9d7c879bf0e02de70004c57e30fc4a9dce6bcf25d62
  • Opcode Fuzzy Hash: 0842b0a7fdcfccce2bfef9e696fbbb1eac8fe2d8ffe8f579be9eb346dd8e69b3
  • Instruction Fuzzy Hash: D441A074A0021CEFDB259F24CC45BEDB7B8AF49310F058689E35AE62D0DBB05A958F64
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,80004005,00000000), ref: 00E07745
    • Part of subcall function 00E048AA: GetLastError.KERNEL32(00E07218,?,00E076F8,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E048AA
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ErrorFileLastModuleName
  • String ID: mscorrc.dll$v4.0.30319
  • API String ID: 2776309574-2820514680
  • Opcode ID: a19c029ad067809949380a9f290dfc4a4a369eea4a350c17ee4bc113c0f71d27
  • Instruction ID: d8b939cd9daf014c91d17e877ef0c96c3c55617657ec8189fa25160af0371fb1
  • Opcode Fuzzy Hash: a19c029ad067809949380a9f290dfc4a4a369eea4a350c17ee4bc113c0f71d27
  • Instruction Fuzzy Hash: 0D21BA716082046FE710DB909C85EBBB3DCDB44795F04542BF981D2180E7B4ED88C662
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E00E05D3D(void* __ecx, void* __edx) {
				long _t2;
				signed int _t11;
				void* _t14;
				signed int _t17;
				long _t21;
				void* _t22;
				void* _t25;

				_t2 =  *0xe0f12c; // 0xffffffff
				_t14 = __edx;
				_t22 = __ecx;
				if(_t2 == 0xffffffff) {
					_t11 = TlsAlloc();
					_t21 = _t11;
					asm("lock cmpxchg [esi], ecx");
					if((_t11 | 0xffffffff) != 0xffffffff) {
						TlsFree(_t21);
					}
					_t2 =  *0xe0f12c; // 0xffffffff
					 *0xe0f128 = 0xe05d30;
				}
				_t25 = TlsGetValue(_t2);
				if(_t25 != 0 || _t14 == 0) {
					L11:
					return _t25;
				} else {
					_t25 = HeapAlloc(GetProcessHeap(), 0, 0x58);
					if(_t25 != 0) {
						L10:
						_t17 = 0x16;
						memset(_t25, 0, _t17 << 2);
						TlsSetValue( *0xe0f12c, _t25);
						goto L11;
					}
					if(_t22 == 9 || _t22 == 6) {
						return 0;
					} else {
						RaiseException(0xc0000017, 0, 0, 0);
						goto L10;
					}
				}
			}

APIs
  • TlsAlloc.KERNEL32(?,?,?,00E05EB1), ref: 00E05D4E
  • TlsFree.KERNEL32(00000000,?,?,?,00E05EB1), ref: 00E05D6A
  • TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00E05EB1), ref: 00E05D80
  • GetProcessHeap.KERNEL32(00000000,00000058,?,?,?,00E05EB1), ref: 00E05D95
  • HeapAlloc.KERNEL32(00000000,?,?,?,00E05EB1), ref: 00E05D9C
  • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,00E05EB1), ref: 00E05DBA
  • TlsSetValue.KERNEL32(00000000,?,?,?,00E05EB1), ref: 00E05DD0
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: AllocHeapValue$ExceptionFreeProcessRaise
  • String ID:
  • API String ID: 594535578-0
  • Opcode ID: 03c402b0b48d6c4809b2d383eaad6fb10a9647c000f8b5c6a4fd474ca4c436f1
  • Instruction ID: f4bf8a45edcceecf505f739c012f0e8504d21c2da680ee343b0cc5d4e2945e81
  • Opcode Fuzzy Hash: 03c402b0b48d6c4809b2d383eaad6fb10a9647c000f8b5c6a4fd474ca4c436f1
  • Instruction Fuzzy Hash: 2011E933601910AFC7710BB9AC4CA5F36999B5D3757208636FA54F32E0DA70CCD88EA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 77%
			E00DF63A0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t1;
				void* _t3;
				void* _t4;
				void* _t7;
				void* _t15;
				void* _t21;
				void* _t22;
				void* _t25;

				_t22 = __edi;
				_t21 = __edx;
				_t15 = __ebx;
				_push(__esi);
				_push(1);
				L00DF33DD();
				_t1 = E00DF33E3();
				L00DF33E9();
				L00DF33EF();
				 *_t1 = E00DF6390();
				_t3 = E00DF33F5(_t1, 1);
				_t25 = _t1;
				_t29 = _t3;
				if(_t3 == 0) {
					L6:
					_t4 = E00E07C53(_t21, _t22, 7);
					asm("int3");
					return _t4;
				}
				asm("fclex");
				E00DF3492(_t3);
				E00DF66E2(_t29, E00DF3150);
				_t7 = E00DF34BA();
				_push(_t7);
				L00DF34BE();
				if(_t7 != 0) {
					goto L6;
				}
				E00DF34C4(_t7);
				if(E00DF34D0() != 0) {
					_push(E00DF6390);
					L00E07DF8();
				}
				L7();
				L7();
				E00DF735C(_t9, _t15, _t22, _t25);
				_push(E00DF6390());
				L00DF34DC();
				if(E00DF6490() != 0) {
					L00DF34E2();
				}
				E00DF6390();
				return 0;
			}

APIs
  • _set_app_type.UCRTBASE_CLR0400(00000001), ref: 00DF63A3
  • _set_fmode.UCRTBASE_CLR0400(00000000,00000001), ref: 00DF63AE
  • __p__commode.UCRTBASE_CLR0400(00000000,00000001), ref: 00DF63B3
  • _configure_wide_argv.UCRTBASE_CLR0400(00000000,Function_00003150), ref: 00DF63E7
    • Part of subcall function 00DF34C4: InitializeSListHead.KERNEL32(00E0F0D0), ref: 00DF34C9
  • __setusermatherr.UCRTBASE_CLR0400(Function_00006390), ref: 00DFC266
    • Part of subcall function 00DF735C: _controlfp_s.UCRTBASE_CLR0400(00000000,00010000,00030000,00DF6413), ref: 00DF7368
  • _configthreadlocale.UCRTBASE_CLR0400(00000000), ref: 00DF6419
  • _initialize_wide_environment.UCRTBASE_CLR0400 ref: 00DF6428
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: HeadInitializeList__p__commode__setusermatherr_configthreadlocale_configure_wide_argv_controlfp_s_initialize_wide_environment_set_app_type_set_fmode
  • String ID:
  • API String ID: 3394526760-0
  • Opcode ID: b7d9c0092c04e69f6e4015eba6cf47689f23401a4a8cc910d8fa0a88fb6aa76c
  • Instruction ID: a510c37af4a68a02089e91491e14f2c1bf9aa282ed8f1b4b9423d094a92c43fc
  • Opcode Fuzzy Hash: b7d9c0092c04e69f6e4015eba6cf47689f23401a4a8cc910d8fa0a88fb6aa76c
  • Instruction Fuzzy Hash: 35F06D21D4830D65D9257BF11907A7E12CACF01B5CF1BC808BB58A6AC7EE5AE6885133
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 31%
			E00DF1833(int __ebx, void* __ecx, void* __edx, char* __edi, intOrPtr* __esi, char _a4, char _a8, signed int _a12, wchar_t* _a16, char _a20, char _a24, long _a288, signed int _a548) {
				wchar_t* _v4;
				wchar_t* _v8;
				void* __ebp;
				void* _t50;
				signed int _t53;
				signed int _t58;
				signed int _t62;
				signed int _t64;
				signed int _t71;
				long _t73;
				long _t80;
				signed int _t87;
				signed char _t93;
				unsigned int _t94;
				signed int _t108;
				intOrPtr* _t114;
				signed int _t116;

				_t114 = __esi;
				_t112 = __edi;
				_push(__ecx);
				_push(__ecx);
				_v8 = 0;
				_t50 = E00DF1809(__ecx, _v8);
				if(_t50 == 0) {
					E00E044E0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
					asm("int3");
					_a8 = __ebx;
					_t53 = E00E0002A(__ebx,  *__esi,  &_a8, __edi, __esi,  &_a24);
					__eflags = _t53;
					if(_t53 < 0) {
						L2:
						_t93 =  *(_t114 + 8);
						_a16 = E00DF5720(_t93);
						_t87 =  !(_t93 >> 1) & 0x00000001;
						__eflags = _t93 & 0x00000020;
						if((_t93 & 0x00000020) != 0) {
							L4:
							_t94 =  *(_t114 + 8);
							__eflags = _t94 & 0x00000010;
							if((_t94 & 0x00000010) == 0) {
								_t108 =  *0xe0f0ec; // 0x0
								_a12 = _t108;
								__eflags = _t108;
								if(_t108 == 0) {
									goto L5;
								} else {
									 *0xe10244( *_t114,  &_a8, _t94 >> 0x00000006 & 0x00000001, _t94 >> 0x00000007 & 0x00000001);
									_t71 = _a12();
									__eflags = _t71;
									if(_t71 < 0) {
										goto L5;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											goto L5;
										} else {
											__imp___errno();
											 *_t71 =  *_t71 & 0x00000000;
											_t73 = wcstoul(_v8,  &_v4, 0);
											_t116 = _t116 + 0xc;
											__imp___errno();
											__eflags =  *_t73 - 0x22;
											if( *_t73 == 0x22) {
												goto L7;
											} else {
												__eflags = _v4 - _v8;
												if(_v4 == _v8) {
													goto L7;
												} else {
													goto L12;
												}
											}
										}
									}
								}
							} else {
								L5:
								__eflags =  *(_t114 + 8) & 0x00000020;
								if(( *(_t114 + 8) & 0x00000020) != 0) {
									E00DF5EAE( *_t114,  *((intOrPtr*)(_t114 + 4)),  &_a12, _a16, _t87);
									__eflags = _a12 -  *((intOrPtr*)(_t114 + 4));
									if(_a12 ==  *((intOrPtr*)(_t114 + 4))) {
										goto L6;
									} else {
										goto L12;
									}
								} else {
									L6:
									__eflags =  *(_t114 + 8) & 0x00000200;
									if(( *(_t114 + 8) & 0x00000200) != 0) {
										_t58 =  *0xe0f59c; // 0x0
										_a12 = _t58;
										__eflags = _t58;
										if(_t58 == 0) {
											goto L7;
										} else {
											 *0xe10244( *_t114,  &_a20);
											_t62 = _a12();
											__eflags = _t62;
											if(_t62 == 0) {
												goto L7;
											} else {
												_t64 = E00DF5EAE( *_t114,  *((intOrPtr*)(_t114 + 4)),  &_a4, _a8, _t87);
												__eflags = _t64;
												if(_t64 >= 0) {
													goto L7;
												} else {
													 *_t112 = 1;
												}
											}
										}
									} else {
										goto L7;
									}
								}
							}
						} else {
							E00DF5EAE( *_t114,  *((intOrPtr*)(_t114 + 4)),  &_a8, _t54, _t87);
							__eflags = _v4 -  *((intOrPtr*)(_t114 + 4));
							if(_v4 !=  *((intOrPtr*)(_t114 + 4))) {
								L12:
								 *_t112 = 0;
							} else {
								goto L4;
							}
						}
					} else {
						__eflags = _a8 - __ebx;
						if(_a8 == __ebx) {
							goto L2;
						} else {
							__imp___errno();
							 *_t53 = __ebx;
							_t80 = wcstoul( &_a288,  &_a16, __ebx);
							_t116 = _t116 + 0xc;
							__imp___errno();
							__eflags =  *_t80 - 0x22;
							if( *_t80 == 0x22) {
								L7:
								 *_t112 = 1;
							} else {
								__eflags = _a16 -  &_a288;
								if(_a16 ==  &_a288) {
									goto L7;
								} else {
									 *__edi = 0;
								}
							}
						}
					}
					__eflags = _a548 ^ _t116;
					return E00DF13F0(_a548 ^ _t116);
				} else {
					return _t50;
				}
			}

