Edit tour

Windows Analysis Report
6LTym8YhUJ.exe

Overview

General Information

Sample Name:	6LTym8YhUJ.exe
Analysis ID:	654950
MD5:	1b35d7b6c5252ef4cca1d703c4134f6f
SHA1:	38344e5a27ed51c6e4e335573478ad3b6f8a7767
SHA256:	07a029536d442a18485d88a48362cd84a184a6e54695496b1462b7f6d9a2c2c1
Tags:	exeSocelars
Infos:

Detection

Socelars

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Yara detected Socelars

Machine Learning detection for sample

May check the online IP address of the machine

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Enables driver privileges

PE file contains strange resources

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Enables security privileges

Found large amount of non-executed APIs

Classification

Process Tree

System is w10x64

6LTym8YhUJ.exe (PID: 2572 cmdline: "C:\Users\user\Desktop\6LTym8YhUJ.exe" MD5: 1B35D7B6C5252EF4CCA1D703C4134F6F)

WerFault.exe (PID: 6076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1912 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Socelars

{"C2 url": "http://ngdatas.pw/"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
6LTym8YhUJ.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6LTym8YhUJ.exe	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
6LTym8YhUJ.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x144558:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1445a8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x143340:$s1: CoGetObject 0x144414:$s2: Elevation:Administrator!new:

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.271855497.0000000001126000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000000.270071748.0000000001126000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000000.256990699.0000000001126000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000000.00000000.271817051.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000000.00000000.256862432.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000000.00000000.270001473.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
Process Memory Space: 6LTym8YhUJ.exe PID: 2572	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: 6LTym8YhUJ.exe PID: 2572	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.6LTym8YhUJ.exe.fe0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.6LTym8YhUJ.exe.fe0000.0.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
0.2.6LTym8YhUJ.exe.fe0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x144558:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1445a8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x143340:$s1: CoGetObject 0x144414:$s2: Elevation:Administrator!new:
0.0.6LTym8YhUJ.exe.fe0000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.6LTym8YhUJ.exe.fe0000.2.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
0.0.6LTym8YhUJ.exe.fe0000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x144558:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1445a8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x143340:$s1: CoGetObject 0x144414:$s2: Elevation:Administrator!new:
0.0.6LTym8YhUJ.exe.fe0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.6LTym8YhUJ.exe.fe0000.0.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
0.0.6LTym8YhUJ.exe.fe0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x144558:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1445a8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x143340:$s1: CoGetObject 0x144414:$s2: Elevation:Administrator!new:
0.0.6LTym8YhUJ.exe.fe0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.6LTym8YhUJ.exe.fe0000.1.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
0.0.6LTym8YhUJ.exe.fe0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x144558:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1445a8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x143340:$s1: CoGetObject 0x144414:$s2: Elevation:Administrator!new:
Click to see the 7 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6LTym8YhUJ.exe

ReversingLabs: Detection: 84%

Antivirus / Scanner detection for submitted sample

Source: 6LTym8YhUJ.exe	Avira: detected
Source: 6LTym8YhUJ.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP

URL Reputation: Label: malware

Machine Learning detection for sample

Source: 6LTym8YhUJ.exe

Joe Sandbox ML: detected

Source: 0.2.6LTym8YhUJ.exe.fe0000.0.unpack	Avira: Label: JS/SpyBanker.G2
Source: 0.0.6LTym8YhUJ.exe.fe0000.0.unpack	Avira: Label: JS/SpyBanker.G2
Source: 0.0.6LTym8YhUJ.exe.fe0000.1.unpack	Avira: Label: JS/SpyBanker.G2
Source: 0.0.6LTym8YhUJ.exe.fe0000.2.unpack	Avira: Label: JS/SpyBanker.G2

Source: 6LTym8YhUJ.exe

Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 6LTym8YhUJ.exe, type: SAMPLE
Source: Yara match	File source: 0.2.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6LTym8YhUJ.exe.fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6LTym8YhUJ.exe.fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.271855497.0000000001126000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270071748.0000000001126000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256990699.0000000001126000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6LTym8YhUJ.exe PID: 2572, type: MEMORYSTR

Source: 6LTym8YhUJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.4:49759 version: TLS 1.2

Source: 6LTym8YhUJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

May check the online IP address of the machine

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

DNS query: name: iplogger.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://ngdatas.pw/

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83
Source: Joe Sandbox View	IP Address: 148.251.234.83 148.251.234.83

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.icodeps.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1DnXg7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: 6LTym8YhUJ.exe

String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: 6LTym8YhUJ.exe, 00000000.00000000.270818657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.266848446.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000002.340951721.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.267639324.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 6LTym8YhUJ.exe	String found in binary or memory: http://ngdatas.pw/
Source: 6LTym8YhUJ.exe	String found in binary or memory: http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: 6LTym8YhUJ.exe	String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: 6LTym8YhUJ.exe	String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: 6LTym8YhUJ.exe	String found in binary or memory: http://www.mkpmc.com
Source: 6LTym8YhUJ.exe	String found in binary or memory: http://www.mkpmc.com/Home/Index/getdata
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://htyjh.s3.ap-south-1.amazonaws.com/613fdh2
Source: 6LTym8YhUJ.exe, 00000000.00000000.270818657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000002.340951721.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.267639324.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/12QMs7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/12TMs7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/143up7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/14Jup7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/169Bx7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1746b7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1756b7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/19iM77
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1BBCf7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1CDGu7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1CUGu7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Cr3a7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1DEXg7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1DQXg7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Dk7g7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Dm7g7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Dn7g7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1DnXg7
Source: 6LTym8YhUJ.exe, 00000000.00000000.270818657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000002.340951721.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.267639324.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1DnXg7k_
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Dv7g7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1E2ma7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1ELna7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1G7Sc7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1GWfv7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1GaLz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Gbzj7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Gczj7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Ghzj7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1GiLz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Gjzj7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1H3Fa7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1HQGc7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1HWGc7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1J2q67
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1J9q67
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1JD967
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Jeq67
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1LvRk7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1N3J25
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1NaYz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1NpYz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1NsYz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1NuYz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1NyYz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Pdet7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1RWXp7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1SWks7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Smzs7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Sxzs7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1TBch7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1TCch7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1TW3i7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1TXch7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Tkij7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1VPXi7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1XJq97
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1YkFc7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1Z7qd7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1b4887
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1bV787
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1fHtp7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1ibws7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1lcZz
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1mxKf7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1nnRF4
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1ntLF4
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1nvRF4
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1pcji7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1pdxr7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1q6Jt7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1rDMq7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1rd8N6
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1rqRg7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1s4qp7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1s5qp7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1spuy7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1tAnk7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1tEnk7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1tSnk7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1tTnk7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1tUnk7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1uS4i7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1uW6i7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1vb2Q7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1vk2Q7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1vv2Q7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1vx2Q7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1x5bg7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1xWbz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://iplogger.org/1xvbz7
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://lgfftg.s3.eu-west-3.amazonaws.com/613jyr1
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://lgfftg.s3.eu-west-3.amazonaws.com/613jyr1https://htyjh.s3.ap-south-1.amazonaws.com/613fdh2ht
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://prntscr.com/upload.php
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://prntscr.com/upload.phphttps://prntscr.com/upload.php
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://sa-us-bucket.s3.us-east-2.amazonaws.com/hdherf623
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://uewrgu.s3.us-west-2.amazonaws.com/613dge3
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://www.amazon.com/
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://www.aol.com
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://www.google.com
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://www.google.com/search?q=admob&oq=admob
Source: 6LTym8YhUJ.exe	String found in binary or memory: https://www.icodeps.com/

Source: unknown

DNS traffic detected: queries for: www.icodeps.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.icodeps.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1DnXg7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.4:49759 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 6LTym8YhUJ.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.6LTym8YhUJ.exe.fe0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.6LTym8YhUJ.exe.fe0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: 6LTym8YhUJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6LTym8YhUJ.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.6LTym8YhUJ.exe.fe0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.6LTym8YhUJ.exe.fe0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1912

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_00FEB4D0	0_2_00FEB4D0
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_00FECC40	0_2_00FECC40
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_00FE2410	0_2_00FE2410
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_010D0C7E	0_2_010D0C7E
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_00FEA540	0_2_00FEA540
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_010D2BE0	0_2_010D2BE0
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_00FE8F40	0_2_00FE8F40
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_00FE7B10	0_2_00FE7B10

Source: 6LTym8YhUJ.exe

Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Process token adjusted: Load Driver

Jump to behavior

Source: 6LTym8YhUJ.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Process token adjusted: Security

Jump to behavior

Source: 6LTym8YhUJ.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6LTym8YhUJ.exe "C:\Users\user\Desktop\6LTym8YhUJ.exe"
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1912

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E3B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.winEXE@2/4@2/2

Source: 6LTym8YhUJ.exe, 00000000.00000000.270001473.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, 6LTym8YhUJ.exe, 00000000.00000000.256862432.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 6LTym8YhUJ.exe, 00000000.00000000.270001473.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, 6LTym8YhUJ.exe, 00000000.00000000.256862432.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: 6LTym8YhUJ.exe, 00000000.00000000.270001473.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, 6LTym8YhUJ.exe, 00000000.00000000.256862432.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 6LTym8YhUJ.exe, 00000000.00000000.270001473.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, 6LTym8YhUJ.exe, 00000000.00000000.256862432.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 6LTym8YhUJ.exe, 00000000.00000000.270001473.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, 6LTym8YhUJ.exe, 00000000.00000000.256862432.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2572
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Mutant created: \Sessions\1\BaseNamedObjects\patatoes

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 6LTym8YhUJ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 6LTym8YhUJ.exe

Static file information: File size 1794048 > 1048576

Source: 6LTym8YhUJ.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x112800

Source: 6LTym8YhUJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6LTym8YhUJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6LTym8YhUJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6LTym8YhUJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6LTym8YhUJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6LTym8YhUJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6LTym8YhUJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 6LTym8YhUJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 6LTym8YhUJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6LTym8YhUJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6LTym8YhUJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6LTym8YhUJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6LTym8YhUJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 6LTym8YhUJ.exe	Static PE information: section name: .lcnrhtx
Source: 6LTym8YhUJ.exe	Static PE information: section name: .lcnrhtx

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Code function: 0_2_010CBBC6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_010CBBC6

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_010E2818 mov eax, dword ptr fs:[00000030h]		0_2_010E2818
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_010D86F7 mov eax, dword ptr fs:[00000030h]		0_2_010D86F7

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_010CBBC6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_010CBBC6
Source: C:\Users\user\Desktop\6LTym8YhUJ.exe	Code function: 0_2_010C5292 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_010C5292

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Code function: 0_2_010C6624 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_010C6624

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe

Code function: 0_2_010E2D00 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_010E2D00

Stealing of Sensitive Information

Yara detected Socelars

Source: Yara match	File source: 6LTym8YhUJ.exe, type: SAMPLE
Source: Yara match	File source: 0.2.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6LTym8YhUJ.exe.fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6LTym8YhUJ.exe.fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.271817051.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256862432.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270001473.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6LTym8YhUJ.exe PID: 2572, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 LSASS Driver	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 LSASS Driver	1 Process Injection	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
6LTym8YhUJ.exe	84%	ReversingLabs	Win32.Trojan.RedLineStealer
6LTym8YhUJ.exe	100%	Avira	HEUR/AGEN.1213343
6LTym8YhUJ.exe	100%	Avira	JS/SpyBanker.G2
6LTym8YhUJ.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.6LTym8YhUJ.exe.fe0000.0.unpack	100%	Avira	HEUR/AGEN.1213343	Download File
0.2.6LTym8YhUJ.exe.fe0000.0.unpack	100%	Avira	JS/SpyBanker.G2	Download File
0.0.6LTym8YhUJ.exe.fe0000.0.unpack	100%	Avira	HEUR/AGEN.1213343	Download File
0.0.6LTym8YhUJ.exe.fe0000.0.unpack	100%	Avira	JS/SpyBanker.G2	Download File
0.0.6LTym8YhUJ.exe.fe0000.1.unpack	100%	Avira	HEUR/AGEN.1213343	Download File
0.0.6LTym8YhUJ.exe.fe0000.1.unpack	100%	Avira	JS/SpyBanker.G2	Download File
0.0.6LTym8YhUJ.exe.fe0000.2.unpack	100%	Avira	HEUR/AGEN.1213343	Download File
0.0.6LTym8YhUJ.exe.fe0000.2.unpack	100%	Avira	JS/SpyBanker.G2	Download File

URLs

Source	Detection	Scanner	Label
http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	100%	URL Reputation	malware
http://www.mkpmc.com	0%	URL Reputation	safe
http://www.mkpmc.com/Home/Index/getdata	0%	URL Reputation	safe
http://www.channelinfo.pw/index.php/Home/Index/getExe	0%	URL Reputation	safe
https://www.icodeps.com/	0%	URL Reputation	safe
http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband	0%	URL Reputation	safe
http://ngdatas.pw/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iplogger.org	148.251.234.83	true	false		high
www.icodeps.com	149.28.253.196	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.icodeps.com/	false	URL Reputation: safe	unknown
http://ngdatas.pw/	true	URL Reputation: safe	unknown
https://iplogger.org/1DnXg7	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://iplogger.org/1tUnk7	6LTym8YhUJ.exe	false		high
https://iplogger.org/12QMs7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1E2ma7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1TBch7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1nnRF4	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Cr3a7	6LTym8YhUJ.exe	false		high
https://uewrgu.s3.us-west-2.amazonaws.com/613dge3	6LTym8YhUJ.exe	false		high
https://iplogger.org/1fHtp7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1NsYz7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Tkij7	6LTym8YhUJ.exe	false		high
https://www.google.com	6LTym8YhUJ.exe	false		high
https://iplogger.org/1pcji7	6LTym8YhUJ.exe	false		high
https://iplogger.org/12TMs7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1LvRk7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1GWfv7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1nvRF4	6LTym8YhUJ.exe	false		high
https://iplogger.org/1b4887	6LTym8YhUJ.exe	false		high
https://iplogger.org/1pdxr7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1rqRg7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1J2q67	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Jeq67	6LTym8YhUJ.exe	false		high
https://iplogger.org/1NpYz7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1746b7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1xvbz7	6LTym8YhUJ.exe	false		high
http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	6LTym8YhUJ.exe	true	URL Reputation: malware	unknown
http://www.mkpmc.com	6LTym8YhUJ.exe	false	URL Reputation: safe	unknown
https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog	6LTym8YhUJ.exe	false		high
https://iplogger.org/1s4qp7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1uS4i7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1uW6i7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1tSnk7	6LTym8YhUJ.exe	false		high
https://www.amazon.com/	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Ghzj7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1DnXg7k_	6LTym8YhUJ.exe, 00000000.00000000.270818657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000002.340951721.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.267639324.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.org/1TW3i7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1mxKf7	6LTym8YhUJ.exe	false		high
http://www.mkpmc.com/Home/Index/getdata	6LTym8YhUJ.exe	false	URL Reputation: safe	unknown
https://iplogger.org/1vk2Q7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1NyYz7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1J9q67	6LTym8YhUJ.exe	false		high
https://prntscr.com/upload.php	6LTym8YhUJ.exe	false		high
https://iplogger.org/1ELna7	6LTym8YhUJ.exe	false		high
https://sm.ms/api/v2/upload?inajax=1	6LTym8YhUJ.exe	false		high
https://www.google.com/search?q=admob&oq=admob	6LTym8YhUJ.exe	false		high
https://iplogger.org/14Jup7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1SWks7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1ntLF4	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Gczj7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1YkFc7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1CDGu7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1vv2Q7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1N3J25	6LTym8YhUJ.exe	false		high
https://iplogger.org/1tEnk7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Gjzj7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1756b7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1DEXg7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Gbzj7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1spuy7	6LTym8YhUJ.exe	false		high
http://www.channelinfo.pw/index.php/Home/Index/getExe	6LTym8YhUJ.exe	false	URL Reputation: safe	unknown
https://iplogger.org/	6LTym8YhUJ.exe, 00000000.00000000.270818657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000002.340951721.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.267639324.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.org/1XJq97	6LTym8YhUJ.exe	false		high
https://iplogger.org/1BBCf7	6LTym8YhUJ.exe	false		high
https://lgfftg.s3.eu-west-3.amazonaws.com/613jyr1https://htyjh.s3.ap-south-1.amazonaws.com/613fdh2ht	6LTym8YhUJ.exe	false		high
https://iplogger.org/143up7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Dm7g7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1HWGc7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1NaYz7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1s5qp7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1TCch7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1G7Sc7	6LTym8YhUJ.exe	false		high
https://lgfftg.s3.eu-west-3.amazonaws.com/613jyr1	6LTym8YhUJ.exe	false		high
https://iplogger.org/1H3Fa7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1rd8N6	6LTym8YhUJ.exe	false		high
https://iplogger.org/1xWbz7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Pdet7	6LTym8YhUJ.exe	false		high
http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband	6LTym8YhUJ.exe	false	URL Reputation: safe	unknown
https://iplogger.org/1x5bg7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1vx2Q7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1JD967	6LTym8YhUJ.exe	false		high
https://iplogger.org/19iM77	6LTym8YhUJ.exe	false		high
https://iplogger.org/169Bx7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Dn7g7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1rDMq7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1lcZz	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Z7qd7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1q6Jt7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1CUGu7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1NuYz7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1bV787	6LTym8YhUJ.exe	false		high
https://iplogger.org/1Dk7g7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1VPXi7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1tAnk7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1TXch7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1ibws7	6LTym8YhUJ.exe	false		high
https://htyjh.s3.ap-south-1.amazonaws.com/613fdh2	6LTym8YhUJ.exe	false		high
https://iplogger.org/1tTnk7	6LTym8YhUJ.exe	false		high
https://iplogger.org/1DQXg7	6LTym8YhUJ.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
148.251.234.83	iplogger.org	Germany		24940	HETZNER-ASDE	false
149.28.253.196	www.icodeps.com	United States		20473	AS-CHOOPAUS	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	654950
Start date and time: 30/06/202210:48:12	2022-06-30 10:48:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6LTym8YhUJ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.winEXE@2/4@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 35.3% (good quality ratio 32.4%) Quality average: 75.7% Quality standard deviation: 32.4%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.89.179.12
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 6LTym8YhUJ.exe

Simulations

Behavior and APIs

Time	Type	Description
10:50:05	API Interceptor	1x Sleep call for process: WerFault.exe modified

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6LTym8YhUJ.exe_db919e54df72560cff6fb42bbc6c1cd6c16e99c_4c701d04_17d79ec8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0261424977756217
Encrypted:	false
SSDEEP:	192:Qkeyxne7IHBUZMXQjmH6v8/u7sNS274It0:5eie7wBUZMXQj18/u7sNX4It0
MD5:	220CF8321B8ACB1E2E43EC3C337E9E33
SHA1:	5179099B0C3527635738B8A45490606779FC0A18
SHA-256:	4C03C78F96A0CB4F566FA84630F400F752FCAD833A37CDBCF402489F585EE6AB
SHA-512:	B377BA5D98128BA29D9BA2BC00FE1CBC93BEAABFF5060D371AE7DC46558633741408079A7E9BD55D4941C231A93E52DB6AE74940220B25272C0DCBD4DFBA4FC7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.1.0.5.2.5.7.6.8.1.8.0.8.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.1.0.5.2.5.7.9.3.8.0.5.3.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.c.1.5.b.0.f.-.d.9.f.4.-.4.7.0.9.-.a.7.4.0.-.d.7.7.8.0.f.1.0.c.b.4.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.c.c.b.2.d.2.-.7.4.6.d.-.4.3.f.2.-.a.1.f.e.-.b.d.0.0.8.0.d.a.e.3.a.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.L.T.y.m.8.Y.h.U.J...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.0.c.-.0.0.0.1.-.0.0.1.c.-.a.8.4.4.-.6.c.4.d.5.e.8.c.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.0.3.3.8.2.f.9.0.9.c.b.b.5.5.1.d.a.6.e.d.2.8.c.d.1.9.3.2.9.9.5.0.0.0.0.0.9.0.4.!.0.0.0.0.3.8.3.4.4.e.5.a.2.7.e.d.5.1.c.6.e.4.e.3.3.5.5.7.3.4.7.8.a.d.3.b.6.f.8.a.7.7.6.7.!.6.L.T.y.m.8.Y.h.U.J...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E3B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jun 30 08:49:38 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	134122
Entropy (8bit):	1.932888748089032
Encrypted:	false
SSDEEP:	384:OgXvGz6GkPx/Xb3XOyQuWOXV5bShDW657VCbqH/Y5pWYgVMSR:K6GkPx/j+tuWKV5bShKw6qHgCYdSR
MD5:	284A7F520F1949806E8D40CFA8A1FCCE
SHA1:	88CAB578D77517737BFC0A1B308D99A064550A10
SHA-256:	1F1FEA678D07DE0C79C6D3141316910EB86B634271ABB6475B191FFFAA841A03
SHA-512:	8E13587F2A436A69F86A4C301FA23E0BEBC3AD355ECDF56862F81FBB6C3A9C2EAA679E7F7212651B77717EC369EF366664E340B3501274E56509CDDCD0237800
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........c.b............D...........,...L............Q..........T.......8...........T............K..b...........x#..........d%...................................................................U...........B.......%......GenuineIntelW...........T............c.b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3512.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8298
Entropy (8bit):	3.70473847464356
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNinm6r6Y4WSU9GvugmfJSx+prq89bTgsfleyjxm:RrlsNim6r6Y5SU9GvugmfJSWTzfleR
MD5:	556DF506E6F14D4624FBA01F6B48F4F7
SHA1:	AF043E715F8E8B45F2FC9BF464A0192D5B79AFF1
SHA-256:	E4BAEB99AF236D0440F4C1D0A23DC4A718DF6E6395D8B822C21C921163420D45
SHA-512:	84895E9DF831BB165C432E450D97FEB3934B78F5CBB08BEF64687863C52DD314677B1F390DA01B6B51388CC78882AD6A53390DF10B6BDEA5B127C20C3CFDDAED
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.7.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER367A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4563
Entropy (8bit):	4.469173951230425
Encrypted:	false
SSDEEP:	48:cvIwSD8zs0JgtWI9ScWgc8sqYjl8fm8M4J+EFT+q8Y5O0O13lr2d:uITfyNVgrsqYOJlnO0O1x2d
MD5:	CEE44E637D747F90FEBA6C10CC95ACD5
SHA1:	6B66FAF24AFCFBF03DCCE4FB0EA10014368469E3
SHA-256:	9BE2844FEAB96C048DA415DC9A65732AAD87C83C17057B8B73F80579A40757A3
SHA-512:	90177DE158F6674DAD5A991FFCBB5C904D1F38F386D3CBBC64F0CA0606AF56AC37F5B13ABEE836E5076C5A5CF13427CD11538D606EC1392941C7108F604AE248
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1582200" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.247600157214999
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6LTym8YhUJ.exe
File size:	1794048
MD5:	1b35d7b6c5252ef4cca1d703c4134f6f
SHA1:	38344e5a27ed51c6e4e335573478ad3b6f8a7767
SHA256:	07a029536d442a18485d88a48362cd84a184a6e54695496b1462b7f6d9a2c2c1
SHA512:	f51749dc881f227a9de1eb124e631d2ae928df2460e01c6e14884f4ff5d3506bd0aa15f1ebe214c941f69b7dc2f20ff9142dedb748cd4be6f63977cf15982ab5
SSDEEP:	24576:7DpA+VrcE2Htvuz/3GZ2IbEeC0pt8uvTvoKBPtJjVaXR4A0:XpPwDMJBMj/BPtlEXmV
TLSH:	8C859E13F6425037EAE3007286BEC6BA8D287D21034464F7D3E47A6E5E715E23B3665B
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........@...............-.......+.w.....+..............-.......&..............(......./......./.7.....*.......+....................

File Icon


Icon Hash:	b2b2be7676feb200

Static PE Info

General

Entrypoint:	0x4e61d3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62BAB044 [Tue Jun 28 07:39:48 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d69e4c13e25f0ad622344ac56118c0df

Entrypoint Preview

Instruction
call 00007F9B7C947D3Eh
jmp 00007F9B7C947719h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00528A8Ch
mov dword ptr [ecx], 0051A520h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F9B7C94787Fh
push 00543AECh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F9B7C949723h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F9B7C8F75B5h
push 0053FDBCh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F9B7C949706h
int3
int3
push 004EA1C0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00546944h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [0054C4D0h], 00000000h
sub esp, 24h
or dword ptr [00546960h], 01h
push 0000000Ah
call dword ptr [0051A1D4h]
test eax, eax
je 00007F9B7C947A4Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x144484	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14f000	0x66e40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1b6000	0x8164	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13d7d0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x13d900	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13d808	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x30c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x112641	0x112800	False	0.5049059369307832	data	6.558925589349701	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.lcnrhtx	0x114000	0x58ba	0x5a00	False	0.4671875	data	6.010808957488555	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11a000	0x2b642	0x2b800	False	0.44691204202586204	data	5.812121988451388	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x146000	0x77e4	0x2e00	False	0.2523777173913043	PGP symmetric key encrypted data - Plaintext or unencrypted data	3.885922022775808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.lcnrhtx	0x14e000	0x50	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14f000	0x66e40	0x67000	False	0.1663522072208738	data	4.064978480186063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1b6000	0x8164	0x8200	False	0.7056189903846154	data	6.654496134831818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
ZIP	0x1a9990	0xc32d	Zip archive data, at least v1.0 to extract	Chinese	China
RT_ICON	0x14f270	0x42028	dBase III DBT, version number 0, next free block index 40	Chinese	China
RT_ICON	0x191298	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x191700	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x193ca8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x194d50	0x10828	dBase III DBT, version number 0, next free block index 40	Chinese	China
RT_ICON	0x1a5578	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_GROUP_ICON	0x1a97a0	0x5a	data	Chinese	China
RT_VERSION	0x1a9800	0x18c	PGP symmetric key encrypted data - Plaintext or unencrypted data	Chinese	China
RT_MANIFEST	0x1b5cc0	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetComputerNameW, GetModuleFileNameA, GetCurrentProcessId, OpenProcess, GetModuleFileNameW, SetLastError, WaitForSingleObject, CreateEventW, FreeLibrary, WinExec, GetPrivateProfileStringW, CopyFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, LocalFree, LocalAlloc, LoadResource, FindResourceW, SizeofResource, LockResource, GetTickCount, GetCurrentThread, Sleep, GetProcessHeap, HeapAlloc, GetLastError, GetTempPathA, SetCurrentDirectoryW, GetShortPathNameA, LoadLibraryW, GetProcAddress, WideCharToMultiByte, MultiByteToWideChar, SystemTimeToFileTime, DosDateTimeToFileTime, GetCurrentProcess, DuplicateHandle, CloseHandle, WriteFile, SetFileTime, SetFilePointer, ReadFile, GetFileType, CreateFileW, CreateDirectoryW, TerminateProcess, GetCurrentDirectoryW, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFileSizeEx, GetConsoleOutputCP, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, RaiseException, GetStringTypeW, WriteConsoleW, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, GetModuleHandleW, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FlushFileBuffers, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, HeapFree, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, GetSystemInfo, HeapCompact, HeapDestroy, UnlockFile, LockFileEx, GetFileSize, DeleteCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA
ADVAPI32.dll	LookupPrivilegeValueW, AdjustTokenPrivileges, LookupAccountNameW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, IsValidSecurityDescriptor, InitializeSecurityDescriptor, InitializeAcl, GetTokenInformation, GetLengthSid, FreeSid, EqualSid, DuplicateToken, AllocateAndInitializeSid, AddAccessAllowedAce, AccessCheck, OpenThreadToken, OpenProcessToken
SHELL32.dll	ShellExecuteExA
ole32.dll	CoInitializeEx, CoGetObject, CoUninitialize
WININET.dll	InternetGetCookieExA
NETAPI32.dll	Netbios
ntdll.dll	RtlInitUnicodeString, NtFreeVirtualMemory, LdrEnumerateLoadedModules, RtlEqualUnicodeString, RtlAcquirePebLock, NtAllocateVirtualMemory, RtlReleasePebLock, RtlNtStatusToDosError, RtlCreateHeap, RtlDestroyHeap, RtlAllocateHeap, RtlFreeHeap, NtClose, NtOpenKey, NtEnumerateValueKey, NtQueryValueKey

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2022 10:49:29.767503977 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:29.767566919 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:29.767668962 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:29.799447060 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:29.799498081 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:30.252321959 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:30.252494097 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:30.643476009 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:30.643517971 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:30.644057989 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:30.644149065 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:30.652699947 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:30.696507931 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:30.874794960 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:30.874870062 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:30.874934912 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:30.874964952 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:31.238213062 CEST	49755	443	192.168.2.4	149.28.253.196
Jun 30, 2022 10:49:31.238270998 CEST	443	49755	149.28.253.196	192.168.2.4
Jun 30, 2022 10:49:31.467380047 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.467433929 CEST	443	49759	148.251.234.83	192.168.2.4
Jun 30, 2022 10:49:31.467564106 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.469418049 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.469446898 CEST	443	49759	148.251.234.83	192.168.2.4
Jun 30, 2022 10:49:31.566976070 CEST	443	49759	148.251.234.83	192.168.2.4
Jun 30, 2022 10:49:31.567137957 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.577445984 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.577474117 CEST	443	49759	148.251.234.83	192.168.2.4
Jun 30, 2022 10:49:31.578763962 CEST	443	49759	148.251.234.83	192.168.2.4
Jun 30, 2022 10:49:31.578928947 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.579849958 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.607743025 CEST	443	49759	148.251.234.83	192.168.2.4
Jun 30, 2022 10:49:31.607851028 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.607871056 CEST	443	49759	148.251.234.83	192.168.2.4
Jun 30, 2022 10:49:31.607944012 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.631427050 CEST	49759	443	192.168.2.4	148.251.234.83
Jun 30, 2022 10:49:31.631453991 CEST	443	49759	148.251.234.83	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2022 10:49:29.419118881 CEST	60506	53	192.168.2.4	8.8.8.8
Jun 30, 2022 10:49:29.742429972 CEST	53	60506	8.8.8.8	192.168.2.4
Jun 30, 2022 10:49:31.443171024 CEST	64277	53	192.168.2.4	8.8.8.8
Jun 30, 2022 10:49:31.461678982 CEST	53	64277	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 30, 2022 10:49:29.419118881 CEST	192.168.2.4	8.8.8.8	0x2ddf	Standard query (0)	www.icodeps.com	A (IP address)	IN (0x0001)
Jun 30, 2022 10:49:31.443171024 CEST	192.168.2.4	8.8.8.8	0xbe9e	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 30, 2022 10:49:29.742429972 CEST	8.8.8.8	192.168.2.4	0x2ddf	No error (0)	www.icodeps.com		149.28.253.196	A (IP address)	IN (0x0001)
Jun 30, 2022 10:49:31.461678982 CEST	8.8.8.8	192.168.2.4	0xbe9e	No error (0)	iplogger.org		148.251.234.83	A (IP address)	IN (0x0001)

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49755	149.28.253.196	443	C:\Users\user\Desktop\6LTym8YhUJ.exe

Timestamp	Direction	Data
2022-06-30 08:49:30 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: www.icodeps.com Cache-Control: no-cache
2022-06-30 08:49:30 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 30 Jun 2022 08:49:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2 Connection: close X-Powered-By: PHP/5.6.40 Access-Control-Allow-Origin: *
2022-06-30 08:49:30 UTC	IN	Data Raw: 55 53 Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49759	148.251.234.83	443	C:\Users\user\Desktop\6LTym8YhUJ.exe

Timestamp	kBytes transferred	Direction	Data
2022-06-30 08:49:31 UTC	0	OUT	GET /1DnXg7 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: iplogger.org Cache-Control: no-cache
2022-06-30 08:49:31 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 30 Jun 2022 08:49:31 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: clhf03028ja=102.129.143.85; expires=Fri, 30-Jun-2023 08:49:31 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Set-Cookie: 371745971719766869=3; expires=Fri, 30-Jun-2023 08:49:31 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Expires: Thu, 30 Jun 2022 08:49:31 +0000 Cache-Control: no-store, no-cache, must-revalidate Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN
2022-06-30 08:49:31 UTC	1	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

Statistics

High Level Behavior Distribution

Click to dive into process behavior distribution

Disassembly

Reset < >

Analysis Process: 6LTym8YhUJ.exePID: 2572, Parent PID: 5760COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.6%
Total number of Nodes:	680
Total number of Limit Nodes:	17

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E010740E0(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12) {
				signed int _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _t39;
				void* _t41;
				char _t49;
				signed int _t86;

				_t39 =  *0x1126944; // 0x1b5cf865
				_v8 = _t39 ^ _t86;
				_v16 = __ecx;
				_t41 = E0107AF30(_v16, __eflags);
				_t91 = _a4 - _t41;
				if(_a4 > _t41) {
					E01079700();
				}
				_t6 = _v16 + 0x14; // 0x483b0c4d
				_v24 =  *_t6;
				_v20 = E010776F0(_v16, _a4);
				_v28 = E01078150(_v16);
				_t49 = E01079750(_v28, _t91,  ~(0 | _t91 > 0x00000000) | _v20 + 0x00000001); // executed
				_v12 = _t49;
				E010767D0(_t49, _v16);
				 *((intOrPtr*)(_v16 + 0x10)) = _a4;
				 *((intOrPtr*)(_v16 + 0x14)) = _v20;
				E01076EB0( &_a8, E01073BF0(_v12), _a4, _a12);
				if(_v24 < 0x10) {
					_t85 =  &_v12;
					E01073BB0( &_a8, _v16,  &_v12);
				} else {
					_t85 =  *_v16;
					E01079D90(_v28,  *_v16, _v24 + 1);
					 *_v16 = _v12;
				}
				return E010C54D2(_v16, _v8 ^ _t86, _t85);
			}

0x010740e6
0x010740ed
0x010740f0
0x010740f6
0x010740fb
0x010740fe
0x01074100
0x01074100
0x01074108
0x0107410b
0x0107411a
0x01074125
0x0107413b
0x01074140
0x01074146
0x01074151
0x0107415a
0x01074175
0x0107417e
0x0107419f
0x010741a7
0x01074180
0x0107418a
0x01074190
0x0107419b
0x0107419b
0x010741bf

APIs

Part of subcall function 0107AF30: _Max_value.LIBCPMTD ref: 0107AF66
Part of subcall function 0107AF30: _Min_value.LIBCPMTD ref: 0107AF8C

allocator.LIBCONCRTD ref: 0107413B
allocator.LIBCONCRTD ref: 01074190

Part of subcall function 01079700: std::_Xinvalid_argument.LIBCPMT ref: 01079708

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: allocator$Max_valueMin_valueXinvalid_argumentstd::_
String ID:
API String ID: 3868691235-0
Opcode ID: 62c525cfc76db419213c0c0b28b5760174607c7ba04863a4fcf2185da4e1d8c5
Instruction ID: ac8c2f4817827e955cb1fcedac55195548358013a493b8dc3ac1abb847404d1c
Opcode Fuzzy Hash: 62c525cfc76db419213c0c0b28b5760174607c7ba04863a4fcf2185da4e1d8c5
Instruction Fuzzy Hash: 8E31AC75E00109AFCB08EFA8D8919EEF7B5FF58210F1085A9D955A7350EB30AA50CB95

Uniqueness

Uniqueness Score: -1.00%

Function 010C808F Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,010C622E,?,?,?,010C622E,0108D963,0111FDBC,0108D963), ref: 010C80EF

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4177d028259b03c37160c10a99742ad733d1077285c4f4cf403fd53de8c3e88f
Instruction ID: 24d511ed25dbbc862e00597694aeab2f6faa6cc8559b3b88a5121c3ca3c80445
Opcode Fuzzy Hash: 4177d028259b03c37160c10a99742ad733d1077285c4f4cf403fd53de8c3e88f
Instruction Fuzzy Hash: 1E018435A002099BE7419F5CD540B9EBFF9FF44604F15819AEA54AB351D7759900CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0109EEB0 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0109EEB0(intOrPtr _a4) {
				signed int _v8;
				char _v12;
				signed int _t16;
				char _t18;
				signed int _t37;

				_t16 =  *0x1126944; // 0x1b5cf865
				_v8 = _t16 ^ _t37;
				_t18 = E010ADF50(_a4, 1); // executed
				_v12 = _t18;
				E01073BB0(_v12, _v12,  &_v12);
				E01073BB0(_v12, _v12 + 4,  &_v12);
				E01073BB0( &_v12, _v12 + 8,  &_v12);
				 *((char*)(_v12 + 0xc)) = 1;
				 *((char*)(_v12 + 0xd)) = 1;
				return E010C54D2(_v12, _v8 ^ _t37, _v12 + 8);
			}

0x0109eeb6
0x0109eebd
0x0109eec5
0x0109eeca
0x0109eed5
0x0109eee8
0x0109eefb
0x0109ef06
0x0109ef0d
0x0109ef21

APIs

allocator.LIBCONCRTD ref: 0109EEC5

Part of subcall function 010ADF50: _Allocate.LIBCONCRTD ref: 010ADF64

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Allocateallocator
String ID:
API String ID: 40054573-0
Opcode ID: c5c2de8f81f9fd40ae3c43818e0fb739cf356c8282a97607e8a33769a096fbee
Instruction ID: 4facddf027390dbebb56b12e8d585c943303a0dd90bac761edee17c04d061fe2
Opcode Fuzzy Hash: c5c2de8f81f9fd40ae3c43818e0fb739cf356c8282a97607e8a33769a096fbee
Instruction Fuzzy Hash: 03014475E00208ABDB04DFA4D851EEDBBB4AF54319F4440E8D945AB341EA31A654CB55

Uniqueness

Uniqueness Score: -1.00%

Function 010C548F Relevance: 1.5, APIs: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E010C548F(signed int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t65;
				signed int _t66;
				signed int _t71;
				signed int _t75;
				intOrPtr _t88;
				signed int _t90;
				signed int _t91;
				signed int _t95;
				signed int _t101;
				intOrPtr _t105;
				intOrPtr _t106;
				intOrPtr* _t108;
				signed int _t109;
				intOrPtr* _t113;
				void* _t114;
				void* _t115;
				signed int _t119;
				signed int _t125;
				intOrPtr* _t128;
				signed int _t131;
				signed int _t139;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t145;
				void* _t146;

				_t125 = __edx;
				while(1) {
					_push(_a4);
					_t65 = E010CBBBB(_t114); // executed
					_pop(_t115);
					if(_t65 != 0) {
						return _t65;
					}
					_t66 = E010D831D(_t115, __eflags, _a4);
					_pop(_t114);
					__eflags = _t66;
					if(_t66 == 0) {
						__eflags = _a4 - 0xffffffff;
						if(_a4 != 0xffffffff) {
							_push(_t141);
							_t141 = _t145;
							_t145 = _t145 - 0xc;
							E010C61DD( &_v20);
							E010C808F( &_v20, 0x1123aec);
							asm("int3");
						}
						_push(_t141);
						_t142 = _t145;
						_t146 = _t145 - 0xc;
						E01075F30( &_v20);
						E010C808F( &_v20, 0x111fdbc);
						asm("int3");
						asm("int3");
						_push( &M010CA1C0);
						_push( *[fs:0x0]);
						_v12 = _t142;
						_t143 =  &_v12;
						_push(_t105);
						_t71 =  *0x1126944; // 0x1b5cf865
						_v12 = _v12 ^ _t71;
						_push(_t71 ^ _t143);
						_v32 = _t146 - _v12;
						_push(_v16);
						_v12 = 0xfffffffe;
						_v16 = _v12;
						 *[fs:0x0] =  &_v24;
						asm("repne ret");
						_push(_t143);
						 *0x112c4d0 =  *0x112c4d0 & 0x00000000;
						 *0x1126960 =  *0x1126960 | 0x00000001;
						_t75 = IsProcessorFeaturePresent(0xa);
						__eflags = _t75;
						if(_t75 != 0) {
							_v28 = _v28 & 0x00000000;
							_push(_t105);
							_push(_t135);
							_push(_t127);
							_t128 =  &_v48;
							asm("cpuid");
							_t106 = _t105;
							 *_t128 = 0;
							 *((intOrPtr*)(_t128 + 4)) = _t105;
							 *((intOrPtr*)(_t128 + 8)) = 0;
							 *(_t128 + 0xc) = _t125;
							_v24 = _v48;
							_v20 = _v36 ^ 0x49656e69;
							_v16 = _v44 ^ 0x756e6547;
							_push(_t106);
							asm("cpuid");
							_t108 =  &_v48;
							 *_t108 = 1;
							 *((intOrPtr*)(_t108 + 4)) = _t106;
							__eflags = _v16 | _v40 ^ 0x6c65746e | _v20;
							 *((intOrPtr*)(_t108 + 8)) = 0;
							 *(_t108 + 0xc) = _t125;
							if((_v16 | _v40 ^ 0x6c65746e | _v20) != 0) {
								L18:
								_t131 =  *0x112c4d4;
							} else {
								_t101 = _v48 & 0x0fff3ff0;
								__eflags = _t101 - 0x106c0;
								if(_t101 == 0x106c0) {
									L17:
									_t131 =  *0x112c4d4 | 0x00000001;
									 *0x112c4d4 = _t131;
								} else {
									__eflags = _t101 - 0x20660;
									if(_t101 == 0x20660) {
										goto L17;
									} else {
										__eflags = _t101 - 0x20670;
										if(_t101 == 0x20670) {
											goto L17;
										} else {
											__eflags = _t101 - 0x30650;
											if(_t101 == 0x30650) {
												goto L17;
											} else {
												__eflags = _t101 - 0x30660;
												if(_t101 == 0x30660) {
													goto L17;
												} else {
													__eflags = _t101 - 0x30670;
													if(_t101 != 0x30670) {
														goto L18;
													} else {
														goto L17;
													}
												}
											}
										}
									}
								}
							}
							_t119 = _v40;
							_t88 = 7;
							_v16 = _t119;
							__eflags = _v24 - _t88;
							if(_v24 < _t88) {
								_t109 = _v28;
							} else {
								_push(_t108);
								asm("cpuid");
								_t113 =  &_v48;
								 *_t113 = _t88;
								 *((intOrPtr*)(_t113 + 4)) = _t108;
								 *((intOrPtr*)(_t113 + 8)) = 0;
								_t119 = _v16;
								 *(_t113 + 0xc) = _t125;
								_t109 = _v44;
								__eflags = _t109 & 0x00000200;
								if((_t109 & 0x00000200) != 0) {
									 *0x112c4d4 = _t131 | 0x00000002;
								}
							}
							_t90 =  *0x1126960 | 0x00000002;
							 *0x112c4d0 = 1;
							 *0x1126960 = _t90;
							__eflags = _t119 & 0x00100000;
							if((_t119 & 0x00100000) != 0) {
								_t91 = _t90 | 0x00000004;
								 *0x112c4d0 = 2;
								 *0x1126960 = _t91;
								__eflags = _t119 & 0x08000000;
								if((_t119 & 0x08000000) != 0) {
									__eflags = _t119 & 0x10000000;
									if((_t119 & 0x10000000) != 0) {
										asm("xgetbv");
										_v32 = _t91;
										_v28 = _t125;
										_t139 = 6;
										__eflags = (_v32 & _t139) - _t139;
										if((_v32 & _t139) == _t139) {
											_t95 =  *0x1126960 | 0x00000008;
											 *0x112c4d0 = 3;
											 *0x1126960 = _t95;
											__eflags = _t109 & 0x00000020;
											if((_t109 & 0x00000020) != 0) {
												 *0x112c4d0 = 5;
												 *0x1126960 = _t95 | 0x00000020;
												__eflags = (_t109 & 0xd0030000) - 0xd0030000;
												if((_t109 & 0xd0030000) == 0xd0030000) {
													__eflags = (_v32 & 0x000000e0) - 0xe0;
													if((_v32 & 0x000000e0) == 0xe0) {
														 *0x1126960 =  *0x1126960 | 0x00000040;
														__eflags =  *0x1126960;
														 *0x112c4d0 = _t139;
													}
												}
											}
										}
									}
								}
							}
						}
						__eflags = 0;
						return 0;
					} else {
						continue;
					}
					break;
				}
			}

0x010c548f
0x010c54a1
0x010c54a1
0x010c54a4
0x010c54a9
0x010c54ac
0x010c54af
0x010c54af
0x010c5497
0x010c549c
0x010c549d
0x010c549f
0x010c54b0
0x010c54b4
0x010c61f5
0x010c61f6
0x010c61f8
0x010c61fe
0x010c620c
0x010c6211
0x010c6211
0x010c6212
0x010c6213
0x010c6215
0x010c621b
0x010c6229
0x010c622e
0x010c622f
0x010c6230
0x010c6235
0x010c6240
0x010c6244
0x010c624a
0x010c624d
0x010c6252
0x010c6257
0x010c6258
0x010c625b
0x010c6261
0x010c6268
0x010c626e
0x010c6274
0x010c6276
0x010c6279
0x010c6283
0x010c628c
0x010c6292
0x010c6294
0x010c629a
0x010c62a0
0x010c62a1
0x010c62a2
0x010c62a5
0x010c62a9
0x010c62ad
0x010c62ae
0x010c62b0
0x010c62b3
0x010c62b8
0x010c62c1
0x010c62d2
0x010c62dd
0x010c62e3
0x010c62e4
0x010c62e9
0x010c62ec
0x010c62f1
0x010c62f6
0x010c62f9
0x010c62fc
0x010c62ff
0x010c6344
0x010c6344
0x010c6301
0x010c6304
0x010c6309
0x010c630e
0x010c6333
0x010c6339
0x010c633c
0x010c6310
0x010c6310
0x010c6315
0x00000000
0x010c6317
0x010c6317
0x010c631c
0x00000000
0x010c631e
0x010c631e
0x010c6323
0x00000000
0x010c6325
0x010c6325
0x010c632a
0x00000000
0x010c632c
0x010c632c
0x010c6331
0x00000000
0x00000000
0x00000000
0x00000000
0x010c6331
0x010c632a
0x010c6323
0x010c631c
0x010c6315
0x010c630e
0x010c634a
0x010c634f
0x010c6350
0x010c6353
0x010c6356
0x010c6387
0x010c6358
0x010c635a
0x010c635b
0x010c6360
0x010c6363
0x010c6365
0x010c6368
0x010c636b
0x010c636e
0x010c6371
0x010c6374
0x010c637a
0x010c637f
0x010c637f
0x010c637a
0x010c638f
0x010c6392
0x010c639c
0x010c63a1
0x010c63a7
0x010c63ad
0x010c63b0
0x010c63ba
0x010c63bf
0x010c63c5
0x010c63c7
0x010c63cd
0x010c63d1
0x010c63d4
0x010c63d7
0x010c63e2
0x010c63e5
0x010c63e7
0x010c63ee
0x010c63f1
0x010c63fb
0x010c6400
0x010c6403
0x010c6408
0x010c6412
0x010c641e
0x010c6420
0x010c642f
0x010c6431
0x010c6433
0x010c6433
0x010c643a
0x010c643a
0x010c6431
0x010c6420
0x010c6403
0x010c63e7
0x010c63cd
0x010c63c5
0x010c6442
0x010c6443
0x010c6446
0x00000000
0x00000000
0x00000000
0x00000000
0x010c549f

APIs

stdext::threads::lock_error::lock_error.LIBCPMTD ref: 010C621B

Part of subcall function 010C808F: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,010C622E,?,?,?,010C622E,0108D963,0111FDBC,0108D963), ref: 010C80EF

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUserstdext::threads::lock_error::lock_error
String ID:
API String ID: 3035003668-0
Opcode ID: 5cea23a1a4d1051817967066552851c4acac9c2526fffb1d72cbda347bb9051f
Instruction ID: e2752239ac349ff2506e035120ff0422248dd84be884344aaafd3ed20c587acd
Opcode Fuzzy Hash: 5cea23a1a4d1051817967066552851c4acac9c2526fffb1d72cbda347bb9051f
Instruction Fuzzy Hash: 3AF0F03890030E76CF14BBB8EC099EE776C5A10910B508179EDA495090EF70E2558DD4

Uniqueness

Uniqueness Score: -1.00%

Function 010DDA9C Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E010DDA9C(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x112ce4c, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E010DB5A2();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E010CF349(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E010D831D(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x010dda9c
0x010ddaa2
0x010ddaa7
0x010ddab5
0x010ddab5
0x010ddabb
0x010ddabd
0x010ddabd
0x010ddad4
0x010ddadd
0x010ddae5
0x00000000
0x00000000
0x010ddac5
0x010ddac7
0x010ddae9
0x010ddaee
0x010ddaf4
0x00000000
0x010ddaf4
0x010ddaca
0x010ddacf
0x010ddad0
0x010ddad2
0x00000000
0x00000000
0x010ddad2
0x00000000
0x010ddad4
0x010ddaad
0x010ddab3
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,0108D963,00000000,?,010DD6C3,00000001,00000364,00000006,000000FF,?,00000000,?,010CF34E,010DD810), ref: 010DDADD

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e7c5dedb20150abc037cce1a921b7ae24353802edc41c2f854d1bac7df89cc1d
Instruction ID: 368d192fda09314bc552a70e3b30ee33920672acddf508cd5dfd5e9b5422d2b8
Opcode Fuzzy Hash: e7c5dedb20150abc037cce1a921b7ae24353802edc41c2f854d1bac7df89cc1d
Instruction Fuzzy Hash: 86F0B431609322A7AB615BFE9804B9F3F89AF41670B09C152F985E71C0DA60D80087E2

Uniqueness

Uniqueness Score: -1.00%

Function 010DD7CD Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E010DD7CD(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E010CF349(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x112ce4c, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E010DB5A2();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E010D831D(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x010dd7cd
0x010dd7d3
0x010dd7d9
0x010dd80b
0x010dd810
0x010dd816
0x00000000
0x010dd816
0x010dd7dd
0x010dd7df
0x010dd7df
0x010dd7f6
0x010dd7ff
0x010dd807
0x00000000
0x00000000
0x010dd7e7
0x010dd7e9
0x00000000
0x00000000
0x010dd7ec
0x010dd7f1
0x010dd7f2
0x010dd7f4
0x00000000
0x00000000
0x010dd7f4
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,010C54A9,00000000,00000000,010842D7,00000008), ref: 010DD7FF

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 40d4ee3591b7041df168e08d89b99e0ddee0052f1fe563c77a6fe966a27bd55a
Instruction ID: 09e3be05e7eb135188cfe5819382867237bd778a512bafafc74d850f4e04c4dc
Opcode Fuzzy Hash: 40d4ee3591b7041df168e08d89b99e0ddee0052f1fe563c77a6fe966a27bd55a
Instruction Fuzzy Hash: E0E06531101362A6E77227FA5C05BAF7E88EF826B0F1641A5EDD9A71D0DA54E80087F1

Uniqueness

Uniqueness Score: -1.00%

Function 010A3A50 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E010A3A50(intOrPtr _a4) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				void* __ecx;
				signed int _t11;
				intOrPtr _t18;
				signed int _t23;

				_push(0xffffffff);
				_push(0x10f085d);
				_push( *[fs:0x0]);
				_push(_t18);
				_t11 =  *0x1126944; // 0x1b5cf865
				_push(_t11 ^ _t23);
				 *[fs:0x0] =  &_v16;
				_v20 = _t18;
				E01083020(_v20, _a4);
				_v8 = 0;
				E010A8B90(_v20); // executed
				_v8 = 0xffffffff;
				 *[fs:0x0] = _v16;
				return _v20;
			}

0x010a3a53
0x010a3a55
0x010a3a60
0x010a3a61
0x010a3a62
0x010a3a69
0x010a3a6d
0x010a3a73
0x010a3a7d
0x010a3a82
0x010a3a8c
0x010a3a91
0x010a3a9e
0x010a3aa9

APIs

Concurrency::details::SweeperContext::SweeperContext.LIBCMTD ref: 010A3A7D

Part of subcall function 010A8B90: allocator.LIBCONCRTD ref: 010A8BA8

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Sweeper$Concurrency::details::ContextContext::allocator
String ID:
API String ID: 1818788282-0
Opcode ID: 94dabe1972e5cce92d8464ed3940807d745c4a88ae1517aa3f77a9ef4ef6194e
Instruction ID: 16c949bf65dd414513cdd00609dcf5df25de05a7a0dacfe91be15e22a84daeb1
Opcode Fuzzy Hash: 94dabe1972e5cce92d8464ed3940807d745c4a88ae1517aa3f77a9ef4ef6194e
Instruction Fuzzy Hash: 64F017B1A04649EBCB14DF88D850BAEB7B8FB09720F10462AE92597780DB3569008B90

Uniqueness

Uniqueness Score: -1.00%

Function 01079A00 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E01079A00(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t8;

				_push(__ecx);
				_v8 = __ecx;
				_t8 = E01079A30(_v8, _a4, E01073BF0(E0107AEC0(_a4))); // executed
				return _t8;
			}

0x01079a03
0x01079a04
0x01079a24
0x01079a2c

APIs

char_traits.LIBCPMTD ref: 01079A0B

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-0
Opcode ID: 962530e0a1c8eca2ba0709bf5758f4615a36fc9a73e783997e432b75e71e709b
Instruction ID: 5a78cd5cb4a7a264c7df609ebcc3b3d3d1e21fc66201e65cfd9b3db58beed317
Opcode Fuzzy Hash: 962530e0a1c8eca2ba0709bf5758f4615a36fc9a73e783997e432b75e71e709b
Instruction Fuzzy Hash: 7CD05EF6D04109B7CB04EB98FC02CDF77AC9B28328F004178F90D97300E931AA1096EA

Uniqueness

Uniqueness Score: -1.00%

Function 010A8B90 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E010A8B90(intOrPtr* __ecx) {
				intOrPtr* _v8;
				intOrPtr _t8;

				_push(__ecx);
				_v8 = __ecx;
				 *((intOrPtr*)(_v8 + 4)) = 0;
				_t8 = E010ADF50( *_v8, 1); // executed
				 *((intOrPtr*)(_v8 + 4)) = _t8;
				return _t8;
			}

0x010a8b93
0x010a8b94
0x010a8b9a
0x010a8ba8
0x010a8bb0
0x010a8bb6

APIs

allocator.LIBCONCRTD ref: 010A8BA8

Part of subcall function 010ADF50: _Allocate.LIBCONCRTD ref: 010ADF64

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Allocateallocator
String ID:
API String ID: 40054573-0
Opcode ID: a96456a152ed901be9ef967162b874377f0fd57863a1e0a734a6904219b92e4b
Instruction ID: bac4ff4735fa01eba184a3cbbed04b0065132d6d8098e658fade2a641d18a074
Opcode Fuzzy Hash: a96456a152ed901be9ef967162b874377f0fd57863a1e0a734a6904219b92e4b
Instruction Fuzzy Hash: 53D06774A05208EBC704DF94D641B99FBF9EB49304F2082D9E80C5B751D672AE00DB85

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010E2D00 Relevance: 7.8, APIs: 5, Instructions: 333
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E010E2D00(void* __ebx, signed short* __edi, signed int __esi, void* __eflags, void* __fp0, signed short* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed short _v32;
				signed int _v36;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v124;
				char _v528;
				intOrPtr _v532;
				char _v536;
				char _v636;
				char _v640;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t93;
				void* _t96;
				signed int _t101;
				signed int _t103;
				long _t105;
				signed int* _t108;
				signed int _t109;
				signed int _t117;
				signed int _t120;
				signed int _t123;
				signed short _t124;
				signed short _t129;
				void* _t131;
				void* _t141;
				signed int _t142;
				signed int _t144;
				void* _t146;
				void* _t147;
				signed int _t156;
				signed short _t158;
				void* _t159;
				void* _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t167;
				intOrPtr* _t168;
				signed short* _t170;
				intOrPtr* _t171;
				intOrPtr* _t172;
				signed int _t173;
				void* _t177;
				void* _t178;
				signed int _t185;
				signed short* _t187;
				signed short* _t193;
				void* _t198;
				signed int _t199;
				signed int _t200;
				signed short _t201;
				signed int _t202;
				signed short* _t203;
				signed int _t205;
				signed short* _t206;
				signed int _t207;
				void* _t208;
				signed short _t209;
				signed short _t210;
				signed short* _t211;
				intOrPtr* _t212;
				signed int _t213;
				signed int _t215;
				signed int _t221;
				signed int _t225;
				signed int _t229;
				void* _t230;
				void* _t231;
				void* _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				void* _t242;
				void* _t243;
				void* _t267;

				_t267 = __fp0;
				_t215 = __esi;
				_t211 = __edi;
				_v28 = E010E2890();
				_v12 = E010E2896();
				_t167 = 0;
				_v32 = 0;
				_v8 = 0;
				_v16 = 0;
				if(E010E28F4( &_v8) != 0 || E010E289C( &_v16) != 0) {
					L47:
					_push(_t167);
					_push(_t167);
					_push(_t167);
					_push(_t167);
					_push(_t167);
					E010CBD9F();
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_t233 = _t235;
					_t236 = _t235 - 0xc;
					_push(_t167);
					_push(_t215);
					_t212 = E010E2890();
					_t168 = E010E2896();
					_v76 = 0;
					_v80 = 0;
					_v84 = 0;
					_t82 = E010E28F4( &_v76);
					_t177 = _t211;
					__eflags = _t82;
					if(_t82 != 0) {
						L60:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E010CBD9F();
						asm("int3");
						_push(_t233);
						_t234 = _t236;
						_t84 =  *0x1126944; // 0x1b5cf865
						_v124 = _t84 ^ _t234;
						 *0x1126eb4 =  *0x1126eb4 | 0xffffffff;
						 *0x1126ea8 =  *0x1126ea8 | 0xffffffff;
						_push(_t168);
						_push(0);
						_push(_t212);
						 *0x112cd98 = 0;
						_t88 = E010EC5FB(_t177, _t204, __eflags,  &_v640,  &_v636, 0x100, 0x1111038);
						__eflags = _t88;
						if(_t88 != 0) {
							__eflags = _t88 - 0x22;
							if(_t88 == 0x22) {
								_t213 = E010DD7CD(_t177, _v532 + _v532);
								_pop(_t178);
								__eflags = _t213;
								if(__eflags != 0) {
									_t93 = E010EC5FB(_t178, _t204, __eflags,  &_v536, _t213, _v532, 0x1111038);
									__eflags = _t93;
									if(_t93 == 0) {
										E010DDAF9(0);
									} else {
										_push(_t213);
										goto L68;
									}
								} else {
									_push(0);
									L68:
									E010DDAF9();
									_t213 = 0;
								}
							} else {
								_t213 = 0;
							}
						} else {
							_t213 =  &_v528;
						}
						asm("sbb esi, esi");
						_t221 =  ~(_t213 -  &_v528) & _t213;
						__eflags = _t213;
						if(_t213 == 0) {
							L76:
							L48();
						} else {
							__eflags =  *_t213;
							if(__eflags == 0) {
								goto L76;
							} else {
								_push(_t213);
								E010E2D00(0, _t213, _t221, __eflags, _t267);
							}
						}
						_t96 = E010DDAF9(_t221);
						__eflags = _v16 ^ _t234;
						return E010C54D2(_t96, _v16 ^ _t234, _t204);
					} else {
						_t101 = E010E289C( &_v16);
						_pop(_t177);
						__eflags = _t101;
						if(_t101 != 0) {
							goto L60;
						} else {
							_t103 = E010E28C8( &_v20);
							_pop(_t177);
							__eflags = _t103;
							if(_t103 != 0) {
								goto L60;
							} else {
								E010DDAF9( *0x112cd90);
								 *0x112cd90 = 0;
								 *_t236 = 0x112cda0;
								_t105 = GetTimeZoneInformation(??);
								__eflags = _t105 - 0xffffffff;
								if(_t105 != 0xffffffff) {
									_t205 =  *0x112cda0 * 0x3c;
									_t185 = 1;
									__eflags =  *0x112cde6; // 0x0
									_t225 =  *0x112cdf4; // 0x0
									 *0x112cd98 = 1;
									_v12 = _t205;
									if(__eflags != 0) {
										_t120 = _t225 * 0x3c + _t205;
										__eflags = _t120;
										_v12 = _t120;
									}
									__eflags =  *0x112ce3a;
									if( *0x112ce3a == 0) {
										L57:
										_t109 = 0;
										_t185 = 0;
										__eflags = 0;
									} else {
										_t117 =  *0x112ce48; // 0x0
										__eflags = _t117;
										if(_t117 == 0) {
											goto L57;
										} else {
											_t109 = (_t117 - _t225) * 0x3c;
										}
									}
									_v16 = _t185;
									_v20 = _t109;
									E010C8A40(_t212,  *_t168, 0, 0x80);
									__eflags = 0;
									E010C8A40(_t212,  *((intOrPtr*)(_t168 + 4)), 0, 0x80);
									E010C8A40(_t212,  *_t212, 0, 0x40);
									E010C8A40(_t212,  *((intOrPtr*)(_t212 + 4)), 0, 0x40);
									E010DB9A5(_t205, _t267);
									E010E31E3(_t168, _t185, _t205, _t212, _t114, _t267, 0x112cda4,  *_t168,  *_t212, _t114);
									E010E31E3(_t168, _t185, _t205, _t212, _t114, _t267, 0x112cdf8,  *((intOrPtr*)(_t168 + 4)),  *((intOrPtr*)(_t212 + 4)), _t114);
								}
								 *(E010E288A()) = _v12;
								 *(E010E287E()) = _v16;
								_t108 = E010E2884();
								 *_t108 = _v20;
								return _t108;
							}
						}
					}
				} else {
					_t123 =  *0x112cd90; // 0x0
					_t211 = _a4;
					if(_t123 == 0) {
						L11:
						_t187 = _t211;
						_t11 =  &(_t187[1]); // 0x10e31c7
						_t206 = _t11;
						do {
							_t124 =  *_t187;
							_t187 =  &(_t187[1]);
						} while (_t124 != _t167);
						_t229 = E010DD7CD(_t187 - _t206 >> 1, 2 + (_t187 - _t206 >> 1) * 2);
						if(_t229 == 0) {
							L44:
							return E010DDAF9(_t229);
						}
						E010DDAF9( *0x112cd90);
						_t193 = _t211;
						_t204 = _t229;
						_t215 = _t167;
						 *0x112cd90 = _t229;
						_v24 = _t215;
						_t15 =  &(_t193[1]); // 0x10e31c7
						_t170 = _t15;
						do {
							_t129 =  *_t193;
							_t193 =  &(_t193[1]);
						} while (_t129 != _v32);
						_t17 = (_t193 - _t170 >> 1) + 1; // 0x10e31c4
						_t131 = E010D7CD5(_t204, _t17, _t211);
						_t235 = _t235 + 0xc;
						if(_t131 == 0) {
							_t171 = _v12;
							E010C8A40(_t211,  *_t171, _t131, 0x80);
							_t19 = _t171 + 4; // 0xfffffdd7
							E010C8A40(_t211,  *_t19, 0, 0x80);
							_t172 = _v28;
							E010C8A40(_t211,  *_t172, 0, 0x40);
							E010C8A40(_t211,  *((intOrPtr*)(_t172 + 4)), 0, 0x40);
							_push(3);
							_push( *_t172);
							_push( *_v12);
							E010E2CB9(_t172, _t211, _t215, _t267, _t211);
							_t242 = _t235 + 0x40;
							_t141 = 3;
							do {
								if( *_t211 != 0) {
									_t211 =  &(_t211[1]);
								}
								_t141 = _t141 - 1;
							} while (_t141 != 0);
							_t142 =  *_t211 & 0x0000ffff;
							_v36 = _t142;
							_t198 = 0x2d;
							if(_t142 == _t198) {
								_t211 =  &(_t211[1]);
							}
							_t144 = E010DDB87(_t198, _t267, _t211,  &_v20, 0xa);
							_t243 = _t242 + 0xc;
							_t173 = _t144 * 0xe10;
							_v8 = _t173;
							while(1) {
								_t199 =  *_t211 & 0x0000ffff;
								if(_t199 != 0x2b && _t199 - 0x30 > 9) {
									break;
								}
								_t211 =  &(_t211[1]);
							}
							_t146 = 0x3a;
							__eflags = _t199 - _t146;
							if(_t199 != _t146) {
								L39:
								_t147 = 0x2d;
								__eflags = _v36 - _t147;
								if(_v36 == _t147) {
									_t173 =  ~_t173;
									_v8 = _t173;
								}
								_t200 =  *_t211 & 0x0000ffff;
								__eflags = _t200;
								_v16 = 0 | _t200 != 0x00000000;
								__eflags = _t200;
								if(_t200 != 0) {
									_push(3);
									_push( *((intOrPtr*)(_v28 + 4)));
									_push( *((intOrPtr*)(_v12 + 4)));
									E010E2CB9(_t173, _t211, _t215, _t267, _t211);
									_t173 = _v8;
								}
								 *(E010E288A()) = _t173;
								 *(E010E287E()) = _v16;
								goto L44;
							}
							_t211 =  &(_t211[1]);
							_t156 = E010DDB87(_t199, _t267, _t211,  &_v20, 0xa);
							_t243 = _t243 + 0xc;
							_t201 = 0x30;
							_t173 = _v8 + _t156 * 0x3c;
							_v32 = _t201;
							_t158 =  *_t211 & 0x0000ffff;
							_v8 = _t173;
							_t207 = _t158;
							__eflags = _t158 - _t201;
							if(_t158 < _t201) {
								L33:
								_t159 = 0x3a;
								__eflags = _t207 - _t159;
								if(_t207 != _t159) {
									goto L39;
								}
								_t211 =  &(_t211[1]);
								_t161 = E010DDB87(_t201, _t267, _t211,  &_v20, 0xa);
								_t243 = _t243 + 0xc;
								_t173 = _v8 + _t161;
								_t162 =  *_t211 & 0x0000ffff;
								_v8 = _t173;
								_t208 = 0x30;
								__eflags = _t162 - _t208;
								if(_t162 < _t208) {
									goto L39;
								}
								_t202 = _t162;
								_t230 = 0x39;
								while(1) {
									__eflags = _t202 - _t230;
									if(_t202 > _t230) {
										break;
									}
									_t211 =  &(_t211[1]);
									_t163 =  *_t211 & 0x0000ffff;
									_t202 = _t163;
									__eflags = _t163 - _t208;
									if(_t163 >= _t208) {
										continue;
									}
									break;
								}
								_t229 = _v24;
								goto L39;
							}
							_t201 = _t158;
							_t231 = 0x39;
							while(1) {
								_t207 = _t201 & 0x0000ffff;
								__eflags = _t201 - _t231;
								if(_t201 > _t231) {
									break;
								}
								_t211 =  &(_t211[1]);
								_t164 =  *_t211 & 0x0000ffff;
								_t201 = _t164;
								_t207 = _t164;
								__eflags = _t164 - _v32;
								if(_t164 >= _v32) {
									continue;
								}
								break;
							}
							_t229 = _v24;
							goto L33;
						}
						_t167 = 0;
						__eflags = 0;
						goto L47;
					} else {
						_t203 = _t211;
						while(1) {
							_t209 =  *_t203;
							if(_t209 !=  *_t123) {
								break;
							}
							if(_t209 == 0) {
								L8:
								_t165 = _t167;
							} else {
								_t9 =  &(_t203[1]); // 0xfdd7e805
								_t210 =  *_t9;
								if(_t210 !=  *((intOrPtr*)(_t123 + 2))) {
									break;
								} else {
									_t203 =  &(_t203[2]);
									_t123 = _t123 + 4;
									if(_t210 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t165 == 0) {
								return _t165;
							} else {
								goto L11;
							}
							goto L78;
						}
						asm("sbb eax, eax");
						_t165 = _t123 | 0x00000001;
						__eflags = _t165;
						goto L10;
					}
				}
				L78:
			}