APIs
    • Part of subcall function 00DF1809: HeapAlloc.KERNEL32(00000000,00000000,00000004,?,00DF184B,00000004,00000000,00000004,00000004,?,00DF186F,00000004,?,?,?,00DF755E), ref: 00DF1829
  • _errno.UCRTBASE_CLR0400(?,00000004,00000000,00000004,00000004,?,00DF186F,00000004,?,?,?,00DF755E,?,00000001,?,?), ref: 00DFB420
  • wcstoul.UCRTBASE_CLR0400(?,00DFBA14,00000000,?,00DF186F,00000004,?,?,?,00DF755E,?,00000001,?,?,?,00DFC8F6), ref: 00DFB436
  • _errno.UCRTBASE_CLR0400(?,00000004), ref: 00DFB441
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: _errno$AllocHeapwcstoul
  • String ID:
  • API String ID: 811303061-0
  • Opcode ID: dcb1d801ff8d374c0e284b3d915bf3ec3ac0269dcf95b670982e71486842c92a
  • Instruction ID: 2f601596805c7f652b3ced8239fbcecb37df1ca318afd1603a051d0d9315b673
  • Opcode Fuzzy Hash: dcb1d801ff8d374c0e284b3d915bf3ec3ac0269dcf95b670982e71486842c92a
  • Instruction Fuzzy Hash: 4D519C7020474A9FC724DF20E984A7AB7E9EF84300F09886DFB8683255D770E948CB72
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
			E00E05B9A(void* __ebx, int __ecx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t42;
				int _t45;
				WCHAR* _t48;
				int _t49;
				long _t50;
				signed int _t53;
				WCHAR* _t57;
				int _t61;
				WCHAR* _t62;
				void* _t63;
				int _t64;
				int _t72;
				int _t74;
				int _t75;
				void* _t76;
				void* _t77;
				void* _t78;
				intOrPtr _t87;

				_t64 = __ecx;
				_push(0x38);
				E00DF1718(0xe0bc4c, __ebx, __ecx, __edi, __esi);
				_t72 = _t64;
				if( *((intOrPtr*)(_t72 + 0x44)) == 0) {
					L16:
					return E00DF1679();
				}
				 *(_t78 - 0x44) =  *(_t78 - 0x44) & 0x00000000;
				_t61 = _t72 + 0x34;
				while(1) {
					 *(_t78 - 0x3c) =  *(_t78 - 0x3c) | 0xffffffff;
					 *((intOrPtr*)(_t78 - 0x40)) = 0xdfc6ec;
					 *(_t78 - 4) =  *(_t78 - 4) & 0x00000000;
					_t82 = _t61;
					if(_t61 != 0) {
						_t64 = _t61;
						E00DF169F(_t64);
						_t42 =  *((intOrPtr*)(_t61 + 0xc));
					} else {
						_t42 = 0;
					}
					_push(_t64);
					_push(_t64);
					_push(_t42);
					if(E00E04A30(_t61, _t72, _t82) < 0) {
						break;
					}
					if( *((intOrPtr*)(_t78 + 8)) == 0) {
						_t45 = E00DF5C86(_t72);
						__eflags = _t45;
						if(_t45 == 0) {
							break;
						}
						L18:
						_t74 = _t72 + 0x24;
						__eflags = _t74;
						if(_t74 != 0) {
							E00DF169F(_t74);
							_t62 =  *(_t74 + 0xc);
						} else {
							_t62 = 0;
						}
						_t75 = _t72 + 4;
						__eflags = _t75;
						if(_t75 != 0) {
							_t64 = _t75;
							E00DF169F(_t64);
							_t48 =  *(_t75 + 0xc);
						} else {
							_t48 = 0;
						}
						_t49 = MoveFileExW(_t48, _t62, 3);
						__eflags = _t49;
						if(_t49 != 0) {
							break;
						} else {
							_t50 = GetLastError();
							__eflags = _t50 - 0x20;
							if(_t50 != 0x20) {
								break;
							}
							_t76 =  *(_t78 - 0x3c);
							_t63 = _t62 | 0xffffffff;
							__eflags = _t76 - _t63;
							if(_t76 != _t63) {
								CloseHandle(_t76);
								_t76 = _t63;
								 *(_t78 - 0x3c) = _t76;
							}
							E00DFFFB5(_t64);
							 *(_t78 - 4) = _t63;
							 *((intOrPtr*)(_t78 - 0x40)) = 0xdfc6ec;
							__eflags = _t76 - _t63;
							if(_t76 != _t63) {
								CloseHandle(_t76);
								 *(_t78 - 0x3c) = _t63;
							}
							_t61 = _t72 + 0x34;
							_t53 =  *(_t78 - 0x44) + 1;
							 *(_t78 - 0x44) = _t53;
							__eflags = _t53 - 0xa;
							if(__eflags >= 0) {
								goto L16;
							} else {
								continue;
							}
						}
					}
					_t77 = _t72 + 4;
					if(_t77 != 0) {
						E00DF169F(_t77);
						_t57 =  *(_t77 + 0xc);
					} else {
						_t57 = 0;
					}
					if(GetFileAttributesExW(_t57, 0, _t78 - 0x38) == 0) {
						break;
					} else {
						_t64 =  *(_t78 - 0x18);
						_t87 =  *((intOrPtr*)(_t78 - 0x1c));
						if(_t87 < 0 || _t87 <= 0 && _t64 <=  *((intOrPtr*)(_t72 + 0x44))) {
							break;
						} else {
							goto L18;
						}
					}
				}
				 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t78 - 0x40)) = 0xdfc6ec;
				if( *(_t78 - 0x3c) != 0xffffffff) {
					CloseHandle( *(_t78 - 0x3c));
					 *(_t78 - 0x3c) =  *(_t78 - 0x3c) | 0xffffffff;
				}
				goto L16;
			}

APIs
  • GetFileAttributesExW.KERNEL32(?,00000000,00DF2B4E,00000000,?,?,?,?,00000038,00DFC033,00000001), ref: 00E05C1D
  • CloseHandle.KERNEL32(000000FF,00DFC6EC,?,?,00000038,00DFC033,00000001), ref: 00E05C60
  • MoveFileExW.KERNEL32(?,?,00000003,00DFC6EC,?,?,00000038,00DFC033,00000001), ref: 00E05CAE
  • GetLastError.KERNEL32(?,?,00000038,00DFC033,00000001), ref: 00E05CB8
  • CloseHandle.KERNEL32(000000FF,?,?,00000038,00DFC033,00000001), ref: 00E05CD5
  • CloseHandle.KERNEL32(000000FF,?,?,00000038,00DFC033,00000001), ref: 00E05CFD
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: CloseHandle$File$AttributesErrorLastMove
  • String ID:
  • API String ID: 2472611047-0
  • Opcode ID: 4f7fcdbabbd6b613050ca2d6db633347168c6871553284703078c34a8f511358
  • Instruction ID: d4129dc88e20f54153b27b51bebfec42222a6916b9b43b960cb4f05f3ee08faa
  • Opcode Fuzzy Hash: 4f7fcdbabbd6b613050ca2d6db633347168c6871553284703078c34a8f511358
  • Instruction Fuzzy Hash: F0415372600B299FEB359F2089C9BAAB765AB00354F459698D61AB71C0D7309EC4CF64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 31%
			E00DF6D92(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				short _v136;
				signed int _v140;
				signed int _v144;
				signed int _t26;
				intOrPtr _t28;
				void* _t51;
				intOrPtr* _t63;
				long _t64;
				intOrPtr* _t66;
				WCHAR* _t69;
				signed int _t70;
				void* _t71;
				intOrPtr _t78;

				_t26 =  *0xe0f000; // 0x365ea2a8
				_v8 = _t26 ^ _t70;
				_t63 = __ecx;
				_t66 = __ecx;
				_t2 = _t66 + 2; // 0x12
				_t51 = _t2;
				do {
					_t28 =  *_t66;
					_t66 = _t66 + 2;
				} while (_t28 != 0);
				if(_t66 - _t51 >> 1 > 0x37 + (0 | __edx == 0x00000000) * 8) {
					L7:
					L8:
					return E00DF13F0(_v8 ^ _t70);
				}
				if(__edx == 0) {
					_v136 = 0;
					L6:
					__imp__wcscat_s( &_v136, 0x40, _t63);
					_t64 = GetEnvironmentVariableW( &_v136, 0, 0);
					if(_t64 != 0) {
						_push(2);
						_t69 = E00DF6E8C();
						if(_t69 != 0) {
							GetEnvironmentVariableW( &_v136, _t69, _t64);
						}
						goto L8;
					}
					goto L7;
				}
				_t78 =  *0xe0f118; // 0x0
				if(_t78 != 0) {
					E00E059BE(__ecx, _t51,  &_v144,  &_v140);
					if(( *(0xe0f908 + _v144 * 4) & _v140) != 0) {
						goto L5;
					}
					goto L7;
				}
				L5:
				__imp__wcscpy_s( &_v136, 0x40, L"COMPlus_");
				_t71 = _t71 + 0xc;
				goto L6;
			}

APIs
  • wcscpy_s.UCRTBASE_CLR0400(?,00000040,COMPlus_,00000010,00000012,?,?,00000010,00000004,?), ref: 00DF6DF7
  • wcscat_s.UCRTBASE_CLR0400(?,00000040,00000010,00000010,00000004,?), ref: 00DF6E0A
  • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00DF6E1C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: EnvironmentVariablewcscat_swcscpy_s
  • String ID: COMPlus_
  • API String ID: 3804201087-665472478
  • Opcode ID: 246bb9c7cf5eec35cf1f12274f02e37b74f6696df751608eea3fdb3fd4c8a8d7
  • Instruction ID: b162348b1c564d86c9d4b30ff3c7b8ee4d5b0797bbcd3719f3292158813d8f8f
  • Opcode Fuzzy Hash: 246bb9c7cf5eec35cf1f12274f02e37b74f6696df751608eea3fdb3fd4c8a8d7
  • Instruction Fuzzy Hash: 5621B176A0111D9BDB209B69DC45BBAB378EB44700F05C16AFA4AE3540EA70DE488BB0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 49%
			E00E07220(intOrPtr __ecx, void* __edx) {
				intOrPtr _t112;
				signed int _t115;
				intOrPtr _t120;
				intOrPtr _t122;
				intOrPtr _t131;
				signed int _t152;
				intOrPtr* _t171;
				signed int _t173;
				void* _t177;
				void* _t182;
				intOrPtr* _t183;
				signed int _t185;
				intOrPtr* _t188;
				intOrPtr* _t226;
				signed int _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				unsigned int* _t235;
				signed int _t236;
				void* _t237;
				unsigned int* _t238;
				unsigned int* _t240;
				void* _t241;
				void* _t242;
				void* _t243;
				void* _t244;
				void* _t246;

				_push(0x278);
				E00E07E3B();
				 *((intOrPtr*)(_t242 - 0x23c)) = __ecx;
				 *((intOrPtr*)(_t242 - 0x248)) = __ecx;
				 *((intOrPtr*)(_t242 - 0x254)) =  *((intOrPtr*)(_t242 + 8));
				 *((intOrPtr*)(_t242 - 0x244)) =  *((intOrPtr*)(_t242 + 0xc));
				_t233 = 0x80004005;
				_t171 =  *((intOrPtr*)(__ecx + 0x18));
				_t177 = _t171 + 2;
				_t232 = 0;
				do {
					_t112 =  *_t171;
					_t171 = _t171 + 2;
					_t249 = _t112;
				} while (_t112 != 0);
				_t173 = _t171 - _t177 >> 1;
				 *(_t242 - 0x234) = _t173;
				E00DF354F(_t177, 0x80004005, _t249);
				 *(_t242 - 0x274) = 0;
				 *((intOrPtr*)(_t242 - 0x270)) = 0;
				 *((intOrPtr*)(_t242 - 0x26c)) = 5;
				 *(_t242 - 4) = 1;
				_t115 =  *( *((intOrPtr*)(_t242 - 0x23c)) + 0x20);
				 *(_t242 - 0x238) = _t115;
				if(_t115 == 0) {
					 *(_t242 - 0x250) = 0;
					 *(_t242 - 0x24c) = 0;
					 *(_t242 - 4) = 2;
					 *(_t242 - 4) = 3;
					_push( *0xe0f0f0);
					E00E06A9D(_t173, _t242 - 0x274, __edx, 0, 0x80004005, __eflags);
					 *(_t242 - 4) = 2;
					 *(_t242 - 4) = 1;
					__eflags =  *(_t242 - 0x250) & 0x00000002;
					if(( *(_t242 - 0x250) & 0x00000002) != 0) {
						E00E05A08();
					}
				} else {
					 *0xe10244(_t242 - 0x274);
					_t233 =  *(_t242 - 0x238)();
				}
				_t251 = _t233 - 0x8007000e;
				if(_t233 != 0x8007000e) {
					 *((short*)(_t242 - 0x22c)) = 0;
					 *((short*)(_t242 - 0x20)) = 0;
					__eflags = 0;
					 *((short*)( *((intOrPtr*)(_t242 - 0x244)) + 0x206)) = 0;
					_t244 = _t243 - 0x14;
					E00E06866( *((intOrPtr*)(_t242 - 0x244)), _t242 - 0x20, _t242 - 0x22c, _t242 - 0x22c);
					_t226 = _t242 - 0x20;
					_t182 = _t226 + 2;
					do {
						_t120 =  *_t226;
						_t226 = _t226 + 2;
						__eflags = _t120 - _t232;
					} while (_t120 != _t232);
					_t227 = _t226 - _t182;
					__eflags = _t227;
					_t228 = _t227 >> 1;
					 *(_t242 - 0x24c) = _t228;
					_t183 = _t242 - 0x22c;
					 *((intOrPtr*)(_t242 - 0x248)) = _t183 + 2;
					do {
						_t122 =  *_t183;
						_t183 = _t183 + 2;
						__eflags = _t122 - _t232;
					} while (_t122 != _t232);
					_t185 = _t183 -  *((intOrPtr*)(_t242 - 0x248)) >> 1;
					 *(_t242 - 0x238) = _t185;
					 *((intOrPtr*)(_t242 - 0x248)) = _t228 + 1 + _t185 + _t173;
					__eflags =  *(_t242 - 0x274);
					if( *(_t242 - 0x274) <= 0) {
						L24:
						__eflags = _t233;
						if(_t233 < 0) {
							_t233 = E00E071EB( *((intOrPtr*)(_t242 - 0x23c)),  *((intOrPtr*)(_t242 - 0x254)),  *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x23c)) + 0x18)));
						}
						L26:
						_t107 = _t242 - 4;
						 *_t107 =  *(_t242 - 4) | 0xffffffff;
						__eflags =  *_t107;
						E00E06B97();
						goto L27;
					} else {
						goto L14;
					}
					do {
						L14:
						_t234 = _t232;
						_t188 = _t242 - 0x270;
						_t131 =  *((intOrPtr*)(_t242 - 0x26c));
						__eflags = _t232 - _t131;
						if(_t232 < _t131) {
							L16:
							_t235 =  *(_t188 + 8 + _t234 * 4);
							 *(_t242 - 0x234) = _t235;
							E00DF1B89(_t173, _t235, _t232);
							__eflags = ( *_t235 >> ( !(_t235[2]) & 0x00000001)) +  *((intOrPtr*)(_t242 - 0x248)) - 1 - 0x104;
							if(( *_t235 >> ( !(_t235[2]) & 0x00000001)) +  *((intOrPtr*)(_t242 - 0x248)) - 1 > 0x104) {
								_t233 = 0x80004005;
								goto L23;
							}
							_t236 =  *(_t242 - 0x24c);
							__imp__wcscpy_s( *((intOrPtr*)(_t242 - 0x244)), _t236 + 1, _t242 - 0x20);
							_t237 =  *((intOrPtr*)(_t242 - 0x244)) + _t236 * 2;
							__imp__wcscpy_s(_t237,  *(_t242 - 0x238) + 1, _t242 - 0x22c);
							_t246 = _t244 + 0x18;
							 *((intOrPtr*)(_t242 - 0x230)) = _t237 +  *(_t242 - 0x238) * 2;
							_t238 =  *(_t242 - 0x234);
							__eflags =  *_t238 >> ( !(_t238[2]) & 0x00000001) == 1;
							if( *_t238 >> ( !(_t238[2]) & 0x00000001) == 1) {
								E00DF1B89(_t173, _t238, _t232);
								_push( *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x23c)) + 0x18)));
								_push(_t173 + 1);
								_t152 =  *((intOrPtr*)(_t242 - 0x230)) + ( *_t238 >> ( !(_t238[2]) & 0x00000001)) * 2 + 0xfffffffe;
								__eflags = _t152;
							} else {
								E00DF169F(_t238);
								E00DF1B89(_t173,  *(_t242 - 0x234), _t232);
								_t240 =  *(_t242 - 0x234);
								__imp__wcscpy_s( *((intOrPtr*)(_t242 - 0x230)),  *( *(_t242 - 0x234)) >> ( !(_t240[2]) & 0x00000001), _t238[3]);
								E00DF1B89(_t173, _t240, _t232);
								_t241 = _t173 + 1;
								__imp__wcscpy_s( *((intOrPtr*)(_t242 - 0x230)) - 2 + ( *_t240 >> ( !(( *(_t242 - 0x234))[2]) & 0x00000001)) * 2, _t241, 0xdfc6f0);
								_t246 = _t246 + 0x18;
								E00DF1B89(_t173,  *(_t242 - 0x234), _t232);
								_push( *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x23c)) + 0x18)));
								_push(_t241);
								_t152 =  *((intOrPtr*)(_t242 - 0x230)) + ( *( *(_t242 - 0x234)) >> ( !(( *(_t242 - 0x234))[2]) & 0x00000001)) * 2;
							}
							__imp__wcscpy_s(_t152);
							_t244 = _t246 + 0xc;
							_t233 = E00E071EB( *((intOrPtr*)(_t242 - 0x23c)),  *((intOrPtr*)(_t242 - 0x254)),  *((intOrPtr*)(_t242 - 0x244)));
							__eflags = _t233;
							if(_t233 < 0) {
								goto L23;
							} else {
								goto L26;
							}
						} else {
							goto L15;
						}
						do {
							L15:
							_t234 = _t234 - _t131;
							_t188 =  *_t188;
							_t131 =  *((intOrPtr*)(_t188 + 4));
							__eflags = _t234 - _t131;
						} while (_t234 >= _t131);
						goto L16;
						L23:
						_t232 = _t232 + 1;
						__eflags = _t232 -  *(_t242 - 0x274);
					} while (_t232 <  *(_t242 - 0x274));
					goto L24;
				} else {
					 *(_t242 - 4) =  *(_t242 - 4) | 0xffffffff;
					E00E06B97();
					L27:
					return E00E07E28(_t251);
				}
			}

APIs
  • wcscpy_s.UCRTBASE_CLR0400(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00E044DF), ref: 00E0757A
  • wcscpy_s.UCRTBASE_CLR0400(?,?,?,?,?,?,?,?,?,80004005,00000000), ref: 00E0759C
  • wcscpy_s.UCRTBASE_CLR0400(?,?,?,?,?,?,?,?,?,80004005,00000000), ref: 00E07604
  • wcscpy_s.UCRTBASE_CLR0400(00000000,?,00DFC6F0,?,?,?,?,?,?,?,?,?,?,?,?,80004005), ref: 00E0763C
  • wcscpy_s.UCRTBASE_CLR0400(?,?,?,?,?,?,?,?,?,?,?,?,80004005,00000000), ref: 00E076A4
    • Part of subcall function 00E071EB: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E076F8,?,?), ref: 00E07204
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: wcscpy_s$LibraryLoad
  • String ID:
  • API String ID: 2116003880-0
  • Opcode ID: 8b10a03e695c1c1af876a9c637248feefd576c1a54d2ad6c01c7525b938c840d
  • Instruction ID: 2869999e7be2cb48592066843c6e2f69eb8ccee7fd0acc0e9bbc015a24295b09
  • Opcode Fuzzy Hash: 8b10a03e695c1c1af876a9c637248feefd576c1a54d2ad6c01c7525b938c840d
  • Instruction Fuzzy Hash: 90A17A35D0552A8BCB24EF28CC99BA8B7B1EF48314F0081D9E54AA7291DB35AEC5CF54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
			E00DF53D0(void* __ebx, void* __ecx, signed int __edi, signed int __esi, void* __eflags) {
				int _t86;
				void* _t89;
				void* _t98;
				void* _t104;
				signed int _t113;
				short* _t117;
				int _t118;
				void* _t119;
				signed int _t124;
				void* _t126;
				signed int _t140;
				signed char _t143;
				short* _t151;
				signed int _t152;
				void* _t153;
				int _t157;
				void* _t159;