0x010e2d00
0x010e2d00
0x010e2d00
0x010e2d10
0x010e2d18
0x010e2d1b
0x010e2d20
0x010e2d24
0x010e2d27
0x010e2d32
0x010e2f96
0x010e2f96
0x010e2f97
0x010e2f98
0x010e2f99
0x010e2f9a
0x010e2f9b
0x010e2fa0
0x010e2fa1
0x010e2fa2
0x010e2fa3
0x010e2fa7
0x010e2fa9
0x010e2fac
0x010e2fad
0x010e2fb4
0x010e2fbb
0x010e2fc2
0x010e2fc6
0x010e2fc9
0x010e2fcc
0x010e2fd1
0x010e2fd2
0x010e2fd4
0x010e30f3
0x010e30f3
0x010e30f4
0x010e30f5
0x010e30f6
0x010e30f7
0x010e30f8
0x010e30fd
0x010e3100
0x010e3101
0x010e3109
0x010e3110
0x010e3113
0x010e3120
0x010e3127
0x010e3128
0x010e3129
0x010e313e
0x010e3145
0x010e314d
0x010e314f
0x010e3159
0x010e315c
0x010e3170
0x010e3172
0x010e3173
0x010e3175
0x010e3190
0x010e3198
0x010e319a
0x010e31a0
0x010e319c
0x010e319c
0x00000000
0x010e319c
0x010e3177
0x010e3177
0x010e3178
0x010e3178
0x010e317d
0x010e317d
0x010e315e
0x010e315e
0x010e315e
0x010e3151
0x010e3151
0x010e3151
0x010e31b2
0x010e31b4
0x010e31b6
0x010e31b8
0x010e31c8
0x010e31c8
0x010e31ba
0x010e31ba
0x010e31bd
0x00000000
0x010e31bf
0x010e31bf
0x010e31c0
0x010e31c5
0x010e31bd
0x010e31ce
0x010e31d9
0x010e31e2
0x010e2fda
0x010e2fde
0x010e2fe3
0x010e2fe4
0x010e2fe6
0x00000000
0x010e2fec
0x010e2ff0
0x010e2ff5
0x010e2ff6
0x010e2ff8
0x00000000
0x010e2ffe
0x010e3004
0x010e3009
0x010e300f
0x010e3016
0x010e301c
0x010e301f
0x010e3025
0x010e302e
0x010e302f
0x010e3036
0x010e303c
0x010e3042
0x010e3045
0x010e304a
0x010e304a
0x010e304c
0x010e304c
0x010e304f
0x010e3057
0x010e3069
0x010e3069
0x010e306b
0x010e306b
0x010e3059
0x010e3059
0x010e305e
0x010e3060
0x00000000
0x010e3062
0x010e3064
0x010e3064
0x010e3060
0x010e3072
0x010e3076
0x010e307d
0x010e3083
0x010e3089
0x010e3093
0x010e309e
0x010e30a8
0x010e30b4
0x010e30c8
0x010e30cd
0x010e30d8
0x010e30e2
0x010e30e7
0x010e30ed
0x010e30f2
0x010e30f2
0x010e2ff8
0x010e2fe6
0x010e2d4a
0x010e2d4a
0x010e2d4f
0x010e2d54
0x010e2d8b
0x010e2d8b
0x010e2d8d
0x010e2d8d
0x010e2d90
0x010e2d90
0x010e2d93
0x010e2d96
0x010e2dac
0x010e2db1
0x010e2f88
0x00000000
0x010e2f8e
0x010e2dbd
0x010e2dc3
0x010e2dc5
0x010e2dc7
0x010e2dc9
0x010e2dcf
0x010e2dd2
0x010e2dd2
0x010e2dd5
0x010e2dd5
0x010e2dd8
0x010e2ddb
0x010e2de6
0x010e2deb
0x010e2df0
0x010e2df5
0x010e2dfb
0x010e2e06
0x010e2e13
0x010e2e16
0x010e2e1b
0x010e2e25
0x010e2e32
0x010e2e3a
0x010e2e3c
0x010e2e3e
0x010e2e41
0x010e2e46
0x010e2e4d
0x010e2e4e
0x010e2e51
0x010e2e53
0x010e2e53
0x010e2e56
0x010e2e56
0x010e2e5b
0x010e2e62
0x010e2e65
0x010e2e69
0x010e2e6b
0x010e2e6b
0x010e2e75
0x010e2e7a
0x010e2e7d
0x010e2e83
0x010e2e86
0x010e2e86
0x010e2e8c
0x00000000
0x00000000
0x010e2e97
0x010e2e97
0x010e2e9e
0x010e2e9f
0x010e2ea2
0x010e2f3c
0x010e2f3e
0x010e2f3f
0x010e2f43
0x010e2f45
0x010e2f47
0x010e2f47
0x010e2f4a
0x010e2f4f
0x010e2f55
0x010e2f58
0x010e2f5b
0x010e2f60
0x010e2f62
0x010e2f68
0x010e2f6c
0x010e2f71
0x010e2f74
0x010e2f7c
0x010e2f86
0x00000000
0x010e2f86
0x010e2ead
0x010e2eb2
0x010e2eba
0x010e2ec2
0x010e2ec3
0x010e2ec5
0x010e2ec8
0x010e2ecb
0x010e2ece
0x010e2ed0
0x010e2ed3
0x010e2ef5
0x010e2ef7
0x010e2ef8
0x010e2efb
0x00000000
0x00000000
0x010e2f02
0x010e2f07
0x010e2f0f
0x010e2f12
0x010e2f14
0x010e2f17
0x010e2f1c
0x010e2f1d
0x010e2f20
0x00000000
0x00000000
0x010e2f24
0x010e2f26
0x010e2f27
0x010e2f27
0x010e2f2a
0x00000000
0x00000000
0x010e2f2c
0x010e2f2f
0x010e2f32
0x010e2f34
0x010e2f37
0x00000000
0x00000000
0x00000000
0x010e2f37
0x010e2f39
0x00000000
0x010e2f39
0x010e2ed7
0x010e2ed9
0x010e2eda
0x010e2eda
0x010e2edd
0x010e2ee0
0x00000000
0x00000000
0x010e2ee2
0x010e2ee5
0x010e2ee8
0x010e2eea
0x010e2eec
0x010e2ef0
0x00000000
0x00000000
0x00000000
0x010e2ef0
0x010e2ef2
0x00000000
0x010e2ef2
0x010e2f94
0x010e2f94
0x00000000
0x010e2d56
0x010e2d56
0x010e2d58
0x010e2d58
0x010e2d5e
0x00000000
0x00000000
0x010e2d63
0x010e2d7a
0x010e2d7a
0x010e2d65
0x010e2d65
0x010e2d65
0x010e2d6d
0x00000000
0x010e2d6f
0x010e2d6f
0x010e2d72
0x010e2d78
0x00000000
0x00000000
0x00000000
0x00000000
0x010e2d78
0x010e2d6d
0x010e2d83
0x010e2d85
0x010e2f93
0x00000000
0x00000000
0x00000000
0x00000000
0x010e2d85
0x010e2d7e
0x010e2d80
0x010e2d80
0x00000000
0x010e2d80
0x010e2d54
0x00000000

APIs

_free.LIBCMT ref: 010E2DBD
_free.LIBCMT ref: 010E2F89
_free.LIBCMT ref: 010E3004
GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,010E31C5,?,?,00000000), ref: 010E3016

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: c1c237f7ff502566c7f535c02c5ca2e11220e5c7c6250e07b0e2e18a4cf8467a
Instruction ID: da40f66496a17852a7464322f3589603d52c0daf3f313367350c1420429d732f
Opcode Fuzzy Hash: c1c237f7ff502566c7f535c02c5ca2e11220e5c7c6250e07b0e2e18a4cf8467a
Instruction Fuzzy Hash: FAA14C71900216AFDB28BFAADC45AEE7FFDEF54610F1440AAE6859B180E7719940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010CBBC6 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E010CBBC6(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t69;
				signed int _t71;
				signed int _t73;

				_t69 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				_t60 = __ebx;
				_t71 = _t73;
				_t40 =  *0x1126944; // 0x1b5cf865
				_t41 = _t40 ^ _t71;
				_v8 = _t40 ^ _t71;
				_push(__edi);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E010C661C(_t41);
					_pop(_t61);
				}
				E010C8A40(_t66,  &_v804, 0, 0x50);
				E010C8A40(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t69;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E010C661C(_t57);
				}
				return E010C54D2(_t57, _v8 ^ _t71, _t65);
			}

0x010cbbc6
0x010cbbc6
0x010cbbc6
0x010cbbc6
0x010cbbc9
0x010cbbd1
0x010cbbd6
0x010cbbd8
0x010cbbdf
0x010cbbe0
0x010cbbe2
0x010cbbe5
0x010cbbea
0x010cbbea
0x010cbbf6
0x010cbc09
0x010cbc17
0x010cbc1d
0x010cbc23
0x010cbc29
0x010cbc2f
0x010cbc35
0x010cbc3b
0x010cbc41
0x010cbc47
0x010cbc4d
0x010cbc54
0x010cbc5b
0x010cbc62
0x010cbc69
0x010cbc70
0x010cbc77
0x010cbc78
0x010cbc81
0x010cbc87
0x010cbc8a
0x010cbc90
0x010cbc9d
0x010cbca6
0x010cbcaf
0x010cbcb8
0x010cbcc6
0x010cbcc8
0x010cbcdd
0x010cbce9
0x010cbcec
0x010cbcf1
0x010cbcfe

APIs

IsDebuggerPresent.KERNEL32 ref: 010CBCBE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 010CBCC8
UnhandledExceptionFilter.KERNEL32(?), ref: 010CBCD5

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8232382829de1395cbe2228d003adac5b80fe53b643c834f1fecaf856754de06
Instruction ID: 5949b169cb62bbe310d632f236c211040e97c68fad497affd3e83bc5c0d0ca18
Opcode Fuzzy Hash: 8232382829de1395cbe2228d003adac5b80fe53b643c834f1fecaf856754de06
Instruction Fuzzy Hash: 0E31E67490122D9BCB61DF69D8897DDBBF4BF08750F5041EAE84CA7250EB749B818F44

Uniqueness

Uniqueness Score: -1.00%

Function 010D86F7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D86F7(int _a4) {
				void* _t14;

				if(E010E2818(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E010D8739(_t14, _a4);
				ExitProcess(_a4);
			}

0x010d8704
0x010d8720
0x010d8720
0x010d8729
0x010d8732

APIs

GetCurrentProcess.KERNEL32(00000000,?,010D86F6,00000000,?,00000000,00000000,00000000,00000000), ref: 010D8719
TerminateProcess.KERNEL32(00000000,?,010D86F6,00000000,?,00000000,00000000,00000000,00000000), ref: 010D8720
ExitProcess.KERNEL32 ref: 010D8732

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 93f2964e0fe9b264d8aa25a04f5d3bdebaaa5b6868f3a2823b80360707ac7961
Instruction ID: 5d60cfe3a496d6ae90f1f1288c18d53c19337d9449f6aeb5ec00296ef01dc06d
Opcode Fuzzy Hash: 93f2964e0fe9b264d8aa25a04f5d3bdebaaa5b6868f3a2823b80360707ac7961
Instruction Fuzzy Hash: FBE0E631501208EFCF216F54D94DA593F69FB443C1B018459F58997521CB3AE991DB50

Uniqueness

Uniqueness Score: -1.00%

Function 010D2BE0 Relevance: 3.4, APIs: 2, Instructions: 450
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E010D2BE0(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t190;
				signed int _t191;
				intOrPtr _t192;
				signed int _t195;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t204;
				signed int _t210;
				intOrPtr _t216;
				void* _t219;
				signed int _t221;
				signed int _t232;
				void* _t236;
				signed int _t239;
				signed int* _t245;
				signed int _t247;
				signed int* _t248;
				signed int* _t250;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t255;
				signed int _t259;
				unsigned int _t260;
				signed int _t262;
				signed int* _t266;
				signed int _t267;
				signed int _t268;
				intOrPtr _t270;
				void* _t274;
				signed char _t280;
				signed int* _t283;
				signed int _t287;
				signed int* _t288;
				intOrPtr* _t295;
				signed int _t297;
				signed int _t298;
				signed int* _t301;
				signed int _t302;
				signed int _t304;
				intOrPtr* _t305;
				signed int _t309;
				signed int _t310;
				signed int _t315;
				signed int _t320;
				signed int _t321;
				signed int _t323;
				void* _t324;
				signed int _t325;
				signed int _t328;
				signed int _t332;
				signed int* _t334;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t343;
				void* _t344;
				signed int _t349;
				signed int _t356;
				signed int* _t357;

				_t245 = _a4;
				_t338 =  *_t245;
				if(_t338 == 0) {
					L75:
					__eflags = 0;
					return 0;
				} else {
					_t295 = _a8;
					_t190 =  *_t295;
					_v56 = _t190;
					if(_t190 == 0) {
						goto L75;
					} else {
						_t320 = _t190 - 1;
						_t259 = _t338 - 1;
						_v12 = _t259;
						if(_t320 != 0) {
							__eflags = _t320 - _t259;
							if(_t320 > _t259) {
								goto L75;
							} else {
								_t191 = _t259;
								_t297 = _t259 - _t320;
								__eflags = _t259 - _t297;
								if(_t259 < _t297) {
									L20:
									_t297 = _t297 + 1;
									__eflags = _t297;
								} else {
									_t283 =  &(_t245[_t259 + 1]);
									_t356 = _a8 + _t320 * 4 + 4;
									__eflags = _t356;
									while(1) {
										__eflags =  *_t356 -  *_t283;
										if(__eflags != 0) {
											break;
										}
										_t191 = _t191 - 1;
										_t356 = _t356 - 4;
										_t283 = _t283 - 4;
										__eflags = _t191 - _t297;
										if(_t191 >= _t297) {
											continue;
										} else {
											goto L20;
										}
										goto L21;
									}
									if(__eflags < 0) {
										goto L20;
									}
								}
								L21:
								__eflags = _t297;
								if(__eflags == 0) {
									goto L75;
								} else {
									_t192 = _a8;
									_t247 = _v56;
									_t340 =  *(_t192 + _t247 * 4);
									_t260 =  *(_t192 + _t247 * 4 - 4);
									asm("bsr eax, esi");
									_v52 = _t340;
									_v36 = _t260;
									if(__eflags == 0) {
										_t321 = 0x20;
									} else {
										_t321 = 0x1f - _t192;
									}
									_v16 = _t321;
									_v48 = 0x20 - _t321;
									__eflags = _t321;
									if(_t321 != 0) {
										_t280 = _t321;
										_v36 = _v36 << _t280;
										_v52 = _t340 << _t280 | _t260 >> _v48;
										__eflags = _t247 - 2;
										if(_t247 > 2) {
											_t70 =  &_v36;
											 *_t70 = _v36 |  *(_a8 + _t247 * 4 - 8) >> _v48;
											__eflags =  *_t70;
										}
									}
									_t341 = 0;
									_v32 = 0;
									_t298 = _t297 + 0xffffffff;
									__eflags = _t298;
									_v28 = _t298;
									if(_t298 >= 0) {
										_t197 = _t298 + _t247;
										_t250 = _a4;
										_v60 = _t197;
										_v64 = _t250 + 4 + _t298 * 4;
										_t266 = _t250 - 4 + _t197 * 4;
										_v80 = _t266;
										do {
											__eflags = _t197 - _v12;
											if(_t197 > _v12) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 = _t266[2];
											}
											_t302 = _t266[1];
											_t267 =  *_t266;
											_v76 = _t198;
											_v40 = 0;
											_v8 = _t198;
											_v24 = _t267;
											__eflags = _t321;
											if(_t321 != 0) {
												_t309 = _v8;
												_t328 = _t267 >> _v48;
												_t221 = E010C5580(_t302, _v16, _t309);
												_t267 = _v16;
												_t198 = _t309;
												_t302 = _t328 | _t221;
												_t341 = _v24 << _t267;
												__eflags = _v60 - 3;
												_v8 = _t309;
												_v24 = _t341;
												if(_v60 >= 3) {
													_t267 = _v48;
													_t341 = _t341 |  *(_t250 + (_v56 + _v28) * 4 - 8) >> _t267;
													__eflags = _t341;
													_t198 = _v8;
													_v24 = _t341;
												}
											}
											_push(_t250);
											_t199 = E010EE3A0(_t302, _t198, _v52, 0);
											_v40 = _t250;
											_t252 = _t199;
											_t343 = _t341 ^ _t341;
											_t200 = _t302;
											_v8 = _t252;
											_v20 = _t200;
											_t323 = _t267;
											_v72 = _t252;
											_v68 = _t200;
											_v40 = _t343;
											__eflags = _t200;
											if(_t200 != 0) {
												L38:
												_t253 = _t252 + 1;
												asm("adc eax, 0xffffffff");
												_t323 = _t323 + E010C5540(_t253, _t200, _v52, 0);
												asm("adc esi, edx");
												_t252 = _t253 | 0xffffffff;
												_t200 = 0;
												__eflags = 0;
												_v40 = _t343;
												_v8 = _t252;
												_v72 = _t252;
												_v20 = 0;
												_v68 = 0;
											} else {
												__eflags = _t252 - 0xffffffff;
												if(_t252 > 0xffffffff) {
													goto L38;
												}
											}
											__eflags = _t343;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L42;
												} else {
													__eflags = _t323 - 0xffffffff;
													if(_t323 <= 0xffffffff) {
														while(1) {
															L42:
															_v8 = _v24;
															_t219 = E010C5540(_v36, 0, _t252, _t200);
															__eflags = _t302 - _t323;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L45:
																_t200 = _v20;
																_t252 = _t252 + 0xffffffff;
																_v72 = _t252;
																asm("adc eax, 0xffffffff");
																_t323 = _t323 + _v52;
																__eflags = _t323;
																_v20 = _t200;
																asm("adc dword [ebp-0x24], 0x0");
																_v68 = _t200;
																if(_t323 == 0) {
																	__eflags = _t323 - 0xffffffff;
																	if(_t323 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t219 - _v8;
																if(_t219 <= _v8) {
																	break;
																} else {
																	goto L45;
																}
															}
															L49:
															_v8 = _t252;
															goto L50;
														}
														_t200 = _v20;
														goto L49;
													}
												}
											}
											L50:
											__eflags = _t200;
											if(_t200 != 0) {
												L52:
												_t268 = _v56;
												_t324 = 0;
												_t344 = 0;
												__eflags = _t268;
												if(_t268 != 0) {
													_t255 = _v64;
													_t210 = _a8 + 4;
													__eflags = _t210;
													_v40 = _t210;
													_v24 = _t268;
													do {
														_v12 =  *_t210;
														_t216 =  *_t255;
														_t274 = _t324 + _v72 * _v12;
														asm("adc esi, edx");
														_t324 = _t344;
														_t344 = 0;
														__eflags = _t216 - _t274;
														if(_t216 < _t274) {
															_t324 = _t324 + 1;
															asm("adc esi, esi");
														}
														 *_t255 = _t216 - _t274;
														_t255 = _t255 + 4;
														_t210 = _v40 + 4;
														_t153 =  &_v24;
														 *_t153 = _v24 - 1;
														__eflags =  *_t153;
														_v40 = _t210;
													} while ( *_t153 != 0);
													_t252 = _v8;
													_t268 = _v56;
												}
												__eflags = 0 - _t344;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L61:
														__eflags = _t268;
														if(_t268 != 0) {
															_t254 = 0;
															_t305 = _v64;
															_t349 = _a8 + 4;
															__eflags = _t349;
															_t325 = _t268;
															do {
																_t270 =  *_t305;
																_t349 = _t349 + 4;
																_t305 = _t305 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t305 - 4)) = _t270 +  *((intOrPtr*)(_t349 - 4)) + _t254;
																asm("adc eax, 0x0");
																_t254 = 0;
																_t325 = _t325 - 1;
																__eflags = _t325;
															} while (_t325 != 0);
															_t252 = _v8;
														}
														_t252 = _t252 + 0xffffffff;
														asm("adc dword [ebp-0x10], 0xffffffff");
													} else {
														__eflags = _v76 - _t324;
														if(_v76 < _t324) {
															goto L61;
														}
													}
												}
												_t204 = _v60 - 1;
												__eflags = _t204;
												_v12 = _t204;
											} else {
												__eflags = _t252;
												if(_t252 != 0) {
													goto L52;
												}
											}
											_t341 = _v32;
											_t250 = _a4;
											asm("adc esi, 0x0");
											_v64 = _v64 - 4;
											_t304 = _v28 - 1;
											_t321 = _v16;
											_t266 = _v80 - 4;
											_v32 = 0 + _t252;
											_t197 = _v60 - 1;
											_v28 = _t304;
											_v60 = _t197;
											_v80 = _t266;
											__eflags = _t304;
										} while (_t304 >= 0);
									}
									_t248 = _a4;
									_t262 = _v12 + 1;
									_t195 = _t262;
									__eflags = _t195 -  *_t248;
									if(_t195 <  *_t248) {
										_t301 =  &(( &(_t248[1]))[_t195]);
										do {
											 *_t301 = 0;
											_t301 =  &(_t301[1]);
											_t195 = _t195 + 1;
											__eflags = _t195 -  *_t248;
										} while (_t195 <  *_t248);
									}
									 *_t248 = _t262;
									__eflags = _t262;
									if(_t262 != 0) {
										while(1) {
											__eflags = _t248[_t262];
											if(_t248[_t262] != 0) {
												goto L74;
											}
											_t262 = _t262 + 0xffffffff;
											__eflags = _t262;
											 *_t248 = _t262;
											if(_t262 != 0) {
												continue;
											}
											goto L74;
										}
									}
									L74:
									return _v32;
								}
							}
						} else {
							_t310 =  *(_t295 + 4);
							_v12 = _t310;
							if(_t310 != 1) {
								__eflags = _t259;
								if(_t259 != 0) {
									_t332 = 0;
									_v16 = 0;
									_v40 = 0;
									_v28 = 0;
									__eflags = _t259 - 0xffffffff;
									if(_t259 != 0xffffffff) {
										_t287 = _t259 + 1;
										__eflags = _t287;
										_t288 =  &(_t245[_t287]);
										_v32 = _t288;
										do {
											_t236 = E010EE3A0( *_t288, _t332, _t310, 0);
											_v28 = _t245;
											_t245 = _t245;
											_v68 = _t310;
											_t332 = _t288;
											_v16 = 0 + _t236;
											_t310 = _v12;
											asm("adc ecx, 0x0");
											_v40 = _v16;
											_t288 = _v32 - 4;
											_v32 = _t288;
											_t338 = _t338 - 1;
											__eflags = _t338;
										} while (_t338 != 0);
										_t245 = _a4;
									}
									_v544 = 0;
									_t357 =  &(_t245[1]);
									 *_t245 = 0;
									E010D3BEA(_t357, 0x1cc,  &_v540, 0);
									_t232 = _v28;
									__eflags = 0 - _t232;
									 *_t357 = _t332;
									_t245[2] = _t232;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t245 = 0xbadbae;
									return _v16;
								} else {
									_t334 =  &(_t245[1]);
									_v544 = _t259;
									 *_t245 = _t259;
									E010D3BEA(_t334, 0x1cc,  &_v540, _t259);
									_t239 = _t245[1];
									_t315 = _t239 % _v12;
									__eflags = 0 - _t315;
									 *_t334 = _t315;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t245 =  ~0x00000000;
									return _t239 / _v12;
								}
							} else {
								_v544 = _t320;
								 *_t245 = _t320;
								E010D3BEA( &(_t245[1]), 0x1cc,  &_v540, _t320);
								return _t245[1];
							}
						}
					}
				}
			}

0x010d2bec
0x010d2bf1
0x010d2bf5
0x010d306d
0x010d3071
0x010d3077
0x010d2bfb
0x010d2bfb
0x010d2bfe
0x010d2c00
0x010d2c05
0x00000000
0x010d2c0b
0x010d2c0b
0x010d2c0e
0x010d2c11
0x010d2c16
0x010d2d47
0x010d2d49
0x00000000
0x010d2d4f
0x010d2d51
0x010d2d53
0x010d2d55
0x010d2d57
0x010d2d7b
0x010d2d7b
0x010d2d7b
0x010d2d59
0x010d2d60
0x010d2d63
0x010d2d63
0x010d2d66
0x010d2d68
0x010d2d6a
0x00000000
0x00000000
0x010d2d6c
0x010d2d6d
0x010d2d70
0x010d2d73
0x010d2d75
0x00000000
0x010d2d77
0x00000000
0x010d2d77
0x00000000
0x010d2d75
0x010d2d79
0x00000000
0x00000000
0x010d2d79
0x010d2d7c
0x010d2d7c
0x010d2d7e
0x00000000
0x010d2d84
0x010d2d84
0x010d2d87
0x010d2d8a
0x010d2d8d
0x010d2d91
0x010d2d94
0x010d2d97
0x010d2d9a
0x010d2da5
0x010d2d9c
0x010d2da1
0x010d2da1
0x010d2daf
0x010d2db4
0x010d2db7
0x010d2db9
0x010d2dc2
0x010d2dc4
0x010d2dcb
0x010d2dce
0x010d2dd1
0x010d2ddf
0x010d2ddf
0x010d2ddf
0x010d2ddf
0x010d2dd1
0x010d2de2
0x010d2de4
0x010d2deb
0x010d2deb
0x010d2dee
0x010d2df1
0x010d2df7
0x010d2dfa
0x010d2dfd
0x010d2e06
0x010d2e0c
0x010d2e0f
0x010d2e12
0x010d2e12
0x010d2e15
0x010d2e1c
0x010d2e1c
0x010d2e17
0x010d2e17
0x010d2e17
0x010d2e1e
0x010d2e21
0x010d2e23
0x010d2e26
0x010d2e2d
0x010d2e30
0x010d2e33
0x010d2e35
0x010d2e40
0x010d2e43
0x010d2e48
0x010d2e4d
0x010d2e54
0x010d2e59
0x010d2e5b
0x010d2e5d
0x010d2e61
0x010d2e64
0x010d2e67
0x010d2e6f
0x010d2e78
0x010d2e78
0x010d2e7a
0x010d2e7d
0x010d2e7d
0x010d2e67
0x010d2e80
0x010d2e88
0x010d2e8d
0x010d2e92
0x010d2e94
0x010d2e96
0x010d2e98
0x010d2e9b
0x010d2e9e
0x010d2ea0
0x010d2ea3
0x010d2ea6
0x010d2ea9
0x010d2eab
0x010d2eb2
0x010d2eb7
0x010d2eba
0x010d2ec4
0x010d2ec6
0x010d2ec8
0x010d2ecb
0x010d2ecb
0x010d2ecd
0x010d2ed0
0x010d2ed3
0x010d2ed6
0x010d2ed9
0x010d2ead
0x010d2ead
0x010d2eb0
0x00000000
0x00000000
0x010d2eb0
0x010d2edc
0x010d2ede
0x010d2ee0
0x00000000
0x010d2ee2
0x010d2ee2
0x010d2ee5
0x010d2ee7
0x010d2ee7
0x010d2ef5
0x010d2ef8
0x010d2efd
0x010d2eff
0x00000000
0x00000000
0x010d2f01
0x010d2f08
0x010d2f08
0x010d2f0b
0x010d2f0e
0x010d2f11
0x010d2f14
0x010d2f14
0x010d2f17
0x010d2f1a
0x010d2f1e
0x010d2f21
0x010d2f23
0x010d2f26
0x00000000
0x00000000
0x010d2f28
0x010d2f26
0x010d2f03
0x010d2f03
0x010d2f06
0x00000000
0x00000000
0x00000000
0x00000000
0x010d2f06
0x010d2f2d
0x010d2f2d
0x00000000
0x010d2f2d
0x010d2f2a
0x00000000
0x010d2f2a
0x010d2ee5
0x010d2ee0
0x010d2f30
0x010d2f30
0x010d2f32
0x010d2f3c
0x010d2f3c
0x010d2f3f
0x010d2f41
0x010d2f43
0x010d2f45
0x010d2f4a
0x010d2f4d
0x010d2f4d
0x010d2f50
0x010d2f53
0x010d2f56
0x010d2f58
0x010d2f6d
0x010d2f6f
0x010d2f71
0x010d2f73
0x010d2f75
0x010d2f77
0x010d2f79
0x010d2f7b
0x010d2f7e
0x010d2f7e
0x010d2f82
0x010d2f84
0x010d2f8a
0x010d2f8d
0x010d2f8d
0x010d2f8d
0x010d2f91
0x010d2f91
0x010d2f96
0x010d2f99
0x010d2f99
0x010d2f9e
0x010d2fa0
0x010d2fa2
0x010d2fa9
0x010d2fa9
0x010d2fab
0x010d2fb0
0x010d2fb2
0x010d2fb5
0x010d2fb5
0x010d2fb8
0x010d2fc0
0x010d2fc0
0x010d2fc2
0x010d2fc7
0x010d2fcd
0x010d2fd1
0x010d2fd4
0x010d2fd7
0x010d2fd9
0x010d2fd9
0x010d2fd9
0x010d2fde
0x010d2fde
0x010d2fe1
0x010d2fe4
0x010d2fa4
0x010d2fa4
0x010d2fa7
0x00000000
0x00000000
0x010d2fa7
0x010d2fa2
0x010d2feb
0x010d2feb
0x010d2fec
0x010d2f34
0x010d2f34
0x010d2f36
0x00000000
0x00000000
0x010d2f36
0x010d2fef
0x010d2ffc
0x010d2fff
0x010d3002
0x010d3006
0x010d3007
0x010d300a
0x010d300d
0x010d3013
0x010d3014
0x010d3017
0x010d301a
0x010d301d
0x010d301d
0x010d2e12
0x010d3028
0x010d302b
0x010d302c
0x010d302e
0x010d3030
0x010d3035
0x010d3040
0x010d3040
0x010d3046
0x010d3049
0x010d304a
0x010d304a
0x010d3040
0x010d304e
0x010d3050
0x010d3052
0x010d3054
0x010d3054
0x010d3058
0x00000000
0x00000000
0x010d305a
0x010d305a
0x010d305d
0x010d305f
0x00000000
0x00000000
0x00000000
0x010d305f
0x010d3054
0x010d3061
0x010d306c
0x010d306c
0x010d2d7e
0x010d2c1c
0x010d2c1c
0x010d2c1f
0x010d2c25
0x010d2c56
0x010d2c58
0x010d2c9a
0x010d2c9c
0x010d2ca3
0x010d2caa
0x010d2cad
0x010d2cb0
0x010d2cb2
0x010d2cb2
0x010d2cb3
0x010d2cb6
0x010d2cc0
0x010d2cca
0x010d2ccf
0x010d2cd2
0x010d2cd4
0x010d2cd7
0x010d2ce0
0x010d2ce3
0x010d2ce6
0x010d2ce9
0x010d2cef
0x010d2cf2
0x010d2cf5
0x010d2cf5
0x010d2cf5
0x010d2cfa
0x010d2cfa
0x010d2d05
0x010d2d10
0x010d2d13
0x010d2d1f
0x010d2d24
0x010d2d2f
0x010d2d31
0x010d2d33
0x010d2d39
0x010d2d3e
0x010d2d40
0x010d2d46
0x010d2c5a
0x010d2c65
0x010d2c68
0x010d2c74
0x010d2c76
0x010d2c7d
0x010d2c7f
0x010d2c87
0x010d2c89
0x010d2c8b
0x010d2c90
0x010d2c93
0x010d2c99
0x010d2c99
0x010d2c27
0x010d2c35
0x010d2c41
0x010d2c43
0x010d2c55
0x010d2c55
0x010d2c25
0x010d2c16
0x010d2c05