				_t154 = __esi;
				_t152 = __edi;
				_t119 = __ecx;
				_push(0x45c);
				E00DF1718(E00E0958E, __ebx, __ecx, __edi, __esi);
				_t150 = 0;
				 *(_t159 - 0x224) = 0;
				 *((intOrPtr*)(_t159 - 0x220)) = 0;
				 *(_t159 - 0x21c) = 0;
				 *(_t159 - 0x218) = 0;
				 *((intOrPtr*)(_t159 - 0x220)) = 0x200;
				 *(_t159 - 0x218) = _t159 - 0x214;
				 *(_t159 - 4) = 0;
				 *(_t159 - 0x224) = 2;
				 *( *(_t159 - 0x218)) = 0;
				 *(_t159 - 4) = 1;
				E00DF59E1(_t159 - 0x224, _t119);
				 *(_t159 - 4) = 2;
				E00DF282C(1, _t159 - 0x224, __edi);
				if(( *(_t159 - 0x21c) & 0x00000010) != 0) {
					E00DF1857(_t159 - 0x224, 0,  *((intOrPtr*)(_t159 - 0x220)), 1);
					_t124 =  *(_t159 - 0x21c);
				}
				 *(_t159 - 0x444) =  *(_t159 - 0x218);
				_t126 =  !_t124 & 1;
				__eflags = _t126;
				 *(_t159 - 0x440) = _t126;
				while(E00DF5355(_t159 - 0x224, _t159 - 0x444, 0xa) != 0) {
					E00DF282C(1, _t159 - 0x224, _t152);
					_t140 =  *(_t159 - 0x21c);
					if((_t140 & 0x00000010) != 0) {
						E00DF1857(_t159 - 0x224, _t150,  *((intOrPtr*)(_t159 - 0x220)), 1);
						_t140 =  *(_t159 - 0x21c);
					}
					_t143 =  !_t140 & 1;
					_t151 =  *(_t159 - 0x444);
					if( *(_t159 - 0x218) - _t151 >> _t143 == 0) {
						L9:
						_push(E00DF5558);
						_push(_t143);
						_t104 = E00DF528A(1, _t159 - 0x468, _t152, _t154, _t162);
						 *(_t159 - 4) = 3;
						_push(_t104);
						_push(1);
						_push(_t159 - 0x444);
						E00DF1A52(1, _t159 - 0x224, _t152, _t154, _t162);
						 *(_t159 - 4) = 2;
						E00DF1A07();
						_t154 =  *(_t159 - 0x440);
						_t151 =  *(_t159 - 0x444);
					} else {
						_t152 = _t159 - 0x458;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t154 =  *(_t159 - 0x440);
						_t143 = _t151 - (1 << _t154);
						if( *((intOrPtr*)(_t159 - 0x454)) == 0) {
							_t113 =  *_t143 & 0x0000ffff;
						} else {
							_t113 =  *_t143 & 0x0000ffff;
						}
						_t162 = _t113 - 0xd;
						if(_t113 != 0xd) {
							goto L9;
						}
					}
					_t150 = _t151 + (1 << _t154);
					 *(_t159 - 0x444) = _t151 + (1 << _t154);
				}
				E00DF169F(_t159 - 0x224);
				_t153 = _t152 >> 0xff;
				_t117 =  *(_t159 - 0x218);
				 *(_t159 - 0x448) = _t117;
				E00DF1B89(_t117, _t159 - 0x224, _t153);
				_t157 = ( *(_t159 - 0x224) >> ( !( *(_t159 - 0x21c)) & 0x00000001)) - 1;
				_t86 = GetConsoleOutputCP();
				 *(_t159 - 0x438) = _t86;
				 *(_t159 - 0x434) = 0;
				 *((intOrPtr*)(_t159 - 0x430)) = 0;
				 *((intOrPtr*)(_t159 - 0x42c)) = 0x200;
				 *(_t159 - 4) = 4;
				_t118 = WideCharToMultiByte(_t86, 0, _t117, _t157, 0, 0, 0, 0);
				__eflags = _t118 - 0x1fffff00;
				if(_t118 > 0x1fffff00) {
					L00E042D0(_t118, 0x80131516, _t150, _t153, _t157);
					goto L21;
				} else {
					_t53 = _t118 + 1; // 0x1
					_t153 = E00DF3899(_t159 - 0x434, _t53);
					_t98 = WideCharToMultiByte( *(_t159 - 0x438), 0,  *(_t159 - 0x448), _t157, _t153, _t118, 0, 0);
					 *(_t159 - 0x438) = _t98;
					__eflags = _t98;
					if(_t98 == 0) {
						L21:
						__eflags = _t157;
						if(_t157 <= 0) {
							goto L14;
						} else {
							E00E044B0(_t118, 0x459, _t150, _t153, _t157);
							goto L23;
						}
					} else {
						L14:
						 *((char*)(_t153 + _t118)) = 0;
						_t89 = GetStdHandle(0xfffffff5);
						__eflags = _t89;
						if(_t89 != 0) {
							WriteFile(_t89, _t153,  *(_t159 - 0x438), _t159 - 0x44c, 0);
						}
						 *(_t159 - 4) = 2;
						_t150 =  *(_t159 - 0x434);
						__eflags =  *(_t159 - 0x434);
						if( *(_t159 - 0x434) != 0) {
							L23:
							E00DF1480(_t150);
							 *(_t159 - 0x434) =  *(_t159 - 0x434) & 0x00000000;
						}
					}
				}
				_t63 = _t159 - 4;
				 *_t63 =  *(_t159 - 4) | 0xffffffff;
				__eflags =  *_t63;
				E00DF1A07();
				return E00DF1679();
			}

APIs
  • GetConsoleOutputCP.KERNEL32(?,0000000A,?,0000045C,00DF56DD), ref: 00DF5594
  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00DF55C7
  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000,00000001), ref: 00DF5600
  • GetStdHandle.KERNEL32(000000F5), ref: 00DF561A
  • WriteFile.KERNEL32(00000000,00000002,?,?,00000000), ref: 00DF5635
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp Download File
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ByteCharMultiWide$ConsoleFileHandleOutputWrite
  • String ID:
  • API String ID: 830990279-0
  • Opcode ID: 7fc431f3d5b0ad2019adf4947111653be7a3e741e455a24dbfcb074615c1913a
  • Instruction ID: f51620aee8d90d7ffebac998f5e6162b7957d29e2c78f834ac21a0543c6e9f07
  • Opcode Fuzzy Hash: 7fc431f3d5b0ad2019adf4947111653be7a3e741e455a24dbfcb074615c1913a
  • Instruction Fuzzy Hash: A17179B490022D9BDB28EF64DD89BF9B7B4EF48304F0181D8A709A7291DA705E84CF74
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 49%
			E00DF2BDA(unsigned int* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t25;
				intOrPtr* _t26;
				void* _t29;
				signed int* _t30;
				intOrPtr* _t32;
				intOrPtr* _t33;
				void* _t36;
				signed int* _t37;
				void* _t38;
				intOrPtr* _t51;
				intOrPtr* _t59;
				intOrPtr* _t70;
				unsigned int* _t84;
				unsigned int _t88;
				void* _t89;
				void* _t92;
				void* _t96;
				void* _t98;
				unsigned int* _t102;
				void* _t105;
				void* _t106;
				void* _t107;

				_t102 = __ecx;
				_t51 = _a4;
				_t88 =  *__ecx >> ( !(__ecx[2]) & 0x00000001);
				_t24 = _t88 != 1;
				if(_t88 != 1) {
					_t25 = E00DF2BAD(__ecx[3], _t88, 0xffffffff, _t51, _a8);
					_t106 = _t105 + 0xc;
					__eflags = _t25;
					if(_t25 < 0) {
						goto L16;
					} else {
						goto L21;
					}
				} else {
					L16:
					_t59 = _t51;
					_t89 = _t59 + 1;
					do {
						_t26 =  *_t59;
						_t59 = _t59 + 1;
						__eflags = _t26;
					} while (_t26 != 0);
					_t96 = _t59 - _t89 + 1;
					_t29 = ( *_t102 >> ( !(_t102[2]) & 0x00000001)) - 1;
					__eflags = _t96 - _t29;
					if(_t96 < _t29) {
						_t96 = _t29;
					}
					__eflags = _t96 - 0x14;
					if(_t96 < 0x14) {
						_t96 = 0x14;
					}
					while(1) {
						_t96 = _t96 + _t96;
						_t30 = E00DF18AF(_t51, _t102, _t96, _t102, _t96, 7, 0);
						__imp___errno();
						 *_t30 =  *_t30 & 0x00000000;
						_t91 =  *_t102 >> ( !(_t102[2]) & 0x00000001);
						_t68 = _t102[3];
						_t25 = E00DF2BAD(_t102[3],  *_t102 >> ( !(_t102[2]) & 0x00000001), 0xffffffff, _t51, _a8);
						_t106 = _t106 + 0xc;
						__eflags = _t25;
						if(_t25 >= 0) {
							break;
						}
						__imp___errno();
						__eflags =  *_t25 - 0xc;
						if(__eflags == 0) {
							L31:
							E00E044E0(_t51, _t68, _t91, _t96, _t102, __eflags);
							asm("int3");
							_t32 = E00DF1B9F(_t102[3], _t91, _t68, _t51, _t68, _a8);
							_t107 = _t106 + 0x10;
							__eflags = _t32;
							if(_t32 < 0) {
								_t70 = _t51;
								__eflags = 0;
								_t92 = _t70 + 2;
								do {
									_t33 =  *_t70;
									_t70 = _t70 + 2;
									__eflags = _t33;
								} while (_t33 != 0);
								_t98 = (_t70 - _t92 >> 1) + 1;
								_t36 = ( *_t102 >> ( !(_t102[2]) & 0x00000001)) - 1;
								__eflags = _t98 - _t36;
								if(_t98 < _t36) {
									_t98 = _t36;
								}
								__eflags = _t98 - 0x14;
								if(_t98 < 0x14) {
									_t98 = 0x14;
								}
								while(1) {
									_t98 = _t98 + _t98;
									_t76 = _t102;
									_t37 = E00DF18AF(_t51, _t102, _t98, _t102, _t98, 4, 0);
									__imp___errno();
									 *_t37 =  *_t37 & 0x00000000;
									_t94 =  *_t102 >> ( !(_t102[2]) & 0x00000001);
									_t80 = _t102[3];
									_t32 = E00DF1B9F(_t102[3],  *_t102 >> ( !(_t102[2]) & 0x00000001), _t102, _t51, _t76, _a8);
									_t107 = _t107 + 0x10;
									__eflags = _t32;
									if(_t32 >= 0) {
										goto L12;
									}
									__imp___errno();
									__eflags =  *_t32 - 0xc;
									if(__eflags == 0) {
										L38:
										_t38 = E00E044E0(_t51, _t80, _t94, _t98, _t102, __eflags);
										asm("int3");
										__eflags = _t38 - 1;
										if(_t38 == 1) {
											L4:
											return 1;
										}
										_t24 = E00DF284A(_t80);
										if(_t24 == 0) {
											return 0;
										}
										goto L4;
									}
									__imp___errno();
									__eflags =  *_t32;
									if( *_t32 == 0) {
										continue;
									} else {
										__imp___errno();
										__eflags =  *_t32 - 9;
										if( *_t32 == 9) {
											continue;
										} else {
											__imp___errno();
											__eflags =  *_t32 - 0x22;
											if( *_t32 == 0x22) {
												continue;
											} else {
												_t80 = 0x80070459;
												L00E042D0(_t51, 0x80070459, _t94, _t98, _t102);
												goto L38;
											}
										}
									}
									goto L41;
								}
							} else {
							}
							L12:
							E00DF18AF(_t51, _t102, _t98, _t102, _t32, 4, 1);
							_push(_t51);
							E00DF1C0C(_t51,  &_v20, _t98, _t102, __eflags);
							return E00DF1A07();
						} else {
							__imp___errno();
							__eflags =  *_t25;
							if( *_t25 == 0) {
								continue;
							} else {
								__imp___errno();
								__eflags =  *_t25 - 9;
								if( *_t25 == 9) {
									continue;
								} else {
									__imp___errno();
									__eflags =  *_t25 - 0x22;
									if( *_t25 == 0x22) {
										continue;
									} else {
										_t68 = 0x80070459;
										L00E042D0(_t51, 0x80070459, _t91, _t96, _t102);
										goto L31;
									}
								}
							}
						}
						goto L41;
					}
					L21:
					_t84 = _t102;
					E00DF18AF(_t51, _t84, _t96, _t102, _t25, 7, 1);
					_push(_t51);
					_push(_t84);
					E00DF2E66(_t51,  &_v20, _t96, _t102, __eflags);
					return E00DF1A07();
				}
				goto L41;
			}

APIs
  • _errno.UCRTBASE_CLR0400(?,00000007,00000000,?,?), ref: 00DF2C3F
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: _errno
  • String ID:
  • API String ID: 2918714741-0
  • Opcode ID: fe12056fa4ae52ae8cf6ac4be6b55570f5a4e2aafe1c5030b3af7e96a9636d85
  • Instruction ID: 6ce248eab3a8dce72af4de784f9faee80ae703dc64f80c50de41bb859086d499
  • Opcode Fuzzy Hash: fe12056fa4ae52ae8cf6ac4be6b55570f5a4e2aafe1c5030b3af7e96a9636d85
  • Instruction Fuzzy Hash: 0041263520020CEFD728AB15DC51BBD73A6EB45321F0AC159FB6A9B1D1DBB15D84CA70
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 52%
			E00DF1918(unsigned int* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t15;
				intOrPtr* _t16;
				void* _t19;
				signed int* _t20;
				void* _t21;
				intOrPtr* _t30;
				intOrPtr* _t37;
				unsigned int _t52;
				void* _t53;
				void* _t58;
				unsigned int* _t61;
				void* _t63;
				void* _t64;

				_t61 = __ecx;
				_t30 = _a4;
				_t35 =  !(__ecx[2]) & 0x00000001;
				_t52 =  *__ecx >> ( !(__ecx[2]) & 0x00000001);
				_t14 = _t52 != 1;
				if(_t52 != 1) {
					_t15 = E00DF1B9F(__ecx[3], _t52, _t35, _t30, _t35, _a8);
					_t64 = _t63 + 0x10;
					__eflags = _t15;
					if(_t15 < 0) {
						goto L6;
					} else {
					}
				} else {
					L6:
					_t37 = _t30;
					__eflags = 0;
					_t53 = _t37 + 2;
					do {
						_t16 =  *_t37;
						_t37 = _t37 + 2;
						__eflags = _t16;
					} while (_t16 != 0);
					_t58 = (_t37 - _t53 >> 1) + 1;
					_t19 = ( *_t61 >> ( !(_t61[2]) & 0x00000001)) - 1;
					__eflags = _t58 - _t19;
					if(_t58 < _t19) {
						_t58 = _t19;
					}
					__eflags = _t58 - 0x14;
					if(_t58 < 0x14) {
						_t58 = 0x14;
					}
					while(1) {
						_t58 = _t58 + _t58;
						_t43 = _t61;
						_t20 = E00DF18AF(_t30, _t61, _t58, _t61, _t58, 4, 0);
						__imp___errno();
						 *_t20 =  *_t20 & 0x00000000;
						_t55 =  *_t61 >> ( !(_t61[2]) & 0x00000001);
						_t47 = _t61[3];
						_t15 = E00DF1B9F(_t61[3],  *_t61 >> ( !(_t61[2]) & 0x00000001), _t61, _t30, _t43, _a8);
						_t64 = _t64 + 0x10;
						__eflags = _t15;
						if(_t15 >= 0) {
							goto L12;
						}
						__imp___errno();
						__eflags =  *_t15 - 0xc;
						if(__eflags == 0) {
							L22:
							_t21 = E00E044E0(_t30, _t47, _t55, _t58, _t61, __eflags);
							asm("int3");
							__eflags = _t21 - 1;
							if(_t21 == 1) {
								L4:
								return 1;
							}
							_t14 = E00DF284A(_t47);
							if(_t14 == 0) {
								return 0;
							}
							goto L4;
						}
						__imp___errno();
						__eflags =  *_t15;
						if( *_t15 == 0) {
							continue;
						} else {
							__imp___errno();
							__eflags =  *_t15 - 9;
							if( *_t15 == 9) {
								continue;
							} else {
								__imp___errno();
								__eflags =  *_t15 - 0x22;
								if( *_t15 == 0x22) {
									continue;
								} else {
									_t47 = 0x80070459;
									L00E042D0(_t30, 0x80070459, _t55, _t58, _t61);
									goto L22;
								}
							}
						}
						goto L25;
					}
				}
				L12:
				E00DF18AF(_t30, _t61, _t58, _t61, _t15, 4, 1);
				_push(_t30);
				E00DF1C0C(_t30,  &_v20, _t58, _t61, __eflags);
				return E00DF1A07();
				goto L25;
			}

APIs
  • _errno.UCRTBASE_CLR0400(?,00000004,00000000,?,00000002,00000000), ref: 00DF1984
  • _errno.UCRTBASE_CLR0400(?,?,?,?,?,00000002,00000000), ref: 00DF19DA
  • _errno.UCRTBASE_CLR0400(?,?,?,?,?,00000002,00000000), ref: 00DF19E9
  • _errno.UCRTBASE_CLR0400(?,?,?,?,?,00000002,00000000), ref: 00DFB9B2
  • _errno.UCRTBASE_CLR0400(?,?,?,?,?,00000002,00000000), ref: 00DFB9C1
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: _errno
  • String ID:
  • API String ID: 2918714741-0
  • Opcode ID: 7ea34adad2ce8bd14210d43887e8803991919cc3f2d3fbb9b965c19c11d7bc55
  • Instruction ID: ea6dcfd2d4d4838ef20351f3336535980d2c21594dea94a0f86bda987de23af6
  • Opcode Fuzzy Hash: 7ea34adad2ce8bd14210d43887e8803991919cc3f2d3fbb9b965c19c11d7bc55
  • Instruction Fuzzy Hash: 9F313A3920020CDFD328AB15DC55BB973A5EF84351F06C118EB5B5B590DBB15C80CE70
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
			E00E05A68(void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t29;
				long _t38;
				void* _t44;
				intOrPtr* _t47;
				void* _t55;
				signed int _t59;
				void* _t62;
				WCHAR* _t63;
				void* _t64;

				_push(0xc);
				E00DF1BCF(E00E0B7A6, __ebx, __ecx, __edi, __esi);
				_t44 = __edx;
				_t47 = __edx;
				_t59 = 0;
				_t62 = 2;
				_t55 = __edx + 2;
				do {
					_t29 =  *_t47;
					_t47 = _t47 + _t62;
				} while (_t29 != 0);
				 *(_t64 - 0x10) = (_t47 - _t55 >> 1) + 1;
				_t63 = E00DF6E8C();
				 *(_t64 - 0x14) = 0;
				 *(_t64 - 0x18) = _t63;
				if(_t63 != 0) {
					_t59 = 1;
					 *(_t64 - 0x14) = 1;
				}
				 *(_t64 - 4) = 3;
				if(_t63 != 0) {
					memcpy(_t63, _t44,  *(_t64 - 0x10) +  *(_t64 - 0x10));
					CreateProcessW(0, _t63, 0, 0, 0, 0, 0, 0,  *(_t64 + 0x20),  *(_t64 + 0x24));
					_t38 = GetLastError();
					 *(_t64 - 0x10) = _t38;
					 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
					if(_t59 != 0) {
						E00DF1480(_t63);
						 *(_t64 - 0x14) =  *(_t64 - 0x14) & 0x00000000;
						_t38 =  *(_t64 - 0x10);
					}
					SetLastError(_t38);
				} else {
					SetLastError(0xe);
					 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
					 *(_t64 - 0x14) =  *(_t64 - 0x14) & _t63;
				}
				return E00DF1687();
			}