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4847e42faf65096a39c8b94e548a263cfcbe231601104489e32df2d0a8bc25
Instruction ID: 62ad7358fdf75a93eb0e9f0f252f85ca25e1d1e852a2d37b207f731d7e8affe6
Opcode Fuzzy Hash: 8c4847e42faf65096a39c8b94e548a263cfcbe231601104489e32df2d0a8bc25
Instruction Fuzzy Hash: 0BF13E71E012199FDF14CFA8C8906EDBBF1FF88314F1582A9E959AB345D731A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2410 Relevance: 1.6, Strings: 1, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E00FE2410(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t146;
				intOrPtr _t148;
				signed int _t164;
				signed int _t165;
				intOrPtr _t167;
				signed int _t174;
				intOrPtr* _t176;
				intOrPtr _t178;
				signed int _t179;
				void* _t180;

				_t174 = __edx;
				_t146 =  *0x1126944; // 0x1b5cf865
				_v8 = _t146 ^ _t179;
				_t164 = _a8;
				_t178 = _a4;
				_t176 = _a16;
				_v36 = _t164;
				_t148 =  *((intOrPtr*)(_t178 + 0xc));
				_v20 = _a12;
				_v28 = _t176;
				if(_t148 != 0) {
					 *0x1127474(_t148);
					_t180 = _t180 + 4;
				}
				if(_t164 > 0xb) {
					_t165 = 1;
					L65:
					_t167 =  *((intOrPtr*)(_t178 + 0xc));
					if(_t167 != 0) {
						 *0x112747c(_t167);
					}
					return E010C54D2(_t165, _v8 ^ _t179, _t174);
				}
				switch( *((intOrPtr*)(_t164 * 4 +  &M00FE2860))) {
					case 0:
						_t152 =  *(_t178 + 0x120);
						_t170 = 0;
						if(_t152 == 0) {
							L6:
							_t153 =  *(_t178 + 0x124);
							_t174 = 0;
							if(_t153 == 0) {
								L9:
								if(_t176 != 0) {
									 *_t176 =  *((intOrPtr*)(_t178 + 0x110)) - _t170;
								}
								 *_v20 =  *((intOrPtr*)(_t178 + 0x110)) - _t174 - _t170;
								if(_a20 == 0) {
									goto L64;
								} else {
									_t174 =  *(_t178 + 0x124);
									if(_t174 == 0) {
										goto L64;
									}
									_t172 =  *_t174;
									if(_t172 == 0) {
										L15:
										 *_t174 =  *(_t178 + 0x120);
										 *(_t178 + 0x120) =  *(_t178 + 0x124);
										 *(_t178 + 0x124) = 0;
										goto L64;
									} else {
										goto L14;
									}
									do {
										L14:
										_t159 =  *_t172;
										_t174 = _t172;
										_t172 = _t159;
									} while (_t159 != 0);
									goto L15;
								}
							}
							do {
								_t153 =  *_t153;
								_t174 = _t174 + 1;
							} while (_t153 != 0);
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t152 =  *_t152;
							_t170 = _t170 + 1;
						} while (_t152 != 0);
						goto L6;
					case 1:
						__ebx = 0;
						_v12 = 0;
						__eflags =  *((intOrPtr*)(__esi + 0x51)) - __bl;
						if( *((intOrPtr*)(__esi + 0x51)) == __bl) {
							__ecx = __esi;
							__eax = E00FF6EF0(__esi);
						}
						__ecx = 0;
						_v24 = 0;
						__eflags =  *(__esi + 0x14);
						if( *(__esi + 0x14) <= 0) {
							L28:
							__eflags =  *((char*)(__esi + 0x51));
							if( *((char*)(__esi + 0x51)) == 0) {
								__ecx = __esi;
								__eax = E00FF6F40(__esi);
							}
							__ecx = _v20;
							 *__ecx = __ebx;
							 *__edi = 0;
							goto L64;
						} else {
							__edx = 0;
							__eflags = 0;
							_v16 = 0;
							do {
								__eax =  *(__esi + 0x10);
								__eax =  *(__edx +  *(__esi + 0x10) + 4);
								_v40 = __eax;
								__eflags = __eax;
								if(__eax != 0) {
									__ebx =  *__eax;
									__eax =  *(__ebx + 0xd0);
									__ecx =  *(__ebx + 0x8c) & 0x0000ffff;
									__edi =  *(__ebx + 0x98);
									__ecx = ( *(__ebx + 0x8c) & 0x0000ffff) + 0x3c;
									__edi =  *(__ebx + 0x98) + ( *(__ebx + 0x8c) & 0x0000ffff) + 0x3c;
									_push( *((intOrPtr*)( *(__ebx + 0xd0) + 0x2c)));
									__eax =  *0x11274a0();
									_push(__ebx);
									_v32 =  *(__ebx + 0xd0);
									__eax =  *0x1127450();
									__edx = _v32;
									__esp = __esp + 8;
									_v32 * ( *(__ebx + 0x98) + ( *(__ebx + 0x8c) & 0x0000ffff) + 0x3c) = _v32 * ( *(__ebx + 0x98) + ( *(__ebx + 0x8c) & 0x0000ffff) + 0x3c) +  *(__ebx + 0x98);
									__edx = _v32 * ( *(__ebx + 0x98) + ( *(__ebx + 0x8c) & 0x0000ffff) + 0x3c) +  *(__ebx + 0x98) + __eax;
									__eflags = _v36 - 0xb;
									if(_v36 == 0xb) {
										__ecx = _v40;
										__eax = __edx;
										asm("cdq");
										__ecx =  *(_v40 + 4);
										_t53 = __eax %  *(__ecx + 0x40);
										__eflags = _t53;
										__eax = __eax /  *(__ecx + 0x40);
										__edx = _t53;
										__edx = __eax;
									}
									__ebx = _v12;
									__ecx = _v24;
									__ebx = _v12 + __edx;
									__eflags = __ebx;
									__edx = _v16;
									_v12 = __ebx;
								}
								__ecx = __ecx + 1;
								__edx = __edx + 0x10;
								_v24 = __ecx;
								_v16 = __edx;
								__eflags = __ecx -  *(__esi + 0x14);
							} while (__ecx <  *(__esi + 0x14));
							__edi = _v28;
							goto L28;
						}
					case 2:
						__eflags =  *((char*)(__esi + 0x51));
						_v12 = 0;
						if( *((char*)(__esi + 0x51)) == 0) {
							__ecx = __esi;
							__eax = E00FF6EF0(__esi);
						}
						__eflags =  *(__esi + 0x14);
						__eax =  &_v12;
						 *(__esi + 0x1d0) =  &_v12;
						_v16 = 0;
						if( *(__esi + 0x14) <= 0) {
							L59:
							__eflags =  *((char*)(__esi + 0x51));
							 *(__esi + 0x1d0) = 0;
							if( *((char*)(__esi + 0x51)) == 0) {
								__ecx = __esi;
								__eax = E00FF6F40(__esi);
							}
							__eax = _v12;
							 *__edi = 0;
							goto L62;
						} else {
							__ebx = 0;
							__eflags = 0;
							_v24 = 0;
							do {
								__eax =  *(__esi + 0x10);
								__ebx =  *(__ebx +  *(__esi + 0x10) + 0xc);
								__eflags = __ebx;
								if(__ebx == 0) {
									goto L57;
								}
								_push(0x10);
								__eax =  *0x1127454();
								__ecx =  *(__ebx + 0x3c);
								__esp = __esp + 4;
								 *(__ebx + 0x3c) +  *((intOrPtr*)(__ebx + 0x2c)) =  *(__ebx + 0x3c) +  *((intOrPtr*)(__ebx + 0x2c)) +  *((intOrPtr*)(__ebx + 0x1c));
								__ecx =  *(__ebx + 0x3c) +  *((intOrPtr*)(__ebx + 0x2c)) +  *((intOrPtr*)(__ebx + 0x1c)) +  *((intOrPtr*)(__ebx + 0xc));
								_v12 = _v12 + __eax;
								__eax =  *(__ebx + 0x14);
								__eflags = __eax;
								if(__eax == 0) {
									__eax = 0;
									__eflags = 0;
								} else {
									_push(__eax);
									__eax =  *0x1127450();
									__esp = __esp + 4;
								}
								_v12 = _v12 + __eax;
								__eax =  *(__ebx + 0x34);
								__eflags = __eax;
								if(__eax == 0) {
									__eax = 0;
									__eflags = 0;
								} else {
									_push(__eax);
									__eax =  *0x1127450();
									__esp = __esp + 4;
								}
								_v12 = _v12 + __eax;
								__eax =  *(__ebx + 0x24);
								__eflags = __eax;
								if(__eax == 0) {
									__eax = 0;
									__eflags = 0;
								} else {
									_push(__eax);
									__eax =  *0x1127450();
									__esp = __esp + 4;
								}
								_v12 = _v12 + __eax;
								__eax =  *(__ebx + 0x44);
								__eflags = __eax;
								if(__eax == 0) {
									__eax = 0;
									__eflags = 0;
								} else {
									_push(__eax);
									__eax =  *0x1127450();
									__esp = __esp + 4;
								}
								_v12 = _v12 + __eax;
								__edi =  *(__ebx + 0x30);
								__eflags = __edi;
								if(__edi == 0) {
									L50:
									__edi =  *(__ebx + 0x10);
									__eflags = __edi;
									if(__edi == 0) {
										goto L57;
									}
									do {
										__edx =  *(__edi + 8);
										__eflags = __edx;
										if(__edx == 0) {
											goto L56;
										}
										__eflags =  *(__esi + 0x1d0);
										if( *(__esi + 0x1d0) != 0) {
											L55:
											__ecx = __esi;
											__eax = E0102AC60(__esi, __edx);
											goto L56;
										}
										_t100 = __edx + 0x20;
										 *_t100 =  *(__edx + 0x20) + 0xffffffff;
										__eflags =  *_t100;
										if( *_t100 != 0) {
											goto L56;
										}
										goto L55;
										L56:
										__edi =  *__edi;
										__eflags = __edi;
									} while (__edi != 0);
								} else {
									do {
										__edx =  *(__edi + 8);
										__ecx = __esi;
										__eax = E01056500(__ebx, __esi, __edx);
										__edi =  *__edi;
										__eflags = __edi;
									} while (__edi != 0);
									goto L50;
								}
								L57:
								__eax = _v16;
								__ebx = _v24;
								__eax = _v16 + 1;
								__ebx = _v24 + 0x10;
								_v16 = __eax;
								_v24 = __ebx;
								__eflags = __eax -  *(__esi + 0x14);
							} while (__eax <  *(__esi + 0x14));
							__edi = _v28;
							goto L59;
						}
					case 3:
						__edi =  *(__esi + 4);
						__ecx =  &_v16;
						__eax = 0;
						 *(__esi + 0x1d0) =  &_v16;
						_v16 = 0;
						__eflags = __edi;
						if(__edi == 0) {
							L78:
							__ecx = _v28;
							 *(__esi + 0x1d0) = 0;
							 *_v28 = 0;
							L62:
							__ecx = _v20;
							goto L63;
						}
						do {
							__edx = __edi;
							__ecx = __esi;
							__eax = E01008E20(__esi, __edx);
							__eflags =  *(__esi + 0x1d0);
							if( *(__esi + 0x1d0) == 0) {
								__eflags = __edi -  *((intOrPtr*)(__esi + 0x128));
								if(__edi <  *((intOrPtr*)(__esi + 0x128))) {
									L75:
									__eax = E00FE5130(__edi);
									goto L76;
								}
								__eflags = __edi -  *((intOrPtr*)(__esi + 0x12c));
								if(__edi >=  *((intOrPtr*)(__esi + 0x12c))) {
									goto L75;
								}
								__eax =  *(__esi + 0x124);
								 *__edi =  *(__esi + 0x124);
								 *(__esi + 0x124) = __edi;
								goto L76;
							}
							__edx = __edi;
							__ecx = __esi;
							__eax = E00FE51A0(__esi, __edx);
							L76:
							__edi =  *(__edi + 8);
							__eflags = __edi;
						} while (__edi != 0);
						__eax = _v16;
						goto L78;
					case 4:
						__eflags = _a20;
						 *__ecx = 0;
						__eax =  *(__esi + 0x104 + __ebx * 4);
						 *__edi = __eax;
						if(_a20 != 0) {
							 *(__esi + 0x104 + __ebx * 4) = 0;
						}
						goto L64;
					case 5:
						__ecx = 0;
						__edi = 0;
						__eflags =  *(__esi + 0x14);
						if( *(__esi + 0x14) <= 0) {
							L85:
							__ecx = _v28;
							 *_v28 = 0;
							__ecx = _v20;
							 *__ecx = __edi;
							goto L64;
						}
						__edx = 0;
						__eflags = 0;
						do {
							__eax =  *(__esi + 0x10);
							__eax =  *(__edx +  *(__esi + 0x10) + 4);
							__eflags = __eax;
							if(__eax != 0) {
								__eax =  *(__eax + 4);
								__eax =  *__eax;
								__edi = __edi +  *(__eax + 0x9c + __ebx * 4);
								__eflags = _a20;
								if(_a20 != 0) {
									 *(__eax + 0x9c + __ebx * 4) = 0;
								}
							}
							__ecx = __ecx + 1;
							__edx = __edx + 0x10;
							__eflags = __ecx -  *(__esi + 0x14);
						} while (__ecx <  *(__esi + 0x14));
						goto L85;
					case 6:
						 *__edi = 0;
						__eflags =  *(__esi + 0x1cc);
						if(__eflags > 0) {
							L93:
							__eax = 1;
							L63:
							 *__ecx = __eax;
							L64:
							_t165 = 0;
							goto L65;
						}
						if(__eflags < 0) {
							L89:
							__eflags =  *(__esi + 0x1c4);
							if(__eflags > 0) {
								goto L93;
							}
							if(__eflags < 0) {
								L92:
								__eax = 0;
								goto L63;
							}
							__eflags =  *(__esi + 0x1c0);
							if( *(__esi + 0x1c0) > 0) {
								goto L93;
							}
							goto L92;
						}
						__eflags =  *(__esi + 0x1c8);
						if( *(__esi + 0x1c8) > 0) {
							goto L93;
						}
						goto L89;
				}
			}

0x00fe2410
0x00fe2416
0x00fe241d
0x00fe2424
0x00fe2428
0x00fe242c
0x00fe242f
0x00fe2432
0x00fe2435
0x00fe2438
0x00fe243d
0x00fe2440
0x00fe2449
0x00fe2449
0x00fe244f
0x00fe2856
0x00fe2726
0x00fe2726
0x00fe272b
0x00fe272e
0x00fe2734
0x00fe2749
0x00fe2749
0x00fe2455
0x00000000
0x00fe245c
0x00fe2462
0x00fe2466
0x00fe246f
0x00fe246f
0x00fe2475
0x00fe2479
0x00fe2487
0x00fe2489
0x00fe2493
0x00fe2493
0x00fe24a6
0x00fe24a8
0x00000000
0x00fe24ae
0x00fe24ae
0x00fe24b6
0x00000000
0x00000000
0x00fe24bc
0x00fe24c0
0x00fe24cc
0x00fe24d2
0x00fe24da
0x00fe24e0
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe24c2
0x00fe24c2
0x00fe24c2
0x00fe24c4
0x00fe24c6
0x00fe24c8
0x00000000
0x00fe24c2
0x00fe24a8
0x00fe2480
0x00fe2480
0x00fe2482
0x00fe2483
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe2468
0x00fe2468
0x00fe2468
0x00fe246a
0x00fe246b
0x00000000
0x00000000
0x00fe2518
0x00fe251a
0x00fe251d
0x00fe2520
0x00fe2522
0x00fe2524
0x00fe2524
0x00fe2529
0x00fe252b
0x00fe252e
0x00fe2531
0x00fe25c3
0x00fe25c3
0x00fe25c7
0x00fe25c9
0x00fe25cb
0x00fe25cb
0x00fe25d0
0x00fe25d3
0x00fe25d5
0x00000000
0x00fe2537
0x00fe2537
0x00fe2537
0x00fe2539
0x00fe2540
0x00fe2540
0x00fe2543
0x00fe2547
0x00fe254a
0x00fe254c
0x00fe2551
0x00fe2553
0x00fe2559
0x00fe2560
0x00fe2566
0x00fe2569
0x00fe256b
0x00fe256e
0x00fe2574
0x00fe2575
0x00fe2578
0x00fe257e
0x00fe2581
0x00fe2587
0x00fe258d
0x00fe258f
0x00fe2593
0x00fe2595
0x00fe2598
0x00fe259a
0x00fe259b
0x00fe259e
0x00fe259e
0x00fe259e
0x00fe259e
0x00fe25a1
0x00fe25a1
0x00fe25a3
0x00fe25a6
0x00fe25a9
0x00fe25a9
0x00fe25ab
0x00fe25ae
0x00fe25ae
0x00fe25b1
0x00fe25b2
0x00fe25b5
0x00fe25b8
0x00fe25bb
0x00fe25bb
0x00fe25c0
0x00000000
0x00fe25c0
0x00000000
0x00fe25e0
0x00fe25e4
0x00fe25eb
0x00fe25ed
0x00fe25ef
0x00fe25ef
0x00fe25f4
0x00fe25f8
0x00fe25fb
0x00fe2601
0x00fe2608
0x00fe26ff
0x00fe26ff
0x00fe2703
0x00fe270d
0x00fe270f
0x00fe2711
0x00fe2711
0x00fe2716
0x00fe2719
0x00000000
0x00fe260e
0x00fe260e
0x00fe260e
0x00fe2610
0x00fe2613
0x00fe2613
0x00fe2616
0x00fe261a
0x00fe261c
0x00000000
0x00000000
0x00fe2622
0x00fe2624
0x00fe262a
0x00fe262d
0x00fe2633
0x00fe2636
0x00fe263c
0x00fe263f
0x00fe2642
0x00fe2644
0x00fe2652
0x00fe2652
0x00fe2646
0x00fe2646
0x00fe2647
0x00fe264d
0x00fe264d
0x00fe2654
0x00fe2657
0x00fe265a
0x00fe265c
0x00fe266a
0x00fe266a
0x00fe265e
0x00fe265e
0x00fe265f
0x00fe2665
0x00fe2665
0x00fe266c
0x00fe266f
0x00fe2672
0x00fe2674
0x00fe2682
0x00fe2682
0x00fe2676
0x00fe2676
0x00fe2677
0x00fe267d
0x00fe267d
0x00fe2684
0x00fe2687
0x00fe268a
0x00fe268c
0x00fe269a
0x00fe269a
0x00fe268e
0x00fe268e
0x00fe268f
0x00fe2695
0x00fe2695
0x00fe269c
0x00fe269f
0x00fe26a2
0x00fe26a4
0x00fe26b6
0x00fe26b6
0x00fe26b9
0x00fe26bb
0x00000000
0x00000000
0x00fe26c0
0x00fe26c0
0x00fe26c3
0x00fe26c5
0x00000000
0x00000000
0x00fe26c7
0x00fe26ce
0x00fe26d6
0x00fe26d6
0x00fe26d8
0x00000000
0x00fe26d8
0x00fe26d0
0x00fe26d0
0x00fe26d0
0x00fe26d4
0x00000000
0x00000000
0x00000000
0x00fe26dd
0x00fe26dd
0x00fe26df
0x00fe26df
0x00fe26a6
0x00fe26a6
0x00fe26a6
0x00fe26a9
0x00fe26ab
0x00fe26b0
0x00fe26b2
0x00fe26b2
0x00000000
0x00fe26a6
0x00fe26e3
0x00fe26e3
0x00fe26e6
0x00fe26e9
0x00fe26ea
0x00fe26ed
0x00fe26f0
0x00fe26f3
0x00fe26f3
0x00fe26fc
0x00000000
0x00fe26fc
0x00000000
0x00fe274a
0x00fe274d
0x00fe2750
0x00fe2752
0x00fe2758
0x00fe275b
0x00fe275d
0x00fe27b0
0x00fe27b0
0x00fe27b3
0x00fe27bd
0x00fe271f
0x00fe271f
0x00000000
0x00fe271f
0x00fe2760
0x00fe2760
0x00fe2762
0x00fe2764
0x00fe2769
0x00fe2770
0x00fe277d
0x00fe2783
0x00fe279d
0x00fe279e
0x00000000
0x00fe27a3
0x00fe2785
0x00fe278b
0x00000000
0x00000000
0x00fe278d
0x00fe2793
0x00fe2795
0x00000000
0x00fe2795
0x00fe2772
0x00fe2774
0x00fe2776
0x00fe27a6
0x00fe27a6
0x00fe27a9
0x00fe27a9
0x00fe27ad
0x00000000
0x00000000
0x00fe24ef
0x00fe24f3
0x00fe24f9
0x00fe2500
0x00fe2502
0x00fe2508
0x00fe2508
0x00000000
0x00000000
0x00fe27c8
0x00fe27ca
0x00fe27cc
0x00fe27cf
0x00fe2804
0x00fe2804
0x00fe2807
0x00fe280d
0x00fe2810
0x00000000
0x00fe2810
0x00fe27d1
0x00fe27d1
0x00fe27d3
0x00fe27d3
0x00fe27d6
0x00fe27da
0x00fe27dc
0x00fe27de
0x00fe27e1
0x00fe27e3
0x00fe27ea
0x00fe27ee
0x00fe27f0
0x00fe27f0
0x00fe27ee
0x00fe27fb
0x00fe27fc
0x00fe27ff
0x00fe27ff
0x00000000
0x00000000
0x00fe2817
0x00fe281d
0x00fe2824
0x00fe284c
0x00fe284c
0x00fe2722
0x00fe2722
0x00fe2724
0x00fe2724
0x00000000
0x00fe2724
0x00fe2826
0x00fe2831
0x00fe2831
0x00fe2838
0x00000000
0x00000000
0x00fe283a
0x00fe2845
0x00fe2845
0x00000000
0x00fe2845
0x00fe283c
0x00fe2843
0x00000000
0x00000000
0x00000000
0x00fe2843
0x00fe2828
0x00fe282f
0x00000000
0x00000000
0x00000000
0x00000000

Strings

%*, xrefs: 00FE2776

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID: %*
API String ID: 0-3615067565
Opcode ID: 043f55e405e23628a0fff95b9a56364dc84e754d055ce0f3290ede69fb595cc9
Instruction ID: 750c233d450b21fd0919e9cb239c9b96fb0ae6dd11d85b28edcadaad6fbe28d5
Opcode Fuzzy Hash: 043f55e405e23628a0fff95b9a56364dc84e754d055ce0f3290ede69fb595cc9
Instruction Fuzzy Hash: E7D19A74A00745CFDB68CF2AC480BAABBF9BF48314F14446DD85A9B381EB30E940DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA540 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 00FEA7B5

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID: winUnlockReadLock
API String ID: 0-4244601998
Opcode ID: c190e12601cb2a45d1fed60428d4bb96a7d1aa89146ca899b2df8cc1a4652184
Instruction ID: 55739956b726c436864bf66c89dd6d57f4e0ad5c92a5984181a0041bec3a363f
Opcode Fuzzy Hash: c190e12601cb2a45d1fed60428d4bb96a7d1aa89146ca899b2df8cc1a4652184
Instruction Fuzzy Hash: 0F91B771E00309AFEB30CFA5C8457AEBBF5FF49710F248129E915A62C0D7B5A9809F51

Uniqueness

Uniqueness Score: -1.00%

Function 00FE7B10 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec1d0dfdd856bf2c928efd32516290a42378f05ad6c52bc216687243f5814e6
Instruction ID: 294aafa35fad074c6773a54a5e9516b1b850997b579776d9d273e2cf6bd0860b
Opcode Fuzzy Hash: 7ec1d0dfdd856bf2c928efd32516290a42378f05ad6c52bc216687243f5814e6
Instruction Fuzzy Hash: 9DE14D7390C3C24FD7259E39C4913A9BBD2DFA5310F188AA9D8E587382D235D909E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB4D0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b093c1f011d642577125c9b9db6c117bdaad7c00ed0085bfe9bd28338a4969a5
Instruction ID: 8e0ce115146e3d05d5d92979be7414543ec3315cf3761f06f57d0b33e063bb19
Opcode Fuzzy Hash: b093c1f011d642577125c9b9db6c117bdaad7c00ed0085bfe9bd28338a4969a5
Instruction Fuzzy Hash: 2C619E35E007599BDB20CF66C884BABB7B4FF08760F198168EC15AB294E7B4D840DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00FECC40 Relevance: .2, Instructions: 167
COMMONCrypto

Download Yara Rule

C-Code - Quality: 16%

			E00FECC40(void* __ebx, void* __edi, void* __esi, intOrPtr _a8, signed char _a12) {
				signed int _v8;
				signed int _v16;
				char _v28;
				signed char _v29;
				signed char _v30;
				signed char _v31;
				signed char _v32;
				signed char _v33;
				signed char _v34;
				signed char _v35;
				signed char _v36;
				intOrPtr _v40;
				signed int _t86;
				unsigned int _t98;
				unsigned int _t106;
				signed char _t135;
				unsigned int _t136;
				void* _t140;
				void* _t142;
				void* _t144;
				void* _t146;
				void* _t148;
				void* _t150;
				void* _t154;
				void* _t156;
				void* _t158;
				void* _t160;
				void* _t162;
				void* _t164;
				void* _t166;
				void* _t168;
				void* _t173;
				unsigned int _t174;
				void* _t177;
				intOrPtr _t178;
				intOrPtr _t180;
				void* _t183;
				void* _t188;
				signed char _t189;
				void* _t191;
				signed int _t193;
				signed int _t195;
				signed int _t196;

				_t195 = (_t193 & 0xfffffff8) - 0x1c;
				_t86 =  *0x1126944; // 0x1b5cf865
				_v8 = _t86 ^ _t195;
				_t135 = _a12;
				_t180 = _a8;
				_v32 = _t135;
				E010C8A40(_t180, _t135, 0, _t180);
				_t196 = _t195 + 0xc;
				 *0x1127ef0( &_v28, __edi, __esi, __ebx);
				_t173 = 0;
				_t183 = 0;
				do {
					 *(_t183 + _t135) =  *(_t183 + _t135) ^  *(_t196 + _t173 + 0x10) & 0x000000ff;
					_t140 =  <  ? _t183 + 1 : 0;
					 *(_t140 + _t135) =  *(_t140 + _t135) ^  *(_t196 + _t173 + 0x11) & 0x000000ff;
					_t14 = _t140 + 1; // 0x1
					_t142 =  <  ? _t14 : 0;
					 *(_t142 + _t135) =  *(_t142 + _t135) ^  *(_t196 + _t173 + 0x12) & 0x000000ff;
					_t19 = _t142 + 1; // 0x1
					_t144 =  <  ? _t19 : 0;
					 *(_t144 + _t135) =  *(_t144 + _t135) ^  *(_t196 + _t173 + 0x13) & 0x000000ff;
					_t24 = _t144 + 1; // 0x1
					_t183 =  <  ? _t24 : 0;
					_t173 = _t173 + 4;
				} while (_t173 < 0x10);
				_t98 =  *0x1127e60();
				_t174 = _t98;
				 *(_t183 + _t135) =  *(_t183 + _t135) ^ _t174;
				_t146 =  <  ? _t183 + 1 : 0;
				 *(_t146 + _t135) =  *(_t146 + _t135) ^ _t98 >> 0x00000008;
				_t29 = _t146 + 1; // 0x1
				_t148 =  <  ? _t29 : 0;
				 *(_t148 + _t135) =  *(_t148 + _t135) ^ _t174 >> 0x00000010;
				_t32 = _t148 + 1; // 0x1
				_t150 =  <  ? _t32 : 0;
				 *(_t150 + _t135) =  *(_t150 + _t135) ^ _t174 >> 0x00000018;
				_t36 = _t150 + 1; // 0x1
				_t188 =  <  ? _t36 : 0;
				_t106 =  *0x1127f20();
				_t136 = _t106;
				 *(_v36 + _t188) =  *(_v36 + _t188) ^ _t136;
				_t40 = _t188 + 1; // 0x1
				_t189 = _v36;
				_t177 =  <  ? _t40 : 0;
				 *(_t177 + _t189) =  *(_t177 + _t189) ^ _t106 >> 0x00000008;
				_t44 = _t177 + 1; // 0x1
				_t154 =  <  ? _t44 : 0;
				 *(_t154 + _t189) =  *(_t154 + _t189) ^ _t136 >> 0x00000010;
				_t47 = _t154 + 1; // 0x1
				_t156 =  <  ? _t47 : 0;
				 *(_t156 + _t189) =  *(_t156 + _t189) ^ _t136 >> 0x00000018;
				_t51 = _t156 + 1; // 0x1
				_t191 =  <  ? _t51 : 0;
				 *0x1127ff8( &_v32);
				_t178 = _v40;
				 *(_t191 + _t178) =  *(_t191 + _t178) ^ _v36 & 0x000000ff;
				_t57 = _t191 + 1; // 0x1
				_t158 =  <  ? _t57 : 0;
				 *(_t158 + _t178) =  *(_t158 + _t178) ^ _v35 & 0x000000ff;
				_t61 = _t158 + 1; // 0x1
				_t160 =  <  ? _t61 : 0;
				 *(_t160 + _t178) =  *(_t160 + _t178) ^ _v34 & 0x000000ff;
				_t65 = _t160 + 1; // 0x1
				_t162 =  <  ? _t65 : 0;
				 *(_t162 + _t178) =  *(_t162 + _t178) ^ _v33 & 0x000000ff;
				_t69 = _t162 + 1; // 0x1
				_t164 =  <  ? _t69 : 0;
				 *(_t164 + _t178) =  *(_t164 + _t178) ^ _v32 & 0x000000ff;
				_t73 = _t164 + 1; // 0x1
				_t166 =  <  ? _t73 : 0;
				 *(_t166 + _t178) =  *(_t166 + _t178) ^ _v31 & 0x000000ff;
				_t77 = _t166 + 1; // 0x1
				_t168 =  <  ? _t77 : 0;
				 *(_t168 + _t178) =  *(_t168 + _t178) ^ _v30 & 0x000000ff;
				_t81 = _t168 + 1; // 0x1
				_t170 =  <  ? _t81 : 0;
				 *(( <  ? _t81 : 0) + _t178) =  *(( <  ? _t81 : 0) + _t178) ^ _v29 & 0x000000ff;
				_t132 =  <  ? _t180 : 0x20;
				return E010C54D2( <  ? _t180 : 0x20, _v16 ^ _t196, _t178);
			}