APIs
  • SetLastError.KERNEL32(0000000E,0000000C,00DFE6C9), ref: 00E05AD2
  • memcpy.VCRUNTIME140_CLR0400(00000000,?,?,0000000C,00DFE6C9), ref: 00E05AF4
  • CreateProcessW.KERNEL32 ref: 00E05B0C
  • GetLastError.KERNEL32(?,0000000C,00DFE6C9), ref: 00E05B14
  • SetLastError.KERNEL32(00000000,?,0000000C,00DFE6C9), ref: 00E05B40
    • Part of subcall function 00DF1480: HeapFree.KERNEL32(00000000,00000000,?,?,00DF7537,?,?,?,00DFC8F6,?,00000014,00E00CC6,?,?,?,00DFBA14), ref: 00DF1494
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ErrorLast$CreateFreeHeapProcessmemcpy
  • String ID:
  • API String ID: 2176818907-0
  • Opcode ID: 3b098078e1f2d7e7453ba40fc535cc6c2284c185132630ba92e41a4e75142404
  • Instruction ID: 27fdc3a48ac79a28783da45b9093d56b8e4c70c5a91ee07c53cb7e7e513bbf76
  • Opcode Fuzzy Hash: 3b098078e1f2d7e7453ba40fc535cc6c2284c185132630ba92e41a4e75142404
  • Instruction Fuzzy Hash: 8621F976E002189BCB319F348C05BFEB6B4EF48710F058699FA59E7290D7748E818FA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00DF5565(signed int __edi) {
				int _t27;
				void* _t30;
				long _t39;
				short* _t40;
				int _t41;
				void* _t54;
				int _t57;
				void* _t58;

				_t54 = __edi >> 0xff;
				_t40 =  *(_t58 - 0x218);
				 *(_t58 - 0x448) = _t40;
				E00DF1B89(_t40, _t58 - 0x224, _t54);
				_t57 = ( *(_t58 - 0x224) >> ( !( *(_t58 - 0x21c)) & 0x00000001)) - 1;
				_t27 = GetConsoleOutputCP();
				 *(_t58 - 0x438) = _t27;
				 *(_t58 - 0x434) = 0;
				 *((intOrPtr*)(_t58 - 0x430)) = 0;
				 *((intOrPtr*)(_t58 - 0x42c)) = 0x200;
				 *(_t58 - 4) = 4;
				_t41 = WideCharToMultiByte(_t27, 0, _t40, _t57, 0, 0, 0, 0);
				if(_t41 > 0x1fffff00) {
					L00E042D0(_t41, 0x80131516, _t52, _t54, _t57);
					goto L7;
				} else {
					_t11 = _t41 + 1; // 0x1
					_t54 = E00DF3899(_t58 - 0x434, _t11);
					_t39 = WideCharToMultiByte( *(_t58 - 0x438), 0,  *(_t58 - 0x448), _t57, _t54, _t41, 0, 0);
					 *(_t58 - 0x438) = _t39;
					if(_t39 == 0) {
						L7:
						if(_t57 <= 0) {
							goto L2;
						} else {
							E00E044B0(_t41, 0x459, _t52, _t54, _t57);
							goto L9;
						}
					} else {
						L2:
						 *((char*)(_t54 + _t41)) = 0;
						_t30 = GetStdHandle(0xfffffff5);
						if(_t30 != 0) {
							WriteFile(_t30, _t54,  *(_t58 - 0x438), _t58 - 0x44c, 0);
						}
						 *(_t58 - 4) = 2;
						_t52 =  *(_t58 - 0x434);
						if( *(_t58 - 0x434) != 0) {
							L9:
							E00DF1480(_t52);
							 *(_t58 - 0x434) =  *(_t58 - 0x434) & 0x00000000;
						}
					}
				}
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				E00DF1A07();
				return E00DF1679();
			}

APIs
  • GetConsoleOutputCP.KERNEL32(?,0000000A,?,0000045C,00DF56DD), ref: 00DF5594
  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00DF55C7
  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000,00000001), ref: 00DF5600
  • GetStdHandle.KERNEL32(000000F5), ref: 00DF561A
  • WriteFile.KERNEL32(00000000,00000002,?,?,00000000), ref: 00DF5635
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ByteCharMultiWide$ConsoleFileHandleOutputWrite
  • String ID:
  • API String ID: 830990279-0
  • Opcode ID: 204df4f72ab0500be847ebbd34adeda9b2a82cc38795df9c7111bbe0fabef466
  • Instruction ID: 22f5ea12c090b4428de253ab842f4c14ce3d456cf11e71d87b91b869a50a8057
  • Opcode Fuzzy Hash: 204df4f72ab0500be847ebbd34adeda9b2a82cc38795df9c7111bbe0fabef466
  • Instruction Fuzzy Hash: 122174F0901229AFDB249F65CC49BEEBBB8EB05310F4582C9B609A3191DB705E84CE34
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 80%
			E00DF7108(void* __ebx, WCHAR* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				long _t27;
				WCHAR* _t41;
				intOrPtr _t48;
				WCHAR* _t51;
				intOrPtr _t53;
				void* _t54;

				_t48 = __edx;
				_t41 = __ecx;
				_push(0x424);
				E00DF1718(E00E081D9, __ebx, __ecx, __edi, __esi);
				_t53 = _t48;
				_t51 = _t41;
				 *(_t54 - 0x430) = 0;
				_t27 = GetFullPathNameW(_t51, 0x105, _t54 - 0x21c, _t54 - 0x430);
				if(_t27 == 0 || _t27 > 0x105 || GetFileAttributesW(_t54 - 0x21c) == 0xffffffff) {
					__eflags =  *((intOrPtr*)(_t54 + 8));
					if( *((intOrPtr*)(_t54 + 8)) != 0) {
						 *((intOrPtr*)(_t54 - 0x42c)) = 0;
						 *((intOrPtr*)(_t54 - 0x428)) = 0;
						 *((intOrPtr*)(_t54 - 0x424)) = 0;
						 *((intOrPtr*)(_t54 - 0x420)) = 0;
						 *((intOrPtr*)(_t54 - 0x428)) = 0x200;
						 *((intOrPtr*)(_t54 - 0x420)) = _t54 - 0x41c;
						 *((intOrPtr*)(_t54 - 4)) = 0;
						_t53 = 2;
						 *((intOrPtr*)(_t54 - 0x42c)) = _t53;
						__eflags = 0;
						 *((short*)( *((intOrPtr*)(_t54 - 0x420)))) = 0;
						 *((intOrPtr*)(_t54 - 4)) = 1;
						E00DF1C56(_t54 - 0x42c, L"Error: The specified file or directory \"");
						 *((intOrPtr*)(_t54 - 4)) = _t53;
						_push(_t51);
						E00DF52F0(0, _t54 - 0x42c, _t51, _t53, __eflags);
						E00DF52F0(0, _t54 - 0x42c, _t51, _t53, __eflags);
						E00E043CC(0, 0x80070002, _t54 - 0x42c, _t51, _t53, __eflags, L"\" is invalid.");
					}
					_push(_t51);
				} else {
					_push(_t54 - 0x21c);
				}
				E00DF1C56(_t53);
				return E00DF1679();
			}

APIs
  • GetFullPathNameW.KERNEL32(?,00000105,?,?,00000424,00DF8A46,00000001,?,00000200,?,?,?,?,00000000,?,?), ref: 00DF7137
  • GetFileAttributesW.KERNEL32(?,?,00000105,?,?,00000424,00DF8A46,00000001,?,00000200,?,?,?,?,00000000,?), ref: 00DF714F
    • Part of subcall function 00DF1C56: wcscpy_s.UCRTBASE_CLR0400(00DF2EB0,00000000,00000004,00000004,00000000,?,?,00000000,?,00DF1C45,00000004,00000004,00E0453C,00DFC770,00000024,00000000), ref: 00DF1CAB
Strings
  • Error: The specified file or directory ", xrefs: 00DF75F7
  • " is invalid., xrefs: 00DF7619
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: AttributesFileFullNamePathwcscpy_s
  • String ID: " is invalid.$Error: The specified file or directory "
  • API String ID: 3351666927-24183672
  • Opcode ID: 47a2c9d82bfd8aa3a65f51e396cdc711d113b2f2cb1bfed128be4e23f6c9760c
  • Instruction ID: ffe19672917d545cb72d7845f6620c867b93ebe1973f5771627c3aeab29550e9
  • Opcode Fuzzy Hash: 47a2c9d82bfd8aa3a65f51e396cdc711d113b2f2cb1bfed128be4e23f6c9760c
  • Instruction Fuzzy Hash: 152124F4A4022C8ADB20DF14DC857EDB6B4EB08304F9181EAE709A6141D7704E898F78
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
			E00E044B0(void* __ebx, signed short __ecx, signed short __edx, void* __edi, void* __esi) {
				signed int _v8;
				void* _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				signed short _t32;
				intOrPtr* _t37;
				signed int _t44;
				intOrPtr _t45;
				void* _t46;
				char _t48;
				signed int _t64;
				void* _t67;
				void* _t68;
				signed short _t71;
				signed short _t76;
				signed short _t84;
				void* _t85;
				signed short _t86;
				void* _t87;
				signed short _t88;
				signed short _t96;

				_t87 = __esi;
				_t85 = __edi;
				_t84 = __edx;
				_t67 = __ebx;
				_t32 = __ecx;
				_push(__ecx);
				if(__ecx == 8) {
					L6();
				}
				if(_t32 > 0) {
					_t32 = _t32 & 0x0000ffff | 0x80070000;
					_t96 = _t32;
				}
				_t70 = _t32;
				L00E042D0(_t67, _t32, _t84, _t85, _t87);
				asm("int3");
				_t71 = GetLastError();
				E00E044B0(_t67, _t71, _t84, _t85, _t87, _t70);
				asm("int3");
				_push(_t71);
				 *0xe0f5a4 = 0x8007000e;
				_v8 = E00E0146C(_t71, _t85, _t87, _t96);
				_t37 =  &_v8;
				_push(0xe0450c);
				_push(_t37);
				L00E07E84();
				asm("int3");
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				asm("aam 0xe2");
				asm("loopne 0x2");
				_push(0x24);
				E00DF1BCF(E00E0B187, _t67, _t71, _t85, _t87);
				_t88 = _t84;
				_t86 = _t71;
				_push(0xdfc770);
				E00DF1C0C(_t67,  &_v52, _t86, _t88, _t96);
				_v8 = _v8 & 0x00000000;
				E00DF59E1(_t88,  &_v52);
				_v8 = _v8 | 0xffffffff;
				_t74 =  &_v52;
				E00DF1A07();
				_t44 = 2;
				_v36 = _t44;
				_v32 = _t44;
				_v28 = 0x10;
				_v24 = 0xdf2eb0;
				_v8 = _t44;
				if(_t86 >= 0 || (_t86 & 0x1fff0000) != 0x130000) {
					L11:
					_t45 =  *0xe0f0f0; // 0x0
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t86);
					_t46 = E00E00971(_t67,  &_v36, _t86, _t88, __eflags);
				} else {
					_t64 = _t86 & 0x0000ffff;
					_t99 = _t64 - 0x3000;
					if(_t64 >= 0x3000) {
						goto L11;
					} else {
						_t46 = E00E0634F( &_v36, _t99,  &_v52, _t64 + 0x6000);
					}
				}
				_t76 = _t86;
				_t68 = _t46;
				_v20 = E00E0179B(_t76);
				_t100 = _t68;
				if(_t68 != 0) {
					E00DF1B32(_t68, _t88, _t86,  &_v36);
					_push(0xe046b8);
					_t76 = _t88;
					E00DF52F0(_t68, _t76, _t86, _t88, _t100);
				}
				_t48 = 2;
				_v52 = _t48;
				_v48 = _t48;
				_v44 = 0x10;
				_v40 = 0xdf2eb0;
				_v8 = 4;
				_push(0x1709);
				_push(_t76);
				_push(_t76);
				E00E06369(_t68,  &_v52, _t86, _t88, _t100);
				E00DF1B32(_t68, _t88, _t86,  &_v52);
				E00DF17F5(_t88, L"0x%.8X", _t86);
				_t53 = _v20;
				if(_v20 != 0) {
					E00DF17F5(_t88, L" (%S)", _t53);
				}
				_t102 = _t68;
				if(_t68 != 0) {
					_push(")");
					E00DF52F0(_t68, _t88, _t86, _t88, _t102);
				}
				_v8 = 2;
				E00DF1A07();
				_v8 = _v8 | 0xffffffff;
				E00DF1A07();
				return E00DF1687();
			}

APIs
  • GetLastError.KERNEL32(?,00E005E0,?,?,00000010,?,?,?,00DFB79F,?), ref: 00E044D2
  • _CxxThrowException.VCRUNTIME140_CLR0400(00000000,00E0450C,?,?,00DFB3F9,00000004,00000000,00000004,00000004,?,00DF186F,00000004,?,?,?,00DF755E), ref: 00E04505
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ErrorExceptionLastThrow
  • String ID: (%S)$0x%.8X
  • API String ID: 256353096-2048090024
  • Opcode ID: 1d76bf103b6aa285a17b4dd88f434c94271e6da13c51214bd6ca3451f9b75e28
  • Instruction ID: 473052afa5cda35cc6dd218a4e0997e6220befd39a13ca7c6a8579e9004ba987
  • Opcode Fuzzy Hash: 1d76bf103b6aa285a17b4dd88f434c94271e6da13c51214bd6ca3451f9b75e28
  • Instruction Fuzzy Hash: 794188F49112189BDB25EB60DD16BAE76B8AF05310F0051D9B309F62D2EA749EC48EB4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 69%
			E00DF28A1(void* __ebx, signed short* __ecx, signed short __edi, void* __esi, void* __eflags) {
				signed int _t56;
				intOrPtr _t62;
				void* _t72;
				intOrPtr _t73;
				signed short* _t74;
				void* _t82;
				signed short _t85;
				void* _t86;
				signed short* _t88;
				void* _t90;

				_t85 = __edi;
				_t74 = __ecx;
				_t72 = __ebx;
				_push(0x140);
				_t56 = E00DF1718(E00E0BB86, __ebx, __ecx, __edi, __esi);
				_t88 = _t74;
				if( *_t88 == 0) {
					L18:
					return E00DF1679();
				} else {
					__edi = E00DF16C5(__ebx, __ecx, __edi, __esi, __eflags);
					 *(__ebp - 0x124) = __edi;
					__eflags = __edi - 0xffffffff;
					if(__edi == 0xffffffff) {
						goto L18;
					}
					__ebx = 0;
					__eflags =  *(__esi + 0x48) & 0x0000000f;
					if(( *(__esi + 0x48) & 0x0000000f) == 0) {
						__eax = __ebp - 0x138;
						__imp__GetFileSizeEx(__edi, __eax);
						__eflags = __eax;
						if(__eax == 0) {
							goto L5;
						}
						__eax =  *(__esi + 0x44);
						__eflags =  *(__ebp - 0x134);
						if(__eflags < 0) {
							goto L5;
						}
						if(__eflags > 0) {
							L24:
							__eax = CloseHandle(__edi);
							__ecx = __esi;
							__eax = E00E05B9A(__ebx, __esi, __edi, __esi, __eflags, 1);
							__ecx = __esi;
							__eax = E00DF16C5(__ebx, __esi, __edi, __esi, __eflags);
							__edi = __eax;
							 *(__ebp - 0x124) = __eax;
							__eflags = __edi - 0xffffffff;
							if(__edi != 0xffffffff) {
								goto L5;
							}
							goto L18;
						}
						__eflags =  *(__ebp - 0x138) - __eax;
						if(__eflags <= 0) {
							goto L5;
						}
						goto L24;
					}
					L5:
					_t5 = __esi + 0x48;
					 *_t5 =  *(__esi + 0x48) + 1;
					__eflags =  *_t5;
					__esi =  *(__ebp + 8);
					__ecx = __esi;
					__edx = __ecx + 2;
					do {
						__ax =  *__ecx;
						__ecx = __ecx + 2;
						__eflags = __ax - __bx;
					} while (__eflags != 0);
					__ecx = __ecx - __edx;
					__ecx = __ecx >> 1;
					__edx = 2;
					__eax = 1 + __ecx * 2;
					__ecx = 0;
					_t11 = __eax * __edx;
					__edx = __eax * __edx >> 0x20;
					__eax = _t11;
					0 | __eflags > 0x00000000 =  ~(__eflags > 0);
					__ecx =  ~(__eflags > 0) | _t11;
					__ebx = E00DF1833(__ebx,  ~(__eflags > 0) | _t11, __edx, __edi, __esi);
					__edx = 0;
					 *(__ebp - 0x12c) = __ebx;
					 *((intOrPtr*)(__ebp - 0x128)) = 0;
					__eflags = __ebx;
					if(__ebx != 0) {
						 *((intOrPtr*)(__ebp - 0x128)) = 1;
					}
					 *((intOrPtr*)(__ebp - 4)) = 3;
					__ecx = __ebx;
					__eax = __edx;
					__eflags =  *__esi - __dx;
					if(__eflags == 0) {
						L14:
						 *_t74 = 0;
						_push(_t73);
						E00DF1C0C(_t73, _t90 - 0x14c, _t86, _t88, _t94);
						 *(_t90 - 4) = 4;
						 *((intOrPtr*)(_t90 - 0x120)) = 0;
						 *((intOrPtr*)(_t90 - 0x11c)) = 0;
						 *((intOrPtr*)(_t90 - 0x118)) = 0;
						 *((intOrPtr*)(_t90 - 0x114)) = 0;
						 *((intOrPtr*)(_t90 - 0x11c)) = 0x100;
						 *((intOrPtr*)(_t90 - 0x114)) = _t90 - 0x110;
						 *(_t90 - 4) = 5;
						_t62 = 2;
						 *((intOrPtr*)(_t90 - 0x120)) = _t62;
						 *((short*)( *((intOrPtr*)(_t90 - 0x114)))) = 0;
						 *(_t90 - 4) = 8;
						 *(_t90 - 0x124) = 0;
						WriteFile(_t86, E00DF2DDB(_t90 - 0x14c, _t90 - 0x120, _t90 - 0x124),  *(_t90 - 0x124) - 1, _t90 - 0x13c, 0);
						CloseHandle(_t86);
						 *(_t90 - 4) = 4;
						E00DF1A07();
						 *(_t90 - 4) = 3;
						E00DF1A07();
						 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
						if( *((intOrPtr*)(_t90 - 0x128)) != 0) {
							if(_t73 != 0) {
								E00DF1480(_t73);
							}
							 *((intOrPtr*)(_t90 - 0x128)) = 0;
						}
						goto L18;
					} else {
						__ebx = 2;
						__edi = 0xd;
						do {
							__eflags =  *_t88 - 0xa;
							if(__eflags == 0) {
								if(_t56 != _t85) {
									 *_t74 = _t85;
									_t74 = _t74 + _t72;
								}
							}
							 *_t74 =  *_t88;
							_t74 = _t74 + _t72;
							_t56 =  *_t88 & 0x0000ffff;
							_t88 = _t88 + _t72;
							_t94 =  *_t88 - _t82;
						} while ( *_t88 != _t82);
						_t86 =  *(_t90 - 0x124);
						_t73 =  *((intOrPtr*)(_t90 - 0x12c));
						goto L14;
					}
				}
			}

APIs
    • Part of subcall function 00DF16C5: CreateFileW.KERNEL32(?,00000004,00000003,00000000,00000003,00000080,00000000,0000012C,00DF28C0,00000140,00DF2B4E,?,?,?), ref: 00DF1703
  • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?), ref: 00DF2A0B
  • CloseHandle.KERNEL32(00000000), ref: 00DF2A12
  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00DF36A5
  • CloseHandle.KERNEL32(00000000), ref: 00DFC024
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: File$CloseHandle$CreateSizeWrite
  • String ID:
  • API String ID: 212350632-0
  • Opcode ID: 932ab854e34ea0e5cad4909dfc7d2f5f948c6d49ab2431ef0167fcd12a318b6e
  • Instruction ID: 79606a00a59eb240ea534c203ca5850864c1aab55fe61d27474dcb641e6dbe5b
  • Opcode Fuzzy Hash: 932ab854e34ea0e5cad4909dfc7d2f5f948c6d49ab2431ef0167fcd12a318b6e
  • Instruction Fuzzy Hash: A9516B759012298BCB359F28CC457F9B7B4AF48710F0981E9E689A7291DB701EC5CFA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 66%
			E00E044D1(void* __ebx, void* __ecx, signed short __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				intOrPtr* _t35;
				signed int _t42;
				intOrPtr _t43;
				void* _t44;
				char _t46;
				signed int _t62;
				void* _t65;
				signed short _t67;
				signed short _t72;
				signed short _t80;
				signed short _t82;
				signed short _t84;
				void* _t90;