0x00fecc46
0x00fecc49
0x00fecc50
0x00fecc55
0x00fecc5a
0x00fecc61
0x00fecc65
0x00fecc6a
0x00fecc72
0x00fecc78
0x00fecc7a
0x00fecc80
0x00fecc87
0x00fecc92
0x00fecc95
0x00fecc98
0x00fecc9f
0x00fecca7
0x00feccaa
0x00feccb1
0x00feccbb
0x00feccbe
0x00feccc3
0x00feccc6
0x00feccc9
0x00feccce
0x00feccd4
0x00feccd8
0x00feccde
0x00fecce4
0x00fecce7
0x00feccee
0x00feccf6
0x00feccf9
0x00fecd00
0x00fecd06
0x00fecd0e
0x00fecd13
0x00fecd16
0x00fecd20
0x00fecd24
0x00fecd27
0x00fecd2a
0x00fecd30
0x00fecd38
0x00fecd3b
0x00fecd40
0x00fecd48
0x00fecd4b
0x00fecd52
0x00fecd58
0x00fecd60
0x00fecd65
0x00fecd6d
0x00fecd73
0x00fecd7e
0x00fecd81
0x00fecd86
0x00fecd8e
0x00fecd91
0x00fecd98
0x00fecda0
0x00fecda3
0x00fecdaa
0x00fecdb2
0x00fecdb5
0x00fecdbc
0x00fecdc4
0x00fecdc7
0x00fecdce
0x00fecdd6
0x00fecdd9
0x00fecde0
0x00fecde8
0x00fecdeb
0x00fecdf2
0x00fecdfa
0x00fece08
0x00fece18

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2787f2bcb77191f909196c343f4323ac9840659b9e9c016dbd96fb58ddca8a7
Instruction ID: a553d64a6b955028e571e61a078c0d1e9f31bae27e8afc22f0a4fa8ebd58f711
Opcode Fuzzy Hash: d2787f2bcb77191f909196c343f4323ac9840659b9e9c016dbd96fb58ddca8a7
Instruction Fuzzy Hash: E651F53020D3A10ACB2ECF38C49453FBBE2BE8D98576945BED496CE443E126D64BC781

Uniqueness

Uniqueness Score: -1.00%

Function 010D0C7E Relevance: .2, Instructions: 159
COMMONCrypto

Download Yara Rule

C-Code - Quality: 25%

			E010D0C7E(signed char _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed char _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				intOrPtr _v36;
				void* _t85;
				intOrPtr _t106;
				intOrPtr _t109;
				signed char _t111;
				signed char _t113;
				intOrPtr _t119;
				signed int _t121;
				signed char _t127;
				signed char _t128;
				signed int _t129;
				void* _t134;
				signed int* _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				intOrPtr _t143;
				signed int _t144;
				signed int _t145;

				_t106 = _a20;
				_t140 = _a8;
				_t134 = ((0 |  *((intOrPtr*)(_t106 + 4)) == 0x00000000) - 0x00000001 & 0x0000001d) + 0x17;
				if(_t140 > 0x40) {
					_t141 = _t140 >> 5;
					_t113 = _t140 & 0x0000001f;
					_v32 = _t113;
					_t144 = _t141 - 2;
					_v16 = _t144 << 5;
					_t81 = _a4;
					_v28 =  *((intOrPtr*)(_t81 + 4 + _t144 * 4));
					_v12 =  *((intOrPtr*)(_t81 + _t141 * 4));
					_t109 = _a20;
					__eflags = _t113;
					if(_t113 != 0) {
						_t111 = 1;
						_v24 = (1 << _t113) - 1;
						_t85 = 0x40;
						_v20 = _t85 - _t113;
						_v36 = _v16 + _t113 + _t134;
						_v8 = E010C5580(_v12, _v20 - 0x20, 0);
						_v12 = 0;
						_v8 = _v8 + E010C5580( *(_a4 + 4 + _t141 * 4) & _v24, _v20, 0);
						asm("adc [ebp-0x8], edx");
						_t142 = _v28;
						_t81 = E010C54F0( !_v24 & _t142, _v32, 0);
						_t119 = _v8 + _t81;
						_v8 = _t119;
						asm("adc [ebp-0x8], edx");
						__eflags = _a16;
						if(_a16 != 0) {
							L16:
							_t111 = 0;
							__eflags = 0;
						} else {
							__eflags = _v24 & _t142;
							if((_v24 & _t142) != 0) {
								goto L16;
							}
						}
						_v16 = _t111;
						__eflags = _t144;
						if(_t144 != 0) {
							_t121 = _a4 + 4;
							__eflags = _t121;
							do {
								__eflags =  *_t121;
								_t121 = _t121 + 4;
								_t81 = (_t81 & 0xffffff00 | __eflags != 0x00000000) - 1;
								_t111 = _t111 & _t81;
								_v16 = _t111;
								_t144 = _t144 - 1;
								__eflags = _t144;
							} while (_t144 != 0);
							_t119 = _v8;
						}
						_push(_a20);
						_push(_v16);
						_push(_a12);
						_push(_v36);
						_push(_v12);
						_push(_t119);
					} else {
						_t143 = _v12;
						_v24 = _v16 + _t134;
						_v20 = 0 +  *((intOrPtr*)(_t81 + 4 + _t144 * 4));
						asm("adc edi, 0x0");
						_t127 = _a16 ^ 0x00000001;
						_v16 = _t127;
						__eflags = _t144;
						if(_t144 != 0) {
							_t139 = _t81 + 4;
							do {
								__eflags =  *_t139;
								_t139 =  &(_t139[1]);
								_t81 = (_t81 & 0xffffff00 | __eflags != 0x00000000) - 1;
								_t127 = _t127 & _t81;
								_t144 = _t144 - 1;
								__eflags = _t144;
							} while (_t144 != 0);
							_v16 = _t127;
						}
						_push(_t109);
						_push(_v16);
						_push(_a12);
						_push(_v24);
						_push(_t143);
						_push(_v20);
					}
				} else {
					_t128 = _a4;
					if( *_t128 <= 0) {
						_t145 = 0;
						__eflags = 0;
					} else {
						_t145 =  *((intOrPtr*)(_t128 + 4));
					}
					if( *_t128 <= 1) {
						_t129 = 0;
						__eflags = 0;
					} else {
						_t129 =  *((intOrPtr*)(_t128 + 8));
					}
					_push(_t106);
					_push((_a16 ^ 0x00000001) & 0x000000ff);
					_push(_a12);
					_t81 = 0 + _t145;
					_push(_t134);
					asm("adc ecx, 0x0");
					_push(_t129);
					_push(0 + _t145);
				}
				return E010D0929(_t81);
			}

0x010d0c89
0x010d0c8e
0x010d0c9b
0x010d0ca1
0x010d0cdc
0x010d0cdf
0x010d0ce2
0x010d0ce5
0x010d0ced
0x010d0cf0
0x010d0cf7
0x010d0cfd
0x010d0d00
0x010d0d03
0x010d0d05
0x010d0d58
0x010d0d5e
0x010d0d63
0x010d0d66
0x010d0d75
0x010d0d86
0x010d0d8c
0x010d0d9d
0x010d0da3
0x010d0da8
0x010d0db2
0x010d0dba
0x010d0dbc
0x010d0dbf
0x010d0dc2
0x010d0dc6
0x010d0dcd
0x010d0dcd
0x010d0dcd
0x010d0dc8
0x010d0dc8
0x010d0dcb
0x00000000
0x00000000
0x010d0dcb
0x010d0dcf
0x010d0dd2
0x010d0dd4
0x010d0dd9
0x010d0dd9
0x010d0ddc
0x010d0ddc
0x010d0ddf
0x010d0de5
0x010d0de7
0x010d0de9
0x010d0dec
0x010d0dec
0x010d0dec
0x010d0df1
0x010d0df1
0x010d0df4
0x010d0dfa
0x010d0dfd
0x010d0e00
0x010d0e03
0x010d0e04
0x010d0d07
0x010d0d0a
0x010d0d0f
0x010d0d18
0x010d0d1e
0x010d0d21
0x010d0d24
0x010d0d27
0x010d0d29
0x010d0d2b
0x010d0d2e
0x010d0d2e
0x010d0d31
0x010d0d37
0x010d0d39
0x010d0d3b
0x010d0d3b
0x010d0d3b
0x010d0d40
0x010d0d40
0x010d0d43
0x010d0d44
0x010d0d47
0x010d0d4a
0x010d0d4d
0x010d0d4e
0x010d0d4e
0x010d0ca3
0x010d0ca3
0x010d0ca9
0x010d0cb0
0x010d0cb0
0x010d0cab
0x010d0cab
0x010d0cab
0x010d0cb5
0x010d0cbc
0x010d0cbc
0x010d0cb7
0x010d0cb7
0x010d0cb7
0x010d0cc3
0x010d0cc7
0x010d0cc8
0x010d0ccd
0x010d0ccf
0x010d0cd0
0x010d0cd3
0x010d0cd4
0x010d0cd4
0x010d0e11

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd028cca51dcb0a9ce8e1b7b517d940cc06647a0eff984a25aff3c88d84d55f
Instruction ID: 7ba33294d3f76d186e53ad9b734eabfa51520c63eea325c25ee2e95aa94c0877
Opcode Fuzzy Hash: 2dd028cca51dcb0a9ce8e1b7b517d940cc06647a0eff984a25aff3c88d84d55f
Instruction Fuzzy Hash: 9E519571E00219EFDF05CF99C940AEEBBB2EF88304F19809DE559AB245C734AE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8F40 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction ID: 24b4083850bc9e6c1a205863d5a6603c04cbb19e7c7b4612cb0241eaaf6e20ce
Opcode Fuzzy Hash: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction Fuzzy Hash: F021D341E1A2E84BDB00593EC890782BFC1C792329F28D3F0D8588FBCED614A40AD3E0

Uniqueness

Uniqueness Score: -1.00%

Function 010E2818 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858e7b9b8f89abda53e995bf705560342153d45e2927cfa6cabf3195b3abe9c3
Instruction ID: 9c645251061038c4d4f0c5f361cc92d93f225f8662923fe9595e2b35e814f05d
Opcode Fuzzy Hash: 858e7b9b8f89abda53e995bf705560342153d45e2927cfa6cabf3195b3abe9c3
Instruction Fuzzy Hash: CAE08C72912229EFCB14EB8DCA08D8AF7ECFB44A00B150096F611D3120C270DE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE1DE0 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE1DE0() {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v28;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				void* _t132;

				_v44 =  *((intOrPtr*)(7 + "Jun 28 2022"));
				_t3 = (1 << 3) + "Jun 28 2022"; // 0x32206e75
				_v43 =  *_t3;
				_t5 = 9 + "Jun 28 2022"; // 0x32206e75
				_v42 =  *_t5;
				_t7 = 0xa + "Jun 28 2022"; // 0x32206e75
				_v41 =  *_t7;
				_t9 = 0 + "Jun 28 2022"; // 0x32206e75
				if( *_t9 == 0x4f) {
					L4:
					_v5 = 0x31;
				} else {
					_t10 = 0 + "Jun 28 2022"; // 0x32206e75
					if( *_t10 == 0x4e) {
						goto L4;
					} else {
						_t11 = 0 + "Jun 28 2022"; // 0x32206e75
						if( *_t11 == 0x44) {
							goto L4;
						} else {
							_v5 = 0x30;
						}
					}
				}
				_v40 = _v5;
				if( *((char*)(0 + "Jun 28 2022")) != 0x4a) {
					L9:
					__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x46;
					if(__eflags != 0) {
						__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x4d;
						if( *((char*)(0 + "Jun 28 2022")) != 0x4d) {
							L15:
							__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x41;
							if( *((char*)(0 + "Jun 28 2022")) != 0x41) {
								L18:
								_t29 = 0 + "Jun 28 2022"; // 0x32206e75
								__eflags =  *_t29 - 0x4d;
								if( *_t29 != 0x4d) {
									L22:
									__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x4a;
									if( *((char*)(0 + "Jun 28 2022")) != 0x4a) {
										L26:
										__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x4a;
										if( *((char*)(0 + "Jun 28 2022")) != 0x4a) {
											L30:
											__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x41;
											if( *((char*)(0 + "Jun 28 2022")) != 0x41) {
												L33:
												_t44 = 0 + "Jun 28 2022"; // 0x32206e75
												__eflags =  *_t44 - 0x53;
												if(__eflags != 0) {
													_t46 = 0 + "Jun 28 2022"; // 0x32206e75
													__eflags =  *_t46 - 0x4f;
													if(__eflags != 0) {
														_t48 = 0 + "Jun 28 2022"; // 0x32206e75
														__eflags =  *_t48 - 0x4e;
														if(__eflags != 0) {
															_t50 = 0 + "Jun 28 2022"; // 0x32206e75
															__eflags =  *_t50 - 0x44;
															if(__eflags != 0) {
																_v6 = 0x3f;
															} else {
																_v6 = 0x32;
															}
															_v7 = _v6;
														} else {
															_v7 = 0x31;
														}
														_v8 = _v7;
													} else {
														_v8 = 0x30;
													}
													_v9 = _v8;
												} else {
													_v9 = 0x39;
												}
												_v10 = _v9;
											} else {
												_t42 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
												__eflags =  *_t42 - 0x75;
												if(__eflags != 0) {
													goto L33;
												} else {
													_v10 = 0x38;
												}
											}
											_v11 = _v10;
										} else {
											_t38 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
											__eflags =  *_t38 - 0x75;
											if( *_t38 != 0x75) {
												goto L30;
											} else {
												_t39 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
												__eflags =  *_t39 - 0x6c;
												if(__eflags != 0) {
													goto L30;
												} else {
													_v11 = 0x37;
												}
											}
										}
										_v12 = _v11;
									} else {
										_t34 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
										__eflags =  *_t34 - 0x75;
										if( *_t34 != 0x75) {
											goto L26;
										} else {
											_t35 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
											__eflags =  *_t35 - 0x6e;
											if(__eflags != 0) {
												goto L26;
											} else {
												_v12 = 0x36;
											}
										}
									}
									_v13 = _v12;
								} else {
									_t30 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
									__eflags =  *_t30 - 0x61;
									if( *_t30 != 0x61) {
										goto L22;
									} else {
										_t31 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
										__eflags =  *_t31 - 0x79;
										if(__eflags != 0) {
											goto L22;
										} else {
											_v13 = 0x35;
										}
									}
								}
								_v14 = _v13;
							} else {
								_t27 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
								__eflags =  *_t27 - 0x70;
								if(__eflags != 0) {
									goto L18;
								} else {
									_v14 = 0x34;
								}
							}
							_v15 = _v14;
						} else {
							_t23 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
							__eflags =  *_t23 - 0x61;
							if( *_t23 != 0x61) {
								goto L15;
							} else {
								_t24 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
								__eflags =  *_t24 - 0x72;
								if(__eflags != 0) {
									goto L15;
								} else {
									_v15 = 0x33;
								}
							}
						}
						_v16 = _v15;
					} else {
						_v16 = 0x32;
					}
					_v17 = _v16;
				} else {
					_t17 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
					if( *_t17 != 0x61) {
						goto L9;
					} else {
						_t18 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
						if( *_t18 != 0x6e) {
							goto L9;
						} else {
							_v17 = 0x31;
						}
					}
				}
				_v39 = _v17;
				_t77 = (1 << 2) + "Jun 28 2022"; // 0x32206e75
				if( *_t77 < 0x30) {
					_v18 = 0x30;
				} else {
					_t78 = (1 << 2) + "Jun 28 2022"; // 0x32206e75
					_v18 =  *_t78;
				}
				_v38 = _v18;
				_t83 = 5 + "Jun 28 2022"; // 0x32206e75
				_v37 =  *_t83;
				_t85 = 0 + "15:39:40"; // 0x39333a35
				_v36 =  *_t85;
				_t87 = (1 << 0) + "15:39:40"; // 0x39333a35
				_v35 =  *_t87;
				_t89 = 3 + "15:39:40"; // 0x39333a35
				_v34 =  *_t89;
				_t91 = (1 << 2) + "15:39:40"; // 0x39333a35
				_v33 =  *_t91;
				_t93 = 6 + "15:39:40"; // 0x39333a35
				_v32 =  *_t93;
				_t95 = 7 + "15:39:40"; // 0x39333a35
				_v31 =  *_t95;
				_t132 = E01075260( &_v19);
				E010B1640(0x112c0d0, 7,  *((intOrPtr*)(E01075FF0( &_v28,  &_v44,  &_v30))),  *((intOrPtr*)(_t134 + 4)), _t132);
				return E010C597B(0x112c0d0, 7, 0x10f35b0);
			}

0x00fe1df4
0x00fe1dff
0x00fe1e05
0x00fe1e10
0x00fe1e16
0x00fe1e21
0x00fe1e27
0x00fe1e32
0x00fe1e3c
0x00fe1e6c
0x00fe1e6c
0x00fe1e3e
0x00fe1e46
0x00fe1e50
0x00000000
0x00fe1e52
0x00fe1e5a
0x00fe1e64
0x00000000
0x00fe1e66
0x00fe1e66
0x00fe1e66
0x00fe1e64
0x00fe1e50
0x00fe1e73
0x00fe1e88
0x00fe1eba
0x00fe1ec9
0x00fe1ecc
0x00fe1ee6
0x00fe1ee9
0x00fe1f1b
0x00fe1f2a
0x00fe1f2d
0x00fe1f4c
0x00fe1f54
0x00fe1f5b
0x00fe1f5e
0x00fe1f90
0x00fe1f9f
0x00fe1fa2
0x00fe1fd4
0x00fe1fe3
0x00fe1fe6
0x00fe2018
0x00fe2027
0x00fe202a
0x00fe2049
0x00fe2051
0x00fe2058
0x00fe205b
0x00fe206b
0x00fe2072
0x00fe2075
0x00fe2085
0x00fe208c
0x00fe208f
0x00fe209f
0x00fe20a6
0x00fe20a9
0x00fe20b1
0x00fe20ab
0x00fe20ab
0x00fe20ab
0x00fe20b8
0x00fe2091
0x00fe2091
0x00fe2091
0x00fe20be
0x00fe2077
0x00fe2077
0x00fe2077
0x00fe20c4
0x00fe205d
0x00fe205d
0x00fe205d
0x00fe20ca
0x00fe202c
0x00fe2034
0x00fe203b
0x00fe203e
0x00000000
0x00fe2040
0x00fe2040
0x00fe2040
0x00fe203e
0x00fe20d0
0x00fe1fe8
0x00fe1ff0
0x00fe1ff7
0x00fe1ffa
0x00000000
0x00fe1ffc
0x00fe2003
0x00fe200a
0x00fe200d
0x00000000
0x00fe200f
0x00fe200f
0x00fe200f
0x00fe200d
0x00fe1ffa
0x00fe20d6
0x00fe1fa4
0x00fe1fac
0x00fe1fb3
0x00fe1fb6
0x00000000
0x00fe1fb8
0x00fe1fbf
0x00fe1fc6
0x00fe1fc9
0x00000000
0x00fe1fcb
0x00fe1fcb
0x00fe1fcb
0x00fe1fc9
0x00fe1fb6
0x00fe20dc
0x00fe1f60
0x00fe1f68
0x00fe1f6f
0x00fe1f72
0x00000000
0x00fe1f74
0x00fe1f7b
0x00fe1f82
0x00fe1f85
0x00000000
0x00fe1f87
0x00fe1f87
0x00fe1f87
0x00fe1f85
0x00fe1f72
0x00fe20e2
0x00fe1f2f
0x00fe1f37
0x00fe1f3e
0x00fe1f41
0x00000000
0x00fe1f43
0x00fe1f43
0x00fe1f43
0x00fe1f41
0x00fe20e8
0x00fe1eeb
0x00fe1ef3
0x00fe1efa
0x00fe1efd
0x00000000
0x00fe1eff
0x00fe1f06
0x00fe1f0d
0x00fe1f10
0x00000000
0x00fe1f12
0x00fe1f12
0x00fe1f12
0x00fe1f10
0x00fe1efd
0x00fe20ee
0x00fe1ece
0x00fe1ece
0x00fe1ece
0x00fe20f4
0x00fe1e8a
0x00fe1e92
0x00fe1e9c
0x00000000
0x00fe1e9e
0x00fe1ea5
0x00fe1eaf
0x00000000
0x00fe1eb1
0x00fe1eb1
0x00fe1eb1
0x00fe1eaf
0x00fe1e9c
0x00fe20fa
0x00fe2105
0x00fe210f
0x00fe2124
0x00fe2111
0x00fe2119
0x00fe211f
0x00fe211f
0x00fe212b
0x00fe2136
0x00fe213c
0x00fe2147
0x00fe214d
0x00fe2158
0x00fe215e
0x00fe2169
0x00fe216f
0x00fe217a
0x00fe2180
0x00fe218b
0x00fe2191
0x00fe219c
0x00fe21a2
0x00fe21a8
0x00fe21ca
0x00fe21df

APIs

_Smanip.LIBCPMTD ref: 00FE21B9

Strings

20220628153940, xrefs: 00FE21C5
9, xrefs: 00FE205D
0, xrefs: 00FE2077
2, xrefs: 00FE1ECE
1, xrefs: 00FE1EB1
3, xrefs: 00FE1F12
5, xrefs: 00FE1F87
0, xrefs: 00FE2124
4, xrefs: 00FE1F43
6, xrefs: 00FE1FCB
7, xrefs: 00FE200F
8, xrefs: 00FE2040
?, xrefs: 00FE20B1
1, xrefs: 00FE1E6C
1, xrefs: 00FE2091

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Smanip
String ID: 0$0$1$1$1$2$20220628153940$3$4$5$6$7$8$9$?
API String ID: 2140389272-2007596861
Opcode ID: b7b56d88a4816394676b905040d9efa347560a8a17b7f2fab7677554e786b5bf
Instruction ID: 80c29aa438d489ed311847db705ed411347aff5beb08a7abc62c85e94d16f2e0
Opcode Fuzzy Hash: b7b56d88a4816394676b905040d9efa347560a8a17b7f2fab7677554e786b5bf
Instruction Fuzzy Hash: 97B1E521D0C5D549FB0F8A6940A43FEAFB69B63340F2C81E9C4925FBC7C5BA4A85D391

Uniqueness

Uniqueness Score: -1.00%

Function 00FE13F0 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE13F0() {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v28;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				void* _t132;

				_v44 =  *((intOrPtr*)(7 + "Jun 28 2022"));
				_t3 = (1 << 3) + "Jun 28 2022"; // 0x32206e75
				_v43 =  *_t3;
				_t5 = 9 + "Jun 28 2022"; // 0x32206e75
				_v42 =  *_t5;
				_t7 = 0xa + "Jun 28 2022"; // 0x32206e75
				_v41 =  *_t7;
				_t9 = 0 + "Jun 28 2022"; // 0x32206e75
				if( *_t9 == 0x4f) {
					L4:
					_v5 = 0x31;
				} else {
					_t10 = 0 + "Jun 28 2022"; // 0x32206e75
					if( *_t10 == 0x4e) {
						goto L4;
					} else {
						_t11 = 0 + "Jun 28 2022"; // 0x32206e75
						if( *_t11 == 0x44) {
							goto L4;
						} else {
							_v5 = 0x30;
						}
					}
				}
				_v40 = _v5;
				if( *((char*)(0 + "Jun 28 2022")) != 0x4a) {
					L9:
					__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x46;
					if(__eflags != 0) {
						__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x4d;
						if( *((char*)(0 + "Jun 28 2022")) != 0x4d) {
							L15:
							__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x41;
							if( *((char*)(0 + "Jun 28 2022")) != 0x41) {
								L18:
								_t29 = 0 + "Jun 28 2022"; // 0x32206e75
								__eflags =  *_t29 - 0x4d;
								if( *_t29 != 0x4d) {
									L22:
									__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x4a;
									if( *((char*)(0 + "Jun 28 2022")) != 0x4a) {
										L26:
										__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x4a;
										if( *((char*)(0 + "Jun 28 2022")) != 0x4a) {
											L30:
											__eflags =  *((char*)(0 + "Jun 28 2022")) - 0x41;
											if( *((char*)(0 + "Jun 28 2022")) != 0x41) {
												L33:
												_t44 = 0 + "Jun 28 2022"; // 0x32206e75
												__eflags =  *_t44 - 0x53;
												if(__eflags != 0) {
													_t46 = 0 + "Jun 28 2022"; // 0x32206e75
													__eflags =  *_t46 - 0x4f;
													if(__eflags != 0) {
														_t48 = 0 + "Jun 28 2022"; // 0x32206e75
														__eflags =  *_t48 - 0x4e;
														if(__eflags != 0) {
															_t50 = 0 + "Jun 28 2022"; // 0x32206e75
															__eflags =  *_t50 - 0x44;
															if(__eflags != 0) {
																_v6 = 0x3f;
															} else {
																_v6 = 0x32;
															}
															_v7 = _v6;
														} else {
															_v7 = 0x31;
														}
														_v8 = _v7;
													} else {
														_v8 = 0x30;
													}
													_v9 = _v8;
												} else {
													_v9 = 0x39;
												}
												_v10 = _v9;
											} else {
												_t42 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
												__eflags =  *_t42 - 0x75;
												if(__eflags != 0) {
													goto L33;
												} else {
													_v10 = 0x38;
												}
											}
											_v11 = _v10;
										} else {
											_t38 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
											__eflags =  *_t38 - 0x75;
											if( *_t38 != 0x75) {
												goto L30;
											} else {
												_t39 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
												__eflags =  *_t39 - 0x6c;
												if(__eflags != 0) {
													goto L30;
												} else {
													_v11 = 0x37;
												}
											}
										}
										_v12 = _v11;
									} else {
										_t34 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
										__eflags =  *_t34 - 0x75;
										if( *_t34 != 0x75) {
											goto L26;
										} else {
											_t35 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
											__eflags =  *_t35 - 0x6e;
											if(__eflags != 0) {
												goto L26;
											} else {
												_v12 = 0x36;
											}
										}
									}
									_v13 = _v12;
								} else {
									_t30 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
									__eflags =  *_t30 - 0x61;
									if( *_t30 != 0x61) {
										goto L22;
									} else {
										_t31 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
										__eflags =  *_t31 - 0x79;
										if(__eflags != 0) {
											goto L22;
										} else {
											_v13 = 0x35;
										}
									}
								}
								_v14 = _v13;
							} else {
								_t27 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
								__eflags =  *_t27 - 0x70;
								if(__eflags != 0) {
									goto L18;
								} else {
									_v14 = 0x34;
								}
							}
							_v15 = _v14;
						} else {
							_t23 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
							__eflags =  *_t23 - 0x61;
							if( *_t23 != 0x61) {
								goto L15;
							} else {
								_t24 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
								__eflags =  *_t24 - 0x72;
								if(__eflags != 0) {
									goto L15;
								} else {
									_v15 = 0x33;
								}
							}
						}
						_v16 = _v15;
					} else {
						_v16 = 0x32;
					}
					_v17 = _v16;
				} else {
					_t17 = (1 << 0) + "Jun 28 2022"; // 0x32206e75
					if( *_t17 != 0x61) {
						goto L9;
					} else {
						_t18 = (1 << 1) + "Jun 28 2022"; // 0x32206e75
						if( *_t18 != 0x6e) {
							goto L9;
						} else {
							_v17 = 0x31;
						}
					}
				}
				_v39 = _v17;
				_t77 = (1 << 2) + "Jun 28 2022"; // 0x32206e75
				if( *_t77 < 0x30) {
					_v18 = 0x30;
				} else {
					_t78 = (1 << 2) + "Jun 28 2022"; // 0x32206e75
					_v18 =  *_t78;
				}
				_v38 = _v18;
				_t83 = 5 + "Jun 28 2022"; // 0x32206e75
				_v37 =  *_t83;
				_t85 = 0 + "15:39:31"; // 0x39333a35
				_v36 =  *_t85;
				_t87 = (1 << 0) + "15:39:31"; // 0x39333a35
				_v35 =  *_t87;
				_t89 = 3 + "15:39:31"; // 0x39333a35
				_v34 =  *_t89;
				_t91 = (1 << 2) + "15:39:31"; // 0x39333a35
				_v33 =  *_t91;
				_t93 = 6 + "15:39:31"; // 0x39333a35
				_v32 =  *_t93;
				_t95 = 7 + "15:39:31"; // 0x39333a35
				_v31 =  *_t95;
				_t132 = E01075260( &_v19);
				E010B1640(0x112b808, 7,  *((intOrPtr*)(E01075FF0( &_v28,  &_v44,  &_v30))),  *((intOrPtr*)(_t134 + 4)), _t132);
				return E010C597B(0x112b808, 7, 0x10f33a0);
			}

0x00fe1404
0x00fe140f
0x00fe1415
0x00fe1420
0x00fe1426
0x00fe1431
0x00fe1437
0x00fe1442
0x00fe144c
0x00fe147c
0x00fe147c
0x00fe144e
0x00fe1456
0x00fe1460
0x00000000
0x00fe1462
0x00fe146a
0x00fe1474
0x00000000
0x00fe1476
0x00fe1476
0x00fe1476
0x00fe1474
0x00fe1460
0x00fe1483
0x00fe1498
0x00fe14ca
0x00fe14d9
0x00fe14dc
0x00fe14f6
0x00fe14f9
0x00fe152b
0x00fe153a
0x00fe153d
0x00fe155c
0x00fe1564
0x00fe156b
0x00fe156e
0x00fe15a0
0x00fe15af
0x00fe15b2
0x00fe15e4
0x00fe15f3
0x00fe15f6
0x00fe1628
0x00fe1637
0x00fe163a
0x00fe1659
0x00fe1661
0x00fe1668
0x00fe166b
0x00fe167b
0x00fe1682
0x00fe1685
0x00fe1695
0x00fe169c
0x00fe169f
0x00fe16af
0x00fe16b6
0x00fe16b9
0x00fe16c1
0x00fe16bb
0x00fe16bb
0x00fe16bb
0x00fe16c8
0x00fe16a1
0x00fe16a1
0x00fe16a1
0x00fe16ce
0x00fe1687
0x00fe1687
0x00fe1687
0x00fe16d4
0x00fe166d
0x00fe166d
0x00fe166d
0x00fe16da
0x00fe163c
0x00fe1644
0x00fe164b
0x00fe164e
0x00000000
0x00fe1650
0x00fe1650
0x00fe1650
0x00fe164e
0x00fe16e0
0x00fe15f8
0x00fe1600
0x00fe1607
0x00fe160a
0x00000000
0x00fe160c
0x00fe1613
0x00fe161a
0x00fe161d
0x00000000
0x00fe161f
0x00fe161f
0x00fe161f
0x00fe161d
0x00fe160a
0x00fe16e6
0x00fe15b4
0x00fe15bc
0x00fe15c3
0x00fe15c6
0x00000000
0x00fe15c8
0x00fe15cf
0x00fe15d6
0x00fe15d9
0x00000000
0x00fe15db
0x00fe15db
0x00fe15db
0x00fe15d9
0x00fe15c6
0x00fe16ec
0x00fe1570
0x00fe1578
0x00fe157f
0x00fe1582
0x00000000
0x00fe1584
0x00fe158b
0x00fe1592
0x00fe1595
0x00000000
0x00fe1597
0x00fe1597
0x00fe1597
0x00fe1595
0x00fe1582
0x00fe16f2
0x00fe153f
0x00fe1547
0x00fe154e
0x00fe1551
0x00000000
0x00fe1553
0x00fe1553
0x00fe1553
0x00fe1551
0x00fe16f8
0x00fe14fb
0x00fe1503
0x00fe150a
0x00fe150d
0x00000000
0x00fe150f
0x00fe1516
0x00fe151d
0x00fe1520
0x00000000
0x00fe1522
0x00fe1522
0x00fe1522
0x00fe1520
0x00fe150d
0x00fe16fe
0x00fe14de
0x00fe14de
0x00fe14de
0x00fe1704
0x00fe149a
0x00fe14a2
0x00fe14ac
0x00000000
0x00fe14ae
0x00fe14b5
0x00fe14bf
0x00000000
0x00fe14c1
0x00fe14c1
0x00fe14c1
0x00fe14bf
0x00fe14ac
0x00fe170a
0x00fe1715
0x00fe171f
0x00fe1734
0x00fe1721
0x00fe1729
0x00fe172f
0x00fe172f
0x00fe173b
0x00fe1746
0x00fe174c
0x00fe1757
0x00fe175d
0x00fe1768
0x00fe176e
0x00fe1779
0x00fe177f
0x00fe178a
0x00fe1790
0x00fe179b
0x00fe17a1
0x00fe17ac
0x00fe17b2
0x00fe17b8
0x00fe17da
0x00fe17ef