				_t90 = __eflags;
				_t83 = __esi;
				_t81 = __edi;
				_t80 = __edx;
				_t64 = __ebx;
				_t67 = GetLastError();
				E00E044B0(__ebx, _t67, _t80, __edi, __esi, __ecx);
				asm("int3");
				_push(_t67);
				 *0xe0f5a4 = 0x8007000e;
				_v8 = E00E0146C(_t67, __edi, __esi, _t90);
				_t35 =  &_v8;
				_push(0xe0450c);
				_push(_t35);
				L00E07E84();
				asm("int3");
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				asm("aam 0xe2");
				asm("loopne 0x2");
				_push(0x24);
				E00DF1BCF(E00E0B187, __ebx, _t67, _t81, _t83);
				_t84 = _t80;
				_t82 = _t67;
				_push(0xdfc770);
				E00DF1C0C(__ebx,  &_v52, _t82, _t84, _t90);
				_v8 = _v8 & 0x00000000;
				E00DF59E1(_t84,  &_v52);
				_v8 = _v8 | 0xffffffff;
				_t70 =  &_v52;
				E00DF1A07();
				_t42 = 2;
				_v36 = _t42;
				_v32 = _t42;
				_v28 = 0x10;
				_v24 = 0xdf2eb0;
				_v8 = _t42;
				if(_t82 >= 0 || (_t82 & 0x1fff0000) != 0x130000) {
					L6:
					_t43 =  *0xe0f0f0; // 0x0
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t82);
					_t44 = E00E00971(_t64,  &_v36, _t82, _t84, __eflags);
				} else {
					_t62 = _t82 & 0x0000ffff;
					_t93 = _t62 - 0x3000;
					if(_t62 >= 0x3000) {
						goto L6;
					} else {
						_t44 = E00E0634F( &_v36, _t93,  &_v52, _t62 + 0x6000);
					}
				}
				_t72 = _t82;
				_t65 = _t44;
				_v20 = E00E0179B(_t72);
				_t94 = _t65;
				if(_t65 != 0) {
					E00DF1B32(_t65, _t84, _t82,  &_v36);
					_push(0xe046b8);
					_t72 = _t84;
					E00DF52F0(_t65, _t72, _t82, _t84, _t94);
				}
				_t46 = 2;
				_v52 = _t46;
				_v48 = _t46;
				_v44 = 0x10;
				_v40 = 0xdf2eb0;
				_v8 = 4;
				_push(0x1709);
				_push(_t72);
				_push(_t72);
				E00E06369(_t65,  &_v52, _t82, _t84, _t94);
				E00DF1B32(_t65, _t84, _t82,  &_v52);
				E00DF17F5(_t84, L"0x%.8X", _t82);
				_t51 = _v20;
				if(_v20 != 0) {
					E00DF17F5(_t84, L" (%S)", _t51);
				}
				_t96 = _t65;
				if(_t65 != 0) {
					_push(")");
					E00DF52F0(_t65, _t84, _t82, _t84, _t96);
				}
				_v8 = 2;
				E00DF1A07();
				_v8 = _v8 | 0xffffffff;
				E00DF1A07();
				return E00DF1687();
			}

APIs
  • GetLastError.KERNEL32(?,00E005E0,?,?,00000010,?,?,?,00DFB79F,?), ref: 00E044D2
    • Part of subcall function 00E044B0: _CxxThrowException.VCRUNTIME140_CLR0400(00000000,00E0450C,?,?,00DFB3F9,00000004,00000000,00000004,00000004,?,00DF186F,00000004,?,?,?,00DF755E), ref: 00E04505
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: ErrorExceptionLastThrow
  • String ID: (%S)$0x%.8X
  • API String ID: 256353096-2048090024
  • Opcode ID: dd4aae8020966b870f2d1fe38e8d0874d101d31c413311b6c79ffb5cc780e8c9
  • Instruction ID: f494cc82dae913f64907faba5b988b475c494e4f32421498533c4a0dc2423001
  • Opcode Fuzzy Hash: dd4aae8020966b870f2d1fe38e8d0874d101d31c413311b6c79ffb5cc780e8c9
  • Instruction Fuzzy Hash: 6D4161F491121C9BCB25EB60DD56BAD76B8AF15310F0181D9A309B62C2EA745FC48EA8
Uniqueness

Uniqueness Score: -1.00%

APIs
  • wcsncpy_s.UCRTBASE_CLR0400(?,00000043,00DF2EB0,00000006,00000004,?,00000000), ref: 00E0009F
  • wcscat_s.UCRTBASE_CLR0400(?,00000043,?), ref: 00E000BB
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: wcscat_swcsncpy_s
  • String ID: NETFX.
  • API String ID: 1203174629-2320477842
  • Opcode ID: 8ac9f150365d443775dd528e536df6f9b1cab44766befbfd4716143bb6ea65d9
  • Instruction ID: 5adeb01d63f66527fa05afde6932158e5f44fc9ddbf712da634afbe00bf19efb
  • Opcode Fuzzy Hash: 8ac9f150365d443775dd528e536df6f9b1cab44766befbfd4716143bb6ea65d9
  • Instruction Fuzzy Hash: 2421D671A0021D9FDB24CF69DD41BEA73FAEF45304F0040A5EA09FB291E7B19E848B50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
			E00E05224(intOrPtr __edx, void* __edi, void* __esi, char _a12, intOrPtr* _a16, char _a20) {
				signed int _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				char _v84;
				signed int _t26;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t38;
				intOrPtr* _t39;
				void* _t44;
				signed int _t45;

				_t26 =  *0xe0f000; // 0x365ea2a8
				_v12 = _t26 ^ _t45;
				_t34 = _a16;
				_v80 =  &_v84;
				_v84 = __edx;
				_v76 = 0;
				_v72 = 4;
				_v68 = 0;
				_v64 =  &_a12;
				_v60 = 0;
				_v56 = 1;
				_v52 = 0;
				if(_t34 == 0) {
					_t38 = 5;
				} else {
					_t39 = _t34;
					_t44 = _t39 + 1;
					do {
						_t33 =  *_t39;
						_t39 = _t39 + 1;
					} while (_t33 != 0);
					_t38 = _t39 - _t44 + 1;
				}
				if(_t34 == 0) {
					_t34 = 0xe05308;
				}
				_t15 =  &_a20; // 0xe0595e
				_v48 = _t34;
				_v32 = _t15;
				_v44 = 0;
				_v40 = _t38;
				_v36 = 0;
				_v28 = 0;
				_v24 = 2;
				_v20 = 0;
				__imp__EventWrite(4,  &_v80);
				return E00DF13F0(_v12 ^ _t45, 0, 0, 0xe05310);
			}

APIs
  • EventWrite.ADVAPI32(00000000,00000000,00E05310,00000004,?,00000100,?), ref: 00E052ED
Strings
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: EventWrite
  • String ID: NULL$^Y
  • API String ID: 2971232827-2139950986
  • Opcode ID: 2b20c623e926b909954397bc67e7543de52f2c0a4e46539b256eac2e97c311af
  • Instruction ID: 9fd871fff675f8f68acd1a4da88f59f1eaddae29607e6b78be9ff74be42726e6
  • Opcode Fuzzy Hash: 2b20c623e926b909954397bc67e7543de52f2c0a4e46539b256eac2e97c311af
  • Instruction Fuzzy Hash: 2421F8B1D0122D8BDB24CF1A8C44BDAFBB8BF84310F0081DAD60DA6250D7755AC9CF54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 60%
			E00DF2A64(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t51;
				signed int _t57;
				void* _t62;
				void* _t65;

				_t65 = __eflags;
				_t51 = __ecx;
				_push(0x224);
				E00DF1718(E00E094FC, __ebx, __ecx, __edi, __esi);
				GetLocalTime(_t62 - 0x20);
				 *(_t62 - 0x230) = 0;
				 *((intOrPtr*)(_t62 - 0x22c)) = 0;
				 *((intOrPtr*)(_t62 - 0x228)) = 0;
				 *((intOrPtr*)(_t62 - 0x224)) = 0;
				 *((intOrPtr*)(_t62 - 0x22c)) = 0x200;
				 *((intOrPtr*)(_t62 - 0x224)) = _t62 - 0x220;
				 *(_t62 - 4) = 0;
				_t57 = 2;
				 *(_t62 - 0x230) = _t57;
				 *((short*)( *((intOrPtr*)(_t62 - 0x224)))) = 0;
				 *(_t62 - 4) = _t57;
				_push(GetCurrentProcessId());
				_push( *(_t62 - 0x12) & 0x0000ffff);
				_push( *(_t62 - 0x14) & 0x0000ffff);
				_push( *(_t62 - 0x16) & 0x0000ffff);
				_push( *(_t62 - 0x18) & 0x0000ffff);
				_push( *(_t62 - 0x20) & 0x0000ffff);
				_push( *(_t62 - 0x1a) & 0x0000ffff);
				E00DF2C9A(_t62 - 0x230, "%02hu/%02hu/%02hu %02hu:%02hu:%02hu.%03hu [%i]: ",  *(_t62 - 0x1e) & 0x0000ffff);
				_push( *((intOrPtr*)(_t62 + 0xc)));
				_push( *((intOrPtr*)(_t62 + 8)));
				E00DF175B(_t51, _t62 - 0x230,  *((intOrPtr*)(_t62 + 8)),  *((intOrPtr*)(_t62 + 0xc)), _t65);
				E00DF169F(_t62 - 0x230);
				E00DF28A1(_t51, _t51,  *((intOrPtr*)(_t62 + 8)),  *((intOrPtr*)(_t62 + 0xc)), _t65,  *((intOrPtr*)(_t62 - 0x224)));
				 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
				E00DF1A07();
				return E00DF1679();
			}

APIs
  • GetLocalTime.KERNEL32(?,00000224,00DF571B,?,?), ref: 00DF2A82
  • GetCurrentProcessId.KERNEL32 ref: 00DF2AD6
    • Part of subcall function 00DF28A1: WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?), ref: 00DF2A0B
    • Part of subcall function 00DF28A1: CloseHandle.KERNEL32(00000000), ref: 00DF2A12
Strings
  • %02hu/%02hu/%02hu %02hu:%02hu:%02hu.%03hu [%i]: , xrefs: 00DF2B1B
Memory Dump Source
  • Source File: 00000000.00000002.558414662.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
  • Associated: 00000000.00000002.558407431.0000000000DF0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.558436034.0000000000E0F000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.558443631.0000000000E11000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_df0000_ngen.jbxd
Similarity
  • API ID: CloseCurrentFileHandleLocalProcessTimeWrite
  • String ID: %02hu/%02hu/%02hu %02hu:%02hu:%02hu.%03hu [%i]:
  • API String ID: 367727280-1408566355
  • Opcode ID: 3c7a855b8e376f953b7fcc4f078e05a2e8c7b8bc82a0af95d992d55d24ddcb21
  • Instruction ID: 049261a53ccfb3b783e3e664e246dd9e4d48d8c4764b50ecac052fd632d234ee
  • Opcode Fuzzy Hash: 3c7a855b8e376f953b7fcc4f078e05a2e8c7b8bc82a0af95d992d55d24ddcb21
  • Instruction Fuzzy Hash: 7121B77580022CAACB24AF95DC99BFDB7F8AF0C701F0180D9B609A6291D7385E85DF34
Uniqueness

Uniqueness Score: -1.00%