APIs

_Smanip.LIBCPMTD ref: 00FE17C9

Strings

1, xrefs: 00FE16A1
4, xrefs: 00FE1553
1, xrefs: 00FE14C1
20220628153931, xrefs: 00FE17D5
6, xrefs: 00FE15DB
0, xrefs: 00FE1734
0, xrefs: 00FE1687
8, xrefs: 00FE1650
?, xrefs: 00FE16C1
3, xrefs: 00FE1522
9, xrefs: 00FE166D
2, xrefs: 00FE14DE
5, xrefs: 00FE1597
1, xrefs: 00FE147C
7, xrefs: 00FE161F

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Smanip
String ID: 0$0$1$1$1$2$20220628153931$3$4$5$6$7$8$9$?
API String ID: 2140389272-287424026
Opcode ID: 7b30ef69b18e2023807fc3952469e059a4db5900645b670e029c4d416b4d9fad
Instruction ID: 01e5b7b47e333dd313fb580224d39e8930b1f2fe4f632bd20b10cc0f8660fdf0
Opcode Fuzzy Hash: 7b30ef69b18e2023807fc3952469e059a4db5900645b670e029c4d416b4d9fad
Instruction Fuzzy Hash: 90B1E921D091D55DE70F866A40A43FEAFB67B93350F2C81E9C0A25FBC3C1BA8A85D751

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4160 Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 403
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00FE4160(void* __ebx, void* __edi, void* __esi, void* __fp0, signed int _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v8;
				char _v116;
				char _v124;
				signed int _v148;
				signed int _v152;
				char _v164;
				intOrPtr _v168;
				char* _v172;
				char* _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				char* _v240;
				unsigned int _v244;
				char _v245;
				signed int _v252;
				char _v261;
				signed int _v268;
				unsigned int _v272;
				unsigned int _v276;
				unsigned int _v284;
				signed int _t109;
				intOrPtr _t116;
				char _t121;
				char _t124;
				void* _t126;
				char _t132;
				signed int _t134;
				signed int _t137;
				char _t138;
				void* _t140;
				intOrPtr _t143;
				intOrPtr* _t146;
				signed int _t150;
				intOrPtr _t152;
				intOrPtr* _t163;
				void* _t166;
				intOrPtr _t169;
				intOrPtr* _t171;
				signed int _t172;
				signed int _t173;
				intOrPtr* _t175;
				signed int _t177;
				signed int _t180;
				signed int _t182;
				void* _t196;
				void* _t199;

				_t199 = __fp0;
				_t140 = __ebx;
				_t182 = (_t180 & 0xfffffff0) - 0xf8;
				_t109 =  *0x1126944; // 0x1b5cf865
				_v8 = _t109 ^ _t182;
				_t111 = _a4;
				_t169 = _a8;
				_v180 = _a4;
				_push(__edi);
				_t163 = _a12;
				if(_t169 == 0) {
					L69:
					return E010C54D2(_t111, _v8 ^ _t182, _t160);
				} else {
					_t143 =  *_t163;
					if(_t143 == 0) {
						goto L69;
					} else {
						_t160 =  *(_t143 + 8) & 0x0000ffff;
						_t111 = _t160 & 0x00000202;
						if((_t160 & 0x00000202) != 0x202 ||  *((char*)(_t143 + 0xa)) != 1) {
							if((_t160 & 0x00000001) != 0) {
								goto L69;
							} else {
								_t160 = 1;
								_t111 = E01005A00(1, _t163);
								goto L7;
							}
						} else {
							_t111 =  *(_t143 + 0x10);
							L7:
							_v184 = _t111;
							if(_t111 == 0) {
								goto L69;
							} else {
								_t160 = _t169 - 1;
								_t171 = _v180;
								_t111 = E00FE3C60(_t171, _t169 - 1, _t199, _t163 + 4,  &_v244);
								_t182 = _t182 + 8;
								if(_t111 != 0) {
									goto L69;
								} else {
									_t146 = _v184;
									_t172 = 1;
									_t160 =  *( *_t171 + 0x20);
									_t116 =  *_t146;
									_v176 = _t160;
									if(_t116 == 0) {
										L27:
										_v252 =  &_v116;
										goto L28;
									} else {
										do {
											if(_t116 != 0x25) {
												goto L18;
											} else {
												_t138 =  *((char*)(_t146 + 1));
												_t146 = _t146 + 1;
												_t111 = _t138 + 0xffffffdb;
												if(_t111 > 0x52) {
													goto L69;
												} else {
													switch( *((intOrPtr*)(( *(_t111 + 0xfe46e4) & 0x000000ff) * 4 +  &M00FE46CC))) {
														case 0:
															goto L18;
														case 1:
															_t172 = _t172 + 1;
															goto L17;
														case 2:
															__esi = __esi + 0x32;
															goto L17;
														case 3:
															__esi = __esi + 8;
															goto L17;
														case 4:
															__esi = __esi + 3;
															L17:
															asm("adc edi, 0x0");
															goto L18;
														case 5:
															goto L69;
													}
												}
											}
											goto L70;
											L18:
											_t116 =  *((intOrPtr*)(_t146 + 1));
											_t146 = _t146 + 1;
											_t172 = _t172 + 1;
											asm("adc edi, 0x0");
										} while (_t116 != 0);
										if(0 != 0 || _t172 >= 0x64) {
											_t132 = _t160[0x64];
											asm("cdq");
											_t196 = 0 - _t160;
											if(_t196 < 0 || _t196 <= 0 && _t172 <= _t132) {
												asm("cdq");
												_t134 = E00FE5520(_t160, _t172, _t160);
												_t182 = _t182 + 8;
												_v252 = _t134;
												if(_t134 != 0) {
													L28:
													E00FE2B20( &_v244, 0);
													E00FE2F80( &_v244, _t160);
													E00FE30D0( &_v244);
													_t173 = _v184;
													_t166 = 0;
													_t121 =  *_t173;
													if(_t121 != 0) {
														asm("movsd xmm1, [esp+0x30]");
														asm("movaps xmm0, [esp+0x30]");
														asm("movaps xmm2, [esp+0x20]");
														_t160 = _v240;
														asm("movaps xmm3, [esp+0x10]");
														do {
															if(_t121 == 0x25) {
																_t124 =  *((intOrPtr*)(_t173 + 1));
																_v245 = _t124;
																_t126 = _t124 + 0xffffffb8;
																_v184 = _t173 + 1;
																if(_t126 > 0x2f) {
																	L63:
																	 *((char*)(_t166 + _v252)) = 0x25;
																	goto L64;
																} else {
																	switch( *((intOrPtr*)(( *(_t126 + 0xfe4768) & 0x000000ff) * 4 +  &M00FE4738))) {
																		case 0:
																			_push(_v224);
																			goto L35;
																		case 1:
																			__esi = _v252;
																			__esi = _v252 + __edi;
																			__eax = L010C5E50(__eax, __ecx);
																			asm("divsd xmm0, [0x111d6c8]");
																			__esp = __esp - 8;
																			asm("movsd [esp], xmm0");
																			_push("%.16g");
																			_push(__esi);
																			_push(0x14);
																			__eax = E00FE7790(__ebx, __edi, __esi);
																			__esp = __esp + 0x14;
																			if(__esi != 0) {
																				__ecx = __esi + 1;
																				do {
																					__al =  *__esi;
																					__esi = __esi + 1;
																				} while (__al != 0);
																				__esi = __esi - __ecx;
																				__esi = __esi & 0x3fffffff;
																			}
																			goto L37;
																		case 2:
																			_push(_v220);
																			goto L35;
																		case 3:
																			asm("cvttsd2si eax, xmm1");
																			_push(__eax);
																			goto L35;
																		case 4:
																			asm("movaps [esp+0x60], xmm3");
																			__ecx =  &_v164;
																			asm("movaps [esp+0x70], xmm2");
																			asm("movaps [esp+0x80], xmm0");
																			_v124 = 0;
																			_v152 = 1;
																			_v148 = 1;
																			__eax = E00FE2B20( &_v164, __edi);
																			_v244 = _v244 - _v164;
																			__eax = _v240;
																			asm("sbb eax, [esp+0x64]");
																			__ecx = _v244 - _v164 + 0x2932e00;
																			asm("adc eax, 0x0");
																			__esi = E010EE440(_v244 - _v164 + 0x2932e00, _v240, 0x5265c00, 0);
																			_v268 = _v268 + __edi;
																			_v184 = _v268 + __edi;
																			if(_v261 != 0x57) {
																				_t79 = __esi + 1; // 0x1
																				__eax = _t79;
																				_v172 = "%03d";
																				_v176 = 4;
																				__esi = 3;
																				__eax = E00FE7790(__ebx, __edi, 3, _v176, _v168, _v172, _t79);
																			} else {
																				__edx = _v244;
																				__ecx = _v240;
																				__edx = _v244 + 0x2932e00;
																				asm("adc ecx, 0x0");
																				_v176 = 3;
																				_v172 = "%02d";
																				__eax = E010EE440(_v244 + 0x2932e00, _v240, 0x5265c00, 0);
																				__esi = __esi - __eax;
																				__eax = 0x92492493;
																				__esi = __esi + 7;
																				__edx = 0x92492493 * __esi >> 0x20;
																				__eax = 0x92492493 * __esi;
																				__edx = (0x92492493 * __esi >> 0x20) + __esi;
																				__esi = 2;
																				__edx = __edx >> 2;
																				__eax = (__edx >> 0x1f) + __edx;
																				__eax = E00FE7790(__ebx, __edi, 2, _v208, _v200, _v204, (__edx >> 0x1f) + __edx);
																			}
																			goto L36;
																		case 5:
																			__esi = _v252;
																			__esi = _v252 + __edi;
																			__eax = E00FE7790(__ebx, __edi, __esi, 5, __esi, "%04d", _v236);
																			if(__esi != 0) {
																				__ecx = __esi + 1;
																				do {
																					__al =  *__esi;
																					__esi = __esi + 1;
																				} while (__al != 0);
																				__esi = __esi - __ecx;
																				__esi = __esi & 0x3fffffff;
																			}
																			goto L37;
																		case 6:
																			_push(_v228);
																			goto L35;
																		case 7:
																			asm("movsd xmm0, [0x111d688]");
																			__esp = __esp - 8;
																			__esi = _v252;
																			asm("minsd xmm0, xmm1");
																			__esi = _v252 + __edi;
																			asm("movsd [esp], xmm0");
																			_push("%06.3f");
																			_push(__esi);
																			_push(7);
																			__eax = E00FE7790(__ebx, __edi, __esi);
																			__esp = __esp + 0x14;
																			if(__esi != 0) {
																				__ecx = __esi + 1;
																				do {
																					__al =  *__esi;
																					__esi = __esi + 1;
																				} while (__al != 0);
																				__esi = __esi - __ecx;
																				__esi = __esi & 0x3fffffff;
																			}
																			asm("movsd xmm1, [esp+0x30]");
																			asm("movaps xmm0, [esp+0x30]");
																			asm("movaps xmm2, [esp+0x20]");
																			asm("movaps xmm3, [esp+0x10]");
																			__edx = _v240;
																			__ecx = _v244;
																			goto L65;
																		case 8:
																			_push(_v232);
																			L35:
																			_push("%02d");
																			_push(_v252 + _t166);
																			_push(3);
																			E00FE7790(_t140, _t166, _t176);
																			_t177 = 2;
																			L36:
																			_t182 = _t182 + 0x10;
																			goto L37;
																		case 9:
																			__esi = _v252;
																			__esi = _v252 + __edi;
																			E010EE440(__ecx, __edx, 0x3e8, 0) = __eax - 0x18a36940;
																			asm("sbb edx, 0x31");
																			_push(__edx);
																			__eax = E00FE7790(__ebx, __edi, __esi, 0x1e, __esi, "%lld", __eax);
																			if(__esi == 0) {
																				L37:
																				asm("movsd xmm1, [esp+0x30]");
																				asm("movaps xmm0, [esp+0x30]");
																				asm("movaps xmm2, [esp+0x20]");
																				asm("movaps xmm3, [esp+0x10]");
																				_t160 = _v240;
																				goto L65;
																			} else {
																				__ecx = __esi + 1;
																				do {
																					__al =  *__esi;
																					__esi = __esi + 1;
																				} while (__al != 0);
																				__esi = __esi - __ecx;
																				__esi = __esi & 0x3fffffff;
																				goto L37;
																			}
																			goto L66;
																		case 0xa:
																			__ecx = __ecx + 0x7b98a00;
																			__eax = __edx;
																			asm("adc eax, 0x0");
																			__eax = E010EE440(__ecx, __edx, 0x5265c00, 0);
																			__eax = E010EE5D0(__eax, __edx, 7, 0);
																			__ecx = _v284;
																			__al = __al + 0x30;
																			asm("movsd xmm1, [esp+0x30]");
																			asm("movaps xmm0, [esp+0x30]");
																			asm("movaps xmm2, [esp+0x20]");
																			asm("movaps xmm3, [esp+0x10]");
																			__edx = _v272;
																			 *((char*)(__edi + _v284)) = __al;
																			__ecx = _v276;
																			goto L64;
																		case 0xb:
																			goto L63;
																	}
																}
															} else {
																 *((char*)(_t166 + _v252)) = _t121;
																L64:
																_t177 = 1;
															}
															L65:
															_t166 = _t166 + _t177;
															_t173 = _v184 + 1;
															_v184 = _t173;
															_t121 =  *_t173;
														} while (_t121 != 0);
													}
													L66:
													_t150 = _v252;
													_t175 = _v180;
													_t123 =  ==  ? _t150 | 0xffffffff : E00FE5100;
													 *((char*)(_t166 + _t150)) = 0;
													_t160 = _t150;
													_t111 = E01005680( *_t175, _t150, 0xffffffff, 1,  ==  ? _t150 | 0xffffffff : E00FE5100);
													_t182 = _t182 + 0xc;
													if(_t111 == 0x12) {
														_t152 =  *_t175;
														 *(_t175 + 0x14) = _t111;
														 *((char*)(_t175 + 0x19)) = 1;
														goto L68;
													}
													goto L69;
												} else {
													return E010C54D2(E0100BE00(_v180), _v8 ^ _t182 + 0x00000004, _t160);
												}
											} else {
												_t137 = _v180;
												_t152 =  *_t137;
												 *((intOrPtr*)(_t137 + 0x14)) = 0x12;
												 *((char*)(_t137 + 0x19)) = 1;
												L68:
												_t160 = "string or blob too big";
												_t111 = E01005680(_t152, "string or blob too big", 0xffffffff, 1, 0);
												_t182 = _t182 + 0xc;
												goto L69;
											}
										} else {
											goto L27;
										}
									}
								}
							}
						}
					}
				}
				L70:
			}

0x00fe4160
0x00fe4160
0x00fe4166
0x00fe416c
0x00fe4173
0x00fe417a
0x00fe417e
0x00fe4181
0x00fe4185
0x00fe4186
0x00fe418b
0x00fe46b8
0x00fe46cb
0x00fe4191
0x00fe4191
0x00fe4195
0x00000000
0x00fe419b
0x00fe419b
0x00fe41a1
0x00fe41ab
0x00fe41bb
0x00000000
0x00fe41c1
0x00fe41c1
0x00fe41c3
0x00000000
0x00fe41c3
0x00fe41b3
0x00fe41b3
0x00fe41c8
0x00fe41c8
0x00fe41ce
0x00000000
0x00fe41d4
0x00fe41dc
0x00fe41df
0x00fe41e6
0x00fe41eb
0x00fe41f0
0x00000000
0x00fe41f6
0x00fe41fa
0x00fe41fe
0x00fe4203
0x00fe4206
0x00fe4208
0x00fe420e
0x00fe42c0
0x00fe42c7
0x00000000
0x00fe4214
0x00fe4214
0x00fe4216
0x00000000
0x00fe4218
0x00fe4218
0x00fe421c
0x00fe421d
0x00fe4223
0x00000000
0x00fe4229
0x00fe4230
0x00000000
0x00000000
0x00000000
0x00fe4237
0x00000000
0x00000000
0x00fe4246
0x00000000
0x00000000
0x00fe423c
0x00000000
0x00000000
0x00fe4241
0x00fe4249
0x00fe4249
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe4230
0x00fe4223
0x00000000
0x00fe424c
0x00fe424c
0x00fe424f
0x00fe4250
0x00fe4253
0x00fe4256
0x00fe425c
0x00fe4263
0x00fe4266
0x00fe4267
0x00fe4269
0x00fe428d
0x00fe4290
0x00fe4295
0x00fe4298
0x00fe429e
0x00fe42cb
0x00fe42cf
0x00fe42d8
0x00fe42e1
0x00fe42e6
0x00fe42ea
0x00fe42ec
0x00fe42f0
0x00fe42f6
0x00fe42fc
0x00fe4301
0x00fe4306
0x00fe430a
0x00fe4313
0x00fe4315
0x00fe4327
0x00fe432b
0x00fe4332
0x00fe4335
0x00fe433c
0x00fe4644
0x00fe4648
0x00000000
0x00fe4342
0x00fe4349
0x00000000
0x00fe43f3
0x00000000
0x00000000
0x00fe4506
0x00fe450a
0x00fe450c
0x00fe4511
0x00fe4519
0x00fe451c
0x00fe4521
0x00fe4526
0x00fe4527
0x00fe4529
0x00fe452e
0x00fe4533
0x00fe4539
0x00fe4540
0x00fe4540
0x00fe4542
0x00fe4543
0x00fe4547
0x00fe4549
0x00fe4549
0x00000000
0x00000000
0x00fe455d
0x00000000
0x00000000
0x00fe45b4
0x00fe45b8
0x00000000
0x00000000
0x00fe43fc
0x00fe4401
0x00fe4405
0x00fe440a
0x00fe4412
0x00fe441a
0x00fe4422
0x00fe442a
0x00fe4433
0x00fe4437
0x00fe443b
0x00fe443f
0x00fe444c
0x00fe4456
0x00fe445c
0x00fe4463
0x00fe4467
0x00fe44d7
0x00fe44d7
0x00fe44da
0x00fe44e7
0x00fe44ef
0x00fe44fc
0x00fe4469
0x00fe4469
0x00fe446d
0x00fe4471
0x00fe447e
0x00fe4481
0x00fe448b
0x00fe4493
0x00fe44a3
0x00fe44a5
0x00fe44aa
0x00fe44ad
0x00fe44ad
0x00fe44af
0x00fe44b1
0x00fe44b6
0x00fe44be
0x00fe44cd
0x00fe44cd
0x00000000
0x00000000
0x00fe460e
0x00fe4617
0x00fe461c
0x00fe4626
0x00fe462c
0x00fe4630
0x00fe4630
0x00fe4632
0x00fe4633
0x00fe4637
0x00fe4639
0x00fe4639
0x00000000
0x00000000
0x00fe4350
0x00000000
0x00000000
0x00fe4391
0x00fe4399
0x00fe439c
0x00fe43a0
0x00fe43a4
0x00fe43a6
0x00fe43ab
0x00fe43b0
0x00fe43b1
0x00fe43b3
0x00fe43b8
0x00fe43bd
0x00fe43bf
0x00fe43c2
0x00fe43c2
0x00fe43c4
0x00fe43c5
0x00fe43c9
0x00fe43cb
0x00fe43cb
0x00fe43d1
0x00fe43d7
0x00fe43dc
0x00fe43e1
0x00fe43e6
0x00fe43ea
0x00000000
0x00000000
0x00fe4554
0x00fe4354
0x00fe4358
0x00fe435f
0x00fe4360
0x00fe4362
0x00fe4367
0x00fe436c
0x00fe436c
0x00000000
0x00000000
0x00fe4566
0x00fe4573
0x00fe457a
0x00fe457f
0x00fe4582
0x00fe458c
0x00fe4596
0x00fe436f
0x00fe436f
0x00fe4375
0x00fe437a
0x00fe437f
0x00fe4384
0x00000000
0x00fe459c
0x00fe459c
0x00fe45a0
0x00fe45a0
0x00fe45a2
0x00fe45a3
0x00fe45a7
0x00fe45a9
0x00000000
0x00fe45a9
0x00000000
0x00000000
0x00fe45be
0x00fe45c4
0x00fe45cd
0x00fe45d2
0x00fe45dd
0x00fe45e2
0x00fe45e6
0x00fe45e8
0x00fe45ee
0x00fe45f3
0x00fe45f8
0x00fe45fd
0x00fe4601
0x00fe4604
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe4349
0x00fe4317
0x00fe431b
0x00fe464c
0x00fe464c
0x00fe464c
0x00fe4651
0x00fe4651
0x00fe4657
0x00fe4658
0x00fe465c
0x00fe465e
0x00fe4313
0x00fe4666
0x00fe4666
0x00fe467b
0x00fe467f
0x00fe4682
0x00fe4689
0x00fe468f
0x00fe4694
0x00fe469a
0x00fe469c
0x00fe469e
0x00fe46a1
0x00000000
0x00fe46a1
0x00000000
0x00fe42a0
0x00fe42bf
0x00fe42bf
0x00fe4271
0x00fe4271
0x00fe4275
0x00fe4277
0x00fe427e
0x00fe46a5
0x00fe46ab
0x00fe46b0
0x00fe46b5
0x00000000
0x00fe46b5
0x00000000
0x00000000
0x00000000
0x00fe425c
0x00fe420e
0x00fe41f0
0x00fe41ce
0x00fe41ab
0x00fe4195
0x00000000

Strings

%lld, xrefs: 00FE4584
%04d, xrefs: 00FE4612
%06.3f, xrefs: 00FE43AB
%.16g, xrefs: 00FE4521
W, xrefs: 00FE445E
%02d, xrefs: 00FE4358, 00FE448B
string or blob too big, xrefs: 00FE46AB

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID: %.16g$%02d$%04d$%06.3f$%lld$W$string or blob too big
API String ID: 0-4289744004
Opcode ID: faacd83da877c4cdc603011511ec8b68d24e00e103aa54fde6380fe3e8b9a35a
Instruction ID: f706db46eea31b9efaf908fb434fd1a7302852a1e207f719b853b04d3605cb9a
Opcode Fuzzy Hash: faacd83da877c4cdc603011511ec8b68d24e00e103aa54fde6380fe3e8b9a35a
Instruction Fuzzy Hash: 57E120729083819FD725CF29C801BAAF7E5BF91714F054A4CFCE467291EB35E805AB92

Uniqueness

Uniqueness Score: -1.00%

Function 010E5234 Relevance: 19.6, APIs: 13, Instructions: 88
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E010E5234(intOrPtr _a4) {
				intOrPtr _t15;
				intOrPtr _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t54 = _a4;
				if(_t54 != 0) {
					_t56 =  *((intOrPtr*)(_t54 + 0xc)) -  *0x11269dc; // 0x112c788
					if(_t56 != 0) {
						E010DDAF9(_t16);
					}
					_t57 =  *((intOrPtr*)(_t54 + 0x10)) -  *0x11269e0; // 0x112c788
					if(_t57 != 0) {
						E010DDAF9(_t17);
					}
					_t58 =  *((intOrPtr*)(_t54 + 0x14)) -  *0x11269e4; // 0x112c788
					if(_t58 != 0) {
						E010DDAF9(_t18);
					}
					_t59 =  *((intOrPtr*)(_t54 + 0x18)) -  *0x11269e8; // 0x112c788
					if(_t59 != 0) {
						E010DDAF9(_t19);
					}
					_t60 =  *((intOrPtr*)(_t54 + 0x1c)) -  *0x11269ec; // 0x112c788
					if(_t60 != 0) {
						E010DDAF9(_t20);
					}
					_t61 =  *((intOrPtr*)(_t54 + 0x20)) -  *0x11269f0; // 0x112c788
					if(_t61 != 0) {
						E010DDAF9(_t21);
					}
					_t62 =  *((intOrPtr*)(_t54 + 0x24)) -  *0x11269f4; // 0x112c788
					if(_t62 != 0) {
						E010DDAF9(_t22);
					}
					_t63 =  *((intOrPtr*)(_t54 + 0x38)) -  *0x1126a08; // 0x112c78c
					if(_t63 != 0) {
						E010DDAF9(_t23);
					}
					_t64 =  *((intOrPtr*)(_t54 + 0x3c)) -  *0x1126a0c; // 0x112c78c
					if(_t64 != 0) {
						E010DDAF9(_t24);
					}
					_t65 =  *((intOrPtr*)(_t54 + 0x40)) -  *0x1126a10; // 0x112c78c
					if(_t65 != 0) {
						E010DDAF9(_t25);
					}
					_t66 =  *((intOrPtr*)(_t54 + 0x44)) -  *0x1126a14; // 0x112c78c
					if(_t66 != 0) {
						E010DDAF9(_t26);
					}
					_t67 =  *((intOrPtr*)(_t54 + 0x48)) -  *0x1126a18; // 0x112c78c
					if(_t67 != 0) {
						E010DDAF9(_t27);
					}
					_t15 =  *((intOrPtr*)(_t54 + 0x4c));
					_t68 = _t15 -  *0x1126a1c; // 0x112c78c
					if(_t68 != 0) {
						return E010DDAF9(_t15);
					}
				}
				return _t15;
			}

0x010e523a
0x010e523f
0x010e5248
0x010e524e
0x010e5251
0x010e5256
0x010e525a
0x010e5260
0x010e5263
0x010e5268
0x010e526c
0x010e5272
0x010e5275
0x010e527a
0x010e527e
0x010e5284
0x010e5287
0x010e528c
0x010e5290
0x010e5296
0x010e5299
0x010e529e
0x010e52a2
0x010e52a8
0x010e52ab
0x010e52b0
0x010e52b4
0x010e52ba
0x010e52bd
0x010e52c2
0x010e52c6
0x010e52cc
0x010e52cf
0x010e52d4
0x010e52d8
0x010e52de
0x010e52e1
0x010e52e6
0x010e52ea
0x010e52f0
0x010e52f3
0x010e52f8
0x010e52fc
0x010e5302
0x010e5305
0x010e530a
0x010e530e
0x010e5314
0x010e5317
0x010e531c
0x010e531d
0x010e5320
0x010e5326
0x00000000
0x010e532e
0x010e5326
0x010e5331

APIs

_free.LIBCMT ref: 010E5251

Part of subcall function 010DDAF9: HeapFree.KERNEL32(00000000,00000000,?,010E5989,?,00000000,?,?,?,010E5C2C,?,00000007,?,?,010E6222,?), ref: 010DDB0F
Part of subcall function 010DDAF9: GetLastError.KERNEL32(?,?,010E5989,?,00000000,?,?,?,010E5C2C,?,00000007,?,?,010E6222,?,?), ref: 010DDB21

_free.LIBCMT ref: 010E5263
_free.LIBCMT ref: 010E5275
_free.LIBCMT ref: 010E5287
_free.LIBCMT ref: 010E5299
_free.LIBCMT ref: 010E52AB
_free.LIBCMT ref: 010E52BD
_free.LIBCMT ref: 010E52CF
_free.LIBCMT ref: 010E52E1
_free.LIBCMT ref: 010E52F3
_free.LIBCMT ref: 010E5305
_free.LIBCMT ref: 010E5317
_free.LIBCMT ref: 010E5329

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9360c5c3265e2addad322bbae33a2675d511642c91ede2fb86feaadaa5d50f6e
Instruction ID: f102bc54dda0261fdc0fd6efaf6167070ed6635f655b1e1607da5cb483e0dee9
Opcode Fuzzy Hash: 9360c5c3265e2addad322bbae33a2675d511642c91ede2fb86feaadaa5d50f6e
Instruction Fuzzy Hash: B6215C36208300AFCA78EFBEF899C5A37E9AA143107648C99F595D35C1CE70F8C08B21

Uniqueness

Uniqueness Score: -1.00%

Function 010E608B Relevance: 18.1, APIs: 12, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E010E608B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x11269d0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E010DDAF9(_t46);
							E010E5234( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E010DDAF9(_t47);
							E010E56E8( *((intOrPtr*)(_t74 + 0x88)));
						}
						E010DDAF9( *((intOrPtr*)(_t74 + 0x7c)));
						E010DDAF9( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E010DDAF9( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E010DDAF9( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E010DDAF9( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E010DDAF9( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E010E61FC( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x1126bc8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E010DDAF9(_t31);
							E010DDAF9( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E010DDAF9(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E010DDAF9(_t74);
			}

0x010e6093
0x010e6097
0x010e609f
0x010e60a8
0x010e60ad
0x010e60b4
0x010e60bc
0x010e60c4
0x010e60cf
0x010e60d5
0x010e60d6
0x010e60de
0x010e60e6
0x010e60f1
0x010e60f7
0x010e60fb
0x010e6106
0x010e610c
0x010e60ad
0x010e610d
0x010e6115
0x010e6128
0x010e613b
0x010e6149
0x010e6154
0x010e6159
0x010e6162
0x010e616a
0x010e616b
0x010e6171
0x010e6174
0x010e6177
0x010e617e
0x010e6180
0x010e6184
0x010e618c
0x010e6193
0x010e6199
0x010e619a
0x010e619a
0x010e61a1
0x010e61a3
0x010e61a8
0x010e61b0
0x010e61b5
0x010e61b6
0x010e61b6
0x010e61b9
0x010e61bc
0x010e61bf
0x010e61c2
0x010e61c2
0x010e61d2

APIs

_free.LIBCMT ref: 010E60C4

Part of subcall function 010DDAF9: HeapFree.KERNEL32(00000000,00000000,?,010E5989,?,00000000,?,?,?,010E5C2C,?,00000007,?,?,010E6222,?), ref: 010DDB0F
Part of subcall function 010DDAF9: GetLastError.KERNEL32(?,?,010E5989,?,00000000,?,?,?,010E5C2C,?,00000007,?,?,010E6222,?,?), ref: 010DDB21

Part of subcall function 010E5234: _free.LIBCMT ref: 010E5251
Part of subcall function 010E5234: _free.LIBCMT ref: 010E5263
Part of subcall function 010E5234: _free.LIBCMT ref: 010E5275
Part of subcall function 010E5234: _free.LIBCMT ref: 010E5287
Part of subcall function 010E5234: _free.LIBCMT ref: 010E5299
Part of subcall function 010E5234: _free.LIBCMT ref: 010E52AB
Part of subcall function 010E5234: _free.LIBCMT ref: 010E52BD
Part of subcall function 010E5234: _free.LIBCMT ref: 010E52CF
Part of subcall function 010E5234: _free.LIBCMT ref: 010E52E1
Part of subcall function 010E5234: _free.LIBCMT ref: 010E52F3
Part of subcall function 010E5234: _free.LIBCMT ref: 010E5305
Part of subcall function 010E5234: _free.LIBCMT ref: 010E5317
Part of subcall function 010E5234: _free.LIBCMT ref: 010E5329

_free.LIBCMT ref: 010E60E6
_free.LIBCMT ref: 010E60FB
_free.LIBCMT ref: 010E6106
_free.LIBCMT ref: 010E6128
_free.LIBCMT ref: 010E613B
_free.LIBCMT ref: 010E6149
_free.LIBCMT ref: 010E6154
_free.LIBCMT ref: 010E618C
_free.LIBCMT ref: 010E6193
_free.LIBCMT ref: 010E61B0
_free.LIBCMT ref: 010E61C8

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21b6fbaf5ef29fe050500db30ca68e942d18ce71564e8f1e763034400521d9c6
Instruction ID: da52cfa6c8296e3543ba7f65eeffd1a1073d53d622c6237ddfae337125574dcc
Opcode Fuzzy Hash: 21b6fbaf5ef29fe050500db30ca68e942d18ce71564e8f1e763034400521d9c6
Instruction Fuzzy Hash: A13163316047029FEB629FBEE848B9A77E4AF20350F1484D9E5D5D7192DF72E880CB11

Uniqueness

Uniqueness Score: -1.00%

Function 010DEEA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E010DEEA0(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x112cc88 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x110d0c0 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E010DD0DE(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E010DD0DE(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x010deea9
0x010def53
0x010deeb1
0x010deeb3
0x010deeba
0x010deebc
0x010deec2
0x010deecf
0x010deee4
0x010deee8
0x010def3a
0x010def3a
0x010def3f
0x010def43
0x010def46
0x010def46
0x010def4c
0x010def4e
0x010def63
0x010def5e
0x010def62
0x010def62
0x010def50
0x010def50
0x00000000
0x010def50
0x010deeea
0x010deef3
0x010def2a
0x010def2a
0x010def2c
0x010def2e
0x00000000
0x00000000
0x010def36
0x00000000
0x010def36
0x010deefd
0x010def02
0x010def07
0x00000000
0x00000000
0x010def11
0x010def16
0x010def1b
0x00000000
0x00000000
0x010def20
0x010def26
0x00000000
0x010def26
0x010deec7
0x00000000
0x00000000
0x00000000
0x010deecd
0x010def5c
0x00000000

Strings

ext-ms-, xrefs: 010DEF0B
api-ms-, xrefs: 010DEEF7

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 230ea4a271e109facfb8c3ea6f36354178fad253918f268573de74bb4f191903
Instruction ID: 6aeb8532054edb84ecc4cd7a7fe9c949c9954713dd8326df1b4a36f95d13234e
Opcode Fuzzy Hash: 230ea4a271e109facfb8c3ea6f36354178fad253918f268573de74bb4f191903
Instruction Fuzzy Hash: 41210832A05711EBDB329A68DC40B1E3A94AF057A0B1501D4FEDAEF2C4D770E900C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 010E5C13 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E010E5C13(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E010E595F(_t45, 7);
					E010E595F(_t45 + 0x1c, 7);
					E010E595F(_t45 + 0x38, 0xc);
					E010E595F(_t45 + 0x68, 0xc);
					E010E595F(_t45 + 0x98, 2);
					E010DDAF9( *((intOrPtr*)(_t45 + 0xa0)));
					E010DDAF9( *((intOrPtr*)(_t45 + 0xa4)));
					E010DDAF9( *((intOrPtr*)(_t45 + 0xa8)));
					E010E595F(_t45 + 0xb4, 7);
					E010E595F(_t45 + 0xd0, 7);
					E010E595F(_t45 + 0xec, 0xc);
					E010E595F(_t45 + 0x11c, 0xc);
					E010E595F(_t45 + 0x14c, 2);
					E010DDAF9( *((intOrPtr*)(_t45 + 0x154)));
					E010DDAF9( *((intOrPtr*)(_t45 + 0x158)));
					E010DDAF9( *((intOrPtr*)(_t45 + 0x15c)));
					return E010DDAF9( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x010e5c19
0x010e5c1e
0x010e5c27
0x010e5c32
0x010e5c3d
0x010e5c48
0x010e5c56
0x010e5c61
0x010e5c6c
0x010e5c77
0x010e5c85
0x010e5c93
0x010e5ca4
0x010e5cb2
0x010e5cc0
0x010e5ccb
0x010e5cd6
0x010e5ce1
0x00000000
0x010e5cf1
0x010e5cf6

APIs

Part of subcall function 010E595F: _free.LIBCMT ref: 010E5984

_free.LIBCMT ref: 010E5C61

Part of subcall function 010DDAF9: HeapFree.KERNEL32(00000000,00000000,?,010E5989,?,00000000,?,?,?,010E5C2C,?,00000007,?,?,010E6222,?), ref: 010DDB0F
Part of subcall function 010DDAF9: GetLastError.KERNEL32(?,?,010E5989,?,00000000,?,?,?,010E5C2C,?,00000007,?,?,010E6222,?,?), ref: 010DDB21

_free.LIBCMT ref: 010E5C6C
_free.LIBCMT ref: 010E5C77
_free.LIBCMT ref: 010E5CCB
_free.LIBCMT ref: 010E5CD6
_free.LIBCMT ref: 010E5CE1
_free.LIBCMT ref: 010E5CEC

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 19819d5cab3d69d3db10b2d0ee7c6680dad567709245d65b06aa0ad9845c4bf1
Instruction ID: c5572a4eebf93b21a09c02df8f7269ec3526e0c0d2117221f65a9a59820439af
Opcode Fuzzy Hash: 19819d5cab3d69d3db10b2d0ee7c6680dad567709245d65b06aa0ad9845c4bf1
Instruction Fuzzy Hash: 68114CB5540B06AFD621BBF1CC09FCB77DCAF11724F404C15B3DAA6092EAA5B62487A1

Uniqueness

Uniqueness Score: -1.00%

Function 010D8028 Relevance: 9.3, APIs: 6, Instructions: 270
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E010D8028(void* __edx, void* __fp0, void _a4) {
				void* _v4;
				char _v12;
				void _v16;
				char _v20;
				void _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				void* _t65;
				void _t68;
				void* _t69;
				void _t71;
				void _t73;
				void _t75;
				intOrPtr _t78;
				void _t79;
				void* _t80;
				void _t82;
				void* _t83;
				void _t85;
				void _t91;
				void _t100;
				void _t104;
				void* _t107;
				void* _t108;
				void _t111;
				void _t113;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				void* _t123;
				void* _t125;
				void _t126;
				void* _t130;
				void* _t134;
				void _t136;
				intOrPtr _t139;
				void _t141;
				void _t145;
				void* _t146;
				void* _t148;
				void* _t150;
				void* _t151;
				void _t153;
				void _t154;
				void _t155;
				void* _t156;
				void* _t157;
				void* _t159;
				void* _t160;
				void* _t162;

				_t162 = __fp0;
				_t134 = __edx;
				E010D7EFE(_a4);
				asm("int3");
				while(1) {
					_push(_t156);
					_t157 = _t159;
					_t160 = _t159 - 0x14;
					_push(_t151);
					_t151 = _v4;
					_t161 = _t151;
					if(_t151 == 0) {
						break;
					}
					_push(_t141);
					_t118 = 9;
					memset(_t151, _t62 | 0xffffffff, _t118 << 2);
					_t159 = _t160 + 0xc;
					_t141 = _a4;
					__eflags = _t141;
					if(__eflags != 0) {
						_push(0);
						__eflags =  *(_t141 + 4);
						if(__eflags > 0) {
							L8:
							_t65 = 7;
							__eflags =  *(_t141 + 4) - _t65;
							if(__eflags < 0) {
								L15:
								E010E3225(0, 0, _t134, _t141, _t151, __eflags, _t162);
								_v16 = 0;
								_v20 = 0;
								_v12 = 0;
								_t68 = E010E289C( &_v16);
								__eflags = _t68;
								if(_t68 != 0) {
									L48:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_t62 = E010CBD9F();
									asm("int3");
									_t156 = _t157;
									continue;
								}
								_t73 = E010E28C8( &_v20);
								__eflags = _t73;
								if(_t73 != 0) {
									goto L48;
								}
								_t75 = E010E28F4( &_v12);
								__eflags = _t75;
								if(_t75 != 0) {
									goto L48;
								}
								_t123 =  *_t141;
								_t111 =  *(_t141 + 4);
								_t136 = _t123 + 0xfffc0b7f;
								asm("adc eax, 0xffffffff");
								__eflags = _t111 - 7;
								if(__eflags > 0) {
									L26:
									_push(_t141);
									_t71 = E010D6A61();
									_t125 = _t151;
									__eflags = _t71;
									if(_t71 != 0) {
										L12:
										L13:
										L14:
										return _t71;
									}
									__eflags = _v16;
									asm("cdq");
									_t145 =  *_t151;
									_t113 = _t136;
									if(__eflags == 0) {
										L30:
										_t78 = _v12;
										L31:
										asm("cdq");
										_t146 = _t145 - _t78;
										asm("sbb ebx, edx");
										_t79 = E010EE5D0(_t146, _t113, 0x3c, 0);
										 *_t151 = _t79;
										__eflags = _t79;
										if(_t79 < 0) {
											_t146 = _t146 + 0xffffffc4;
											 *_t151 = _t79 + 0x3c;
											asm("adc ebx, 0xffffffff");
										}
										_t80 = E010EE440(_t146, _t113, 0x3c, 0);
										_t114 = _t136;
										asm("cdq");
										_t148 = _t80 +  *(_t151 + 4);
										asm("adc ebx, edx");
										_t82 = E010EE5D0(_t148, _t136, 0x3c, 0);
										 *(_t151 + 4) = _t82;
										__eflags = _t82;
										if(_t82 < 0) {
											_t148 = _t148 + 0xffffffc4;
											 *(_t151 + 4) = _t82 + 0x3c;
											asm("adc ebx, 0xffffffff");
										}
										_t83 = E010EE440(_t148, _t114, 0x3c, 0);
										_t115 = _t136;
										asm("cdq");
										_t150 = _t83 +  *(_t151 + 8);
										asm("adc ebx, edx");
										_t85 = E010EE5D0(_t150, _t136, 0x18, 0);
										 *(_t151 + 8) = _t85;
										__eflags = _t85;
										if(_t85 < 0) {
											_t150 = _t150 + 0xffffffe8;
											 *(_t151 + 8) = _t85 + 0x18;
											asm("adc ebx, 0xffffffff");
										}
										_t126 = E010EE440(_t150, _t115, 0x18, 0);
										__eflags = _t136;
										if(__eflags < 0) {
											L44:
											 *(_t151 + 0xc) =  *(_t151 + 0xc) + _t126;
											asm("cdq");
											_t116 = 7;
											_t91 =  *(_t151 + 0xc);
											 *(_t151 + 0x18) = ( *(_t151 + 0x18) + 7 + _t126) % _t116;
											_t139 =  *((intOrPtr*)(_t151 + 0x1c)) + _t126;
											__eflags = _t91;
											if(_t91 > 0) {
												 *((intOrPtr*)(_t151 + 0x1c)) = _t139;
											} else {
												 *((intOrPtr*)(_t151 + 0x10)) = 0xb;
												 *((intOrPtr*)(_t151 + 0x14)) =  *((intOrPtr*)(_t151 + 0x14)) - 1;
												 *(_t151 + 0xc) = _t91 + 0x1f;
												 *((intOrPtr*)(_t151 + 0x1c)) = _t139 + 0x16d;
											}
											goto L47;
										} else {
											if(__eflags > 0) {
												L40:
												 *(_t151 + 0xc) =  *(_t151 + 0xc) + _t126;
												asm("cdq");
												_t117 = 7;
												 *((intOrPtr*)(_t151 + 0x1c)) =  *((intOrPtr*)(_t151 + 0x1c)) + _t126;
												 *(_t151 + 0x18) = ( *(_t151 + 0x18) + _t126) % _t117;
												L47:
												_t71 = 0;
												goto L12;
											}
											__eflags = _t126;
											if(_t126 == 0) {
												__eflags = _t136;
												if(__eflags > 0) {
													goto L47;
												}
												if(__eflags < 0) {
													goto L44;
												}
												__eflags = _t126;
												if(_t126 >= 0) {
													goto L47;
												}
												goto L44;
											}
											goto L40;
										}
									}
									_push(_t151);
									_t100 = E010E3282(_t113, _t125, _t136, _t145, _t151, __eflags, _t162);
									__eflags = _t100;
									if(_t100 == 0) {
										goto L30;
									}
									_t78 = _v12 + _v20;
									 *((intOrPtr*)(_t151 + 0x20)) = 1;
									goto L31;
								}
								if(__eflags < 0) {
									L21:
									asm("cdq");
									_push( &_v28);
									asm("sbb ebx, edx");
									_v28 = _t123 - _v12;
									_v24 = _t111;
									_t71 = E010D6A61();
									_t130 = _t151;
									__eflags = _t71;
									if(_t71 != 0) {
										goto L12;
									}
									__eflags = _v16 - _t71;
									if(__eflags == 0) {
										goto L47;
									}
									_push(_t151);
									_t104 = E010E3282(_t111, _t130, _t136, _t141, _t151, __eflags, _t162);
									__eflags = _t104;
									if(_t104 == 0) {
										goto L47;
									}
									asm("cdq");
									_v28 = _v28 - _v20;
									_push( &_v28);
									asm("sbb [ebp-0x10], edx");
									_push(_t151);
									_t71 = E010D6A61();
									__eflags = _t71;
									if(_t71 != 0) {
										goto L12;
									}
									 *((intOrPtr*)(_t151 + 0x20)) = 1;
									goto L47;
								}
								__eflags = _t136 - 0x935041fd;
								if(_t136 > 0x935041fd) {
									goto L26;
								}
								goto L21;
							}
							if(__eflags > 0) {
								L11:
								_t107 = E010CF349(__eflags);
								_t153 = 0x16;
								 *_t107 = _t153;
								_t71 = _t153;
								goto L12;
							}
							__eflags =  *_t141 - 0x93582aff;
							if(__eflags <= 0) {
								goto L15;
							}
							goto L11;
						}
						if(__eflags < 0) {
							goto L11;
						}
						__eflags =  *_t141;
						if(__eflags < 0) {
							goto L11;
						}
						goto L8;
					}
					_t108 = E010CF349(__eflags);
					_t154 = 0x16;
					 *_t108 = _t154;
					E010CBD72();
					_t71 = _t154;
					goto L13;
				}
				_t69 = E010CF349(_t161);
				_t155 = 0x16;
				 *_t69 = _t155;
				E010CBD72();
				_t71 = _t155;
				goto L14;
			}

0x010d8028
0x010d8028
0x010d8030
0x010d8035
0x010d8036
0x010d8038
0x010d8039
0x010d803b
0x010d803e
0x010d803f
0x010d8042
0x010d8044
0x00000000
0x00000000
0x010d8059
0x010d8061
0x010d8062
0x010d8062
0x010d8064
0x010d8067
0x010d8069
0x010d807e
0x010d8081
0x010d8084
0x010d808c
0x010d808e
0x010d808f
0x010d8092
0x010d80af
0x010d80af
0x010d80b7
0x010d80bb
0x010d80be
0x010d80c1
0x010d80c7
0x010d80c9
0x010d82ba
0x010d82ba
0x010d82bb
0x010d82bc
0x010d82bd
0x010d82be
0x010d82bf
0x010d82c4
0x010d82ca
0x00000000
0x010d82ca
0x010d80d3
0x010d80d9
0x010d80db
0x00000000
0x00000000
0x010d80e5
0x010d80eb
0x010d80ed
0x00000000
0x00000000
0x010d80f3
0x010d80f7
0x010d80fa
0x010d8102
0x010d8105
0x010d8108
0x010d8178
0x010d8178
0x010d817a
0x010d8180
0x010d8181
0x010d8183
0x010d80aa
0x010d80ab
0x010d80ac
0x010d80ae
0x010d80ae
0x010d8189
0x010d818f
0x010d8190
0x010d8192
0x010d8194
0x010d81b0
0x010d81b0
0x010d81b3
0x010d81b3
0x010d81b4
0x010d81ba
0x010d81be
0x010d81c3
0x010d81c5
0x010d81c7
0x010d81cc
0x010d81cf
0x010d81d1
0x010d81d1
0x010d81da
0x010d81e1
0x010d81e6
0x010d81e7
0x010d81ed
0x010d81f1
0x010d81f6
0x010d81f9
0x010d81fb
0x010d8200
0x010d8203
0x010d8206
0x010d8206
0x010d820f
0x010d8216
0x010d821b
0x010d821c
0x010d8222
0x010d8226
0x010d822b
0x010d822e
0x010d8230
0x010d8235
0x010d8238
0x010d823b
0x010d823b
0x010d8249
0x010d824b
0x010d824d
0x010d8275
0x010d827b
0x010d8282
0x010d8283
0x010d8286
0x010d8289
0x010d828f
0x010d8291
0x010d8293
0x010d82b0
0x010d8295
0x010d8298
0x010d829f
0x010d82a2
0x010d82ab
0x010d82ab
0x00000000
0x010d824f
0x010d824f
0x010d8255
0x010d825a
0x010d825f
0x010d8260
0x010d8263
0x010d8266
0x010d82b3
0x010d82b3
0x00000000
0x010d82b3
0x010d8251
0x010d8253
0x010d826b
0x010d826d
0x00000000
0x00000000
0x010d826f
0x00000000
0x00000000
0x010d8271
0x010d8273
0x00000000
0x00000000
0x00000000
0x010d8273
0x00000000
0x010d8253
0x010d824d
0x010d8196
0x010d8197
0x010d819d
0x010d819f
0x00000000
0x00000000
0x010d81a4
0x010d81a7
0x00000000
0x010d81a7
0x010d810a
0x010d8114
0x010d8117
0x010d811d
0x010d811e
0x010d8120
0x010d8124
0x010d8127
0x010d812d
0x010d812e
0x010d8130
0x00000000
0x00000000
0x010d8136
0x010d8139
0x00000000
0x00000000
0x010d813f
0x010d8140
0x010d8146
0x010d8148
0x00000000
0x00000000
0x010d8151
0x010d8152
0x010d8158
0x010d8159
0x010d815c
0x010d815d
0x010d8164
0x010d8166
0x00000000
0x00000000
0x010d816c
0x00000000
0x010d816c
0x010d810c
0x010d8112
0x00000000
0x00000000
0x00000000
0x010d8112
0x010d8094
0x010d809e
0x010d809e
0x010d80a5
0x010d80a6
0x010d80a8
0x00000000
0x010d80a8
0x010d8096
0x010d809c
0x00000000
0x00000000
0x00000000
0x010d809c
0x010d8086
0x00000000
0x00000000
0x010d8088
0x010d808a
0x00000000
0x00000000
0x00000000
0x010d808a
0x010d806b
0x010d8072
0x010d8073
0x010d8075
0x010d807a
0x00000000
0x010d807a
0x010d8046
0x010d804d
0x010d804e
0x010d8050
0x010d8055
0x00000000

APIs

Part of subcall function 010D7EFE: CloseHandle.KERNEL32(?,?,?,010D8035,?,?,00FE7A89,00000000), ref: 010D7F2F
Part of subcall function 010D7EFE: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,010D8035,?,?,00FE7A89,00000000), ref: 010D7F45
Part of subcall function 010D7EFE: ExitThread.KERNEL32 ref: 010D7F4E

__allrem.LIBCMT ref: 010D81BE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010D81DA
__allrem.LIBCMT ref: 010D81F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010D820F
__allrem.LIBCMT ref: 010D8226
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010D8244

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 1885649644-0
Opcode ID: 50fc9fc5a220098b3e5420b6e6c690b699d278bf0f54554e0c0c23e70bae3d05
Instruction ID: a2156ce83e08adef8cf0ecf8042dd081d96874526c55eaed592bfadc1eceee60
Opcode Fuzzy Hash: 50fc9fc5a220098b3e5420b6e6c690b699d278bf0f54554e0c0c23e70bae3d05
Instruction Fuzzy Hash: ED81F771A01B06AFD7649B7DCC40BAEB7E9AF54760F14C52EF591D7280EB70EA008B51

Uniqueness

Uniqueness Score: -1.00%

Function 0109FC90 Relevance: 9.2, APIs: 6, Instructions: 244
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0109FC90(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				signed int _t118;
				intOrPtr _t132;
				intOrPtr* _t227;
				signed int _t238;

				_t118 =  *0x1126944; // 0x1b5cf865
				_v8 = _t118 ^ _t238;
				_v32 = __ecx;
				_v24 = E01078150(_v32);
				_v28 =  *((intOrPtr*)(E01086930(_v32)));
				if( *((char*)(_a8 + 0xd)) == 0) {
					if(_a8 !=  *_v28) {
						if((E01085CC0(_v24, _a12, E01073BF0(_a8 + 0x10)) & 0x000000ff) == 0) {
							if((E01085CC0(_v24, E01073BF0(_a8 + 0x10), _a12) & 0x000000ff) == 0) {
								_t219 = _a8;
								 *_a4 = _a8;
								 *((intOrPtr*)(_a4 + 4)) = 0;
								 *((char*)(_a4 + 8)) = 1;
								_t132 = _a4;
								L26:
								return E010C54D2(_t132, _v8 ^ _t238, _t219);
							}
							_v40 =  *((intOrPtr*)(E01085950(E010751A0( &_v48, _a8, 0))));
							if( *((char*)(_v40 + 0xd)) != 0 || (E01085CC0(_v24, _a12, E01073BF0(_v40 + 0x10)) & 0x000000ff) != 0) {
								if( *((char*)( *((intOrPtr*)(_a8 + 8)) + 0xd)) == 0) {
									 *_a4 = _v40;
									_t219 = _a4;
									 *((intOrPtr*)(_a4 + 4)) = 1;
									 *((char*)(_a4 + 8)) = 0;
									_t132 = _a4;
								} else {
									 *_a4 = _a8;
									 *((intOrPtr*)(_a4 + 4)) = 0;
									_t219 = _a4;
									 *((char*)(_a4 + 8)) = 0;
									_t132 = _a4;
								}
							} else {
								L23:
								E0109FF80(_v32,  &_v20, _a12);
								if((E010A0700(_v32, _v12, _a12) & 0x000000ff) == 0) {
									_t227 = _a4;
									 *_t227 = _v20;
									 *((intOrPtr*)(_t227 + 4)) = _v16;
									_t219 = _a4;
									 *((char*)(_a4 + 8)) = 0;
									_t132 = _a4;
								} else {
									_t219 = _v12;
									 *_a4 = _v12;
									 *((intOrPtr*)(_a4 + 4)) = 2;
									 *((char*)(_a4 + 8)) = 1;
									_t132 = _a4;
								}
							}
							goto L26;
						}
						_v36 =  *((intOrPtr*)(E01085A80(E010751A0( &_v44, _a8, 0))));
						if((E01085CC0(_v24, E01073BF0(_v36 + 0x10), _a12) & 0x000000ff) == 0) {
							goto L23;
						}
						if( *((char*)( *((intOrPtr*)(_v36 + 8)) + 0xd)) == 0) {
							 *_a4 = _a8;
							_t219 = _a4;
							 *((intOrPtr*)(_a4 + 4)) = 1;
							 *((char*)(_a4 + 8)) = 0;
							_t132 = _a4;
						} else {
							 *_a4 = _v36;
							 *((intOrPtr*)(_a4 + 4)) = 0;
							_t219 = _a4;
							 *((char*)(_a4 + 8)) = 0;
							_t132 = _a4;
						}
						goto L26;
					}
					if((E01085CC0(_v24, _a12, E01073BF0(_a8 + 0x10)) & 0x000000ff) == 0) {
						goto L23;
					}
					 *_a4 = _a8;
					 *((intOrPtr*)(_a4 + 4)) = 1;
					_t219 = _a4;
					 *((char*)(_a4 + 8)) = 0;
					_t132 = _a4;
					goto L26;
				}
				if( *((char*)( *((intOrPtr*)(_v28 + 4)) + 0xd)) != 0 || (E01085CC0(_v24, E01073BF0( *((intOrPtr*)(_v28 + 8)) + 0x10), _a12) & 0x000000ff) != 0) {
					 *_a4 =  *((intOrPtr*)(_v28 + 8));
					 *((intOrPtr*)(_a4 + 4)) = 0;
					_t219 = _a4;
					 *((char*)(_a4 + 8)) = 0;
					_t132 = _a4;
					goto L26;
				} else {
					goto L23;
				}
			}

0x0109fc96
0x0109fc9d
0x0109fca0
0x0109fcab
0x0109fcb8
0x0109fcc4
0x0109fd2b
0x0109fd97
0x0109fe52
0x0109fef2
0x0109fef5
0x0109fefa
0x0109ff04
0x0109ff08
0x0109ff6a
0x0109ff77
0x0109ff77
0x0109fe6f
0x0109fe7b
0x0109feac
0x0109fed5
0x0109fed7
0x0109feda
0x0109fee4
0x0109fee8
0x0109feae
0x0109feb4
0x0109feb9
0x0109fec0
0x0109fec3
0x0109fec7
0x0109fec7
0x0109feed
0x0109ff0d
0x0109ff18
0x0109ff32
0x0109ff52
0x0109ff5b
0x0109ff5d
0x0109ff60
0x0109ff63
0x0109ff67
0x0109ff34
0x0109ff37
0x0109ff3a
0x0109ff3f
0x0109ff49
0x0109ff4d
0x0109ff4d
0x0109ff32
0x00000000
0x0109fe7b
0x0109fdb4
0x0109fdd8
0x00000000
0x0109fe2c
0x0109fde6
0x0109fe11
0x0109fe13
0x0109fe16
0x0109fe20
0x0109fe24
0x0109fde8
0x0109fdee
0x0109fdf3
0x0109fdfa
0x0109fdfd
0x0109fe01
0x0109fe01
0x00000000
0x0109fde6
0x0109fd4e
0x00000000
0x0109fd71
0x0109fd56
0x0109fd5b
0x0109fd62
0x0109fd65
0x0109fd69
0x00000000
0x0109fd69
0x0109fcd2
0x0109fd03
0x0109fd08
0x0109fd0f
0x0109fd12
0x0109fd16
0x00000000
0x0109fd1e
0x00000000
0x0109fd1e

APIs

allocator.LIBCONCRTD ref: 0109FCEE
allocator.LIBCONCRTD ref: 0109FD44

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 9d091e51026bc6e527e938ae9d32f964309ed31dfee96e15c5904cb58f4153a4
Instruction ID: 61369901087d19a88627462e90db9481b0cb5b997d421c05be5ed59d6af4c99d
Opcode Fuzzy Hash: 9d091e51026bc6e527e938ae9d32f964309ed31dfee96e15c5904cb58f4153a4
Instruction Fuzzy Hash: 70A1E97460420AAFDF04DF58C8A0AAEBBB5BF49314F18C158E8999F342DB35ED41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010D8739 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E010D8739(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x10fa30c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x010d873f
0x010d8743
0x010d874e
0x010d8756
0x010d8761
0x010d8767
0x010d876b
0x010d8772
0x010d8778
0x010d8778
0x010d877a
0x010d877f
0x00000000
0x010d8784
0x010d878b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,010D872E,00000000,?,010D86F6,00000000,?,00000000), ref: 010D874E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 010D8761
FreeLibrary.KERNEL32(00000000,?,?,010D872E,00000000,?,010D86F6,00000000,?,00000000), ref: 010D8784

Strings

mscoree.dll, xrefs: 010D8747
CorExitProcess, xrefs: 010D8759

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 74b052695e7dd51d4e30b3235457b72aa94ec5f65f79359f5339126434b6fa8a
Instruction ID: 6fc7f527aa9a333ca9106214ba630fad4ea94e3cacc50157deab8a80d9c73925
Opcode Fuzzy Hash: 74b052695e7dd51d4e30b3235457b72aa94ec5f65f79359f5339126434b6fa8a
Instruction Fuzzy Hash: EBF08231A04218FBDB219B65EC0AB9DBEB4FB00756F114198F545E3190CB768E00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 010E56E8 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E010E56E8(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x11269d0; // 0x1126a24
					if(_t23 != 0) {
						E010DDAF9(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x11269d4; // 0x112c788
					if(_t24 != 0) {
						E010DDAF9(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x11269d8; // 0x112c788
					if(_t25 != 0) {
						E010DDAF9(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x1126a00; // 0x1126a28
					if(_t26 != 0) {
						E010DDAF9(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x1126a04; // 0x112c78c
					if(_t27 != 0) {
						return E010DDAF9(_t6);
					}
				}
				return _t6;
			}

0x010e56ee
0x010e56f3
0x010e56f7
0x010e56fd
0x010e5700
0x010e5705
0x010e5709
0x010e570f
0x010e5712
0x010e5717
0x010e571b
0x010e5721
0x010e5724
0x010e5729
0x010e572d
0x010e5733
0x010e5736
0x010e573b
0x010e573c
0x010e573f
0x010e5745
0x00000000
0x010e574d
0x010e5745
0x010e5750

APIs

_free.LIBCMT ref: 010E5700

Part of subcall function 010DDAF9: HeapFree.KERNEL32(00000000,00000000,?,010E5989,?,00000000,?,?,?,010E5C2C,?,00000007,?,?,010E6222,?), ref: 010DDB0F
Part of subcall function 010DDAF9: GetLastError.KERNEL32(?,?,010E5989,?,00000000,?,?,?,010E5C2C,?,00000007,?,?,010E6222,?,?), ref: 010DDB21

_free.LIBCMT ref: 010E5712
_free.LIBCMT ref: 010E5724
_free.LIBCMT ref: 010E5736
_free.LIBCMT ref: 010E5748

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5dfbed96ce89c3799a0cf12357405bcf165cb170d191066eb8f1f313c4d6573f
Instruction ID: 61292afeb35d35a3258d0f566054bad1ab815d5f783a93280d6e1e8418ab51fd
Opcode Fuzzy Hash: 5dfbed96ce89c3799a0cf12357405bcf165cb170d191066eb8f1f313c4d6573f
Instruction Fuzzy Hash: E0F0AF36588200EF8674EFADF9C8C4A3BD9BE107207144C95F5D8C7481CE30F8908760

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA310 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FEA34B

Strings

winSeekFile, xrefs: 00FEA39A
winTruncate1, xrefs: 00FEA3B7
winTruncate2, xrefs: 00FEA3E5

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 2933888876-2471937615
Opcode ID: 99097f13e5120926eca95823085129a3cc012128db74313955b184ecba364852
Instruction ID: a59b4511ade59a8501a3ceb096f0172ceb0a9193ba58ea95abec5c65aeb02f1a
Opcode Fuzzy Hash: 99097f13e5120926eca95823085129a3cc012128db74313955b184ecba364852
Instruction Fuzzy Hash: 4F3192716003059FD724CF3ADC85A5BB7E6FB84720B108A3DF955C3690EA71F8149B62

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9490 Relevance: 6.1, APIs: 4, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00FE9490(signed int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v8;
				intOrPtr* _v12;
				void* _t13;
				intOrPtr _t14;
				void* _t19;
				void* _t20;
				signed int _t21;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr _t29;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				void* _t34;
				void* _t36;

				_t29 = __edx;
				_t12 = _a8;
				_v12 = __ecx;
				_t21 = __ecx[1];
				_t31 =  *__ecx;
				_t30 = _a4;
				_t32 = _t12;
				if(_t32 < 0) {
					L14:
					__eflags = _t21;
					if(__eflags < 0) {
						L24:
						__eflags = _t30;
						if(_t30 != 0) {
							L26:
							__eflags = _t31;
							if(_t31 != 0) {
								L28:
								_t13 = E010EE440(1, 0x80000000, _t30, _t12);
								_v8 =  ~_t31;
								asm("adc ecx, 0x0");
								__eflags =  ~_t21 - _t29;
								if(__eflags < 0) {
									goto L9;
								} else {
									if(__eflags > 0) {
										goto L31;
									} else {
										__eflags = _v8 - _t13;
										if(_v8 <= _t13) {
											goto L9;
										} else {
											goto L31;
										}
									}
								}
							} else {
								__eflags = _t21 - 0x80000000;
								if(_t21 == 0x80000000) {
									goto L31;
								} else {
									goto L28;
								}
							}
						} else {
							__eflags = _t12 - 0x80000000;
							if(_t12 == 0x80000000) {
								goto L31;
							} else {
								goto L26;
							}
						}
					} else {
						if(__eflags > 0) {
							L17:
							_t28 = E010EE440(0, 0x80000000, _t31, _t21);
							_t12 = _a8;
							__eflags = _a8 - _t29;
							if(__eflags > 0) {
								goto L10;
							} else {
								if(__eflags < 0) {
									goto L31;
								} else {
									__eflags = _t30 - _t28;
									if(_t30 >= _t28) {
										goto L10;
									} else {
										return 1;
									}
								}
							}
						} else {
							__eflags = _t31;
							if(_t31 == 0) {
								__eflags = _t21;
								if(__eflags > 0) {
									goto L10;
								} else {
									if(__eflags < 0) {
										goto L24;
									} else {
										__eflags = _t31;
										if(_t31 >= 0) {
											goto L10;
										} else {
											goto L24;
										}
									}
								}
							} else {
								goto L17;
							}
						}
					}
				} else {
					if(_t32 > 0 || _t30 != 0) {
						_t19 = E010C5BA0(0xffffffff, 0x7fffffff, _t30, _t12);
						_t34 = _t21 - _t29;
						if(_t34 > 0 || _t34 >= 0 && _t31 > _t19) {
							L31:
							return 1;
						} else {
							_t20 = E010EE440(0, 0x80000000, _t30, _a8);
							_t36 = _t21 - _t29;
							if(_t36 > 0 || _t36 >= 0 && _t31 >= _t20) {
								L9:
								_t12 = _a8;
								goto L10;
							} else {
								goto L31;
							}
						}
					} else {
						__eflags = _t12;
						if(__eflags > 0) {
							L10:
							_t14 = E010C5540(_t31, _t21, _t30, _t12);
							_t27 = _v12;
							 *_t27 = _t14;
							 *((intOrPtr*)(_t27 + 4)) = _t29;
							return 0;
						} else {
							if(__eflags < 0) {
								goto L14;
							} else {
								__eflags = _t30;
								if(_t30 >= 0) {
									goto L10;
								} else {
									goto L14;
								}
							}
						}
					}
				}
			}

0x00fe9490
0x00fe9496
0x00fe9499
0x00fe949d
0x00fe94a1
0x00fe94a4
0x00fe94a7
0x00fe94a9
0x00fe951a
0x00fe951a
0x00fe951c
0x00fe9557
0x00fe9557
0x00fe9559
0x00fe9562
0x00fe9562
0x00fe9564
0x00fe956e
0x00fe9577
0x00fe9580
0x00fe9585
0x00fe958a
0x00fe958c
0x00000000
0x00fe9592
0x00fe9592
0x00000000
0x00fe9594
0x00fe9594
0x00fe9597
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe9597
0x00fe9592
0x00fe9566
0x00fe9566
0x00fe956c
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe956c
0x00fe955b
0x00fe955b
0x00fe9560
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe9560
0x00fe951e
0x00fe951e
0x00fe9524
0x00fe9532
0x00fe9534
0x00fe9537
0x00fe9539
0x00000000
0x00fe953b
0x00fe953b
0x00000000
0x00fe953d
0x00fe953d
0x00fe953f
0x00000000
0x00fe9541
0x00fe954c
0x00fe954c
0x00fe953f
0x00fe953b
0x00fe9520
0x00fe9520
0x00fe9522
0x00fe954d
0x00fe954f
0x00000000
0x00fe9551
0x00fe9551
0x00000000
0x00fe9553
0x00fe9553
0x00fe9555
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe9555
0x00fe9551
0x00000000
0x00000000
0x00000000
0x00fe9522
0x00fe951e
0x00fe94ab
0x00fe94ab
0x00fe94ba
0x00fe94bf
0x00fe94c1
0x00fe959f
0x00fe95a8
0x00fe94d1
0x00fe94dc
0x00fe94e1
0x00fe94e3
0x00fe94f3
0x00fe94f3
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe94e3
0x00fe9510
0x00fe9510
0x00fe9512
0x00fe94f6
0x00fe94fa
0x00fe94ff
0x00fe9502
0x00fe9506
0x00fe950f
0x00fe9514
0x00fe9514
0x00000000
0x00fe9516
0x00fe9516
0x00fe9518
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe9518
0x00fe9514
0x00fe9512
0x00fe94ab

APIs

__aulldiv.LIBCMT ref: 00FE94BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE94DC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE952D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE9577

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv
String ID:
API String ID: 3650730422-0
Opcode ID: 19c70b36d4f62b1db75a77f19b174a4d349ae7c75df6d754789d4c8a8add80f4
Instruction ID: 44ee13a3429aee7caf88c39e646b2af63c7d1aaf0805bf44e7f3ccc4e53c4bf0
Opcode Fuzzy Hash: 19c70b36d4f62b1db75a77f19b174a4d349ae7c75df6d754789d4c8a8add80f4
Instruction Fuzzy Hash: 7E31F876B083D567EB27895B8C80B6E73D8DB85730F6C813DFD28D6290E6E19C4162B1

Uniqueness

Uniqueness Score: -1.00%

Function 010DD521 Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E010DD521(void* __ecx, void* __edx, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;
				void* _t72;

				_t72 = __fp0;
				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x1126b00; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E010DF1F7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E010DDA9C(_t43, 1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E010DF1F7(__eflags,  *0x1126b00, _t51);
							if(__eflags != 0) {
								E010DD34F(_t51, 0x112ca64);
								E010DDAF9(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E010DF1F7(__eflags,  *0x1126b00, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E010DF1F7(0,  *0x1126b00, 0);
							_push(0);
							L9:
							E010DDAF9();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E010DF1B8(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x1126b00; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E010D3FA8(_t39, _t43, _t49, _t53, _t60, _t72);
					asm("int3");
					_t5 =  *0x1126b00; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E010DF1F7(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E010DDA9C(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E010DF1F7(__eflags,  *0x1126b00, _t60);
								if(__eflags != 0) {
									E010DD34F(_t60, 0x112ca64);
									E010DDAF9(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E010DF1F7(__eflags,  *0x1126b00, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E010DF1F7(__eflags,  *0x1126b00, _t20);
								_push(_t60);
								L25:
								E010DDAF9();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E010DF1B8(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x1126b00; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E010D3FA8(_t39, _t43, _t49, _t53, _t60, _t72);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x1126b00; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E010DF1F7(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E010DDA9C(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E010DF1F7(__eflags,  *0x1126b00, _t54);
											if(__eflags != 0) {
												E010DD34F(_t54, 0x112ca64);
												E010DDAF9(0);
												goto L45;
											} else {
												_t40 = 0;
												E010DF1F7(__eflags,  *0x1126b00, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E010DF1F7(0,  *0x1126b00, 0);
											_push(0);
											L41:
											E010DDAF9();
											goto L36;
										}
									}
								} else {
									_t54 = E010DF1B8(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x1126b00; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x010dd521
0x010dd521
0x010dd521
0x010dd52c
0x010dd52e
0x010dd533
0x010dd536
0x010dd554
0x010dd557
0x010dd55c
0x010dd55e
0x00000000
0x010dd560
0x010dd56c
0x010dd56f
0x010dd570
0x010dd572
0x010dd597
0x010dd599
0x010dd5b2
0x010dd5b9
0x010dd5be
0x00000000
0x010dd59b
0x010dd59b
0x010dd5a4
0x010dd5a9
0x00000000
0x010dd5a9
0x010dd574
0x010dd574
0x010dd574
0x010dd57d
0x010dd582
0x010dd583
0x010dd583
0x010dd588
0x00000000
0x010dd588
0x010dd572
0x010dd538
0x010dd53e
0x010dd542
0x010dd54f
0x00000000
0x010dd544
0x010dd547
0x010dd5c1
0x010dd5c1
0x010dd549
0x010dd549
0x010dd549
0x010dd54b
0x010dd54b
0x010dd54b
0x010dd547
0x010dd542
0x010dd5c4
0x010dd5cc
0x010dd5ce
0x010dd5d0
0x010dd5d8
0x010dd5dd
0x010dd5de
0x010dd5e3
0x010dd5e4
0x010dd5e7
0x010dd601
0x010dd604
0x010dd609
0x010dd60b
0x00000000
0x010dd60d
0x010dd619
0x010dd61c
0x010dd61d
0x010dd61f
0x010dd642
0x010dd644
0x010dd65b
0x010dd662
0x010dd667
0x00000000
0x010dd646
0x010dd64d
0x010dd652
0x00000000
0x010dd652
0x010dd621
0x010dd628
0x010dd62d
0x010dd62e
0x010dd62e
0x010dd633
0x00000000
0x010dd633
0x010dd61f
0x010dd5e9
0x010dd5ef
0x010dd5f1
0x010dd5f3
0x010dd5fc
0x00000000
0x010dd5f5
0x010dd5f5
0x010dd5f8
0x010dd672
0x010dd672
0x010dd677
0x010dd67a
0x010dd67b
0x010dd67c
0x010dd683
0x010dd685
0x010dd68a
0x010dd68d
0x010dd6ab
0x010dd6ae
0x010dd6b3
0x010dd6b5
0x00000000
0x010dd6b7
0x010dd6c3
0x010dd6c7
0x010dd6c9
0x010dd6ee
0x010dd6f0
0x010dd709
0x010dd710
0x00000000
0x010dd6f2
0x010dd6f2
0x010dd6fb
0x010dd700
0x00000000
0x010dd700
0x010dd6cb
0x010dd6cb
0x010dd6cb
0x010dd6d4
0x010dd6d9
0x010dd6da
0x010dd6da
0x00000000
0x010dd6df
0x010dd6c9
0x010dd68f
0x010dd695
0x010dd697
0x010dd699
0x010dd6a6
0x00000000
0x010dd69b
0x010dd69b
0x010dd69e
0x010dd718
0x010dd718
0x010dd6a0
0x010dd6a0
0x010dd6a0
0x010dd6a0
0x010dd6a2
0x010dd6a2
0x010dd6a2
0x010dd69e
0x010dd699
0x010dd71b
0x010dd723
0x010dd725
0x010dd725
0x010dd72c
0x010dd5fa
0x010dd66a
0x010dd66a
0x010dd66c
0x00000000
0x010dd66e
0x010dd671
0x010dd671
0x010dd66c
0x010dd5f8
0x010dd5f3
0x010dd5d2
0x010dd5d7
0x010dd5d7

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,010DB9B0,?,?,010E30A8,?,00000000,00000040,00000000,00000000,00000040,?,00000000,00000080), ref: 010DD526
_free.LIBCMT ref: 010DD583
_free.LIBCMT ref: 010DD5B9
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,010E30A8,?,00000000,00000040,00000000,00000000,00000040,?,00000000,00000080,00000000), ref: 010DD5C4

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 29786666225f99006ad298ab37933e77515b34877d4817aebd15566411ac4fe5
Instruction ID: b5c5d6da1093a8ea961defcf0f2cbf7763c2951b09072a43906ac807b156decc
Opcode Fuzzy Hash: 29786666225f99006ad298ab37933e77515b34877d4817aebd15566411ac4fe5
Instruction Fuzzy Hash: 6D11C63A3043037ADA616AFCAC84E7E3A999FC27787644278F6A5921C8DF618C51C311

Uniqueness

Uniqueness Score: -1.00%

Function 010DD678 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E010DD678(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0x1126b00; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E010DF1F7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E010DDA9C(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E010DF1F7(__eflags,  *0x1126b00, _t18);
							if(__eflags != 0) {
								E010DD34F(_t18, 0x112ca64);
								E010DDAF9(0);
								goto L13;
							} else {
								_t13 = 0;
								E010DF1F7(__eflags,  *0x1126b00, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E010DF1F7(0,  *0x1126b00, 0);
							_push(0);
							L9:
							E010DDAF9();
							goto L4;
						}
					}
				} else {
					_t18 = E010DF1B8(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x1126b00; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x010dd678
0x010dd683
0x010dd685
0x010dd68a
0x010dd68d
0x010dd6ab
0x010dd6ae
0x010dd6b3
0x010dd6b5
0x00000000
0x010dd6b7
0x010dd6c3
0x010dd6c7
0x010dd6c9
0x010dd6ee
0x010dd6f0
0x010dd709
0x010dd710
0x00000000
0x010dd6f2
0x010dd6f2
0x010dd6fb
0x010dd700
0x00000000
0x010dd700
0x010dd6cb
0x010dd6cb
0x010dd6cb
0x010dd6d4
0x010dd6d9
0x010dd6da
0x010dd6da
0x00000000
0x010dd6df
0x010dd6c9
0x010dd68f
0x010dd695
0x010dd699
0x010dd6a6
0x00000000
0x010dd69b
0x010dd69e
0x010dd718
0x010dd718
0x010dd6a0
0x010dd6a0
0x010dd6a0
0x010dd6a2
0x010dd6a2
0x010dd6a2
0x010dd69e
0x010dd699
0x010dd71b
0x010dd723
0x010dd72c

APIs

GetLastError.KERNEL32(?,00000000,?,010CF34E,010DD810,?,?,010C54A9,00000000,00000000,010842D7,00000008), ref: 010DD67D
_free.LIBCMT ref: 010DD6DA
_free.LIBCMT ref: 010DD710
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,010CF34E,010DD810,?,?,010C54A9,00000000,00000000,010842D7,00000008), ref: 010DD71B

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: c1085bb45a71665d7bc661c0416ef900cf576b26fb53f4badd962e3ae3a0e7cc
Instruction ID: c6f571d04ffa939333f6c13a9463885245d6ca41067a167fcb3220ae0df51b34
Opcode Fuzzy Hash: c1085bb45a71665d7bc661c0416ef900cf576b26fb53f4badd962e3ae3a0e7cc
Instruction Fuzzy Hash: 4611E53A3043037AD6716AFCAC94E6A2699AFC6774B254274F6E9931C4DF618C128350

Uniqueness

Uniqueness Score: -1.00%

Function 010C5B4B Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E010C5B4B(long _a4) {
				long _t3;
				intOrPtr* _t7;

				_t7 =  *0x112c4c0;
				if(_t7 == 0) {
					LeaveCriticalSection(0x112c4a8);
					_t3 = WaitForSingleObjectEx( *0x112c4a4, _a4, 0);
					EnterCriticalSection(0x112c4a8);
					return _t3;
				}
				 *0x10fa30c(0x112c4a0, 0x112c4a8, _a4);
				return  *_t7();
			}

0x010c5b4f
0x010c5b57
0x010c5b78
0x010c5b89
0x010c5b90
0x00000000
0x010c5b90
0x010c5b68
0x00000000

APIs

SleepConditionVariableCS.KERNELBASE(?,010C5AE8,00000064), ref: 010C5B6E
LeaveCriticalSection.KERNEL32(0112C4A8,?,?,010C5AE8,00000064,?,?,?,0108D938,0112B130,1B5CF865,?,010EFDF1,000000FF,?,00FE1068), ref: 010C5B78
WaitForSingleObjectEx.KERNEL32(?,00000000,?,010C5AE8,00000064,?,?,?,0108D938,0112B130,1B5CF865,?,010EFDF1,000000FF,?,00FE1068), ref: 010C5B89
EnterCriticalSection.KERNEL32(0112C4A8,?,010C5AE8,00000064,?,?,?,0108D938,0112B130,1B5CF865,?,010EFDF1,000000FF,?,00FE1068), ref: 010C5B90

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: d65ce0341243a199dc807981dcd1c295c273c23492864c6d7ef29bb38e4af7e5
Instruction ID: d7675bd6e9b5610dbc76dcddebc509bc412dc46163f9a0d460f00b6458dbd421
Opcode Fuzzy Hash: d65ce0341243a199dc807981dcd1c295c273c23492864c6d7ef29bb38e4af7e5
Instruction Fuzzy Hash: 0AE0123A741174FBC6252F59ED1ABAE7F68EF08B62B008018FB4D67514C76669208FE1

Uniqueness

Uniqueness Score: -1.00%

Function 010E3E69 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E010E3E69(void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				char _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t37;
				signed int _t46;
				char _t49;
				char _t56;
				signed int _t61;
				signed int _t62;
				char _t66;
				void* _t74;
				void* _t80;
				signed int _t85;

				_t78 = __edx;
				_push(_a16);
				_push(_a12);
				E010E3F7D(__ecx, __edx, __eflags, __fp0);
				_t37 = E010E3C13(__eflags, _a4);
				_t66 = _a12;
				_v16 = _t37;
				_t6 = _t66 + 0x48; // 0x350a083
				_t67 =  *_t6;
				if(_t37 !=  *((intOrPtr*)( *_t6 + 4))) {
					_push(_t61);
					_t80 = E010DD7CD(_t67, 0x220);
					_t62 = _t61 | 0xffffffff;
					__eflags = _t80;
					if(__eflags == 0) {
						L5:
						_t85 = _t62;
					} else {
						_t9 = _a12 + 0x48; // 0x350a083
						_t80 = memcpy(_t80,  *_t9, 0x88 << 2);
						 *_t80 =  *_t80 & 0x00000000;
						_t85 = E010E4078(_t62, _t78, _t80,  *_t9, __eflags, __fp0, _v16, _t80);
						__eflags = _t85 - _t62;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E010DA235();
							}
							asm("lock xadd [eax], ebx");
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								_t56 = _a12;
								__eflags =  *((intOrPtr*)(_t56 + 0x48)) - 0x1126ec0;
								if( *((intOrPtr*)(_t56 + 0x48)) != 0x1126ec0) {
									_t17 = _t56 + 0x48; // 0x350a083
									E010DDAF9( *_t17);
								}
							}
							 *_t80 = 1;
							_t74 = _t80;
							_t80 = 0;
							 *(_a12 + 0x48) = _t74;
							_t46 =  *0x11273e0; // 0xfffffffe
							__eflags =  *(_a12 + 0x350) & _t46;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t49 = 5;
								_v16 = _t49;
								_v12 = _t49;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E010E3B05( &_v5, _t78, __eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x1126bc4 =  *_a16;
								}
							}
						} else {
							 *((intOrPtr*)(E010CF349(__eflags))) = 0x16;
							goto L5;
						}
					}
					E010DDAF9(_t80);
					return _t85;
				} else {
					return 0;
				}
			}

0x010e3e69
0x010e3e71
0x010e3e74
0x010e3e77
0x010e3e7f
0x010e3e84
0x010e3e8a
0x010e3e8d
0x010e3e8d
0x010e3e93
0x010e3e99
0x010e3ea6
0x010e3ea8
0x010e3eac
0x010e3eae
0x010e3ede
0x010e3ede
0x010e3eb0
0x010e3eb8
0x010e3ebd
0x010e3ec3
0x010e3ecb
0x010e3ecf
0x010e3ed1
0x010e3eee
0x010e3ef2
0x010e3ef4
0x010e3ef4
0x010e3eff
0x010e3f03
0x010e3f04
0x010e3f06
0x010e3f09
0x010e3f10
0x010e3f12
0x010e3f15
0x010e3f1a
0x010e3f10
0x010e3f1b
0x010e3f21
0x010e3f26
0x010e3f28
0x010e3f2e
0x010e3f33
0x010e3f39
0x010e3f3e
0x010e3f49
0x010e3f4c
0x010e3f4d
0x010e3f50
0x010e3f56
0x010e3f5a
0x010e3f5e
0x010e3f5f
0x010e3f64
0x010e3f68
0x010e3f73
0x010e3f73
0x010e3f68
0x010e3ed3
0x010e3ed8
0x00000000
0x010e3ed8
0x010e3ed1
0x010e3ee1
0x010e3eed
0x010e3e95
0x010e3e98
0x010e3e98

APIs

Part of subcall function 010E3C13: GetOEMCP.KERNEL32(00000000,010E3E84,00000000,010D4025,?,?,010D4025,00000040,00000000), ref: 010E3C3E

_free.LIBCMT ref: 010E3EE1

Strings

0V, xrefs: 010E3F73

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: _free
String ID: 0V
API String ID: 269201875-4101932012
Opcode ID: 4bdacf4f6f3115babc2493a5df44bacbbe3689c3cf94a39b9e55b08ab8d70f05
Instruction ID: eb421c2e29cd120f556e72f13577fa72135dab1ac172a68e357a67d47db97443
Opcode Fuzzy Hash: 4bdacf4f6f3115babc2493a5df44bacbbe3689c3cf94a39b9e55b08ab8d70f05
Instruction Fuzzy Hash: A7319C7290420AAFDB11DFAED884ADE7BF5FF44310F1140AAF9519B291EB329D51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FE1190 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00FE1190(void* __ecx) {
				char _v8;
				char _v16;
				char _v24;
				char _v32;
				char _v36;
				char _v84;
				void* __ebp;
				signed int _t14;
				void* _t24;
				signed int _t35;

				_push(0xffffffff);
				_push(0x10f0ac2);
				_push( *[fs:0x0]);
				_t14 =  *0x1126944; // 0x1b5cf865
				_t15 = _t14 ^ _t35;
				_push(_t14 ^ _t35);
				 *[fs:0x0] =  &_v16;
				 *0x112b308 = 0x1f40;
				 *0x112b30c = 1;
				E0109E8B0(_t15, E010A2ED0( &_v24, "User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"));
				_v8 = 0;
				E010A3CE0(0x112b310,  *((intOrPtr*)(E01075FF0( &_v32,  &_v84,  &_v36))),  *((intOrPtr*)(_t20 + 4)));
				_v8 = 2;
				_push(E010A55F0);
				_push(1);
				_push(0x30);
				_push( &_v84);
				E010C5613(0x112b310,  *((intOrPtr*)(E01075FF0( &_v32,  &_v84,  &_v36))), _t15);
				_v8 = 0xffffffff;
				_t24 = E010C597B(0x112b310, _t15, 0x10f3300);
				 *[fs:0x0] = _v16;
				return _t24;
			}

0x00fe1193
0x00fe1195
0x00fe11a0
0x00fe11a4
0x00fe11a9
0x00fe11ab
0x00fe11af
0x00fe11b5
0x00fe11bf
0x00fe11e0
0x00fe11e5
0x00fe1208
0x00fe120d
0x00fe1211
0x00fe1216
0x00fe1218
0x00fe121d
0x00fe121e
0x00fe1223
0x00fe122f
0x00fe123a
0x00fe1245

APIs

_Smanip.LIBCPMTD ref: 00FE11F7

Strings

User-Agent, xrefs: 00FE11CB
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36, xrefs: 00FE11C6

Memory Dump Source

Source File: 00000000.00000002.341156056.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.341146793.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341442335.000000000112B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341458488.000000000112F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341478367.0000000001137000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341536548.000000000116F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341547592.0000000001177000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_6LTym8YhUJ.jbxd

Yara matches

Similarity

API ID: Smanip
String ID: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36$User-Agent
API String ID: 2140389272-3885995274
Opcode ID: 17a7c549fd54ec33b50664d71c2f4ff04e611f4ce54a16f19d8b2b7348e16564
Instruction ID: 295edba400285deead45c8ca4c228a7f2a9e626d234fc74f914e84c4dd0d43f1
Opcode Fuzzy Hash: 17a7c549fd54ec33b50664d71c2f4ff04e611f4ce54a16f19d8b2b7348e16564
Instruction Fuzzy Hash: 2E11BFB1A14248ABCB14DBD5CC41FDEB7B8FB14B10F04866DE551AB2C4EBB46608CB90

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
148.251.234.83	B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe	Get hash	malicious	Browse	iplogger.org/1YKyj7
	0153AD4D1224B9A37B2EB3264EA7F8685828AB18C9C49.exe	Get hash	malicious	Browse	iplogger.org/1YZyj7
	585be0c57969f505e1ce900d1c0a7c10fc9f69a0e2e36.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	Fza7TPh6Z7.exe	Get hash	malicious	Browse	iplogger.org/1fEwd7
	u7Ib2JQQZL.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	1XdtZLPD3f.exe	Get hash	malicious	Browse	iplogger.org/1szwr7
	6Mt29QRW0p.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	ANOTHER.exe	Get hash	malicious	Browse	iplogger.org/1asSq7
	HKoLuz7ekJ.exe	Get hash	malicious	Browse	iplogger.org/1dnc57
	yLuLadKu7U.exe	Get hash	malicious	Browse	iplogger.org/1dnc57
	4618FB57958C19496E668916D769CB40E6BB0A0AF0FBB.exe	Get hash	malicious	Browse	iplogger.org/1kB597
	045A93EE4AA61FD3BB2C7F706085A249B9664876B7A2E.exe	Get hash	malicious	Browse	iplogger.org/1kB597
	i864x__setup__62257ec67f6ca.exe	Get hash	malicious	Browse	iplogger.org/1jiiu7
	WBIy6QzxFS.exe	Get hash	malicious	Browse	iplogger.org/1m2gj7.gz
	oBMW6d0NXa.exe	Get hash	malicious	Browse	iplogger.org/1m2gj7.gz
	qqq.exe	Get hash	malicious	Browse	iplogger.org/XG6vg
	explorer.exe	Get hash	malicious	Browse	iplogger.org/XG6vg
	BjEwXjK71p.exe	Get hash	malicious	Browse	iplogger.org/1dnc57
	WfBayGk51Z.exe	Get hash	malicious	Browse	iplogger.org/1dnc57
	LZetStOCHC.exe	Get hash	malicious	Browse	iplogger.org/1imy57

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
iplogger.org	CBE35192C04F83D4D3B179A8C229047ADE740AAC3785E.exe	Get hash	malicious	Browse	148.251.234.83
	Ywt1yWSwne.exe	Get hash	malicious	Browse	148.251.234.83
	d8tlgwSs5C.exe	Get hash	malicious	Browse	148.251.234.83
	D8eA0NDsVW.exe	Get hash	malicious	Browse	148.251.234.83
	ClF3uFa2At.exe	Get hash	malicious	Browse	148.251.234.83
	Setup_L3100_x64_261JAHomeExportAsiaML.exe	Get hash	malicious	Browse	148.251.234.83
	3F947F5A849F11BE9079A5C2418240E2FAF7E53B63662.exe	Get hash	malicious	Browse	148.251.234.83
	PCehpIwZ3F.exe	Get hash	malicious	Browse	148.251.234.83
	ziMhCvj0xz.exe	Get hash	malicious	Browse	148.251.234.83
	w9AJD6nRbD.exe	Get hash	malicious	Browse	148.251.234.83
	ETBOdBrV1t.exe	Get hash	malicious	Browse	148.251.234.83
	YMxido5Qgs.exe	Get hash	malicious	Browse	148.251.234.83
	9BA131F17050F1A0C0ACB436F1912AA5086F78A5B378F.exe	Get hash	malicious	Browse	148.251.234.83
	R8B8ktGtaP.exe	Get hash	malicious	Browse	148.251.234.83
	fQw7B31ZqJ.exe	Get hash	malicious	Browse	148.251.234.83
	wttZqjjr84.exe	Get hash	malicious	Browse	148.251.234.83
	1cYQzjrkI5.exe	Get hash	malicious	Browse	148.251.234.83
	iRLK5GZico.exe	Get hash	malicious	Browse	148.251.234.83
	3bcXIlJJQB.exe	Get hash	malicious	Browse	148.251.234.83
	GRJ9LVpkfF.exe	Get hash	malicious	Browse	148.251.234.83

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	UFSNLrrq1l.dll	Get hash	malicious	Browse	103.43.75.120
	arm7	Get hash	malicious	Browse	44.40.163.45
	UFSNLrrq1l.dll	Get hash	malicious	Browse	103.43.75.120
	JGK2V9tXbB.dll	Get hash	malicious	Browse	103.43.75.120
	I1uT9NgaSm.dll	Get hash	malicious	Browse	103.43.75.120
	MtIHdwaCUz.dll	Get hash	malicious	Browse	103.43.75.120
	Vb3FGHDPro.dll	Get hash	malicious	Browse	103.43.75.120
	D3ZDYP88gN.dll	Get hash	malicious	Browse	103.43.75.120
	dUeqV8Nhdx.dll	Get hash	malicious	Browse	103.43.75.120
	0gzUc8oX32.dll	Get hash	malicious	Browse	103.43.75.120
	dUeqV8Nhdx.dll	Get hash	malicious	Browse	103.43.75.120
	WDMvHAXO0t.dll	Get hash	malicious	Browse	103.43.75.120
	XdX76vcau5.dll	Get hash	malicious	Browse	103.43.75.120
	WDMvHAXO0t.dll	Get hash	malicious	Browse	103.43.75.120
	npdjHHpYBw.dll	Get hash	malicious	Browse	103.43.75.120
	1AupD7DwPX.dll	Get hash	malicious	Browse	103.43.75.120
	BMTl9rMaT5.dll	Get hash	malicious	Browse	103.43.75.120
	82Ly5kUF6b.dll	Get hash	malicious	Browse	103.43.75.120
	70vsQv7wKy.dll	Get hash	malicious	Browse	103.43.75.120
	82Ly5kUF6b.dll	Get hash	malicious	Browse	103.43.75.120
HETZNER-ASDE	JHpM9HHONQ.dll	Get hash	malicious	Browse	78.47.204.80
	07KAzot7Eh.dll	Get hash	malicious	Browse	78.47.204.80
	JHpM9HHONQ.dll	Get hash	malicious	Browse	78.47.204.80
	07KAzot7Eh.dll	Get hash	malicious	Browse	78.47.204.80
	ZqJbeH0HR5.dll	Get hash	malicious	Browse	78.47.204.80
	Payee_Request_form.htm	Get hash	malicious	Browse	176.9.84.42
	snai.apk	Get hash	malicious	Browse	136.243.51.171
	snai.apk	Get hash	malicious	Browse	136.243.51.205
	ZG9zarm7	Get hash	malicious	Browse	144.79.42.102
	Ny9VZNnRcJ.dll	Get hash	malicious	Browse	78.47.204.80
	UFSNLrrq1l.dll	Get hash	malicious	Browse	5.9.116.246
	Gguphk27y7.dll	Get hash	malicious	Browse	78.47.204.80
	1jR5b6JKjq.dll	Get hash	malicious	Browse	78.47.204.80
	O12CSxkzxR.dll	Get hash	malicious	Browse	78.47.204.80
	Ny9VZNnRcJ.dll	Get hash	malicious	Browse	78.47.204.80
	UFSNLrrq1l.dll	Get hash	malicious	Browse	5.9.116.246
	PO1CJTmU5y.dll	Get hash	malicious	Browse	78.47.204.80
	Qtv7CqSupw.dll	Get hash	malicious	Browse	78.47.204.80
	cEX8gtRpXf.dll	Get hash	malicious	Browse	78.47.204.80
	JGK2V9tXbB.dll	Get hash	malicious	Browse	5.9.116.246

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	message_zdm.html	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Payee_Request_form.htm	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	4_IT05242144277_14_29062022_073000.xlsm	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	http://www.fedblue.org	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	hOdgEiePTe.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	https://theunfused.be/reactivate/index2.html	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Socc.js	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Socc.js	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	heptene.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Captura20223624.js	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	hesaphareketi-01.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	http://go.ly/lwlzA	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	kUS2EbIhrM.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	https://t.co/xvLS8NTzBo	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	kUS2EbIhrM.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	Ywt1yWSwne.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	55M44d3Fux.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	SecuriteInfo.com.W32.AIDetect.malware2.19496.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196
	SecuriteInfo.com.W32.AIDetect.malware2.15232.exe	Get hash	malicious	Browse	148.251.234.83 149.28.253.196

Target ID:	0
Start time:	10:49:26
Start date:	30/06/2022
Path:	C:\Users\user\Desktop\6LTym8YhUJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6LTym8YhUJ.exe"
Imagebase:	0xfe0000
File size:	1794048 bytes
MD5 hash:	1B35D7B6C5252EF4CCA1D703C4134F6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.271855497.0000000001126000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.270071748.0000000001126000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.256990699.0000000001126000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.271817051.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.256862432.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.270001473.00000000010FA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Target ID:	4
Start time:	10:49:34
Start date:	30/06/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1912
Imagebase:	0x3e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6LTym8YhUJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socelars

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6LTym8YhUJ.exe_db919e54df72560cff6fb42bbc6c1cd6c16e99c_4c701d04_17d79ec8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E3B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3512.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER367A.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
6LTym8YhUJ.exe

Function 010740E0 Relevance: 3.1, APIs: 2, Instructions: 79
COMMON

Function 010C808F Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Function 0109EEB0 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Function 010C548F Relevance: 1.5, APIs: 1, Instructions: 39
COMMONLIBRARYCODE

Function 010DDA9C Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 010DD7CD Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 010A3A50 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Function 01079A00 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Function 010A8B90 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Function 010E2D00 Relevance: 7.8, APIs: 5, Instructions: 333
timeCOMMON

Function 010CBBC6 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Function 010D86F7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 010D2BE0 Relevance: 3.4, APIs: 2, Instructions: 450
COMMONCrypto

Function 00FE2410 Relevance: 1.6, Strings: 1, Instructions: 323
COMMONCrypto

Function 00FECC40 Relevance: .2, Instructions: 167
COMMONCrypto

Function 010D0C7E Relevance: .2, Instructions: 159
COMMONCrypto

Function 00FE1DE0 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270
COMMON

Function 00FE13F0 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270
COMMON

Function 00FE4160 Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 403
COMMON

Function 010E5234 Relevance: 19.6, APIs: 13, Instructions: 88
COMMONLIBRARYCODE

Function 010E608B Relevance: 18.1, APIs: 12, Instructions: 113
COMMONLIBRARYCODE

Function 010DEEA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Function 010E5C13 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Function 010D8028 Relevance: 9.3, APIs: 6, Instructions: 270
COMMON

Function 0109FC90 Relevance: 9.2, APIs: 6, Instructions: 244
COMMON

Function 010D8739 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Function 010E56E8 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Function 00FE9490 Relevance: 6.1, APIs: 4, Instructions: 117
COMMON

Function 010DD521 Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Function 010DD678 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Function 010C5B4B Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Function 010E3E69 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON